Writer Writeup
Executive Summary
After enumerating the website, the /administrative page was found, which hosts a simple login form. The username field is vulnerable to a critical SQL injection, which an attacker could leverage to log in as an administrative user, access sensitive local files, and extract usernames and password hashes.
Following the authentication bypass, an insecure image upload feature could be exploited to gain RCE on the target. After obtaining a shell as the www-data user, privileges could be escalated to the local kyle user by cracking his password hash found in the dev SQL database. The kyle user is a member of the filter group, which allowed editing the configuration files of the SMTP service running locally on port 25. Because this service runs as the john user, obtaining a shell through the service compromised his account.
Finally, the john user is a member of the management group, which has write access to the apt repository configuration files. A cronjob running as root performs a frequent apt-get update, so root privileges could be obtained by adding a reverse shell file to the apt configuration. Please view the Post Exploitation Analysis and Conclusion sections for remediations of these vulnerabilities.
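Both of the group-based escalation paths in this summary (the filter group editing the SMTP service's configuration, the management group editing the apt configuration that a root cronjob reads) come down to the same misconfiguration: a file consumed by a privileged process is writable by a non-root group. The following audit is an added example, not code from the writeup or from the target; it walks a directory tree and reports every entry whose mode bits grant write access to group or other. The directory layout it builds (sources.list, apt.conf.d/99-constructed) is constructed in a temporary directory to imitate /etc/apt and is not the target's data.

```python
import os
import stat
import tempfile


def writable_by_non_owner(path):
    """True if the mode of `path` grants write permission to group or other.

    lstat is used so a symlink is judged by itself, not by its target.
    """
    mode = os.lstat(path).st_mode
    if stat.S_ISLNK(mode):
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_tree(root):
    """Return root-relative paths (files and directories) that a group member
    or any user could modify. A group-writable directory is reported too,
    since new drop-in files can be added there even if existing files are safe."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if writable_by_non_owner(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_sample_tree():
    """Constructed layout imitating /etc/apt (hypothetical file names):
    a correctly protected sources.list, plus a group-writable drop-in
    directory holding a group-writable file, the condition a root cronjob
    running apt-get update must never tolerate."""
    root = tempfile.mkdtemp(prefix="apt-audit-")
    os.chmod(root, 0o755)

    good = os.path.join(root, "sources.list")
    with open(good, "w") as f:
        f.write("deb http://archive.example/ubuntu focal main\n")
    os.chmod(good, 0o644)  # root-only write

    dropin = os.path.join(root, "apt.conf.d")
    os.mkdir(dropin)
    os.chmod(dropin, 0o775)  # group write: anyone in the group can add files

    bad = os.path.join(dropin, "99-constructed")
    with open(bad, "w") as f:
        f.write('Acquire::Retries "3";\n')  # harmless constructed content
    os.chmod(bad, 0o664)  # group write on an existing config file
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for finding in audit_tree(sample):
        print("writable by non-owner:", finding)
```

On a real host the same function can be pointed at /etc/apt and at the SMTP service's configuration directory (`audit_tree("/etc/apt")`); any finding is a path that a privileged reader trusts but an unprivileged group can change, and the remediation is to make it root-owned with mode 644 (files) or 755 (directories), or to drop the group from the privileged process's trust boundary entirely.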
Attack Narrative
No information was provided prior to this engagement, other than the IP address of the target: 10.10.11.101.
Port Enumeration
To examine potential vulnerabilities, the ports of the target were first scanned:
# Nmap 7.91 scan initiated Tue Aug 17 14:52:04 2021 as: nmap -sC -sV -o nmap/nmap 10.10.11.101
Nmap scan report for 10.10.11.101
Host is up (0.065s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 98:20:b9:d0:52:1f:4e:10:3a:4a:93:7e:50:bc:b8:7d (RSA)
| 256 10:04:79:7a:29:74:db:28:f9:ff:af:68:df:f1:3f:34 (ECDSA)
|_ 256 77:c4:86:9a:9f:33:4f:da:71:20:2c:e1:51:10:7e:8d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Story Bank | Writer.HTB
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: 32s
|_nbstat: NetBIOS name: WRITER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-08-17T19:52:51
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug 17 14:52:20 2021 -- 1 IP address (1 host up) scanned in 15.70 seconds
From the nmap scan, it is apparent that the SSH, HTTP, and SMB services are running on the target. The SMB service is of interest; however, there is no anonymous access to any of the shares:
Web Enumeration
Users visiting the target’s web server are met with the following home page:
Enumerating the directories of the webpage with gobuster, the following directories are found:
/contact (Status: 200) [Size: 4905]
/logout (Status: 302) [Size: 208] [--> https://10.10.11.101/]
/about (Status: 200) [Size: 3522]
/static (Status: 301) [Size: 313] [--> https://10.10.11.101/static/]
/. (Status: 200) [Size: 11971]
/dashboard (Status: 302) [Size: 208] [--> https://10.10.11.101/]
/server-status (Status: 403) [Size: 277]
/administrative (Status: 200) [Size: 1443]
A directory of particular interest is /administrative, especially since it cannot be found without brute forcing directories. Visiting this directory reveals a simple login form which asks for a username and password:
Note the domain of the target (namely writer.htb). However, no virtual host routing is present.
SQL Injection
When entering 'OR 1=1-- - as the username and an arbitrary value for the password, the user is automatically authenticated, confirming the presence of SQL injection. As an authenticated user, stories can be edited and created, and pictures can be uploaded:
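To show why that username works and what closes the hole, here is an added example that is not code from the writeup or from the target application (whose backend code is not shown). It assumes the login handler built its query by string concatenation, which is the only way the observed behaviour arises, and uses an in-memory sqlite table with a constructed admin row and sha256 password hashes as stand-ins for the real schema and hash format. The vulnerable handler and the parameterized replacement are run against the same payload.

```python
import hashlib
import sqlite3

# The username observed to bypass the login in the writeup.
PAYLOAD = "'OR 1=1-- -"


def sha256_hex(password):
    """Constructed stand-in for whatever hash the real application stores."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_db():
    """Constructed in-memory user table with a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", sha256_hex("correct horse battery staple")),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Hypothetical 'before': the username is spliced into the SQL text, so
    a quote in it closes the literal and the rest becomes SQL. With PAYLOAD the
    query reads  ... WHERE username = ''OR 1=1-- -' AND password = '<hash>'
    and the comment marker discards the password check entirely."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + sha256_hex(password) + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """'After': bound parameters keep user input as data; the quote and the
    comment marker in PAYLOAD are just characters compared against the column."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, sha256_hex(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable handler, payload  :", login_vulnerable(db, PAYLOAD, "anything"))
    print("fixed handler, payload       :", login_fixed(db, PAYLOAD, "anything"))
    print("fixed handler, correct creds :", login_fixed(db, "admin", "correct horse battery staple"))
```

The fix is the placeholder query, not input filtering: the DBMS receives the statement and the values separately, so no username string can change the statement's structure. Logging failed logins together with the submitted username makes the `'OR 1=1-- -` probe visible in the web application's logs even before the fix is deployed.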
Thanks for reading! To see the full writeup, please visit https://0xd4y.github.io/Writeups/HackTheBox/Writer%20Writeup.pdf.