HACK THE BOX — TRAVERXEC

CSCC LABS
Oct 16, 2020

Today we are going to solve a retired Hack The Box machine: TRAVERXEC, an easy Linux box.

First, we need to scan for open ports to start enumerating the machine, so we ran nmap -sC -sV 10.10.10.165

  • -sV reports the service version running on each open port.
  • -sC runs the default NSE scripts against those services.

We found a web server called Nostromo, which is interesting. Let's check the web page of this machine.

Here we got the TRAVERXEC page. Since the web server is Nostromo, let's check for known vulnerabilities in it using searchsploit.

Searchsploit is a CLI for Exploit-DB. It lists all the exploits held in Exploit-DB, and with the -m option we can copy an exploit to our machine:

searchsploit -m path

We found a Remote Code Execution exploit, so we copied it over; to run it we give:

python exploit.py <IP> <PORT> <COMMAND>

After checking that command execution works, we need a reverse shell, so we pass a Netcat reverse shell command. Before executing it we start a listener with nc.

After executing this we got a reverse shell as "www-data".

Next, we upgrade the shell to a proper TTY using

python -c 'import pty;pty.spawn("/bin/bash")'

Checking /home we found the user david, but we can't enter that user's directory, so let's look for other ways to get the user. After various checks we found a file called "nhttpd.conf".

Reading it gives us some useful information: for example, we have access to public-www inside the /home directory, so let's check that.

From /home itself we can't reach it, but inside david's directory we got access.

We found a compressed file. We need to pull it over to our machine using nc.

Using nc we got the file. To extract .tgz files we use tar -xvf filename.

Inside it we found an id_rsa key, and with this we can get the user.

When we have a user's RSA key we can log in as that user without a password: ssh -i rsa_key user@IP.

But in our case it asked for a passphrase, so the RSA key is password-protected and we need to crack it. For that we use John The Ripper: its ssh2john.py tool converts the id_rsa key into a format john can read.

Then running john on that we got the passphrase for the RSA key.
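The passphrase here fell to john, so the lesson for anyone who leaves private keys in backups or web roots is that the key's own protection is the last line of defence. As an added example (not code from the original writeup), the following Python audits a private key file and reports whether it is stored in cleartext, uses the legacy PEM encryption, or uses the modern OpenSSH container with bcrypt, and how many KDF rounds it was written with. The key files it checks are constructed dummies built inside the script; no real key material is included, and the field layout follows the public openssh-key-v1 format.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Read an SSH 'string' at offset off; return (payload, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def build_sample_openssh_key(cipher: str, kdf: str, rounds: int = 16) -> str:
    """Constructed sample: an openssh-key-v1 file with the given header fields.

    The public and private sections are dummy bytes; only the header is
    meaningful, which is all the audit below needs."""
    if kdf == "bcrypt":
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)  # salt, rounds
    else:
        kdfopts = b""  # kdf "none" carries empty options
    blob = (b"openssh-key-v1\x00"
            + _ssh_string(cipher.encode())
            + _ssh_string(kdf.encode())
            + _ssh_string(kdfopts)
            + struct.pack(">I", 1)                 # number of keys
            + _ssh_string(b"dummy-public-key")
            + _ssh_string(b"dummy-private-section"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed sample of the legacy PEM format; the base64 body is dummy data.
SAMPLE_LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

ZHVtbXktZW5jcnlwdGVkLWtleS1ib2R5
-----END RSA PRIVATE KEY-----
"""


def inspect_private_key(text: str) -> dict:
    """Parse only the protection metadata of a private key file.

    Supports the modern openssh-key-v1 container and legacy PEM (RSA/DSA/EC)
    keys, whose encryption is signalled by Proc-Type / DEK-Info headers."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-framed private key")

    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(magic)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        return {"format": "openssh", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "kdf_rounds": rounds}

    # Legacy PEM: RFC 1421 headers follow the BEGIN line until a blank line.
    headers = {}
    for ln in lines[1:]:
        if ":" not in ln:
            break
        key, val = ln.split(":", 1)
        headers[key.strip()] = val.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    dek = headers.get("DEK-Info", "")
    return {"format": "pem", "encrypted": encrypted,
            "cipher": dek.split(",")[0] if dek else "none",
            "kdf": "EVP_BytesToKey-MD5" if encrypted else None, "kdf_rounds": None}


def audit(text: str) -> str:
    """One-line verdict a defender can act on."""
    info = inspect_private_key(text)
    if not info["encrypted"]:
        return "UNPROTECTED: key is in cleartext; anyone who copies the file can use it"
    if info["format"] == "pem":
        return ("WEAK: legacy PEM encryption derives the key with a single MD5 pass "
                "and is cheap to brute-force; re-encrypt with ssh-keygen -p -o")
    if info["kdf_rounds"] is not None and info["kdf_rounds"] < 16:
        return f"WEAK: bcrypt rounds={info['kdf_rounds']}; raise them with ssh-keygen -p -a <rounds>"
    return (f"OK: {info['cipher']} with {info['kdf']} ({info['kdf_rounds']} rounds); "
            "resistance to offline cracking now depends on the passphrase")


if __name__ == "__main__":
    for label, key in [("cleartext", build_sample_openssh_key("none", "none")),
                       ("bcrypt/16", build_sample_openssh_key("aes256-ctr", "bcrypt", 16)),
                       ("legacy PEM", SAMPLE_LEGACY_PEM)]:
        print(f"{label:11} -> {audit(key)}")
```

Even an "OK" verdict only tells you the KDF is doing its job; a bcrypt-protected key with a dictionary-word passphrase still cracks, which is exactly what happened on this box. Run it over any id_rsa found in backups or archives before deciding whether the find is a rotation or an incident.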

We got the user and can read user.txt.

Now we need to escalate privileges to root. For this we checked a bin folder, which is unusual to find in a user's directory.

Here we found journalctl.

Following the GTFOBins entry for it we got root.

That's it for this box. I hope you learned something from this writeup.

Final: One thing I liked about this box is that it didn't require running any scripts to find something obscure; all it required was careful enumeration and reading documentation, which I think is a hallmark of any top-notch box.
