HackTheBox: (“Passage”) — Walkthrough

Hi People :D

Today we’ll solve “Passage” machine from HackTheBox, let’s get started

Enumeration

— — — — — —

Start with Nmap

We have two open ports (22/80) so let’s see the website on port 80

Web Enumeration

— — — — — — — —

After going to the website, you will see something like news articles

The next step is to run any directory brute-force tool, but when you run any fuzzing tool you will be banned from the website. I didn’t know why until I had read the first article. Which it is mentioned that the website has implemented Fail2Ban protection, it’s an Intrusion detection system (IDS) framework that protects computer servers from brute-force attacks

So we must dig deeper into the main page to find any useful information, scroll down a bit and you will find that the website powered by CuteNews

If you don’t know what CuteNews is, it’s an open-source news management system with some security features.

That’s all we found on the website, now let’s search for any public exploit

The Fifth link is an explanation for 'avatar' RCE vulnerability and the writer of this article made a script to exploit this vulnerability automatically ( First Link ), I’ll explain exploiting this vulnerability manually and then automatically

Exploitation

— — — — — —

[*] Manual exploitation :

As mentioned in our reference, this exploit only works on CuteNews 2.1.2 version so we must find CuteNews Directory exist to know the version .. and it is :D

Nice, it is the correct version, let’s continue with our exploitation process, first create an account then the website will automatically redirect you to the index page

Click on Personal options, you will be redirected to the account options

from here we can upload an account avatar but first we need to create a PHP script that executes a system command. This simple script can do the job

Note that only the second line is our code, but this service is only accepted for uploading images and it validates the magic bytes of the uploaded file. ( If you don’t know what the magic bytes are, simply they’re the first bits of a file which uniquely identify the type of file, you can find a list of almost all of the magic bytes for the different extensions here )

If you try to upload the code file without any image magic bytes, the website will not upload it because it is not an image, to bypass this filter, we need to add any image magic bytes at the beginning of the file, that’s why I added GIF8 ( followed by a semicolon to end the line )

As you can see in the upper image, when we run file command it tells us that the file is a GIF image

Now we successfully made a script so let’s upload it

We uploaded our payload, next go to the uploads directory, you will find the uploaded file in this format : avatar_{User_Name}_{filename.php}

We need to pass cmd parameter followed by our command, I tested the script with whoami command and it worked ☺

The last step is to get a shell, simply set Netcat listener with nc -lvp 4444 command then pass a Netcat reverse shell payload to cmd parameter, I used this payload :

We got a www-data shell with manual exploitation

[*] Automated exploitation :

Download this script and give it execution permission then pass the machine link to it

As simple as that, we got a www-data shell with only one step.

Note that with this script we found SHA-256 Hashed passwords ( we’ll use this later )

User Flag

— — — — —

If you used the manual exploit, Make some improvements to your shell with :

then do ls -la command to show files, you’ll find users directory inside cdata directory, the full path is /var/www/html/CuteNews/cdata/users, in this directory, there are some PHP files with base64 encoded strings, I checked these files manually and found some files with big data size so I decided to decode the first file with big encoded string ( 7a file )

After decoding this data with this website, I found some PHP serialized object data and there is a pass with some encrypted data again

Use CrackStation to crack this encrypted string but unfortunately, CrackStation failed to crack it ☹.

So, I went back to the files search process to find another encoded data.

Finally, I found the data that I was looking for in b0 file

Decrypt this data, we found another encrypted password

Stop here for a moment, do you remember the users SHA-256 hashed data that we found in the results of the automated script? It’s the same hashed data that we found in these files !

Now try to crack this hash with CrackStation again and this time the website successfully crack our hash and the password is atlanta1 ☺

Try this password with paul user, we successfully switch to it

You’ll find user.txt in the home directory, read it and you got a user flag

So you can get user flag with two steps only :

  1. Run automated script
  2. Try to crack the hashes from script results, you’ll find paul password, use it to switch to paul then read user.txt

Root Flag

— — — — —

When you do ls -la command in paul directory, you’ll find .ssh directory that contains SSH private key for nadav user

Just copy this private key into text file then change the permissions of this file with chmod 600 your_filename to be able to use it for SSH connection

Nice, we SSHed nadav :D
There is a file named .viminfo, in this file it is mentioned that the system uses ubuntu USBCreator

So i searched for privilege escalation exploit for USBCreator and I found this article

As the exploitation says, we can overwrite any file as root with the command in the upper image
So, let’s make a SSH key and overwrite the root SSH key with our key to connect via SSH as root, you can create a SSH key with this command :

Copy this key and paste it in nadav authorized_keys with this command :

Then run exploit command to overwrite root SSH key with our key

Connect with SSH :

ssh root@10.10.10.206

We successfully SSHed root and got root flag ☺

Thanks for your reading and I hope this writeup was useful ❤

--

--

GameDev | Pentester | Bug Hunter | Security Researcher | IoT Sec | Digital Forensics Investigator | CTF player

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Mohamed Elmasry

GameDev | Pentester | Bug Hunter | Security Researcher | IoT Sec | Digital Forensics Investigator | CTF player