Introduction to Freelancer:

In this write-up, we will explore the “Freelancer” machine from Hack The Box, categorized as a Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “Freelancer” machine from Hack The Box by achieving the following objectives:
User Flag:
IDOR Vulnerability
Freelancer begins by gaining access as an employer and then progresses to privilege escalation to the administrator account through an IDOR vulnerability.
SQL Shell attack
I obtained a shell as an SQL user using standard MSSQL commands, leveraging existing database functionality to gain a foothold for further actions within the system.
Root Flag:
Gaining Access and Exploiting Delegation
Freelancer starts by switching to another user and performing a memory dump, which allowed access to a third user. I later discovered an unintentional method to exploit resource-based constrained delegation, ultimately leading to domain administrator access.
Enumerating the Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oN nmap_initial.txt 10.10.11.5
Nmap Output:
┌─[darknite@parrot]─[~/Documents/htb/Freelancer]
└──╼ $nmap -sC -sV 10.10.11.5 -oA initial
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 00:56 EDT
Nmap scan report for 10.10.11.5
Host is up (0.020s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.25.5
|_http-server-header: nginx/1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-05 09:45:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-10-05T09:45:37
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 4h48m42s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.07 seconds
Analysis:
- Port 53 (DNS): Simple DNS Plus service.
- Port 80 (HTTP): Web server running nginx 1.25.5.
- Port 88 (Kerberos): Microsoft Windows Kerberos service.
- Port 135 (MSRPC): Microsoft Windows RPC service.
- Port 139 (NetBIOS-SSN): Microsoft Windows NetBIOS service.
- Port 389 (LDAP): Active Directory LDAP service (freelancer.htb).
- Port 445 (SMB): Microsoft Windows SMB service.
- Port 464 (Kpasswd5): Kerberos password change service.
- Port 593 (RPC over HTTP): Microsoft Windows RPC over HTTP 1.0.
- Port 3268 (LDAP): Active Directory Global Catalog LDAP service.
- Ports 636 and 3269: TCP-wrapped services.
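To turn the port table above into the conclusions listed here mechanically, the following Python script (an example added to this write-up, not part of the original post) parses the nmap output, infers from the DNS/Kerberos/LDAP/SMB/kpasswd combination that the host is a domain controller, pulls the domain name out of the LDAP banner, and converts the reported clock skew into seconds. The sample text is copied from the scan above; the 5-minute tolerance it checks against is the Windows Kerberos default, and a skew this large is exactly what breaks ticket requests later in the walkthrough.

```python
import re
from dataclasses import dataclass

# Sample input: the service lines from the nmap run in this write-up,
# trimmed to what the parser needs.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.25.5
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-05 09:45:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
|_clock-skew: 4h48m42s
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
DOMAIN_RE = re.compile(r"Domain:\s*([^,\s]+)")
SKEW_RE = re.compile(r"clock-skew:\s*(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")

# Ports that together indicate an Active Directory domain controller.
DC_PORTS = {53, 88, 389, 445, 464}
KERBEROS_MAX_SKEW = 300  # Windows default: 5 minutes


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_services(text):
    """Extract one Service per 'PORT STATE SERVICE VERSION' row."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            services.append(Service(int(m.group(1)), m.group(2), m.group(3),
                                    m.group(4), m.group(5).strip()))
    return services


def domain_name(text):
    """nmap renders the LDAP domain with a trailing '0.' (e.g. 'freelancer.htb0.'); strip it."""
    m = DOMAIN_RE.search(text)
    return re.sub(r"0\.$", "", m.group(1)) if m else None


def clock_skew_seconds(text):
    """Convert nmap's 'XhYmZs' skew string into signed seconds, or None if absent."""
    m = SKEW_RE.search(text)
    if not m or not any(m.group(i) for i in (2, 3, 4)):
        return None
    secs = int(m.group(2) or 0) * 3600 + int(m.group(3) or 0) * 60 + int(m.group(4) or 0)
    return -secs if m.group(1) else secs


def looks_like_domain_controller(services):
    open_ports = {s.port for s in services if s.state == "open"}
    return DC_PORTS <= open_ports


def kerberos_skew_ok(skew):
    return skew is not None and abs(skew) <= KERBEROS_MAX_SKEW


def summarize(text):
    services = parse_services(text)
    skew = clock_skew_seconds(text)
    return {
        "open_ports": sorted(s.port for s in services if s.state == "open"),
        "domain": domain_name(text),
        "domain_controller": looks_like_domain_controller(services),
        "clock_skew_seconds": skew,
        "kerberos_ready": kerberos_skew_ok(skew),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_NMAP).items():
        print(f"{key}: {value}")
```

Running it reports the domain as freelancer.htb, flags the host as a domain controller, and shows a skew of 17322 seconds, far outside what Kerberos tolerates, which is why the clocks have to be synced before any ticket request succeeds.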
SMB enumeration with smbclient

The error NT_STATUS_RESOURCE_NAME_NOT_FOUND typically occurs when attempting to access a shared resource (like a file, directory, or network service) that does not exist or cannot be found on the target system. This can happen due to incorrect path names, misconfigured shares, or attempting to query resources that the server doesn’t recognize.
Web Enumeration:
Exploitation

While working on this machine, Hack The Box issued a notice stating that “The web server on port 80 may take up to two minutes to initialize.“

When I accessed the website, it appeared to be a basic job-hunting platform with nothing particularly interesting at first glance. So, I decided to register as a freelancer.

To successfully register an account, all required details must be filled out completely.

Let’s log in using the credentials we created earlier.

I didn’t find anything useful during my enumeration as a freelancer, and I ran into an error when attempting to log in.

Later, I tried registering as an employer.

Let’s try logging in with the credentials we just created.

I encountered some errors after completing the registration.

I’ll reset the employer account password and attempt to log in again.

The interface looks somewhat different from the employer’s interface. The section that caught my attention the most was the QR-Code feature.
IDOR Vulnerability on Freelancer Machine

Let’s download the QR Code to our machine for further analysis.

For this task, we will use the CyberChef platform to decode the QR Code. We will use the Parse QR Code tool to obtain the output for further analysis.
When I scan it, I receive an OTP login URL, indicating a potential IDOR vulnerability.
The data encoded in base64 is my current user ID number. If I replace this with the admin’s ID, I can easily log in as the admin. When I checked the blog earlier, I noticed the user comments, which made it easy to find the admin. I simply went to the user profiles and changed the ID number in the URL.
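The root cause here is that the OTP link carries nothing but a base64-encoded user ID, so anyone who decodes it can mint a login link for another account. The following Python example (added for this write-up; the URL path, the server key and the token layout are assumptions, not the site’s real implementation) contrasts that pattern with a signed, expiring, single-use token, and shows that editing the user ID inside the signed token is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed secret for the example; a real deployment keeps this out of source control.
SERVER_KEY = b"example-server-side-secret-key"
OTP_LOGIN_URL = "http://freelancer.htb/accounts/otp/login?token="  # hypothetical path


# --- Vulnerable pattern: the QR code carries the bare user ID, base64 encoded. ---
def vulnerable_otp_link(user_id):
    token = base64.urlsafe_b64encode(str(user_id).encode()).decode()
    return OTP_LOGIN_URL + token


def vulnerable_resolve(token):
    # The server trusts whatever ID is in the token: classic IDOR.
    return int(base64.urlsafe_b64decode(token))


# --- Hardened pattern: signed, expiring, single-use token bound to the user. ---
_used_nonces = set()  # in production this lives in the database or cache


def issue_token(user_id, now=None, ttl=120):
    now = int(time.time()) if now is None else now
    payload = {"uid": user_id, "exp": now + ttl, "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return (body + b"." + base64.urlsafe_b64encode(sig)).decode()


def resolve_token(token, now=None):
    """Return the user ID if the token is authentic, unexpired and unused; else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.encode().split(b".", 1)
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
            return None  # tampered or forged
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["exp"] < now or payload["nonce"] in _used_nonces:
            return None  # expired or replayed
        _used_nonces.add(payload["nonce"])
        return payload["uid"]
    except (ValueError, KeyError, TypeError):
        return None


def tamper_uid(token, new_uid):
    """Edit the uid inside an issued token, leaving the signature alone (to show it fails)."""
    body, sig = token.split(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload["uid"] = new_uid
    new_body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return new_body + "." + sig


if __name__ == "__main__":
    print("vulnerable link:", vulnerable_otp_link(42))
    good = issue_token(42)
    print("signed token resolves to:", resolve_token(good))
    print("tampered token resolves to:", resolve_token(tamper_uid(issue_token(42), 1)))
```

The fix is not to hide the ID better but to stop the ID from being the credential: the HMAC ties the token to the server key, the expiry limits how long a leaked QR code is useful, and the nonce makes each link single-use.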

On the /admin page, I see a SQL terminal at the bottom.

I’ll enter the command above to determine the current user.

So, let’s try pinging ourselves to see if there’s any command injection vulnerability.

It works as expected.
Command Injection Attack on Freelancer machine

Let’s upload the nc64.exe file to the victim’s machine.

It was successful.

Let’s set up our listener.

I used the command above to get my reverse shell.

Finally, we successfully established the reverse shell connection.

There are many users installed on the machine, but one account stands out from the rest.

There is one directory that we can explore further.

Check the SQL configuration file.

RunasCs is a utility that allows you to run specific processes with permissions different from those of the user’s current logon, using explicit credentials. Let’s upload the tool to the victim’s machine.

We attempted the command above, but it failed, indicating that the account password is incorrect.

As a result, we will use the PowerShell command instead; if this approach doesn’t work either, we will need to find an alternative way in. Fortunately, it worked.

We can read the user flag by entering the command “type user.txt.”
Escalating to Root Privileges
Privilege Escalation:

There’s a text file that caught my attention, and it resembles a mail file.
Hello Mikasa,
I tried once again to work with Liza Kazanoff after seeking her help to troubleshoot the BSOD issue on the "DATACENTER-2019" computer. As you know, the problem started occurring after we installed the new update of SQL Server 2019.
I attempted the solutions you provided in your last email, but unfortunately, there was no improvement. Whenever we try to establish a remote SQL connection to the installed instance, the server's CPU starts overheating, and the RAM usage keeps increasing until the BSOD appears, forcing the server to restart.
Nevertheless, Liza has requested me to generate a full memory dump on the Datacenter and send it to you for further assistance in troubleshooting the issue.
Best regards,
The content of the mail resembles what is shown above.

HTTPUploadExfil
HTTPUploadExfil is a simple HTTP server written in Go that helps you transfer files (and other information) off a machine using HTTP. It’s designed for low-stakes offensive scenarios, like CTFs, and has several use cases. You can think of it as a version of python3 -m http.server, but instead of serving data to a machine, it focuses on getting data off a machine.

We extracted the credentials from security.txt, which we obtained from the activity above. We then tried this password against all known users and found that it belonged to lorra199.
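Trying one recovered password against every known account is a password spray, and from the defender’s side it has a distinctive shape in the security log: many distinct accounts failing authentication from one source in a short window, while a genuine user mistyping a password fails repeatedly on a single account. The following Python detector (added here, not part of the original write-up; the event records, the source addresses and the usernames other than those mentioned in the mail are constructed) flags the first pattern and ignores the second.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Security events that represent a failed credential check:
# 4625 = failed logon, 4771 = Kerberos pre-authentication failed.
FAILURE_EVENT_IDS = {4625, 4771}


def _failures(users, source, start, step_seconds):
    """Build constructed failure events, one per user, spaced step_seconds apart."""
    return [{"time": (start + timedelta(seconds=step_seconds * i)).isoformat(),
             "id": 4771, "user": user, "source": source}
            for i, user in enumerate(users)]


# Constructed sample (not real logs). 10.10.14.5 tries one password against eight
# accounts within about a minute; 10.10.11.50 is a single user mistyping a password.
SAMPLE_EVENTS = (
    _failures(["lorra199", "mikasa", "liza", "sql_svc", "jdoe", "asmith", "bwayne", "ckent"],
              "10.10.14.5", datetime(2024, 10, 5, 10, 0, 0), 10)
    + _failures(["mikasa"] * 3, "10.10.11.50", datetime(2024, 10, 5, 9, 30, 0), 20)
)


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Alert on any source that fails against >= min_users distinct accounts inside `window`."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["id"] in FAILURE_EVENT_IDS:
            by_source[ev["source"]].append((datetime.fromisoformat(ev["time"]), ev["user"]))

    alerts = []
    for source, fails in by_source.items():
        fails.sort()                      # chronological
        best, start = set(), 0
        for end, (t, _) in enumerate(fails):
            while t - fails[start][0] > window:   # slide the window start forward
                start += 1
            users_in_window = {user for _, user in fails[start:end + 1]}
            if len(users_in_window) > len(best):
                best = users_in_window
        if len(best) >= min_users:
            alerts.append({"source": source, "distinct_users": len(best),
                           "users": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(f"spray from {alert['source']}: {alert['distinct_users']} accounts "
              f"-> {', '.join(alert['users'])}")
```

Keying on distinct accounts per source rather than on failure counts per account is what separates a spray from ordinary lockout noise; in a real SIEM the same logic runs over 4625/4771 events with the window and threshold tuned to the environment.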

Let’s access the user account as lorra199 using evil-winrm.
Resource-Based Constrained Delegation
Resource-Based Constrained Delegation is a method used in computer networks to enhance security while allowing certain users or services to access resources on behalf of others. Imagine a bank where you can grant a trusted friend permission to withdraw money from your account only under specific conditions.
In the tech world, this means that a service (like a web app) can act on behalf of a user to access other services (like a database) while ensuring that it’s only allowed to use specific permissions. This is helpful for scenarios where you want a user to access resources without giving them full control or access to everything. It creates a safer environment by tightly controlling who can do what, reducing the risk of unauthorized access or misuse.

First, I’ll add a fake computer to the domain that I control. This will allow me to act as the Domain Controller (DC) and request Kerberos tickets for the fake computer, enabling me to impersonate other accounts, such as Administrator.

This command grants the ATTACKERSYSTEM$ computer object the ability to delegate write authority to the DC$ computer object, allowing it to perform specific actions. I can then obtain a service principal name (SPN) and a service ticket for the CIFS service using the Kerberos protocol, which lets me impersonate a particular user.

However, I encounter an error due to a time mismatch. I can sync the clocks using the following commands.

This command helps locate the Kerberos credential cache file, which is used by tools and applications during authentication.

We can export KRB5CCNAME so that it points to Administrator.ccache.

I’ll also use impacket-secretsdump to extract NTLM hash information from the Domain Controller.

Let’s access the machine as Administrator using the hashes we collected earlier.
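The delegation path above leaves two traces in a domain controller’s security log: a computer-account creation (Event ID 4741) by the compromised user, followed by a directory-object modification (Event ID 5136) of msDS-AllowedToActOnBehalfOfOtherIdentity on the DC’s computer object. The following Python example (added here, not from the original write-up; the event records, the other account and computer names, and the list of accounts expected to edit delegation are constructed assumptions) correlates the two events into one alert, and separately flags a non-zero ms-DS-MachineAccountQuota, the default setting that lets an ordinary domain user add a computer account in the first place.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
# Accounts expected to change delegation settings (assumption for the example).
DELEGATION_ADMINS = {"FREELANCER\\Administrator"}

# Constructed sample events (not real logs): the compromised user creates a computer
# account, then writes the RBCD attribute on the DC's computer object. The third
# event is an unrelated attribute change that must not fire.
SAMPLE_EVENTS = [
    {"time": "2024-10-05T10:00:00", "id": 4741, "subject": "FREELANCER\\lorra199",
     "target": "ATTACKERSYSTEM$"},
    {"time": "2024-10-05T10:02:30", "id": 5136, "subject": "FREELANCER\\lorra199",
     "object": "CN=DC,OU=Domain Controllers,DC=freelancer,DC=htb",
     "attribute": RBCD_ATTR, "operation": "Value Added"},
    {"time": "2024-10-05T11:30:00", "id": 5136, "subject": "FREELANCER\\svc_deploy",
     "object": "CN=WEB01,OU=Servers,DC=freelancer,DC=htb",
     "attribute": "servicePrincipalName", "operation": "Value Added"},
]


def _is_domain_controller(distinguished_name):
    return "OU=Domain Controllers" in distinguished_name


def detect_rbcd_abuse(events, lookback=timedelta(hours=1)):
    """Alert on RBCD attribute writes by non-admins; escalate when the same subject
    created a computer account within `lookback` before the write."""
    alerts = []
    created = {}  # subject -> [(time, new computer account), ...]
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4741:
            created.setdefault(ev["subject"], []).append((t, ev["target"]))
        elif ev["id"] == 5136 and ev.get("attribute") == RBCD_ATTR:
            if ev["subject"] in DELEGATION_ADMINS:
                continue
            severity = "high" if _is_domain_controller(ev["object"]) else "medium"
            recent = [acct for ct, acct in created.get(ev["subject"], [])
                      if timedelta(0) <= t - ct <= lookback]
            if recent:
                severity = "critical"  # new machine account + delegation write = RBCD chain
            alerts.append({"time": ev["time"], "subject": ev["subject"],
                           "object": ev["object"], "severity": severity,
                           "new_computer_accounts": recent})
    return alerts


def machine_account_quota_finding(quota):
    """ms-DS-MachineAccountQuota defaults to 10; any value above 0 lets every
    authenticated user join computers to the domain."""
    if quota > 0:
        return (f"ms-DS-MachineAccountQuota is {quota}; set it to 0 unless "
                f"ordinary users genuinely need to join computers")
    return None


if __name__ == "__main__":
    for alert in detect_rbcd_abuse(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['subject']} wrote {RBCD_ATTR} on "
              f"{alert['object']} (new accounts: {alert['new_computer_accounts']})")
    print(machine_account_quota_finding(10))
```

Beyond detection, the mitigations that remove this path are setting ms-DS-MachineAccountQuota to 0, auditing who holds write access to domain controller computer objects, and enabling object-level auditing so that 5136 events for the delegation attribute are actually generated.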

We can read the root flag by entering the command “type root.txt.”