In this post, I would like to share a walkthrough of the Sekhmet machine from Hack the Box.


This machine is rated Insane on Hack the Box.

What will you gain from the Sekhmet machine?


For the user flag, you will need to abuse the ExpressJS website, which is vulnerable to a deserialization attack. I need to bypass the ModSecurity web application firewall to obtain code execution. From there, I get a backup archive and break its encryption using the bkcrack tool, which leads us to a root shell on the VM. I also use proxychains to access the share, and LDAP enumeration gives us a mobile attribute for a user in the Active Directory environment. We also need to bypass AMSI and AppLocker to obtain a reverse shell on the Windows machine.


As for the root flag, you only need to pivot through a few accounts, which leads to Administrator access by retrieving the administrator’s password from the Excel file.

Information Gathering on Sekhmet Machine


Once we have started the VPN connection, which requires a download from Hack the Box, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -Pn

┌─[darknite@parrot]─[~/Document/htb/Sekhmet]
└──╼ $nmap -sC -sV 10.10.11.179 -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-27 00:30 EDT
Nmap scan report for 10.10.11.179
Host is up (0.26s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 8c:71:55:df:97:27:5e:d5:37:5a:8d:e2:92:3b:f3:6e (RSA)
|   256 b2:32:f5:88:9b:fb:58:fa:35:b0:71:0c:9a:bd:3c:ef (ECDSA)
|_  256 eb:73:c0:93:6e:40:c8:f6:b0:a8:28:93:7d:18:47:4c (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: 403 Forbidden
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.90 second

Therefore, let’s access the website interface.

┌──[darknite@parrot]─[~/Document/htb/Sekhmet]
└──╼ $curl http://10.10.11.179
<html>
<head>
<script>

window.location.replace("http://www.windcorp.htb");
</script>
</head>
<body>
<h2>Nothing to see here, move along.</h2>
</body>
</html>

Curling the IP address gives us the domain from the redirect.


However, we didn’t see anything useful on the website itself.


Sadly, it’s the same story with gobuster.


Nothing was found in Burp Suite either.


I also tried to enumerate subdomains with gobuster, but didn’t get anything from it.


However, a few days after the first enumeration, I managed to retrieve a subdomain.


Accessing the subdomain redirects to a login page.


We managed to access the windcorp dashboard via default credentials such as admin:admin.


Sadly, the website is still “Under construction”.


Therefore, let’s analyze the request in Burp Suite. I noticed one cookie that looks like a JWT token.


The decoded JWT token is shown above.

Bypassing ModSecurity by using nodejsshell on the machine


As a result, we use nodejsshell.py as shown above, which gives us the payload encoded as a character-code string.


I then paste the new JWT token into the request in Burp Suite.


The nc connection that comes back shows it’s a Linux server, even though the creator said it’s a Windows machine.
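To see what a cookie like this actually carries before it reaches a deserializer, the following added example (my own Python, not code from the post or from nodejsshell.py) decodes a JWT-shaped cookie without trusting it, expands any String.fromCharCode(...) sequences back into text (reversing the character-code encoding that hides keywords from a signature-based WAF such as ModSecurity), and flags the Node.js API names a detection rule would look for. The sample cookie values and the token list are constructed for the example. The point for a defender is that a WAF or log rule must normalise the value before matching, and that an application should verify a signature and validate a schema instead of deserializing cookie content into live objects.

```python
import base64
import json
import re

# Node.js API names that an injected or deserialized payload usually reaches for.
# A match is a heuristic for a WAF or log-review rule, not proof of compromise.
SUSPICIOUS_TOKENS = (
    "require(", "child_process", "process.binding", "eval(",
    ".exec(", ".spawn(", "mainModule",
)

_CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]*)\)")


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWT-style tokens drop."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_charcodes(text: str) -> str:
    """Expand every String.fromCharCode(n, n, ...) call into the string it builds.

    This reverses the character-code encoding used to hide keywords from a
    signature-based WAF, so the rules below inspect the real content.
    """
    def _expand(match):
        codes = [int(c) for c in match.group(1).replace(" ", "").split(",") if c]
        return "".join(chr(c) for c in codes)

    return _CHARCODE_RE.sub(_expand, text)


def inspect_cookie(value: str) -> dict:
    """Decode a JWT-like cookie WITHOUT trusting it and report what it carries."""
    report = {"segments": [], "obfuscated": False, "suspicious": []}
    for index, segment in enumerate(value.split(".")):
        try:
            raw = b64url_decode(segment).decode("utf-8", errors="replace")
        except ValueError:  # includes binascii.Error: not base64, inspect as-is
            raw = segment
        expanded = decode_charcodes(raw)
        if expanded != raw:
            report["obfuscated"] = True
        try:
            parsed = json.loads(expanded)
        except json.JSONDecodeError:
            parsed = None
        report["segments"].append({"index": index, "json": parsed, "text": expanded})
        for token in SUSPICIOUS_TOKENS:
            if token in expanded and token not in report["suspicious"]:
                report["suspicious"].append(token)
    return report


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed samples (not the cookie from the post): JWT-shaped header.payload.sig
# values; the second one smuggles require('child_process') as character codes.
SAMPLE_BENIGN = (_b64url({"alg": "HS256", "typ": "JWT"}) + "."
                 + _b64url({"username": "admin", "profile": "none"}) + ".sig")
SAMPLE_OBFUSCATED = _b64url({"alg": "HS256", "typ": "JWT"}) + "." + _b64url({
    "username": "admin",
    "profile": "String.fromCharCode(114,101,113,117,105,114,101,40,39,99,104,105,"
               "108,100,95,112,114,111,99,101,115,115,39,41)",
}) + ".sig"

if __name__ == "__main__":
    print(json.dumps(inspect_cookie(SAMPLE_OBFUSCATED), indent=2))
```

Running the module prints the report for the obfuscated sample: the second segment is marked as obfuscated and both require( and child_process show up in the suspicious list, even though neither string appears literally in the cookie.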

Analyzing the backup file to escalate access on the Sekhmet machine


Therefore, let’s use pwncat-cs to get a reverse shell connection back to us.


As shown in the screenshot above, we see one zip file called backup.zip, which might be useful for further analysis.


Sadly, we cannot unzip backup.zip because we don’t have the password.

Cracking the backup.zip encryption via the bkcrack tool on the Sekhmet machine


As a result, let’s upload the bkcrack binary to the victim’s machine.


Next, copy /etc/passwd on the victim’s machine and zip it, so we have a known plaintext for bkcrack (the archive being attacked must contain the same file).


Let’s give the bkcrack file execute permission so that we can work with it in the next stage.


Running the command above recovers the internal keys, which lets us reset the password of backup.zip.


Next, we run bkcrack again with the keys we found earlier.


Boom! At last, we can unzip backup.zip with the password that we reset earlier.


After analyzing the directories and files from backup.zip, I found a location that we can investigate further.


After a while, we managed to retrieve potential usernames and hashes, which we can crack with hashcat later.


Aside from that, we also managed to obtain another subdomain, hope.windcorp.htb.


We managed to obtain the hashes for ray.duncan.


At last, we managed to obtain a password for the user.
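bkcrack works only against the legacy ZipCrypto scheme (PKWARE’s stream cipher), which falls to a known-plaintext attack with as little as a dozen bytes of known content. The check a defender wants is therefore whether a backup relies on it at all. The following added example (my own Python, standard library only, not code from the post or from bkcrack) classifies every entry of a ZIP archive as unencrypted, ZipCrypto or AES (compression method 99) by reading the central directory. Because the standard library cannot write encrypted archives, the sample archives are constructed by building a plain ZIP and patching its central-directory headers so they claim encryption, which is all the auditor inspects.

```python
import io
import struct
import zipfile

_CDIR_SIG = b"PK\x01\x02"     # central-directory file header signature
_EOCD_SIG = b"PK\x05\x06"     # end-of-central-directory record signature
_FLAG_ENCRYPTED = 0x0001       # general-purpose bit 0: entry is encrypted
_METHOD_AES = 99               # compression method 99: WinZip AES extra-data scheme


def audit_zip(data: bytes) -> list:
    """Classify every entry of a ZIP archive by the encryption scheme it uses.

    'zipcrypto' is the legacy PKWARE stream cipher: a few bytes of known
    plaintext let a tool such as bkcrack recover the internal keys, so a backup
    protected this way is not confidential. 'aes' entries (method 99) do not
    share that weakness. 'none' entries are stored in the clear.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.compress_type == _METHOD_AES:
                scheme = "aes"
            elif info.flag_bits & _FLAG_ENCRYPTED:
                scheme = "zipcrypto"
            else:
                scheme = "none"
            findings.append({"name": info.filename, "scheme": scheme,
                             "weak": scheme == "zipcrypto", "size": info.file_size})
    return findings


def weak_entries(data: bytes) -> list:
    """Names of the entries a known-plaintext attack could expose."""
    return [f["name"] for f in audit_zip(data) if f["weak"]]


# --- constructed sample archives (not the backup.zip from the post) ----------

def _build_plain_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        zf.writestr("notes.txt", "nothing sensitive here\n")
    return buf.getvalue()


def _mark_encrypted(data: bytes, name: str, aes: bool = False) -> bytes:
    """Rewrite one central-directory header so it *claims* the entry is encrypted.

    Only metadata changes (the stdlib cannot write encrypted archives), which is
    all the auditor reads. aes=True additionally sets method 99 to mimic AES.
    """
    buf = bytearray(data)
    eocd = buf.rfind(_EOCD_SIG)
    (cd_offset,) = struct.unpack_from("<I", buf, eocd + 16)   # start of central dir
    pos = buf.find(_CDIR_SIG, cd_offset)
    while pos != -1:
        (name_len,) = struct.unpack_from("<H", buf, pos + 28)  # file name length
        if buf[pos + 46:pos + 46 + name_len] == name.encode():
            (flags,) = struct.unpack_from("<H", buf, pos + 8)  # general-purpose flags
            struct.pack_into("<H", buf, pos + 8, flags | _FLAG_ENCRYPTED)
            if aes:
                struct.pack_into("<H", buf, pos + 10, _METHOD_AES)  # compression method
        pos = buf.find(_CDIR_SIG, pos + 4)
    return bytes(buf)


SAMPLE_PLAIN = _build_plain_zip()
SAMPLE_ZIPCRYPTO = _mark_encrypted(SAMPLE_PLAIN, "etc/passwd")
SAMPLE_AES = _mark_encrypted(SAMPLE_PLAIN, "etc/passwd", aes=True)

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("zipcrypto", SAMPLE_ZIPCRYPTO),
                          ("aes", SAMPLE_AES)):
        print(label, weak_entries(sample), audit_zip(sample))
```

Point audit_zip at a real backup (open(path, "rb").read()) and any name returned by weak_entries is an entry whose password offers no protection against someone who can guess one of its files, exactly as /etc/passwd is guessed in the walkthrough.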

SSH access to the machine as ray.duncan@windcorp.htb


We managed to access the machine via the SSH service.


Therefore, we can use the command above to switch to root@webserver.


From the IP address, we can infer that we are inside a Docker environment.


We can read the user flag by typing the “cat user.txt” command.

Escalating to Root Privileges on the Sekhmet Machine


Let’s enumerate the ports open on the server.


The output should look like the screenshot above.


On the attacker’s machine:


On the victim’s machine:


If the port forwarding succeeds, it should look something like the screenshot above.

Playing around with the proxychains tool on the Sekhmet machine


Boom! We managed to link our attacker’s machine with the victim’s machine.


Next, we can create the ticket.


As a result, we can export the ticket.


We then run smbclient, but the connection is refused.


So we modify proxychains.conf and add the configuration line socks5 127.0.0.1 1080.


We also need to add the domain to the /etc/hosts file.


Finally, the command works like a charm!


There’s a file in the /temp directory called debug-users.txt.


Sadly, we cannot read the file over the SMB service.


Inside the file there is a list of names, which are usernames.

Another tool to play with: the LDAP package


Next, we gather information with the ldapsearch command.


We obtained a ton of information, but what caught my attention is the attribute mobile: 43235345, which I don’t have.


My first thought was that we could use msfvenom on the machine, but sadly it doesn’t work.


Let’s run ldapmodify from the root machine, but we run into a character limit.

AMSI and AppLocker bypass


This is a Windows machine that may have security features preventing a reverse shell from running. We can assume AppLocker is in use, which also suggests AMSI may be active. It may therefore be hard to run a reverse shell directly, and we should look for an alternative way to get one.


After some research on the Internet, we found these two resources that we can use for this activity:

  1. MinatoTW/CLMBypassBlogpost: This code was used for the blogpost on secjuice. (github.com)
  2. Powershell CLM Bypass Using Runspaces (secjuice.com)

For this activity, I open Visual Studio 2022 on my Windows machine, as shown in the screenshot above. We modify the command on line 49. To be safe, we use a single-character file name with the .ps1 extension.


Next, we compile the modified program with the command above.


The file should look the same as in the screenshot above.


We start our usual nc listener as shown above.


We also start the Python HTTP server.

LDAP enumeration with RCE on the Sekhmet machine


First, we prepare the LDIF files shown above.


Next, we upload the exe file to the victim’s machine under c:\windows\debug\wia.


As a result, we can update the server by running ldapmodify.


We should then get a response showing that d.ps1 was successfully uploaded to the victim’s machine.


It should look something like the screenshot above.


We can start the exe file by running the command above.


As a result, we can update the server again by running ldapmodify.


In the ps1 file, we insert the reverse shell at the top of the file.


When we see a response like the screenshot above, we should get the reverse shell on the machine.
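The two LDAP steps above (the user-writable mobile attribute found with ldapsearch, and the ldapmodify updates used to get code execution) show the same weakness from both sides: a directory attribute that some script on the domain treats as trusted input. The following added example (my own Python, not code from the post) is the audit a defender can run over an LDIF export from ldapsearch: it parses the LDIF (comment lines, folded lines, base64 values) and flags phone-number attributes whose value cannot be a phone number. The sample entries, the attribute list and the 64-character limit are constructed assumptions, not values from the post.

```python
import base64
import re

# Attributes that should only ever hold a phone number. The post shows 'mobile'
# being user-writable and consumed by something that runs its content, so a
# value in one of these that cannot be a phone number is the thing to alert on.
PHONE_ATTRS = ("mobile", "telephoneNumber", "homePhone", "pager")
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ().-]{2,30}$")
# Assumed bound for illustration: the post only says ldapmodify hit "a character
# limitation", not how long the attribute may be.
MAX_PHONE_LEN = 64


def parse_ldif(text: str) -> list:
    """Parse ldapsearch/LDIF output into [{'dn': ..., 'attrs': {name: [values]}}].

    Handles '#' comment lines, folded continuation lines (leading space) and
    base64 values written as 'attr:: ...'.
    """
    entries, current, logical = [], None, []

    def handle(line: str) -> None:
        nonlocal current
        if not line or line.startswith("#"):
            return
        name, sep, value = line.partition(":")
        if not sep:
            return
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
            entries.append(current)
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)

    for raw in text.splitlines() + [""]:     # sentinel flushes the last line
        if raw.startswith(" ") and logical:
            logical.append(raw[1:])          # LDIF folding: drop the one space
            continue
        handle("".join(logical))
        logical = [raw]
    return entries


def audit_entries(entries: list) -> list:
    """Flag phone attributes whose value cannot be a phone number."""
    findings = []
    for entry in entries:
        for attr in PHONE_ATTRS:
            for value in entry["attrs"].get(attr, []):
                if len(value) > MAX_PHONE_LEN:
                    reason = "exceeds assumed schema length"
                elif not PHONE_RE.match(value):
                    reason = "not a phone number"
                else:
                    continue
                findings.append({"dn": entry["dn"], "attr": attr,
                                 "value": value, "reason": reason})
    return findings


# Constructed sample loosely shaped like ldapsearch output (not the real export).
_NON_PHONE = base64.b64encode(b"cmd /c C:\\temp\\run.ps1").decode()
SAMPLE_LDIF = f"""# search result
dn: CN=Alice Example,OU=Users,DC=example,DC=htb
sAMAccountName: alice.example
mobile: +44 20 7946 0958
description: folded across
  two lines

dn: CN=Bob Sample,OU=Users,DC=example,DC=htb
sAMAccountName: bob.sample
mobile:: {_NON_PHONE}
"""

if __name__ == "__main__":
    for finding in audit_entries(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Feed it the output of ldapsearch (ldapsearch ... mobile telephoneNumber > export.ldif, then parse_ldif(open("export.ldif").read())) on a schedule, and any finding is an attribute being used as something other than a phone number, which is the signal that precedes the execution step in the walkthrough.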

Privilege Escalation as scriptrunner


Boom! We have finally accessed the machine via a reverse shell connection.


Let’s run smbserver on the root machine, something like the screenshot above.


On the Windows side, we just need to execute the command “net use \\webserver.windcorp.htb\share”.


We should get the result shown in the screenshot above. Therefore, we should crack the hashes, but I will not share them.


Finally, we got a password for scriptrunner.


Let’s execute the command above to escalate to another user on a different reverse shell connection.

Privilege Escalation via Bob.Wood


At last, we should get a shell as Bob.Wood.


Analyzing the directory, we find a file called Login Data.


After investigating the Login Data file, I noticed a username “bob.woodADM”.


I did some research and found an exe file that might be useful for this activity. Let’s upload the file, which can be found here.


Let’s move the file into the c:\windows\debug\wia directory.


Once the file is inside that directory, let’s execute it as shown above.


Inside the results/microsoft_edge_default_password.csv file, we manage to retrieve a password for bob.woodADM.


As before, we execute a similar command with this username and password.

Privilege Escalation via bob.woodadm access


Finally, we are accessing the machine with bob.woodadm privileges.


Sadly, there is no root flag on bob.woodadm’s Desktop.


At last, we managed to find the root flag on the Administrator’s Desktop.


We can read the root flag by typing the “type root.txt” command.