To solve this machine, we begin by enumerating exposed services – finding ports
80 open. Using source code analysis on the web server, we find a login page for
CuteNews CMS, as well as its version. Exploiting a vulnerability in the avatar uploader, we are able to get a reverse shell on the machine as the
www-data user. Looking around the webserver files, we find encoded password hashes, that we are able to crack. Using the password, we are able to log in as
paul – allowing read access to
user.txt. Using SSH, we are able to privesc to the
nadav user. After enumerating the file system, we learn that a vulnerable version of the USBCreator dbus interface is installed. Exploiting it, we are able to read/write files as
root – allowing us to gain access to
Like all machines, we begin by enumerating exposed services using nmap – finding ports
$ sudo nmap -v -p- --min-rate 3000 $RHOST [...] $ sudo nmap -A -oA enum/nmap/tcp-scripts -p80,22 $RHOST # Nmap 7.80 scan initiated Sat Sep 5 14:02:36 2020 as: nmap -A -oA enum/nmap/tcp-scripts -p80,22 10.129.4.205 Nmap scan report for 10.129.4.205 Host is up (0.042s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA) | 256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA) |_ 256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Passage News Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), Linux 3.18 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 - 4.11 (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Linux 3.12 (93%), Linux 3.13 (93%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 443/tcp) HOP RTT ADDRESS 1 42.41 ms 10.10.14.1 2 42.63 ms 10.129.4.205 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Sep 5 14:03:00 2020 -- 1 IP address (1 host up) scanned in 23.98 seconds
Going to the website, we see that fail2ban is enabled, so we are unable to use automated tools like gobuster to find hidden files and directories.
Looking around the website, we find a potential domain name of
passage.htb from some contact information, and add it to our
http://passage.htb/CuteNews/, we are presented with a login page for
CuteNews news management system, where we get find a disclosure that it is running version
CuteNews 2.1.2, we find that it is vulnerable to a remote code execution vulnerability in its avatar upload process. In order to upload an avatar, we need to first register an account. Once the account is registered, we can click “Personal options” to edit our account and upload an avatar.
To exploit this, we can concatenate an image with our php reverse shell, and save them to a file. For my reverse shell, I used the
laudanum, and made the necessary changes.
$ cat image.png reverse-shell.php > revshell.png
Next, we start our reverse shell listener. Since the CVE states the image header should be “GIF”, we can capture the upload request in BurpSuite, change the file header, and the file extension (so the php interpreter will process it). Once we make the edits and forward the request, we get a reverse shell as
Since we had to create an account, we know there is a database of some kind. Using netstat to check for listening services, we do not see anything associated with a database. Next, we explore the webserver files, as user accounts/account configurations may be stored in a file rather than a networked database. In our exploration, we find the
/var/www/html/CuteNews/cdata/users/ directory. Within it, we find several files, all appearing to contain encoded data. Assuming the data is base64 encoded (most common), we attempt to decode it, and see what appears to be user account data.
Further examining the files, they appear to be incremental iterations of the same data, so we choose to decode the largest file –
lines. Looking through the data, we see what appears to be password hashes for associated user accounts.
Sending them through hashcat, we are only able to crack one of them. Checking out the user home directories in
/home/, we see only 2 possible accounts the password can be tried against. Using su to login as
paul, we are able to get
paul, we look around his
.ssh/ folder and grab the
id_rsa file so we can log in directly via ssh. Looking at the
authorized_keys file, we see an entry for the
nadav user, which gives us the idea that we may be able to SSH into the
nadav account. Trying it, we are allowed a shell as
nadav‘s home directory, we see a
.viminfo file, which is kind of like a cache file for vim. Looking through it, we find several references to
Googling for things like “ubuntu usbcreator exploit” and “dbus usb creator exploit”, we find this article, which interestingly is authored by someone named
Nadav. According to the article, the daemon needs to be running as
root to be effective. To check this, we can use busctl. Doing so, we see it is not running, however, it is activatable.
$ busctl list
To activate it, we just need to interact with the daemon. We can use something like the tree command to activate it.
$ busctl tree com.ubuntu.USBCreator
Following the rest of the article, we introspect the object to view its methods. Next, we invoke the
Image method to read
root‘s SSH key, and use it to SSH into the machine as
root. Finally, we are able to read
Thank you for taking the time to read my write-up. I am interested in other ways this machine has been solved. Feel free to reach out to me and we can discuss it. Thanks!