HackTheBox Writeup — Writeup

Hello Guys , I am Faisal Husaini. My username on HTB is “faisalelino” .

The IP of this box is

NMAP Results

nmap -sC -sV -oN nmap-writeup

We see 2 ports open , Port 22 and Port 80 running SSH and HTTP

We now check web services running on this machine.

Port 80 — HTTP Service

As we check the IP on the browser , we get to see

Running gobuster against this doesn’t work as there is a WAF

From the NMAP Scan , we can see that there is robots.txt file , checking it , we get

We see that there is a /writeup directory disallowed in the robots.txt file , let’s try to access it

We see a page , which is regarding writeups and all

Analyzing the page on Wappalyzer , we get to know

The page uses CMS Made Simple (CMSMS) , and looking for exploits for it on Google we get one for SQLi ( link at the end of this writeup)

Checking the usage of the exploit script , we see

So we need to specify the URL using -u and also specify it to crack and provide a wordlist

We are set and ready to run this script and here we do

So we got the Username as jkr and the password as raykayjay9

Now , from the documentation of this script , it was given that this CMSMS has an admin panel by default as /admin , in our case it is in /writeup/admin

As we can see it prompts us for the Username and Password , so we now put the credentials which we got after running the python exploit script

Hmmm!! It doesn’t work , but we remember from the NMAP Scan that we had SSH Open , so we try these credentials on SSH

We got successfully logged in as jkr through SSH , let’s try to get the user flag first

The user flag was located on the same directory where we were spawned after SSH Login , now time for Priv Esc

Privelege Escalation

We run pspy on this box and see what processes or crons are running

So we see that when we login through SSH each and everytime , “sh -c /usr/bin/env -i PATH=linuxpaths run-parts something “ is ran

Checking the permissions of the paths in the PATH variable , we see that

/usr/local/sbin directory has group permission for staff

When we run the id command , we can see that we can run or edit files as staff group member

So , now we will try to hijack the path and create our run-parts binary as the original one was located under /bin directory which was at the last of the PATH variable

We can hijack the PATH and create our own run-parts under /usr/local/sbin directory and then make it run through the SSH login

We created our binary and set the permission of it to 777

We can see that the file is created and the permissions are set

Now we set up netcat listener and wait for the connection after the new SSH login from us

Here we login through SSH again from another terminal so that we get hit for the shell

Boom! We got the reverse shell and we can check the details down below

Now we go for root flag which is usually located under /root/root.txt file

This was really a fantastic box and I really enjoyed solving this , Thanks to jkr for creating this box. If you loved reading this writeup , please do leave 50 claps :)

Resources Used While Solving This Box

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover