Passage — HackTheBox

This is a practical walkthrough of the “Passage” machine from HackTheBox. The machine is rated medium difficulty and is worth 30 base points. Credit goes to ChefByzen for making this machine available to us.

This walkthrough will be explanatory, because I learned a lot of new things from this machine. So, don’t mind my blabbering.

Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.

Enumeration

We will kick off this machine by enumerating it with nmap.

[Screenshot: nmap scan]

Two ports are open, SSH and HTTP. Let’s visit the homepage.

[Screenshots: homepage; fail2ban message]

There’s a message that the admin has implemented “fail2ban”: it bans us for two minutes if we make more requests than needed. So, we can’t run any automated or brute-force tools against the target.

Do not forget to add passage.htb to the /etc/hosts file. The homepage source revealed that the site uses the “CuteNews” news management system. Its official page confirms that it was last updated in 2018.

[Screenshot: CuteNews official page]

The version is 2.1.2, and this version has a known vulnerability: an attacker can get code onto the server through the avatar upload in the profile area. For this to work, we need to register and log in.

[Screenshot: registration form]

From the browse section we can upload a PHP file containing our one-liner. But first we need to create that PHP file.

[Screenshot: creating the PHP file]

The PHP file starts with GIF magic bytes so that the server believes the file is a GIF rather than anything malicious.

[Screenshot: file command output]

As you can see, the file is identified as a GIF. Let’s upload it and intercept the request in Burp Suite.

[Screenshots: uploading the PHP file; file location in the response]

As you can see, our PHP file is uploaded to a location on the server and stored under a different name. To execute it, we need to visit the link shown above.

[Screenshot: executing the uploaded file]

We got the GIF bytes back as the result. Now let’s try passing a command through the cmd parameter.
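From the defender’s side, the upload step above shows why checking magic bytes (what `file` did when it called our upload a GIF) is not a sufficient upload validator. The following Python is an added example, not code from the post or from CuteNews: it builds a constructed polyglot of the kind described above (GIF header followed by a harmless PHP echo), shows that a magic-bytes-only check accepts it, and contrasts that with a stricter content check plus an extension allowlist applied independently of content. The function names and the minimal GIF structure check are my own assumptions, not CuteNews code.

```python
# Added example (not from the post): magic-bytes-only validation vs. a stricter check.
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")

# Constructed sample of the polyglot the post describes: GIF header followed by
# PHP source. The PHP body here is deliberately harmless.
POLYGLOT = b"GIF89a" + b"<?php echo 'not an image'; ?>"

# Constructed minimal real GIF: 6-byte header, 7-byte logical screen descriptor
# for a 1x1 image with no global colour table, then the 0x3B trailer.
REAL_GIF = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x00, 0, 0) + b"\x3b"

# Extensions that must never be served from an upload directory, wherever they
# appear in the name (x.php.gif can still be executed under some Apache setups).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
IMAGE_EXTS = {"gif", "png", "jpg", "jpeg"}


def naive_is_gif(data: bytes) -> bool:
    """Check only the magic bytes, as `file` and many upload handlers do."""
    return data.startswith(GIF_MAGICS)


def strict_is_gif(data: bytes) -> bool:
    """Require GIF structure and refuse anything carrying script tags."""
    if not data.startswith(GIF_MAGICS):
        return False
    # Header (6) + logical screen descriptor (7) is the minimum; a GIF ends with 0x3B.
    if len(data) < 13 or data[-1:] != b"\x3b":
        return False
    lowered = data.lower()
    # Script tags inside an "image" are a strong signal of a polyglot upload.
    if b"<?php" in lowered or b"<?=" in lowered or b"<script" in lowered:
        return False
    return True


def allowed_extension(filename: str) -> bool:
    """Allowlist the final extension and reject executable extensions anywhere."""
    segments = filename.lower().split(".")
    if len(segments) < 2:
        return False
    if any(seg in EXECUTABLE_EXTS for seg in segments[1:]):
        return False
    return segments[-1] in IMAGE_EXTS


def accept_upload(filename: str, data: bytes) -> bool:
    """Both checks must pass; content and name are validated independently."""
    return allowed_extension(filename) and strict_is_gif(data)


if __name__ == "__main__":
    print("naive check on polyglot:", naive_is_gif(POLYGLOT))
    print("strict check on polyglot:", strict_is_gif(POLYGLOT))
    print("accept avatar.php with polyglot body:", accept_upload("avatar.php", POLYGLOT))
    print("accept avatar.gif with real GIF body:", accept_upload("avatar.gif", REAL_GIF))
```

The second line of defence that no validator replaces is the server configuration: an upload directory should not be allowed to execute PHP at all, so that even a file that slips through the checks is served as bytes rather than run.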

[Screenshots: whoami; uname -a]

It’s working as expected. Now let’s run a Python one-liner to get a reverse shell. You can get it from here. Set up a netcat listener on Kali and URL-encode the one-liner in Burp Suite.

[Screenshot: URL-encoding the one-liner in Burp Suite]

Execute it and you’ll get a reverse shell.

[Screenshot: reverse shell]

Aight, *Hacker Voice* we are in. If we check the home directory, we’ll see two users.

[Screenshot: home directory listing]

One of them has user.txt and the other will help us get a root shell. Neither directory is accessible to our current user (www-data). Let’s run LinPEAS to gather any possible privesc information.

Note: Even though you have a shell, the target will still ban you for using excessive resources, so the shell gets stuck from time to time.

[Screenshots: LinPEAS output showing USB Creator; config file found]

We got a couple of things to look at for PrivEsc. First, let’s look into the config file.

[Screenshot: config file contents]

As you can see, it’s empty. Let’s look into the cdata directory for any information.

[Screenshot: cdata directory contents]

This directory has a lot of files, but among them there’s a directory named “users”. If we list its contents, we see a lot of PHP files, some of whose names are base64 strings.

[Screenshot: users directory listing]

If we read the lines file, we get the information from all the .php files collected in one place.

[Screenshot: lines file content]

Most of the content is base64-encoded. If we decode the entry below, we get some juicy information.

[Screenshots: base64-encoded entry; decoded information]

As you can see, this is the “paul” user’s record, and it contains that user’s password hash. Let’s identify the hashing algorithm and crack it accordingly.

[Screenshots: hash type identification; hashcat hash mode; hashcat command; cracked result]

We got the password for user “paul”. Let’s log in and get our user flag.

[Screenshots: login as paul; user flag]

If we check the current user’s home directory, there are no messages or hints, this user can’t run sudo, and LinPEAS doesn’t turn up much either. But in the .ssh directory, I found something interesting.

[Screenshot: SSH public key]

It seems both paul and nadav are using the same SSH key pair. Let’s SSH in as the “nadav” user.
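The lateral move here works only because one key pair is trusted by two accounts. A defender can catch that pattern by fingerprinting every authorized_keys entry and reporting any fingerprint accepted by more than one user. The Python below is an added example, not from the post or from any tool the post uses: it computes SHA256 fingerprints the way `ssh-keygen -lf` does (base64 of the SHA-256 of the decoded key blob, padding stripped) and groups users by fingerprint. The key lines are constructed dummy ed25519 blobs, and the user names merely mirror the box; nothing here is real key material.

```python
# Added example (not from the post): find SSH public keys shared across users.
import base64
import hashlib
from collections import defaultdict


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (SHA256:<base64>)."""
    parts = pubkey_line.split()
    # authorized_keys lines may start with options; locate the key-type token.
    for i, tok in enumerate(parts):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(parts[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key found in line")


def shared_keys(authorized_keys_by_user: dict) -> dict:
    """Map each fingerprint trusted by more than one user to the sorted user list."""
    users_for = defaultdict(set)
    for user, content in authorized_keys_by_user.items():
        for line in content.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            users_for[fingerprint(line)].add(user)
    return {fp: sorted(users) for fp, users in users_for.items() if len(users) > 1}


def _fake_ed25519(seed: int) -> str:
    """Constructed wire-format ed25519 blob with dummy key bytes (not a real key)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed sample: the same key is trusted by paul and nadav, root has its own.
KEY_SHARED = _fake_ed25519(1)
KEY_ROOT_ONLY = _fake_ed25519(2)
SAMPLE = {
    "paul": KEY_SHARED + " paul@passage\n",
    "nadav": "# nadav's keys\n" + KEY_SHARED + " nadav@passage\n",
    "root": KEY_ROOT_ONLY + " root@passage\n",
}


if __name__ == "__main__":
    for fp, users in shared_keys(SAMPLE).items():
        print(f"{fp} is accepted by: {', '.join(users)}")
```

On a real host the SAMPLE dictionary would be filled by reading each user’s ~/.ssh/authorized_keys; the same grouping also flags a private key whose matching public key turns up in another account’s authorized_keys, which is exactly what happened on this box.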

[Screenshot: shell as nadav]

We are a more privileged user now. We have a user shell, but we don’t know the password, so we can’t run sudo. After running LinPEAS, I got this.

[Screenshot: LinPEAS output showing USB Creator]

If we follow the link, we end up at this blog post.

TL;DR
A vulnerability in the USBCreator D-Bus interface allows an attacker with access to a user in the sudoer group to bypass the password security policy imposed by the sudo program. The vulnerability allows an attacker to overwrite arbitrary files with arbitrary content, as root — without supplying a password. This trivially leads to elevated privileges, for instance, by overwriting the shadow file and setting a password for root.

So, we can either copy root.txt into our current user’s home directory or copy root’s SSH private key.

[Screenshot: copying the SSH key]

Log in as root using the SSH private key and read the flag.

[Screenshot: root flag]

We got all the flags required to complete this machine.

Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.

Reference

https://musyokaian.medium.com/cutenews-2-1-2-remote-code-execution-vulnerability-450f29673194
https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation
https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/
