{"id":179,"date":"2025-05-16T19:01:34","date_gmt":"2025-05-16T17:01:34","guid":{"rendered":"https:\/\/fromkiddietorobot.fr\/?p=179"},"modified":"2025-05-16T19:10:02","modified_gmt":"2025-05-16T17:10:02","slug":"startup","status":"publish","type":"post","link":"https:\/\/fromkiddietorobot.fr\/index.php\/2025\/05\/16\/startup\/","title":{"rendered":"Startup"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Abuse traditional vulnerabilities via untraditional means.<\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>The victim&#8217;s IP address may change between screenshots; that&#8217;s normal, I did the box in two sessions.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Enumeration phase<\/h2>\n\n\n\n<p>To start the box, nothing beats a quick nmap scan of the victim&#8217;s IP address to see which services are running on the server:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"762\" height=\"655\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-46.png\" alt=\"\" class=\"wp-image-182\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-46.png 762w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-46-300x258.png 300w\" sizes=\"auto, (max-width: 762px) 100vw, 762px\" \/><figcaption class=\"wp-element-caption\">Open ports: ftp, ssh, http<\/figcaption><\/figure>\n\n\n\n<p>The FTP service accepts anonymous logins, so we can use that to see what it holds.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Exploitation phase<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"386\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-48.png\" alt=\"\" class=\"wp-image-184\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-48.png 936w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-48-300x124.png 300w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-48-768x317.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><figcaption class=\"wp-element-caption\">Logging into the FTP server with the combo: anonymous &amp; no password<\/figcaption><\/figure>\n\n\n\n<p>It holds a &#8220;ftp&#8221; folder, a .jpg image and a text file, &#8220;notice.txt&#8221;; let&#8217;s grab everything and look at the contents afterwards.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"521\" height=\"244\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-49.png\" alt=\"\" class=\"wp-image-185\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-49.png 521w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-49-300x140.png 300w\" sizes=\"auto, (max-width: 521px) 100vw, 521px\" \/><\/figure>\n\n\n\n<p>The &#8220;ftp&#8221; folder is empty, so let&#8217;s move on to the two files we retrieved:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"735\" height=\"458\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/important.png\" alt=\"\" class=\"wp-image-187\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/important.png 735w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/important-300x187.png 300w\" sizes=\"auto, (max-width: 735px) 100vw, 735px\" \/><figcaption class=\"wp-element-caption\">The image &#8220;important.jpg&#8221; is an Among Us meme<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"946\" height=\"85\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-50.png\" alt=\"\" class=\"wp-image-186\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-50.png 946w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-50-300x27.png 300w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-50-768x69.png 768w\" sizes=\"auto, (max-width: 946px) 100vw, 946px\" \/><figcaption class=\"wp-element-caption\">And in the notice, someone is complaining about these memes.<\/figcaption><\/figure>\n\n\n\n<p>The text file tells us two things: first, they really do host a website, and second, people download documents from that site, so it is live.<\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"723\" height=\"279\" data-id=\"188\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-51.png\" alt=\"\" class=\"wp-image-188\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-51.png 723w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-51-300x116.png 300w\" sizes=\"auto, (max-width: 723px) 100vw, 723px\" \/><figcaption class=\"wp-element-caption\">Home page of the site<\/figcaption><\/figure>\n<\/figure>\n\n\n\n<p>Let&#8217;s see which &#8220;hidden&#8221; directories we can discover on the site:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"775\" height=\"402\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-52.png\" alt=\"\" class=\"wp-image-189\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-52.png 775w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-52-300x156.png 300w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-52-768x398.png 768w\" sizes=\"auto, (max-width: 775px) 100vw, 775px\" \/><figcaption class=\"wp-element-caption\">Only \/files responds; let&#8217;s see what it contains:<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"456\" height=\"279\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-53.png\" alt=\"\" class=\"wp-image-190\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-53.png 456w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-53-300x184.png 300w\" sizes=\"auto, (max-width: 456px) 100vw, 456px\" \/><\/figure>\n\n\n\n<p>We find the same layout as the FTP share: the anonymous FTP directory is served by the web server under \/files. If the share is also writable, a file uploaded through FTP should become reachable over HTTP, and a PHP file the web server executes would give us a foothold on the server. Let&#8217;s test that.<\/p>\n\n\n\n<p>A quick test with an empty file:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"938\" height=\"181\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-56.png\" alt=\"\" class=\"wp-image-194\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-56.png 938w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-56-300x58.png 300w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-56-768x148.png 768w\" sizes=\"auto, (max-width: 938px) 100vw, 938px\" \/><\/figure>\n\n\n\n<p>The file uploads fine, so we can now try with a malicious .php file containing a reverse shell:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"940\" height=\"148\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-57.png\" alt=\"\" class=\"wp-image-195\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-57.png 940w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-57-300x47.png 300w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-57-768x121.png 768w\" sizes=\"auto, (max-width: 940px) 100vw, 940px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"542\" height=\"313\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-58.png\" alt=\"\" class=\"wp-image-196\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-58.png 542w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-58-300x173.png 300w\" sizes=\"auto, (max-width: 542px) 100vw, 542px\" \/><\/figure>\n\n\n\n<p>Since our files show up on the site, let&#8217;s exploit the flaw: with a listener waiting on the attacking machine, requesting the uploaded .php file through the web server makes it execute and call back:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"649\" height=\"211\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-59.png\" alt=\"\" class=\"wp-image-197\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-59.png 649w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-59-300x98.png 300w\" sizes=\"auto, (max-width: 649px) 100vw, 649px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"799\" height=\"159\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-60.png\" alt=\"\" class=\"wp-image-198\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-60.png 799w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-60-300x60.png 300w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-60-768x153.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><\/figure>\n\n\n\n<p>I do get a shell. Now it&#8217;s back to a reconnaissance phase to spot anything that could help me pivot to a real user account:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"887\" height=\"578\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-61.png\" alt=\"\" class=\"wp-image-199\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-61.png 887w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-61-300x195.png 300w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-61-768x500.png 768w\" sizes=\"auto, (max-width: 887px) 100vw, 887px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-2 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"546\" height=\"57\" data-id=\"200\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-62.png\" alt=\"\" class=\"wp-image-200\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-62.png 546w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-62-300x31.png 300w\" sizes=\"auto, (max-width: 546px) 100vw, 546px\" \/><\/figure>\n<\/figure>\n<\/div>\n<\/div>\n\n\n\n<p>I grab the first THM flag:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"676\" height=\"120\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-64.png\" alt=\"\" class=\"wp-image-202\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-64.png 676w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-64-300x53.png 300w\" sizes=\"auto, (max-width: 676px) 100vw, 676px\" \/><\/figure>\n\n\n\n<p>I start a small web server on the victim so I can pull the files from the &#8220;incidents&#8221; folder back to my attacking machine:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"647\" height=\"131\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-65.png\" alt=\"\" class=\"wp-image-203\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-65.png 647w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-65-300x61.png 300w\" sizes=\"auto, (max-width: 647px) 100vw, 647px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"266\" height=\"75\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-28.png\" alt=\"\" class=\"wp-image-241\"\/><\/figure>\n\n\n\n<p>We could only retrieve the recipe and a .pcapng file, but for now let&#8217;s see whether the account we landed in (www-data) can escalate privileges directly, by analysing the server with linpeas:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"492\" height=\"335\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-67.png\" alt=\"\" class=\"wp-image-205\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-67.png 492w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-67-300x204.png 300w\" sizes=\"auto, (max-width: 492px) 100vw, 492px\" \/><figcaption class=\"wp-element-caption\">Starting the Python web server on the attacking machine<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"608\" height=\"272\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-68.png\" alt=\"\" class=\"wp-image-206\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-68.png 608w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/04\/image-68-300x134.png 300w\" sizes=\"auto, (max-width: 608px) 100vw, 608px\" \/><figcaption class=\"wp-element-caption\">Fetching the script on the victim machine<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"946\" height=\"905\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image.png\" alt=\"\" class=\"wp-image-210\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image.png 946w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-300x287.png 300w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-768x735.png 768w\" sizes=\"auto, (max-width: 946px) 100vw, 946px\" \/><figcaption class=\"wp-element-caption\">Running linpeas.sh on the victim machine<\/figcaption><\/figure>\n\n\n\n<p>After going through the script&#8217;s output, I found nothing easily exploitable; let&#8217;s see whether another route is possible.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"563\" height=\"160\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-1.png\" alt=\"\" class=\"wp-image-211\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-1.png 563w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-1-300x85.png 300w\" sizes=\"auto, (max-width: 563px) 100vw, 563px\" \/><\/figure>\n\n\n\n<p>While wandering around the server, I discover that one of its users is named &#8220;lennie&#8221;; let&#8217;s see whether I can find anything else that would let me pivot to that account:<\/p>\n\n\n\n<p>I take a look at what the file suspicious.pcapng contains:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"959\" height=\"641\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-8.png\" alt=\"\" class=\"wp-image-218\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-8.png 959w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-8-300x201.png 300w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-8-768x513.png 768w\" sizes=\"auto, (max-width: 959px) 100vw, 959px\" \/><\/figure>\n\n\n\n<p>So I understand that a previous attacker has already been here and tried to get onto the server using a password that did not work for the &#8220;www-data&#8221; account.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"297\" height=\"281\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-9.png\" alt=\"\" class=\"wp-image-219\"\/><\/figure>\n\n\n\n<p>I naively try logging in to the server with the password found above and the username &#8220;lennie&#8221;:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"649\" height=\"494\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-10.png\" alt=\"\" class=\"wp-image-220\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-10.png 649w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-10-300x228.png 300w\" sizes=\"auto, (max-width: 649px) 100vw, 649px\" \/><\/figure>\n\n\n\n<p>It worked: the password captured in the pcap is lennie&#8217;s, so the pivot succeeded and I can grab my second flag:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"307\" height=\"61\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-11.png\" alt=\"\" class=\"wp-image-221\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-11.png 307w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-11-300x60.png 300w\" sizes=\"auto, (max-width: 307px) 100vw, 307px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"684\" height=\"119\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-12.png\" alt=\"\" class=\"wp-image-222\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-12.png 684w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-12-300x52.png 300w\" sizes=\"auto, (max-width: 684px) 100vw, 684px\" \/><\/figure>\n\n\n\n<p>Now on to the privilege escalation phase with all the information I hold.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Privilege escalation phase<\/h2>\n\n\n\n<p>In his home folder I notice a sub-folder named &#8220;scripts&#8221;; let&#8217;s see what it contains:<br>There is a script named &#8220;planner.sh&#8221;, presumably one that runs on a schedule; let&#8217;s look at what it executes:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"404\" height=\"99\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-15.png\" alt=\"\" class=\"wp-image-225\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-15.png 404w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-15-300x74.png 300w\" sizes=\"auto, (max-width: 404px) 100vw, 404px\" \/><figcaption class=\"wp-element-caption\">It writes the LIST variable into the text file startup_list.txt and then executes the script &#8216;print.sh&#8217;<\/figcaption><\/figure>\n\n\n\n<p>The text file &#8216;startup_list.txt&#8217; is empty.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"389\" height=\"64\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-16.png\" alt=\"\" class=\"wp-image-226\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-16.png 389w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-16-300x49.png 300w\" sizes=\"auto, (max-width: 389px) 100vw, 389px\" \/><\/figure>\n\n\n\n<p>On the other hand, the script &#8216;print.sh&#8217; executes bash commands, so we can potentially use it to get another reverse shell, this time in a root context: planner.sh is the scheduled job, but it blindly executes print.sh, so whatever privileges the scheduler gives planner.sh are inherited by every command we put into print.sh.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"279\" height=\"52\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-26.png\" alt=\"\" class=\"wp-image-237\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"427\" height=\"69\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-27.png\" alt=\"\" class=\"wp-image-238\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-27.png 427w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-27-300x48.png 300w\" sizes=\"auto, (max-width: 427px) 100vw, 427px\" \/><figcaption class=\"wp-element-caption\">We do have write permission, being the owner of the file.<\/figcaption><\/figure>\n\n\n\n<p>Preparing the bash reverse shell:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"457\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-21-1024x457.png\" alt=\"\" class=\"wp-image-231\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-21-1024x457.png 1024w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-21-300x134.png 300w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-21-768x343.png 768w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-21.png 1114w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"347\" height=\"67\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-20.png\" alt=\"\" class=\"wp-image-230\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-20.png 347w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-20-300x58.png 300w\" sizes=\"auto, (max-width: 347px) 100vw, 347px\" \/><figcaption class=\"wp-element-caption\">The script has been modified.<\/figcaption><\/figure>\n\n\n\n<p>After waiting a minute, I get the reverse connection back in a root context.<br>I use the full TTY technique (<a href=\"https:\/\/hacktricks.boitatech.com.br\/shells\/shells\/full-ttys\">https:\/\/hacktricks.boitatech.com.br\/shells\/shells\/full-ttys<\/a>) to get a reliable environment to work in.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"645\" height=\"318\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-23.png\" alt=\"\" class=\"wp-image-233\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-23.png 645w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-23-300x148.png 300w\" sizes=\"auto, (max-width: 645px) 100vw, 645px\" \/><figcaption class=\"wp-element-caption\">After running the &#8220;id&#8221; command, I can see that I am indeed root.<\/figcaption><\/figure>\n\n\n\n<p>With that I can grab my last flag and finish the box.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"302\" height=\"89\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-25-edited.png\" alt=\"\" class=\"wp-image-236\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-25-edited.png 302w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-25-edited-300x88.png 300w\" sizes=\"auto, (max-width: 302px) 100vw, 302px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"945\" height=\"362\" src=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-24.png\" alt=\"\" class=\"wp-image-234\" srcset=\"https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-24.png 945w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-24-300x115.png 300w, https:\/\/fromkiddietorobot.fr\/wp-content\/uploads\/2025\/05\/image-24-768x294.png 768w\" sizes=\"auto, (max-width: 945px) 100vw, 945px\" \/><\/figure>\n\n\n\n<p>GG !<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Abuse traditional vulnerabilities via untraditional 
means.<\/p>\n","protected":false},"author":3,"featured_media":180,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-179","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf"],"_links":{"self":[{"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/posts\/179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/comments?post=179"}],"version-history":[{"count":10,"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/posts\/179\/revisions"}],"predecessor-version":[{"id":246,"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/posts\/179\/revisions\/246"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/media\/180"}],"wp:attachment":[{"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/media?parent=179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/categories?post=179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/tags?post=179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
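The privilege escalation in the write-up above (a scheduled planner.sh that executes a print.sh the low-privileged user owns) is one instance of a general check: which of the files a scheduled job executes or sources can the current user tamper with? The Python below is an added example, not code from the original post or from the room. It recreates the post's scripts layout in a throwaway directory (the file names, contents and the /tmp location are constructed for the demo and are not the box's real files), extracts every absolute path the job script references, and reports the ones the current user could modify. It goes beyond the post in one respect: it also flags a dependency whose parent directory is writable, since such a file can be replaced even when it is read-only itself.

```python
"""Scheduled-job dependency audit.

Added example, not code from the original post or from the TryHackMe room.
The escalation in the write-up works because a scheduled planner.sh calls a
print.sh that the low-privileged user owns: the scheduler runs planner.sh with
its own (higher) privileges, so whatever is written into print.sh runs with
those privileges too.  The functions below generalise that observation: given a
job script, list every absolute path it references and report the ones the
current user could tamper with.  All file names and contents in demo() are
constructed for this example and are not the box's real files.
"""
import os
import re
import stat
import tempfile

# An absolute path: starts with "/" and is not glued to a preceding word,
# dot, slash, dash or colon, so relative "a/b" paths and URLs such as
# "http://host/x" are not picked up.
PATH_RE = re.compile(r"(?<![\w./:-])(/[\w./-]+)")


def referenced_paths(script_text):
    """Absolute paths mentioned in a shell script, in order, without duplicates.

    Comments are stripped first, which also drops the #! shebang line."""
    seen = []
    for line in script_text.splitlines():
        code = line.split("#", 1)[0]
        for path in PATH_RE.findall(code):
            if path not in seen:
                seen.append(path)
    return seen


def writable_dependencies(script_path):
    """(path, reason) for each referenced file the current user could tamper with.

    Three cases are reported: the file itself is writable by us; its parent
    directory is writable (the file can be replaced even if it is read-only);
    or the file is world-writable (any local user could edit it)."""
    with open(script_path) as fh:
        text = fh.read()
    findings = []
    for path in referenced_paths(text):
        if not os.path.isfile(path):
            continue  # missing or a directory: nothing to inject into yet
        if os.access(path, os.W_OK):
            findings.append((path, "file writable by current user"))
        elif os.access(os.path.dirname(path), os.W_OK):
            findings.append((path, "parent directory writable: file can be replaced"))
        elif stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return findings


def demo():
    """Recreate the post's layout in a temp dir and audit it.

    planner.sh stands in for the scheduled, read-only job; print.sh is the
    dependency the user owns.  Returns (planner_path, print_path, findings)."""
    with tempfile.TemporaryDirectory(prefix="cronaudit_") as base:
        scripts = os.path.join(base, "scripts")
        os.mkdir(scripts)
        print_sh = os.path.join(scripts, "print.sh")
        planner = os.path.join(scripts, "planner.sh")
        with open(print_sh, "w") as fh:
            fh.write("#!/bin/bash\necho \"Done!\"\n")
        with open(planner, "w") as fh:
            fh.write("#!/bin/bash\n"
                     f"echo $LIST > {scripts}/startup_list.txt\n"
                     f"{print_sh}\n")
        os.chmod(planner, 0o555)   # the job itself is not ours to edit
        os.chmod(print_sh, 0o755)  # but this one is: rwx for the owner
        findings = writable_dependencies(planner)
    return planner, print_sh, findings


if __name__ == "__main__":
    planner, print_sh, findings = demo()
    print(f"auditing {planner}")
    for path, reason in findings:
        print(f"  [!] {path}: {reason}")
```

Run on a real host, point `writable_dependencies` at the scripts referenced from the crontabs (the `/etc/cron*` directories, `/etc/crontab` and the per-user crontabs) and at any systemd timer's `ExecStart` target; the one caveat is that the check is only as good as the path extraction, so a job that builds paths from variables or `cd`s before calling a relative name needs a manual look. Note also that `startup_list.txt` is deliberately not reported: it does not exist yet, and the job only writes to it, so there is nothing to inject into.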