Hack the Box — Traceback write-up by fcmunhoz
Foothold
OSINT
After testing almost all of them, the web shell smevk.php works.
Let's view the web shell source.
username admin password admin
Let's upload a reverse shell.
Let's change the attacker IP and port and upload the file.
Now we open an nc connection.
Let's execute the web shell:
http://active.htb/php-reverse-shell.php
Connection received.
Let's open the user directory.
Nothing interesting here.
Let's see what we can do with sudo.
I created a simple script in Lua to get a shell as user sysadmin.
Now we upload this script
and execute it in the terminal:
sudo -u sysadmin /home/sysadmin/luvit /var/www/html/script.lua
Now we are logged in as sysadmin; let's read the user flag.
Root
I listed all the files user sysadmin can modify:
find / -group sysadmin
We have permission to modify the motd messages, which are displayed when logging in via SSH.
Let's check 00-header.
We have to log in using SSH to have this script executed,
so now we generate an SSH key on our machine and import it to the attacker:
ssh-keygen
Copy the generated public key (the content of /home/user/.ssh/id_rsa.pub on your machine) to the attacker machine on
I cleaned this file and pasted the key generated on my machine.
I uploaded the file and overwrote the content:
sysadmin@traceback:~/.ssh$ cat /var/www/html/id_rsa.pub > authorized_keys
Let's try to log in via SSH as sysadmin:
sysadmin@active.htb
We logged in and we can see the welcome message written in the 00-header file.
Let's modify the 00-header script to execute commands as root, save it, and log in using SSH again.
On this step you have to be fast, before the 00-header file is overwritten by the system.
I modified 00-header on my machine and uploaded it.
With two terminals open, we overwrite 00-header:
cp /var/www/html/00-header /etc/update-motd.d/00-header
On the other terminal, log in via SSH.
The welcome message will execute the script and we can get the flag.
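The root step above works because the scripts under /etc/update-motd.d execute commands as root at SSH login yet are writable by the sysadmin group. The following audit is an added example, not part of the original write-up; the function name audit_root_run_dir is hypothetical, and it flags any entry in such a directory that is not owned by the expected user or is group- or world-writable.

```shell
#!/bin/sh
# Added example (not from the write-up): audit a directory whose scripts are
# executed by root, such as /etc/update-motd.d, for entries that a non-root
# account could modify. The function name is hypothetical.
#
# Usage: audit_root_run_dir DIR [OWNER_UID]
#   OWNER_UID defaults to 0 (root).
# Prints one path per finding. Returns 0 if clean, 1 if findings, 2 on error.
audit_root_run_dir() {
    dir=$1
    owner_uid=${2:-0}

    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    # Check the directory itself (a writable directory lets a user replace
    # scripts) and every regular file directly inside it. An entry is flagged
    # when it has the wrong owner, or the group-write bit (020) or the
    # world-write bit (002) is set.
    findings=$(find "$dir" -maxdepth 1 \( -type f -o -type d \) \
        \( ! -uid "$owner_uid" -o -perm -020 -o -perm -002 \) -print)

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# When the script is given arguments, audit that directory, e.g.:
#   sh this_script.sh /etc/update-motd.d
if [ "$#" -gt 0 ]; then
    audit_root_run_dir "$@"
fi
```

Each reported path should be returned to root ownership with mode 755 or stricter, and the check can be run periodically to catch the permissions drifting back.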
Thanks