Posts Passage - Hack The Box

Passage - Hack The Box

In Passage, I’ll find and exploit CuteNews with a RCE CVE. The exploit returns sha256 hashes, which I’ll crack. That user shares an SSH key with the next user on the box. To root, I’ll exploit a bug in USBCreator that allows me to run sudo without knowing the user’s password.



Website - Port 80

There’s a website running on the server with a news page.


The footer shows a possible software name which we’ll look up on Exploit-DB.

Exploit-DB has a match for CuteNews. The most recent release of CuteNews is vulnerable to 2019-11447 so its safe to assume its running this software. exploit

CuteNews exploitation

I’m going to first setup Burp proxy on port 8080 and then i’m going to have it redirect to passage. burp

Set Intercept On


Once it gets to the command prompt, type any command and have burp intercept it and Send to Repeater. You should have a cmd POST param to work with. I’m going to be using netcat to establish a reverse shell using the php shell.



When we ran the CuteNews exploit, we were given some sha256 hashes of the users.


Attempting to crack them with john, I get a hit on one of them. hashes

I tried su on paul and it worked. paul:atlanta1


Paul -> Nadav

Once as Paul, we see another user named nadav, this user appears to have more permissions than Paul. Located in paul’s .ssh/authorized_keys we see nadav public key. So perhaps Paul’s public key is located in nadav authorized_keys file?

navdav navdav

Privilege Escalation

Using the command ps aux we find a usb-creator-helper script running as root. ps

After searching you will find an article on a privesc method for this. link

According to the article, the _builtin_dd method takes unfiltered user input and throws it into dd, allowing us to overwrite files as root. Judging by all the times we worked with ssh keys on this box, its safe to assume the root user has a ssh key as well, so we can just send the ssh key into a directory we can access such as /tmp.

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/key true

After this, use the key to login as root.

root.txt ea114a815d97b948819dd2045fc575d3

This post is licensed under CC BY 4.0 by the author.