This post documents the complete walkthrough of Writeup, a retired vulnerable VM created by jkr, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.
On this post
Background
Writeup is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan
probe to establish the open ports in the host.
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.138 --rate=1000
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-06-11 06:06:24 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.138
Discovered open port 22/tcp on 10.10.10.138
Nothing unusual with the ports. Let’s do one better with nmap
scanning the discovered ports to establish the services.
# nmap -n -v -Pn -p22,80 -A --reason -oN nmap.txt 10.10.10.138
...
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_ 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Hmm. There’s an entry in robots.txt
, calling me to check it out. Here’s how it looks like.
Pretty HTML
CMS Made Simple
If you check out the HTML source of /writeup
, you’ll see that CMS Made Simple was used.
And because this box is pretty new, you have to look for a relatively new exploit as well. For that, look no further than EDB-ID 46635. Running the exploit is pretty self-explanatory.
Once that’s done, we can go ahead and recover the password from the salted MD5 hash with John the Ripper.
# cat hash.txt
62def4866937f08cc13bab43bb14e6f7$5a599ef579066807
According to the exploit, the hash format is md5($s.$p)
.
# john --list=subformats
...
UserFormat = dynamic_1017 type = dynamic_1017: md5($s.$p) (long salt)
...
It was super quick!
Low-Privilege Shell
Perhaps the credential (jkr:raykayjay9
) is meant for SSH? Well, there’s only one way to find out.
Baam. Straight to user.txt
.
Privilege Escalation
During enumeration of jkr
’s account, I noticed that it’s in the staff
group, which is pretty unusual. Check out what the staff
group can do.
This means that jkr
as a member of staff
, can write stuff to /usr/local/bin
and /usr/local/sbin
! Now, I just need something to execute stuff from these two directories. Enter pspy
.
See what happens when I log in.
Classic search path hijacking. Armed with this knowledge, we can create the following “fake” run-parts
.
It creates a .ssh
directory in /root
if it doesn’t exist and then echo
a SSH public key I control to authorized_keys
. Lastly, we simply pass all the original options and arguments to the real run-parts
.
Let’s test this concept.
Awesome. Getting root.txt
is trivial.