Traverxec is an easy difficulty machine running Linux. It tests your knowledge of basic enumeration and privilege escalation using a common exploit and a GTFOBin.
Be sure to check out the Basic Setup section before you get started.
Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.
We see port 80 open and straight away we notice nostromo 1.9.6.
Using searchsploit we find some vulnerabilities:
We will take a look at the 35466.sh script to see what it does. Searchsploit scripts notoriously carry different Unicode encodings, line endings and whitespace from other operating systems, which cause the script to fail or run incorrectly. Not only that, but they often contain comments that don't use the comment syntax of the language they are written in. So open up the file with your preferred editor and just take what you need.
We end up with the following:
Running this script as-is produces no errors, but nothing happens either. On closer inspection we see the URL-encoded sequence ..%2f..%2f..%2f, which decodes to ../../../, our directory traversal.
Changing this to use a carriage return instead, such as .%0d./.%0d./.%0d./.%0d., and changing #!/bin/sh to #!/bin/bash fixes the issue. The plain ../ form is caught by the server's traversal check, while the carriage-return form passes that check and only collapses to ../ afterwards:
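The same decoding trick is what a defender needs in order to spot these requests in web server logs. The following added example (not part of the original write-up, and not the exploit script) assumes a common-log-format style access log, percent-decodes and strips CR/LF from each request path before checking it, so both the ..%2f form and the .%0d./ form are flagged; the log lines are constructed:

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not taken from the original page): a benign
# request, a plainly encoded traversal, the CR-obfuscated variant that the
# write-up describes, and a benign request into a home directory.
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2020:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.10.14.2 - - [01/Jan/2020:10:00:01 +0000] "POST /..%2f..%2f..%2fetc/hostname HTTP/1.0" 200 0
10.10.14.2 - - [01/Jan/2020:10:00:02 +0000] "POST /.%0d./.%0d./.%0d./.%0d./etc/hostname HTTP/1.0" 200 0
10.10.14.2 - - [01/Jan/2020:10:00:03 +0000] "GET /~david/public_www/ HTTP/1.1" 200 1024
"""

# Assumed request-line layout: "<METHOD> <PATH> HTTP/<ver>" inside quotes.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def normalise_path(raw_path):
    """Decode a request path the way a lax server ends up seeing it:
    percent-decode twice (catches double encoding such as %252f), then drop
    CR, LF and NUL so that '.\\r./' collapses to '../'."""
    path = unquote(unquote(raw_path))
    return path.replace("\r", "").replace("\n", "").replace("\x00", "")


def is_traversal(raw_path):
    """True when the normalised path still contains a parent-directory step."""
    decoded = normalise_path(raw_path)
    return "../" in decoded or "..\\" in decoded


def find_traversal(log_text):
    """Return (line_no, method, decoded_path) for every suspicious request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQ_RE.search(line)
        if m and is_traversal(m.group("path")):
            hits.append((n, m.group("method"), normalise_path(m.group("path"))))
    return hits


if __name__ == "__main__":
    for line_no, method, path in find_traversal(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path}")
```

Checking the decoded path rather than the raw one is the point: a rule that only matches the literal string ../ misses exactly the variant that worked here.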
Now let's connect with netcat.
First setup our netcat listener:
Then we use our local script to issue our netcat command remotely on traverxec:
Ok so we are in as user www-data and our working directory is /usr/bin.
First things first let’s see what other users we have on this machine. Taking a look in /home we see a user called david but we see that we do not have permissions to access their home directory.
Next we will do a search for hidden files to see if we uncover anything:
Having a look inside this file we find a hash:
Let’s take this over to our attacker machine and see if we can crack it:
Ok so we have a password. Now let’s go see where we can use it.
It doesn’t work with ssh or su david so we need to know more about how nostromo works and where the .htpasswd is being used.
Doing some research about nostromo, it seems that the folder that stores the configuration files is /var/nostromo/conf, where we found our .htpasswd. Let's take a look in this directory and see if there is anything interesting:
We need to know more about how nostromo’s configuration works so we will open up the manpage with man nhttpd so we have a reference for the configuration file.
Now let’s have a look at how things are set up:
Looking at the config, a couple of things stand out. We have Basic Authentication set up and can see that the password hash is located at /var/nostromo/conf/.htpasswd, which we have already cracked.
The other thing that stands out is that there is a section called HOMEDIRS. I am assuming this is similar to Apache.
On reviewing the manual we see that homedirs exposes a path on the web server to any user's home directory found in /home. We see that to access a user's home directory from the web server we need to append the username to the URL, such as http://traverxec.htb/~david.
In going to this page we are presented with a message:
Looking further into the HOMEDIRS config within the manual, we also see that one can restrict access to a sub folder rather than giving access to the user's whole home directory. This has been set to public_www.
Let's see if we can take a peek in this directory:
And there is our protected folder, it seems. Let's go see if the password works with the username david at the web address http://traverxec.htb/~david/protected-file-area:
Yep we get access and get a directory index with the file backup-ssh-identity-files.tgz. That will be our ssh access, w00t!
We download the file, extract it and take a look in /home/david/.ssh. Remember, dot files and folders are hidden, so when you look in the extracted folders it will look like there is nothing there. Use the command ls -la to show them.
Let’s try using our new found ssh key:
We get asked for a passphrase, and the password we found is a no go. Looks like we have some more cracking to do!
Fire up ssh2john and convert the key to a format John The Ripper can read:
Now that we have the ssh key passphrase, let's try logging in again:
And there we are. We have our user flag!
Now let’s move on to root.
When we take a look in david's home directory we see a script in the bin folder called server-stats.sh:
The last line is using sudo. This will most likely be our exploit.
The journalctl command is a GTFOBin because it pipes its output through less, which can be used to spawn a shell.
Let's run the command that is on the last line. The pipe (|) and execution of the cat command is pointless, so let's get rid of that:
Ok so here we see a problem. We like to see what we are doing, so we always have our terminal windows maximized. Because of this the output fits on one screen, so less starts but then exits immediately.
Making the terminal window smaller and running the command again, so less actually has to page the output, does the trick.
When less shows lines 1-6/6 (END), type !/bin/bash to grab the root shell:
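The root cause here is a sudo rule that hands a pager-spawning command to an unprivileged user. The following added example (not part of the original write-up) is a small audit that parses sudoers-style rules and flags journalctl or less entries that are not forced to --no-pager; the sudoers text, the user names and the service name are constructed placeholders, not the machine's real configuration, and the rule grammar handled is deliberately minimal (one command per line, an optional runas spec and an optional NOPASSWD: tag).

```python
import os

# Binaries that hand their output to a pager (less by default), from which a
# shell can be spawned; journalctl is the one this write-up abuses.
PAGER_SPAWNERS = {"journalctl", "less"}

# Constructed sample, not the machine's real sudoers.
SAMPLE_SUDOERS = """\
# constructed example, not the machine's real sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
ops     ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -u web.service
backup  ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -u backup.service
"""


def parse_sudoers_rule(line):
    """Parse 'user host = (runas) [NOPASSWD:] command args...' into a dict.
    Returns None for blank lines, comments, Defaults and anything else this
    minimal grammar (an assumption of the example) does not cover."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults") or "=" not in line:
        return None
    left, right = line.split("=", 1)
    user = left.split()[0]
    words = right.split()
    if words and words[0].startswith("("):          # drop the (runas) spec
        while words and not words[0].endswith(")"):
            words.pop(0)
        if words:
            words.pop(0)
    nopasswd = bool(words) and words[0] == "NOPASSWD:"
    if nopasswd:
        words = words[1:]
    if not words:
        return None
    return {"user": user, "nopasswd": nopasswd,
            "binary": os.path.basename(words[0]), "args": words[1:]}


def audit_sudoers(text):
    """Return (line_no, user, binary) for rules that reach a pager via sudo."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rule = parse_sudoers_rule(line)
        if rule and rule["binary"] in PAGER_SPAWNERS \
                and "--no-pager" not in rule["args"]:
            findings.append((n, rule["user"], rule["binary"]))
    return findings


if __name__ == "__main__":
    for line_no, user, binary in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudoers line {line_no}: {user} may spawn a shell via {binary}")
```

Because sudo matches the rule's arguments exactly, pinning --no-pager into the rule (or not granting the command at all) closes this path; env_reset on its own does not.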
Now wasn’t that fun? Enjoy :)
This machine was a good lesson in making sure you research the services that you are trying to exploit. Using what we had at hand on the machine, we were able to work out which paths we needed to take for both user and root. We should never underestimate the importance of active research.