HACKTHEBOX MACHINES

HTB [LaCasaDePapel]


#vsftpd#ssl#memcache

RECON

Port Scan 

PORT    STATE SERVICE  REASON  VERSION
21/tcp  open  ftp      syn-ack vsftpd 2.3.4
22/tcp  open  ssh      syn-ack OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 03e1c2c9791ca66b51348d7ac3c7c850 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNzmarvyIINA+hjsLo2xYn1PUyzuTflhtXQs8S1Z56FzbdzXs6FiwhoRGn63XuGCHqCfEzHmh1cg4HGLfGAMwe+AsdJ8hLd/ISNRECH8yvM+9k78Aio3pe+lYbiWSQWyJrQdeqJXyDJFSd6BR3Cr6/rwSvE7N3eWeQvxS+fsg5HOER6n8SOnXvqpWYUo+XmZxGzmluNfsqoJ6doJCyW3X4sTImTlpmRmee6iseo9neZO18aHsARxlkHCqUhp1SBzIiik3DurtH1tgrn8ntfNiK3q0FZJmh9qzu0P/L50j8bzlJdvAsLuqbYmVZhqFs0JfBVdyVTFMn4O0J+IqRrXAF
|   256 41e495a3390b25f9dadebe6adc59486d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNli8Xx10a0s+zrkT1eVfM1kRaAQaK+a/mxYxhPxpK0094QFQBcVrvrXb3+j4M8l2G/C9CtQRWVXpX8ajWhYRik=
|   256 300bc6662b8f5e4f2628750ef5b171e4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2uNaKo2PK5cMci4E7dNWQ6ipiEzG3cWUR56qqMZqYR
80/tcp  open  http     syn-ack Node.js (Express middleware)
|_http-favicon: Unknown favicon MD5: 621D76BDE56526A10B529BF2BC0776CA
|_http-title: La Casa De Papel
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
443/tcp open  ssl/http syn-ack Node.js Express framework
| tls-nextprotoneg:
|   http/1.1
|_  http/1.0
|_ssl-date: TLS randomness does not represent time
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 621D76BDE56526A10B529BF2BC0776CA
| tls-alpn:
|_  http/1.1
|_http-title: La Casa De Papel
| ssl-cert: Subject: commonName=lacasadepapel.htb/organizationName=La Casa De Papel
| Issuer: commonName=lacasadepapel.htb/organizationName=La Casa De Papel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-01-27T08:35:30
| Not valid after:  2029-01-24T08:35:30
| MD5:   6ea4933aa347ce508c405f9b1ea88e9a
| SHA-1: 8c477f3e53d8e76b4cdfeccaadb60551b1b638d4
| -----BEGIN CERTIFICATE-----
| MIIC6jCCAdICCQDISiE8M6B29jANBgkqhkiG9w0BAQsFADA3MRowGAYDVQQDDBFs
| YWNhc2FkZXBhcGVsLmh0YjEZMBcGA1UECgwQTGEgQ2FzYSBEZSBQYXBlbDAeFw0x
| OTAxMjcwODM1MzBaFw0yOTAxMjQwODM1MzBaMDcxGjAYBgNVBAMMEWxhY2FzYWRl
| cGFwZWwuaHRiMRkwFwYDVQQKDBBMYSBDYXNhIERlIFBhcGVsMIIBIjANBgkqhkiG
| 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3M6VN7OD5sHW+zCbIv/5vJpuaxJF3A5q2rV
| QJNqU1sFsbnaPxRbFgAtc8hVeMNii2nCFO8PGGs9P9pvoy8e8DR9ksBQYyXqOZZ8
| /rsdxwfjYVgv+a3UbJNO4e9Sd3b8GL+4XIzzSi3EZbl7dlsOhl4+KB4cM4hNhE5B
| 4K8UKe4wfKS/ekgyCRTRENVqqd3izZzz232yyzFvDGEOFJVzmhlHVypqsfS9rKUV
| ESPHczaEQld3kupVrt/mBqwuKe99sluQzORqO1xMqbNgb55ZD66vQBSkN2PwBeiR
| PBRNXfnWla3Gkabukpu9xR9o+l7ut13PXdQ/fPflLDwnu5wMZwIDAQABMA0GCSqG
| SIb3DQEBCwUAA4IBAQCuo8yzORz4pby9tF1CK/4cZKDYcGT/wpa1v6lmD5CPuS+C
| hXXBjK0gPRAPhpF95DO7ilyJbfIc2xIRh1cgX6L0ui/SyxaKHgmEE8ewQea/eKu6
| vmgh3JkChYqvVwk7HRWaSaFzOiWMKUU8mB/7L95+mNU7DVVUYB9vaPSqxqfX6ywx
| BoJEm7yf7QlJTH3FSzfew1pgMyPxx0cAb5ctjQTLbUj1rcE9PgcSki/j9WyJltkI
| EqSngyuJEu3qYGoM0O5gtX13jszgJP+dA3vZ1wqFjKlWs2l89pb/hwRR2raqDwli
| MgnURkjwvR1kalXCvx9cST6nCkxF2TxlmRpyNXy4
|_-----END CERTIFICATE-----
Service Info: OS: Unix
  • Four ports opened, anonymous login was disabled in FTP

