In this post, I would like to share a walkthrough of the Hathor machine from Hack The Box.

This machine is rated Insane on Hack The Box.

What will you gain from the Hathor machine?

For the user flag, you will need to abuse the Windcorp application to obtain a reverse shell on the machine.

For the root flag, you need ticketer.py to obtain an administrator ticket and impacket-smbclient to retrieve the root flag.

Information Gathering on Hathor Machine

Once the VPN connection is up (the connection file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

# Nmap 7.92 scan initiated Tue May  3 23:07:29 2022 as: nmap -sV -sC -oA intial 10.10.11.147
Nmap scan report for 10.10.11.147
Host is up (0.21s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Home - mojoPortal
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 29 disallowed entries (15 shown)
| /CaptchaImage.ashx* /Admin/ /App_Browsers/ /App_Code/ 
| /App_Data/ /App_Themes/ /bin/ /Blog/ViewCategory.aspx$ 
| /Blog/ViewArchive.aspx$ /Data/SiteImages/emoticons /MyPage.aspx 
|_/MyPage.aspx$ /MyPage.aspx* /NeatHtml/ /NeatUpload/
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-05-04 03:27:05Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after:  2023-03-18T07:51:40
|_ssl-date: 2022-05-04T03:28:27+00:00; +19m15s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after:  2023-03-18T07:51:40
|_ssl-date: 2022-05-04T03:28:27+00:00; +19m15s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-05-04T03:28:27+00:00; +19m15s from scanner time.
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after:  2023-03-18T07:51:40
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after:  2023-03-18T07:51:40
|_ssl-date: 2022-05-04T03:28:27+00:00; +19m15s from scanner time.
Service Info: Host: HATHOR; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 19m14s, deviation: 0s, median: 19m14s
| smb2-time: 
|   date: 2022-05-04T03:27:52
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May  3 23:09:15 2022 -- 1 IP address (1 host up) scanned in 105.72 seconds
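The scan above carries more defender-relevant signal than the port list alone: a clock skew of roughly nineteen minutes on a domain controller, SMB signing required, HTTP TRACE enabled, and a robots.txt that advertises /Admin/. The following Python is an added example, not part of the original writeup, that pulls those facts out of nmap's normal output. The scan excerpt embedded in it is a trimmed, constructed copy of the lines above, and the five-minute Kerberos tolerance is the MIT krb5 and Windows default. That same skew is what later breaks the ticket-based access in the root section until ntpdate is run.

```python
import re

# Constructed excerpt of the nmap output shown in the writeup (trimmed to the
# lines the parser needs; the real scan has more ports and host scripts).
SAMPLE_SCAN = """\
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 29 disallowed entries (15 shown)
| /CaptchaImage.ashx* /Admin/ /App_Browsers/ /App_Code/
|_/MyPage.aspx$ /MyPage.aspx* /NeatHtml/ /NeatUpload/
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-05-04 03:27:05Z)
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-05-04T03:28:27+00:00; +19m15s from scanner time.
445/tcp  open  microsoft-ds?

Host script results:
|_clock-skew: mean: 19m14s, deviation: 0s, median: 19m14s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
"""

# Kerberos rejects tickets when client and KDC clocks differ by more than this
# (MIT krb5 "clockskew" and the Windows domain policy both default to 5 minutes).
KERBEROS_MAX_SKEW_SECONDS = 300

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# nmap renders the LDAP domain as "windcorp.htb0."; the lazy group stops before the "0."
DOMAIN = re.compile(r"Domain: ([\w.-]+?)0?\.,")
SKEW = re.compile(r"clock-skew: mean: (\S+),")
ROBOTS_PATH = re.compile(r"^\|_?\s*(/\S+(?:\s+/\S+)*)\s*$")


def parse_duration(text: str) -> int:
    """Turn an nmap duration such as '+19m15s', '-2m' or '1h3s' into signed seconds."""
    sign = -1 if text.startswith("-") else 1
    seconds = 0
    for value, unit in re.findall(r"(\d+)([hms])", text):
        seconds += int(value) * {"h": 3600, "m": 60, "s": 1}[unit]
    return sign * seconds


def summarise_scan(scan_text: str) -> dict:
    """Extract the facts a defender wants from nmap normal output."""
    result = {
        "open_ports": [],          # (port, service) for every open port
        "domain": None,            # AD domain advertised over LDAP
        "clock_skew_seconds": None,
        "kerberos_skew_ok": None,  # None until a clock-skew line is seen
        "smb_signing_required": False,
        "robots_paths": [],        # paths robots.txt asks crawlers to avoid
        "findings": [],
    }
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            result["open_ports"].append((int(m.group(1)), m.group(4)))
        if (m := DOMAIN.search(line)) and result["domain"] is None:
            result["domain"] = m.group(1)
        if m := SKEW.search(line):
            skew = parse_duration(m.group(1))
            result["clock_skew_seconds"] = skew
            result["kerberos_skew_ok"] = abs(skew) <= KERBEROS_MAX_SKEW_SECONDS
        if "Message signing enabled and required" in line:
            result["smb_signing_required"] = True
        if m := ROBOTS_PATH.match(line):
            result["robots_paths"].extend(m.group(1).split())
        if "Potentially risky methods:" in line:
            result["findings"].append("HTTP " + line.split(":", 1)[1].strip() + " enabled")

    if result["kerberos_skew_ok"] is False:
        result["findings"].append(
            f"clock skew {result['clock_skew_seconds']}s exceeds the Kerberos tolerance of "
            f"{KERBEROS_MAX_SKEW_SECONDS}s; clients will fail until clocks are synced"
        )
    if not result["smb_signing_required"]:
        result["findings"].append("SMB signing not required; relay attacks are possible")
    if "/Admin/" in result["robots_paths"]:
        result["findings"].append("robots.txt advertises /Admin/; verify it requires authentication")
    return result


if __name__ == "__main__":
    for key, value in summarise_scan(SAMPLE_SCAN).items():
        print(f"{key}: {value}")
```

The robots.txt entries are the same list the author later follows by hand to reach /admin/; pulling them out of the scan automatically is how a defender would confirm that nothing listed there is reachable unauthenticated.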

Let’s access the website interface.

The page doesn’t show much information that we can use here.

Therefore, let’s run gobuster against it.

I notice that /admin redirects to the /admin/ directory.

WindCorp Enumeration

As we managed to access the URL, a Windcorp login page appeared before our eyes.

Let’s register a new account.

Account creation succeeds, so let’s log in with the credentials we registered a moment ago.

Boom! We managed to see the dashboard.

However, there are only two users stored in the website’s database.

We cannot access some of the features. However, I notice that the home page says “Still working on initial setup”.

Therefore, let’s do some research on the developer’s website.

From there, I notice that there are credentials documented that we can use on the login page.

Access the Windcorp Dashboard as an admin

Let’s try our luck by keying in the email admin@admin.com and the password “admin”.

Finally, we get access as admin on the Windcorp dashboard.

There are a lot of features that we can abuse right now.

The information above shows all the details of the server.

When we access the file manager, there are a bunch of folders that we can investigate.

Let’s modify a file so that we can obtain a reverse shell here.

The code can be found here

We only need to change the IP and port in the reverse shell code.

Once we have finished modifying the code, we can copy the file to /logos/name.aspx.

We can then start our listener with pwncat while trying to trigger the file.

Let’s call the file using curl.

Unfortunately, it doesn’t connect at all.

However, we do get a shell when using an nc listener instead.
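The file manager step shows the root cause on the application side: a folder meant for logo images accepts an arbitrary file name and extension, so a dropped name.aspx is executed by IIS instead of being served as data. As an added example, not the Windcorp application's own code, here is the kind of upload validation that would have stopped this. The Python below stands in for whatever server-side language the application uses, the extension lists are ordinary IIS/ASP.NET handler extensions, and the sample PNG header and ASPX snippet are constructed.

```python
import os
import re

# Extensions that IIS/ASP.NET passes to a handler instead of serving as a static
# file. Letting any of these land in a web-served folder turns an upload into
# remote code execution, which is exactly what the /logos/name.aspx step relies on.
SERVER_EXECUTED = {
    ".aspx", ".ashx", ".asmx", ".ascx", ".asax", ".asp", ".config", ".cshtml",
    ".vbhtml", ".svc", ".soap", ".rem", ".php", ".jsp",
}

# Allow-list for a logo folder: extension -> leading bytes the content must start with.
ALLOWED_IMAGES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

MAX_BYTES = 512 * 1024                   # a logo never needs more than this
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Constructed sample inputs (the PNG is only a header, not a decodable image).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
ASPX_SAMPLE = b'<%@ Page Language="C#" %>'


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def validate_logo_upload(filename: str, content: bytes) -> str:
    """Return the name to store the file under, or raise UploadRejected.

    Checks, in order: no path components, no server-executed extension anywhere
    in the name (catches name.aspx.png and name.png;.aspx), extension on the
    image allow-list, a stem made only of safe characters, a size cap, and
    content whose leading bytes match the claimed type.
    """
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        raise UploadRejected("path components are not allowed")

    # Every dot-separated segment after the stem is treated as an extension.
    segments = filename.lower().split(".")
    for seg in segments[1:]:
        if "." + seg.rstrip(";") in SERVER_EXECUTED:
            raise UploadRejected(f"server-executed extension .{seg} is not allowed")

    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in ALLOWED_IMAGES:
        raise UploadRejected(f"extension {ext or '(none)'} is not an allowed image type")
    if not SAFE_STEM.match(stem):
        raise UploadRejected("file name may only contain letters, digits, '_' and '-'")
    if len(content) > MAX_BYTES:
        raise UploadRejected("file is too large for a logo")
    if not content.startswith(ALLOWED_IMAGES[ext]):
        raise UploadRejected(f"content does not look like a {ext} image")
    return stem + ext


def is_acceptable(filename: str, content: bytes) -> bool:
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        validate_logo_upload(filename, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    for name, data in [("logo.png", PNG_SAMPLE), ("name.aspx", ASPX_SAMPLE),
                       ("name.aspx.png", PNG_SAMPLE), ("logo.png", ASPX_SAMPLE)]:
        print(name, "accepted" if is_acceptable(name, data) else "rejected")
```

Extension and leading-byte checks only prove that the file starts like an image. A file that is both a valid image and carries script is still harmless as long as IIS serves the folder as static content, so pair this validation with removing script and handler mappings from any user-writable folder, and keep uploads outside the web root where the application allows it.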

While roaming inside the shell, I notice there’s a folder called Get-bADpasswords.

After a while, I found some CSV files that might be useful to us, and one of them contains credentials.

At last, we managed to retrieve the password.

Let’s create a .dll file to obtain a reverse shell connection that way.

We can use the x86_64-w64-mingw32-gcc tool to compile the file that we created earlier.

The command above is the right one.

Let’s transfer it using a Python proxy running on our attacker machine.

We can retrieve it using the curl command above.
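The CSV files left behind by the password audit are the hand-off from the web shell to a domain account, and the pattern is common outside labs: audit tooling writes its results next to the tool, and the output lingers on disk long after the audit is over. As an added example (not part of the writeup and not the Get-bADpasswords tool's own output format; the CSV, its column names and its values are all constructed), this Python locates credential-bearing columns and hash-shaped values in such an export and produces a redacted copy that can be kept as the audit record.

```python
import csv
import io
import re

# Constructed CSV in the spirit of a password-audit export. Column names and
# values are made up for this example, not taken from the machine.
SAMPLE_EXPORT = """\
SamAccountName,Enabled,Finding,Password,NTHash
jdoe,True,in-breach-list,Summer2021!,0123456789abcdef0123456789abcdef
svc_backup,True,shared-with,Winter2022!,fedcba9876543210fedcba9876543210
bsmith,False,none,,
"""

# Header names that indicate a column holds a secret or a password hash.
SENSITIVE_HEADER = re.compile(r"pass(word|wd|phrase)?|pwd|secret|credential|hash|ntlm", re.I)
# A bare 32-hex-digit value has the shape of an NT/LM hash wherever it appears.
HASH_SHAPED = re.compile(r"^[0-9a-fA-F]{32}$")


def scan_export(text: str) -> dict:
    """Report which columns and rows of a CSV carry credential material."""
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    sensitive_columns = [h for h in headers if SENSITIVE_HEADER.search(h)]
    exposed = []  # (line number, account, column)
    for line_no, row in enumerate(reader, start=2):  # the header is line 1
        account = row.get(headers[0], "") if headers else ""
        for col in headers:
            value = (row.get(col) or "").strip()
            if not value:
                continue
            if col in sensitive_columns or HASH_SHAPED.match(value):
                exposed.append((line_no, account, col))
    return {
        "sensitive_columns": sensitive_columns,
        "exposed": exposed,
        "accounts_exposed": sorted({account for _, account, _ in exposed}),
    }


def redact_export(text: str) -> str:
    """Return a copy of the CSV that is safe to keep as an audit record:
    values in secret columns and hash-shaped values are replaced, everything
    else (account names, findings, enabled state) is unchanged."""
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    sensitive = {h for h in headers if SENSITIVE_HEADER.search(h)}
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=headers, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for col in headers:
            value = row.get(col) or ""
            if value and (col in sensitive or HASH_SHAPED.match(value.strip())):
                row[col] = "[REDACTED]"
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    report = scan_export(SAMPLE_EXPORT)
    print("sensitive columns:", report["sensitive_columns"])
    print("accounts exposed:", report["accounts_exposed"])
    print(redact_export(SAMPLE_EXPORT))
```

Run scan_export over anything an audit script writes before it is left on a shared host; if the exposed list is not empty, the original belongs in restricted storage or deleted, with only the redacted copy retained where the tool ran.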

After a while, the shell connection comes back to us.

Finally, we can read the user flag by executing the type user.txt command

Escalate to Root Privileges Access on Hathor machine

There’s a .pfx file inside the Recycle Bin.

We can create a new folder in C:\

The next step is to move Get-bADpasswords to a temporary file in the folder that we created earlier.

Let’s try to build the reverse shell command using Bginfo64.exe and Get-bADpasswords.

Let’s start our nc listener.

Let’s execute the command above so that we can get another shell.

We can use ticketer.py to obtain the administrator ticket.

Once that is completed, we export the ticket cache and use impacket-smbclient to get administrator access. Sadly, we got an error: the clock skew is too great.

Therefore, we can use sudo ntpdate <IP Address> to fix the issue, and then execute the previous command again.

Finally, it works like a charm!


We can read the root flag by downloading the flag into our machine and reading from there.
