add: writeup-ctf

2024-03-02 21:49:07 +01:00
parent ff520654f0
commit 095a13b2c9
1021 changed files with 9299 additions and 0 deletions
--- a/content/writeup-ctf/writeup-nibbles-htb/featured.png
+++ b/content/writeup-ctf/writeup-nibbles-htb/featured.png
--- a/content/writeup-ctf/writeup-nibbles-htb/featured.webp
+++ b/content/writeup-ctf/writeup-nibbles-htb/featured.webp
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-1.png
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-1.png
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-1.webp
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-1.webp
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-10.png
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-10.png
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-10.webp
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-10.webp
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-2.png
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-2.png
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-2.webp
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-2.webp
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-3.png
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-3.png
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-3.webp
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-3.webp
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-4.png
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-4.png
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-4.webp
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-4.webp
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-5.png
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-5.png
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-5.webp
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-5.webp
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-6.png
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-6.png
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-6.webp
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-6.webp
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-7.png
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-7.png
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-7.webp
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-7.webp
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-8.png
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-8.png
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-8.webp
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-8.webp
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-9.png
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-9.png
--- a/content/writeup-ctf/writeup-nibbles-htb/img/image-9.webp
+++ b/content/writeup-ctf/writeup-nibbles-htb/img/image-9.webp
--- a/content/writeup-ctf/writeup-nibbles-htb/index.md
+++ b/content/writeup-ctf/writeup-nibbles-htb/index.md
@ -0,0 +1,101 @@
+---
+title: "Writeup - Nibbles (HTB)"
+date: 2022-05-17
+slug: "writeup-nibbles-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Nibbles](https://app.hackthebox.com/machines/Nibbles) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.146
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.2p2)
+- 80/tcp : HTTP web server (Apache 2.4.18)
+
+## Exploit
+
+Looking at the source code of the web page I found the following comment:
+
+
+```bash
+<!-- /nibbleblog/ directory. Nothing interesting here! -->
+```
+So I go to this new page:
+
+![](img/image-2.webp)
+
+I then search the pages present on the site with `ffuf`.
+
+![](img/image-3.webp)
+
+One page is particularly interesting: `admin`.
+
+![](img/image-4.webp)
+
+So I try to brute force the password of the `admin` user with the `hydra` command.
+
+![](img/image-5.webp)
+
+Although the command finds several results it does not work. Indeed there is an anti-brute force security. So I try to test common passwords and after a few tries I find the following credentials: `admin/nibbles`.
+
+It's good but rather frustrating not to have found a more legit way. After some research I find a solution online to test passwords taking into account the anti brute force: [brute force version](https://eightytwo.net/blog/brute-forcing-the-admin-password-on-nibbles/).
+
+I can now connect to the admin panel! After going through the panel, I find the following page where you can upload images.
+
+![](img/image-6.webp)
+
+So I try to send a reverse shell in php, then I go to the following link to execute it:
+
+
+```bash
+10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php
+```
+I now have a reverse shell as a `nibbler` and I can get the first flag.
+
+![](img/image-7.webp)
+
+## Privilege escalation
+
+I start by checking the sudo permissions of my user:
+
+![](img/image-8.webp)
+
+I find it in my personal folder a `.zip` file, I unzip it :
+
+![](img/image-9.webp)
+
+The script can be modified by myself and can be executed as root. I put the following content in the script `monitor.sh` :
+
+
+```bash
+mkdir /root/.ssh
+touch /root/.ssh/authorized_keys
+echo 'id_rsa' > /root/.ssh/authorized_keys
+```
+This will create the SSH folder of the root user and then add my key in the `authorized_keys`. To execute the script I use the following command:
+
+
+```bash
+sudo -n ./monitor.sh
+```
+I can now log in as root and get the last flag.
+
+![](img/image-10.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not leave important comments in HTML code
+- Update NibbleBlog to fix file upload problem
+- Do not let user-modifiable scripts be executed by the root user