Hack The Box — Traverxec Writeup

MisterK
5 min read, Feb 5, 2021

Traverxec is an easy, retired machine listed on Hack The Box. It was first released on November 16th, 2019, and was designed by jkr. While a number of potential pivot points were identified during the recon phase, Searchsploit identified a critical vulnerability in Nostromo web servers through version 1.9.6 that allows Remote Code Execution (RCE). This vulnerability is tracked as CVE-2019-16278 and has a CVSS base score of 9.8/10.

Part One: Enumeration

Port scanning is the obvious first step in assessing this box, and scanning with Legion reveals a fairly common picture: a web server hosting a web page, and an SSH server. It also returned a number of moderate-severity CVEs.

From this point, the logical next step is to view the web page and enumerate the server's directory structure.

Part Two: Banner Grabbing

Several Dirbuster scans failed to return compelling results, but between viewing the hosted website and reading about Nostromo on Searchsploit, a number of exploitation options become immediately apparent.

After reading up on Nostromo 1.9.6 and earlier, a path to exploiting Traverxec becomes clear.

Part Three: Initial Exploitation

For initial exploitation, two simple (nearly identical) solutions present themselves. One option is the exploit.py script at https://github.com/sudohyak/exploit/blob/master/CVE-2019-16278/exploit.py, run with the details specific to the server and my Hack The Box IP. The other option is using Metasploit to gain access. This walkthrough uses the latter.

This quickly yields shell access.

Part Four: Looking For Further Access

The output of whoami indicates that this exploit has not granted root access, but aside from revealing more of the directory structure, this level of access may expose the User flag. Unfortunately, the User flag is not visible from any accessible folder. Accordingly, this phase of exploitation will also involve searching for a pivot to SSH access.

From what I have read about Nostromo, there should be a file named .htpasswd here. Let's see if I can read it.

That is clearly a hashed password, which is exactly what Kali's tooling (John) is for. Note that this hash was cracked in a matter of seconds, using a free operating system, on a $70 Raspberry Pi.

This might be an SSH password, but it seems that I will need an RSA key to access the SSH server. Using what I have learned about Nostromo's directory layout, I start looking for David's files. After finding a promising file, I am unable to unpack it.

Moving the tgz archive to /tmp works around David's directory restrictions: the file permissions allow me to move the archive into a folder where I am allowed to access it, and from there it can be unpacked.

Part Five: Pivoting to SSH Access/Finding The User Flag

Since Traverxec is a search for flags, it is reasonable to assume that this is the intended pivot point. After converting the RSA key file id_rsa with ssh2john, the credentials recovered to this point grant SSH access. The User flag is immediately accessible.

Part Six: Finding The Root Flag

The primary purpose of this SSH server seems to be maintenance. Looking at the newly accessible files reveals a shell script with a very interesting last line.

That line should not have the permissions it needs to work, since no password is required. Looking into it, the command in question is journalctl.

Spawning an interactive system shell from journalctl looks like a very promising path to root access. journalctl hands its output to a pager, and running the script then typing !sh at the pager immediately produces a Bourne shell. That shell has root access, so the Root flag is accessible as soon as the shell is active.
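As an added, defender-side example (not code from the writeup or from the box itself), the following POSIX shell audit flags journalctl calls in a maintenance script that can still reach a pager, beside the corrected invocation; the two sample scripts and the service name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the writeup: audit a maintenance script for
# journalctl invocations that can hand the operator an interactive pager.
# journalctl pipes long output into a pager (less by default), and a pager
# shell escape inherits whatever privileges journalctl was run with. A call
# is treated as safe only if it passes --no-pager or pins the pager to cat.

# Usage: audit_journalctl_pager SCRIPT
# Returns 0 when every journalctl call is pager-safe, 1 otherwise
# (the offending lines, with line numbers, are printed).
audit_journalctl_pager() {
    script="$1"
    offending=$(grep -n 'journalctl' "$script" \
        | grep -v '^[0-9]*:[[:space:]]*#' \
        | grep -v -e '--no-pager' -e 'SYSTEMD_PAGER=cat' -e 'PAGER=cat' \
        || true)
    if [ -n "$offending" ]; then
        echo "pager-capable journalctl call(s) in $script:"
        printf '%s\n' "$offending"
        return 1
    fi
    return 0
}

# Two constructed sample scripts (assumptions, not the machine's real file):
# the weak form, and the same report with the pager disabled.
VULN_SCRIPT=$(mktemp)
cat > "$VULN_SCRIPT" <<'EOF'
#!/bin/sh
# maintenance: show the last few lines of the service log
journalctl -n5 -u example.service
EOF

SAFE_SCRIPT=$(mktemp)
cat > "$SAFE_SCRIPT" <<'EOF'
#!/bin/sh
# maintenance: same report, but never spawn a pager
journalctl --no-pager -n5 -u example.service
EOF
trap 'rm -f "$VULN_SCRIPT" "$SAFE_SCRIPT"' EXIT

for s in "$VULN_SCRIPT" "$SAFE_SCRIPT"; do
    if audit_journalctl_pager "$s"; then
        echo "$s: ok"
    else
        echo "$s: needs fixing"
    fi
done
```

The same check applies to any privileged wrapper around journalctl: disabling the pager removes the shell escape rather than relying on the operator never typing it.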
