HackTheBox Writeup — LaCasaDePapel
Hello guys, I am Faisal Husaini. My username on HTB is “faisalelino”.
The IP of this box is 10.10.10.131
NMAP Results
We can see 3 ports open: port 21 running FTP (vsftpd 2.3.4), port 22 running OpenSSH 7.9, port 80 running a Node.js HTTP service and port 443 running SSL for the same Node.js service.
Exploiting vsftpd 2.3.4
As you may remember, there was a famous exploit for vsftpd 2.3.4 in Metasploit which used to give us a direct shell, but in this case Metasploit doesn't work, so we will do it manually.
We have to log in to FTP and put a smiley like “:)” at the end of whatever username you want to give, with any password; this will trigger the backdoor listening on port 6200. Don't worry if you don't know about it, I will provide a resource at the end of this writeup.
So we log in through FTP as described above.
As soon as we enter the password, the session hangs, so we cancel it with CTRL+C and then connect to port 6200 using netcat.
So we are connected and the shell is activated; we see that it is a Psy Shell v0.9.9 and I didn't have any idea about it, so I googled and checked its official website, and then we use the “help” command to see what we can do.
We get a bunch of commands; we use the “ls” command to list the variables.
We get only one variable; let's see what it contains using the “show” command followed by the variable name.
So we see some code, and the most interesting thing here is the $caKey variable, which contains the contents of a particular ca.key.
We try to get the contents of that ca.key file onto our screen.
We got it on screen, but see some “\n” sequences in it, so let's copy it to a file and clean it up.
We are done and save it to a file named ca.key.
Now we go and check port 443, which runs SSL or HTTPS for the web server.
It says the connection is not secure as the website uses an invalid security certificate, so we Add Exception and move further to see what happens.
We get the page and a certificate error saying “Sorry, but you need to provide a client certificate to continue”.
We have the CA's ca.key file, from which we can create a client SSL certificate and then get access, but first we export the certificate this website is using.
Now we have the certificate, which we saved as “ca.cer”; now we will create a client SSL certificate using openssl.
Generating a Client SSL Certificate
1. Generate a private key for the SSL client:
    openssl genrsa -out client.key 4096
2. Use the client's private key to generate a certificate request:
    openssl req -new -key client.key -out client.req
I filled in the same details as in the server's certificate.
3. Issue the client certificate using the certificate request and the CA cert/key:
    openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out client.cer
4. Convert the client certificate and private key to PKCS#12 format for use by browsers:
    openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
Here I didn't provide any password as this was for CTF purposes.
5. Clean up — remove the client private key, client cert and client request files, as the PKCS#12 file has everything needed:
    rm client.key client.cer client.req
So, we are all done creating the SSL certificate.
Now, import the .p12 file into your browser. On Windows you can double-click the file to import it into the operating system's keystore, which is used by IE and Chrome. For Firefox, open Options -> Advanced -> Certificates -> View Certificates -> Your Certificates and import the certificate.
Now, we click on Import and import our file.
Click OK and we are done!
Now, visit the website with the browser where you imported the client certificate. You'll likely be prompted for which client certificate to use; select it. Then you'll be authenticated and allowed in!
This will look similar to this, and then we click OK.
As we can see, we get no certificate error like before.
Digging More Into HTTPS
So, we have access to the page now without the certificate error, and it looks something like this:
We see something like “Private Area” with two links, “Season-1” and “Season-2”, and it asks us to select a season, so we try selecting both and see what it does.
On clicking Season-1, we get
a list of a bunch of .avi files; let's try to get one of them.
We see that it's a plaintext document of 0 bytes, meaning it has nothing in it, and if you check the source code of this page, all the links lead to the same directory and contain nothing, so it's a waste of time trying to download each and every file.
If we look at the URL, we see something interesting.
It has ?path=something, which might be vulnerable to LFI, so let's try putting /etc/passwd instead of SEASON-1.
We see some kind of error; let's check the source code.
If we scroll down, we see that our /etc/passwd was appended to the /home/berlin/downloads/ folder, which is probably the location the ?path parameter's contents are read from.
So we try to go back to the root directory to check the contents of /etc/passwd by putting ../../../etc/passwd.
We still get that error, but we see that the server appends a / at the end of whatever we put in the path parameter, so let's see whether it lists directory contents; here we will try to list the files in user berlin's home directory.
We just put a ../ to see that.
We can see it lists the files and directories under the berlin folder; the user.txt flag is also located here, but we can't get the files as the server appends / at the end, and null byte injection or path truncation is not useful here either.
So we go back and check how the server provides the Season-1 .avi files we saw before.
As we see, it provides them in the format /file/(base64 encoded), so we try to decode that base64-encoded string.
We see it just encodes the location of the file in the downloads folder of the berlin user, so all we have to do is base64-encode the location of berlin's SSH key and fetch it using https://10.10.10.131/file/(encoded base64 string).
So we encoded our path and now we are ready to download the SSH key.
We see that we get prompted to download the id_rsa file we wanted, so now we save it to our box and then try to connect as the berlin user through SSH.
We see that we are being asked for a password, which is totally strange.
If we look for more users through the LFI, we see
a lot of users, so we try the key on the user “professor”.
Voila! We got in! Time to get the user.txt flag.
As we can see, we don't have permission to read the user flag as user professor.
So we ran pspy and saw something interesting running as a cron job.
We see that it's running a command which is provided in the memcached.ini file.
So we see that the command in memcached.ini is run by cron; let's try to edit it and get a reverse shell.
But first we rename the original memcached.ini file to something else and create our new one.
We also add our shell as shell.sh here.
And now we start our netcat listener.
Boom! We got a shell, and we got it as root!
User and Root Flags
We saw earlier that the user flag was located under /home/berlin/user.txt.
Also, the root flag on Linux boxes on HTB is located under /root/root.txt.
So, here is the box; if you enjoyed it, then do leave 50 claps :)