Hack The Box – Traverxec Box Writeup By Nikhil Sahoo

Introduction

Hello everyone, I hope everyone is doing well and is safe in this current situation due to the coronavirus outbreak and hope that everyone is utilizing this time in a meaningful way 🙂 .

So, back with a new blog. Today we will go through the walkthrough of the Hack the Box machine Traverxec which retired very recently. It was actually a fairly easy box and was based on Linux. So without further ado let’s begin…

 

 

Recon

We’ll start with our recon by doing a Nmap scan.

nmap -sC -sV 10.10.10.165

 

We’ve got port 80 and 22 open and seems like the web server used is nostromo version 1.9.6.

Let’s do a quick search over searchsploit if we can get any exploits for this server and this particular version.

Seems like we do have an exploit 🙂

 

Let’s view the code to see how it executes.

 

The usage is very simple, we just have to provide the IP address and the port along with the command we would like to execute. And yes, there’s an extra line “cve2019_16278.py” as seen in the above picture so we either have to remove it or comment it out in order to run the code.

Moving on to vulnerability itself, this basically exploits a directory traversal attack by traversing backwards to execute the shell (“/bin/sh”) and takes the commands to execute as POST method body.

 

So let’s set up our listener first using netcat and we can proceed forward with exploitation.

 

Exploitation

./exploit.py <IP Address> <Port> <command to run>

I had already checked before if netcat was present in the box or not using the same script.

 

And we’re in !

Since our current user is www-data, it’s always good to check the var directory first.

After a little bit of more enumeration we can find a configuration file named nhttpd.conf inside /var/nostromo/conf/ directory. Let’s check that first…

The first thing that got my attention was the htpasswd file placed in that current directory. However I wasted hours on it without any positive outcome 🙁

It basically consisted of a hash of David user in the md5 crypt format probably. Although I tried cracking the hash with John, it gave me nothing. Tried with hashcat as well and as usual my hashcat also gave me a lot issues and errors…

So moving on, in the same configuartion file we can see the public home directory “public_www” present inside home directory. We also see the server admin being David so probably the public_www is present inside the David directory.

We won’t be able to access the David directory so we can move onto the /david/public_www/ directory directly.

Once we’re in we can see a tar backup file of ssh keys. Let’s copy it quickly to our local machine using netcat.

Once we untar the file we can find the ssh keys of david.

We can try to ssh using David’s private key itself but unfortunately it has a passphrase set so we have to crack it.

So we need to convert the SSH key to a format that John can understand. This can be achieved using ssh2john.

ssh2john oldhash > newhash

Once it is done we can provide a wordlist to John in order to crack the hash. We’ll be using the very common rockyou.txt wordlist for this purpose.

john –wordlist=/path to wordlist <hashfile>

Cracked !! The passphrase is “hunter

Let’s try to ssh into David’s account using his private key.

And we should be getting our user flag. 🙂

 

Privilege Escalation

Moving on, inside the bin folder we can see that there is a bash script named “server-stats.sh” and if we view the contents of it we can see that the script is running journalctl (command used mostly to view logs) with sudo privileges and the script is owned by our current user david as well.

 

So we just have to find a way to escalate our privileges within journalctl. GTFObins is best place to search for this.

As mentioned above we could escape our shell to root using !/bin/sh or !/bin/bash

So let’s run the same command as mentioned in the script itself.

sudo journalctl -n5 -unostromo.service

Once we’re in, simply type in !/bin/bash to get access to the root shell.

So we got our root flag 🙂 … That explains it all.

So that’s for now. See you next time.

Till then Stay Safe, Stay Home

Happy Hacking !!!

 

You can have a look at my previous article on Hack The Box: Postman Box Walkthrough. Here is the link of the article

Loved what you read?

If so, then kindly comment, follow and share our website for much more interesting stuff  ?

For any queries you can send a Hi to my Linkedin Handle: Here

 

 

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *