📓
Pentesting
  • Writeups
  • HackTheBox
    • Easy Machines
      • Beep Writeup
      • Shocker Writeup
      • Lame Writeup
      • Jerry Writeup
      • Legacy Writeup
      • Blue Writeup
  • TryHackMe
    • Walkthroughs: Easy
      • CC: Steganography
      • Cryptography for Dummies
      • Cross-site Scripting
      • SQL Injection Lab
      • SQL Injection
      • ZTH: Web 2
      • SSRF
      • XXE
      • Authenticate
      • Injection
      • Blaster
      • The Cod Caper
      • Hardening Basics Part 1
      • What the Shell?
      • Game Zone
      • Upload Vulnerabilities
      • Bolt
      • Erit Securus 1
      • CC: Pentesting
      • JavaScript Basics
      • OverPass 2 - Hacked
      • Linux: Local Enumeration
      • Ice
      • Linux Backdoors
      • Avengers Blog
      • DNS in Detail
      • Putting it all together
      • Kenobi
      • Common Linux Privesc
      • Network Services 2
      • Network Services
      • The Hacker Methodology
      • The Find command
      • HTTP in Detail
      • Web Fundamentals
      • How Websites Work
      • Introductory Networking
    • Challenges (CTF): Easy
      • VulNet: Roasted
      • VulNet: Internal
      • Git Happens
      • Kiba
      • VulNet: Node
      • Memory Forensics
      • Smag Grotto
      • Investigating Windows
      • Cat Pictures
      • Juicy Details
      • Anthem
      • Tony The Tiger
      • Jack-of-All-Trades
      • JPGChat
      • Blueprint
      • All in One
      • Gotta Catch'em All
      • Mustacchio
      • Break Out The Cage
      • HeartBleed
      • Poster
      • Madness
      • Source
      • Thompson
      • Library
      • Magician
      • Anonforce
      • Dav
      • GLITCH
      • Fowsniff CTF
      • Team
      • H4cked
      • Easy Peasy
      • ColddBox: Easy
      • Archangel
      • Cyborg
      • Chocolate Factory
      • Brute It
      • Year of the Rabbit
      • ChillHack
      • Gaming Server
      • Brooklyn Nine Nine
      • Wgel CTF
      • Tomghost
      • ToolsRus
      • Skynet
      • Startup
      • Agent Sudo
      • Lian-Yu
      • OhSINT
      • Overpass
      • Crack The Hash
      • Ignite
      • Inclusion
      • Bounty Hunter
      • LazyAdmin
      • RootMe
      • Pickle Rick
      • Basic Pentesting
      • Simple CTF
  • Crackmes.one
    • 1 Difficulty Rating
      • easyAF
      • Easy Keyg3nme
      • Random
Powered by GitBook
On this page
  • Reconnaissance
  • Enumeration
  • Exploitation
  • Privilege Escalation

Was this helpful?

  1. TryHackMe
  2. Challenges (CTF): Easy

GLITCH

PreviousDavNextFowsniff CTF

Last updated 3 years ago

Was this helpful?

Reconnaissance

Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (-Pn)

nmap -Pn 10.10.81.21

Detailed Nmap Scan :

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 80

  • (-oN nmap): Saving it into a file called nmap

nmap -sV -sC -p 80 -oN nmap 10.10.81.21

Enumeration

Lets visit the site

There is nothing on the page, lets look at the source code

We can see that there is a getAccess() function, but it not called, lets do to developer tools and call the function. (Ctrl + i) Go to console and type this

getAccess()

We have a base64 string, lets decode it.

Looking at the first question, this is a token, lets look at the tokens on the site. (Located in the storage tab).

Lets replace the current value for token with the token we just decoded.

Now refresh the page

We have another page. Lets look at the source code

There is a script.js file in the end , lets check it out

Looking through the page, there is a /api/items page what is being fetched, lets go check it out.

There seems to be nothing interesting. Here I was stuck so I looked at the hint tryhackme gave us.

So now lets catch the request with Burp Suite and send it to repeater.

It looks like it is using a GET method, lets change it to POST

We find something interesting. As this item endpoint accepts a post request too, we can try sending data to the endpoint only if we have a parameter, to do this lets fuzz the API parameter , lets use ffuf to do this.

ffuf -w /usr/share/wordlists/dirb/common.txt -X POST -u http://10.10.81.21/api/items?FUZZ=test -fs 45 -mc all

Looks like cmd is the parameter. Lets send a post request to this endpoint using the cmd parameter.

Exploitation

Lets use this, but with our own reverse shell, make sure to start a reverse shell

Once you hit you should get this response and a reverse shell

We can stabilize the shell and read the user.txt file

Privilege Escalation

Looking in the home directory of user, we see this directory .firefox

Lets see the content of the file

Lets first start a netcat listener

Then lets send the folder using netcat on the victim machine

Now we should get a connection and also we should see the .firefox directory on our machine

Now lets run the python exploit we cloned from GitHub on the directory

We got a username and a password, lets switch users to v0id

Lets now look at the SUIDs that we can exploit

Lets look at what doas is

So we can execute command as other users, lets read the root.txt file with this command

We can also switch users to root

Looking at the output of the error, we can see eval. I went searching on google and then found this that gives us a breakdown of how the eval function can be exploited to gain RCE on the machine.

Looking on google I found . Lets clone it and then lets copy the .firefox directory to our machine

article
firefox_decrypt