Traverxec (Easy)
Category: Linux. Vulnerabilities: RCE, misconfiguration, sudo exploit
Enumeration
nmap
nmap -sC -sV -oA nmap/10.10.10.165 10.10.10.165
Nmap scan report for 10.10.10.165
Host is up (0.055s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 5 11:24:31 2021 -- 1 IP address (1 host up) scanned in 18.68 seconds
Let's navigate to port 80.

As we can see here, this is a normal website.
After some digging, we can see from the nmap result that Nostromo is running version 1.9.6, which is vulnerable to remote code execution (RCE).
We can find the exploit on Exploit-DB.
Then we can use it to get a reverse shell.
Reverse Shell


Now we have a shell. Next, we can proceed to escalate to a user account.
After poking around, I found a .htpasswd file under /var/nostromo/conf.

We can see there is a hash; let's crack it with John the Ripper.

Now we have a password, but when I tried it over SSH it failed.
Here is the nhttpd.conf file, which is in the same directory.

After digging for more information, I stumbled across the Nostromo manual page.

From here we can see that we can browse another user's home directory by prefixing the username with the ~ symbol. We can also see that access within the home directory is restricted to the subdirectory named by the homedirs_public option.
Right now, that means we can access user david's public_www directory.

We can see there is a protected-file-area directory, and inside it we find backup-ssh-identity-files.tgz.

Let's bring it to our local machine and extract it.

After extracting it, we get a home directory.

We continue navigating deeper and find the private key under the .ssh directory.
We can now proceed to log in using the id_rsa file.

We can see that the id_rsa key prompts for a passphrase, which means we need to pass it to ssh2john to convert it into a hash and let John the Ripper crack that hash.

User Shell


Got the user flag!
Privilege Escalation

Right after we SSH in as user david, we can see a bin directory. Running server-stats.sh, we can see it executes a journalctl command.
Looking at server-stats.sh with cat, we can see code like this:

After playing around with the commands, I found that we just need to run /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
to get root. But in order to get root, we first need to resize our terminal window like so (small enough that the five lines of output no longer fit, so journalctl hands them to its pager):

After that we can follow the GTFOBins entry for journalctl to get root.
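As an added defensive example (not part of this walkthrough and not from the box), the script below audits sudoers rules for commands that hand their output to a pager, which is exactly the behaviour the GTFOBins journalctl trick relies on, and proposes the --no-pager form of each risky rule. The sudoers text is a constructed sample, not the box's real /etc/sudoers, and systemctl is included alongside the page's journalctl because it pages the same way.

```python
import re
import shlex

# Binaries that pipe output through $PAGER (less by default) when it does not
# fit the terminal; less can run shell commands, so a sudo rule for one of
# these without --no-pager is the GTFOBins case. systemctl extends the page's
# journalctl example.
PAGER_COMMANDS = {"journalctl", "systemctl"}

# Simplified sudoers grammar: user host=(runas) [TAG: ...] cmd[, cmd ...]
_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sample; not the contents of the box's real /etc/sudoers.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
david ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
ops ALL=(ALL) /usr/bin/systemctl status nostromo.service, /bin/ls
"""


def audit_sudoers(text: str) -> list:
    """Return one finding per command spec that can drop into a pager."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = _RULE.match(line)
        if not match:
            continue
        for spec in match.group("cmds").split(","):
            argv = shlex.split(spec.strip())
            if not argv:
                continue
            binary = argv[0].rsplit("/", 1)[-1]
            # -n5 caps output at five lines, so the pager only starts when the
            # terminal has fewer rows: that is why the walkthrough resizes it.
            if binary in PAGER_COMMANDS and "--no-pager" not in argv[1:]:
                findings.append({
                    "line": lineno,
                    "user": match.group("user"),
                    "command": spec.strip(),
                    "fix": " ".join([argv[0], "--no-pager", *argv[1:]]),
                })
    return findings
```

Run audit_sudoers over a real sudoers dump (visudo -c -f is the safe way to validate edits afterwards) and rewrite each flagged rule with the suggested fix, or drop the rule entirely if the user does not need it.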

Got the root flag! Congratz!