Writeup: Hack The Box Walkthrough

This post documents the complete walkthrough of Writeup, a retired vulnerable VM created by jkr, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

On this post

• Background
• Information Gathering
  • CMS Made Simple
• Low-Privilege Shell
• Privilege Escalation

Background

Writeup is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.138 --rate=1000

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-06-11 06:06:24 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.138
Discovered open port 22/tcp on 10.10.10.138

Nothing unusual with the ports. Let’s do one better with nmap scanning the discovered ports to establish the services.

# nmap -n -v -Pn -p22,80 -A --reason -oN nmap.txt 10.10.10.138
...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET POST
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.

Hmm. There’s an entry in robots.txt, calling me to check it out. Here’s how it looks like.

Pretty HTML

CMS Made Simple

If you check out the HTML source of /writeup, you’ll see that CMS Made Simple was used.

And because this box is pretty new, you have to look for a relatively new exploit as well. For that, look no further than EDB-ID 46635. Running the exploit is pretty self-explanatory.

Once that’s done, we can go ahead and recover the password from the salted MD5 hash with John the Ripper.

# cat hash.txt
62def4866937f08cc13bab43bb14e6f7$5a599ef579066807

According to the exploit, the hash format is md5($s.$p).

# john --list=subformats
...
UserFormat = dynamic_1017  type = dynamic_1017: md5($s.$p) (long salt)
...

It was super quick!

Low-Privilege Shell

Perhaps the credential (jkr:raykayjay9) is meant for SSH? Well, there’s only one way to find out.

Baam. Straight to user.txt.

Privilege Escalation

During enumeration of jkr’s account, I noticed that it’s in the staff group, which is pretty unusual. Check out what the staff group can do.

This means that jkr as a member of staff, can write stuff to /usr/local/bin and /usr/local/sbin! Now, I just need something to execute stuff from these two directories. Enter pspy.

See what happens when I log in.

Classic search path hijacking. Armed with this knowledge, we can create the following “fake” run-parts.

It creates a .ssh directory in /root if it doesn’t exist and then echo a SSH public key I control to authorized_keys. Lastly, we simply pass all the original options and arguments to the real run-parts.

Let’s test this concept.

Awesome. Getting root.txt is trivial.