Passage — HackTheBox

y4th0ts
Mar 6, 2021

Summary

Passage is a medium-rated Linux machine created by ChefByzen. The initial foothold is gained by exploiting a vulnerable version of CuteNews PHP. User compromise is performed by finding encoded files and cracking a SHA256 password hash. Movement to another user was done by simply authenticating over SSH on localhost. Root privileges are granted after copying nadav’s public key to root’s authorized_keys file by exploiting a vulnerable USB creator (gdbus).

Reconnaissance

Nmap discovered port 22 (SSH) and port 80 (HTTP) open.

Visiting the HTTP service displays a ‘Passage News’ page and a note about a Fail2Ban implementation. I avoided brute forcing directories and files to prevent myself from possibly getting banned.

Checking the source code reveals a possible user nadav.

Remote Code Execution

At the bottom of the page, we can see a technology being used by the server which is CuteNews — PHP News Management System.

Clicking the link redirects us to the download page of the version installed on the server. Further research led to the discovery of a Remote Code Execution POC on exploit-db.

After downloading the public exploit and running it, an input for URL is displayed. Entering the target’s link to the HTTP service will spawn a webshell as www-data.

Since it is only a webshell, I used it to get a reverse shell so I can enumerate effectively.

Finding User Credentials

Further information gathering led me to a file named lines in the /var/www/html/CuteNews/cdata/users directory; its contents are mostly base64 encoded.

I went to my go-to site for decoding/encoding, CyberChef, and tried to decode the strings. I found hashes which looked like SHA256 hashes.

Of all the hashes, I was able to crack one, which is for the user ‘paul’.

Using the password on SSH did not work so I switched user using my current reverse shell. I was able to get the user flag afterwards.

Movement to Nadav User

I copied paul’s private SSH key and logged in to SSH for better shell functionality.

authorized_keys and known_hosts files also exist in Paul’s SSH directory so I checked them out. I discovered that nadav’s public key is in his authorized_keys.

I tried authenticating over SSH on localhost as nadav in the hope of successfully logging in and, luckily, I was able to.

Privilege Escalation

Enumerating processes shows usb-creator-helper being run by root. After looking it up on Google, I found an article that demonstrates how to perform privilege escalation with the USB-creator (gdbus) service.

According to the article, the USB-creator service has a Python implementation of the Unix tool dd which allows a user to copy files between locations with root privileges. I used it to copy nadav’s public key into root’s .ssh/authorized_keys and authenticate as root.

Command: gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/.ssh/id_rsa.pub /root/.ssh/authorized_keys true
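
The move from paul to nadav and the final write to root's authorized_keys both come down to one public key being trusted by more than one account. As an added example (not part of the original write-up), this Python audit fingerprints OpenSSH public keys and flags that condition; the input dictionaries, key blobs and key comments are constructed sample data, not values from the machine.

```python
import base64
import hashlib
from collections import defaultdict

def parse_key(line):
    """Return (key_type, SHA256 fingerprint) for an OpenSSH public-key line, else None."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    # authorized_keys entries may carry leading options, so search for the key type.
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            try:
                blob = base64.b64decode(parts[i + 1], validate=True)
            except ValueError:
                continue  # token only looked like a key type (e.g. inside command="...")
            digest = hashlib.sha256(blob).digest()
            return tok, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def fingerprints(files):
    """Map fingerprint -> set of accounts, given {account: file text}."""
    seen = defaultdict(set)
    for account, text in files.items():
        for line in text.splitlines():
            key = parse_key(line)
            if key:
                seen[key[1]].add(account)
    return seen

def audit(authorized, public_keys):
    """Flag keys that open several accounts or cross from their owner to another account."""
    grants, owners = fingerprints(authorized), fingerprints(public_keys)
    findings = []
    for fp, accounts in grants.items():
        if len(accounts) > 1:
            findings.append(("shared-key", fp, ",".join(sorted(accounts))))
        for owner in owners.get(fp, ()):
            findings.extend(("cross-account", fp, f"{owner}->{t}") for t in accounts - {owner})
    return sorted(findings)

# Constructed sample data (not real keys): file contents keyed by account name.
KEY_N = "ssh-rsa " + base64.b64encode(b"constructed key blob N").decode() + " nadav@example"
KEY_R = "ssh-rsa " + base64.b64encode(b"constructed key blob R").decode() + " admin@example"
SAMPLE_AUTHORIZED = {"paul": KEY_N, "nadav": KEY_N, "root": KEY_R + "\n" + KEY_N}
SAMPLE_PUBLIC = {"nadav": KEY_N}  # id_rsa.pub found in each home directory

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED, SAMPLE_PUBLIC):
        print(*finding)
```

On a real host the two dictionaries would be filled from each account's ~/.ssh/authorized_keys and ~/.ssh/*.pub; any cross-account finding that targets root deserves immediate review.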

That is it for Passage. Thank you for reading and have a great day!
