Wednesday, July 31, 2019

SecNotes


SECNOTES

- Layout for this exercise:





1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine SecNotes from the Hack The Box pentesting platform:

https://www.hackthebox.eu/


2 - ENUMERATION

- SecNotes' IP is 10.10.10.97:



- Scanning with Nmap:








- Browsing the web server on port 80:




- Registering a new user named whitelist:





- Logging in as the new user whitelist:




- Secure Notes is a notepad application that stores notes and to-do lists with secure password protection using AES encryption, providing quick and easy access with a simple password:





- The email tyler@secnotes.htb reveals two details:

  • user named tyler
  • domain secnotes.htb

- Also, the .php extension of the login page is interesting: it reveals that the server runs PHP.


- Confirming that user tyler exists by attempting a login with a random password (the error message differs for unknown users):







- Browsing the other web server at port 8808:




- Viewing the source, we find the image iisstart.png:





3 - EXPLOITATION

3.1 - SQL injection

- A "second order" SQL injection attack delays execution until a secondary query: a query fragment is submitted through a query that is not necessarily vulnerable to injection itself (it is stored as plain data), and the injected SQL then executes later, when a second query that is vulnerable to SQL injection reuses the stored value.

https://portswigger.net/kb/issues/00100210_sql-injection-second-order


https://bertwagner.com/2018/03/20/how-to-steal-data-using-a-second-order-sql-injection-attack/


- Using wfuzz to help us find a valid SQL injection:

 

- From the proposed queries, the last one, ' or 1=1 or ''=', seems easy to apply:




- Entering ' or 1=1 or ''=' as a new username and password, and later logging in with those credentials:







- Now the home page yields credentials for user tyler in the 3rd note, named new site:
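The second-order injection described in 3.1, as an added Python example that is not the author's or the application's code: an in-memory sqlite3 model in which registration is parameterized (so the payload is stored as data) but the home page concatenates the stored username into its notes query, beside the parameterized fix. The table names, the second user and the note bodies are constructed.

```python
# Added example (not from the original write-up): a minimal model of the
# second-order SQL injection in SecNotes, using an in-memory sqlite3 database.
# Registration is parameterized, so the payload is stored harmlessly; a later
# query concatenates the *stored* username, and that is where it executes.
import sqlite3

PAYLOAD = "' or 1=1 or ''='"   # the username used in the write-up


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE notes (username TEXT, title TEXT, body TEXT);
        INSERT INTO notes VALUES ('tyler', 'new site', 'constructed sample note');
        INSERT INTO notes VALUES ('alice', 'shopping', 'constructed sample note');
    """)
    return db


def register(db, username, password):
    # First-order safe: with placeholders the quote in PAYLOAD is just data.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def notes_for_vulnerable(db, username):
    # Second-order sink: the stored username is trusted and concatenated, so
    # the WHERE clause becomes  username = '' or 1=1 or ''=''  -> every note.
    sql = "SELECT username, title FROM notes WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def notes_for_fixed(db, username):
    # Hardened: parameterize every query, not only the one that takes input.
    return db.execute("SELECT username, title FROM notes WHERE username = ?",
                      (username,)).fetchall()


def home_page(db, username, notes_fn):
    # Simulates login followed by the home page listing "the user's" notes,
    # using the username exactly as it was stored at registration time.
    row = db.execute("SELECT username FROM users WHERE username = ?",
                     (username,)).fetchone()
    return notes_fn(db, row[0]) if row else []


if __name__ == "__main__":
    db = build_db()
    register(db, PAYLOAD, "x")
    print(home_page(db, PAYLOAD, notes_for_vulnerable))  # tyler's and alice's notes
    print(home_page(db, PAYLOAD, notes_for_fixed))       # [] : no such user
```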







3.2 - Exploiting SMB

- Using credentials tyler:92g!mA8BGjOirkL%OG*& to access SMB service on port 445:





- Connecting and listing new-site:









- So we confirm that there is a web service on port 8808 whose folder new-site contains the image iisstart.png.


3.3 - Getting a remote shell


- First of all, let's download the Windows Netcat binary to Kali:










- Also, let's create exploit.php, a PHP exploit whose goal is to spawn a remote shell over a Netcat connection:




- Transferring nc.exe and exploit.php from Kali to SecNotes:




- The transfer of both files is successful:




- Setting up a Netcat listener on port 5555:




- Running exploit.php directly from the browser:




- A remote shell is successfully spawned:







4 - CAPTURING THE 1st FLAG

- Reading user.txt:





5 - PRIVILEGE ESCALATION

- Access to Administrator's account is denied, as expected, so we need Privilege Escalation:




- Checking user tyler's Desktop, there is a file bash.lnk:





- Windows Subsystem for Linux (WSL) is a compatibility layer for running Linux binary executables (in ELF format) natively on Windows 10 and Windows Server 2019.

https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux


- Reading bash.lnk, the path C:\Windows\System32\bash.exe looks interesting:




- However, the clue is misleading: there is no bash.exe at C:\Windows\System32:




- Let's find the real location of bash.exe:




- Running bash.exe we get a root shell for the Windows Subsystem for Linux (WSL):




- Improving the shell:




- Checking the content of root's home folder, there is the hidden file .bash_history:




- Reading .bash_history, credentials for Administrator are available:




- Making use of the credentials administrator%u6!4ZwgwOM#^OBf#Nwnh, there are two ways of accessing the Administrator's account:


5.1 - Smbclient

- Connecting with the SMB service:










5.2 - Psexec.py


- The Impacket psexec.py Python script gets a remote root shell just by providing the Administrator credentials:




6 - CAPTURING THE 2nd FLAG

- So we have two options to read root.txt:

- First, transferring root.txt from SecNotes to Kali and reading it locally:






- Second, reading it from the remote root shell:







Tuesday, July 30, 2019

Jeeves


JEEVES

- Layout for this exercise:




1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine Jeeves from the Hack The Box pentesting platform:

https://www.hackthebox.eu/


2 - ENUMERATION

- Jeeves's IP is 10.10.10.63:




- Scanning with Nmap:




- Connecting to the web server on port 80:





- Connecting to the web server on port 50000:





- Applying dirbuster to both web servers, we find the folder askjeeves on port 50000:








- Browsing /askjeeves we find a Jenkins server.

- Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software:


https://jenkins.io/





- Going to Manage Jenkins:





- Checking the Script Console, there is a Groovy script console available that allows writing and running code on the server:







3 - EXPLOITATION

3.1 - Getting a remote reverse shell

- The Apache Groovy language is a Java-syntax-compatible object-oriented programming language that can be used as both a programming and scripting language for the Java Platform:






- There are multiple available scripts for getting a reverse shell, for instance this one:





- Just setting up a Netcat listener, adapting the script to our needs and running it:







- The consequence is a remote reverse shell:




- The user is kohsuke:




- However, it seems that we cannot leave the current folder due to insufficient privileges:




3.2 - Meterpreter session with web_delivery

- Let's create a web_delivery exploit on Kali with the purpose of getting a Meterpreter session:




- Setting all options and running the web_delivery exploit, a PowerShell script is created:




- Now, the PowerShell script must be run on the remote reverse shell from Jeeves:




- As a consequence a Meterpreter session is opened:




- Getting information about the current folder, user and the system:











4 - PRIVILEGE ESCALATION

- RottenPotato is a local privilege escalation binary that goes from a service account to System:





- Downloading rottenpotato.exe to Kali:





- Getting as many system privileges as possible with getprivs:




- Uploading rottenpotato.exe to Jeeves:




- Loading the incognito extension:




- Executing rottenpotato.exe:




- Impersonating System:





- Now we've got System privileges:




- Spawning a shell:










5 - CAPTURING THE 1st FLAG

- Reading user.txt:





6 - CAPTURING THE 2nd FLAG

- Going to the Administrator's Desktop we find hm.txt:




- An Alternate Data Stream (ADS) is the ability of the NTFS file system (the main file system format in Windows) to store different streams of data in a file, in addition to the default stream which is normally used for the file's content.

- The two stream types that are commonly used directly by Windows programs are data ($DATA) and index ($INDEX_ALLOCATION).

- The relevant attribute for our scope is the $DATA attribute, which is used to store the data streams of a file.

- In the past, it was common to store a malicious payload within an ADS of a legitimate file, but today many security solutions detect and scan ADSs.

- For further information:

https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams

https://www.deepinstinct.com/2018/06/12/the-abuse-of-alternate-data-stream-hasnt-disappeared/

https://stackoverflow.com/questions/50518734/dir-r-and-output-stream-in-windows-machine


- The option dir /R calls FindFirstStreamW and FindNextStreamW on each file or directory in a listing in order to list its $DATA streams:
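As an added Python example (not from the original post), a small parser over dir /R output that flags every file carrying a named $DATA stream, which is the check a defender would run over a listing like the one above when sweeping a host for hidden content; the sample listing, its sizes and the stream name hidden.txt are constructed, not captured from Jeeves.

```python
# Added example (not from the original post): parse `dir /R` output and report
# files that carry a named alternate data stream. In dir /R output a stream
# appears on its own line with no date/time, just a size and name:stream:$DATA.
# SAMPLE_DIR_R is constructed sample output, not a capture from the machine.
import re

SAMPLE_DIR_R = r"""
 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
11/03/2017  11:03 PM                36 hm.txt
                                    34 hm.txt:hidden.txt:$DATA
11/03/2017  11:03 PM             3,060 Windows 10 Update Assistant.lnk
               2 File(s)          3,096 bytes
"""

# Leading whitespace, a (possibly comma-grouped) size, then file:stream:$DATA.
# Ordinary file lines start with a date, so they never match.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")


def find_named_streams(listing):
    """Return (file, stream, size_bytes) for each non-default $DATA stream."""
    found = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        found.append((m.group(2), m.group(3), size))
    return found


if __name__ == "__main__":
    for path, stream, size in find_named_streams(SAMPLE_DIR_R):
        print(f"{path} has alternate stream '{stream}' ({size} bytes)")
```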