HTB Walkthrough - Markup

Tony Harkness

- 3 minutes read - 545 words

Information Gathering

Scanned all TCP ports:

# save target IP as local variable
export ip='10.129.95.192'

#initial scan
rustscan -a $ip -- -sVC --open -oN initial

# scan results
PORT    STATE SERVICE  REASON          VERSION
22/tcp  open  ssh      syn-ack ttl 127 OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 9f:a0:f7:8c:c6:e2:a4:bd:71:87:68:82:3e:5d:b7:9f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJ6igORqDgM0+6P4dUx3DcDJyuzMMRkDabKsdcrizRtEKleaaYjmgCbwyhD+JqwIX2AZqoC0MLH0q37YJzp3aegjEW9Q0dUBQGSoRRe8wWmsHRFbxgaoGunpB5VK4p3KE2MPVJXUkTSW2Mdrq4yWb63HnNF4TSIPk/+U5e99Qlrgmn0IeJrn9jkRBjPjLq1HSL0zY4YTO5qnvUktZ8J0Y19YVkYfZoLXJeTtiUKEXJYIUog8oUq9M8+1rUHU/GTjdU5X+jNExqvWm15fXr42Of2hnKP8ZRjyynWZ9hPAQjmCHCxh0Mvn/fWCsJ2nri/3SOULiwEfG9XULbLX0tABz++ujmiRyOZoPDscazFzxqfofiJhRm4cxiYf1p2pfjITfWGpxOUxOYDawXT10fLjo7hjpDqy6pKuK3TGbBx5VVG9p1szrctN9XpnI2bmpTMix3ISqddFgTHJimyb5TrcWZ876igSAPx0GtVOZqAk4ae1xh/qutG/PONnVQWcwZQLU=
|   256 90:7d:96:a9:6e:9e:4d:40:94:e7:bb:55:eb:b3:0b:97 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPnBLEC67Ty1ccuPW0DPWevSQAIg39y1jbSVLmegQkZ3vCooq0wheIffYyBhRnAAJj6Fi1jpTxP7u6H8JAqyGjU=
|   256 f9:10:eb:76:d4:6d:4f:3e:17:f3:93:d6:0b:8c:4b:81 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID9o7yWjLL4g6Gu71UeLZB+kbmzW+cp0eiRtb21D1JZC
80/tcp  open  http     syn-ack ttl 127 Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
|_http-title: MegaShopping
443/tcp open  ssl/http syn-ack ttl 127 Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
|_http-title: MegaShopping
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
|_ssl-date: TLS randomness does not represent time
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after:  2019-11-08T23:48:47
| MD5:   a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
| SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
| -----BEGIN CERTIFICATE-----
| MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
| b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
| VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
| 7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
| J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
| gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
| gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
| aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
| vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
|_-----END CERTIFICATE-----
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set

Steps 2 Pwn

  1. Navigated to web page on Port 80 and upon landing, there’s a logon page

  2. Logged in on first attempt using default credentials admin:password. I tried this combo first due to my results from Google searching Apache 2.4.41 default credentials

  3. Discovered the Order page which accepts user input

  4. Inspected the page and discovered a script tag referencing XML version 1.0

  5. Discovered a user daniel on the same page

  6. Given the odd XML behavior, let’s test for some potential XXE vulnerability. I followed HackTricks section on XXE

  7. System is vulnerable to XXE. Now let’s try and find interesting files making sure to remember SSH being open

    The default path for an SSH key is in the user’s home folder under .ssh/id_rsa

  8. Now, let’s copy the key contents and save it to a file!

    echo "<key-contents>" >> daniel_rsa

  9. We need to make sure to set the permissions for the SSH key for it to work

    chmod 600 daniel_rsa

  10. Now, we can attempt to SSH as daniel

    ssh -i daniel_rsa daniel@10.129.95.192

  11. Let’s grab the user flag!

  12. Time to perform some enumeration

    I started by looking for other user’s directories and any files that stood out. When navigating to C:\ I found a non-standard Log-Management folder.

    Within that folder containing a Batch script that looks important

  13. This script references an executable called wevtutil.exe and appears to clear the logs and must be run as Administrator

  14. Let’s see if we have any privileges over this…

    Great, we have Full permissions!

  15. We will check if the batch script is already running

    # enter powershell
powershell

# list running processes
ps

    You should see that the wevtutil is currently running!

  16. Let’s transfer the netcat binary to the victim machine

  17. Let’s change the batch script to get us a reverse shell

    Note: Make sure you’re not still in powershell! If so, just type exit and rerun the command.

  18. Caught the shell! 🎣

  19. Finally, let’s grab the root flag!

Used tools

  • rustscan
  • burpsuite

Trophy

User.txt

032d2fc8952a8c24e39c8f0ee9918ef7

Root.txt

f574a3e7650cebd8c39784299cb570f8