Traverxec (Easy)

Category: Linux. Vulnerabilities: RCE, misconfiguration, sudo exploit

Enumeration

nmap

nmap -sC -sV -oA nmap/10.10.10.165 10.10.10.165
Nmap scan report for 10.10.10.165
Host is up (0.055s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul  5 11:24:31 2021 -- 1 IP address (1 host up) scanned in 18.68 seconds

Let's navigate to port 80.

As we can see here, this is a normal website.

After some digging, we can see from the nmap result that Nostromo is running version 1.9.6, which is vulnerable to RCE.

We can find the exploit on Exploit-DB.

Then we can use it to get a reverse shell.

Reverse Shell

Now we have a shell. Next, we can proceed to escalate to a user.

After poking around, I found a .htpasswd file under /var/nostromo/conf.

We can see there is a hash; let's crack it with John the Ripper.

Now we have a password, but when I tried it over SSH it failed.

Here is the nhttpd.conf file found in the same directory.

After digging for more information, I stumbled across the Nostromo manual page.

From here we can see that we can navigate to another user's directory by passing the ~ symbol followed by the username. We can also see that access to the home directory is restricted by the homedirs_public option.

Right now, we can access the user david's public_www directory.

We can see there is a protected-file-area directory, and inside it we find backup-ssh-identity-files.tgz.

Let's bring it to our local machine and extract it.

After extracting it, we get a home directory.

We continue to navigate deeper and find the private key under the .ssh directory.

We can now proceed to log in using the id_rsa file.

We can see that the id_rsa file asks for a passphrase, which means we need to pass it to ssh2john to convert it into a hash and let John the Ripper crack that hash.

User Shell

Got the user flag!

Privilege Escalation

Right after we SSH in as user david, we can see a bin directory. After running server-stats.sh, we can see it runs a journalctl command.

After running cat on server-stats.sh, we can see code like this:

After playing around with the commands, I found out that we just need to run the command /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service to get root. But in order to get root, we first need to resize our terminal window like so, so that the output no longer fits on screen and journalctl hands it to its pager.

After that we can follow the GTFOBins guide to get root.
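As an added defensive note (not part of the original writeup): the root step above works only because a sudoers rule lets david run journalctl as root without paging disabled. The constructed sudoers sample below mirrors the rule implied by that command, places a hardened variant with --no-pager beside it, and runs a small Python audit that flags only the weak rule; the rule text and the set of pager-capable commands are assumptions for illustration.

```python
import re
import shlex

# Commands that hand control to an interactive pager when their output does
# not fit the terminal; granted via sudo with paging still enabled, the pager
# runs as root and the rule is effectively a root shell.
PAGER_COMMANDS = {"journalctl", "systemctl", "less", "more", "man"}

# user  host = (runas) TAG: cmd1, cmd2   (aliases and Defaults are skipped)
SUDOERS_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

def audit_sudoers(text: str) -> list[dict]:
    """Return one finding per sudoers command that can escape to a root shell
    through its pager (no --no-pager argument pinned in the rule)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            argv = shlex.split(cmd.strip())
            if not argv:
                continue
            binary = argv[0].rsplit("/", 1)[-1]
            if binary in PAGER_COMMANDS and "--no-pager" not in argv[1:]:
                findings.append({
                    "user": m.group("user"),
                    "runas": m.group("runas") or "root",
                    "command": cmd.strip(),
                    # suggested hardened form: same command with paging pinned off
                    "fix": f"{argv[0]} --no-pager " + " ".join(argv[1:]),
                })
    return findings

# Constructed sample: the first david rule mirrors the command used in the
# writeup, the second is the hardened form that keeps journalctl from paging.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
david   ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
david   ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']} -> {f['runas']}: {f['command']}  (fix: {f['fix']})")
```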

Got the root flag! Congratz!
