Port enumeration

Own user

Password cracked from the HTTP authentication hash: Nowonly4me
Home directory URL, reachable through Nostromo's "~" (homedirs) feature: http://10.10.10.165/~david/
User to own: david
Backup archive, downloaded with the same credentials (Nowonly4me): http://10.10.10.165/~david/protected-file-area/backup-ssh-identity-files.tgz
SSH key passphrase: hunter

Own root

Command allowed through sudo without a password: /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service

My lessons learned

Don't overlook the configuration file and the manual!

I was stuck escalating from www-data to david until I read Nostromo's manual again and found out what the homedirs and homedirs_public options do.

So, RTFM!

A lot of information can be picked up from the Hack The Box forum!
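To make the two options concrete, here is a small model of how Nostromo maps "~user" URLs to the filesystem when homedirs and homedirs_public are set. It is an added example, not Nostromo's own code and not from this post; the values homedirs = /home, homedirs_public = public_www and the docroot are assumptions, because the post never prints the configuration file.

```python
"""Model of how Nostromo (nhttpd) maps "~user" URLs to files.

Added example, not Nostromo's source. Assumed values (the post does not
print its configuration): homedirs = /home, homedirs_public = public_www,
docroot = /var/nostromo/htdocs.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class NostromoConfig:
    docroot: str = "/var/nostromo/htdocs"        # assumed default
    homedirs: Optional[str] = None               # parent of the home dirs; None disables ~user
    homedirs_public: Optional[str] = None        # only this subdirectory of a home is served


def resolve(cfg: NostromoConfig, url_path: str) -> Optional[str]:
    """Return the filesystem path a request path maps to, or None if refused.

    Any '..' component left after percent-decoding is refused, so this
    model cannot be used to reproduce the 1.9.6 traversal bug.
    """
    parts = [p for p in unquote(url_path).split("/") if p]
    if any(p == ".." for p in parts):
        return None

    if parts and parts[0].startswith("~"):
        user = parts[0][1:]
        if cfg.homedirs is None or not user:
            return None                          # ~user URLs are not enabled
        base = PurePosixPath(cfg.homedirs) / user
        if cfg.homedirs_public:
            base = base / cfg.homedirs_public    # the rest of the home dir stays private
        return str(base.joinpath(*parts[1:]))

    return str(PurePosixPath(cfg.docroot).joinpath(*parts))


# Constructed configurations for comparison.
BOX_CONFIG = NostromoConfig(homedirs="/home", homedirs_public="public_www")
WHOLE_HOME = NostromoConfig(homedirs="/home")    # no homedirs_public: the entire home dir is reachable
HARDENED = NostromoConfig()                      # homedirs unset: nothing under /home is served


if __name__ == "__main__":
    for cfg_name, cfg in [("box", BOX_CONFIG), ("whole_home", WHOLE_HOME), ("hardened", HARDENED)]:
        for url in ("/~david/", "/~david/.ssh/id_rsa", "/~david/../etc/passwd"):
            print(f"{cfg_name:10} {url:24} -> {resolve(cfg, url)}")
```

The comparison is the point: with homedirs_public set, a request for /~david/.ssh/id_rsa lands inside public_www and not in the real .ssh directory, which is why on this box the key had to come from a backup archive that david himself had put under the public directory. Leaving homedirs_public unset serves the whole home directory, and leaving homedirs unset serves nothing under /home at all.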

Use it like an OSINT hunter. I found the "resizing terminal window" technique, which keeps the less window open, while reading other people's comments on the forum.
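The terminal-resizing trick works because of how journalctl hands its output to the system pager. The following added example (not from the post) audits sudoers-style rules for commands that reach a pager this way; the sample rules are constructed, and only david's journalctl command line is taken from the box.

```python
"""Find sudo rules that can be escaped to a root shell through a pager.

Added example, not from the post. The sudoers excerpt below is
constructed; only david's journalctl command line comes from the box.
journalctl (like systemctl status and git) pipes its output to the system
pager unless --no-pager is given, and inside less "!/bin/sh" runs a shell
as the pager's user, which under sudo is root.
"""
import re
import shlex

SAMPLE_SUDOERS = """\
# constructed sudoers excerpt
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
david   ALL=(ALL) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
bob     ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -u nginx
alice   ALL=(root) NOPASSWD: /usr/bin/less /var/log/syslog
carol   ALL=(root) PASSWD: /usr/bin/systemctl status nginx, /usr/bin/id
"""

# Programs that are themselves a pager/editor with a shell escape.
PAGER_ESCAPE = {"less", "more", "man", "vi", "vim", "nano"}
# Programs that hand their output to the pager unless this flag is present.
PAGER_BY_DEFAULT = {"journalctl": "--no-pager", "systemctl": "--no-pager", "git": "--no-pager"}

RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")


def parse_rules(text):
    """Yield (user, runas, tags, argv) for every command in every user rule.

    As in real sudoers, a tag such as NOPASSWD: stays in effect for the
    later commands of the same rule until another tag replaces it.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                              # aliases etc. are out of scope here
        runas = m["runas"] or "root"              # sudo's implicit run-as user
        tags = []
        for cmd in m["spec"].split(","):
            cmd = cmd.strip()
            while (t := TAG_RE.match(cmd)):       # NOPASSWD:, PASSWD:, NOEXEC:, ...
                tags.append(t.group(1))
                cmd = cmd[t.end():]
            yield m["user"], runas, list(tags), shlex.split(cmd)


def audit(text):
    """Return one finding per rule whose command can drop into a shell via a pager."""
    findings = []
    for user, runas, tags, argv in parse_rules(text):
        if not argv or argv == ["ALL"]:
            continue                              # unrestricted sudo is a different finding
        prog = argv[0].rsplit("/", 1)[-1]
        if prog in PAGER_ESCAPE:
            reason = f"{prog} has a shell escape (!/bin/sh)"
        elif prog in PAGER_BY_DEFAULT and PAGER_BY_DEFAULT[prog] not in argv[1:]:
            reason = f"{prog} pipes to less unless run with {PAGER_BY_DEFAULT[prog]}"
        else:
            continue
        findings.append({"user": user, "runas": runas, "nopasswd": "NOPASSWD" in tags,
                         "command": " ".join(argv), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        flag = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"{f['user']} -> {f['runas']} ({flag}): {f['command']}: {f['reason']}")
```

Two practical notes. First, the width trick: systemd starts less with LESS=FRSXMK by default, and the F flag makes less quit at once when everything fits on one screen, so a terminal narrower than the longest log line forces wrapping, the output no longer fits, and less stays open for the "!/bin/sh" escape. Second, the fix is in the rule itself: sudo matches the command line literally, so a rule that reads /usr/bin/journalctl --no-pager -n5 -unostromo.service cannot be run without --no-pager, and the audit above accepts bob's rule for exactly that reason.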

Hi, welcome to my blog! In this post I will write up Traverxec, a machine on Hack The Box which has just retired. It's the first box I owned on my own, and it taught me a lot for the boxes I hacked afterwards. Although its difficulty rating is easy (and owning root is definitely easy), the user part may be a little tricky.

I solved this box while preparing for the OSCP, and I finished the exam a few days ago. Although I rooted 4 of the 5 exam machines, I might have to retake it because one screenshot is missing.

Port enumeration

The scan report shows that Traverxec has a website running on Nostromo 1.9.6. As you may know, the Nostromo web server, aka nhttpd, has an unauthenticated remote code execution bug in all versions before 1.9.7, so that must be the way to get an initial shell. If you want to analyze this vulnerability, CVE-2019-16278, you can read more in my blog post about it.

Own user

I use my Python script for CVE-2019-16278 to send a reverse shell back to my local machine, a Kali Linux 2019.4 virtual machine, where I have a listener running. After getting the reverse shell, I use Python to spawn a TTY: without a TTY, many commands such as su and sudo will not work.

Now let's dig deeper into the box. The home directory listing contains only one folder, david's, so he must be the user we have to own. Searching Nostromo's directory, I find some useful information. First, one of the files there contains a username and password hash for HTTP authentication. Hoping that david reuses this password for his other accounts, I immediately crack the hash with john and find that the password is "Nowonly4me".

Unfortunately, he doesn't reuse it. I try to switch to david with su, but it keeps saying "Authentication failure".

A bit stuck, I read the config file and Nostromo's manual again. Oh! There is something I forgot: the homedirs option.
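Before going on with homedirs, a short detour back to the initial foothold: the CVE-2019-16278 request shape is easy to spot in server logs. The following is an added detection example, not the author's exploit script; it assumes the request pattern from the public advisory (a percent-encoded carriage return splitting each ".." component so that nhttpd's check passes before the path is decoded and the control character dropped), and it runs over log lines constructed for the example.

```python
"""Spot CVE-2019-16278-style requests against nhttpd in access-log lines.

Added detection example, not the author's exploit script. The request
shape is the one from the public advisory: nhttpd 1.9.6 refuses a raw
".." in the request path, but a percent-encoded carriage return (%0d)
between the dots passes that check, is decoded afterwards and then
dropped, so "/.%0d./.%0d./bin/sh" reaches the filesystem as
"/../../bin/sh". The log lines below are constructed for this example.
"""
import re
from urllib.parse import unquote

# Constructed sample lines: client "request-line" status.
SAMPLE_LOG = """\
10.10.14.5 "GET /index.html HTTP/1.1" 200
10.10.14.5 "GET /~david/ HTTP/1.1" 200
10.10.14.5 "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0" 200
10.10.14.5 "GET /../../etc/passwd HTTP/1.1" 400
10.10.14.5 "GET /.%0a./.%0a./etc/passwd HTTP/1.0" 200
"""

REQ_RE = re.compile(r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')


def normalize(path: str) -> str:
    """Percent-decode once, then drop ASCII control characters.

    The advisory's bypass uses %0d; a detector should not care which control
    character was used to split the dots, so all of them are removed.
    """
    return "".join(ch for ch in unquote(path) if ord(ch) >= 0x20)


def is_nostromo_traversal(path: str) -> bool:
    """True when the raw path passes a naive '..' check but normalizes to one."""
    return ".." not in path and "/.." in normalize(path)


def scan_log(text: str) -> list:
    """Return one finding per request line that matches the bypass shape."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue                                  # unknown line shape: skip, don't crash
        if is_nostromo_traversal(m["path"]):
            findings.append({
                "client": m["client"],
                "method": m["method"],
                "raw_path": m["path"],
                "resolved_path": normalize(m["path"]),
                "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['method']} {f['raw_path']} -> {f['resolved_path']} ({f['status']})")
```

The regex matches the minimal constructed format only; adapt it to the real log layout before running it against Nostromo's log. A request for /../../etc/passwd is deliberately not flagged, because nhttpd rejects a raw ".." by itself; the bypass is precisely the encoded control character. Detection is a stop-gap: the fix is upgrading to 1.9.7 or later.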
The homedirs option lets each user's home directory be reached through a URL containing the "~" character, like this:

http://10.10.10.165/~david/

Although david's home directory itself is not accessible, I can still reach the subdirectory named by the homedirs_public option. Browsing it, I see a backup file. Maybe it contains the SSH key for david's account!

Do you remember the password hash we have just cracked? Using those credentials (Nowonly4me), I can download the backup file in the browser from this URL:

http://10.10.10.165/~david/protected-file-area/backup-ssh-identity-files.tgz

Extracting the archive, I find the private key file we need. However, it is encrypted with a passphrase, so I crack that as well. Now, using the passphrase "hunter", I can SSH in as david and own the user flag.

Own root

I think this part is more straightforward and easier than the user part above. Browsing david's home directory, I find a strange file. Inside it, only one command catches my attention:

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service

A command with sudo: that is definitely where to get root! If you know GTFOBins, you may also know that journalctl invokes less, and from inside the less window you can spawn a shell. Here comes a trick: if your terminal is narrower than the longest line of the output, the less window stays open and you can spawn a shell from it. Otherwise, it returns to the prompt right away. Note that on this box you can run exactly that command, and only that command, with root privileges without a password.

Finally, we just grab the root flag!

If you have any questions, please don't hesitate to ask me on Twitter or leave a comment. Thank you for reading!