Hackthebox: Lightweight Write-up

Recon

Start it off with an NMAP Scan and with only 3 ports open I start taking a look at the web server first since both LDAP and SSH usually require some form of logon/credentials to take advantage of.

22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
|   256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
|_  256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (ED25519)
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after:  2019-06-09T13:32:51
|_ssl-date: TLS randomness does not represent time

Interesting, so they’re going to allow you to login with your IP as your username/password via SSH so this will probably involve manipulating LDAP once you’re in the server.

Went ahead and printed out the /etc/passwd list to see if there’s any interesting users to look around for.

cat /etc/passwd (removing nologin)
root:x:0:0:root:/root:/bin/bash
ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001::/home/ldapuser2:/bin/bash
10.10.14.30:x:1003:1003::/home/10.10.14.30:/bin/bash

uname -mrs
Linux 3.10.0-862.3.3.el7.x86_64 x86_64

So we’ve got a couple users now, and I threw out an nmap scan specifically trying to enumerate some more info on LDAP but didn’t come up with anything useful. Then tried seeing if there was a way to grab some credentials from LDAP since the site itself seems to be doing some user creation directly on the box.

nmap -p 389 --script ldap-rootdse 10.10.10.119
dc=lightweight,dc=htb

tcpdump port 389 -v -i lo -x -w /tmp/ok/log.cap

Allowed this to capture for a bit and ended up finding a plaintext password being sent from ldapuser2 on the box. This allows you to directly ssh into their user directly which led to finding a 7z file that needed to be cracked.

Foothold & Privesc

Ended up cracking this with https://github.com/philsmd/7z2hashcat that allows hashcat to crack 7z files. This then led to getting ‘ldapuser1’ password that was inside the archive.

Inside ldapuser1’s home directory are some clues as to how we can privesc, including a binary of openssl. After some messing around with the binaries I ended up coming across the ‘getcap’ command which will tell you the capabilities your user has with certain binaries on the system.

http://man7.org/linux/man-pages/man8/getcap.8.html

Turns out we have read/write privileges with the openssl binary and combining that with the advice on the gtfo bins site (https://medium.com/@int0x33/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099) it’ll allow you to read out the contents of the root.txt file!

Wrap-up

There was some cool learning to be had on this box, specifically the ‘getcap’ I’ll be adding to my toolkit of things to enumerate with, especially if there are binaries in a home directory that seem a little off. Keep in mind there’s also ways to manipulate openssl to create a reverse shell back to your attacking box (that will actually be an encrypted shell), but that wasn’t necessary for this box though I do recommend some reading on the subject.

https://medium.com/@int0x33/day-43-reverse-shell-with-openssl-1ee2574aa998