Traceback was an easy rated Linux machine that required finding a webshell on an already pwned website, using it to upload a php reverse shell, then catching a shell as webadmin. From there, webadmin had access to running `luvit` as sysadmin, so a simple Lua script was used to catch a reverse shell as sysadmin. Finally, lax permissions on motd files allowed me to append reverse shell code to catch a shell as root. I added Traceback to my /etc/hosts and got started.
Enumeration
nmap scan:
![](/content/images/2020/08/image.png)
Without any creds for ssh, let's check http:
![](/content/images/2020/08/image-1.png)
I always check the source code for things like this and saw a nice little comment:
![](/content/images/2020/08/image-2.png)
I ran gobuster first to see if it might find the backdoor:
![](/content/images/2020/08/image-3.png)
No luck finding the backdoor but the .ssh file was a peek at the future:
![](/content/images/2020/08/image-4.png)
Initial Foothold
I poked around a bit more but didn't find anything. Finally I googled 'some of the best web shells you might need' and found this. I saved the list of shells to shells.txt and ran gobuster again:
![](/content/images/2020/08/image-5.png)
Accessing smevk.php showed a login page:
![](/content/images/2020/08/image-6.png)
The hackers had bad opsec and admin/admin worked as creds:
![](/content/images/2020/08/image-7.png)
I uploaded a php reverse shell, accessed via browser and caught a shell as webadmin:
![](/content/images/2020/08/image-8.png)
I generated an ssh key pair and appended the public key to webadmin's authorized_keys file:
![](/content/images/2020/08/image-9.png)
I now had a stable shell:
![](/content/images/2020/08/image-10.png)
User Pivot
In the home dir was a nice little note:
![](/content/images/2020/08/image-11.png)
It turns out that sysadmin gave webadmin the ability to run `luvit` as sysadmin:
![](/content/images/2020/08/image-12.png)
I ran `luvit` to see what it was and had no idea what to do with it:
![](/content/images/2020/08/image-13.png)
I found the github page and after googling a bit more, was not entirely surprised to see that PayloadsAllTheThings had an entry for it. I created rs.lua:
![](/content/images/2020/08/image-14.png)
As webadmin, I ran `sudo -u sysadmin /home/sysadmin/luvit rs.lua` and caught a reverse shell as sysadmin:
![](/content/images/2020/08/image-22.png)
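The pivot above works because a sudo rule lets one user run an interpreter as another, and the interpreter binary sits in that other user's home directory. As an added example that is not part of the original writeup, here is a small Python auditor for sudoers rules of that shape: it flags commands that are interpreters (anything that executes caller-supplied code) and commands that live under a user-controlled path. The sudoers lines it scans are constructed for the example, since the box's real rule is only visible in the screenshot.

```python
"""Audit sudoers-style user specifications for rules a low-privilege
user can turn into code execution as the runas user.  Constructed
example: the sample rules below are not the box's real /etc/sudoers."""
import os
import re

# Commands that run whatever code the caller hands them (assumed list;
# extend it for the interpreters installed on your own hosts).
INTERPRETERS = {"luvit", "lua", "python", "python3", "perl", "ruby",
                "node", "bash", "sh", "php"}

# Prefixes under which a non-root user normally owns the binary.
USER_CONTROLLED_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# user  host = (runas) TAG: cmd, cmd   (aliases and Defaults are skipped)
RULE_RE = re.compile(
    r"^(?P<user>[^\s#]+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)

SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias",
                 "Host_Alias", "Runas_Alias")


def parse_rule(line):
    """Parse one sudoers user specification; None for lines that are
    blank, comments, Defaults or alias definitions."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or stripped.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(stripped)
    if not m:
        return None
    runas = (m.group("runas") or "root").strip()  # sudo defaults to root
    tags = [t.rstrip(":") for t in m.group("tags").split()]
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return {"user": m.group("user"), "host": m.group("host"),
            "runas": runas, "tags": tags, "cmds": cmds}


def audit_rule(rule):
    """Return human-readable findings for one parsed rule."""
    findings = []
    for cmd in rule["cmds"]:
        if cmd == "ALL":
            findings.append(f"{rule['user']} may run any command as {rule['runas']}")
            continue
        binary = cmd.split()[0]
        if os.path.basename(binary) in INTERPRETERS:
            findings.append(f"{rule['user']} may run interpreter {binary} as "
                            f"{rule['runas']}: arbitrary code runs as that user")
        if binary.startswith(USER_CONTROLLED_PREFIXES):
            findings.append(f"{binary} lives under a user-writable tree; "
                            f"its owner can replace it")
    return findings


def audit_sudoers(text):
    """Map each risky rule line to its findings; clean rules are omitted."""
    results = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        findings = audit_rule(rule)
        if findings:
            results[line.strip()] = findings
    return results


# Constructed sample: the first rule mirrors the shape of the one that
# let webadmin run luvit as sysadmin; the others are for contrast.
SAMPLE_SUDOERS = """\
# constructed sample, not the box's real /etc/sudoers
Defaults env_reset
webadmin ALL=(sysadmin) NOPASSWD: /home/sysadmin/luvit
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
ops      ALL=(ALL) /usr/bin/python3
"""

if __name__ == "__main__":
    for rule_line, findings in audit_sudoers(SAMPLE_SUDOERS).items():
        print(rule_line)
        for f in findings:
            print("   -", f)
```

On a real host, feed it the output of `sudo -l -U <user>` or the contents of /etc/sudoers and /etc/sudoers.d/*; a rule that grants an interpreter, or a binary under /home, is one to rewrite as a root-owned wrapper script with a fixed argument list.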
User flag:
![](/content/images/2020/08/image-16.png)
Privilege Escalation
I proceeded to append the same ssh public key generated earlier to sysadmin's authorized_keys file and got ssh access:
![](/content/images/2020/08/image-17.png)
While enumerating the system, I saw an interesting set of commands being run:
![](/content/images/2020/08/image-18.png)
This was a huge hint for the next step and was most likely there to clean up after lazy htb players. Let's take a look at /etc/update-motd.d:
![](/content/images/2020/08/image-19.png)
All of these are owned by root and sysadmin has write access. These motd (message of the day) scripts are run when someone logs in. I appended bash reverse shell code to one of these, which should give us a reverse shell when someone logs in. I readied a netcat listener, ssh'ed in and caught a root shell:
![](/content/images/2020/08/image-20.png)
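The root step depends on one thing: scripts in /etc/update-motd.d run as root on every login, yet a non-root user could edit them. As an added example that is not part of the original writeup, here is a Python check for run-parts style directories of this kind. It reports any entry (the directory itself included, since a writable directory lets anyone add a new script) that is not owned by the expected uid or is group- or world-writable, and it follows symlinks so the target's permissions are what gets judged. The directory list and the expected uid are parameters so the check can be pointed at any such directory; the __main__ block's list of paths is an assumption.

```python
"""Check run-parts style script directories (e.g. /etc/update-motd.d)
for entries a non-root user could modify.  Constructed example; the
paths in the __main__ block are assumptions, not from the writeup."""
import os
import stat


def audit_script_dir(path, expected_uid=0):
    """Return (path, reason) findings for `path` and every entry in it.

    Every entry should be owned by expected_uid (root on a real host)
    and writable by nobody but its owner, because whatever is in these
    files runs with root's privileges at the next login.
    """
    findings = []
    entries = [path] + [os.path.join(path, n) for n in sorted(os.listdir(path))]
    for p in entries:
        if stat.S_ISLNK(os.lstat(p).st_mode):
            findings.append((p, "symlink; judging its target"))
        try:
            st = os.stat(p)  # follows symlinks: the target is what runs
        except FileNotFoundError:
            findings.append((p, "dangling symlink"))
            continue
        if st.st_uid != expected_uid:
            findings.append((p, f"owned by uid {st.st_uid}, expected {expected_uid}"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((p, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((p, "world-writable"))
    return findings


def is_clean(path, expected_uid=0):
    """True when the directory and all its entries pass the audit."""
    return audit_script_dir(path, expected_uid) == []


if __name__ == "__main__":
    # Assumed locations of root-executed script directories on a
    # Debian/Ubuntu style host; skip any that do not exist.
    for d in ("/etc/update-motd.d", "/etc/cron.hourly", "/etc/cron.daily"):
        if not os.path.isdir(d):
            continue
        problems = audit_script_dir(d)
        print(f"{d}: {'ok' if not problems else 'PROBLEMS'}")
        for p, reason in problems:
            print(f"   {p}: {reason}")
```

The fix for a finding is `chown root:root` plus `chmod 755` on the entry (and `chmod 755` on the directory); a cron job that rewrites these files, like the one spotted during enumeration, only masks the misconfiguration between runs.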
Root flag:
![](/content/images/2020/08/image-21.png)