Traverxec
Easy Linux machine
Traverxec is an easy Linux machine that features a Nostromo web server, which is vulnerable to Remote Code Execution (RCE). The web server configuration files lead us to SSH credentials, which allow us to move laterally to the user david. A bash script in the user's home directory reveals that the user can execute journalctl as root. This is exploited to spawn a root shell.
As usual, let's start with an nmap scan:
We have two ports open: SSH on port 22 and a Nostromo web server on port 80.
A quick search on the Nostromo version shows that it's vulnerable to RCE.
Copy the exploit from Exploit-DB and put it inside a Python script.
So we need three arguments: the target IP address, the target port and the command we want to execute on the remote target.
Let's execute a command on the remote target using this exploit.
Now let's get a reverse shell as the user www-data.
Let's start listening on port 9999.
Now, using the RCE vulnerability, let's spawn a reverse shell on port 9999 using nc, because for some reason the other payload doesn't seem to work.
And we get back a shell as the user www-data.
Enumerating the filesystem, we find the configuration file nhttpd.conf.
There are a couple of interesting things here: first the username david and the authentication file htpasswd, and then the homedirs directive. Going through the documentation to understand the conf file, this looks interesting.
So the public_www directory is inside the home directory of the user david.
Looking at the directory protected-file-area, we find an SSH backup.
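The homedirs directive is what turns a user's public_www into web-served content, so any backup dropped under it (here, SSH identity files) becomes reachable through the web server. As an added defensive check that is not part of the original walkthrough, the Python script below parses an nhttpd.conf (a constructed sample that mirrors the directives discussed above: homedirs, homedirs_public, htpasswd) and flags sensitive files sitting inside the served home trees. The file listing, the hostname and the backup file name are constructed for the example; the list of sensitive name patterns is this example's own choice.

```python
"""Audit a Nostromo nhttpd.conf for home-directory exposure.

Added example, not from the original walkthrough. The configuration and
the file listing are constructed; only homedirs, homedirs_public and
htpasswd are directives referenced in the walkthrough above.
"""
import fnmatch
import posixpath

SAMPLE_CONF = """\
# constructed sample in nhttpd.conf's "directive value" layout
servername      traverxec.htb
serverlisten    *
serveradmin     david@traverxec.htb
serverroot      /var/nostromo
docroot         /var/nostromo/htdocs
htaccess        .htaccess
htpasswd        /var/nostromo/conf/.htpasswd
homedirs        /home
homedirs_public public_www
"""

# constructed listing of files present under /home on the audited host
SAMPLE_FILES = [
    "/home/david/.ssh/id_rsa",
    "/home/david/public_www/index.html",
    "/home/david/public_www/protected-file-area/.htaccess",
    "/home/david/public_www/protected-file-area/ssh-backup.tgz",
    "/home/david/bin/stats.sh",
]

# file name patterns that should never live in a web-served tree
SENSITIVE_PATTERNS = ["id_rsa", "id_dsa", "id_ecdsa", "id_ed25519",
                      "*.tgz", "*.tar", "*.tar.gz", "*.zip", "*.bak",
                      "*.pem", "*.key", ".htpasswd"]


def parse_conf(text):
    """Return {directive: value} from nhttpd.conf-style text,
    skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def public_roots(conf, files):
    """Directories the server serves out of users' home directories:
    <homedirs>/<user>/<homedirs_public> for every user seen in `files`."""
    if "homedirs" not in conf:
        return []                      # feature disabled: nothing served from /home
    base = conf["homedirs"].rstrip("/")
    public = conf.get("homedirs_public", "")   # empty = whole home dir is served
    users = sorted({p[len(base) + 1:].split("/")[0]
                    for p in files if p.startswith(base + "/")})
    return [posixpath.join(base, u, public).rstrip("/") for u in users]


def find_exposed(conf, files):
    """Return sensitive files that sit inside a web-served home tree."""
    findings = []
    for root in public_roots(conf, files):
        for path in files:
            if not path.startswith(root + "/"):
                continue               # outside the served tree (e.g. ~/.ssh)
            name = posixpath.basename(path)
            if any(fnmatch.fnmatch(name, pat) for pat in SENSITIVE_PATTERNS):
                findings.append(path)
    return findings


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("served home trees:", public_roots(conf, SAMPLE_FILES))
    for exposed in find_exposed(conf, SAMPLE_FILES):
        print("EXPOSED:", exposed)
```

On a real host you would replace SAMPLE_FILES with a walk of the homedirs path; the point of the check is that an .htaccess in front of the directory does not change the finding, since a local shell (as www-data above) reads the file straight from disk.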
Let's transfer the SSH backup to our Kali box.
And now we will find that the backup has been transferred to us.
Let's decompress this backup.
Let's use the private key (id_rsa) to SSH into david's machine.
The private key is encrypted.
We will use john to crack the passphrase of the private key.
So the passphrase of the SSH private key is hunter. Now let's try again to SSH into david's box.
Enumerating the box, we find that the user david has a separate bin folder which contains a bash script that executes the journalctl command with sudo, without requiring a password.
Looking for journalctl on GTFOBins, we find that if we can run it with sudo we may get a privesc on the machine.
This invokes less, so we can execute !/bin/bash in it to get a privesc to root.
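From the defender's side, the fix is to pin `--no-pager` into the argument list the sudo rule permits, so journalctl never hands the caller a pager to escape from (sudoers matches arguments exactly, so the user cannot drop the flag). As an added example that is not part of the original walkthrough, this Python audit parses sudoers-style text (a constructed sample with the weak rule beside its hardened variant; the journalctl arguments are placeholders for whatever the user's script actually passes) and reports rules whose permitted command opens an interactive pager.

```python
"""Audit sudoers rules for commands that give the caller an interactive
pager (journalctl without --no-pager, less, more, man ...), which can be
escaped to a shell running as the target user.

Added example, not part of the original walkthrough. SAMPLE_SUDOERS is
constructed; the list of pager commands is this example's own choice.
"""
import posixpath
import re

# commands that open a pager or allow a shell escape when run interactively
PAGER_COMMANDS = {"less", "more", "most", "man", "systemctl", "git"}

SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
# constructed: weak rule, journalctl pipes its output into less
david   ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
# constructed: hardened variant of the same rule, pager disabled explicitly
david   ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
"""

# user  host=(runas) [TAG:] cmd, cmd ...
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(
    r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|MAIL|FOLLOW|INTERCEPT|LOG_INPUT|LOG_OUTPUT):\s*)+")


def parse_rules(text):
    """Return (user, host, runas, tags, command) for every user specification.
    Defaults and alias lines are skipped; line continuations are not handled."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if (not line or line.startswith("#") or line.startswith("Defaults")
                or re.match(r"^(User|Host|Cmnd|Runas)_Alias", line)):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, runas, cmds = m.groups()
        tags = ""
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            t = TAG_RE.match(cmd)
            if t:
                tags = t.group(0)          # a tag applies until the next tag
                cmd = cmd[t.end():].strip()
            rules.append((user, host, runas or "root", tags, cmd))
    return rules


def audit_sudoers(text):
    """Return findings (user, command, reason) for rules that let a
    non-root user spawn an interactive pager as the target user."""
    findings = []
    for user, _host, _runas, _tags, cmd in parse_rules(text):
        if user == "root":
            continue                       # root already has everything
        if cmd == "ALL":
            findings.append((user, cmd, "unrestricted command set"))
            continue
        argv = cmd.split()
        prog = posixpath.basename(argv[0])
        if prog == "journalctl" and "--no-pager" not in argv[1:]:
            findings.append((user, cmd,
                             "journalctl will invoke a pager; add --no-pager"))
        elif prog in PAGER_COMMANDS:
            findings.append((user, cmd,
                             f"{prog} is an interactive pager with a shell escape"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd}\n    {reason}")
```

Run against a real /etc/sudoers and the files under /etc/sudoers.d; only the first david rule in the sample is reported, which is the behaviour a hardened rule should produce.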
Hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara