In this post, I would like to share a walkthrough of the Passage machine.
This room is rated as a MEDIUM difficulty machine.
Once we have started the VPN connection, we can start information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN
Let’s open the browser and go straight to the website interface.
There is nothing that we can make use of here. As a result, let’s read the source code of the website.
In the source code, we find a login page for CuteNews, which is a CMS portal.
So, let’s register so that we can log in to the dashboard.
Now, we are inside the dashboard as shown below.
We have to click on Personal Options, which directs us to a page that has an upload function.
We will use a normal PHP reverse shell that can commonly be found on the internet and modify the file:
- Add GIF8;
- Change IP
- Change Port
Once we have uploaded it, a message appears at the top showing “Success – User info updated!”
After that, we can access the uploads directory on the website path. In the uploads web directory, I notice that the PHP shell file has been stored there. Before clicking the file, we need to run a netcat listener in order to get a shell connection back to us.
When we look back at the shell interface, the shell connection has come back to us.
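Prepending GIF8; only helps if the upload check looks at nothing more than the first bytes of the file. As an added example (not CuteNews code and not part of the original walkthrough), here is a server-side avatar check that rejects that file; the extension allowlist, size limits, function names and sample bytes are assumptions constructed for illustration.

```python
import re
import struct

ALLOWED_EXT = {"gif", "png", "jpg", "jpeg"}      # assumed avatar allowlist
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)  # heuristic content scan

# Constructed samples: a harmless stand-in for the modified file, and a
# minimal header-only GIF (signature, 1x1 screen descriptor, trailer).
SPOOFED = b"GIF8;\n<?php echo 'placeholder'; ?>\n"
REAL_GIF = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b";"


def is_real_gif(data: bytes) -> bool:
    """True only for a complete GIF header, not just the 'GIF8' prefix."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    width, height = struct.unpack("<HH", data[6:10])
    return 0 < width <= 4096 and 0 < height <= 4096


def has_image_signature(data: bytes) -> bool:
    """Accept PNG and JPEG signatures, or a GIF with a sane header."""
    if data.startswith(b"\x89PNG\r\n\x1a\n") or data.startswith(b"\xff\xd8\xff"):
        return True
    return is_real_gif(data)


def check_avatar(filename: str, data: bytes) -> list[str]:
    """Return the reasons to reject an upload; an empty list means accept."""
    reasons = []
    parts = filename.lower().split(".")
    # Every suffix must be allowlisted, so x.php and x.php.gif both fail.
    if len(parts) < 2 or any(p not in ALLOWED_EXT for p in parts[1:]):
        reasons.append("extension not allowlisted")
    if not has_image_signature(data):
        reasons.append("content is not a well-formed GIF/PNG/JPEG header")
    if PHP_TAG.search(data):
        reasons.append("PHP open tag in file body")
    return reasons


if __name__ == "__main__":
    print("avatar.php:", check_avatar("avatar.php", SPOOFED))
    print("avatar.gif:", check_avatar("avatar.gif", REAL_GIF))
```

Content checks are only one layer: storing uploads under a server-generated name and serving the uploads directory with script execution disabled keeps a missed file from being run.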
We can go to /var/www/html/CuteNews/cdata/users and read all the PHP files in order to find anything special.
We will be using the CyberChef website until we get the output which starts with e26f3e (hint: base64).
Once we have that result, we will use another website such as CrackStation and paste in the result that we found in CyberChef.
Now, we can switch to the paul user by executing su paul and using the password that we found in the previous step.
For us to read the user.txt file, we need to go to /home/paul, which is the location of the user flag, and we can read it by executing cat user.txt
We can log in as nadav over the ssh service using the key which can be found at ~/.ssh, by executing ssh -i id_rsa nadav@<IP Address>
I have noticed that the exploit that we can look at will be related to USBCreator, and I had to do some research on the vulnerability. After a while, I found an exploit like the one shown in the screenshot above.
Finally, id_rsa was there after I had executed the exploit multiple times.
Let’s use ssh service as root by executing the command ssh -i id_rsa root@<IP Address>
Once we have successfully logged in to the machine as root, we should go to the /root/ directory in order to read root.txt (the root flag).
Happy Learning Guys!