🔥 HTB: Traverxec – From RCE to Root with a Nostalgic Bang

“Give me 3 minutes and I’ll show you how a misconfigured web server handed me SSH keys on a silver platter.”

🧠 Reconnaissance

We kick things off with a good old nmap scan:

nmap -Pn -A -p- 10.10.10.165
22/tcp open  ssh     OpenSSH 7.9p1 Debian
80/tcp open  http    nostromo 1.9.6

🚀 Initial Foothold – CVE-2019-16278

A quick search reveals CVE-2019-16278, a remote code execution vulnerability in nostromo 1.9.6.

I used a simple Python script to exploit it and got a remote shell as www-data.

python nostroSploit.py 10.10.10.165 80 "id"

🛠️ Post-Exploitation – Looting Configs

Once inside, I poked around.

  • A quick Google search shows that nostromo stores its configuration in /var/nostromo/conf/nhttpd.conf:

serverroot		/var/nostromo
homedirs		/home
homedirs_public		public_www

That public_www bit? Jackpot.

I couldn't list /home/david directly due to drwx--x--x permissions, but /home/david/public_www was accessible.

  • This is because of the permissions I have on the directory.

  • David's home directory is drwx--x--x. To read the contents of the directory I would need read permission, which would mean drwx--xr-x.
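To check a host for this exposure from the defender's side, the script below reads the homedirs and homedirs_public settings shown above and lists every file that a non-owner account, such as the web server's, can reach through a user's public directory. It is an added example, not code from the original writeup; the function names, the root parameter and the sample tree are assumptions made for illustration, and the web server account is assumed not to be in the home owner's group.

```python
import os
import stat

def parse_nhttpd_conf(text):
    """Parse nostromo's 'key <whitespace> value' lines into a dict."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            conf[parts[0]] = parts[1].strip()
    return conf

def other_access(mode):
    """What a user who is neither owner nor in the group can do with a directory."""
    return {"list": bool(mode & stat.S_IROTH), "traverse": bool(mode & stat.S_IXOTH)}

def audit_homedirs(conf, root="/"):
    """Return world-readable files reachable through each user's homedirs_public dir."""
    findings = []
    if "homedirs" not in conf or "homedirs_public" not in conf:
        return findings
    homes = os.path.join(root, conf["homedirs"].lstrip("/"))
    for user in sorted(os.listdir(homes)):
        home = os.path.join(homes, user)
        pub = os.path.join(home, conf["homedirs_public"])
        # Both the home dir and the public dir must grant "other" the x bit.
        if not os.path.isdir(pub) or not all(
                other_access(os.stat(d).st_mode)["traverse"] for d in (home, pub)):
            continue
        for cur, dirs, files in os.walk(pub):
            # Prune subdirectories that "other" cannot enter.
            dirs[:] = [d for d in dirs
                       if other_access(os.stat(os.path.join(cur, d)).st_mode)["traverse"]]
            findings += [os.path.join(cur, f) for f in sorted(files)
                         if os.stat(os.path.join(cur, f)).st_mode & stat.S_IROTH]
    return findings

def build_sample_tree(base):
    """Constructed sample: home/david (0711) with public_www (0755) and two files."""
    pub = os.path.join(base, "home", "david", "public_www")
    os.makedirs(pub)
    for name, mode in (("index.html", 0o644), ("notes.txt", 0o600)):
        path = os.path.join(pub, name)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(os.path.join(base, "home", "david"), 0o711)
    os.chmod(pub, 0o755)

# Constructed sample config, using the three settings quoted above.
SAMPLE_CONF = "serverroot\t\t/var/nostromo\nhomedirs\t\t/home\nhomedirs_public\t\tpublic_www\n"
```

Anything the audit reports should be treated as published; keys, archives and backups belong outside the public directory or behind mode 0600.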

Inside, I found a zipped SSH key bundle. Extracted it, and then:

ssh -o IdentitiesOnly=yes -i id_rsa [email protected]
  • Crack the password with john.

🧗 Privilege Escalation – From David to Root

As david, I spotted a custom script directory in his home: /home/david/bin/.

⚔️ The Root Strike

journalctl can spawn a shell by executing:

And with that… Root. Owned. Game over.
