HackTheBox LIghtweight write-up

CTF Hackthebox Writeups
1

HackTheBox Lightweight

Heyo nullers :smiley:
Welcome to my writeup for the recently retired box Lightweight from HackTheBox.
Lightweight was tricky at the beginning. In general, it had:

  • Packet sniffing
  • LDAP Authentication
  • Files’ capabilites

Portscan:
Nmap showed three open ports, i.e. ssh, http and ldap

Nmap scan report for 10.10.10.119
Host is up (0.61s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
|   256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
|_  256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (EdDSA)
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after:  2019-06-09T13:32:51
|_ssl-date: TLS randomness does not represent time

On port 80:

port 80
port 801849×942 483 KB

The user page prompt me to login via ssh with my IP as username and password.
So after doing that and taking a hint from @pry0cc and @guly I just “listened” to the box for as long as I had to. I ran tcpdump -i lo -A -w inter.pcap on the Lightweight box and then I just browsed the webpage. The status.php was taking quite a time to load, so that was suspicious.

After browsing the website enough, I moved the pcap file to /tmp and transfered it to my local computer with scp [email protected]:/tmp/inter.pcap .

Opening the file with wireshark, we find that there is an ldap “bind request” from ldapuser2 with simple authentication, meaning that the ldapuser2’s password was in plain sight.

wire
wire1719×930 178 KB

By using it we su to ldapuser2 we get the user flag.

su ldapuser2
Password: 
[ldapuser2@lightweight ~]$ ls
backup.7z  OpenLDAP-Admin-Guide.pdf  OpenLdap.pdf  user.txt
[ldapuser2@lightweight ~]$  cat user.txt
8a866d3b*******************

In ldapuser2’s home directory we find a backup.7z file. I transfered it to my local machine like the pcap file only to find out that it was password protected. There I used a script I found here which uses john to bruteforce the 7z file. The password was delete

There I found some php files, which are the same from the website, only with a twist:
after running cat * | grep user in a desparate move for something valueable, I found that the user is ldapuser1,

vict0ni@vict0niLaptop:~/Desktop/CTF/HTB/Lightweight/backup$ cat * | grep username
$username = 'ldapuser1';

so the next logical thing to do is to run cat * | grep password, where we find the ldapuser1’s password

vict0ni@vic0niLaptop:~/Desktop/CTF/HTB/Lightweight/backup$ cat * | grep password
$password = 'f3ca9d298a553da117442deeb6fa932d';
if ($bind=ldap_bind($ds, $dn, $password)) {
...
...

Escalating to ldapuser1, like previously with ldapuser2.

[ldapuser2@lightweight ~]$ su ldapuser1
Password: 
[ldapuser1@lightweight ldapuser2]$ whoami
ldapuser1

There, root got a bit spoiled to me, because some people where giving away clues inside the box. Specific, one broadcasted the message “openssl is the key”. Kind of a bummer but finding two binaries on the home directory was meaning that the way for root had to do with one of them. So the spoil just saved me a rabbithole. But, please, don’t spoil things.

I enumerated the openssl binary I had in front of me. After examing it’s capabilities with getcap -r openssl the output was openssl =ep, which means that it had access to anything.

So to get the root.txt file, one must grab it with openssl, encrypt it and paste it in a directory, then decrypt it to read it, like /home/ldapuser1/openssl enc -base64 -in /root/root.txt -out enc_root and then base64 -d enc_root.
And there is the sweet root flag :smiley:

[ldapuser1@lightweight ~]$ /home/ldapuser1/openssl enc -base64 -in /root/root.txt -out enc_root
[ldapuser1@lightweight ~]$ base64 -d enc_root
f1d4e309c*******************

PS: As @PresComm once said: “But if you don’t get a shell and can’t run code, is a system really owned? :thinking:”.
Searching for some way to get a root shell I came across this article, where one can rewrite the /etc/shadow file.

vict0ni

3 Likes
2

maybe sudoers, instead of brickin shadow file ?

1 Like