ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.165 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -sC -sV -p$ports 10.10.10.165 | tee nmap.txt
Ports 22 (SSH) and 80 (HTTP) are open, and the web server identifies itself as Nostromo.
There is nothing of interest on the website itself. Looking up exploits for nostromo 1.9.6 turns up a Python exploit for remote code execution.
Run the exploit to check that it works.
We set up a netcat listener and use the exploit to get a reverse shell.
We read the /etc/passwd file to discover the user david. Upon further enumeration, we find the nostromo web root at /var/nostromo/ and search it for interesting files. The folder /var/nostromo/conf contains the web server's configuration files, and a password hash is discovered in one of them.
This hash is crackable, but it turns out to be a rabbit hole. The nhttpd.conf file contains the following configuration.
This tells us that there may be a public_www directory in each user's home directory. We don't have read permissions on david's home directory, but the public_www directory inside it is accessible.
Enumeration leads to a backup file in the protected-file-area directory. Copy the file backup-ssh-identity-files.tgz back to our machine using netcat.
After extraction, we discover that it is a backup of david's .ssh directory. We can use the id_rsa found in home/david/.ssh/ to log in as david.
Change the permissions of the key with chmod 400 id_rsa and try to use it to log in.
It requires a passphrase, which we can try to crack with john. Convert id_rsa into a crackable hash using ssh2john.py: python3 /usr/share/john/ssh2john.py id_rsa > hash.txt. Now crack the hash with john.
This reveals the passphrase to be hunter, which we can use to log in as david over SSH.
We can now read user.txt.
Enumerating david's home directory, we discover a script. We can see that the script is owned and created by david. At the end of the script, journalctl is run as root. Looking at GTFObins, we discover the following:
Using this knowledge, we run !/bin/sh to get a root shell and read the root flag.
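The root cause of the escalation above is that journalctl, when its output goes to a terminal, hands that output to an interactive pager (less by default), and the pager can spawn other programs; if journalctl runs as root, so does anything the pager starts. The fix on the defending side is to pass --no-pager (or, for unprivileged use, set SYSTEMD_PAGER=cat) in any script that calls it. The following checker is an added example, not code from the original writeup: it scans shell script text for journalctl invocations that can still reach a pager. It treats a pipe or redirect after journalctl as safe (no tty, so no pager) and, because sudo's default env_reset drops SYSTEMD_PAGER, it does not accept an environment-only mitigation when the call goes through sudo or doas. The sample scripts and the nostromo.service unit name are constructed.

```python
"""Added example (not from the original writeup): flag journalctl calls in
shell scripts that can start an interactive pager.  The sample scripts and
the unit name nostromo.service are constructed for this demonstration."""
import re
import shlex
from dataclasses import dataclass

# systemd treats SYSTEMD_PAGER=cat or an empty value as equivalent to
# --no-pager.  Matched against shlex tokens, so surrounding quotes are gone.
SAFE_PAGER = re.compile(r"(SYSTEMD_PAGER|PAGER)=(cat)?")
PRIV_WRAPPERS = {"sudo", "doas"}


@dataclass
class Finding:
    line_no: int
    line: str
    reason: str


def _tokens(line: str) -> list:
    try:
        return shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes: fall back to a naive split
        return line.split()


def _stdout_redirected(line: str) -> bool:
    """True if the text after 'journalctl' pipes or redirects stdout, in which
    case stdout is not a tty and no pager is started."""
    after = line.split("journalctl", 1)[1]
    return re.search(r"[|>]", after) is not None


def audit_script(text: str) -> list:
    """Return a Finding for every journalctl call that may reach a pager."""
    findings = []
    pager_disabled = False  # a SYSTEMD_PAGER/PAGER assignment has been seen
    for no, raw in enumerate(text.splitlines(), start=1):
        toks = _tokens(raw)
        if not toks:
            continue
        # Stand-alone assignment line such as "export SYSTEMD_PAGER=cat".
        if any(SAFE_PAGER.fullmatch(t) for t in toks) and all(
                t == "export" or SAFE_PAGER.fullmatch(t) for t in toks):
            pager_disabled = True
            continue
        if not any(t.endswith("journalctl") for t in toks):
            continue
        privileged = any(t.rsplit("/", 1)[-1] in PRIV_WRAPPERS for t in toks)
        env_set = pager_disabled or any(SAFE_PAGER.fullmatch(t) for t in toks)
        # sudo's default env_reset strips SYSTEMD_PAGER, so the environment
        # only protects an unprivileged call.
        if "--no-pager" in toks or (env_set and not privileged) \
                or _stdout_redirected(raw):
            continue
        reason = "journalctl may start an interactive pager (no --no-pager)"
        if privileged:
            reason += "; runs with elevated privileges, so the pager does too"
            if env_set:
                reason += "; SYSTEMD_PAGER is set but sudo's env_reset drops it"
        findings.append(Finding(no, raw, reason))
    return findings


# Constructed samples modelled on a maintenance script that tails a service log.
VULNERABLE_SCRIPT = """#!/bin/bash
# constructed example
cat /proc/loadavg
echo "Last 5 log lines of nostromo.service"
sudo journalctl -n5 -u nostromo.service
"""
HARDENED_SCRIPT = VULNERABLE_SCRIPT.replace(
    "sudo journalctl", "sudo journalctl --no-pager")
ENV_ONLY_SUDO_SCRIPT = """#!/bin/bash
export SYSTEMD_PAGER=cat
sudo journalctl -n5 -u nostromo.service
"""
ENV_UNPRIVILEGED_SCRIPT = """#!/bin/bash
export SYSTEMD_PAGER=cat
journalctl -n5 -u nostromo.service
"""

if __name__ == "__main__":
    for name, script in [("vulnerable", VULNERABLE_SCRIPT),
                         ("hardened", HARDENED_SCRIPT),
                         ("env-only under sudo", ENV_ONLY_SUDO_SCRIPT),
                         ("env-only unprivileged", ENV_UNPRIVILEGED_SCRIPT)]:
        for f in audit_script(script):
            print(f"{name}: line {f.line_no}: {f.line.strip()} -> {f.reason}")
```

Feed the checker the text of any script that runs with elevated rights (cron jobs, sudo-permitted wrappers); a clean result means every journalctl call either disables paging explicitly or never has a terminal on stdout.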