In Passage, I’ll find and exploit CuteNews with an RCE CVE. The exploit returns sha256 hashes, which I’ll crack. That user shares an SSH key with the next user on the box. To root, I’ll exploit a bug in USBCreator that allows me to run sudo without knowing the user’s password.
Website - Port 80
There’s a website running on the server with a news page.
The footer shows a possible software name which we’ll look up on Exploit-DB.
Exploit-DB has a match for CuteNews. The most recent release of CuteNews is vulnerable to CVE-2019-11447, so it’s safe to assume the site is running this software.
I’m going to first set up the Burp proxy on port 8080 and then have it redirect to passage. Once the exploit reaches its command prompt, type any command, have Burp intercept it, and send it to Repeater. You should now have a cmd POST param to work with. I’m going to use netcat to establish a reverse shell through the PHP shell.
When we ran the CuteNews exploit, we were given some sha256 hashes of the users.
7144a8b531c27a60b51d81ae16be3a81cef722e11b43a26fde0ca97f9e1485e1
4bdd0a0bb47fc9f66cbf1a8982fd2d344d2aec283d1afaebb4653ec3954dff88
e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
f669a6f691f98ab0562356c0cd5d5e7dcdc20a07941c86adcfce9af3085fbeca
4db1f0bfd63be058d4ab04f18f65331ac11bb494b5792c480faf7fb0c40fa9cc
Attempting to crack them with john, I get a hit on one of them.
Running su to paul with the cracked password works.
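The reason john gets a hit here is that the application stores a bare, unsalted SHA-256 of each password, which a fast hash cracker is built for. As an added example from the defender’s side (this is not code from the write-up or from CuteNews), the following Python module shows how an application owner would find such entries in a user store and migrate them to a salted, slow KDF on the user’s next successful login. The user records, passwords, the `pbkdf2_sha256$…` storage format and the iteration count are all constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# A bare 64-hex-character digest with no salt or work factor is exactly what
# a fast hash cracker targets; this module flags such entries and upgrades
# them to PBKDF2-HMAC-SHA256 once the plaintext is seen at login.
LEGACY_HEX_RE = re.compile(r"^[0-9a-f]{64}$")
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def classify_hash(stored: str) -> str:
    """Label a stored credential: 'unsalted-sha256', 'pbkdf2-sha256' or 'unknown'."""
    if LEGACY_HEX_RE.match(stored):
        return "unsalted-sha256"
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2-sha256"
    return "unknown"


def make_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash with a random 16-byte salt; the storage format is assumed, not CuteNews's."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Constant-time comparison for both the legacy and the upgraded format."""
    kind = classify_hash(stored)
    if kind == "unsalted-sha256":
        candidate = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored)
    if kind == "pbkdf2-sha256":
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


def verify_and_upgrade(store: Dict[str, str], username: str, password: str) -> bool:
    """Login check that silently rehashes a legacy entry once the plaintext is known."""
    stored = store.get(username)
    if stored is None or not verify(stored, password):
        return False
    if classify_hash(stored) == "unsalted-sha256":
        store[username] = make_pbkdf2(password)
    return True


def audit(store: Dict[str, str]) -> List[str]:
    """Usernames still protected only by an unsalted fast hash."""
    return sorted(u for u, h in store.items() if classify_hash(h) == "unsalted-sha256")


def constructed_store() -> Dict[str, str]:
    # Constructed sample data: these are not the hashes from the box.
    return {
        "legacy_user": hashlib.sha256(b"Summer2020!").hexdigest(),
        "migrated_user": make_pbkdf2("Tr0ub4dor&3", salt=bytes(16)),
    }


if __name__ == "__main__":
    users = constructed_store()
    print("needs migration:", audit(users))
    verify_and_upgrade(users, "legacy_user", "Summer2020!")
    print("after login:", audit(users))
```

Running `audit` against a real store gives the list of accounts whose hashes would fall to a wordlist attack; the upgrade-on-login path removes them without forcing a reset, and a forced reset remains the right call for any account that has not logged in by the deadline you set.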
Paul -> Nadav
Once as Paul, we see another user named nadav, who appears to have more permissions than Paul. In paul’s .ssh/authorized_keys we see nadav’s public key. So perhaps Paul’s public key is located in nadav’s authorized_keys file?
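The lateral move here works because one key pair is trusted by more than one account. As an added example (not code from the write-up), the following Python audit parses a set of authorized_keys files, fingerprints each key the same way `ssh-keygen -lf` does (SHA256 of the decoded key blob, base64 without padding), and reports any key accepted by more than one user. The usernames and key blobs in `SAMPLE_FILES` are constructed and are not real SSH keys.

```python
import base64
import hashlib
from collections import defaultdict
from typing import Dict, List, Set

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text: str) -> List[str]:
    """Return the base64 key blobs from authorized_keys text.

    Skips blank lines and comments; tolerates a leading options field such as
    from="..." (options containing spaces inside quotes are not handled).
    """
    blobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, tok in enumerate(fields):
            if tok.startswith(KEY_TYPE_PREFIXES):
                if i + 1 < len(fields):
                    blobs.append(fields[i + 1])
                break
    return blobs


def fingerprint(blob: str) -> str:
    """SHA256 fingerprint in the format ssh-keygen -lf prints."""
    raw = base64.b64decode(blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(files: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map fingerprint -> users trusting it, keeping only keys trusted by 2+ users."""
    owners: Dict[str, Set[str]] = defaultdict(set)
    for user, text in files.items():
        for blob in parse_authorized_keys(text):
            owners[fingerprint(blob)].add(user)
    return {fp: users for fp, users in owners.items() if len(users) > 1}


# Constructed sample input: placeholder blobs, not real public keys.
KEY_A = base64.b64encode(b"constructed key blob A (not a real key)").decode()
KEY_B = base64.b64encode(b"constructed key blob B (not a real key)").decode()
KEY_C = base64.b64encode(b"constructed key blob C (not a real key)").decode()

SAMPLE_FILES = {
    "paul": f"ssh-ed25519 {KEY_A} nadav@passage\n",
    "nadav": f"# nadav's keys\nssh-ed25519 {KEY_A} nadav@passage\nssh-rsa {KEY_B} nadav-backup\n",
    "root": f'from="10.0.0.5" ssh-ed25519 {KEY_C} root@passage\n',
}

if __name__ == "__main__":
    for fp, users in shared_keys(SAMPLE_FILES).items():
        print(f"{fp} trusted by: {', '.join(sorted(users))}")
```

On a real host, feed it the contents of each `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` override from sshd_config); a key that appears under two accounts means compromise of either account’s private key gives both.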
Using the command ps aux, we find a usb-creator-helper script running as root.
After searching, you will find an article on a privesc method for this (link).
According to the article, the _builtin_dd method takes unfiltered user input and passes it straight to dd, allowing us to overwrite files as root. Judging by all the times we worked with SSH keys on this box, it’s safe to assume the root user has an SSH key as well, so we can just copy the key into a directory we can access, such as /tmp:
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/key true
After this, use the key to log in as
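The root cause is a privileged D-Bus helper that copies whatever source to whatever target an unprivileged caller names. As an added example (not code from the write-up and not the usb-creator project’s own fix), the following Python module shows the input validation such a helper needs before it ever calls dd: the source must be a regular file the calling user could read under their own uid/gid, and the target must be a block device under /dev, with symlinks resolved first. The function names, the `DEVICE_ROOT` constant and the temp-file demo data are assumptions made for this example.

```python
import os
import stat
import tempfile
from typing import Dict

DEVICE_ROOT = "/dev"  # assumed: the only place a USB image target may live


def caller_can_read(path: str, uid: int, gid: int) -> bool:
    """True if a process running as uid/gid could read `path` by mode bits.

    Symlinks are resolved first so a link in /tmp cannot point at /root.
    Root (uid 0) is always allowed. POSIX ACLs are not consulted.
    """
    real = os.path.realpath(path)
    try:
        st = os.stat(real)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def is_allowed_target(path: str) -> bool:
    """True only for an existing block device whose real path is under /dev."""
    real = os.path.realpath(path)
    if not real.startswith(DEVICE_ROOT + "/"):
        return False
    try:
        st = os.stat(real)
    except OSError:
        return False
    return stat.S_ISBLK(st.st_mode)


def check_image_request(source: str, target: str, uid: int, gid: int) -> str:
    """Decision a privileged helper should make before invoking dd on caller input."""
    if not caller_can_read(source, uid, gid):
        return "reject: source is not a regular file readable by the caller"
    if not is_allowed_target(target):
        return f"reject: target is not a block device under {DEVICE_ROOT}"
    return "ok"


def demo_checks() -> Dict[str, object]:
    """Exercise the checks on a constructed temp file; no real device is needed."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "image.iso")
    with open(src, "wb") as f:
        f.write(b"constructed image contents")
    os.chmod(src, 0o600)  # owner-only, like a private key file
    me_uid, me_gid = os.getuid(), os.getgid()
    other_uid, other_gid = me_uid + 10_000, me_gid + 10_000
    regular_file_target = os.path.join(d, "key")
    return {
        "owner_reads": caller_can_read(src, me_uid, me_gid),
        "root_reads": caller_can_read(src, 0, 0),
        "other_reads": caller_can_read(src, other_uid, other_gid),
        "file_target_allowed": is_allowed_target(regular_file_target),
        "devnull_target_allowed": is_allowed_target("/dev/null"),  # char device
        "other_user_decision": check_image_request(src, regular_file_target, other_uid, other_gid),
        "owner_bad_target_decision": check_image_request(src, regular_file_target, me_uid, me_gid),
    }


if __name__ == "__main__":
    for name, value in demo_checks().items():
        print(f"{name}: {value}")
```

The mode-bit emulation is an approximation; the robust design is to have the helper open the source file while running in the caller’s security context (dropping privileges, or receiving an already-open file descriptor over D-Bus) so the kernel makes the access decision, and to gate the call behind a polkit action. On a host, the `ps aux` observation above pairs with monitoring: a root-owned `dd` spawned by usb-creator-helper with a non-/dev output path is the signal to alert on.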