TraceBack Box Writeup From HTB DOT EU
Looking at the box's HTB rating and difficulty graph, it looks more like a CTF-style box, so let's try to crack it :P
Let's start with info gathering, as always.
It is the first step of every penetration testing session.
INFO GATHERING
Starting with an nmap scan, as follows:
```
sudo nmap -sC -sV -oA nmap/traceback 10.10.10.181
```
Two ports are open according to the results:
22 SSH
80 Apache
The nmap results are as follows:
```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.74 seconds
```
Let's also run the all-ports scan, just in case we are missing some open ports.
While that is running, let's enumerate the web directories and check the index page, headers, etc.
Looking at the main page we find a scary message:
Let's see if enumeration works, in the next part of this writeup.
The all-ports scan gave the same results, so it was not actually needed.
The 2nd vital step of a penetration testing session is:
ENUMERATION AND SCANNING
Let's enumerate with dirb this time, just because it's easy:
```
dirb http://10.10.10.181
```
or, saving the output to a file:
```
sudo dirb http://10.10.10.181 -o /home/MrRobot/Documents/Documents/BoxesHACK/Traceback/resultsenumeration.txt
```
Let's wait. While we wait, let's run some other tools:
```
dig 10.10.10.181
curl 10.10.10.181
```
Nothing special. Let's move forward.
With the enumeration results we get two entries:
```
---- Scanning URL: http://10.10.10.181/ ----
+ http://10.10.10.181/index.html (CODE:200|SIZE:1113)
+ http://10.10.10.181/server-status (CODE:403|SIZE:300)
```
Nothing special about these results, so let's try another wordlist.
Let's scan:
```
dirb http://10.10.10.181/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o /home/MrRobot/Documents/Documents/BoxesHACK/Traceback/resultsenum
```
Let's google the Apache/Ubuntu version:
Apache httpd 2.4.29 ((Ubuntu))
Going back to something I noticed in the source of the main page, let's mention it:
there was a comment that gave us a clue about what we are dealing with here, which is:
```html
<!-- Some of the best web shells that you might need ;) -->
```
So we have to get into the website through a web shell, maybe?
Or get a reverse connection with something similar.
Let's research this.
Actually, let's postpone it and use gobuster with another wordlist instead of dirb:
```
gobuster dir -u http://10.10.10.181/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200,204,301,302,307,401 -o /home/MrRobot/Documents/Documents/BoxesHACK/Traceback/enumerationweb.txt
```
The 3rd step of the process is:
Exploitation and examining with different tools.
Let's start.
Nothing from ZAP.
Let's run Raccoon and see if we can get something:
```
raccoon 10.10.10.181
```
Wait for results... nothing.
I guess the standard steps don't work, so let's try some OSINT on the target and see if we can get something useful.
By looking at the main page's source again we find something interesting:
By googling this sentence we land on a GitHub page listing web shell names. The first idea that came to my mind was to make a wordlist of these web shell filenames for enumeration with gobuster.
https://github.com/TheBinitGhimire/Web-Shells
By running gobuster against this list, BINGO, we find the one URL that leads us to the target page:
smevk.php
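From the defender's side, the enumeration just described leaves a very recognisable trail in the web server's access log: one client producing a burst of 404s inside a short window, then a request for a file named after a known web shell. The Python script below is an added example, not part of the original writeup and not from any tool the box runs. It parses constructed Apache combined-format log lines, flags clients whose 404 rate looks like a dirb/gobuster run, and reports any request for a filename on a web-shell list. smevk.php is the name found on the box; the other shell names, the IPs, timestamps and user agents in the sample are made up.

```python
"""Spot directory brute-forcing and web-shell probes in Apache access logs.

Added example, not part of the original writeup. Sample log lines, IPs and
timestamps are constructed; smevk.php is the shell name found on the box, the
other names in WEBSHELL_NAMES are illustrative stand-ins for a real wordlist.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [time] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WEBSHELL_NAMES = {"smevk.php", "c99.php", "r57.php", "wso.php", "b374k.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    # Bare filename of the request, without query string or leading directories.
    rec["file"] = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return rec


def find_scanners(records, window_seconds=60, threshold=20):
    """Return {ip: total 404s} for clients with >= threshold 404s inside any window.

    A wordlist scanner (dirb, gobuster) produces a dense run of 404s; an
    ordinary visitor does not, so a sliding window over sorted timestamps
    separates the two.
    """
    by_ip = defaultdict(list)
    for r in records:
        if r["status"] == 404:
            by_ip[r["ip"]].append(r["ts"])
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while (stamps[hi] - stamps[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[ip] = len(stamps)
                break
    return hits


def find_webshell_requests(records):
    """Return (ip, path, status) for every request naming a known web shell.

    The status is kept on purpose: a 404 is a probe, a 200 means the file exists.
    """
    return [(r["ip"], r["path"], r["status"]) for r in records
            if r["file"] in WEBSHELL_NAMES]


def analyze(lines):
    records = [r for r in map(parse_line, lines) if r]
    return find_scanners(records), find_webshell_requests(records)


def build_sample_log():
    """Constructed sample: one scanner sending 25 guesses a second apart and then
    finding the shell, plus one ordinary visitor loading the index page."""
    base = datetime.strptime("18/Mar/2020:10:00:00 +0000", TS_FMT)
    ua = '"-" "gobuster/3.0.1"'
    lines = [
        f'192.0.2.10 - - [{(base + timedelta(seconds=i)).strftime(TS_FMT)}] '
        f'"GET /guess{i}.php HTTP/1.1" 404 275 {ua}'
        for i in range(25)
    ]
    later = (base + timedelta(seconds=30)).strftime(TS_FMT)
    lines.append(f'192.0.2.10 - - [{later}] "GET /smevk.php HTTP/1.1" 200 1500 {ua}')
    lines.append(f'192.0.2.20 - - [{later}] "GET /index.html HTTP/1.1" 200 1113 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    scanners, shells = analyze(build_sample_log())
    for ip, count in scanners.items():
        print(f"[scan] {ip}: {count} x 404 inside a short window")
    for ip, path, status in shells:
        print(f"[shell] {ip} requested {path} -> {status}")
```

The thresholds (20 misses per minute) are a starting point, not a tuned value; on a real server feed `analyze()` the lines of /var/log/apache2/access.log and adjust them to the site's normal 404 rate. A 200 on a web-shell filename is the finding that matters most, since it means the file is actually present.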
By entering admin / admin as the credentials, which we could guess easily,
we can log in to the main page.
After that it looks like we can upload a shell through the page, so I uploaded the shell and got a reverse connection back with meterpreter. BINGO, we got a shell:
Now we are listening:
Let's upload the shell
and execute it!
The 4th step of a penetration testing session is:
Privilege Escalation
By running `sudo -l`
we learn that we can run luvit as sysadmin without a password.
We are currently webadmin; by running this command:
```
sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/sh")'
```
we can escape into a shell spawned as sysadmin.
WE GOT THE USER FLAG, LET'S MOVE ON >
Next let's get root...
I got pspy and placed it in the /dev/shm directory to run it and check the running processes.
Let's log in as sysadmin via SSH; maybe we can get a much clearer idea of what we are dealing with here,
by following these steps:
On our box:
By running pspy we can see the processes and monitor them in real time.
A process which caught my attention is update-motd.
Going to the directory /var/backups/update-motd we can read the files there, but we can't edit them,
so I decided to go to the original directory which holds those files, and BOOM, we can edit them.
By editing the file 00-header:
let's add `cat /root/root.txt` and see if it works when we log in again.
We could do many other things at this point, but we will stick with this approach.
By logging in again over SSH we CAN get root. Boom!
done.
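Both privilege steps on this box come from the same class of misconfiguration: a more privileged account running code that a less privileged account controls. The Python script below is an added example, not part of the original writeup, that audits for the two cases from the defender's side: a `sudo -l` rule granting NOPASSWD access to an interpreter such as luvit, and a directory of scripts run at login (/etc/update-motd.d) containing files that a non-root user can modify. The `sudo -l` text and the file ownership/mode entries are constructed to mirror the box, not captured from it; `collect_entries()` is there to gather the same tuples from a real directory with os.stat().

```python
"""Audit the two privilege paths used on this box from the defender's side.

Added example, not part of the original writeup. SAMPLE_SUDO_L and
SAMPLE_MOTD_ENTRIES are constructed to mirror the box, not captured from it.
"""
import os
import re
import stat

# Programs that run arbitrary code when handed an argument, so a NOPASSWD sudo
# rule for them is effectively a NOPASSWD rule for a shell. luvit (the Lua
# runtime on the box) is from the writeup; the rest are common interpreters.
INTERPRETERS = {"luvit", "lua", "python", "python3", "perl", "ruby", "node", "sh", "bash"}

# One rule line of `sudo -l` output: "(runas) TAG: cmd, cmd ..."
SUDO_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def risky_sudo_rules(sudo_l_output):
    """Return (runas, command) for NOPASSWD rules on an interpreter or on ALL."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE_RE.match(line)
        if not m or "NOPASSWD:" not in m.group("tags"):
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = os.path.basename(cmd.split()[0])  # drop any fixed arguments
            if cmd == "ALL" or binary in INTERPRETERS:
                findings.append((m.group("runas").strip(), cmd))
    return findings


def writable_root_scripts(entries, trusted_uid=0):
    """entries: iterable of (path, owner uid, st_mode) for scripts that root runs.

    Returns the paths that someone other than trusted_uid could change: owned
    by another account, or writable by group or others.
    """
    return [path for path, uid, mode in entries
            if uid != trusted_uid or mode & (stat.S_IWGRP | stat.S_IWOTH)]


def collect_entries(directory):
    """Gather (path, uid, mode) for the regular files in a real directory."""
    entries = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.stat(path)
        if stat.S_ISREG(st.st_mode):
            entries.append((path, st.st_uid, st.st_mode))
    return entries


# Constructed `sudo -l` output modelled on the box.
SAMPLE_SUDO_L = """\
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
"""

# Constructed stand-ins for os.stat() results on /etc/update-motd.d.
SAMPLE_MOTD_ENTRIES = [
    ("/etc/update-motd.d/00-header", 0, 0o100755),        # root-owned, root-only write: fine
    ("/etc/update-motd.d/10-help-text", 1000, 0o100755),  # owned by uid 1000: flagged
    ("/etc/update-motd.d/50-landscape", 0, 0o100775),     # root-owned but group-writable: flagged
]


if __name__ == "__main__":
    for runas, cmd in risky_sudo_rules(SAMPLE_SUDO_L):
        print(f"[sudo] NOPASSWD interpreter runs as {runas}: {cmd}")
    for path in writable_root_scripts(SAMPLE_MOTD_ENTRIES):
        print(f"[motd] login script modifiable by non-root: {path}")
    # On a live Ubuntu host: writable_root_scripts(collect_entries("/etc/update-motd.d"))
```

The fix on the sudo side is to grant the exact command with its arguments instead of an interpreter binary, or to require a password; on the motd side, everything under /etc/update-motd.d should be owned by root with mode 755, and a restore job that copies files from a directory a lower-privileged user can write to simply moves the problem rather than solving it.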
What I learned from this box is that the foothold was a bit tricky to get: it involves a custom dictionary for enumeration, but it was hinted at, and all you need is a Google search, some creativity and fast observation skills.
Creating the shell was pretty easy, and so was the foothold, but the privesc is a bit interesting: it involves an automatic script in update-motd.d that initiates 30 seconds after every reboot of the system, so basically after editing the header to cat /root/root.txt we could log off SSH, log back in after 30 seconds and see the flag when we log in again.
That's all for this writeup, see you in the NEXT ONES
Peace!
SoftAddict OUT