OSCP PREPROTİONS – HTB LaCasaDePapel

LaCasaDePapel machine is a deliberately vulnerable machine with Linux operating system among the reitred machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic Scan

Full Port Scan

As a result of network scanning, 21/tcp ftp vsftpd 2.3.4, 22/tcp ssh OpenSSH 7.9, 80/tcp http Node.js, 443/tcp ssl/http and 6200 ports are open.
Since port 6200 is remarkable, let’s scan it with the -A parameter

Let’s connect to this port with nc

Here we can’t use commands like normal shel to give us psy shekk.
Let’s google what it is. It is a runtime developer console, interactive debugger and REPL for PHP.

We realized that it was running the ca.key file, we found something similar to ssl key in the file, we noted it down and continued.

We saw user flag etc but we got permission denied error.

As far as we understand, this is as much data as we have been able to get here.

After receiving what we will receive in ftp, we perform web enumeration.
First on port 80

We looked at the source code and tried to use authedticated but we couldn’t get any results. Let’s perform a Gobuster file and directory scan.

The scan did not return any results.
Let’s continue on port 443

Sorry, but you need to provide a client certificate to continue. We encountered the error, we looked at the codes we saved here, we did not scan gobuster, we thought we could use the ssl certificate because of the error we received. Let’s use the key we have saved.
We need to create our ssl certificate with Openssl.
First, let’s export the certificate on the web page.

Then we save the certificate we detected in vsfd as ca.key and save the certificate as psx.

We save the pfx file we saved as a certificate to firefox.

Save the certificate and then open the page again.

We were finally able to see the Prvate area part 🙂

When we look at Session 1, we test that there may be path raversel in the path parts.

As you can see, we were able to perform path traversal as a command.

Here we saw that the ssh key is

Let’s try to get this ssl key with curl
We did not access the id_rsa file

While we were enumerating a little bit more on the website to see what we can do here, we realized that it was encoded with base64 while it was coming on the tables.

Let’s do an encoding process so that we can access the id_rsa file in this way

Now we will make this id_rsa file suitable for ssh key

We had trapped professor, memcached users from vfstp vulnerability and when we tried respectively, we detected that the professor user had an ssh key and connected to it.

Since our authorization is limited in the ssh connection, we could not successfully obtain a flag. Here we will provide a local enumeration to raise the authorization.
Running Linpeas.shs scrpitinn

We didn’t get any valuable information with linpeas.sh, let’s use the pspy32 tool to see what is running in the backend.

We go to the specified path. We look at the executed files.

We read the contents of the memcached.ini file and run the memcached.js file under sudo authorization. Let’s create a memcached file and try to get revershell with root authorization.
We changed memacached.ini file to ini.bak file.
We wrote our command to get our revershell in the tmp directory and saved it as Shell.sh file.
We authorized our shell.sh file to run by giving it +x authorization
We went to the /home/professor directory to create the memcached.ini file.

We edited the memcached.ini file content and set our shell.sh file under the tmp directory to run

After saving our file, we started listening to the port with nc and after 5 minutes we got our shell with root authorization.

As you can see, we were able to get the user and root flags.