HackTheBox Write-up — Traverxec

Hack the Box is an online platform where you can practice your penetration testing skills. This is my write-up for the recently retired HackTheBox machine ‘Traverxec’, which is an ‘Easy’ rated machine and runs a Linux OS.

1. Traverxec Info Card.

1. Summary

The initial foothold on this box involves exploiting a directory traversal remote command execution vulnerability in the open-source web server nostromo v1.9.6 (CVE-2019–162780) via Metasploit. To escalate our privileges from www-data we compromise ‘protected’ web directories to obtain a RSA private key, which we can use to login as David via SSH. Finally, to obtain root we modify a shell script running with sudo privileges to use ‘less’ instead of ‘cat’ to output the scripts results, which allows us to execute a simple bash command to escalate to root.

2. Enumeration and Initial Foothold (www-data)

I ran a standard Nmap port scan to identify the running services and open ports on this machine, enabling safe scripts (-sC) and service detection (-sV).

2. Traverxec Nmap Port Scan Results.

The results show SSH on port 22 and a web application running on port 80, along with the web server (and version) in use. After inspecting the web application, the functionality was extremely limited. However, after looking at the URL paths for the portfolio images at the bottom of the web page, I noticed they were redirecting me to a different URL shown below.

3. Confirming Nostromo 1.9.6 Web Server.

This further confirmed that the Nmap results regarding the web server version was correct and I proceeded to research available exploits. I found an applicable exploit on exploit-db that exploits CVE-2019–16278, which is a directory traversal remote command execution vulnerability. This was available as a Metasploit module so I opened up msfconsole, stuck with the default payload and set the required parameters.

4. CVE-2019–16278 Exploitation in Metasploit.

After running the exploit with these parameters, we gain the initial foothold on the box as www-data. I also used a python one-liner to upgrade my shell.

4. Initial Foothold (www-data) and Shell Upgrade.

2. User Shell — David

After running a Linux Enumeration script, the notable information from the results were:

  • Another user account on the system — ‘David’
  • A potential HTTP password hash for David in an accessible file (.htpasswd) within the /var/nostromo/conf/ directory.

Although many HackTheBox members expressed that they had cracked the hash found in the .htpasswd file and made use of it, I didn’t crack this hash myself, I tried Hashcat and John in numerous ways and neither would work.

I moved passed the .htpasswd file and explored the nostromo web server’s configuration directory. After reading the nhttpd manual online and inspecting the nhttpd configuration file, I realised that there were hidden directories on the web application and potentially in David’s home directory. However, after inspecting this I was only able to access ‘David’s’ private space and no further without authentication, which is what I guess the .htpasswd is for.

5. Interesting Directories in Nostromo Configuration File.
6. David’s Private Web Directory

I proceeded to David’s home directory within the terminal and was permitted access, however, when trying to issue commands such as ‘ls’ I received a permission denied. I tried to change directory into the directory specified in the nhttpd.conf file (i.e. /public_www) directly and was successful in obtaining access, after which ls was no longer denied. After moving down the available directories we find a Unix TAR archive file that contains David’s private RSA key. I moved these to my local machine and extracted them.

7. Obtaining David’s RSA Private Key.

After passing David’s RSA private key (id_rsa) through ssh2john to convert the RSA private key to a format that john can use, john cracks the SSH passphrase and returns the plaintext passphrase as ‘hunter’.

8. Converting and Cracking David’s RSA Private Key.

Following this, we log in as David through SSH and obtain the user.txt file.

9. User Shell (David) and User.txt.

3. Root

Inspecting David’s home directory, I found an executable shell script (~/bin/server-stats.sh) that was executing ‘sudo’ and then the ‘journalctl’ command, which was piped to ‘/usr/bin/cat’, to output some server statistics. However, after some research it appeared that ‘journalctl’ may be being piped to ‘/usr/bin/cat’ to increase security, as the default pager for ‘journalctl’ is ‘/usr/bin/less’ which can be used to elevate a user’s privileges to root if used with the ‘sudo’ command through a command execution vulnerability.

10. Changes to ~/bin/server-status.sh script.

After executing the modified script all that was required was to type ‘!/bin/bash’ whilst within ‘less’ and press Enter to elevate to root.

11. Executing Modified Script, Root Shell and Root.txt

4. Conclusion

This was the first box I ever attempted on HackTheBox and I thoroughly enjoyed the challenges this machine presented. It placed a good emphasis on enumeration and further research to be able to understand the capabilities of nostromo and nhttpd which allows you to progress. Whilst I found all stages of this box relatively easy, gaining root access was a bit frustrating at first but once I took a break I cracked it instantly.

Keep an eye out for my future write-ups!

MSc Cyber Security Student at Lancaster University. Mostly posting CTF writeups from HackTheBox, TryHackMe and VulnHub.