Hacking the HTB "Getting Started" Machine

Greetings!

Today, I'm documenting the process of compromising a machine from the "Getting Started" module in the Hack The Box CPTS Job Role path. This walkthrough covers initial reconnaissance, gaining a reverse shell, and ultimately achieving root access.

1. Initial Reconnaissance and Web Directory Enumeration

My first step in approaching any target is always a thorough reconnaissance phase. I began by using nmap to identify all open ports and services running on the machine, which helps in understanding the attack surface. The scan provided crucial insights into the target's network posture, revealing several key services:

• HTTP (Port 80): Running Apache version 2.4.41.

• SSH (Port 22): Identified as OpenSSH 8.2p1 Debian.

With the web services identified, my next move was to enumerate directories and files on the web servers. For this, I employed gobuster, a popular tool for brute-forcing URLs, along with the common.txt wordlist from seclists. This process aims to uncover hidden directories, configuration files, or other web application components that might expose vulnerabilities.

2. Identifying CMS and Vulnerability

During the web directory enumeration, an interesting discovery was made within the /data/cache directory. It contained a JSON output that immediately caught my attention:

{"status":"0","latest":"3.3.16","your_version":"3.3.15","message":"You have an old version - please upgrade"}

This snippet provided definitive proof that the target was running GetSimple CMS version 3.3.15. The explicit message "You have an old version - please upgrade" was a clear red flag, indicating a high probability of exploitable vulnerabilities.

3. Gaining a Reverse Shell

With a specific CMS and its outdated version identified, the next logical step was to search for known vulnerabilities (CVEs) associated with GetSimple CMS 3.3.15. A quick search confirmed the existence of a relevant CVE.

To exploit this, I turned to Metasploit, a powerful penetration testing framework known for its extensive collection of exploits and payloads. Specifically, I utilized the multi/http/getsimplecms_unauth_code_exec module, which targets an unauthenticated code execution vulnerability. I configured it to deliver a meterpreter payload. The exploitation was successful, providing me with a stable meterpreter session, which is an advanced shell that offers comprehensive post-exploitation capabilities on the compromised machine.

4. Catching user.txt

With a meterpreter session established, my immediate goal was to locate the user.txt flag, signifying initial user-level compromise. Navigating through the file system, I found the flag located in the home directory of a user named mrb3n, specifically at /home/mrb3n/user.txt. A simple cat command allowed me to retrieve and display its contents, successfully obtaining the user flag.

5. Local Privilege Escalation

Having gained initial access as the www-data user (a common default user for web servers with limited privileges), the next critical phase was local privilege escalation. My objective was to gain root access. I needed to systematically enumerate the system for misconfigurations or vulnerabilities that could allow me to elevate my privileges.

Through my meterpreter session, I observed that the www-data user had write permissions primarily within the /var/www/ directory. To facilitate a more thorough enumeration, I transferred LinEnum.sh, a widely used Linux privilege escalation enumeration script, from my attacking host to the target machine's /var/www/ directory, leveraging a simple Python web server for the transfer.

Executing LinEnum.sh proved highly fruitful. It quickly identified a critical misconfiguration: the www-data user had sudo access to /usr/bin/php without requiring a password. This NOPASSWD entry for sudo is a common, yet severe, vulnerability.

6. Getting Root and root.txt

The sudo NOPASSWD permission for /usr/bin/php provided a direct path to root. By executing php with sudo, I could run arbitrary PHP code as the root user. Leveraging PHP's system() function, which executes shell commands, I crafted a payload to spawn a root shell:

CMD="/bin/sh" 
sudo php -r "system('$CMD');"

Executing this command from my www-data shell successfully elevated my privileges. I instantly gained a root shell on the target machine.

With root privileges secured, the final step was to retrieve the root.txt flag. I navigated to the /root/ directory and used cat /root/root.txt to display its contents, thus completing the compromise.

This machine served as an excellent practical exercise, showcasing fundamental penetration testing steps: from meticulous initial reconnaissance and vulnerability identification to exploiting a CMS and leveraging a critical sudo misconfiguration for full system compromise.