This post documents the complete walkthrough of Writeup, a retired vulnerable VM created by jkr, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.


Background

Writeup is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.138 --rate=1000
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-06-11 06:06:24 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.138
Discovered open port 22/tcp on 10.10.10.138

Nothing unusual with the ports. Let’s do one better with nmap, scanning the discovered ports to establish the services.

# nmap -n -v -Pn -p22,80 -A --reason -oN nmap.txt 10.10.10.138
...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET POST
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.

Hmm. There’s an entry in robots.txt, calling me to check it out. Here’s how it looks.

Pretty HTML

CMS Made Simple

If you check out the HTML source of /writeup, you’ll see that CMS Made Simple was used.

And because this box is pretty new, you have to look for a relatively new exploit as well. For that, look no further than EDB-ID 46635. Running the exploit is pretty self-explanatory.

Once that’s done, we can go ahead and recover the password from the salted MD5 hash with John the Ripper.

# cat hash.txt
62def4866937f08cc13bab43bb14e6f7$5a599ef579066807

According to the exploit, the hash format is md5($s.$p).

# john --list=subformats
...
UserFormat = dynamic_1017  type = dynamic_1017: md5($s.$p) (long salt)
...

It was super quick!

Low-Privilege Shell

Perhaps the credential (jkr:raykayjay9) is meant for SSH? Well, there’s only one way to find out.

Baam. Straight to user.txt.

Privilege Escalation

During enumeration of jkr’s account, I noticed that it’s in the staff group, which is pretty unusual. Check out what the staff group can do.

This means that jkr, as a member of staff, can write to /usr/local/bin and /usr/local/sbin! Now, I just need something that executes binaries from these two directories. Enter pspy.

See what happens when I log in.

Classic search path hijacking. Armed with this knowledge, we can create the following “fake” run-parts.

It creates a .ssh directory in /root if one doesn’t exist, then echoes an SSH public key I control into authorized_keys. Lastly, it simply passes all the original options and arguments on to the real run-parts.

Let’s test this concept.
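The root cause of this privilege escalation is a writable directory (here /usr/local/bin, writable by the staff group) that is searched before the directory run-parts really lives in. The following POSIX sh audit is an added example, not code from the original post: it walks a PATH string in order and reports whether a group- or world-writable directory precedes the real location of a command, which is the condition a defender wants to catch. The PATH string in the demo call is a typical Debian root PATH used as a constructed sample, not the one captured on the box.

```shell
#!/bin/sh
# Added example (not from the original post): audit a PATH search order for
# the hijack described above. A directory that is group- or world-writable
# and sits BEFORE the directory a command really lives in lets any member of
# that group (staff on the box) plant a same-named file that runs instead.
# Only POSIX sh plus ls and cut are used, so it runs on a minimal Debian host.

# dir_writable_by_others DIR -> true if group or world has write permission.
dir_writable_by_others() {
    bits=$(ls -ld "$1" | cut -c6,9)     # group-w and other-w columns of ls -ld
    case $bits in *w*) return 0 ;; *) return 1 ;; esac
}

# path_shadow_check "PATH" CMD
#   0: CMD resolves before any writable directory (OK)
#   1: a writable directory is searched before the real CMD (SHADOWED)
#   2: CMD not found on that PATH
path_shadow_check() {
    rest=$1; cmd=$2; writable=""
    while [ -n "$rest" ]; do
        case $rest in
            *:*) dir=${rest%%:*}; rest=${rest#*:} ;;
            *)   dir=$rest;       rest="" ;;
        esac
        [ -d "$dir" ] || continue
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            if [ -n "$writable" ]; then
                echo "SHADOWED: $cmd is $dir/$cmd, but writable $writable is searched first"
                return 1
            fi
            echo "OK: $cmd is $dir/$cmd; no writable directory is searched before it"
            return 0
        fi
        # Remember only the first writable directory passed: that is where a
        # planted file would be picked up from.
        if [ -z "$writable" ] && dir_writable_by_others "$dir"; then
            writable=$dir
        fi
    done
    echo "NOT FOUND: $cmd is not on the given PATH"
    return 2
}

# Demo against the running host with a typical Debian root PATH as a
# constructed sample. The exit status is ignored so the script always completes.
path_shadow_check "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" run-parts || :
```

Run it for every command name a root cron job or login hook invokes without an absolute path; any SHADOWED line means the directory permissions, not the cron job, need fixing.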