HackTheBox Writeup 10.10.10.138
My plan was to finally start writing reports about machines on HTB, and what better way to start than with a writeup about Writeup. *HA!*
We do a TCP scan with nmap and find the usual ports 22 and 80 open. Browsing the site, we see a simple static web page hinting that his write-ups are coming soon.
When we go to 10.10.10.138/robots.txt we find that it lists the path /writeup/.
This is just a quick reminder that simple things like that can sometimes give you an easy path to progress, especially since dirb wouldn't work because of the DoS protection. It forces you to think about the places where you can find info, one of them being robots.txt.
We continue to examine /writeup/, and in the source code we find out that CMS Made Simple is being used. We look for exploits and find an appropriate one. The searchsploit command is your friend; if that fails, we go to Google.
```/usr/share/exploitdb/exploits/php/webapps/46635.py```
It really felt like a movie scene, seeing each part of the salt, username and so on being extracted in front of us. We could also have cracked the hash with hashcat, but the script did a good job, even when run in my VM.
## We got user; down the rabbit hole we continue.
After a good amount of time spent enumerating, I hit a wall and get a hint from a friend: hidden cron jobs, and this wonderful tool pspy[1]. Definitely something nice to keep in your tools folder.
For once, being on the free HTB servers actually works in your favour: as a free box, there were tons of people trying to pwn it, so with pspy running we see that the command run-parts gets called whenever someone logs in. BAM, we have our way in.
We can enter the directory in question and write to it, but we can't read it.
## You had one job sysadmin, one job...
A quick `touch run-parts` with a simple bash reverse shell in it got us a reverse shell. Don't forget to `chmod +x run-parts` after you have created it. That was a stupid mistake that wasted 10 minutes of my life.
Why does this happen? If you don't understand the $PATH variable and how programs get executed in Linux, I'd recommend reading this[2].
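From the sysadmin's side, the fix is to make sure nothing a privileged hook runs can be shadowed by a writable PATH entry. The POSIX sh script below is an added example (not from the writeup, and the function names are mine): it flags PATH entries a privileged job should never trust (empty, relative, missing or writable directories) and, for a command such as run-parts, lists the writable directories searched before the real binary.

```sh
#!/bin/sh
# Added example, not from the writeup; function names are assumptions.

# Flags for one directory: "me" if the calling user can write to it (needs only the
# directory's own bits, so a write-only, unreadable directory is still caught),
# "group"/"world" if the group/other write bit is set in the ls -ld mode string.
dir_write_flags() {
    _f=""
    if [ -w "$1" ]; then _f="me"; fi
    _mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$_mode" in ?????w????) _f="${_f:+$_f }group" ;; esac
    case "$_mode" in ????????w?) _f="${_f:+$_f }world" ;; esac
    echo "$_f"
}

# One line per problem entry: empty entries (searched as the current directory),
# relative entries, missing directories, writable directories. Returns 1 if any.
audit_path() {
    _found=0
    case ":$1:" in *::*) echo "EMPTY entry (resolves to the current directory)"; _found=1 ;; esac
    _old_ifs="$IFS"; IFS=':'
    for _dir in $1; do
        if [ -z "$_dir" ]; then continue; fi
        case "$_dir" in
            /*) ;;
            *) echo "RELATIVE $_dir"; _found=1; continue ;;
        esac
        if [ ! -d "$_dir" ]; then echo "MISSING $_dir"; _found=1; continue; fi
        _flags=$(dir_write_flags "$_dir")
        if [ -n "$_flags" ]; then echo "WRITABLE($_flags) $_dir"; _found=1; fi
    done
    IFS="$_old_ifs"
    return $_found
}

# Writable PATH directories searched before the one that really holds NAME; each is
# a place where a same-named file would be run instead of the real command.
writable_dirs_before() {
    _name="$1"; _old_ifs="$IFS"; IFS=':'
    for _dir in $2; do
        if [ -z "$_dir" ]; then continue; fi
        if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then break; fi
        if [ -n "$(dir_write_flags "$_dir")" ]; then echo "$_dir"; fi
    done
    IFS="$_old_ifs"
}

# Usage: audit_path "$PATH"; writable_dirs_before run-parts "$PATH"
```

Run both with the PATH the cron job or login hook actually uses (check the crontab's PATH line or the service environment), not your interactive shell's.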
Thanks a lot to jkr for this fun journey. Definitely learned some stuff and had fun pwning this machine.
[1] https://github.com/DominicBreuker/pspy
- Process spy that reveals even hidden calls
[2] https://medium.com/@mitali.s.auger/linux-under-the-hood-what-happens-when-you-type-ls-l-b8432e533794
- Linux program execution