Machine - Traverxec - Retired - Easy

IP=10.10.10.165

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-title: TRAVERXEC
|_http-server-header: nostromo 1.9.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Exploration
fuzz
human
http-enum
exploit

searchsploit shows that there is a remote code execution on nostromo 1.9.6…

www-data to…
  • there is a user named david
  • no suid
  • uname Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux
  • debian 10
  • processes
  • found this hash david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
    • Nowonly4me
  • the folder in ~david is visible by www-data
  • there is a copy of the id_rsa
david to root
uid=1000(david) gid=1000(david) groups=1000(david),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

there is a video… let's capture the frame

cat /dev/fb0 > file.raw
cat /sys/class/graphics/fb0/virtual_size   # to know the size
with https://rawpixels.net/ we can see the image

video doesn’t seem to give us anything…

dip is for controlling the dial up (modem)

plugdev

netdev

there is a script that we can run as sudo…

it is journalctl, which spawns a less pager
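
The sudo/journalctl finding above, seen from the admin side: an added example (not part of the original notes) that audits sudoers rules for commands that hand their output to a pager without `--no-pager` or the `NOEXEC` tag. The users, units and paths in the sample are constructed, and the parser is simplified (no alias expansion, no include files).

```python
import re

# journalctl and systemctl pipe output to a pager (less) on a terminal
# unless --no-pager is given; under sudo that pager runs as the target user.
PAGER_SPAWNERS = {"journalctl", "systemctl"}

# Constructed sample sudoers rules (users, units and paths are illustrative).
SAMPLE_SUDOERS = r"""
# constructed sample
alice ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -u web.service
bob   ALL=(root) NOPASSWD: NOEXEC: /usr/bin/journalctl -n5 -u web.service
carol ALL=(root) /usr/bin/journalctl --no-pager -u web.service
dave  ALL=(ALL) NOPASSWD: /usr/bin/id, /usr/bin/systemctl status web.service
"""

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")


def audit_sudoers(text):
    """Return (user, command, nopasswd) for rules that can reach a pager as the target user."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        user, spec_list = m.groups()
        noexec = nopasswd = False
        # Tags are inherited by later commands in the same comma-separated list.
        for spec in re.split(r"(?<!\\),", spec_list):
            tags, cmd = TAGS.match(spec.strip()).groups()
            for tag in re.findall(r"[A-Z_]+", tags):
                if tag in ("NOEXEC", "EXEC"):
                    noexec = tag == "NOEXEC"
                elif tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
            argv = cmd.split()
            name = argv[0].rsplit("/", 1)[-1] if argv else ""
            if name in PAGER_SPAWNERS and not noexec and "--no-pager" not in argv:
                findings.append((user, cmd, nopasswd))
    return findings


if __name__ == "__main__":
    for user, cmd, nopasswd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} (NOPASSWD={nopasswd})")
```

Rules it reports can be tightened by adding `--no-pager` to the permitted command line or the `NOEXEC` tag to the rule.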