HTB Traverxec Writeup

Enumeration

ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.165 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -sC -sV -p"$ports" 10.10.10.165 | tee nmap.txt

Ports 22 (SSH) and 80 (HTTP) are open. The service scan identifies the web server as Nostromo HTTP Server.

The website itself contains nothing of interest. Searching for a public exploit against nostromo 1.9.6 turns up a Python exploit for remote code execution.

Foothold

Run the exploit first to confirm that it works against the target.

Then set up a netcat listener and use the exploit to get a reverse shell.

Lateral Movement

Looking at /etc/passwd reveals the user david. Further enumeration shows that the nostromo web root is /var/nostromo/.

Enumerate /var/nostromo/ for interesting files. The folder /var/nostromo/conf holds the web server's configuration files, and a password hash is found in the .htpasswd file.

This hash is crackable, but it turns out to be a rabbit hole. The nhttpd.conf file contains the following configuration.

This tells us that each user's home directory may contain a public_www directory served by the web server. We don't have read permission on david's home directory, but we can access the public_www directory at /home/david/public_www.
Enumerating it leads to a backup file in the protected-file-area directory.

Copy the file backup-ssh-identity-files.tgz to the attacking machine using netcat.
After extraction, we discover that it is a backup of the /home directory.
david's directory contains .ssh files. We can use the id_rsa found in home/david/.ssh/ to log in as david.
Change the permissions of the key file with chmod 400 id_rsa and try to use it for login.

The key is passphrase-protected. We can try to recover the passphrase with john.
Convert the id_rsa into a hash john can work with using ssh2john.py: python3 /usr/share/john/ssh2john.py id_rsa > hash.txt.
Now crack it using john and the rockyou.txt wordlist.

This reveals the passphrase to be hunter, which we can use to log in as david over SSH.
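Two weaknesses combine here: a backup of /home, private keys included, was placed under a web-served directory, and the only thing standing between the key and a login was a passphrase that fell to rockyou.txt. The Python script below is an added example, not code from the writeup, the box, or any tool used above: it audits a tar/tgz backup for SSH private keys and reports whether each one is passphrase-protected, so a defender can run it over backup archives before they leave the host. The sample archive it builds is constructed; its member paths only mirror the layout described above, the id_ed25519 file is an assumed extra to show a bare key, and the key bodies are stubs.

```python
"""Added example for this writeup: audit a tar/tgz backup for SSH private keys
and report whether each one is passphrase-protected.  Not code from the box
or from any tool used in the writeup.  The sample archive built below is
constructed; its member paths only mirror the layout the writeup describes."""
import base64
import binascii
import io
import os
import re
import struct
import tarfile
import tempfile

PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z ]*?)PRIVATE KEY-----")


def openssh_cipher(pem_text: bytes) -> str:
    """Cipher name from an OpenSSH-format key; 'none' means no passphrase."""
    body = b"".join(l for l in pem_text.splitlines() if not l.startswith(b"-----"))
    try:
        raw = base64.b64decode(body)
    except binascii.Error:
        return "unknown"
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        return "unknown"
    off = len(magic)
    (n,) = struct.unpack(">I", raw[off:off + 4])    # length-prefixed string
    return raw[off + 4:off + 4 + n].decode()


def classify_key(data: bytes):
    """Return {'type', 'encrypted'} if data holds a private key, else None."""
    m = PEM_HEADER.search(data)
    if not m:
        return None
    kind = m.group(1).strip().decode() or "PKCS8"
    if kind == "OPENSSH":
        # A malformed body ('unknown') is treated as encrypted, i.e. not reported as bare.
        encrypted = openssh_cipher(data) != "none"
    elif kind == "ENCRYPTED":                        # PKCS#8 with a passphrase
        encrypted = True
    else:                                            # legacy PEM (RSA/DSA/EC)
        encrypted = b"Proc-Type: 4,ENCRYPTED" in data
    return {"type": kind, "encrypted": encrypted}


def audit_archive(path: str) -> list:
    """List every private key in the archive together with its passphrase status."""
    findings = []
    with tarfile.open(path, "r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or member.size > 64 * 1024:
                continue                             # keys are small; skip big blobs
            info = classify_key(tar.extractfile(member).read())
            if info:
                findings.append({"member": member.name, **info})
    return findings


def build_sample_archive(path: str) -> None:
    """Constructed stand-in for backup-ssh-identity-files.tgz (key bodies are stubs)."""
    legacy = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"Proc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
              b"c3R1Yg==\n-----END RSA PRIVATE KEY-----\n")
    raw = b"openssh-key-v1\x00" + struct.pack(">I", 4) + b"none"   # header only
    openssh = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw)
               + b"\n-----END OPENSSH PRIVATE KEY-----\n")
    files = {
        "home/david/.ssh/id_rsa": legacy,            # passphrase-protected
        "home/david/.ssh/id_ed25519": openssh,       # assumed extra: a bare key
        "home/david/.bashrc": b"# shell rc\n",       # noise
    }
    with tarfile.open(path, "w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))


def run_demo() -> list:
    """Build the constructed archive in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "backup-ssh-identity-files.tgz")
        build_sample_archive(path)
        return audit_archive(path)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['member']}: {f['type']} key, passphrase={'yes' if f['encrypted'] else 'NO'}")
```

Bare keys are the urgent finding, but a passphrase is only as strong as the word chosen: hunter was recovered from rockyou.txt in seconds. The durable fix is to keep key material out of backups that land anywhere a web server can read, and to rotate any key that has been exposed this way.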

We can now access the user.txt located in /home/david directory.

Privilege Escalation

Enumerating david's home directory reveals the server_stats.sh script.

The script is owned and was written by david. Its last command runs journalctl as root. journalctl pages its output through less when writing to a terminal, and less can spawn a shell, which is exactly the trick listed on GTFOBins:

Using this knowledge, we enter !/bin/sh from the pager to get a root shell and read /root/root.txt.
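The root cause is a privileged journalctl invocation whose output can reach an interactive pager. As an added example (not the box's script, and not GTFOBins code), the Python audit below scans a shell script for sudo'd commands that page their output and lack --no-pager, and produces the hardened form. SAMPLE_SCRIPT is constructed for illustration and only mirrors the shape described above; the unit name nostromo.service and the exact options are assumptions, not the real script's contents.

```python
"""Added example: find sudo'd paging commands (journalctl, systemctl, git)
that lack --no-pager in a shell script, and harden them.  Not the box's
server_stats.sh and not GTFOBins code; SAMPLE_SCRIPT is constructed."""
import re
import shlex

# Commands that hand output to $PAGER/less when stdout is a terminal.
PAGING_COMMANDS = {"journalctl", "systemctl", "git"}

SAMPLE_SCRIPT = """#!/bin/bash
# Constructed sample: mirrors the shape the writeup describes, not the box's script.
echo "Web server status:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
/usr/bin/sudo /usr/bin/journalctl -n5 --no-pager -unostromo.service
uptime | /usr/bin/cut -d, -f1
"""


def _tokens(line: str) -> list:
    """Tokenise one shell line; |, ||, &&, ; come back as their own tokens."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    try:
        return list(lex)
    except ValueError:            # unbalanced quotes: skip the line rather than crash
        return []


def _segments(line: str) -> list:
    """Split a line into pipeline/list segments (lists of tokens)."""
    segs, cur = [], []
    for tok in _tokens(line):
        if tok in ("|", "||", "&&", ";", "&"):
            segs.append(cur)
            cur = []
        else:
            cur.append(tok)
    segs.append(cur)
    return [s for s in segs if s]


def _command_under_sudo(seg: list):
    """Basename of the command sudo will run, or None if seg is not a sudo call."""
    toks = list(seg)
    if not toks or toks[0].rsplit("/", 1)[-1] != "sudo":
        return None
    toks = toks[1:]
    while toks and toks[0].startswith("-"):          # sudo's own options
        toks = toks[2:] if toks[0] in ("-u", "-g") else toks[1:]
    while toks and "=" in toks[0] and not toks[0].startswith("-"):
        toks = toks[1:]                              # VAR=value prefixes
    return toks[0].rsplit("/", 1)[-1] if toks else None


def audit_script(text: str) -> list:
    """(line_number, segment) for every sudo'd paging command without --no-pager."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for seg in _segments(line):
            cmd = _command_under_sudo(seg)
            if cmd in PAGING_COMMANDS and "--no-pager" not in seg:
                findings.append((lineno, " ".join(seg)))
    return findings


def harden_line(line: str) -> str:
    """Insert --no-pager directly after the first paging command on the line."""
    if "--no-pager" in line:
        return line
    return re.sub(r"\b(journalctl|systemctl|git)\b",
                  lambda m: m.group(0) + " --no-pager", line, count=1)


def harden_script(text: str) -> str:
    """Apply harden_line only to the lines the audit flagged."""
    flagged = {lineno for lineno, _ in audit_script(text)}
    lines = text.splitlines()
    return "\n".join(harden_line(l) if i + 1 in flagged else l
                     for i, l in enumerate(lines)) + "\n"


if __name__ == "__main__":
    for lineno, seg in audit_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {seg}  ->  {harden_line(seg)}")
```

Two caveats a practitioner should keep in mind. First, setting SYSTEMD_PAGER or PAGER in the calling shell is not a reliable mitigation because sudo's default env_reset drops the caller's environment; the flag has to live in the command itself, and if a sudoers rule permits the journalctl command, the rule should name the exact command line including --no-pager. Second, a trailing "| cat" in the script does not help when the sudo rule lets the user run the journalctl command directly, since they can simply omit the pipe.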
