Writeup

Writeup is an easy difficulty Linux box with DoS protection in place to prevent brute forcing. A CMS susceptible to a SQL injection vulnerability is found, which is leveraged to gain user credentials. The user is found to be in a non-default group, which has write access to part of the PATH. A path hijacking results in escalation of privileges to root.
Enumeration
Scanning open ports using nmap
└──╼ $nmap -p- -v -r 10.10.10.138 -T5 | grep open
Discovered open port 22/tcp on 10.10.10.138
Discovered open port 80/tcp on 10.10.10.138
The port 22 for SSH and port 80 for HTTP are open. Performing default and vulnerability script scan for these ports.
└──╼ $nmap -sCV 10.10.10.138 -p80,22
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-08 16:20 AEDT
Nmap scan report for writeup.htb (10.10.10.138)
Host is up (1.1s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_ 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Nothing here yet.
| http-robots.txt: 1 disallowed entry
|_/writeup/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
robots.txt file shows that /writeup is allowed to visit. Adding the ip hostname entry to /etc/hosts.
└──╼ $echo '10.10.10.138 writeup.htb' | sudo tee -a /etc/hosts
Checking the website http://writeup.htb/writeup/

Inspecting the source code.

This reveals that it is using CMS Made Simple - Copyright (C) 2004-2019 Searching cms made simple github on google shows its source code here. From navigating through the code we can see that we can see below files.

CHANGELOG.txt file looks interesting as it shows the version number of latest code.

Checking http://writeup.htb/writeup/doc/CHANGELOG.txt to see the changelog
