OSCP PREPARATIONS – HTB Traverxec

Traverxec is a retired Hack The Box machine running Linux. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
To identify the target machine, we first run a network scan with nmap.


We are doing a classic scan

Full port scan

The port scan shows two open ports: “22/tcp ssh OpenSSH” and “80/tcp http nostromo 1.9.6”.
Since the HTTP service is open, let’s enumerate it through the browser.

It is a dynamic site with a simple interface, but the page source, the browser developer tools and a web analyzer reveal nothing significant. We will run a directory scan with gobuster and dirbuster.

The directory scan found /css, /icons, /img, /index.html and /lib, but nothing useful.
We then researched exploits for this version of the web server.

There are public exploits for our server version.
Let’s download this exploit to our machine.

We run it straight away following the usage pattern it documents.

We got a shell.
Since the www-data user has restricted privileges, we enumerate the host. LinEnum turned up a password hash.

Let’s crack this hash with Hashcat.

Cracking david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/ gives the password “Nowonly4me”.
With this password alone we could neither log in over SSH nor switch user, so we continue enumerating.
We find the file backup-ssh-identity-files.tgz which, as its name suggests, contains SSH keys.

We transfer it to our machine with nc.

We extract the archive with tar.

Under the home directory

we find the id_rsa file.
We will try to connect over SSH using this key.

The key asked for a passphrase when connecting, so let’s crack it with john.

The passphrase is hunter; let’s try to connect again.
As shown, we got an SSH connection and our user flag.

We get a permission denied error when trying to reach root, so we enumerate again for privilege escalation.

Here server-stats.sh catches our attention, so we go to that directory straight away.

We checked GTFOBins for what a sudo entry on /usr/bin/journalctl allows.

Typing the command shown in that section gives us root privileges.
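From the defender’s side, the root step above comes down to one sudoers rule: sudo rights on journalctl without --no-pager, so the pager gets the root session. The script below is an added example, not part of this write-up; it audits sudoers text for that pattern and proposes the fixed rule. The sudoers content is constructed (the real line on the box is not quoted on this page), and the systemctl entry in the binary set is an assumption.

```python
import re
import shlex

# Binaries that hand the terminal to a pager once output scrolls; journalctl is the
# one on this box. systemctl is an assumption added for completeness ("status" pages too).
PAGER_SPAWNING = {"journalctl", "systemctl"}

def parse_entry(line):
    """Split one user-spec line into (user, tags, [command strings])."""
    left, _, right = line.partition("=")
    user = left.split()[0]
    right = re.sub(r"^\s*\([^)]*\)", "", right)      # drop the (runas) part
    tags = []
    while (m := re.match(r"\s*([A-Z]+):", right)):   # NOPASSWD:, SETENV:, ...
        tags.append(m.group(1))
        right = right[m.end():]
    return user, tags, [c.strip() for c in right.split(",") if c.strip()]

def audit_sudoers(text):
    """Return (user, command, fixed_command) for every rule that can spawn a pager."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # only user specs are audited: skip blanks, Defaults and *_Alias lines
        if not line or line.startswith("Defaults") or "_Alias" in line or "=" not in line:
            continue
        user, tags, cmds = parse_entry(line)
        for cmd in cmds:
            if cmd == "ALL":
                continue
            argv = shlex.split(cmd)
            name = argv[0].rsplit("/", 1)[-1]
            if name in PAGER_SPAWNING and "--no-pager" not in argv:
                fixed = " ".join([argv[0], "--no-pager", *argv[1:]])
                findings.append((user, cmd, fixed))
    return findings

# Constructed sample sudoers content; the real rule on the box is not quoted on this page.
SAMPLE = """\
Defaults env_reset
root  ALL=(ALL:ALL) ALL
david ALL=(ALL) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
ops   ALL=(root) /usr/bin/journalctl --no-pager -u nginx, /bin/ls /var/log
"""

if __name__ == "__main__":
    for user, cmd, fixed in audit_sudoers(SAMPLE):
        print(f"{user}: '{cmd}' spawns a pager under sudo -> use '{fixed}'")
```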