🔥HTB: Traverxec – From RCE to Root with a Nostalgic Bang

“Give me 3 minutes and I’ll show you how a misconfigured web server handed me SSH keys on a silver platter.”

🧠 Reconnaissance

We kick things off with a good old nmap scan:

🚀 Initial Foothold – CVE-2019-16278

A quick search reveals CVE-2019-16278, a remote code execution vulnerability in nostromo 1.9.6.

I used a simple Python script to exploit it and got a remote shell as www-data.

🛠️ Post-Exploitation – Looting Configs

Once inside, I poked around:

  • A quick Google search shows that nostromo stores its configuration in /var/nostromo/conf/nhttpd.conf

That public_www bit? Jackpot.

I couldn't list /home/david directly due to drwx--x--x permissions, but /home/david/public_www was accessible.

  • This is because of the permissions I have on the directory.

  • David's home directory is drwx--x--x. To read the contents of the directory I need read permission, which would mean drwx--xr-x. The execute bit alone only lets me pass through the directory to a name I already know.
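An added example (not part of the original write-up) that audits this permission pattern from the defender's side: it walks a home directory by mode bits and reports what "other" users can reach even though the top directory cannot be listed. The sample tree, its file names and the `other_bits`, `exposed_under` and `build_sample` helpers are constructed for illustration.

```python
import os
import stat
import tempfile

def other_bits(mode):
    """(read, execute) permission bits that apply to 'other' users."""
    return bool(mode & stat.S_IROTH), bool(mode & stat.S_IXOTH)

def exposed_under(top):
    """Yield (path, kind) for entries under `top` that 'other' can reach.
    Run as the owner or root so the audit itself can list everything.
    A directory without o+x is a hard stop: nothing below it resolves.
    For directories, o+r decides whether contents can be enumerated.
    'hidden-reachable' = parent lacks o+r, so the name never appears in
    a listing, yet the file opens for anyone who learns the name."""
    top_r, top_x = other_bits(os.stat(top).st_mode)
    if not top_x:
        return
    stack = [(top, top_r)]
    while stack:
        parent, parent_listable = stack.pop()
        for name in sorted(os.listdir(parent)):
            path = os.path.join(parent, name)
            st = os.lstat(path)
            r, x = other_bits(st.st_mode)
            if stat.S_ISDIR(st.st_mode) and x:
                yield path, "listable" if r else "traverse-only"
                stack.append((path, r))
            elif stat.S_ISREG(st.st_mode) and r:
                yield path, "readable" if parent_listable else "hidden-reachable"

def build_sample(root):
    """Constructed tree: home is drwx--x--x, public_www is drwxr-xr-x."""
    home = os.path.join(root, "david")
    pub = os.path.join(home, "public_www")
    os.makedirs(pub)
    files = {os.path.join(home, "notes.txt"): 0o600,   # constructed names
             os.path.join(home, "todo.txt"): 0o644,
             os.path.join(pub, "backup.zip"): 0o644}
    for path, mode in files.items():
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(pub, 0o755)
    os.chmod(home, 0o711)
    return home

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample(tmp)
        for path, kind in exposed_under(home):
            print(f"{kind:17} {os.path.relpath(path, home)}")
```

Tightening the home directory to `drwx------` makes the audit return nothing, because the missing search bit cuts off every path below it.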

Inside, I found a zipped SSH key bundle. Extracted it, and then:

  • Crack the password with john

🧗 Privilege Escalation – From David to Root

As david, I spotted a custom script directory in his home: /home/david/bin/.

⚔️ The Root Strike

journalctl can spawn a shell by executing:

And with that… Root. Owned. Game over.
