HackTheBox — Traverxec Writeup

This is my first write-up for a HackTheBox machine: Traverxec.

Let's start by scanning it. I have a ready-made script that first scans for all open ports, then runs service enumeration and further checks against only the ports found open.

Here is the scanning bash script:
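The author's script itself is not reproduced in this text. The following is an added example of the same two-phase approach (not the author's script): phase one sweeps every TCP port, phase two runs version detection and default NSE scripts only against the ports that came back open. The parser works on nmap's grepable output; the sample output, the 192.0.2.10 address and the output directory names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the author's script: a two-phase nmap scan of the kind
# described above. Phase 1 finds open TCP ports across the full range; phase 2
# runs version detection and default NSE scripts only against those ports.

# Turn nmap's grepable (-oG) output into the comma-separated list that -p
# expects, e.g. "22,80". Only entries whose state is "open" are kept.
ports_from_grepable() {
    grep -E '^Host: .*Ports:' "$1" \
        | sed -E 's/.*Ports: //' \
        | tr ',' '\n' \
        | grep '/open/' \
        | cut -d/ -f1 \
        | tr -d ' \t' \
        | sort -n | uniq \
        | paste -s -d ',' -
}

scan_target() {
    target="$1"
    outdir="${2:-scan-$1}"
    mkdir -p "$outdir"
    # Phase 1: all 65535 TCP ports, grepable output for parsing.
    nmap -p- --min-rate 1000 -T4 -oG "$outdir/allports.gnmap" "$target" >/dev/null
    ports=$(ports_from_grepable "$outdir/allports.gnmap")
    if [ -z "$ports" ]; then
        echo "No open TCP ports found on $target" >&2
        return 1
    fi
    echo "Open ports: $ports"
    # Phase 2: service/version detection and default scripts on those ports only.
    nmap -sC -sV -p "$ports" -oN "$outdir/services.nmap" "$target"
}

# Constructed sample of phase-1 output (not a real scan) so the parser can be
# exercised offline; the real input is whatever nmap wrote to allports.gnmap.
SAMPLE_GNMAP='# Nmap 7.80 scan initiated
Host: 192.0.2.10 ()	Status: Up
Host: 192.0.2.10 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///	Ignored State: closed (65532)
# Nmap done'

# Only scan when a target is given on the command line; otherwise just show
# what the parser makes of the sample above.
if [ -n "${1:-}" ]; then
    scan_target "$@"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_GNMAP" > "$tmp"
    echo "Sample parses to: $(ports_from_grepable "$tmp")"
    rm -f "$tmp"
fi
```

Usage: ./scan.sh 10.10.10.x; the second phase only starts if the first one found something, so a host that blocks the fast sweep does not silently get an empty -p list.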

Now I will run the command below:

Let's check the scanning results.

I found that only 2 ports are open:

  • SSH (22/tcp)
  • HTTP (80/tcp): the Nostromo web server, version 1.9.6, is running on it.

The first thing that came to mind was to search for known exploits for it; I used Searchsploit for this:

It seems I was lucky enough to find a Remote Code Execution exploit on the first hit.

Let's copy the exploit to the current directory and then use it.

I copied it and named it Exploit.py.

Reading the exploit script, I found that Nostromo nhttpd through version 1.9.6 is affected by a directory traversal in the function http_verify, which lets a crafted HTTP request reach /bin/sh and so achieve remote code execution:

CVE-2019-16278

Now let's see what is required to run the Python exploit script.

I found the function below:

It sends a crafted request that invokes /bin/sh on the server, passes the user-supplied cmd argument to it for execution, then reads back the output and prints it.

I ran the script to show the help:

So it only needs the target IP, the target port and the command to run.

Now I will get a reverse shell back to my machine. Thanks to Pentestmonkey for the reverse shell cheat sheet.

First I will create a netcat listener on port 8090,

and in another terminal I will execute the exploit again, this time with the reverse shell one-liner as the command:

Now I have a reverse shell.

Now let's list the users on the system.

Now let's filter only the users that have a bash login shell.

Now let's spawn a TTY shell.

Now I will upload the LinEnum script to the target to enumerate further.

I had already downloaded it and hosted it on my web server, so I just need to go to /tmp on the target machine and fetch it there, since I found that I have permission to write files in that directory.

Let's make the script executable so we can run it:

I ran the script.

The most interesting finding is a hashed password in the Nostromo htpasswd file.

I copied it into a file called hash.txt, then used John the Ripper with the rockyou wordlist to recover the clear-text password.

I tried to log in through SSH with david's credentials, but could not, so I decided to look for other Nostromo config files that might hold more clues.

I found an accessible directory called public_www in david's home directory, as he is the server admin.

I extracted backup-ssh-identity-files.tgz into /tmp.

Now let's crack the passphrase of the SSH key using John.

Now let's change the permissions of the SSH key id_rsa to 600, so that nobody but the owner can read it, then log in to the target with it, entering the cracked passphrase (hunter) when prompted.
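The two cracking steps above (the htpasswd hash and the SSH key passphrase) and the key-permission fix, as an added shell example that is not the author's exact command lines. It assumes john jumbo (which ships ssh2john; on Kali it is also at /usr/share/john/ssh2john.py), the rockyou wordlist at /usr/share/wordlists/rockyou.txt, that the copied htpasswd line is saved as-is in hash.txt, and the archive name from the text; the extraction directory, david and the target address in the final ssh command are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the author's exact commands: recovering credentials from
# the two Nostromo artefacts found above. Paths below are assumptions.

WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"

# Crack the htpasswd entry. john reads "user:$1$salt$hash" lines directly, so
# hash.txt can hold the copied line unchanged.
crack_htpasswd() {
    john --wordlist="$WORDLIST" "$1"
    john --show "$1"
}

# Extract the backup, locate the private key and lock its permissions down
# (ssh refuses to use a key that other users can read). Prints the key path.
extract_key_from_backup() {
    archive="$1"
    dest="${2:-/tmp/ssh-backup}"
    mkdir -p "$dest"
    tar -xzf "$archive" -C "$dest"
    key=$(find "$dest" -type f -name id_rsa | head -n 1)
    [ -n "$key" ] || { echo "no id_rsa in $archive" >&2; return 1; }
    chmod 600 "$key"
    echo "$key"
}

# Convert the passphrase-protected key into john's format and crack it.
crack_key_passphrase() {
    key="$1"
    ssh2john "$key" > "$key.hash" 2>/dev/null \
        || python3 /usr/share/john/ssh2john.py "$key" > "$key.hash"
    john --wordlist="$WORDLIST" "$key.hash"
    john --show "$key.hash"
}

# Typical sequence on the attacking machine (placeholders in angle brackets):
#   crack_htpasswd hash.txt
#   key=$(extract_key_from_backup backup-ssh-identity-files.tgz /tmp/ssh-backup)
#   crack_key_passphrase "$key"
#   ssh -i "$key" david@<target-ip>      # enter the cracked passphrase
```

The extraction helper searches the whole extracted tree for id_rsa rather than assuming a fixed path inside the archive, and it fails loudly if no key is present instead of handing an empty path to ssh.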

I explored the bin directory and found:

I searched for ways to use journalctl for privilege escalation, since I found that the script runs it with sudo.

It seems the day was mine: the first Google result, GTFOBins, says that journalctl can be used to break out of restricted environments by spawning an interactive shell. After some more searching I realised that after firing the command I have to shrink the terminal window. The reason is that journalctl only hands its output to the pager (less) when the output does not fit on the screen; a small window forces the pager to appear, and from the less prompt !/bin/sh spawns a shell that keeps the root privileges of the journalctl run under sudo.

Khaled Fawzy

Security Researcher