HackTheBox – Traverxec – Writeup
User
- Port and version enumeration: `nmap -sV -sC -oA traverxec.htb 10.10.10.165`
- We see that the HTTP server in use is `nostromo 1.9.6`. This is a vulnerable version, as shown by https://www.exploit-db.com/exploits/47573
- We can run the Metasploit module as per Rapid7.
- This gives a shell as `www-data`.
- Running `LinEnum.sh` provides some interesting data, namely that a `.htpasswd` hash is available.
- This hash is an `md5crypt` hash. We will use `john htpasswd --wordlist=/usr/wordlist/rockyou.txt` to crack it.
- After cracking this hash, we need to find the http directory where we can use this password.
- Browsing `/home/david/public_www` we find a protected area. The password cracked earlier works!
- Download the tar.gz file and extract it using `gunzip`.
- We have some SSH key backups. The most important file here is `id_rsa`.
- Use `ssh -i <key file>` to try to connect to david@traverxec.htb.
- We need a passphrase. Let's try `ssh2john` and pass the output to `john` to brute force it, once again with rockyou.txt.
- Passphrase found! Use this to connect via ssh.
- `id` shows we are david; `cat user.txt`.
Root
- Look at the shell script in the home directory and see the commands being issued, namely the use of `sudo` with `journalctl`.
- Copy the file elsewhere and execute. It still works.
- Add a `&&` operator and `/bin/sh` at the end of the shell script.
- Run the script and you should be able to use `!/bin/sh` to get a shell via `less` with uid=0.
- `cat root.txt`
#hackthebox #htb
Talks
John Strand, Keynote: A Hunting We Must Go
- Interval, con time, data size.
- Holes in an org are just as important to detect as threat actors.
- Deception time + Reaction time < Time to perform attack.
Katie Knowles, How to (Holiday) Hack It: Tips for Crushing CTFs & Pwning Pentests
- Recon –> ID Vuln –> ID Exploit –> Test –> New Info Integrate
1. Understanding the Problem
- Drawing is a useful way to visualise a problem (image credit: Katie Knowles).
2. Plan
- Google things; look for other things that are similar.
- Keep a list of what has already been done and make sure all bases are covered at each step, e.g. have all ports been checked, including UDP?
3. Carry out the plan
4. Looking Back
- Record your steps, useful links, wiki.
Snow, Santa’s Naughty List: Holiday Themed Social Engineering
#CTF #SANS #HolidayHack #KringleCon2019
Link: https://tryhackme.com/room/25daysofchristmas
Get started with Cyber Security in 25 Days – Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas
Day 1
- Cookies with fixed values are bad, as they allow attackers to guess the pattern and the values.
- a new cookie can be created from Firefox dev tools > storage > cookies > add new
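To show why a fixed cookie value is guessable and what the fix looks like, here is an added example (not from the room; all function names are my own) that builds the predictable cookie beside an HMAC-signed one and rejects a forged value:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret; a real service would load it from config.
SERVER_KEY = secrets.token_bytes(32)


def predictable_cookie(user_id: int) -> str:
    """The Day 1 anti-pattern: the value is a fixed function of the user id,
    so seeing one cookie lets anyone guess every other user's cookie."""
    return f"user={user_id}"


def signed_cookie(user_id: int, key: bytes = SERVER_KEY) -> str:
    """Same value plus an HMAC-SHA256 tag; a guessed value is useless without
    the server key needed to produce a matching tag."""
    payload = f"user={user_id}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[int]:
    """Return the user id if the tag checks out, otherwise None. An unsigned
    or re-stamped cookie (e.g. user=2 carrying user=1's tag) is rejected."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep or not payload.startswith("user="):
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(expected, tag):
        return None
    return int(payload[len("user="):])
```

Signing stops forgery of the value; a random session identifier (`secrets.token_urlsafe`) is still the better choice when the cookie does not need to carry data.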
Day 2
- check source pages
- dir searching
- github search for website
Day 3
- for pcaps, the best thing to do is search for interesting activities e.g. telnet and ssh
- follow stream to export to txt
- John the Ripper can work on `/etc/shadow` without needing `/etc/passwd`.
Day 4
- To find text within all files: `grep -Ril "text"`
- To grep for all IP addresses: `grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" file.txt`
- It's wise to search for *.bak files in case some world-readable backups exist: `find / -name "*.bak" 2>/dev/null`
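The grep pattern above matches any dotted quad, including ones with octets above 255. This added example (my own code, not the room's; the sample text is constructed) applies the same pattern in Python and then filters the matches through `ipaddress` so only real IPv4 addresses survive:

```python
import ipaddress
import re

# The notes' grep pattern, with lookarounds so a quad is not taken out of a
# longer dotted run such as the version string "1.2.3.4.5".
IPV4_RE = re.compile(r"(?<![0-9.])((?:[0-9]{1,3}\.){3}[0-9]{1,3})(?![0-9.])")

# Constructed sample text: two real addresses, two dotted quads that are not
# addresses at all (octets above 255), and a version string.
SAMPLE = """\
Accepted password for root from 192.168.1.50 port 51022
bogus=999.1.2.3 version=1.2.3.4.5 other=10.0.0.256
connection from 8.8.8.8 closed
"""


def dotted_quads(text: str) -> list:
    """Everything the pattern matches, valid address or not."""
    return IPV4_RE.findall(text)


def valid_ipv4(text: str) -> list:
    """Only the matches that ipaddress accepts; drops 999.1.2.3 and 10.0.0.256."""
    found = []
    for quad in dotted_quads(text):
        try:
            found.append(str(ipaddress.IPv4Address(quad)))
        except ipaddress.AddressValueError:
            pass
    return found
```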
Day 5
- OSINT required creative google searches, social media, and the use of waybackmachine.
Day 6
- Tools used:
- wireshark-gtk
- fcrackzip
- steghide
Day 7
- strange protocols running on weird ports are worth trying out via http.
Day 8
- If binaries such as `find` are running as another user, you can usually use `-exec` to execute something with that binary, e.g.: `find /home/igor -name flag1.txt -exec cat /home/igor/flag1.txt \;`
- Commonly used command to list all SUID binaries: `find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null`
- After a quick nmap scan, there seems to be a Tomcat server running on port 80.
- Version enumeration reveals that it may be prone to the Struts2 vuln.
- Let's use the `struts2_content_type_ognl` exploit via MSF and configure hosts, ports, and path (path = `""`).
- Exploit successful! Use the Meterpreter shell to explore further and find a way to break out of the Docker container.
- SSH creds are available -> this is how we break out.
Day 11: Network Exploitation
- `nmap -A $IP -oA <filename>`
- We can see the following services open: ftp, nfs, mysql
- Anonymous login is allowed on FTP. Use `ftp` to log in and retrieve the file and credentials.
NFS
- `showmount -e $IP` to check if NFS is present and what the directory path is.
- `cd /tmp && mkdir thm-nfs-11`
- `sudo mount $IP:/opt/files thm-nfs-11`
- thm-nfs-11 contains a file with the flag.
MySQL
- I'll be using `mycli` to connect to the MySQL database: `mycli -h $IP -P 3306 -u root`
- Then, inside the client (the table name takes no single quotes, which would make it a string literal):
`show databases;`
`use data;`
`show tables;`
`SELECT * FROM USERS;`
- Creds are now retrieved from the table.
Day 12
1) `md5sum`
2) `gpg --decrypt note1.txt.gpg` with the supplied passphrase
3a) Decrypt the private RSA key first with the supplied passphrase: `openssl rsa -in private.key -out test.key`
3b) Then use `openssl rsautl -decrypt -inkey test.key -in note2_encrypted.txt -out note2_decrypted.txt` to obtain the decrypted note.
Day 14: AWS S3 Buckets
- Buckets can be accessed via `bucketname.s3.amazonaws.com` or `bucketname.region-name.amazonaws.com`
- Bucket contents can be accessed via `bucketname.region-name.amazonaws.com/file-name`
Day 15: Local File Inclusion
- Webservers will often pull files from local locations to display on a webpage.
- It's best to look at the HTTP requests and start crafting potential LFI payloads that way.
- Be sure to encode the `/` using `%2F`.
- Example payload: `http://host/get-file/%2fetc%2fpasswd`
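Why the encoded `/` in that payload works, and what the fixed handler does differently, as an added example (my own code, not the room's; the `get-file` handler names and the temporary web root are constructed for the demo):

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote

# Constructed web root containing one legitimate file, so this runs offline.
WEBROOT = tempfile.mkdtemp(prefix="lfi-demo-")
with open(os.path.join(WEBROOT, "about.txt"), "w") as fh:
    fh.write("public page\n")


def naive_get_file(requested: str) -> str:
    """Vulnerable handler: decodes the URL segment and joins it onto the
    web root. A decoded absolute path such as /etc/passwd makes os.path.join
    throw WEBROOT away, and ../ segments walk out of it."""
    return os.path.join(WEBROOT, unquote(requested))


def safe_get_file(requested: str) -> Optional[str]:
    """Hardened handler: decode once, resolve symlinks and ../ with realpath,
    then require the result to sit inside WEBROOT and be a regular file.
    Returns None where the handler would answer 403/404."""
    decoded = unquote(requested).lstrip("/")
    root = os.path.realpath(WEBROOT)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate
```

A doubly encoded request (`%252f`) arrives as `%2f` after the single decode and is validated in that form; never decode again after the containment check.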
#writeups #ctf #tryhackme