TraceBack Writeup — HackTheBox

REBRON SECURITY
SUDOROOT
Aug 15, 2020

Made by RebornSec ®

Machine Maker(s) :

Overview :

  • Retrieving some information from the defaced webpage
  • Grabbing the username and the password for the webshell (some OSINT)
  • Replacing the webadmin ssh key with ours
  • Log in as webadmin
  • Embedding our ssh key using luvit
  • Log in as sysadmin
  • We get user.txt
  • Checking the services to find a script that runs every 30 s as root
  • Checking /etc/update-motd.d/00-header
  • Edit the script to get root.txt when it’s executed
  • Log in as sysadmin again
  • We get root.txt

Enumeration phase :

As usual let’s start off with a Nmap scan :

[~] nmap -sC -sV 10.10.10.175

As we can see, the HTTP port is open. Let’s check it in the browser :

Looking for a way to log in to the shell, I came across this repository on GitHub :

Checking the shell, we found its default credentials :

admin:admin

Logging in, we got an interactive PHP shell :

If we dig through the directories, we find that /home/webadmin/.ssh/ contains authorized_keys, so we need to generate an SSH key first and then replace the host's existing key with ours :

SSH Key generation
id_rsa.pub
Replace the existing ssh public key with the new one

After all of that, we log in as webadmin :

The first thing we notice is a note.txt talking about a tool made with Lua :

Trying sudo -l to check my rights as the current user :

It seems we can run luvit as sysadmin, so I added my SSH public key to sysadmin's authorized_keys :

SSH again, but now with sysadmin as the user :

And we got our user.txt !

Root phase :

Checking the running processes, I found that /etc/update-motd.d/00-header is launched every 30 s as root :

So digging into that file :

I was able to edit it :

So after 30 s, I SSH in as sysadmin :

And here we go, we got our root.txt !
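
From the defender's side, the root step works only because a script that root executes was editable by a non-root account. The following added example (not part of the original writeup) audits a directory such as /etc/update-motd.d for entries that are not owned by a trusted uid or are writable by group or others; the function name and the constructed temp-directory sample are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_root_run_dir(directory, trusted_uids=(0,)):
    """Return (path, reason) pairs for entries a non-trusted account could modify."""
    findings = []
    # Include the directory itself: write access there lets a user replace any script.
    paths = [directory] + sorted(
        os.path.join(directory, name) for name in os.listdir(directory)
    )
    for path in paths:
        st = os.lstat(path)  # lstat: do not follow symlinks silently
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink: audit its target as well"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((path, f"owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((path, f"group-writable (gid {st.st_gid})"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a temp directory standing in for /etc/update-motd.d,
    # with one script left group-writable. The current uid plays the role of root.
    demo = tempfile.mkdtemp()
    for name, mode in (("00-header", 0o775), ("10-help-text", 0o755)):
        script = os.path.join(demo, name)
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(script, mode)
    for path, reason in audit_root_run_dir(demo, trusted_uids={os.getuid()}):
        print(f"{path}: {reason}")
```

On a real host, call audit_root_run_dir("/etc/update-motd.d") with the default trusted uid 0 and treat every finding as a path from that owner or group to root.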
