Hack The Box - Writeup server


Writeup is a retired Linux server on the HackTheBox penetration testing lab. It was marked with Easy difficulty, which again makes it an ideal candidate for beginners to start with. I am writing this post because an almost identical vulnerability appears in one recently released server. As usual, I am going to try to write the entire walkthrough as detailed as possible, so it is clear to everyone what is being done and why.

We will use/learn: nmap, www.exploit-db, pspy, reverse shell.


Getting User:

Let's start with basic enumeration of the ports & services running on the server with nmap (Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Source).  

For those not familiar with the command I suggest checking this cheat-sheet first:  nmap-cheat-sheet

Before we start, let's add the IP address of the server (10.10.10.138) into /etc/hosts file, so we can start using the server name (writeup.htb) instead of the IP address. 


We have two open ports: 22 (SSH) and 80 (HTTP, running Apache). We can also see that there is a robots.txt file that tells crawlers such as Google not to index the writeup directory created on the web server. (More about the robots.txt file can be found here: Link)

The http://writeup.htb page gives us a warning message that we should not be brute-forcing the server (A Brute Force Attack is the simplest method to gain access to a site or server (or anything that is password protected). It tries various combinations of usernames and passwords again and again until it gets in. This repetitive action is like an army attacking a fort. Source)


However, nmap revealed a /writeup directory on the site. So when we navigate there, we can see this page:


But again, nothing too fancy here. ypuffy and blue are old, retired servers on the HackTheBox network, and these directories only show how to hack them; they do not have any information about this Writeup server. Because we cannot find anything here, the next step is to look at the source code of the page:


We can see that the site uses the CMS Made Simple engine. Let's check the exploit database for a possible exploit. www.exploit-db.com is a huge repository of both tested and un-tested exploits for various systems and applications. When we search for CMS Made Simple, we get several hits. We need to try them one by one:



When we download this file, we can see it is a Python script named 46635.py. A quick check of it tells us that it performs an unauthenticated SQL injection and that we are going to need to provide some parameters in order to run it. The first parameter is the website (in our case it is http://writeup.htb/writeup) and the second is a wordlist for cracking the password. I'm going to use the biggest file there is in Kali Linux, the rockyou.txt file, which currently contains over 14 million passwords.


When we run the command: 
python 46635.py -u http://10.10.10.138/writeup --crack -w /usr/share/wordlists/rockyou.txt

we get the username and the cracked password:


So we can now SSH in as jkr (command: ssh jkr@writeup.htb, password: raykayjay9) and get the user's flag (in user.txt).




Getting Root: 


For root we are going to need the pspy tool. pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate to your colleagues why passing secrets as arguments on the command line is a bad idea (Source). So let's download it from this Github link and copy it over to the server via scp.

We run the tool in one terminal window and log in as the jkr user in another one.



And we can see that the MOTD (Message of the Day) scripts are being executed as the root user. These scripts are executed every time a user logs in.

Pay attention to the run-parts bit. It is invoked by a relative name, not an absolute path, so the shell has to resolve it by searching the directories listed in the PATH variable, in order. The real run-parts binary is stored in the /bin/ directory. If we can create our own run-parts in any PATH directory that comes BEFORE /bin/, that file is found first and executed as root, with whatever code we wrote in it. (The difference between absolute and relative paths can be found here: Link).
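From the defender's side, the weakness above is easy to audit: for every command a root-run script invokes by bare name, walk PATH in order and check whether a directory writable by non-root users is searched before the directory that really holds the binary. The following is an added example, not code from the original post or from the box; the function names (hijack_risks, bare_commands) and the filesystem model at the bottom are my own constructed stand-ins for what pspy showed on this machine.

```python
#!/usr/bin/env python3
"""Audit a root-run shell script for commands that can be shadowed via PATH."""
import os
import shlex
import stat
from collections import namedtuple

# Shell keywords/builtins that never resolve through PATH.
BUILTINS = {"if", "then", "else", "fi", "for", "do", "done", "while", "case",
            "esac", "[", "test", "echo", "exit", "export", "cd", "set"}

def writable_by_non_root(path, stat_fn=os.stat):
    """True if the directory is owned by a non-root user or is group/world writable."""
    try:
        st = stat_fn(path)
    except OSError:
        return False
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def bare_commands(script_text):
    """Yield (lineno, name) for commands invoked without any path component."""
    for n, line in enumerate(script_text.splitlines(), 1):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes: skip the line rather than guess
        while tokens and "=" in tokens[0]:
            tokens.pop(0)  # drop leading VAR=value assignments (e.g. PATH=...)
        if tokens and "/" not in tokens[0] and tokens[0] not in BUILTINS:
            yield n, tokens[0]

def hijack_risks(script_text, path_env, exists_fn=os.path.exists, stat_fn=os.stat):
    """Return [(lineno, cmd, dir)] where a non-root-writable PATH directory is
    searched before the directory that actually contains the binary."""
    risks = []
    for n, cmd in bare_commands(script_text):
        for d in path_env.split(":"):
            if exists_fn(os.path.join(d, cmd)):
                break  # real binary found; later directories are never consulted
            if writable_by_non_root(d, stat_fn):
                risks.append((n, cmd, d))
                break
    return risks

# Constructed model of the box (not real pspy output): /usr/local/sbin is
# group-writable, while the real run-parts lives in /bin, last in PATH.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")
MODEL_DIRS = {"/usr/local/sbin": FakeStat(0, 0o2775)}   # all others: root, 0755
MODEL_FILES = {"/bin/run-parts", "/bin/uname"}
ROOT_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
MOTD_SCRIPT = "#!/bin/sh\n# shown at login\nrun-parts --lsbsysinit /etc/update-motd.d\n/bin/uname -snrvm\n"

def demo():
    """Run the audit against the constructed model instead of the live filesystem."""
    return hijack_risks(MOTD_SCRIPT, ROOT_PATH,
                        exists_fn=lambda p: p in MODEL_FILES,
                        stat_fn=lambda d: MODEL_DIRS.get(d, FakeStat(0, 0o755)))

if __name__ == "__main__":
    for lineno, cmd, d in demo():
        print(f"line {lineno}: '{cmd}' can be shadowed from {d}")
```

Calling hijack_risks with the default exists_fn/stat_fn runs the same check against the real filesystem; the fix it points at is either an absolute path in the script or a PATH that contains no directory writable by unprivileged users.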

So let's create our run-parts file in /usr/local/sbin. We are going to use a reverse shell written as a Python script (A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the local host. Attackers who successfully exploit a remote command execution vulnerability can use a reverse shell to obtain an interactive shell session on the target machine and continue their attack. A reverse shell (also called a connect-back shell) can also be the only way to gain remote shell access across a NAT or firewall. Source).

There is no need to reinvent the wheel; there are plenty of reverse shell samples available all around the internet. I am using this one as it is tested and reliable: Pentestmonkey_shells.


We need to change the IP address to the one configured on our Kali Linux. We can leave the port as it is (just keep in mind that 1234 may be used by several people, so it is good practice to pick a different port when multiple people are working on the box at the same time).

Once we save the file as /usr/local/sbin/run-parts, we need to change the permissions and make it executable (command: chmod 777 /usr/local/sbin/run-parts).

Now we start a listener on our Kali Linux (command: nc -lnvp 1234) and log in again in another terminal window. We get a reverse shell as root!



As I said, a similar vulnerability was used in one of the recent HTB servers. If you follow the steps above, you cannot miss it.

Thanks for reading! 
