Introduction

Traceback is a retired beginner Linux-based box. It was also one of my first boxes on the platform, sufficiently easy for my lack of skills at the time. It taught me about the use of webshells, had a simple lateral movement, and had a pretty easy privilege escalation based on misconfigured permissions.

Foothold

Getting straight to business, after the obligatory ping to see that everything is working, we launch an nmap scan while we go check out port 80 for some recon.

nmap scan

Port 80 is open. If you go check out the webpage you’ll find something a little less than usual.

Webpage on port 80

This is the idea behind this box. A very straightforward beginner idea: give them a backdoor to just jump into. Now we just have to see how we get into it. A look into the HTML source of the page has this little comment.

HTML source of webpage

A bit suspicious. A quick trip to Google with this phrase brings up a GitHub repository with a list of some webshells. The list is actually quite short, so there is no need to pull up any sort of fuzzer. A quick run down the list reveals that this uses smevk.php.

Webshell login page

We’ve found our webshell (with a login page, how ironic). On the webshell GitHub page, we follow the link trail to the smevk repository to pull the default login credentials (admin/admin) and get our way in.

Webshell home page

Not the simplest nor prettiest webshell, but it’s a foothold. Let’s get a “real” shell while we’re here. While netcat is installed on the system, I couldn’t seem to get a shell off of it (many versions don’t have the -c or -e flags for obvious reasons). But since we have read/write anyway, we’ll just get ourselves a login with an SSH key. According to the top of the interface, we’re the webadmin user, so we’ll just head over to his home directory and toss our key into authorized_keys.

New authorized_keys

SSH session established

Account No. 2

Okay great. A quick ls tells us that there is no flag here, so we’ll need to move laterally. Additionally, there is a note here. What could that tool to practice lua be?

So we run through some of the quick essentials and find that our user has permission to run a program called luvit as sysadmin. Let’s just use sudo to run it, and it’s… a Lua interpreter. The tool to practice Lua.

lua interpreter

Okay great, now all we need to do is use Lua’s os.execute() to give us a shell, and probably the flag as well.

User flag

And that’s the user flag.

We wrap this part up by putting our ssh key into this user’s authorized keys, for some persistence (it’s an easy box, I don’t need to fly under any radars). Not going to supply a screenshot for this because it’s nothing special.

Root

Now, we get root. I noticed in the beginning that the motd is changed on the box as well, and we know that those are scripts that are run on login. uname -a reveals that we are on an Ubuntu machine, and we know that modern Ubuntu machines store the motd in /etc/update-motd.d/

etc/update-motd.d

There we are. This should be run as root when we log in, so we get to do whatever we want as root here! Let’s just grab a shell. Note that there is some weirdness: the motd will often rewrite itself, meaning you’ll lose your edits. Given that all of these scripts execute, I decided to edit 10-help-text as it seems the least likely to be updated (and overwritten) by the system.

Our new motd

Awesome. Now we just log in before it decides to roll back our changes.

Root flag get!

And there’s our flag! That’s the traceback box rooted.

Thoughts

All in all, I thought this was a neat beginner box. It was one of my first, and served to introduce to me how powerful webshells were. It also implicitly teaches that privilege escalation is often a result of misconfiguration, as opposed to some strange 0-day or other vulnerability. After all, the entire reason I got root on this box was because of a permissions misconfiguration on the motd. The box was fun, but not very difficult (it’s beginner rated, what did we expect).
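
For the defensive side of that motd misconfiguration, here is an added example (not part of the original write-up or the box itself) that audits a login-script directory for entries a non-root user could modify. The function name, output format and the 022 write-bit check are my own choices, and it assumes GNU stat as found on Ubuntu.

```shell
#!/bin/sh
# Audit a directory of login-time scripts for entries a non-root user could modify.
# Usage: audit_motd_dir [DIR] [EXPECTED_OWNER_UID]
# Prints one line per finding; returns 0 if clean, 1 on findings, 2 if DIR is missing.
# (Hypothetical helper written for this example; assumes GNU stat.)
audit_motd_dir() {
    local dir="${1:-/etc/update-motd.d}" owner="${2:-0}"
    local findings=0 path mode uid reason

    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }

    # Check the directory itself too: write access to it lets a user replace scripts.
    for path in "$dir" "$dir"/*; do
        [ -e "$path" ] || continue          # unmatched glob or dangling symlink
        # -L follows symlinks so the target that actually runs is what gets judged.
        mode=$(stat -L -c '%a' "$path") || continue
        uid=$(stat -L -c '%u' "$path") || continue

        reason=""
        if [ "$uid" != "$owner" ]; then
            reason="bad-owner"
        fi
        # 022 = group-write | other-write; the leading 0 makes the mode octal.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            reason="${reason:+$reason,}group-or-world-writable"
        fi

        if [ -n "$reason" ]; then
            printf '%s mode=%s uid=%s %s\n' "$reason" "$mode" "$uid" "$path"
            findings=$((findings + 1))
        fi
    done

    # Exit status doubles as the verdict so the check can gate a cron job or CI step.
    [ "$findings" -eq 0 ]
}
```

Source the file and call audit_motd_dir with no arguments to check /etc/update-motd.d against root ownership; any output line is a script (or the directory itself) that should be reset to root-owned and mode 755.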

Cheers, thanks for reading.