Traverxec-HTB-Writeup

Faris
Jul 7, 2021

So today I am gonna make a writeup about the Traverxec machine on the HackTheBox platform.

Scanning

After running nmap scan we got these results

NMAP Scan

After reading the results carefully we can see that the web server is running nostromo 1.9.6 on port 80.

I already know that nostromo 1.9.6 is vulnerable.

So we can get a shell using CVE-2019-16278 or with Metasploit.

After using Metasploit to exploit the target we successfully got a shell as www-data.

After searching in the files I found the nhttpd.conf file in /var/nostromo/conf

And it says that the htpasswd is in /var/nostromo/conf/.htpasswd … let’s check it.

Cool, we got the hashed password for the user david, let’s crack it

hashcat -m 500 --force david-hash.txt /usr/share/wordlists/rockyou.txt
cracked password

After waiting for a long time, here is what I got: **Nowonly4me**. Let’s see how we can use this password…

I tried logging in via ssh as david with this password but it didn’t work.

I searched again and found that we can change directory to /home/david/public_www

and found 2 files there, index.html and protected-file-area.

We found the backup-ssh-identity-files.tgz file in the protected-file-area. I tried to unpack it but I failed, so I transferred it to the attacking machine and tried again.

ssh files

Bingo… we got ssh keys but unfortunately they were encrypted, so we are gonna use john to decrypt them

cracked ssh

It was faster this time and now we can log in as david using the id_rsa file

first flag

We got the first flag, now it’s time to escalate to root.

Personally, searching for capabilities and SUIDs is the first step.

I didn’t find any capabilities but I found this in SUID:

find / -user root -perm /4000 2>/dev/null

We can see bash here. By running this command, congrats, we are root now:

/usr/bin/bash -p
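
The same SUID search works as a defensive audit that calls out shells and interpreters such as the bash found above. This is an added example, not part of the original writeup; the function names audit_suid and count_alerts and the list of flagged names are assumptions.

```shell
#!/bin/sh
# Added example: audit a directory tree for set-UID files and flag any
# that are shells or interpreters (a set-UID root bash gives root to
# every local user, as in the step above).

# Assumption: basenames treated as shells/interpreters. Extend as needed.
SUID_SHELL_NAMES="bash sh dash zsh ksh csh tcsh fish python python2 python3 perl ruby"

# audit_suid DIR [OWNER]
# Prints one line per set-UID regular file owned by OWNER (default: root):
#   "ALERT <path>"  the file is a shell or interpreter
#   "INFO <path>"   any other set-UID file, to compare with a known baseline
# -perm -4000 matches the same files as the writeup's -perm /4000 because
# only a single bit is tested, and it is the portable POSIX spelling.
audit_suid() {
    dir=$1
    owner=${2:-root}
    find "$dir" -type f -user "$owner" -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        base=${path##*/}
        level=INFO
        for name in $SUID_SHELL_NAMES; do
            if [ "$base" = "$name" ]; then
                level=ALERT
            fi
        done
        printf '%s %s\n' "$level" "$path"
    done
}

# count_alerts DIR [OWNER]
# Prints the number of ALERT lines, for use in a cron job or CI check.
count_alerts() {
    audit_suid "$1" "${2:-root}" | grep -c '^ALERT ' || true
}
```

Run `audit_suid /` as root on the host being reviewed; any ALERT line should be fixed with `chmod u-s` on that file, and INFO lines compared against the distribution's expected set-UID list.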

Hope it was a simple writeup and you understood it.

Respect on HTB it won’t take a minute
