Hack The Box - Lazy
We are going to pwn Lazy from Hack The Box.
Link: https://www.hackthebox.eu/home/machines/profile/18
Let's begin with our initial Nmap scan.
Nmap Scan Results:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 e1:92:1b:48:f8:9b:63:96:d4:e5:7a:40:5f:a4:c8:33 (DSA)
| 2048 af:a0:0f:26:cd:1a:b5:1f:a7:ec:40:94:ef:3c:81:5f (RSA)
| 256 11:a3:2f:25:73:67:af:70:18:56:fe:a2:e3:54:81:e8 (ECDSA)
|_ 256 96:81:9c:f4:b7:bc:1a:73:05:ea:ba:41:35:a4:66:b7 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: CompanyDev
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 3.18 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HTTP:
There is a Login and Register tab. I created a new account. Once the account was created, I logged in with the credentials.
I intercepted the request with Burp to check if there was anything suspicious, and I found there is an auth value in the Cookie.
So I changed the auth value and sent that request, and it shows "Invalid Padding".
This made me think of a popular attack: the Padding Oracle Attack.
A padding oracle attack is an attack which uses the padding validation of a cryptographic message to decrypt the ciphertext. In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle" which freely responds to queries about whether a message is correctly padded or not.
Reference:
https://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html
We can use the tool Padbuster.
This is the format:
padbuster URL EncryptedSample BlockSize [options]
BlockSize is the block size of the underlying cipher in bytes: 8 for a DES/3DES-style cipher, 16 for AES. Those two values are the ones padbuster is normally run with; if one gives no usable result, try the other.
-cookies [HTTP Cookies]: Cookies (name1=value1; name2=value2)
I used my auth value from the cookie.
We can change the user to user=admin so we can get his auth value and log in as admin.
We got the admin auth value.
So I replaced our auth value with the admin's auth value.
Yes, we logged in as admin. There is a My Key page which gives us the SSH private key.
I downloaded it to my machine, gave it the right permissions, and used that key to log in as mitsos, because that is the file name.
Privilege Escalation:
There is a binary file called backup. When I execute it, it prints /etc/shadow to us.
While checking the strings of it, it shows cat /etc/shadow, and the full path of cat is not specified.
So I checked PATH and where cat is actually located.
cat is in /bin/, but we know that PATH searches /usr/local/sbin first, so we could create a cat file with a reverse shell and place it in /usr/local/sbin.
But we don't have write permission in /usr/local/sbin.
I created a cat file in /tmp and gave it execute permission.
This will give us a shell if it is executed.
We don't have permission on /usr/local/sbin, so I added /tmp to PATH to make it search there first.
export PATH=/tmp:$PATH
Now if I execute the backup binary, it searches for cat in /tmp first, and once it is found it executes it and gives me a shell as root.
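To show the defender's side of the PATH problem above, here is an added Python check (not code from the original post) that reports which PATH directories could shadow an unqualified `cat` for a privileged program, alongside the way such a helper should invoke `cat` instead; the temporary directory layout and the `demo` helper are constructed for this example.

```python
import os
import shutil
import subprocess
import tempfile


def resolve_command(cmd, path):
    """First executable named cmd when PATH is searched left to right (what the backup binary runs)."""
    return shutil.which(cmd, path=path)


def hijack_candidates(cmd, path):
    """Writable PATH directories searched *before* the one that really provides cmd.
    A privileged program calling the bare name runs whatever is dropped into any of them."""
    real = resolve_command(cmd, path)
    if real is None:
        return []
    real_dir = os.path.realpath(os.path.dirname(real))
    risky = []
    for entry in path.split(os.pathsep):
        d = entry or os.curdir  # an empty PATH entry means "current directory"
        if os.path.realpath(d) == real_dir:
            break
        if os.path.isdir(d) and os.access(d, os.W_OK):
            risky.append(d)
    return risky


def safe_cat(filename):
    """Hardened invocation: absolute program path and a fixed environment, so the caller's PATH is irrelevant."""
    proc = subprocess.run(["/bin/cat", filename], env={"PATH": "/usr/bin:/bin"},
                          capture_output=True, check=False)
    return proc.returncode


def demo():
    """Constructed scenario mirroring the post: a writable tmp dir is prepended to a PATH whose bin dir has the real cat."""
    base = tempfile.mkdtemp()
    writable, trusted = os.path.join(base, "tmp"), os.path.join(base, "bin")
    os.makedirs(writable)
    os.makedirs(trusted)
    real_cat = os.path.join(trusted, "cat")
    with open(real_cat, "w") as f:
        f.write('#!/bin/sh\nexec /bin/cat "$@"\n')
    os.chmod(real_cat, 0o755)
    before = trusted + os.pathsep + writable   # trusted directory searched first
    after = writable + os.pathsep + trusted    # same effect as export PATH=/tmp:$PATH
    return {"real_cat": real_cat, "writable": writable,
            "resolved": resolve_command("cat", after),
            "safe_order": hijack_candidates("cat", before),
            "hijacked_order": hijack_candidates("cat", after)}
```

Run `hijack_candidates("cat", os.environ["PATH"])` as the unprivileged user on a host to see whether a setuid helper that calls the bare name `cat` is exposed there.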