Traverxec is the first hackthebox machine that I am doing a writeup on. It's a fairly simple linux box. Starts with a normal webserver to exploit then we go on to a directory readable by www-data and enumerate from there to gain user and find more useful information to gain root eventually. The I.P for the machine is 10.10.10.165'
The first and most common step for every recon part is Nmap. It's a very useful tool for finding the port of entry and therefore we are going to use that. Just do a normal nmap -A -T4 10.10.10.165 on the machine and you'll get some interesting results''
So from the nmap results we can see that it has port 22 open and port 80 open. Port 22 is an ssh service and port 80 is a http webserver. When we go on the website we will find that it's just a normal website owned by some guy named david and it has nothing interesting there. However there is something interesting about the webserver. It caught my eye because most web servers I see are Apache servers but the Nostromo was a weird one. So i looked it up and fair enough I found that the version of Nostromo that it uses is vulnerable. There is a script out there we can use but for saving time I used metasploit.'
In metasploit there is already a exploit for the nostromo server. You can find it in /multi/http/nostromo_code_exec. So that's the exploit we'll use. I used a payload of linux/x86/shell/reverse_tcp after setting the target to Linux, because we know it's running a Linux. We set LHOST to our IP in the htb vpn, which is 10.10.15.127 for our case and then we set RHOST to the machine IP. And after that We should be able to run the exploit and gain a shell. The metasploit options are shown below'''
So after running the exploit we'll gain shell to www-data. We can set it up to run bash and then export TERM=xterm to be able to use some options like clear.etc. The first thing I did after gaining access to www-data is to go to the tmp directory and then downloading the LineEnum.sh script onto it. The LineEnum script can be found by google and it basically does a enumeration and finds possible passwords or weak points. You're not allowed to download anything from normal websites for some reason, so i just transfered it from my machine to the htb machine. I set up a webserver with the LineEnum.sh script in it and then used wget on the htb machine to get the LineEnum script.''
After running the LineEnum script we can see that it found a hash for a david at /var/nostromo/conf/.htpasswd. It's the htaccess password for david and I used john to crack the hash and tried sshing to david with it but it didn't work(obviously because it's a htpasswd password not a ssh one). I looked around the location of that folder and found a nhttpd.conf file
If we look through that file we can find something very useful. It has the location of the public folder. The name of the folder is public_www and it's located in /home, which is the home directory for david'
Once we go to that directory we'll notice everything is private and we can't look at the directories. However if we cd to public_www, we are able to go into it. In there we can see a index.html file and a protected-file-area. The protected-file-area directory looked interesting so I went into there and found a backup-ssh-identity-files.tgz file. I downloaded that file onto my machine to decrypt it.''
after untarring/unzipping the tgz file, we find that it contains an ssh key. I used ssh2john.py script that can be found by googling to turn it into a format that johntheripper can crack. I then cracked the password with john to get the password hunter
After that it's fairly straightforwad. I sshed using the id_rsa into david@10.10.10.165 and then put in hunter as the password'
And then we gained access to david. We can see that it contains some files which we'll exploit to gain root. Also the user.txt contained the hash to complete the User for HTB'
This was easy
Gaining root was fairly easy. All that needed to be done is look through the server-stats.sh script from david's folder. The most interesting thing from there is the fact that journalctl is being run as root. So if you look up gtfobins for journalctl, you can find ways to gain root through that. I tried running that command but it just catted out some useless server stats, however i removed the pipe to cat and ran it again and noticed it spawned a less command. I then typed v to go into edit mode thorugh vi and entered !sudo -s to gain root shell. After that i just looked through root.txt to gain the root password. And that's all, Traverxec has been rooted''
