Let us Traceback -A HTB WriteUp

Pratyaksh Singh
SecOnset
5 min readSep 3, 2020

--

Hey folks, today we are going to go through Traceback machine on HTB.

Let us jump right into it.

First we perform “nmap” scan:

nmap -sC -sV 10.10.10.181

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-18 16:45 IST
Stats: 0:00:57 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 16:46 (0:00:00 remaining)
Nmap scan report for 10.10.10.181
Host is up (0.49s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.78 seconds

Nothing much here apart from a ssh service information.

We are also given another open port i.e. port:80 this means that a http service is also currently running.

let us now visit the site

Hmm…Let us first examine the source code of the page.

Hmm…the comment obviously is giving us a hint about the web shells.

Let us all try to find those web shells, just copy the comment and search for the string in your browser.

The very first link I got was “this”.

Here you get a bunch of web shells out of which you need to figure out the one we are going to work with….

To do so…. Just copy the names of all the web shell into a file and then run the “dirb” command with these web shells as the wordlist. 🐒

Once you find the correct web shell, you can now visit that shell by adding http://[ip]/webshell_name.php

Interesting, we get a login page, the username and password can be found in the web shell itself. Use them to log in.

Now that you are in, navigate to the /home/webadmin/.ssh/ directory, delete the authorized_keys file on the server.

Now you need to upload your own ssh key onto the server.

To create the ssh-key use the command “ssh-keygen” in the .ssh/ directory and change the name of the newly generated file id_rsa.pub to authorized_keys and then upload it onto the server.

Deleting the old key :

Upload the newly generated SSH key:

Once the ssh file is uploaded onto the server, use the command

ssh webadmin@10.10.10.181 -i id_rsa

This command will get you the access to the web admin shell on the server.

Voila, we are in. Let us see what we can find in the directory.

Hmmm…..interesting, we are getting to know about a tool to practice LUA. If you do not know what LUA is I recommend you to do a quick google search regarding it.

Let us look into the file:

Let us try to find the file related to Lua, using the “find” command in Linux. Now go try to find some exploit for lua.

After researching i got this site

Now before moving forward let us just check the privilege the user webadmin has, to do this type the command, sudo -ll, this command tells us which commands can the user run wit escalated privileges.

We can see that the user webadmin has the access to the instance ‘luvit’ which has to be executed as user ‘sysadmin’.

Let us go ahead and execute the command:

use the command: sudo -u sysadmin /home/sysadmin/luvit

-u: flag is used to indicate to run a command as some specific user.

Let us move to the sysadmin home directory, and see what we can find there.

Yaaay, we finally got our user hash.

Now let us go hunt down the root hash….

Rememeber the ‘Welcome to Xh4H land’ when we first logged into the webadmin server?

That message basically comes from a motd file that contains a “message of the day”, this file generally exist in the /etc/ folder in linux.

Let us see if we can find it.

We can clearly see that the file ‘00-header’ contains the string saying, “Welcome to Xh4H land”. Also looking at the file type of this file, we come to know that this is a shellscript.

Looking at the permissions of the file we see that we do have the ‘write’ permission allowed for the file ‘00-header’. This means we can edit the file.

Let us see if we can find a way to get the root hash using this file…

Edit the file and put the following commands into it

  • cat /root/root.txt
  • echo done.

After doing this again log into the server using ssh, use the command, ssh webadmin@10.10.10.181 -i id_rsa

And you’ll be given the root hash along with the welcome message.

There you go, we have successfully completed this machine.

Thanks for reading this write up. Every share and likes would encourage me to write some more. See you in the next one. :)

--

--

Pratyaksh Singh
SecOnset

Security Reasearcher | Pentester | ThinkTank | OOBT | Source code Reviewer | Android PT