Traverxec

This box is a mixture of CVEs, mis-configurations and GTFObins

Run Nmap

Quick scan shows us a webserver and ssh are open. We will run a more intensive scan to double check and get dirb running. We also see Nostromo 1.9.6 is the webserver running. While those scans run lets research this.

Run Dirb

Nostromo exploit

We see an RCE; https://www.exploit-db.com/exploits/47837 and https://git.sp0re.sh/sp0re/Nhttpd-exploits

Lets give CVE-2019-16278 a try.

We have rce! 😊 Lets try and get a shell before proceeding. Using https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md as a guide we try for a bash shell.

We setup a simple python webserver to host our shell.

We are able to upload our shell to /tmp

We run it

And we get shell! Time to move to user enumeration.

Enumerating for user

We see our target user David.

Going through the server bit by bit e see the Nostromo config file and this give us a lot of good info – the server admin name and the location of the password in .htpasswd.

We have the password hash – now lets crack it!

Running john on the hash gets us the password; Nowonly4me

We arnt able to ssh with these credentials so they must be for something else so lets keep looking.

Checking out the MAN page for nostromos, it looks like we can navigate to the home directories because of how the server is set up. lets try it

The web page itself gave us nothing and after tearing our hair out for several hours we try to cd directly to the directory.. and it works… ouch.

Going through the public_www folder we find a subdirectory that is quite interesting. It looks like we have an ssh key, lets unzip it and get Davids ssh cert.

We have issues running john to crack the password protected rsa key, after some googling we find a script that will run a dictionary attack against the file and we find the pasword to the private key is hunter. Lets try to ssh as David now.

We got user.txt and ssh access to David!

Enumerating to root.

Shortly after starting to explore David we find this shell script that lets us use sudo for the Journalctl command. Dusting off our trusty GTFOBins spellbook we find the incantation we need; https://gtfobins.github.io/gtfobins/journalctl/

After some playing around we were able to identify the correct place to enter the GTFOBin command and get a root shell. Happy days.

Interesting box, foothold and root was easy but user took ages to figure!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s