Hack The Box Arkham Detailed Writeup | 10.10.10.130

Arkham is a medium difficulty machine, which is now retired. Here in this post, you can learn the intended way of exploiting this Windows machine.

By the time the exploitation is done, you will have learned the following skill:

● How to exploit Java deserialization on a Windows machine

ENUMERATION

Let's start with enumeration.

HERE IS THE NMAP OUTPUT

So, nmap revealed that I have IIS on port 80, Apache on port 8080 and SMB enabled. I immediately went to see what SMB has on the box; from my previous experience, SMB is the service I prefer to enumerate first.

There is a share called Batshare which, according to its description, seems to hold some kind of secrets. Let's go deeper and see what it contains.

The share contains a compressed file called appserver.zip. I used the get command to download the archive to my local machine to see what it contains.

There are 2 files inside: a text file that reads “Alfred, this is the backup image from our linux server. Please see that The Joker or anyone else doesn’t have unauthenticated access to it. – Bruce” and an encrypted image, “backup.img”.

After running hashcat against backup.img with rockyou.txt, I recovered the password: batmanforever.

I will mount the image file and see what it contains using the password I found in the above step.

The mount has the script of the film Batman Begins, some pictures and some Tomcat “stuff”.

After going through the files, I found web.xml.bak interesting; let's see what it contains:

Well, I found a couple of “secrets”. I'm still unaware of what these secrets are used for, so I moved on to the other services on the box which might be helpful. Port 80 has IIS running and port 8080 has a custom website named “mask”.

There are a couple of links on the Mask website. The “subscribe to us” form has an input field, so I entered my name as the email address and clicked sign up, and I got a confirmation saying my email “nav1n” has been registered. This looks loosely configured, as the form doesn't validate the email address; let's find out if I can exploit it. I also found that the page seems to be an Apache MyFaces instance. I wanted to see what happens after I sign up, so I used Burp to intercept the request and look at the responses I get from the web server.

BURP SUITE REQUEST

I found a couple of hints in the HTB forum saying that this request holds a Java serialized object, which is a potential deserialization vulnerability. I seem to have found the way in, so let's dig more into Apache MyFaces, which I had no experience with. I found this article useful: https://myfaces.apache.org/core20/myfaces-impl-shared/apidocs/org/apache/myfaces/shared/util/StateUtils.html

The XML backup file I found in the mounted image is related to this: after some brainstorming, I understood that this page uses encrypted ViewStates, configured by the web.xml.bak I found earlier.

These are the things I collected so far.

  • STATE_SAVING_METHOD: saved on the server side.
  • SECRET: SnNGOTg3Ni0= (the secret I found in the XML file)
  • MAC_ALGORITHM: HmacSHA1
  • ENCRYPTION_ALGORITHM: DES (default)
  • PADDING: PKCS5 (default)
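The settings collected above are exactly the ones a defender should be checking in a MyFaces deployment: client-held state, a secret sitting in web.xml (and in its backups), and the DES/ECB/HmacSHA1 defaults. The script below is an added example, not code from this writeup or from the MyFaces project: it parses the `<context-param>` entries of a web.xml and reports each weak setting with the fix. The parameter names and defaults follow the StateUtils documentation linked above; the sample web.xml is constructed for the example and is not the machine's file.

```python
"""Audit a JSF/MyFaces web.xml for the ViewState weaknesses described above.

Added example, not code from the writeup. Parameter names and defaults
follow the MyFaces StateUtils documentation; the sample web.xml below is
constructed for this example, not the machine's file.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample modelled on the values collected in the writeup.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
  <context-param>
    <param-name>org.apache.myfaces.SECRET</param-name>
    <param-value>SnNGOTg3Ni0=</param-value>
  </context-param>
  <context-param>
    <param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
    <param-value>HmacSHA1</param-value>
  </context-param>
</web-app>
"""

# Values StateUtils falls back to when the parameter is absent.
DEFAULTS = {
    "javax.faces.STATE_SAVING_METHOD": "server",
    "org.apache.myfaces.USE_ENCRYPTION": "true",
    "org.apache.myfaces.ALGORITHM": "DES",
    "org.apache.myfaces.ALGORITHM.PARAMETERS": "ECB/PKCS5Padding",
    "org.apache.myfaces.MAC_ALGORITHM": "HmacSHA1",
}


def _local(tag):
    """Strip an XML namespace prefix: '{ns}param-name' -> 'param-name'."""
    return tag.rsplit("}", 1)[-1]


def parse_context_params(xml_text):
    """Return {param-name: param-value} for every <context-param> in a web.xml."""
    params = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name"):
            params[fields["param-name"]] = fields.get("param-value", "")
    return params


def audit_myfaces_config(params):
    """Return (code, message) findings for a context-param dict; [] means clean."""
    cfg = {**DEFAULTS, **params}
    findings = []

    if cfg["javax.faces.STATE_SAVING_METHOD"].lower() == "client":
        findings.append(("CLIENT_STATE",
                         "ViewState is serialized into the page and deserialized on every POST; "
                         "with server-side state the client only holds an id"))
    if cfg["org.apache.myfaces.USE_ENCRYPTION"].lower() != "true":
        findings.append(("NO_ENCRYPTION", "client state is sent unencrypted and unsigned"))

    secret_b64 = params.get("org.apache.myfaces.SECRET")
    if secret_b64:
        try:
            detail = f"{len(base64.b64decode(secret_b64, validate=True))}-byte key"
        except (binascii.Error, ValueError):
            detail = "value is not valid base64"
        findings.append(("SECRET_IN_WEB_XML",
                         f"encryption secret is stored in web.xml ({detail}); anyone who obtains the "
                         "file or a backup of it can forge ViewState, so rotate it and keep backups off shares"))
    if "org.apache.myfaces.MAC_SECRET" not in params:
        findings.append(("SHARED_MAC_KEY",
                         "no MAC_SECRET set, so the MAC key falls back to the encryption secret"))

    if cfg["org.apache.myfaces.ALGORITHM"].upper() == "DES":
        findings.append(("WEAK_CIPHER", "DES (56-bit) is the default; configure AES"))
    if cfg["org.apache.myfaces.ALGORITHM.PARAMETERS"].upper().startswith("ECB"):
        findings.append(("ECB_MODE",
                         "ECB is the default mode; use CBC with org.apache.myfaces.ALGORITHM.IV"))
    if cfg["org.apache.myfaces.MAC_ALGORITHM"].lower() == "hmacsha1":
        findings.append(("WEAK_MAC", "HmacSHA1 is the default; HmacSHA256 is supported"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_myfaces_config(parse_context_params(SAMPLE_WEB_XML)):
        print(f"[{code}] {msg}")
```

Run against the constructed sample it reports six findings; the one that matters most on this box is SECRET_IN_WEB_XML, because once the secret is in a backup on an open share, the cipher and MAC strength no longer matter. Moving the application to server-side state removes the deserialization surface entirely, which is why that check comes first.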

PAYLOAD GENERATION

I'm going to use ysoserial to create the serialized payload.

It won't work if I send it directly; it has to be encrypted first.

Command:

INSTALLING ysoserial-master-SNAPSHOT.jar To Create Payload

Now, the plan is: Base64-decode the secret ==> create the ysoserial payload ==> encrypt the payload with the decoded secret using DES and PKCS5 padding ==> create an HmacSHA1 signature of the encrypted value with the secret ==> assemble the final payload ==> exploit.

The script I wrote to test whether I could get RCE on the box was successful; I do have RCE. I started tcpdump to listen for the result.

EXPLOIT:

RCE EXPLOIT CONFIRMATION

So, once the payloads were ready, I started SimpleHTTPServer to serve nc.exe and my listener on port 4444, then sent the payloads.

HERE IS THE RESPONSE:

USER.TXT

PRIVILEGE ESCALATION FROM ALFRED TO ROOT

In Alfred's backup directory I found a backup.zip file. I used netcat to download it to my local machine to unzip and analyse it.

UNZIPPING backup.zip

In the “Drafts” folder I found a mail with an attached picture.

The email contains a screenshot of a command prompt showing the password of the user “Batman”.

Using the credentials Batman:Zx^#QX+T!123, let's see if I can escalate privileges, since I found that the user Batman is a member of the Administrators group.

So, in the next step I will use PowerShell with the credentials batman:Zx^#QX+T!123 to get a reverse shell.

On the other side I ran netcat to catch the reverse shell, but the Administrator user is still inaccessible.

But after trying different possibilities, I found that it's possible to map the C$ share.

So, now I can access Administrator folder and read root flag.

Thanks for reading. 🙂

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523
