write-up

Write-up for the machine RE from Hack The Box. A fun one if you like Client-side exploits. You check out the website and find a blog with plenty of information on bad Office macros and malware analysis. A writable SMB share called "malware_dropbox" invites you do upload a prepared .ods file, which is all you need for the initial shell. The script that processes these uploads contains comments with hints about downstream .rar file processing. You guess this must be about the WinRAR ACE vulnerability, prepare an archive which writes a web shell and voilà, you get another shell. This is where the intended way would have been to upload yet another malicious file, this time exploiting an XXE in Ghidra. I did it in a different way though, by service abuse to become SYSTEM. Surprisingly, this was not enough to read the flag. It is encrypted with EFS and only the right user can read it. As SYSTEM though it is easy to impersonate this user since we get all the NT hashes and can pass them to WinRM, which can be accessed remotely after forwarding the port.

Write-up for the machine Carrier from Hack The Box. This box is really fun since it allows you to try something yourself that you otherwise only hear about in the news. BGP hijacking is required to get the root flag. You start by checking out the admin interface of an ISP called Lyghtspeed Networks. Fuzzing the web server, you find some documentation on error codes which suggest you could log in with default admin credentials. However, the password is a serial number of the device. Some UDP port scans later you realize there is SNMP running and it spits out this number. Once inside the admin interface you read some support tickets. One of them is about an important FTP server is a specific network attached to a neighboring AS. Also, there is a feature to check router status which turns out to be vulnerable to command injection. This vulnerability turns into a shell on the router. This was all easy but now the fun begins. You must carefully manipulate the route advertisements to direct the traffic to this mysterious FTP server over the compromised router. Dumping the traffic reveals the FTP password. The root flag is now only one FTP download away. All in all a really interesting challenge and a great way to learn more about how the Internet actually works.

Write-up for the machine Access from Hack The Box. This one is a pretty easy box. The main challenges are processing proprietary Windows files (MS Access DBs, MS Outlook PST files, Windows shortcuts) on a Kali box and understanding stored Windows credentials. To get started, enumerate to find open FTP and Telnet ports as well as a web server. Ignore port 80 and log into FTP anonymously to find a Microsoft Access database with a username and password inside. Use it to get a shell via the Microsoft Telnet service available on port 23. To escalate privileges, you can now use "runas" with saved admin credentials. On one of the users' desktops there is a shortcut which is a hint to this solution. However, it is also easily discovered by enumeration. Although not necessary to get the flag, I demonstrate in the end of this post how to get the plaintext admin password using impacket.

Write-up for the machine Active from Hack The Box. The machine is a very interesting exercise for those who do not work with Active Directory domain controllers every day but want to dive deeper into their inner workings. Basically, you find one such domain controller with plenty of open ports. After a short distraction in form of a web server with no content, you find that you get unauthenticated access to an SMB share with some group policy files in it. Inside, you find an encrypted password. It is easy to decrypt though since the key is public information. With these credentials, you get not only the first flag but also access to the AD itself. Searching for server principal names reveals that the Administrator account is kerberoastable. With impacket and john, it is easy to crack the password of this account. Now the root flag is only one execution of psexec away.

Write-up for the machine Dropzone from Hack The Box. This is a very interesting box since you have to get in only by writing files to arbitrary locations. An initial TCP port scan returns no open ports at all, only after scanning UDP you find an open TFTP daemon on port 69. After playing with it a little, you find out the box is an old Windows XP machine and you can read and write anywhere. The flag is hidden so you need a shell to explore the system. Remembering the old Stuxnet exploits, you can find a way in by exploiting Windows WMI with a malicious MOF file uploaded to a special folder. The last step to get both flags is to read the ADS of the hidden file, which only works after uploading the streams.exe tools from Sysinternals.

Write-up for the machine DevOops from Hack The Box. The box is Python-focused and illustrates nicely the various kinds of mistakes you can make when using Python libraries carelessly. XML parsing is vulnerable to XXE, giving access to source code. The source reveals that pickle is used to parse user input, which turns into RCE as an unpriviledged user. From there, searching the history of a git repository left on the box exposes a deleted private key, which can be used to SSH in with root. There is an unintended shortcut since the SSH key of the unpriviledged user is accessible via XXE, but I ignore this way in for this write-up.

Write-up for the machine Sunday from Hack The Box. The box is pretty straightforward but still cool to do. You start with enumerating finger, finding some usernames. If you did thorough port scans and did not miss SSH on a non-standard port, one of these names allow you to brute-force your way into the box. Cracking a password hash from a shadow-file backup you find get's you to the other, from which you can escalate to root after realizing you can sudo wget.

Write-up for the machine SolidState from Hack The Box. Requires thorough port scanning to find an esoteric telnet admin interface of the Apache James email server. With default root credentials, you become James admin and break into people's email inboxes. Inside, you find SSH credentials, bypass a restricted shell and finally find an insecure cron job to escalate to root.

Write-up for the Hack The Box machine called Calamity. Involves basic enumeration, finding a way into a hidden admin panel of the webserver, injecting PHP code after getting past the login, evading an intrusion detection system, recovering an SSH password hidden inside audio files and finally using LXD/LXD to exploit a user administration mistake to get root.