Web Enumeration

  • It’s a nodejs application

  • Scanning the QR code gives us this link

  • I used that form to Get Free Trial, this time our link changes (see below)

  • We have an endpoint called /qrcode and they’re passing ?qurl to it to render the QR code image
  • That’s dynamically generated using our email & token

  • I Visited /qrcode page manualy, it reveals the user’s home directory with a bunch of error messages
  • That makes sense, coz you can see the above request to /qrcode (See that burp suite pic above) sends a parameter qurl to render the image
  • They’re using otpauth here
  • You can visit the above like to see the package info, and here’s the documentation
  • But nothing interesting with this

HTTPS

  • We have some certificate error, and we need to provide certificate to access this page ig
  • Looking at the nmap result again, tells us that we missed vsftpd 2.3.4, which is vulnerable to Backdoor Command Execution
  • We’re going to exploit this manually

INITIAL FOOTHOLD

  • First we need to use ftp to login as usual
  • The creds is our choice no matter what we’re going to input

  • Just add a :) smiley at the end of your username
  • This will trigger the backdoor, and we can connect to it on port 6200 on the machine

  • We can execute normal commands, but system is blocked there!!

  • But we can use alternate functions to achieve our goal

  • There are 5 users in this box

  • We don’t have permissions to view the contents of user.txt

  • There’s a public key in dali’s .ssh folder

  • This is the file that contains ssl certificates
  • Let’s copy this to our local
  • First we need to generate a cert.pem with this key

Generate Certificate 

openssl s_client -showcerts -connect 10.10.10.131:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > ca.crt


  • First download the cert from browser

  • Create a new private key for the server using openssl

  • Generate a CSR using the private key

  • Now we can obtain the certificate

  • No more cert errors, that path looks interesting, hope we can do LFI using that!

  • I’ve used ?path parameter with SEASON-1 value, it returned me a bunch of .avi file links
  • The file/<some encoded string> that looks like base64

  • Yes it is!!

LFI

  • Cool it works, now let’s try to get the id_rsa key’s of the users

  • We got the id_rsa key but it haven’t worked for berlin

  • Instead it worked for professor!

PRIVESC

  • This process gets executed often, coz this memcached program is supervisord process it will continue to run until it is stopped or restarted (like cron)

  • If we change this we can create our own memcached.ini file
  • And that will get executed by root


[program:memcached]
command = chmod u+s /bin/bash


  • After few minutes we can root it by bash -p ezpz

Hack The Box

It would be appreciated if you give me a respect+ on HTB