HackTheBox. Level Easy: Passing Traverxec. RCE in the nostromo web server, GTFOBins technique

6 December 2024 5 minutes Author: Lady Liberty

The article provides a detailed analysis of the Traverxec machine traversal process on the HackTheBox platform. In addition, the article describes obtaining a Meterpreter shell and elevation of privileges using the GTFOBins technique. Readers learn about specific tools such as Masscan, nmap, Metasploit, and how to use them to effectively exploit vulnerabilities in real-world scenarios.

How to find vulnerabilities in the nostromo web server and get RCE

The article covers obtaining RCE in the nostromo web server, upgrading an active metasploit session to a meterpreter shell, analyzing the nostromo configuration, cracking the passphrase of an encrypted SSH key, and using the GTFOBins technique to elevate privileges.

The lab is reached over a VPN. It is not recommended to connect from work computers or from devices that store sensitive data, because you end up on a private network shared with other people who know a thing or two about information security.

Recon

This machine has an IP address of 10.10.10.165, which we add to /etc/hosts.

10.10.10.165    traverxec.htb

First, a scan of open ports is performed. Since scanning all ports with nmap takes much longer, masscan is used to speed up the process. All TCP and UDP ports are scanned through the tun0 interface at a rate of 1000 packets per second.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.165 --rate=1000

Now, to get more detailed information about the services running on the ports, let’s run the scan with the -A option.

nmap -A traverxec.htb -p22,80

So we have SSH and the Nostromo web server.

Let’s check the Nostromo web server, version 1.9.6, for known exploits. For this you can use searchsploit, a tool that makes it convenient to work with the exploits held in the exploit-db database.

From the search results, we can see that the second exploit is not suitable, while the first one carries the “Metasploit” tag, which indicates that this module is implemented within the Metasploit Framework.

Entry Point

Launch msfconsole and search for the exploit.

Now that we have the full name of the exploit, we can use it. After loading the exploit, view its information to learn the basic options and get a description of the exploit itself.

Great! Since this exploit matches our version of nostromo, we set the required options and run it to check that it works.

For convenience, we will get a meterpreter shell. To do this, we send the session to the background with Ctrl+Z and confirm. Listing the running sessions then shows the one we just backgrounded.

You can get a meterpreter shell in an active session using the post-exploitation module post/multi/manage/shell_to_meterpreter. To quickly use this module, it is recommended to proceed as follows.

The module reports that a meterpreter shell is active in a second session, so we switch to that second session.

USER

First, we need to enumerate the host. To do this, we upload a Linux enumeration script to the machine.

Next, we drop into a shell, make the script executable, and run it.

Analyzing the output, we find a password hash in .htpasswd.

Further aimless exploration of the system turned out to be a waste of time. Without a clear plan of action, it was decided to review the web server configuration instead. Fortunately, the directory containing the configuration file had been clearly indicated.

Next, let’s look at the nhttpd.conf file.

In the nostromo configuration file, the homedirs_public directive names the public directory, public_www, which lives inside each user’s home directory (homedirs is /home), in this case the home directory of the user listed in the serveradmin directive, david. Thus, the index.html file is located at /home/david/public_www. For users to reach this page, the directory must be readable by all users.

The assumptions were confirmed. In addition, a certain directory was discovered that should be investigated in more detail to understand its contents.

There we find the backup of SSH files. We download them.

Unzip the files.

The user’s private key is found, but the connection attempt asks for a passphrase, which means the key is encrypted.

The hash is saved to a file and then checked against the rockyou.txt dictionary using John the Ripper.

Yes, we find the key’s passphrase. Using it together with the key, we connect via SSH.
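As an added defender-side check, not from the original article: the following Python audits a nostromo nhttpd.conf the way the configuration was read above (homedirs plus homedirs_public give the /~user/ mapping) and flags archives, keys and credential files that sit inside a user’s public_www and are therefore served to anyone who asks. The config excerpt, the directory listing and the file names in it are constructed samples, not the lab’s real files.

```python
import re
from pathlib import PurePosixPath

# Constructed nhttpd.conf excerpt (not the lab's real file): only the
# directives that control per-user public directories are shown.
SAMPLE_CONF = """
servername traverxec.htb
docroot /var/nostromo/htdocs
homedirs /home
homedirs_public public_www
"""

# Constructed stand-in for a directory walk of the homedirs tree.
SAMPLE_LISTING = [
    "/home/david/public_www/index.html",
    "/home/david/public_www/backups/ssh-backup.tgz",
    "/home/david/.ssh/id_rsa",
    "/home/alice/notes.txt",
]

# Archives, keys and credential files have no business in a web-served directory.
SENSITIVE = re.compile(r"(\.tgz|\.tar(\.gz)?|\.zip|\.bak|id_rsa|id_ed25519|\.pem|\.key|\.htpasswd)$")

def parse_conf(text):
    """Return {directive: value} from nhttpd.conf, skipping comments and blank lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1] if len(parts) > 1 else ""
    return conf

def web_url_for(conf, path):
    """Map an on-disk path to the /~user/... URL nostromo serves it at, or None."""
    homedirs, public = conf.get("homedirs"), conf.get("homedirs_public")
    if not (homedirs and public):
        return None  # homedirs support is off: nothing under /home is served
    try:
        parts = PurePosixPath(path).relative_to(homedirs).parts
    except ValueError:
        return None  # outside the homedirs tree
    if len(parts) < 3 or parts[1] != public:
        return None  # not inside <user>/<homedirs_public>/
    return "/~" + parts[0] + "/" + "/".join(parts[2:])

def exposed_sensitive(conf_text, listing):
    """(disk path, URL) pairs for sensitive files reachable through the web server."""
    conf = parse_conf(conf_text)
    return [(p, url) for p in listing
            if (url := web_url_for(conf, p)) and SENSITIVE.search(p)]
```

Run over a real listing (for example the output of find /home -type f), the same function tells you exactly which URL each stray backup or key is reachable at.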

ROOT

Let’s see what we have in the user directory.

In the bin directory we find interesting files.

The script executes a command that first prints a few lines and then runs another command under sudo, piping its output to cat. This looks interesting. Running it yields very informative output.

Piping into cat immediately suggests the GTFOBins technique. The essence of the technique is that various system utilities can be abused to read or write files, execute commands, and so on. Usage examples for the various programs are available in the corresponding sections of GTFOBins.

The peculiarity here is that if you shrink the terminal window and run the command without piping its output to cat, the output is automatically sent to less. From there you can get a shell with the !/bin/sh command. Since the command runs with sudo rights, the resulting shell has maximum privileges.

This gives you access to the root user on the system, which provides full control and the highest privileges.
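An added defender-side counterpart to the sudo-plus-pager escape described above (example code, not from the article): it parses a sudoers excerpt and flags rules that let a user run a pager-capable command as root without sudo’s noexec option, which is the setting that stops a pager spawned by such a command from executing a shell. The sudoers lines, user names and command arguments are constructed, and PAGER_CAPABLE is an illustrative, not exhaustive, set.

```python
import re

# Commands that hand their output to a pager (or are pagers) when stdout is a
# terminal; run via sudo, that pager runs as root and can spawn a shell unless
# sudo's noexec option is in effect for the command.
PAGER_CAPABLE = {"less", "more", "most", "man", "journalctl", "systemctl", "git"}

# Constructed sudoers excerpt (not the lab's real file).
SAMPLE_SUDOERS = """
Defaults env_reset
root ALL=(ALL:ALL) ALL
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -u web.service
Defaults!/usr/bin/systemctl noexec
alice ALL=(root) NOPASSWD: /usr/bin/systemctl status web.service
bob ALL=(root) /usr/bin/cat /var/log/syslog
"""

# user  host=(runas) [TAG: ...] command[, command...]
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\))?\s*((?:[A-Z]+:\s*)*)(.+)$")

def parse_sudoers(text):
    """Return ([(user, nopasswd, command)], {paths with a noexec Defaults, '*' if global})."""
    rules, noexec = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            head, _, opts = line.partition(" ")
            if "noexec" in [o.strip() for o in opts.split(",")]:
                noexec.add(head[len("Defaults!"):] if head.startswith("Defaults!") else "*")
            continue
        m = RULE.match(line)
        if m:
            user, tags, cmds = m.group(1), m.group(3), m.group(4)
            for cmd in cmds.split(","):
                rules.append((user, "NOPASSWD" in tags, cmd.strip()))
    return rules, noexec

def risky_rules(text):
    """(user, command) pairs where a pager-capable command runs under sudo without noexec."""
    rules, noexec = parse_sudoers(text)
    findings = []
    for user, _nopasswd, cmd in rules:
        if cmd == "ALL":
            continue  # unrestricted sudo is a policy question, not a pager escape
        path = cmd.split()[0]
        if path.rsplit("/", 1)[-1] in PAGER_CAPABLE and "*" not in noexec and path not in noexec:
            findings.append((user, cmd))
    return findings
```

The fix the audit points at is either a Defaults!/path noexec line for the command or wrapping it in a script that forces non-interactive output, rather than granting the bare binary.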
