As usual, the Nmap scan showed only 2 ports open: port 22 and port 80.
Port 80 was running the nostromo service. After a little enumeration of the nostromo service, I found an RCE exploit for it.
After getting the reverse shell, I was stuck looking for any further opening.
Fortunately reading the HTB Forum for Traverxec provided a hint to search for config.
Reading the config gave a hint that there’s a hidden directory (public_www) inside /home/david/.
That gave me access to the backup SSH keys.
Downloaded the backup SSH files to Kali.
From there, got access to the id_rsa for David.
Used ssh2john.py to convert the id_rsa into john’s crackable format.
Copied the output provided by ssh2john.py into a new file named hash.
Then used “john hash” (with john’s default wordlist) to crack the passphrase.
Logged in as David with the found passphrase and grabbed user.txt.
Now for the root part, I found a strange file inside bin named server-status.sh.
I knew that’s the file which is going to take me to the root.
I tried running /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service but didn’t get anything.
Went back to the HTB Forum and got the hint to resize the terminal in order to get the prompt.
Did that and got a prompt, then typing “!/bin/bash” did the trick.
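
The root step above works because the sudo-allowed journalctl command hands its output to an interactive pager that runs with elevated privileges. As an added example (not part of the original writeup), this Python script audits sudoers rules for that pattern; the sample rules are constructed, only the journalctl command line comes from the post, and the parser assumes single-line rules without aliases.

```python
import re
import shlex
from pathlib import PurePosixPath

# Programs that pipe output into an interactive pager when run on a terminal.
PAGER_CAPABLE = {"journalctl", "systemctl", "man", "less", "more"}
RULE = re.compile(r"^(?P<who>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")
SKIP = re.compile(r"^(#|Defaults|(User|Runas|Host|Cmnd)_Alias\b)")

# Constructed sample rules; only the journalctl command line comes from the post.
SAMPLE = """\
Defaults env_reset
david ALL=(ALL:ALL) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
ops ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
backup ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog, /usr/bin/man
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl status nostromo, /bin/ls
"""

def audit_sudoers(text):
    """Return (user, command) pairs that can reach a pager with sudo's privileges."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        rule = None if not line or SKIP.match(line) else RULE.match(line)
        if not rule:
            continue
        noexec = False  # tags carry over to later commands in the same list
        for spec in rule.group("cmds").split(","):
            tags, cmd = TAGS.match(spec.strip()).groups()
            names = set(re.findall(r"[A-Z_]+", tags))
            if "NOEXEC" in names:
                noexec = True
            elif "EXEC" in names:
                noexec = False
            argv = shlex.split(cmd)
            if not argv or PurePosixPath(argv[0]).name not in PAGER_CAPABLE:
                continue
            # Not flagged only if sudo blocks child processes (NOEXEC) or the
            # rule pins --no-pager (journalctl/systemctl) in its fixed arguments.
            if not noexec and "--no-pager" not in argv:
                findings.append((rule.group("who"), cmd))
    return findings

if __name__ == "__main__":
    for who, cmd in audit_sudoers(SAMPLE):
        print(f"{who}: '{cmd}' may open a pager as the target user; "
              "add --no-pager to the rule or tag it NOEXEC")
```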