HackTheBox Writeup: Traceback
Traceback was an easy rated Linux machine that required finding a webshell on an already pwned website, using it to upload a php reverse shell, then catching a shell as webadmin. From there, webadmin had access to running luvit
as sysadmin so a simple Lua script was used to catch a reverse shell as sysadmin. Finally, lax permissions on motd files allowed me to append reverse shell code to catch a shell as root. I added Traceback to my /etc/hosts and got started.
Enumeration
nmap scan:
Without any creds for ssh, let's check http:
I always check the source code for things like this and saw a nice little comment:
I ran gobuster first to see if it might find the backdoor:
No luck finding the backdoor but the .ssh file was a peek at the future:
Initial Foothold
I poked around a bit more but didn't find anything. Finally I googled 'some of the best web shells you might need' and found this. I saved the list of shells to shells.txt and ran gobuster again:
Accessing smevk.php showed a login page:
The hackers had bad opsec and admin/admin worked as creds:
I uploaded a php reverse shell, accessed via browser and caught a shell as webadmin:
I generated a ssh key pair and appended the public key to webadmin's authorized_keys file:
I now had a stable shell:
User Pivot
In the home dir was a nice little note:
It turns out that sysadmin gave webadmin the ability to run luvit
as sysadmin:
I ran luvit
to see wtf it was and had no idea what to do with it:
I found the github page and after googling a bit more, was not entirely surprised to see that PayloadsAllTheThings had an entry for it. I created rs.lua:
As webadmin, I ran `sudo -u sysadmin /home/sysadmin/luvit rs.lua' and caught a reverse shell as sysadmin:
User flag:
Privilege Escalation
I proceeded to append the same ssh public key generated earlier to sysadmin's authorized_keys file and got ssh access:
While enumerating the system, I saw an interesting set of commands being run:
This was a huge hint for the next step and was most likely there to clean up after lazy htb players. Let's take a look at /etc/update-motd.d:
All of these are owned by root and sysadmin has write access. These motd (message of the day) scripts are run when someone logs in. I appended bash reverse shell code to one of these, which should give us a reverse shell when someone logs in. I readied a netcat listener, ssh'ed in and caught a root shell:
Root flag: