search
About me
githubEdit

🔥HTB: Traverxec – From RCE to Root with a Nostalgic Bang

circle-info

“Give me 3 minutes and I’ll show you how a misconfigured web server handed me SSH keys on a silver platter.”

hashtag
🧠 Reconnaissance

We kick things off with a good old nmap scan:

hashtag
🚀 Initial Foothold – CVE-2019-16278

A quick search reveals CVE-2019-16278arrow-up-right, a remote code execution vulnerability in nostromo 1.9.6.

I used a simple Python script to exploit it and got a remote shell as www-data.

hashtag
🛠️ Post-Exploitation – Looting Configs

Once inside, I poked around

  • Quick Google and nostromo has conf stored in /var/nostromo/conf/nhttpd.conf

That public_www bit? Jackpot.

I couldn't list /home/david directly due to drwx--x--x permissions, but /home/david/public_www was accessible.

  • this is cause of the permission i have on the dir

  • On David's home dir, i have drwx--x--x in order for me to read the content of the directory i need read permission, which would mean drwx--xr-x

Inside, I found a zipped SSH key bundle. Extracted it, and then:

  • crack the password with john

hashtag
🧗 Privilege Escalation – From David to Root

As david, I spotted a custom script directory in his home: /home/david/bin/.

hashtag
⚔️ The Root Strike

journalctl can spawn a shell by executing:

And with that… Root. Owned. Game over.

PreviousHTB-Forge: Double SSRF to Root Breaking Forge from the Inside Out 🧨NextHTB Walkthrough – making a magical walkthrough with Magic

Last updated