Traverxec, a Linux box created by HackTheBox user jkr, was an overall easy difficulty box. The initial enumeration exposes that the web server is vulnerable to a directory traversal to RCE attack, using which we can get a reverse shell as www-data. Later we enumerate and find the public_www folder, which contains the user david's SSH key, using which we can get user. Privilege escalation on this box was a very simple GTFOBins one.
# Nmap 7.80 scan initiated Mon Nov 25 11:47:35 2019 as: nmap -sC -sV -oN nmap/traverxec 10.10.10.165
In the nmap scan we see nostromo 1.9.6 is running on port 80. Looking in searchsploit/exploitdb we find it has an exploit which can give us a meterpreter shell. Exploiting that we get a shell as www-data. Running LinEnum on the box we find something which definitely stands out.
[-] htpasswd found - could contain passwords: /var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
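Before cracking it, the defender-side view of that finding. The script below is an added example and is not part of the writeup: it parses htpasswd entries, classifies the hash scheme from its prefix, and flags schemes that are cheap to crack offline. The scheme table and the weak/strong labels are my own; the sample file is constructed, except for the david line, which is the entry LinEnum reported on this box.

```python
# Added example, not part of the writeup: classify the hash scheme of each
# htpasswd entry so a defender can spot entries that are cheap to crack
# offline. Sample lines are constructed except the david entry from the box.
import re

# (prefix, scheme, weak). Prefixes follow the formats htpasswd(1) can emit
# plus the common crypt(3) schemes; which ones a given server accepts varies.
SCHEMES = [
    ("$2y$", "bcrypt", False),
    ("$2b$", "bcrypt", False),
    ("$2a$", "bcrypt", False),
    ("$6$", "sha512crypt", False),
    ("$5$", "sha256crypt", False),
    ("$apr1$", "apr1-md5", True),   # Apache MD5 variant, fast to brute-force
    ("$1$", "md5crypt", True),      # the scheme used on this box
    ("{SHA}", "sha1", True),        # unsalted SHA-1, trivially cracked
]
DESCRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")


def classify_entry(entry):
    """Return (user, scheme, weak) for one 'user:hash' line."""
    user, sep, digest = entry.strip().partition(":")
    if not sep or not user:
        raise ValueError(f"not an htpasswd entry: {entry!r}")
    for prefix, scheme, weak in SCHEMES:
        if digest.startswith(prefix):
            return user, scheme, weak
    if DESCRYPT_RE.fullmatch(digest):
        return user, "descrypt", True  # classic 13-char DES crypt, 8-char password limit
    return user, "unknown", True       # unknown means unverified; treat as weak


def audit_htpasswd(text):
    """Audit a whole file; returns one finding per weak entry, in file order."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        user, scheme, weak = classify_entry(line)
        if weak:
            findings.append(f"{user}: {scheme} is crackable offline, rehash with a slow scheme")
    return findings


# Constructed sample .htpasswd; only the david line is from the box.
SAMPLE = """\
# constructed sample
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
ops:$2y$10$abcdefghijklmnopqrstuuZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
legacy:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(finding)
```

The point of the audit is that md5crypt with a rockyou-class password falls to a wordlist run in seconds, which is exactly what happens next in this writeup; the fix is rehashing with a slow scheme and treating the file as a secret (it was world-readable to www-data here).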
Cracking the password with John the Ripper:
john --wordlist=/usr/share/wordlists/rockyou.txt traver.hash
we find the password is Nowonly4me, but we'll find that it won't work for either SSH or su'ing to david. If we dig around a little more in the /var/nostromo/conf/ folder and cat nhttpd.conf:
www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
We see that /home is the home directory and there is a public_www folder. If we look at /home/david/ we get permission denied; however, if we look at /home/david/public_www we see some files, including a protected-file-area folder which contains the backup-ssh-identity-files.tgz archive.
Copying it to our system and extracting it with
tar -xvzf backup-ssh-identity-files.tgz
we find an encrypted id_rsa.
Cracking the password for the id_rsa using john, by first converting id_rsa to a hash using ssh2john.py, we get the password as
Using these credentials we can SSH to the box as david and grab the user flag.
We see there is a bin folder inside david's home directory; looking inside it we find only one script, server-stats.sh. Catting that file we see:
david@traverxec:~/bin$ cat server-stats.sh
Examining and running it we see it's basically just outputting a header (the other file in the bin directory) and a bit of information about the server. The last line of this script is the most important. We see it is running sudo and then journalctl; this means journalctl is running with elevated privileges, so if we can figure out a way to bend that to our will we will have root.
However, we don't seem to be able to change any of the arguments. When we run anything other than sudo journalctl -n5 -unostromo.service we are asked to supply a password.
If we look at GTFOBins for journalctl we see an important bit of information. So journalctl is using less to write to the screen, and if we follow the link we see that we can break out of less into an interactive shell.
Using the above information we can break out of less and get an interactive shell as root.
Note: you might need to resize (shrink) your terminal so that the output does not fit on one screen and less stays open.
After getting the root shell we can grab the root flag, and we have pwned the box.
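The root of this escalation is a sudo rule that permits a command which hands its output to a pager. The script below is an added example, not from the writeup: it parses sudoers rules and reports permitted commands that will spawn a pager unless a suppressing option is present. The parser handles one command spec per rule, the list of pager-spawning commands is my own, and the sample rules are constructed (the first is in the shape that server-stats.sh implies, not a copy of the box's sudoers).

```python
# Added example, not from the writeup: audit sudoers rules for permitted
# commands that hand their output to a pager. Rules below are constructed.
import os

# command -> option that suppresses the pager, or None when the command is
# itself an interactive pager/editor and cannot be made safe with an option.
PAGER_COMMANDS = {
    "journalctl": "--no-pager",
    "systemctl": "--no-pager",
    "git": "--no-pager",
    "man": None, "less": None, "more": None, "vi": None, "vim": None,
}


def parse_rule(line):
    """Parse one 'user host=(runas) TAG: command args' sudoers line.
    Single command spec per rule; returns None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line or "=" not in line:
        return None
    left, _, right = line.partition("=")
    user = left.split()[0]
    right = right.strip()
    runas = "root"                     # sudo's default when no (runas) is given
    if right.startswith("("):
        runas, _, right = right[1:].partition(")")
        runas = runas.split(":")[0].strip() or "root"
    tokens = right.split()
    tags = []
    while tokens and tokens[0].endswith(":"):   # NOPASSWD:, SETENV:, ...
        tags.append(tokens.pop(0)[:-1])
    return {"user": user, "runas": runas, "tags": tags, "argv": tokens}


def pager_finding(rule):
    """Return a finding string if the permitted command will spawn a pager."""
    argv = rule["argv"]
    while argv and os.path.basename(argv[0]) == "sudo":   # 'sudo sudo cmd' rules
        argv = argv[1:]
    if not argv:
        return None
    if argv == ["ALL"]:
        return f"{rule['user']} may run ALL as {rule['runas']}"
    prog = os.path.basename(argv[0])
    if prog not in PAGER_COMMANDS:
        return None
    suppress = PAGER_COMMANDS[prog]
    if suppress and suppress in argv[1:]:
        return None
    fix = f"add {suppress} to the permitted command" if suppress else "do not permit this command"
    return f"{rule['user']} may run {prog} as {rule['runas']}; it spawns a pager ({fix})"


def audit_sudoers(text):
    """All findings for a sudoers file, in file order."""
    rules = (parse_rule(line) for line in text.splitlines())
    return [f for f in (pager_finding(r) for r in rules if r) if f]


# Constructed rules; the first has the shape server-stats.sh implies.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
david   ALL=(ALL) NOPASSWD: /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
backup  ALL=(ALL) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
ops     ALL=(ALL) NOPASSWD: /usr/bin/systemctl status nostromo.service
www     ALL=(ALL) NOPASSWD: /bin/cat /var/log/nostromo/access.log
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

The fix belongs in the rule, not just the script: sudo's default env_reset drops SYSTEMD_PAGER and PAGER, so exporting them in server-stats.sh would never reach the privileged journalctl. Permitting `journalctl --no-pager ...` (and changing the script to match, since the arguments must be exact) removes the pager entirely.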
If we couldn't think of a way to access the file and got stuck, and tried looking at 10.10.10.165/david/ to no avail: as with all things when we are stuck or frustrated, let's RTFM. Looking up the documentation for nostromo, which we can find at http://www.nazgul.ch/dev/nostromo_man.html, we see the following.
We can see we can access david's homedir from http://10.10.10.165/~david/, and http://10.10.10.165/~david/protected-file-area/ asks for creds; trying david:Nowonly4me gives us access to the archive.
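To make the homedirs behaviour concrete (both the nhttpd.conf finding earlier and the /~david/ URL here), the script below is an added example, not the writeup's or the nostromo project's code: it parses an nhttpd.conf, reports what the homedirs settings expose, and translates a /~user/... request into the filesystem path it reaches, refusing normalised paths that escape the served directory. The key names homedirs and homedirs_public come from the nostromo man page linked above; the URL-to-path mapping is my reading of that page and is an assumption, and the sample config is constructed apart from the values the writeup observed.

```python
# Added example, not from the writeup or nostromo: parse nhttpd.conf and
# show what its homedirs settings put on the web. The mapping below is an
# assumption based on the nostromo man page, not the server's own code.
import posixpath


def parse_nhttpd_conf(text):
    """nhttpd.conf is one 'key value' per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def homedir_findings(conf):
    """Defender view: what does the homedirs feature expose, and to whom?"""
    if "homedirs" not in conf:
        return []
    base = conf["homedirs"]
    public = conf.get("homedirs_public")
    if public:
        return [f"/~<user>/ serves {base}/<user>/{public}/ for every local user"]
    return [f"/~<user>/ serves the whole of {base}/<user>/ (no homedirs_public set)"]


def map_request(conf, url_path):
    """Translate a /~user/... request to the path it reaches on disk.
    Returns None when homedirs is off, the URL is not a ~user URL, or the
    normalised path escapes the served directory (a traversal attempt)."""
    if "homedirs" not in conf or not url_path.startswith("/~"):
        return None
    user, _, rest = url_path[2:].partition("/")
    base = posixpath.join(conf["homedirs"], user)
    if conf.get("homedirs_public"):
        base = posixpath.join(base, conf["homedirs_public"])
    target = posixpath.normpath(posixpath.join(base, rest))
    if target != base and not target.startswith(base + "/"):
        return None   # '..' segments walked out of the served directory
    return target


# Constructed sample; serverroot, homedirs and homedirs_public match what the
# writeup observed on the box, the other values are placeholders.
SAMPLE_CONF = """\
servername   traverxec.htb
serverroot   /var/nostromo
docroot      /var/nostromo/htdocs
homedirs         /home
homedirs_public  public_www
"""

if __name__ == "__main__":
    conf = parse_nhttpd_conf(SAMPLE_CONF)
    for finding in homedir_findings(conf):
        print(finding)
    print(map_request(conf, "/~david/protected-file-area/"))
```

Run against the sample, the report shows why the earlier permission-denied on /home/david was no obstacle: the web server reads public_www as the user, so anything placed there (here, a backup of SSH keys behind a reused password) is reachable by every client that knows a username. Disabling homedirs, or keeping backups out of any directory the server is configured to publish, is the configuration-level fix.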