Hack the Box: Passage
Nice, a nod to Gandalf is always appreciated.
Here is the initial nmap scan:
Navigating to the webpage brings up this, which just looks like a generic news feed:
Most of the posts are that vaguely Latin-ish language that they prefill templates with. Out of curiosity, I translated a couple:
Because of this Fail2Ban thing, I was unable to run gobuster efficiently:
I did test it out though:
Yes, a failure.
After looking around a bit, you will notice that there is a little stamp at the bottom of the webpage that says the blog is powered by CuteNews:
If you search “CuteNews vulnerability”, you will find that there are a few:
That first blog post is actually from the guy that wrote the Remote Code Execution exploit, so that’s a great resource. In order to get started, he shows that you need to navigate to the /CuteNews/ directory.
When you arrive there, you will see a login screen that confirms we are dealing with the correct version to exploit, CuteNews 2.1.2:
The exploit involves sending malicious code to the server, masquerading as an avatar photo upload. CuteNews will not check the size of this upload, so you can upload large files. Additionally, it only checks the first magic bytes of the file upload, not the actual file extension.
For this exploit you don’t need to register, because everything has been automated. You just need to copy and paste that code into a text file and run it:
Hit enter and you it will be able to grab a shell quite easily:
You will notice that it also gives you some password hashes. I quickly threw them in CrackStation, which returned two of the five:
It looks like there are two users, Nadav and Paul:
I did try to use SSH with those credentials at this point, because I was getting annoyed by the limitations of this shell, which was very unstable. It did not work:
From here I decided to go back and use another exploit I found (HERE), so I could get a more stable connection, and also so I would not feel like I was cheating with the simple script above, lol.
Go back to that login page you found and register for an account. Once you’re in, you will see this:
Click on your personal options to get to the spot that you can upload an avatar.
Now you will need a reverse php shell. I just grabbed a basic one from PentestMonkey to use. Copy/paste that entire thing as a new file on your desktop, then save it as something like “reverse_shell.php”.
Ensure you make the necessary changes (add your IP where it says //CHANGE THIS):
Add “GIF8;” at the very top so the upload form is tricked:
Double-check it worked:
Set up a netcat listener in a new terminal instance to receive the reverse shell:
Now, upload that .php file as your avatar:
Next, right-click on the avatar thumbnail and select “Copy Image Location”:
Paste it into a new window in your browser, and change “passage.htb” to the Passage Box IP. Press enter.
Head back over to netcat to get your reverse shell!
Upgrade your shell:
python -c ‘import pty; pty.spawn(“/bin/bash”)’
From here, use the password we cracked earlier to get into Paul’s account and retrieve the user flag.
Turns out the other password we found was not for Nadav:
But from here, you can actually SSH into Nadav’s account from Paul’s.
After looking around for quite a bit, I noticed this here:
It turns out, you can use this for privilege escalation:
THIS link will tell you exactly how to take advantage of it.
First, head to /tmp and make a new directory there:
I just called it “test”, but you can call it whatever.
Now, use this really long command to get the RSA Key from root and transfer it into your new folder.
gdbus call — system — dest com.ubuntu.USBCreator — object-path /com/ubuntu/USBCreator — method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/test/id_rsa
Here it is:
After you get this you can SSH over to root, just like we did with Nadav earlier:
Happy Hacking! ❤