Passage machine is a vulnerable machine with Linux operating system among retired machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic Scan
Full Port Scan
As a result of port scanning, 22/tcp ssh OpenSSH and 80/tcp http Apache ports are open.
Since there is no vulnerability on the ssh port, we continue enumeration on port 80.
Here we have found a lot of information from the source code, this information is with irayla
The e-mail addresses paul@passage.htb and nadav@passage.com were detected, which were prepared using cutenews (cutenews is a free news management system).
Here we understood from the source code that the connection will be made via cutnews. We look at the target list from the url.
We are trying the default password without success. Here we do a search in the version and then
Let’s download and use this code
In this way it gave us the shell screen. In order to stabilize the shell screen, we create a revershell for ourselves
We provide local enumeration because the authorization is limited.
Here we see php files encoded with base64 where we have credential information about the users and we decoded these files one by one.
This is how we identified the credentials of user “paul”.
paul@passage.htb:atlanta1
let’s log in to user paul using this information
Here we have our user flag, but we still do not have root access. Therefore we continue with local enumeration.
Here we obtained the ssh key of user nadav among the ssh keys. We connected to user nadav and continued the enumeration.
We provided auto enumeration with linenum and pspy but we didn’t get enough information. We continue with manual local enumeration.
Here USBcretor caught our attention, let’s see if we can realize privilegeesc related to bula in Google.
In the com.ubuntu.USBCreator.conf file, the users of the sudo group means that the usb creators are a member of the sudo group. Let’s google search how to do privilege escalation with usb cretor
As a result of research, an attacker with access to a user in the sudo group can use the USBCretor D-Bus interface to read and write the contents of files with arbitrary content as root, bypassing the password policy enforced by the sudo binary. The USBCretor D-Bus service runs in privileged mode and acts on behalf of unprivileged users.
Let’s apply the technique found on Github
1. command we tested if USBCreator is present or not.
In command
2. we accessed the .ssh folder in the root directory and copied it to the /tmp folder as id_rsa.
3. here we read id_rsa.
We read this id_rsa and copied it to our machine. Then we got a connection with this ssh key.
This is how we got root authorization and got our flag.