HackTheBox – Traverxec – Writeup
- Port and version enumeration:
nmap -sV -sC -oA traverxec.htb 10.10.10.165
- We see that the HTTP server being used is nostromo 1.9.6. This is a vulnerable service, as shown by https://www.exploit-db.com/exploits/47573
- We can run the Metasploit module as per Rapid7.
- This gives a shell with
- LinEnum.sh provides some interesting data, namely that we have a
- This hash is an md5crypt hash. We will use john htpasswd --wordlist=/usr/wordlist/rockyou.txt to crack this.
- After cracking this hash, we need to find the http directory where we can use this password.
- In /home/david/public_www we can find a protected area. The password cracked earlier works!
- Download the tar.gz file and extract using
- We have some ssh key backups. The most important file here is
ssh -i <key file> to try and connect to firstname.lastname@example.org.
- We need a passphrase. Let's try using ssh2john and pass it to john to brute force. We will use
- Passphrase found! Use this to connect via ssh.
- id = david
- Use the shell script in home directory and see the commands being issued. Namely the use of
- Copy the file elsewhere and execute. It still works.
- Add a && operator and issue /bin/sh at the end of the shell script.
- Run the script and you should be able to use !/bin/sh to get a shell via
- cat root.txt
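
The password hash recovered above was md5crypt, which is why a wordlist run was enough. As an added example (not part of the original writeup), this audit parses htpasswd-style `user:hash` files and flags entries stored with md5crypt or other fast schemes; the weak/accepted verdicts and the sample entries are assumptions of this example.

```python
import re

# (prefix, scheme, weak?) -- the verdicts are this example's policy, not a standard.
SCHEMES = [
    ("$2", "bcrypt", False),
    ("$6$", "sha512crypt", False),
    ("$apr1$", "apr1-md5", True),
    ("$1$", "md5crypt", True),
    ("{SHA}", "unsalted-sha1", True),
]
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")


def classify(hash_field):
    """Return (scheme, weak) for one htpasswd hash field."""
    for prefix, name, weak in SCHEMES:
        if hash_field.startswith(prefix):
            return name, weak
    if DES_CRYPT.fullmatch(hash_field):
        return "des-crypt", True
    return "unknown-or-plaintext", True


def audit_htpasswd(text):
    """Return (line_no, user, scheme) for every weak or malformed entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        user, sep, hash_field = raw.strip().partition(":")
        if not (user or sep):
            continue  # blank line
        if not sep or not hash_field:
            findings.append((line_no, user, "malformed"))
            continue
        scheme, weak = classify(hash_field)
        if weak:
            findings.append((line_no, user, scheme))
    return findings


# Constructed sample entries, not hashes taken from the box.
SAMPLE = """\
alice:$1$abcdefgh$0123456789abcdefghijkl
bob:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave
"""

if __name__ == "__main__":
    print(audit_htpasswd(SAMPLE))
```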