HackTheBox Endgame Xen Writeup Part 1 – Breach (Flag 01/06)

Hello readers, I’m back with another HackTheBox writeup series. This time it’s Endgame Xen. A month or so ago I finished the Endgame P.O.O challenge, and I decided to continue with the Endgames to test my ability in a Windows Active Directory environment.

HackTheBox EndGame Xen Writeup Series

As described by HTB, the Xen endgame is designed to test players’ skills in enumeration, breakout, lateral movement, and privilege escalation inside a small Windows Active Directory environment. There are 6 flags to capture. I’m going to post my writeups one by one as soon as I finish each level (I may decide not to post if I feel too lazy to write another post ;))


This writeup is about the first flag, “Breach”. A lot of enumeration is required to get the first flag; it’s not as easy as it looks. Each step gets harder as you climb.

Let us start.

Enumeration

As always, I added the machine IP 10.13.38.12 to my hosts file as xen.htb and started an Nmap scan to find the open ports and running services. I wanted to see all open ports, so I ran an intensive scan.

NMAP SCAN RESULT:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-13 23:04 +03
Nmap scan report for xen.htb (10.13.38.12)
Host is up (0.20s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE    VERSION
25/tcp  open  smtp
| fingerprint-strings: 
|   GenericLines, GetRequest: 
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     sequence of commands
|     sequence of commands
|   Hello: 
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     EHLO Invalid domain address.
|   Help: 
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   NULL: 
|_    220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| smtp-commands: CITRIX, SIZE 20480000, AUTH LOGIN, HELP, 
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY 
80/tcp  open  http       Microsoft IIS httpd 7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
443/tcp open  ssl/https?
|_ssl-date: 2020-03-13T21:07:07+00:00; +1h00m07s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 14.995 days (since Thu Feb 27 23:15:10 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1h00m06s

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   220.87 ms 10.14.14.1
2   220.98 ms xen.htb (10.13.38.12)

From the initial enumeration, I found a few open ports: HTTP and HTTPS on 80 and 443 respectively, and an SMTP service on port 25.

Visiting the web service on ports 80 and 443 shows a retail website. What struck me was the SSL certificate: it is issued to the domain humongousretail.com. However, a quick WHOIS lookup returned nothing; the domain is not registered to anyone.

I immediately added the newly found domain name to my hosts file against the Xen machine IP address. I also found an email address: jointheteam@humongousretail.com.


So, there is nothing other than the few things found above; a quick look at the website source revealed nothing. I then decided to run directory enumeration using WFuzz. Since the target server is IIS, I used the SecLists raft-large-words.txt wordlist. WFuzz found a couple of directories: “Jakarta” and “Remote”.

https://xen.htb/jakarta

https://xen.htb/remote

The two directories are Jakarta and Remote; Remote is Citrix XenApp.

USER ENUMERATION

I spent a good amount of time on this machine without getting any further. A friend on Discord told me that the target machine is also an Exchange server, so I should do user enumeration against the mail server to find possible users and then get their email addresses and passwords.

After getting users from xen.htb, I decided to run the same against the domain humongousretail.com. I updated the hosts file and started the SMTP user enumeration. The tool I used is smtp-user-enum by pentestmonkey (http://pentestmonkey.net/tools/smtp-user-enum).

SMTP USER ENUM Results

# root @ ns09 in ~/htb/xen [17:36:00] 
$ smtp-user-enum -U names.txt -D humongousretail.com -t 10.13.38.12 -m 15 -M RCPT
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------
Mode ..................... RCPT
Worker Processes ......... 15
Usernames file ........... names.txt
Target count ............. 1
Username count ........... 10166
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ humongousretail.com
######## Scan started at Wed Apr 22 17:36:07 2020 #########
10.13.38.12: it@humongousretail.com exists
10.13.38.12: legal@humongousretail.com exists
10.13.38.12: marketing@humongousretail.com exists
10.13.38.12: sales@humongousretail.com exists
######## Scan completed at Wed Apr 22 17:46:00 2020 #########
4 results.
10166 queries in 593 seconds (17.1 queries / sec)
# root @ ns09 in ~/htb/xen [17:46:00]

So I found 4 new users in the humongousretail.com domain:

  • marketing@humongousretail.com
  • legal@humongousretail.com
  • it@humongousretail.com
  • sales@humongousretail.com

TELNET

The next step is to get user credentials. I was informed by a friend on Discord that the mailboxes can be triggered to connect back to a remote netcat listener by emailing them an IP address (my netcat listener’s IP).

I referred to this blog post to understand how a telnet session can be used to send emails. However, there was no response to the emails despite trying a few times.

Then I realized that external email might be filtered, or that it might not be possible to trigger the action that way, so I decided to send the mails from an internal email address and see what happens.

Well, still no response. I tried the email addresses I found on the SMTP server one by one, without any success.

A Breakthrough

So, finally a breakthrough. The system was designed this way: the users will not connect out to an external IP unless the mail is sent from the IT department email address. Well, that is a good point. Once I understood how things work, I got the users’ credentials from the reverse connection on my listener. I was only able to get sales@humongousretail.com and the users related to that mailbox. When I tried more than once, I got different users and their passwords.
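From the defender’s side, the two things this machine gives away (the RCPT-mode user enumeration in the smtp-user-enum run above, and users trusting mail that merely claims to come from the IT department address) both leave traces in the mail server’s logs. The Python below is my added example, not part of the original writeup or any Exchange tooling: it runs both checks over a constructed log in a made-up layout, and the internal domain, internal subnet and client IPs are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed (constructed for this example): the organisation's own mail domain and
# its internal subnet, taken from the lab range used in the writeup.
INTERNAL_DOMAINS = {"humongousretail.com"}
INTERNAL_NETS = [ip_network("10.13.38.0/24")]

# Constructed log layout (not Exchange's real format):
#   <timestamp> <client_ip> auth=<yes|no> <MAIL FROM|RCPT TO>:<addr> -> <smtp code>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) auth=(?P<auth>yes|no) "
                     r"(?P<verb>MAIL|RCPT) (?:FROM|TO):<(?P<addr>[^>]*)> -> (?P<code>\d{3})$")
def parse(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_rcpt_enumeration(lines, min_attempts=20, min_reject_ratio=0.5):
    # Many RCPT TO commands from one client, mostly answered 5xx: the signature of
    # RCPT-mode user enumeration such as the smtp-user-enum run above.
    attempts, rejects = defaultdict(int), defaultdict(int)
    for ev in filter(None, map(parse, lines)):
        if ev["verb"] != "RCPT":
            continue
        attempts[ev["ip"]] += 1
        rejects[ev["ip"]] += ev["code"].startswith("5")
    return sorted(ip for ip, n in attempts.items()
                  if n >= min_attempts and rejects[ip] / n >= min_reject_ratio)

def find_spoofed_internal_senders(lines):
    # Unauthenticated sessions from outside the internal network that claim an
    # internal MAIL FROM, e.g. an outsider posing as the IT department address.
    hits = []
    for ev in filter(None, map(parse, lines)):
        domain = ev["addr"].rpartition("@")[2].lower()
        external = not any(ip_address(ev["ip"]) in n for n in INTERNAL_NETS)
        if ev["verb"] == "MAIL" and ev["auth"] == "no" and external and domain in INTERNAL_DOMAINS:
            hits.append((ev["ip"], ev["addr"]))
    return hits

# Constructed sample: 25 rejected guesses and one hit from 10.10.14.5, then that
# same client sending unauthenticated mail as the IT address.
SAMPLE_LOG = [f"2020-04-22T17:36:{i:02d} 10.10.14.5 auth=no RCPT TO:<u{i}@humongousretail.com> -> 550"
              for i in range(25)] + [
    "2020-04-22T17:36:30 10.10.14.5 auth=no RCPT TO:<it@humongousretail.com> -> 250",
    "2020-04-22T17:40:00 10.13.38.20 auth=yes RCPT TO:<sales@humongousretail.com> -> 250",
    "2020-04-22T17:50:01 10.10.14.5 auth=no MAIL FROM:<it@humongousretail.com> -> 250",
    "2020-04-22T17:50:02 10.13.38.20 auth=yes MAIL FROM:<pmorgan@humongousretail.com> -> 250",
    "2020-04-22T17:51:00 203.0.113.7 auth=no MAIL FROM:<partner@example.net> -> 250",
]
```

In production the RCPT counts would be kept per time window rather than over the whole file, and the authenticated/internal checks would be fed from the real receive-connector logs.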

Credentials of Sales Team

So, now I have credentials for 3 users and I know where to use them: Citrix XenApp, which is the reason for my email subject.

  • pmorgan:S*******r!
  • jmendes:V****************!!!
  • awardel:@****************@

Citrix XenApp

I proceeded to the XenApp remote login page I discovered earlier and logged in as PMorgan.

Once logged in, I noticed a Citrix Workspace ICA remote desktop connection app named “Default” on the dashboard. I clicked it and the Citrix launch tool downloaded. I already had the required tools to open Citrix apps installed, so I opened it using the Citrix Workspace Engine for Linux.


The system presented was Windows 7 Pro. Nothing interesting was found; however, from the file explorer and looking at the desktop I found the flag: XEN{wh0_n33d5_2f@?}. The same flag was on all 3 users’ desktops.

User AWardel:

So that is the end of the story for Flag #1 – Breach. The flag itself says “Who needs 2FA?”, lol, I didn’t know breaking into Citrix XenApp was so easy :). Thanks for dropping by, I will post my 2nd part writeup soon.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
