mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-10 06:34:17 +00:00
Add files via upload
This commit is contained in:
parent
a2a670b5fb
commit
166c9f1066
2 changed files with 181 additions and 0 deletions
63
HackTheBox/Shocker.md
Normal file
63
HackTheBox/Shocker.md
Normal file
|
@ -0,0 +1,63 @@
|
|||
# HackTheBox-Shocker
|
||||
|
||||
## NMAP
|
||||
|
||||
```bash
|
||||
PORT STATE SERVICE REASON VERSION
|
||||
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|
||||
| http-methods:
|
||||
|_ Supported Methods: GET HEAD POST OPTIONS
|
||||
|_http-server-header: Apache/2.4.18 (Ubuntu)
|
||||
|_http-title: Site doesn't have a title (text/html).
|
||||
2222/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|
||||
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gp
|
||||
NcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQq
|
||||
qj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
|
||||
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|
||||
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9K
|
||||
AtWltmk3qm4oc=
|
||||
| 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|
||||
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk
|
||||
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||||
```
|
||||
|
||||
## PORT 80 (HTTP)
|
||||
|
||||
On the web server we only get a static html page
|
||||
|
||||
<img src="https://i.imgur.com/8O2skgK.png"/>
|
||||
|
||||
But there wasn't anything on this page , so after searching exploits for apache 2.4.18 , I saw a vulnerability called `shellshock`
|
||||
|
||||
<img src="https://i.imgur.com/jr3EQb4.png"/>
|
||||
|
||||
So maybe there's a folder `cgi-bin` on web server but on running `gobuster` and `dirsearch` it wasn't showing so I assumed it's on the webserver and I fuzz for files with the extensions `pl,rb,sh,py`
|
||||
|
||||
<img src="https://i.imgur.com/hDewIfH.png"/>
|
||||
|
||||
We can see `user.sh` is in `cgi-bin` directory ,cgi-bin is a folder used to house scripts that will interact with a Web browser to provide functionality for a Web page or website. Common Gateway Interface (CGI) is a resource for accommodating the use of scripts in Web design.
|
||||
|
||||
Now let's check if it's vulnerable to shellshock
|
||||
|
||||
```bash
|
||||
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \
|
||||
http://10.10.10.56/cgi-bin/user.sh
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/1aPsX2v.png"/>
|
||||
|
||||
We can get a bash reverse shell
|
||||
|
||||
<img src="https://i.imgur.com/y0n9KwZ.png"/>
|
||||
|
||||
Now to escalate to a user , in this case we have only a root user to escalate to , we can check what we can run as sudo so in order to do that we'll run the command `sudo -l`
|
||||
|
||||
<img src="https://i.imgur.com/U4tkxxP.png"/>
|
||||
|
||||
We can run `perl` as root so let's visit GTFOBINS to see how we can abuse this
|
||||
|
||||
<img src="https://i.imgur.com/aJDG7Lf.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/Pno3Xf4.png"/>
|
118
HackTheBox/Writeup.md
Normal file
118
HackTheBox/Writeup.md
Normal file
|
@ -0,0 +1,118 @@
|
|||
# HackTheBox-Writeup
|
||||
|
||||
## NMAP
|
||||
|
||||
```bash
|
||||
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|
||||
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKBbBK0GkiCbxmAbaYsF4DjDQ3JqErzEazl3v8OndVhynlxNA5sMnQmyH+7ZPdDx9IxvWFWkdvPDJC0rUj1CzOTOEjN61Qd7uQbo5x4rJd3P
|
||||
AgqU21H9NyuXt+T1S/Ud77xKei7fXt5kk1aL0/mqj8wTk6HDp0ZWrGBPCxcOxfE7NBcY3W++IIArn6irQUom0/AAtR3BseOf/VTdDWOXk/Ut3rrda4VMBpRcmTthjsTXAvKvPJcaWJATtRE2NmFj
|
||||
BWixzhQU+s30jPABHcVtxl/Fegr3mvS7O3MpPzoMBZP6Gw8d/bVabaCQ1JcEDwSBc9DaLm4cIhuW37dQDgqT1V
|
||||
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|
||||
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPzrVwOU0bohC3eXLnH0Sn4f7UAwDy7jx4pS39wtkKMF5j9yKKfjiO+5YTU//inmSjlTgXBYNv
|
||||
aC3xfOM/Mb9RM=
|
||||
| 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
|
||||
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuLLsM8u34m/7Hzh+yjYk4pu3WHsLOrPU2VeLn22UkO
|
||||
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
|
||||
| http-methods:
|
||||
|_ Supported Methods: GET HEAD POST OPTIONS
|
||||
| http-robots.txt: 1 disallowed entry
|
||||
|_/writeup/
|
||||
|_http-title: Nothing here yet.
