Hello, welcome back! and wish you a very happy new year 2020.
After a break of almost 2 weeks, I’m back with another Windows machine writeup. The machine I’m doing today’s walkthrough is RE (10.10.10.144). The machine categorized in Hack the Box is as hard and real-life like, so let us see how it goes.
Note: This post is up to the user only. I will post the root part soon.
As always, I added the machine IP 10.10.10.114 to etc/hosts as re.htb for easiness and let us start our enumeration with the nmap scan –
nmap -A -oA re.namp re.htb
# root @ ns09 in ~/htb/re [20:03:21] $ nmap -A -oA re.namp re.htb Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-31 20:05 +03 Stats: 0:01:23 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 50.00% done; ETC: 20:07 (0:00:29 remaining) Nmap scan report for re.htb (10.10.10.144) Host is up (0.58s latency). rDNS record for 10.10.10.144: flujab.htb Not shown: 998 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: Ghidra Dropbox Coming Soon! 445/tcp open microsoft-ds? Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port OS fingerprint not ideal because: Missing a closed TCP port so results incomplete No OS matches for host Network Distance: 2 hops Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: 2s | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2019-12-31T17:07:42 |_ start_date: N/A TRACEROUTE (using port 445/tcp) HOP RTT ADDRESS 1 521.20 ms 10.10.14.1 2 521.10 ms flujab.htb (10.10.10.144) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 167.35 seconds
After nmap enum, we found only two ports are open. An HTTP port on 80 and a TCP port 445 that runs server message block (SMB). The webserver on 80 seems doesn’t have much to show, but the view-source shows a few filenames and indications that there are unfinished works in the project called “Ghidra”.
Since nothing can be done with port 80 at this stage, let us see what port 445 has to offer. I used the smbclient to connect the SMB to see what it contains. I didn’t provide any password, though the SMB asked for the root password. I tried to log in using anonymous that went well too. I was served with a directory called
"malware_dropbox". I went ahead connecting the directory
malware_dropbox but it seems to be empty.
At this point, I’m again clueless, so letup scan again higher ports and services and find if we missed anything in the previous nmap scan. However, this was not helpful either. So I decided to go to the HTB forum for hints, and there is one! A user mentioned a page called “reblog.htb“. I added this to my etc/hosts against machine IP and proceeded to browse it.
The reblog.htb is actually a blog with a few posts and an email id “email@example.com”. I decided to go through the posts to find something useful. The latest post “ods Phishing Attempts” is actually talking about Apache Open Office ODF Documents exploitation and phishing using maliciously crafted ODF macro payloads.
Actually there are a lot of Open Office exploitations that are possible using maliciously crafted macros. The Armitage in Kali actually has inbuilt modules to create such macros, especially a couple of for Open office. I’m going to test one to create a malicious macro file and send it using Python HTTP server in-to the malware_dropbox SMB and proceed from there. A couple of things that need to consider are LPORT and SRVPORT. LPORT.
The ODT Macro is successfully created and stored in
/root/.msf4/local/msf.odt. I copied the file to my Windows machine and extracted the file msf.odt using WinRAR.
I now have the package with all the required files. I just need one main xml file which always resides in
msf/Basic/Standard. I opened it and amend it with my reverse shell command to have a reverse shell when the macro is executed.
Final Module1.xml file screenshot is below. Let us zip the package back to its original state and rename it as msf.odt. After this step, I moved the msf.odt file back to my Kali machine inside my Re directory to import it to the Re machine.
In the Kali machine, I’m going to host a Python Webserver, At the same time, I will start listening to nc on the designated port 8089 and open the SMB and import the msf.odt file using PUT command. Here is the screenshot of successfully importing the msf.odt described in the above steps.
Here is my setup:
As soon as I put my malicious macro file, the host at RE reads it. The reading runs my command of reverse shell and it executes my nc.exe and I have the shell in my listener.
# root @ ns09 in ~/htb/re [21:47:20] $ nc -nvlp 2169 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::2169 Ncat: Listening on 0.0.0.0:2169 connect to [10.10.14.16] from (UNKNOWN) [10.10.10.144] Microsoft Windows [Version 10.0.17763.107] (c) 2018 Microsoft Corporation. All rights reserved. C:\Program Files\LibreOffice\program>
After a couple of minutes enum, I found the user.txt in the directory of the user Luke’s desktop.
C:\Program Files\LibreOffice\program> . . . . C:\Users\luke\Desktop\ type user.txt FE41[---------------]384D3