# Traceback

![](https://i.imgur.com/bYxGaDz.png)

![](https://i.imgur.com/FCfX7Oz.png)

## Enumeration

### Port Scan

```
root@kali:~/traceback# nmap -p1-10000 -sV -Pn 10.10.10.181 >> nmap.result && echo $'\07' && echo $'\07'
root@kali:~/traceback# nmap -Pn -A -O 10.10.10.181 >> nmap.result && echo $'\07' && echo $'\07'
```

![](https://i.imgur.com/KgKgK2C.png)

Nothing special in the HTTP header or the body, not even cookies.

![](https://i.imgur.com/6VEcl29.png)

![](https://i.imgur.com/jNnxZNH.png)

![](https://i.imgur.com/xAT0BbJ.png)

### Web Content Scan

Since it was a web service, I scanned the web content and got nothing.

![](https://i.imgur.com/F3NJyVZ.png)

### Google

Finally, I searched for the clues from `index.html`: "Xh4H" together with "backdoor"/"webshell".

![](https://i.imgur.com/MLzze3X.png)

![](https://i.imgur.com/GG2n5hZ.png)

And that gave me the way in.

![](https://i.imgur.com/ybzTjBF.png)

![](https://i.imgur.com/tj5AChI.png)

![](https://i.imgur.com/TPh2xVn.png)

![](https://i.imgur.com/OygdQmA.png)

## Foothold

Fortunately, the user name and the password were recorded there.

![](https://i.imgur.com/gjeBcja.png)

![](https://i.imgur.com/Mpd7geZ.png)

![](https://i.imgur.com/DagamHC.png)

![](https://i.imgur.com/i9uJTaY.png)

![](https://i.imgur.com/wbUWV26.png)

It looked like we could log in over SSH with this account, so I injected my public key into `/home/webadmin/.ssh/authorized_keys` to make a foothold.

![](https://i.imgur.com/Jkg3VaR.png)

![](https://i.imgur.com/WuLyQGt.png)

![](https://i.imgur.com/CmXuZfk.png)

![](https://i.imgur.com/xcKQ2pv.png)

### Lateral Movement

I used three tools to gather information for lateral movement, found the way to switch to another account, and fortunately the user flag was there.

* sudo (Linux builtin)
* [LinEnum.sh](https://github.com/rebootuser/LinEnum)
* [pspy](https://github.com/DominicBreuker/pspy)

![](https://i.imgur.com/qknsRDU.png)

![](https://i.imgur.com/Ni7iTMq.png)

![](https://i.imgur.com/xyIcl3R.png)

### User Flag

![](https://i.imgur.com/6jMtKK0.png)

## Privilege Escalation

I tried to find files I could write to, and SUID files, but found nothing useful.

![](https://i.imgur.com/CGqWn8S.png)

I then turned to the processes created by root, and found some scheduled tasks run by root.

![](https://i.imgur.com/eopxHk6.png)

(I forgot to take a screenshot the first time, so I got in again and redid it.)

There were two useful pieces of information. The first: everything in `/var/backups/.update-motd.d/` is copied to `/etc/update-motd.d/` every 30 seconds. The second: root (UID 0) executes everything in `/etc/update-motd.d/` when a user logs in over SSH.

So it seemed we could escalate privileges within those 30 seconds by logging in over SSH; the only thing to check was whether `/var/backups/.update-motd.d/` or `/etc/update-motd.d/` was writable by sysadmin or webadmin.

1. ![](https://i.imgur.com/kFgi4j0.png)
2. ![](https://i.imgur.com/YJrRlXS.png)

![](https://i.imgur.com/cw14O1k.png)

The first time I tried to inject my public key into `/root/.ssh/authorized_keys`, it failed: I could not log in as root, and I found that the script in `/etc/update-motd.d` had been cleaned up. So I ran it in a loop, to make sure that once I logged in as the other account the sshd login would inject my key into `/root/.ssh/authorized_keys`.

![](https://i.imgur.com/CXjyy3L.png)

### Root it

![](https://i.imgur.com/GGMBHnW.png)
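A defender-side check for the misconfiguration this escalation relies on, added here as an example and not part of the original writeup: a POSIX shell function that audits an update-motd.d style directory for entries a non-root user could alter. The directory path and expected owner are arguments (an assumption made so the check can be exercised against a constructed directory); on the box it would be run against both `/etc/update-motd.d/` and `/var/backups/.update-motd.d/`.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit an update-motd.d style
# directory for entries that a non-root user could change. The path and the
# expected owner are passed as arguments (an assumption made so the check can
# be exercised against a constructed directory, not only the real system).
#
# motd_audit DIR [OWNER]
#   prints one line per risky entry and returns
#   0 = clean, 1 = risky entries found, 2 = directory missing.
#   OWNER defaults to root: every entry is expected to belong to it.
motd_audit() {
    dir="$1"
    owner="${2:-root}"
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    risky=0
    # The directory itself: a foreign owner or a group/world write bit lets
    # someone drop a new script that root will run on the next SSH login
    # (or, for the backup copy, that cron will copy into place).
    if [ -n "$(find "$dir" -maxdepth 0 \( ! -user "$owner" -o -perm /022 \))" ]; then
        echo "writable-or-foreign-dir: $dir"
        risky=1
    fi
    for f in "$dir"/*; do
        # an empty directory leaves the glob unexpanded; skip it
        [ -e "$f" ] || [ -L "$f" ] || continue
        # symlinks are reported: the copy and the MOTD run would follow them
        # to content that lives outside the audited directory
        if [ -L "$f" ]; then
            echo "symlink: $f"
            risky=1
            continue
        fi
        # regular entries: same owner and write-bit rules as the directory
        if [ -n "$(find "$f" -maxdepth 0 \( ! -user "$owner" -o -perm /022 \))" ]; then
            echo "writable-or-foreign-file: $f"
            risky=1
        fi
    done
    return $risky
}

# Usage on a real host (both directories involved in the escalation above):
#   motd_audit /etc/update-motd.d && motd_audit /var/backups/.update-motd.d
```

`-perm /022` is GNU find syntax; BSD find spells the same test `-perm +022`.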