Hello everyone, in this post I will be sharing my writeup for the HTB Writeup machine, which was easy but a little tricky. The foothold involved enumerating what's running on the web server; using a browser extension called Wappalyzer we were able to see that it's using CMS Made Simple, which had an SQLi exploit available. Running the exploit found us the salt and hash for the password along with a username, and on cracking the hash we were able to log in using SSH. Then, running pspy to monitor which cron jobs or processes are run as root, we can see a binary named run-parts being executed whenever we log in to the machine, without using its absolute path. This leads to a PATH variable exploit: we create a fake file with that name in the /usr/local/sbin folder, as that directory has priority when the binary is looked up.


22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKBbBK0GkiCbxmAbaYsF4DjDQ3JqErzEazl3v8OndVhynlxNA5sMnQmyH+7ZPdDx9IxvWFWkdvPDJC0rUj1CzOTOEjN61Qd7uQbo5x4rJd3P
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPzrVwOU0bohC3eXLnH0Sn4f7UAwDy7jx4pS39wtkKMF5j9yKKfjiO+5YTU//inmSjlTgXBYNv
| 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuLLsM8u34m/7Hzh+yjYk4pu3WHsLOrPU2VeLn22UkO
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


On the web server we only see an HTML page which, from the results of Wappalyzer, is made with CMS Made Simple; also, looking at the source, there's nothing useful to look for.

From the nmap scan we saw that there's a robots.txt file, so let's look at that.

We see a disallowed entry, /writeup/, that shouldn't be picked up by search engines.

Now I went through all of the posts but found nothing, but I did notice a GET parameter, page, was being used.

So I tried to see if it was vulnerable to LFI (Local File Inclusion).

I kept trying, but it didn't seem we could do LFI here. Now, we don't know the version of CMS Made Simple, so let's just see if there are any exploits for this CMS.

The first result was on exploit-db and was related to SQL injection.

So let's try this and see if we can somehow get the password; run the exploit script.

We get the username and password, so let's see if we can access the admin panel in CMS Made Simple.

But when I tried those creds, it failed. So the only option left for us is to see if these credentials work on SSH.


Neat, we are in!

Let's do a quick sudo -l to see if we can run anything as sudo.

It seems the sudo command isn't available on this machine. I ran linpeas but didn't find anything useful, then decided to run pspy, which is a process and cron job monitor that can even monitor cron jobs running as different users or as root.

Running the tool, we can see a fail2ban script running in the background, which is why we weren't able to run fuzzing tools.

Also there's a script which is running every minute or so.

But it's in the root directory and we can't do anything with it.

So I used SSH again to log in and found that it was running the message-of-the-day scripts (/etc/update-motd.d) through a binary named run-parts. Notice that run-parts isn't invoked by its absolute path, so we can abuse this by creating a run-parts file and giving it executable permissions. The PATH variable includes /usr/local/sbin and /usr/local/bin, which we have write permissions to, as these folders are owned by the staff group and we are in that group, so we can create the file there.

We can write into /usr/local/sbin.

Now we have created a file named run-parts which contains a bash reverse shell. When we next log in over SSH, our run-parts file will be executed and give us a reverse shell.
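The PATH lookup behind this escalation, as a defensive audit script added here (not code from the original post): it walks a PATH string, stops at the directory that really holds the named binary, and reports any earlier entry whose mode bits make it group- or world-writable, which is exactly the kind of staff-owned /usr/local/sbin this box exposes. The directory layout and PATH value in the sandbox are constructed for the demo.

```sh
#!/bin/sh
# Added audit helper, not code from the original post. A command invoked by
# bare name (run-parts) is resolved by walking PATH, so any group- or
# world-writable directory that precedes the binary's real location lets a
# same-named file win the lookup. The sandbox below is constructed.

# Print PATH entries that precede the real <bin> and are group- or
# world-writable (read from the mode bits, so the check also works as root).
shadowing_dirs() {
    _path=$1 _bin=$2 _found=""
    case $_bin in */*) printf '\n'; return 0 ;; esac   # slash: no PATH search
    _old_ifs=$IFS; IFS=':'
    for _dir in $_path; do
        [ -n "$_dir" ] && [ -d "$_dir" ] || continue
        if [ -x "$_dir/$_bin" ]; then
            break              # real binary found; later entries are irrelevant
        fi
        _mode=$(ls -ld "$_dir" | cut -c1-10)
        case $_mode in
            ?????w????|????????w?) _found="${_found:+$_found }$_dir" ;;
        esac
    done
    IFS=$_old_ifs
    printf '%s\n' "$_found"
}

# Constructed sandbox mirroring the post's layout: a staff-style writable
# "local/sbin" precedes the directory that really holds run-parts.
make_demo() {
    _root=$(mktemp -d)
    mkdir -p "$_root/local/sbin" "$_root/local/bin" "$_root/sbin" "$_root/bin"
    chmod 755 "$_root/local/bin" "$_root/sbin" "$_root/bin"
    chmod 775 "$_root/local/sbin"            # group-writable, like the staff dir
    printf '#!/bin/sh\nexit 0\n' > "$_root/bin/run-parts"
    chmod 755 "$_root/bin/run-parts"
    printf '%s\n' "$_root"
}

root=$(make_demo)
demo_path="$root/local/sbin:$root/local/bin:$root/sbin:$root/bin"
echo "writable dirs shadowing run-parts: $(shadowing_dirs "$demo_path" run-parts)"
echo "with an absolute path: '$(shadowing_dirs "$demo_path" /bin/run-parts)'"
rm -rf "$root"
```

Running the same check against the real login PATH on a host you administer shows which entries would need tightening (root-owned, mode 755) before a bare-name invocation from a privileged script is safe.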
