🛡️HTB Writeup: Passage – From News to Root

🧠 TL;DR
We exploit a CuteNews RCE to get a foothold, crack a SHA-256 hash for lateral movement, and abuse a D-Bus service misconfiguration to escalate to root. All with a bit of vim, a sprinkle of gdbus, and some ssh sorcery.
🔍 Recon and Enumeration
🔎 Port Scan
The scan revealed two open ports:
Port 22 (SSH)
Port 80 (Apache)
📰 Web App
Visiting http://10.10.10.206 shows Passage News. We spot two author e-mail addresses on the site, which give us candidate usernames.
Digging deeper, /CuteNews is live and running version 2.1.2, which is vulnerable to RCE (CVE-2019-11447) via the avatar upload.
🚪 Initial Foothold (www-data)
Exploit Link:
Reverse Shell Payload:
🎯 Boom! We’re in as www-data.
🧬 Lateral Movement: www-data → paul
CuteNews stores user info in:
Let's decode:
🎉 Password = atlanta1
Switched user:
Tried to SSH in as paul with the password, but the server only accepts public-key authentication.
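The decode-and-crack step above, as an added example that is not part of the original writeup: CuteNews 2.x keeps each user record as base64 of a PHP-serialized array with an unsalted SHA-256 password hash, so the job is to base64-decode the line, pull out the 64-hex-character digest and test wordlist candidates against it. The record, e-mail address and wordlist below are constructed; the hash is computed at runtime from the password the writeup recovered so the example runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the writeup): decode a CuteNews-style user record
# and crack its unsalted SHA-256 password hash against a wordlist.
set -euo pipefail

# Constructed sample. CuteNews 2.x keeps each user record as base64 of a
# PHP-serialized array; the field layout and e-mail here are illustrative,
# and the hash is computed from the password recovered in the writeup so the
# example runs without a real box.
PAUL_HASH=$(printf '%s' 'atlanta1' | sha256sum | cut -d' ' -f1)
SAMPLE_RECORD=$(printf 'a:1:{s:4:"paul";a:3:{s:4:"name";s:4:"paul";s:4:"pass";s:64:"%s";s:5:"email";s:16:"paul@passage.htb";}}' "$PAUL_HASH" | base64 | tr -d '\n')

# Constructed wordlist: a few decoys plus the real password.
WORDLIST=$(mktemp)
trap 'rm -f "$WORDLIST"' EXIT
printf '%s\n' password passage 123456 atlanta1 letmein > "$WORDLIST"

# extract_hashes: read base64 lines on stdin, decode each one and print every
# 64-hex-character token (a SHA-256 hex digest) it contains, de-duplicated.
extract_hashes() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%s' "$line" | base64 -d 2>/dev/null | grep -oE '[0-9a-f]{64}' || true
  done | sort -u
}

# crack_sha256 HASH WORDLIST: print the first word whose SHA-256 equals HASH
# (unsalted, as CuteNews stores it); return 1 if the wordlist is exhausted.
crack_sha256() {
  local target=$1 wordlist=$2 word digest
  while IFS= read -r word; do
    digest=$(printf '%s' "$word" | sha256sum | cut -d' ' -f1)
    if [ "$digest" = "$target" ]; then
      printf '%s\n' "$word"
      return 0
    fi
  done < "$wordlist"
  return 1
}

# Stand-alone run: decode the sample record, then crack whatever hash it holds.
for h in $(printf '%s\n' "$SAMPLE_RECORD" | extract_hashes); do
  if pw=$(crack_sha256 "$h" "$WORDLIST"); then
    echo "$h -> $pw"
  else
    echo "$h -> no match in wordlist" >&2
  fi
done
```

On a real target you would feed the actual records to extract_hashes (piping the file through grep to drop the PHP die() guard line first) and hand the digests to hashcat mode 1400 with a proper wordlist; the shell loop is only to make the mechanics visible.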
🔐 Lateral Movement: paul → nadav
Found a shared key (paul → nadav) in paul's authorized_keys:
cat /home/paul/.ssh/authorized_keys

🗝️ Copied private key and connected:
We’re now nadav!
⚙️ Privilege Escalation: nadav → root
🔎 Key Find
Discovered interesting edit history in .viminfo:

I did look at the walkthrough at this point, but just to the point where I had to Google for a USB Creator exploit.
That got me to this GitHub gist: https://gist.github.com/noobpk/a4f0a029488f37939c4df6e20472501d
The system is misconfigured: the D-Bus policy allows unix-group:sudo to send to the USBCreator service and trigger its methods, which run as root, and our current user qualifies.
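The condition behind this escalation is a group grant in a system-bus policy file, so it is worth having a check that finds it. The example below is added here and is not part of the original writeup or of the gist: it parses a D-Bus policy file for a policy group="..." stanza that allows send_destination to a given bus name, and pairs that with the current user's group membership. Both policy files are constructed for the example (the real one lives under /etc/dbus-1/system.d/); the second is the same file with the group stanza removed, to show what the tightened version looks like.

```bash
#!/usr/bin/env bash
# Added example (not from the writeup): check a D-Bus system-bus policy file
# for a group that is allowed to send to a given bus name, the condition the
# writeup describes for unix-group:sudo and com.ubuntu.USBCreator. Both policy
# files below are constructed; the real one lives in /etc/dbus-1/system.d/.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: a policy that hands every member of group sudo a way to talk
# to the USBCreator service (whose methods run as root).
cat > "$WORK/lax.conf" <<'EOF'
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="com.ubuntu.USBCreator"/>
    <allow send_destination="com.ubuntu.USBCreator"/>
  </policy>
  <policy context="default">
    <deny send_destination="com.ubuntu.USBCreator"/>
  </policy>
  <policy group="sudo">
    <allow send_destination="com.ubuntu.USBCreator"/>
  </policy>
</busconfig>
EOF

# Constructed: the same file with the group grant removed, so only root (or
# whatever polkit explicitly authorises) can reach the service.
sed '/<policy group="sudo">/,/<\/policy>/d' "$WORK/lax.conf" > "$WORK/tight.conf"

# policy_allows_group CONF GROUP DEST: return 0 if CONF has a
# <policy group="GROUP"> stanza containing <allow send_destination="DEST">.
policy_allows_group() {
  local conf=$1 group=$2 dest=$3
  awk -v g="$group" -v d="$dest" '
    /<policy[ \t]+group=/ { in_grp = (index($0, "group=\"" g "\"") > 0) }
    /<\/policy>/          { in_grp = 0 }
    in_grp && /<allow[ \t]+send_destination=/ &&
      index($0, "send_destination=\"" d "\"") > 0 { found = 1 }
    END { exit (found ? 0 : 1) }
  ' "$conf"
}

# in_group GROUP: is the current user a member? That is what turns the grant
# into an escalation path for this account.
in_group() { id -nG | tr ' ' '\n' | grep -qx -- "$1"; }

# audit_dir DIR DEST: report every policy file under DIR that grants DEST to
# a group the current user belongs to.
audit_dir() {
  local dir=$1 dest=$2 f g
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    for g in $(id -nG); do
      if policy_allows_group "$f" "$g" "$dest"; then
        echo "$f: group $g may send to $dest"
      fi
    done
  done
}

# Stand-alone run on the constructed files.
if policy_allows_group "$WORK/lax.conf" sudo com.ubuntu.USBCreator; then
  echo "lax.conf: group sudo may send to com.ubuntu.USBCreator"
fi
if ! policy_allows_group "$WORK/tight.conf" sudo com.ubuntu.USBCreator; then
  echo "tight.conf: group sudo is not granted access"
fi
```

On a live host, audit_dir /etc/dbus-1/system.d com.ubuntu.USBCreator tells you whether the account you hold can reach the service at all; the bus policy is only the first gate, and whether a given method then checks polkit is what decides if the call actually does something dangerous.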
🔥 Exploit Time
Used this command to copy root’s SSH key:
Logged in as root:
🔒 Security Takeaways
Don’t store sensitive info (like password hashes) in world-readable files.
Avoid SSH key reuse across users.
Misconfiguring D-Bus services with lax polkit rules? That’s just asking for root compromise.
Bonus hardening for the .viminfo leak that gave away the privilege escalation: setting an empty viminfo option in the system-wide vimrc disables persistent Vim history for every user, so Vim no longer records:
Search history
Command history
Registers
File marks
If you want to be extra ruthless, create an empty .viminfo in the user's home and make it immutable. Vim won't be able to write to it, even if that user re-enables viminfo in their own ~/.vimrc (the price is that Vim complains about the unwritable file on exit unless the option is disabled as well).
Want to apply it system-wide for all users? Loop it over every home directory, and don't forget /root.
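Both layers as one script, added here as an example rather than taken from the original writeup. The paths are parameters so the functions can be exercised against a scratch tree; on a real host you would point them at /etc/vim/vimrc.local and /home (plus /root) as root. The scratch directory and user names are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the writeup): the two-layer .viminfo lockdown the
# text describes, with paths parameterised so it can be exercised against a
# scratch directory. On a real host call it with /etc/vim/vimrc.local and
# /home (plus /root) as root.
set -euo pipefail

# disable_viminfo_global VIMRC: append "set viminfo=" to the system vimrc so
# Vim keeps no persistent history (search/command history, registers, marks).
# Idempotent: the line is only added once.
disable_viminfo_global() {
  local vimrc=$1
  mkdir -p "$(dirname "$vimrc")"
  touch "$vimrc"
  grep -qx 'set viminfo=' "$vimrc" || printf '%s\n' 'set viminfo=' >> "$vimrc"
}

# lock_viminfo HOME_DIR: the "extra ruthless" layer. Truncate (or create)
# HOME_DIR/.viminfo and mark it immutable, so Vim cannot write history even if
# a user re-enables viminfo in ~/.vimrc. chattr needs root and an ext4/xfs-
# style filesystem; elsewhere the file is still emptied and a warning printed.
lock_viminfo() {
  local home=$1 f
  f="$home/.viminfo"
  : > "$f"
  if ! chattr +i "$f" 2>/dev/null; then
    echo "warning: could not set +i on $f (needs root and chattr support)" >&2
  fi
}

# lock_all_homes HOME_ROOT: apply lock_viminfo to every directory directly
# under HOME_ROOT (e.g. /home); run it on /root as well.
lock_all_homes() {
  local root=$1 h
  for h in "$root"/*/; do
    [ -d "$h" ] || continue
    lock_viminfo "${h%/}"
  done
}

# is_viminfo_locked HOME_DIR: 0 if .viminfo exists, is empty and carries the
# immutable flag according to lsattr; a compliance check after rollout.
is_viminfo_locked() {
  local f="$1/.viminfo"
  [ -f "$f" ] && [ ! -s "$f" ] && lsattr -d "$f" 2>/dev/null | cut -d' ' -f1 | grep -q i
}

# Stand-alone run against a constructed scratch tree instead of /.
SCRATCH=$(mktemp -d)
trap 'chattr -i "$SCRATCH"/home/*/.viminfo 2>/dev/null || true; rm -rf "$SCRATCH"' EXIT
mkdir -p "$SCRATCH/home/alice" "$SCRATCH/home/bob"
disable_viminfo_global "$SCRATCH/etc/vim/vimrc.local"
lock_all_homes "$SCRATCH/home"
cat "$SCRATCH/etc/vim/vimrc.local"
ls -la "$SCRATCH/home/alice/.viminfo" "$SCRATCH/home/bob/.viminfo"
```

The vimrc layer is the one that actually stops the leak; the immutable file is a backstop for users who override the option. Note that the history already sitting in an existing .viminfo is destroyed by the truncation, which is the point, but means you should review those files first if you are doing incident response rather than hardening.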