Thanks to a Zoom call with members of PA Hackers, I fully exploited my first active HTB machine, where I got points for my effort. To celebrate getting root, here's my write-up. I learned quite a lot with this machine. It introduced me to new PHP web shells and message of the day (motd) privilege escalation.
- Open Source INTelligence (OSINT) refresher with Google and Github
- PHP web shell alternatives to php-reverse-shell.php
- Privilege escalation using /etc/update-motd.d
### Reconnaissance / Information Gathering
HackTheBox gives us the IP address for Traceback. It is 10.10.10.181. When I start an engagement, CTF or otherwise, I tend to run a fast port scan first and chase what I find there before wasting CPU cycles on a full system port scan.
The first thing I did after starting the Traceback machine in my lab was run the following nmap command.
```shell
nmap -T4 -A 10.10.10.181 -oA nmap-fast
```
Let's look at the options I used here. **-T4** is the "aggressive" timing template: it caps nmap's dynamic scan delay for TCP ports at 10 ms, so the scan finishes quickly on a responsive network. **-A** enables service enumeration and operating system detection (along with default script scanning and traceroute) so we can get a better idea of what's running on each open port. **-oA** saves three output files in different formats: nmap's standard output, greppable, and XML.
<figure class="wp-block-image size-large">![nmap results](https://www.hackerunder.dev/wp-content/uploads/2020/05/traceback_1_nmap-1024x334.png)<figcaption>nmap shows two open ports of interest</figcaption></figure>

### Service Investigation
Nmap returned two results: SSH on port 22 and an Apache web server on port 80. We can ignore SSH; in most labs and CTFs it is used for developing the box and for reconnecting once the target is already compromised to get a full shell. Let's look for the intended vulnerability, starting by visiting http://10.10.10.181 in Firefox. While exploring the site, I ran OWASP's [dirbuster](https://tools.kali.org/web-applications/dirbuster) to see if there were any hidden directories, but did not find any promising results.
Visiting the webpage, we're greeted by xh4H's message that the machine has already been compromised and that a backdoor was left for us to enjoy. Inspecting the source of the webpage gives an additional hint, in an HTML comment, that "the best web shells" were used.
<div class="wp-block-image"><figure class="aligncenter size-large">![HTML comment in the page source](https://www.hackerunder.dev/wp-content/uploads/2020/05/traceback_2_index_html_comment-1024x321.png)<figcaption>inspect source of index.html at http://10.10.10.181</figcaption></figure></div>

Googling for **Some of the best web shells that you might need** leads us to a couple of GitHub repos. One result in particular is hosted by xh4H himself.
<div class="wp-block-image"><figure class="aligncenter size-large is-resized">![Google search results as of May 3 2020](https://www.hackerunder.dev/wp-content/uploads/2020/05/Screen-Shot-2020-05-03-at-10.09.24-AM-1024x687.png)<figcaption>Google results</figcaption></figure></div>

Visiting the [repository](https://github.com/Xh4H/Web-Shells), we see 16 different web shells. These are intended to be uploaded to a web server to allow information gathering, file upload, and command execution from a browser. We can start checking whether any of these shells were used on Traceback by typing each filename into the browser and hoping to get a response other than 404.
We see that the second to last shell, smevk.php, is on the server and that we are required to log in. By reviewing the [source code on the GitHub repository](https://github.com/Xh4H/Web-Shells/blob/master/smevk.php), we see the default credentials are still **admin : admin** for the user and password. Logging in, we get access to a retro-looking GUI with information about the web server. Personally I am not a fan of the color scheme (purple on black) and small text, so the first thing I did was upload a php-reverse-shell.php file from Kali to get a different shell outside of the browser.
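As an added defender-side example (not part of the original write-up), the following Python scans Apache access-log lines for exactly the pattern described above: one client guessing web-shell filenames, collecting 404s, and then reaching and using a known shell such as smevk.php. The sample log lines, the client IPs and the shell filenames other than smevk.php are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Apache combined log format: capture client IP, method, request path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# smevk.php is the shell found on Traceback; the other names are widely known
# web-shell filenames added for illustration (extend with the repo's file list).
KNOWN_SHELLS = {"smevk.php", "c99.php", "r57.php", "wso.php", "b374k.php"}

# Constructed sample lines (not real traffic): one client probes for shells by
# filename, collects 404s, reaches smevk.php and then POSTs its login form.
SAMPLE_LOG = """\
10.10.14.5 - - [03/May/2020:10:11:01 +0000] "GET /alfa.php HTTP/1.1" 404 274 "-" "Mozilla/5.0"
10.10.14.5 - - [03/May/2020:10:11:02 +0000] "GET /c99.php HTTP/1.1" 404 274 "-" "Mozilla/5.0"
10.10.14.5 - - [03/May/2020:10:11:03 +0000] "GET /wso.php HTTP/1.1" 404 274 "-" "Mozilla/5.0"
10.10.14.5 - - [03/May/2020:10:11:04 +0000] "GET /smevk.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [03/May/2020:10:11:09 +0000] "POST /smevk.php HTTP/1.1" 200 8204 "-" "Mozilla/5.0"
10.10.14.9 - - [03/May/2020:10:12:00 +0000] "GET /index.html HTTP/1.1" 200 1113 "-" "Mozilla/5.0"
"""

def basename(path):
    """Strip query string and directories: '/a/smevk.php?x=1' -> 'smevk.php'."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1]

def analyse(log_text, probe_threshold=3):
    """Return (kind, client_ip, detail) findings for web-shell activity."""
    findings = []
    missing_php = Counter()  # 404s on .php names per client, i.e. filename guessing
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash on them
        ip, method, name = m["ip"], m["method"], basename(m["path"])
        status = int(m["status"])
        if status == 404 and name.endswith(".php"):
            missing_php[ip] += 1
        elif status == 200 and name in KNOWN_SHELLS:
            # A GET that succeeds means the shell file exists on the server;
            # a POST means someone is submitting its login or command form.
            kind = "shell_used" if method == "POST" else "shell_present"
            findings.append((kind, ip, name))
    for ip, n in missing_php.items():
        if n >= probe_threshold:
            findings.append(("probing", ip, f"{n} missing .php files"))
    return findings
```

Run `analyse()` over a real access log to get a short list of clients that probed for shells and of shell files that actually answered with 200; the probe threshold and filename set are tunable.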
<div class="wp-block-image"><figure class="aligncenter size-large">![smevk web shell](https://www.hackerunder.dev/wp-content/uploads/2020/05/traceback_3_smevk_web_shell_upload-1-1024x415.png)<figcaption>smevk web shell, file upload is on the bottom right of the page</figcaption></figure></div>

### Getting a simpler shell
Copy php-reverse-shell.php from /usr/share/webshells and change the required values: use your HTB VPN IP address for the local IP, and the port can be anything not currently in use on Kali.
*Tip: use 443 to appear as an HTTPS web server. It won't fool anyone, but it might get you past a port-based firewall. Traceback doesn't seem to require this, but it's a good practice to start.*