TraceBack Writeup — HackTheBox

Made by RebornSec ®

Machine Maker(s) :

Overview :

  • Retrieving some information from the defaced webpage
  • Grabbing the username and the password for the webshell (some OSINT)
  • Replacing the webadmin SSH key with ours
  • Log in as webadmin
  • Embedding our SSH key using luvit
  • Log in as sysadmin
  • We get User.txt
  • Checking the services to find a script that runs every 30 s as root
  • Checking /etc/update-motd.d/00-header
  • Edit the script to get root.txt when it’s executed
  • Log in as sysadmin again
  • We get Root.txt

Enumeration phase :

As usual, let’s start off with an Nmap scan :

[~] nmap -sC -sV 10.10.10.175

As we can see, the HTTP port is open. Let’s check it in the browser :

Looking for a way to log in to the shell, I came across this repository on GitHub :

Checking the shell, we found its default credentials :

admin:admin

Logging in, we got an interactive PHP shell :

If we dig through the directories, we find that /home/webadmin/.ssh/ contains authorized_keys, so we first need to generate an SSH key pair and then replace the host’s existing key with ours :

SSH key generation
id_rsa.pub
Replace the existing SSH public key with the new one

After all of that, we log in as webadmin :

The first thing we notice is a note.txt talking about a tool made with Lua :

Trying sudo -l to check my rights as the current user :

It seems we can run luvit as sysadmin, so I embedded my SSH public key in sysadmin’s authorized_keys :

SSH again, but now as sysadmin :

And we got our user.txt !

Root phase :

Checking the running processes, I found that /etc/update-motd.d/00-header is launched every 30 s as root :

So digging into that file :

I was able to edit it :

So after 30 s I SSH in as sysadmin :

And here we go, we got our root.txt !
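The root step works because a script that runs as root could be edited by a non-root account. The following is an added example, not part of the original writeup: a check a defender could run to list scripts (and directories) under /etc/update-motd.d that are group-writable, world-writable or not owned by root. The function names `risky_scripts` and `audit_dir` are hypothetical.

```shell
#!/bin/sh
# Added example: find files in a root-executed directory that a non-root
# account could modify. Function names are hypothetical.

# risky_scripts DIR [OWNER_UID]
# Prints every file or directory under DIR that is group-writable,
# world-writable, or not owned by OWNER_UID (default 0, i.e. root).
# A writable directory counts, because scripts in it can be replaced.
risky_scripts() {
    dir=$1
    owner=${2:-0}
    [ -d "$dir" ] || return 0
    find "$dir" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 -o ! -user "$owner" \) -print
}

# audit_dir DIR [OWNER_UID]
# Returns 0 when nothing risky is found. Otherwise prints a long listing
# (owner, group, mode) of each offending path and returns 1.
audit_dir() {
    found=$(risky_scripts "$1" "${2:-0}")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | while IFS= read -r f; do
        ls -ld "$f"
    done
    return 1
}

# Audit the directory named in the writeup; report without failing.
if audit_dir /etc/update-motd.d; then
    echo "no non-root-writable scripts in /etc/update-motd.d"
else
    echo "the paths listed above can be modified by a non-root account"
fi
```

Anything the check reports should be returned to root ownership with mode 755 or stricter.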
