Lightweight is our tenth machine in the OSCP list provided by NetSec Focus! Very interesting machine due to the enumeration given through LDAP, its HTTP services, and the privilege escalation with capabilities. This is the tenth blog before my third attempt to the OSCP exam, so let’s get to it!
So, we start with a nmap scan to check what ports are open and what services are running in this machine.
nmap -sC -sV -p- -oN scan.nmap 10.10.10.119
There are couple services running such as SSH, HTTP, and LDAP. Sounds like the enumeration is going to be quiet interesting this time.
There are different techniques to enumerate this service where one of them was using different nmap scripts that are going to look for a service and enumerate it according the scripts given, or the usage of ldapsearch which is also good and clear. This time we are going to enumerate LDAP with nmap scripts.
nmap -p 389 10.10.10.119 --script=ldap-brute.nse,ldap-novell-getpass.nse,ldap-rootdse.nse,ldap-search.nse
Ok, according the results given by nmap, there are different things to look, such as the users which are
ldapuser1 and ldapuser2, and there are some hashes, but unfortunately we are not able to crack them.
Directory Brute Force
After enumerating LDAP, it’s time to see what is to find in HTTP, but trying gobuster didn’t give many results because the machine was protected against brute force, which means that we got banned multiple times because of trying to do directory brute force. In spite of the protection of the website, we could get some results that were good enough to continue with the process.
gobuster dir -u http://10.10.10.119/ -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 5 -x .php, .txt, .py
After checking with the browser the content from the webpage this is what we found.
And, after going to
user.php, we found information saying that we can login through SSH using our IP as a username and password, great!
SSH Login & Privileges Escalation
Effectively, the login was successful providing credentials as our IP as username and password.
So, at the time to escalate privileges, the usage of LinEnum was crucial and useful because we found some capabilities that we could execute with our user. The capability was related with usage of tcpdump which means that we can capture traffic in the target machine.
To escalate privileges, we execute tcpdump, wait some time while it captures some traffic packets, and once the packets have been captured, it’s time to analyze the traffic in our localhost with wireshark. This is the command to capture the traffic within the target machine.
tcpdump -i any -w captured.pcap
Once the traffic has been captured, we can transfer the file through SCP and analyze it with wireshark.
Great, we found credentials in LDAP protocol. So,
After obtaining the credentials, it’s time to log in and get the user flag!
The user has been owned.
Privilege Escalation To ldapuser1
In the home directory from user
ldapuser2 there is a file called
backup.7z, interesting name, right? So, we can transfer this file through base64.
- From target machine:
Copy the result in the localhost, and name it
backup.7z.b64, and decode it. After decoding it it’s time to crack the password because we are required to use a password to read the file.
To crack backup.7z there is a tool-kit from John that can extract the hash from a 7z file and cracked.
perl 7z2john.pl backup.7z > backup john backup -w=/usr/share/wordlists/rockyou.txt
and we got the password which is
Once we extract the files from backup.7z we see a file called
status.php which contains the passwords to get
Great, so we just
su ldapuser2 using the password found which is
Privileges Escalation to Root
Using LinEnum we found other capability which was related to openssl, and there was a openssl binary in the home folder from
ldapuser1 which means that we might read, and write files through openssl.
Now, having this flaw, we can extract the file
/etc/shadow from root
./openssl aes-256-cbc -d -a -in shadow.enc -out shadow
Knowing that we can modify the hash from root in the shadow file, set our password and write it, so we can login to root with our own password.
./openssl aes-256-cbc -a -salt -in shadow -out shadow.enc
And, we get to root with the password that we have set!
And let’s read the flag.
We have owned Lightweight!
To be honest the machine was challenging and there was a lot to learn. The privileges escalation process was exotic in my own experience due to my lack of knowledge of capabilities in windows. Saying that, the learning experience was fruitful with this machine.