TraceBack Writeup — HackTheBox

Made by RebornSec ®

Machine Maker(s) :

Overview :

  • Retrieving some information from the defaced webpage
  • Grabbing the username and the password for the webshell (some OSINT)
  • Replacing the webadmin SSH key with ours
  • Log in as webadmin
  • Embedding our SSH key using luvit
  • Log in as sysadmin
  • We get User.txt
  • Checking the services to find a script that runs every 30 s as root
  • Checking /etc/update-motd.d/00-header
  • Edit the script to get root.txt when it’s executed
  • Log in as sysadmin again
  • We get Root.txt

Enumeration phase :

As usual, let’s start off with an Nmap scan :

[~] Nmap -sC -sV

As we can see, the HTTP port is open. Let’s check it in the browser :

Looking for a way to log in to the shell, I came across this repository on GitHub :

Checking our shell, we found default credentials for it :

Logging in, we got an interactive PHP shell :

If we dig through the directories, we find that /home/webadmin/.ssh/ contains authorized_keys, so we first need to generate an SSH key and then replace the host's existing key with ours :

SSH key generation
Replacing the existing SSH public key with the new one

After all of that, we log in as webadmin :

The first thing we notice is a note.txt talking about a tool written in Lua :

Trying sudo -l to check my rights as the current user :

It seems we can run luvit as sysadmin, so I embedded my SSH public key in sysadmin's authorized_keys :

SSH again, but now as the sysadmin user :

And we got our user.txt !

Root phase :

Checking the running processes, I found that /etc/update-motd.d/00-header is launched every 30 s as root :

So digging into that file :

I was able to edit it :

So after 30 s I SSH in as sysadmin :

And here we go, we got our root.txt !
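
The root step worked because a script that root executes was editable by a non-root account. As an added example (not part of the original writeup), here is a defender-side check that flags entries in such a directory that are group-writable, world-writable, or not owned by the expected account. The function name `audit_root_scripts` and its arguments are assumptions made for this example, and ACLs are not inspected.

```shell
#!/bin/sh
# Added example: audit a directory whose scripts are executed by root
# (for instance /etc/update-motd.d) for entries a non-root user could modify.
# The function name and arguments are hypothetical, chosen for this example.

# audit_root_scripts DIR [EXPECTED_OWNER]
#   DIR             directory to audit; the directory itself is checked too
#   EXPECTED_OWNER  user name or numeric uid that should own everything (default 0)
# Prints one "<reason> <path>" line per finding.
# Returns 0 if clean, 1 if there are findings, 2 on bad input.
audit_root_scripts() {
    dir=$1
    owner=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    findings=$(
        {
            # Symlinks are skipped: their own mode bits are meaningless.
            # Anything not owned by the expected account.
            find "$dir" -maxdepth 1 ! -type l ! -user "$owner" |
                sed 's/^/unexpected-owner /'
            # Group write bit set: every member of the group can edit it.
            find "$dir" -maxdepth 1 ! -type l -perm -020 |
                sed 's/^/group-writable /'
            # Other write bit set: any local user can edit it.
            find "$dir" -maxdepth 1 ! -type l -perm -002 |
                sed 's/^/world-writable /'
        } | sort
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh /etc/update-motd.d
if [ "$#" -gt 0 ]; then
    audit_root_scripts "$@"
fi
```

A finding on the directory itself matters as much as one on a file, since write access to the directory allows a script to be replaced outright.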



