This box is a mixture of CVEs, mis-configurations and GTFObins
A quick scan shows us a web server and SSH are open. We run a more intensive scan to double-check and get dirb running. We also see the web server is Nostromo 1.9.6. While those scans run, let's research it.
We find an RCE: https://www.exploit-db.com/exploits/47837 and https://git.sp0re.sh/sp0re/Nhttpd-exploits
Let's give CVE-2019-16278 a try.
We have RCE! 😊 Let's try to get a shell before proceeding. Using https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md as a guide, we try for a bash shell.
We set up a simple Python web server to host our shell.
We are able to upload our shell to /tmp.
We run it.
And we get a shell! Time to move on to user enumeration.
Enumerating for user
We see our target user David.
Going through the server bit by bit, we see the Nostromo config file, and it gives us a lot of good info: the server admin name and the location of the password file, .htpasswd.
We have the password hash, now let's crack it!
Running john on the hash gets us the password: Nowonly4me
We aren't able to SSH with these credentials, so they must be for something else. Let's keep looking.
Checking out the man page for nostromo, it looks like we can navigate to the home directories because of how the server is set up. Let's try it.
The web page itself gave us nothing, and after tearing our hair out for several hours we try to cd directly into the directory... and it works. Ouch.
Going through the public_www folder we find a subdirectory that is quite interesting. It looks like we have an SSH key; let's unzip it and get David's SSH key.
We have issues running john to crack the password-protected RSA key. After some googling we find a script that runs a dictionary attack against the file, and we find the password to the private key is hunter. Let's try to SSH as David now.
We got user.txt and SSH access as David!
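As an added defensive example (not code from the original writeup), here is a small Python audit of the nhttpd.conf directives that made the home directories reachable on this box; the config text is constructed, and the directive names (homedirs, homedirs_public, htpasswd, docroot) follow the nhttpd man page.

```python
import os

# Constructed sample nhttpd.conf, not the box's real file; directive names
# follow the nhttpd man page.
SAMPLE_CONF = """\
servername      example.lab
serverlisten    *
serveradmin     admin@example.lab
docroot         /var/nostromo/htdocs
homedirs        /home
homedirs_public public_www
htaccess        .htaccess
htpasswd        /var/nostromo/conf/.htpasswd
"""


def parse_nhttpd_conf(text):
    """Return {directive: value}; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_nhttpd_conf(conf):
    """List settings that widen what the web server can serve or read."""
    findings = []
    if "homedirs" in conf:
        if "homedirs_public" in conf:
            findings.append("homedirs enabled: /~user/ serves each user's "
                            f"{conf['homedirs_public']} directory under {conf['homedirs']}")
        else:
            findings.append("homedirs enabled without homedirs_public: "
                            f"entire home directories under {conf['homedirs']} are served")
    htpasswd = conf.get("htpasswd", "")
    docroot = conf.get("docroot", "").rstrip("/")
    if htpasswd and docroot and htpasswd.startswith(docroot + "/"):
        findings.append(f"htpasswd {htpasswd} is under docroot and may be downloadable")
    # Filesystem check only fires when the audited host actually has the file.
    if htpasswd and os.path.exists(htpasswd) and os.stat(htpasswd).st_mode & 0o004:
        findings.append(f"htpasswd {htpasswd} is world-readable")
    return findings


if __name__ == "__main__":
    for finding in audit_nhttpd_conf(parse_nhttpd_conf(SAMPLE_CONF)):
        print("[!]", finding)
```

Point it at the real /var/nostromo/conf/nhttpd.conf and any homedirs finding means every user's public_www (and whatever is reachable from it, symlinks included) is served to anonymous clients.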
Enumerating to root.
Shortly after starting to explore as David we find a shell script that lets us use sudo for the journalctl command. Dusting off our trusty GTFOBins spellbook, we find the incantation we need: https://gtfobins.github.io/gtfobins/journalctl/
After some playing around we are able to identify the correct place to enter the GTFOBins command and get a root shell. Happy days.
Interesting box: foothold and root were easy, but user took ages to figure out!