HackTheBox Writeup — Traverxec

Hello guys, I am Faisal Husaini. My username on HTB is “kNgF”. Also join me on Discord.

The IP of this box is 10.10.10.165

Running masscan on it, we get

masscan -p1-65535,U:1-65535 10.10.10.165 --rate=200 -e tun0

Running NMAP against the open ports

Port 22 running OpenSSH 7.9p1 and Port 80 running nostromo 1.9.6

Moving to the Web Part

Opening the IP in the browser

We see a webpage related to web development, but since we saw that the web server is nostromo 1.9.6, I went looking for known exploits for it

We see two exploits, one of them available as a Metasploit module, so we will use that one for convenience

Launching Metasploit and searching for the module

Checking and setting the required options

Now we run the exploit command

We got a shell on the box as www-data, but since this shell is unstable, I went for a somewhat more stable one using a bash one-liner reverse shell command

Looking back at the netcat listener

Looking further inside, we find a folder for nostromo

Here we went into the conf folder of nostromo, and upon looking at the nhttpd.conf file we see that there is a .htpasswd file in the conf folder

We got a hash along with the username david; looking up the hash type on the hashcat website

We see that it is md5crypt or MD5(Unix). Since we now know the mode to use, which is 500, I will use hashcat to crack it

We cracked the password, which is Nowonly4me. Trying to log in as the user david with it

We see that it fails. Remember that in the config file above we saw a public_www directory listed as homedir_public

If you go to the home directory of user david

We see that we can't list the contents of the folder, but if we try to access the public_www folder inside it

We got into that folder, and there is one more folder named protected-file-area, so we try to access that

We see two files named .htaccess and backup-ssh-identity-files.tgz

There is a message in the .htaccess file; checking the type of the other file

We see it's a gzip compressed file, so we will bring it to our box

Here we used base64 encoding to transfer the file to our box, and now we can work on it

Here we decompressed the gzip tar file and we see that it contains SSH keys

We see that the ssh key is encrypted, so we will have to crack the passphrase

Now we crack it using John

We cracked it successfully and got the passphrase as hunter

We logged in successfully, and now it is time to get the user flag

Moving on to the priv esc part

Looking into the directory of the user david

We see a folder named bin in the home directory of user david, and inside that folder are two files, one of them being a bash script

We see that the last line uses sudo, but when we try sudo ourselves

It asks for a password, which we don't have, but when we run the command from the last line

Looking at GTFOBins, I figured out that we could exploit the journalctl binary if it gives us a prompt, but for that we need to change our terminal to a tty

We see we get a prompt at the end of the output, so now we abuse it to get a shell

After pressing enter

We got root!!! Root flag in the usual place as always
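The root step above works because journalctl hands its output to a pager when it runs on a tty, and a pager started via sudo can spawn a shell. From the defender's side, the fix is to never grant sudo on pager-spawning binaries without the pager disabled. The following audit is an added example, not code from the writeup or the box; the sudoers lines it checks are constructed for the demo, since the writeup does not show the real rule.

```python
import re

# Constructed sudoers fragment for the demo; the writeup does not show the rule
# on the box itself, so these lines are illustrative only.
SAMPLE_SUDOERS = """
Defaults env_reset
%sudo ALL=(ALL:ALL) ALL
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service   # pager escape
david ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
backup ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /backup/
"""

# Commands that hand the terminal to a pager (less by default) once their output
# exceeds the screen; a pager started under sudo can spawn a shell as the target user.
PAGER_SPAWNERS = {"journalctl", "systemctl", "man", "less", "more", "git"}
NO_PAGER_FLAG = {"journalctl": "--no-pager", "systemctl": "--no-pager", "git": "--no-pager"}
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC):\s*")

def audit_sudoers(text):
    """Return (user, command, reason) for each rule that lets a user run a
    pager-spawning command as root without the pager disabled."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = RULE_RE.match(line) if line and not line.startswith(SKIP) else None
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        for cmnd in m.group("spec").split(","):
            cmnd, tags = cmnd.strip(), set()
            while (t := TAG_RE.match(cmnd)):  # peel off NOPASSWD: and friends
                tags.add(t.group(1))
                cmnd = cmnd[t.end():]
            parts = cmnd.split()
            name = parts[0].rsplit("/", 1)[-1] if parts else ""
            if name not in PAGER_SPAWNERS or runas not in ("root", "ALL"):
                continue
            flag = NO_PAGER_FLAG.get(name)
            if flag and flag in parts[1:]:
                continue  # sudo matches listed arguments exactly, so the flag is enforced
            note = " without a password" if "NOPASSWD" in tags else ""
            findings.append((m.group("user"), cmnd, f"{name} can drop into a pager on a tty{note}"))
    return findings

if __name__ == "__main__":
    for user, cmnd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmnd!r} -> {reason}")
```

Only the first david rule is reported; the second passes because `--no-pager` is part of the rule and sudo requires the listed arguments verbatim.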

Overall a big troll at the end :)
