WriteUp - HackTheBox
I started by doing a scan with Nmap to detect open ports.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sS --min-rate=5000 -p- -v -Pn -n 10.10.10.138 -oG allports
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-13 19:35 CEST
Initiating SYN Stealth Scan at 19:35
Scanning 10.10.10.138 [65535 ports]
Discovered open port 22/tcp on 10.10.10.138
Discovered open port 80/tcp on 10.10.10.138
Completed SYN Stealth Scan at 19:36, 26.41s elapsed (65535 total ports)
Nmap scan report for 10.10.10.138
Host is up (0.050s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.54 seconds
Raw packets sent: 131088 (5.768MB) | Rcvd: 27 (1.444KB)
Then I ran another scan to detect the version and service of each open port.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sC -sV -p80,22 10.10.10.138 -oN targeted
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-13 19:38 CEST
Nmap scan report for writeup.htb (10.10.10.138)
Host is up (0.035s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_ 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.82 seconds
I had two ports open: one SSH and the other an HTTP server. This is what the web server had.
I tried to fuzz the website, but it seemed that some kind of rule was being applied at the iptables level and it wouldn't let me. I looked at the robots.txt and found an interesting route called writeup. This is what the page had.
I ran whatweb on the page and saw that it was running CMS Made Simple.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ whatweb http://10.10.10.138/writeup/
http://10.10.10.138/writeup/ [200 OK] Apache[2.4.25], CMS-Made-Simple, Cookies[CMSSESSID9d372ef93962], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[10.10.10.138], MetaGenerator[CMS Made Simple - Copyright (C) 2004-2019. All rights reserved.], Title[Home - writeup]
I searched for a CMS Made Simple exploit and found one that took advantage of SQLi -> 46635.py. It asked me for a dictionary; I gave it rockyou.txt and the attack started, and it cracked the password in a matter of a minute or so.
The machine had SSH open, so I tried to authenticate with the password I had obtained as the jkr user, and it worked. I could now see the user's "flag".
PRIVILEGE ESCALATION
Now all that was missing was the privilege escalation. For this I spent some time investigating the machine until I found that a task was being executed at regular intervals, triggered when an SSH session started: run-parts. Basically, it takes a directory and executes each "script" inside it. The important thing, though, is not that, but that the task was being invoked without its absolute path, so this was a PATH hijacking.
To get root, I ran which on run-parts to see its absolute path, then went to that directory and created a file called run-parts that sets the SUID bit on bash. I gave it execute permissions, copied the run-parts file I had created to the absolute path of the run-parts task, restarted the SSH session and reconnected, and became root by running bash -p. I could now view the root "flag".
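As an added defender's check (not part of the original writeup), the script below audits a PATH value for directories that a given user could write to and that are searched before the directory holding the real binary; those are exactly the places where a same-named file would shadow run-parts. The PATH string, filesystem model, uid and group ids are constructed for the example; audit_live repeats the check against the real filesystem of whatever host it runs on.

```python
import os
import stat

def writable_by(mode, uid, gid, user_uid, user_gids):
    """True if user_uid / user_gids may create files in a directory with these bits."""
    if uid == user_uid and mode & stat.S_IWUSR:
        return True
    if gid in user_gids and mode & stat.S_IWGRP:
        return True
    # world-writable counts only without the sticky bit (/tmp-style dirs are excluded)
    return bool(mode & stat.S_IWOTH) and not mode & stat.S_ISVTX

def shadowing_dirs(path_value, cmd, dirs, user_uid, user_gids):
    """dirs maps directory -> (st_mode, uid, gid, set of file names). Returns the
    directories searched before the first one holding cmd that the user can write to."""
    hits = []
    for d in path_value.split(":"):
        if d not in dirs:
            continue          # directory does not exist: nothing can be placed there
        mode, uid, gid, files = dirs[d]
        if cmd in files:
            break             # real binary found; later PATH entries are irrelevant
        if writable_by(mode, uid, gid, user_uid, user_gids):
            hits.append(d)
    return hits

def audit_live(cmd, path_value=None):
    """Run the same check against the real filesystem for the current user."""
    path_value = path_value or os.environ.get("PATH", "")
    model = {}
    for d in path_value.split(":"):
        try:
            st = os.stat(d)
            model[d] = (st.st_mode, st.st_uid, st.st_gid, set(os.listdir(d)))
        except OSError:
            continue          # missing or unreadable directory: skip it
    return shadowing_dirs(path_value, cmd, model, os.getuid(), set(os.getgroups()))

# Constructed model (not the real box): /usr/local/* group-writable by gid 50
# (a "staff"-style group), system dirs root-only, run-parts living in /bin.
D = stat.S_IFDIR
SAMPLE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SAMPLE_FS = {
    "/usr/local/sbin": (D | 0o2775, 0, 50, set()),
    "/usr/local/bin":  (D | 0o2775, 0, 50, set()),
    "/usr/sbin":       (D | 0o755, 0, 0, {"sshd"}),
    "/usr/bin":        (D | 0o755, 0, 0, {"which"}),
    "/sbin":           (D | 0o755, 0, 0, set()),
    "/bin":            (D | 0o755, 0, 0, {"bash", "run-parts"}),
}
```

Running shadowing_dirs(SAMPLE_PATH, "run-parts", SAMPLE_FS, 1000, {1000, 50}) on the model reports the two /usr/local directories; a user who is not in gid 50 gets an empty list, which is the state a hardened PATH for privileged jobs should be in.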