Hackthebox Traceback walkthrough

Enumeration

We will use Nmap for the enumeration phase, so let's go!

So Nmap found that port 22 and port 80 are open. Let's check port 80.

Ouch! Looks like someone was here before us. Let's view the source code.

He left a backdoor for us. Now search for the Xh4h web shell.

Now let's clone it and try them.

So it's the smevk.php web shell. Let's open the shell and see what is in it.

Foothold

We found the password. Let's log in.

We are logged in as WebAdmin. Let's discover what we can do.

So I found that I can log in as webadmin over SSH. Let's upload our public key.

Execute this to use your public key, using the Execute option in the /home/webadmin/.ssh/ directory:

echo "your-publickey" >> authorized_keys

Let's log in now!

Privilege Escalation

We need to see what we can do without the sudo password. We can switch to sysadmin.

User hash

Let's run pspy to see the running processes.

Gotcha!

00-header is displayed when we log in over SSH as webadmin, so we need to make our reverse shell. I used the Pentestmonkey cheat sheet.

Start your nc and log in as webadmin, and you will get root access.
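
From the defender's side, the escalation above depends on a banner script that runs as root at SSH login being editable by a non-root account. The audit below is an added example, not part of the original walkthrough; it assumes the scripts live in /etc/update-motd.d (the Debian/Ubuntu default, not stated on this page), and the function name audit_motd is hypothetical.

```shell
#!/bin/sh
# Added example: audit login-banner (MOTD) scripts for unsafe permissions.
# Assumption: /etc/update-motd.d is the script directory (Debian/Ubuntu
# default); the walkthrough itself only names the file 00-header.

# audit_motd [DIR] [OWNER]   (hypothetical helper name)
# Flags the directory and every file in it that is not owned by OWNER
# (default root) or is writable by group or others. Symlinks are followed,
# so a link to a writable target is flagged too.
# Returns 0 if clean, 1 if anything was flagged, 2 if DIR is missing.
audit_motd() {
    dir=${1:-/etc/update-motd.d}
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "audit_motd: $dir is not a directory" >&2
        return 2
    fi

    # -perm -020 / -002: group-writable / world-writable bit is set.
    findings=$(find -L "$dir" \( -type f -o -type d \) \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) \
        -exec ls -ldL {} \;)

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sed 's/^/UNSAFE: /'
    return 1
}

# Usage (after sourcing this file):
#   audit_motd                      # audits /etc/update-motd.d, owner root
#   audit_motd /path/to/dir root    # audits another directory
```

Any UNSAFE line is worth fixing with root ownership and mode 755 or stricter, and worth an alert if it reappears.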

Thanks for Reading 🙏

This post is licensed under CC BY 4.0 by the author.