HTB: Traverxec Walkthrough (Linux)

Traverxec is a now retired Linux HTB machine. It has been a while since I rooted this one, but I do recall that I thoroughly enjoyed working it and planned to write it up when it was retired, so my notes are better 🙂

Recon:
I prefer to use multiple nmap runs rather than a whole bunch of checks in one run; it’s just personal preference.

Nostromo on TCP:80 is immediately intriguing…I had never heard of it so decided to see if there were any existing exploits in exploit-db (it’s HTB after all).

Yep, we have an RCE exploit on exploit-db and already on our Kali box 🙂 Remember to always check exploit code, in fact, all code before just running it! I really can’t stress it enough: if you don’t understand what’s happening, research more!

We have code execution as the www-data user via the nostromo web server on TCP:80, and getting a shell from here is super simple.
Using the RCE exploit we set up a listener and tell the remote server to connect to us 🙂

We now have a shell as www-data, you can see in the above that I also upgraded the shell with Python’s pty 🙂 *Mentioned in previous articles but perhaps not shown

With the foothold achieved we need to get to user, so I had a dig around.


We now know there’s a user called “david”, there’s an alias in place and it’s using htaccess!

First things first: we need the password hash from .htpasswd, then crack it with john and our beloved rockyou.txt.

Now we have david’s password, let’s see where that alias leads.
In here, there’s an encrypted id_rsa file 😉
Awesome, decryption key sorted. We can now use that private key to SSH as david – PrivEsc next.
sudo -l and a few tweaks 😉
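
For the defender's side of the .htpasswd step above, here is an added example (not part of the original post) that classifies the hash scheme of each entry in an htpasswd-style file and flags the ones that fall quickly to a wordlist once the file can be read. The sample entries and the bcrypt cost floor are constructed assumptions.

```python
import re

# Hash schemes seen in htpasswd-style files, with a verdict on how well each
# resists an offline wordlist attack once the file is readable.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$"), "bcrypt", None),
    (re.compile(r"^\$6\$"), "sha512-crypt", "ok"),
    (re.compile(r"^\$5\$"), "sha256-crypt", "ok"),
    (re.compile(r"^\$apr1\$"), "apr1-md5", "weak"),
    (re.compile(r"^\$1\$"), "md5-crypt", "weak"),
    (re.compile(r"^\{SHA\}"), "sha1-unsalted", "weak"),
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "des-crypt", "weak"),
]
MIN_BCRYPT_COST = 10  # assumed policy floor, adjust to your own standard

def classify(hash_field):
    """Return (scheme, verdict) for one hash field."""
    for pattern, name, verdict in SCHEMES:
        m = pattern.match(hash_field)
        if m:
            if name == "bcrypt":  # bcrypt strength depends on its cost factor
                verdict = "ok" if int(m.group(1)) >= MIN_BCRYPT_COST else "weak"
            return name, verdict
    return "unknown-or-plaintext", "weak"

def audit(text):
    """Return (line number, user, scheme, verdict) for each entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            findings.append((lineno, line, "malformed", "weak"))
            continue
        findings.append((lineno, user, *classify(hash_field)))
    return findings

# Constructed sample entries; the "hashes" are filler, not real digests.
SAMPLE = "\n".join([
    "# constructed entries",
    "alice:$2y$12$" + "A" * 53,
    "bob:$1$saltsalt$" + "b" * 22,
    "carol:$apr1$saltsalt$" + "c" * 22,
    "dave:{SHA}" + "d" * 27 + "=",
    "erin:$2y$04$" + "E" * 53,
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Entries reported as weak are the ones to re-hash with bcrypt at an adequate cost; a strong scheme still does not rescue a password that appears in a common wordlist.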
