HackTheBox Writeup — Traverxec

Cristian Cornea
5 min readApr 23, 2020


In this article, we will discuss a proposed solution to pwn the Traverxec machine from HackTheBox.

Information Gathering

After a basic port scan I’ve found ports 22 and 80 open which suggest that
we are dealing with a web application.

Also I’ve tried a full and complex port scan but it returned only those ports

So I navigated to our IP address ( and found a simple
presentation website.

The first thing that I’ve done after that was to discover potential directories
and files both manually and automatic.

While ​dirbuster was running, I’ve been trying to search for some admin
panels or login forms and found something interested.

The “Not found” error page was disclosing our web server technology and
its version.

The normal thing to do after you got an information like that is to search for
version vulnerabilities. (The name of the challenge is a big hint: traverxec=

Getting User

Found a Metasploit Module related to that vulnerability and used it for

Good, we got a shell as www-data so let’s navigate firstly to our home
directory which would be ​/var/nostromo.

An interesting folder is ​”conf”, which can contain files disclosing sensitive

And here we go, displaying the content of .htpasswd we got the following


Which is an username:password combination with username’s value
“david” and a password hashed value.

John is our best friend when it comes to crack passwords and hashes.

Our password plaintext value is “Nowonly4me”.

Trying to SSH into the machine with the given credentials didn’t work, so
probably our user:pass combination must be used somewhere else.

I’ve navigated back to our www-data session in order to gather more

Read the ​nhttpd.conf ​file located in the /var/nostromo/conf folder and its documentation which can be found here:


Going through the document I’ve found an interesting topic.

It results that our next step was to go to and we got
nothing but just a simple image page.

So I’ve started enumerating files inside that folder using ​ dirbuster ​ and got
this one (protected-file-area) which requires authentication, the perfect
place to input our credentials.

After the successfully login, there was a backup archive that we could

Once the archive is extracted on our local machine, it can be searched for
potential sensitive files or folders.

We got just one directory inside and navigated through it until we found
something cool.

Yes, a private key that we can use to login into the Traverxec machine
through SSH.

Unfortunately, it requires a passphrase, so we must extract the hash of the
key passphrase and crack it using John.

The tool that I am going to use in order to extract the hash is ​ ssh2john and
it can be downloaded from here:


Using the passphrase ​ ‘hunter’ ​ we’ve got a session for user ‘david

Getting Root

The first thing was to check the user’s home directory and something
catchy smiled at me, it was a bash script containing a command that was
executed using sudo.

The command is:

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

After that finding I went straight to GTFOBins (​ https://gtfobins.github.io/​ ), in order to check the exploitation possibilities of ​ journalctl.

It is interesting that our documentation suggests us to use the “​ less”
command which can be helpful in our situation.

Tried using less with sudo but it asked me for a password, then I’ve
remembered a little trick that helped me escalate my privileges on that machine.

/usr/bin/sudo $(less) /usr/bin/journalctl -n5 -unostromo.service



Cristian Cornea

🇷🇴 Founder @ Zerotak Security & Cyber Security Training Centre of Excellence (CSTCE)