TRAVERXEC [HackTheBox] HTB

Musyoka Ian
5 min read · Apr 11, 2020

Hello guys, Traverxec is going to be retired today, so I decided to do a walkthrough of how I exploited the box. The box was rated easy and is good for beginners to practise pentesting skills. The box had the IP address 10.10.10.165. For the initial foothold we had to exploit a web server that was vulnerable to remote code execution and get a reverse shell back to our machine. For root, the user David had the privilege to execute journalctl as root, and we leveraged that to get root on the box. With that said, let’s jump in.

First we are going to perform a port scan on the box using Nmap.

Looking at the results, we have only two ports open: secure shell (SSH) and hypertext transfer protocol (HTTP), which is used mainly by websites. Since websites have the biggest attack surface, I started by enumerating port 80. I opened the website and found it was a simple site, and from it we might have found a username that could be useful in a later stage of exploitation.

Before doing any directory brute forcing I decided to read the documentation of the nostromo web server, since I had never heard of it, and found that it is also called nhttpd and is a simple, fast and secure HTTP server that runs as a single process. I did a searchsploit on it and found that this specific version had a publicly available remote code execution exploit; the CVE is CVE-2019-16278.

I copied the exploit to my current working directory and executed it. The arguments the script requires are the IP address, the port and the command to be executed, which in my case was whoami.

And we get command execution, since it brought the results back to us as www-data. What we have to do next is get a reverse shell.

And we have a shell as www-data. After doing manual enumeration we found that the box has another user called David, and we must escalate our privileges to become David. I uploaded a script called linpeas (in my opinion the best script), which automates the process of finding privilege escalation vectors, and we find an odd directory in /tmp/test that has an SSH private key.

The key seems to belong to David and it appears to be a backup of the /home/david/.ssh directory. Looking at the key, it appears to be encrypted, so we have to brute force the passphrase using John the Ripper. I copied the key back to my box and used ssh2john, a tool that converts the key into a hash format that John the Ripper can understand and crack. I used the rockyou wordlist to crack the private key hash, and after a few seconds the passphrase was cracked: it was hunter.

Now we can log in to the box as David using the private key. Remember to give the private key the appropriate permissions for it to work.

Now we are the user David on the box, and we have to escalate our privileges to root. Looking at David’s home directory, there was a folder called bin, and inside it there was a bash script called server-stats.sh. I decided to cat the file and see its contents.

The last command in the bash script is run as root, and it executes journalctl, which is used to read log files. I executed the command and it seems I can run it as root. Breaking down the command:

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

The first part executes journalctl as root.

The second part reads only the last 5 lines of the log file, and the results are piped to the cat command. I removed the command that ran after the pipe and the command still executed, which meant I could read the output directly in journalctl, and from there I could also execute code; knowing that, I used GTFOBins to get a root shell.
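The escalation above works because journalctl hands its output to a pager (less by default) when nothing is piped after it, and a sudo rule pinned to one journalctl command line still lets that pager run as root. As an added example that is not part of the original post, here is a small Python audit that flags sudoers rules of that shape; the sudoers lines are constructed samples, not the box’s real configuration.

```python
"""Audit sudoers rules for commands that may open an interactive pager as root."""
import re

# Constructed sample sudoers content (not taken from the box). The first rule
# mirrors the shape of the one in the write-up, the second is a hardened variant.
SAMPLE_SUDOERS = """\
Defaults env_reset
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
alice ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -u nostromo.service
bob ALL=(ALL) ALL
"""

# user  host=(runas)  [NOPASSWD:]  command list
RULE_RE = re.compile(r"^(\S+)\s+\S+=\((\S+)\)\s*(NOPASSWD:\s*)?(.+)$")

# systemd tools that page their output through $PAGER / less unless told not to
PAGER_BINS = ("journalctl", "systemctl")


def audit_sudoers(text):
    """Return a list of (user, runas, command, reason) for risky rules."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, runas, _nopasswd, cmds = m.groups()
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((user, runas, cmd, "unrestricted ALL"))
            elif binary in PAGER_BINS and "--no-pager" not in cmd:
                # sudo pins the argument string, but the pager still runs as runas
                reason = f"{binary} may spawn a pager (add --no-pager or set SYSTEMD_PAGER=cat)"
                findings.append((user, runas, cmd, reason))
    return findings


if __name__ == "__main__":
    for user, runas, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user} -> ({runas}) {cmd}: {reason}")
```

Run it against a copy of /etc/sudoers and /etc/sudoers.d/* on a host you administer; the fix for the flagged rule is to pin `--no-pager` into the allowed command line or to force a non-interactive pager through the environment.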

And finally we get root on the box. Now it’s time to submit both the user and root flags.

This was the first box I ever solved on Hack The Box, and from the write-up I am sure you’ve learnt something new. Until next time, stay safe.
