Introduction

Registry is a 40-point machine in HackTheBox's "Hard" category. The machine hosts a private Docker registry server that uses an easy, guessable password. The Docker image on that server contains an SSH key belonging to a user on the main host; after a little research the attacker also finds the key's passphrase and can gain initial access to the main machine. The server runs a CMS called Bolt, and the hash of this application's admin user can be cracked easily. The www-data user is allowed to run the program restic with root privileges to back up the server. Once a backup of the server has been taken, root privileges on the main server can be obtained.


Recon

# Systeminfo
systeminfo
hostname 

# Especially good with hotfix info
wmic qfe get Caption,Description,HotFixID,InstalledOn

# What users/localgroups are on the machine?
net users
net localgroup
net localgroup Administrators
net user morph3

# Crosscheck local and domain too
net user morph3 /domain
net group Administrators /domain

# Network information
ipconfig /all
route print
arp -A

# To see what tokens we have 
whoami /priv

# Recursive string scan
findstr /spin "password" *.*

# Running processes
tasklist /SVC

# Network connections
netstat -ano

# Search for writeable directories
dir /a-r-d /s /b

### Some good one-liners

# Obtain the path of the executable called by a Windows service (good for checking Unquoted Paths):
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul

Elevation of Privileges

General

# PowerShellMafia
# Always use the dev branch; the other branches are unreliable.
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"

# Sherlock
https://github.com/rasta-mouse/Sherlock

# Unquoted paths
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """"

Kerberoast


Introduction

*It is a 64-bit, dynamically linked binary; NX and ASLR are enabled.*

There are many things that can be done in binary analysis, but I will mainly focus on the Ret2Libc attack.
Many other tools can be used; these are the ones I will mainly use:

  • pwntools (python library)
  • A reverse engineering tool (Ghidra, IDA, etc.)
  • gdb-peda
  • ldd
  • readelf
  • strings
  • objdump
  • ropper
  • one_gadget

Analysis

First things first: we need to analyze the binary in order to determine what kind of attack vector to use.


How Buffer Overflow Works

Overwriting the saved return address on the stack by overflowing a buffer lets us return to another address of our choosing, which ends in code execution.

Keep in mind that if NX is enabled we can't just jump directly to shellcode placed on the stack.

Stack state

|                  |
|                  |
|                  |
|      BUFFER      |
|                  |
|                  |
|                  |   Oops, I overflowed it
|__________________|             |
|_______ebp________| ------------|---> Junk buffer ends here
|_______ret________| ------------V---> We overwrite the ret address with the one we want to call
|                  |
|__________________|

junk_buf + system_call + exit_addr + /bin/sh
   |            |            ^          ^
   |            |            |          |
   |            |  first argument       |
   |            |____________|          |
   |                                    |
   |          second argument           |
   |____________________________________|
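The overflow the stack diagrams above describe, as an added example that is not part of the original post: the vulnerable fixed-size buffer filled by an unbounded copy, beside a hardened version that measures the input first and refuses anything that cannot fit with its NUL terminator. The buffer size and the sample inputs are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* size of the stack buffer in both functions below */

/* Vulnerable shape from the stack diagram: a fixed-size stack buffer filled
 * by an unbounded copy. Any input longer than BUF_SIZE - 1 bytes runs past
 * the buffer into the saved frame pointer and saved return address above it.
 * Kept only to show the defect; the demo never feeds it oversized input. */
int copy_unbounded(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);             /* no length check: this is the bug */
    return (int)strlen(buf);
}

/* Hardened form: measure the input without reading past BUF_SIZE bytes and
 * reject anything that does not fit together with its NUL terminator, so the
 * copy can never reach the saved frame pointer or return address.
 * Returns the number of bytes copied, or -1 when the input was rejected. */
int copy_bounded(const char *input) {
    char buf[BUF_SIZE];
    size_t len = 0;
    while (len < BUF_SIZE && input[len] != '\0') {
        len++;
    }
    if (len >= BUF_SIZE) {          /* BUF_SIZE - 1 chars is the maximum */
        return -1;
    }
    memcpy(buf, input, len + 1);    /* len + 1 <= BUF_SIZE, proven above */
    return (int)len;
}

int main(void) {
    /* Constructed inputs: one that fits, one at the boundary, one oversized. */
    char fits[BUF_SIZE], boundary[BUF_SIZE + 1], oversized[200];
    memset(fits, 'A', BUF_SIZE - 1);     fits[BUF_SIZE - 1] = '\0';
    memset(boundary, 'A', BUF_SIZE);     boundary[BUF_SIZE] = '\0';
    memset(oversized, 'A', 199);         oversized[199] = '\0';

    printf("fits:      %d\n", copy_bounded(fits));      /* 63 */
    printf("boundary:  %d\n", copy_bounded(boundary));  /* -1 */
    printf("oversized: %d\n", copy_bounded(oversized)); /* -1 */
    printf("unbounded (safe input only): %d\n", copy_unbounded("short"));
    return 0;
}
```

The boundary case matters: an input of exactly BUF_SIZE characters would fit the characters but not the terminator, and the hardened copy rejects it rather than writing one byte past the buffer.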