Traverxec is a retired vulnerable Linux machine. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
To fingerprint the target, we first run a network scan with nmap.
We start with a standard scan.
Then a full port scan.
The port scan shows two open ports: 22/tcp (ssh, OpenSSH) and 80/tcp (http, nostromo 1.9.6).
Since the HTTP service is open, let's enumerate it through the browser.
It is a dynamic website with a simple interface, but neither the page source, the browser developer tools nor a web technology analyzer revealed anything significant. We run a directory scan with gobuster and dirbuster.
The directory scan found /css, /icons, /img, /index.html and /lib, but nothing useful.
We searched for exploits matching the web server version.
There are known exploits for this version.
Let's download the exploit to our machine.
We run it following the usage it shows.
We were able to get a shell.
Since the www-data user has limited privileges, we enumerate further. LinEnum turned up a password hash.
Let's crack this hash with Hashcat.
Cracking the hash david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/ gives the password “Nowonly4me”.
This password alone did not let us log in over SSH or switch user in any way, so we continue with enumeration.
We find the file backup-ssh-identity-files.tgz which, as the name suggests, contains SSH keys.
We transfer it to our machine with nc.
We extract the archive with tar.
Under the home directory inside the archive we find the id_rsa file.
We try to connect over SSH using this key.
When connecting, it asked for a passphrase; let's crack it with john.
We recovered the passphrase “hunter”; let's try to connect again.
As shown, we got an SSH connection and our user flag.
We get a permission denied error when trying to become root, so we enumerate again for privilege escalation.
Here server-stats.sh catches our attention, so we go to that directory right away.
We check GTFOBins for a sudo entry for /usr/bin/journalctl.
We type the command given in the section that appears and obtain root privileges.
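As an added defensive example (not part of the original writeup), the Python script below audits for the two weaknesses chained on this box: md5crypt ($1$) password hashes in shadow-format files, which Hashcat cracks quickly, and sudo rules that grant pager-capable commands such as journalctl. The sample shadow and sudoers lines are constructed except for david's hash, which is the one quoted above; the user ops and webapp.service are placeholders.

```python
import re

# Legacy crypt(3) schemes that commodity GPUs crack quickly.
WEAK_SCHEMES = {"$1$": "md5crypt", "$apr1$": "apr1 (md5-based)"}
# Commands that drop the caller into an interactive pager when run under sudo.
PAGER_COMMANDS = {"journalctl", "less", "more", "man"}

def audit_shadow_line(line):
    """Return a finding for a shadow-format line whose hash uses a weak scheme, else None."""
    user, _, rest = line.strip().partition(":")
    hashval = rest.split(":", 1)[0]
    if hashval in ("", "*") or hashval.startswith("!"):
        return None  # locked or disabled account: nothing to crack
    # The "$id$" prefix names the scheme; descrypt hashes have no prefix at all.
    scheme = (re.match(r"^\$[^$]+\$", hashval) or [""])[0]
    if scheme in WEAK_SCHEMES:
        return f"{user}: hash uses {WEAK_SCHEMES[scheme]}; rehash with sha512crypt or yescrypt"
    return None

def audit_sudoers_line(line):
    """Return a finding for a sudoers rule that grants a pager-capable command, else None."""
    rule = line.split("#", 1)[0].strip()
    if "=" not in rule or rule.lower().startswith("defaults"):
        return None
    who, _, spec = rule.partition("=")
    spec = re.sub(r"^\s*\([^)]*\)\s*", "", spec)  # drop the (runas) part
    spec = re.sub(r"\b(?:NO)?(?:PASSWD|EXEC|SETENV):\s*", "", spec)  # drop tag list
    for cmd in spec.split(","):
        tokens = cmd.split()
        if tokens and tokens[0].rsplit("/", 1)[-1] in PAGER_COMMANDS:
            return (f"{who.strip()}: sudo grants {tokens[0]}, which opens an interactive "
                    "pager; wrap it with --no-pager or a non-interactive script")
    return None

def run_audit(shadow_lines, sudoers_lines):
    """Apply both checks and return the non-empty findings."""
    findings = [audit_shadow_line(l) for l in shadow_lines]
    findings += [audit_sudoers_line(l) for l in sudoers_lines]
    return [f for f in findings if f]

# Constructed sample input; only david's md5crypt hash is taken from the box.
SHADOW = ["root:$6$abcdef$placeholderhash:18600:0:99999:7:::",
          "david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/:18600:0:99999:7:::",
          "sshd:*:18600:0:99999:7:::"]
SUDOERS = ["Defaults env_reset", "root ALL=(ALL:ALL) ALL",
           "ops ALL=(ALL) NOPASSWD: /usr/bin/journalctl -n 5 -u webapp.service"]

if __name__ == "__main__":
    for finding in run_audit(SHADOW, SUDOERS):
        print(finding)
```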