Passage machine is a vulnerable machine with Linux operating system among retired machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic Scan

Full Port Scan

As a result of port scanning, 22/tcp ssh OpenSSH and 80/tcp http Apache ports are open.
Since there is no vulnerability on the ssh port, we continue enumeration on port 80.

Here we have found a lot of information from the source code, this information is with irayla
The e-mail addresses paul@passage.htb and nadav@passage.com were detected, which were prepared using cutenews (cutenews is a free news management system).
Here we understood from the source code that the connection will be made via cutnews. We look at the target list from the url.

We are trying the default password without success. Here we do a search in the version and then

Let’s download and use this code

In this way it gave us the shell screen. In order to stabilize the shell screen, we create a revershell for ourselves

We provide local enumeration because the authorization is limited.

Here we see php files encoded with base64 where we have credential information about the users and we decoded these files one by one.

This is how we identified the credentials of user “paul”.
let’s log in to user paul using this information

Here we have our user flag, but we still do not have root access. Therefore we continue with local enumeration.
Here we obtained the ssh key of user nadav among the ssh keys. We connected to user nadav and continued the enumeration.

We provided auto enumeration with linenum and pspy but we didn’t get enough information. We continue with manual local enumeration.

Here USBcretor caught our attention, let’s see if we can realize privilegeesc related to bula in Google.

In the com.ubuntu.USBCreator.conf file, the users of the sudo group means that the usb creators are a member of the sudo group. Let’s google search how to do privilege escalation with usb cretor

As a result of research, an attacker with access to a user in the sudo group can use the USBCretor D-Bus interface to read and write the contents of files with arbitrary content as root, bypassing the password policy enforced by the sudo binary. The USBCretor D-Bus service runs in privileged mode and acts on behalf of unprivileged users.

Let’s apply the technique found on Github

1. command we tested if USBCreator is present or not.
In command

2. we accessed the .ssh folder in the root directory and copied it to the /tmp folder as id_rsa.

3. here we read id_rsa.
We read this id_rsa and copied it to our machine. Then we got a connection with this ssh key.

This is how we got root authorization and got our flag.


  1. ecommerce

    Wow, marvelous blog structure! How long have you
    been blogging for? you made blogging glance easy. The entire glance of your website is great, let alone
    the content! You can see similar here sklep

  2. sklep

    I just could not depart your web site before suggesting that I really enjoyed the usual info an individual supply
    on your visitors? Is going to be again steadily to inspect new posts
    I saw similar here: Sklep

  3. sklep internetowy

    Howdy! Do you know if they make any plugins to assist with
    SEO? I’m trying to get my blog to rank for some targeted keywords but I’m not seeing
    very good gains. If you know of any please share. Thank you!
    You can read similar text here: Sklep online

  4. Phone Tracker Free

    What should I do if I have doubts about my partner, such as monitoring the partner’s mobile phone? With the popularity of smart phones, there are now more convenient ways. Through the mobile phone monitoring software, you can remotely take pictures, monitor, record, take real – Time screenshots, real – Time voice, and view mobile phone screens.

  5. GSA List

    Hey there! Do you know if they make any plugins to assist with SEO?
    I’m trying to get my site to rank for some targeted keywords but I’m not seeing
    very good results. If you know of any please share. Cheers!
    I saw similar article here: GSA Verified List

  6. tlover tonet

    Hello There. I discovered your weblog using msn. This is an extremely well written article. I will be sure to bookmark it and return to learn extra of your helpful info. Thank you for the post. I’ll certainly return.

  7. Boostaro reviews

    I carry on listening to the newscast speak about getting free online grant applications so I have been looking around for the most excellent site to get one. Could you advise me please, where could i get some?

  8. hire a hacker for facebook

    What i don’t realize is actually how you are not actually much more well-liked than you might be now. You’re so intelligent. You realize thus considerably relating to this subject, produced me personally consider it from a lot of varied angles. Its like men and women aren’t fascinated unless it is one thing to accomplish with Lady gaga! Your own stuffs outstanding. Always maintain it up!

  9. cbd bestellen

    Good day very cool web site!! Guy .. Excellent .. Superb .. I’ll bookmark your website and take the feeds additionally?KI’m happy to search out so many helpful information here in the post, we’d like work out extra techniques in this regard, thank you for sharing. . . . . .

  10. cbd shop schweiz

    Having read this I thought it was very informative. I appreciate you taking the time and effort to put this article together. I once again find myself spending way to much time both reading and commenting. But so what, it was still worth it!

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir