PASSAGE — HackTheBox WriteUp

This box is a part of TJnull’s list of boxes. I am doing these boxes as a part of my preparation for OSCP. I will be sharing the writeups of the same here as well.
PASSAGE is a LINUX machine, and is of MEDIUM difficulty.

Do a rustscan to check for open ports:

rustscan -a 10.129.125.118 --ulimit 5000 -- -A

Add passage.htb to your /etc/hosts. Let’s do some directory busting.
(Note: Don’t do directory busting on this machine. I had to restart it because it crashed for some reason after this. You can read about this in the “Implemented Fail2Ban” page on the website.)

Opening the website:

In the source code of the main page, we find some emails:
nadav@passage.htb, kim@example.com, sid@example.com, paul@passage.htb, and the mention of CuteNews.

Going to http://passage.htb/CuteNews/, we find a login page:

We find the version: CuteNews 2.1.2. I used this exploit and ran it.

And I got a shell! Let’s get a shell using socat.
In the /var/www/html/CuteNews/cdata/users directory, I did a cat * and got a lot of base64 strings. Decoding them, I got some users and hashes:

nadav:7144a8b531c27a60b51d81ae16be3a81cef722e11b43a26fde0ca97f9e1485e1
paul:e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd

I wasn’t able to crack nadav’s password using crackstation or hashcat. But crackstation was able to crack paul’s hash and I got the password: atlanta1
Let’s change to paul using su paul. (Password login for paul’s SSH is disabled.)
Get user.txt from /home/paul/user.txt.
Next, I went to grab paul’s SSH key, but I found this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzXiscFGV3l9T2gvXOkh9w+BpPnhFv5AOPagArgzWDk9uUq7/4v4kuzso/lAvQIg2gYaEHlDdpqd9gCYA7tg76N5RLbroGqA6Po91Q69PQadLsziJnYumbhClgPLGuBj06YKDktI3bo/H3jxYTXY3kfIUKo3WFnoVZiTmvKLDkAlO/+S2tYQa7wMleSR01pP4VExxPW4xDfbLnnp9zOUVBpdCMHl8lRdgogOQuEadRNRwCdIkmMEY5efV3YsYcwBwc6h/ZB4u8xPyH3yFlBNR7JADkn7ZFnrdvTh3OY+kLEr6FuiSyOEWhcPybkM5hxdL9ge9bWreSfNC1122qq49d nadav@passage

in the authorized_keys. It’s nadav’s! Let’s log in to nadav using the id_rsa. In the .viminfo file, I noticed the mention of USBCreator. I searched for some things related to that. I found this:

I ran the following command:

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true

And I got root’s id_rsa in /tmp! Let’s log in as root!

And we are root!
Get root.txt from /root/root.txt.

We have successfully pwned the box!
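
A defender's check for the key sharing seen above, where nadav's public key sits in paul's authorized_keys: this added Python example (not part of the original writeup) fingerprints every authorized_keys entry and flags keys accepted by more than one account or whose comment names another user. The `alice` account, the key blobs in `SAMPLE`, and the helper names `parse_key` and `audit` are assumptions made for illustration.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def parse_key(line):
    """Return (fingerprint, comment) for one authorized_keys line, or None."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    # An entry may begin with an options field (e.g. no-pty), so locate the
    # key-type token instead of assuming it is the first field.
    for i, tok in enumerate(fields[:-1]):
        if not tok.startswith(KEY_TYPES):
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        # OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the blob.
        digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
        return "SHA256:" + digest.rstrip("="), " ".join(fields[i + 2:])
    return None

def audit(files):
    """files maps account -> authorized_keys text; returns a list of findings."""
    accounts = defaultdict(set)  # fingerprint -> accounts that accept the key
    findings = []
    for account, text in files.items():
        for parsed in filter(None, map(parse_key, text.splitlines())):
            fp, comment = parsed
            accounts[fp].add(account)
            owner = comment.split("@")[0]
            if owner and owner != account:
                findings.append((account, fp, f"key comment names '{owner}'"))
    for fp, accts in accounts.items():
        if len(accts) > 1:
            findings.append((",".join(sorted(accts)), fp, "key accepted by several accounts"))
    return findings

# Constructed sample data: the blobs are placeholders, not real keys.
KEY_A = base64.b64encode(b"constructed-blob-A").decode()
KEY_B = base64.b64encode(b"constructed-blob-B").decode()
SAMPLE = {
    "paul": f"ssh-rsa {KEY_A} nadav@passage\n",
    "nadav": f"# own key\nno-pty ssh-rsa {KEY_A} nadav@passage\n",
    "alice": f"ssh-ed25519 {KEY_B} alice@passage\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

Key comments are free text that anyone can edit, so treat the comment mismatch as a hint and the shared fingerprint as the reliable signal.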