Traceback | HackTheBox Writeup

Overview

Traceback is an easy Linux-based machine in HackTheBox by Xh4H

User Part

Start with nmap scan found 2 open ports

22:SSH

80:HTTP

Go to the website , we can see the site is pwned by Xh4H

So we need to find who is Xh4H, Google the name.
We can see a Github repository of Xh4H, Go to The Repository

There are many Repositories, We Only need PHP files which is used by
Xh4H for pwning the website, So I found a web-shell repository

There are some php files, copy the file names to a file

Run Dirsearch to get the directories that are available ,
and we found smevk.php is available

Go to the Link, and we can see a login page. The Username and password are admin:admin,
we can see it from the smevk.php file which is in Xh4H’s Repository

Now We LoggedIn ,There is a option to upload files, so we can upload the files

Search for php reverse shell and we found one from pentestmonkey

Upload the file and listen to netcat

Now We Got reverse Shell Of Webadmin

Root Part

Search for sudo commands that we can run without a password,
and we found luvit from sysadmin can execute with sudo permission,
and we found luvit is executable and the file extension is lua

search for GTFObins of lua and we can get privilege escalation by the given code

Save that command to a file and execute with sudo permission of sysadmin,
we got the shell

By running linpeas we can see the Group writable files

By analyzing the 00-header we can see it is a Head page while login through ssh

So we need to create a ssh key and add that to the .ssh directory, create ssh key by ssh-keygen

 

Add the files to .ssh directory of webadmin, copy the content of id_rsa.pub
and paste it in authorized_keys and upload all files

Now we can login to webadmin with id_rsa file without password

Now add cat /root/root.txt to the 00-Header

Now login with id_rsa and we can get the root flag in there

Share on facebook
Share on twitter
Share on linkedin