Traverxec Writeup

Let's do the nmap scan

Ports 22 and 80 are open.

Browsing to the webpage, I found nothing of interest, and running GoBuster brought back no results.

Noticing that the webserver is running Nostromo, I checked for any exploits.

Found one, let's see what happens!

Reverse shell given!

First thing to do is find the webserver config and see what we can get.

Browsing htdocs brought nothing useful. Now we check .htpasswd and see.

Let's crack it!

I used another box of mine that cracks passwords quicker and found the following.

Let us try our luck with ssh login.

Thought as much.

In the Nostromo config we see that user home directories are set up.

Drats.

After trying and understanding what the homedir setting does, we managed to get into the user's public_www directory. Nice file permissions.

Wait, what do we have here? He backed up his ssh keys where?

Let's browse to the folder on the webpage.

Use the credentials from above for david.

Download the file and untar it.

Now we need to convert the private key to push it through John to crack the password.

Password cracked and now we have the user flag!
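
Seen from the defender's side, the exposure in this part of the box is an SSH key backup sitting inside a web-served `public_www` directory. The following added example (not from the original post) audits home directories for private keys, loose or inside tar archives, under that directory; the function names and the sample tree with user `alice` are constructed for illustration.

```python
import io, os, stat, tarfile, tempfile

KEY_MARKER = b"PRIVATE KEY-----"  # tail of PEM/OpenSSH private key header lines

def audit_web_homedirs(home_root, webdir="public_www"):
    """Return (path, reason) for private keys, loose or inside tar archives,
    found under each user's web-served directory."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        base = os.path.join(home_root, user, webdir)
        for dirpath, _dirs, files in os.walk(base):  # yields nothing if base is absent
            for name in sorted(files):
                path = os.path.join(dirpath, name)
                mode = os.lstat(path).st_mode
                if not stat.S_ISREG(mode):
                    continue  # skip symlinks, sockets, devices
                perm = "world-readable" if mode & stat.S_IROTH else "not world-readable"
                if tarfile.is_tarfile(path):
                    with tarfile.open(path) as tar:  # compression auto-detected
                        for member in tar:
                            fh = tar.extractfile(member) if member.isfile() else None
                            if fh and KEY_MARKER in fh.read(4096):
                                findings.append((path, f"archive holds key {member.name}, {perm}"))
                else:
                    with open(path, "rb") as fh:
                        if KEY_MARKER in fh.read(4096):
                            findings.append((path, f"private key, {perm}"))
    return findings

def build_sample_tree(root):
    """Constructed sample: user 'alice' with a key backup inside public_www."""
    web = os.path.join(root, "alice", "public_www", "backup")
    os.makedirs(web)
    os.makedirs(os.path.join(root, "bob"))  # no web dir: must be ignored
    with open(os.path.join(root, "alice", "public_www", "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>")
    fake_key = b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-NOT-A-KEY\n"
    archive = os.path.join(web, "ssh-backup.tgz")
    with tarfile.open(archive, "w:gz") as tar:
        info = tarfile.TarInfo("home/alice/.ssh/id_rsa")
        info.size = len(fake_key)
        tar.addfile(info, io.BytesIO(fake_key))
    os.chmod(archive, 0o644)
    return archive

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, reason in audit_web_homedirs(tmp):
            print(f"{path}: {reason}")
```

Run it as a user that can read every home directory (for example from a scheduled job) and treat any finding as a key to rotate, since a passphrase on the key only slows down offline cracking.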

There is a file in the bin directory which we need to have a look at.

Running this script just outputs a couple of things and doesn't do anything special on output.

I hit a bit of a wall at this stage and then I saw a clue when someone mentioned GTFOBins - https://gtfobins.github.io/

This is where things get weird. Bear with me.

If your terminal is full screen and you run the command then the following happens.

But now if you make your terminal smaller and run the command again, then the following happens.

When the above screen shows, enter !/bin/bash and you will be given a root prompt, wtf?

root flag :)

This post is licensed under 0x3n0 by the author.