OSCP PREPARATIONS – HTB LaCasaDePapel

LaCasaDePapel is a deliberately vulnerable Linux machine among the retired HTB machines. The goal is to obtain the user and root flags by using these vulnerabilities.
We perform a network scan with nmap to identify the target machine.
Classic Scan

Full Port Scan

As a result of the network scan, ports 21/tcp (ftp, vsftpd 2.3.4), 22/tcp (ssh, OpenSSH 7.9), 80/tcp (http, Node.js), 443/tcp (ssl/http) and 6200/tcp are open.
Since port 6200 is unusual, let’s scan it with the -A parameter.

Let’s connect to this port with nc.

Here we cannot run commands as in a normal shell; what we get is a Psy Shell.
Let’s google what it is: it is a runtime developer console, interactive debugger and REPL for PHP.

We noticed a ca.key file being used; inside it we found what looks like an SSL key, so we noted it down and continued.

We saw the user flag and other files, but got a permission denied error.

As far as we can tell, this is all the data we can get here.

After collecting what we could through ftp, we move on to web enumeration.
First, port 80.

We looked at the source code and tried to authenticate, but got no results. Let’s run a Gobuster file and directory scan.

The scan did not return any results.
Let’s continue with port 443.

We got the error “Sorry, but you need to provide a client certificate to continue.” We did not run gobuster here; instead we looked at the key we had saved, since the error suggested we could use an SSL certificate. Let’s use the key we saved.
We need to create our SSL certificate with OpenSSL.
First, let’s export the certificate from the web page.

Then we save the key we found in vsftpd as ca.key and save the resulting certificate as a pfx file.

We import the pfx file we saved into Firefox as a certificate.

Save the certificate and then open the page again.
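
The certificate step above in concrete commands, as an added example that is not part of the original write-up: it builds a throwaway CA (standing in for the leaked ca.key and the exported certificate), mints a client certificate with it, bundles the key and certificate as a PKCS#12 file for browser import, and runs the chain check a client-certificate-gated site performs, showing that only a certificate signed by the trusted CA key passes. All names, keys and the working directory are constructed locally.

```shell
#!/bin/sh
# Added example (not from the write-up): how a client certificate is minted
# from a CA private key and why a leaked ca.key defeats client-cert gating.
# Everything here is generated locally and thrown away; nothing comes from the target.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a CA key pair and self-signed CA certificate.
# $1 is a name: "ca" stands in for the site's ca.key/ca.crt, "rogue" is an unrelated CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1 test CA" -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Mint a client certificate signed by the named CA and bundle key+cert as PKCS#12
# (the .pfx/.p12 form a browser imports as a personal certificate).
make_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/client.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -passout pass:changeit -out "$WORK/client.p12" >/dev/null 2>&1
}

# The check a client-cert-protected vhost effectively performs: does the presented
# certificate chain to the CA it trusts? Returns 0 on success, non-zero otherwise.
verify_client_cert() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/client.crt" >/dev/null 2>&1
}

make_ca ca
make_ca rogue
make_client_cert ca
verify_client_cert ca && echo "accepted: signed by the trusted CA key"
if ! verify_client_cert rogue; then echo "rejected: unrelated CA"; fi
```

The only secret that matters in this flow is the CA private key: anyone holding it can issue a certificate the site accepts, which is why ca.key must never be readable by the application user.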

We were finally able to see the Private Area 🙂

When we look at Session 1, we test whether the path parameter is vulnerable to path traversal.

As you can see, we were able to perform path traversal through the parameter.

Here we saw the ssh key.

Let’s try to get this ssh key with curl.
We could not access the id_rsa file.

While enumerating the website a little more to see what we could do, we noticed that the path values are base64 encoded as they appear in the tables.

Let’s base64 encode our path so that we can access the id_rsa file this way.

Now we make this id_rsa file usable as an ssh key.

We had collected the users professor and memcached from the vsftpd vulnerability; trying them in turn, we found that the ssh key belongs to the professor user and connected with it.

Since our privileges in the ssh session are limited, we could not obtain a flag. Here we perform local enumeration to escalate privileges.
Running the linpeas.sh script

We did not get any valuable information from linpeas.sh; let’s use the pspy32 tool to see what is running in the background.

We go to the indicated path and look at the executed files.

We read the contents of the memcached.ini file; it runs the memcached.js file with sudo privileges. Let’s create our own memcached file and try to get a reverse shell with root privileges.
We renamed the memcached.ini file to ini.bak.
We wrote the command for our reverse shell into the tmp directory and saved it as shell.sh.
We made shell.sh executable by giving it +x permission.
We went to the /home/professor directory to create the memcached.ini file.

We edited the memcached.ini content so that it runs our shell.sh under the tmp directory.

After saving the file, we started listening on the port with nc, and after 5 minutes we got a shell with root privileges.

As you can see, we were able to get the user and root flags.
