Traverxec Writeup | HackTheBox

This is the writeup of HackTheBox machine Traverxec.

Nmap scan:

Ports 22 and 80 are open.

On web port 80, nostromo 1.9.6 is running, which is vulnerable to RCE.

I used the exploit 47837.py to get a shell as www-data. After enumerating the nostromo directory, I found the nhttpd.conf file, which mentions homedirs.

After some guessing and trying, I found the exact location where I can access files, “/home/david/public_www”. Going to this directory, I found user david's protected-file-area, copied backup-ssh-identity-files.tgz to the /tmp directory, and extracted it using tar.

tar zxvf backup-ssh-identity-files.tgz

In the nostromo directory I also found a .htpasswd file which has david's hash. I tried brute-forcing it and got the password, but was not able to log in using ssh.

After that, I tried decrypting david's id_rsa using ssh2john and brute-forcing it using john, and got the password of user david.

ssh2john ssh_key > ssh.hashes
john ssh.hashes --wordlist=rockyou.txt

I set the permissions on the key and used it to log in as user david using ssh.

chmod 600 ssh_key
ssh -i ssh_key [email protected]

After logging in, I found the server-status.sh file in the /home/david/bin directory. Looking at its content, I found that it runs journalctl with sudo, which means user david can run journalctl as root. I confirmed it by running it with sudo. Looking on GTFOBins, I found that I can spawn a shell, but the command is somewhat tricky.

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

It runs journalctl and outputs only 5 lines because of the -n5 flag. We can shrink the terminal row size to less than 5, and then it will give us a prompt to execute commands.

Setting row size to 2

stty rows 2

Then run the sudo command; after that, press ! and type /bin/bash to spawn a shell as root.

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service

Rooted. If you have any questions, comment below.
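
The root step above depends on a sudo rule that lets journalctl start its pager as root. The following is an added example, not part of the original writeup: a heuristic audit that flags sudoers rules for pager-capable systemd tools unless the rule carries sudo's NOEXEC tag or pins journalctl's --no-pager option. The sudoers lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: heuristic audit of sudoers rules for pager shell escapes.
# systemd tools that start a pager when stdout is a terminal.
PAGER_BINS="journalctl systemctl"

# classify_rule RULE -> prints RISK or OK for one sudoers rule line.
classify_rule() {
    r=$1
    case $r in
        *NOEXEC:*) echo OK; return 0 ;;   # sudo stops the pager from exec'ing a shell
    esac
    for bin in $PAGER_BINS; do
        case $r in
            *"/$bin "*|*"/$bin")
                case $r in
                    *--no-pager*) echo OK ;;   # pinned argument: no pager starts
                    *) echo RISK ;;
                esac
                return 0 ;;
        esac
    done
    echo OK
}

# audit_rules: read rules on stdin, print only the risky ones.
audit_rules() {
    while IFS= read -r rule; do
        case $rule in ''|'#'*) continue ;; esac
        if [ "$(classify_rule "$rule")" = RISK ]; then
            printf '%s\n' "$rule"
        fi
    done
    return 0
}

# Constructed sample rules (not taken from the machine's sudoers file).
sample_rules() {
    cat <<'EOF'
# constructed examples
david ALL=(ALL) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
david ALL=(root) NOPASSWD: NOEXEC: /usr/bin/journalctl -n5 -unostromo.service
david ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
%ops ALL=(root) /usr/bin/systemctl
backup ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
}

sample_rules | audit_rules
```

A rule with no arguments, like the systemctl line, is flagged because sudoers then accepts any arguments, so the caller is free to leave the pager enabled.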
