HackTheBox Passage

Table of Contents

Passage from HackTheBox is medium, fun but straightforward machine, it starts with two open ports SSH on 22 and HTTP on 80, we find CuteNews (which is a free, powerful and easy-to-use news management system based on flat files as a storage with quick installation, search function) it has an upload vulnerability that gives us a shell on the box and from there we hunt for some credentials for user paul who shares private ssh key with the user nadav, finaly we find vulnerable version of the program USBCreator installed that we use it for privilege escalation to root

Recon #

Nmap #

Nmap full TCP scan shows us two open ports 80 for HTTP and 22 for SSH.

We run nmap targeted scan with default scripts flag -sC and version enummiration flag -sV against port 22,80, from apache version we can guess this is ubuntu Xenial.

Port 80 #

We check port 80 and we find what looks like blog posts titled Passage News.

Looking at the source code of the page reveals an e-mail address nadav@passage.htb

Clicking on CuteNews/rss.php takes us to another page source that tells us that ip address of this machine is associated with domain http//passage.htb.

Adding passage.htb to /etc/hosts.

Registering a user #

Checking website more took us to http://passage.htb/CuteNews which is a login/registration system for CuteNews. Note: the version of CuteNews is revealed to be 2.1.2.

Let’s register a user to see what we get.

After registering it logs us to dashboard.

User shell #

Uploading a shell (manual) #

By clicking on personal options we are taken to our profile infos, looks normal but what if we try to upload php file instead of picture in avatar option? (uploads options usually vulnerable).

We create and uplaod a simple php file p-shell.php to get command execution on the server.

Looks like the php file was uploaded successfully.

To know where our php file was uploaded we right click on avatar option and copy image location

We try to execute whoami and we get a response back!

User shell (automated) #

That was the manual method but someone created a script to exploit CuteNews 2.1.2 automaticly on exploit-db.

We execute the script with python (version 3) and give it ip address of our website or domain name and it drops a shell automaticly for us and interesting note is it droped hashes to crack for users as well.

We continue our recon after obtaining a shell to find interesting php files in /var/www/html/CuteNews/cdata/users that contain base64 encoded hashes for users.

Finding hashes #

After inspecting all php files we hit jackpot with b0.php.

We decode the base64 encoding to find a hash for the user paul.

We try to crack that hash online https://crackstation.net/ and we get password:atlanta1.

Su as paul #

We su as paul and we get in.

After a little investigating the home directory of paul we find .ssh directory it has private key, how about we try it maybe paul and nadav shared the key to login as nadav.

Login as nadav #

Trying the private key to login as nadav.

Root shell #

Now let’s use linpeas.sh to try to find a way to escalate to root.

Interestingly enough linpeas.sh found a vulnerable version of USBCreator installed on the system.

With a little google search we find an article that explains the vulnerability and how to exploit it.

After replicating the steps in the article we can obtain private key of the root user and use it to login.

Thank you for reading, and I hope this article was enjoyable and helpful.