Traverxec - [HTB]
![Cover Image for Traverxec - [HTB]](/assets/images/blog/Traverxec-htb/Traverxec.png)
Introduction
Traverxec is an easy linux machine from HackTheBox where the attacker will have to exploit a vulnerability in the nostromo service. Then, will have to crack some SSH keys for becoming the user david. Finally, will have to active the journalctl pager escalating privileges as root.
Enumeration
As always, let's start finding all opened ports in the machine with nmap.
Then, we continue with a deeper scan of every opened port, getting more information about each service.
Looking at nostromo service there is a web named TRAVERXEC.
This web page isn't usefull at all, but the nmap output proivdes us the nostromo version which has an associated vulnerability.
Exploitation
First of all, we need to erase the 10th line of the script in order to make it work.
Now, we are able to obtain RCE executing the exploit.
In order to obtain a proper reverse shell we can execute the following command.
Privilege escalation 1
Inside the nostromo's configuration folder there is a configuration file named nhttpd.conf which contains special information about the home directory.
Looking at the nostromo documentation we can understand that indise each user home folder there is a public_www folder.
Furthermore, we can travel inside the david's home direcory.
Finding a folder named protected-file-area with backup ssh identities.
After downloading it using netcat we can obtain david's identity file.
However, we still need the passphrase for the key.
Nonetheless, we can obtain it through john the ripper.
Now we are able to access to the machine as david through SSH.
Privilege escalation 2
Inside the home folder there is another directory named bin with some scripts inside.
The script server-stats.sh executes the journalctl binary as sudo.
Hence, if we try to execute the command outside the script we are able to execute it.
Looking at gtfobins there is a section about how to to escalate privileges using journalctl. However, in my case the default pager didn't automatically activate so I had to trigger the pager manually. For doing so, execute the following commands.