HackTheBox-Atom
Rustscan
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
443/tcp open ssl/http syn-ack ttl 127 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0
| SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6
445/tcp open microsoft-ds syn-ack ttl 127 Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6379/tcp open redis syn-ack ttl 127 Redis key-value store
7680/tcp open pando-pub? syn-ack ttl 127
PORT 135/445 (SMB)
We can see which shares are there.
Now let's see which of them we can read anonymously.
It seems we can read and write the Software_Updates share.
There's a document available too, so let's download it.
The document describes a note-taking application named Heed. It is a client-based application with no interaction with the server, but it does get updates through the client folders, and we have seen three of them: client1, client2 and client3. So let's visit port 80.
PORT 80 (HTTP)
Scrolling a bit down, we can see a download option and an email address, MrR3boot@atom.htb.
So first let's add the domain atom.htb to the /etc/hosts file, then fuzz for subdomains and also fuzz for files and directories using gobuster.
Running gobuster to fuzz for files
Fuzzing for subdomains
Didn't find one, so we just have to download the Heed note-taking application.
So I had to switch to my Windows machine, as this was a Windows application.
This tells us that this is an Electron application.
So knowing that it's an Electron app, I searched on Google for a way of getting RCE through it.
It says here that it will update from latest.yml
Exploit
So first we generate our payload with a name containing a single quote.
Now we need to generate a SHA-512 hash of it, which comes out as hex, and then encode that digest to base64:
093RMZA6MwaxL21rB2eTb14NNIH8+bfGjldpX5bFLvlALJJpKvi8Gm+TGXmqW/ROJsy+TEcGyDQkdjSS7Avnow==
Host this payload on your local machine using python3
Create a latest.yml file.
Upload the yml file to the SMB share.
Run the meterpreter listener.
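As an added example (not code from this writeup, the box, or electron-updater), here is a Python check a defender could run over a latest.yml before it is published to an update share, covering the two points the steps above turn on: the installer name must not carry shell metacharacters such as a single quote, and the sha512 field must be the base64 of the raw 64-byte digest (the 88-character value above has that form), not of the hex string sha512sum prints. The flat `version`/`path`/`sha512` keys and the sample installer bytes are assumptions made for this example.

```python
import base64
import hashlib
import re

# Constructed stand-in for the installer bytes; not the real Heed setup file.
SAMPLE_INSTALLER = b"MZ" + b"\x00" * 62 + b"constructed sample installer body"

# Assumed manifest layout: flat top-level keys as a latest.yml carries them.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def sha512_b64(data: bytes) -> str:
    """base64 of the raw 64-byte SHA-512 digest (88 chars), the form the updater compares.
    Encoding hexdigest() instead gives a 172-char string that never matches."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def build_manifest(path: str, installer: bytes, version: str = "1.0.0") -> str:
    """Emit a minimal manifest for the given installer bytes (assumed layout)."""
    return f"version: {version}\npath: {path}\nsha512: {sha512_b64(installer)}\n"


def parse_manifest(text: str) -> dict:
    """Read only unindented `key: value` lines; nested entries are ignored on purpose."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+):\s*(.*)$", line)
        if m:
            entries[m.group(1)] = m.group(2).strip()
    return entries


def audit_manifest(text: str, installer: bytes) -> list:
    """Return findings for a manifest against the installer it points at; [] means clean."""
    findings = []
    fields = parse_manifest(text)
    path = fields.get("path", "")
    if not path:
        findings.append("missing path")
    elif not SAFE_NAME.match(path):
        # A quote or other metacharacter in the file name is the hook the steps above rely on.
        findings.append(f"unsafe characters in path: {path!r}")
    if fields.get("sha512") != sha512_b64(installer):
        findings.append("sha512 mismatch: manifest does not match the hosted installer")
    return findings


if __name__ == "__main__":
    clean = build_manifest("Heed-Setup-1.0.0.exe", SAMPLE_INSTALLER)
    print(audit_manifest(clean, SAMPLE_INSTALLER))
    print(audit_manifest(build_manifest("Heed'Setup.exe", SAMPLE_INSTALLER), SAMPLE_INSTALLER))
```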
So for escalating privileges I first ran getprivs to show the privileges of the current user.
Going into Program Files
Further going into the Redis folder.
We see redis.windows-service.conf, and there's a password for redis-cli in it.
Run the info command.
Redis stores data in databases, and we can see there is only one database; we can access it with the command SELECT 0.
Now to access the key we first need to know its data type. In Redis there are 5 data types:
- String
- Hash
- List
- Sets
- Sorted Sets
Going to jason's Downloads directory we can find PortableKanban, which is a task management tool for Windows.
Reading the User Guide.pdf of PortableKanban, the only user available is Administrator,
but we can't get the password, as the guide says that if the data is lost there is no way of retrieving it.
We can see that we are on the latest version of PortableKanban.
So this is the encrypted password, which we can't retrieve.
But there's an exploit for it.
Now we extract the encrypted PortableKanban password from the Redis key and save the contents in a file named PortableKanban.pk3,
but on running the exploit it showed errors, so we may need to edit the exploit.
After editing it, it will decrypt the password.
Now, since port 5985 was open, which is WinRM, we will use evil-winrm to log in.
evil-winrm was acting weird, so I downloaded the Windows payload I used earlier to get the foothold and ran it with cmd while listening at meterpreter for connections.