
HTB Passage Writeup

This is my first medium-level machine on HackTheBox, called Passage. Overall, I learned a lot from this box. As always, we start with a port scan using Nmap:

Nmap scan report for 10.10.10.206
Host is up (0.77s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
|   256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_  256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Passage News
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The scan shows two open ports: 22 (SSH) and 80 (HTTP).

Webserver

The web server on port 80 revealed that the site is running CuteNews.

Homepage of the webserver

Looking at the CuteNews documentation revealed that the CuteNews application is located at the /CuteNews URL. Going there revealed a log-in page and a register page.

CuteNews log in portal

Default credentials (e.g. admin:admin) did not get us logged in to CuteNews. We were, however, able to register an account and log in. With that registered account we could not find anything further to exploit, so we could not continue that way.

However, at the bottom of the page we see that this server runs CuteNews version 2.1.2, and this version appears to be vulnerable (https://www.exploit-db.com/exploits/48800). With this exploit we are able to get a shell and perform remote code execution on the server. Through this shell we were logged in as the www-data user. We also saw that the server has two more users: paul and nadav.

We would like to escalate privileges to one of these two users. Looking at the CuteNews documentation, we found that it does not use a (SQL) database to store data; it stores everything in (txt) files on the server. This means the users' credentials must be somewhere in the CuteNews directory. The next step was to download CuteNews, install it on our own web server and see how users are stored. We found that our own local user is stored in the cdata/users/ folder. That folder contains four files (35.php, 38.php, 41.php, and 85.php), and one of them contains a long base64-encoded string which can easily be decoded. The decoded string contains, among other things, the username and the hashed password.

Next, we went back to the machine, into its cdata/users/ directory, and looked through the roughly 40 PHP files there, decoding them until we found the files belonging to Paul and Nadav.

Nadav’s credentials
Paul’s credentials

We tried to crack both hashed passwords using hashcat, but only managed to crack Paul's. Hashcat was run with these parameters (where paul.hash is a file containing the hashed password):

hashcat -m 1400 paul.hash rockyou.txt

The password we retrieved was atlanta1. Running the command:

su paul

and entering Paul's password (atlanta1) logged us in as Paul. With that we retrieved the user flag, and the next step was to get root.
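Hashcat mode 1400 is raw, unsalted SHA-256, which is why a wordlist recovered Paul's password so easily. The added example below (my own code, not from CuteNews or the box) classifies a stored credential string by scheme and contrasts the unsalted digest with a salted scrypt hash; the digest value is computed here from the recovered password rather than copied from the machine.

```python
import hashlib
import hmac
import os
import re

# Constructed sample: the shape of what CuteNews kept for Paul, an unsalted
# SHA-256 hex digest (what hashcat mode 1400 cracks). Computed locally.
PAUL_PASSWORD = "atlanta1"
PAUL_STORED_HASH = hashlib.sha256(PAUL_PASSWORD.encode()).hexdigest()

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")
SCRYPT_PARAMS = dict(n=2 ** 13, r=8, p=1, dklen=32)


def classify_stored_hash(stored):
    """Label a stored credential string by the scheme it appears to use."""
    if HEX_SHA256.match(stored):
        return "unsalted-sha256"   # fast and unsalted: wordlist-crackable
    if stored.startswith(("$6$", "$y$", "$2b$", "$argon2")):
        return "salted-slow"       # crypt(3) / bcrypt / argon2 families
    if stored.startswith("scrypt$"):
        return "scrypt"            # the self-describing format built below
    return "unknown"


def hash_password(password, salt=None):
    """Salted scrypt from the stdlib, stored as 'scrypt$<salt hex>$<digest hex>'.

    A fresh random salt means two users with the same password get different
    stored values, so one cracked digest does not unlock the other account.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute scrypt with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)
```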

Root

To get root we first wanted to escalate privileges to the user Nadav. We ran a Linux enumeration script and found that Paul possibly has private SSH keys in his /home/paul/.ssh/ folder. Looking at the id_rsa and id_rsa.pub files reveals that with these keys we can log in as nadav, using nadav@passage. So we copied the keys to our local machine and ran ssh as:

sudo ssh -i id_rsa nadav@passage
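The misconfiguration here is a private key in one user's home whose public half is trusted by another account's authorized_keys. The added example below (my own audit code, not from the box) walks a constructed snapshot of two home directories and reports every such cross-user trust; the key blobs are fake placeholders, not real keys.

```python
# Constructed snapshot of the layout found on the box: Paul's ~/.ssh holds a
# key pair whose public half also sits in Nadav's authorized_keys. The blobs
# are placeholders, not real key material.
SAMPLE_HOMES = {
    "paul": {
        "pubkeys": ["ssh-rsa AAAAB3FAKEPAULKEY nadav@passage"],
        "authorized_keys": [],
    },
    "nadav": {
        "pubkeys": ["ssh-rsa AAAAB3FAKENADAVKEY nadav@passage"],
        "authorized_keys": [
            "# nadav's own key",
            "ssh-rsa AAAAB3FAKENADAVKEY nadav@passage",
            'command="/usr/bin/true" ssh-rsa AAAAB3FAKEPAULKEY nadav@passage',
        ],
    },
}

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


def key_blob(line):
    """Return (key type, base64 blob) from an OpenSSH public-key line, or None.

    Skips comments and tolerates an authorized_keys options prefix such as
    command="..." by scanning for the first key-type token.
    """
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPES):
            return tok, tokens[i + 1]
    return None


def find_cross_user_keys(homes):
    """List (key owner, account it unlocks) for every public key found in one
    user's home that another user's authorized_keys trusts."""
    owned = {}
    for user, files in homes.items():
        for line in files.get("pubkeys", []):
            blob = key_blob(line)
            if blob:
                owned.setdefault(blob, set()).add(user)
    findings = []
    for user, files in homes.items():
        for line in files.get("authorized_keys", []):
            for owner in owned.get(key_blob(line), ()):
                if owner != user:
                    findings.append((owner, user))
    return sorted(findings)
```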

And we were logged in as Nadav. The next step was to escalate privileges to root, so we ran a Linux enumeration script again to find interesting files and settings. We did not find anything interesting, so we went looking at hidden files in our user directory. We found a file called .viminfo, which records the most recently edited files, and saw that a USBCreator (D-Bus) file had been edited recently. Googling this program, we found that an exploit is available (https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/).

This exploit can save files as the root user. So my idea was to create a shadow file containing credentials for the root user. Instead of using the root user's original password, I copy my own hashed password from my local machine into the newly created shadow file. After that I copy the shadow file over /etc/shadow and log in as root using my own password.

To achieve this we looked at the shadow file of our local machine and copied the root line into a shadow file in Nadav's home directory:

root:HASHED_PASSWORD:18537:0:99999:7:::

To overwrite the original shadow file on the machine, we need to run this command:

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/shadow /etc/shadow true

With this command the original shadow file is overwritten by ours, and we can log in as root using our own password. To log in as root, run:

su root

and use the same password as on your local machine; you are now logged in as root and can retrieve the root flag.
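From the defender's side, the replacement of /etc/shadow above leaves a distinctive trace: the root hash and its last-change date differ from any baseline, and every other account's entry is gone. The added example below (my own detection code, not from the box) diffs a constructed baseline against a constructed post-attack snapshot; the hash strings are placeholders in the real field layout, not hashes from the machine.

```python
# Constructed baseline and post-attack snapshots of /etc/shadow. The hash
# strings are placeholders laid out like real crypt(3) entries.
BASELINE = """root:$6$BASEROOTSALT$BASEROOTHASH:18500:0:99999:7:::
paul:$6$PAULSALT$PAULHASH:18500:0:99999:7:::
nadav:$6$NADAVSALT$NADAVHASH:18500:0:99999:7:::
"""
# One root line only, carrying a hash copied in from another machine.
TAMPERED = "root:$6$LOCALSALT$LOCALHASH:18537:0:99999:7:::\n"

SHADOW_FIELDS = 9  # name, hash, lastchg, min, max, warn, inactive, expire, reserved


def parse_shadow(text):
    """Map account name -> the remaining eight shadow fields, validating layout."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != SHADOW_FIELDS:
            raise ValueError(f"line {n}: expected {SHADOW_FIELDS} fields, got {len(fields)}")
        entries[fields[0]] = fields[1:]
    return entries


def diff_shadow(baseline, current):
    """Return human-readable findings describing how current departs from baseline."""
    old, new = parse_shadow(baseline), parse_shadow(current)
    findings = []
    for user in sorted(set(old) - set(new)):
        findings.append(f"missing account: {user}")
    for user in sorted(set(new) - set(old)):
        findings.append(f"new account: {user}")
    for user in sorted(set(old) & set(new)):
        if old[user][0] != new[user][0]:
            findings.append(f"password hash changed: {user}")
        if old[user][1] != new[user][1]:
            findings.append(f"last-change date moved: {user}")
    return findings
```

A file-integrity tool that snapshots /etc/shadow on a schedule and feeds the two versions to diff_shadow would raise all four findings within one cycle of the overwrite.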

Conclusion

During this box I learned a lot about enumeration, hidden files, SSH, file ownership, hashcat and privilege escalation. I rate this box 7/10; it should be treated as one of the simpler medium boxes on HackTheBox.