Today we’re going to solve another CTF machine, “Lightweight”. It is now a retired box and is accessible to VIP members.

Specifications

  • Target OS: Linux
  • IP Address: 10.10.10.119
  • Difficulty: Medium

Weakness

  • Abusing Linux Capabilities

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we identify which services are running behind the IP address.

Nmap Lightweight

We got 3 open ports: SSH (22), HTTP (80) and LDAP (389). Let’s take a look at LDAP first.

LDAP Enumeration

Enumerating LDAP using the ldapsearch tool:

ldapsearch -h 10.10.10.119 -p 389 -x -b dc=lightweight,dc=htb

We found some interesting information, such as the following:

After decoding the Base64 we got these hashes.

The hash algorithm is SHA512; I tried cracking it but it didn’t work.

Enumeration

Let’s do some enumeration and browse to http://10.10.10.119.

Generally in CTF methodology we enumerate hidden directories and files. But in this case directory brute-forcing got us blocked by some kind of firewall, so we have to enumerate manually.

Going to the user.php page, it tells us that our SSH account has been created:

“This server lets you get in with ssh. Your IP (10.10.14.17) is automatically added as userid and password within a minute of your first HTTP page request. We strongly suggest you to change your password as soon as you get in the box.”

Let’s log in to SSH.

We got nothing in the current directory, so let’s find out what other users we have here with cat /etc/passwd.

Let’s enumerate more with the LinEnum.sh script.

After running the script we can see files with POSIX capabilities set.

The Linux capabilities feature is used to give a binary only the specific privileges it needs for its task, without giving the user root permission or making the binary SUID.

The tcpdump binary has the cap_net_admin,cap_net_raw+ep capabilities set:

/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
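As an added example (not part of the original writeup), here is a small audit script that parses getcap -r / output and flags capabilities that bypass the normal privilege model, the kind of check an administrator would run to catch binaries like the tcpdump above. The sample lines are constructed; the openssl line assumes cap_dac_override, which is the capability needed to write /etc/shadow.

```python
"""Audit getcap(8) output for file capabilities that undermine least privilege.
Sample lines are constructed; on a real host feed parse_getcap() the output of
`getcap -r / 2>/dev/null`.  The openssl line assumes cap_dac_override, the
capability needed to overwrite /etc/shadow."""
import re

# Capabilities that hand an interactive binary root-equivalent or highly
# sensitive power.  Not exhaustive; extend to match local policy.
RISKY = {
    "cap_dac_override": "bypass file permission checks (read/write /etc/shadow)",
    "cap_dac_read_search": "bypass read permission checks on any file",
    "cap_chown": "change ownership of any file",
    "cap_setuid": "switch to any UID, including root",
    "cap_sys_admin": "broad admin actions (mounts, namespaces)",
    "cap_sys_ptrace": "attach to other users' processes",
    "cap_net_admin": "reconfigure interfaces and firewall rules",
    "cap_net_raw": "raw sockets: capture all traffic on the host",
}

# Accepts the old libcap form '/path = caps+ep' and the newer '/path caps=ep'.
LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>[a-z_,]+)(?P<flags>[=+][eip]+)$")

def parse_getcap(text):
    """Return one {path, caps, flags} dict per parsable line; noise is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"path": m.group("path"),
                            "caps": m.group("caps").split(","),
                            "flags": m.group("flags")[1:]})  # e/i/p set
    return entries

def assess(entries):
    """Return (path, capability, flags, reason) for every risky capability found."""
    return [(e["path"], cap, e["flags"], RISKY[cap])
            for e in entries for cap in e["caps"] if cap in RISKY]

# Constructed sample in the shape of `getcap -r /` output.
SAMPLE = """\
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
/usr/bin/openssl = cap_dac_override+ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
"""

if __name__ == "__main__":
    for path, cap, flags, why in assess(parse_getcap(SAMPLE)):
        print(f"{path}: {cap} ({flags}) -> {why}")
```

Anything it reports should be justified in writing or replaced by a narrower mechanism (a dedicated service user, sudo rules, or dropping the capability entirely).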

Let’s run tcpdump and save the capture to a file.

Let’s transfer the capture.cap file to our local machine.

scp 10.10.14.17@10.10.10.119:/home/10.10.14.17/capture.cap capture.cap

Now let’s go back to our SSH session and switch user with the creds we just found.

We owned user.txt.

Privilege Escalation

Let’s head towards getting the root.txt flag. There’s a file backup.7z which is password protected; let’s transfer it to our local machine and try cracking it.

Let’s encode backup.7z as Base64 and decode it on our local machine.

I used this tool to dictionary-attack backup.7z.

After extracting the 7z file we got some PHP files.

If we run cat status.php | head -30:

We got the ldapuser1 creds, so let’s su - ldapuser1.

Let’s look at the files inside /home/ldapuser1/.

We have some PHP files which don’t include any interesting information. Let’s check the capabilities of the openssl and tcpdump binaries.

Getting Root By Abusing Linux Capabilities

Let’s modify the /etc/shadow file to change the root password using the openssl capability.

We need to create a salted password hash using openssl; let’s use root as the username/password.

Replace the salted password hash in the copy of the shadow file we made.

cat shadow | head -1

We can use the openssl capability to overwrite the original /etc/shadow with our modified shadow file.

And we got root!

We can also use a cron job to spawn a reverse shell as root.

Now start a listener, wait for a minute, and you’ll get a shell.