Hackthebox — Passage Walkthrough

Atalay Samet Ergen
7 min read, Mar 6, 2021


First things first: we run an initial Nmap scan to see which ports are open and which services are running on them.

-sC: runs the default Nmap scripts

-sV: enumerates service versions

We get back the following result, showing that two ports are open: 22 and 80.

Port 80 is running a web server, so we perform the standard enumeration techniques on it.

We take note of the email addresses and their domain so we can add the domain to the hosts file on our machine.

We add passage.htb to our hosts file.

After some manual enumeration of the website we encounter an article called **Implemented Fail2Ban**.

Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Fail2Ban is able to reduce the rate of incorrect authentication attempts; however, it cannot eliminate the risk that weak authentication presents. Configure services to use only two-factor or public/private authentication mechanisms if you really want to protect services.

https://www.fail2ban.org/wiki/index.php/Main_Page

So Fail2Ban, an intrusion prevention framework, is installed. That means we are not able to brute-force hidden directories.

Continuing manual enumeration, we find a page called Passage RSS Feed.

Let’s navigate to CuteNews directory.

We get a login panel.

We try some default credentials such as admin/admin, admin/password, admin/passage, etc. However, none of them work.

The bottom of the panel states that CuteNews version 2.1.2 is running.

We check that version with searchsploit, a utility for searching the Exploit Database archive (aka exploit-db).

We go with the python script. Let’s view the script.

What this exploit code basically does is register a username and password, then upload a fake GIF file with PHP code inside, and finally give us a webshell.
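As an added defensive aside, not code from the walkthrough or from the CuteNews project: a Python upload check that rejects the polyglot the exploit relies on, a file whose first bytes say GIF but whose body carries a PHP tag. The file names, extensions and sample bytes are constructed for the illustration.

```python
import re
from typing import Optional, Tuple

# Magic bytes of the image types an avatar/media upload is allowed to be.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
ALLOWED_EXT = {"gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}
# PHP open tags (long and short-echo) and script tags inside the file body.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)|<script\b", re.IGNORECASE)
# Server-side extensions anywhere in the name, so "x.php.gif" is caught too.
SERVER_EXT = re.compile(r"\.(php\d?|phtml|phar|htaccess)(\.|$)", re.IGNORECASE)

def sniff_type(data: bytes) -> Optional[str]:
    """Identify the image type from its leading bytes, not from its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file."""
    if SERVER_EXT.search(filename):
        return False, "server-side extension in file name"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    kind = sniff_type(data)
    if kind is None:
        return False, "magic bytes do not match an allowed image type"
    if kind != ALLOWED_EXT[ext]:
        return False, f"extension says {ext} but content is {kind}"
    if PHP_TAG.search(data):
        return False, "script tag embedded in image body"
    # Accepting the bytes is not enough: the upload directory must also be
    # served without PHP execution (defence in depth if a check is bypassed).
    return True, "ok"

if __name__ == "__main__":
    # Constructed samples, not files from the box: a clean GIF header and a
    # GIF header followed by a PHP tag (the polyglot shape the exploit uses).
    clean = b"GIF89a" + b"\x00" * 16
    polyglot = b"GIF89a<?php echo 'x'; ?>"
    print(validate_upload("avatar.gif", clean))      # (True, 'ok')
    print(validate_upload("avatar.gif", polyglot))   # (False, 'script tag embedded in image body')
    print(validate_upload("avatar.php.gif", clean))  # (False, 'server-side extension in file name')
```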

We download the script onto our machine.

And run it by entering the target address.

We get a webshell as www-data after the payload runs successfully.

Now, it is time to get a reverse shell. Firstly, we start up a listener on our machine.

We go to pentestmonkey and grab the netcat command. Afterwards, we run the command in the webshell.

Great! We get the reverse shell.

Let’s upgrade our shell to a fully interactive TTY shell.

Let’s background the session by typing CTRL+z and run the following command, which tells our terminal to pass keyboard shortcuts through to the shell.

Cool! We now have a fully interactive shell.

As www-data we do not have the privileges to do anything worthwhile, so we need to find a way to escalate our privileges.

After enumerating the web files we find some interesting files: users, users.db.php and users.txt.

Let’s first navigate to the users file.

The users.txt file is empty.

Well, what are those php files? Let’s view some of them.

We see that it contains user data encoded in Base64.

There might be interesting data in them, so we need to view each one.

With this command we go through every file one by one, take the data inside and append it to a file called bunchofdata.

We have them all. We do some cleanup on the file.

Now we have only the Base64-encoded data.

Let’s decode it and see if there is something interesting for us.

Cool! We get the admin credentials.

We need to crack the hash. We go to md5hashing and try to look it up. However, it could not crack the hash.

We look further through the decoded data and this time find Paul’s credentials.

This one is cracked successfully, but again it does not work.

We are not giving up! Let’s try this one too.

Well, this one seems to be okay. Time to switch to the user paul.

Great! We successfully switched to paul.

We start to enumerate the box. The .ssh directory is one of the places we should always check.

There is an authorized_keys file that contains paul’s and nadav’s SSH keys for logging into the machine.

We now have the private key.

We copy the key onto our machine.

We set its permissions to 600.

And we successfully SSH into nadav’s account using the private key we found.

We need to escalate our privileges to root in order to get the root.txt flag.

We see that an interesting process is running on the box.

Let’s view the code.

We search for the usb-creator privilege escalation method. Let’s go to the first result.

The article states that access to a user in the sudo group can bypass the password security policy imposed by the sudo binary, due to a vulnerability in the USBCreator D-Bus interface.

The article also shows that USBCreator contains a Python implementation of the Unix tool dd, which allows copying files between locations without verification of the source or destination paths, or password prompts. We invoke the method com.ubuntu.USBCreator.Image to exploit this vulnerability.

Finally, we copy the root.txt file to note.txt with the following command.
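As an added illustration of the bug class the article describes (this is neither the USBCreator code nor the exploit): a toy Python helper that copies files, first with the unchecked behaviour and then with the path allow-listing a privileged copy routine needs, resolving real paths so neither `..` nor a symlink can redirect the copy. The directory names and file contents are constructed for the demo.

```python
import os
import shutil
import tempfile

def _inside(path: str, root: str) -> bool:
    """True if the fully resolved path lies under root (no '..' or symlink escape)."""
    real, root = os.path.realpath(path), os.path.realpath(root)
    return real == root or real.startswith(root + os.sep)

def safe_image(source: str, target: str, src_roots, dst_roots) -> None:
    """Hardened variant: both ends must resolve inside pre-approved directories
    and neither may be a symlink, so the copy cannot be redirected."""
    if os.path.islink(source) or os.path.islink(target):
        raise PermissionError("refusing to operate on symlinks")
    if not any(_inside(source, r) for r in src_roots):
        raise PermissionError(f"source outside allowed roots: {source}")
    if not any(_inside(target, r) for r in dst_roots):
        raise PermissionError(f"target outside allowed roots: {target}")
    shutil.copyfile(source, target)

def demo() -> dict:
    """Constructed scenario: a sensitive file outside the approved roots, an
    approved staging directory and an approved output directory."""
    base = tempfile.mkdtemp()
    staging, out = os.path.join(base, "staging"), os.path.join(base, "out")
    os.mkdir(staging)
    os.mkdir(out)
    secret, iso = os.path.join(base, "secret.txt"), os.path.join(staging, "image.iso")
    for path, text in ((secret, "sensitive"), (iso, "iso-bytes")):
        with open(path, "w") as f:
            f.write(text)
    def blocked(src: str) -> bool:  # does the hardened copy refuse this source?
        try:
            safe_image(src, os.path.join(out, "leak.txt"), [staging], [out])
            return False
        except PermissionError:
            return True
    results = {}
    # The flaw's shape: the helper copies whatever paths it is handed, unchecked.
    shutil.copyfile(secret, os.path.join(out, "leak.txt"))
    results["unsafe_copied"] = os.path.exists(os.path.join(out, "leak.txt"))
    results["blocked_outside"] = blocked(secret)
    link = os.path.join(staging, "link")
    os.symlink(secret, link)
    results["blocked_symlink"] = blocked(link)
    safe_image(iso, os.path.join(out, "image.iso"), [staging], [out])
    results["allowed_inside"] = os.path.exists(os.path.join(out, "image.iso"))
    shutil.rmtree(base)
    return results
```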

We successfully get the root.txt file.

Thank you for your time.

Originally published at https://atalaysblog.wordpress.com on March 6, 2021.
