
Passage Writeup

Reconnaissance

Let's start off with an Nmap scan.


Browsing to http://10.10.10.206 we get a page with a bunch of posts, users and email addresses.


I tried a bunch of XSS and LFI payloads but none worked. We cannot use any Gobuster / wfuzz enumeration as fail2ban will block us after a few seconds, so we have to do this manually.
I checked the RSS feed and it reveals a new folder, /CuteNews.


I then go to the CuteNews page.


Let's register a user and then login.


Browsing around didn't give me much to play with, so I checked the version of CuteNews and ran it through searchsploit to see if there is an exploit for the current version.


Exploitation and gaining access

We find 4 exploits we can use.
I opted for the Metasploit one because I was lazy. OffSec will not be pleased ;)
We need the .rb file as Metasploit doesn't have the module in its database.
So we are going to download the file via searchsploit, copy it into Metasploit's modules folder so we can use it, and then load the module into Metasploit.


We then have to configure the options.
Set RHOSTS, LHOST (your tun0 IP address) and also set the username and password to the account we registered above.


Then we run the exploit and we should see a Meterpreter shell!


We run sysinfo to make sure we are on the machine and we also check to see what user we are.


We need to get a proper shell.
After enumerating for quite a while I managed to find the following interesting file.


We need to get the hashes and then base64 decode them, but first let's prepare a faster way of doing it instead of decoding each line manually. The one-liner below turns every base64 line (they all start with YT, which is how base64 encodes a line beginning with a:) into an echo ... | base64 -d command, so running the resulting file as a shell script decodes them all in one go.
cat lines | grep YT | sed 's/^/echo "/; s/$/" | base64 -d/' > lines.hashed


I manually added the hashes to a file.


We run one of the hashes through hash-identifier to see what hash it is.


Looks to be a SHA-256 hash.
Now we run hashcat.
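The decode-and-identify steps above can be done in one script rather than a shell one-liner plus hash-identifier. The following is an added example, not code from the original writeup: it base64-decodes each line, skipping junk lines instead of failing halfway, pulls the pass and email fields out of each decoded record with a regex, and classifies the hash by prefix and hex length the way hash-identifier does. The sample lines are constructed here, in the style of a PHP-serialized array (an assumption about the file format), and the hash in them is the SHA-256 of a made-up password, not a hash from the box.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample standing in for the "lines" file: each entry is a base64-encoded
# record in the style of a PHP-serialized array (an assumption about the file format),
# plus one line of junk to show that non-base64 input is skipped. The hash is the
# SHA-256 of a constructed password, not a hash from the box.
DEMO_HASH = hashlib.sha256(b"constructed-demo-password").hexdigest()
SAMPLE_LINES = [
    base64.b64encode(
        b'a:1:{s:5:"email";a:1:{s:16:"paul@passage.htb";s:10:"paul-coles";}}'
    ).decode(),
    base64.b64encode(
        ('a:1:{s:4:"name";a:1:{s:10:"paul-coles";a:3:{s:4:"pass";s:64:"%s";'
         's:5:"email";s:16:"paul@passage.htb";s:4:"nick";s:4:"Paul";}}}' % DEMO_HASH).encode()
    ).decode(),
    "this line is not base64 at all!!",
]


def decode_lines(lines):
    """Base64-decode every line that is valid base64; skip the rest.

    Equivalent of the echo ... | base64 -d script, but a malformed line
    does not abort the whole run.
    """
    decoded = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            raw = base64.b64decode(line, validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64: junk, a comment, or a truncated record
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def identify_hash(value):
    """Rough equivalent of hash-identifier: classify by prefix, then by hex length.

    Bare hex digests are unsalted fast hashes and fall to a wordlist quickly;
    the $-prefixed schemes are salted and deliberately slow.
    """
    if value.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if value.startswith("$6$"):
        return "sha512crypt"
    if value.startswith("$5$"):
        return "sha256crypt"
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}.get(
            len(value), "unknown hex digest"
        )
    return "unknown"


# Field patterns for the serialized records (assumed layout: s:<len>:"<value>").
PASS_RE = re.compile(r's:4:"pass";s:\d+:"([^"]+)"')
EMAIL_RE = re.compile(r's:5:"email";s:\d+:"([^"]+)"')


def extract_credentials(lines):
    """Return {email: (hash, algorithm guess)} for every record carrying a pass field."""
    found = {}
    for record in decode_lines(lines):
        pw = PASS_RE.search(record)
        email = EMAIL_RE.search(record)
        if pw and email:
            found[email.group(1)] = (pw.group(1), identify_hash(pw.group(1)))
    return found


if __name__ == "__main__":
    for email, (digest, algo) in extract_credentials(SAMPLE_LINES).items():
        print(f"{email}: {algo} {digest}")
```

The algorithm guess is by shape only, exactly like hash-identifier: a 64-hex-character value is reported as SHA-256 even though other 256-bit digests look identical, which is why the cracking step is what confirms it. From the application owner's side, the point the classification makes is that a bare, unsalted digest in a user store is a fast hash and should be a salted slow scheme such as bcrypt.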


We now have a password for the hash e26f3xxxxxf8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd, and looking at the file from earlier we can see that this hash belongs to paul@passage.htb.

We try to SSH in as the user paul with that password but we get a login failure, probably because we will need an SSH key for the user.


We just use the normal su method, login and then grab the user flag :)


Let's go grab that SSH key!
Copy Paul's id_rsa key.
I renamed it to paul.ssh and then used that to SSH in.


I had a look in the .ssh directory and I found the following which we can use.


We can just SSH to the nadav user, as it seems Paul and Nadav are using the same SSH keys.
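The lateral move above works because one key is trusted by two accounts. An administrator can catch that with a quick audit of every authorized_keys file on the host. The script below is an added example, not part of the original writeup: it parses authorized_keys lines (including ones with leading options such as command="..."), computes the OpenSSH-style SHA256 fingerprint of each key blob, and reports any fingerprint that appears under more than one user. The two users' file contents are constructed for the demo and the key blobs are base64 of made-up bytes, not real public keys.

```python
import base64
import binascii
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

# Constructed sample: what two users' ~/.ssh/authorized_keys might contain. The key
# blobs are base64 of made-up bytes, not real public keys; only fingerprint equality matters.
BLOB_A = base64.b64encode(b"constructed key material A, shared between two accounts").decode()
BLOB_B = base64.b64encode(b"constructed key material B, used by one account only").decode()
SAMPLE_AUTHORIZED_KEYS = {
    "paul": f"ssh-rsa {BLOB_A} nadav@passage\n",
    "nadav": (
        f"ssh-rsa {BLOB_A} nadav@passage\n"
        "# comment lines and blank lines are ignored\n"
        "\n"
        f'command="/usr/bin/backup" ssh-ed25519 {BLOB_B} backup@ci\n'
    ),
}


def fingerprint(blob):
    """OpenSSH-style fingerprint: SHA256:<base64 of sha256(blob)> with padding stripped,
    the same form that ssh-keygen -lf prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return [(key type, fingerprint, comment)] for each key line in the file.

    Leading options (command=..., from=...) are skipped by scanning for the
    first token that is a key type. Options whose quoted value contains a
    space are not handled by this simple whitespace split. Comments, blank
    lines and undecodable blobs are ignored.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        entries.append((tokens[idx], fingerprint(blob), " ".join(tokens[idx + 2:])))
    return entries


def find_shared_keys(files):
    """Map each fingerprint found in more than one user's file to the sorted list of users."""
    owners = defaultdict(set)
    for user, text in files.items():
        for _, fp, _ in parse_authorized_keys(text):
            owners[fp].add(user)
    return {fp: sorted(users) for fp, users in owners.items() if len(users) > 1}


if __name__ == "__main__":
    for fp, users in find_shared_keys(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"{fp} is trusted by: {', '.join(users)}")
```

On a real host the files dict would be filled by reading /home/*/.ssh/authorized_keys (and /root/.ssh/authorized_keys) as root; the fingerprints match what ssh-keygen -lf prints, so a hit can be cross-checked by hand.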


Privilege Escalation to root

After enumerating for quite a bit, looking at the running processes we find the following.


Let's go Google and see what we can do with this process.

Looks like we might have the right exploit!
The username on the box and the author of the article are strangely the same!

Let's get an idea what this exploit does.


Time to run the exploit commands and get the SSH key from root, as we are able to copy ANY file on the system to a specified file that we can access.


Copy the key and use it to SSH into the server as root and grab the root flag!


This was a pretty fun box I have to say. Thank you ChefByzen for a great box!

This post is licensed under 0x3n0 by the author.
