Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-10 06:34:17 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add files via upload

Browse source
This commit is contained in:
ARZ 2021-07-15 20:57:49 +05:00 committed by GitHub
parent a2a670b5fb
commit 166c9f1066
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 181 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

63
HackTheBox/Shocker.md Normal file
View file

@ -0,0 +1,63 @@
# HackTheBox-Shocker
## NMAP
```bash
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gp
NcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQq
qj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9K
AtWltmk3qm4oc=
| 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## PORT 80 (HTTP)
On the web server we only get a static html page
<img src="https://i.imgur.com/8O2skgK.png"/>
But there wasn't anything on this page , so after searching exploits for apache 2.4.18 , I saw a vulnerability called `shellshock`
<img src="https://i.imgur.com/jr3EQb4.png"/>
So maybe there's a folder `cgi-bin` on web server but on running `gobuster` and `dirsearch` it wasn't showing so I assumed it's on the webserver and I fuzz for files with the extensions `pl,rb,sh,py`
<img src="https://i.imgur.com/hDewIfH.png"/>
We can see `user.sh` is in `cgi-bin` directory ,cgi-bin is a folder used to house scripts that will interact with a Web browser to provide functionality for a Web page or website. Common Gateway Interface (CGI) is a resource for accommodating the use of scripts in Web design.
Now let's check if it's vulnerable to shellshock
```bash
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \
http://10.10.10.56/cgi-bin/user.sh
```
<img src="https://i.imgur.com/1aPsX2v.png"/>
We can get a bash reverse shell
<img src="https://i.imgur.com/y0n9KwZ.png"/>
Now to escalate to a user , in this case we have only a root user to escalate to , we can check what we can run as sudo so in order to do that we'll run the command `sudo -l`
<img src="https://i.imgur.com/U4tkxxP.png"/>
We can run `perl` as root so let's visit GTFOBINS to see how we can abuse this
<img src="https://i.imgur.com/aJDG7Lf.png"/>
<img src="https://i.imgur.com/Pno3Xf4.png"/>

118
HackTheBox/Writeup.md Normal file
View file

@ -0,0 +1,118 @@
# HackTheBox-Writeup
## NMAP
```bash
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKBbBK0GkiCbxmAbaYsF4DjDQ3JqErzEazl3v8OndVhynlxNA5sMnQmyH+7ZPdDx9IxvWFWkdvPDJC0rUj1CzOTOEjN61Qd7uQbo5x4rJd3P
AgqU21H9NyuXt+T1S/Ud77xKei7fXt5kk1aL0/mqj8wTk6HDp0ZWrGBPCxcOxfE7NBcY3W++IIArn6irQUom0/AAtR3BseOf/VTdDWOXk/Ut3rrda4VMBpRcmTthjsTXAvKvPJcaWJATtRE2NmFj
BWixzhQU+s30jPABHcVtxl/Fegr3mvS7O3MpPzoMBZP6Gw8d/bVabaCQ1JcEDwSBc9DaLm4cIhuW37dQDgqT1V
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPzrVwOU0bohC3eXLnH0Sn4f7UAwDy7jx4pS39wtkKMF5j9yKKfjiO+5YTU//inmSjlTgXBYNv
aC3xfOM/Mb9RM=
| 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuLLsM8u34m/7Hzh+yjYk4pu3WHsLOrPU2VeLn22UkO
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## PORT 80 (HTTP)
On the webserver we only see a html page which is made with `CMS made simple` from the results of `wappalyzer` , also looking at the source there's nothing we can look for
<img src="https://i.imgur.com/3Kis0HE.png"/>
From the nmap scan it did show us that there's a `robots.txt` file so let's look at that
<img src="https://i.imgur.com/ADRxzpS.png"/>
We see a disallowed entry `/writeup/` that shouldn't be picked up by search engines
<img src="https://i.imgur.com/DNRCfw4.png"/>
<img src="https://i.imgur.com/kcNwozQ.png"/>
Now I went through all of the posts but found nothing , but I did notice a GET parameter `page` was being used
<img src="https://i.imgur.com/GUiwQ0y.png"/>
So I tried to see if it was vulnerable to `LFI` (Local FIle Inclusion)
<img src="https://i.imgur.com/iRDm84K.png"/>
I kept trying but didn't seem it was we can do LFI here, now we don't know the version of `CMS made simple` so let's just see if there are any exploits for this CMS
<img src="https://i.imgur.com/iRDm84K.png"/>
The first result came up with `exploit-db` and it was related to SQL injection
<img src="https://i.imgur.com/v55NRL4.png"/>
So let's try this maybe and see if we can somehow get the password, run the exploit script
<img src="https://i.imgur.com/9Q6znRS.png"/>
<img src="https://i.imgur.com/eRiyC9c.png"/>
We get the username and password, so let's see if we can access admin panel in `CMS Made Simple`
<img src="https://i.imgur.com/6GyIt44.png"/>
But when I tried those creds , it failed . So the only option left for us is to see if these credentials work on ssh
## PORT 22 (SSH)
<img src="https://i.imgur.com/OzTR7DT.png"/>
Neat , we are in !
Let's do a quick `sudo -l` to see if we can run anything as sudo
<img src="https://i.imgur.com/RZqvtHE.png"/>
It seems `sudo` command isn't available on this machine, I ran linpeas but didn't found anything useful , than decide to run `pspy` which is a process and cronjob monitor which can even monitor cronjobs running as different users or as root
<img src="https://i.imgur.com/2G3W28Y.png"/>
Running the tool , we can see a fail2ban script running in the background which is why we weren't able to run fuzzing tools
<img src="https://i.imgur.com/Pa9yZ02.png"/>
Also there's a script which is running like every minute
<img src="https://i.imgur.com/o1JRntp.png"/>
But it's in `root` directory and we can't do anything with it
<img src="https://i.imgur.com/ZJCfk7Z.png"/>
So I used ssh again to login and found that it was running `message of the day script` (/etc/update-motd.d) through a binary named `run-parts` , notice that `run-parts` isn't using it's absolute PATH so here we can abuse it by creating `run-parts` file by giving it executable permissions,the path variable includes `/usr/local/sbin` and `/usr/local/bin` which we have permissions to it as these folders are owned by `staff` group and we are in that group so we can create that file there
<img src="https://i.imgur.com/ANG0qDt.png"/>
<img src="https://i.imgur.com/WaYaYaV.png"/>
We can write into `/usr/local/sbin`
<img src="https://i.imgur.com/ZJ7iaFX.png"/>
<img src="https://i.imgur.com/DSwJac7.png"/>
Now we have created a file named `run-parts` which has a bash reverse shell which will execute when we will login to ssh our `run-parts` file will be executed and give us a reverse shell
<img src="https://i.imgur.com/v8yy2xz.png"/>
```
jkr@writeup.htb:raykayjay9
```
/run/motd.dynamic.new
/etc/update-motd.d