This box is part of TJnull’s list of boxes. I am doing these boxes as part of my preparation for the OSCP, and I will be sharing the writeups here as well.
Passage is a Linux machine rated Medium difficulty.
Do a rustscan to check for open ports:
rustscan -a 10.129.125.118 --ulimit 5000 -- -A
Add passage.htb to your /etc/hosts. Let’s do some directory busting.
(Note: Don’t do directory busting on this machine. I had to restart it because it crashed for some reason after this. You can read about this in the “Implemented Fail2Ban” page on the website.)
Opening the website:
In the source code of the main page, we find some email addresses and a mention of CuteNews.
Going to http://passage.htb/CuteNews/, we find a login page:
We find the version: CuteNews 2.1.2. I used this exploit and ran it.
And I got a shell! Let’s upgrade to a more stable shell using socat.
In the /var/www/html/CuteNews/cdata/users directory, I ran cat * and got a lot of base64 strings. Decoding them, I got some users and hashes:
I wasn’t able to crack nadav’s password using crackstation or hashcat. But crackstation was able to crack paul’s hash and I got the password: atlanta1
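As an added example (not part of the original writeup and not CuteNews code), here is a small Python audit that parses the base64-encoded records in a cdata/users file the way the manual cat * and decode step did, and reports each account together with the shape of its stored hash. The file layout (a PHP stub line followed by one base64 PHP-serialized record per line) is assumed from what was decoded on the box; the sample file, its ids and emails, and nadav’s hash are constructed, and only paul’s hash is derived from the recovered password.

```python
# Added example, not code from the original writeup or from CuteNews: a parser
# for the per-user record files CuteNews 2.x keeps under cdata/users/, used as
# an audit listing each account and the shape of its stored password hash.
# Assumed layout (what the writeup decoded by hand): a PHP stub line, then one
# base64 line per record, each record a PHP serialize() array. The sample file
# is constructed; ids, emails and nadav's hash are made up, paul's hash is
# derived from the password recovered in the writeup.
import base64
import binascii
import hashlib
import re

def php_serialize(value) -> bytes:
    """Just enough of PHP serialize() to build sample records."""
    if isinstance(value, bool):
        return b"b:%d;" % value
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        raw = value.encode()
        return b's:%d:"%s";' % (len(raw), raw)
    body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
    return b"a:%d:{%s}" % (len(value), body)

def php_unserialize(data: bytes):
    """Minimal PHP unserialize() covering N, b, i, d, s and a (arrays become dicts)."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return value

def _parse(data: bytes, pos: int):
    tag = data[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"b", b"i", b"d"):                     # b:1;  i:42;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        return (raw == b"1" if tag == b"b" else int(raw) if tag == b"i" else float(raw)), end + 1
    if tag == b"s":                                   # s:5:"hello";  length counts bytes
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip ':"'
        if data[start + length:start + length + 2] != b'";':
            raise ValueError(f"bad string terminator at offset {start + length}")
        return data[start:start + length].decode("utf-8", "replace"), start + length + 2
    if tag == b"a":                                   # a:2:{<key><value><key><value>}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos, result = colon + 2, {}                   # skip ':{'
        for _ in range(count):
            key, pos = _parse(data, pos)
            result[key], pos = _parse(data, pos)
        if data[pos:pos + 1] != b"}":
            raise ValueError(f"unterminated array at offset {pos}")
        return result, pos + 1
    raise ValueError(f"unsupported serialized type {tag!r} at offset {pos}")

HEX64 = re.compile(r"^[0-9a-f]{64}$")

def audit_user_file(text: str) -> dict:
    """Return {username: info} for every 'name' record in one cdata/users file."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<?php"):      # the access-denied stub line
            continue
        try:
            record = php_unserialize(base64.b64decode(line, validate=True))
        except (binascii.Error, ValueError):
            continue                                  # not a decodable record
        if not isinstance(record, dict) or "name" not in record:
            continue                                  # 'email'/'id' index lines only map to a username
        for username, attrs in record["name"].items():
            digest = str(attrs.get("pass", ""))
            # A bare 64-hex digest with no salt stored beside it is exactly what a
            # precomputed lookup table such as crackstation can reverse.
            found[username] = {"acl": attrs.get("acl"), "pass": digest,
                               "unsalted_sha256_shape": bool(HEX64.match(digest))}
    return found

def _b64(record: dict) -> str:
    return base64.b64encode(php_serialize(record)).decode()

PAUL_HASH = hashlib.sha256(b"atlanta1").hexdigest()  # password recovered in the writeup
SAMPLE_USERS_FILE = "\n".join([
    "<?php die('Direct call - access denied'); ?>",
    _b64({"email": {"paul@passage.htb": "paul-coles"}}),
    _b64({"name": {"paul-coles": {"id": "1592483236", "name": "paul-coles", "acl": "2",
                                  "email": "paul@passage.htb", "pass": PAUL_HASH}}}),
    _b64({"name": {"nadav": {"id": "1592483047", "name": "nadav", "acl": "1",
                             "pass": hashlib.sha256(b"made-up-for-the-sample").hexdigest()}}}),
])

if __name__ == "__main__":
    for user, info in audit_user_file(SAMPLE_USERS_FILE).items():
        print(f"{user:12} acl={info['acl']} unsalted_sha256={info['unsalted_sha256_shape']} {info['pass']}")
```

Run it as a script to list the accounts. The unsalted_sha256_shape flag is the reason a lookup table such as crackstation could return paul’s password: a bare digest with no salt can be reversed by precomputation, so an install found storing records like these should be upgraded and every account’s password rotated.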
Let’s switch to paul using su paul (password login over SSH is disabled for paul).
Get user.txt from /home/paul/user.txt.
Next, I went to grab paul’s SSH key, but I found this:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzXiscFGV3l9T2gvXOkh9w+BpPnhFv5AOPagArgzWDk9uUq7/4v4kuzso/lAvQIg2gYaEHlDdpqd9gCYA7tg76N5RLbroGqA6Po91Q69PQadLsziJnYumbhClgPLGuBj06YKDktI3bo/H3jxYTXY3kfIUKo3WFnoVZiTmvKLDkAlO/+S2tYQa7wMleSR01pP4VExxPW4xDfbLnnp9zOUVBpdCMHl8lRdgogOQuEadRNRwCdIkmMEY5efV3YsYcwBwc6h/ZB4u8xPyH3yFlBNR7JADkn7ZFnrdvTh3OY+kLEr6FuiSyOEWhcPybkM5hxdL9ge9bWreSfNC1122qq49d nadav@passage
in the authorized_keys file. It’s nadav’s! Let’s log in as nadav using this id_rsa. In the .viminfo file, I noticed a mention of USBCreator. Searching for it, I found this:
USBCreator D-Bus Privilege Escalation
Hi .. Another post-exploitation that is very easy to be executed is using Linux USBCreator. The vulnerability allows an…
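Stepping back to the authorized_keys finding above: the same key being accepted for more than one account is what turned paul’s shell into nadav’s. As an added example (not code from the writeup), this Python audit reads several accounts’ authorized_keys contents, validates each entry, computes the OpenSSH-style SHA256 fingerprint and reports keys that appear under more than one account. The sample files are constructed and the key blobs are synthetic (ssh-rsa wire layout filled with junk), so nothing here is real key material.

```python
# Added example, not code from the original writeup: audit authorized_keys
# across accounts and report any public key that grants access to more than
# one of them (on this box, nadav's key sat in paul's authorized_keys).
# The files below are constructed and the key blobs are synthetic: they have
# the ssh-rsa wire layout but contain filler, not real key material.
import base64
import binascii
import hashlib
import struct

def _ssh_string(raw: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(raw)) + raw

def synthetic_rsa_blob(seed: bytes) -> str:
    """A base64 blob shaped like an ssh-rsa public key; e and n are filler."""
    e = b"\x01\x00\x01"
    n = b"\x00" + hashlib.sha256(seed).digest() * 8     # 257 bytes, like a 2048-bit key
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)).decode()

def parse_authorized_key(line: str):
    """Parse one authorized_keys line into {type, fingerprint, comment}; None if not a key."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    # A line may start with options such as from="10.0.0.1",no-pty; the key
    # type is the first token that looks like one.
    idx = next((i for i, tok in enumerate(fields)
                if tok.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(fields):
        return None
    ktype, b64 = fields[idx], fields[idx + 1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    # The blob starts with the key type as a length-prefixed string; if it does
    # not match the declared type the line is damaged or tampered with.
    if len(blob) < 4:
        return None
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != ktype.encode():
        return None
    # OpenSSH's SHA256 fingerprint is the unpadded base64 of sha256(blob).
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": ktype, "fingerprint": "SHA256:" + digest,
            "comment": " ".join(fields[idx + 2:])}

def shared_keys(files: dict) -> dict:
    """Map fingerprint -> sorted accounts, for keys accepted by more than one account.
    `files` maps an account name to the text of its authorized_keys file."""
    holders = {}
    for account, text in files.items():
        for line in text.splitlines():
            entry = parse_authorized_key(line)
            if entry:
                holders.setdefault(entry["fingerprint"], set()).add(account)
    return {fp: sorted(accounts) for fp, accounts in holders.items() if len(accounts) > 1}

# Constructed sample: the same synthetic key (commented nadav@passage) in both
# paul's and nadav's files, and a distinct key for root. The IP is made up.
NADAV_BLOB = synthetic_rsa_blob(b"nadav")
ROOT_BLOB = synthetic_rsa_blob(b"root")
SAMPLE_FILES = {
    "paul": f"ssh-rsa {NADAV_BLOB} nadav@passage\n",
    "nadav": f"# nadav's own key\nssh-rsa {NADAV_BLOB} nadav@passage\n",
    "root": f'from="10.10.10.1" ssh-rsa {ROOT_BLOB} root@passage\n',
}

if __name__ == "__main__":
    for fp, accounts in shared_keys(SAMPLE_FILES).items():
        print(f"{fp} grants access to: {', '.join(accounts)}")
```

Run against the real files (one entry per account, read from each home directory) the same function gives the list of accounts an attacker can move between once any one private key is obtained; the fingerprint output matches what ssh-keygen -lf prints, so it can be cross-checked by hand.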
I ran the following command:
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true
And I got root’s id_rsa in /tmp! Let’s log in as root!
And we are root!
Get root.txt from /root/root.txt.
We have successfully pwned the box!
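The USBCreator step is also a good detection exercise. As an added example (not part of the writeup), the following Python detection logic parses gdbus invocations out of constructed process-execution events (JSON lines with ts, user and cmdline fields; the format and timestamps are assumed for this example, not taken from any particular product) and flags USBCreator.Image calls whose source is not a disk image or whose target is not a block device. The (source, target, allow_unsafe) argument order is taken from the command on this page.

```python
# Added example, not code from the original writeup: detection logic for the
# USBCreator D-Bus abuse shown in the writeup, run over constructed
# process-execution events (one JSON object per line with ts, user and
# cmdline; format and timestamps are assumed). The Image method is parsed as
# (source, target, allow_unsafe), the argument order the command on this page uses.
import json
import shlex
from pathlib import PurePosixPath

USBCREATOR_DEST = "com.ubuntu.USBCreator"
IMAGE_METHOD = "com.ubuntu.USBCreator.Image"
# Locations that are never a legitimate disk image to write to a USB stick.
SENSITIVE_PREFIXES = ("/root/", "/etc/")

def _is_sensitive_source(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES) or ".ssh" in PurePosixPath(path).parts

def parse_usbcreator_image_call(cmdline: str):
    """Return (source, target, allow_unsafe) for a gdbus call to USBCreator.Image, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if len(argv) < 2 or PurePosixPath(argv[0]).name != "gdbus" or argv[1] != "call":
        return None
    opts, positional, i = {}, [], 2
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--") and "=" in arg:                  # --dest=NAME
            key, val = arg[2:].split("=", 1)
            opts[key] = val
            i += 1
        elif arg in ("--dest", "--object-path", "--method", "--timeout"):
            opts[arg[2:]] = argv[i + 1] if i + 1 < len(argv) else ""
            i += 2
        elif arg.startswith("--"):                                # --system / --session
            opts[arg[2:]] = True
            i += 1
        else:                                                     # method arguments
            positional.append(arg)
            i += 1
    if opts.get("dest") != USBCREATOR_DEST or opts.get("method") != IMAGE_METHOD:
        return None
    source, target, unsafe = (positional + ["", "", ""])[:3]
    return source, target, unsafe.lower() == "true"

def detect(events):
    """Return a finding for every Image call that does not look like writing an ISO to a device."""
    findings = []
    for ev in events:
        parsed = parse_usbcreator_image_call(ev.get("cmdline", ""))
        if parsed is None:
            continue
        source, target, unsafe = parsed
        reasons = []
        if _is_sensitive_source(source):
            reasons.append(f"source {source} is a sensitive file, not an image")
        if not target.startswith("/dev/"):
            reasons.append(f"target {target} is a regular path, not a block device")
        if unsafe:
            reasons.append("allow_unsafe flag set")
        if reasons:
            findings.append({"ts": ev.get("ts"), "user": ev.get("user"),
                             "source": source, "target": target, "reasons": reasons})
    return findings

# Constructed sample events. The first is the command from the writeup; the
# others are benign-looking activity so the rule has something to ignore.
SAMPLE_LOG = "\n".join([
    json.dumps({"ts": "2020-09-06T10:12:01Z", "user": "nadav", "cmdline":
                "gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator "
                "--method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true"}),
    json.dumps({"ts": "2020-09-06T10:12:05Z", "user": "nadav", "cmdline":
                "gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 "
                "--method org.freedesktop.login1.Manager.ListSessions"}),
    json.dumps({"ts": "2020-09-06T10:13:40Z", "user": "paul", "cmdline":
                "gdbus call --system --dest=com.ubuntu.USBCreator --object-path=/com/ubuntu/USBCreator "
                "--method=com.ubuntu.USBCreator.Image /home/paul/ubuntu.iso /dev/sdb false"}),
    json.dumps({"ts": "2020-09-06T10:14:02Z", "user": "paul", "cmdline": "cat /home/paul/user.txt"}),
])
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.splitlines()]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']} user={f['user']} {f['source']} -> {f['target']}: " + "; ".join(f["reasons"]))
```

A legitimate use of the service writes an ISO to a /dev/sdX device; anything reading from /root, /etc or a .ssh directory, or writing to a regular file, deserves an alert. The same parse works over auditd EXECVE records once the argv fields are reassembled into a command line, and the underlying fix is to patch usb-creator so the Image method no longer copies arbitrary files as root.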