LAZY — HTB walkthrough
Easy if you spotted the right thing at the right time. MESSING is the key.
ENUMERATION
Visiting the site we get:
Tried the following and got nothing:
— nikto scan
— gobuster scan
— wfuzz
Let’s capture the login request in Burp to see what’s happening.
Changing the auth value, even by a single character, gives an "invalid padding" error. This is prone to a padding oracle attack.
Time to exploit.
EXPLOITATION
Referring to https://www.hackingarticles.in/hack-padding-oracle-lab/
Using padbuster: log in again and capture the response.
Now use this auth cookie with padbuster; first decrypt the Base64-encoded cookie.
Syntax: padbuster URL EncryptedSample BlockSize [options]
URL = http://10.10.10.18/login.php
Block size = 8 bytes
Cookies = auth cookie
Encoding = 0
(Encoding format of the sample, default 0: 0=Base64, 1=Lower HEX, 2=Upper HEX, 3=.NET UrlToken, 4=WebSafe Base64)
Decoding this gives us “user=n00bDi”
We need user=admin to forge the cookie, so we encrypt the same cookie with user admin instead of n00bDi. For this use padbuster as follows:
Now that we have our encrypted value it’s time to log in; for this we add our auth cookie to the login request.
Change the value of auth in the following requests too, and you will see you are logged in as admin.
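The oracle this whole section relies on is the server telling the client whether the padding of a tampered cookie was valid. The following added example, not code from the walkthrough, shows a cookie scheme that leaks this (CBC with no integrity check, the padding error returned to the client) beside the fix (encrypt-then-MAC, with the tag checked before any decryption and one generic failure for every bad cookie). The block cipher is a constructed 8-byte Feistel toy built from HMAC-SHA256, chosen so the block size matches the padbuster setting above; the keys, the cookie layout, the `tamper()` helper and the `user=n00bDi` sample plaintext are constructed for the demo.

```python
# Added example: padding-oracle-prone cookie check beside an encrypt-then-MAC
# version. The 8-byte block cipher is a constructed Feistel toy, not a real
# cipher, and the keys are constructed demo constants.
import base64
import hashlib
import hmac
import os

BLOCK = 8                       # matches the walkthrough's padbuster block size
ENC_KEY = b"constructed-enc-key"
MAC_KEY = b"constructed-mac-key"

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of (round number, half block), 4 bytes
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:4], blk[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:4], blk[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    # Raises on malformed padding: this exception is what the oracle leaks
    if not data or len(data) % BLOCK:
        raise ValueError("invalid padding")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return out

def _parse_user(pt: bytes) -> str:
    return "ok:" + pt[5:].decode("latin-1") if pt.startswith(b"user=") else "malformed"

# --- vulnerable scheme: CBC only, and the padding error is reported back ---
def make_cookie_vulnerable(user: str) -> str:
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(ENC_KEY, iv, pkcs7_pad(b"user=" + user.encode()))
    return base64.b64encode(iv + ct).decode()

def check_cookie_vulnerable(cookie: str) -> str:
    raw = base64.b64decode(cookie)
    try:
        pt = pkcs7_unpad(cbc_decrypt(ENC_KEY, raw[:BLOCK], raw[BLOCK:]))
    except ValueError:
        return "invalid padding"   # distinguishable from "malformed": the oracle
    return _parse_user(pt)

# --- hardened scheme: encrypt-then-MAC, verify first, one generic answer ---
def make_cookie_hardened(user: str) -> str:
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(ENC_KEY, iv, pkcs7_pad(b"user=" + user.encode()))
    tag = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
    return base64.b64encode(iv + ct + tag).decode()

def check_cookie_hardened(cookie: str) -> str:
    raw = base64.b64decode(cookie)
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if len(body) < 2 * BLOCK or not hmac.compare_digest(expected, tag):
        return "rejected"          # tampered input is never decrypted at all
    try:
        result = _parse_user(pkcs7_unpad(cbc_decrypt(ENC_KEY, body[:BLOCK], body[BLOCK:])))
    except ValueError:
        return "rejected"
    return result if result.startswith("ok:") else "rejected"

def tamper(cookie: str, index: int, xor_value: int) -> str:
    # XOR one raw byte of the cookie, as a single-character change would
    raw = bytearray(base64.b64decode(cookie))
    raw[index] ^= xor_value
    return base64.b64encode(bytes(raw)).decode()
```

With `user=n00bDi` the padded plaintext is two blocks and ends in five `0x05` bytes. Flipping the last byte of the first ciphertext block (raw index 15) changes the last plaintext byte: XOR with `0x01` yields `0x04` and a padding failure, XOR with `0x04` yields `0x01` and a valid pad, so the vulnerable checker answers differently for the two, which is exactly the signal padbuster depends on. The hardened checker answers "rejected" for both because the tag no longer matches. On the detection side, many login requests carrying near-identical auth cookies and producing padding errors in the application log is the pattern to alert on.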
It shows us a link to SSH keys and displays the name in the URL.
Name: mitsos; Key: id_rsa (copy the whole key into this file and give it permissions 600).
PRIVILEGE ESCALATION
We have a backup executable in our home directory with the SUID bit set.
It contains a command to cat /etc/shadow, which means it will read /etc/shadow for us. We don’t have direct access to /etc/shadow, but on running backup we can see it.
Great !!! We can do two things:
1) Exploit the cat command: the SUID program calls cat by name, so we can supply our own cat that opens /bin/sh and inherits the program’s elevated permissions.
2) Crack the password with john, using /etc/shadow and /etc/passwd.
1) To do this, follow the steps:
a) create a file named cat
b) write a command in it to execute /bin/sh
c) give the file execute permissions
d) export the PATH variable with our directory first
e) run the backup program, which now calls our cat
Since we changed PATH, we could not use the id and ls commands, because /bin was no longer on it.
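The steps above work because the SUID program runs cat by bare name and inherits the caller's PATH. As an added example, not code from the walkthrough, here is the lookup rule that makes a user-writable directory win, beside the environment handling a privileged helper should use instead: pin PATH to trusted directories, drop loader variables, and execute by absolute path. The two directories, their `cat` stand-in scripts, the PATH values and the `LD_PRELOAD` value are constructed inside a temporary directory; `TRUSTED_DIRS` is a default the demo overrides with its own temp directory so it runs anywhere.

```python
# Added example: PATH resolution as execvp/system do it, and the sanitised
# environment a SUID helper should run with. All directories, scripts and
# environment values below are constructed for the demo.
import os
import stat
import subprocess
import tempfile
from typing import Optional

TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")
ENV_ALLOWLIST = ("HOME", "LANG", "TERM")   # everything else (LD_*, etc.) is dropped

def resolve_command(name: str, path: str) -> Optional[str]:
    """First executable called `name` along `path`, in order; None if absent."""
    if "/" in name:
        return name if os.access(name, os.X_OK) else None
    for d in path.split(os.pathsep):
        cand = os.path.join(d or ".", name)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None

def sanitized_env(env: dict, trusted_dirs=TRUSTED_DIRS) -> dict:
    """Keep only allow-listed variables and force PATH to trusted directories."""
    clean = {k: v for k, v in env.items() if k in ENV_ALLOWLIST}
    clean["PATH"] = os.pathsep.join(trusted_dirs)
    return clean

def run_privileged_helper(name: str, env: dict, trusted_dirs=TRUSTED_DIRS) -> str:
    """Resolve `name` only inside trusted_dirs and run it by absolute path."""
    clean = sanitized_env(env, trusted_dirs)
    target = resolve_command(name, clean["PATH"])
    if target is None:
        raise FileNotFoundError(f"{name} not found in trusted directories")
    proc = subprocess.run([target], env=clean, capture_output=True, text=True, check=True)
    return proc.stdout.strip()

def _write_script(directory: str, name: str, message: str) -> str:
    # Constructed stand-in for a binary: a shell script that prints a marker
    p = os.path.join(directory, name)
    with open(p, "w") as f:
        f.write(f"#!/bin/sh\necho {message}\n")
    os.chmod(p, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)
    return p

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        trusted = os.path.join(tmp, "trusted")     # stands in for /bin
        writable = os.path.join(tmp, "writable")   # a directory the caller controls
        os.makedirs(trusted)
        os.makedirs(writable)
        _write_script(trusted, "cat", "real-cat")
        _write_script(writable, "cat", "fake-cat")
        # Environment as the caller sets it: writable directory first on PATH,
        # plus a loader variable (constructed value) that must not survive
        caller_env = {"PATH": writable + os.pathsep + trusted,
                      "LD_PRELOAD": "/tmp/constructed-placeholder.so",
                      "HOME": "/home/user"}
        inherited = resolve_command("cat", caller_env["PATH"])
        inherited_out = subprocess.run([inherited], env=caller_env, capture_output=True,
                                       text=True, check=True).stdout.strip()
        clean = sanitized_env(caller_env, trusted_dirs=(trusted,))
        return {
            "inherited_output": inherited_out,                  # "fake-cat"
            "clean_env_keys": sorted(clean),                    # ["HOME", "PATH"]
            "helper_output": run_privileged_helper("cat", caller_env, trusted_dirs=(trusted,)),
        }

if __name__ == "__main__":
    print(demo())
```

The contrast in `demo()` is the whole lesson: with the caller's PATH honoured, the first `cat` found is the one in the writable directory; with `sanitized_env()` applied, only the trusted directory is searched and `LD_PRELOAD` never reaches the child. Auditing a host for this class of issue means listing SUID binaries (`find / -perm -4000`) and checking, with `strings` or a disassembler, whether any of them invoke helpers by bare name without resetting the environment first.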
ROOTED !!!
2) Using john: we can see it takes an enormous amount of time, quite a waste.