# Hack The Box - Hackback

## Quick Summary

Hey guys, today Hackback retired and here’s my write-up about it. Hackback was a very hard machine full of different steps and rabbit holes. It’s a Windows machine and its IP is 10.10.10.128; I added it to /etc/hosts as hackback.htb. Let’s jump right in!

## Nmap

As always we will start with nmap to scan for open ports and services:

```
nmap -sV -sT -sC hackback.htb
```

We got two http ports, 80 and 6666, I also ran a full scan but we’ll get to that later.

## HTTP

I checked both ports, on 80 there was this donkey image :

I ran gobuster and it got nothing.
I couldn’t send a request to port 6666 from the browser so I used curl :

It says "Missing Command!"
So I tried /help :

It returned a list of what commands we can use. /whoami lists information about the user running this service, not really important. /list lists the files in the current directory :

/info prints system information, we might need that :

/services lists the services, that’s also important and we might need it later :

/netstat lists the listening ports, we can check that when we need to know about some internal services but for now we will just ignore it. The rest of the commands are not really doing anything useful. I tried to exploit this service since it’s executing system commands, however it wasn’t possible.
I used wfuzz with subdomains-top1million-5000.txt from seclists to enumerate any possible subdomains :

admin gave a different response length, I added it to /etc/hosts :

Which actually didn’t do anything :

Also the password reset and sign-up pages are non-existent :

By looking at the page source :

We notice this weird comment : <!-- <script SRC="js/.js"></script> -->
However /js gave a 403 :

I ran gobuster with /usr/share/wordlists/dirb/common.txt and .js extension :

## Script Deobfuscation

By looking at private.js it’s not really what we expect a javascript file to be :

The first thing we notice is that it isn’t actually JS. `ine n`? That doesn’t look like JS; most likely it’s meant to be `var`. v is the 22nd letter of the alphabet while i is the 9th, and 22 - 9 = 13.
So this script is ROT13 encoded. I used rot13.com to decode it :
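The same reasoning in code, as an added example that is not part of the original write-up: recover the Caesar shift from a known keyword (`var` showing up as `ine`), then decode the whole file. The obfuscated snippet is a constructed sample, not the real private.js.

```python
# Constructed sample: ROT13 of the line  var n = 'hello';
SAMPLE = "ine a = 'uryyb';"


def caesar_decode(text: str, shift: int) -> str:
    """Undo a Caesar shift of `shift` positions, leaving non-letters untouched."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") - shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") - shift) % 26 + ord("A")))
        else:
            out.append(ch)  # digits, quotes, operators pass through
    return "".join(out)


def letter_shift(cipher_word: str, plain_word: str) -> int:
    """Shift that maps plain_word onto cipher_word, e.g. 'var' -> 'ine' gives 13.
    Every letter pair must agree, otherwise it is not a simple Caesar shift."""
    if len(cipher_word) != len(plain_word):
        raise ValueError("words must have the same length")
    shifts = {(ord(c) - ord(p)) % 26
              for c, p in zip(cipher_word.lower(), plain_word.lower())
              if c.isalpha() and p.isalpha()}
    if len(shifts) != 1:
        raise ValueError(f"inconsistent shifts: {sorted(shifts)}")
    return shifts.pop()


def find_shift(cipher_text: str, known_word: str = "var") -> int:
    """Generalisation of the 'ine == var' guess: try every shift 1..25 and
    return the first one whose decoding contains the expected keyword."""
    for shift in range(1, 26):
        if known_word in caesar_decode(cipher_text, shift):
            return shift
    raise ValueError("no Caesar shift produces the keyword")


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so encoding and decoding are the same call."""
    return caesar_decode(text, 13)


if __name__ == "__main__":
    shift = find_shift(SAMPLE)
    print(f"detected shift {shift}: {caesar_decode(SAMPLE, shift)}")
```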

Now this is better. I also used a js beautifier to make it easily readable :

As you can see it’s still heavily obfuscated, I solved this by pasting the code in the js console. It will do the magic happening in these functions then we can just read the variables at the bottom of the script : x z h y t s i k w

We got this message :

Going to that path only caused a redirect, so we need to enumerate more.

## Accessing the Secret Path

From the secret message we know what parameters it’s expecting us to send : (?action=&site=&password=&session=). This is probably gonna be a php page. So I ran gobuster on that path with the same wordlist I used before and .php extension :

Great we got webadmin.php, I tried again and now I didn’t get a redirect :

But I got Wrong secret key!, and that’s expected because I set the password to test. I used wfuzz again with darkweb2017-top10000.txt from seclists to bruteforce the password which happened to be a very easy one :

12345678 gave a different response length so it’s probably the password :

Yes it worked. I added my PHPSESSID cookie with the -b option and I also added it to &session=, because some stuff didn’t work without including the session cookie.
list showed us some logs. I tried the other actions, exec said Missing command but I couldn’t make it execute anything. init didn’t output anything but most likely it’s doing something that doesn’t produce an output. Also show didn’t result in any output but we will make it do soon.

## Gophish

Let’s take a look at the full nmap scan:

```
nmap -T5 -p- hackback.htb --max-retries 1
```

There’s a third port: 64831. I scanned that port with nmap:

```
nmap -sV -sT -sC -p 64831 hackback.htb
```

It’s https. I went there and it was gophish :

"Gophish is a powerful, open-source phishing framework that makes it easy to test your organization’s exposure to phishing." (getgophish.com)

I tried to log in with the default credentials admin:gophish and it worked :

It was kinda empty but I found some email templates for Facebook, HackTheBox, PayPal and Twitter.

So there are phishing sites somewhere for these sites and now we can understand what’s happening in the secret path. It’s an endpoint that shows the collected data from the phishing sites. I created a small list to search for HackTheBox phishing site :

Then I used wfuzz :

www.hackthebox gave a different response length so it’s the right one. I added it to /etc/hosts :

http://www.hackthebox.htb :

Just a fake Hack The Box login page. I entered test credentials :

Then I checked the secret path again and did list :

The logs increased by one. I did show and found the credentials I just sent :

With a functionality like this, there might be some injection somewhere. After some attempts I tried php code and it was executed :

The username is empty instead of printing the text I have sent, which means that it got executed as php. However all the functions we would use to get RCE like exec and system are disabled so … no we won’t have a shell now.
I wanted to list the files in the current directory so I used the scandir() function :

I went up one directory :

web.config and web.config.old look interesting. I checked them and in web.config.old I found some credentials. I used the file_get_contents() function :
```php
<?php echo file_get_contents('../web.config.old'); ?>
```

web.config.old :

Credentials: simple:ZonoProprioZomaro:-(. However there’s no place to use these credentials yet. I went back to the HTTP service on port 6666 and executed netstat. I found that WinRM was listening internally :

So we need a proxy running on the box to let us reach WinRM internally. Luckily there’s reGeorgSocksProxy.
I downloaded tunnel.aspx, converted it to base64 and then wrote it to the webroot through the same injection using file_put_contents() and base64_decode() :

Then I checked the tunnel :

Great !

## Running the Proxy Server, Shell as simple

First thing to do is to configure proxychains to use whatever port we like, I used 8888 :
/etc/proxychains.conf :

Then I used reGeorgSocksProxy.py and gave it the port and the path :

Now we can connect as simple. I used Alamot’s winrm ruby shell :

And... no flag!

## clean.ini, Shell as hacker

I checked c:\ and found a strange directory called util :

c:\util:

However there was a hidden directory, visible if we do `dir -force` :

A new directory appeared: scripts. Looking in that directory :

Without talking too much about the rabbit holes and failed attempts, let’s check clean.ini :

Obviously it gets executed from time to time, and it’s the only thing in that directory writable by simple. We can inject commands in LogFile, which means we can make another user execute our commands. I tried to upload nc.exe but :

Expected. I terminated that winrm session and used Alamot’s other winrm shell that had upload and download capabilities :

Then I uploaded nc.exe to C:\windows\system32\spool\drivers\color\ (a directory that is writable yet allowed by the default AppLocker rules) :

After that I used simple echo commands to edit clean.ini. It should look like this :

This way we can get a bind shell.

After some time the listener starts and we can connect to port 1338 through the proxy :

Finally we owned user !

## UserLogger, Filesystem Access as System, Root Flag

After getting a shell as hacker I did my regular Windows enumeration, one thing I wanted to check was the services, I remembered the services list I got from port 6666 so I checked that.
I noticed a strange service called UserLogger :

So I checked the entry of that service in registry :

Description says it’s responsible for logging user activity. I tried to start that service as hacker :

hacker was allowed to start and stop the service. I started to look more into the service and test it. I created a test file called test.txt, then started the service and gave it the file as a parameter: `sc start userlogger test.txt`. It created a new file called test.txt.log :

Nothing interesting, however when I checked the permissions of that file :

It’s readable by everyone. This means we can use this service to make anything we don’t have access to readable, but how will we do that? It adds .log after the file name.
Since Windows doesn’t accept `:` in file names, we can try to read root.txt like this: `sc start userlogger C:\users\administrator\desktop\root.txt:`
When it tries to add .log, everything after the `:` is dropped and the new permissions are applied to root.txt itself :

It worked and we are able to read root.txt. But what is this ? A troll ?
Just like bighead I suspected that it had an alternate data stream, but without using streams.exe I tried some stuff and one of my guesses worked :

And we owned root !
That’s it, feedback is appreciated!