🔎🦶Enumeration/Foothold
Writer is a Medium box from HTB created by TheCyberGeek. This box features a website with a SQL login bypass and an img_url parameter exploit allowing us to execute code. Once on the box we find a postfix and apt exploit allowing us to get root.
Before I begin each machine I kick off a full port nmap scan. This scan profile should normally not be used with -T5, as you might miss results or get incorrect information:
Reviewing the results I can see ports 22/80/445 open. Starting with SMB, I use enum4linux to pull some enumeration and directly access the share. I have no rights to the folders but I do find some accounts/users:
Next I navigate over to the website which is sitting on port 80. I've recently been trying to use ffuf more in my day to day, but have highlighted Feroxbuster as well:

Story Bank website sitting on Port 80.
OR
Running the directory scans shows an administrative directory. Navigating to it shows a login page. I use admin/password in the fields and capture the request in Burp Suite. I change the parameters to match for easier identification. I then copy the request and create a req.txt. I use ffuf to fuzz the username/password fields for possible SQL injection or login bypass. I get a hit:

Story Bank Dashboard after the SQL Login Bypass.
After logging into the environment I am presented with a dashboard. I can see an area to edit stories. After some trial and error I realize that if I intercept the request with Burp Suite I can also use the image URL to execute the code added to the end of the image:
⚠ Attack Machine
I click Edit Story and click Browse. I upload the exploit.jpg (created in the steps above) then browse to HERE to verify. Next, I upload a second image and intercept it in Burp Suite. I change the img_url parameter in the request to:

Using the Edit Story to upload a malicious jpg on HTB Writer.
A few seconds later the shell pops. I load LinPEAS onto the box and notice /etc/postfix/disclaimer running every 5 minutes. I've previously run across a similar privesc regarding disclaimer. Reviewing the script, I add in a reverse shell:
⚠ Attack Machine
I then create a basic send mail script based off HERE and upload them both to the server:
I pull them both to the server into a folder called crx. Once pulled, I run the send mail script alongside the disclaimer copy, noting that the task above runs frequently:
🎯 Victim Machine
On my attack machine I kick off a reverse shell after transferring the files:
⚠ Attack Machine
Once on the virtual machine I grab John's SSH key and log back into the box:
🎯 Victim Machine
🔝Escalation to Root
⚠ Attack Machine
I run LinPEAS again and notice apt running as root. I can also see that I can write to the file:
GTFOBins confirms my hunch. I echo a one-liner bash reverse shell into the file and wait for the shell.
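Both escalations on this box come down to the same weakness: a file that root executes on a schedule (the postfix disclaimer script, an apt hook) is writable by a low-privileged user. As an added hardening check that is not part of the original writeup, the Python below audits such paths for non-root write access and flags apt config files that define Pre/Post-Invoke hooks; the temp-dir layout built in demo() is constructed for illustration and stands in for /etc/postfix/disclaimer and /etc/apt/apt.conf.d.

```python
import os
import tempfile

APT_HOOK_KEYS = ("Pre-Invoke", "Post-Invoke")  # apt runs these hooks as root
def writable_by_others(path, trusted_uid=0):
    """Reasons a user other than trusted_uid (root by default) could edit path."""
    st = os.lstat(path)
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & 0o020:
        reasons.append("group-writable")
    if st.st_mode & 0o002:
        reasons.append("world-writable")
    return reasons
def has_apt_hook(path):
    """True if a config file defines an apt Pre-/Post-Invoke hook."""
    with open(path, errors="replace") as fh:
        return any(k in line for line in fh for k in APT_HOOK_KEYS)
def audit(paths, trusted_uid=0):
    """Check root-run scripts and apt config dirs; return {basename: [reasons]}."""
    findings = {}
    for top in paths:
        targets = [top]
        if os.path.isdir(top):
            targets += [os.path.join(top, n) for n in sorted(os.listdir(top))]
        for p in targets:
            reasons = writable_by_others(p, trusted_uid)
            if os.path.isfile(p) and has_apt_hook(p):
                reasons.append("defines apt Pre/Post-Invoke hook")
            if reasons:
                findings[os.path.basename(p)] = reasons
    return findings
def _write(path, text, mode):
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
def demo():
    """Constructed layout mirroring the two findings on this box, built in a
    temp dir as the current user (so trusted_uid is our uid, not root)."""
    root = tempfile.mkdtemp()
    disclaimer = os.path.join(root, "disclaimer")  # stand-in for /etc/postfix/disclaimer
    _write(disclaimer, "#!/bin/sh\necho constructed disclaimer\n", 0o777)  # world-writable
    aptd = os.path.join(root, "apt.conf.d")  # stand-in for /etc/apt/apt.conf.d
    os.mkdir(aptd)
    os.chmod(aptd, 0o755)
    _write(os.path.join(aptd, "80hook"), 'APT::Update::Pre-Invoke {"/bin/true";};\n', 0o664)
    _write(os.path.join(aptd, "10periodic"), 'APT::Periodic::Update-Package-Lists "1";\n', 0o644)
    return audit([disclaimer, aptd], trusted_uid=os.getuid())
```

On a real host, run audit(["/etc/postfix/disclaimer", "/etc/apt/apt.conf.d"]) as root; anything it returns is a file a scheduled root process trusts but a non-root user can rewrite.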