Kami's Cybersecurity Blog

This blog is an excellent resource for learning cybersecurity. I will be posting write-ups on Hack The Box machines, providing insights into offensive cybersecurity. Hack The Box offers a range of challenging boxes, each designed to assess your hacking skills. Our write-ups will assist you in comprehending and conquering these challenges.

Clicker

Clicker is a Linux medium Hack The Box machine that was released on 09/23/2023. This box starts with a simple PHP application that allows a user to register an account and play a game that consists of clicking fast. The game endpoint allows users to use a POST parameter that I will modify by abusing a type juggling vulnerability to set my account as admin. Then, I will access the admin panel, from which I can export the highest scores of all players. By injecting PHP code into the game endpoint, specifically into the "nickname" parameter, and then exporting the players' scores, I will gain code execution and access to the box as www-data.

Once inside, I will abuse a program with SUID privileges as "jack" and exploit its functionality to read the id_rsa of the user "jack" and connect as him via SSH. As "jack," I will exploit a shell script that I can run as root. The program uses some Perl environment variables that may be vulnerable to variable hijacking. Since I can specify the 'setenv' parameter before running the program as root, I will hijack a variable to execute commands as root.

Visual

Visual is a medium Windows box from Hack The Box that was released on 09/30/2023. It runs an application that compiles .sln solutions for .NET v6 applications based on a GitHub repository. To gain access, I will create a malicious C++ program with a pre-build function that executes code. Additionally, I will create an HTTP repository, enabling the machine to upload my repository and gain code execution.

With code execution, I will access the box as Enox. This user can place files in the web root directory. Consequently, I will inject malicious PHP code into the web root directory to achieve code execution and obtain a shell as the NT Authority user.

This user has the capability to run a program called "Full Powers," allowing the user to acquire the "SeImpersonatePrivilege." I will exploit this privilege using a technique involving "potatoes." Notably, common potatoes won't work, as the box is a Windows Server 2019, and most of the known vulnerabilities have been patched for this Windows version. However, I will discover a new privilege escalation technique known as "GodPotato," released in May 2023, which will enable me to exploit the privilege and gain code execution as NT Authority System.

Drive

Drive is a challenging Linux box from Hack The Box, released on 10/14/2023. It features an application that allows users to create notes, use groups, reserve notes, and more, with multiple available features. To gain access, I will begin by modifying the request to the endpoint responsible for reserving a note. This will allow me to view content that I'm not supposed to see. Subsequently, I will read the username and password for the user Martin Cruz. With these credentials, I can log in via SSH as that user.

Once inside, I will discover an internally running Gitea application with a backup of the system. I will download the backup and also find the password for unzipping the backups.

Within the backup, there will be an SQLite database containing some 'Django' hashes. I will crack these hashes to find the password for the user 'tomHands' and then connect via SSH as that user. To achieve root access, I will need to reverse-engineer a binary with multiple functionalities, which the user Tom can run as root. Within the binary, I will exploit a SQL injection vulnerability, not for reading data, but for executing commands. I will create a malicious C library, load it into the application by bypassing all the filters, and finally execute commands as the root user.

Appsanity

Appsanity is a challenging Windows box from Hack The Box, released on 28/10/2023. It begins with a simple application that allows me to create a new user and send messages to a supervisor. To gain access, I will exploit the signup page by altering some parameters to add my user as a doctor, granting me higher privileges. I will discover a subdomain with an admin panel exclusively available to doctors. To authenticate as a doctor, I will reuse the cookie from the main website and use it on the portal panel.

Within the 'panel' portal, I will identify and exploit two vulnerabilities. One of them is an upload bypass, where I will bypass the filter for only PDF files and upload an ASPX reverse shell. Since I can't find my file to trigger the shell, I will abuse an SSRF on another endpoint of the 'portal' panel to perform internal port discovery. Using the SSRF, I will trigger the reverse shell on a web proxy.

I will gain access as 'svc_exampanel,' with limited privileges. However, I will have access to a DLL that I will reverse-engineer to understand its behavior. I will discover that it is using data from registry keys to bind with an SQLite database. By dumping the data from the registry key, I will find a possible password for another user on the box. This user, 'devdoc,' is part of the 'remote management system' group, allowing me to connect as him using WinRM.

As this user, I will find an internal .exe file using port '100' for interaction. I will debug and reverse the binary, realizing that it loads libraries depending on the functionality the user calls. I will notice that the program attempts to call a non-existent library when running the 'upload' function. To exploit this, I will find the folder from which it's called and inject a malicious DLL file. Then, I will use Chisel to forward port 100 and interact with the service, triggering the 'upload' functionality and gaining a shell as the Administrator on the box.

Rebound

Rebound is an insane machine from Hack The Box; it is one of the best Active Directory boxes that they have released, and it was extremely challenging to complete.

I will start by finding valid users with two techniques: brute force on Kerberos, and brute-forcing SIDs over SMB with crackmapexec, because it allows anonymous access.

I will find an AS-REP roastable user, but I won't be able to crack his hash. However, since it does not require authentication, I will perform a Kerberoast attack and will find a user with an SPN. I will crack his hash and get valid credentials for the domain.

I will run BloodHound and will not find too much. I will also perform a password spray with the hash that I cracked, and find password reuse for another user. Then I will enumerate the DACL on a specific group and find that my user has enough privileges to modify it. Since the group has GenericAll over the Organizational Unit that contains the only user who is a member of 'Remote Management Users', I will abuse that by granting myself full access to the group, and then abusing the GenericAll to reset the password of the WinRM user, and in that way gain a foothold on the box.

Once inside, I will realize that the user tbrady has a logon session, so I will abuse this by using RemotePotato with NTLM relay to steal his hash and crack his password. Finally, since the user has the privilege of reading the gMSA password of a machine account, and that machine account has DCSync rights over the DC, I will abuse this to perform RBCD (Resource-Based Constrained Delegation) against the domain controller, be able to dump the hashes from it, and finally connect as the user Administrator to the domain.

CyberMonday

CyberMonday is a crazy difficult box, most of it front-loaded before the user flag. I will start with a website, and abuse an off-by-slash nginx misconfiguration to read a .env file and the Git source repo.

I will find a mass assignment vulnerability in the site allowing me to get admin access, which provides a new subdomain for a webhooks API.

I will enumerate that API to find it uses JWTs and asymmetric crypto. I will abuse that to forge a token and get admin access to the API, where I can create webhooks. One of the webhooks allows me to get the server to issue web requests, like an SSRF.

I will abuse that, with a CRLF injection, to interact with the Redis database that is caching the Laravel session data. I will abuse that to get code execution in the web container. From there, I will find a Docker Registry container and pull the API container image. Source code review shows additional API endpoints with an additional header required. I will abuse those to get file read on the API container, and leak the password of a user that works for SSH. To get to root, I will abuse a script designed to allow a user to run docker compose in a safe way. I will create a Docker Compose file with all the capabilities, so I can abuse one of them to affect the host from inside the container and get root.

Nov 25, 2023