
hello fellow hackers, today im going to solve Traverxec from hack the box
so lets get started!!!
I started with nmap to check for open ports and services
nmap -A -v -sS

so the machine has two ports open on it :
1- OpenSSh running on port 22
2- Nostromo web server running on port 80
so lets check the web server…..

so its look like its a template for a blog for a front end developer named David White
after some goofing around i didn’t find any thing there so I went to back to check the web server if it’s running a vulnerable version
and yes it’s nostromo 1.9.6 which is vulnerable to RCE
CVE-2019-16278
lucky for us there is a metasploit module ready to exploit this vulnerable
exploit/multi/http/nostromo_code_exec

now let’s exploit that !!!

and we are in as www-data !!!!
now for the privilege escalation part, so the configuration files of nostromo web server located in /var/nostromo/conf/ lets see if we can find something interesting

so that’s cool, there is a publicly accessible directory public_www lets check it out !!!

so there is a back up files and after downloaded to my machine i found the ssh public key for david so we need to crack it in order to get the pass phrase for the key and login
so I used ssh2john then cracked it using john the ripper yo crak the hash and get the pass phrase
ssh2john id_rsa

john -w=rockyou id_rsa.hash

and yes it cracked!!! the pass phrase is hunter
now lets login to ssh …..

and we are in as david !!!
now for the root part, so inside david home directory i found bin directory containing a bash script to check the server statues
after reading the script i found that it’s running journalctl as root and piping the output into cat command
so we need to copy the file, delete the pip and then use journalctl to get a root shell by writing !/bin/bash

and we poped the root shell !!!