From 99b717d614a547cdf3660caf2976e7ae618e48a4 Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Wed, 21 Apr 2021 01:36:12 +0500 Subject: [PATCH] Add files via upload --- HackTheBox/Atom.md | 233 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 233 insertions(+) create mode 100644 HackTheBox/Atom.md diff --git a/HackTheBox/Atom.md b/HackTheBox/Atom.md new file mode 100644 index 0000000..5d68af1 --- /dev/null +++ b/HackTheBox/Atom.md 
@@ -0,0 +1,233 @@ +# HackTheBox-Atom + +## Rustscan +```bash +PORT STATE SERVICE REASON VERSION +80/tcp open http syn-ack ttl 127 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27) +| http-methods: +| Supported Methods: GET POST OPTIONS HEAD TRACE +|_ Potentially risky methods: TRACE +|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 +|_http-title: Heed Solutions +135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC +443/tcp open ssl/http syn-ack ttl 127 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27) +| http-methods: +| Supported Methods: GET POST OPTIONS HEAD TRACE +|_ Potentially risky methods: TRACE +|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 +|_http-title: Heed Solutions +| ssl-cert: Subject: commonName=localhost +| Issuer: commonName=localhost +| Public Key type: rsa +| Public Key bits: 1024 +| Signature Algorithm: sha1WithRSAEncryption +| Not valid before: 2009-11-10T23:48:47 +| Not valid after: 2019-11-08T23:48:47 +| MD5: a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0 +| SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6 +445/tcp open microsoft-ds syn-ack ttl 127 Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP) +5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) +|_http-server-header: Microsoft-HTTPAPI/2.0 +|_http-title: Not Found +6379/tcp open redis syn-ack ttl 127 Redis key-value store +7680/tcp open pando-pub? 
syn-ack ttl 127 + +``` + +## PORT 135/445 (SMB) + +We can see which shares are there + + + +Now to see which we can read as anonymous + + + +It seems we can read and write `Software_Updates` share + + + +There's a document available too so let's download it + + + +So the document tells about a note taking application named `Heed` and it's a client based application there's no interaction with the server but it does get's an update though client's folder and we have seen three client's folder i.e client1,client2,client3, so let's just visit port 80 + + + + + +## PORT 80 (HTTP) + + + +Scrolling a bit down we can see a download option and an email `MrR3boot@atom.htb` + + + +So first let's add the domain `atom.htb` to `/etc/hosts` file and fuzz for subdomains and also to fuzz for files and directories using `gobuster` + + + +Running gobuster to fuzz for files + + + +Fuzzing for subdomains + + + +Didn't find one so we would just have to download the heed note taking application + + + + + + + +So I had to switch to my windows machine as this was a windows application + + + + + +This tells us that this is an electron application + + + + + +So knowing that it's an electron app I searched on goolge for getting a RCE through it + + + + + +It says here that it will update from `latest.yml` + + + + + + +## Exploit + +So first we generate our payload with name having a single quote + + + +Now we need to generate a sha512 sum hash and encode it to hex and then further encode it to base64 + + + + +``` +093RMZA6MwaxL21rB2eTb14NNIH8+bfGjldpX5bFLvlALJJpKvi8Gm+TGXmqW/ROJsy+TEcGyDQk +djSS7Avnow== +``` + +Host this payload on your local machine using python3 + + + +Create a `latest.yml` file + + + +Upload the yml file in smb share + + + +Run the meterpeter listener + + + + + +So for escalating privileges I first ran `getprivs` to show privileges for the current user + + + +Going into `Program Files` + + + +Further going into `Redis` folder + + + +We see `redis.windows-service.conf` and 
there's a password for redis cli + + + + + +Run `info` command + + + + + + + +Redis stores data in database and we can there is only on database , we can access it by the command `SELECT 0` + + + + + +Now to access the KEY we need to first know it's data type, in redis there are 5 data types + +1. String +2. Hash +3. List +4. Sets +5. Sorted Sets + + + + + + + + +Going to jason's `Download` direcotry we can find `PortableKanban` which is a tak managment tool for windows + + + +Reading the `User Guide.pdf` portable kanban we can only user available is `Administartor` but we can't get the passoword as the guide says if the data is lost there is not way in retreiving it + + + +We can see that we are on the last version of portable kanban + + + +So this is the encrypted password which we can't retrieve + + + +But there's an exploit for it + + + +Now we extracted the encrypted portable kanban passowrd from redis key and we need to save the contents in a file `PortableKanban.pk3` but on running the exploit it showed errors so we may need to edit the exploit + + + +After editing it will decrypt the password + + + + + +Now since port 5985 was open which is for winrm we will use `evilwinrm` to login + + + +Evilwinrm was acting wierd so I downloaded the windows payload I used earlier to get foothold and ran the payload with cmd while listening at meterpreter for connections + + + + \ No newline at end of file
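Review bot: the walkthrough refers to screenshots that are not in this commit, so most steps have no visible evidence: after "We can see which shares are there", "Running gobuster to fuzz for files", "Run `info` command" and similar lines there are only blank lines, and a reader cannot see the share listing, the gobuster output, the `redis.windows-service.conf` password location or the Redis key that was read. Either add the image files to the same commit (the message says "Add files via upload" but only `HackTheBox/Atom.md` is created) or, better, paste the relevant command lines and their output into fenced blocks so the document stands on its own. The exploit section also leaves two things undocumented that a reader needs: the contents of the `latest.yml` that was uploaded to the share, and what was changed in the PortableKanban decryption script ("on running the exploit it showed errors so we may need to edit the exploit" says nothing about the edit). The base64 digest block is fenced without a language tag and is hard-wrapped after `093RMZA6MwaxL21rB2eTb14NNIH8+bfGjldpX5bFLvlALJJpKvi8Gm+TGXmqW/ROJsy+TEcGyDQk`, which will corrupt the value when copied; keep it on one line, and state that it is the base64 of the raw sha512 bytes rather than of the hex string, since the text ("encode it to hex and then further encode it to base64") reads as the opposite of what the surrounding steps imply. Minor: spelling ("goolge", "meterpeter", "direcotry", "managment", "Administartor", "passoword", "retreiving", "wierd", "tak", "get's"), "there is only on database" should be "only one database", and the file lacks a trailing newline.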