Passage from HackTheBox is a medium, fun but straightforward machine. It starts with two open ports, SSH on 22 and HTTP on 80. We find CuteNews (a free, powerful and easy-to-use news management system that uses flat files for storage, with quick installation and a search function); it has an upload vulnerability that gives us a shell on the box. From there we hunt for credentials for the user paul, who shares a private SSH key with the user nadav. Finally we find a vulnerable version of the program USBCreator installed, which we use for privilege escalation to root.
Nmap full TCP scan shows us two open ports: 80 for HTTP and 22 for SSH.
[image: nmap full tcp scan]
We run an nmap targeted scan with the default scripts flag -sC and the version enumeration flag -sV against ports 22 and 80; from the Apache version we can guess this is Ubuntu Xenial.
[image: nmap targeted scan]
We check port 80 and find what looks like blog posts titled Passage News.
[image: checking port 80]
Looking at the source code of the page reveals an e-mail address, firstname.lastname@example.org.
[image: source code of the page at port 80]
Clicking on CuteNews/rss.php takes us to another page whose source tells us that the IP address of this machine is associated with the domain http://passage.htb.
We add passage.htb to /etc/hosts.
Registering a user
Checking the website further takes us to http://passage.htb/CuteNews, which is the login/registration system for CuteNews.
Note: the version of CuteNews is revealed to be 2.1.2.
Let’s register a user to see what we get.
[image: registering a user]
After registering, it logs us in to the dashboard.
Uploading a shell (manual)
By clicking on personal options we are taken to our profile info. It looks normal, but what if we try to upload a PHP file instead of a picture in the avatar option? (Upload options are usually vulnerable.)
[image: personal options of the user]
We create and upload a simple PHP file, p-shell.php, to get command execution on the server.
[image: uploading php file]
Looks like the PHP file was uploaded successfully.
[image: php file uploaded successfully]
To know where our PHP file was uploaded we right-click on the avatar and copy the image location.
[image: copy image location]
We try to execute whoami and we get a response back!
[image: whoami command executed]
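The avatar upload accepted a .php file because the application trusted what the client sent. As an added example (not code from CuteNews or from this writeup), here is the kind of server-side check that would have stopped it: the extension must be on an allowlist, the file bytes must carry the signature of the declared image type, and the stored filename is generated by the server rather than taken from the request. The allowlist, size limit and sample bytes are constructed for this example.

```python
import secrets
from pathlib import PurePosixPath

# Avatar types we accept, with the file signatures each must start with.
# (Constructed allowlist for this example; tune to what the site really needs.)
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_AVATAR_BYTES = 512 * 1024


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log, not to echo to the user."""


def validate_avatar(client_name: str, data: bytes) -> str:
    """Validate an avatar upload and return a random server-side filename.

    The client-supplied name is used only to read the declared extension;
    the stored name is generated here, so nothing the user typed reaches disk.
    """
    if not data or len(data) > MAX_AVATAR_BYTES:
        raise UploadRejected("empty or oversized upload")

    # Keep only the basename so '../' or 'C:\\' prefixes cannot steer the path.
    name = PurePosixPath(client_name.replace("\\", "/")).name
    parts = name.lower().split(".")
    # Exactly one dot: rejects 'p-shell.php', 'x.php.png', 'x.png.php' and bare names.
    if len(parts) != 2 or not parts[0] or parts[1] not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {name!r}")
    ext = parts[1]

    # The bytes must carry the signature of the declared type; a PHP script
    # renamed to .png fails here even if the extension check were looser.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared image type")

    # Defence in depth (heuristic): a genuine image never needs a PHP open tag inside it.
    if b"<?php" in data:
        raise UploadRejected("PHP tag found inside image data")

    canonical = "jpg" if ext == "jpeg" else ext
    return f"{secrets.token_hex(16)}.{canonical}"


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header, and a PHP file named like the one in the writeup.
    good = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    print("stored as", validate_avatar("me.png", good))
    for bad_name, bad_data in [("p-shell.php", b"<?php echo 'x'; ?>"),
                               ("me.php.png", good),
                               ("me.png", b"<?php echo 'x'; ?>")]:
        try:
            validate_avatar(bad_name, bad_data)
        except UploadRejected as exc:
            print("rejected", bad_name, "->", exc)
```

Validation alone is only half of the fix: the directory that holds uploaded avatars should also be served with script execution disabled at the web server, so that even a file that slips through is returned as static bytes rather than run as PHP.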
User shell (automated)
That was the manual method, but someone created a script on exploit-db that exploits CuteNews 2.1.2 automatically.
[image: automatic exploit script]
We execute the script with Python 3 and give it the IP address or domain name of the website; it drops a shell for us automatically and, interestingly, it also dumps the users' hashes for cracking.
[image: shell with automatic script]
We continue our recon after obtaining a shell and find interesting PHP files in /var/www/html/CuteNews/cdata/users that contain base64-encoded hashes for users.
[image: interesting php files]
After inspecting all the PHP files we hit the jackpot with b0.php.
We decode the base64 encoding to find a hash for the user paul.
[image: decode base64 encoding]
We try to crack that hash online at https://crackstation.net/ and get the password: atlanta1
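An online service can only return a password that fast because the stored value was a fast, unsalted digest that can be precomputed once for a whole word list. The writeup does not say which algorithm CuteNews used, so the unsalted SHA-256 below is an assumption made for illustration. This added example (not from the writeup or from CuteNews) shows the precomputed lookup succeeding against an unsalted digest, and the storage format a developer should use instead: a per-user random salt with a memory-hard KDF, which makes a precomputed table useless. The word list is constructed.

```python
import hashlib
import hmac
import os

# Constructed mini word list standing in for the huge ones behind online lookup services.
WORDLIST = ["password", "123456", "atlanta1", "letmein"]


def unsalted_sha256(password: str) -> str:
    """A fast, unsalted digest: assumed here for illustration, not confirmed as what CuteNews stored."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute digest -> word once; any unsalted hash of a listed word is then a dictionary lookup."""
    return {unsalted_sha256(w): w for w in words}


def reverse_unsalted(hexdigest: str, table: dict):
    """Return the word behind an unsalted digest if it is in the table, else None."""
    return table.get(hexdigest)


def store_password(password: str, salt: bytes = None) -> str:
    """Per-user random salt plus scrypt: a table built for one user is worthless for any other."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, dk_hex = stored.split("$")
    if algo != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2 ** 14, r=8, p=1, dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted lookup ->", reverse_unsalted(unsalted_sha256("atlanta1"), table))
    record = store_password("atlanta1")
    print("salted record ->", record)
    print("verify ->", verify_password("atlanta1", record))
```

Two calls to store_password with the same password produce different records because each draws a fresh salt, which is exactly the property that defeats a shared lookup table; the cost parameters (n, r, p) also make each guess far slower than a SHA-256 call.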
Su as paul
We su as paul and we get in.
[image: su as paul]
After a little investigation of paul's home directory we find a .ssh directory with a private key in it. How about we try it? Maybe paul shared the key to log in as nadav.
[image: finding .ssh directory]
Login as nadav
Trying the private key to log in as nadav.
[image: login as nadav]
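The lateral move works because the same public key is trusted by more than one account, so compromising one home directory hands over the other. An administrator can catch that before an attacker does by fingerprinting every authorized_keys entry on the host and flagging keys that appear under more than one user. The script below is an added example, not part of the writeup; the key blobs and the authorized_keys contents are constructed (they follow the OpenSSH wire format but are not real keys), and the paul/nadav layout just mirrors the situation on this box.

```python
import base64
import hashlib
import struct
from pathlib import Path

# Key-type tokens that may start an authorized_keys entry (after optional options).
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def parse_authorized_keys(text: str):
    """Yield (key_type, key_blob) for each usable line of an authorized_keys file.

    Comment and blank lines are skipped; an options prefix such as
    from="10.0.0.0/8" or command="..." is tolerated by scanning forward
    for the first key-type token that is followed by a base64 blob.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok in KEY_TYPES:
                try:
                    yield tok, base64.b64decode(tokens[i + 1], validate=True)
                except ValueError:
                    pass  # malformed blob: skip the line rather than crash the audit
                break


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a public-key blob (the form ssh-keygen -lf prints)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(keys_by_user: dict) -> dict:
    """Map each fingerprint trusted by more than one account to the sorted list of those accounts."""
    owners = {}
    for user, text in keys_by_user.items():
        for _, blob in parse_authorized_keys(text):
            owners.setdefault(fingerprint(blob), set()).add(user)
    return {fp: sorted(users) for fp, users in owners.items() if len(users) > 1}


def load_home_dirs(home_root: str = "/home") -> dict:
    """Collect authorized_keys text per account under home_root (run as root for a complete view)."""
    result = {}
    for ak in Path(home_root).glob("*/.ssh/authorized_keys"):
        try:
            result[ak.parent.parent.name] = ak.read_text()
        except OSError:
            pass
    return result


def _ed25519_blob(raw32: bytes) -> str:
    """Encode 32 bytes as an OpenSSH public-key blob (string type, string key). Constructed data, not a real key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(s(b"ssh-ed25519") + s(raw32)).decode()


KEY_A = _ed25519_blob(b"\x01" * 32)  # constructed: stands in for paul's key
KEY_B = _ed25519_blob(b"\x02" * 32)  # constructed: a key only nadav holds

# Constructed authorized_keys contents modelled on the writeup: paul's key is trusted by nadav too.
SAMPLE_KEYS = {
    "paul": f"ssh-ed25519 {KEY_A} paul@passage\n",
    "nadav": (
        "# keys accepted for nadav\n"
        f"ssh-ed25519 {KEY_A} paul@passage\n"
        f'from="10.0.0.0/8" ssh-ed25519 {KEY_B} nadav@laptop\n'
    ),
    "root": "",
}

if __name__ == "__main__":
    for fp, users in find_shared_keys(SAMPLE_KEYS).items():
        print(f"{fp} authorises {', '.join(users)}")
```

On a real host, replace SAMPLE_KEYS with load_home_dirs() (and add /root/.ssh if you want the root account covered); any fingerprint reported for two accounts is a path from one compromised user to another and should be replaced with a separate key per account.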
Now let’s use linpeas.sh to try to find a way to escalate to root.
Interestingly enough, linpeas.sh found a vulnerable version of USBCreator installed on the system.
[image: a vulnerable version of USBCreator]
With a little Google search we find an article that explains the vulnerability and how to exploit it.
[image: article of the vulnerability]
After replicating the steps in the article we can obtain the private key of the root user and use it to log in.
Thank you for reading, and I hope this article was enjoyable and helpful.