|
||||
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||||
```
|
||||
|
||||
## PORT 80 (HTTP)
|
||||
|
||||
On the webserver we only see a html page which is made with `CMS made simple` from the results of `wappalyzer` , also looking at the source there's nothing we can look for
|
||||
|
||||
<img src="https://i.imgur.com/3Kis0HE.png"/>
|
||||
|
||||
From the nmap scan it did show us that there's a `robots.txt` file so let's look at that
|
||||
|
||||
<img src="https://i.imgur.com/ADRxzpS.png"/>
|
||||
|
||||
We see a disallowed entry `/writeup/` that shouldn't be picked up by search engines
|
||||
|
||||
<img src="https://i.imgur.com/DNRCfw4.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/kcNwozQ.png"/>
|
||||
|
||||
Now I went through all of the posts but found nothing , but I did notice a GET parameter `page` was being used
|
||||
|
||||
<img src="https://i.imgur.com/GUiwQ0y.png"/>
|
||||
|
||||
So I tried to see if it was vulnerable to `LFI` (Local FIle Inclusion)
|
||||
|
||||
<img src="https://i.imgur.com/iRDm84K.png"/>
|
||||
|
||||
I kept trying but didn't seem it was we can do LFI here, now we don't know the version of `CMS made simple` so let's just see if there are any exploits for this CMS
|
||||
|
||||
<img src="https://i.imgur.com/iRDm84K.png"/>
|
||||
|
||||
The first result came up with `exploit-db` and it was related to SQL injection
|
||||
|
||||
<img src="https://i.imgur.com/v55NRL4.png"/>
|
||||
|
||||
So let's try this maybe and see if we can somehow get the password, run the exploit script
|
||||
|
||||
<img src="https://i.imgur.com/9Q6znRS.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/eRiyC9c.png"/>
|
||||
|
||||
We get the username and password, so let's see if we can access admin panel in `CMS Made Simple`
|
||||
|
||||
<img src="https://i.imgur.com/6GyIt44.png"/>
|
||||
|
||||
But when I tried those creds , it failed . So the only option left for us is to see if these credentials work on ssh
|
||||
|
||||
## PORT 22 (SSH)
|
||||
|
||||
<img src="https://i.imgur.com/OzTR7DT.png"/>
|
||||
|
||||
Neat , we are in !
|
||||
|
||||
Let's do a quick `sudo -l` to see if we can run anything as sudo
|
||||
|
||||
<img src="https://i.imgur.com/RZqvtHE.png"/>
|
||||
|
||||
It seems `sudo` command isn't available on this machine, I ran linpeas but didn't found anything useful , than decide to run `pspy` which is a process and cronjob monitor which can even monitor cronjobs running as different users or as root
|
||||
|
||||
<img src="https://i.imgur.com/2G3W28Y.png"/>
|
||||
|
||||
Running the tool , we can see a fail2ban script running in the background which is why we weren't able to run fuzzing tools
|
||||
|
||||
<img src="https://i.imgur.com/Pa9yZ02.png"/>
|
||||
|
||||
Also there's a script which is running like every minute
|
||||
|
||||
<img src="https://i.imgur.com/o1JRntp.png"/>
|
||||
|
||||
But it's in `root` directory and we can't do anything with it
|
||||
<img src="https://i.imgur.com/ZJCfk7Z.png"/>
|
||||
|
||||
So I used ssh again to login and found that it was running `message of the day script` (/etc/update-motd.d) through a binary named `run-parts` , notice that `run-parts` isn't using it's absolute PATH so here we can abuse it by creating `run-parts` file by giving it executable permissions,the path variable includes `/usr/local/sbin` and `/usr/local/bin` which we have permissions to it as these folders are owned by `staff` group and we are in that group so we can create that file there
|
||||
|
||||
|
||||
<img src="https://i.imgur.com/ANG0qDt.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/WaYaYaV.png"/>
|
||||
|
||||
We can write into `/usr/local/sbin`
|
||||
|
||||
<img src="https://i.imgur.com/ZJ7iaFX.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/DSwJac7.png"/>
|
||||
|
||||
Now we have created a file named `run-parts` which has a bash reverse shell which will execute when we will login to ssh our `run-parts` file will be executed and give us a reverse shell
|
||||
|
||||
<img src="https://i.imgur.com/v8yy2xz.png"/>
|
||||
|
||||
|
||||
```
|
||||
jkr@writeup.htb:raykayjay9
|
||||
```
|
||||
/run/motd.dynamic.new
|
||||
|
||||
/etc/update-motd.d
|
Loading…
Reference in a new issue