3 min read
October 12, 2019

HackTheBox Writeup: Writeup

Writeup was an easy rated box - basic enumeration and exploitation for a foothold then abusing a bad path configuration with lax write permissions to escalate privileges to root.

Nmap scan:

Webpage on port 80:

There's a warning of a script running that will watch for 40x errors and ban bad IPs so gobuster/dirb are not the way to go. Let's see if there's a robots.txt file:

/writeup/ contents:

Nothing really stands out in the page but viewing the source reveals that the site was made with 'CMS Made Simple':

I checked out CMS Made Simple's website and saw that the current version is 2.2.10:

The version on the website is from 2019 so it must be this version or possibly a little older.

Searchsploit shows a possible exploit:

Let's check out the options:

I try running the exploit with rockyou.txt and it appears to work:

The creds work for ssh and we now have a limited shell:

User flag:

Let's see what's running here:

Looks like SQL is running but that lead nowhere so I uploaded pspy64 to the machine and ran it. This stood out:

/usr/sbin/CRON is being run as root but the file does not exist:

Unfortunately we do not have write access to that. I continued to enumerate further and found /etc/apache2/sites-enabled shows an auth file for http://writeup.htb/writeup/admin:

The auth file is readable:

I couldn't crack this hash and moved on.

I continued to watch pspy64 and noticed this was being run as root when I ssh'ed in as jkr:

There are some funky permissions going on here: jkr has write access to /usr/local/sbin and /usr/local/bin but cannot list the contents of those directories. You'll notice that run-parts does not have the full path so we can take advantage of this. I create a file /usr/local/sbin/run-parts using nano:

Make it executable:

I logged out of the ssh session, logged back in as jkr over ssh and with a netcat listener, a root shell was caught:

Root flag: