Let's get started by viewing the nmap results.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-25.png)
We can see that port 80 is open and running a web server.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-26-1024x531.png)
Gobuster was failing continuously, so I decided to take a peek at the official discussion forum and confirmed that this was not an issue. I continued inspecting the page, and at the bottom it says "Powered By CuteNews".
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-27-1024x530.png)
It's a kind of CMS.
I searched Exploit-DB directly for CuteNews exploits, and there were many.
From the first exploit I learned that the directories below possibly exist.
Since I was not sure about the version, I decided to try the directories I found while reading the exploit on Exploit-DB.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-28.png)
http://passage.htb/CuteNews/
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-29.png)
Now I know CuteNews 2.1.2 is running,
and there was an option to register.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-31.png)
We have an option to upload an avatar.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-32.png)
https://www.exploit-db.com/exploits/46698
which is for remote code execution.
We can get RCE if we are able to upload PHP code hidden in an image file, which is our avatar.
https://book.hacktricks.xyz/pentesting-web/file-upload
`exiftool -comment=" passage.jpg`
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-30.png)
and I uploaded the avatar.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-33.png)
From the code on Exploit-DB I learned the location of the uploaded avatar.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-34.png)
I added `?cmd=whoami` to the URL of my uploaded file.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-35.png)
We got RCE. Now let's get the reverse shell.
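The upload step above works because a PHP tag survives inside the image's metadata (exiftool's `-comment` writes a JPEG COM segment) and the avatar is then served from a directory where the web server executes PHP. The following is an added example, not code from this write-up or from CuteNews, of the check an upload handler could run before accepting a JPEG: it walks the JPEG segment table, flags PHP open tags found in any metadata segment, and rebuilds the file with every COM/APPn segment dropped. The segment layout and sample bytes are constructed here and are not real images.

```python
"""Server-side JPEG metadata check for avatar uploads (added example, not CuteNews code)."""
import struct

# Substrings that would let a PHP interpreter start executing the file.
PHP_MARKERS = (b"<?php", b"<?=", b"<script language=\"php\"")

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE


def jpeg_segments(data: bytes):
    """Yield (marker, start, end, payload) for each segment up to and including SOS.

    start is the offset of the 0xFF marker byte, end the offset just past the
    segment. Parsing stops at SOS because metadata cannot follow the scan data.
    Standalone markers (RSTn, TEM) are not expected before SOS and are not handled.
    """
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes itself
        end = pos + 2 + length
        if end > len(data):
            raise ValueError("segment length exceeds file size")
        yield marker, pos, end, data[pos + 4:end]
        if marker == SOS:
            return
        pos = end


def find_php_in_metadata(data: bytes) -> list:
    """Return the markers (as hex strings) of segments whose payload contains a PHP tag."""
    return [f"0x{marker:02X}" for marker, _, _, payload in jpeg_segments(data)
            if any(m in payload for m in PHP_MARKERS)]


def strip_metadata(data: bytes) -> bytes:
    """Rebuild the JPEG keeping only decoder-relevant segments (drops COM and APP0-APP15)."""
    out = bytearray(bytes([0xFF, SOI]))
    for marker, start, end, _ in jpeg_segments(data):
        if marker == SOS:
            out += data[start:]          # SOS header, scan data and EOI, unchanged
            return bytes(out)
        if marker == COM or 0xE0 <= marker <= 0xEF:
            continue                     # EXIF, JFIF, XMP, comments: all dropped
        out += data[start:end]
    return bytes(out)


def accept_avatar(data: bytes) -> bytes:
    """Upload policy: reject on any PHP tag in metadata, otherwise store the stripped bytes."""
    if find_php_in_metadata(data):
        raise ValueError("upload rejected: executable content in image metadata")
    return strip_metadata(data)


def is_accepted(data: bytes) -> bool:
    """Boolean wrapper around accept_avatar for callers that only need the verdict."""
    try:
        accept_avatar(data)
        return True
    except ValueError:
        return False


def segment(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed JPEG segment (used only to construct the samples)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: not real images, just enough structure for the walker.
SAMPLE_APP0 = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
SAMPLE_DQT = segment(0xDB, bytes(65))
SAMPLE_SCAN = segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34" + bytes([0xFF, EOI])
SAMPLE_CLEAN = bytes([0xFF, SOI]) + SAMPLE_APP0 + SAMPLE_DQT + SAMPLE_SCAN
# A COM segment holding only a PHP open tag and a harmless comment, as a detection marker.
SAMPLE_TAINTED = (bytes([0xFF, SOI]) + SAMPLE_APP0
                  + segment(COM, b"<?php /* constructed marker */ ?>")
                  + SAMPLE_DQT + SAMPLE_SCAN)

if __name__ == "__main__":
    print("clean   :", find_php_in_metadata(SAMPLE_CLEAN))
    print("tainted :", find_php_in_metadata(SAMPLE_TAINTED))
    print("stripped:", find_php_in_metadata(strip_metadata(SAMPLE_TAINTED)))
```

The substring scan is only a tripwire: binary scan data can contain `<?=` by accident, and a tag can also sit in the JPEG body rather than a metadata segment. The durable fixes are the two the write-up implicitly relies on being absent: re-encode every upload (or at least strip metadata as above) and store avatars under a path where the web server never executes PHP.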
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-37.png)
I was able to locate a few PHP files.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-39.png)
I read them using cat and got some base64-encoded data.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-41.png)
I copied the base64-encoded data and decoded it. I got a hash value, cracked it using john, and got the credentials below:
user: paul
password: atlanta1
I became paul with the su command.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-40.png)
I copied paul's id_rsa to the attacker machine.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-48.png)
Using the same SSH key of paul, I SSHed in as nadav.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-45.png)
In nadav's home folder I saw a .vim file with the contents shown below.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-49.png)
I also ran LinPEAS.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-44.png)
There is a dbus-daemon-launch-helper with the SUID bit set (this time it's exploitable).
https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/
This privilege escalation is not possible through paul's account: the calling user must be able to reach the USBCreator D-Bus service and must also be in the sudo group.
I got nadav, who is in the sudo group.
`gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/authorized_keys /root/.ssh/authorized_keys true`
By running the above command, we replaced root's SSH authorized_keys with nadav's. You could also use any key you generated yourself.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-46.png)
So, using paul's SSH key, which is the same as nadav's and which now replaces root's, I can SSH directly as root.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-47.png)
We got root!!
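Two findings in this box are the same weakness seen twice: paul's private key logs in as nadav, and the USBCreator call then copies nadav's key into root's authorized_keys, so one private key ends up opening three accounts. The audit below is an added example (not part of this write-up, and not a LinPEAS or HTB tool) that indexes every account by the SHA256 fingerprints it accepts and reports keys shared between accounts, especially any that reach root from an unprivileged user. The `SAMPLE` mapping is constructed to mirror the paul/nadav/root situation; its key blobs are valid base64 but not real public keys, and `collect_from_host` is the hypothetical helper that would gather the same mapping from a live system.

```python
"""Audit which accounts accept the same SSH public key (added example, not from the write-up)."""
import base64
import glob
import hashlib
import os
import re

# key type, base64 blob, optional comment; options such as command="..." may precede the type.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d{3})\s+([A-Za-z0-9+/=]+)(?:\s+(\S.*))?$"
)


def parse_authorized_keys(text: str):
    """Yield (key_type, base64_blob, comment) for each active line of an authorized_keys file."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m:
            yield m.group(1), m.group(2), (m.group(3) or "")


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (base64, padding removed)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def keys_by_account(keys_by_user: dict) -> dict:
    """Map fingerprint -> sorted list of accounts whose authorized_keys accept it."""
    index = {}
    for user, text in keys_by_user.items():
        for _ktype, blob, _comment in parse_authorized_keys(text):
            index.setdefault(fingerprint(blob), set()).add(user)
    return {fp: sorted(users) for fp, users in index.items()}


def shared_keys(keys_by_user: dict) -> dict:
    """Only fingerprints accepted by more than one account: the key-reuse finding."""
    return {fp: users for fp, users in keys_by_account(keys_by_user).items() if len(users) > 1}


def keys_reaching_root(keys_by_user: dict) -> list:
    """Fingerprints that open root and at least one other account (lateral movement to root)."""
    return sorted(fp for fp, users in shared_keys(keys_by_user).items() if "root" in users)


def collect_from_host() -> dict:
    """Hypothetical helper: read authorized_keys for every home directory plus root.

    Needs root to read other users' files; returns the same user -> text mapping as SAMPLE.
    """
    found = {}
    for path in glob.glob("/home/*/.ssh/authorized_keys") + ["/root/.ssh/authorized_keys"]:
        if os.path.isfile(path):
            user = "root" if path.startswith("/root/") else path.split("/")[2]
            with open(path, encoding="utf-8", errors="replace") as fh:
                found[user] = fh.read()
    return found


# Constructed sample: the blobs are valid base64 but not real keys.
KEY_A = base64.b64encode(b"constructed key blob A, not a real public key").decode()
KEY_B = base64.b64encode(b"constructed key blob B, not a real public key").decode()
SAMPLE = {
    "paul": f"ssh-rsa {KEY_A} paul@passage\n",
    "nadav": f"# nadav also accepts paul's key\nssh-rsa {KEY_A} paul@passage\nssh-ed25519 {KEY_B} nadav@passage\n",
    "root": f'command="/usr/local/bin/backup" ssh-ed25519 {KEY_B} nadav@passage\n',
}

if __name__ == "__main__":
    for fp, users in shared_keys(SAMPLE).items():
        print(fp, "accepted by", ", ".join(users))
    print("keys reaching root from another account:", keys_reaching_root(SAMPLE))
```

Run against a real host, the interesting output is any fingerprint listed for root alongside a normal user: that is exactly the state the USBCreator call produced here, and it is also what a file-integrity monitor on `/root/.ssh/authorized_keys` would have alerted on.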
If you find this write-up useful, please respect on HTB:
![](https://ehackify.com/blog/wp-content/uploads/2020/09/elite.png)
https://www.hackthebox.eu/home/users/profile/240146
You can connect with me on
LinkedIn: Derick N
Twitter: Derick N