Hackthebox - Traverxec

Summary

Traverxec, a Linux box created by HackTheBox user jkr, was an overall easy-difficulty box. Initial enumeration shows that the web server is vulnerable to a directory traversal to RCE attack, which gives us a reverse shell as www-data. Further enumeration turns up the public_www folder, which contains the SSH key of the user david, giving us the user flag. Privilege escalation on this box was very simple: the GTFOBins journalctl entry.

Enumeration

nmap scan

# Nmap 7.80 scan initiated Mon Nov 25 11:47:35 2019 as: nmap -sC -sV -oN nmap/traverxec 10.10.10.165
Nmap scan report for 10.10.10.165
Host is up (0.21s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 25 11:48:20 2019 -- 1 IP address (1 host up) scanned in 44.58 seconds

In the nmap scan we see nostromo 1.9.6 is running on port 80. Looking in searchsploit/exploitdb

$ searchsploit nostromo

we find it has an exploit which can give us a meterpreter shell.

Exploiting that we get a shell as www-data.

User

Running LinEnum on the box, we find something that definitely stands out.

[-] htpasswd found - could contain passwords:  /var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

Cracking the password with john the ripper.

$ john --wordlist=/usr/share/wordlists/rockyou.txt traver.hash

we find the password Nowonly4me, but it won't work for either SSH or su'ing to david. If we dig around a little more in the /var/nostromo/conf/ folder and cat the nhttpd.conf file:

www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
# MAIN [MANDATORY]

servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html
# LOGS [OPTIONAL]
logpid logs/nhttpd.pid
# SETUID [RECOMMENDED]
user www-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd
# ALIASES [OPTIONAL]
/icons /var/nostromo/icons
# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www

We see that /home holds the home directories and that public_www is the public sub-directory inside each of them.
If we look at /home/david/ we get permission denied,
but if we look at /home/david/public_www we see some files:
a protected-file-area folder containing backup-ssh-identity-files.tgz.

Copying it to our system and extracting it:

$ tar -xvzf backup-ssh-identity-files.tgz
home/david/.ssh
/home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub

we find an encrypted id_rsa.

We crack the passphrase of the id_rsa with john, after first converting id_rsa to a hash using ssh2john.py, and get the password hunter.

Using these credentials we can SSH to the box as david and grab user.txt: 7db0b48469606a42cec20750d9782f3d

Privilege Escalation

There is a bin folder inside david's home directory. Looking inside it we find only one script, server-stats.sh; catting that file we see:

david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

Examining and running it, we see it basically just outputs a header (the other file in the bin directory) and a bit of information about the server.
The last line of this script is the most important. It runs journalctl under sudo, which means journalctl runs with elevated privileges; if we can figure out a way to bend that to our will, we will have root.
However, we don't seem to be able to change any of the arguments: when we run anything other than sudo journalctl -n5 -unostromo.service we are asked for a password.
If we look at GTFOBins for journalctl we see an important bit of information: journalctl uses less to write to the screen, and if we follow the link we see that we can break out of less into an interactive shell.

Using the above information we can break the less and get an interactive shell as root.

Note: You might need to resize your terminal so that the output is longer than the screen and less still pages it.

With the root shell we can grab root.txt: 9aa36a6d76f785dfd320a478f6e0d906

and we have pwned Traverxec 💃

Extra

If we couldn't think of a way to access the file and got stuck, having tried http://10.10.10.165/david/ to no avail, then, as with all things when we are stuck or frustrated, let's RTFM. Looking up the nostromo documentation at http://www.nazgul.ch/dev/nostromo_man.html, we see the following:

HOMEDIRS
To serve the home directories of your users via HTTP, enable the homedirs
option by defining the path in where the home directories are stored,
normally /home. To access a users home directory enter a ~ in the URL
followed by the home directory name like in this example:

http://www.nazgul.ch/~hacki/

The content of the home directory is handled exactly the same way as a
directory in your document root. If some users don't want that their
home directory can be accessed via HTTP, they shall remove the world
readable flag on their home directory and a caller will receive a 403
Forbidden response. Also, if basic authentication is enabled, a user can
create an .htaccess file in his home directory and a caller will need to
authenticate.

You can restrict the access within the home directories to a single sub
directory by defining it via the homedirs_public option.

So we can access david's home directory at http://10.10.10.165/~david/,

and http://10.10.10.165/~david/protected-file-area/ asks for credentials; trying david:Nowonly4me gives us access to backup-ssh-identity-files.tgz.
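As an added example that is not part of the original write-up, the following Python models how the homedirs and homedirs_public options from nhttpd.conf map a request path onto the filesystem, so a defender can see exactly what enabling them exposes. The function names are my own and the model is simplified (no .htaccess handling); it also refuses any '..' segment after percent-decoding, the check a traversal-safe server has to make before touching the disk.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote

# The relevant lines of /var/nostromo/conf/nhttpd.conf as quoted in the write-up.
NHTTPD_CONF = """\
# MAIN [MANDATORY]
servername traverxec.htb
docroot /var/nostromo/htdocs
docindex index.html
# BASIC AUTHENTICATION [OPTIONAL]
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd
# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www
"""


def parse_conf(text):
    """Parse nostromo's 'key value' lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def resolve(conf, url_path):
    """Return the file a request path would be served from, or None if refused.

    /~user/... is served from <homedirs>/<user>/<homedirs_public>/... when
    homedirs is set; everything else comes from docroot. A trailing slash
    (or an empty path) selects docindex inside that directory.
    """
    parts = [p for p in unquote(url_path).split("/") if p]
    if ".." in parts or "." in parts:          # traversal attempt: refuse it
        return None
    if parts and parts[0].startswith("~") and "homedirs" in conf:
        user = parts[0][1:]
        if not user:
            return None
        base = PurePosixPath(conf["homedirs"], user, conf.get("homedirs_public", ""))
        parts = parts[1:]
    else:
        base = PurePosixPath(conf["docroot"])
    target = base.joinpath(*parts)
    if url_path.endswith("/") or not parts:
        target = target / conf.get("docindex", "index.html")
    return str(target)
```

With homedirs_public set, a request under /~david/ can only ever reach files below /home/david/public_www; without it the whole home directory would be served.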

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/traverxec/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stated otherwise.