Initial Enumeration


Starting off with a typical HTB nmap scan (all TCP ports, version and script detection, no ping check, normal output saved to a file named Traceback):

nmap -AT4 -Pn -p- -v -oN Traceback 10.10.10.181

We can see ports 22 and 80 are open.


Heading over to the website and viewing the page source, we find an HTML comment from Xh4H, who claims to have hacked the site and mentions the best web shells you'll ever need.

According to Xh4H, he has left a backdoor behind, and from the wording of his inline comment we can assume it is a web shell.

Pasting the comment word for word into DuckDuckGo, the first result is a GitHub repository. Looking through some of its files confirms they are web shells; an attacker who copies a phrase from a toolkit's README into their defacement has effectively told us which toolkit they used.


So we clone the entire GitHub repo to /opt/ and write a for loop that checks whether any of its files have been uploaded to the site.

From inside the Web-Shells directory under /opt/ we can construct the loop, requesting each file name with a HEAD request and printing only the status code:

for i in *; do printf '%s ' "$i"; curl -s -o /dev/null -w '%{http_code}\n' -I "http://10.10.10.181/$i"; done

Every file comes back 404 except smevk.php, which returns 200, so this is our backdoor web shell. Keep in mind that curl -I only sends a HEAD request: it tells us the file exists and is served, nothing more, and a server that rejects HEAD with a 405 would hide a hit, so a GET fallback is worth having.
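The loop above is enough for a flat repo on a box that answers HEAD. The script below is an added example, not part of the original writeup, that does the same check more carefully: it probes every file name from the cloned repo against the web root, falls back to GET when HEAD is rejected, classifies the status codes so that 403s and redirects are not silently lost, and skips the .git directory. It assumes the repo is cloned at /opt/Web-Shells (the directory name used in the writeup) and the target is http://10.10.10.181; both are parameters you can change.

```shell
#!/usr/bin/env bash
# Added example (not from the writeup): probe a web root for every file
# name in a cloned webshell repository and report what the server says.
set -u

# Map an HTTP status code to a verdict. 405 means the server refused HEAD,
# so the caller should retry with GET; 403 means the path exists but is
# not readable to us, which is still worth a second look. "000" is what
# curl -w prints when the connection failed.
classify_status() {
  case "$1" in
    200)             echo "FOUND" ;;
    301|302|307|308) echo "REDIRECT" ;;
    403)             echo "FORBIDDEN" ;;
    405)             echo "RETRY_GET" ;;
    404|000)         echo "MISSING" ;;
    *)               echo "OTHER" ;;
  esac
}

# Join base URL and file name, tolerating a trailing slash on the base
# and a ./ prefix on the file (what "for i in ./*" would produce).
probe_url() {
  base="${1%/}"
  file="${2#./}"
  printf '%s/%s' "$base" "$file"
}

# Fetch only the status code. HEAD first (cheap, no body); if the server
# answers 405, repeat as GET. A short timeout keeps a single dead path
# from stalling the whole scan.
probe() {
  url="$1"
  code=$(curl -s -o /dev/null -w '%{http_code}' -I --max-time 5 "$url")
  if [ "$(classify_status "$code")" = "RETRY_GET" ]; then
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$url")
  fi
  echo "$code"
}

# Walk the cloned repo (ignoring .git), probe each basename at the web
# root, and print "<code> <verdict> <file>" per line. Basenames are used
# because the writeup's assumption is that the shell was dropped straight
# into the document root, not with the repo's directory layout.
scan_repo() {
  base="$1"
  dir="$2"
  find "$dir" -type f ! -path '*/.git/*' -printf '%f\n' | sort -u |
  while read -r f; do
    code=$(probe "$(probe_url "$base" "$f")")
    printf '%s %-9s %s\n' "$code" "$(classify_status "$code")" "$f"
  done
}

# Only touch the network when explicitly asked, so the functions above
# can be sourced or tested offline.
if [ "${1:-}" = "--run" ]; then
  scan_repo "${2:-http://10.10.10.181}" "${3:-/opt/Web-Shells}" | grep -v ' MISSING '
fi
```

Run it as `bash scan.sh --run http://10.10.10.181 /opt/Web-Shells`; with the filter on MISSING the expected output on this box is a single FOUND line for smevk.php. Dropping the grep shows the full table, which is useful when a hardened target returns 403 for a path that exists but is not served.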