Hack The Box Traverxec Full Writeup – 10.10.10.165


So, I spawned Traverxec a while ago. This Linux machine is actually rated as an easy one.

I’m preparing a full writeup on this machine, planning to publish it in a couple of days – stay tuned until then.

The initial foothold and user were too easy! If you remember a recent CVE (CVE-2019-16278), the MSF exploit for it will give you an immediate shell. Once you are in, light enumeration gives you user.txt.

So here are the steps I followed:

User.txt


Update your msf and get the latest exploits and follow the steps below:

Now that I have the shell, I go to the home directory of user David and copy his SSH backup to a .tmp directory I made, using the commands below.

I copied the RSA private key to my Kali and cracked it using John.

John cracked the password as “hunter”.

Getting user.txt

Once I have the keyphrase, I SSH into the box using the following command:

Privesc and Getting root.txt

The user David’s bin has a bash file called “server-stats.sh”; this is to collect the log stats from the server. I will use it to run David as root user.

After reading the server-stats.sh, I understood how to run it 🙂

Now, I resized the terminal to the smallest size possible (this will execute the Linux pager – or you can use the command “less”)

and typed !/bin/sh. Boom – I’m root.
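A defender-side check for the pager escape described above, as an added example that is not part of the original post: it scans sudoers rules for pager-capable programs (such as the journalctl referenced in the comments below) that run without `NOEXEC` or `--no-pager`. The sudoers lines, the user names and the `PAGER_CAPABLE` list are constructed assumptions; the page does not show the box's sudoers entry.

```python
import re

# Programs that page their output (usually through less), where "!" starts a
# shell. This list is an assumption for the example; extend it per host.
PAGER_CAPABLE = {"journalctl", "systemctl", "less", "more", "man"}

# Constructed sudoers lines for illustration; not taken from the box.
SAMPLE_SUDOERS = """\
Defaults env_reset
alice ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -uexample.service
bob   ALL=(root) NOEXEC: /usr/bin/journalctl -n5 -uexample.service
carol ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -uexample.service
dave  ALL=(ALL) /usr/bin/less /var/log/syslog, /usr/bin/id
"""

# user, host list, optional (runas), then the comma-separated command list
RULE = re.compile(r"^(?P<who>\S+)\s+\S+?\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
# leading tags such as "NOPASSWD: NOEXEC:" followed by the command itself
TAGGED = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")


def risky_rules(sudoers_text):
    """Return (user, command) pairs that leave a pager shell escape open."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        noexec = False  # a tag applies to later commands in the same list too
        for spec in rule.group("cmds").split(","):
            tags, cmd = TAGGED.match(spec.strip()).groups()
            for tag in re.findall(r"([A-Z_]+):", tags):
                if tag in ("NOEXEC", "EXEC"):
                    noexec = tag == "NOEXEC"
            parts = cmd.split()
            if not parts:
                continue
            binary = parts[0].rsplit("/", 1)[-1]
            if binary in PAGER_CAPABLE and not noexec and "--no-pager" not in parts:
                findings.append((rule.group("who"), cmd))
    return findings


if __name__ == "__main__":
    for who, cmd in risky_rules(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} can reach a pager without NOEXEC or --no-pager")
```

On the constructed sample it reports the `alice` and `dave` rules; the `bob` rule is covered by `NOEXEC` and the `carol` rule by `--no-pager`.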

Thanks for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523

3 Comments
Andy Alfa
7 months ago

Hi, there are a few improvements I can see you can make to your write-up to make it more friendly:
1) How did you find out which vulnerability to use?
2) There is no explanation of how you got the SSH key directory. /home/david/ is not browsable (permissions denied) so you need to find an internal browsable directory in another way.
3) “After reading the server-stats.sh, I understood how to run it 🙂” – what does this mean? There is no explanation. There is no reference to GTFOBins (or any other trick).
Write-ups and challenges are used for education. So the person…

Anton Oleynik
3 months ago

1. In the docs for nostromo we can see how the structure works. In the config for nostromo we see that the home directory for pages is home, so it works for every user:
“homedirs /home
homedirs_public public_www”
2. Just listing /home/david/public_www gives us a listing of the folder.
2.1 I went another way: I broke the hash from .htpasswd and didn’t know where to use this password, and afterwards found “protected-file-area” in ls; this page has a login system.
3. https://gtfobins.github.io/gtfobins/journalctl/
