Hack The Box - Lazy

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Lazy%20Box%2034d1862a662342e2a61eb68b2748e2eb/Untitled.png

NMAP :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Lazy%20Box%2034d1862a662342e2a61eb68b2748e2eb/Untitled%201.png

Enumerating Web :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Lazy%20Box%2034d1862a662342e2a61eb68b2748e2eb/Untitled%202.png

⇒ After we register and login we don’t get anything. Inspecting the cookies we see an auth cookie.

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Lazy%20Box%2034d1862a662342e2a61eb68b2748e2eb/Untitled%203.png

⇒ When we change the cookie we get the following error :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Lazy%20Box%2034d1862a662342e2a61eb68b2748e2eb/Untitled%204.png

⇒ Researching for a while we come to Padding Oracle Attack.

https://www.hackingarticles.in/hack-padding-oracle-lab/

The padding oracle attack enables an attacker to decrypt encrypted data without knowledge of the encryption key and used cipher by sending skillfully manipulated ciphertexts to the padding oracle and observing of the results returned by it.

⇒ We will be using padbuster an automated script for performing Padding Oracle attacks.

padbuster [http://10.10.10.18/index.php](http://10.10.10.18/index.php) ZVrX75FDWtDjgwNByepfkxAvql%2FGQmhR 8 --cookies auth=ZVrX75FDWtDjgwNByepfkxAvql%2FGQmhR --encoding 0 -plaintext user=admin

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Lazy%20Box%2034d1862a662342e2a61eb68b2748e2eb/Untitled%205.png

→ We got admin cookie.

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Lazy%20Box%2034d1862a662342e2a61eb68b2748e2eb/Untitled%206.png

⇒ We used editthiscookie extension and just replaced our cookie with the admin cookie :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Lazy%20Box%2034d1862a662342e2a61eb68b2748e2eb/Untitled%207.png

→ We got user mitsos ssh key :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Lazy%20Box%2034d1862a662342e2a61eb68b2748e2eb/Untitled%208.png

⇒ SSH’ed in as user mitsos using the ssh key :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Lazy%20Box%2034d1862a662342e2a61eb68b2748e2eb/Untitled%209.png

Privilege Escalation to root

⇒ In user home directory there’s an backup binary which is ran as root when we run it.

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Lazy%20Box%2034d1862a662342e2a61eb68b2748e2eb/Untitled%2010.png

⇒ After running strings on the binary we see that it does cat /etc/shadow . Full path to cat isn’t specified so we can perform path hijacking and escalate our privileges

cd /tmp echo '/bin/sh' > cat chmod +x cat PATH=/tmp:$PATH /home/mitsos/backup

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Lazy%20Box%2034d1862a662342e2a61eb68b2748e2eb/Untitled%2011.png

ROOTED