Technical

HTB: Traceback Writeup

Posted on by boy.suganda

I am going to write my exploration with Traceback machine.

This is my first machine in Hack The Box (HTB).
As usual, if we are given an IP address, we need to do port scanning to ensure the open-to-public port.

nmap -sC -sV 10.10.10.181

Port 22 and 80 are open.

Port Scanning

Let’s open via browser.

Browser’s View

I think there is a backdoor inside.
Let’s check the source code.

A clue…

Inspect Element

Let’s take attention on commented lines.
“Some of the best web shells that you might need”

Searching from Google

If you are going to search it from Xh4H, it will redirect you to the top one, because Xh4H fork it from the top one.

Web-Shells repository

So many versions of shells here. You can try to predict if one of them exist on the machine (10.10.10.181). Let’s use brute-force directory.

gobuster -w list-shell.txt --url 10.10.10.181
Brute-force directory

smevk.php existed, next take a look on smevk.php file.

smevk.php

Go to 10.10.10.181/smevk.php
Username:Password = admin:admin
We are in.

smevk backdoor interface

To make you can ssh, you need to transfer your public key inside the machine. Copy your public key and store it in /home/webadmin/.ssh/. Why not /home/sysadmin/.ssh too? Because you can’t go there. Let’s escalate from the thing that you can.

public key

Welcome, you already inside machine as webadmin.

ssh to machine

Let’s see files inside directory.
There is a “note.txt”.

clue again, note.txt

Hmm, seems not good with this clue.

what is lua

Let’s check the syntax that can be executed by webadmin.

sudo -l
Result sudo -l

Then try to go as sysadmin.
But before go there, we need to try to understand “lua” and “luvit”.

Lua is programming language, and luvit is one of lua code implementation.
Let’s check the shell of lua on GTFOBins.

From GTFOBins, you can try this exploit.

lua -e 'os.execute("/bin/sh")'

Ok, let’s try it as input for changing account to sysadmin

sudo -u sysadmin /home/sysadmin/luvit

different between /bin/sh and /bin/bash

As i know, /bin/sh is better used on macOS, and /bin/bash on linux.

Ok, we owned user flag.

Let’s go to root.

When we are going to ssh, you can see that we have custom header. I reference you to this web, just for knowing the location of the welcoming file. It’s located in /etc/update-motd.d.

echo "id" >> /etc/update-motd.d/00-header

Let’s try to ssh again to webadmin (open new terminal).

ssh as webadmin

Wow, it’s running as root.
I try to know what is inside root directory.

echo "ls /root" >> 00-header
root directory

There is single file, root.txt.
We just need to cat the file now by using file 00-header.

root flag

We owned the root flag.

Traceback Machine already been owned.

I’ll post this after the machine was expired.
Please inform me if the writeup was exposed by (someone).

Written on June 07th, 2020.

Published by boy.suganda

My name is Boy Suganda Sinaga. I worked as Site Reliability Engineer (SRE) at Shipper Indonesia. I'm still developing my skill, both hard-skill and soft-skill. Let's work together, to bring better future for others.

You might also like

[Certification] Apsara Clouder – Protect Your Web Application on Alibaba Cloud
May 27, 2020
[CERTIFICATION] ALIBABA CLOUD ASSOCIATE (CLOUD NATIVE)
July 6, 2020
Install Pritunl on your ECS Alibaba Cloud
August 2, 2020

Leave a Reply

Your email address will not be published. Required fields are marked *