Writeup | HackTheBox Writeup
Starting with an Nmap scan, I found 2 open ports.
The HTTP service shows a webpage, nothing interesting.
In the robots.txt file, I got a path.
I went to that page.
On checking the source code, I got the CMS name.
Using whatweb, I found that the CMS was released in 2019.
I checked for exploits for the CMS and found many.
On checking the CMS website, I found that there were some releases in 2019.
I checked Exploit-DB and found 3 exploits from 2019.
The latest one is SQL Injection.
So I copied that exploit and started using it.
With that script, I got the username and password.
Using those credentials, I could log in over SSH and got the user flag.
While checking with pspy64, I found a script running with sh; its PID is 4725.
It sets the PATH and also runs the run-parts command.
So, for further exploitation, I created a run-parts file in the tmp folder.
In it, I added code to add a j1mm1 user to /etc/passwd with the GID and UID set to root's ID, which is 0.
Then I copied it to /usr/local/sbin, which is writable by the current user; /usr/local/sbin is the first path searched for commands, as you can see from the PATH being set in the pspy64 output.
Reference is given below.
With that, I can log in as the j1mm1 user, and now I am root.
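The root cause above is a root-run job that resolves `run-parts` through a PATH whose first directory is writable by a non-root account. The following audit check is an added example, not part of the original writeup: `audit_path`, `dir_is_risky` and `TRUSTED_UID` are hypothetical names, and it assumes PATH directories should be owned by root with no group or world write bit.

```sh
#!/bin/sh
# Added audit helper (constructed for this page, not from the original writeup).
# Usage: audit_path "<PATH string the root job sets>" <command name>
# Flags every directory searched up to and including the one where the
# command resolves, if an account other than the trusted owner could
# place a file there. Exit status is non-zero when anything is flagged.

TRUSTED_UID=${TRUSTED_UID:-0}   # assumption: only root should own PATH dirs

# dir_is_risky DIR: succeed if DIR is group/world-writable or has another owner
dir_is_risky() {
    # ls -ldn fields: mode links uid gid ... (numeric ids, no name lookups)
    set -- $(ls -ldn "$1")
    case $1 in
        ?????w*|????????w*) return 0 ;;   # g+w (6th char) or o+w (9th char)
    esac
    [ "$3" != "$TRUSTED_UID" ]
}

audit_path() {
    path_string=$1
    cmd=$2
    findings=0
    old_ifs=$IFS
    IFS=:
    for dir in $path_string; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.            # empty PATH entry means current directory
        if [ ! -d "$dir" ]; then
            echo "MISSING  $dir"
        elif dir_is_risky "$dir"; then
            echo "RISKY    $dir"
            findings=$((findings + 1))
        fi
        # Stop at the first directory where the command actually resolves:
        # later directories cannot shadow it.
        if [ -x "$dir/$cmd" ] && [ ! -d "$dir/$cmd" ]; then
            echo "RESOLVES $dir/$cmd"
            break
        fi
    done
    IFS=$old_ifs
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_path "$PATH" run-parts`, substituting the PATH string the scheduled job sets; any `RISKY` line printed before `RESOLVES` is a directory whose permissions or group membership should be tightened.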