The Writeup machine is a retired Linux machine. To complete it, we are asked to obtain the user and root flags.

General Machine Information:

It hosts a CMS with a SQL injection vulnerability that is used to obtain a user credential. That user is then found to be in a non-default group that grants write access to /usr/local. Through PATH hijacking, privileges are escalated to root.

Solving the machine

First we scan for open ports and service versions to get to know the target machine.

Classic scan

Full TCP scan

Full UDP scan

Scan results

We can see that ports 80 and 22 are open. When nmap's script scan is run against port 80, the http-robots.txt entry and the /writeup/ directory draw our attention.

Since port 80 is open, let's look at it through the browser.

We come across an article like this. It suggests that there may be a user named jkr here.

We review the source code and do not come across much valuable information.

Let's look at the http-robots.txt and /writeup/ findings from the nmap scan, in order.

There is not much information in the robots.txt file; we examine its source and nothing comes up. Writeup is highlighted here, so let's take a look there.

On the writeup side, we see a page like this.

We analyse the source code of the page that appears. The CMS Made Simple part draws our attention.

We use searchsploit to see if there are known vulnerabilities for CMS Made Simple.

Let's start with the vulnerabilities that will be most useful to us. Since the SQL injection vulnerability is the critical one here, let's start by trying it.

In searchsploit, we mirror the exploit to our own machine using the -m parameter.

Let's look at the mirrored code.

We run the exploit code.

After the exploit runs, it throws an error while printing the credential information, as follows.

As can be understood from the error, there is a problem in decoding; fortunately, we can work around this with hashcat.

First, we build the hash file from the obtained salt and password hash.

Then we crack it with hashcat.

We connect over SSH using these credentials.

We were able to obtain the user.txt flag.

When we try to access the root area, we get a permission denied error.

We are expected to escalate privileges here. We perform manual system enumeration, but cannot obtain any useful information.

Since manual enumeration turned up nothing, we will use the linpeas.sh script to enumerate. To download the tool, we go to the /tmp directory and pull it from GitHub.

I tried to download it on the machine, but it could not reach GitHub, so I will download it to my own machine, serve it from there, and fetch the file.

We run the linpeas.sh script. Here it presents the privilege escalation opportunities it can find. The paths draw our attention.

The /usr/local/ path catches our attention. We see that user jkr is a member of the staff group, and the staff group can modify /usr/local/ without root privileges.

A binary run as root without an absolute path is resolved through the PATH. I can drop a malicious binary with the same name in the /usr/local/bin directory; when the conditions for that binary to be executed are met, my binary runs with root privileges, because the first entry in the PATH is /usr/local/bin.

With that in mind, I ran pspy32 and, when I logged in over SSH as jkr, I found that the run-parts binary was executed without an absolute file path.
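As an added example that is not part of the original writeup, here is a small POSIX shell audit a defender can run to catch exactly this misconfiguration: it walks a PATH value and flags directories that are missing, not owned by root, or group/world-writable, the condition that made /usr/local/bin hijackable here. It assumes standard `ls -ld` output and checks whatever PATH value the caller passes.

```shell
#!/bin/sh
# Audit every directory on a PATH-style value for entries a local user could
# write to. Any such directory lets a non-root user plant a file that a
# root-owned job (here: run-parts calling a command without an absolute path)
# would execute. Prints one line per risky entry; returns 0 only if all are safe.
audit_path_dirs() {
    path_value=$1
    rc=0
    old_ifs=$IFS
    IFS=:
    for dir in $path_value; do
        IFS=$old_ifs
        [ -z "$dir" ] && dir=.     # an empty entry means the current directory
        if [ ! -d "$dir" ]; then
            # A dangling entry is risky too: whoever can create it controls lookups.
            echo "MISSING  $dir"
            rc=1
            continue
        fi
        perms=$(ls -ld "$dir" | awk '{print $1}')   # e.g. drwxrwsr-x
        owner=$(ls -ld "$dir" | awk '{print $3}')
        reason=""
        [ "$owner" != root ] && reason=" owner=$owner"
        # character 6 is the group write bit, character 9 the world write bit
        [ "$(printf '%s' "$perms" | cut -c6)" = w ] && reason="$reason group-writable"
        [ "$(printf '%s' "$perms" | cut -c9)" = w ] && reason="$reason world-writable"
        if [ -n "$reason" ]; then
            echo "WRITABLE $dir (${reason# })"
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Run against the current PATH when executed directly.
audit_path_dirs "$PATH" || echo "PATH contains entries a local user could write to"
```

On the target described above, the root PATH's /usr/local/bin entry would be reported as group-writable by staff.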

We can get a reverse shell through PATH hijacking.

Let's put the reverse shell into a file named uname in that folder.

We start listening on the port on our own machine and log in via SSH from another terminal.

Finally, we were able to obtain our root flag.