Let’s get started !!

LEVEL: Medium

Enumeration

This is the initial stage !

COMMAND: nmap -sC -sV -oN lazy 10.10.10.18

Nmap-Scan

As we can see port 22 and 80 are open!
Let’s check the webserver on port 80 .

URL: http://10.10.10.18

I register the new user with username exp1o1t9r and a random password.

After this attempt to login, we will intercept the request with Burp Suite to see the parameters.

Here we can see that there are one cookie with setup called Auth cookie. We can definitely play with the Auth cookie to see what the value is behind it, as it is something non-default.

Below, I have just changed the value of the Auth cookie to exp1o1t9r and the error message we got is invalid padding. Great! This means it is vulnerable to the Oracle Padding Attack. A great explanation of this attack and how it can be automated with Padbuster can be found here

Padbuster is available in kali linux.

Let’s use the tool to decrypt the auth value!!

COMMAND: padbuster http://10.10.10.18/login.php <<cookie-value>> 8 -cookies auth=<<cookie-value>> -encoding 0

Below, we can see that Padbuster reveals that the auth cookie is a combination of user=exp1o1t9r.

Now we will have to use the encryption feature of Padbuster as well, since we can apply the same pattern to user=admin and obtain the auth cookie and then pass it in the parameters to bypass login. To do so, we have to provide it with plaintext, which is user=admin, sample value and the request parameter.

COMMAND: padbuster http://10.10.10.18/login.php <<cookie-value>> 8 -cookies auth=<<cookie-value>> -encoding 0  -plaintext user=admin

Now we have got the encrypted value.

Let’s pass this value with the help of burpsuite interceptor on auth value.

On replacing the auth value, we succedfully logined as admin and we can see there is a hyperlink says MYKEY.

We can see there is an ssh key.

We will copy and save it as id_rsa.

Change the permissions of id_rsa as below!

COMMAND: chmod 400 id_rsa

Now we can login to ssh with the help of the ssh key and user mitsos.

COMMAND: ssh mitsos@10.10.10.18 -i id_rsa

We see there is a executable file named backup in the directory.

Let’s check it.

COMMAND: ./backup

Running strings on the backup utility reveals that it references the cat command without the actual path to the binary.

COMMAND: strings backup

In order to exploit this, we can create a temp file named cat in the temp directory. The code for the cat binary is below.
#!/bin/sh
/bin/sh

We’ll make it executable with chmod.

COMMAND: chmod +x cat

Now we have to make sure that our custom-created file gets picked up instead of the default one. In order to achieve this, we have to change the PATH variable and point it to search from /tmp, as below.

COMMAND: echo $PATH

Now running the backup utility runs our custom cat binary, and since the backup is owned by root, the code inside our custom cat command gets executed and spawns a root shell.
./backup

And now we can see the contents of the root.txt file.
cat root.txt

If you like my writeup, Give me Respect on my HTB profile: Exp1o1t9r

LEAVE A REPLY

Please enter your comment!
Please enter your name here