LaCasaDePapel — HTB walkthrough

Dhanishtha Awasthi
Jul 21, 2020


ENUMERATION

Nmap Scan

HTTP 80 ENUMERATION

Gobuster scan & Nikto Scan

Gobuster Scan
Nikto Scan

Did not get anything, so I decided to run a full-port scan.

HTTPS ENUMERATION

Visiting the website, I see that a client certificate is required.

We will come back to port 443; let’s first enumerate the other ports.

FTP ENUMERATION

We see that the vsftpd exploit above gives a shell on port 6200 on successful exploitation, and port 6200 is open on the target, so we can exploit this vulnerability. We won’t use Metasploit.

Researching the exploit, we see the vulnerability in vsftpd: if a user whose name contains :) logs in, a shell is opened on port 6200.

On your machine, connect to FTP with any username that contains :).

PORT 6200 ENUMERATION

After logging in to FTP with a username containing :), connecting to port 6200 via netcat shows psysh, a REPL that runs PHP commands and serves as a PHP debugger.

Type help to learn more about the available commands.

Enumerating the psysh commands further, we can run scandir to list the contents of a directory.

Failed to list the contents of /root, but able to enumerate /home.
In /home/nairobi we find a certificate key.

Now we see that we have the key for the CA (certificate authority), and we can use it to connect to the HTTPS port.

We now create our own certificate using openssl.

Request an x509 certificate, passing the CA key, signed with sha256, valid for 1024 days, and save it to a file named offs3cg33k.pem.

Export the PEM file to P12.

PEM, or Privacy Enhanced Mail, is a Base64-encoded DER certificate. PEM certificates are frequently used for web servers because they can easily be read in a simple text editor. Generally, when a PEM-encoded file is opened in a text editor, it has very distinct headers and footers.

A .p12 file contains a digital certificate that uses PKCS#12 (Public Key Cryptography Standard #12) encryption. It is used as a portable format for transferring personal private keys and other sensitive information. P12 files are used by various security and encryption programs.

P12 vs. PEM

PKCS12 — A Microsoft private standard, later defined in an RFC, that provides enhanced security versus the plain-text PEM format. It can contain private key material. It is used preferentially by Windows systems and can be freely converted to PEM format with openssl. DER — The parent format of PEM.

Now import this file in your web browser. Mozilla → Preferences → Privacy → View Certificates → Your Certificates → Import.

Allow the certificate.
I see .ssh but cannot access it on season2.
Cannot access the private key files.
On season1, clicking 01.avi downloads it directly, but opening it in a new tab shows the URL change.

Decoding the URL gives the name of the season, so we can encode the path to ssh/id_rsa to gain access to the keys.

Downloading this shows nothing, because we did it wrong.
Encode /.ssh/id_rsa

Download the file and SSH in.

PRIVILEGE ESCALATION

There are files named memcached.ini and memcached.js that are owned by root. Let’s check what they do.

Looking at what is in memcached.ini, it runs memcached.js as user nobody.

So I tried to edit it. Neither file was editable. So I thought of replacing the file with a new one, one I can put reverse shell code in. Why? Because although the file is owned by root, it sits in professor’s home directory, which we have write access to.

I made a new memcached.ini and put reverse shell code in it, like this.

This file is now owned by professor but is read by root, so it returns a root shell to us within a few minutes. On netcat we see,
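The condition this privilege escalation relies on, a root-consumed file living under a directory an unprivileged user owns, is something a defender can audit directly. The check below is an added example and not code from the original walkthrough; uid 1000 for professor, /etc as the safe location, and the function names are assumptions.

```python
import os
import stat
from typing import List, Tuple
# One filesystem component: (path, owner uid, st_mode). Ordered root-first.
Entry = Tuple[str, int, int]

def audit_chain(chain: List[Entry], trusted_uids=(0,)) -> List[str]:
    """Return findings for a file root will consume; empty means it is safe.

    An untrusted owner of any directory on the way can unlink the root-owned
    file beneath it and drop in their own copy, as done with memcached.ini above.
    """
    findings = []
    for path, uid, mode in chain:
        sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
        if uid not in trusted_uids:
            findings.append(f"{path}: owned by uid {uid}, who can replace it")
        # Sticky dirs (e.g. /tmp) stop others renaming or unlinking entries they do not own.
        if mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
            findings.append(f"{path}: writable by group or others (mode {oct(mode & 0o7777)})")
    return findings

def audit_path(path: str) -> List[str]:
    """Stat every component of a real path on this host and audit it."""
    chain: List[Entry] = []
    current = os.sep
    for part in os.path.realpath(path).split(os.sep):
        current = os.path.join(current, part)
        st = os.lstat(current)
        chain.append((current, st.st_uid, st.st_mode))
    return audit_chain(chain)

# Constructed chains mirroring the box layout described above; uid 1000 for
# professor is an assumption, as is /etc as the safe home for the file.
UNSAFE_CHAIN: List[Entry] = [
    ("/", 0, stat.S_IFDIR | 0o755),
    ("/home", 0, stat.S_IFDIR | 0o755),
    ("/home/professor", 1000, stat.S_IFDIR | 0o755),
    ("/home/professor/memcached.ini", 0, stat.S_IFREG | 0o644),
]
SAFE_CHAIN: List[Entry] = [
    ("/", 0, stat.S_IFDIR | 0o755),
    ("/etc", 0, stat.S_IFDIR | 0o755),
    ("/etc/memcached.ini", 0, stat.S_IFREG | 0o644),
]

if __name__ == "__main__":
    print(audit_chain(UNSAFE_CHAIN), audit_chain(SAFE_CHAIN))
```

Run audit_path on any path a cron job, supervisor or service reads as root; a non-empty result means a lower-privileged user can substitute the content.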

Got the root.txt and user.txt flags.

ROOTED!!!

Written by Dhanishtha Awasthi

OSCP | CEH | Cyber Security Enthusiast.