Writeup - Traverexc [HTB] | Infosec Blog By Abhi

Writeup for HTB linux based box [Travexec].

Firstly, while enumerating http://10.10.10.165, I found that it runs a nostromo server on a specific port, the banner was displayed on /img/

i searched for exploits and found an exploit for directory traversal->command injection exploit, used that in metasploit and gained access to www-data..

there was a var/nostromo directory, which had a password file

which had a bcrypt password hash.

david:bcryptsalt

abhi@dexter2:~/Desktop$ john –format=md5 –wordlist=/wordlists/rockyou.txt hashfile.h

i bruteforced that using john the ripper, and cracked it

the password was Nowonly4me (david) and got it as david through ssh.

now i checked httpconf, which shows that public-www is divided based on user, so i tried for /~david in url, and it displayed a private area which was only accessible to the user david.

i logged in using david and Nowonly4me and got a zip file with SSH backup…

now i need to crack the SSH private key to get the passphrase, for which i used ssh2john.py module of johntheripper

https://github.com/koboi137/john/blob/bionic/ssh2john.py

abhi@dexter2:~/Desktop$ python ssh2john.py ../Downloads/id_rsa > id_rsa.txt

now gonna run johntheripper on it,

abhi@dexter2:~$ john Downloads/id_rsa.john –wordlist=Desktop/wordlists/rockyou.txt

got the passphrase hunter… now gonna SSH

i connected through SSH and pwned the user…

now i uploaded linuxprivchecker script through SCP

and checked for priviledge escalation exploits.

but the exploits doesnt seem to work.

inside the /bin/ folder, there is a server_stats.sh file which is executable…

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 

interesting thing is that, /usr/bin/journalctl -n5 -unostromo.service is executed as sudo without password.

I did that, and went to help option of the CLI editor, and did #!bin/bash and got the root access :)

Share on: