Hack The Box — Traverxec Write-up
Step 1: Scanning
An nmap scan finds two services: SSH on port 22 and the nostromo web server (nhttpd 1.9.6) on port 80.
Step 2: Getting foothold
Nostromo 1.9.6 is vulnerable to CVE-2019-16278, a directory traversal that leads to remote code execution. Search Metasploit for nostromo and you'll find the exploit/multi/http/nostromo_code_exec module; set RHOSTS and LHOST and run it.
You now have a meterpreter shell as www-data.
Step 3: Enumerating
With the initial shell, look at nostromo's configuration directory, /var/nostromo/conf. Its .htpasswd file holds a password hash for the user david.
Crack david's hash with john (it is an md5crypt hash, recognisable by the $1$ prefix).
With the password in hand, enumerate further.
Read nhttpd.conf for more useful information (and read the nhttpd manual, man nhttpd, to understand the directives).
The config enables home directories: homedirs /home and homedirs_public public_www, so /home/david/public_www is served over HTTP under /~david/.
Listing public_www you'll find a password-protected subdirectory containing backup-ssh-identity-files.tgz.
Because the directory is served by nostromo, you can browse to it directly and download the archive, authenticating as david with the password cracked above.
Step 4: User
Extract the archive (tar xzf backup-ssh-identity-files.tgz); it contains david's .ssh directory with a passphrase-protected private key, id_rsa.
Convert the key with ssh2john (ssh2john id_rsa > id_rsa.john) and run john against the result to recover the passphrase.
Connect with ssh -i id_rsa david@<target> and enter the cracked passphrase when prompted.
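The triage a practitioner does before launching john, as an added shell example (mine, not part of the original write-up or of the box): it identifies the crypt(3) prefix in an .htpasswd line so the right --format is chosen, checks whether a PEM private key is actually passphrase-protected (i.e. whether ssh2john is needed at all), and builds the resulting john commands. The .htpasswd line and the key header below are constructed placeholders, not the real hash or key from the box; the wordlist path is an assumption.

```shell
#!/usr/bin/env bash
# Added example: triage the .htpasswd hash and the recovered SSH key before cracking.
# Nothing here is from the original write-up; all sample data is constructed.
set -eu

# Constructed .htpasswd line in the "user:crypt-hash" layout nostromo uses.
# md5crypt = "$1$" + 8-char salt + "$" + 22-char hash; the value below is a placeholder.
SAMPLE_HTPASSWD='david:$1$saltsalt$XXXXXXXXXXXXXXXXXXXXXX'
WORDLIST=${WORDLIST:-/usr/share/wordlists/rockyou.txt}   # assumption: rockyou location

# Map a crypt(3) prefix to the john --format name. Prints "<user> <format>".
htpasswd_hash_format() {
    local line="$1" user hash fmt
    user=${line%%:*}
    hash=${line#*:}
    case "$hash" in
        '$1$'*|'$apr1$'*)        fmt=md5crypt ;;     # john's md5crypt also covers Apache $apr1$
        '$5$'*)                  fmt=sha256crypt ;;
        '$6$'*)                  fmt=sha512crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) fmt=bcrypt ;;
        *)                       fmt=unknown ;;
    esac
    printf '%s %s\n' "$user" "$fmt"
}

# Classify a private key file: "encrypted" (PEM with a passphrase, ssh2john needed),
# "plain" (PEM without one, usable as-is), or "openssh" (new format; let ssh2john decide).
ssh_key_status() {
    local keyfile="$1"
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$keyfile"; then
        printf 'openssh\n'
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$keyfile"; then
        printf 'encrypted\n'
    else
        printf 'plain\n'
    fi
}

# Print the john invocations for both secrets; ssh2john is skipped for an unencrypted key.
# (Some installs name the converter ssh2john.py; adjust accordingly.)
crack_commands() {
    local htline="$1" keyfile="$2" user fmt
    fmt=$(htpasswd_hash_format "$htline")
    user=${fmt%% *}; fmt=${fmt#* }
    printf "echo '%s' > %s.hash && john --format=%s --wordlist=%s %s.hash\n" \
        "$htline" "$user" "$fmt" "$WORDLIST" "$user"
    if [ "$(ssh_key_status "$keyfile")" != plain ]; then
        printf "ssh2john %s > %s.john && john --wordlist=%s %s.john\n" \
            "$keyfile" "$keyfile" "$WORDLIST" "$keyfile"
    fi
}

# Demo on constructed data: a PEM key header shaped like the one tar unpacks from the backup.
tmpdir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
    '(placeholder: a real key carries base64 data here)' '-----END RSA PRIVATE KEY-----' \
    > "$tmpdir/id_rsa"
htpasswd_hash_format "$SAMPLE_HTPASSWD"        # david md5crypt
ssh_key_status "$tmpdir/id_rsa"                # encrypted
crack_commands "$SAMPLE_HTPASSWD" "$tmpdir/id_rsa"
rm -rf "$tmpdir"
```

The point of the format check is that john's autodetection is not always right for short lists, and a wrong --format silently cracks nothing; the key check saves a pointless ssh2john run when the backup turns out to contain an unencrypted key.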
Step 5: Root
Enumerating /home/david/bin you'll find server-stats.sh. Its last line runs journalctl through sudo:
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
The sudo call needs no password, so david may run that exact journalctl command as root. Run it yourself without the trailing | /usr/bin/cat: with stdout on a terminal, journalctl hands the output to the less pager, still running as root, and typing
!/bin/bash
at the less prompt spawns a root shell.
Note: shrink the terminal window to fewer lines than the command outputs before running it. journalctl starts less with -F, which quits immediately if everything fits on one screen, and then there is no pager to escape from.
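Why the last step works and how to spot the same pattern elsewhere, as an added shell example (mine, not from the write-up): a small audit that reads sudo -l output and flags allowed commands that will drop the user into an interactive pager or editor as root, since less executes !cmd with the privileges of the process that started it. The sudo -l text is constructed from what the box implies (the write-up never shows it), and the hardened rule is a suggested fix, not the box's actual configuration.

```shell
#!/usr/bin/env bash
# Added example: audit sudo rules for pager escapes like the journalctl one on this box.
# journalctl pipes to $SYSTEMD_PAGER/$PAGER (less by default) when stdout is a tty; inside
# less, "!/bin/bash" runs a shell as the pager's owner, which under sudo is root.
# Caveat: recent systemd releases start the pager with LESSSECURE=1 (SYSTEMD_PAGERSECURE)
# when they detect sudo, which disables "!"; this box's systemd predates that.
set -eu

# Constructed `sudo -l` output, inferred from server-stats.sh running sudo journalctl
# without a password. The write-up does not show the real rule.
SAMPLE_SUDO_L='Matching Defaults entries for david on traverxec:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User david may run the following commands on traverxec:
    (root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service'

# Suggested fix: keep the pager out of the privileged command altogether. Piping to cat in
# the script does not help, because the user can run the sudo part on its own.
HARDENED_RULE='(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service'

# Print "risky" if the command hands the user an interactive pager/editor as root, else "ok".
pager_command_risk() {
    local cmd="$1" bin
    bin=${cmd%% *}; bin=${bin##*/}          # basename of the first word
    case "$bin" in
        journalctl|systemctl)               # page output unless told not to
            case " $cmd " in
                *' --no-pager '*) printf 'ok\n' ;;
                *)                printf 'risky\n' ;;
            esac ;;
        less|more|man|vi|vim|view|nano)     # pagers and editors with built-in shell escapes
            printf 'risky\n' ;;
        *)  printf 'ok\n' ;;
    esac
}

# Read `sudo -l` output on stdin and print every allowed command that is pager-risky.
audit_sudo_l() {
    # keep only rule lines "(runas) [NOPASSWD:] cmd[, cmd...]", strip the prefix, one command per line
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*\(NOPASSWD:[[:space:]]*\)\{0,1\}//p' |
        tr ',' '\n' | sed 's/^[[:space:]]*//' |
        while IFS= read -r cmd; do
            if [ "$(pager_command_risk "$cmd")" = risky ]; then
                printf 'risky: %s\n' "$cmd"
            fi
        done
}

# Demo on the constructed rule set: the box's rule is flagged, the hardened one is not.
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_l       # risky: /usr/bin/journalctl -n5 -unostromo.service
pager_command_risk "${HARDENED_RULE#*: }"           # ok
```

On a real engagement, feed it `sudo -l | audit_sudo_l`; on the defensive side, the same check applied to a sudoers dump finds rules where a harmless-looking read-only command still ends in an interactive program running as root.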