🚒Passage
https://app.hackthebox.com/machines/Passage
We find 2 TCP ports open:
On the web page we see the following information ->
Fail2Ban is anti-brute-force software:
So basically with a gobuster I got my IP banned so I'm going to be cautious when it comes to finding subdirectories
Through enumeration, I find that it's CuteNews 2.1.2 running with a known CVE ->
Very straightforward CVE
We see some PHP files
So with a quick PHP reverse shell ->
We get a more stable shell
After enumerating a bit, we find where the flat files that cuteCMS uses as a "database" are stored
So we see this is base64 encoded:
After looking up a write-up to see how a pro would go quickly through all of this, I found this crazy one-liner that got me thinking I should start learning those:
Explanation:
Loop Over Files:
This loop iterates over all files in the current directory (using `*` to match all filenames).
Process Each File:
For each file, it:
- Uses `cat $f` to read the content of the file.
- Pipes the content to `grep -v 'php die'`, which filters out any lines containing the string 'php die'.
- Uses `echo` to add a newline after processing each file.
Concatenate and Filter Non-Empty Lines:
After processing all files, `done` ends the loop. The output is then piped to `grep .`, which filters out any empty lines (only lines containing at least one character are kept).
Read and Decode Each Line:
This `while` loop reads each non-empty line:
- `read line` reads a line into the variable `line`.
- `echo $line | base64 -d` decodes the line from base64 encoding.
- `echo` adds a newline after each decoded line.
Since we looked at the home directory and saw a paul user, we could guess that this user is the pivoting path, so I added a grep "paul" to the one-liner as my part of the contribution
Took this hash and looked it up and saw it was mode 1400 on hashcat ->
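The decode-and-filter steps explained above, written out as an added shell example (not the one-liner from the write-up and not code from the original page); it also skips lines that are not valid base64 and pulls out only 64-hex-character values, the SHA-256 shape that hashcat mode 1400 expects. The guard line text, record layout, file names and both hashes (SHA-256 of the empty string and of "abc") are constructed sample data.

```shell
#!/bin/sh
# Decode every base64 line of the flat files in directory $1, skipping the PHP guard line.
decode_flat_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -v 'php die' "$f" || true   # a file may hold nothing but the guard line
        echo
    done | grep . | while IFS= read -r line; do
        # Skip lines that are not valid base64 instead of printing partial output
        decoded=$(printf '%s' "$line" | base64 -d 2>/dev/null) || continue
        printf '%s\n' "$decoded"
    done
}

# Print the SHA-256-shaped values (64 hex chars) found in records that mention user $2.
user_sha256() {
    decode_flat_files "$1" | grep -- "$2" | grep -oE '[0-9a-f]{64}' | sort -u
}

# Constructed sample data (assumed layout): one guard line plus one base64 record per file.
make_sample() {
    guard="<?php die('Direct call - access denied'); ?>"
    i=0
    for pair in \
        paul:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 \
        nadav:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    do
        u=${pair%%:*}; h=${pair#*:}; i=$((i + 1))
        rec="a:2:{s:4:\"name\";s:${#u}:\"$u\";s:4:\"pass\";s:64:\"$h\";}"
        { echo "$guard"; printf '%s' "$rec" | base64 | tr -d '\n'; echo; } > "$1/user$i.php"
    done
    # A file whose payload line is not base64 at all
    { echo "$guard"; echo 'not-base64-###'; } > "$1/broken.php"
}

# Demo run on the constructed files
d=$(mktemp -d)
make_sample "$d"
user_sha256 "$d" paul
rm -rf "$d"
```

Base64 in these files is an encoding, not protection: anything that can read the directory recovers the stored hashes in one pass.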
I could not change user with my low-interaction shell so I did a TTY upgrade ->
And we connect
We quickly find an SSH authorization key:
We copy the id_rsa key and connect to nadav user ->
We'll get root tomorrow