LAZY
- Layout for this exercise:
data:image/s3,"s3://crabby-images/71d7b/71d7b2e98c4a6e23223656d0334bb03930a4a362" alt=""
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Lazy from the Hack The Box pentesting platform:
https://www.hackthebox.eu/
2 - ENUMERATION
- Lazy's IP is 10.10.10.18:
data:image/s3,"s3://crabby-images/094de/094de0b5b410da6ba697a6037b4e0223feb68283" alt=""
- Scanning with Nmap:
data:image/s3,"s3://crabby-images/6c582/6c58269254825ea84b9cd276a8c6f06286001508" alt=""
data:image/s3,"s3://crabby-images/9594f/9594f4cb1ace9b5ed3d22aff1ed907d03b81a898" alt=""
- Dirbusting:
data:image/s3,"s3://crabby-images/b2a8c/b2a8cd9256c960b693b80c1659ca7378f4af4db7" alt=""
data:image/s3,"s3://crabby-images/d5973/d597397b453249635d57acf10882e063fc1adaf1" alt=""
- Going to /classes/auth.php we discover a potential user called admin:
data:image/s3,"s3://crabby-images/af0ce/af0ce1e361c2323a3f7b85a3cf0ad36e0d3aa6e6" alt=""
data:image/s3,"s3://crabby-images/80132/801322658fb232bea74adca692be1ae14d36397a" alt=""
- Connecting to the web server, we confirm that the user admin exists: when we try to register admin, the answer is that the user already exists:
data:image/s3,"s3://crabby-images/33c38/33c388599c602541f7ce220c34439617f7994922" alt=""
data:image/s3,"s3://crabby-images/27270/27270b8955f3ba91cfd26cde3621ad013bd701ba" alt=""
data:image/s3,"s3://crabby-images/83a8a/83a8aad09dc655e4a5c3b306d391ad551c9f4ba5" alt=""
3 - EXPLOITATION
3.1 - Intercepting with Burp
data:image/s3,"s3://crabby-images/e3d05/e3d059d2ce859bed2ff69103c8dadb94da96be0e" alt=""
data:image/s3,"s3://crabby-images/f4d30/f4d30f148e72f9e5b4482d559896e4cf019faeb7" alt=""
- Let's intercept the login of the user whitelist (password 12345) with Burp:
data:image/s3,"s3://crabby-images/12e32/12e32213bece2b6e3ae10bf9ba3e46b44ac2d9da" alt=""
data:image/s3,"s3://crabby-images/2a6d3/2a6d38187caa0e5eb350091861df49760818f8a0" alt=""
- Clicking Forward, the authentication cookie is displayed:
data:image/s3,"s3://crabby-images/ffa5c/ffa5c221d75d7abfed4b361886e1188daf59a998" alt=""
- Sending the request to Repeater, removing the % character and clicking Go, the response is Invalid padding:
data:image/s3,"s3://crabby-images/f86cb/f86cb4957841eb1dec9a71732a607ff7900de0f2" alt=""
3.2 - Padding oracle attack
- The Invalid padding response suggests a possible padding oracle attack.
- A padding oracle attack uses a server's padding-validation responses for a cryptographic message to decrypt the ciphertext without knowing the key.
- For further explanation:
https://en.wikipedia.org/wiki/Padding_oracle_attack
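As an added illustration (not part of the original writeup), the toy cookie scheme below shows why a distinguishable Invalid padding response matters: leaky_check decrypts a CBC cookie and names padding failures separately, which is the oracle, while hardened_check verifies an HMAC tag in constant time before decrypting, so every tampered cookie gets the same answer. The block cipher is a constructed XOR stand-in and all keys and values are constructed.

```python
import hashlib, hmac, secrets

BLOCK = 8  # constructed toy block size (AES-CBC would use 16)
def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):
    # PKCS#7 check: this exception is exactly what a padding oracle leaks
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("Invalid padding")
    return data[:-n]
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
# Constructed, insecure stand-in for a block cipher (XOR with an 8-byte key);
# it keeps the CBC chaining structure that the oracle depends on.
def cbc_encrypt(plain, key, iv):
    out, prev = b"", iv
    for i in range(0, len(plain), BLOCK):
        prev = _xor(_xor(plain[i:i + BLOCK], prev), key)
        out += prev
    return out
def cbc_decrypt(ct, key, iv):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(_xor(ct[i:i + BLOCK], key), prev)
        prev = ct[i:i + BLOCK]
    return out
def make_cookie(user, enc_key, mac_key):
    # Encrypt-then-MAC layout: iv || ciphertext || HMAC-SHA256(iv || ciphertext)
    iv = secrets.token_bytes(BLOCK)
    body = iv + cbc_encrypt(pad(user), enc_key, iv)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()
def leaky_check(cookie, enc_key):
    # Vulnerable: ignores the tag, decrypts, and names the padding failure, so a
    # tampered cookie gets "ok" or "Invalid padding" depending only on its padding
    body = cookie[:-32]
    try:
        unpad(cbc_decrypt(body[BLOCK:], enc_key, body[:BLOCK]))
        return "ok"
    except ValueError:
        return "Invalid padding"
def hardened_check(cookie, enc_key, mac_key):
    # Fixed: constant-time tag check before any decryption; any tampering -> None
    body, tag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None
    return unpad(cbc_decrypt(body[BLOCK:], enc_key, body[:BLOCK]))
```

Flipping one byte of the first ciphertext block changes the last plaintext byte, so the leaky check answers differently depending on whether the result happens to be valid padding, while the hardened check rejects both modifications identically.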
- padbuster is an automated script for performing this type of attack:
https://github.com/GDSSecurity/PadBuster
https://tools.kali.org/web-applications/padbuster
data:image/s3,"s3://crabby-images/de47a/de47ab0b135565a51c09a5f7553393c171a1ebe4" alt=""
- Providing ID# equal to 2:
data:image/s3,"s3://crabby-images/a7df5/a7df5ddb1059aa0f6fc314012af03c3512f4a09d" alt=""
data:image/s3,"s3://crabby-images/1b115/1b1155bc06bc441236029379f86e5556bf1c106d" alt=""
- Running padbuster again, this time with user=admin as the option:
data:image/s3,"s3://crabby-images/022ec/022ecfa8317852cae31d0cd5138fe6634dce2853" alt=""
data:image/s3,"s3://crabby-images/dc82d/dc82d1a89ba5333d262babb269ee5ca46830b5c2" alt=""
- Finally we get the authentication cookie for user admin:
data:image/s3,"s3://crabby-images/9ad71/9ad71ccc0570283d54b2c263e1fd6df7658eb945" alt=""
- Replacing the original authentication cookie and clicking Forward:
data:image/s3,"s3://crabby-images/570aa/570aa188f96a4a0bcb26f1bb6286119fa38015c2" alt=""
- Clicking Forward again, the admin authentication finally succeeds:
data:image/s3,"s3://crabby-images/e7c46/e7c46dddbf11e66547230e3c472cff8d5e7c538a" alt=""
- There is a message about an SSH key; simply clicking My Key returns an RSA private key:
data:image/s3,"s3://crabby-images/5da1c/5da1c3f3352783f89a9a9a7e726c1e397c2e7fee" alt=""
data:image/s3,"s3://crabby-images/d3a11/d3a117bb8c179ba92b6211cfd64fe9a048e915c6" alt=""
- The URL shows that the SSH key belongs to the user mitsos:
data:image/s3,"s3://crabby-images/2df71/2df7146afa71869b71bf7d2a632172e8fa3d83e0" alt=""
- Storing the SSH key locally:
data:image/s3,"s3://crabby-images/9ad97/9ad9769f3b37dd51e38022d2808fb19b1e9c6320" alt=""
- Using that key, the SSH connection fails because the permissions on the key file are too open:
data:image/s3,"s3://crabby-images/17332/17332ad67d31fe48aceb15eab40038f3f845dd06" alt=""
- Changing the permissions so that the owner can read and write:
data:image/s3,"s3://crabby-images/2aac5/2aac55e72f1f50ab4ccbf21e63c1c5e7e89a6614" alt=""
- Now the SSH connection succeeds and we get a remote shell:
data:image/s3,"s3://crabby-images/0a985/0a9853d78059ac0ffa34c4d4953320e4935b209b" alt=""
data:image/s3,"s3://crabby-images/922fb/922fb83938122c88d0c657911b00e3fe0a87fff3" alt=""
4 - CAPTURING THE 1st FLAG
- Finding the 1st flag is easy:
data:image/s3,"s3://crabby-images/99396/993961007f0012350bcd17336ae1a5e4e04e9459" alt=""
- Reading user.txt:
data:image/s3,"s3://crabby-images/b5dce/b5dce2db399b6a4dd0c0f260d7ae9b4c2d79d730" alt=""
5 - PRIVILEGE ESCALATION
- The file backup is owned by root and has the SUID and SGID bits set:
data:image/s3,"s3://crabby-images/1f3fd/1f3fdb8493f8e18118cf7084a3319908f54868b8" alt=""
data:image/s3,"s3://crabby-images/2610a/2610a484c0c5417ef92e7dd1661cf30a7ee58659" alt=""
- Running backup displays the file /etc/shadow:
data:image/s3,"s3://crabby-images/83123/83123bb08357b2246ecc94a4149b3113dc23781e" alt=""
- Also /etc/passwd is available:
data:image/s3,"s3://crabby-images/6302e/6302e72af911be810126d2c9fe6bd18ccc23c581" alt=""
- Cracking the hashes with John the Ripper would be one option; however, we will follow an alternative privilege escalation path.
- Running strings on backup shows that the command cat /etc/shadow is executed every time backup is run:
data:image/s3,"s3://crabby-images/53b05/53b054d4ae62646714bbae884198d5a7ecbafe8b" alt=""
- The command cat is not invoked with its full path (/bin/cat), which means the binary is vulnerable to PATH hijacking: the PATH environment variable can be changed to point at the local or working directory, so whatever executable named cat is found there runs first.
- Creating a replacement cat that spawns a shell (with root privileges, because backup runs as root), making it executable, and finally setting PATH to the working directory (/tmp in this case):
data:image/s3,"s3://crabby-images/63a9c/63a9c025a48429b8af6270b81f84a8fccfaa873a" alt=""
- Running backup again now gives us a remote root shell:
data:image/s3,"s3://crabby-images/7a684/7a684916d10bd71f6662bbbe3dfa5a5d1a9bd7c8" alt=""
6 - CAPTURING THE 2nd FLAG
- Reading root.txt (note that the full path /bin/cat is now specified, since a bare cat would resolve to the replacement in /tmp):
data:image/s3,"s3://crabby-images/252bf/252bf42199879964e55af65d07f54b2a859fe51d" alt=""