Traverxec (Easy)
Category: Linux. Vulnerabilities: RCE, misconfiguration, sudo exploit
Enumeration
nmap
Let's navigate to port 80.
As we can see here, this is a normal website.
After some digging, the nmap result shows that Nostromo is running version 1.9.6, which is vulnerable to RCE.
We can find the exploit on exploit-db.
Then we can get a reverse shell.
Reverse Shell
Now we have a shell, so we can proceed to escalate to a user.
After poking around, I found a .htpasswd under /var/nostromo/conf.
We can see there is a hash, so let's crack it with John the Ripper.
Now we have a password, but I tried SSH and it failed.
Here is the nhttpd.conf file, which sits in the same directory.
After digging for more information, I stumbled across this Nostromo manual page.
From the manual we can see that we can navigate to another user's home directory by passing the ~ symbol followed by the username. We can also see that access to the home directory is restricted by defining the homedirs_public option.
This means that right now we can access user david's public_www directory.
We can see there is a protected-file-area directory, and inside it we find backup-ssh-identity-files.tgz.
Let's bring it to our local machine and extract it.
After extracting, we will get a home directory.
We continue to navigate deeper and find the private key file under .ssh.
We can now proceed to log in using the id_rsa file.
We can see that id_rsa asks for a passphrase, which means we need to pass it to SSH2John to convert it to a hash and let John the Ripper crack the hash.
User Shell
Got the user flag !
Privilege Escalation
Right after we SSH in as user david, we can see a bin directory. After running server-stats.sh, we can see that it runs a journalctl command.
After running cat on server-stats.sh, we can see some code like this
After playing around with the commands, I found out that we just need to run the command /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service to get root. But in order to get root, we first need to resize our terminal window like so
After that, we can follow the guide from GTFOBins to get root.
Got the root flag! Congratz!
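As an added example (not part of the original write-up): a small Python audit that flags sudoers rules like the one this escalation relies on, where a program that can open a pager runs as root without the NOEXEC tag or a --no-pager argument. The sudoers lines and the program list are constructed for illustration; only the journalctl command itself comes from the text above.

```python
import re
import shlex

# Illustrative list (an assumption of this example): programs that open a pager,
# or are one, and so can start other programs with the privileges sudo gave them.
PAGER_CAPABLE = {"journalctl", "systemctl", "less", "more", "man"}

# Constructed sample, not the machine's real sudoers file.
SAMPLE_SUDOERS = """\
Defaults env_reset
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
backup ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
ops ALL=(root) NOEXEC: NOPASSWD: /usr/bin/less /var/log/syslog
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl status nostromo, /usr/bin/rsync
"""

def audit_sudoers(text):
    """Return (user, command, nopasswd) for rules that can start a pager as the target user.

    Simplification: aliases and #include files are not expanded.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m:
            continue
        user, specs = m.groups()
        noexec = nopasswd = False  # tags stay in effect for later commands in the list
        for spec in specs.split(","):
            spec = spec.strip()
            while (tag := re.match(r"([A-Z_]+):\s*", spec)):
                name = tag.group(1)
                if name in ("NOEXEC", "EXEC"):
                    noexec = name == "NOEXEC"
                elif name in ("NOPASSWD", "PASSWD"):
                    nopasswd = name == "NOPASSWD"
                spec = spec[tag.end():]
            argv = shlex.split(spec)
            if not argv:
                continue
            program = argv[0].rsplit("/", 1)[-1]
            # Safe only if sudo blocks further exec or the rule pins --no-pager.
            if program in PAGER_CAPABLE and not noexec and "--no-pager" not in argv:
                findings.append((user, spec, nopasswd))
    return findings

if __name__ == "__main__":
    for user, command, nopasswd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {command} (NOPASSWD={nopasswd})")
```

Because sudo matches the arguments listed in a rule exactly, a rule that includes --no-pager cannot be invoked without it, which is why the second sample line is not reported.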