Atom - [HTB]

Marmeus

Introduction

Atom is an easy-medium Hack The Box machine where we have to craft a special .yml file that bypasses the update signature validation in order to obtain a reverse shell as the user jason. Then, to become Administrator, we need to extract an encrypted password used by the PortableKanban program, stored in a Redis database, and decrypt it using a known PortableKanban vulnerability.

Enumeration

As always, let's find all open ports on the machine using nmap.

Then, we continue with a deeper scan of each open port.

The HTTP service looks like a software company's site where you can download a program named Heed. Fortunately, we do not have to reverse engineer it.

Heed webpage

Enumerating the Samba service, there is a shared folder named Software_Updates.

Inside that folder there is a PDF that we can download.

Reading the document, we learn that this application has been packaged with electron-builder and that there is a server running on the machine in charge of updating the application. Furthermore, we can upload updates into the client folders, where the QA team will test them to ensure they install correctly.

Searching Google for "electron-builder update exploit" turns up a post about crafting a latest.yml that allows remote command execution.

Exploitation

In order to turn this into a reverse shell we need to do the following.

First, we need to craft our payload with msfvenom and obtain its SHA-512 hash encoded in base64.

Secondly, we need to craft our latest.yml payload, adding the hash we calculated before and changing the IP address the updater will connect to. This payload will connect to our machine and execute the h'eedv.exe file.

Note: After a lot of trial and error, this is the one that worked for me.

Thirdly, we need to use msfconsole to handle the Meterpreter session.

Fourthly, we need to start an HTTP server in the same folder where our payload was created.

Finally, we need to upload the latest.yml into one of the client folders.

The result is an open session as the user jason, from which we obtain the user flag.
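The root cause here is that the updater trusts whatever latest.yml it finds in the client folder: the file name listed under path is passed through unvalidated (which is why a name containing a quote such as h'eedv.exe matters) and the only integrity check is a hash that the same attacker-controlled manifest supplies. The following Python is an added example written for this writeup, not code from the machine, from electron-builder or from the original post; it shows the two checks a hardened update client would apply before running anything: a strict allowlist on the file name and a constant-time comparison of the downloaded file's base64 SHA-512 against the manifest. The manifest reader only understands the flat top-level key: value lines of latest.yml (an assumption made to avoid a YAML dependency), and the .exe-only naming policy is an assumed one.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, Tuple

# Minimal reader for the top-level "key: value" lines of an electron-builder
# latest.yml. Indented entries (the nested "files:" list), list items and
# comments are skipped; this is an assumption to keep the example dependency-free.
def parse_manifest(text: str) -> Dict[str, str]:
    manifest = {}
    for line in text.splitlines():
        if not line or line[0] in " \t-#":
            continue
        key, sep, value = line.partition(":")
        if sep:
            manifest[key.strip()] = value.strip()
    return manifest

# Assumed policy: a bare file name made of safe characters ending in .exe.
# Quotes, spaces, path separators and other shell metacharacters are rejected,
# so a name like h'eedv.exe never reaches a shell or a signature-check command.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\.exe$")

def sha512_b64(data: bytes) -> str:
    """Base64-encoded SHA-512 digest, the encoding latest.yml uses."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode()

def verify_update(manifest_text: str, payload: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason_or_name) for a manifest and the downloaded file."""
    manifest = parse_manifest(manifest_text)
    name = manifest.get("path", "")
    if not SAFE_NAME.fullmatch(name):
        return False, f"rejected file name {name!r}"
    expected = manifest.get("sha512", "")
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(sha512_b64(payload), expected):
        return False, "sha512 mismatch"
    return True, name

# Constructed sample data for a stand-alone run (not from the machine).
SAMPLE_PAYLOAD = b"MZ\x90\x00constructed-installer-bytes"
SAMPLE_MANIFEST = (
    "version: 1.0.0\n"
    "files:\n"
    "  - url: heed-1.0.0.exe\n"
    f"    sha512: {sha512_b64(SAMPLE_PAYLOAD)}\n"
    "path: heed-1.0.0.exe\n"
    f"sha512: {sha512_b64(SAMPLE_PAYLOAD)}\n"
    "releaseDate: '2021-01-01T00:00:00.000Z'\n"
)

if __name__ == "__main__":
    print(verify_update(SAMPLE_MANIFEST, SAMPLE_PAYLOAD))
    print(verify_update(SAMPLE_MANIFEST.replace("heed-1.0.0.exe", "h'eedv.exe"), SAMPLE_PAYLOAD))
    print(verify_update(SAMPLE_MANIFEST, SAMPLE_PAYLOAD + b"tampered"))
```

Note that the hash check alone would not have saved the Heed updater, because whoever writes latest.yml also chooses the hash; it only proves the download matches the manifest. The protection that actually matters is that the manifest and the binary come from a source the attacker cannot write to (a signed manifest or an authenticated update server rather than a world-writable share), with the name allowlist as defence in depth.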

Privilege escalation

Inside jason's Downloads folder there is a program named PortableKanban, which has an associated vulnerability capable of decrypting its encrypted passwords. So, we need to find some credentials.

With further enumeration of the C:\Program Files\ directory, there is a program named Redis, which manages the databases for PortableKanban.

In order to access the Redis server we need the password for the default user, which is stored in the redis.windows-service.conf file.

Using redis-cli, we can obtain the encrypted credentials for the Administrator user in PortableKanban.

Now, we can use the PortableKanban vulnerability to obtain the Administrator password. However, we need to modify the script so that it decrypts the encrypted password directly, without crafting a PortableKanban.pk3 file. The modified script is the following.

Executing the script, we obtain the password.
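What makes this step possible is that PortableKanban stores passwords with reversible encryption, so anyone who can read the database (here, anyone who can read the Redis password out of a configuration file) can recover the plaintext. The example below is added for this writeup and is not PortableKanban's code or the decryption script from the post; it shows the storage scheme that would have bounded the damage: a salted, iterated one-way hash (PBKDF2-HMAC-SHA256 from the standard library) that lets the application verify a login but gives a database reader nothing to decrypt. The record format and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a 16-byte random
# salt. The iteration count is deliberately high so offline guessing is slow.
ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a one-way record of the form pbkdf2$<iterations>$<salt hex>$<digest hex>.

    A fresh random salt is drawn per password, so two users with the same
    password (or the same user twice) get different records.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        # Malformed record (wrong field count, bad hex, non-numeric iterations).
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    # Constructed credential for a stand-alone run (not the machine's password).
    record = hash_password("constructed-example-password")
    print(record)
    print(verify_password("constructed-example-password", record))
    print(verify_password("wrong-guess", record))
```

The contrast with the Redis-backed store on this box is the point: with a record like the one above, reaching the database through redis-cli would yield only salts and digests, and the attacker would be back to guessing passwords at 600,000 hash iterations each instead of running a decryption script.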

The password can then be used with evil-winrm to obtain a shell as Administrator and read the root flag.