In this post, I would like to share a walkthrough of the Coder machine from Hack The Box.

This machine is rated Insane on Hack The Box.

What will you gain from the Coder machine?

For the user flag, you need to analyse an SMB share containing a .NET executable responsible for encryption, along with an encrypted file. By reverse engineering the executable, I aim to uncover a weakness that enables decryption of the file, thereby obtaining a KeePass database and a corresponding key file. Using that file as the key, I intend to open the database and retrieve information including domain details, credentials, and a backup of the two-factor authentication associated with a TeamCity server. Further investigation involves reverse engineering the Chrome plugin to understand how the backup process works. Additionally, I plan to use a brute force attack to find the password and recover the Time-based One-Time Password (TOTP) seed. With this knowledge and the acquired credentials, I aim to access the server and upload a modified version that executes as part of a Continuous Integration/Continuous Deployment (CI/CD) pipeline.

As for the root flag, you need to exploit CVE-2022-26923 on the Coder machine, which involves registering a counterfeit computer account with a malicious DNS hostname. This setup is intended to trick ADCS (Active Directory Certificate Services) into treating the counterfeit machine as the Domain Controller (DC). Once this succeeds, I can extract the domain's hashes and ultimately gain a shell with administrator privileges.

For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.

The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vv

Information Gathering on Coder Machine

Once we have started the VPN connection, which requires a download from Hack The Box, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Document/htb/Coder]
└──╼ $nmap -sC -sV 10.10.11.207 -oA initial  
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-04 07:44 EDT
Nmap scan report for 10.10.11.207
Host is up (0.16s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-05-04 19:04:03Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: coder.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-05-04T19:04:50+00:00; +7h18m47s from scanner time.
| ssl-cert: Subject: commonName=dc01.coder.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.coder.htb
| Not valid before: 2022-06-30T04:24:26
|_Not valid after:  2023-06-30T04:24:26
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
| tls-alpn: 
|_  http/1.1
|_ssl-date: 2023-05-04T19:04:50+00:00; +7h18m48s from scanner time.
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=default-ssl/organizationName=HTB/stateOrProvinceName=CA/countryName=US
| Not valid before: 2022-11-04T17:25:43
|_Not valid after:  2032-11-01T17:25:43
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: coder.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-05-04T19:04:50+00:00; +7h18m48s from scanner time.
| ssl-cert: Subject: commonName=dc01.coder.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.coder.htb
| Not valid before: 2022-06-30T04:24:26
|_Not valid after:  2023-06-30T04:24:26
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: coder.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-05-04T19:04:50+00:00; +7h18m47s from scanner time.
| ssl-cert: Subject: commonName=dc01.coder.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.coder.htb
| Not valid before: 2022-06-30T04:24:26
|_Not valid after:  2023-06-30T04:24:26
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: coder.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-05-04T19:04:51+00:00; +7h18m47s from scanner time.
| ssl-cert: Subject: commonName=dc01.coder.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.coder.htb
| Not valid before: 2022-06-30T04:24:26
|_Not valid after:  2023-06-30T04:24:26
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-05-04T19:04:44
|_  start_date: N/A
|_clock-skew: mean: 7h18m47s, deviation: 0s, median: 7h18m46s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.63 seconds

Let’s access the website interface.

However, the website only shows the default landing page that indicates the server is running IIS.

SMB enumeration

We can see a few shares that we can look into, but the Development share caught my attention.

There are two files stored in the Temporary Projects directory.

Let’s download the file into our attacker’s machine.

KeePass tools

In this activity, we will be using the KeePassXC tool, which runs on Linux.

sudo apt install keepassxc

We can use the command above to install the tool on our attacker’s machine.

We managed to retrieve some useful credentials that we can use to log in to the dashboard.

As a result, let’s enter the credentials that we found earlier.

Sadly, we are required to enter a “Two-Factor Authentication” code to reach the dashboard.

Let’s brute-force the 2FA code using an ffuf script.

After a while, we managed to get the 6-digit code and validate it.

Boom! At last, we managed to see the dashboard
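From the defender's side, the brute force above works because the 6-digit code space is small and the verifier accepts unlimited attempts. The following added detector (my example, not part of the original post) flags a client whose failed 2FA submissions exceed a threshold inside a sliding window; the log format, the /2fa path and the sample lines are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# A 6-digit TOTP code has only 10**6 values, so a verifier that accepts unlimited
# attempts can be enumerated; the signal is a burst of failed submissions from one source.
THRESHOLD = 10                   # failed submissions from one client ...
WINDOW = timedelta(seconds=60)   # ... inside this sliding window


def parse_line(line):
    """Parse a constructed access-log line: '<date> <time> <client_ip> <method> <path> <status>'."""
    date, time, ip, method, path, status = line.split()
    return datetime.fromisoformat(f"{date}T{time}"), ip, method, path, int(status)


def detect_2fa_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {client_ip: time of the submission that crossed the threshold}
    for every client whose failed POSTs to the 2FA endpoint exceed the limit."""
    recent = defaultdict(deque)   # per-client timestamps of recent failures
    alerts = {}
    for line in lines:
        ts, ip, method, path, status = parse_line(line)
        if method != "POST" or not path.startswith("/2fa") or status == 200:
            continue              # only failed 2FA submissions count
        queue = recent[ip]
        queue.append(ts)
        while queue and ts - queue[0] > window:
            queue.popleft()       # drop failures that fell outside the window
        if len(queue) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def _line(second, ip, status):
    return f"2023-05-04 19:04:{second:02d} {ip} POST /2fa {status}"

# Constructed sample: one user mistypes once then succeeds; another client submits
# twelve different codes in twelve seconds, which is what a wordlist run looks like.
SAMPLE_LOG = [_line(1, "10.10.14.30", 403), _line(9, "10.10.14.30", 200)]
SAMPLE_LOG += [_line(10 + i, "10.10.14.5", 403) for i in range(12)]

if __name__ == "__main__":
    for ip, when in detect_2fa_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: 2FA brute-force suspected at {when.time()}")
```

The same threshold logic is what a lockout or rate limit on the verifier itself would enforce, which is the mitigation that removes the attack.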

We should create a diff file containing the code shown above.

Sadly, it did not work as I planned.

After a lot of troubleshooting, I managed to find the issues and resolve them so that the file would work.

Finally, it works as I planned

Let’s start our nc listener.

We should upload our nc64.exe to the victim’s machine.

Therefore, let’s start our Python HTTP server.

At last, the upload process is a success.

Boom! We managed to retrieve a reverse shell connection back to us.

We can see the file that we executed in the current directory.

There are a lot of diff files that we can analyse further.

Inside the file, we found some useful information, such as the enc.txt and key.key files.

The file will contain the information above.

For Linux machines, we can use the command above to obtain the password of a certain user.

Looking back at the diff file that we analysed previously, I noticed some usernames that we might use for escalation.

We can read the user flag by typing the “type user.txt” command

Escalate to Root Privileges Access on Coder Machine

Firstly, we need to install Certipy version 4.4.0.

After that, we execute the command above to obtain some information.

We should export the template to our JSON file as shown above.

As a result, let’s download the JSON file to our machine, since it is easier to modify there than on the victim’s machine.

By default, the file will look something as shown above.

Therefore, let’s modify some key values, such as msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag, as shown above.

Let’s upload the modified JSON file to the victim’s machine.

Let’s execute the command shown above

At last, we have introduced the vulnerability: Erron Black can enroll, which means the template will allow anyone to authenticate.

As a result, let’s create the PFX certificate, which we can use for privilege escalation later.

Let’s sync our machine’s clock with ntpdate; the nmap scan reported a clock skew of about 7 hours, which is far beyond the few minutes Kerberos tolerates and would make the certificate authentication fail.

Boom! We have managed to retrieve the administrator’s hashes.

Finally, we managed to access the machine via evil-winrm using the administrator’s hashes that we found earlier.

We can read the root flag by typing the command “type root.txt”
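The two attributes edited above are exactly what an audit of exported templates should check. This added example (mine, not Certipy's code or the write-up's) tests a template for the ESC1 preconditions: enrollee-supplied subject, no manager approval, an authentication EKU and enrollment rights for low-privileged principals. The JSON layout, the enrollment_rights key and the sample values are constructed; the flag bits and EKU OIDs are from MS-CRTD.

```python
import json

# Bits from MS-CRTD for the two attributes the write-up edits in the exported template.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval

# EKUs that make an issued certificate usable for domain logon (PKINIT / Schannel).
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2", "1.3.6.1.5.2.3.4", "2.5.29.37.0"}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def audit_template(template):
    """Return the ESC1 preconditions this template satisfies; all four together mean
    any enrollee can request a logon certificate for an arbitrary principal."""
    name_flag = int(template.get("msPKI-Certificate-Name-Flag", 0))
    enroll_flag = int(template.get("msPKI-Enrollment-Flag", 0))
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    enrollees = set(template.get("enrollment_rights", []))   # constructed key
    findings = []
    if name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject (ENROLLEE_SUPPLIES_SUBJECT set)")
    if not enroll_flag & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval (PEND_ALL_REQUESTS clear)")
    if not ekus or ekus & AUTH_EKUS:          # an empty EKU list means any purpose
        findings.append("EKU allows authentication")
    if enrollees & LOW_PRIV_PRINCIPALS:
        findings.append("low-privileged principals may enroll: "
                        + ", ".join(sorted(enrollees & LOW_PRIV_PRINCIPALS)))
    return findings


def is_vulnerable(template):
    return len(audit_template(template)) == 4


# Constructed JSON in the shape of an exported template (layout assumed, not Certipy's schema):
# SUBJECT_ALT_REQUIRE_DNS (0x08000000) and PEND_ALL_REQUESTS | AUTO_ENROLLMENT (0x22).
DEFAULT_TEMPLATE = json.loads("""{
  "cn": "ExampleTemplate",
  "msPKI-Certificate-Name-Flag": 134217728,
  "msPKI-Enrollment-Flag": 34,
  "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
  "enrollment_rights": ["Domain Users"]
}""")

# The same template after only the two flags are changed, as the write-up does.
MODIFIED_TEMPLATE = dict(DEFAULT_TEMPLATE,
                         **{"msPKI-Certificate-Name-Flag": 1, "msPKI-Enrollment-Flag": 0})

if __name__ == "__main__":
    for label, tpl in (("default", DEFAULT_TEMPLATE), ("modified", MODIFIED_TEMPLATE)):
        print(label, "VULNERABLE" if is_vulnerable(tpl) else "ok", audit_template(tpl))
```

Running the audit periodically against live template objects, and alerting on any change to these two attributes, is how a defender would catch the modification step of this escalation.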
