TraceBack Writeup — HackTheBox

3 min readAug 15, 2020


Made by RebornSec ®

Machine Maker(s) :

Overview :

  • Retrieving some information from the defaced webpage
  • Grabing the username and the password for the webshell (some OSINT)
  • Replacing the webadmin ssh key with ours
  • Login as webadmin
  • Embedding our ssh key using luvit
  • Login as sysadmin
  • We getUser.txt
  • Checking the services to find script that run every 30 s as root
  • Checking /etc/update-motd.d/00-header
  • Edit the script to get root.txt when it’s executed
  • Login as sysadmin again
  • We get Root.txt

Enumeration phase :

As usual let’s start off with a Nmap scan :

[~] Nmap -sC -sV

As we can see http port is open. Let’s check it on the browser :

Looking for a way to login to the shell i stopped in this repository in Github :

Checking our shell we found default credentials for the shell :


Loging in we got an interactive php shell :

If we dig in the directories we can locate /home/webadmin/.ssh/ contains authorized_keys, so we need to generate ssh key first then replace the existed key of the host with ours :

SSH Key generation
Replace the existed ssh public key with the new one

After all of that we login as webadmin :

First thing we notice there is a note.txt talking about a tool made up by lua :

Trying sudo -l to check my rights as the actual user :

It seems we can run luvit as sysadmin so i embedded my ssh public key to sysadmin authorized key :

Ssh again but now with sysadmin as user :

And we got our user.txt !

Root phase :

Checking out the running process i found that /etc/update-motd.d/00-header is launched every 30 s as root :

So digging into that file :

I was able to edit it :

So after 30 s i ssh as sysadmin :

And here we go, we got our root.txt !