HTB: Writeup

Target Experience:

My observations while working this target:

· Enumeration: Life-like

· Vulnerabilities: Life-like

· Exploitation: Life-like/CTF-like

· Difficulty: Easy/Medium

· Community Notes: Life-like/CTF-like

Tools:

The recommended tools for this lab were:

· Nmap

· Browser

· Searchsploit

· Python

· SSH

· pspy

Vulnerabilities:

The following vulnerabilities were found:

· Remote Code Execution

· Misconfiguration

· Local Privilege Escalation

Information Gathering:

Using my trusty Nmap scanner, I performed a scan for service version detection, OS detection, script scanning, and traceroute.

Nmap Scan

Next, I tried Nikto and dirb, but kept getting disconnected from the target. I had thought that there was a lot of traffic or that a reboot was taking place. However, this behavior persisted during each scan. So, I decided to launch a web browser and take a look at the site.

Target Root Web Site

The site noted that there was DoS protection and that false positives may occur. That explained why the automated tools were disconnecting. So, I had to start manually enumerating the target web server.

I also took note of the email address as I was thinking that this could have been important.

Web Enumeration:

Reviewing the findings from Nmap, I knew that robots.txt and the /writeup/ directory were present.

Robots.txt
/writeup/ Directory

Next, I reviewed the ypuffy, blue, and writeup hyperlinks. I did not find useful information on the ypuffy or the blue web pages. However, I did find it interesting that the writeup site was incomplete.

writeup Web Page: Source

After exhausting my manual search for finding additional web pages, I visited https://www.cmsmadesimple.org to find out more about the content generator. Reviewing the site, I found that there was an admin page that should be included within the webserver of the target. So, I returned and further enumerated until I found the admin login page.

Admin Login Page

CMS Made Simple Exploit:

Launching searchsploit, I searched to determine if a vulnerability and/or exploit would be listed for CMS. It turned out that there were many entries returned within searchsploit.

searchsploit Results

I reviewed several scripts and ultimately settled on the SQL Injection RCE, by Daniel Scanu, based on the details found for CVE-2019–9053.

https://packetstormsecurity.com/files/cve/CVE-2019-9053

https://www.exploit-db.com/exploits/46635

I ran the script multiple times and found the output to be rather odd. Reviewing a post on HTB, it was noted that the TIME variable may need to be adjusted in order to receive valid output.

Truncated Python Script

So, I increase the variable by one until the email output matched what I found from the email address on the target’s default website.

After I started receiving the same output, after multiple attempts, I moved to my cracking rig to use HashCat. Since the password hash was 32 characters, as well as mention of the hash type within the Python script, I knew that the hash was MD5.

So, I created several files with variations of MD5+Salt+Pass and tried them against several MD5 hashes within HashCat. However, I did not have much luck. I then reviewed the Python script and discovered that it could use a wordlist to crack the password.

After modifying the script flags, I launched the script and let it crack against the default rockyou.txt wordlist on my attacker system. This took roughly an hour +/- to crack the password.

Exploited Credentials

Edit: after cracking the hash with the Python program, I returned to HashCat determined to crack the hash. I reexamined the output and realized that I was using an incorrect hash separator character as well as in the incorrect order. Once corrected, the file containing the following hash format:

Formatted Hash

Next, I used the MD5 20 (MD5+Salt+Pass); which was the opposite for the formatted hash from above. I overlooked MD5 10 (MD5+Pass+Salt); which also worked.

HashCat Syntax

HashCat cracked the hash within less than a second.

HashCat Success
Pot File Results

Foothold:

With the newly obtained credentials, I launched SSH to see if I could connect to the target.

SSH Connectivity

After connecting to the target, I issued the commands of whoami && id to determine privileges.

User Account

I then listed the contents of the /home directory and then the /home/jkr directory; where I found and viewed the contents of the user.txt file.

User.txt

Privilege Escalation:

I started performing typical enumeration, but seemed to not be coming up with anything. I ran LinEnum.sh and lse.sh and found a couple of interesting items.

Using a tip that was provided, I decided to upload pspy from GitHub. The tool permitted unprivileged users to ‘snoop’ on processes :

With the tool uploaded to the home directory, I launched it and observed the results.

pspy64s: Initial

Since I was on a HTB free server, I started noticing interesting traffic when others were logging into the target via SSH. The part that caught my eye was the script that posted the motd.d or message of the day.

pspy64s: SSH Login

Next, I decided to research each one of the commands to determine what was occurring during the login process. In addition, I reviewed each one of the directories that was within the PATH statement as well.

Command Details

Unlike the other directories, /usr/local/bin and /usr/local/sbin both had write access and no read access for the group of staff. Reviewing the output from the id command from above, I knew that the jkr user was a member of staff. Meaning, I could create a file/script in either directory.

Directory Permissions

To aid me in this process, I reviewed IppSec’s video review of the HTB system Lazy. The interesting portion of the video was between 17:30 and 22:50 of the following link:

https://www.youtube.com/watch?v=3VxZNflJqsw

Armed with that information, I needed to replicate that technique with the login process. So, I created the following script and gave it execute privileges. I then moved the script to the /usr/local/sbin directory.

Privilege Escalation Script

Next, I logged out of the target and then SSH’d back into the target. I immediately reviewed the /tmp directory for the file of testing.out; which had the contents of the root flag.

Root.txt

Note: I probably would have been better served by obtaining a reverse shell with Netcat instead of going directly after the flag.

Edit: I decided it would be best to go back and create a reverse shell using Python.

Python Reverse Shell Script
Privilege Escalation Steps
Shell and Root.txt

Cleanup:

To cleanup my tracks, so other were not able to read the contents of the testing.out file, I used the following process and then logged out and back into the target.

Cleanup Script
Empty File

Resources:

https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

https://github.com/DominicBreuker/pspy

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.

Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.

Information within this article is “as is”, without warranty of any sort.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store