Writer is a vulnerable Linux machine from the retired machine list. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap network scan to get to know the target machine.
Classic Scan
Full Port Scan
As a result of the network scan, the following ports are open: 22/tcp ssh (OpenSSH 8.2p1), 80/tcp http (Apache httpd), 139/tcp netbios-ssn (Samba smbd) and 445/tcp netbios-ssn (Samba smbd).
We enumerated SMB but, since we have no credentials, could not get any valuable information from the shares themselves.
Still, this enumeration with enum4linux revealed a couple of findings. First, there are 3 Samba shares, but none of them allow anonymous access, so we will need a username and password to proceed. The second finding is more interesting: we identified 2 usernames, kyle and john.
Since SMB gave us nothing at this stage, we move on to enumerating port 80.
We looked in the browser's developer mode, ran webanalyze, and finally looked at the page source, and found nothing valuable. We scan with Gobuster for hidden files and directories.
We found the /contact, /about, /static, /logout, /dashboard, /administrative and /server-status paths.
Apart from /administrative and /static, there is nothing remarkable.
/administrative and /static
There is a login form at /administrative. We tried default passwords in it without success, so we try SQL injection.
This way we were able to bypass the login.
We enumerated through this interface but could not get any RCE from it.
We know that SQL injection can also be leveraged to interact with the underlying system.
The first step is to determine the number of columns used by the query. To do this we try UNION SELECT with an increasing number of columns:
' union select 1 -- -
' union select 1,2 -- -
We kept adding columns one at a time: up to 5 columns the application responded with an invalid-credentials error, and at 6 columns the page showed "welcome 2". So the query uses 6 columns, and the second column is reflected on the page.
' union select 1,2,3,4,5,6 -- -
Now that we know the column count, let's try to read the contents of a file with LOAD_FILE:
' union select 1,LOAD_FILE('/etc/passwd'),3,4,5,6 -- -
As you can see, we can read the /etc/passwd file. Another thing we can do here is find the source code of the website and check whether there is a security vulnerability in it.
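The login bypass and the column-count probing above come down to one defect: the submitted username is pasted into the SQL text. The following is an added example, not code from the write-up or from the target application; the table and column names are assumptions, and an in-memory SQLite database stands in for the site's database. It shows the vulnerable pattern beside the parameterised version, using the same payloads as above, so that the "welcome 2" observation and its fix can both be reproduced offline.

```python
import sqlite3

# Constructed stand-in for the site's login query. The table and column
# names are assumptions for this example, not taken from the target.
COLUMNS = "id, username, password, email, status, date_joined"

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT,"
                " email TEXT, status TEXT, date_joined TEXT)")
    # Plaintext password only to keep the example short; real apps store a hash.
    con.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-secret',"
                " 'admin@example.test', 'active', '2021-01-01')")
    return con

def login_vulnerable(con, username, password):
    """Login the way the page's form appears to work: the submitted values are
    interpolated into the SQL text, so a quote in the username closes the
    string literal and whatever follows is executed as SQL."""
    query = (f"SELECT {COLUMNS} FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    try:
        return con.execute(query).fetchone()   # a row means "welcome <column 2>"
    except sqlite3.OperationalError:
        # A UNION with the wrong column count is a SQL error; the app shows it
        # as a generic login failure, which is exactly what the probing relies on.
        return None

def login_safe(con, username, password):
    """Same query with bound parameters: the driver sends the values separately
    from the SQL text, so quotes, UNION and comment markers in the input are
    just characters inside a string and never reach the parser as SQL."""
    query = f"SELECT {COLUMNS} FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone()

def welcome_name(row):
    """What the page renders after a successful login: the second column."""
    return None if row is None else row[1]

def demo():
    """Run the page's probes against both versions and return the outcomes."""
    con = make_db()
    five = "' union select 1,2,3,4,5 -- -"
    six = "' union select 1,2,3,4,5,6 -- -"
    return {
        "five_vulnerable": welcome_name(login_vulnerable(con, five, "x")),  # None: column mismatch
        "six_vulnerable": welcome_name(login_vulnerable(con, six, "x")),    # 2: "welcome 2"
        "six_safe": welcome_name(login_safe(con, six, "x")),                # None: treated as data
        "real_login": welcome_name(login_safe(con, "admin", "constructed-secret")),
    }
```

The parameterised version is the fix; the error-handling in the vulnerable one also shows why a generic "invalid credentials" message still leaks enough for column counting, which is a reason to log database errors server-side rather than reflecting any part of the query result.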
We know the server is running Apache, so let's look at its configuration file:
/etc/apache2/sites-enabled/000-default.conf
Here we see the file /var/www/writer.htb/writer.wsgi.
Let's go and look at it, since it caught our attention.
The WSGI file points us on to the application's __init__.py file.
__init__.py is a really long file to analyze; let's see if there is any useful information in it.
After spending a long time here, we found:
os.system("mv /tmp/{} /var/www/writer.htb/writer/static/img/{}".format(image, image))
It looks like there is command injection via the image name: it is passed straight into the system command without the filename being sanitised. We have to be careful with special characters so they don't break the command in the middle, so I'll make the payload base64-safe.
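The defect is that a user-controlled file name becomes part of a shell command string. The following is an added example, not code from the write-up or from the target application: it keeps the page's os.system line for reference and places a hardened replacement next to it. The destination directory is the path from the page; the temporary upload directory, the allow-list pattern and the 64-character limit are assumptions.

```python
import os
import re
import shutil
import tempfile

# Destination directory as named on the page; the upload directory is an assumption.
IMG_DIR = "/var/www/writer.htb/writer/static/img"
UPLOAD_TMP = "/tmp"

# Assumed policy for a stored image name: starts with a letter or digit, then
# only letters, digits, '.', '_' and '-', at most 64 characters in total.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

def move_image_vulnerable(image):
    # The page's line: the name is interpolated into a shell command string,
    # so a name containing shell syntax changes what the command does.
    os.system("mv /tmp/{} /var/www/writer.htb/writer/static/img/{}".format(image, image))

def validate_image_name(image):
    """Return the name if it is a plain file name, otherwise raise ValueError.
    Path separators, whitespace, quotes, ';', '|', '$', backticks and '..' all
    fall outside the allow-list. The check is on the characters of the name,
    not on the command, so wrapping a payload in base64 does not get it past
    (the base64 alphabet's '+', '/' and '=' are rejected too)."""
    if not SAFE_NAME.fullmatch(image) or ".." in image:
        raise ValueError("rejected image name: %r" % image)
    return image

def move_image_safe(image, src_dir=UPLOAD_TMP, dst_dir=IMG_DIR):
    """Hardened replacement: validate first, then move without any shell.
    shutil.move receives the paths as data, so even a name that slipped through
    could only ever be a file name, never part of a command line."""
    name = validate_image_name(image)
    src = os.path.join(src_dir, name)
    dst = os.path.join(dst_dir, name)
    shutil.move(src, dst)
    return dst

def is_rejected(image):
    """Helper for checks: True when the validator refuses the name."""
    try:
        validate_image_name(image)
        return False
    except ValueError:
        return True

def demo():
    """Self-contained run: move a constructed file between two temp directories."""
    src_dir, dst_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(src_dir, "cover.png"), "wb") as f:
        f.write(b"\x89PNG constructed placeholder")
    dst = move_image_safe("cover.png", src_dir, dst_dir)
    return os.path.isfile(dst) and not os.path.exists(os.path.join(src_dir, "cover.png"))
```

If a shell-free move is not an option, `subprocess.run(["mv", src, dst], check=True)` with an argument list (no `shell=True`) gives the same property: the name is one argument, not command text. The allow-list matters either way, because the name is also used as a path.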
Now let's create the file with that name on our machine.
Here we have created the file; now let's upload it in the Stories section.
We see the users in the Stories section.
Here we added the file we created.
Uploading the image file triggered the command injection and gave us a nc reverse shell.
Since this shell runs as an unprivileged user, let's do local enumeration for privilege escalation.
We saw that MySQL was running on the system.
Let's try to enumerate it.
We found credentials in the mariadb.cnf file:
user = djangouser
password = DjangoSuperPassword
Let's connect using these.
We saw the dev database, listed its tables, and read the auth_user table, where we found the user kyle:
kyle:
pbkdf2_sha256$260000$wJO3ztk0fOlcbssnS1wJPD$bbTyCB8dYWMGYlz4dSArozTY7wcZCS7DV6l5dpuXM4A=
Let's try to crack this hash with hashcat.
The hash cracked to: marcoantonio
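The hash above is in Django's encoded form, algorithm$iterations$salt$base64-digest, so it is worth seeing what actually got cracked: the algorithm and 260000 PBKDF2 iterations were fine, the password was guessable. The following is an added example, not code from the write-up or from Django itself; it parses the page's hash, rebuilds the same format with hashlib, and adds a policy check of the kind a defender runs over a user table. The 600000 threshold in the usage is an assumed policy value.

```python
import base64
import hashlib
import hmac
import secrets

# The kyle hash as it appears on the page, used here only as parse input.
PAGE_HASH = ("pbkdf2_sha256$260000$wJO3ztk0fOlcbssnS1wJPD$"
             "bbTyCB8dYWMGYlz4dSArozTY7wcZCS7DV6l5dpuXM4A=")

def parse_django_pbkdf2(encoded):
    """Split Django's '<algorithm>$<iterations>$<salt>$<base64 digest>' string."""
    algorithm, iterations, salt, digest = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hasher: " + algorithm)
    return {"iterations": int(iterations), "salt": salt,
            "digest": base64.b64decode(digest)}

def make_django_pbkdf2(password, iterations=260000, salt=None):
    """Produce a hash in the same format. Django uses an ASCII salt string and
    PBKDF2-HMAC-SHA256 with a 32-byte output; 22 hex chars mimic the page's salt length."""
    salt = salt or secrets.token_hex(11)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(dk).decode())

def verify_django_pbkdf2(encoded, password):
    """Constant-time comparison of a candidate password against an encoded hash."""
    p = parse_django_pbkdf2(encoded)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), p["salt"].encode(), p["iterations"])
    return hmac.compare_digest(dk, p["digest"])

def needs_rehash(encoded, min_iterations):
    """Policy check: True when a stored hash uses fewer iterations than required.
    Because the iteration count is stored with the hash, it can be raised for
    each user at their next successful login, without a password reset."""
    return parse_django_pbkdf2(encoded)["iterations"] < min_iterations
```

Note what the check cannot do: no iteration count protects a password like the one recovered here. Raising the work factor slows guessing per candidate; a password policy or breach-list check is what removes the weak candidates. `verify_django_pbkdf2(PAGE_HASH, "marcoantonio")` should return True if the hash was transcribed correctly from the database.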
Let's try to connect over ssh as kyle with this password.
That's how we got connected.
This gives us the user flag, but we still do not have root access, so we continue with local enumeration.
LinEnum.sh did not give us any results, so let's run pspy to see the processes running behind the scenes.
Among the running processes, two files caught our attention:
/etc/postfix/master.cf
/etc/postfix/disclaimer
Let's look at these.
Here, disclaimer is a bash script that runs to perform some checks when a mail is sent, so let's add a reverse shell line to it and wait for it to trigger.
This way we got our shell as the user john.
But since we still don't have root privileges, we do local enumeration again.
LinPEAS did not find anything, so let's look at the processes running in the background with pspy.
Pspy did not give any results either, so we continue local enumeration by hand.
Here we see with id that john is in the management group, so let's look at the files this group can write to:
/etc/apt/apt.conf.d
Let's see if there is a privilege escalation via this directory.
Here we saw how this file can be manipulated.
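Both escalations on this box, the postfix disclaimer script and /etc/apt/apt.conf.d, have the same root cause: a file that a root-level process executes or parses is writable by a non-root group. The following is an added example, not code from the write-up or from any tool it uses: a small audit that flags exactly that condition on the paths the page names. The uid-0 expectation is the normal configuration for these paths; the demo builds a constructed directory so the check runs without root.

```python
import os
import stat
import tempfile

# Paths the page identifies: files the mail pipeline executes (postfix runs the
# disclaimer script) and a directory whose contents apt reads as root.
WATCH_PATHS = ["/etc/postfix/master.cf", "/etc/postfix/disclaimer", "/etc/apt/apt.conf.d"]

def audit_path(path, expect_uid=0):
    """Return (path, problem) findings for `path` and, for a directory, its
    direct children. Anything a privileged process executes or parses should be
    owned by that process's uid (normally root) and writable only by its owner."""
    findings = []
    targets = [path]
    if os.path.isdir(path):
        targets += [os.path.join(path, n) for n in sorted(os.listdir(path))]
    for t in targets:
        try:
            st = os.lstat(t)
        except FileNotFoundError:
            continue
        if st.st_uid != expect_uid:
            findings.append((t, "owned by uid %d, expected %d" % (st.st_uid, expect_uid)))
        if st.st_mode & stat.S_IWGRP:
            findings.append((t, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((t, "world-writable"))
    return findings

def audit_all(paths=WATCH_PATHS, expect_uid=0):
    """Audit every watched path; an empty list means nothing to fix."""
    return [f for p in paths for f in audit_path(p, expect_uid)]

def demo():
    """Self-contained run on a constructed directory: one 0644 file and one
    0664 file, both owned by the current user so only the mode check fires."""
    d = tempfile.mkdtemp()
    for name, mode in (("good.conf", 0o644), ("bad.conf", 0o664)):
        p = os.path.join(d, name)
        open(p, "w").close()
        os.chmod(p, mode)
    return audit_path(d, expect_uid=os.getuid())
```

Run `audit_all()` as root on the host; a directory entry such as /etc/apt/apt.conf.d showing "group-writable" for a group like management is the finding that corresponds to this box. The remediation is ownership root:root and mode 0644 (0755 for the directory), plus a periodic re-check, since apt executes hooks from that directory with root privileges on every package operation.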
We apply it on the target machine.
Then we got a shell back on the port we were listening on with nc.
This is how we got root.