Writeup | HackTheBox Writeup


Writeup is an easy Linux based machine in HackTheBox by jkr

User Part

Starting with Nmap scan found 2 ports are open.

22: SSH

80: HTTP

The HTTP shows a  webpage, nothing interesting.

In the robots.txt file, I got a path.

I went to that page.

On checking the source code I got the CMS name.

using whatweb i found the CMS is released in 2019.

I checked for the CMS exploit and got many exploits.

On checking the CMS website I found on 2019, there were some releases.

I checked the exploitdb and found 3 exploits are there in 2019.

The latest one is SQL Injection.

So I copied that exploit and started using that.

By that script, I got the username and password.

Using that credentials, I can log in to SSH and got the user flag.

While checking with pspy64, I found a script is running, the PID is 4725 which is running with sh.

it adding the PATH and also have command run-parts.

so further exploitation I crated a run-parts in tmp folder.

In that, I added code to add j1mm1 user in /etc/passwd with GID and UID as root’s ID which is 0.

Then I copied that to /usr/local/sbin which is writable for the current user and the /usr/local/sbin path is used 1st for checking commands as you can see from the pspy64, setting PATH.

Reference is given below.

By that, I can log in to j1mm1 user and now I am root.

Share on facebook
Share on twitter
Share on linkedin