This post documents the complete walkthrough of Passage, a retired vulnerable VM created by ChefByzen, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.
On this post
Background
Passage is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan
probe to establish the open ports in the host.
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.206 --rate=500
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-09-06 15:07:44 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.206
Discovered open port 80/tcp on 10.10.10.206
Nothing unusual. Let’s do one better with nmap
scanning the discovered ports to establish their services.
# nmap -n -v -Pn -p22,80 -A --reason 10.10.10.206 -oN nmap.txt
...
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
| 256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_ 256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Passage News
This is a shit-show. Here’s what the site looks like.
Looking at the source of CuteNews/rss.php
suggests that we are looking at CuteNews and I should add passage.htb
into /etc/hosts
.
<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/css" href="http://passage.htb/CuteNews/skins/rss_style.css" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Passage RSS Feed</title>
<link>http://passage.htb/news.php</link>
<language>en-us</language>
<description></description>
<!-- <docs>This is an RSS 2.0 file intended to be viewed in a newsreader or syndicated to another site. For more information on RSS check: http://www.feedburner.com/fb/a/aboutrss</docs> -->
<generator>CuteNews</generator>
<atom:link href="http://passage.htb/CuteNews/rss.php" rel="self" type="application/rss+xml" /><item>
<title><![CDATA[**Implemented Fail2Ban**]]></title>
<link>http://passage.htb/news.php?id=11</link>
<description><![CDATA[Due to unusally large amounts of traffic,]]></description>
<guid isPermaLink="false">1592488043</guid>
<pubDate>Thu, 18 Jun 2020 09:47:23 -0400</pubDate>
</item>
<item>
<title><![CDATA[Phasellus tristique urna]]></title>
<link>http://passage.htb/news.php?id=8</link>
<description><![CDATA[Sed felis pharetra, nec sodales diam sagittis.]]></description>
<guid isPermaLink="false">1591987514</guid>
<pubDate>Fri, 12 Jun 2020 14:45:14 -0400</pubDate>
</item>
<item>
<title><![CDATA[Aenean dapibus nec]]></title>
<link>http://passage.htb/news.php?id=7</link>
<description><![CDATA[Urna eget vulputate.]]></description>
<guid isPermaLink="false">1591450298</guid>
<pubDate>Sat, 06 Jun 2020 09:31:38 -0400</pubDate>
</item>
<item>
<title><![CDATA[Nullam metus tellus]]></title>
<link>http://passage.htb/news.php?id=6</link>
<description><![CDATA[Ornare ut fringilla id, accumsan quis turpis.]]></description>
<guid isPermaLink="false">1588433035</guid>
<pubDate>Sat, 02 May 2020 11:23:55 -0400</pubDate>
</item>
<item>
<title><![CDATA[Fusce cursus, nulla in ultricies]]></title>
<link>http://passage.htb/news.php?id=5</link>
<description><![CDATA[Posuere, lectus metus ultricies neque, eu pulvinar enim nisi id tortor.]]></description>
<guid isPermaLink="false">1587128696</guid>
<pubDate>Fri, 17 Apr 2020 09:04:56 -0400</pubDate>
</item>
<item>
<title><![CDATA[Maecenas varius convallis]]></title>
<link>http://passage.htb/news.php?id=4</link>
<description><![CDATA[Nisi ut porta.]]></description>
<guid isPermaLink="false">1586711095</guid>
<pubDate>Sun, 12 Apr 2020 13:04:55 -0400</pubDate>
</item>
<item>
<title><![CDATA[Nunc facilisis ornare]]></title>
<link>http://passage.htb/news.php?id=3</link>
<description><![CDATA[Arcu quis finibus.]]></description>
<guid isPermaLink="false">1585405439</guid>
<pubDate>Sat, 28 Mar 2020 10:23:59 -0400</pubDate>
</item>
<item>
<title><![CDATA[Sed porta lectus]]></title>
<link>http://passage.htb/news.php?id=2</link>
<description><![CDATA[Vitae justo ultricies vehicula.]]></description>
<guid isPermaLink="false">1584459160</guid>
<pubDate>Tue, 17 Mar 2020 11:32:40 -0400</pubDate>
</item>
<item>
<title><![CDATA[Lorem ipsum dolor]]></title>
<link>http://passage.htb/news.php?id=1</link>
<description><![CDATA[Sit amet, consectetur adipiscing elit.]]></description>
<guid isPermaLink="false">1583243399</guid>
<pubDate>Tue, 03 Mar 2020 08:49:59 -0500</pubDate>
</item>
<!-- News Powered by CuteNews: http://cutephp.com/ --></channel></rss>
CuteNews 2.1.2 - ‘avatar’ Remote Code Execution (Metasploit)
Searching for CuteNews exploits with searchsploit
reveals the following.
It was a simple matter of copying the Metasploit module to ~/.msf4/modules/exploits/multi/http/cutenews_avatar_rce.rb
and reload_all
in msfconsole
for it to work. Oh yes, there’s an minor typo in this module, a missing comma between the two URL references.
Since this is an authenticated RCE exploit, we need credentials. Lucky for us, the site has a user registration function.
And we are in!
Hold up, this is only part of the puzzle. We haven’t run our exploit.
Foothold
Let’s exploit.
OK. This time we are truly in! Because I prefer a full TTY shell, let’s run another reverse shell back to us. Again, lucky for us, there’s a nc
lying around that comes with the -e
switch.
CuteNews cdata
directory
It should be clear at this point we should try to gain access to paul
’s account and then make our way to nadav
’s account.
A little digging around CuteNews configuration soon revealed the presence of directory cdata/users
, where all the users information is base64
-encoded like so.
<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjU6ImFkbWluIjt9fQ==
Here’s a little Linux-fu to save the day.
CrackStation tells me that the password for that hash is atlanta1
.
And there you have it.
The file user.txt
is at paul
’s home directory.
Privilege Escalation
During enumeration of paul
’s account, I notice that nadav
’s SSH key is in /home/paul/.ssh
. Sneaky~
This means that we are able to SSH to nadav
’s account like so.
During enumeration of nadav
’s account, I saw the hint left behind by the creator.
USBCreator D-Bus Privilege Escalation in Ubuntu Desktop
The hint led me to this.
A vulnerability in the USBCreator D-Bus interface allows an attacker with access to a user in the sudoer group to bypass the password security policy imposed by the sudo program. The vulnerability allows an attacker to overwrite arbitrary files with arbitrary content, as root – without supplying a password.
Check out the groups nadav
is in.
Please tell me you’re seeing this too? Is the creator and the author of the write-up the same person?
Anyway, the end is here…
Time to claim the prize!