Sat. Oct 24th, 2020

Pentesting Fun Stuff

following the cyber security path…

Ypuffy

# Getting started

Normally I start off with a nmap portscan and from there enumerate my way up.
But because I’m doing OSCP, I have written a program that does the enumeration for me and gives me recommendation according to its findings.
Not because I’m lazy, but normally this will save me time.

This small bash script contains a framework that uses a lot of pentesting tools in an semi-automated way.
If you really want to learn what you’re doing, you maybe wanna do all of this stuff manually. But if you know your way around Kali, this tool can save up some time.
After I’m done with OSCP this tool will be posted on GitHub for anyone interested.
Some useful information about OpenBSD LDAP security: http://puffysecurity.com/wiki/ypldap.html
When I try to connect with the webserver I get an error 400 <bad request> and my browser is reset.
But with nc I get another view:

The use of the HTML address tag is a bit odd. Because there is a public facing LDAP service I try to connect to it with JXplorer.

We got some info about user Alice.

And there is some info about user Bob.
The most useful piece of information here is the hash from Alice.
This will grant anyone access to the samba server.
To test this there is a nice tool called crackmapexec. This tool can be used to scan a network and check if the creds can be applied on several machines.
In this case it is just one machine.

It looks like it works. To connect I can use smbclient.py, found in the impacket collection.

# Remote access

This is a ppk file which is a file format used by Windows program PuTTY. To convert this key I use a tool called puttygen.

First flag. On to root.

It looks like my current user is a non-user and the only user on this system is userca.

On OpenBSD there is a command that is similar like the sudo command and that is doas. This command let you run commands as someone else.
In this case alice can run the command  ssh-keygen as userca. Maybe this will give the opportunity to generate new ssh-keys and get them signed.
Because ssh seems to be playing an important role in this scenario I took a look at the SSH server config file: /etc/ssh/sshd_config

For the AuthorizedKeysCommand and AuthorizedPrincipalsCommand there is a curl command that tries to retrieve keys from an user (placeholder %u).
There is a webserver running, but it was not accessible from the outside. What is in the config file?

Let’s see what running the curl command retrieves.

Hmmmm…..that doesn’t look right.

Much better. When using curl you need to encase the entire string in quotes for it to accept parameters.
Normally I would think this is a password for root or something similar.
But after a login try as root that didn’t work. Therefor I gues (after reading the ssh document) it’s a principal name.
I have used SSH a lot, but mostly as user when it was fully configured.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-creating_ssh_ca_certificate_signing-keys has some interesting information about the use of creating ssh keys and certificates.
So this link is a good read about creating a chain-of-trust and how to set up a SSH CA structure.
According to the sshd config file it looks like the TrustedUserCAKeys are in /home/userca/ca.pub.
I’m going to create a public key on my kali host, transport it to the remote host and sign it there with the private key from userca.
Hopefully this will grant me access as root.

Now to copy the files to the remote host.

And finally signing my public key with the private key found in /home/userca/ca.
It’s important here to use the found principal name in the signing command.

It looks like the signing is successful.
Lets see if it worked.

And finally for the flag.

# Alternate exploit

If you don’t want to do all the hassle with SSH, keys and signing there is an alternate way of rooting this box.
There is a fairly new xorg-x11-server vulnerability which can be exploited using OpenBSD’s cron.
The exploit can be found here: https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm

And the final step….

Not really the way you wanna do this box as it is more a script kiddie way which doesn’t teach you a thing.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.