HackTheBox Writeup — Traverxec

Cristian Cornea
5 min read · Apr 23, 2020


In this article, we will discuss a proposed solution to pwn the Traverxec machine from HackTheBox.

Information Gathering

After a basic port scan I found ports 22 and 80 open, which suggests that
we are dealing with a web application.

I also ran a full, more thorough port scan, but it returned only those two
ports as well.

So I navigated to the target IP address (10.10.10.165) and found a simple
presentation website.

The next step was to discover potential directories and files, both manually
and with automated tools.

While dirbuster was running, I searched manually for admin panels or login
forms and found something interesting.

The “Not found” error page disclosed the web server technology and its
version.

The natural next step with information like that is to search for known
vulnerabilities in that version. (The name of the machine is a big hint:
traverxec = traversal/execution.)

Getting User

I found a Metasploit module for that vulnerability and used it for
exploitation.

Good, we got a shell as www-data, so let's first navigate to the web server's
home directory, /var/nostromo.

An interesting folder is “conf”, which may contain files disclosing sensitive
information.

And here we go: displaying the content of .htpasswd gives the following
output:

david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

This is a username:password entry: the username is “david” and the password
is stored as a hash.

John the Ripper is our best friend when it comes to cracking passwords and hashes.

Our password plaintext value is “Nowonly4me”.
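The “$1$” prefix on the hash above marks MD5-crypt, a fast hash that John gets through quickly with a wordlist, which is what makes this step so easy. As an added example (my own, not code from the writeup), here is a small Python audit that parses a .htpasswd file, classifies each stored password by its format and lists the entries that should be regenerated with a slow hash such as bcrypt. The sample file is constructed for the demonstration; only the david line reproduces the format shown above, the other users and hashes are made up.

```python
import re

# Constructed sample .htpasswd content. The "david" line copies the format shown in
# the writeup; every other entry is a made-up example of another storage format.
SAMPLE_HTPASSWD = """\
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
# comments and blank lines are ignored

alice:$apr1$saltsalt$Q7lsn21hDkjvdkFGYrKZS0
bob:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345
carol:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
erin:$6$rounds=5000$saltsalt$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklm
frank:plaintextpassword
"""

# Prefix -> (algorithm, rating). Ratings reflect offline cracking cost: "weak" formats
# are salted but cheap, so a wordlist run (as in the writeup) finds ordinary
# passwords fast; "strong" ones use a slow, tunable KDF.
HASH_PREFIXES = [
    ("$2a$", "bcrypt", "strong"),
    ("$2b$", "bcrypt", "strong"),
    ("$2y$", "bcrypt", "strong"),
    ("$6$", "sha512crypt", "acceptable"),
    ("$5$", "sha256crypt", "acceptable"),
    ("$apr1$", "apr1-md5", "weak"),
    ("$1$", "md5crypt", "weak"),
    ("{SHA}", "sha1-unsalted", "weak"),
]

# Traditional DES crypt(3): 13 characters from the crypt alphabet. This is a heuristic;
# a 13-character clear-text password would be misclassified as des-crypt.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(stored: str) -> tuple:
    """Return (algorithm, rating) for one stored password field."""
    for prefix, algo, rating in HASH_PREFIXES:
        if stored.startswith(prefix):
            return algo, rating
    if DES_CRYPT_RE.match(stored):
        return "des-crypt", "weak"
    # Not a recognised hash format: the password is stored in clear.
    return "plaintext", "critical"


def audit_htpasswd(text: str) -> list:
    """Parse .htpasswd content and return one finding per user entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append({"line": lineno, "user": None,
                             "algorithm": "malformed", "rating": "critical"})
            continue
        user, stored = line.split(":", 1)
        algo, rating = classify_hash(stored)
        findings.append({"line": lineno, "user": user,
                         "algorithm": algo, "rating": rating})
    return findings


def needs_rehash(findings: list) -> list:
    """Users whose entries should be regenerated with a stronger hash."""
    return [f["user"] for f in findings if f["rating"] in ("weak", "critical")]


if __name__ == "__main__":
    report = audit_htpasswd(SAMPLE_HTPASSWD)
    for f in report:
        print(f"line {f['line']:>2}: {str(f['user']):<6} {f['algorithm']:<14} {f['rating']}")
    print("re-hash:", ", ".join(needs_rehash(report)))
```

Running it on the sample lists david, alice, carol and frank as entries to re-hash; in practice the fix is to regenerate those passwords with a bcrypt-capable tool and to keep the .htpasswd file out of web-readable paths, since here it was readable from the www-data shell.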

Trying to SSH into the machine with these credentials didn't work, so the
user:pass combination is probably meant to be used somewhere else.

I went back to the www-data session to gather more information.

I read the nhttpd.conf file located in the /var/nostromo/conf folder, and its documentation, which can be found here:

https://www.gsp.com/cgi-bin/man.cgi?section=8&topic=nhttpd

Going through the document, I found an interesting topic.

As a result, our next step was to visit 10.10.10.165/~david/, where we got
nothing but a simple image page.

So I started enumerating files inside that folder using dirbuster and found
this one (protected-file-area), which requires authentication: the perfect
place to use our credentials.

After logging in successfully, there was a backup archive that we could
download.

Once the archive is extracted on our local machine, it can be searched for
potentially sensitive files or folders.

We got just one directory inside and navigated through it until we found
something cool.

Yes: a private key that we can use to log in to the Traverxec machine
through SSH.

Unfortunately, it requires a passphrase, so we must extract a crackable hash
from the encrypted key and crack it using John.

The tool I am going to use to extract the hash is ssh2john, which can be
downloaded from here:

https://github.com/koboi137/john/blob/bionic/ssh2john.py

Using the passphrase ‘hunter’, we got a session as user ‘david’.
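A key like the one found here, an encrypted legacy PEM file (“Proc-Type: 4,ENCRYPTED”), protects its passphrase with a single MD5 pass, which is exactly why ssh2john plus John can recover it from a wordlist. As an added example that is not part of the original writeup, the following Python script classifies private keys found in a backup by container format and passphrase protection, so a defender can spot unencrypted or legacy-format keys before they end up in an archive. The sample keys are constructed fixtures (headers only, no real key material) and the backup paths are made up.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length, then payload."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int):
    """Decode an SSH wire 'string' at offset; return (payload, next_offset)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def make_openssh_key_header(cipher: str, kdf: str) -> str:
    """Constructed OPENSSH PRIVATE KEY file holding only the fields the audit reads
    (magic, ciphername, kdfname). It is a test fixture, not a usable key."""
    raw = OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
    body = base64.b64encode(raw).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + "\n"
            "-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM key. Only the Proc-Type / DEK-Info headers matter to the
# audit; the body is filler, not key material.
LEGACY_ENCRYPTED_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""


def classify_private_key(text: str) -> dict:
    """Report a PEM private key's container format, whether it is passphrase
    protected, which KDF protects it, and a risk rating for finding it in a backup."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        body = "".join(ln for ln in text.splitlines() if ln and not ln.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_ssh_string(raw, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(raw, off)
        encrypted = cipher != b"none"
        # bcrypt_pbkdf with a high round count makes a wordlist attack slow.
        risk = "critical" if not encrypted else ("low" if kdf == b"bcrypt" else "high")
        return {"format": "openssh-v1", "encrypted": encrypted,
                "kdf": kdf.decode(), "risk": risk}
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        # PKCS#8 container; its PBES parameters are not parsed in this example.
        return {"format": "pkcs8", "encrypted": True, "kdf": "not parsed", "risk": "review"}
    if "PRIVATE KEY-----" in text:
        headers = {}
        for line in text.splitlines():
            if ":" in line and not line.startswith("-----"):
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
        encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        # Legacy PEM encryption derives the key with one MD5 pass (EVP_BytesToKey),
        # so even an encrypted key of this kind is cheap to attack offline.
        return {"format": "legacy-pem", "encrypted": encrypted,
                "kdf": "md5-evp_bytestokey" if encrypted else "none",
                "risk": "high" if encrypted else "critical"}
    raise ValueError("not a PEM private key")


def audit_backup(files: dict) -> list:
    """files maps archive path -> file text. Return a finding per private key found."""
    findings = []
    for path, text in files.items():
        if "PRIVATE KEY-----" not in text:
            continue
        info = classify_private_key(text)
        info["path"] = path
        findings.append(info)
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    sample_backup = {  # constructed paths, not the contents of the real archive
        "backup/ssh/id_rsa": LEGACY_ENCRYPTED_PEM,
        "backup/ssh/id_ed25519": make_openssh_key_header("aes256-ctr", "bcrypt"),
        "backup/etc/motd": "not a key",
    }
    for f in audit_backup(sample_backup):
        print(f"{f['path']}: {f['format']}, encrypted={f['encrypted']}, "
              f"kdf={f['kdf']}, risk={f['risk']}")
```

Keys rated high or critical should be rotated rather than just re-encrypted: a private key that was ever stored in a downloadable backup has to be treated as exposed, and a legacy PEM key is better replaced by one generated in the current OpenSSH format, whose bcrypt KDF is what makes the ssh2john step expensive.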

Getting Root

The first thing was to check the user's home directory, and something caught
my eye: a bash script containing a command that was executed using sudo.

The command is:

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

After that finding I went straight to GTFOBins (https://gtfobins.github.io/) to check the exploitation possibilities of journalctl.

Interestingly, that documentation suggests using the “less” command, which
can be helpful in our situation.

I tried using less with sudo, but it asked me for a password; then I
remembered a little trick that helped me escalate my privileges on that machine.

/usr/bin/sudo $(less) /usr/bin/journalctl -n5 -unostromo.service
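The root step works because journalctl hands its output to a pager (less by default) and less can run a shell, as GTFOBins documents. As an added example of my own, not taken from the writeup, here is a Python audit that parses sudoers user specifications and flags rules for journalctl or systemctl that lack --no-pager, and rules for interactive pagers, so that exactly this kind of rule is caught in review before it ships. The sudoers excerpt is constructed for the example, not the machine's real file.

```python
import os
import re
import shlex

# Constructed sudoers excerpt; it is not the Traverxec machine's real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
david   ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
ops     ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
alice   ALL=(ALL) /usr/bin/less /var/log/syslog
backup  ALL=(root) NOPASSWD: /bin/cat /var/log/nostromo/logs_access, /bin/systemctl status nostromo.service
"""

# journalctl and systemctl pipe long output through a pager (less by default), and
# less itself is interactive; GTFOBins lists both, as the writeup notes.
PAGER_SPAWNERS = {"journalctl", "systemctl"}
INTERACTIVE_PAGERS = {"less", "more"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"   # user host =
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                # optional (runas)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"                   # NOPASSWD: and similar tags
    r"(?P<cmds>.+)$"                               # comma-separated command list
)


def parse_sudoers(text: str) -> list:
    """Expand each user-specification line into one record per command."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set(re.findall(r"[A-Z]+(?=:)", m["tags"]))
        for cmd in m["cmds"].split(","):
            argv = shlex.split(cmd.strip())
            if not argv:
                continue
            rules.append({"line": lineno, "user": m["user"],
                          "runas": m["runas"] or "root",   # sudo defaults to root
                          "nopasswd": "NOPASSWD" in tags, "argv": argv})
    return rules


def audit_rule(rule: dict):
    """Return a finding string for a risky rule, or None when it looks safe."""
    prog = os.path.basename(rule["argv"][0])
    args = rule["argv"][1:]
    if prog in INTERACTIVE_PAGERS:
        return f"{prog} is interactive and can drop to a shell as {rule['runas']}"
    if prog in PAGER_SPAWNERS and "--no-pager" not in args:
        return f"{prog} without --no-pager hands its output to a pager as {rule['runas']}"
    return None


def audit_sudoers(text: str) -> list:
    """Parse sudoers text and return only the rules with a finding attached."""
    findings = []
    for rule in parse_sudoers(text):
        note = audit_rule(rule)
        if note:
            findings.append(dict(rule, finding=note))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"line {f['line']}: {f['user']} ({tag}): {f['finding']}")
```

Because sudoers matches the argument list literally, a user cannot add --no-pager to a rule that lacks it; the fix is to write --no-pager into the rule itself, as the ops line in the sample does, which removes the pager (and with it the less shell escape) from that sudo invocation.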

Cristian Cornea

🇷🇴 Founder @ Zerotak Security & Cyber Security Training Centre of Excellence (CSTCE)