Hey guys, today Writeup retired and here’s my write-up about it. It was a very nice box and I enjoyed it. It’s a Linux box and its IP is 10.10.10.138; I added it to /etc/hosts as writeup.htb. Let’s jump right in!
As always, we start with nmap to scan for open ports and services:
root@kali:~/Desktop/HTB/boxes/writeup# nmap -sV -sT -sC -o nmapinitial writeup.htb
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-11 16:03 EET
Nmap scan report for writeup.htb (10.10.10.138)
Host is up (0.14s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.71 seconds
We got HTTP on port 80 and SSH on port 22. On port 80, nmap found /robots.txt with a disallowed entry for /writeup.
The index page says that the website is not ready yet; it also says that there’s a DoS protection script, so we won’t brute-force anything. Let’s check /writeup:
/writeup is the write-ups page and, as the index page said, it’s still not ready, which is why it was disallowed in robots.txt. I checked Wappalyzer’s results and saw that it’s using a CMS called CMS Made Simple:
Without Wappalyzer we can still identify it by looking at the source of the page:
<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />
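The same identification, automated for your own sites: an added example (not code from the post, from Wappalyzer, or from CMS Made Simple) that parses a page for the generator meta tag whatever the attribute order and, together with the Server header nmap reported, lists what a response advertises about the stack. The sample HTML and header values are constructed from the post's findings; the function names are assumptions of this example.

```python
"""Added example, not from the original post: report what a page and its
response headers reveal about the software behind it. The sample HTML and
header values are constructed from the post's findings."""
import re
from html.parser import HTMLParser

# Constructed sample: the meta tag quoted in the post (attributes deliberately
# in the other order) inside some filler markup.
SAMPLE_HTML = """<html><head>
<title>Nothing here yet.</title>
<meta content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." name="Generator" />
</head><body><p>Coming soon</p></body></html>"""

# Constructed sample headers; the Server value is the one nmap reported.
SAMPLE_HEADERS = {"Server": "Apache/2.4.25 (Debian)", "Content-Type": "text/html"}


class GeneratorMetaParser(HTMLParser):
    """Collects the content of every <meta name="generator"> tag, regardless of
    attribute order or case, which a plain substring search would miss."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "generator" and attr.get("content"):
            self.generators.append(attr["content"].strip())


def generator_tags(html):
    """Return the content strings of all generator meta tags in `html`."""
    parser = GeneratorMetaParser()
    parser.feed(html)
    return parser.generators


YEAR_RANGE = re.compile(r"\b(\d{4})\s*-\s*(\d{4})\b")
VERSIONED_SERVER = re.compile(r"^([A-Za-z][\w.-]*)/(\d[\w.]*)")


def exposure_report(html, headers):
    """Return (source, finding) pairs: the CMS product name, the latest
    copyright year (an upper bound on the release date, which is exactly how
    the post narrows its exploit search), and the web server version."""
    findings = []
    for content in generator_tags(html):
        product = content.split(" - ")[0].strip()
        findings.append(("meta generator", f"product: {product}"))
        years = YEAR_RANGE.search(content)
        if years:
            findings.append(("meta generator", f"latest year: {years.group(2)}"))
    match = VERSIONED_SERVER.match(headers.get("Server", ""))
    if match:
        findings.append(("Server header", f"{match.group(1)} version {match.group(2)}"))
    return findings


if __name__ == "__main__":
    for source, finding in exposure_report(SAMPLE_HTML, SAMPLE_HEADERS):
        print(f"{source}: {finding}")
```

Run it against a page fetched from one of your own hosts and anything it prints is what an attacker gets for free; the usual fixes are removing the generator tag in the CMS template and setting Apache's ServerTokens to Prod.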
SQLi, User Flag
I searched for exploits for CMS Made Simple, and because the version was from 2019 (Copyright (C) 2004-2019) I searched only for exploits from 2019. I found this SQL injection exploit, so I gave it a try. I set the time to 3:
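From the defending side, the delay that makes a time-based blind injection work is also its signature in the web server logs. The following is an added example, not the post's code and not the exploit it links: detection logic for time-based blind SQL injection over Apache combined-format access logs. The log lines, client addresses, user agents and rule names are constructed; only the /writeup path comes from the post.

```python
"""Added example (not code from the original post, nor from the exploit it
links): detection logic for time-based blind SQL injection, run over Apache
combined-format access logs. The log lines, client addresses and rule names
are constructed for illustration; only the /writeup path comes from the post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Delay primitives a time-based blind injection depends on, per database engine.
DELAY_RULES = [
    ("mysql sleep()", re.compile(r"\bsleep\s*\(\s*\d")),
    ("mysql benchmark()", re.compile(r"\bbenchmark\s*\(")),
    ("postgres pg_sleep()", re.compile(r"\bpg_sleep\s*\(")),
    ("mssql waitfor delay", re.compile(r"\bwaitfor\s+delay\b")),
]

# Constructed sample log: two ordinary page views, then two requests whose query
# string carries a delay primitive (the second one double URL-encoded).
SAMPLE_LOG = "\n".join([
    '10.10.14.2 - - [11/Oct/2019:16:05:01 +0200] "GET /writeup/index.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [11/Oct/2019:16:05:09 +0200] "GET /writeup/index.php?page=news HTTP/1.1" 200 2810 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [11/Oct/2019:16:07:30 +0200] "GET /writeup/index.php?page=1%20and%20sleep(3) HTTP/1.1" 200 2810 "-" "python-requests/2.22"',
    '10.10.14.9 - - [11/Oct/2019:16:07:34 +0200] "GET /writeup/index.php?page=1%2520and%2520benchmark(1) HTTP/1.1" 200 2810 "-" "python-requests/2.22"',
])


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Decode twice so a double-encoded payload reads as the database would see it,
    # then lowercase and collapse whitespace so the rules can stay simple.
    rec["query"] = re.sub(r"\s+", " ", unquote_plus(unquote_plus(parts.query))).lower()
    return rec


def delay_findings(log_text):
    """Return (client, path, rule name) for every request whose query string
    contains a delay primitive."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in DELAY_RULES:
            if pattern.search(rec["query"]):
                findings.append((rec["ip"], rec["path"], name))
                break
    return findings


def blind_probe_bursts(log_text, window=timedelta(seconds=60), threshold=20):
    """Second signal: blind extraction costs one request per character or bit,
    so look for a client hammering one path far faster than anyone browses.
    Returns {(client, path): most requests seen inside any single window}."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            times[(rec["ip"], rec["path"])].append(rec["time"])
    bursts = {}
    for key, ts in times.items():
        ts.sort()
        best = start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts


def constructed_probe_log(client="10.10.14.9", count=25, gap_seconds=2):
    """Build a constructed log in which one client requests the same page
    `count` times, `gap_seconds` apart, the rhythm of a blind probe loop."""
    base = datetime(2019, 10, 11, 16, 10, 0)
    lines = []
    for i in range(count):
        stamp = (base + timedelta(seconds=i * gap_seconds)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(f'{client} - - [{stamp} +0200] "GET /writeup/index.php?page={i} HTTP/1.1" '
                     f'200 2810 "-" "python-requests/2.22"')
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in delay_findings(SAMPLE_LOG):
        print("delay primitive:", finding)
    for (client, path), n in blind_probe_bursts(constructed_probe_log()).items():
        print(f"burst: {client} hit {path} {n} times inside 60s")
```

The signature rules catch the probe payloads themselves; the burst heuristic catches the shape of the attack even when the payload is obfuscated past the rules, at the cost of needing a threshold tuned to the site's real traffic.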
Which means that we can put an executable of our choice in /usr/local/bin and call it run-parts, then SSH into the box again and our fake run-parts will be executed as root. I wrote a bash script that echoes:
to /etc/passwd, which will add a new user rooot : AAAA with uid 0 (same as in the previous post).
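Both conditions the post relies on are easy to audit on the defending side. The following is an added example, not the post's script: it walks PATH in lookup order and reports group- or world-writable directories searched before the real run-parts, and it lists uid-0 accounts other than root in /etc/passwd, the trace the post's script leaves behind. The directory layout and the passwd excerpt are constructed for the demonstration and the function names are my own.

```python
"""Added example, not from the original post: two host checks a defender would
run against the conditions the post exploits (a writable directory early in
root's PATH, and a rogue uid-0 account in /etc/passwd). Function names, the
directory layout and the passwd excerpt are constructed here."""
import os
import stat
import tempfile

# Constructed /etc/passwd excerpt: the normal root entry, an ordinary user, and
# the kind of extra uid-0 line the post's script appends.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
rooot:x:0:0:rooot:/root:/bin/bash
"""


def extra_uid0_accounts(passwd_text):
    """Return every account whose uid is 0 but whose name is not 'root'."""
    extras = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            extras.append(fields[0])
    return extras


def hijackable_dirs(path_value, command):
    """Walk PATH in lookup order and return the group- or world-writable
    directories searched before (or holding) the first match for `command`.
    A low-privileged user who can write there can plant a look-alike that a
    root process resolves first, which is the run-parts trick in the post."""
    exposed = []
    for d in path_value.split(os.pathsep):
        if not d:
            continue
        try:
            mode = os.stat(d).st_mode
        except FileNotFoundError:
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            exposed.append(d)
        candidate = os.path.join(d, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            break  # lookup stops here; later entries cannot shadow it
    return exposed


def constructed_layout():
    """Create a throwaway directory tree reproducing the exposure: a
    group-writable dir searched ahead of the one holding the real command.
    Returns the loose dir plus an exposed and a safe PATH string over it."""
    base = tempfile.mkdtemp(prefix="pathaudit-")
    loose, strict, trailing = (os.path.join(base, n) for n in ("local-bin", "bin", "games"))
    for d, mode in ((loose, 0o775), (strict, 0o755), (trailing, 0o777)):
        os.mkdir(d)
        os.chmod(d, mode)  # explicit, so the process umask cannot change the result
    real = os.path.join(strict, "run-parts")
    with open(real, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(real, 0o755)
    exposed_path = os.pathsep.join([loose, strict, trailing])
    safe_path = os.pathsep.join([strict, loose, trailing])
    return loose, exposed_path, safe_path


if __name__ == "__main__":
    # Live checks on the host running this script.
    for d in hijackable_dirs(os.environ.get("PATH", ""), "run-parts"):
        print("writable directory ahead of run-parts in PATH:", d)
    try:
        with open("/etc/passwd") as fh:
            for name in extra_uid0_accounts(fh.read()):
                print("extra uid-0 account:", name)
    except OSError as exc:
        print("could not read /etc/passwd:", exc)
```

Note that a directory after the one holding the real binary is not reported, since the lookup never reaches it; the check is about ordering, not about writable directories in general, and the PATH to audit is the one root's login and cron environment actually uses, not necessarily the caller's.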