HackTheBox Writeup — LaCasaDePapel

Hello Guys , I am Faisal Husaini. My username on HTB is “faisalelino” .

The IP of this box is 10.10.10.131

NMAP Results

We can see 3 ports open , Port 21 running ftp version vsftpd 2.3.4 , Port 22 running OpenSSH 7.9 and Port 80 running Node.js http service and Port 443 running ssl for Node.js

Exploiting vsftpd 2.3.4

As you may remember , there was a famous exploit for vsftpd 2.3.4 in metasploit which used to gave us direct shell , but in this case metasploit doesnt work , so we will do it manually

We have to login to ftp and put a smiley like “:)” at the end of whatever username you want to give and any password , this will trigger the backdoor running on Port 6200 , don’t worry if you dont know about it , I will provide a resource at the end of this writeup

So we login through FTP as told above

As soon as we enter the password , this gets stuck , so we will cancel this using CTRL+C and then connect to port 6200 using netcat

So we got connected and the shell is activated , we see that it is a Psy Shell v0.9.9 and I dont have any idea about it , so I googled and checked its official website , and then we use the “help” command to see the things we can do

We get a bunch of commands , we use the “ls” command to list the variables

We get only one variable , let’s see what does it contain using the “show” command followed by the variable name

So we see some codes , and the most interesting thing here is the $caKey variable which contains the contents of a particular ca.key

We try to get the contents of that ca.key file to our screen

We got it on screen , but see some “/n”s on it , let’s copy it to a file and make it clear

We are done and save it to a file named ca.key

Now we go and check the port 443 which runs ssl or https for the web server

It says connection is not secure as the website uses invalid security certificate , so we Add Exception and move further to see what happens

We get the page and a certificate error saying “Sorry , but you need to provide a client certificate to continue

We got the ssl ca.key file , from which we can create a client ssl certificate and then access , but first we export the certificate this website is using

Now we got the certificate , which we saved as “ca.cer” , now we will create Client SSL Certificate using openssl

Generating a Client SSL Certificate

  1. Generate a private key for the SSL client

2. Use the client’s private key to generate a cert request.

The details I filled same as from the certificate

3. Issue the client certificate using the cert request and the CA cert/key.

4. Convert the client certificate and private key to pkcs#12 format for use by browsers.

Here , I didnt provide any password as this was for the CTF purpose

5. Clean up — remove the client private key, client cert and client request files as the pkcs12 has everything needed.

So , we are all done creating the SSL Certificate

Now, import the .p12 file into your browser. On Windows you can double click the file to import into the operating system’s keystore that will be used by IE and Chrome. For Firefox, open the Options -> Advanced -> Certificates -> View Certificates -> Your Certificates and import the certificate.

Now , we click on Import and Import our file

Click OK and we are done!

Now, visit your website with the browser where you imported the client certificate. You’ll likely be prompted for which client certificate to use — select it. Then you’ll be authenticated and allowed in!

This will look similar to this , and then we click OK

As we can see , we got no certificate error like before

Digging More Into HTTPS

So , we got access to the page now without the certificate and it looks something like this

We see something as “Private Area” with two links “Season-1” and “Season-2” and it asks to Select a season , so we trying selecting both and see what it does

On clicking on Season-1 , we get

A list of bunch of .avi files , lets try to get one of them

We see that its a plaintext documents of 0 bytes , means having nothing in it , and if you check the sourcecode of this page , all the links lead to same directory and has nothing , so its a waste of time trying to download each and every file of it

If we see the URL , we see something interesting

It has ?path=something , which might be potential to LFI , lets try putting /etc/passwd instead of SEASON-1

We see some kind of error , let’s check the source code

If we scroll down , we see that our /etc/passwd was passed on /home/berlin/downloads/ folder , which might be the location to get the contents from ?path parameter

So we try to go back to root directory to check the contents of /etc/passwd by putting ../../../etc/passwd

We still get that error , but we see that the server appends a / at the end of whatever we put in the path parameter , so let’ s try to see if it does list the directory files , here we will try to list out the directory files of user berlin

We just put a ../ to see that

We can see it lists the files and directories under the berlin folder , the user.txt flag is also located here but we cant get the files as it appends / at the end and also putting null byte injection or path truncation is not useful here

So we got and check how the server provides us the Season-01 avi files which we saw before

As we see that it provides us as the format /file/(base64 encoded) , we try to decode that base64 encoded string

We see its just encodes the location of the file in the downloads folder of berlin user , so all we have to do is to encode the location of the ssh key of berlin use to base64 and get it using the https://10.10.10.131/file/(encoded base64 string)

So we encoded our directory and now we are ready to download our ssh key

We see that we get prompted to download the id_rsa file which we wanted to download , so now we save it to our box and then try to connect berlin user through ssh

We see that we are being asked for password which is totally strange

If we look for more users through LFI , we see

We see alot of users , so we try the key on the user “professor”

Voila! We got in !! Time to get user.txt flag

As we can see we dont have permission to read user flag as user professor

So we ran pspy and saw something interesting running as cron

We see that its running a command which is provided under memcached.ini file

So we see that the command in memcached.ini is running as cron , let’s try to edit it and try to get reverse shell

But first we renamed the original memcached.ini file to something and create our new one

Also we add our shell as shell.sh here

And now we put our netcat listener on

Boom! We got shell and we got shell as Root!

User and Root Flags

We saw earlier that user flag was located under /home/berlin/user.txt

Also , the root flag on Linux boxes on HTB are located under /root/roo.txt

So , here is the box , if you enjoyed , then do leave 50 claps :)

Resources I Used While Solving This Box

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store