
# HTB: Traverxec – From RCE to Root with a Nostalgic Bang

<figure><img src="/files/hADMv0uMEMLVKiq6FreE" alt="" width="375"><figcaption></figcaption></figure>

{% hint style="info" %}
**“Give me 3 minutes and I’ll show you how a misconfigured web server handed me SSH keys on a silver platter.”**
{% endhint %}

### 🧠 Reconnaissance

We kick things off with a good old `nmap` scan:

```
nmap -Pn -A -p- 10.10.10.165
```

```
22/tcp open  ssh     OpenSSH 7.9p1 Debian
80/tcp open  http    nostromo 1.9.6
```

### 🚀 Initial Foothold – CVE-2019-16278

A quick search reveals [CVE-2019-16278](https://github.com/AnubisSec/CVE-2019-16278), a remote code execution vulnerability in `nostromo 1.9.6`.

I used a simple Python script to exploit it and got a remote shell as `www-data`.

```
python nostroSploit.py 10.10.10.165 80 "id"
```

<figure><img src="/files/ERLfHQIgEKvDyBxtpz1c" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/vmwBHok72f79qfhNiwcl" alt=""><figcaption></figcaption></figure>

### 🛠️ Post-Exploitation – Looting Configs

Once inside, I poked around.

* A quick Google search shows that `nostromo` stores its config in `/var/nostromo/conf/nhttpd.conf`:

```
serverroot		/var/nostromo
homedirs		/home
homedirs_public		public_www
```

That `public_www` bit? Jackpot.

I couldn't list `/home/david` directly due to `drwx--x--x` permissions, but `/home/david/public_www` was accessible.

<figure><img src="/files/Rpek8PtCbZHbZodt32hx" alt=""><figcaption></figcaption></figure>

* This is because of the permissions I have on the directory.

<figure><img src="/files/xIkO6khw36ISUbtfxv1K" alt=""><figcaption></figcaption></figure>

* On David's home dir, I have `drwx--x--x`. In order to read the contents of the directory I need read permission, which would mean `drwx--xr-x`.

<figure><img src="/files/RhsgKUJsdYyQRB3f4dYV" alt=""><figcaption></figcaption></figure>
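The same exposure seen from the server owner's side, as an added example (not code from this write-up or from nostromo): it parses the `homedirs` / `homedirs_public` lines quoted above and reports every world-readable file reachable under each user's public directory, judging by mode bits alone. The `fs_root` parameter, the `demo()` tree and its file names are constructed for illustration.

```python
import os, stat, tempfile

SAMPLE_CONF = "serverroot\t\t/var/nostromo\nhomedirs\t\t/home\nhomedirs_public\t\tpublic_www\n"  # lines quoted above

def parse_conf(text):
    """Parse 'key<whitespace>value' lines, skipping blanks and # comments."""
    rows = (l.split(None, 1) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return {r[0]: r[1].strip() for r in rows if len(r) == 2}

def other_bits(path):
    """'Other' permission triplet such as '--x'; '---' if path cannot be stat'ed."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return "---"
    return "".join(c if mode & b else "-" for c, b in
                   (("r", stat.S_IROTH), ("w", stat.S_IWOTH), ("x", stat.S_IXOTH)))

def audit_homedirs(conf, fs_root="/"):
    """Return (user, home_bits, relative_path) for each exposed world-readable file."""
    if "homedirs" not in conf:
        return []
    homes = os.path.join(fs_root, conf["homedirs"].lstrip("/"))
    findings = []
    for user in sorted(os.listdir(homes)):
        home = os.path.join(homes, user)
        top = os.path.join(home, conf.get("homedirs_public", ""))
        # Without x for others on both directories nothing below is reachable.
        if not os.path.isdir(top) or "x" not in other_bits(home) or "x" not in other_bits(top):
            continue
        for dirpath, dirnames, filenames in os.walk(top):
            dirnames[:] = [d for d in dirnames if "x" in other_bits(os.path.join(dirpath, d))]
            for name in sorted(filenames):
                path = os.path.join(dirpath, name)
                if "r" in other_bits(path):
                    findings.append((user, other_bits(home), os.path.relpath(path, home)))
    return findings

def demo():
    """Audit a constructed tree; the file names are made up for the example."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "home/david/public_www"))
    for rel, mode in (("home/david", 0o711), ("home/david/public_www", 0o755),
                      ("home/david/public_www/bundle.tgz", 0o644),
                      ("home/david/public_www/private.key", 0o600)):
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            open(path, "w").close()
        os.chmod(path, mode)
    return audit_homedirs(parse_conf(SAMPLE_CONF), fs_root=root)
```

A home directory reported as `--x` with findings beneath it is the situation on this box: the directory cannot be listed, yet files under `public_www` are still reachable by name.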

Inside, I found a zipped SSH key bundle. Extracted it, and then:

```
ssh -o IdentitiesOnly=yes -i id_rsa david@10.10.10.165
```

* Crack the password with john:

<figure><img src="/files/7AxUNUxwbzsqBZ5bQB1L" alt=""><figcaption></figcaption></figure>

### 🧗 Privilege Escalation – From David to Root

As `david`, I spotted a custom script directory in his home: `/home/david/bin/`.

<figure><img src="/files/qMFaAN4NPjkXe1CM60Ma" alt=""><figcaption></figcaption></figure>

#### ⚔️ The Root Strike

`journalctl` can spawn a shell by executing:

<figure><img src="/files/kJep0iTM29rTb4RuT9aa" alt=""><figcaption></figcaption></figure>

And with that…\
**Root. Owned. Game over.**

<figure><img src="/files/oiD5mSv9KS087bGd67UI" alt=""><figcaption></figcaption></figure>

