![](https://hackyourmom.com/wp-content/uploads/2024/12/50-465x240.png)
The article is a detailed walkthrough of the Traverxec machine on the HackTheBox platform. Along the way it covers obtaining a Meterpreter shell and escalating privileges with a GTFOBins-style shell escape. Readers learn about specific tools such as masscan, nmap and Metasploit, and how to use them to exploit vulnerabilities effectively in realistic scenarios.
Specifically, the article covers getting remote code execution (RCE) on the Nostromo web server, upgrading an active Metasploit session to a Meterpreter shell, reviewing the Nostromo configuration, cracking the passphrase of an encrypted SSH key, and using a GTFOBins technique to escalate privileges.
The lab is reached over VPN. Connecting from a work machine, or from any device holding sensitive data, is not recommended: the private lab network is shared with other participants, who have offensive security experience.
This machine has an IP address of 10.10.10.165, which we add to /etc/hosts.
10.10.10.165 traverxec.htb
First, a scan of open ports is performed. Since scanning all ports with nmap takes much longer, masscan is used to speed up the process. All TCP and UDP ports are scanned through the tun0 interface at a rate of 1000 packets per second.
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.165 --rate=1000
Now, to get more detailed information about the services behind the open ports, we run nmap with the -A option (OS detection, version detection, default scripts and traceroute) against only the ports masscan found.
nmap -A traverxec.htb -p22,80
So we have SSH and the Nostromo web server.
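The two-stage scan above (fast masscan sweep, then nmap -A on the hits only) is easy to chain. The following helper is an added example and not part of the original article: it parses masscan's "Discovered open port" lines into the comma-separated list nmap -p expects and prints the nmap command rather than running it, so it works offline. The masscan output and the target name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): build the nmap -p port list
# from masscan's stdout so the follow-up nmap -A scan covers only the ports
# masscan actually found. The masscan output below is constructed for the
# example; the duplicate 22/tcp line is deliberate, masscan can report a
# port more than once when it sees a retransmission.
SAMPLE_MASSCAN_OUTPUT='Discovered open port 80/tcp on 10.10.10.165
Discovered open port 22/tcp on 10.10.10.165
Discovered open port 22/tcp on 10.10.10.165
Discovered open port 161/udp on 10.10.10.165'

# ports_from_masscan PROTO: read masscan stdout on stdin and print the unique
# open ports for PROTO (tcp or udp) as a sorted, comma-separated list.
ports_from_masscan() {
    awk -v proto="$1" '
        $1 == "Discovered" && $2 == "open" && $4 ~ ("/" proto "$") {
            split($4, a, "/"); print a[1]
        }' | sort -n -u | paste -s -d , -
}

# nmap_command TARGET PROTO: print the nmap command line for the ports masscan
# found (printed, not executed, so the example runs without a target).
nmap_command() {
    ports=$(ports_from_masscan "$2")
    if [ -z "$ports" ]; then
        echo "no open $2 ports in masscan output" >&2
        return 1
    fi
    if [ "$2" = udp ]; then
        printf 'nmap -sU -A -p%s %s\n' "$ports" "$1"
    else
        printf 'nmap -A -p%s %s\n' "$ports" "$1"
    fi
}

printf '%s\n' "$SAMPLE_MASSCAN_OUTPUT" | nmap_command traverxec.htb tcp
printf '%s\n' "$SAMPLE_MASSCAN_OUTPUT" | nmap_command traverxec.htb udp
```

In practice, capture the real sweep with `masscan ... | tee masscan.out` and feed that file to `nmap_command`; UDP ports go to a separate `nmap -sU` run because nmap's default scan is TCP-only.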
Let's check the Nostromo web server, version 1.9.6, for known exploits. searchsploit is convenient for this: it searches a local copy of the exploit-db database.
From the searchsploit results, the second exploit is not suitable, while the first carries the "Metasploit" tag, meaning the exploit is implemented as a module of the Metasploit Framework.
Launch msfconsole and search for the module.
Great! This module targets our version of Nostromo, so we set the required options and run it to confirm it works.
For convenience, we upgrade the resulting session to a Meterpreter shell. Background the current session (Ctrl+Z, then confirm); listing the active sessions shows the one just backgrounded, which can then be upgraded.
Next we drop into a shell from the session, make the script executable, and run it.
Analyzing the output, we find the password hash from .htpasswd.
Further aimless exploration of the system turned out to be a waste of time. Realizing this, and lacking a clear plan, we went back to the web server configuration. Fortunately, the directory holding the configuration file had already been revealed.
Next, let's look at nhttpd.conf, Nostromo's main configuration file.
It confirms our assumptions. In addition, it points at a directory that deserves a closer look to understand what it holds.
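When reviewing an nhttpd.conf, the directives that decide which parts of the filesystem Nostromo serves are docroot and, importantly, homedirs together with homedirs_public, which expose a subdirectory of every user's home directory under /~user/. The following is an added example, not code from the original article or from the Nostromo project: it pulls those directives out of a config and prints the resulting exposed paths. The sample config (hostnames, paths and the public directory name) is constructed for the example and does not reproduce the machine's real file.

```shell
#!/bin/sh
# Added example (not from the original article): extract the directives from a
# Nostromo nhttpd.conf that decide which filesystem paths the server exposes.
# The config below is constructed for this example; real values will differ.
SAMPLE_NHTTPD_CONF='# nhttpd.conf - sample, constructed for this example
servername      www.example.htb
serverlisten    *
serveradmin     admin@example.htb
serverroot      /var/nostromo
servermimes     conf/mimes
docroot         /var/nostromo/htdocs
docindex        index.html

logpid          logs/nhttpd.pid
user            www-data
htaccess        .htaccess
htpasswd        /var/nostromo/conf/.htpasswd

homedirs        /home
homedirs_public public_www'

# conf_value KEY: print the value of KEY from nhttpd.conf text read on stdin.
# Comment and blank lines are ignored; if a key appears twice the last wins.
conf_value() {
    awk -v key="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == key { val = $2 }
        END { if (val != "") print val }'
}

# exposed_paths: print, one per line, the locations Nostromo serves from this
# config: the docroot, and, when homedirs is set, the per-user directory that
# http://host/~user/ maps to (homedirs/<user>/homedirs_public; if
# homedirs_public is unset the whole home directory is reachable).
exposed_paths() {
    conf=$(cat)
    docroot=$(printf '%s\n' "$conf" | conf_value docroot)
    homedirs=$(printf '%s\n' "$conf" | conf_value homedirs)
    public=$(printf '%s\n' "$conf" | conf_value homedirs_public)
    if [ -n "$docroot" ]; then
        printf 'docroot: %s\n' "$docroot"
    fi
    if [ -n "$homedirs" ]; then
        printf 'homedirs: %s/<user>/%s (served as /~<user>/)\n' "$homedirs" "${public:-.}"
    fi
}

printf '%s\n' "$SAMPLE_NHTTPD_CONF" | exposed_paths
```

The security-relevant point is the second line of output: with homedirs enabled, anything a user places in that subdirectory of their home is reachable over HTTP, and the directory itself is worth listing with the shell you already have, since it may contain files the user did not intend to publish.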
There we find a backup of the user's SSH files and download it.
Extract the archive.
It contains the user's private key, but attempting to connect with it prompts for a passphrase, so the key is encrypted.
We convert the key into a John-compatible hash with ssh2john, save the hash to a file and run it against the rockyou.txt wordlist with John the Ripper.
Yes, the passphrase is recovered. With it and the key, we connect over SSH.
Let’s see what we have in the user directory.
In the bin directory we find interesting files.
The script first prints a few lines and then runs another command (journalctl, in this case) under sudo, piping its output to cat. That combination is worth a second look. Running the command produces quite informative output.
The explicit pipe to cat immediately suggests a GTFOBins technique. GTFOBins is a catalogue of Unix binaries that can be abused to read or write files, spawn shells or otherwise break out of a restricted context, with the usage for each binary and each context (sudo, SUID, restricted shell, and so on) listed on its page.
The trick here is that if the sudo command is run on its own, without the pipe to cat, and the terminal window is made small enough that the output does not fit, the output is handed to a pager (less). From less, !/bin/sh spawns a shell, and because less was started by a process running under sudo, that shell runs as root. The pipe to cat in the script only hides the pager; it does nothing to stop the user from running the same sudo command directly. The fix belongs in sudoers: restrict the rule to an invocation that disables the pager (for journalctl, --no-pager), rather than relying on a wrapper script.
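The same pattern (a sudo rule for a binary that drops into a pager or editor with a shell escape) recurs across machines, so it is worth checking `sudo -l` output for it systematically. The following is an added example and not code from the original article: it flags command rules whose binary has a pager/editor shell escape documented on GTFOBins. The `sudo -l` output below (user, host, service name and rules) is constructed for the example; the list of binaries is a starting point, not the full GTFOBins catalogue.

```shell
#!/bin/sh
# Added example (not from the original article): scan `sudo -l` output for
# commands that GTFOBins documents as escapable to a shell through their pager
# or editor. The sudo -l output below is constructed for this example.
SAMPLE_SUDO_L='Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/journalctl -n5 -uexample.service
    (root) /usr/bin/systemctl status example.service
    (root) NOPASSWD: /usr/bin/id'

# Binaries whose GTFOBins sudo entries include a pager or editor shell escape
# (e.g. "!/bin/sh" from less, or ":!sh" from vi). Extend as needed.
PAGER_ESCAPES='journalctl systemctl less more man vi vim git'

# risky_sudo_rules: read sudo -l output on stdin and print, one per line,
# "<basename> <rule>" for every command rule whose binary is in PAGER_ESCAPES.
# Command rules are the indented lines starting with "(runas)"; the command is
# the first field that looks like an absolute path, so "(ALL : ALL)" and
# NOPASSWD:/SETENV: tags are handled.
risky_sudo_rules() {
    awk -v list="$PAGER_ESCAPES" '
        BEGIN {
            n = split(list, names, " ")
            for (i = 1; i <= n; i++) risky[names[i]] = 1
        }
        /^[ \t]*\(/ {
            cmd = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^\//) { cmd = $i; break }
            if (cmd == "") next
            m = split(cmd, parts, "/")
            base = parts[m]
            if (base in risky) {
                sub(/^[ \t]+/, "")
                print base " " $0
            }
        }'
}

printf '%s\n' "$SAMPLE_SUDO_L" | risky_sudo_rules
```

For the two rules it flags, the remediation is the same in each case: allow only a form of the command that cannot start a pager (journalctl and systemctl both accept --no-pager), since with env_reset the invoking user cannot influence the pager through the environment but the pager itself still inherits root.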