
Passage - Hack The Box

In Passage, I'll find and exploit CuteNews via an RCE CVE. The exploit returns SHA-256 hashes, which I'll crack. That user shares an SSH key with the next user on the box. To root, I'll exploit a bug in USBCreator that allows me to run sudo without knowing the user's password.

Portscan

[screenshot: nmap scan]

Website - Port 80

There’s a website running on the server with a news page.

[screenshot: nmapscan]

The footer shows a possible software name, which we'll look up on Exploit-DB.

[screenshot: footer]

Exploit-DB has a match for CuteNews. The most recent release of CuteNews is vulnerable to CVE-2019-11447, so it's safe to assume the site is running a vulnerable version.

[screenshot: exploit]

CuteNews exploitation

I'm going to first set up a Burp proxy on port 8080 and then have it redirect to passage.

[screenshot: burp]

Set Intercept to On.

[screenshot: burp]

Once the exploit reaches its command prompt, type any command, have Burp intercept the request and send it to Repeater. You should now have a cmd POST parameter to work with. I'm going to use netcat to establish a reverse shell through the PHP shell.

[screenshot: burp]

Paul

When we ran the CuteNews exploit, we were given the SHA-256 hashes of the users.

```
7144a8b531c27a60b51d81ae16be3a81cef722e11b43a26fde0ca97f9e1485e1
4bdd0a0bb47fc9f66cbf1a8982fd2d344d2aec283d1afaebb4653ec3954dff88
e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
f669a6f691f98ab0562356c0cd5d5e7dcdc20a07941c86adcfce9af3085fbeca
4db1f0bfd63be058d4ab04f18f65331ac11bb494b5792c480faf7fb0c40fa9cc
```

Attempting to crack them with john, I get a hit on one of them.

[screenshot: hashes]

I tried su to paul with it and it worked: paul:atlanta1

[screenshot: user]


Paul -> Nadav

Once we are Paul, we see another user named nadav, who appears to have more permissions than Paul. In paul's .ssh/authorized_keys we see nadav's public key. So perhaps Paul's public key is located in nadav's authorized_keys file as well?

[screenshots: nadav]



Privilege Escalation

Using the command ps aux, we find a usb-creator-helper script running as root.

[screenshot: ps]

After searching, you will find an article on a privesc method for this. [link]

According to the article, the _builtin_dd method takes unfiltered user input and passes it straight to dd, allowing us to overwrite files as root. Judging by all the times we worked with SSH keys on this box, it's safe to assume the root user has an SSH key as well, so we can just copy that key into a directory we can access, such as /tmp.

```bash
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/key true
```

After this, use the key to log in as root.
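As an added defensive example (not from the original post), here is a small Python detector over constructed `dbus-monitor --system` output that flags com.ubuntu.USBCreator.Image calls whose source is a privileged file or whose target is a world-writable directory, exactly the shape of the gdbus call above; the sample log lines and the sensitive-path lists are assumptions to tune per host.

```python
import re

# Constructed sample (not captured from the box) approximating `dbus-monitor --system` output:
SAMPLE_DBUS_MONITOR = """\
method call time=1600000000.100000 sender=:1.57 -> destination=com.ubuntu.USBCreator serial=2 path=/com/ubuntu/USBCreator; interface=com.ubuntu.USBCreator; member=Image
   string "/home/nadav/ubuntu.iso"
   string "/dev/sdb"
   boolean true
method call time=1600000001.200000 sender=:1.58 -> destination=com.ubuntu.USBCreator serial=3 path=/com/ubuntu/USBCreator; interface=com.ubuntu.USBCreator; member=Image
   string "/root/.ssh/id_rsa"
   string "/tmp/key"
   boolean true
"""
# Assumed policy: a legitimate USB-imaging call has no reason to touch these paths.
SENSITIVE_SOURCES = ("/root/", "/etc/shadow", "/etc/sudoers")
WORLD_WRITABLE_TARGETS = ("/tmp/", "/dev/shm/", "/var/tmp/")

CALL_RE = re.compile(r"^method call .*sender=(?P<sender>\S+) .*destination=com\.ubuntu\.USBCreator.*member=Image")
ARG_RE = re.compile(r'^\s+string "(?P<value>[^"]*)"')


def parse_image_calls(text):
    """Yield (sender, source, target) for every com.ubuntu.USBCreator.Image call in the text."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = CALL_RE.match(lines[i])
        if not m:
            i += 1
            continue
        args = []
        i += 1
        while i < len(lines) and len(args) < 2:  # Image() takes two string args, then a boolean
            a = ARG_RE.match(lines[i])
            if not a:
                break
            args.append(a.group("value"))
            i += 1
        if len(args) == 2:
            yield m.group("sender"), args[0], args[1]


def is_suspicious(source, target):
    """Image() runs dd as root, so flag reads of privileged files or drops into world-writable dirs."""
    reads_sensitive = source.startswith(SENSITIVE_SOURCES) or "/.ssh/" in source
    drops_public = target.startswith(WORLD_WRITABLE_TARGETS)
    return reads_sensitive or drops_public


def find_alerts(text):
    return [(s, src, dst) for s, src, dst in parse_image_calls(text) if is_suspicious(src, dst)]
```

On a live host the same parser can be fed from `dbus-monitor --system` piped in line by line; the benign imaging call in the sample produces no alert, the id_rsa copy does.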

root.txt ea114a815d97b948819dd2045fc575d3

This post is licensed under CC BY 4.0 by the author.