Hack The Box - Traverxec Writeup

System Summary


Initial Foothold

An initial scan reveals that the ssh and http ports are open.

The web server is not the usual Apache, IIS or nginx but Nostromo 1.9.6.
There is a publicly disclosed, unauthenticated RCE for this version (CVE-2019-16278), and an exploit module is already included in the Metasploit Framework (multi/http/nostromo_code_exec), so it's really easy to run:

So we're in as the www-data user.




User Escalation

Looking for juicy files, we can easily find the Nostromo config, which points to an htpasswd file:


Now cracking the hash with john and rockyou.txt (it takes a few minutes):


The password is Nowonly4me, but it doesn't work for ssh or su: an htpasswd entry only protects a web resource, so as a system credential it's definitely a rabbit hole…
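The cracking step above deserves a closer look, because it explains both why john needs "a few minutes" and why a single htpasswd hash is worth attacking at all. The block below is an added example, not code from the original writeup: it implements the MD5-crypt scheme that htpasswd -m writes (both the $1$ form and Apache's $apr1$ variant) with nothing but hashlib, parses a user:hash line, and runs a plain wordlist attack against it. The htpasswd entry and the wordlist are constructed here (the entry is generated from a known password so the example runs offline); they are not the hash or wordlist from the box. Each candidate costs 1002 MD5 computations and no memory, which is why a list the size of rockyou finishes in minutes even in Python.

```python
"""Offline dictionary attack against an htpasswd line (added example).

Constructed sample data; not the hash recovered from the box.
"""
import hashlib
from typing import Iterable, Optional, Tuple

# crypt(3)'s own base64 alphabet, which differs from RFC 4648.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` characters, least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """MD5-crypt as implemented in crypt(3); magic "$apr1$" gives the Apache variant."""
    pw = password.encode()
    salt = salt.split("$")[0][:8]          # at most 8 salt characters
    sb, mb = salt.encode(), magic.encode()

    ctx = hashlib.md5(pw + mb + sb)
    # Mix in MD5(pw + salt + pw), one byte per password byte.
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # The historical "something really weird" step: one byte per bit of len(pw).
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 rounds: this fixed, small work factor is what makes cracking cheap.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"{magic}{salt}${encoded}"


def parse_htpasswd_line(line: str) -> Tuple[str, str, str, str]:
    """Return (user, magic, salt, stored_hash) for an MD5-crypt htpasswd entry."""
    user, _, stored = line.strip().partition(":")
    for magic in ("$apr1$", "$1$"):
        if stored.startswith(magic):
            salt = stored[len(magic):].split("$")[0]
            return user, magic, salt, stored
    raise ValueError("unsupported hash format: " + stored[:8])


def crack_htpasswd(line: str, wordlist: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Try every candidate; return (user, password) or (user, None)."""
    user, magic, salt, stored = parse_htpasswd_line(line)
    for candidate in wordlist:
        if md5_crypt(candidate, salt, magic) == stored:
            return user, candidate
    return user, None


# Constructed sample: generated here from a known password and a made-up salt.
SAMPLE_LINE = "david:" + md5_crypt("Nowonly4me", "xYz12abc")
SAMPLE_WORDLIST = ["123456", "password", "letmein", "Nowonly4me", "hunter"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(crack_htpasswd(SAMPLE_LINE, SAMPLE_WORDLIST))
```

The same parse-then-recompute loop is what john does with its md5crypt format, only vectorised; the lesson for defenders is that htpasswd -m offers no meaningful resistance to a wordlist, so the credential it protects must not be reused anywhere else.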

The next step is to look at the user folders served by the web server (http://10.10.10.165/~david), but there is an index.html and no directory listing.





But the last line of the Nostromo config also names a public folder, "public_www".
So let's look for it in David's home:


The backup file is quite interesting and I transferred it to my local machine with netcat (I don't want to copy it into /tmp and leave it there for other people 😊).
From the tgz file we can get David's .ssh folder with an id_rsa.
Let's convert the key with ssh2john and crack its passphrase using john and rockyou.txt:



The passphrase of the ssh key is hunter, and we can use it to connect as user david and get the user flag.


Root escalation

Looking at David's home, there is an interesting folder named bin:


The server-stats.sh script contains a command that david can run via sudo without a password:

The interesting behavior here is not sudo itself but the command it runs: when its output does not fit in the terminal, that command hands the output to a pager (usually less, or whatever the PAGER environment variable selects, such as more or vi). Because the command runs as root, the pager it spawns runs as root too.
So if we resize the terminal to a window fewer than 5 lines high, the output will be shown in less, running as root.
In that less session we can execute shell commands with ! followed by the command. This is a well-known class of sudo privilege escalation: any paged command exposed through sudo needs paging disabled, otherwise it is a root shell.

Let's resize the window and then run the sudo command:



The output is longer than the window height, so execution pauses and the output is shown inside a less session:

We can then run any command from less by using its shell escape with !/bin/bash:
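From the defender's side, the escape leaves a distinctive lineage: a root shell whose parent (or near ancestor) is a pager, which in turn descends from sudo invoked by an unprivileged user. The block below is an added example, not part of the original writeup, showing how to spot that chain in a process snapshot. The snapshot is constructed; it uses journalctl as a stand-in for whatever command the script pages (the writeup does not name it), and the pid/user values are made up. The check walks the whole ancestry between the shell and sudo rather than only the direct parent, because less may run the escape through $SHELL -c, which can leave an intermediate shell in the tree.

```python
"""Flag root shells spawned from a pager under sudo (added example).

Input is the output of `ps -eo pid,ppid,user,comm`; the snapshot below is
constructed for the example and does not come from the box.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List

PAGERS = {"less", "more", "most"}
SHELLS = {"sh", "bash", "dash", "zsh"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str


def parse_ps(text: str) -> Dict[int, Proc]:
    """Parse `ps -eo pid,ppid,user,comm` output (header line included)."""
    procs: Dict[int, Proc] = {}
    for line in text.strip().splitlines()[1:]:
        pid, ppid, user, comm = line.split(None, 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), user, comm.strip())
    return procs


def ancestors(procs: Dict[int, Proc], pid: int) -> Iterator[Proc]:
    """Yield parent, grandparent, ... until the chain leaves the snapshot."""
    seen = {pid}
    p = procs.get(pid)
    while p and p.ppid in procs and p.ppid not in seen:
        seen.add(p.ppid)
        p = procs[p.ppid]
        yield p


def find_pager_escapes(procs: Dict[int, Proc]) -> List[dict]:
    """A root shell with a pager between it and sudo is the escape signature."""
    hits = []
    for p in procs.values():
        if p.comm not in SHELLS or p.user != "root":
            continue
        pager = sudo = None
        for a in ancestors(procs, p.pid):
            if a.comm == "sudo":
                sudo = a
                break
            if a.comm in PAGERS and pager is None:
                pager = a
        if pager is None or sudo is None:
            continue
        # sudo's parent is the process that invoked it: the real owner of this root shell.
        invoker = procs.get(sudo.ppid)
        hits.append({
            "shell_pid": p.pid,
            "pager_pid": pager.pid,
            "sudo_pid": sudo.pid,
            "invoked_by": invoker.user if invoker else "?",
        })
    return hits


# Constructed snapshot: one escape (1004), one legitimate `sudo -i` shell (1301),
# one pager escape that never crossed a privilege boundary (1101), and a root
# shell started by init (1200).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     systemd
  800     1 root     sshd
  950   800 david    bash
 1001   950 david    sudo
 1002  1001 root     journalctl
 1003  1002 root     less
 1004  1003 root     bash
 1100   950 david    less
 1101  1100 david    bash
 1200     1 root     bash
 1300   950 david    sudo
 1301  1300 root     bash
"""

if __name__ == "__main__":
    for hit in find_pager_escapes(parse_ps(SAMPLE_PS)):
        print(hit)
```

In a real deployment the same logic would run over exec events from auditd or eBPF rather than a one-off ps snapshot, but the signal is identical: a root shell reachable from sudo only through a pager.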


And now:


So the root flag is:    9aa36a6d76f785dfd320a478f6e0d906
