add: writeup-ctf

content/writeup-ctf/writeup-backdoor-htb/index.md

@@ -0,0 +1,128 @@
+---
+title: "Writeup - Backdoor (HTB)"
+date: 2022-04-19
+slug: "writeup-backdoor-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Backdoor](https://app.hackthebox.com/machines/Backdoor) machine from the HackTheBox site.
+
+# Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.11.125
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2p1)
+- 80/tcp : web server (Apache 2.4.41)
+- 1337/tcp : ?????
+
+We have a site on port 80 and port 1337 that hosts an unknown service at the moment; let's see what the site looks like.
+
+![](img/image-2.webp)
+
+# Exploit
+
+After inspecting the page, I notice that it is a site based on the CMS Wordpress, let's do a scan with "WPScan" to try to identify flaws:
+
+![](img/image-3.webp)
+
+Nothing special, let's try to do an aggressive detection of the plugins. For this I use the following command:
+
+
+```bash
+wpscan --url http://backdoor.htb --plugin-detection aggressive
+```
+![](img/image-4.webp)
+
+There are two plugins: akismet and ebook-download. After some research I find that ebook-download in version 1.1 is exploitable (CVE-. 
+
+So we create a script to automate the process scan, if the page returns a message with a size greater than 82 bytes, then the process exists.
+
+
+```bash
+import requests
+
+for i in range(0,1000):
+    url = "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc>
+    answer=requests.get(url)
+    lg=len(answer.text)
+    if(leng>82):
+        if '1337' in resp.text:
+            print("%d %s ",lg, answer.text)
+```
+After running the script, we find 2 services:
+
+![](img/image-5.webp)
+
+These processes are gdbserver running on our mystery port: 1337. So we can now look for exploits related to this process.
+
+Je trouve rapidement le script suivant qui permet d'exécuter du code à distance via le service GDB :
+
+[GNU gdbserver 9.2 - Remote Command Execution (RCE)](https://www.exploit-db.com/exploits/50539)
+
+After generating a payload with msfvenom, I run the script :
+
+![](img/image-6.webp)
+
+I now have a shell on the remote machine, I can get the first flag.
+
+![](img/image-7.webp)
+
+# Privilege escalation
+
+First I try to find the SUID files. For that I use the following command:
+
+
+```bash
+find / -perm -u=s -type f 2>/dev/null
+```
+![](img/image-8.webp)
+
+There are a lot of usual commands. But among the list there is "screen".  It is a command that allows to manage several terminals at the same time. I look then if a process runs with this command:
+
+![](img/image-9.webp)
+
+And indeed there is a process running. But not just any process, a root shell with the options -dmS :
+
+- -d : detache de screen when started
+- -m : ignore the $STY environment variable, creation of a new session is enforced
+- -S : When creating a new session, this option can be used to specify a meaningful name
+
+So we know that a screen named root has been created with the user root. If we manage to connect to the screen, we will have access to a root shell.
+
+To connect to the detached screen we need to use the following command:
+
+
+```bash
+screen -x [name]/[user]
+```
+But before connecting we will have to define the variable $TERM, to do this I use the following command:
+
+
+```bash
+export TERM=screen
+```
+I can now connect to the root screen with the following command:
+
+
+```bash
+screen -x root/root
+```
+I now have access to a root shell and can retrieve the last flag.
+
+![](img/image-10.webp)
+
+# Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update Wordpress plugin
+- Update GDB server
+- Do not run screen as root with the -m variable