HACKTHEBOX-TRAVERXEC-WALKTHROUGH

 

Greetings to all CTF players out there. I owned this Linux box in December and now (April) it is retired. Although rated as an Easy box, it taught me a couple of things, especially the root part: abusing journalctl and shrinking the screen to escalate privileges. Hope you like the walkthrough.


Step 1. First I started with a port scan and found two open ports.

  • nmap -sC -sV -oA ports 10.10.10.165


Step 2. On enumerating the web, I did not find anything good, but from the name on the webpage I guessed the user could be David. After this I googled the service, Nostromo 1.9.6, and found an exploit on Exploit-DB.
Download and run the Python file to get RCE as www-data.



Step 3. Then I started enumerating and found an interesting directory named ‘Nostromo’ in /var. This directory contains the config file ‘nhttpd.conf’. The data stored in the nhttpd.conf file:



 
Step 4. From the last two lines of HOMEDIRS, I figured out that public_www is a subdirectory in /home/david/. Inside public_www there is a dir ‘protected-file-area’ which contains ‘backup-ssh-identity-files.tgz’.



Step 5. I copied ‘backup-ssh-identity-files.tgz’ to /tmp/testing as sshfiles.tgz and extracted it there.
The files were extracted into the current working directory. They include SSH keys. Then I transferred the id_rsa key to my machine under the name ‘private’ and created its hash using ssh2john.py.



  • python ssh2john.py private > login

Step 6. The file ‘login’ contains the hash of the SSH key; now crack the hash file (login) using john with rockyou.txt as the password list.

I got the passphrase ‘hunter’, so I set the permissions and tried to SSH in as David.



  • chmod 600 private
  • ssh -i private david@10.10.10.165

Step 7: Now the final step, privilege escalation. I found the ‘bin’ file in /home/david/ which contains server-stats.sh. I noticed the last line in server-stats.sh, where journalctl is run as root.

Step 8: I looked up journalctl on GTFOBins and found it can be used to break out into a shell. From wargames like Bandit, I remembered one challenge where I had to shrink the size of the terminal to abuse the ‘more’ command. It was a similar case here: I ran the last line of ‘server-stats.sh’, it invoked less, and then I got the shell.
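
A defensive check for the misconfiguration behind Steps 7 and 8, as an added example that is not part of the original walkthrough: it scans sudoers rules for commands that hand their output to a pager without `--no-pager` or the `NOEXEC:` tag. The rules below are constructed samples (not the box's sudoers file), the command list is illustrative, and the parser is simplified (no aliases, includes or line continuations).

```python
import shlex

# Commands that send output to a pager (less/more) when run on a terminal.
# Illustrative list, not exhaustive.
PAGER_CAPABLE = {"journalctl", "systemctl", "less", "more", "man"}

# Constructed sample rules for this example.
SAMPLE_SUDOERS = """\
Defaults env_reset
alice ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -uexample.service
bob ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -uexample.service
carol ALL=(root) NOEXEC: NOPASSWD: /usr/bin/less /var/log/syslog
dave ALL=(root) /usr/bin/systemctl status example.service, /usr/bin/id
"""

def audit(sudoers_text):
    """Return (user, command) pairs whose pager could spawn a root shell."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        who, _, spec = line.partition("=")
        if not spec:
            continue
        user = who.split()[0]
        spec = spec.strip()
        if spec.startswith("("):              # drop the (runas) part
            spec = spec[spec.index(")") + 1:]
        noexec = False                        # tags carry over along the list
        for cmd in spec.split(","):
            tokens = shlex.split(cmd)
            while tokens and tokens[0].endswith(":"):
                tag = tokens.pop(0)
                if tag == "NOEXEC:":
                    noexec = True
                elif tag == "EXEC:":
                    noexec = False
            if not tokens:
                continue
            name = tokens[0].rsplit("/", 1)[-1]
            if name in PAGER_CAPABLE and not noexec and "--no-pager" not in tokens[1:]:
                findings.append((user, " ".join(tokens)))
    return findings

if __name__ == "__main__":
    for user, command in audit(SAMPLE_SUDOERS):
        print(f"{user}: pager reachable as root via: {command}")
```

A flagged rule can be tightened by adding `--no-pager` to the permitted command line, since sudoers matches the listed arguments exactly, or by tagging the rule `NOEXEC:`.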

