Hack The Box Control Writeup – 10.10.10.167

Hello, I’m back with Hack The Box Control writeup for this week. The latest Control machine is Windows-based, categorized as “hard” as per HTB. The first root blood was “01 days, 05 hours, 32 mins, 55 seconds” after the release of the machine gives you hint how hard this box is. Let us start.

Enumeration – Nmap Port Scan

Like all the previous machines, I’m going to start with nmap portscan to see what are the open ports and services running.

Here is the nmap scan results:

The nmap portscan showed me there are 3 ports open. A port 80 – webserver, 135 – msrpc and 3306 possibly mysql server.

There is a website hosted in the default tcp port called “Fidelity”

There are 4 pages, index page, an about page, Admin page and login page. The admin and login pages did not provide any login form, but with an error “Access Denied: Header Missing. Please ensure you go through the proxy to access this page“. This error pointing towards a misconfiguration. So I proceed to analyze the source-code.

The source-code of index.php has commented section with a message -To-do:

This revealed an internal IP address: 192.168.4.28d. I fire-up the burp to see if there is any requests being sent ot receives.

The Burp request also showed the request isn’t going to the webserver, but the same error comes if I request to access admin.php or login.php pages.

So, to access these either you need to have a proxy which allows you the access or simulate that you are using the proxy by adding HTTP header “X-Forwarded-For”. The Burp is useful to add such headers, so I’m going to use my already running Burp. I’m assuming that the IP 192.168.4.28 for x-forwarded-for IP (proxy) because this is the only internal IP I’ve found in the websites source-code and it actually worked.

As soon as I forward the request in Burp, I was able to access the admin panel (or a product page).

SQLi

So the next step was to find the SQLi in the products table. I used burp to extract search requests from the database to use exploit it using SQLMAP.

The Info:

I saved the info as control.txt. and run the SQLMAP using this command: sqlmap –all -r control.txt –batch

The SQLMAP successfully cracked the database and got me what I was looking for – usernames and passwords (in hash)

I can’t do anything with the passwords I have, I can’t log in to the system unless I upload the shell to get RCE from SQLi. So what I decided is to use Burp again to send my PHP payload to create a reverse shell inside the database system. I found several RCEs, but used this one. I modified a bit and my final payload would look like this:

After successfully upload the reverse shell, I called it back to test, it worked like a charm – immma hacker boyyy babbyy!!!

PowerCAT Reverse Shell

Now, I need a reverse connection from the Control machine. Since the machine is windows, I would go for PowerShell reverse shells. After reading and a lot of research, I decided to use PowerCAT.

Setup:

• I download the PowerCAT.ps1 to the working directory
• Setup the Python HTTP server: python -m SimpleHTTPServer 8081
• A netcat listener: nc –lvnp 8080
• And finally “calling it from the website” to make it work (very simple words).

The Activator:

ref: https://www.sherlocklee.top/2019/09/28/Reverse-Shell/

As soon as I run the above caller my netcat listener got me the reverse shell:

I have access to the system, however, I’m not able to list the user directories. There are two users, an Administrator and Hector – I have access denied to both user directories.

Building The Tunnel: (This is a failed step, please proceed to ” White Winter Wolf webshell” Section)

I fired-up netstat -ano to see the processes running and listening.

I found that the WinRM service is active and running (TCP [::]:5985 [::]:0 LISTENING 4). This service running locally I’m not able to access externally, so the next step is to create a tunnel between my Kali and the Control machine. I will use the windows binary in kali PuTTY PLINK to create the tunnel.

Uploading PLink.exe

Now this seems to be a hard task for me. I tried following but I have an error:

Setup Python SMBServer

Copy PLink.exe using Command Prompt:

WhiteWinterWolf Webshell

So, my plan to copy PuTTY PLINK using good boy way was failed so badly that I went to sleep shutting down my laptop. In the sleep, I was told by the angels that I could use WhiteWinterWolf’s Webshell to upload my PuTTY PLINK Here is what I did:

• I copied Webshell PHP script on to a file called “nshell.php”
• I used the same old resources text I used to run SQLMAP in my earlier step
• I created a new SQLMAP query to copy the script into C:\inetpub\wwwroot\uploads\

My new SQLMAP script:

After running the SQLMAP, my new shell was successfully uploaded.

As soon as I have the confirmation from SQLMAP that my shell was uploaded successfully, I opened my browser and browsed the shell:

I upload the nc.exe and PuTTY PLINK to be sure to make atleast 1 connection run properly.

I’m going to run the PLink.exe first because I wanted to test if this can help me. I know nc.exe will work for sure, but I haven’t tried Plink for tunnelling. Let us try.

The tunnel was successfully created

Note: I was not able to run PLink.exe as root, I don’t know what was the reason, the password wasn’t accepting. So I used my another called “navin“. Once the tunnel was successfully created, I use switch user to root to run my commands.

Now I can run EvilWiNRM localy on the Control machine. However, I’m still lowpreviladged user, so I need to run EvilWinRM as user Hector. if you remember in my initial SQLMAP scan it revealed 3 users’ password hashes.

hector : password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
manager : password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA clear-text password: l3tm3!n
root : password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8

SQLMAP managed to get the user Manager’s password in clear text, however, our Hector’s password is still unknown, I used John to crack the password. l33———tor (sorry, I will not release the password)

Time to run EvilWinRM as Hector:

Getting User.txt

Getting Root

In order to get Root, we need to escalate the privilege of our current user, Hector. This article and this article gives a great way of windows privesc. I had to read several such articles to find the right way to become Administrator of Control machine.

Let us see what is our user Hector is capable to do?

Is there any Administrator groups?

So the cmdkey /list also didn’t give me any hint of stored credentials in the box. Its getting a bit hard for me at this stage.

The Windows ACL (Access Control List) is the most important command to run post-exploit. This gives a hint about how the current compromised user can help in privesc. I’m concentrating on the System’s CurrentControlSet to see what type of rights our user Hector has. The command is: get-acl HKLM:\System\CurrentControlSet\services* | Format-List * | findstr /i "Hector Users Path“

The command returned with huge list of ACL of user Hector:

Abusing Services

I have a list of services Hector can run with full control. The service “wuauserv” is what I should use as per the hint I received in HTB Forum.

Windows WUAUServ is a system service of the Windows Update feature. It runs only when Windows Update is running. This service runs for a couple of minutes and verifies if there is a Windows Update is going on or no if the service is not running it stops itself.

If you remember the retired machine Helpline, I exploit the windows print spool service to run my nc.exe. I’m going to use the same practice to exploit this machine.

Start Listening:

Start Service

Reverse Shell As Administrator

Root.txt

Thank you for reading, hope you enjoyed.