HackTheBox Traceback Writeup – 10.10.10.181
HackTheBox Traceback is a new Linux machine released on 14th March. The machine is categorized as easy, and to give a sense of how easy, first blood was taken about 15 minutes after release.
Like everyone else, I tried my luck too. Honestly, it took me more than an hour to finish because I got lost a couple of times, but the machine itself was neat and well made, and I liked the way it was designed. Here is my writeup of Traceback – 10.10.10.181.
Let us start.
As always, I started off with adding machine IP 10.10.10.181 to my hosts file as traceback.htb.
# root @ ns09 in ~/htb/traceback [17:35:45] $ nmap -T4 -A -p- -oS namp.scan traceback.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-15 17:35 +03
Nmap scan report for traceback.htb (10.10.10.181)
Host is up (0.15s latency).
Not shown: 65483 closed ports, 50 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/15%OT=22%CT=1%CU=36624%PV=Y%DS=2%DC=T%G=Y%TM=5E6E3F4
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 199/tcp)
HOP RTT       ADDRESS
1   153.81 ms 10.10.14.1
2   154.16 ms traceback.htb (10.10.10.181)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 508.85 seconds
Nmap found only two open ports: HTTP on TCP 80 and SSH on TCP 22. The default page on port 80 says the website has been hacked, with the message: “I have left a backdoor for all the net. FREE INTERNETZZZ”
After looking at the page source, I understood what “backdoor” the hacker was talking about: there is a web shell the hacker wants us to find.
A quick Google search for “best web shell” led me to a GitHub page that lists a number of web shells. Since the HTML comment “Some of the best web shells that you might need ;)” matches the description of that GitHub page, I knew it had something to do with the shell the machine author was talking about.
What I did was a bit silly: I copied the web shell file names one by one and tried each to see if the shell really existed on the server. None of them worked until I reached the last but one, “smevk.php”, a web shell made by Kashif Khan.
Looking at its source code, I found the default username and password are admin:admin.
I logged-in and this was the web-shell control panel:
Web shells normally include an execute option, and this one can run commands too. A quick whoami showed the shell running as webadmin, with no root access. I tried listing the files in the directory:
Building my own /home/webadmin/.ssh/authorized_keys on the machine
Once I was in, I took a small tour of the directories. I found an authorized_keys file inside the home directory, so I decided to use it as an opportunity to get SSH access.
It was pretty easy, since the web shell has execute and upload options. I made a fresh SSH key pair on my Kali box, renamed id_rsa.pub to “authorized_keys” and uploaded it to the “/home/webadmin/.ssh/” directory.
Once the file was uploaded, I ran ssh from my terminal and had a proper SSH session on the machine as webadmin.
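The step above works because nothing on the box compared the keys in authorized_keys against the keys the administrator actually issued. The following is an added example (my own code, not part of the writeup or the box) of that comparison: it parses an authorized_keys file, computes the SHA256 fingerprint that ssh-keygen -lf prints for each entry, and reports any key whose fingerprint is not on an allow-list. The sample file, the allow-list and both key blobs are constructed here (the key bytes are not real keys), and the hypothetical comments such as webadmin@workstation are assumptions.

```python
"""Audit an authorized_keys file against an allow-list of key fingerprints.

Added example, not code from the writeup. A key dropped into
~/.ssh/authorized_keys is invisible to password-based auditing, so the check
below parses each entry, computes the OpenSSH-style SHA256 fingerprint and
reports any key whose fingerprint is not on the allow-list.
"""
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the OpenSSH public key wire format."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw32: bytes) -> str:
    """Base64 blob for an ssh-ed25519 key; used only to construct sample data."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()


def fingerprint(b64blob: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Return (options, keytype, blob, comment) tuples; blank and '#' lines are skipped.
    Limitation: an options field containing quoted spaces (command="a b") is not handled."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # An entry may start with an options field (from=..., command=...) before the key type.
        if parts[0].startswith(KEY_TYPE_PREFIXES):
            options, rest = "", parts
        else:
            options, rest = parts[0], parts[1:]
        if len(rest) < 2:
            continue  # malformed entry; sshd cannot parse it either
        entries.append((options, rest[0], rest[1], " ".join(rest[2:])))
    return entries


def audit(text: str, allowed_fingerprints):
    """Return [(fingerprint, keytype, comment)] for entries not on the allow-list."""
    unknown = []
    for _options, keytype, blob, comment in parse_authorized_keys(text):
        fpr = fingerprint(blob)
        if fpr not in allowed_fingerprints:
            unknown.append((fpr, keytype, comment))
    return unknown


# Constructed sample: one key the administrator issued, one that was not.
KNOWN_KEY = build_ed25519_blob(bytes(range(32)))
UNEXPECTED_KEY = build_ed25519_blob(bytes([0xAA]) * 32)
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file, not from the box
from="10.0.0.5" ssh-ed25519 {KNOWN_KEY} webadmin@workstation
ssh-ed25519 {UNEXPECTED_KEY} unknown-host
"""
ALLOWED = {fingerprint(KNOWN_KEY)}

if __name__ == "__main__":
    for fpr, keytype, comment in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWED):
        print(f"unexpected {keytype} key {fpr} ({comment or 'no comment'})")
```

Fingerprints rather than raw blobs are compared so the allow-list can be maintained from the output of ssh-keygen -lf on the keys the administrator handed out, and the options field is preserved so a reviewer can also see entries that lost a from= or command= restriction.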
Privilege escalation and Getting User.txt
Running sudo -l showed that webadmin can run /home/webadmin/luvit as sysadmin without a password, so any Lua script passed to it runs with sysadmin's privileges. There is also a note discussing a tool called “Lua”.
# root @ ns09 in ~/htb/traceback [23:24:20] $ ssh -i /root/.ssh/id_rsa webadmin@traceback.htb
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Mar 15 13:20:27 2020 from 10.10.14.8
webadmin@traceback:~$ id
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
webadmin@traceback:~$
webadmin@traceback:~$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/webadmin/luvit
webadmin@traceback:~$ ls
icyb3r.lua  luvit  note.txt  privesc.lua
webadmin@traceback:~$ cat note.txt
- sysadmin -
I have left this tool to practice Lua.
Contact me if you have any question.
webadmin@traceback:~$
Going further I read the contents of two other files.
The .lua extension was something new for me. A quick Google search told me: “Lua is a powerful and fast programming language that is easy to learn and use and to embed into your application. Lua is designed to be a lightweight embeddable scripting language. It is used for all sorts of applications, from games to web applications and image processing.”
I didn't find anything that required writing Lua at this point, so what I needed to do was get SSH as sysadmin. To do that, I needed to copy my authorized key to “/home/sysadmin/.ssh/authorized_keys”.
Pretty easy: I opened privesc.lua with nano, replaced the default SSH key with my own and saved it. After that I ran “sudo -u sysadmin /home/webadmin/luvit privesc.lua”.
Then I SSHed into the box as sysadmin, got the shell and grabbed user.txt.
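The rule that made this possible, (sysadmin) NOPASSWD: /home/webadmin/luvit, points at a binary the invoking user owns and can replace, so the sudoers entry hands out sysadmin's privileges to whatever webadmin decides that file should be. The following is an added example (my own code, not the author's or the box's) of an audit that parses sudoers-style user specifications and flags commands that the invoking user controls: the command lives inside that user's home directory, the file is owned by that user, the file or its parent directory is group/world writable, the path does not exist yet, or the command is ALL. The sample sudoers text and the file tree it inspects are constructed in a temporary directory, and the backup rule and the /var/backups home are assumptions used only to show a rule that passes the check.

```python
"""Audit sudoers user specifications for commands the invoking user can tamper with.

Added example, not from the writeup. Parses lines of the form
  user host=(runas) [NOPASSWD:] /path/cmd args [, /path/cmd2 ...]
and checks each command path against a filesystem tree rooted at fs_root.
"""
import os
import re
import stat
import tempfile

SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

SAMPLE_SUDOERS = """\
# constructed sample modelled on the rule seen on the box
Defaults env_reset
root ALL=(ALL:ALL) ALL
webadmin ALL=(sysadmin) NOPASSWD: /home/webadmin/luvit
backup ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /mnt/backup/
"""


def parse_sudoers(text):
    """Return (user, runas, nopasswd, [command paths]) for each user specification."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue  # aliases and other directives are out of scope here
        cmds = [c.strip().split()[0] for c in m.group("cmds").split(",") if c.strip()]
        specs.append((m.group("user"), m.group("runas") or "root",
                      "NOPASSWD:" in m.group("tags"), cmds))
    return specs


def _writable_by_others(path):
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_sudoers(text, fs_root, homes, owners):
    """Return (user, runas, cmd, nopasswd, reasons) for every risky rule.

    homes maps user -> home directory (absolute, as in sudoers);
    owners maps user -> uid, so file ownership can be checked against the invoker."""
    findings = []
    for user, runas, nopasswd, cmds in parse_sudoers(text):
        if user == "root":
            continue  # rules for root grant nothing root lacks
        for cmd in cmds:
            reasons = []
            if cmd == "ALL":
                reasons.append("unrestricted command (ALL)")
            else:
                home = homes.get(user)
                if home and cmd.startswith(home.rstrip("/") + "/"):
                    reasons.append("command lives inside the invoking user's home directory")
                real = os.path.join(fs_root, cmd.lstrip("/"))
                if not os.path.exists(real):
                    reasons.append("command path does not exist (could be created)")
                else:
                    if os.stat(real).st_uid == owners.get(user):
                        reasons.append("command file is owned by the invoking user")
                    if _writable_by_others(real):
                        reasons.append("command file is writable by group/others")
                    if _writable_by_others(os.path.dirname(real)):
                        reasons.append("parent directory is writable by group/others")
            if reasons:
                findings.append((user, runas, cmd, nopasswd, reasons))
    return findings


def build_sample_fs(root):
    """Constructed tree matching the sample rules, with typical permissions."""
    for rel in ("home/webadmin/luvit", "usr/bin/rsync"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write("#!/bin/sh\n")  # placeholder content, not the real programs
        os.chmod(full, 0o755)
    for d in ("home", "home/webadmin", "usr", "usr/bin"):
        os.chmod(os.path.join(root, d), 0o755)


def run_demo():
    """Audit the sample as installed, then again after rsync is made world-writable."""
    homes = {"webadmin": "/home/webadmin", "backup": "/var/backups"}
    owners = {"webadmin": os.getuid()}  # the demo's own uid stands in for webadmin
    with tempfile.TemporaryDirectory() as root:
        build_sample_fs(root)
        before = audit_sudoers(SAMPLE_SUDOERS, root, homes, owners)
        os.chmod(os.path.join(root, "usr/bin/rsync"), 0o777)
        after = audit_sudoers(SAMPLE_SUDOERS, root, homes, owners)
    return before, after


if __name__ == "__main__":
    for label, findings in zip(("as installed", "after chmod 777"), run_demo()):
        print(label)
        for user, runas, cmd, nopasswd, reasons in findings:
            print(f"  {user} -> ({runas}) {cmd} NOPASSWD={nopasswd}: {'; '.join(reasons)}")
```

Run against a real host, fs_root would be "/", homes would come from /etc/passwd and owners from pwd.getpwnam; the luvit rule is reported twice over (inside the invoker's home and owned by the invoker), which is exactly the shape of the misconfiguration the note on the box describes.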
Privilege Escalation #2 and Getting The Root
As I now had sysadmin privileges, I started to look for useful things inside the box.
After running pspy I noticed this:
When a user SSHes into the box, “/bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/” runs as root, and “run-parts --lsbsysinit /etc/update-motd.d” runs afterwards.
The file was found in the
The point is that update-motd.d runs as root whenever a user logs in; its scripts print the welcome banner, the release check is skipped if it is unavailable, and the login session continues.
What I did was add my reverse shell to the 00-header file. Then I set up a listener, opened a new terminal, logged in as sysadmin, and boom, I was root.
That's it. Traceback was a really fun and easy box, and I learned a couple of things. Thank you Xh4H for the nice build, and thank you for reading.
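Scripts under /etc/update-motd.d, and the /var/backups/.update-motd.d copy that root restores them from on every login, execute as root, so any edit to them deserves an alert and none of them should be writable by a non-root user. The following is an added example (my own code, not from the writeup or the box) of a baseline-and-diff integrity check for such a directory: it records a SHA-256 hash per script, reports files that changed, appeared or disappeared since the baseline, and lists entries whose permissions allow group or world writes. The directory, the script contents and the simulated tampering are all constructed in a temporary location; the script names mirror Ubuntu's layout but their bodies are placeholders.

```python
"""Baseline-and-diff integrity check for MOTD scripts that run as root at login.

Added example, not from the writeup. Take a baseline of /etc/update-motd.d
(and of any directory it is restored from), then re-run the check on a
schedule or from the same login hook and alert on any difference.
"""
import hashlib
import os
import stat
import tempfile

SAMPLE_SCRIPTS = {
    # constructed stand-ins for Ubuntu's MOTD scripts; bodies are illustrative only
    "00-header": "#!/bin/sh\nprintf 'Welcome to %s\\n' \"$(lsb_release -ds)\"\n",
    "10-help-text": "#!/bin/sh\nprintf ' * Documentation: https://help.ubuntu.com\\n'\n",
    "50-landscape-sysinfo": "#!/bin/sh\n# sysinfo placeholder\n",
}


def snapshot(directory):
    """Map each regular file name in directory to its SHA-256 hex digest."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                result[name] = hashlib.sha256(f.read()).hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Return (changed, added, removed) file-name lists relative to the baseline."""
    changed = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    added = sorted(n for n in current if n not in baseline)
    removed = sorted(n for n in baseline if n not in current)
    return changed, added, removed


def loosely_permissioned(directory):
    """Entries writable by group or others; for a root-run script directory this
    list should be empty."""
    bad = []
    for name in sorted(os.listdir(directory)):
        mode = os.stat(os.path.join(directory, name)).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(name)
    return bad


def build_sample_dir(directory):
    """Populate a constructed update-motd.d directory with sane permissions."""
    for name, body in SAMPLE_SCRIPTS.items():
        path = os.path.join(directory, name)
        with open(path, "w") as f:
            f.write(body)
        os.chmod(path, 0o755)


def run_demo():
    """Take a baseline, then simulate an edited 00-header and a new script dropped in."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_dir(d)
        baseline = snapshot(d)
        clean = diff_snapshots(baseline, snapshot(d))
        # Simulated tampering: one line appended to 00-header, one extra world-writable script
        with open(os.path.join(d, "00-header"), "a") as f:
            f.write("# appended line (simulated tampering)\n")
        extra = os.path.join(d, "99-extra")
        with open(extra, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(extra, 0o777)
        tampered = diff_snapshots(baseline, snapshot(d))
        loose = loosely_permissioned(d)
    return clean, tampered, loose


if __name__ == "__main__":
    clean, tampered, loose = run_demo()
    print("clean run:", clean)
    print("after tampering (changed, added, removed):", tampered)
    print("group/world-writable entries:", loose)
```

On the box, the same check pointed at both /etc/update-motd.d and /var/backups/.update-motd.d would have reported the modified 00-header within the 30-second window before root copied and executed it; the baseline should live somewhere the audited users cannot write, or the check only confirms what an intruder chose to leave in place.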
Appreciate your respect+ 🙂 here: https://www.hackthebox.eu/home/users/profile/68523