![](/content/images/2019/10/image-73.png)
Writeup was an easy-rated box: basic enumeration and exploitation for a foothold, then abusing a bad PATH configuration with lax write permissions to escalate privileges to root.
Nmap scan:
![](/content/images/2019/10/image-74.png)
Webpage on port 80:
![](/content/images/2019/10/image-75.png)
There's a warning about a script that watches for 40x errors and bans offending IPs, so gobuster/dirb are not the way to go. Let's see if there's a robots.txt file:
![](/content/images/2019/10/image-76.png)
/writeup/ contents:
![](/content/images/2019/10/image-77.png)
Nothing really stands out in the page but viewing the source reveals that the site was made with 'CMS Made Simple':
![](/content/images/2019/10/image-78.png)
I checked out CMS Made Simple's website and saw that the current version is 2.2.10:
![](/content/images/2019/10/image-79.png)
The version on the website is from 2019 so it must be this version or possibly a little older.
Searchsploit shows a possible exploit:
![](/content/images/2019/10/image-80.png)
Let's check out the options:
![](/content/images/2019/10/image-81.png)
I tried running the exploit with rockyou.txt and it appears to work:
![](/content/images/2019/10/image-82.png)
![](/content/images/2019/10/image-83.png)
The creds work for ssh and we now have a limited shell:
![](/content/images/2019/10/image-84.png)
User flag:
![](/content/images/2019/10/image-85.png)
Let's see what's running here:
![](/content/images/2019/10/image-86.png)
Looks like SQL is running, but that led nowhere, so I uploaded pspy64 to the machine and ran it. This stood out:
![](/content/images/2019/10/image-87.png)
/usr/sbin/CRON is being run as root but the file does not exist:
![](/content/images/2019/10/image-88.png)
Unfortunately we do not have write access to that. I continued to enumerate further and found that /etc/apache2/sites-enabled references an auth file for http://writeup.htb/writeup/admin:
![](/content/images/2019/10/image-89.png)
The auth file is readable:
![](/content/images/2019/10/image-90.png)
I couldn't crack this hash and moved on.
I continued to watch pspy64 and noticed this was being run as root when I ssh'ed in as jkr:
![](/content/images/2019/10/image-91.png)
There are some funky permissions going on here: jkr has write access to /usr/local/sbin and /usr/local/bin but cannot list the contents of those directories. You'll notice that run-parts is not invoked with its full path, so a lookalike placed earlier in root's PATH will be picked up instead. I created a file /usr/local/sbin/run-parts using nano:
![](/content/images/2019/10/image-92.png)
Make it executable:
![](/content/images/2019/10/image-93.png)
I logged out of the ssh session and logged back in as jkr with a netcat listener waiting; a root shell was caught:
![](/content/images/2019/10/image-94.png)
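As an added example that is not part of the original writeup, this is the check a defender would run to catch the misconfiguration abused above: given a command name and the PATH a privileged job uses, it walks the entries in lookup order and flags any group- or world-writable directory that is searched before the one actually holding the binary. The PATH string in the usage comment is an assumption; the writeup's screenshot shows the real one.

```shell
#!/bin/sh
# Added example, not the writeup's own code: audit the PATH a privileged job uses
# for a writable directory that precedes the real binary of a command run by bare
# name. Usage: audit_cmd_path run-parts "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"

# Print "world-writable" or "group-writable" for a directory; return 1 otherwise.
# Permission bits are checked directly, so the result is the same when run as root
# (a plain 'test -w' would always succeed there). Missing directories are not flagged.
dir_writable_by_others() {
    # find -perm with a leading '-' matches when all the named bits are set.
    if [ -n "$(find "$1" -prune -perm -o+w -print 2>/dev/null)" ]; then
        echo world-writable
    elif [ -n "$(find "$1" -prune -perm -g+w -print 2>/dev/null)" ]; then
        echo group-writable
    else
        return 1
    fi
}

# Walk the PATH entries in lookup order until the one that really holds the command.
# Each writable entry searched before it is printed as "HIJACKABLE <dir> <reason>";
# the resolving entry is printed as "RESOLVES <path>".
# Returns 0 when the lookup is clean, 1 when at least one entry is hijackable.
audit_cmd_path() {
    cmd="$1"
    path_value="$2"
    status=0
    old_ifs="$IFS"; IFS=':'
    set -- $path_value          # split the PATH string on ':' into $1..$n
    IFS="$old_ifs"
    for dir in "$@"; do
        [ -z "$dir" ] && dir="."    # an empty entry means the current directory
        if [ -x "$dir/$cmd" ]; then
            echo "RESOLVES $dir/$cmd"
            break
        fi
        if reason=$(dir_writable_by_others "$dir"); then
            echo "HIJACKABLE $dir $reason"
            status=1
        fi
    done
    return $status
}
```

Run it with the PATH that cron or the login hook actually exports (pspy shows the command line, `/proc/<pid>/environ` shows the environment), not your interactive shell's PATH.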
Root flag:
![](/content/images/2019/10/image-95.png)