In this post, I would like to share a walkthrough of the Hathor machine from Hack The Box.


This machine is rated Insane on Hack The Box.

What will you gain from the Hathor machine?


For the user flag, you will need to abuse the WindCorp web application to obtain a reverse shell on the machine.


As for the root flag, you need to use ticketer.py to obtain an administrator ticket and then use impacket-smbclient to retrieve the root flag.

Information Gathering on Hathor Machine


Once the VPN connection is up (the connection file is downloaded from Hack The Box), we can start information gathering on the machine by running nmap -sC -sV -p- <IP Address> -PN

# Nmap 7.92 scan initiated Tue May  3 23:07:29 2022 as: nmap -sV -sC -oA intial 10.10.11.147
Nmap scan report for 10.10.11.147
Host is up (0.21s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Home - mojoPortal
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 29 disallowed entries (15 shown)
| /CaptchaImage.ashx* /Admin/ /App_Browsers/ /App_Code/ 
| /App_Data/ /App_Themes/ /bin/ /Blog/ViewCategory.aspx$ 
| /Blog/ViewArchive.aspx$ /Data/SiteImages/emoticons /MyPage.aspx 
|_/MyPage.aspx$ /MyPage.aspx* /NeatHtml/ /NeatUpload/
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-05-04 03:27:05Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after:  2023-03-18T07:51:40
|_ssl-date: 2022-05-04T03:28:27+00:00; +19m15s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after:  2023-03-18T07:51:40
|_ssl-date: 2022-05-04T03:28:27+00:00; +19m15s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-05-04T03:28:27+00:00; +19m15s from scanner time.
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after:  2023-03-18T07:51:40
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after:  2023-03-18T07:51:40
|_ssl-date: 2022-05-04T03:28:27+00:00; +19m15s from scanner time.
Service Info: Host: HATHOR; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 19m14s, deviation: 0s, median: 19m14s
| smb2-time: 
|   date: 2022-05-04T03:27:52
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May  3 23:09:15 2022 -- 1 IP address (1 host up) scanned in 105.72 seconds

Let’s access the website interface.


The page doesn’t show much information that we can use.


Therefore, let’s run gobuster against it.


I notice that /admin redirects to the /admin/ directory.

WindCorp Enumeration


When we open that URL, a WindCorp login page appears.


Let’s register a new account.


The account is created successfully, so let’s log in with the credentials we just registered.


Boom! We can see the dashboard.


However, only two users are stored in the website’s database.


We cannot access some of the features. However, I notice that the home page says “Still working on initial setup”.


Therefore, let’s do some research on the developer’s website (the site runs mojoPortal, as the nmap scan showed).


From there, I notice the default credentials, which we can try on the login page.

Access the Windcorp Dashboard as an admin


Let’s try our luck by entering the email admin@admin.com and the password “admin”.


Finally, we get access as admin on the WindCorp dashboard.


There are a lot of features that we can abuse right now.


The page above shows the full details of the server.


When we open the file manager, there are a bunch of folders that we can investigate.


Let’s modify the file so that we can obtain a reverse shell from it.


The code can be found here.


We only need to change the IP and port in the reverse shell code.


Once we have finished modifying the code, we can place the file at /logos/name.aspx.


Next, we start our listener with pwncat and request the file so that it calls back.


Let’s request the file with curl.


Unfortunately, it doesn’t connect at all.


However, we do get a shell when we use an nc listener instead.
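From the defender’s side, the interesting part of this step is that a server-side script was written into /logos/, a directory that should only ever hold images. The Python below is an added example, not code from the walkthrough or from mojoPortal; it walks a web root and flags ASP.NET files that either sit in static-only directories (assumed from the robots.txt entries in the scan and the /logos/ path used here) or contain tokens a theme or logo file has no reason to carry, and it runs against a constructed sample tree.

```python
import os
import tempfile

# Directories that should hold static assets only (assumed from the robots.txt
# entries in the scan and the /logos/ path the shell was dropped into).
STATIC_ONLY_DIRS = ("logos", "Data/SiteImages", "App_Themes")
# Extensions IIS hands to the ASP.NET engine instead of serving as-is.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asax", ".cshtml")
# Strings a theme or logo file has no reason to contain.
SUSPICIOUS_TOKENS = ("System.Diagnostics.Process", "cmd.exe", "TcpClient", "WScript.Shell")

def scan_webroot(webroot):
    """Return (relative_path, reason) for every file that looks like a planted webshell."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        in_static = any(rel_dir == d or rel_dir.startswith(d + "/") for d in STATIC_ONLY_DIRS)
        for name in files:
            if not name.lower().endswith(SCRIPT_EXT):
                continue
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            if in_static:
                hits.append((rel, "server-side script in static-only directory"))
                continue
            with open(os.path.join(dirpath, name), errors="replace") as fh:
                found = [t for t in SUSPICIOUS_TOKENS if t in fh.read()]
            if found:
                hits.append((rel, "suspicious token(s): " + ", ".join(found)))
    return hits

def build_sample_webroot():
    """Constructed sample tree: two benign files and two planted ones."""
    root = tempfile.mkdtemp()
    layout = {
        "Default.aspx": '<%@ Page Language="C#" %><html>Home - mojoPortal</html>',
        "logos/site.png": "PNG placeholder (constructed)",
        "logos/name.aspx": '<%@ Page Language="C#" %><!-- constructed, not a real shell -->',
        "App_Code/Helper.aspx": "<%-- constructed sample mentioning System.Diagnostics.Process --%>",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

Run scan_webroot against a real IIS web root and diff the result against a known-good baseline to catch files like /logos/name.aspx the moment they appear.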


While roaming inside the shell, I notice there’s a folder called Get-bADpasswords.


After a while, I found some CSV files that might be useful to us, and I found some credentials within one of them.


At last, we managed to retrieve the password.


Let’s create a .dll file to obtain a reverse shell connection that way.


We can use x86_64-w64-mingw32-gcc to compile the file that we created earlier.


The command above is the right one.


Let’s transfer it using a Python proxy running on our attacker machine.


We can retrieve it using the curl command above.


After a while, the shell connection comes back to us.


Finally, we can read the user flag by executing the type user.txt command.

Escalate to Root Privileges Access on Hathor machine


There’s a pfx file inside the Recycle Bin.


We can create a new folder on C:\


The next step is to move Get-bADpasswords to a temporary file in the folder that we created earlier.


Let’s try to build the reverse shell command using Bginfo64.exe and Get-bADpasswords.


Let’s start our nc listener.


Let’s execute the command above so that we get another shell.


We can use ticketer.py to obtain an administrator ticket.


Once that is done, we export the ticket cache and then use impacket-smbclient to retrieve administrator access. Sadly, we get a “clock skew too great” error.


Therefore, we can run sudo ntpdate <IP Address> to synchronise our clock with the target, then execute the previous command again.
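Why ntpdate fixes it: the nmap scan at the start of the post already reported a clock skew of about 19 minutes, and Kerberos by default rejects requests whose timestamp is more than five minutes off the KDC’s clock. The Python below is an added example, not code from the walkthrough or from Impacket; it parses a constructed excerpt of that nmap report to pull out open ports and the reported skew, and lists the findings a defender would act on (the five-minute tolerance is the Kerberos default and is assumed here for this domain).

```python
import re
from datetime import timedelta

# Constructed excerpt of the nmap report from the start of the walkthrough.
NMAP_REPORT = """\
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-05-04 03:27:05Z)
445/tcp  open  microsoft-ds?
Host script results:
|_clock-skew: mean: 19m14s, deviation: 0s, median: 19m14s
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
SKEW_RE = re.compile(r"clock-skew: mean: (-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")
KERBEROS_MAX_SKEW = timedelta(minutes=5)  # Kerberos default tolerance, assumed here

def parse_open_ports(report):
    """Map each open port to its (service, version) tuple."""
    ports = {}
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4), m.group(5).strip())
    return ports

def parse_clock_skew(report):
    """Return the host clock skew as a timedelta, or None if nmap did not report one."""
    m = SKEW_RE.search(report)
    if not m:
        return None
    sign = -1 if m.group(1) == "-" else 1
    hours, minutes, seconds = (int(x or 0) for x in m.groups()[1:])
    return sign * timedelta(hours=hours, minutes=minutes, seconds=seconds)

def kerberos_skew_ok(skew):
    """The KDC rejects requests whose timestamp is off by more than the tolerance."""
    return skew is not None and abs(skew) <= KERBEROS_MAX_SKEW

def findings(report):
    """Defender-oriented notes derived from the scan."""
    ports, skew = parse_open_ports(report), parse_clock_skew(report)
    notes = []
    if 88 in ports and skew is not None and not kerberos_skew_ok(skew):
        notes.append(f"kerberos: clock skew {skew} exceeds {KERBEROS_MAX_SKEW}; "
                     "sync clients and check the DC's time source")
    if "Potentially risky methods: TRACE" in report:
        notes.append("http: TRACE method enabled on IIS; disable it")
    return notes
```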


Finally, it works like a charm!


We can read the root flag by downloading it to our machine and reading it there.

Extra Information