# HackTheBox-Writeup
## NMAP
```bash
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKBbBK0GkiCbxmAbaYsF4DjDQ3JqErzEazl3v8OndVhynlxNA5sMnQmyH+7ZPdDx9IxvWFWkdvPDJC0rUj1CzOTOEjN61Qd7uQbo5x4rJd3P
AgqU21H9NyuXt+T1S/Ud77xKei7fXt5kk1aL0/mqj8wTk6HDp0ZWrGBPCxcOxfE7NBcY3W++IIArn6irQUom0/AAtR3BseOf/VTdDWOXk/Ut3rrda4VMBpRcmTthjsTXAvKvPJcaWJATtRE2NmFj
BWixzhQU+s30jPABHcVtxl/Fegr3mvS7O3MpPzoMBZP6Gw8d/bVabaCQ1JcEDwSBc9DaLm4cIhuW37dQDgqT1V
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPzrVwOU0bohC3eXLnH0Sn4f7UAwDy7jx4pS39wtkKMF5j9yKKfjiO+5YTU//inmSjlTgXBYNv
aC3xfOM/Mb9RM=
| 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuLLsM8u34m/7Hzh+yjYk4pu3WHsLOrPU2VeLn22UkO
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## PORT 80 (HTTP)
On the webserver we only see a html page which is made with `CMS made simple` from the results of `wappalyzer` , also looking at the source there's nothing we can look for
From the nmap scan it did show us that there's a `robots.txt` file so let's look at that
We see a disallowed entry `/writeup/` that shouldn't be picked up by search engines
Now I went through all of the posts but found nothing , but I did notice a GET parameter `page` was being used
So I tried to see if it was vulnerable to `LFI` (Local FIle Inclusion)
I kept trying but didn't seem it was we can do LFI here, now we don't know the version of `CMS made simple` so let's just see if there are any exploits for this CMS
The first result came up with `exploit-db` and it was related to SQL injection
So let's try this maybe and see if we can somehow get the password, run the exploit script
We get the username and password, so let's see if we can access admin panel in `CMS Made Simple`
But when I tried those creds , it failed . So the only option left for us is to see if these credentials work on ssh
## PORT 22 (SSH)
Neat , we are in !
Let's do a quick `sudo -l` to see if we can run anything as sudo
It seems `sudo` command isn't available on this machine, I ran linpeas but didn't found anything useful , than decide to run `pspy` which is a process and cronjob monitor which can even monitor cronjobs running as different users or as root
Running the tool , we can see a fail2ban script running in the background which is why we weren't able to run fuzzing tools
Also there's a script which is running like every minute
But it's in `root` directory and we can't do anything with it
So I used ssh again to login and found that it was running `message of the day script` (/etc/update-motd.d) through a binary named `run-parts` , notice that `run-parts` isn't using it's absolute PATH so here we can abuse it by creating `run-parts` file by giving it executable permissions,the path variable includes `/usr/local/sbin` and `/usr/local/bin` which we have permissions to it as these folders are owned by `staff` group and we are in that group so we can create that file there
We can write into `/usr/local/sbin`
Now we have created a file named `run-parts` which has a bash reverse shell which will execute when we will login to ssh our `run-parts` file will be executed and give us a reverse shell