Hackthebox Atom writeup
Introduction@Atom:~$
| Column | Details |
|---|---|
| Name | Atom |
| IP | 10.10.10.237 |
| Points | 30 |
| OS | Windows |
| Difficulty | Medium |
| Creator | MrR3boot |
| Out On | 17 Apr 2021 |
Nmap
Let's start with port 80.
Port 80
There is a simple HTML page.
Let's check HTTPS on port 443.
The same page is served on ports 80 and 443, so nothing interesting there.
Now let's check with smbclient.
┌─[puck@parrot-lt]─[~/htb/atom]
└──╼ $smbclient -L \\10.10.10.237 -U ""
Enter WORKGROUP\'s password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Software_Updates Disk
SMB1 disabled -- no workgroup available
┌─[puck@parrot-lt]─[~/htb/atom]
We have an interesting share called Software_Updates; let's check what's inside.
Inside the folders there is nothing for us, but there is a PDF file. Let's grab it real quick.
After reading the PDF I know that we can place the update in any client folder and an automated script checks for the update.
So if we place a reverse shell instead of the update we can get a reverse shell, but for that we need to bypass the "Signature Validation".
So I searched Google for an electron-builder exploit and found a good blog post.
Link: Signature Validation Bypass Leading to RCE In Electron-Updater
After reading the blog I understood how to bypass the signature and get a reverse shell.
I am using msfvenom for creating the reverse shell.
We got the hash; now let's start msfconsole to catch the reverse shell.
Now we need to create a file called latest.yml and add our hash inside this file.
latest.yml
My file looks like this.
Now start your python3 server on port 80 and we are good to go.
The last thing you want to do is put the file inside the client2 or client1 folder; it's your choice.
After putting the file, wait for 10 seconds and you get the reverse shell in Metasploit.
Boom, we got the shell.
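The whole chain hinges on the updater trusting the sha512 value it reads from latest.yml (the linked blog post explains the details). As an added example, not the author's code and not electron-updater's own, here is the check a defender-side updater should perform before doing anything with that value: accept the sha512 field only if it is exactly a base64-encoded 64-byte digest, then compare it against the installer that was actually downloaded. The installer bytes and both manifests are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import re

# A base64-encoded SHA-512 digest is exactly 88 characters: 86 from the
# base64 alphabet followed by "==" padding. Anything else is not a digest.
SHA512_B64 = re.compile(r"^[A-Za-z0-9+/]{86}==$")

def encode_digest(data: bytes) -> str:
    """Base64 SHA-512 of data, the form electron-builder writes into latest.yml."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")

def parse_latest_yml(text: str) -> dict:
    """Minimal reader for the flat top-level `key: value` lines of latest.yml.
    Indented `files:` entries, list items and comments are skipped."""
    fields = {}
    for line in text.splitlines():
        if line[:1] in (" ", "-", "#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip().strip("'\"")
    return fields

def digest_is_well_formed(value: str) -> bool:
    """Accept only a string that decodes to exactly 64 bytes of SHA-512."""
    if not SHA512_B64.fullmatch(value):
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == 64
    except (ValueError, binascii.Error):
        return False

def installer_matches_manifest(installer: bytes, manifest_text: str) -> bool:
    """Check the declared sha512's shape first, then compare it with the real hash.
    A malformed value is rejected before it could reach any command line."""
    declared = parse_latest_yml(manifest_text).get("sha512", "")
    if not digest_is_well_formed(declared):
        return False
    return hmac.compare_digest(encode_digest(installer), declared)

# Constructed sample data (not from the box): a fake installer and two manifests.
SAMPLE_INSTALLER = b"constructed installer bytes for the example"
GOOD_MANIFEST = ("version: 1.0.1\npath: app-Setup-1.0.1.exe\n"
                 f"sha512: {encode_digest(SAMPLE_INSTALLER)}\n")
BAD_MANIFEST = "version: 1.0.1\npath: app-Setup-1.0.1.exe\nsha512: not-a-real-digest\n"
```

Calling installer_matches_manifest(SAMPLE_INSTALLER, GOOD_MANIFEST) returns True, while the malformed manifest and any tampered installer bytes return False without the digest string ever being interpreted.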
I will also share a bash script to automate the work of getting the reverse shell.
dedsec.sh
Now let's get our user.txt file.
Privilege escalation
Let's run winPEAS.
Link: winPEASx64.exe
After running winPEAS I got two interesting things: first a file called redis.windows-service.conf, and second a running service called redis-server.
First let's get the file and see what's inside.
I found a password -> kidvscat_yes_kidvscat
With this password we can connect to redis-server.
But first, if you don't have redis-cli, install it with this command.
And here is the cheatsheet of redis-cli commands.
Link: redis_cheatsheet
Now let's connect to the server.
Let's list the keys.
Now let's go with the first user, because the first one is always admin.
We got the hash -> Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi
Now the question is how to crack or decrypt this hash.
I checked the winPEAS result again and found something good.
I downloaded the PDF and read it.
After reading this I understood that portable-kanban stores all the settings and the encrypted password.
Let's search Google for any exploit for portable kanban.
Link: Python3 Script
Found a python3 script for Encrypted Password Disclosure.
With the help of this script I can decrypt the hash.
But the problem is that the script requires a file called PortableKanban.pk3, so I modified the script for our use case.
decrypt.py
Before running the script, install its requirements with this command.
Now we are ready to decrypt the hash.
And we got the password of Administrator -> kidvscat_admin_@123
Now let's login with evil-winrm.
And we pwned it.
Resources
| Topic | Url |
|---|---|
| Signature Validation Bypass | https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html |
| winPEASx64.exe | https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite…… |
| redis_cheatsheet | https://gist.github.com/LeCoupa/1596b8f359ad8812c7271b5322c30946 |
| PortableKanban Encrypted Password Disclosure | https://www.torchsec.net/portablekanban-4-3-6578-38136-encrypted-password-disclosure-torchsec/ |
| Python3 Script | https://dl.packetstormsecurity.net/2101-exploits/pk43657838136-disclose.txt |